Skip to content
DevMeme
3169 of 7435
When the NSA thought math was a weapon
Cryptography Post #3490, on Aug 1, 2021 in TG

When the NSA thought math was a weapon

Why is this Cryptography meme funny?

Level 1: Banning Big Locks

Imagine you have a diary with a lock, and you want to keep your secrets safe. Now, picture a rule at school that says, “If your lock is too strong, it’s as bad as bringing a weapon to class.” Sounds silly, right? But that’s essentially what happened in real life with computer secrets about 30 years ago.

In the meme’s picture, a man sees a cute butterfly and calls it “ammunition.” That’s like mistaking something harmless for something dangerous. The joke is comparing this to when the government thought using a really strong lock on your information (a long secret code, like more than 40 bits) was like having a piece of ammo. In simple terms, back in 1992 the U.S. government told people and companies, “You can’t use super-strong locks on your data if you send it outside the country, because we’re going to treat those locks like guns or bullets.” The meme makes us laugh because, just like a butterfly isn’t a bullet, a long password or key isn’t a weapon. It’s poking fun at how overprotective and absurd that rule was – as if math could be as dangerous as a gun! So the feeling you get is a mix of “Wow, that’s crazy they did that!” and “Thank goodness we don’t do that anymore”, all captured in one silly image.

Level 2: Encryption as Ammo

This meme references a time when the U.S. government treated a piece of computer security technology as if it were a weapon. The picture shows an anime character (labeled “NSA 1992”) pointing at a butterfly labeled “Keys longer than 40 bits” and asking, “Is this ammunition?” To understand the joke, let’s break it down:

  • NSA (National Security Agency): This is the U.S. government agency in charge of electronic spying and code-breaking. In 1992, the NSA was very worried about people using super-strong encryption because it could stop them from reading secret communications.

  • Encryption and Keys: Encryption is a way to scramble data so that only someone with the secret code (key) can unscramble it. A cryptographic key is basically a big secret number (like a password, but made of bits) that a computer uses to lock and unlock information. The length of the key (measured in bits, where one bit is a 0/1 digit) matters a lot. More bits = more possible keys = stronger encryption. For example, a 40-bit key is a sequence of 40 binary digits. That means there are about 1 trillion possible combinations for that key. A 41-bit key has double that number of combinations (about 2 trillion). The longer the key, the harder it is for someone else (like a hacker or even the NSA) to guess or brute-force the right combination. Think of it like the difference between a lock with 3 dials vs. a lock with 6 dials – the 6-dial lock has way more possible combinations and is much harder to crack.

  • “Keys longer than 40 bits”: In the early 1990s, the U.S. government had a rule that said you couldn’t export (send out of the country) encryption technology if it used keys longer than 40 bits. At the time, 40-bit keys were considered “okay” (not too hard for the NSA to possibly break if they really tried), but anything stronger was considered too secure. If a key was longer than 40 bits – even 41 bits – it was considered strong encryption, and the government literally classified it as munitions (a word that means military weapons or ammunition). So in a legal sense, a floppy disk or software manual containing an encryption algorithm with a long key was treated like it was a shipment of bullets or missiles! This was part of the U.S. export control policy: similar to how you can’t just ship a rifle or advanced weapon to another country without permission, you couldn’t ship strong encryption code either.

  • Impact on Technology: This policy forced tech companies to make weaker “international” versions of their products. For instance, web browsers and software distributed outside the US often had only 40-bit encryption, because that was the maximum allowed for export. If you were a user abroad, your data encryption was intentionally made weaker by design. The idea was that if encryption was weak, U.S. intelligence (like the NSA) could still potentially break it if needed. Of course, it also meant worse security for everyone else, which was pretty controversial.

  • Why It’s Funny/Ironic: The meme highlights how ridiculous this seems now. The NSA character is looking at a butterfly (which is something innocent and fragile) and calling it “ammunition” (which is something dangerous). Similarly, in 1992, officials looked at a long random number (a strong encryption key) and treated it like a physical weapon. It’s an ironic exaggeration to show how over-the-top that policy was. Today, saying “a 41-bit key is ammunition” sounds as silly as saying “a butterfly is a bullet.”

  • The Aftermath: Groups like the Electronic Frontier Foundation (EFF) and others fought against these rules, arguing that encryption is crucial for privacy and security (for example, protecting people’s communications and online transactions). By the late 1990s, these export laws were relaxed, and companies were allowed to export strong encryption (and we all quickly moved to 128-bit and higher keys for better security). In other words, the government eventually stopped treating long keys like weapons. The meme is a nod back to that strange time in tech history when using a strong password or encryption could literally get you in legal trouble with arms-control agencies!

