Slashdot Mirror
RSA Flatly Denies That It Weakened Crypto For NSA Money
The Register reports that RSA isn't taking quietly the accusation reported by Reuters, based on documents released by Edward Snowden, that the company intentionally used weaker crypto at the request of the NSA, and accepted $10 million in exchange for doing so. RSA's defends the use of the Dual Elliptic Curve Deterministic Random Bit Generator, stating categorically "that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Tell it to 60 Minutes.
RSA denying it? "Well, he would, wouldn't he?" - Mandy Rice-Davies
If this story turns out to be true, then RSA's name is mud. Only a complete and utter moron would buy from them after this.
Same goes for the other companies who have been selling us out. Even Google and Microsoft who are now leaking stories about them boldly protecting their backbones from the NSA have been handing over our data, and in the case of Microsoft took cold hard cash to add backdoors to Skype and God knows what else. If you trust *any* of these companies you are a complete and utter moron.
The problem is that the NSA has been lying to everyone with doublespeak--asking permission for X warrants when the warrants really covered umpteen billion warrants, things like that. So while this press release categorically denies "that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries[,]" it could still be truthful even if any ONE of the facts in that list is false.
For example, "known" flawed random number generator--suppose the NSA knew it was flawed and RSA didn't. This denial does not contradict that.
In the context of a topic where companies and government agencies are lying regularly by using careful diction, even a "strong" "categorical" denial has to eliminate the possibility of loopholes in order for it to be believable.
They didn't do it for NSA money, that was just gravy. They did it for Mossad money and got the NSA to chip in after the fact.
Just because you're paranoid doesn't mean they aren't out to get you
They're just claiming again that they assumed the NSA were good people.
This all happened in 2006. RSA adopted DUAL_EC. RSA was sold to EMC. NIST released the standard. Microsoft researchers showed the flaws in DUAL_EC. The flaws in DUAL_EC have been known since 2006, the only thing we didn't know was that they were deliberate.
Also it's interesting to note that an anonymous organization paid for the same DUAL_EC algorithm to be added to Open SSL. With Open SSL at least they didn't make it the default but it's not far off from what RSA did.
http://arstechnica.com/security/2013/12/nsas-broken-dual_ec-random-number-generator-has-a-fatal-bug-in-openssl/
Comment removed based on user account deletion
17. RSA agrees that should the existence of this contract, the general nature of the agreements made herein, or the relationship bewtern the RSA and NSA be made public then the RSA shall, with due expediency, issue the following denial: "we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Recycle PCs and build a wireless community network www.hillsborough.org.nz
I believe them.
Just as much as I believe that Nigerian Prince's nephew's super deal for helping him get funds out of the country.
C'mon, RSA guys. I know you're pretty butt-hurt about this revelation from the Snowden release. Heck, I can even understand that you guys may well have received an "offer you can't refuse" from the NSA, et al.
You'd be much better off playing that angle, rather than attempt a laughably-preposterous and totally unbelievable denial. The denial gets you no sympathy or possible assistance out of your situation at all from the public, only hatred, vitriol, and the ends of many of your careers.
Remember that when making deals with the Empire, Darth has a nasty habit of "altering the deal". Though you "pray" he "doesn't alter it further", it never fails to eventually happen. Neville Chamberlain, 'nuff said.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
The government has a new encryption algorithm that is "amazingly strong". Only they are paying YOU to use it? And that does not throw up any red flags in a company based on SECURITY?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Microsoft handed the NSA access to encrypted messages â Secret files show scale of Silicon Valley co-operation on Prism â Outlook.com encryption unlocked even before official launch â Skype worked to enable Prism collection of video calls â Company says it is legally compelled to comply http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
"Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple" http://gizmodo.com/google-to-government-let-us-publish-national-security-512647113
And look at the chronology of this:
23 September 2013: BBC News - RSA warns over NSA link to encryption algorithm http://www.bbc.co.uk/news/technology-24173977
21 December 2013: NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened https://www.techdirt.com/articles/20131220/14143625655/nsa-gave-rsa-10-million-to-promote-crypto-it-had-purposely-weakened.shtml How apt: Techdirt said the story was from the "from the say-bye-bye-to-credibility,-rsa dept"
Fuck you RSA. Fuck you NSA.
