13 — Historical Incidents
Relevant events where cryptography was broken, sabotaged, misused, or where entire systems fell. Each incident: context, root cause, impact, lessons.
1. Zimmermann Telegram (1917)
Context: Arthur Zimmermann (German Foreign Secretary) proposes an alliance with Mexico against the US in WWI.
Crypto: Nomenclator codes 13040 and 0075. The British (Room 40) deciphered them via the capture of partial codebooks + analysis.
Impact: Publication brings the US into WWI in Apr 1917. A wartime inflection point.
Lesson: Diplomatic codes without rotation are vulnerable to capture + cryptanalysis; trivial political impact > technical impact.
2. Enigma (1932–1945)
Already covered in 03-classical.md. Historical summary:
- The Poles (Rejewski) read it from 1932.
- Transferred to Bletchley in Jul 1939.
- Throughout WWII: Bletchley read ~10% of traffic at any given moment; much more during periods of better crib supply.
- Shortened the war by an estimated 2 years.
Lesson: electromechanical machines with weak indicator systems are breakable; the operator's operational security matters as much as the algorithm.
3. Venona Project (1942–1980)
Context: The KGB and GRU use OTP for diplomatic/espionage traffic. The volume exceeds the Soviet capacity to generate random pads.
Error: ~1942–1945, pads are duplicated across messages. Cell B in Moscow sends the same pad to New York and Washington.
Break: Meredith Gardner (US SIS) discovers the repetition (1946). Two-time-pad analysis deciphers ~3000 messages.
Revelations:
- Identity of Alger Hiss, the Rosenbergs, Klaus Fuchs.
- Soviet espionage operation against the Manhattan Project.
- ~349 American citizens identified as agents.
Status: Program classified until 1995.
Lesson: a reused OTP is not an OTP. Without logistical discipline, perfect secrecy becomes an XOR pad shorter-than-the-message, cryptanalyzable.
4. Crypto AG / Operation Rubicon (1970–2018)
Context: Crypto AG (CAG), a Swiss company founded by Boris Hagelin (~1952). Sells cryptographic machines to governments worldwide.
Covert operation:
- In 1970, the CIA + BND (West Germany) secretly buy CAG.
- Operations: Thesaurus (original NSA cooperation), then Minerva (CIA), and Operation Rubicon (BND/CIA).
- Machines sold had deliberately weakened algorithms or backdoors.
Adoption:
- 130+ countries used CAG, including Argentina, Brazil, the Vatican, Libya, Iran, Iraq, Pakistan, South Korea.
Intelligence extracted:
- ~40% of American signals intelligence in some periods.
- Camp David negotiations (EgyptIsraelUS 1978) with Egypt using CAG.
- Falklands/Malvinas crisis (1982) — Argentinians using CAG, the British reading.
- Iran-Iraq War (1980–1988).
- The BND withdrew in 1993; the CIA continued until the sale of CAG in 2018.
Revelation: Washington Post + ZDF + SRF (Feb 2020) publish a joint investigation with documents.
Impact: Swiss reputation (neutrality) shaken. Diplomatic fallout. Confirmed decades of suspicions (Snowden, Wikileaks had already hinted at it).
Lesson: Do not trust a black-box cryptography vendor. Kerckhoffs's principle applies: the algorithm must be public and verifiable.
5. CRYPTO Wars (1990s)
Context: The US classifies strong cryptography as munitions (US Munitions List); export controls.
Events:
- PGP 1991 (Zimmermann) → criminal investigation for export without a license (1993–1996, closed without prosecution).
- Clipper chip (1993) — Clinton administration proposal: a chip with mandatory key escrow (LEAF — Law Enforcement Access Field). Broken by Matt Blaze in 1994 (forge LEAF). Abandoned 1996.
- Export grade crypto: 40-bit symmetric, 512-bit RSA allowed. Forced weakened design in SSL.