Level 3: Arms Control for Algorithms

For seasoned developers and security engineers, this meme hits on a notorious chapter of TechHistory: the era when writing software could make you an arms smuggler. The text “NSA 1992” and “KEYS LONGER THAN 40 BITS – IS THIS AMMUNITION?” refers to the Crypto Wars of the 1990s, when U.S. policy treated strong encryption technology as a national security threat. The humor lies in the absurd overreach: imagine an engineer implementing a slightly stronger cipher and the government reacting like they’ve built a new missile. It’s funny and true – back then, encryption really was subject to export control as if it were literal ammunition.

In practice, this led to some crazy workarounds and headaches in the software industry:

  • Export-grade encryption in software: Companies had to create deliberately weakened versions of their products for international use. A famous example is web browsers (like Netscape Navigator) in the mid-90s. The U.S. edition could use 128-bit encryption for SSL, but the international edition was crippled to use a 40-bit RC4 cipher. This meant if you were outside the U.S., your “secure” HTTPS connection was secured by a key trivially small by today’s standards. It wasn’t a technical limitation but a legal one – strong security features were literally stripped down to comply with regulations. Software boxes and about dialogs would even advertise “International Edition – 40-bit encryption” as a feature, which in hindsight is darkly comic. Developers at the time had to juggle two sets of crypto libraries: one strong and one intentionally weak. To ship strong crypto overseas without clearance was to risk federal prosecution for arms trafficking.

  • Activist hacks and workarounds: The tech community didn’t take this sitting down. Phil Zimmermann, for instance, released PGP (“Pretty Good Privacy”) encryption software freely online, and soon faced a federal investigation because posting the code on the internet meant it could be downloaded abroad – effectively “exporting munitions.” In response, activists and organizations like the Electronic Frontier Foundation (EFF) fought back. One legendary protest was the RSA algorithm T-shirt: people printed the entire RSA encryption algorithm (a few lines of code) on a shirt and wore it overseas, cheekily demonstrating how a t-shirt could violate export laws. After all, if those few lines of printed code were run on a computer, they’d produce strong encryption – so the shirt was arguably an illegal munitions export under the letter of the law! These stunts highlighted the absurdity of equating cryptographic keys and code with weapons. (Fun fact: the EFF, which turned 30 years old around 2020, was founded in this era to champion digital liberties like the right to use strong encryption.)

  • Legacy issues decades later: The ripple effects of those policies lasted well into the future. Many systems continued to support those weak “export-grade” ciphers for backward compatibility. This came back to bite us. In 2015, security researchers discovered vulnerabilities like FREAK (Factoring RSA Export Keys) and Logjam, which exploited the fact that servers and browsers still allowed a fall-back to 1990s-era weak encryption. Attackers could force a modern connection to use 40-bit or similarly feeble keys and then crack them, all because that old code was still hanging around. It was a direct throwback to the short-key era: a vulnerability rooted in rules from two decades prior. In other words, that 40-bit key limit that the NSA insisted on in 1992 left a ghost in our machines for years, a piece of technical debt from national security policy.

The meme’s punchline – “Is this ammunition?” – perfectly encapsulates the senior developer eye-roll at those bygone regulations. The NSA agent staring at a butterfly and calling it “ammunition” is a snarky metaphor for bureaucrats eyeballing a harmless cryptographic key and freaking out. It’s a nod to the surreal time when security software was treated like a literal weapon of war. Anyone who’s deployed encryption or studied cybersecurity history can appreciate the irony: the thing meant to protect people’s data was treated as a dangerous object from which people needed protection. This shared memory of industry absurdity makes the meme both enlightening and darkly funny.

// Examples of 90s SSL cipher suite names:
SSL_RSA_EXPORT_WITH_RC4_40_MD5    ← 40-bit key (approved for export)
SSL_RSA_WITH_RC4_128_MD5          ← 128-bit key (“too strong” in 1992)

(Above: In the 90s, your HTTPS cipher might be downgraded to 40 bits if you were using the export-approved version. The notation “EXPORT” in the name was a constant reminder that your security was deliberately weakened.)

Level 4: When Bits Became Bullets

In the early 90s, the U.S. government literally treated certain pieces of cryptography as weapons. Under Cold War-era ITAR export restrictions (International Traffic in Arms Regulations), any encryption technology using keys longer than 40 bits was classified as munitions – the same legal category as guns and bombs. This meant a 41-bit encryption key (just one bit beyond 40) was, in the eyes of 1992 policy, akin to a new bullet in the chamber. It sounds absurd, but it was very real: the NSA and other agencies were deeply concerned that strong encryption might spread worldwide and thwart their surveillance capabilities. They effectively weaponized mathematics, launching the first battles of the Crypto Wars of the 1990s.

