Darknet Diaries - Ep 12: Crypto Wars

Episode Date: February 1, 2018

In the 1990s the Internet started to take shape. But the US government had strict laws regulating what type of cryptography is allowed to be used online. A few brave people stood up to the government in the name of civil rights and won the right to use strong encryption. Listen to their battle and what they had to go through to accomplish this.

Transcript
Starting point is 00:00:00 My grandfather went most of his life without using or needing encryption. But now we live in a time where encryption is intertwined in almost all of our electronic communications. That shift to go from a world where everyday people didn't use encryption at all to a world where everyone uses it and doesn't even know it was a major transformation. And there was nothing easy about it. There were powers at play that didn't want everyday people to encrypt their messages, but human rights and civil rights activists fought and fought and fought. You know the outcome of this story, but you may not know
Starting point is 00:00:37 what it took for us to get here. So let's take a journey through time, back to the 1990s, and understand exactly what were to be known as the Crypto Wars. This is Dark by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight.
Starting point is 00:01:24 But I realized I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they Thank you. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries and use code Darknet.
Starting point is 00:02:30 Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
Starting point is 00:03:03 But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF cyber range, which is great for practicing your skills and showing them off to potential employers. Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com. Before we get started, I feel like I should say something. It's really hard for me to stay neutral on this topic because I'm such a privacy and security advocate.
Starting point is 00:03:49 This is a topic that's important to me and I'm staunchly on a specific side. So up front, I just want to say that I apologize if I don't represent both sides fairly in this story. So to help take us through this pivotal piece of history, we have a very special guest. My name is Cindy Cohn, and I'm the executive director of the Electronic Frontier Foundation. The EFF is a nonprofit digital rights group. It helps protect your civil liberties online. Cindy has been with the EFF for over 20 years, and she's played a crucial part in the crypto wars, as we'll soon discover. But before we get into her role in it, we need to take a quick glimpse into the history of cryptography. Cryptography has been used by military people to protect their plans and share information, say, across, you know, between the generals and the front lines for
Starting point is 00:04:41 as far back as Julius Caesar. Caesar had a cipher, right, that they used. And in World War II, there's some great stories about how the ability to break the German code, the Enigma machine, which they were using to code, had a tremendous influence on the ability of the Allies to win the war. And there's great stories about both the code breakers in Bletchley Park breaking the German code. There were also really successful efforts to break the Japanese codes. And lots of people will, I think, quite credibly say that the Allies' ability to break encryption codes had a lot to do with us actually winning the war. Encryption is when you take a message and encode it in such a way that if someone else were to get that message, they would not be able to read it.
Starting point is 00:05:38 But then whenever the receiver gets the message, they would be able to decode it and read the message. This is also known as cryptography. The military has always viewed encryption as part of its tool set, right? Part of what they needed to do in order to help us win military wars. And the U.S. State Department keeps a list called the U.S. Munitions List that has all of the things that the government treats as a military tool such that it can't be exported without a license from the government. And so the U.S. Munitions List is pretty long. It has things that will be, you know,
Starting point is 00:06:20 it has tanks and surface-to-air missiles and submarines and things like that, military subs, that if you build them or a piece of them, you need to get a license from the U.S. government before you export it. So during the Cold War era, sometime in the 1970s or 80s, the U.S. State Department added cryptography to the munitions list. And it wasn't particularly important to the rest of us because the rest of us didn't really need to have strong encryption in what we did every day. So that's kind of what the world looked like heading into the early days of the Internet. The shift came as the Internet was getting to be developed, especially in the kind of early 1990s, you know, just before the World Wide Web, but when a lot
Starting point is 00:07:13 more people were beginning to think about what the world would look like if we had, you know, everybody in the world connected via digital technology, the realization that we were going to need to have privacy and security in this new world and that encryption was one of the ways that you could get it was fairly obvious to a lot of early thinkers about this. And so suddenly this thing that wasn't particularly relevant to the rest of us, the fact that the government controlled encryption technology suddenly became very relevant. ordinary people who wanted to do commerce or have a private conversation or, you know, use this technology to, you know, develop new tools that they might, you know, need to protect as trade secrets or keep confidential and also keep the network secure. Encryption does both of these
Starting point is 00:08:20 things. It both keeps things private and it keeps things secure. And so it emerged as one of the really important technologies that we were going to have to have available if we were going to have an internet that really worked for everybody. The government created an encryption standard that it let people use so that there could be at least some encryption, but it was very, very weak. This standard was known as DES and stood for Data Encryption Standard. With it, you can encrypt your data or a message, and anyone who reads the encrypted message could not understand what it said. And the person receiving the message had a key to decrypt the message. But by the time the internet was taking
Starting point is 00:09:05 shape, DES had already been around for 20 years and was starting to show its age. And most cryptographers, most mathematicians knew this for years. By the 90s, DES was clearly not, you know, not good security anymore. And the government was kind of pretending like it was. And one of the, one of, it was kind of an, uh, you know, uh, one of those situations in which the government policy people wanted something to be true, uh, that DES was really secure, um, because they had backdoored it because they, they knew that it wasn't, it wasn't really secure. And so they could always break it. and were pretending like it was really secure and hoping that nobody noticed. But, of course, people did notice.