- Bernstein v. United States (1995–2002): DJB sues the US arguing that code is speech. Wins — the 9th Circuit declares crypto code as First Amendment.
- 2000: massive relaxation of export controls.
Technical legacy:
- FREAK (2015), Logjam (2015), DROWN (2016): exploits against "export grade" left on servers 20 years later.
- "Export ciphers" still in CDNs until ~2015.
Lesson: policy has a cryptographic half-life. Decisions from the 90s still bite in the 2010s.
6. DualECDRBG (2007–2014)
Context: NIST SP 800-90A (2006) standardizes several RNGs, including DualECDRBG (Elliptic Curve Dual). Recommended by the NSA.
Mathematical suspicion:
- Shumow + Ferguson (CRYPTO 2007 rump): show that the curve constants may contain a trapdoor. Whoever knows \(d\) such that \(P = dQ\) can predict the output after a few bytes.
- NIST never explains how the constants were generated.
Confirmation:
- Snowden documents (Sep 2013) show the NSA paid US$10 million to RSA Security to make Dual_EC the default in BSAFE.
- The BULLRUN program confirmed.
Affected products:
- RSA BSAFE (default RNG in some versions).
- Juniper ScreenOS NetScreen firewalls (2008–2013) — Juniper later announces a secondary backdoor installed by a third party in 2012 (CVE-2015-7755) that altered the constants; speculation: a different state actor stole the NSA backdoor via Dual_EC.
- McAfee, Fortinet, Microsoft (partial), BlackBerry (partial).
Removal: NIST withdraws the recommendation in 2014. RSA "deprecates" it in 2013. Final removal in NIST SP 800-90A Rev 1 (2015).
Impact:
- Trust in the NIST process shaken for decades.
- The community demands an open process (AES, SHA-3, PQC competitions).
- NSA documentation has been read carefully ever since.
Lesson: Magic numbers in standards without explanation are red flags. Even "neutral" standards may contain backdoors. Open competition is the antidote.
7. Debian OpenSSL RNG bug (2008, CVE-2008-0166)
Context: In 2006, a Debian developer (Kurt Roeckx) commented out a line in crypto/rand/md_rand.c that Valgrind reported as an "uninitialized memory read".
Bug: The line contributed the contents of the uninitialized buffer to the entropy pool — intentional use via MD_Update(&m, buf, j) before the buffer was populated. It was removed.
Result: openssl_rand() seeded only with the PID (1 to 32768). Only 32k unique keys generated across all of Debian/Ubuntu from 2006-09-17 to 2008-05-13.
Detection: Luciano Bello discovered it via a Valgrind suppress investigation; the bug affected SSH host keys, SSL certs, OpenVPN keys, DNSSEC keys.
Impact:
- 30k+ public servers exposed.
- Massive certificate revocation.
- Long-tail: vulnerable keys found in production years later.
Lesson: Patch reviews in crypto require expertise. Distros should not alter upstream crypto without analysis. Valgrind warnings are not uniformly safe to suppress.
8. Heartbleed (CVE-2014-0160)
Discovery date: Codenomicon (Finland) + Neel Mehta (Google) — simultaneously, April 2014.
Bug: OpenSSL implementation of the TLS Heartbeat extension (RFC 6520). The client sends a heartbeat with a declared length \(N\) + a short payload. The server returns \(N\) bytes of memory starting at the payload buffer — leaking \(N\) bytes of residual heap.
// vulnerable code
n2s(p, payload); // attacker-controlled length
memcpy(bp, pl, payload); // copies payload bytes, not actual data sizeLeak:
- RSA private keys (recoverable via key schedule patterns in the heap).
- Session cookies, passwords, recent plaintext.
- ~17% of public servers affected.
Mitigation:
- OpenSSL 1.0.1g patch on Apr 7.
- Mass rotation: every TLS cert in the world (with an RSA key) revoked and re-issued.
