Security Experts Call For Boycott of RSA Conference In NSA Protest

Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further calling for a boycott of the conference, saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"

money boycott

[schneidafunk]

"'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.

Re:money boycott

[Chrisq]

"'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.

That relies on your company having people who see security as more than ticking a box to cover them if something goes wrong.

Re:money boycott

[kry73n]

boycotting the conference is the first step and will add to their reputation, companies not doing business is the natural consequence that will follow

Re:money boycott

How ticking the bo "bought RSA product" could cover their asses now? If they were the only one to know about the backdoor, they'd could do it but now others knwo they know about RSA backdooring their product.

Re:money boycott

[Grishnakh]

Depends on the company. Lots of places will probably still happily spend enormous sums of money on RSA products, even though everyone knows they're backdoored. It's a big company, and as they say, "you can't get fired for buying from $BIG_VENDOR".

Just look at how many large corporations and governments continue to buy products from big, overpriced enterprise software firms, even though that software is all crap. Hell, look at how many companies still spend millions to license and use IBM/Rational ClearCase, even though it's a bloated, obsolete piece of shit that doesn't even support something as utterly basic as atomic commits, when you can download and use many different open-source version control systems for free which all work far better (and faster) than CC.

Rest assured, lots of places will continue to buy from RSA, no matter how obvious it becomes that that decision is idiotic.

Re:money boycott

[BobMcD]

This is doubly true because $BIG_VENDOR denied it. So if it were true that a backdoor did exist, you could doubly blame $BIG_VENDOR.

It's like ticking that box twice.

Re:money boycott

[Grishnakh]

I don't see the difference.

Scenario A: "Software A is a horrible piece of shit that costs a fortune and is far, far worse than Software B, C, D, E, etc., which are all free (not to mention G, H, I, and J which are all expensive and proprietary but still far better than A), but Software A's vendor insists it's great so we believe him and we're buying it anyway."

Scenario B: "Software A claims to be highly secure, even though there's evidence that it's not, which has been aired by multiple reputable media outlets. Software A's vendor insists it's highly secure and the evidence is hogwash; we believe him and we're buying it anyway."

In both cases, the customer is believing the vendor despite much outside evidence to the contrary.

Re:money boycott

[Grishnakh]

The problem here is that RSA's software actually does do its job, just not 100%. It's more than 0%: their products will, presumably, protect your data and systems from being accessed by most attackers. It just doesn't protect your data and systems from the NSA, because they have a back door. As long as that exploit (and how to do it, not just its existence) doesn't become public knowledge, then RSA's systems will make you secure, in the same way that a strong door with a key-lock makes you safe from everyone except people who have a copy of the key (like whoever built the lock).

Re:money boycott

[Lennie]

Two wrongs don't make a right.

Re:money boycott

[L4t3r4lu5]

... Unless you have an MBA.

Cheap

The only thing interesting about this affair is that RSA only got $10M.

Re:Cheap

[alex67500]

The only thing interesting about this affair is that RSA only got $10M.

That we know about...

Re:Cheap

[Chewbacon]

How does that equate to us working class? A $5 whore?

Why aren't there any lawsuits yet?

I don't know if they sold their products with some clever fine-print disclaimers, but shouldn't those who bought their products bring them into court and demand damage payments?

Or everyone in the industry has slept with the NSA so they don't want to set a precedent by suing RSA?

Re:Why aren't there any lawsuits yet?

[Dunbal]

Kind of hard to build a case on hearsay. Prove they received 10M, and they will be sued into nothingness. But this is "he said she said" - ain't worth shit.

Re:Why aren't there any lawsuits yet?

[TheGratefulNet]

you can defend them all you want.

at this point, anything that comes to light about NSA and shows them in a bad light, I will fully believe until THAT is proven otherwise.

given the reputation, it sounds more likely than not. we're seeing the true color of the 'security' industry, here, and its about time!

and anyone who defends the nsa or rsa, well, you've shown YOUR true colors, as well.

Re:Why aren't there any lawsuits yet?

Right on, brother! I, too, accept as fact anything that confirms what I already believe, and I too believe anyone who thinks different than me is a complete ignorant asshole with absolutely no worth as a human being. You, obviously, are an upstanding guy in my opinion. There needs to be more people like us in Washington to break all this partisan bickering.

Re:Why aren't there any lawsuits yet?

[Grishnakh]

Not necessarily. Before the leaks, who really thought that much about the NSA and what it was doing? Maybe some of us really thought about it and suspected the NSA was spying on us all, but most of us were unaware; it just wasn't something that came up on our radar. Now that there's lots of evidence about what the NSA's been doing, including admissions from the NSA themselves (and a lot of nasty statements by NSA leadership about various people who oppose their spying programs), the onus is on the NSA to disprove any new allegations that arise. At this point, for me (and the OP I'm sure), the NSA has proven themselves to be completely untrustworthy, so for any new allegations against them, I'll choose to believe the allegations until the NSA can really prove them wrong. Why would I do otherwise? It's all about trust: without good evidence, you can only go on trust (and knowledge of what's really feasible; e.g., the NSA monitoring our thoughts by brain implants is obviously fantasy so allegations that aren't feasible like that can be dismissed). Since I distrust the NSA completely, I'll always believe the other side until they're proven wrong.

