Slashdot Mirror
Reuters: RSA Weakened Encryption For $10M From NSA
Lasrick writes "As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned." Asks an anonymous reader: "If the NIST curves really are broken (as has been suggested for years), then most SSL connections might be too, amirite?"
The NSA sold its own customers out to the US government for the price of an NYC apartment.
Considering that this kind of revelations could cause massive exodus of all RSA's non-US (and many US) customers, that's a surprisingly low number.
"... We are now merely haggling over the price."
Oh, no, wait, it's $10M.
(apologies to George Bernard Shaw)
P.S. - AC, yes, if you used an RSA CA appliance with the default Dual EC DRBG PRNG configuration, your private key is probably easy to break and your traffic easy to intercept/decrypt if you're not using perfect forward secrecy (assuming that's not on an RSA appliance).
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I mean, what the FUCK? The land of freedom and liberty. That's what I was always taught. We have a Constitution, which includes protections against unreasonable search. And now my FUCKING GOVERNMENT is doing pretty much anything you can conceive of in the name of spying on everybody including the people of the United States. They are so FUCKING PARANOID that EVERYTHING is on the table, including the privacy and liberty of the citizens. I lower my head in FUCKING SHAME as to what has become of this country.
Wow. With one single contract, RSA just destroyed their whole business. A company in the trust business cannot allow themselves to lose their customers' trust.
No RSA product can ever be trusted again.
"amirite?"
This wouldn't have been posted 10, or even 5, years ago. I don't want to see it. Please don't lower your standards.
I'm assuming for the moment that this evidence is, in fact, legitimate. Given how heinous the NSA's actions have been lately, it seems completely in character, which makes that likely a safe assumption. However, just to give them the benefit of the doubt, everyone involved should receive a fair trial. With that said, everyone involved should be tried for high crimes against the United States and its allies. These are accusations of very serious crimes.
Deliberately compromising the secure communications of hundreds of millions of computers all around the world just so a bunch of pencil-dicked asshats can play their little spy games goes so far beyond unconscionability that it borders on a crime against humanity. Such ends-justify-means thinking is fundamentally incompatible with any form of liberty or justice. Our data is fundamentally easier to crack not just by our own government, but also by organized crime syndicates, foreign governments, and even terrorist groups. In all likelihood, even military communications gear is less secure, which means our troops are at elevated risk during a time of war as a direct result of their actions. That's treason, even by the absolute strictest definition thereof. Further, such deliberate weakening of crypto endangers the lives of dissidents in countries with oppressive regimes, many of which are considered our enemies—an act that could also be considered treason.
Their actions, if true, clearly constitute providing material support to terrorists and treason by means of providing material aid to our enemies in a time of war. Therefore, according to U.S. law, everyone involved should be immediately treated as enemy combatants, deported to an appropriate holding facility outside our borders—preferably the one affectionately known as "Gitmo"—and tried before a military tribunal.
In addition to prosecution of individuals, there should be consequences for the groups involved. RSA should be immediately dissolved and all its assets destroyed. Further, at this point, it should be abundantly clear to anyone with even the slightest understanding of crypto that nothing short of the complete and total elimination of the NSA and a constitutional amendment clearly and plainly banning any similar organization from ever existing in the future can even begin to restore trust in cryptography and computers. That organization is fundamentally malevolent, and its very existence is inherently incompatible with the very concepts of security and privacy. No matter what successes they may have had, nothing can possibly even come close to justifying such a heinous breach of the public's trust.
Check out my sci-fi/humor trilogy at PatriotsBooks.
The article submitter (or maybe the Slashdot "editors" and I use the term loosely) probably just wanted to link whore by playing a game of Madlibs and associating anything related to cryptography and the big-bad NSA. The elliptic curve thing.. that people already assumed was flawed in 2006 years before Snowden became cool and that nobody used*... is *not* how the NSA would operate if it wanted to be *effective* at spying on everyone.
Remember kids: Snowden said that the NSA hates it when you use cryptography. If the NSA could just click a button and decrypt everyone's traffic, then they wouldn't have gone to the major expense and risk to bypass the encryption that Google/Yahoo/etc. were using, now would they?
