134 comments

[ 2.9 ms ] story [ 140 ms ] thread
This guy had dubious ethics right from the start by offering most users a free version with weak encryption just so they can pay for the premium version. The export control excuse is bogus as by then DJB had already won the lawsuit against the U.S. government over this issue.

So all in all, I could see it coming that he would be offering the source code on the silver platter to the NSA after reading the first couple of paragraphs from the post.

I also like how he calls that guy a "dumb criminal" for not buying his military-grade encrypted software, as if he hadn't already admitted that he was giving the source code for the full version to the NSA anyway. In other words, he didn't just break the trust of the free users, but also of those paying him to keep their conversations private. This is why I said he had dubious ethics.

I don't see why it's any different than a photo-editing app that applies a watermark to the free version. It's intended to let people give the software a try, and if it seems to meet their needs, they buy the actual product.

As for sharing the source code with the NSA, I think you have a better argument there. That said, it's kind of like helping someone install a secure lock on their door to keep out criminals, yet being willing to share a master key with police if it's a matter of life and death.

It's not a master key, it's a blueprint of the lock with no combination or exact pin layout.
(comment deleted)
not the master key, the schematics to the lock maybe. Assuming no bugs, I don't see how the source code could help in any way, they may as well have downloaded the source code for openssl.

He also didn't bother to verify whether it was a matter of life or death, he just immediately assumed he was helping break into a file containing the deactivation code for a bomb or something, who knows what the NSA was actually doing.

> offering most users a free version with weak encryption just so they can pay for the premium version

As long as that wasn't a hidden fact from the users, I don't see the issue.

People are stupid. Seat belts that appeared to work but didn't actually keep you safe would be illegal even if labeled.
You die if your seatbelt doesn't work and companies charge for seat belts. You don't die if your encryption is weak and you aren't paying for it.

But otherwise, super useful analogy.

> You don't die if your encryption is weak

This really depends on the business you're in.

The laws were different back then. The State Dept changed the rules a decade or more ago, I forget when, and AES 256 has been the default cipher ever since. Encryption is listed as a munition. I would have gone to jail if I put anything greater than 40-bit encryption on the shareware sites. Look what happened with Phil Z with PGP.
The law was changed a year before your story takes place.
Furthermore, if the government calls someone a criminal, their target may well be a dissident, journalist, whistleblower, etc. Things aren's so black and white any more.
Good security isn't based on keeping source code secret. There is plenty of the most secure encryption software that is open source. I don't really see any ethical issue in handing over the source code.
Exactly. TrueCrypt was the big open source product at the time. A great product used by many hundreds of thousands of people -- I know, because I used to track their progress.
How does access to the source code help?
attempting to find bugs (likely cryptographic weaknesses) that will let them crack the encryption faster.
I should hope he didn't roll his own encryption, pretty sure openssl existed in 2000, the NSA could have gotten a copy of that easily
I did not roll my own. Very few people in the world are smart enough to do that. I just create a very nice user interface to make things easy for ordinary Windows users.
Looking for bugs. Promising avenues of attack.
the cynic in me thinks they could use the source to plant a backdoor in, then try to manipulate known targets into installing the tampered software under the guise of an update
Gives them a few hours headstart over reverse engineering to get the details of the binary format, and most likely, if the application was password based, which KDF was used. Because even if it was indeed 256 bits encryption, a weak KDF was all too common...

In any case, they didn't need the source if their goal was as some say, not to decrypt files a bit faster but to produce a backdoored version.

Speed. You can look through disassembled code and find the algorithm in due time, but having the source code could make your job take literally five minutes if all you need is the right parameters (e.g. bcrypt with cost factor 11 as input for DES). Knowing those, and assuming it's reasonably small, you can just fire up your cracking station at that point. If it's too strong, you'll have to look for weaknesses in the code, which is still much faster to do with source code than with assembly.

For backdooring, getting it to compile might take longer than putting the right jumps in and linking the desired dll, depending on how standard the compilation toolchain is and how experienced you are in backdooring.

This is all assuming that they have the program in the first place and not only the encrypted file, though it sounds like they did.

So, the NSA was able to build and deploy a backdoored version of this software to their targets without the trouble of reverse engineering and modifying it. Nice
All for the cost of a coffee cup.

