Security Through Obscurity

by Ed Sawicki    May 15, 2003

The 1986 bombing of Libya by the United States teaches an important lesson about Security Through Obscurity. The U.S. raid was in response to the bombing of the La Belle discotheque in West Berlin that targeted and killed two U.S. soldiers. The U.S. National Security Agency (NSA) learned that Libya was responsible for the bombing by eavesdropping on the encrypted radio communications between Tripoli and the Libyan embassy in West Berlin. President Ronald Reagan had the proof he needed to order the attack.

The Libyans didn't know that Crypto AG, the Swiss firm they purchased encryption equipment from, had links to the German intelligence community (the BND) and the NSA. Crypto AG embedded the decryption key in the ciphertext, allowing the NSA to monitor the encrypted communication in real time.

Libya was not the only country that made poor decisions when purchasing crypto equipment. Iran was also using Crypto AG equipment and discovered that their diplomatic communications were being monitored by Western powers. Iran arrested the local Crypto AG salesman and released him when the company paid a one-million-dollar ransom.

Far better security can be achieved using open source software that has already been scrutinized by an army of cryptographers. Anyone who believes that open source crypto software is less secure because the code is open to examination by anyone is seriously mistaken - as were the Libyans and Iranians.