Starting point is 00:09:51 So the government knew 40-bit DES encryption was not 90s, but there are other people as well who, you know, were making representations about DES that were, you know, I think not really true. And I don't, you know, you have to either think that they knew what they were talking about and were basically trying to convince the rest of us that it wasn't or that they didn't know what they were talking about, in which case it's a little troubling because they're the NSA. Businesses and banks were digitizing their data and the need for
Starting point is 00:10:29 all this data to be encrypted slowly became more and more important. The early 90s was a place where people are engaging in various kinds of protest activity, political organizing, all of that sort of activity. Encryption is tremendously important for people who are trying to change the government, who are trying to change corporate policies, who are trying to stand up for building a world that is better than the one that we have. And we know that the U.S. government has traditionally spied on people who are engaging in political protests. We know they spied on Martin Luther King. We know they spied on John Lennon. We know that they spied on all of the civil rights movement. This is why PGP got started. Phil Zimmermann, a software engineer, developed a
Starting point is 00:11:18 much more secure way of communicating called PGP, which stood for Pretty Good Privacy. And he helped human rights activists use it. He put his PGP code on an FTP server for anyone to download and use. And while Phil said he did not spread it outside the U.S., it eventually found its way to the other side of the U.S. borders. Because cryptography was considered a munition, Phil was investigated by the U.S. Customs Service for violating the Arms Export Control Act. This would be the same violation
Starting point is 00:11:52 if someone were to export Stinger missiles outside the U.S. without an arms permit. Businesses were originally fine with DES as the standard, even though they knew stronger encryption existed. Because in the 80s, the only adversary to businesses were other businesses. And they knew other businesses didn't have strong crypto analytic capabilities. So even if it was weak, nobody had the ability to crack it except for governments. But it started to become clear that other nations were trying to develop ways to break DES. So businesses were starting
Starting point is 00:12:25 to get a little worried and wanted to use stronger encryption. So businesses started using PGP as a form of communicating trade secrets and sensitive data. And using PGP internally was legal as long as the encryption didn't cross the U.S. border. For the next few years, Phil would be continually investigated for spreading his encryption method around the world. A case was brought against him by the government for violating the Arms Export Control Act. And from what I can tell, the battle between Phil Zimmermann and the U.S. government
Starting point is 00:12:58 was the first battle of the crypto wars. The users of the internet, security companies and banks were all starting to request higher and higher security encryptions to be used by the people. And on the other side was the military and law enforcement saying, no, you know, we need we need to keep the encryption weak so we can catch the bad guys. And, you know, we were pointing out that, you know, most of us would rather be secure in the first instance and not get robbed than have very low security, but slightly increase the chance that they might catch the robbers afterwards. In 1993, Bruce Schneier published a book called Applied Cryptography. This book describes various cryptographic algorithms and how to use them. It even contains algorithms which were not allowed to be used on the internet.
Starting point is 00:13:54 An electronic engineer named Phil Karn asked the U.S. State Department for a commodities jurisdiction for the book. He wanted to know if he could legally ship the book across U.S. borders. And since there's no export regulations on books, he was given permission to export the book. So then Phil Karn took a few pages from the book, which contained some cryptographic algorithms, and placed them on a floppy disk. He then requested a commodity jurisdiction for the floppy disk. The State Department had a discussion with the NSA and denied the request. We know they had a discussion with the NSA because of records requested through the Freedom of Information Act years later. Because the encryption was in electronic form, it was now considered a regulated munition and was not allowed to cross U.S. borders
Starting point is 00:14:36 in that form. This created quite a controversy. A book containing a mathematical algorithm can be sent across the border, but a floppy disk with the same algorithm cannot? So Phil Karn sued the U.S. State Department. He believed that if the data contained in a book is considered protected under the First Amendment, then data contained on a floppy disk should also be protected in the same way. And once Phil Zimmermann heard of this lawsuit, he decided to print his PGP source code in a book format. He even took great care into making the book easily scannable. He too asked for a commodity jurisdiction on his book.