* No really, nobody used it. Try to do anything with that RNG in OpenSSL and guess what... your program segfaults because in 7 years nobody even did rudimentary unit tests of the code, much less tried to do anything with it.
"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption."
Right, the NSA, known to be codebreakers, paid them $10M to include their "special" algorithm, and no one had any idea that it could be compromised. Right. Why else would they pay them to use it?
No, it also takes a seller of such weapons. And there aren't any, or we'd have been sweeping up the remains of some city, political center, or major chunk of infrastructure by now. The whole "terrorists and nuclear weapons" is a total mind job done on you and yours by your government. One thing to to keep in mind: Nukes are very difficult and expensive to manufacture, and pretty damned difficult to lose track of.
Civilization isn't likely to die due to nuclear weapons. We've set off well over a thousand of them already, and there's no particular notable effects other than the low hum of hysteria at the intersection of the set of the ill-informed and the paranoid.
Also, Chemical weapons are a lot less "mass" than nukes are, barring very sophisticated delivery systems, which again, aren't available to religious tools. Bacterial weapons are vaguely possible (although still very, very technical), but incorporate the downside of most likely eventually killing everyone everywhere instead of just the target(s), and so not even your average superstition-addled dingbat seriously considers them.
If you are a US citizen, If you want to worry about civilization, you should be worrying about the decay of our government from one authorized by the constitution into a form exclusively controlled by corporate and political groups. Because unlike the "nuclear threat", said decay is real and ongoing and has already screwed things up immensely: almost 100% loss of manufacturing capacity and so also jobs, crippling inflation, loss of citizen's rights, usurpation of article five powers by the judiciary, illegal legislation that spans almost the entire bill of rights to ex post facto laws to the complete inversion of the commerce clause, promulgation of multiple very expensive, ultimately useless wars... the problem isn't terrorists. The problem is our federal government. The whole terrorist thing is to keep the citizens looking the wrong way.
I've fallen off your lawn, and I can't get up.
Because the people behind CryptoLocker (who are probably from Russia or China or some other country that isn't exactly best buddies with the US) are likely smart enough not to trust US-made off-the-shelf cryptography.
There is probably some secret law hidden deep in a drawer in the far corner of a dark dungeon that legalises this specific contract.
If necessary, I am sure the Congress will grant retroactive immunity from lawsuits over this, just like they did with AT&T over the warrantless wiretap scandal. Justification: national security.
All the successful companies do U-turns to stay in business. Bill Gates did a U-turn on the Internet, Steve Jobs did a U-turn on the iPhone. IBM did several U-turns in its long history, they didn't even make computers when they were founded. And that's just U-turns, then there's acquisitions. When Larry Ellison buys Google in the next 10 years, do you think he'll have any qualms about selling peoples' data to anybody?
Google is Evil because they Built The Dataset. This data is so valuable and comprehensive, and the pioneering of the techniques to do it over and over again, ever more efficiently and cheaply, that people without scruples want it now, will want it in the future, and will eventually control it. That it certain, and you helped make it happen.
Following this. This headline is not exactly true. 1) RSA was paid 10M to make the NSA algo the default in their bSecure product. We have no direct evidence that RSA (now owned by EMC) KNEW the RNG (random number generator) in the NSA compromised algo had been compromised. This is 20/20 hindsight.
2) at the time, *some* people were suspiious generally of work done by NSA cryptographers for a variety of reason- the NSA had fought for the Clippe r Chip in the 90s ; the NSA was generally hsotile to strong encryption for civiliians etc. However, those opinions were countered by the majority of people who plausibly considered that the NSA had a real interest in seeing real encryption be used by US corporations etc. We now know who was right, the skeptics, but we didn't know that at the time that deal went down.
This is what's called "plausible deniability" or "cover" in intelligence circles and everywhere else now but that's the point- it IS plausible, entirely, that RSA was taking money (and not a lot to RSA) to make it the default because they believed the NSA.
Overall, at the time, the people who believed the NSA participated in encryption with the public out of a concern to see it done right were the majority.
Just keeping the story as straight as possible because what we're interested in is the truth as far as we can discern it, right?