
If Your Adversary Is the Mossad (2014) [pdf]

eirini1

Never agreed with this logic. For a lot of people (anyone that does political activism of some sort for example) the threat model can be a lot more nuanced. It might not be Mossad or the CIA gunning for you, specifically, but it might be police searching you and your friend's laptops or phones. It might be burglars targeting the office of the small organization you have and the small servers you have running there.

rini17

You did not write what you actually disagree with....

turboturbo

The false dichotomy

samlinnfer

This will always be my favourite Mickens essay (The Slow Winter): https://www.usenix.org/system/files/1309_14-17_mickens.pdf

chao-

Mine as well.

I have a fond memory of being at a party where someone had the idea to do dramatic readings of various Mickens Usenix papers. Even just doing partial readings, it was slow going, lots of pauses to recover from overwhelming laughter. When the reading of The Slow Winter got to "THE MAGMA PEOPLE ARE WAITING FOR OUR MISTAKES", we had to stop because someone had laughed so hard they threw up. Not in an awful way, but enough to give us a pause in the action, and to decide we couldn't go on.

Good times.

eeeficus

Sounds like you found nerd heaven. I couldn't imagine a situation like yours in my world! :)

mike_hearn

It's hilarious, but the hilarity gets in the way of recognizing how much insight there is also there. It makes serious points. This part about the Mossad is especially astonishing given the pager attack:

> If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone

It's like a Mossad agent read this paper and thought hey that's actually not a bad idea.

But the core rant is about dubious assumptions in academic cryptography papers. I was also reading a lot of academic crypto papers in 2014, and the assumptions got old real fast. Mickens mocks these ideas:

"There are heroes and villains with fantastic (yet oddly constrained) powers". Totally standard way to get a paper published. Especially annoying were the mathematical proofs that sound rigorous to outsiders but quietly assume that the adversary just can't/won't solve a certain kind of equation, because it would be inconvenient to prove the scheme secure if they did. Or the "exploits" that only worked if nobody had upgraded their software stack for five years. Or the systems that assume a perfect implementation with no way to recover if anything goes wrong.

"you could enlist a well-known technology company to [run a PKI], but this would offend the refined aesthetics of the vaguely Marxist but comfortably bourgeoisie hacker community who wants everything to be decentralized", lol. This got really tiresome when I worked on Bitcoin. Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.

"These [social networks] are not the best people in the history of people, yet somehow, I am supposed to stitch these clowns into a rich cryptographic tapestry that supports key revocation and verifiable audit trails" - another variant of believing decentralized cryptography and PKI is easy.

He also talks about security labels like in SELinux but I never read those papers. I think Mickens used humor to try and get people talking about some of the bad patterns in academic cryptography, but if you want a more serious paper that makes some similar points there's one here:

https://eprint.iacr.org/2019/1336.pdf

Yizahi

> Lots of semi-technical people who had never run any large system constantly attacking every plausible design of implementable complexity because it wasn't decentralized enough for their tastes, sometimes not even proposing anything better.

And for added fun, that same radical decentralization crowd, finally settling on the extremely centralized Lightning crutch, which is not only centralized but also computationally overcomplicated and buggy.

lifestyleguru

Then how is it possible Mossad didn't know about what had happened on 7 October 2023?

bbarnett

The same way the US didn't know about 9/11. Intelligence failures.

(Portions of the US intelligence apparatus knew, but that knowledge didn't transition into action)

INTPenis

This is exactly the type of comment that will get you mossad'd.

ozirus

Domestic intel = Shin Bet, not Mossad

tuzemec

Somewhat related video: https://vimeo.com/95066828

edu

That's a fun take, similar to the classic XKCD 538: Security. https://xkcd.com/538/

hshdhdhehd

The 4096 bits just stops it being so easy to surveil you that it is hyper-automated. So there is some use. The $5 wrench needs a million dollar operation to get that guy to your house.

bbarnett

Oh come on, that's way over budget! Every time I managed such an operation, we'd just rent a van and... uh, I mean, um, I heard it costs less.

<NO CARRIER>

torginus

If your adversary is a state intelligence agency, you're probably a high-ranking politician and a boomer who is clueless about computers, and have demonstrably terrible opsec, either through government incompetence of your own agencies, or not following the terribly cumbersome opsec procedures, either because of inconvenience, the policies being terrible or sheer incompetence.

The amount of examples we've seen of this is staggering.

broodbucket

Remember, you don't have to be unhackable, just sufficiently unimportant to not be worth burning any novel capability on

INTPenis

That's right, just keep your head down, smile and nod, do your job and nothing will ever go wrong. /s

GreenWatermelon

You /s but this is actually valid advice for someone who just wants to get by in life and is content.

brigandish

A more charitable view would be to act like a zebra in a herd of zebra rather than a zebra in a herd of horses.

impossiblefork

The Mossad part is a very silly element of the text. Many organizations have to defend against US intelligence, Israeli intelligence etc., and I'm sure that they, with the exception of some very terrible countries with a lot of incompetence or which are full of disloyal people likely to become infiltrators, are quite successful.

