It’s worth reading Ray Ozzie’s (Lotus Notes creator) comment on this from a 2013 HN discussion:
Before the software was released, Ray Ozzie and Kaufman openly described what they were doing at an RSA conference. This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.
Also worth reading barrkel’s comment a couple comments down…
For people younger than ~37, I'd remind them that crypto before 2000, especially in shipped commercial products, was playing under substantially different government restrictions.
Effectively and in short, you were prohibited by the US government from shipping strong encryption in any internationally distributed product. Which generally meant everything commercial.
Despite open source implementations of strong encryption existing (e.g. PGP et al.).
Now, no one bats an eye if you ship the most secure crypto you want. Then, it was a coin flip as to whether you'd feel the full weight of the US government legal apparatus.
It was a crazy, schizophrenic time.
It was a crazy, schizophrenic time.
Still is. To this day, we have to debate and justify ourselves to these people. They make us look like pedophiles for caring about this stuff. They just won't give up, they keep trying to pass these silly laws again and again. It's just a tiresome never ending struggle.
And that's in the US which is relatively good about this. Judges in my country were literally foaming at the mouth with rage when WhatsApp told them they couldn't provide decryption keys. Blocked the entire service for days out of spite, impacting hundreds of millions.
Windows 2000 came on a CD... and a floppy disk.
The CD was a globally-legal image, and export-controlled strong crypto came on the floppy in countries where it was allowed.
How hard would it have been for a "rogue state" to get a copy of that floppy? I understand that times were different, you couldn't just PGP encrypt it and attach a 1.44 MB blob to an email, sending it at 24 kbps. You couldn't just upload it to an anonymous filesharing site.
But today it seems fundamentally obvious that once a single copy is leaked, it's all over... was that not true in 2000?
Gnutella, including popular clients like LimeWire, were released around the same time as Windows 2000. People were doing decentralized filesharing of files larger than 1.44 MB just fine in 2000.
Filesharing at that time was just wild, by the way. It was far too easy to set up your client such that you were sharing the entire contents of your computer with the whole internet. More often than not, this was done by the kids in the family on the same machine where mom and dad had their work stuff plus their private finances.
So of course the files were leaked. If you were intending to share something illegal to distribute outside the US, you could easily get plausible deniability just by sharing everything on your computer and feigning ignorance.
Back in those days you didn't even need to be on LimeWire or eMule to look at the contents of someone's home PC. I remember around the late 90s/early 2000s, when I got DSL. This is before consumer grade routers became a common thing in the household. So most people had their PC connected directly to their DSL box. Browsing through Windows shares on other people's home PCs was one of the easiest things to do.
Of course all that stuff was leaked (and there were anonymous filesharing sites). The whole export-grade crypto thing was a legal fig leaf.
It was all extremely silly. Debian took a different approach: before 2005, they put all crypto packages in a separate "non-US" archive, hosted in the Netherlands. American developers weren't allowed to upload there. That way, Debian never exported crypto code from the United States, it only ever imported it.
It was. People were sharing pirated software on BBSes 40 years ago! Downloading a floppy might take an hour. In the 90's, I knew kids who got jobs at ISPs just so they could run warez FTP sites off of the T1.
We were sharing lots of 3-7MB files peer-to-peer at the time :D Napster, Limewire, Audiogalaxy, etc. Plenty of public FTP sites all over the place as well.
Even in the late 90s, 128kbps ISDN connections were not unheard of, and 256kbps DSL was rolling out as well.
Damn, Audiogalaxy! That takes me back! A simple Windows client for downloading (and, well, uploading), and to search and download you go to their website, log in and add stuff to your queue (although I barely remember what the website looked like). Sooner or later someone with the files you want would come online and your computer would begin downloading from their computer.
a copy of that floppy
Mostly off-topic, but your use of rhyme is reminiscent of https://www.youtube.com/watch?v=up863eQKGUI
A few years before that plenty of people were downloading 30ish floppy images over modems to install Slackware or SLS.
Now, no one bats an eye if you ship the most secure crypto you want.
To me, there are only two plausible explanations for the change:
1. The three letter agencies gave up on backdooring cryptography.
2. The three letter agencies successfully subverted the entire chain of trust.
Only one of them is consistent with a workforce consisting of highly motivated codebreaking professionals available working for many decades with virtually unlimited resources and minimal oversight.
The other is what people want to believe.
I think a 3rd option is actually much more likely and (semi) less conspiratorial:
3. NSA realized that "frontal assaults" against encryption were a lot less fruitful than simply finding ways to access info once it has been decrypted.
Would have to search for the quote, but Snowden himself said exactly that, something along the lines of "Encryption works, and the NSA doesn't have some obscure 'Too Many Secrets' encryption breaking machine. But endpoint security is so bad that the NSA has lots of tools that can read messages when you do." And indeed, that's exactly what we saw in things like the Snowden revelations, Pegasus, and I'd argue even things like side-chain attacks.
Plus, I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means. In the case of something like TLS root certificates that makes sense, but there are many, many forms of cryptography (like cryptocurrency) where no keys are any more privileged than any other keys - there is no "chain of trust" to speak about in the first place.
I've long (post-Snowden?) estimated NSA's capabilities are roughly what you imply. Lots of implementation-specific attacks, plus a collection of stolen/coerced/reversed TLS certs so they can MITM a great deal of web traffic. US-based cloud represents another big backdoor for them to everyone's data there, I think.
They've presumably got a pretty vested interest in making sure most communications are legitimately secure against most common attacks - arguably good for national security overall, but doubly good for making sure that if anyone can find a novel way in, it's them, and not any of their adversarial peers.
There's a reason many corporate information security programs don't go overboard with mitigations for targeted, persistent, nation-state level attacks. Security is a set of compromises, and we've seen time and time again in industry that this sort of agency doesn't need to break your encryption to get what they need.
When the NSA for example has access to the Intel ME or AMD's version of it (and I think they do) then they surely don't need to break any encryption. They don't even need to hack. They just would have direct access, to most Desktops/Servers.
Even this is too conspiratorial for me. Not because I believe the NSA wouldn't like access, but because it's not the best approach. Convincing Intel or AMD to have a hidden back door, and to somehow keep it hidden, is a nearly impossible task. Compare that with just hunting for 0-days like the rest of the world, which the NSA has shown to be quite good at.
Not saying there couldn't be a targeted supply chain attack (that's essentially what was revealed in some of the Snowden leaks, e.g. targeting networking cables leased by big tech companies), but I don't believe there is some widely dispersed secret backdoor, even if just for the reason that it's too hard to keep secret.
Did you forget about NIST curve recommendations?
Not at all, considering that coincidentally just yesterday I was having an HN discussion on an unrelated topic about DJ Bernstein, https://en.wikipedia.org/wiki/Daniel_J._Bernstein#Cryptograp....
You're right though, I guess I didn't mean to say that NSA would give up on or would not want back doors into widely deployed crypto algorithms, but even with Dual_EC_DRBG the suspicions were widely known and discussed before it was a NIST standard (i.e. I guess you could say it was a conspiracy, but it wasn't really a secret conspiracy), and the standard was withdrawn in 2014.
I don't even know what "The three letter agencies successfully subverted the entire chain of trust" means.
For one thing, they're interdicting hardware and inserting hardware implants:
IMHO, the IC gave up on the feasibility of maintaining hegemony over encryption, particularly in the face of non-corporate open source. You can't sue a book / t-shirt / anonymous contributors.
Consequently, they still have highly motivated and talented cryptanalysts and vast resources, but they're attacking widely-deployed academically-sound crypto systems.
Hypothetical encryption-breaking machines (e.g. large quantum computers) are too obviously a double-edged sword: who else has one? And given that possibility, wouldn't you switch to algorithms more secure against them?
In reality, the NSA's preference would likely be that no such machine exists, but rather there are brute-force attacks that require incredibly large and expensive amounts of computational resources. Because if it's just a money problem, the US can feel more confident that they're near the top of the pile.
Which probably means that their most efficient target has shifted from mathematical forced decryption to implementation attacks. Even the strongest safe has a weakest point. Which may still be strong, but is the best option if you need to get in.
I don't know much about hardware, but is it not possible that there is a small part of a chip somewhere deep in the highly complex systems we have that simply intercepts prior to encryption and, if some condition is met (a remote connection sets a flag via hardware set keys), encrypts/sends the data elsewhere? Something like that anyway. It seems possible, but idk how plausible it is, and if things like the Linux kernel would be likely to not report on it, if the hardware is not known enough.
Anyway, just suggesting something that wouldn't require quantum cryptography.
As pointed out by another comment above, exfiltration then becomes the risky step.
If that did exist, you'd still have to get packets out through an unknown network, running unknown detection tools. Possible, but dicey over the intermediate term.
Who's to say they didn't just plug a box in, run a fake workload on it, and put all network traffic it emits under a microscope?
I don't buy that it has to be just one or the other. Fundamentally, crypto is just very dense information and once it became widely enough standardized by people who could easily share and apply it commercially, getting even the strongest crypto to the most basic user becomes extremely easy.
Short of blocking the very essence of digital data spread and transactions, the three-letter agencies and the giant governments behind them realized that there was no way to effectively put that particular genie back in the bottle without fucking over too many other extremely well-connected commercial interests.
Thus, while they didn't entirely give up on their bullshit, and keep looking to find arguments for privacy subversion, they realized that roundabout methods were a usable practical course.
That's where we stand today: a world in which there's no obvious way to block something that's so cheaply easy to share and securely be applied by so many people, but governed by technocrats who do what they can to subvert meanwhile.
The fundamental math of crypto is secure, regardless of any conspiracy theories. AES-256, for example, can't just be broken by some secret Area 51 alien decoder ring. The mathematics of good modern crypto simply crush any human computing technology for breaking them regardless of budget. However, the agencies also know that in a complex world of half-assed civilian security and public habits, they still have enough methods to work with without delving into political firestorms.
I've always thought the ratio of average residential network bandwidth to average file size is underappreciated as an arbiter of change.
The only true solution to distribution / piracy is for the file to be so big as to be inconvenient.
Which is why mp3 was such a game changer.
Note that ACME (Let's Encrypt) means that anyone that can reliably man-in-the-middle a server can intercept SSL traffic (modulo certificate revocation lists, and pinning, but those are mostly done by big sites with extremely broad attack surfaces).
Similarly, most consumer devices have a few zero-days each year, if not more, so if you really want to decrypt someone's stuff, you just need to wait a few months.
I think that both your explanations are probably incorrect though. It's a bit of "neither" in this case.
They continue to backdoor all sorts of stuff (they recently were marketing and selling backdoored "secure" cell phones to crooks), and most chains of trust are weak enough in practice.
Note that ACME (Let's Encrypt) means that anyone that can reliably man-in-the-middle a server can intercept SSL traffic (modulo certificate revocation lists, and pinning, but those are mostly done by big sites with extremely broad attack surfaces).
I don't understand why you think ACME means this. Can you explain?
Not the original poster, but if you can control responses to and from a server (MITM) you can get a TLS/SSL certificate issued for it easily. In the old days, getting a cert was quite a hassle! You used to have to fill out paperwork and perhaps even talk to a human. It could literally take weeks.
They aren't backdooring modern open-source encryption. They may have some elite knowledge about some esoteric corner of the code that allows them to theoretically throw a data center at the problem for a month or two, but the days of easy backdoors to decrypting everything in real time are gone imho. It is just too easy to implement mathematically-strong encryption these days. Too many people know how to do it from scratch. The NSA's real job is keeping American systems safe. That is done through creating the best encryption possible. They are very good at that job.
"We kill people based on metadata." -- former head of NSA Gen. Michael Hayden
Fighting against crypto is a public and costly affair, it was deemed easier to twist Intel/AMD's arm a little on the silicon level.
I see another plausible explanation: The NSA is concerned with maintaining security of its own / the government's infrastructure / is interested in finding breaches in infrastructures of others.
(this is speculation, I have no actual knowledge on this)
"Now, no one bats an eye if you ship the most secure crypto you want."
The most surprising thing to me is that, in speaking in the past several years with younger entrepreneurs, they're not even aware of the obligation to file for an export license for any/all software containing crypto (such as that submitted to the App Store).
I've not yet seen a case in which a mass market exemption isn't quickly granted, but devs still need to file - and re-file annually.
Is that still a requirement for US developers?
As in, currently.
When you submit the documentation via Apple, also submitting it to the government is not necessary: https://developer.apple.com/documentation/security/complying...
Essentially Apple built a system so you have to agree to export restrictions with every single build you upload to Apple.
Not just US but other countries had their own restrictions. For example I think France didn't allow anything better than 40-bit encryption without key escrow.
It was a crazy, schizophrenic time.
Or, we are currently experiencing a brief oasis of freedom in between extended periods of encryption lockdowns and controls.
Yup, networks with a neuron count above a certain threshold (2+T?) will likely be on the IDAR restriction list again.
For anybody who hasn't already read it, I highly recommend the book: "Crypto" by Steven Levy. I was 30% of my way through the book before I started recognizing real world events, news stories, whispered computer secrets; and realized that it wasn't a fictional book and was instead talking about real history.
Fabulous book, I found it in a public library when I was 15 or so and it was a hell of an education. Not least because I was already reading about tor and i2p. I'd recommend it to anyone - the story about Phil Zimmermann printing the code to PGP in a book made me laugh my head off.
IIRC this is part of what shifted hardware manufacturing out of the US.
If you wanted to build in the U.S. you had to produce two versions of your product, one with “full encryption” and one with encryption hobbled.
Or you could go build one version somewhere else and import it into the U.S.
Similar situation with space hardware. Even COTS memory chips hardened for radiation and space are ITAR export restricted.
Yeah, I worked at a company up to a few years ago where it was actually a huge competitive advantage for us not being in the US, because the products we designed, manufactured and sold (full satcom terminals as well as the microwave converters in them) would have been ITAR if they came from the US (being ‘dual use’).
Except to Iran, Syria, North Korea…
Also you couldn’t just ship products with a spot where crypto went and remove the crypto. API designs had to go through mental gymnastics to allow crypto without explicitly adding crypto. Which is why you have odd constructs that take strings as arguments and give you encryption back. Sometimes.
And since new languages copy patterns from old to remain familiar, these APIs are still frequently some of the most patience-testing.
It's not completely gone. If you implement crypto in an iOS app you have to get an "export license" even if you're not based in the US or publish your app there.
I’ve had to sign ITAR related paperwork a few times for commercial software specifically because it was made in the US and being “exported” to the UK.
Really boils my piss given a lot of it, upon inspection, just used OpenSSL under the hood.
That this is no longer the case is a fairly strong indication that The Powers That Be have durably resolved the issue of decryption.
Well... some folks still do care.
Also, always makes you wonder, why the standards the OS ships with are exempt...
An ex Microsoft dev did a good breakdown video of NSAkey:
It was an interesting time. I forget the person's name, but I talked briefly with the guy who implemented the crc32 and encryption algorithms for ZIP, and he (almost apologetically) said the encryption was designed to be exportable under those laws. It's still not trivial to break, but you can test millions of passwords on a ZIP archive entry in the time it takes to try one on a modern Office document.
Partial known plaintext attacks are very, very useful when cracking ZIP “encryption”.
I’ve mostly used this to unpack ZyXEL firmware updates (reference below to this), but it also works on a lot of other stuff if you can get a partial plaintext. Some file formats headers might work.
Whether secret or not, it was a backdoor that could be/was exploited. Today governments are asking for 'secret backdoors' from tech companies, not seeing the immense risks. Crazy times.
None of this was secret. I worked at Lotus in the mid-90s and there were 2 versions of Lotus Notes, one for the US and the other labelled "International".
This was not a secret back door. It was compliance with export controls everybody in the industry dealt with.
The author states it correctly. Here is the text from the author "The idea was that they got permission to export 64 bit crypto if 24 of those bits were encrypted for the NSA's public key. The NSA would then only have the small matter of brute-forcing the remaining 40 bits to get the plaintext"
Here is the text from the RSA conference.
Hello, 1st off please don't publish my name on your site. I'm too lazy to set up another cheezy mail acct. Today I downloaded cryptography/nsa/lotus.notes.backdoor.txt from your site. I have a close friend who is a developer for Iris (the people who make Notes for lotus.) I sent him the file I downloaded and asked him what the deal was, and here's his response:
Here's the necessary info to truly understand the issue here; a speech by Ray Ozzie and Charlie Kaufman's white paper on the topic. What it comes down to is that Notes provides superior exportable encryption technology when compared to other US products on the market. For anyone (but the NSA) to crack our international encryption keys they must crack a 64 bit key, the same as with a US encryption key. In the international version we take 24 of the 64 bit encryption key and encrypt the 24 bits with the NSA's public key and send it, encrypted strongly, along with the encrypted message. This means the NSA can decrypt with their key and have 24 of the 64 bit key. They still have to break the remaining 40 bits. 40 bit key encryption has been the max for exportable encryption and that is what all other US exportable encryption providers allow. That limit has just been raised to 56 bits and we are incorporating that as I type. In the worst case: the NSA's private key is compromised, the 40 bit portion of the key still must be cracked. So we haven't weakened the security of international encryption, but actually made it equal to the US security (to everyone but the NSA). We are proud of this arrangement because we have found a way to make Notes as secure as the US government will allow for our international customers. If we hadn't used this technique all of the international Notes encrypted data would be with only a 40 bit key. As it stands, the 64 bit key used in both US and international encryption is extremely secure. It's too bad the author of this article chose to attack Lotus Notes without considering the options the US government provides. We could have just shipped 40 bit encryption like MS, Netscape, etc. and leave our international customers with weak encryption but we didn't. Oh well, you can't make everyone understand, this confusing and frustrating stuff. I hope this helps.
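The arrangement described in the message above, sketched as an added example (not Lotus's code and not from the thread): part of the session key travels in a field encrypted to an escrow public key, so only the escrow holder gets a smaller search. The toy RSA pair, the SHA-256 keystream standing in for the cipher, the padding layout, the function names and the scaled-down sizes (24-bit key, 8 bits escrowed) are all assumptions chosen so the search runs quickly.

```python
import hashlib
import secrets

# Constructed toy parameters. The message describes a 64-bit key with 24 bits
# escrowed; the sizes here are scaled down so exhaustive search takes moments.
KEY_BITS = 24
ESCROW_BITS = 8
PAD_BITS = 64                  # random padding so equal key bits never encrypt alike
KNOWN_PREFIX = b"From: "       # constructed known plaintext used to recognise a hit

# Toy textbook-RSA escrow key pair built from two Mersenne primes (far too small
# for real use; it only stands in for "the NSA's public key" in the description).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def keystream_xor(key, data):
    """Stand-in cipher: XOR data with SHA-256(key || block counter)."""
    kb = key.to_bytes(8, "big")
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(kb + (i // 32).to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext, key=None):
    """Sender: encrypt the message and attach the escrow field with the top key bits."""
    if key is None:
        key = secrets.randbits(KEY_BITS)
    top = key >> (KEY_BITS - ESCROW_BITS)
    padded = (top << PAD_BITS) | secrets.randbits(PAD_BITS)
    return keystream_xor(key, plaintext), pow(padded, E, N)


def open_escrow(escrow_field):
    """Escrow holder: recover the escrowed top bits with the private exponent."""
    return pow(escrow_field, D, N) >> PAD_BITS


def search(ciphertext, known_top=None):
    """Exhaustive key search. Returns (key, trials); key is None if nothing matched."""
    low_bits = KEY_BITS - (ESCROW_BITS if known_top is not None else 0)
    base = (known_top << low_bits) if known_top is not None else 0
    head = ciphertext[:len(KNOWN_PREFIX)]
    for trials, low in enumerate(range(1 << low_bits), start=1):
        if keystream_xor(base | low, head) == KNOWN_PREFIX:
            return base | low, trials
    return None, 1 << low_bits


def work_factor(key_bits, escrow_bits):
    """Worst-case trial counts: (party without the escrow key, escrow holder)."""
    return 1 << key_bits, 1 << (key_bits - escrow_bits)


if __name__ == "__main__":
    ct, field = seal(b"From: alice@example.test\nquarterly numbers attached")
    top = open_escrow(field)
    key, trials = search(ct, known_top=top)
    print(f"escrow holder recovered key {key:#x} after {trials} trials")
    print("page's sizes (64-bit key, 24 escrowed):", work_factor(64, 24))
```

The escrow field protects the escrowed bits only as well as the escrow private key is protected; whoever holds that key faces the reduced search the message describes.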
Some previous discussions all mentioning Lotus Notes in the title:
4 years ago
8 years ago
10 years ago
NSA's Backdoor Key from Lotus Notes (2002) - https://dstill.ai/hackernews/item/21859581 - Dec 2019 (87 comments)
NSA's Backdoor Key from Lotus Notes - https://dstill.ai/hackernews/item/9291404 - March 2015 (51 comments)
NSA's Backdoor Key from Lotus Notes - https://dstill.ai/hackernews/item/5846189 - June 2013 (85 comments)
Good ole' "NOBUS." More fun NSA fumbles:
This and the Clipper Chip aren't NOBUS. The NSA doesn't want you to know that the cryptosystem has law-enforcement access capability. The FBI doesn't care if you know as the kinds of criminals they are attacking don't do OPSEC.
NOBUS isn't just intentional vulnerabilities, it's any vulnerability assumed to only be exploitable by US IC, whether engineered or otherwise.
I think these qualify.
It's amazing to me that the folks at the NSA had enough self-reflection to see that this is Big Brother behavior, but not enough to realize why that's a bad thing.
The 'Big Brother' thing doesn't shock me, I know about it for some time now. At least you can still believe a modicum they maybe have good intentions... You know, protecting us from bad guys or something...
But the 'MiniTruth' thing... Wow, just wow...
Context: The Ministry Of Truth in the 1984 novel is the service dedicated to propaganda, in which the whole society is drowned. Everything about the society they live in is a lie...
It just blows away any hope of good intention from their part.
The last time I read about something so cynical, suggesting so much contempt for the people they pretend to serve, with such carelessness, is when it was revealed that the FTX internal chatroom was called 'Wirefraud'.
Wasn't the original backdoor in a code example the NSA provided to companies interested in using cryptography? They gave an example seed or whatever, and most companies copy/pasted it instead of generating their own primes, so the NSA could break it trivially.
My memory around this is fuzzy and I can't seem to find the original source.
I wonder how difficult would it be to brute force the private key for an RSA 760 bit public key from 1998. Does anyone know?
https://en.wikipedia.org/wiki/Integer_factorization_records and https://en.wikipedia.org/wiki/RSA_numbers gives some pointers. Specifically, the latter describes a 768 bit key being factored "on December 12, 2009, over the span of two years", with CPU time that "amounted approximately to the equivalent of almost 2000 years of computing on a single-core 2.2 GHz AMD Opteron-based computer".
Later, in 2019, a 795 bit key was factored with CPU time that "amounted to approximately 900 core-years on a 2.1 GHz Intel Xeon Gold 6130 CPU. Compared to the factorization of RSA-768, the authors estimate that better algorithms sped their calculations by a factor of 3–4 and faster computers sped their calculation by a factor of 1.25–1.67."
So assuming the better algorithms transfer to smaller numbers, someone who knows how to use them (factoring big numbers seems significantly harder than just running CADO-NFS and pointing it at a number and a cluster) could probably do it in a couple months on a couple dozen modern machines.
For example, using the "795-bit computations should be 2.25 times harder than 768-bit computations" from the publication accompanying the second factorization, we could assume 900/2.25 = 400 Core-years of the Xeon reference CPU (which is 6 years old by now) would be needed to break the smaller key with the modern software. Two dozen servers with 64 equivalently strong cores each would need slightly over 3 months. Not something a hobbyist would want to afford just for fun, but something that even a company with a moderate financial interest in doing could easily do, provided they had people capable of understanding and replicating this work.
Classic CPU hasn't held a candle compared to GPU on very repetitive math calculations. AI this year has really shown the same difference. In other words, it isn't just graphics... https://www.spiceworks.com/it-security/identity-access-manag...
I assume there is some reason why the past factorizations weren't done with GPUs. It could be just lack of a good implementation and insufficient numbers of people interested in the topic, but it could also be something about the algorithm not being very suitable for GPUs.
Someone has tried to factorize it before (2018) http://factordb.com/index.php?query=444376527415060195687748...
Always depends on what resources you have (compute, time). It's possible, but not easy.
Oddly specific question, something in particular on your mind?
Now with the cloud none of this is necessary. With data at rest laws, all our email older than six months is open game.
Dupe (2002!) https://dstill.ai/hackernews/item/21859581
With no context, I don't know why this is front page news today. Am I missing something?
This would be a repost rather than a dupe.
HN considers dupes to be stories with significant discussion repeated within a year. (Items with little or no discussion can be resubmitted a few times.)
Stories reshared after a year are reposts, and are perfectly fine, though it's appreciated to have the item's original publication year included in the title.
Are you asking what reposts are?
No. I'm pointing out that (a) it's not marked as being from 2002 and someone would therefore assume it was some newly discovered backdoor and (b) there's no context or commentary as to why it is relevant in 2023.
Also, on closer inspection the story is from 1997 https://catless.ncl.ac.uk/Risks/19.52.html#subj1
I'd wager that it's still relevant today because the NSA is still the world's greatest wholesale violator of human rights, at massive scale, and literally nothing effective has been done about this situation - we are still tolerating this repression, because we don't see it and simply don't care enough about the human rights violations, as a people, to rein in this out of control agency.
Bringing these articles to light is of great utility to those of us who do not consider the NSA state of affairs to be, in any way, tolerable.
the NSA is still the world's greatest wholesale violator of human rights, at massive scale, and literally nothing effective has been done about this situation - we are still tolerating this repression
I don’t approve of their actions but turning the hyperbole up to 11 doesn’t help. There are millions of people in China who’d love to be only that repressed, for example.
You can always rely on an American to bust out the China hate train when challenged on the facts of their own empire's crimes ..
Did you miss the fact that the NSA is literally violating the human rights of billions of people (including the Chinese), while China in the meantime has brought a billion people out of poverty conditions into their new middle class?
There are millions of people in China who’d love to be only that repressed, for example
I seriously doubt you understand the nature of this fallacy. Meanwhile, how many families live under a broken bridge in the USA, just because Mom got cancer? Those 1,000 black-ops CIA sites around the world - you know for sure what they are being used for, eh? No torture?
Seriously, get a grip. The moral authority you claim is a fallacy.
... are you serious?
You don't think military invasions & communist dictatorships constitute "wholesale violation of human rights at a massive scale"?
If the NSA is spying on people, that's an invasion of their privacy, but it is nothing in comparison to those other violations
It's a massive, wholesale violation of human rights, which can then be used as further justification for more atrocities and calamity at the hands of the US' military industrial complex ..
And yes, the USA is still the world's worst violator of human rights, bar none. The NSA is why.
The NSA violates privacy at scale - a lot of little violations of civil liberties. It's the difference between robbing a man for everything he has, versus pick-pocketing 30 cents out of the pocket of every person on the planet.
Furthermore, they're part of a larger intelligence apparatus that has absolutely committed very large and very harmful violations of civil liberties. The NSA's sister org, the CIA, was overthrowing democratically elected left-wingers in South America for decades, replacing them with brutal dictators and tyrants that gave both Hitler and Stalin runs for their money. The CIA wrote the book on how to do so, arguably even more so than the KGB did. In fact, the reason why Russia today is so effective at information warfare and covert propaganda is specifically because they learned from observation.
 Not(?) to be confused with Russia Today
I think a Microsoft coder recently came clean about some pretty funky stuff from the 90s and 00's. Hope I didn't hallucinate that.