Security Through Obscurity

by Ed Sawicki    May 15, 2003 (updated December 2019)

La Belle discotheque bombing

The 1986 bombing of Libya by the United States teaches an important lesson about Security Through Obscurity. The U.S. raid was in response to the bombing of the La Belle discotheque in West Berlin that targeted and killed two U.S. soldiers. The U.S. National Security Agency (NSA) learned that Libya was responsible for the bombing by eavesdropping on the encrypted radio communications between Tripoli and the Libyan embassy in West Berlin. President Ronald Reagan had the proof he needed to order the attack.

The Libyans didn't know that Crypto AG, the Swiss firm they purchased encryption equipment from, had links to the German and U.S. intelligence organizations: the Bundesnachrichtendienst (BND) and the National Security Agency (NSA). Crypto AG embedded the decryption key in the ciphertext, allowing the BND and NSA to monitor the encrypted communication in real time.

Libya was not the only country that made poor decisions when purchasing crypto equipment. Iran was also using Crypto AG equipment and discovered, because of statements made by Reagan, that its diplomatic communications were being monitored by Western powers. Iran arrested the local Crypto AG salesman and released him when the company paid a one-million-dollar ransom.

Far better security can be achieved using open source software that has already been scrutinized by an army of cryptographers. Anyone who believes that open source cryptographic software is less secure because the code is open to examination by anyone is seriously mistaken, as were the Libyans and Iranians.