Starting point is 00:15:18 But the State Department was now more aware of the situation and did not grant him the right to export the book. However, they didn't deny him either. The State Department just sat on the request for a while. Phil Zimmermann's publisher didn't wait for a response. Instead, they started shipping the book containing his PGP code all over the world. The security community took us in various other directions too, such as printing algorithms on t-shirts, which would then make the t-shirt a regulated munition. When something is a regulated munition like that, you can't even allow foreigners to read the t-shirt. Simply wearing that shirt in front of a foreigner violated the Arms Export Control Act.
Starting point is 00:15:55 So several things happened. I launched a team from EFF with EFF lawyers launched a lawsuit against the encryption technologies. There were actually three lawsuits that were filed. We handled one called Bernstein versus Department of Justice. Another cryptographer named Dan Bernstein was developing encryption methods that were above the regulated limit. In 1995, Bernstein wanted to write about his encryption, give talks about it, and publish the source code on the internet. The Arms Export Control Act and the International Traffic in Arms Regulations required Bernstein to submit his ideas about cryptography to the government for review, which also required him to register as an arms dealer and to apply for a license,
Starting point is 00:16:40 all this simply to publish his ideas about cryptography to the internet. Bernstein decided to do battle against the U.S. Department of Justice. And he got help from the EFF, specifically Cindy Cohn herself. The EFF took their best lawyers to go and help out Bernstein. Yeah, that was exactly what the goal of the litigation was, to make sure that people could publish. Publishing on the internet always is an export, right? because everybody in the world can see what gets published on the internet so we wanted people to be able to publish and share strong encryption on the internet
Starting point is 00:17:16 to get there what we did was we argued that computer programs, computer code, was protected speech under the First Amendment, and that the government's regulations of that speech in the form of the munitions list regulations were not consistent with the First Amendment. So for the next year, Bernstein, Cindy, and the EFF did battle against the U.S. Department of Justice. In 1996, a professor at Case Western University named Peter Junger also joined the battle. Yeah, Peter Junger is the third case. He also was arguing that he was a law professor, but he also had a computer science background. And he argued basically the same thing as Professor Bernstein, that he wanted to publish code as well. Not only did he want to publish code to the Internet, but he also wanted to teach a class on cryptography. But because he included cryptography as a topic of his class, he was restricted from accepting foreign students in his class.
Starting point is 00:18:18 This resulted in Junger challenging the export laws as well. So that case was going on in Cleveland. Our case, EFF's case was going on in California. And then Phil Karn's case was going on in D.C. And the three of us all kind of worked together to try to, you know, make sure that we were putting as much pressure on the government as we could collectively. This episode is sponsored by Shopify. The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast?
Starting point is 00:18:52 My focus was on finding a catchy name, some cool stories, and working out the best way to record. But oh, so much more goes into making a podcast than that. If you're thinking, what if I start my own business? Don't be scared off, because with Shopify, you can make it a reality. Shopify makes it simple to create your brand. Thank you. are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't act now and someone beats you to the idea? The best time to start your new business is now with Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it?
Starting point is 00:19:37 Sign up for your $1 per month trial period at shopify.com. Go to shopify.com. Start selling with Shopify today. Shopify.com. By this point, there were numerous businesses expressing a need for stronger encryption for their data. Banks in particular were requesting the government allow them to use a stronger encryption method. Specifically, the U.S. government was not allowing encryption that was over 40 bits in length to be used on the internet. Around this time, AT&T created a phone that would encrypt a phone call.