  "But there’s still one thing that continues to nag me after all these years  -
  how the hell did Dave track me down 3,000 miles away from home after midnight
  on that hot summer’s eve in Bristol, Connecticut?"
Assuming the author flew cross-country from California and his brother had a phone number in the family name, it doesn't seem too hard to piece together with good old fasioned detective work - on top of good old fashioned databases open to the NSA. I wonder if Dave got it right on the first call?
I'm the author. They found me on the firsts call. I have a unique name - the footprint was there. But, I had 5 relatives in the same town. Nobody else got a call. Were they just lucky?
This person is either lying or delusional, or got pranked really hard. The "details" provided, while they make great story, simply don't cohere with how the NSA operate.
I noticed one internally inconsistent detail, although possibly he just mis-remembered. They called him "after midnight" in Connecticut. He called them back, which took less than 10 minutes. After some discussion he calls his employee in Oregon - "by then it was after 4AM on the west coast." Midnight in Connecticut is 9PM on the West Coast, so unless the conversation went on for 7 hours before he called Ron, he's wrong about one or the other of the times.
(comment deleted)
18 years is a long time ago, and memories fade and get corrupted even after a short period of time, much less that long (its on reason we have statutes of limitations on most crimes).
You're absolutely right...I forgot the time diff as I wrote the story and some is just plain fuzzy after all this time. I spent hours on the phone with them that night and I was giving them guidance by memory since I was so familiar with the code. Somewhere in the course of that they ventured to ask for he source.
Care to explain? When the NSA calls me how will I know if it's really them? Do you have anything to share?
(comment deleted)
I think we can rule out prank, because of the way that the caller had him get back in touch, starting with 411.

Unless the pranker had complete control of his phone and could route dialed numbers to anywhere.

I mean, Bethesda is like 20-miles away from where the NSA operates. So straight up, the location is immediately wrong.

A funny thing about people who live in Maryland: the NSA has a big sign that says "NSA" on the highway. We all know where it exists, and there are funny local stories about ignorant criminals taking the wrong road and ending up in the NSA checkpoint. Its a famous local landmark.

http://www.capitalgazette.com/news/ph-ac-cn-carjacking-suspe...

People tell me that you can even drive up and go to a public gift-shop they have out front, by the National Cryptologic Museum (which is run by the NSA). Its literally a public place and they let anyone in to see some cool stuff. https://www.nsa.gov/about/cryptologic-heritage/museum/

----------

The thing is: the guy seems to have been called by Naval Support Activity, Bethesda.

https://www.cnic.navy.mil/regions/ndw/installations/nsa_beth...

This is a "different" NSA, and not "THE NSA" that people talk about.

Whether or not its actually part of protocol: I dunno. But maybe "Naval Support Activity" dudes like to pretend they are "the NSA" as a prank. Or maybe they really are part of national security (I mean, the US Navy is still... technically national security, right?)

---------

In short: my expectation.

1. Naval Support Activity called this guy up to ask for a favor. They misrepresent themselves (but without lying: they are the "NSA" after all) to kinda encourage this guy to do something for them.

2. They feel bad about pranking the dude. So they drive to the Cryptographic Museum and buy him the first "real NSA"-branded gear that they find. Then they ship it to him.

He says they sent him a blue NSA mug afterwards and "I’ve had that top secret coffee cup for 18 years now. It’s the same one pictured at the top of this article.". The picture of a blue mug on the post says National Security Agency. Hard to imagine one agency pretending to be another like that. Not sure what to make of it.
Those mugs are probably sold at the NSA Gift Shop in the Museum. Its probably the real deal, but anybody can buy them.

If these pranksters were really in Bethesda, it wouldn't take much longer than 40 minutes or so to drive over to "real NSA", buy the mug, and then come back to their office.

The Naval Support base in Bethesda was just the "entry point" to the chain of calls - note he was asked to then ask for a sequence of additional people/lines to get to his eventual contact. Probably those reroutes were to separate facilities, eventually landing at "Dave" with the National Security Agency.
Read the article carefully.

> Dave told me he was with the NSA in Bethesda — the National Security Agency.

So did DAVE say he was with "National Security Agency", or did Dave only say "I'm with the NSA in Bethesda", and then the author misinterpreted the claim?

I 100% believe the mysterious man said "I'm Dave from the NSA in Bethesda". But what I DON'T believe, is that Dave is with the National Security Agency.