The Guardian ran the story. If it wasn't true RSA could sue their arses off in court for the value of their now worthless business. Guardian wouldn't dare run it unless they could prove it is true. http://www.theguardian.com/world/2013/dec/20/nsa-internet-security-rsa-secret-10m-encryption
As usual with these things, it's a non-denial denial. "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." Emphasis added. The first part says that they can't say whether they've taken any money from the NSA, so the story of them receiveing $10 million from the NSA could still be true. The second part leaves a lot of wiggle room. The word "intention" is the weasel. The statement leaves open the possibility that they could have taken the money from the NSA in good faith, in the same way that Mozilla takes Google's money in exchange for making Google the default search engine in Firefox. They didn't know then what the NSA's true intentions were in pushing use of Dual_EC_DRBG (never that mind it's several orders of magnitude slower than any other CPRNG algorithm described in NIST SP 800-90A). They were already using it in BSAFE as early as 2004, and the algorithm became a NIST recommendation in 2006. The possibility of a backdoor in the algorithm was floated publicly in 2007, a few months after it was published. I for one don't buy that they did all this in good faith, but there's no way to prove it unless some cryptographer who was employed by RSA at the times in question blows the whistle and says they had suspicions with the algorithm and the NSA's intentions for it.
The NSA wasn't always thought of as so evil. They modified the DES s-boxes so as to strengthen it against a cryptanalytic technique (differential cryptanalysis) that was known only to them and IBM since at least 1974, and kept classified until it was independently discovered by the academic cryptographic community in the late 1980s, so there may be some reason to give RSA the benefit of the doubt.
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
Given the state of affairs in the United States, I would think that every country on earth should be reviewing their reliance on American tech (especially in cryptography). Do you really want your parliament having discussions over skype? Or using Microsoft Windows to conduct their Seriously Secret activity? Microsoft is implicated in compromising Skype, so there is every reason to suspect they have also compromised Windows and every other piece of software they make. Google mail? Apple phones? RSA security? The list goes on.
If I were a foreign government I would dump serious subsidies into my domestic software development industry. This extends to our allies as well. After all, if the USA is willing to spend insane resources and flaunt the law/morality by spying upon its own citizenry to a degree hardly less severe than 1984... why wouldn't they be using the very same backdoors on you?
It's a very sad day when we have media which prostituting themselves to the BIG BROTHER and companies betraying the trust of their customers for some breadcrumbs.
If all that happened in a banana republic we may say "Oh, but they are banana republics".
But no. All these are happening in the United States in America !
What hath my beloved country turned into ?
Muchas Gracias, Señor Edward Snowden !
the lady doth protest too much
Actually, I think that lady is trying very hard to circumvent the truth.
Witness:
What the Snowden paper has revealed was not about "any contract" nor "any project", rather, it's about a one-time payment of $10 million (under table or not, unfortunately the Snowden's paper didn't state clearly) - and the result is a crippled RSA product for the rest of us.
If the $10 million payment was an under table transaction, then there would be *NO* contract signed nor any *official project".
What it entailed would be a change of a couple of lines of code, that is all to it.
Muchas Gracias, Señor Edward Snowden !
I don't think you could prove they were lying even if they were open source. All looking at the source code would tell you is that they implemented Dual_EC_DRBG; exactly the same as looking at the OpenSSL source code will tell you. I doubt there would be a handy comment saying "/* Implemented a known-weak method on behalf of the NSA. */" around it.
The problem Dual_EC_DRBG, as far as I can tell, is in the choice of constants used in it; the constants are defined by the NIST standard.
Yeah, I had a sig once; I got bored of it.
I do not trust Snowden just because he is Snowden. I do not know that guy in person. I only heard of his name after what he has disclosed what NSA had done - PRISM / GCHQ / tapping on foreign leaders, and so on.
Every single "story" about a leak that has been linked to Snowden file is just that, a "story".
After reading them, I re-traced the link back to the matter itself. If there are articles related to the matter, I give them a good read up.