Starting point is 00:20:16 It basically created a modem connection from one end to the other and digitized the voice and then did a DES encryption on the data. AT&T sold these phones for $1,400 in the mid-90s. The U.S. government freaked out about this phone. They contacted AT&T and said they have a better solution. The government had been working on a new way to encrypt data electronically using a specialized computer microchip. The encryption was far superior to the common DES, possibly even unbreakable. The government called this the Clipper chip. The government developed this chip for anyone who wanted to use stronger encryption, and so a solution was found. The government urged AT&T to use the chip on their phone. AT&T was hesitant at first, but the government offered to buy a
Starting point is 00:21:02 bunch of these phones if they added the chip. So AT&T added the Clipper chip into the phone, and the U.S. government bought a ton of these phones. But in the features of the Clipper chip, there was one rather large asterisk. The Clipper chip had a backdoor key built into it, which allowed the government to decrypt any message encrypted by the chip. The government was basically allowing people to use a rather strong encryption method, but had a key to break the encryption if they needed it. The idea was that the government would be the only one who would ever have the key. And one of the things that happened right after that got released is a guy by the name of Matt Blaze,
Starting point is 00:21:54 who's now a professor at the University of Pennsylvania, computer science, a very famous computer science professor, demonstrated that these Clipper chips were really insecure. And demonstrated what we all kind of know is true right now, is that if you're going to, you can't build a door into strong encryption and only expect the good guys to ever figure out what the key is, to ever have a key to it. If you're going to weaken the encryption to let the good guys have a key, you're going to weaken the encryption such that the bad guys will have access to, um, and the, the demonstration of the flaws in the Clipper chip that Matt Blaze did was really, uh, central to this conversation because ultimately it meant that the government dropped the Clipper chip idea. And that was kind of the first, you know, nail in the coffin of the government's crypto policy. A second thing that happened was we were beginning to win our lawsuit. We won it at the district court, and then we also won it at the Court of Appeals. And at the same time, there were efforts
Starting point is 00:22:45 by in the, you know, to put, you know, there were efforts in Congress that were moving along a little more slowly. And there was also just direct pressure on the administration from the tech companies. And Al Gore, who was, you know, wanting to be president after Clinton, and, you know, was a pretty technically savvy guy. And I think he understood that this position wasn't very good and he wanted to curry favor with this growing Silicon Valley group of companies. And so ultimately what happened, the government decided that they were not going to keep encryption on the munitions list anymore. On November 15th, 1996, Bill Clinton signed Executive Order 13026, which removed encryption from the munitions list. The executive order also
Starting point is 00:23:35 moved who oversees encryption from the U.S. State Department to the U.S. Department of Commerce. Signing the executive order was a major victory for the civil rights activists. I'm sure that we had a party because we always had parties back then. I'm sure that we did. And we, I think there was much champagne. And, and, and we, you know, we were really happy about it. We were a little nervous that they would backtrack. We actually had some meetings with the government about it. And ultimately, I flew to D.C. and we had some meetings with them to kind of settle on exactly what this was going to look like. And actually, it turns out the government was still holding a position on the battlefront. See, the government was still requiring you to get a license for encryption and still regulated it. The government only licensed 40-bit DES.
Starting point is 00:24:29 They said you can have all the encryption you want as long as it's 40-bit, which is a little like saying you can have all the security you want as long as there's nothing but a really weak lock on your door. It was becoming obvious that people needed more encryption than something that was stronger encryption than just 40 bits. Because encryption was limited to only 40 bits in length, it severely limited how secure our computers could be. There were numerous stronger ciphers available, but under government regulation, this was
Starting point is 00:25:02 not allowed to be used. A company called RSA Security sponsored a DES challenge. They offered a reward for anyone who could crack the DES cipher. In 1997, a group found a way to brute force and crack a DES message. It took them 39 days to decipher the message. Cryptographers thought this would be enough for the government to allow people to use stronger encryption. But that didn't happen. NIST, the National Institute of Standards and Technology, still considered DES to be safe. The government downplayed the issue by saying 39 days to crack the code was too long of a time for it to be a significant threat. And one of the things that happened as a result of this kind of weird disconnect is that EFF created a tool called a DEScracker.
Starting point is 00:25:53 They still exist. It was a hardware tool that basically, you know, very cheaply could break DES. And the reason to do that was to demonstrate that the government wasn't being straight with people about how secure the technology was and that we needed to move to a more secure government standard. DES is a, you know, government standard. So if you're going to sell to the government or, you know, a financial industry, you need to be licensed by the government. The EFF called this tool Deep Crack and could crack a DES message in just 56 hours.