- Browsers updated CRL/OCSP rapidly.
Financial impact: estimated US$500M in rotation + downtime + revocation.
Additional details: the vulnerability existed since Dec 2011 (2.5 years). It is estimated that exploitation by state actors occurred before public disclosure. The NSA was accused of knowing (officially denied).
Lesson: C heap-based libraries require obsessive care with bounds. Post-Heartbleed: the OpenBSD fork LibreSSL, the Google fork BoringSSL, both cleaning up the code. OSS-Fuzz ramped up. OpenSSL 3.0 redesign.
9. POODLE (Oct 2014)
Technical details in 11-attacks.md. Historical context:
Bodo Möller, Thai Duong, Krzysztof Kotowicz (Google). Browsers still fall back to SSL 3.0 when the TLS handshake fails → a MITM attacker forces a downgrade → CBC padding oracle reveals cookies.
Response: Browsers disable SSL 3.0 in Q4 2014–Q1 2015. TLSFALLBACKSCSV (RFC 7507) added.
10. Freak / Logjam (2015)
FREAK (Mar 2015): a state machine bug in OpenSSLAppleMicrosoft TLS allowed servers to accept "export-grade" 512-bit RSA even without cipher negotiation. 512-bit RSA breakable in ~7h via NFS.
Logjam (May 2015): "imperfect forward secrecy" — researchers demonstrate that pre-computing NFS against common DH-1024 primes is within the NSA's capability. Reading historic VPN traffic possible.
Both: legacy of the export ciphers of the 90s still in the code.
11. Bullrun / Edgehill / Snowden disclosures (Jun 2013–)
Edward Snowden, NSA contractor, leaks ~1.7M documents to Glenn Greenwald, Laura Poitras, Barton Gellman.
Programs disclosed:
| Program | Agency | What |
|---|---|---|
| PRISM | NSA | Direct access to Big Tech (Google, Apple, Facebook, etc.) data |
| MUSCULAR | NSA + GCHQ | Tap into Google/Yahoo internal data center links |
| BULLRUN | NSA | Crypto sabotage program ($250M/year budget) |
| EDGEHILL | GCHQ | UK equivalent of BULLRUN |
| XKEYSCORE | NSA | Internet surveillance database |
| MYSTIC / SOMALGET | NSA | Bulk recording of phone calls |
| TAO catalog | NSA | Hardware implants catalog (COTTONMOUTH, BULLDOZER, etc.) |
| Quantum Insert | NSA | Man-on-the-side packet injection |
BULLRUN specifically included:
- Influencing standards bodies (NIST, ISO, IETF) to weaken algorithms.
- Industry partnerships with secret payments (RSA Security $10M).
- Custom backdoors in commercial crypto products.
- Cracking of specific protocols (TLS, IPsec, SSH variants).
Impact on cryptography:
- Massive shift to E2E messaging (Signal adoption exploded).
- TLS 1.3 designed with paranoia (remove RSA key transport, etc.).
- PQC migration urgency.
- Browsers push HTTPS everywhere (Let's Encrypt 2015).
- IETF declares pervasive monitoring as an attack (RFC 7258, 2014).
Snowden a refugee in Russia since 2013.
Lesson: The threat model must include state actors by default. Before 2013, "the NSA won't attack you" was a common assumption. Post-Snowden, any long-term system must consider nation-state capability.
12. DigiNotar (Sep 2011)
Context: DigiNotar, a Dutch CA, a trusted issuer for the MozillaMicrosoftApple root stores.
Compromise:
- An Iranian attacker (likely a state actor) compromises the internal infrastructure.
- Issues ~500 fraudulent certs:
*.google.com,*.microsoft.com,*.skype.com,*.cia.gov,*.mozilla.org, etc. - Iranian users redirected via DNS spoof + MITM with a
*.google.comcert for Gmail interception.
Detection: Chrome in Iran (with hardcoded pinning for Google domains) warns users. Public reports trigger an investigation.