I believe "Dave" is from the Naval Support Activity in Bethesda. EDIT: Although the article seems to say that they were really interested in breaking his encryption. Which seems like a "real NSA" thing to do.

EDIT2: Regardless, it was an entertaining read.

A funny thing about people who live in Maryland: the NSA has a big sign that says "NSA" on the highway. We all know where it exists, and there are funny local stories about ignorant criminals taking the wrong road and ending up in the NSA checkpoint.

Yes. In 2015, two drugged-out tranny hookers in a stolen SUV went down the employee entrance road. They tried to crash through the gate. They didn't get very far.[1][2]

[1] https://www.nbcnews.com/nightly-news/video/feds-say-nsa-gate... [2] https://abcnews.go.com/US/injured-nsa-headquarters-fort-mead...

Tranny is considered an extremely derogatory way of describing a person. I would use transsexual or a crossdresser, although the article you linked didn't specify the reason for cross dressing so it might be just been a disguise rather than a lifestyle choice.
I can't imagine what in the world the Naval Support Activity would need the code for that application for. They're literally nothing more than a facilities command.

It is odd that the writer refers to them specifically, they have no connection with the actual NSA of which I'm aware.

> I can't imagine what in the world the Naval Support Activity would need the code for that application for. They're literally nothing more than a facilities command.

This wouldn't be the first time I heard of a US Military dude prank-call someone.

yeah, but the story doesn't add up for just a prank call.
Hmmm... tracking down the dude as he flew across the country seems outside the scope of a prankster.

Well, now I'm neutral on the subject. There's details that make me disbelieve the story. But tracking down the author and finding the right phone number to call him seems like a feat that would require decent resources.

Basically: that's a level of effort that goes well above and beyond a typical prank call.

Agree -- there are too many dissonant pieces to this story. I guess it could be true, it just doesn't make a lot of sense.
> I mean, Bethesda is like 20-miles away from where the NSA operates

The NSA exists beyond Ft Meade

I encourage people to go to the crypto museum if they're in the area! It's really neat with all sorts of old cipher texts, old super computers (original Cray etc), and they have an Enigma machine that you can play with. The tour guides are knowledgeable and it's a worthwhile time.
Then why don't you share with us what is wrong about it? It seems a fairly legit way to prove identity (I was thinking about it and the easiest would be to suggest the wrong number as directory services, hoping the person doesn't use DS and doesn't know the number that well, or is to sleepy to notice). Some parts are a little overdone, like, "Was Dave even his real name?" (of course not), but I don't know any better so instead of just making a short remark, why don't you share your wisdom?
As others have noted, NSA isn't in Bethesda, and those mugs, along with keychains and tshirts, are available in the gift shop. Also, there's a 0% chance that the NSA would call him up afterwords to let him know that everything worked.
(comment deleted)
I'm sorry, but my post said things worked out - not that they cracked the code. I was clear they wouldn't tell me anything. I had always assumed the mug was from the gift shop. It would be hard to think otherwise.
Yes, I wonder about that, too. NSA hasn't been that mysterious about contacting them in decades. Their people have business cards. There was a time when you did something for them and got paid with a check from a furniture store in Maryland. But that was back when the USSR was still a thing. They have a web site now. You can call NSA's main number.[2] The "chain of calls" thing sounds totally fake.

The coffee cup is from the NSA gift shop at the National Cryptologic Museum.

[1] https://www.businessinsider.com/nsa-gift-shop-2016-5#right-a... [2] https://www.nsa.gov/about/contact-us/

My guess is that this is a marketing ploy designed to convey the message that the author's skills are above the NSA's and as such his software should be bought by anyone and everyone interested in great security. Considering the shareware version was 40bit encrypted, I highly doubt the NSA couldn't crack it before making that phonecall.
All commercial encryption software uses the same public ciphers. Do you really think nearly 20 years after the fact I'm trying to impress anyone? But, they were impressed at the time about my user interface which wrapped the ciphers, and they later had a group visit me in California about some internal uses of that same UX; but nothing came of it in the end.
Yeah that was the impression the blogpost left me with. If I'm in the wrong I apologize but as always I feel that honesty is the best policy.
People use encryption so that their files are secure in situations where failure would be disastrous. Ranging all the way from protecting your credit card number to protecting your sources from being tortured and killed for talking to you.

