RSA Flatly Denies That It Weakened Crypto For NSA Money
The Register reports that RSA isn't taking quietly the accusation reported by Reuters, based on documents released by Edward Snowden, that the company intentionally used weaker crypto at the request of the NSA, and accepted $10 million in exchange for doing so. RSA defends the use of the Dual Elliptic Curve Deterministic Random Bit Generator, stating categorically "that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Tell it to 60 Minutes.
the lady doth protest too much
RSA denying it? "Well, he would, wouldn't he?" - Mandy Rice-Davies
If this story turns out to be true, then RSA's name is mud. Only a complete and utter moron would buy from them after this.
Same goes for the other companies who have been selling us out. Even Google and Microsoft who are now leaking stories about them boldly protecting their backbones from the NSA have been handing over our data, and in the case of Microsoft took cold hard cash to add backdoors to Skype and God knows what else. If you trust *any* of these companies you are a complete and utter moron.
Hell I also do not trust PGP.
I trust GNUPG as long as Canonical doesn't improve it.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
They said they didn't do it. Everybody move on and never speak of it again.
Please substantiate your answers in the space below
The problem is that the NSA has been lying to everyone with doublespeak--asking permission for X warrants when the warrants really covered umpteen billion warrants, things like that. So while this press release categorically denies "that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries[,]" it could still be truthful even if any ONE of the facts in that list is false.
For example, "known" flawed random number generator--suppose the NSA knew it was flawed and RSA didn't. This denial does not contradict that.
In the context of a topic where companies and government agencies are lying regularly by using careful diction, even a "strong" "categorical" denial has to eliminate the possibility of loopholes in order for it to be believable.
But in that thought process RSA would be the first to stand up for the constitution on a list that includes all major telecoms and even other governments. Unlikely.
It's called lying, and American Law specifically allows partners of the NSA to issue any form of false statement to the public, their shareholders, their investors, or any other non-governmental entity. In other words, once any individual or corporation gets in bed with the NSA, you can never again believe a word they say.
Google lies through its teeth, Microsoft lies through its teeth. These two companies now compete with one another as to which can provide the NSA with greatest value.
RSA is evil beyond any doubt, but Google and Microsoft are infinitely worse. Remember, Bill Gates gave you Common Core, the inBloom full surveillance child database created in partnership with Rupert "Fox News" Murdoch and the Xbox One NSA spy platform this year alone. Meanwhile Google, the R+D arm of the NSA, moved forward significantly with its programs to build autonomous, self-driving, killing machines for use in future US military invasions.
They didn't do it for NSA money, that was just gravy. They did it for Mossad money and got the NSA to chip in after the fact.
Just because you're paranoid doesn't mean they aren't out to get you
They're just claiming again that they assumed the NSA were good people.
This all happened in 2006. RSA adopted DUAL_EC. RSA was sold to EMC. NIST released the standard. Microsoft researchers showed the flaws in DUAL_EC. The flaws in DUAL_EC have been known since 2006, the only thing we didn't know was that they were deliberate.
Also it's interesting to note that an anonymous organization paid for the same DUAL_EC algorithm to be added to OpenSSL. With OpenSSL at least they didn't make it the default but it's not far off from what RSA did.
http://arstechnica.com/security/2013/12/nsas-broken-dual_ec-random-number-generator-has-a-fatal-bug-in-openssl/
Well, of course they HAVE to deny this.
But who am I to believe, the RSA or their long list of security hiccups.
Oh, and Microsoft denies this too. That's good enough for me!
Our fatherly corporate overlords would never lie for a buck, or $10M...
>80 column hard wrapped e-mail is not a sign of intelligent
>life
They very well could have had a few employees that accepted $10 million to do it.
17. RSA agrees that should the existence of this contract, the general nature of the agreements made herein, or the relationship between the RSA and NSA be made public then the RSA shall, with due expediency, issue the following denial: "we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Recycle PCs and build a wireless community network www.hillsborough.org.nz
I believe them.
Just as much as I believe that Nigerian Prince's nephew's super deal for helping him get funds out of the country.
C'mon, RSA guys. I know you're pretty butt-hurt about this revelation from the Snowden release. Heck, I can even understand that you guys may well have received an "offer you can't refuse" from the NSA, et al.
You'd be much better off playing that angle, rather than attempt a laughably-preposterous and totally unbelievable denial. The denial gets you no sympathy or possible assistance out of your situation at all from the public, only hatred, vitriol, and the ends of many of your careers.
Remember that when making deals with the Empire, Darth has a nasty habit of "altering the deal". Though you "pray" he "doesn't alter it further", it never fails to eventually happen. Neville Chamberlain, 'nuff said.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
The government has a new encryption algorithm that is "amazingly strong". Only they are paying YOU to use it? And that does not throw up any red flags in a company based on SECURITY?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Microsoft handed the NSA access to encrypted messages • Secret files show scale of Silicon Valley co-operation on Prism • Outlook.com encryption unlocked even before official launch • Skype worked to enable Prism collection of video calls • Company says it is legally compelled to comply http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
"Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple" http://gizmodo.com/google-to-government-let-us-publish-national-security-512647113
And look at the chronology of this:
23 September 2013: BBC News - RSA warns over NSA link to encryption algorithm http://www.bbc.co.uk/news/technology-24173977
21 December 2013: NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened https://www.techdirt.com/articles/20131220/14143625655/nsa-gave-rsa-10-million-to-promote-crypto-it-had-purposely-weakened.shtml How apt: Techdirt said the story was from the "from the say-bye-bye-to-credibility,-rsa dept"
Fuck you RSA. Fuck you NSA.
Look at the language. It sounds like it was written by an NSA lawyer.
Define "project", please?
There is a subjunctive there that one can drive a truck through. Or, perhaps, eight digits on the bottom line.
The Guardian ran the story. If it wasn't true RSA could sue their arses off in court for the value of their now worthless business. Guardian wouldn't dare run it unless they could prove it is true. http://www.theguardian.com/world/2013/dec/20/nsa-internet-security-rsa-secret-10m-encryption
Some serious insider trading happening via these backdoors
Sure, that's what they all say.
RSA:
You see, they had no idea that EC-DRBG was compromised. They just thought the NSA had everyone's best interests at heart when they took $10M to make it the default generator.
captcha: apologia!!!
Seriously, a lolcat is more trustworthy.
As usual with these things, it's a non-denial denial. "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." Emphasis added. The first part says that they can't say whether they've taken any money from the NSA, so the story of them receiving $10 million from the NSA could still be true. The second part leaves a lot of wiggle room. The word "intention" is the weasel. The statement leaves open the possibility that they could have taken the money from the NSA in good faith, in the same way that Mozilla takes Google's money in exchange for making Google the default search engine in Firefox. They didn't know then what the NSA's true intentions were in pushing use of Dual_EC_DRBG (never mind that it's several orders of magnitude slower than any other CPRNG algorithm described in NIST SP 800-90A). They were already using it in BSAFE as early as 2004, and the algorithm became a NIST recommendation in 2006. The possibility of a backdoor in the algorithm was floated publicly in 2007, a few months after it was published. I for one don't buy that they did all this in good faith, but there's no way to prove it unless some cryptographer who was employed by RSA at the times in question blows the whistle and says they had suspicions with the algorithm and the NSA's intentions for it.
The NSA wasn't always thought of as so evil. They modified the DES s-boxes so as to strengthen it against a cryptanalytic technique (differential cryptanalysis) that was known only to them and IBM since at least 1974, and kept classified until it was independently discovered by the academic cryptographic community in the late 1980s, so there may be some reason to give RSA the benefit of the doubt.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Given the state of affairs in the United States, I would think that every country on earth should be reviewing their reliance on American tech (especially in cryptography). Do you really want your parliament having discussions over skype? Or using Microsoft Windows to conduct their Seriously Secret activity? Microsoft is implicated in compromising Skype, so there is every reason to suspect they have also compromised Windows and every other piece of software they make. Google mail? Apple phones? RSA security? The list goes on.
If I were a foreign government I would dump serious subsidies into my domestic software development industry. This extends to our allies as well. After all, if the USA is willing to spend insane resources and flaunt the law/morality by spying upon its own citizenry to a degree hardly less severe than 1984... why wouldn't they be using the very same backdoors on you?
What you thought he said, "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
What he actually said "We did it for the money"
"GET / HTTP/1.0" 200 51230 "-" "Mozilla/4.0 (compatible; Setec Astronomy)"
"that we have never ENTERED into any contract or ENGAGED in any project with the intention of weakening RSA's products, or introducing POTENTIAL 'backdoors' into our products for anyone's use." (my emphasis in bold text)
I read this as: ..but when we do, we always provide the excuse that we couldn't possibly have had any intention for doing so.
We never enter into or engage at doing anything that was clearly meant to weaken any security that we work on..
It's a very sad day when we have media which are prostituting themselves to the BIG BROTHER and companies betraying the trust of their customers for some breadcrumbs.
If all that happened in a banana republic we may say "Oh, but they are banana republics".
But no. All these are happening in the United States of America !
What hath my beloved country turned into ?
Muchas Gracias, Señor Edward Snowden !
the lady doth protest too much
Actually, I think that lady is trying very hard to circumvent the truth.
Witness:
What the Snowden paper has revealed was not about "any contract" nor "any project", rather, it's about a one-time payment of $10 million (under table or not, unfortunately the Snowden's paper didn't state clearly) - and the result is a crippled RSA product for the rest of us.
If the $10 million payment was an under table transaction, then there would be *NO* contract signed nor any *official project*.
What it entailed would be a change of a couple of lines of code, that is all to it.
Muchas Gracias, Señor Edward Snowden !
Have known this for a while. There may be more leakers than one might think.
RSA's response is utter bullshit; the right people know this. Ignore these assholes. At every level.
I don't think you could prove they were lying even if they were open source. All looking at the source code would tell you is that they implemented Dual_EC_DRBG; exactly the same as looking at the OpenSSL source code will tell you. I doubt there would be a handy comment saying "/* Implemented a known-weak method on behalf of the NSA. */" around it.
The problem with Dual_EC_DRBG, as far as I can tell, is in the choice of constants used in it; the constants are defined by the NIST standard.
Yeah, I had a sig once; I got bored of it.
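As an added illustration of the comment's point that the concern sits in the constants rather than in the code (this is not part of the thread and is not any vendor's or the standard's code): a toy Dual_EC-style generator on a small constructed curve, where whoever knows a scalar d with P = d*Q computes the generator's next state from a single output, while the same computation with any other scalar yields nothing. The curve, seed, d and all function names are assumptions made for the example, and the toy omits the standard's output truncation.

```python
# Toy model of a Dual_EC_DRBG-style generator on a tiny curve. All parameters
# are constructed for this example; none are the NIST constants.
p = 2**13 - 1                 # small Mersenne prime, p % 4 == 3
A = p - 3                     # curve: y^2 = x^3 + A*x + B over GF(p)

def curve_order(b):
    """Count points, including infinity, with Euler's criterion (tiny p only)."""
    n = 1
    for x in range(p):
        v = (x * x * x + A * x + b) % p
        n += 1 if v == 0 else 2 * (pow(v, (p - 1) // 2, p) == 1)
    return n

def is_prime(n):
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def pick_curve():
    """First B with prime group order N > p and no point at x == 0, so a state
    (an x-coordinate in 1..p-1) never multiplies a point to infinity."""
    for b in range(1, p):
        if (4 * A**3 + 27 * b * b) % p == 0:       # singular curve, skip
            continue
        if pow(b, (p - 1) // 2, p) == 1:            # (0, sqrt(b)) would exist
            continue
        n = curve_order(b)
        if n > p and is_prime(n):
            return b, n
    raise RuntimeError("no suitable toy curve found")

B, N = pick_curve()

def add(U, V):
    """Affine point addition; None is the point at infinity."""
    if U is None:
        return V
    if V is None:
        return U
    (x1, y1), (x2, y2) = U, V
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if U == V:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, U):
    R = None                                        # double-and-add
    while k:
        if k & 1:
            R = add(R, U)
        U = add(U, U)
        k >>= 1
    return R

def lift(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    v = (x * x * x + A * x + B) % p
    y = pow(v, (p + 1) // 4, p)
    return (x, y) if y * y % p == v else None

class ToyDualEC:
    """State update s <- x(s*P), output x(s*Q), using two public points."""
    def __init__(self, P, Q, seed):
        self.P, self.Q, self.s = P, Q, seed

    def next(self):
        self.s = mul(self.s, self.P)[0]
        return mul(self.s, self.Q)[0]

def recover_next_state(output, d):
    """If P = d*Q, the output x(s*Q) lifts to +/- s*Q, and d times that point
    is +/- s*P, whose x-coordinate is the generator's next internal state."""
    return mul(d, lift(output))[0]

def predict(output, d, P, Q, count):
    s, outs = recover_next_state(output, d), []
    for _ in range(count):                          # replay the generator
        outs.append(mul(s, Q)[0])
        s = mul(s, P)[0]
    return outs

def demo():
    Q = next(pt for pt in map(lift, range(1, p)) if pt)   # public point
    d = 1234                  # constructed secret of whoever chose the constants
    P = mul(d, Q)             # public point; d itself is never published
    victim = ToyDualEC(P, Q, seed=4242)
    seen = victim.next()                            # one observed output
    true_next = mul(victim.s, P)[0]                 # ground truth, for checking
    predicted = predict(seen, d, P, Q, 5)
    actual = [victim.next() for _ in range(5)]
    return {"actual": actual, "predicted": predicted,
            "true_next_state": true_next,
            "trapdoor_state": recover_next_state(seen, d),
            "wrong_state": recover_next_state(seen, d + 1)}

if __name__ == "__main__":
    print(demo())
```

The generator code is identical whether or not anyone knows d; only the way P and Q were chosen differs, which is why the provenance of the constants is the thing to audit.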
I do not trust Snowden just because he is Snowden. I do not know that guy in person. I only heard of his name after what he has disclosed what NSA had done - PRISM / GCHQ / tapping on foreign leaders, and so on.
Every single "story" about a leak that has been linked to Snowden file is just that, a "story".
After reading them, I re-traced the link back to the matter itself. If there are articles related to the matter, I give them a good read up.
The case regarding RSA for example - there have been case studies since 2006 (and earlier) that can be used as reference to what has just been reported.
That is why I say it is a very sad day when my country has turned into something worse than a banana republic.
Muchas Gracias, Señor Edward Snowden !
Are you saying that the self-driving cars by Google are being designed for the military to kill people?
posting anonymously (iamnotasmurf - check out my not so hilarious pun-filled comment history) cus everytime after I log into my account, it brings me to the screen where I can update my personal information but if I click on another part of the website im no longer logged in? this started happening a few days ago, it wasnt a problem before and ive replicated the problem on another browser (yes im computer retarded, PICNIC error whatever, shock horror, or just too lazy to figure it out, dunno. yesterday my dad had to tell me how to find an option on a drop down menu on a website that sells bus tickets)
ANYWAY...this might be a snowden doc but 10 million? One can understand that people are money hungry (whether they need it or not) but this is either
1) untrue
2) the 10 million is token sum offered to soften the blow of some (INSERT ADJECTIVE) social engineering
3) some other retarded (only 10 million?) reason
Im stuck between 2 and 3, but if i had to choose ill pick 2 cus it sounds sexier, either way its a total fuckin joke
If they really did it, and they admitted it, they'd be utterly fucked in the security world. Nobody would trust them ever again. How much more fucked could they possibly be if they were caught lying about it instead?
Well, we could pick at their wording, but assuming we take their use of the word "categorically" to mean what the word means, it's rather hard to suggest that they intended to say anything other than what their statement says on the surface: it didn't happen.
Obviously they could be lying, but so could Reuters, or maybe Snowden forged the documents, or maybe Reuters simply misunderstood them, or maybe it's just some sort of bullshit NSA internal documentation intended to mislead any spies who happen to steal the information. (...and it did get stolen, which almost seems to kick that last idea into the realm of possibility.)
Hell, now that I think about it, that might also explain Google et al.'s denial of their involvement with the NSA as well. I mean, if you can't actually spy on everything your enemies do on the internet, you might just settle for convincing them that you can, so that they're afraid to use the internet and are therefore at a disadvantage by not utilizing a valuable tool. It might also cause them to choose methods of communication that you can easily monitor.
Maybe Edward Snowden stole a honeypot. Wouldn't that just be hilarious? Has he revealed anything that's independently verifiable?
Just to make it clear: This was Reuters and their own sources. NOT Snowden!
they are not going to confess that they betrayed the trust of their customers and the people, eventually the truth will come out and heads will roll
Politics is Treachery, Religion is Brainwashing
They have denied, in effect, that they even are competent to evaluate cryptosystems or that they are competent to protect their customers as they claim. This denial I think is actually worse for them than saying they actually knew what they were doing and did so anyway.
RSA's official response is limp and evasive. It makes no mention of the $10M payment. Even the PR spokesliars couldn't turn this truck load of pig shit into a silk purse https://blogs.rsa.com/news-media-2/rsa-response/
> We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
Then why did they have to pay you to use a 'good' algorithm? If all they had to do is convince you it was awesome that would have been enough. How fucking dumb do you think we are?
> This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
Fuck you, RSA. You made it the default, knowing most people would trust and use it for that reason. You fucking well know if one of the options was starred 'NSA paid us $10M to make this one the default' no one would have touched it. Remember the public suspicion when Microsoft's NSAKEY was discovered. Don't bullshit us that RSA didn't know about that.
> We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
Then you should have gone back to NSA and said "Hey look, you paid us $10M to use a flawed algorithm. You are supposedly experts in encryption. We aren't stupid. What the fuck are you trying to pull on us and our customers?"
And that's the scenario that assumes they *didn't* know.
> When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
Fuck you. It was out in the open by then. You could hardly hide it then, and you still didn't warn your customers their data might have been compromised.
> RSA, as a security company, never divulges details of customer engagements,
Like $10M Bribes? Or agreements with one customer to fraudulently sell flawed software to other customers? I bet lawyers everywhere can smell big class actions off this one!
> but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use.
Oh fucking puleaze. "intention" is a bullshit cop out that means you did it but fucking us over wasn't the primary reason. If that $10M was so clean, show us the contract and the minutes of meetings. If you don't, don't expect us to trust you. And if they don't exist even though this is all above board, why?
RSA is either incompetent or malicious. Either way it can't be trusted again. Security companies can't operate unless their customers trust them. RSA is dead.
In most security scenarios people trade resources vs security. Some security algorithms are more cpu intense than others. What if RSA isn't lying per se? Consider the following scenario, a company has a dozen or so algorithms, and let's say the weakest one is default, it is also the easiest one to execute in terms of resources, if it is strong enough to prevent all but the most dedicated and well funded attempts to break it, it might be considered consumer grade but not say military grade. Over time the weaknesses the company learns about in the algorithm are kept internal and used to develop even stronger algorithms. The NSA approaches world renowned cryptography company for expertise in breaking algorithms. Knowing the NSA has more resources to dedicate to the task than almost any other player, and resources mere run of the mill hackers or criminals couldn't come close to, suppose the crypto company then sells expertise around how to break products they've written, while rarely known, and not purposely introduced these errors could be broken by an organization with significant resources and knowledge of the weakness. The company then sells the expertise on how to put gigantic resources to use.
In this scenario, no backdoor was introduced, and the weaker algorithms, were known and disclosed to be weaker but less cpu intensive to operate (and break), and later discovered knowledge of potential avenues of attack leads the company to develop stronger products. In this case, a company could sell expertise on breaking their own products, without either a) intentionally weakening them or b) creating a backdoor.
Snowden: 100% accuracy so far.
RSA: For profit company that looks really bad right now and there's no downside to them lying.
I'll go with the 100% guy with nothing to gain.
Sorry - they're not credible any more.
Sounds like legal speak to me. These are very narrow terms in a legal sense.
Doesn't matter if they intended to or not. Arguing that they didn't intend for the result that has happened is equally as pointless as the criminal arguing in court that they intended to just rob the convenience store but ended by killing the clerk therefore murder shouldn't be charged against them.
we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use.
Not corrupt, just incompetent.
Someone came in peddling a specific rng, with a sack with a dollar sign on it, and they asked no questions so they wouldn't have to tell any lies.
> That's precisely the trouble with all of Snowden's crap.
Snowden's Crap? What PR agency are you from? Seymour Hersh is certain that NSA whistleblower Edward Snowden "changed the whole nature of the debate" about surveillance. Hersh says he and other journalists had written about surveillance, but Snowden was significant because he provided documentary evidence. "Editors love documents. Chicken-shit editors who wouldn't touch stories like that, they love documents, so he changed the whole ball game" http://www.theguardian.com/media/media-blog/2013/sep/27/seymour-hersh-obama-nsa-american-media
And before you have pity on US firms losing this cash, remember that they have been knowingly aiding the NSA and the CIA and any other government entity that came knocking for years, and they would still be handing over our data (and they probably still are) without any concerns had Snowden not exposed the extent of the NSA's illegal, immoral, unconstitutional, and brazenly stupid surveillance program.
When Angela Merkel is comparing the NSA to the Stasi, we've got problems. When Chinese tech firms become more trusted than American tech firms, we've got problems. When a schmuck wearing a military costume -- which is a disgrace to people who served their country instead of their government -- lies to congress about spying on Americans and gets away with it, we've got problems. "General" Keith B. Alexander was head of Army Intelligence and missed the piles of evidence pointing towards 9/11, and even after he helped the state security apparatus morph into the world's largest and most expensive spying effort, the organization under his control has still failed to stop a single terrorist attack.
The NSA, the CIA, and Mr. Alexander are a disgrace to our country, but they are unfortunately typical of American government, and the corporations that have been colluding with them for years. They're more interested in their own careers and dollar signs than they are about upholding the Constitution, but when they are caught, they hide behind their military titles and bullshit legalese because they have no redeeming qualities as individuals or as organizations.
If it seems personal, it's because it is personal. It may just be a coincidence that I am flagged constantly when I cross the border for "random" searches, but I live in a country where I can't even find out why I seem to be a magnet for the attention of the security state. For my own protection, I am not allowed to know what my government is doing. And now that the NDAA has passed, an American agent could pick me up and detain me indefinitely without a trial.
Thanks for protecting American ideals from those totalitarian invaders, Mr. Alexander. You're doing a heckuva job.
Change did not come over night. You had patriot act over 10 years ago. You had George Bush senior saying he does not consider atheists citizens or something along those lines. You know what you are - Theocracy. You say your church and state are separate, but your politicians, media and even citizens don't agree. Hell, majority of your people don't even believe evolution and vote for creationism. What can you expect in that kind of environment?
This is supposed to make us feel better? That instead of taking money to undermine security they were duped into it? Aren't they saying here, that they didn't knowingly undermine encryption, they were simply incompetent? These guys are toast in any case, time to turn the lights off and go home...
Seriously.
"Now I want you to listen to me. I did NOT... weaken... cryptography... for that agency... the NSA."
I have myself been wondering though, when someone "leaks" something, how do we know it's authentic? Is it possible that you can steal a treasure-trove of documents, run off where you're functionally beyond the reach of the law and release them bit by bit, forcing eventual embarrassing admissions to a point where people will believe whatever you say?
What happens when Snowden leaks a document saying aliens from another world landed at Area 51, the CIA was behind Kennedy's death, and that the Easter Bunny is conspiring with Santa Claus to invade Thanksgiving and ethnically cleanse all the turkeys, replacing them with Christmas hams?
Will everyone implicitly buy that too, and assume the denials are self-serving lies?
Surely there must be a way to test RSA... Perhaps encrypt the same message with it over and over a few trillion times, and see if the output is random. If there's a problem with the randomness of the input, compromising the security of the output as has been alleged, then it stands to very good reason that there would be a problem with the output identifiable by testing the frequency of output and looking for patterns. I'm not crypto-expert, admittedly, but the whole point of a successful crypto-system is to make the output, without regard to the appearance of the input, look like pure, random noise, right?
This all happened in 2006. RSA adopted DUAL_EC. RSA was sold to EMC. NIST released the standard. Microsoft researchers showed the flaws in DUAL_EC. The flaws in DUAL_EC have been known since 2006, the only thing we didn't know was that they were deliberate.
So... IF there was indeed a ~$10 million move afoot to slide Dual EC_DRBG into BSAFE and common use, why then was its implementation in the OpenSSL library left unattended? I can easily imagine that a bit of firm anonymous advocacy or subtle pressure on developers would have yielded results -- in the least a segfault-free product.
This empirically suggests that no such move was afoot. There are enough real controversies facing us today, we should be careful when going out on limbs.
Perhaps Snowden caught wind of someone in NSA who bloviated on RSA/BSAFE's default PRNG setting, misrepresenting a fortunate occurrence (for them) as if it was some deliberate operation...? In the comfortable world of internal memoranda such a 'fib' is possible. Just sayin'.
<blink>down the rabbit hole</blink>
We need reporters that can craft absolutely air-tight, weasel-proof questions to force both corporate and governmental officials into an inescapable corner.
Even Bill Clinton would be impressed by the linguistic gymnastics now being displayed by liars of the highest order.
Look how the BBC fucked up the reporting of this: http://www.bbc.co.uk/news/technology-25492461 https://blogs.rsa.com/news-media-2/rsa-response/
Let's assume, for the sake of argument, that RSA is being completely honest and sincere: their product is not compromised by the U.S. Government. Given that the U.S. Government can just slap any company in the U.S. with a National Security Letter; the violation of which comes with prison time, and which prohibits the recipient from even saying they got one; we can't trust any U.S. (or U.K., for that matter) company's word that they haven't been compromised by the Government.
So as our computer security companies start to decline, and our economy (which has a huge computer company component to it) declines even further, we can all tip our hats to the corrupt politicians that gave our three-letter agencies the power to deal a body blow to the very country they are supposed to be protecting; and to the agencies that use that power to harm us more than any terrorist plot ever could.
They likely had an NDA with the NSA...so can't comment :)
RSA should not have settled for a cent less than 1 MILLION dollars.
Reduced Security Agency.
Tomorrow is another day...
"We have never weakened or introduced 'backdoors' into our products."
Too little wiggle room?
Compare keys or whatever this thing is generating and look for a pattern. If the keys are weakened there should be patterns and that will be all the proof you need.
Short of that... no one trusts anyone anymore.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
And everyone in prison is also innocent. Just ask them.
Seven puppies were harmed during the making of this post.
First, a contract to commit a crime cannot be enforced (in most jurisdictions). A contract to deliberately and knowingly mislead the public for commercial gain would qualify. So such a clause is a dead letter.
Second, only a great fool would put such a clause in writing. Not the least of the reasons is that you're contemplating the event of someone leaking the contract document itself...
Deterministic Randomness? My, isn't that an Olympic grade thought-pretzel? Is it Darwinian? Heisenberg and Descartes are dancing on an Einstein-Rosen player-piano Clavichord, to music originally played by a black cat in a box. Who may, or may not, already be ...
The NSA has them on their gag order leash that forces them to jerk around like a puppet and lie rather than point the finger at the molester who raped them. Notice that they are lying to their customers and employees too. The fact that the NSA forced them to behave like this is beyond acceptable. This is not how a free society works.
I guess I need to change careers if I don't want a federal thug's hand up my ass. Thanks for fucking with my life you NSA gangster thugs.
They would, wouldn't they?
...to hash RSA to mud?
It's entirely possible that RSA is telling the truth here. That they never entered into a deal with the NSA. That they never intentionally weakened or pushed a poorly implemented RNG. Perhaps. But if so, then they are guilty of gross negligence given the innate weakness and terrible performance from their RNG and their being a self-appointed industry leader in such products. Pick your poison. Either way, I wouldn't buy another thing from them.
I would deny just about anything.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
While new revelations are being disclosed almost daily, I don't believe everything "Snowden" releases because it's him. The licensing and royalty rights are very high and they already held a lock on the market...$10m is a very small price to pay to sell your soul and reputation. For that amount, I believe they would disclose their source under an NDA license.
It wouldn't surprise me that a deal was struck after the RSA patents expired or to have export restrictions lessened. But, I really would need to see the actual contract and/or banking records to fully believe this happened.
Snowden's word, in my opinion, isn't that good. He's got some documents - some are authentic. But, I don't trust someone who would put this nation in such a bad light - causing economic damage to a country he "loves" as well as put lives at risk just "because". Show me the money trail and I'll buy in to this story. Until then, it's just that...a story.
The agreement and payment between NSA and RSA is classified above TOP SECRET.
NSA will never willfully acknowledge nor divulge details on the agreement and payment: to do so would violate security conditions.
President Obama will carry on likewise.
That gives RSA free rein to deny any knowledge of an agreement and payment.
Then comes the IRS.
RSA's tax and financial reports to the IRS would need to be given close attention for a spurious $10 million.
If RSA supplied IRS with false tax and financial reports then some fallout can occur.
So it depends on getting to IRS, to get the RSA tax and financial reports, and getting inside RSA to get the real tax and financial reports (the ones they did not give to IRS) to do a comparison of the documents and numbers.
The government was trying to move to more COTS products instead of home grown so that they could push crypto across the government. USG goes to RSA and says "we'll use your product as a standard as long as you use this algorithm because it meets the minimum standard. We'll pay you to integrate it". RSA would analyze the algorithm and put it in based on assurances and the level of analysis they were capable of. They take the money and release the new product. There were a bunch of crypto export restrictions at the time. The government lessens export crypto restrictions because every country already has the main algorithms and their mathematicians and they want to know what algorithms people are using.
A court can’t compel you to lie, but there’s nothing that says that your arrangement with the NSA can’t compel you to lie. It could very well be that RSA’s contract with the NSA states that if they are asked about this that they must categorically deny it.
What bugs me the most about this is that there isn’t any sort of grass-roots push to vote out congress representatives who have supported this unconstitutional spying. Of course, there are no guarantees about their replacements (all of which will really be selected by their political parties, not really the people). But this would (a) probably reduce the concentration of supporters of these laws, and (b) send a message that this garbage isn’t supported by the people. Eventually, repeated voting selection will, after many years, filter out politicians who advocate spying.
So weakening your product for bribe money = bad. Lying about it in the face of clear evidence = complete corporate suicide. Sell your stocks because it's goodbye RSA.
Well they would say that wouldn't they?
Are you seriously suggesting that Snowden is not trustworthy? I would definitely support the guy that had to run away from his country because of a massive information leak than some crude government/corporation propaganda. It truly makes me wonder why you are posting as an anonymous coward and spread FUD about the only way we could have found out about such things in the first place.
Different AC here ... You are making a very naive assumption. That if one side is lying the other side is telling the truth. That's silly. Both sides may be lying.
The truth is Snowden has an agenda. It is therefore plausible that he is exaggerating. He is also under the control of dubious masters, formerly China and now Russia. It is mildly plausible that he needed to keep China or needs to keep Russia happy with his leaks and/or believe he is a valuable asset so that they continue to protect him.
Or to put things another way, you should NOT drop your skepticism because someone's claims match your expectations or politics. That is how you get conned. You sell what people are predisposed to believe.
Admitting would put them out of business in no time.
**Cough, cough, cough**, bullshit, **Cough, cough, cough**
"We just did that stuff because it seemed like such a good idea. The $10 mil was just a ... um ... a research grant - or something."
You never really know how close to the edge you can go until you fall off.
You may not trust the maths behind the encryption we use today, but not in this case, and not ever has it been math at fault. Maths doesn't help when there are mistakes in the algorithm, which would be exactly the case with this RSA incident.
If you want to start trusting it the way we do at universities, then try understanding how it works.
This is why you don't get in bed with government.
As opposed to industry that treats you so kindly the morning after when they hand you your pink slip?
Let me FTFY:
This is why you need to keep all powerful organizations in check. Businesses are kept in check by the government, and in turn, the government is kept in check by the people when they exercise their democratic rights.
If you're like me you're wondering exactly what the implications of this revelation are in the real world. This article and this discussion helped clear it up for me.
Thankfully, this PRNG likely isn't used in any implementation of OpenSSL. It also doesn't appear to be used, at least in newer versions, of Microsoft applications. It may be used in any older Java, and C applications though (especially those linking RSA's BSafe library).
If anyone has any more information or clarification that would be great.
If it ain't broke, don't fix it.
Bruce Schneier had a good write-up on this in 2007:
Speak before you think
I'm raising this issue, having read most of the comments here and, frankly, supporting the clearly majority view.
But this brings to the table the possibility that old laws forbidding the exportation of US'ian encryption technologies could have been a ruse.
I mean this: What better way to convince foreign governments and businesses to feel confident in the security offered by US'ian encryption entities! "We feel our crypto is soo strong that it could be used as a weapon against us!" was a rallying cry in those days ...
Yet after some years, after businesses complained about losing money to foreign competitors, those laws were changed. What a clever way it might have been, for NSA etc to expand its icy-fingered web of spying throughout the industrialized world!! Watch them jump at the chance to obtain our products! Watch NSA officials gloat!
Yes, I'm cynical .. because it is logical to be so.
RSA do you really want me to believe what you just said out of a prepared statement ?
Why pay for what is free? The question is did they do it? Not did they get paid or not for doing it, duh!
Sleezy no freezy.
You didn't understand the answer. The postulated problem with the elliptic code is NOT the algorithm. It is being presumed that the algorithm is properly implemented. It's with the data chosen to initialize the routine. And nobody has been able to show whether that's a weak selection of initializers or not...but the hypothesis is that the NSA caused the RSA to select those particular initializers BECAUSE they are weak. It could equally be because they were strong. We don't know.
Having access to the code would not solve this problem. (There are other problems that it would solve. E.g., we are trusting that the implementation was accurate. But that's not where suspicion has been focused.)
I think we've pushed this "anyone can grow up to be president" thing too far.
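The distinction drawn above, that the concern is the chosen constants rather than the algorithm or its implementation, shown as an added example (not code from this thread, from RSA, or from any real library): a toy generator with the same shape as Dual_EC_DRBG, in which whoever picked the two points knows a scalar relating them. The secp256k1 curve, the untruncated outputs, the value `E_SECRET` and all function names are assumptions made for the illustration.

```python
# Toy Dual_EC-style generator (added illustration). Assumptions: secp256k1 stands
# in for the NIST curve, outputs are not truncated, E_SECRET is a constructed value.
P_MOD = 2**256 - 2**32 - 977   # secp256k1 field prime; P_MOD % 4 == 3

def lift_x(x):
    # Point (x, y) on y^2 = x^3 + 7, or None when x is not on the curve.
    rhs = (pow(x, 3, P_MOD) + 7) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def add(a, b):
    # Affine point addition; None is the point at infinity.
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, pt):
    acc = None                  # double-and-add scalar multiplication
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

Q = next(p for p in map(lift_x, range(1, 50)) if p)   # first small x on the curve
E_SECRET = 0x5EC2E7    # constructed; known only to whoever chose P
P = mul(E_SECRET, Q)   # published constant hiding the relation P = e*Q

def outputs_from(state, count):
    # Emit x(state*Q), then advance state <- x(state*P).
    out = []
    for _ in range(count):
        out.append(mul(state, Q)[0])
        state = mul(state, P)[0]
    return out

def generate(seed, count):
    return outputs_from(mul(seed, P)[0], count)

def recover_state(r):
    # e*(+-s*Q) = +-s*P, and its x-coordinate is the generator's next state.
    return mul(E_SECRET, lift_x(r))[0]
```

Reading the source shows only two published points and a correct implementation; the relation between them is not visible in the code, which is why constants derived from a public, reproducible seed are the usual remedy.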
All looking at the source code would tell you is that they implemented Dual_EC_DRBG; exactly the same as looking at the OpenSSL source code will tell you. I doubt there would be a handy comment saying "/* Implemented a known-weak method on behalf of the NSA. */" around it.
Perhaps, but I suspect the comments on the rollback merges from the Git repository from when well-meaning developers tried to fix the flawed algorithm would be quite enlightening.
Call in the SEC, FTC, FCC, IRS and the District Courts.
This could be prime entertainment over the holidaz watching the subpoenas and search warrants from Congress and District attorneys in DC, NY, Boston, California vying for criminal complaints, discovery warrants, friend of the court letters and such. It will be an "OJ Chase Down I5" coast to coast! Yee Haa.
Posting to undo mod.
I'll go even further than that
"It's 10 million bucks that came directly out of Americans' pockets"
Actually it's money from China !
after reading their denial?
The denial reeks of Clintonesque cynicism, where one is tacitly splitting hairs in some clever semantic way which not only to me demonstrates guilt, but a culture of guilt and a preparedness for smirking dishonesty.
These are the people we entrust with our encryption? We are good and truly fucked.
"No good deed goes unpunished"
This sounds reasonable and very plausible. But, in saying so I am not entering into any agreement.
Considering the problems with the RNG, they had to pick between being stupid and useless - promoting something not secure - or being bribed.
They picked stupid and useless.
Regardless, no one is going to trust RSA anymore. Maybe even less now when we think they are both bribed and stupid?