For the next few years, tensions seemed to ease between the government and the newly emerging independent forces in the world of crypto. After Bobby Inman’s unsuccessful campaign to censor crypto researchers legislatively, the agency seemed willing to coexist with academics treading on turf it once had owned exclusively. There might have been some wishful thinking in all of this, a sense at the NSA that all of these greenhorn academics were unlikely to turn up anything that might truly threaten The Fort’s mission. If the bureaucrats behind the Triple Fence believed that, though, they were in deep denial. The seminal breakthroughs at Stanford and MIT had turned a beacon upon the imaginary crossroads of crypto, where mathematics, computer science, and data security met. In 1971, when Whit Diffie wanted to talk to someone about crypto, he had to travel miles for morsels. A decade later, over a hundred members of the new crypto community were spending days together on a Pacific beach, discussing everything from cutting-edge algorithms to cryptanalysis.
The “Crypto” conferences began in 1981, when a University of California at Santa Barbara electrical engineering professor named Alan Gersho invited about 120 potential attendees to his campus, a sprawling collection of modest structures on a bluff overlooking the ocean. He’d gotten the names from a list Len Adleman had compiled of people who’d shown an interest in nongovernmental cryptography. Gersho had wheedled a grant from the National Science Foundation to stage the event. About one hundred people showed up, including Diffie, Rivest, Merkle, and other newly minted luminaries in Cipher Land. They delivered papers—many of them offering refinements on the new public key schemes like knapsacks and RSA—gave talks, and schmoozed at cafeteria lunches and a barbeque on the beach. Gersho had planned the conclave as a one-time gathering, and despite the excitement, there were no immediate plans for a follow-up. Not long afterward, some European cryptographers held an invitation-only meeting in Germany, but that was also designed to be a stand-alone event.
It was a then-minor player in the Santa Barbara shindig, a mere graduate student, who actually took the lead in making sure that such meetings would be held regularly. His name was David Chaum, and he would not be a minor player in the field for long. Working with no support, he got a copy of Adleman’s list of crypto academics and began organizing a return to the beachfront campus. Chaum also felt that the overseas event should be repeated, but under a different group of leaders. He hadn’t been invited to the German meeting but had gotten the impression that its organizers were “a little off to the right.” So he talked to some European cryptographers about organizing an annual spring “Eurocrypt.” Finally, Chaum thought that both yearly shebangs should be under the care of an actual organization of independent cryptographic researchers. He quietly made plans to form such a group. His inspiration was a speech by Martin Luther King Jr. he’d once heard that emphasized the word “organization” as a path to liberation.
Concerned about possible pressure from the NSA to smother his plans in the bassinet, Chaum kept his communications to a minimum. You never know who’s listening, especially in a government of snoops. He took care to compartmentalize the information he discussed with people: while he landed Ron Rivest to chair the Santa Barbara conference program, for instance, he didn’t share his plans for the crypto society with Rivest. He avoided the telephone, instead arranging face-to-face meetings with those he wanted to reach. He typeset the conference notices himself, and got them printed at the same small Berkeley type shop that produced Covert Information Bulletin, a well-known newsletter critical of U.S. intelligence activities.
His efforts paid off: the second conference, Crypto ’82, turned out to be even more exciting than the first. Serendipitous events, like the freewheeling “rump session” held toward the end of the week, solidified into traditions. The rump sessions, usually hosted by Diffie, mixed frivolous parodies of mathematics papers with serious, last-minute cryptological developments, but the tone was often raucous and irreverent. One year, speakers were required to speak in a code that replaced certain words with silly alternatives (for instance, instead of “Diffie-Hellman,” you had to say “Coke bottle”). Missed cues were greeted with a shower of water. Another year, some foreign visitors took too literally Diffie’s announcement that there would be a special session before breakfast the following morning with ninety minutes of Belgian jokes.
One well-anticipated session at Crypto ’82 was the presentation of a collection of papers on cryptanalysis, chaired by Whit Diffie. The very inclusion of the topic on the agenda couldn’t have pleased the NSA: in its view, any knowledge of codebreaking outside the Triple Fence represented a possible threat to its own codes. Diffie himself had been worried that the session would be a bust. Over the winter he had arranged for the presentations. But one by one, for various reasons, his presenters dropped out. By late spring only one survived—a talk entitled “The Bombe at Bletchley Park,” by one of the original World War II codebreakers.
It was Adi Shamir who came to the rescue. Shamir had been studying Ralph Merkle’s knapsack scheme for public key cryptography. And now, several weeks before the conference, he thought he had broken it, at least the weaker variation of the system known as the single-iteration knapsack. In the days following his announcement, others figured out a way to use his techniques—which themselves were based on mathematical innovations discovered by Hendrik Lenstra—to launch wider attacks. Diffie’s panel would be the ideal time to test these ideas. So by the time the cryptographers met in Santa Barbara that summer, Diffie’s program was filled with would-be assaults on knapsacks.
The most interesting one would be Len Adleman’s. He not only had come up with a variation on Shamir’s ideas, but had also actually programmed the technique on his Apple II personal computer. The cryptographers in Santa Barbara decided to try a little experiment. During the first night of the conference, a gauntlet was tossed to Adleman—an encrypted knapsack message. Could he use his little machine to decode it? (If so, he would presumably collect the $100 reward Merkle had offered some years earlier.) The answer would come a couple of days later, right there in Diffie’s session, when Adleman’s attack would either bring him new glory—or leave him mortified in front of his crypto contemporaries.
Adleman was scheduled to speak last. “The hour passed,” Diffie later recounted. “Various techniques for attacking knapsack systems with different characteristics were heard; and the Apple II sat on the table waiting to reveal the results of its labors.” When Adleman came forward to speak, he appeared anything but confident. He said he’d give “the theory first, the public humiliation later.” (He subsequently would explain that the humiliation he referred to was not Merkle’s but his own, if “the numbers didn’t turn out right.”) Then he proceeded with a description of his methods. While he talked, Carl Nicolai (the inventor whose crypto device had been temporarily suppressed by an NSA secrecy order in 1978), fiddled with the Apple II, which had been working away for the past few days, using Adleman’s formula to crack the encrypted message. Before long, Nicolai began painstakingly copying a screenful of numbers from the Apple’s monitor onto an overhead-projector transparency sheet.
Finally, Adleman finished describing how his attack worked. It was time to see whether it worked. Nicolai gave the transparency to Adleman, who handed it to Adi Shamir. He also gave Shamir the sealed envelope with the numerical message encrypted earlier in the conference. Shamir placed the sheets side by side in the overhead, beaming the results on the screen. They matched precisely.
Diffie would later write that “the public humiliation was not Adleman’s—it was the knapsack’s.” Indeed, this crack was the penultimate blow in what would turn out to be the utter destruction of the groundbreaking, clever, yet ultimately useless Merkle knapsack public key cryptosystem. The coup de grâce was instigated by Merkle himself. Paying the $100 to Adleman had not been particularly traumatic; Merkle had half expected someone to break the single-iteration knapsack scheme, which was the much weaker cousin of the real thing, the multiple-iteration version. In fact, Merkle felt secure enough to cast another challenge. In November of that year, he wrote a letter to Time magazine, offering $1000 to the first intrepid cryptanalyst who successfully decoded a multiple-iteration knapsack. Two years later, Merkle had to write a check for a cool grand to a researcher from Sandia National Laboratory named Ernie Brickell, who used a government Cray supercomputer to rip open a 40-iteration knapsack. When later asked what the problem was with the knapsack scheme, Merkle was succinct: “It didn’t work.”
The significance of the knapsack attacks went far beyond the destruction of Merkle’s system. In fact, the moment at which Len Adleman’s Apple publicly destroyed a potentially valuable cryptosystem could be seen as a symbolic turning point in the still uneasy balance between the NSA-affiliated crypto spooks and the swelling ranks of outsiders who independently studied the protocols of crypto and routinely published their results. It was now clear that simply by sending scientists to a conference and subscribing to a few journals, a foreign government could get the kind of training in cryptology that was previously limited only to a sanctioned elite. It meant that codebreakers everywhere would be more resourceful. Only months before, government critic George Davida had mocked the NSA’s calls for prepublication review by asserting that the agency’s biggest worry—that the outsiders would circulate codebreaking methods—was ridiculous. “Researchers do not engage in cryptanalysis,” he wrote. But clearly, they did.
Some at the NSA understood the threat that an independent crypto community represented: one of them approached Diffie and glumly observed, “It’s not that we haven’t seen this territory before, but you are covering it very quickly.”
The only thing worse for the NSA would be watching the work of these academic cryptographers put to practical use. If an industry could be built on selling cryptography, and masses of people started using coding technologies, then the clear unencrypted signals intercepted by the NSA’s listening devices—whether cell phone calls or computer e-mail and files—would change to a dense white noise, a chaotic fugue that the agency’s computers might, with some effort, decipher. Or might not.
Could crypto be commercialized? Although the common use of personal computers, and, later, the Internet, demanded a way to protect information and verify who was sending it, the means of getting there was at best a rutted path. The bumps and potholes in that road are best illustrated by the fortunes (or lack of them) of the company founded by Ron Rivest, Adi Shamir, and Len Adleman. As with their landmark algorithm, the firm bore their initials. But while the RSA algorithm quickly reached an enthusiastic audience, the trajectory of their commercial operation initially threatened to resemble a busted missile launch.
In fact, despite the rosy predictions of a crypto Renaissance in the seminal Diffie-Hellman and Rivest-Shamir-Adleman papers, there was little reason in the early 1980s to believe that serious bucks would ever be earned with the technology. Who would get venture capital to manufacture crypto products? How would those products be built into systems so that one could reasonably be assured that a scrambled document could actually be unscrambled by its recipient, or that the person receiving a digital signature would have the wherewithal to verify it? Nobody knew whether actual paying customers would be willing to put up with the difficulties that would come with having their computers crunch huge numbers for encryption and authentication. In fact, nobody knew if a substantial enough set of customers existed who were willing to pay for those things at all. “Some people said our stuff might turn out to be useful, but it wasn’t clear whether this would turn out to be successful in a commercial sense,” says Rivest.
Still, the universities that had employed the crypto researchers hedged their bets by patenting their public key breakthroughs. In December 1977, MIT filed for its patent on the RSA algorithm. Ironically, the very act of filing for a patent made crypto’s widespread adoption potentially less likely. There was a definite Catch-22 aspect to claiming crypto as intellectual property: if algorithms were patented, then they could be used only by those who licensed them from the owners (presumably for a fee). But such tariffs might create a disincentive to universal adoption. If crypto was to be useful on a large scale, it stood to reason that everyone had to be using the same system, a convergence that would come about much more quickly if the system was free. It was a classic example of the Network Effect, a positive feedback loop in which value comes only with ubiquity. If everyone wasn’t using the same algorithms, then communicating with others in secret would be infinitely more difficult. It would be as if Bob had to worry about what brand of phone Alice used before he could ring her up.
Not that this bothered the institutions that helped subsidize the public key research. While MIT had only the RSA system as its intellectual property, Stanford actually pursued a number of patents, ranging from a general claim for public key crypto to more specific implementations, including the Diffie-Hellman key exchange protocol and Merkle’s knapsack scheme.
But the benefits of holding patents would be limited. For one thing, the largest current market for crypto—the government—didn’t have to pay to exploit either the Stanford or the MIT work. Both sets of cryptographers had enjoyed the support of the National Science Foundation, and the fruits of such subsidized research were, by law, available without charge, in perpetuity, to any and all federal agencies. And if that weren’t enough of a handicap, it turned out that both the Stanford and the RSA patents were valid only in the United States. In the case of both breakthroughs, the researchers had presented their findings before actually applying for the patent, an innocent mistake that didn’t affect their patent rights in the States but that did (because of the way patents are treated abroad) disqualify them from such protection in Europe.
Still, once the patent filings were under way, it became clear to Rivest, Shamir, and Adleman that they still had the inside track on exploiting those patents. MIT was known to be generous in licensing its intellectual properties to the people who actually created them. (Any other stance would have risked a faculty revolt.) But the trio faced a unique situation: their crypto scheme had the potential to be a worldwide standard for privacy and commerce, but so far, the only thriving commerce in the field was in the realm of defense contractors and the relatively new market for DES-based products for financial institutions. In any case, none of the three researchers had any business experience. Nonetheless, they decided to forge ahead, hoping to transform their mathematical breakthroughs into something that actual human beings could use to communicate. Their hopes were high, and at least one of them thought that a payoff was around the corner. Len Adleman splurged on a flashy red Toyota. “It cost three or four thousand bucks, a big investment since I was making, like, thirteen thousand a year,” he says. “But I thought I would soon have money to throw away.”
One of the problems in the late 1970s was that the most common general-purpose computers were too weak to generate good RSA encryption. In order to efficiently perform the calculations required to generate primes for a key and do all the mathematics required in encryption, decryption, and authentication, the MIT professors essentially would have to build a little computer-within-a-computer (on a circuit board loaded with specially designed chips) dedicated to those tasks. Rivest, aided by his colleagues, began working on such a device. After months of work they came up with hardware that could crunch two 50-digit primes in less than a second.
Then reality sank in. There was no way that these relatively expensive circuit boards could become a mass-market product. It was absurd to assume that millions of people would pay several hundred dollars to install a complicated circuit board inside their computers in order to participate in a revolution that they hardly understood.
So in 1981, the MIT trio came up with a more plausible scenario. They would put the RSA algorithm on a chip. Semiconductor chips could be mass-produced, and when millions of them were churned out, their costs shrank. You could even put tiny chips on credit-card-sized “smart cards” for people to carry around.
The timing seemed right. Just a few years earlier, when IBM used its vast resources to make history by putting DES on a chip, it had been inconceivable that a few academics could attempt such a feat without a passel of deep-pocketed investors. Back then, such a feat would have been about as unlikely as a few grad students in some random engineering department deciding to launch a rocket to the moon. But in the interim, a Caltech professor named Carver Mead had changed all that. Mead, a veteran of the Silicon Valley semiconductor industry, was the guru of Very Large Scale Integration (VLSI), a technology that shrank what was once a huge computing machine into a thumbnail-size silicon chip. Eager to encourage research in the field, Mead had not only published a book on the subject, but helped set up a fabrication facility—known as a fab—to help academics actually build their own chips. At the time MIT was gearing up its own VLSI program, and Rivest signed up to run an experimental project that would result in getting the entire RSA process on one of those tiny chips.
Meanwhile, they continued what had become an ongoing, if unintentionally comedic, effort to interest a big business mogul—any mogul—in the world of cryptography. As math nerds unschooled in the niceties of venture capital and unsuited for poker-faced negotiations, they were at the mercy of any random suit they hooked up with. But sometimes they lucked out and met someone who actually connected with the religion of it all. One such fellow was Pat Cremen, a loquacious Irishman who worked for the big Ericsson electronics firm. But he, too, was more of a vision seeker than a deal cutter. After examining the MIT crew’s algorithms, he broke into rhapsodies about the coming age of electronic wallets and virtual money. Rivest and his colleagues were transfixed by that vision, and probably wound up mentally counting the megabucks that would fill their own digital wallets when this new world came into being. They traveled to Dublin to pursue the idea. While the mutual admiration society was morale building, it turned out to be nothing more than that. Cremen ultimately failed to convince his bosses at Ericsson to put up the bucks.
Maybe the bosses were right. There is a telling anecdote from this period. To implement RSA on a chip, the MIT scientists found themselves on the cutting edge of VLSI chip design. They had to invent their own tools, which potentially became valuable intellectual property in and of themselves, stuff that corporations and foreign spies might covet. For instance, in order to keep track of the hundreds of thousands of logic gates and transistors on the chip design, Rivest wound up writing elaborate chip-simulation software to organize the project. His program made things much easier when negotiating the chaos the scientists were generating on the fifth floor of Tech Square—when they would spread out huge layouts of the chip, parts of which Adleman had designed, parts of which Rivest had modeled, and other pieces that Shamir had created—wondering where this wire went or what that transistor did. So much easier, in fact, that it began to dawn on the trio that the software they were using to create the chip might have as much commercial or military value as the RSA algorithm itself.
By creating this valuable technical property, they found themselves in the situation in which they imagined their future customers might one day be: possessing secrets worth protecting and in need of a system to protect it. So one night they sat down together and wondered whether they should protect all their precious ideas . . . by encrypting them. Did these pioneers of cryptography indeed use their own system to protect their ideas? “I remember our decision was, ‘Naaah, it’s too much trouble,’ ” says Adleman. “Too much work to encrypt it. And we never did.” The irony was lost on them. But the reality was they were harboring big-time hopes for a technology that even its inventors considered a pain in the ass to use!
They all thought that Rivest’s chip-simulation system was a masterpiece. “We didn’t just throw this thing together and hope that a hundred thousand things were going to work out,” says Adleman. “Ron’s software simulated the chip according to Mead’s rules.” Because the simulation was sound, boasts Adleman, “we knew the chip would work.”
But when they tested the actual chip, it didn’t work. Instead of crunching primes and other stuff, it did nothing. Adleman blames the failure on their overreliance on Carver Mead’s publications. “The rules in his book weren’t complete,” he says. But in fairness to Mead—who in any case wasn’t working for the MIT trio—the RSA project was larger than any he had contemplated to date. While other researchers were creating little baby projects like chips that would operate streetlights, the MIT people were using advanced mathematical algorithms, with huge prime numbers and zillions of calculations, to choose keys, encrypt text, decipher scrambled missives, process public keys, and sign messages with digital signatures. So much was going on that the silicon “wires” in the chip were, by standards of microtechnology, extremely long, sort of nano-equivalents of transatlantic cable. This made it all too easy to place those silicon microthreads too close to each other, causing deadly “crosstalk” that would flip bits and ruin the calculations. That’s not what you want when performing precision math.
“It had simulated perfectly.” Rivest sighs. “But the fabrication process didn’t return working chips. It probably just needed some little tweak in the processor design.” In other words, though the experiment was a technical failure, Rivest was confident that the system could ultimately work. Still, the failure to produce a working prototype was not a great selling point.
Nonetheless the three scientists persisted. In 1983, they formally joined the world of commerce by creating RSA Data Security, Incorporated (they had originally hoped to call it simply “RSA,” but that was the name of a garbage collection company in Maine). There was no product, no customers, and no evidence of demand. And not even their dreams at that point flirted with the possibility that one day hundreds of millions of people would use their new company’s technology on a daily basis.
By that point, Len Adleman was getting fed up with the whole process. He felt that he was getting further away from where his talents lay, in theoretical math. All the intellectual effort expended in squeezing formulas into silicon, he thought, might be better spent trying to discover Fermat’s last theorem or some similarly epochal challenge. Still, he hung in, hoping that if he and his colleagues could get their new company on a solid commercial footing, they would cash in. Then Adleman, at least, could return to his vocation, gleefully covering white-boards with intricate equations that had no discernable practical application.
As mathematicians, they knew that the principle of Occam’s razor applied: the shortest solution to the problem was a straight line. But in this real-world puzzler of making a business succeed, there were endless detours in getting to point B. “We were clueless on this stuff,” says Adleman. Their first CEO was the reluctant Adleman himself, a man whose head was clearest when among the clouds. “At various times I was the prime mover; other times it was Ron,” he says now. (Adi Shamir, in the process of moving back to Israel to work at the Weizmann Institute, wasn’t as active.) Adleman naively figured that he’d handle this moonlighting lark in the spare moments left over from his new post as an associate math professor at the University of Southern California.
They did understand they needed someone with experience to advise them. Somehow, they hooked up with a business consultant named Ted Izen, who was able to concoct one thing that the three brilliant MIT professors collectively had not managed to produce: a business plan. They also looked to Izen to come up with investors—fast. After months of delay and revision, the government was expected to finally grant MIT the patent for the RSA work. The Stanford patents had already been granted; on April 29, 1980, U.S. Patent 4,200,770, “Cryptographic Apparatus and Method,” credited Diffie, Hellman, and Merkle as the inventors of public key cryptography. And on August 19 of that year came another Stanford patent, for the work of Hellman and Merkle. Called “Public Key Cryptographic Apparatus and Method,” it specifically dealt with knapsacks but more broadly claimed to cover any implementation of the public key idea.
The impending MIT patent built upon those Stanford patents to cover the RSA algorithm. If the new company was to succeed, it required the exclusive rights to that innovation; otherwise, more established competitors could simply license the RSA work from MIT and blow away the company formed by the actual R, S, and A. Here’s where MIT’s generosity kicked in. The university agreed to grant Rivest, Adleman, and Shamir the exclusive rights to their invention. For a price—$150,000. (Generosity goes only so far.) Where would these young math professors find that kind of cash?
Izen delivered the answer: a Reno, Nevada, physician and businessman named Jack Kelly. He had a company called Sierra Microsystems in Lake Tahoe that designed chips and which could be a potential business partner for this new company. One day Kelly flew his private plane to Burbank to meet with the RSA trio. For the researchers, the easy part turned out to be convincing him that in an emerging information age, a technology like RSA’s was going to be absolutely pivotal. The harder part was forging a deal that the novice entrepreneurs would feel good about in the morning. Adleman later came to view the experience at a philosophical distance. “He was an experienced businessman, and I was an inexperienced businessman,” he says. “And when that combination gets together, it is often the case that the inexperienced businessman gets some experience.”
Nonetheless, Kelly provided the requisite six-figure sum—$225,000—that RSA Data Security needed to survive. And so, when, in September 1983, MIT was granted U.S. Patent 4,405,829, entitled “Cryptographic Communications System and Method,” its inventors were ready. Nine days later the fledgling company paid MIT the $150,000 (plus 5 percent of all its future revenues) for exclusive rights to the patent.
With a real investment and control of its intellectual property, it was time to begin behaving like a business, creating and selling uncrackable cryptographic tools to anyone with a computer. With the remainder of Kelly’s investment, they set up an office in Silicon Valley and hired a professional manager to run the company. His name was Ralph Bennett. He had an impressive résumé—he’d worked at respectable companies like Fairchild Semiconductors—and from the point of view of the MIT professors, this fifty-something businessman seemed as good as anyone else around.
With Bennett’s help, the company began gathering a workforce, including a sharp young marketer named Bart O’Brien. Even to an academic like Len Adleman, O’Brien, who had worked for a Florida high-tech company called Paradyne, was impressive. He was a slick dresser and an aggressive salesman who dreamed of running his own business. One day Adleman accompanied O’Brien on a sales call and was dazzled at the deft manner with which O’Brien parried the potential customer’s objections.
Having deemed the RSA-on-a-chip scheme too complicated, the team’s first product was to be a software program mainly used to encrypt e-mail and stored data on personal computers. It would be called Mailsafe, a public key cryptosystem that would run on the most popular business personal computer, the IBM PC, and its clones. Adleman worked on the algorithms and Rivest concentrated on the implementation. Though Adleman did not find the work as intellectually thrilling as pure theory, he was engaged by the challenge of the alchemy of commercial programming, discovering tricks to make the math routines run more efficiently.
Since both professors were working in their spare time, Mailsafe turned out to be a long project. During the development period, of course, RSA Data Security had no revenues. And Kelly’s investment was just about dried up. The situation became increasingly desperate. In theory, the company could get income from outside investors or advances paid on licensing deals. But under Ralph Bennett, not much of that was happening. Some of the people involved with the company would later claim that Bennett didn’t understand the nature of high-tech start-ups, and he wasn’t ideally prepared to evangelize the groundbreaking area of cryptography. In any case, the state of the young enterprise was, to say the least, precarious when Bart O’Brien called upon an old Paradyne friend of his named Jim Bidzos to help out with sales for RSA.
At the time, it seemed like just one more random call. But the entrance of Jim Bidzos not only changed the future of the company, but the technology itself. Crypto had found its first supersalesman. And the repercussions would ripple from Silicon Valley to Fort Meade.
Jim Bidzos was an unlikely savior for public key cryptography. The closest he came to processing algorithms was figuring out backgammon odds in the high-stakes Las Vegas tournaments he liked to frequent. Bidzos was then thirty-one, a Greek national born on February 20, 1955, in a mountainous region near the Albanian border: “A very, very small village in the middle of nowhere, no roads, maybe seventy people,” he says. Bidzos’s family had been there for ages; his father had taken a bride from a neighboring village in an arranged marriage. Bidzos was the second of four children, born in a small stone house. In the late 1950s, his father left Greece to do what Bidzos calls “the classic immigrant thing: he didn’t speak the language, had no training, no education, no skills, but he joined some people from the village who had gone to Ohio.” About two years later, when Bidzos was five, he and his mother and siblings followed.
Young Jim Bidzos took to America quickly. While his parents instilled some values from the old country in him, his iconoclastic nature seemed to fit the looser pace of American life. A naturally bright, though not particularly diligent, student, he breezed through school. He describes himself as a rebellious teenager: not necessarily a troublemaker but the kind of kid who made it a point to do precisely what he was told not to do. He wound up in the marines. After his military stint (though not as a U.S. citizen; he held, and still does, a Greek passport), Bidzos attended the University of Maryland. While he majored in business, he did take some courses in computer programming. He claims to have written one of the earliest computer viruses, “just to prove it could be done.” After a couple of years at Maryland, he took a job at IBM and never went back to school.
In the early 1980s, he got a visit from a headhunter. Would he be interested in working for Paradyne, a Florida firm that made networking equipment for IBM mainframes? The position was in marketing, but technical skills were required to explain products to customers. Paradyne was a fairly buttoned-down company, with almost two football teams’ worth of vice presidents who had come over from IBM and had adopted some of the company’s uptight culture: the black shoes, the starched white shirts, the feeling that you’ve screwed the pooch if you’re the first one to leave on a given day. But Bidzos had learned how to play the corporate game. Indeed, he thrived at it, racking up a series of promotions. At Paradyne, he also learned how to use an expense account. During vacations he’d blow off steam: his passions included motorcycle racing, high-stakes backgammon, and women. His journals from the seventies are permeated with notations about this woman or that. Still in his late twenties, he was living a Hugh Hefner–esque bachelor existence.
This status was endangered only once, by a young woman he began dating; Bidzos sensed that she might really be the one. The matter was brought to a head by a change in his job situation. Bidzos had been getting bored at Paradyne. The white-shirt culture was making him nuts; he wanted to be in a less structured, more freewheeling environment, with high risks and rewards. To strike out on his own. But when he finally cut the cord at Paradyne and began a global marketing firm with some friends, his girlfriend uttered the words every confirmed bachelor dreaded: it’s now or never. She felt that if they didn’t marry, this new venture would take him away. Ever the deal maker, Bidzos chafed at being handed an ultimatum. It would be submitting to her terms. He would never get married under pressure, even to a woman he loved. So it was over.
His girlfriend had been right about the lifestyle: his new job selling high-tech equipment to international customers and his own services to clients was all-consuming. Almost every month he’d go to Europe or the Far East—some months he’d hit both continents, a global ricochet—staying in the best hotels, dining in the best restaurants, choosing the priciest wines, and doing the deal, always doing the deal. Then he hit a wall. Was this to be his life—on the road all the time, looking for the next client? He began to ponder his lost love affair. He quit the company and began working on freelance marketing projects. If he needed a few bucks, something would come up. He was bored with Florida by this time and wanted to move to California. A firm for whom he’d sold IBM-compatible computer terminals offered him a job that would take him west, but he wasn’t interested. The president of the small company came back with a counteroffer. “I know you want to come here,” he said, “and I know you like my receptionist, so if you come and work for me two days a week, I’ll pay for the move—just give me six months.”
The guy had pegged Bidzos right—he did like the receptionist—so he was in California by August 1985. Then he got in touch with his friend Bart O’Brien at RSA Data Security.
O’Brien had mentioned RSA to Bidzos back in May, had even FedExed him a business plan. But Bidzos, who’d been about to leave on a five-week trip to Europe, couldn’t make any sense of it. He’d forgotten about it in the excitement of his travels. When he returned to his Florida apartment there were a few more envelopes waiting for him, all of which contained new and different RSA business plans, which apparently reversed course quicker than a backgammon game. Obviously, this strange new company was a work in progress.
But O’Brien kept pushing. He invited Bidzos to stop in San Francisco on his way back from a trip to the Far East. Bidzos had barely arrived when O’Brien immediately embarked on a business trip of his own, leaving Bidzos with the keys to his apartment and car and a mandate to stay for a week and have some fun. Naturally, Bidzos took to Baghdad by the Bay, and began to make frequent return visits. O’Brien used these opportunities to ask for advice on RSA’s revolving business plans, and to solicit ideas on raising money. “You should come here to work,” O’Brien kept saying.
Bidzos wasn’t quite ready for that, but he began to spend more time doing freelance projects for RSA, writing up a marketing plan and studying the possibilities of selling the entire system to IBM. The more he learned about the company’s mysterious product, the more intrigued he got. Despite being a motorcycle-racing, woman-chasing, wine-quaffing, high-risk gambler, Bidzos also had an intellectual streak, and he got a huge kick out of hanging out with the engineers, and particularly the cryptographers.
One amazing night in late 1985, he met the most brilliant guy of all: Whit Diffie. Bidzos joined a group of RSA people treating Diffie to dinner at a Mexican restaurant at the Stanford Mall. The company had long been urging the public key inventor to become its chief scientist (at one point Diffie had even accepted, but wound up holding off until the company got more funding). The group included O’Brien, Ralph Bennett, and Al Alcorn, who’d been a key figure in the early days of Atari and Apple; RSA had been wooing him to join the company as well. Bidzos was dazzled at the conversational interplay between the brainy Alcorn and the enigmatic Diffie. After some cursory discussion about RSA’s future, the two minds just sort of hooked up and Bidzos grooved on the conversation like an uptown hipster wanna-be who’d sneaked into a secret jam session between Miles and Trane.
As the group broke up, Bidzos asked Diffie if he might be available for lunch sometime to talk more. “I’m always available for lunch,” said Diffie. Over the next few months—years, really—Bidzos would take Diffie out for meals in Palo Alto and Berkeley for what was essentially a roaming tutorial in cryptography, public key, privacy, and politics. He eventually became quite knowledgeable on crypto’s fine points. On the other hand, Ralph Bennett—at least as far as Bidzos could tell—didn’t seem to be as charmed by Diffie. And vice versa. Bidzos recalls one lunch with the three of them at which Diffie began eyeing Bennett’s ham-and-cheese croissant sandwich. The stare was so intense that Bidzos was sure that Diffie was about to lunge at the food. Bennett must have noticed, too, because he offered Diffie a piece. Diffie declined, but kept staring at it. Suddenly, the long-haired, bearded cryptographer pulled out a large knife he’d been carrying, pulled the plate toward him, and whacked off half the sandwich. Then he calmly ate it. God knows what Bennett thought about that. But it obviously wasn’t a bonding moment.
Bidzos soon realized that this little company trying to sell a crazy product to scramble computer data was in huge trouble. They had yet to ship a product or even license an algorithm. Operating expenses were murderous. The rent alone was a huge burden. O’Brien, ever the optimist, had rented the company a huge space in Redwood City near the Bay, just across from Oracle. It was the size of a soccer field, even though layoffs had left fewer than five employees.
There was another potential land mine waiting to explode. It involved a loan from an investment banking operation run by two guys in New York. One was an Italian named Vinnie, who spoke with a profusion of disses and dats. His associate was a more soft-spoken Jewish fellow named Steve. They liked to hold meetings at Kaplan’s Deli in New York City. Though everything was on the up-and-up with these two, they still seemed like escapees from an Elmore Leonard novel.
Drawing upon a list of about fifty investors (including, Bidzos says, dozens of New York doctors, dentists, and the comedian David Brenner), they had loaned RSA half a million dollars in December 1985. But RSA Data Security went through the money like a sugar-toothed eight-year-old gobbling Halloween candy. The $500,000 had barely been counted before it was almost gone, drained by accrued salaries, debt, and a bridge loan to cover operating expenses. The company was going bust.
If that wasn’t enough to worry about, Bidzos then learned that Ralph Bennett, a Scientologist, had indicated that he might transfer his own considerable shares in the company to that organization. This would have made the Church of Scientology one of the biggest shareholders in the company—and the keeper of modern cryptography.
Oddly, one thing that was not considered a problem at the time was the possibility that RSA, by launching a new and powerful form of cryptography into the growing ether of computer communications, might alienate the National Security Agency, or provoke a response from law enforcement agencies that felt threatened by the advent of cryptography. “Bart and Ralph understood the NSA had an interest in this sort of thing,” says Bidzos. “But they saw the agency as a potential customer.” As far as the visible lack of interest from the NSA itself—no queries or threats had emerged from behind the Triple Fence—Bidzos came to believe (correctly, as it turned out) that the spooks had figured that the smartest course of action would be to leave RSA alone . . . because the company almost certainly was falling apart on its own.
“Bart was just lost and didn’t know what was happening,” says Bidzos. “He’s an optimist and a very enthusiastic fellow, and he was going to do a $10 million deal with every computer company in the world. But there were no prospects of making money anywhere.” Even so, drawn by the big-idea-ness of it all, Bidzos found himself more and more interested. In mid-January 1986, he agreed to accompany O’Brien to Boston to brainstorm with Rivest about the company’s problems. They flew on People Express, a discount airline with all the frills of a Greyhound Bus route on the Texas plains. The night before the meeting he and O’Brien went over the numbers, which looked bleaker than ever. It appeared that the flag bearer for public key cryptography might die without ever even raising the damn flag. Some revolution.
In Rivest’s office the next day, Bidzos laid out the whole mess, scrawling the specifics on his blackboard. At first Rivest’s attitude was . . . professorial. After hearing the bad news, he sighed and said, “Oh, gee, I’d really hoped it would do well.” Bidzos tried to tell him that he simply wasn’t getting it. RSA’s failure wasn’t analogous to not winning some academic honor. There were consequences. When you take money from people, there’s a different kind of accountability. They all could be sued. Finally, as Rivest began to get the picture, he began to flip out.
Then they got Adleman on the phone in Southern California. After hearing how dire the circumstances were, the mathematician once again realized why it was so much more pleasant dealing with theoretical problems in number space. So he decided to make his involvement theoretical. “I resign from the board of directors,” he said, and hung up.
Years later, Adleman was philosophical about his role. “A large part of why the company wasn’t working was me,” he said. “In the beginning, RSA was a nonentity; it existed on paper but didn’t really exist. Somebody had to pick up the ball, and there was good news and bad news in my picking it up. If I hadn’t, the technology would have been picked up by someone else, and the patents would have gone to someone else. But while I gave birth to RSA to a certain extent, I didn’t do a good enough job to get a baby out that didn’t have some serious defects.”
After O’Brien and Bidzos returned to California, they hired a management consultant who worked with them to try to find a way through the mess. As the meetings progressed, the consultant commented that Bidzos’s ideas seemed both inventive and practical. A crazy idea crossed Bidzos’s mind: maybe he should be running things.
Even now, Bidzos cannot come up with a coherent sense of the reasoning that led him to join the endangered company full time as the instrument of its salvation. Indeed, in the months to come, trying to unravel the ongoing crisis late at night before the computer screen, he would often ask himself: Am I really here? I could be in a first-class cabin, flying to Paris to drink bordeaux at the Tour d’Argent with sweet Dominique! Yes, there was the opportunity to finally run a business. Yes, there was the excitement of a new technology. And yes, there was the lure of San Francisco with its women, its restaurants, its hot-tub parties in Tiburon. But it still really didn’t make sense. Though he went through the motions of figuring out how he might personally avoid the consequences if everything wound up in a horrid thicket of lawsuits and recriminations, deep down, he understood that he was involving himself in a potential train wreck.
For a while, he maintained to himself that his role was only temporary—he would help the company secure some funding, hire a new leader, and eventually collect some stock for his labors. Then he’d be on his way. But by the end of March, everybody else on the payroll had left or been cleared out. (Bennett technically didn’t leave until mid-August, after some tough negotiations that led to a buyout and, incidentally, the end of a possible relationship between RSA and the Church of Scientology.) It was Good Friday, but Bidzos called it Black Friday. He went out to dinner that night with Rivest and Bennett, and officially took the title of vice president of sales and marketing. Later on, he realized that since he was the only official there, he might as well call himself the president.
His chief concern was the financial crisis. Some bills simply could not be paid. And, of course, no money was coming in. He called debtors and negotiated. “You call a law firm and tell them the company’s winding down—we owe you $175,000 and we’ve got $10,000 to give you,” says Bidzos. And they’d settle for the cash! Meanwhile, he set off to keep Vinnie and Steve happy. Fortunately, he had a good relationship with them. One day at Kaplan’s Deli, Bidzos was signing the credit-card bill for the meal, and he mistakenly underpaid, writing a three instead of an eight. The waitress went ballistic, calling him a cheater. Bidzos was mortified. But Vinnie and Steve beamed. “We like that,” they joked.
Affection aside, Vinnie and Steve had to think of their investors, and a lawsuit against RSA was still a possibility. They decided to get the opinion of a respected outsider, a guy whom they called “the Wizard of Wall Street.” He was a no-nonsense cigar smoker who cut to the chase when Bidzos was brought to meet him. “What’s the story?” he asked. Bidzos drew on his own cigar and launched into a spiel about the brilliant young MIT geniuses who figured out a way to secure computer data and enable commerce in the next century. The wizard was impressed, and Vinnie and Steve decided to keep the faith.
The process that would truly save RSA, however, would be convincing large companies that they needed crypto, and then selling them the technology. While the encryption software program Mailsafe was getting closer to a finished version (it would finally ship in July), the current business plan assumed that it would not be software sales but licensing fees that brought in the bulk of RSA’s revenues. Before leaving the company, Bart O’Brien had compiled a list of about thirty potential large customers, and Bidzos went through it. Discussions with AT&T, which O’Brien had figured for a $10 million contract, had stalled. Bidzos kept taking meetings, seeing executives at IBM, DEC, and Xerox. But that first major contract seemed frustratingly elusive, a siren just out of reach. If RSA didn’t rope in a big score, all of Bidzos’s efforts would be wasted. The debts would be due, and the lawsuits would follow. Then the MIT patent, the crown jewel of the company, would be auctioned off for peanuts. He needed money now. But who would buy first? Would anyone bite?
One potential savior stood out—a small software company called Iris Associates that was funded by the spreadsheet giant Lotus Development Corp. Iris’s product, called Notes, was the first example of a new software category called groupware, a program meant to be used by dozens or even thousands of people over a network. Notes was an ideal candidate for a built-in encryption system since it assumed that users would electronically exchange virtually all their messages, even ones involving the most confidential corporate secrets. Without a means of securing that information against eavesdroppers, Lotus’s potential customers—major corporations whose data were worth zillions—would be unlikely to purchase Notes.
No one understood this better than the inventor of Notes. Ray Ozzie was one of those double-threat computer geniuses who not only could code their way out of a trunk loaded with rocks dropped into the middle of the ocean, but were equally visionary in the analog world, with an instinctive sense of the marketplace. He began his career at Data General, the minicomputer company, but when he saw the IBM PC microcomputer he realized that the future lay in these personal devices. So he moved to what was then one of the biggest PC software companies, Software Arts, creator of the original spreadsheet, VisiCalc. But in his head Ozzie was thinking about what could happen when all these personal computers got networked together. He felt that IBM itself would eventually get into the business of writing software for that world, but in the meantime there was a total vacuum—one that he hoped to fill with a program of his own design. That was Notes, and he founded Iris Associates to produce the program. But he spent much of 1982 unsuccessfully seeking start-up funding.
In early 1983, he set out to pitch his vision to Mitch Kapor, the founder of Lotus, which had recently released a spreadsheet called 1-2-3 that immediately supplanted VisiCalc as the industry gold standard. Kapor’s main concern was finding a master software wizard to write Symphony, a multifunction program for Lotus, one that melded a spreadsheet, word processor, and database. So they made an agreement: if Ozzie would create Symphony for him, Kapor would fund Iris Associates to create Notes, and Lotus would distribute it. On the day Symphony shipped, in 1984, Kapor said, “Okay, Ray, do your thing.”
Ozzie knew early on that security would be a key feature in Notes, and he looked forward to developing a technology to frustrate snoops and crooks. As a kid, he’d loved the TV show The Man from U.N.C.L.E. and played secret agent with his friends. That took a back seat to electronics and, eventually, computer science, but he’d gotten excited when he read Martin Gardner’s article about RSA in 1977. So he suspected that his product might benefit from a public key cryptosystem. Coincidentally, in early 1984, not long before he finished Symphony, he came across an article in Dr. Dobb’s Journal (a sort of programming guide for granola-chomping hackers) with a FORTRAN source code for encrypting with RSA. “It was so cool,” he recalls.
In 1984, though, the appearance of an early implementation of RSA in a computer hobbyist magazine was a symbol of public key’s status: although the advance had made a lot of noise in the academic community, no one had seriously considered using it in a software product. But Notes needed something like it. In a memo Ozzie wrote about security issues, he identified the problem that his groupware product faced, both in protecting privacy and establishing authenticity:
Mitch Kapor wants to send mail to Jim Manzi [Lotus’s second-in-command] about some (perhaps sensitive) subject. Mitch sends it to Jim. First, although this mail SAYS that it is from Mitch, has some hacker on the network “faked” the message and put it into Jim’s mailbox? How can he be sure that this mail is really from Mitch? Second, he realized that this message passed through several intermediate machines; did anyone “take a peek” at the message as it was on its way to Jim?
Ozzie continued to describe the way a traditional computer security system would deal with the problem, that is, via a central authority that delivered passwords off-line, and became, essentially, a mandatory hub through which all traffic passed. This model was not only vulnerable in exactly the way that had made Whit Diffie so dissatisfied in the late 1960s—if the central authority screwed up, turned crooked, or turned you in, the whole system failed—but its very spirit was locked into an age that was destined for the junk heap. That system was synced with the mainframe model of computing, where some huge hulking circuit-laden beast did all the crunching, flipping computations to dozens or hundreds of users like some giant robotic blackjack dealer. Ozzie saw Notes not only as a pioneering product but also as a seminal example of the networked future, where the masses would have their own computers and not have to check in with some massive digital Big Brother. Like the phone system, communications would be one-to-one, people communicating directly with their peers (as opposed to some now-antiquated models where communications were funneled through a central authority). “We believe that this is a bad approach,” wrote Ozzie of the central-authority model. “It changes the distributed nature of the network back into the old ‘centralized data’ approach of mainframes. . . . It also resurrects the problems with the ‘traditional solution,’ that is, trust in people and/or mechanisms that are not completely understood.”
The way to deliver security in the far-preferable decentralized manner was, of course, via public key. Diffie and Hellman’s landmark paper seemed almost to have Notes in mind when it outlined how Ozzie’s problems could be addressed. Through use of a “global phone book,” everybody in the organization would have access to everybody else’s public key. Public key provided a way that Notes users could not only send messages in complete privacy but could also make sure that the message wasn’t forged:
Consider the aforementioned scenario where Mitch sends a message to Jim. . . . Mitch writes a memo. In Notes, it invokes a menu item called “Sign Message.” Notes uses Mitch’s private key and the message itself to attach to the original message a “Signature,” a code that uniquely identifies both Mitch and the actual contents of the message. Once the message is signed, Mitch invokes the “Send Message” menu item. The message then leaves Mitch’s PC, goes across the network, and ends up in Jim’s PC. Jim, receiving the message, reads it and wonders if Mitch really sent him this message. He invokes a menu item called “Verify Message” (this, of course, could have been done automatically). Notes now looks at the directory of users to find Mitch’s Public Key. Once found, Notes uses the message’s attached “Signature” and Mitch’s Public Key to do the verification. When Notes says “OK,” it is indicating that the message was indeed sent by Mitch and the message is in its original form and has not been modified between Mitch and Jim.
Ozzie concluded that the only viable implementation of public key crypto was RSA. He needed a heavy-duty system. While the Dr. Dobb’s program was a fun hack, it was many magnitudes too slow to be used in a commercial program, let alone to be used to encrypt large messages. When Ozzie and his team got serious about encryption, they decided to go with a more sophisticated use of RSA: a hybrid system, using the public key method as a way for users securely to create symmetrical keys, which would be used to encrypt messages in a conventional cryptosystem. They figured the proper combo was RSA as a key-exchange algorithm and DES to actually scramble the message content.
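An added sketch, not code from the book, from Iris, or from RSA Data Security: it walks through the "Sign Message" / "Verify Message" flow in Ozzie's memo together with the hybrid arrangement described above, in which RSA carries a per-message key and a conventional cipher scrambles the content. It assumes textbook RSA with no padding, constructed toy keys built from published Mersenne primes, and a SHA-256 XOR keystream standing in for DES. All function and variable names are hypothetical.

```python
import hashlib
import secrets

E = 65537  # widely used RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes (constructed toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}

# Constructed keys built from well-known Mersenne primes; real keys use
# secret random primes and padding schemes, both omitted in this sketch.
MITCH_PUB, MITCH_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
JIM_PUB, JIM_PRIV = make_keypair(2**61 - 1, 2**127 - 1)

# The memo's "directory of users": names mapped to public keys only.
DIRECTORY = {"mitch": MITCH_PUB, "jim": JIM_PUB}

def digest_int(message, n):
    """Hash the message and reduce it into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, priv):
    """'Sign Message': private-key operation on the message digest."""
    return pow(digest_int(message, priv["n"]), priv["d"], priv["n"])

def verify(message, signature, pub):
    """'Verify Message': the public-key operation must reproduce the digest."""
    return pow(signature, pub["e"], pub["n"]) == digest_int(message, pub["n"])

def stream_xor(key, data):
    """Stand-in for DES (an assumption): XOR with a SHA-256 counter keystream.
    Applying it twice with the same key restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def send(message, sender_priv, recipient):
    """Sign, encrypt under a fresh session key, wrap that key with RSA."""
    pub = DIRECTORY[recipient]
    session_key = secrets.token_bytes(8)  # 8 bytes, the size of a DES key
    return {
        "wrapped_key": pow(int.from_bytes(session_key, "big"), pub["e"], pub["n"]),
        "ciphertext": stream_xor(session_key, message),
        "signature": sign(message, sender_priv),
    }

def receive(envelope, recipient_priv, claimed_sender):
    """Unwrap the session key, decrypt, then check the claimed sender."""
    key_int = pow(envelope["wrapped_key"], recipient_priv["d"], recipient_priv["n"])
    message = stream_xor(key_int.to_bytes(8, "big"), envelope["ciphertext"])
    ok = verify(message, envelope["signature"], DIRECTORY[claimed_sender])
    return message, ok

if __name__ == "__main__":
    memo = b"Jim, see the attached figures. Mitch"  # constructed sample memo
    envelope = send(memo, MITCH_PRIV, "jim")
    print(receive(envelope, JIM_PRIV, "mitch"))
```

Only the 8-byte session key goes through the slow public-key arithmetic. The memo itself, however long, is handled by the fast symmetric step, which is the reason for the hybrid design.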
Around that time, Mitch Kapor got an unsolicited letter from Ron Rivest. I don’t know if you have any need for this, the letter went, but there’s this useful algorithm called RSA, and we have the exclusive rights. . . .
“Do you know what this is?” Kapor asked Ozzie.
“Oh, shit,” said Ozzie. “RSA is subject to licensing?”
A meeting was arranged. On April 29, 1985, Bart O’Brien and Ron Rivest came to Iris. It was by far the most promising sales call in RSA company history. When O’Brien launched into his standard song and dance about the wonders of their system, Ozzie cut him off—the Iris people were already sold on the virtues of RSA. Discussion immediately switched to how the companies might work together. Ozzie was particularly excited at the prospect of having Rivest himself available for consultation: “Who can better verify an algorithm than its inventor?” he wrote in a memo.
The main sticking point turned out to be money. When it came time to give actual figures, O’Brien, offering what he called “a first-guess estimate,” asked for the moon: $100 a unit for the first 15,000 customers (or “seats”) with a sliding downward scale that stopped at $50 a seat after the 100,000th user. Ozzie told them those estimates were “tremendously out of line with reality.” After all, the wholesale price of the entire software package was to be only a couple of hundred dollars. Ozzie promised, though, that he’d discuss pricing with Lotus, which would ultimately be paying the licensing fees. But he knew that there was no way Lotus would ever pay that kind of money.
Sometime during the discussion Bart O’Brien mentioned that Ozzie might want to check out whether including encryption in its product might affect overseas sales. Ozzie admitted that he’d never given any thought to the issue. Rivest and O’Brien suggested that he make contact with the National Security Agency on this, but first Iris or Lotus—whichever was going to export the product—should figure out a government strategy. “These are not people you want to deal with casually,” they told Ozzie. “You want to understand the endgame.” When the meeting was over, Ozzie quickly realized that no matter what system Notes used, this might be an issue, and in his memo he requested that Lotus’s lawyers look into how the export regulations might affect the product.
The meeting ended amicably, but the sticking point remained: RSA’s outrageous asking price. On the other hand, the public key algorithms were perfect for Notes. “We knew technologically what we wanted—we’d already prototyped it,” says Ozzie. “I wasn’t going to put all my cards on the table at the first negotiation, but they could tell we were clearly excited.” But for a while it remained a stalemate. RSA regarded Lotus as one of many potential big scores, and Ozzie began what he saw as a sales job to Lotus, trying to get them to shell out for a reasonable license fee.
By the time Jim Bidzos joined the talks, almost a year had passed since the initial contact between RSA and Ozzie, with little progress made. In fact, after making some tentative inquiries with the government, the Notes people had reason to second-guess the whole idea of licensing crypto: they’d been given hints that the National Security Agency would be less than pleased at the prospect of a major software product with technology to scramble information that the supercomputers behind the Triple Fence could not easily read. But as soon as RSA’s new leader came in—this fast-talking thirty-one-year-old Greek who was obviously not a hacker, not from the Silicon Valley culture at all—the Iris guys knew that negotiations had reached a new phase.
Bidzos jacked up the urgency quotient instantly. He clearly wanted to cut a deal and wasn’t afraid to take the conversation in an adversarial direction. He emphatically reminded Lotus that RSA had the technology Notes needed, technology unattainable elsewhere. Without crypto, big corporations that wanted their communications protected would never use Notes. As far as he was concerned, Jim Bidzos had Ray Ozzie by the balls, and made sure he knew it. This aggressiveness unnerved Ozzie and his colleagues. Bidzos’s come-on was so intense that for weeks the speculation at Iris and Lotus was whether this pushy Greek was actually some sort of intelligence agent who’d been planted at RSA to control crypto. Still, Bidzos’s appearance broke the stalemate. He could switch from an iron glove to a velvet one. He reassured the Iris people that RSA—meaning Ron Rivest and some moonlighting MIT colleagues—could actually help to build the RSA algorithm into the product. And his financial demands were nowhere near the fantasy figures that Bart O’Brien had demanded earlier. In fact, one of his chief criticisms of his predecessors was their ridiculous financial demands.
Meanwhile, Ozzie had convinced Lotus CEO Mitch Kapor that public key technology was essential to Notes and it was time to come in with a solid offer. Lotus dangled before the troubled crypto company something it needed desperately: a cash advance against royalties. The figure was $200,000, but Lotus wouldn’t pay all of that until the development work was done. Upon signing, however, Bidzos would get a check for $50,000. At that point, $50,000 represented the difference between life and death for RSA Data Security.
The contracts were drawn that summer, to be executed in October, when Bidzos would go to Lotus’s new headquarters on the Charles River in Cambridge, and he and Mitch Kapor would both sign the contract. But when the RSA contingent arrived that day they sensed a profound disarray at Lotus. Sitting in the waiting room, Bidzos reached for a copy of the Wall Street Journal. On the front page was one of its trademark ink-pen portraits—of Mitch Kapor. It accompanied a story that said that Kapor was resigning from Lotus to pursue those ever-compelling personal goals. Essentially, the former transcendental meditation teacher had grown intolerant of the business world’s soul-battering minutiae, and he was following his muse out the door.
Before Bidzos had a chance to assess the impact of this on the still-unsigned contract, a receptionist summoned him upstairs. Kapor was there, his muse apparently still loitering in the building. “I don’t work here anymore,” he said. “But Ed Belove will take care of you.” Belove, a vice-president who had worked on the deal, had the authority to sign the contract, and he did.
With that money, RSA was able not only to keep its doors open, but also to start distributing Mailsafe. Who was the audience for such a personal computer–based cryptography product? The RSA people really didn’t have an idea. The mainstream of the American public didn’t consider encrypting e-mail a pressing concern. On the other hand, there was a vast number of career paranoids who found the product immediately attractive.
One particular caller seemed to embody this arcane demographic. Around the time Mailsafe shipped, calls started coming in to RSA that began with heavy breathing. Then an anxious voice would burst out, How big are the keys that come with Mailsafe? And they’d tell him, “One hundred forty digits.” Then, puff puff, he’d ask, How hard is that to break? and they’d say it would take a supercomputer a trillion years to find the key. Can I set bigger keys? he’d ask, pant pant, and they’d tell him yes and then hear heavy, almost frenzied wheezing on the line. Can the government break that? Uh-uh. Can the NSA break that? The next day, he’d call back, asking essentially the same questions. He became known at RSA as the Obscene Crypto Caller. “He obviously thought we were some huge company that wouldn’t know it was the same guy calling,” says Bidzos. “In fact, we’d all huddle around and listen to him when he called.”
Would RSA sell its product to the Obscene Crypto Caller? Yes, it would. Just as the NSA had feared, here was a company that would sell to anybody. And as long as RSA didn’t send it across the borders of the United States, the company was perfectly within its rights to do so. It wouldn’t ask why people wanted to use it: that was nobody’s business but the buyer’s. It would even ship to post office boxes.
Sometimes Bidzos himself would talk to customers when they called. One fellow in Pittsburgh quizzed him at length on the strength of the product, particularly on whether the government was able to break it. Bidzos asked him why he wanted Mailsafe. It turned out the guy sold surveillance countermeasures, like equipment that swept rooms for electronic monitoring bugs. Bidzos immediately realized that he had something in common with the man: both of them dealt in tools that were regulated by a government with a high stake in restricting the most powerful technology in the field. The conversation would also get Bidzos wondering whether he was being bugged.
But Mailsafe was a sideshow; Bidzos realized that RSA’s revenue stream would mainly be the big companies that licensed the RSA toolkit and built encryption directly into their own products. After the hurdle of the first big deal with Lotus was cleared, a number of large customers—including some of the most influential in the land—fell into line over the next few months. First came Motorola, which wanted public key technology for secure telephones. Then came Digital Equipment Corporation and Novell, both companies that required a means to secure computer networks.
All of these deals were closed by RSA’s supersalesman Jim Bidzos. When negotiating with potential licensees, he had the ultimate weapon: the patents for the technology. Before naming a price, he would speak at length about the nature of encryption and authentication, drawing deeply on his informal tutorials from Diffie, Rivest, Adleman, and Shamir. By then, Diffie had decided not to work for RSA formally—“I’ve never had a start-up personality; I’ve never been able to work on anything but what I was interested in at the moment,” he later explained. The company instead needed people like Rivest, who could focus his attention and write thousands of lines of product code in a few weeks.
Bidzos had himself become quite an explicator of the crypto revolution. He understood completely how what would later be called the Network Effect was absolutely crucial when it came to public key cryptography: its value increased exponentially by the degree to which it spread throughout the population. For that reason, he almost always insisted that RSA be built into the basic product, so buyers would get crypto without specifically having to ask for it.
Only when Bidzos finished his rap would he get into the terms of the deal. The kind of arrangements he liked the best were those that involved getting encryption into the hands of thousands, maybe even hundreds of thousands, of users. With a customer base that size, RSA would demand only a few dollars per seat. A dream began to form: a world where everybody could, and did, communicate with the privacy that encryption provided; a world where people could not only swap mail but sign contracts and pay bills with all the safeguards available in the physical world. And RSA would get a piece of all that. It was the ultimate salesman’s dream. But it was also the NSA’s nightmare.
For a crucial period in the mid-1980s, however, Bidzos heard little from the government. He says that there were occasional rumors that some officials were quietly urging some sort of action against RSA, action that might have been devastating to the fragile young company. “Buy them, threaten them, do something—just stop them,” he’d heard they were saying. “There are a million ways to do it.” But nobody did. So, his theory went, the government simply sat back and waited for RSA to self-destruct.
The government skeptics underestimated Jim Bidzos. By the end of the summer of 1986, he had transformed the company and won the trust, if not the total enthusiasm, of all three of the firm’s namesakes. Ron Rivest had become a good friend, and was the most committed of the trio. Bidzos saw Len Adleman in Berkeley, who was amiable but somewhat reserved—though still a shareholder, he’d apparently had enough of the business life. Then in August Bidzos met Adi Shamir, who had moved back to Israel but was in the Bay Area before heading to Santa Barbara for the annual Crypto conclave. Bidzos spent the day with him. He found Shamir very bright and very intense, and the businessman took pains to solicit ideas from the cryptographer—who was, after all, also a shareholder—on RSA’s various opportunities for success.
Relations were not as good, though, with Marty Hellman. In the 1980s, Diffie’s coinventor of public key had tried to go into business himself selling crypto solutions under the name Hellman Associates. But the venture never took off, perhaps because much of his energy in the eighties was devoted to intense involvement in an antinuclear group called Beyond War. “The importance of cryptography couldn’t compare to the importance of the danger to human survival, and so I worked on the issue of making sure the human race survived,” he later explained. Still, now he seemed upset, even hurt, that this company based in part on his ideas was finally beginning to make it, particularly since he disagreed with parts of RSA Data Security’s approach to public key. Bidzos says he tried to bring Hellman in, and arranged a sort of reconciliation with all the other public key creators in a dorm room at Crypto ’86 that August. Hellman, Bidzos recalls, was emotional as he voiced his complaints. But nothing came of the meeting, and for years there was a chill between Hellman and the others. Bidzos says he later offered Hellman stock in the company, begged him to take it—he’d already given shares to Diffie. But Hellman refused, claiming that he wasn’t a stock guy. (He did accept a stipend to become a “distinguished associate.”)
Had he taken the stock, he would have eventually cleared well over a million dollars, as Diffie did. This was in contrast to the pitifully low sum paid to them by Stanford, which held the actual patents for their breakthroughs—Diffie’s own share came to only about $10,000.
In any case, RSA Data Security, Inc., was beginning to take off. But now it was triggering the NSA’s radar. And the first to notice were RSA’s customers.