Response:
- Browsers remove DigiNotar from the trust store globally (Sep 2011).
- DigiNotar declares bankruptcy within a few weeks.
- The Dutch government performs an emergency reissue (DigiNotar held government contracts).
Lesson: CA single point of failure. Catalyzes the adoption of Certificate Transparency (RFC 6962, 2013), HPKP (later deprecated), DANE (RFC 6698 — TLSA records).
13. Stuxnet (discovered 2010)
Context: A USB-borne worm designed to sabotage Iranian centrifuges at the Natanz nuclear facility. Estimated: NSA + Unit 8200 (Israel).
Crypto:
- 4 zero-day exploits.
- Forgery of a Microsoft Windows Update signature via MD5 chosen-prefix collision (Marc Stevens technique, 2008–2012). Allowed infection via the update mechanism.
- Encrypted C2 communication.
Impact:
- Destroyed ~1000 centrifuges at Natanz.
- Delayed the Iranian nuclear program by ~2 years.
- The first cyber weapon confirmed by a government (not directly, but with official acknowledgment over the years).
Lesson: Crypto attacks can cost real billions when they target industrial hardware. The MD5 collision was still exploitable in 2012, years after the public "break". CRL/CT matter.
14. Apple vs FBI / San Bernardino (2016)
Context: San Bernardino shooter (Dec 2015). The FBI wants Apple to unlock an iPhone 5C with iOS 9.
Demand:
- Custom firmware with brute-force PIN without limit, without the 1-second delay.
- Signed by Apple (\(Apple signing key\) + boot chain).
Apple:
- Tim Cook publishes an open letter refusing —
apple.com/customer-letter. - Argument: creating this capability is "creating the master key for all iPhones".
Resolution:
- The FBI eventually pays a "third party" (rumored Cellebrite or GrayShift) ~US$1M to crack it via a 0-day exploit.
- Apple never helps.
Legacy:
- Apple increases security: SE with
aacskd, randomized boot, hardware-backed entropy. - iOS 14+: blastdoor sandbox for iMessage.
- 2024: Apple Private Cloud Compute (PCC) — attested compute for Apple Intelligence.
Lesson: A cryptographic backdoor = a backdoor for everyone. The industry took a firm stance against encryption mandates. But the debate continues (UK Investigatory Powers Act, EU CSAR, Australia AA Act).
15. ShadowBrokers / NSA TAO leak (2016–2017)
Context: An anonymous group, "Shadow Brokers", leaks NSA TAO (Tailored Access Operations) tools.
Leaked:
- EternalBlue (CVE-2017-0144) — SMBv1 exploit.
- DoublePulsar — backdoor implant.
- Decrypts of various firewall/router exploits.
Impact:
- WannaCry ransomware (May 2017) — uses EternalBlue, spreads globally. NHS UK, Maersk, FedEx, Renault paralyzed.
- NotPetya (Jun 2017) — wiper disguised as ransomware. Maersk lost US\(300M, Merck US\)870M.
- Total estimated damage > US$10B.
Lesson: A stockpile of 0-days leaks eventually. An argument against government cyber arsenals (Vulnerabilities Equities Process).
16. ROCA (Oct 2017, CVE-2017-15361)
Details in 11-attacks.md. Context:
The Infineon RSALib used in smartcardsTPMseIDs generated keys with a special structure. Researchers (Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas) discover it in Jul 2017; disclose it in Aug 2017.
Affected:
- Estonia eID — 750k cards, nationwide ID. The state issues an emergency update in November 2017.
- Slovakia eID, Spain DNIe.
- TPMs in Lenovo, HP, Fujitsu laptops.
- Yubikey 4 (FIDO U2F) — rotated.
Mitigation: rotate keys; Infineon patched the library but fielded hardware remained.