Why 40 bits? The strength of a cryptographic key grows exponentially with its length. Each additional bit doubles the key’s possible combinations, drastically increasing the effort needed to brute-force guess it. A 40-bit key has $2^{40}$ possible values, whereas a 128-bit key (common in modern encryption) has $2^{128}$. To put that in perspective:

$$ 2^{40} \approx 1.1 \times 10^{12} \text{ possible keys} \ 2^{128} \approx 3.4 \times 10^{38} \text{ possible keys} $$

That’s about one trillion versus ten undecillion (a number with 38 digits!). With 1990s computing power, 40-bit keys were tough-but-not-impossible for an organization like the NSA to crack, but 128-bit keys were astronomically beyond reach. So from a purely mathematical standpoint, strong encryption truly functioned like armament: an unbreakable cipher was as threatening to a spy agency as a new stealth weapon. The humor in the meme comes from this extreme conflation of math with munitions. A harmless-looking butterfly labeled “keys longer than 40 bits” represents advanced encryption, and the NSA 1992 character is asking if it’s ammunition — a nod to the fact that strong cryptographic keys were literally treated as ammo under the law.

This policy wasn’t just rhetoric; it was enforceable law. Encryption software and algorithms were listed on the U.S. Munitions List alongside fighter jets and missiles. Developers distributing encryption beyond 40 bits had to obtain export licenses as if they were arms dealers. Academic papers on encryption protocols sometimes required approval to publish overseas. Essentially, abstract algorithms and prime numbers fell under arms control. The irony is thick: a few extra bits of key length – just a slight tweak in a math formula – transformed a piece of code from “harmless tool” into “dangerous munition” in the eyes of regulators. The meme captures this irony by parodying the classic “Is this a pigeon?” scene: the NSA guy mistakes a butterfly (innocuous cryptographic keys) for a weapon. It’s a sharp commentary on how the government’s security policy treated mathematical munitions with the same paranoia as physical weaponry.

Description

This image uses the 'Is this a pigeon?' anime meme format to comment on a specific moment in tech history. The anime character is labeled 'NSA 1992,' and he is looking at a butterfly labeled 'KEYS LONGER THAN 40 BITS.' The subtitle below reads, 'IS THIS AMMUNITION?'. The meme humorously references the United States' export regulations during the 'Crypto Wars' of the 1990s. At the time, software with strong encryption (using keys longer than 40 bits) was classified as a 'munition' under the International Traffic in Arms Regulations (ITAR), treating cryptographic code as if it were a weapon. This policy was heavily criticized by privacy advocates and the tech industry, including the Electronic Frontier Foundation (EFF) mentioned in the post's caption, as it stifled innovation and weakened global software security

Comments

13
Anonymous ★ Top Pick Remember the 90s when you could accidentally commit a felony by exporting a web browser? The original military-grade encryption was literally just math the military didn't want you to share
  1. Anonymous ★ Top Pick

    Remember the 90s when you could accidentally commit a felony by exporting a web browser? The original military-grade encryption was literally just math the military didn't want you to share

  2. Anonymous

    1992: “Ship the RC4-40 build or we need an export license.” 2024: “Ship the post-quantum build or we need a breach notification.” Amazing how the definition of ‘munitions’ keeps moving up the key schedule

  3. Anonymous

    The best part about treating 40-bit keys as weapons-grade munitions is that by the time your export license was approved, a teenager with a Pentium could've already cracked it during their lunch break

  4. Anonymous

    Back when the NSA genuinely believed that exporting RSA keys over 512 bits would destabilize global security more than, you know, actual ammunition. Meanwhile, every cryptographer was printing PGP source code on t-shirts and calling it 'free speech' - technically correct, the best kind of correct. The irony? By the time they relaxed export controls in 2000, script kiddies worldwide had already implemented AES in JavaScript. Turns out you can't put the mathematical genie back in the bottle, no matter how many export licenses you require

  5. Anonymous

    1999: 41-bit keys were “munitions”; 2015 proved it - leave EXPORT cipher suites enabled and TLS turns into FREAK

  6. Anonymous

    Ah, the era when shipping 41-bit RSA overseas required ATF paperwork longer than your modulus

  7. Anonymous

    Classifying entropy as ammunition gave us export ciphers - FREAK/LOGJAM were just the interest on that policy-driven technical debt

  8. @pyproman 4y

    What

    1. @anatoli26 4y

      https://en.m.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States

      1. @chupasaurus 4y

        The article doesn't mention the witch hunt for RSA authors

        1. @anatoli26 4y

          Ahh sure, it’s quite extensive topic as a whole. Actually, that’s why OpenBSD (considered the most secure general-purpose OS) was developed in Canada, to stay outside the most democratic country in the whole world 😆

          1. @chupasaurus 4y

            GCHQ might still have a word there, but there isn't a law that mandates the access to data for the officials

  9. @slnt_opp 4y

    I will, if they stop spamming.___.

Use J and K for navigation