In 2020, news reports around the world revealed that a Swiss IT security company, Crypto AG, had secretly been owned by the CIA and the German spy agency since 1970.
The story is not unique. A similar story emerged about the ANOM app and Operation Trojan Shield. However, the latter involved a much wider collaboration with the justice department while the Crypto AG operation ran for a much longer period of time and with much less, if any, oversight.
For most ordinary people, the moral of the story is clear: don't do bad stuff.
More significantly, if you don't have the knowledge to fully understand computer security and encryption, it is always better not to use it at all.
Students in computer science and engineering courses are being prepared to work with this technology in a professional environment. ETH Zurich is one of Switzerland's top universities and their graduates go on to become responsible for information security in leading Swiss institutions. Diana von Bidder-Senn, the wife of Adrian von Bidder-Senn, completed her PhD on the theme of computer security, I contemplate that in a related blog post.
One of the ETH Zurich students, Marco Fischer completed an internship at Crypto AG. He wrote an article about the internship, in German, for the student newspaper. Here is a translation:
Internship at Crypto AG
The company description reads: Crypto AG, a financially and legally independent Swiss company, has been a leader in information technology since 1952. The company specializes in the deployment of security solutions in all types of communication networks.
The Message Scheduler
Crypto AG develops encryption devices that can be administered from a remote management station. This requires distributing management messages to the devices via an IP network at a defined time and receiving corresponding acknowledgments from the devices. This functionality is to be implemented in a message scheduler, which is placed between the management station and the public network containing the end devices.
My task was to create a PC application that simulates the message scheduler as a partner of the management station for testing purposes and enables interaction. The main functions of this application were receiving, analyzing, displaying, and persistently storing messages, as well as sending and receiving receipts. In a second step, I extended the message scheduler application for communication with end devices.
On the technical side, development involved object-oriented modeling with UML using a modeling tool. Implementation was done in C++ with MFC (Microsoft Foundation Classes). The development environment was Microsoft's Visual Studio .NET. Source code management using PVCS was also part of the process, as were ongoing tests and the integration of the individual components.
Learning new things – Gathering information – Applying knowledge
At the beginning of the internship, the first challenge was absorbing a huge amount of new information, structuring it, and not forgetting it immediately. During the first few weeks, I often found myself in situations where I had learned or heard about certain things, but still lacked that final piece of understanding.
(Like everybody else who was tricked by this operation)
However, I could count on a very helpful team.
(Team = CIA and BND working together)
Every question was answered patiently, and every problem was resolved promptly and easily. At this point, I would like to sincerely thank everyone who supported me in any way during this internship! As the weeks passed, I gradually got used to the new, initially unfamiliar environment. I became more familiar with the tools used daily, and the work transformed more and more from simply absorbing and learning to the creative implementation of my own ideas and solutions. As soon as the first versions of my software performed reasonably well, the collaboration within the team also became closer. I had the opportunity to test the "real" management station together with a physical encryption device. To my relief, this revealed not only outstanding issues and errors on my end.
20 Weeks – Far Too Long?
ETH Zurich requires a minimum 10-week internship for its computer science program. With the initial intention of gaining my first practical experience abroad, I took a semester off in the summer of 2003 to have enough time for an exciting and challenging internship.
After an initially positive response from Canada, this didn't pan out. Other avenues through exchange organizations also proved unsuccessful. So I was forced to look for a suitable internship in Switzerland. After several applications, Crypto invited me for an interview, where all I had to do was accept.
Looking back, I'm very glad I took the time. I had the opportunity to complete an independent project from start to finish, which ultimately interacted with other projects under development and became a valuable component.
In my opinion, the 10 weeks required by ETH Zurich are far too short. It's difficult to find a suitable task that can be completed in such a short time. Whenever possible, you should allow yourself ample time for initial practical experience. It's extremely valuable for your future career and a fundamental component of your studies. This makes me even more convinced that it's essential to have worked in a company for a period of time during your engineering studies at ETH Zurich.
And how do projects actually work?
Do projects really proceed as we're taught in relevant supplementary and application courses? On the one hand, yes; the experiences we're told about certainly largely reflect reality. On the other hand, however, none of the lectures mentioned can replace working on a 'real' project. It was exciting to observe the technical progress, attend the weekly team meetings, discuss current problems, and implement agreed-upon approaches.
It's not always just about bits and bytes.
But what fascinated me even more was the human aspect of such collaboration. It's about the ability to defer at the right time, but also to stand up for your point of view and find compromises. Communication skills play a crucial role – how aptly and precisely someone can express themselves, and whether their arguments resonate with colleagues. Ultimately, I believe I developed personally in this area – social skills – at least as much as in technical matters.
I would go back to Crypto in a heartbeat!
In conclusion, there's not much more to say except that it was an inspiring and intense period full of valuable new impressions and experiences. In my opinion, my role was perfectly suited to an internship within this context. It was a real pleasure to work in such a dynamic team. I can only praise the competent supervision, and I couldn't have imagined a more pleasant relationship with my superiors. In short: It was fantastic!
The FSFE misfits pretending to be associated with the real FSF are another interesting example of a social engineering attack. Are the CIA and BND behind that too or is it just Google and IBM Red Hat?
Read more about the FSFE misfits.