The case regarding RSA for example - there have been case studies since 2006 (and earlier) that can be used as reference to what has just been reported.
That is why I say it is a very sad day when my country has turned into something worse than a banana republic.
Muchas Gracias, Señor Edward Snowden !
Snowden: 100% accuracy so far.
RSA: For profit company that looks really bad right now and there's no downside to them lying.
I'll go with the 100% guy with nothing to gain.
And before you have pity on US firms losing this cash, remember that they have been knowingly aiding the NSA and the CIA and any other government entity that came knocking for years, and they would still be handing over our data (and they probably still are) without any concerns had Snowden not exposed the extent of the NSA's illegal, immoral, unconstitutional, and and brazenly stupid surveillance program.
When Angela Merkel is comparing the NSA to the Stasi, we've got problems. When Chinese tech firms become more trusted than American tech firms, we've got problems. When a schmuck wearing a military costume -- which is a disgrace to people who served their country instead of their government -- lies to congress about spying on Americans and gets away with it, we've got problems. "General" Keith B. Alexander was head of Army Intelligence and missed the piles of evidence pointing towards 9/11, and even after he helped the state security apparatus morph into the world's largest and most expensive spying effort, the organization under his control has still failed to stop a single terrorist attack.
The NSA, the CIA, and Mr. Alexander are a disgrace to our country, but they are unfortunately typical of American government, and the corporations that have been colluding with them for years. They're more interested in their own careers and dollar signs than they are about upholding the Constitution, but when they are caught, they hide behind their military titles and bullshit legalese because they have no redeeming qualities as individuals or as organizations.
If it seems personal, its because it is personal. It may just be a coincidence that I am flagged constantly when I cross the border for "random" searches, but I live in a country where I can't even find out why I seem to be a magnet for the attention of the security state. For my own protection, I am not allowed to know what my government is doing. And now that the NDAA has passed, an American agent could pick me up and detain me indefinitely without a trial.
Thanks for protecting American ideals from those totalitarian invaders, Mr. Alexander. You're doing a heckuva job.
Change did not come over night. You had patriot act over 10 years ago. You had George Bush senior saying he does not consider atheists citizens or something along that lines. You know what you are - Theocracy. You say your church and state are seperate, but your politicians, media and even citizens don't agree. Hell, majority of your people don't even belive evolution and vote for creationism. What can you expect in that kind of environment?
Let's assume, for the same of argument, that RSA is being completely honest and sincere: their product is not compromised by the U.S. Government. Given that the U.S. Government can just slap any company in the U.S. with a National Security Letter; the violation of which comes with prison time, and which prohibits the recipient from even saying they got one; we can't trust any U.S. (or U.K., for that matter) company's word that they haven't been compromised by the Government.
So as our computer security companies start to decline, and our economy (which has a huge computer company component to it) declines even further, we can all tip our hats to the corrupt polititians that gave our three-letter agencies the power to deal a body blow to the very country they are supposed to be protecting; and to the agencies that use that power to harm us more than any terrorist plot ever could.
The test is simple. If Snowden lied, then the NSA and the President have nothing to charge him with. It is simple. They tried claling him a liar and a traitor guilty of treason in the same paragraph. When it was pointed out he couldn't be both they quickly stopped pretending he was lying.
Are you seriously suggesting that Snowden is not trustworthy? I would definitely support the guy that had to run away from his country because of a massive information leak than some crude government/corporation propaganda. It truly makes me wonder why you are posting as an anonymous coward and spread FUD about the only way we could have found out about such things in the first place.
Different AC here ... You are making a very naive assumption. That if one side is lying the other side is telling the truth. That's silly. Both sides may be lying.
The truth is Snowden has an agenda. It is therefore plausible that he is exaggerating. He is also under the control of dubious masters, formerly China and now Russia. It is mildly plausible that he needed to keep China or needs to keep Russia happy with his leaks and/or believe he is valuable asset so that they continue to protect him.
Or to put things another way, you should NOT drop your skepticism because someone's claims match your expectations or politics. That is how you get conned. You sell what people are predisposed to believe.