Actual security is possible even against the most powerful and determined adversaries, and it's possible even for you.

megous

Not sure what audience he is talking to. Experts deal with a lot more issues that sit between choosing a good password + not falling for phishing and "giving up because mossad". The terminology that he sprinkles about suggests the audience is experts.

rini17

The article actually addresses this -- that all these extra issues are not manageable for mere mortals anyway and/or perfectly spherical cows are involved.

optimalsolver

I think fighting Israel is kind of a glimpse into what trying to fight a malevolent AGI will be like.

Expect to lose in highly surprising ways.

speedgoose

I don't know, driving a big truck into AWS' us-east-1 power supply section sounds more than enough to take down internet for a while.

realFredWilson

Mickens' piece is a classic - love his rants.

But that Mossad bit? Come on, it's straight-up invoking antisemitic tropes. Portraying Israeli intelligence as this omnipotent, cartoonishly evil entity that assassinates via uranium phones and then gloats at press conferences with "IT WAS DEFINITELY US" t-shirts? That's not just hyperbole, it echoes blood libel and conspiracy crap that's been weaponized against Jews for centuries. In a sec context, it's lazy - why not swap in the NSA or GRU for the same point without punching down?

As someone in the field (and yeah, Israeli), it sours the whole read. We can roast bad crypto assumptions without this baggage. Anyone else feel like this kind of "edgy" humor ages poorly post-Snowden?

tsimionescu

Just because you don't like the reputation that the Mossad has both gotten and created for itself, doesn't mean that playing on that reputation is in any way antisemitic. It's fair perhaps to consider it anti-Israel, given that the Mossad is an agency of the state.

And the Mossad really has a terrible reputation, both for efficiency and for being relatively bloody. The assassinations of the Nazi officials who had fled to South America are a founding myth (and a positive one, of course - no one should cry for spilled literal Nazi regime blood). For a more recent example, you have the campaign of booby-trapped Hezbollah devices that killed or injured quite a few Lebanese civilians along with various militia members, which the Mossad and Israeli government more generally gleefully talked about.

You'll find far fewer similar stories about the CIA or even GRU - at least from any current events (e.g. the CIA's most heinous actions were usually only talked about years later, like their campaigns of terror in Latin America). The GRU's operations are also less talked about, no doubt to a great extent because it is an adversary, and we don't want to talk about how good our adversaries are.

dralley

> For a more recent example, you have the campaign of booby-trapped Hezbollah devices that killed or injured quite a few Lebanese civilians along with various militia members,

It was quite possibly the most well targeted large scale military attack on a militia group in history, not to mention nonlethal to 99.5%, including Hezbollah members. What alternative military approaches do you suggest? While collateral damage is always tragic, it was almost inconceivably clean for what it managed to accomplish

george916a

[flagged]

kotaKat

Interesting we get these sudden 2 to 3 month old accounts with no comment history popping into these threads to start stirring the pot.

tsimionescu

Ridiculous on the face of it.

pjc50

> assassinates via uranium phones and then gloats at press conferences with "IT WAS DEFINITELY US" t-shirts?

This would be an easier complaint to make if Israeli intelligence hadn't assassinated a bunch of people by exploding pagers and then publicly taken credit for it.

I'm sure the thousand exploding pagers miraculously only managed to target Hamas members, and that no children or innocent civilians were maimed or injured.

Mossad got this reputation from back in the day with "Operation Wrath Of God", where in retaliation for the horrific Black September attack on the Israeli Olympic team they carried out a series of extra-territorial murders. History might forgive them that until they murdered a Moroccan waiter in Lillehammer by mistake.

(no excuse for generalized anti-semitism, though. People should stick to criticisms of things that Israel has actually done, not make them up)

h33t-l4x0r

I don't see antisemitic here, the implication is that Mossad is highly competent at hacking compared to NSA / GRU. And this was 2014, back before antisemitism became rather fashionable among people who should know better.

westpfelia

Uranium phones no. Pager bombs sure. If you don't want to be labeled as cartoonishly evil then stop doing cartoonishly evil things.

Look at the Pegasus spyware. Shit was sold by Israel to the Saudis so they could track a journalist and chop him up.

BLKNSLVR

> Portraying Israeli intelligence as this omnipotent, cartoonishly evil entity that assassinates via uranium phones

Uses term "cartoonishly evil" to describe a scenario scarily close to a recent actual example.

The only way I can fathom this comment on HN is that it's masterful irony. And if that's the case, I applaud it.

If not: smh.

Edited to add two things:

1. It seems like the opposite of punching down, more like fearful respect of their capability.

2. I struggle to draw a line between criticising the efficiency with which an agency kills people and anti-semitism.

I would think that most people that consider themselves Jewish, or a true believer of any religion, or just a well-adjusted non-denominational human (as rare as they are) for that matter, would respect the sanctity of life, and see the pursuit of murder, for any reason, as antithetical to their beliefs.

lexicality

Bought a pager recently?

icameron

While not the uranium phones and tee shirts, in the real world just last year we got Operation Grim Beeper, where Mossad remotely detonated thousands of custom made pagers with a few grams of plastic explosive, followed by two way radios the next day. AFAIK they didn’t make tee shirts but they did go on 60 Minutes, in disguise, to brag about the operation. Just saying, it seems pretty on brand.

kotaKat

Nice ChatGPT bait, Mossad agent.