Offering broken encryption that appears to work is dangerous, unethical, and stupid.

The author ought to be ashamed and people ought to be smarter.

Yes, but offering non-broken encryption was illegal at the time.
As the author stated, encryption was export controlled for a long time. The legal fight was very intense. If I recall any encryption stronger than 40 bits needed a license to export outside of the USA until about 2000 or so.
Yeah, I remember that being a thing in browsers. It was kind of odd to download a browser with 128-bit encryption that forbade me to distributing it to anyone outside of the USA.
Pretty sure this isn't accurate. I thought the government dropped their lawsuit against PGP in the 90s.
Yeah, my brain said "18 years ago? Yeah, that was the nineties" and I didn't realize it was 2000, although the shareware version might have been developed much earlier.

Also the lawsuit was against Phil Zimmermann himself, not PGP.

U.S. non-military exports are controlled by Export Administration Regulations (EAR), a short name for the U.S. Code of Federal Regulations (CFR) Title 15 chapter VII, subchapter C.

https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...

From your own link "The export of cryptographic technology and devices from the United States was severely restricted by U.S. law until 1992, but was gradually eased until 2000;"

The software was capable of strong encryption it was restricted by being paid for.

40 bit encryption in 2000 wasn't seen as bad, it was seen as decent. It would have required a fair amount of computer power to break in a short time.

It was also what was legally exportable at the time.

Providing some security is better than providing none. You lock your doors but have glass windows.

Arguably stronger than the locks on most home doors, that could be picked in under a minute
But I don't buy a lock for my front door expecting the manufacturer to simply give the key to anyone that asks nicely for it.
Your lock already has a backdoor. A locksmith can open your door in 2 minutes.
This wasn't providing the key as much as the schematics to the lock, which turns out, they pretty much do: https://www.kwikset.com/Libraries/Literature/Rekeying_Manual...
It's the spirit of the action. Publishing the source on github ought to be OK in theory if it isn't implemented poorly but it turns out that it is in fact implemented in a deliberately weak fashion.

Knowing that his customers privacy was on the line, knowing that there was no due process, knowing that revealing the source would help the NSA violate his customers privacy, not needing any explanation or legal paperwork, not even truly knowing if the person on the other end of the line actually was the NSA, not a private citizen trying to violate the privacy of another citizen he decided to comply without question.

Ticking bomb scenarios that can be solved by cracking encryption are so rare I'm not aware of any existing in history.

The right answer was to request a court order and wait. If it was truly a matter of national security they can also wake up the judge in the middle of the night and have an officer of the court serve it.

They were obsequious about it because they didn't have a leg to stand on. 50 50 they weren't even the NSA but rather a sailor trying to spy on a mates computer.

Seeing as all you did was call a naval base and get transferred several times how do we know he wasn't talking to a random individual at the base.

The ciphers are public. Providing source for this specific implementation of "user interface" did nothing more than indicate sizes of file headers, etc. No customers were put at risk. All I did was save the NSA maybe a few hours of time during a critical moment. Do you really think they couldn't have figured out there is a 4K file header (see, I've said it here, no harm).
Can you explain how you can prove you are talking to the NSA by call foo ask to be transferred to bar, ask to speak to baz?

Logically the fact that you called into the navy base indicates you are talking to them but by the time you get transferred how do you know who you are ultimately talking to?

Couldn't you be talking to anyone who works at the navy or works with someone who works at the navy? One great thing about court orders is that its trivial to authenticate them and they get the exciting task of making sure the person asking for them is a legitimate actor on legitimate business.

If a random private wanted to fool you couldn't they have had you call in in such a way as you would trivially be talking to a known party who will ultimately transfer you said party? Hey this joker is going to be transferred to your extension asking to speak to john doe at the NSA send him to my extension please.

Considering that we now know that intelligence apparatus was used to spy on love interests how do you know you were collaborating with a legitimate legal operation as opposed to illegal spying on citizens?

Likely you aren't in a position to judge right which is why we have you know judges and court orders and such ceremony.

I respond to random calls that seem strange by hanging up and telling them to send me something official in the mail.

Neither the people who claim they would like me to give me a fortune I inherited overseas, the guy who claimed I won the lottery, or the guy that claimed to be the IRS demanding immediate payment have followed up yet.

