[pavritch]

The ciphers are public. What the NSA really wanted was the size of file headers, special markers, etc -- so they could skip over the fluff and home in on the juicy stuff. I gave up nothing that would put the product or users at risk.

[_asummers]

With due respect, the person you spoke to on the phone didn't really answer your questions, per your post. What leads you to the conclusion? From my perspective, it doesn't sound like you know what they were using it for at all, or even if there was an urgent matter that even required it. For all we know, it was just a Tuesday and they were just hunting for the source of a common encryption utility.

And just because a cipher is public does not mean that there does not exist a side channel in the implementation of the ciphers or a mistake in your usage of them.

[bb88]

> And just because a cipher is public does not mean that there does not exist a side channel in the implementation of the ciphers or a mistake in your usage of them.

And just because they have the source code, doesn't mean they couldn't get it from reverse engineering the binary. I have not seen a binary that was completely resistant to reverse engineering yet.

Likely he was just saving them time.

[hnmonkey]

You seem to be arguing (across multiple comments) that you gave up nothing that would put your product or users at risk though you have no evidence of that. In fact, just the fact that you gave them what they wanted means that it had some impact greater than nothing and it certainly wouldn't be for the positive towards your users or the product. Why did they want it in the first place then?

[bb88]

So one of the many services the NSA offers to the US Government is reverse engineering. Do you really think that his software was so mysterious that they couldn't figure this out eventually?

[tarboreus]

That's resource intensive. They might have, but it's also entirely possible they would have decided it wasn't worth it. Might as well first see if the author is kind enough to just hand over the source. At the very least, he should have made the code open source after giving it to the NSA so that there was a chance of zero days they discovered getting worked out.

[jhall1468]

> They might have, but it's also entirely possible they would have decided it wasn't worth it

That's an enormous assumption based on zero evidence. The only resource the NSA is limited by is time. Money and man power (up to diminishing returns) are effectively limitless.

They were trying to skip a step, but there's absolutely no reason to believe they could have (and would have) done without through reverse engineering the binary. The NSA guy implied time was the major factor, and wanting the source certainly implies that was the case.