The story behind my top secret coffee cup and the source code.
Please listen carefully and don’t hang up. Those were the first words this unknown male caller said to me when my brother handed me the phone.
It was the July 4th weekend, 2000, give or take a day, and Mr. X knew to say that first because he was calling me after midnight at my brother’s house in Connecticut.
This was beyond creepy because I lived in California and nobody knew I was in Connecticut except for my immediate family, who were all there with me in the house. I had only arrived the day before as I do most years about this time for our annual family picnic.
Why was this guy calling me?
It was a matter of national security.
The caller apologized for waking us up and said his name was Dave. He asked me to get a pen and paper because he was about to give me some important instructions that would allow me to confirm his identity. Then he dropped the bomb and said “it was a matter of national security.”
By now some of the other people in the house had started to gather around where I was standing in the kitchen by the wall-mounted phone. What the hell was going on? I signaled to my brother to bring me a pen — stat.
I was still trying to process what was going on, and strangely, I didn’t even have the frame of mind to ask Dave how he got this number. He sounded serious and spoke with an air of authority; I guess I was already convinced he was on the level.
Okay, I’m ready to write.
Dave told me he was with the NSA in Bethesda — the National Security Agency. He couldn’t say anything more until I called him back. This is why I needed the pen. He was about to give me a series of steps to follow to call him back in a way that proved his identity and cemented the gravity of the situation.
Call Me Back
Dave instructed me to hang up the phone and dial 411 (information) and ask the operator for the main number to the naval base in Bethesda, MD.
I was to call that number and then work my way through a series of other base operators, asking each in turn to connect me to the next one in the chain. He gave me the exact words to say at each hop since I’d be asking to be put through to a secure facility.
The adrenaline had kicked in and I was wide awake.
To put me at ease, he said he’d call back in ten minutes if he didn’t hear from me — just in case I messed up. But I didn’t mess up.
A few minutes later I was back on the phone with Dave. Whoa — the NSA. This was actually real. The adrenaline had kicked in and I was wide awake.
We Need Your Help
Dave proceeded to tell me that they were in possession of a laptop containing files that had been encrypted using my SafeHouse privacy software.
They had a national security situation that required immediate access to those files and they needed my help; or more specifically, for me to help them gain access possibly faster than they could do all on their own. Time was of the essence; hence, the midnight call.
Bad things were about to happen if the NSA couldn’t get into those files.
SafeHouse was (and still is) a popular Windows utility I developed to encrypt private files which was distributed as Internet shareware. The free shareware edition purposely featured weak encryption to comply with State Department export controls on munitions as well as to encourage users needing serious privacy to upgrade to the stronger paid edition. My customers ranged from home users to big Wall Street institutions.
Bad things were about to happen if the NSA couldn’t get into those files. Maybe people would die, or at least Dave instilled that impression on me as he politely asked if I would be willing to give him my source code; all the while, apologizing for not being able to tell me anything more about the situation.
I mention Dave was polite in asking for my code because it’s something that stood out and struck me as unusually odd — he was way too nice. He seemed predisposed or prepared for me to say no.
And if it had been anyone else at any other time, he would have been right, but I could tell something big was up and there simply wasn’t time to debate the merits of handing over my source code to the NSA.
Of course, Dave asked right off if there was any chance there might be a back door to the encryption, as that would save a lot of time. But no. SafeHouse was designed to the highest standards and best practices using strong 256-bit industry-standard ciphers.
I’ll give you the source. Absolutely. Anything you need. No problem. But there actually was a tiny problem — I didn’t have it with me. I was on vacation. So I called and woke up Ron in Portland, OR. By then it was about 1am on the west coast. Ron was a programmer on my team and I knew he had a copy of the source code at home.
Zipped. Emailed. Done.
I tried to probe — so, can you guys actually break 256-bit encryption? Dave was mum. Encryption insiders had always speculated about that; I figured it was worth a try. I didn’t really expect him to answer.
When did this laptop dude buy SafeHouse? What version did he have? The more I know, the more I can point you guys in the right direction.
And that’s when Dave let on that laptop dude had the shareware version. What — seriously? That changes everything. The shareware version only supported cheap 40-bit encryption — totally breakable within just a few days by most determined hackers; and likely, I’d assume, in quite a bit less time than that by the secret code breakers working in windowless rooms deep inside the NSA.
I probed again, this time about their capability at 40 bits; maybe that reduced level wasn’t such a State secret. But again, Dave was mum.
But seriously, this laptop idiot was planning to blow up a building, or something equally as bad, but wasn’t smart enough or flush enough to pop for the $39.99 to step up to the maximum-strength encryption?
This time Dave answered — “surprisingly, it happens all the time. They call them dumb criminals for a reason. Unbelievable, but true.”
I continued to work with Dave and his team over the next day or so. I answered all of their questions and they answered none of mine — naturally. But they were always polite in these one-sided conversations that fueled an insane curiosity that I knew would never be satisfied.
But there’s still one thing that continues to nag me after all these years – how the hell did Dave track me down 3,000 miles away from home after midnight on that how summer’s eve in Bristol, Connecticut.
Continue reading here.