At best your judgement is questionable.

Here's how I looked at it -- they are 1000x smarter than me on matters of encryption. It was totally unlikely I knew something they didn't. At most, I saved them a few hours on a matter of life and death, and I had minutes to make that decision. And recall, back then, people felt differently about the NSA. If this was a total spoof - the reality is I didn't give anything up. I didn't invent the encryption ciphers. I just packaged common ciphers in a user interface people really liked.

But in response to the people here who think I was tricked. That's not the case. What I didn't put in the post was that a team from the NSA visited me in California a few months later. But again, had I been tricked, it wouldn't have mattered.

You remembered to mention the coffee cup but you forgot to mention the team from the NSA that visited you to confirm the authenticity of what sounds on the face like a story of you getting scammed.

I'm sorry this is utterly beyond belief.

Are you OK with a freedom of information request regarding the NSA's request for your participation in helping the NSA break into your customers machines?

If I understand correctly such a request could be made by anyone running your software.

Given moores law the only encryption that has ever been acceptable is that which is impossible to break within any reasonable time frame.

Taking slightly longer for a computer to open your files while I put my feet up and drink coffee doesn't suggest an increased degree of security unless it requires a truly substantial investment in hardware or time. The encryption in question could have been broken on a home computer 4 years later in 2 weeks.

Seen as bad is a poor benchmark it WAS bad.

The legal limitations on crypo export is a bad argument on so many fronts its hard to pick one.

- The legal matter of exporting encryption was well on its way to settled by 2000 see https://en.wikipedia.org/wiki/Bernstein_v._United_States where such restrictions were found to be illegal in 1999.

- Author sold a higher grade of encryption including abroad

- Author either didn't care about the law or would have been afoul of it with his paid version.

- The laws against exporting encryption were a useless farce that never did anything useful

I'm not ashamed! The product was not broken. As others have correctly pointed out, there were export restrictions for public shareware downloads. The product is still sold and has never been reported to have been broken. The ciphers used are all public domain - that's how people trust them. Nothing about a cipher can be secret.
What a dingus. Maybe there was no emergency, they just wanted your original source to look for imperfections in your implementation. Maybe 256 is secure, that doesn't mean your 256 is secure.
Assume the 411 call is legit, and this really was the NSA. The author has no evidence there was a ticking time bomb scenario underway. Other than the fact that he was called late at night.

Calling him at his parents’ place late at night seems less like a coincidence and more like an ominous demonstration of their power. I know that would influence me, and I’d feel more disposed to cooperate.

I could forgive someone making a rash decision after midnight while traveling. But here it is, some time later, and the author still seems to think it’s a cool story. Nice to know that a maker of privacy software doesn’t think skeptically about the government.

He gave away the source code, not the master keys to unlock every single version of the software. At best, the source allowed the NSA to derive the binary format used by the files. Whoopie.
Yeah so if there are any vulnerabilities in his software, he just gave them all they need to exploit them...
Not quite. Not that source code secrecy should be relied on, but the source code not being secret increases the changes of e.g. side channels being discovered that jeopardize all the users of the author's software.
The ciphers are public. What the NSA really wanted was the size of file headers, special markers, etc -- so they could skip over the fluff and home in on the juicy stuff. I gave up nothing that would put the product or users at risk.
With due respect, the person you spoke to on the phone didn't really answer your questions, per your post. What leads you to the conclusion? From my perspective, it doesn't sound like you know what they were using it for at all, or even if there was an urgent matter that even required it. For all we know, it was just a Tuesday and they were just hunting for the source of a common encryption utility.

And just because a cipher is public does not mean that there does not exist a side channel in the implementation of the ciphers or a mistake in your usage of them.

> And just because a cipher is public does not mean that there does not exist a side channel in the implementation of the ciphers or a mistake in your usage of them.

And just because they have the source code, doesn't mean they couldn't get it from reverse engineering the binary. I have not seen a binary that was completely resistant to reverse engineering yet.

Likely he was just saving them time.