Lesson: Hardware crypto is no more secure than its library. Even FIPS 140-2 certified products had the bug. Estonia case: government emergency rotation was viable only with mature digital identity infrastructure.
17. Juniper Dual_EC backdoor backdoored (CVE-2015-7755, Dec 2015)
Context: Juniper ScreenOS firewalls (2008–2013) had DualECDRBG with constants that the NSA could probably exploit.
2012: An unknown attacker (not the NSA per the documents) changes the constants in the ScreenOS code. Inserts their own backdoor over the existing one.
Detection: A Juniper internal security audit (2015) discovers it. Public disclosure Dec 2015.
Implications:
- A different state actor "stole" the NSA backdoor.
- Shows that a backdoor inserted for the "good guys" eventually serves the "bad guys".
Lesson: a practical argument against crypto backdoors. A backdoor inserted by country A will be discovered/used by country B.
18. WhatsApp / Mexico Pegasus (2019)
Context: NSO Group Israel develops Pegasus spyware — a zero-click iOS/Android exploit.
Crypto-adjacent:
- 1400+ WhatsApp victims identified (Citizen Lab, Univ. of Toronto).
- Journalists, activists, lawyers.
- Mexico, Saudi Arabia (Khashoggi), Hungary, India, Spain, France (Macron).
WhatsApp/Meta sues NSO — in May 2025, a jury awarded WhatsApp US$167M in damages.
Lesson: Even E2E encryption does not protect if the device is compromised at runtime. Hardware/OS security is a prerequisite.
19. ROBOT (CVE-2017-13099)
Details in 11-attacks.md. The Bleichenbacher 1998 attack still working in 2017 against:
- Cisco ACE, ASA.
- Citrix NetScaler.
- F5 BIG-IP.
- IBM WebSphere DataPower.
- Erlang TLS lib.
- Java SafeNet HSM lib.
Lesson: 19 years was not enough for a universal fix. Implementations never catch up to theoretical patches.
20. RSA SecurID (Mar 2011)
Context: RSA Security (an EMC subsidiary) issues SecurID hardware tokens — a popular enterprise 2FA.
Compromise:
- APT phishing email, Excel macro with a Flash exploit.
- Attackers (APT1 / a China group) access internal systems.
- Stealth theft of seed records — serial numbers + seeds of the manufactured tokens.
Use:
- Lockheed Martin attacked (May 2011) — the attackers have the seeds, manage to clone the engineers' SecurID tokens.
- L3 Communications, Northrop Grumman also targeted.
Response: RSA emergency reissue of 40M tokens.
Lesson: Centralized 2FA systems with a seed-database are a single point of failure. Modern practice prefers TOTP (without seed escrow) or WebAuthn (hardware-bound).
21. KRACK (Oct 2017)
Mathy Vanhoef (KU Leuven) discovers the Key Reinstallation Attack in the WPA2 4-way handshake. Forcing reinstallation of the PTK → reuses the nonce stream → deciphers parts of traffic.
Affected: practically every WPA2 Wi-Fi client.
Patches: rolled out 2017–2018. WPA3 (with the Dragonfly handshake) introduced as a successor — but Dragonfly had Dragonblood vulns in 2019 (Vanhoef again).
Lesson: Wi-Fi crypto has always had a bad track record (WEP killed by Fluhrer-Mantin-Shamir 2001; WPATKIP killed by Tews-Beck 2008; WPA2KRACK 2017; WPA3/Dragonblood 2019). A cyclical migration.
22. Zerologon (CVE-2020-1472, Aug 2020)
Tom Tervoort (Secura). A bug in the Netlogon protocol: AES-CFB8 with an all-zeros IV. ~1/256 probability of "session key = zeros" → the attacker authenticates as the domain controller without credentials.
Scope: Active Directory environments globally (~70% of enterprises).
Patch: Microsoft Aug 2020. Mass adoption push.