Starting point is 00:26:28 But still, the government did not change their stance on DES and still continued to endorse it. So a few months after that, the EFF and the winners of the first DES challenge joined together to develop an even faster way to crack DES. They were able to crack a message in just 22 hours. We did it because we weren't getting anywhere with the government and they were pretending, you know, again,
Starting point is 00:26:53 continuing to kind of pretend like the emperor had clothes on when we were pointing out that the emperor didn't have any clothes. What EFF built was completely available for bad guys to build all over the world. You know, we didn't create anything. We just demonstrated to the public what was long known privately, which was any bad guys with access to really straightforward off-the-shelf technology could build something that would break the security that all these financial institutions were relying on to protect our money.
Starting point is 00:27:21 This was the last battle of the war. Once someone could crack a DES message in under a day, the U.S. government agreed it was no longer secure. They released a new cipher called Advanced Encryption Standard, or AES. AES used 120-bit strength and was far superior to the 40-bit DES. They also allowed triple DES, which was a stronger version of DES. And by 1999, all court cases were dropped by the U.S. government. And new, stronger encryption methods were allowed.
Starting point is 00:27:52 And by the year 2000, the government stopped requiring licensing or restricting key lengths altogether. People were now allowed to encrypt their communication with as strong of an encryption method as they wanted. Businesses were able to utilize the most cutting-edge encryption to secure their transactions and data. And of course, Phil Zimmermann could publish his code online, and Peter Junger could accept non-U.S. students in his class that talks about cryptography. By the year 2000, the first set of the crypto wars were over, marking a major victory for our civil rights. We are now safer and our privacy is more protected because of it. We have these internet crypto warriors to thank for paving the way for our privacy and security. I think personally, it's the thing I'm most proud of that I've accomplished by working with EFF.
Starting point is 00:28:40 I think EFF has done lots of other things, but I had such a central role in this. And I'm very, very proud of the work that we did. I think we set up, you know, today's Internet to be a place where people have the right to have strong security. But this story is not over. This is just the story of the first crypto wars. Shortly after this, the government began attacking crypto in new ways, which went entirely undetected for a long time. But that's a story for another time. People ask me if I think we're becoming more secure or less secure online over time.
Starting point is 00:29:19 And after researching this episode, I definitely think we are becoming more secure. Because once crypto was allowed at any strength on the internet, it opened up the doors for websites to encrypt their whole website and not just a login page or a credit card page. And more and more websites are going full HTTPS, making all of their communication to it private. And the EFF creates tools like HTTPS everywhere, which is a browser plugin to allow us to use HTTPS where available. And what's more is when strong encryption is showing up in our everyday lives without us even knowing it's there,
Starting point is 00:29:54 we don't even have to enable it. And in fact, we can't disable the encryption even if we wanted to. For instance, Facebook uses a protocol called Signal to do end-to-end encryption of their messaging service. PGP had a hard time getting mass adoption because it was hard to use, but now even the most technologically illiterate people are using strong encryption when talking with their friends on Facebook. When these strong encryption methods become integrated into our lives in ways that make it easy for us to use, we become safer and our privacy is protected.
Starting point is 00:30:26 Encryption is becoming more seamless and more integrated in so many products. Yes, a lot of technology we use every day still isn't using good security practices like text messaging and standard phone calls, but there are still major wins in the name of privacy and online security that happen all the time. We'll never become fully safe and secure online because it's simply a hostile environment. But we can stay vigilant and speak up when we feel our privacy and security is not being looked after. And when enough of us raise our voices, we can win the next crypto war. You've been listening to Darknet Diaries.
Starting point is 00:31:10 For show notes and links, check out darknetdiaries.com. There you'll be able to see a picture of the Clipper chip and Deep Crack. Music in this episode is provided by Ian Alex Mac and Kevin MacLeod. Hey, it's Jack. As you just heard, the EFF played a crucial part in winning the crypto war. Thanks, Matt. civil rights. If you appreciate what they've done, and you should, then you should join the EFF. They have over 40,000 members, and by joining, you will be helping them make the internet a better place for all of us. I'm positive you like the internet. You might even love the internet.
Starting point is 00:31:56 So please consider joining the EFF to help keep the internet a great and awesome thing. Also, for joining, you get some cool swag like hats, shirts, and stickers. I've been a member since 2009 and I hope you join me too. Sign up today by visiting EFF.org slash Darknet Diaries. Don't forget the link.
Starting point is 00:32:16 It's EFF.org slash Darknet Diaries. Thank you.