You seem to be arguing (across multiple comments) that you gave up nothing that would put your product or users at risk though you have no evidence of that. In fact, just the fact that you gave them what they wanted means that it had some impact greater than nothing and it certainly wouldn't be for the positive towards your users or the product. Why did they want it in the first place then?
So one of the many services the NSA offers to the US Government is reverse engineering. Do you really think that his software was so mysterious that they couldn't figure this out eventually?
That's resource intensive. They might have, but it's also entirely possible they would have decided it wasn't worth it. Might as well first see if the author is kind enough to just hand over the source. At the very least, he should have made the code open source after giving it to the NSA so that there was a chance of zero days they discovered getting worked out.
> They might have, but it's also entirely possible they would have decided it wasn't worth it

That's an enormous assumption based on zero evidence. The only resource the NSA is limited by is time. Money and man power (up to diminishing returns) are effectively limitless.

They were trying to skip a step, but there's absolutely no reason to believe they could have (and would have) done without through reverse engineering the binary. The NSA guy implied time was the major factor, and wanting the source certainly implies that was the case.

With source in hand, couldn’t they just distribute backdoored copies of said software?
It seems a little unlikely that the NSA would require the source code of a small shareware utility just to release a backdoored version.
Also, author didn't mention how his programmer securely transmitted source code to NSA. Did NSA publish their public keys anywhere on Contact Us form?
You have to take into account the temporal setting of the story. 18 years ago is pre-9/11 and all the reveals that happened between then and now.
The 1990s were the era of the cypherpunks, the Clipper chip, and, as the author alludes to, some fairly inane export restrictions on cryptography. This was not some innocent time.

If you want to go further back, there's the Church Committee (which concluded that security agencies were way out of control and had to be reined in).

You're passing judgement based on a life time of learnings. How much did this person know at the time? Arm chair quarter backs always seem to have the right answers.
If I’m coming across as accusing that he made the wrong decision, I don’t mean to say that. The story he’s telling suggests he made a difficult decision under the impression that it was urgent and important.

What I am saying is that in hindsight, this seems like the wrong decision, and I would hope a maker of crypto software would realize that.

This article seems like a great argument for using open source encryption software. This guy handed over his source code to the NSA without a warrant or anything? So any idiot that steals your laptop can just call him up and exploit his software to get to your files. Great.
Looks like weak security is a trend with this software.

> You attempted to reach www.safehousesoftware.com, but the server presented a certificate signed using a weak signature algorithm (such as SHA-1). This means that the security credentials that the server presented could have been forged, and the server may not be the server that you expected (you may be communicating with an attacker).

> But seriously, this laptop idiot was planning to blow up a building, or something equally as bad, but wasn’t smart enough or flush enough to pop for the $39.99 to step up to the maximum-strength encryption?

Boy, you sure seem confident in your assessment of the severity of the situation. It's not like the NSA would have any idea how to get information out of people by convincing them the situation was something other than what it actually was.

Granted 18 years ago was a much different time than today. It's a shame that these agencies have proven their motives so untrustworthy.

Lets also assume there is a selection bias. The things the do right with the right intentions you never hear of. Its only when things go wrong do we know.
There's nothing to be proud of and writing a blog post about it.

Your users used the software to protect them, or even paid for it. Now this "Dave" can crack files generated by this shareware. Maybe "Dave" had a genuine national security situation. But was it really? What if Dave just wanted to prank the author, during a boring afternoon? What if it were a couple of guys parked outside who hijacked the phone system, so even if you call 411, it would route to their van outside? Or what if Dave already did the same demand to dozens of other security vendors, effectively having the source code of all encryption software? And even if it was a national security situation, what is the legal basis of giving up source code and keys?

What I get is "I was just a regular computer programmer and overnight, I was actually important enough to be useful for the NSA"

The ethical implications are often not considered by software developers, thus you get cases like this where the author did not stop to push back, acting as a useful idiot for the NSA.

There are way too many people like that in tech, who don't stop to take in the bigger picture before performing the requested action.

I agree, the first thing he should have asked for is a warrant signed by a judge, and then independently verified it was real.
At the very least there are many circumstances where reporters who were reporting on pretty underhanded activities in the us were targeted by the us govt, and what if this situation happened to them. My govt is generally good here in the us, but we know plenty of cases where they didn't have good intentions, this is done to intimidate. So if you are an author of security software, you might keep this in mind. And other countries like Russia and China would definitely put pressure on people to help them.
Let's be a bit more realistic, the title might as well have been "how I open-sourced my encryption software at the request of someone".