Lesson: AES-CFB8 with a zero IV is an example of broken cryptographic protocol design from old decisions (Netlogon protocol design from the 90s). Modern implementations need a random IV. Crypto agility — protocols that are too rigid take a long time to fix.
23. ProxyLogon / ProxyShell (2021)
Microsoft Exchange Server vulnerabilities (Mar 2021). Crypto-related: ASP.NET viewstate signed with a leaked MachineKey → forge auth.
10k servers compromised within days. White House blame on a China APT (Hafnium).
24. SolarWinds (Dec 2020)
Supply chain attack: The SolarWinds Orion update server compromised. A malware-laden update signed legitimately with a valid signing key.
Impact: 18k organizations including US Treasury, State Dept, DHS, Microsoft, FireEye.
Crypto-adjacent: a (valid) signing key used incorrectly; SAML token forging post-access.
Lesson: Code signing assumes the build process is sound. Reproducible builds + multi-party signing begin to gain focus post-incident.
25. Log4Shell (CVE-2021-44228, Dec 2021)
Not a crypto incident per se, but it reshaped security thinking. Log4j JNDI lookup remote code execution. 100% of Java internet impacted.
26. WhatsApp/Meta Pegasus, NSO Group (various, 2019–present)
Commercial spyware industry. NSO Group, Candiru, Intellexa. Zero-click exploits. Crypto bypass via endpoint compromise.
27. Boothole / LogoFAIL / Black Lotus (UEFI bootkits, 2020–2023)
Boothole (CVE-2020-10713): GRUB2 buffer overflow. Bypasses Secure Boot.
Black Lotus (2023): the first commercialized UEFI bootkit (sold in dark markets). Persists before the OS loads.
LogoFAIL (CVE-2023-...): vulnerabilities in vendor boot-logo image parsers. Generic across BIOS vendors (AMI, Insyde, Phoenix).
Lesson: The Secure Boot chain of trust depends on every link. Bugs in pre-OS code escape OS protections.
28. xz-utils backdoor (CVE-2024-3094, Mar 2024)
Long-running supply chain attack: a contributor under the "Jia Tan" pseudonym gains trust in the xz-utils project over 2 years. Inserts a sophisticated backdoor in release 5.6.0/5.6.1 that attacks OpenSSH via a systemd dependency.
Backdoor activated by an RSA-style trigger in SSH connection metadata.
Discovered accidentally by Andres Freund (Microsoft PostgreSQL dev) investigating a 500ms-slower SSH login.
Impact: discovered before stable distros adopted it (Debian/RHEL still on 5.4.x). Catastrophic if not caught.
Lesson: Single-maintainer open source projects are targets. Reflects fundingsustainability problems in open source cryptosecurity infrastructure.
29. Lessons by category
A broken algorithm does not fall instantly
MD5: collision academic 2004, practical 2008, exploited in Flame 2012, still in use in some systems in 2026.
Implementation > algorithm
Heartbleed bug = ~17% of the internet exposed. The TLS algorithm was correct.
Operations > theory
Venona broken by OTP reuse, not by the OTP itself.
State actors are part of the threat model
BULLRUN, Crypto AG, Stuxnet, Pegasus, SolarWinds.
Supply chain is a crypto attack vector
xz-utils, SolarWinds, Stuxnet (via forged signature).
Long-tail of legacy algorithms
FREAK, DROWN, ROBOT — exploits decades after "deprecated".
A backdoor inserted by A will be used by B
Juniper Dual_EC, ShadowBrokers NSA tools.
Mass rotation is viable but costly
Heartbleed, ROCA Estonia eID, Debian RNG. Requires preparedness.
30. Cross-reference
- Detailed technical attacks:
11-attacks.md. - People involved:
12-people.md(Snowden, Marc Stevens, Zimmermann, etc.). - Chronological timeline:
01-timeline.md. - Confidential computing as a response:
09-confidential-computing.md. - Koder Stack security posture:
14-koder-applied.md.