Yes, the author was way too quick to give up the source code, but it was just source code, not a backdoor key.

The code was not open-sourced. It was only given to one party, and presumably did not come with a license to redistribute the source code.

This means all users of the software are less safe. If the NSA can find a bug in the code, they can unlock everyone's files, but nobody else could ever uncover that bug.

I'm the author of the article. All common ciphers are available as open source already. I just packaged it into a product. Encryption done right does not suddenly become vulnerable if published to an open forum. I gave up nothing. I did not put any customers at risk, nor did I put my product at risk. People who think otherwise do not really know how encryption works. It works because the ciphers are public and tested by time. And for the record -- I would do it again if asked.
Thanks for your honesty.

However, I would probably respond along the lines, "I'd be happy to supply this, right after you show me a court order". Otherwise, no matter what, I cannot see how it would not be used for anything other than a nefarious purpose.

If it doesn't help them get into files used to encrypt the software, then why did they need it?
If it was for criminal purposes it would have been easier to bribe a janitor at their office to plug a USB drive into one of their machines for a couple minutes before tossing it.

I'm willing to bet Dave was a government employee, though I won't give up the possiblity he wasn't NSA and more likely some other government organization that needed to stop something yesterday but didn't have the clout to get the big 3 letter organizations to pay attention and help them out

Yeah, makes sense. And I planned it all out even down to timing the post to hit last night after midnight before all the pipe bomb news this morning on TV. Or, much closer to reality, maybe I just wanted to see if I could write a post that got some traction. Don't overthink it.
This is an incredibly condescending and insensitive post... Why would you attack the completely valid opinion from that person in this way?
Please. Save the moral judgement for events that happened after Edward Snowden. This happened 18 years ago. And judging his actions back then through the lens of what the NSA has done in recent history is very unfair.

Fast forward a year to 9/11, and the question would be, "What is the legal basis for not doing everything you can to help the NSA?"

For a 9/11 situation, I would ask that the case should be reviewed by a judge who'd mandate an injunction (or similar) to deliver source code. In a national security situation, I'm sure the judge will work quickly, and you will still get your NSA cup. Everyone's happy.

There are laws and a constitution, you can't just throw it out the window at the first phone call.

Notice how he masterfully distilled cool details about his software culminating in the 'low' price, all wrapped in a captivating story?

30 minutes later after he has left and you have closed the door to go back to your chores, you're wondering why you ordered 2 magic-mix blenders...

The only thing I did masterfully was write a Medium article that got some attention. I didn't even include a link to the old software which hasn't been updated in a decade. It's nothing more than an interesting story about one night nearly 20 years ago. Sorry to disappoint.
Can I return the blenders?
I think I know his brother. Given his intellectual interests, especially at the time, I bet the phone call from the NSA is something they still talk about.
Ha ha. We moved on years ago. Our conversations are now typically about the fact he as way more patents than me. I only have two ;)
The number of commenters who clearly did not read the story and have completely missed that this story was about the year 2000 is pretty stunning.

Plus the complete lack of understanding of the encryption standards that were legally exportable (which is also mentioned in the story) and seen as good enough is kind of stunning. 40 bit encryption in 2000 was decent. It wasn't great, but it would deter almost anyone.

I get that we all want to feel like something we are a part of is so important that James Bond-esque stuff happens to us. But, the author of this software did a disservice to his users by immediately rolling over to an, essentially, unknown party. I'm wondering what he would have given up if "Dave" had claimed to be Nigerian nobility.

Though, kudos to "Dave" if this was just a ruse to avoid paying for the $39.99 version.

God bless you for doing what's right for America.
Mitnick?
I'm about half way through Ghost in the Wires and this sounds exactly like something he'd do. "Hi, this is so-and-so and I'm with this-and-that. Could you send me a copy of the source code? I'm all over your phone line" The book is a continuous stream of anecdotes like this. Love it.
Yep so good and the ‘ring this number to prove I am real’ was a walk in the park for him.
If it were me, I'd be very wary about that coffee cup.
Yepp, throw that thing in an x-ray machine.
I'm not surprised at all seeing all sort of comments from the people of the ethical sect...

I'd really love to see any of these people in such situation. Or maybe even further, in a situation in which they actually have a tangible proof that "something bad is going to happen".