Re:Why aren't there any lawsuits yet?

[kasperd]

Kind of hard to build a case on hearsay. Prove they received 10M, and they will be sued into nothingness. But this is "he said she said" - ain't worth shit.

Even if it can be proven that they received 10M$ and that they knowingly introduced the backdoor, it is hard to prove that the money was payment for introducing the backdoor. However, it might be sufficient to prove, that they knowingly introduced the backdoor. What payment they received for it, shouldn't affect the outcome of the case, because it is not the payment, which is hurting the customers, it is the backdoor.

Can we prove that RSA knew about the backdoor? Maybe not, but most likely it can be proven that given the knowledge RSA had, RSA should have assessed the algorithm to be most likely backdoored, at the time where they introduced it.

In cryptography it is generally accepted best practice, that any constant whose value isn't justified in some way, should be assumed to be a backdoor until proven otherwise. That is a principle, which RSA knows about. Additionally it has been public knowledge for many years that DECDRBG was relying on a constant whose value was not justified, moreover it had been formally proven, that there was a way to hide backdoor in that constant. It's like finding a smoking gun and saying we can't be sure anybody fired that gun, it could be smoking for so many other reasons.

The fact that DECDRBG uses asymmetrical primitives for a task, which is usually done with symmetrical primitives, is in itself suspect. Symmetrical primitives are usually faster, and there is a wide range of attack techniques that could be applied on asymmetrical primitives but not on symmetrical primitives. Good reasons for asymmetrical primitives is when you are working on a task, which cannot be done symmetrically. In the case of DECDRBG the introduction of a backdoor could not have been done symmetrically.

Re:Why aren't there any lawsuits yet?

[mcgrew]

Not only that, but James Clapper, head of the NSA, perjured himself before congress and was not held accountable. It's hard to trust a proven liar.

Re:Why aren't there any lawsuits yet?

[YumoolaJohn]

Before the leaks, who really thought that much about the NSA and what it was doing?

People who actually paid attention?

Bad Analogy

As child porn wouldn't effect the customers bottom line.

This is more like Bernie Madoff hosting an ethics conference.... today.

Why not just recast the conference as a black hat/government contractor conference and show the tiniest amount of honesty.

Re:Bad Analogy

[qwijibo]

They could market it with a twist on google's "do no evil" motto:

RSA 2014 - All evil, all the time. F security, F US technology, and F YOU!

Re:Bad Analogy

[DickBreath]

I agree. The child porn analogy is a bad one. If the CEO were found with it, that would make me think differently of him, but not necessarily the company itself. (Unless he had somehow created a culture of this throughout the company.)

What RSA has done is lose my trust in the company (which includes the CEO and the highest level decision makers in the company). Criminal personal actions of the CEO would only affect my perception of him and that he should be prosecuted -- and not necessarily the company if he had continued to make good business decisions on the company's behalf.

Re:Bad Analogy

[qwijibo]

Swearing was implied, but I figured if someone at RSA wanted to own their evil, they'd want to jab at F-Secure for their vocal opposition.

"The researchers and experts who have pulled out include Mikko Hypponen, chief research officer of Finland-based antivirus provider F-Secure, and Adam Langley and Chris Palmer, who work on security practices at Google."

Re:Bad Analogy

[kasperd]

As child porn wouldn't effect the customers bottom line.

Is that the worst you can say about that analogy? How about this:

The actions of one person doesn't say anything about the company as a whole. Even if it is the CEO. If the CEO had indeed been involved in child pornography, the response from the company and its employees says more about the company, than the actions of the CEO.

But what is even more disturbing is coming up with involvement in child pornography as the worst a person can possibly do. How about murder? In my book that is worse than involvement in child pornography.

The analogy to child pornography sounds most of all like a sensationalistic statement aimed at getting attention. If you have a good point, you can get it across without resorting to such bad analogies.

Give this guys some cake

[cloud.pt]

About time more americans started acting snowde-like. As in ballsy

Re:Give this guys some cake

[Rosco+P.+Coltrane]

If all Americans started acting just a little Snowden-like, there would be another revolution in this country. That on the other hand is just some guy renowned in a very narrow, very specialized field, sulking.

It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.

Re:Give this guys some cake

[TheGratefulNet]

america's response is based on FEAR of the three letter agencies.

even congress is not above them, and if they can't get honesty from the org, how can we even hope to get a fair shake?

there won't be a revolution. the government has us locked up too much with fear and they also have more firepower and the fight would be horrible. no one wants that.

peaceful ways won't work and we can't use any other ways.

we feel helpless.

what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?

fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.

I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.

Re:Give this guys some cake

[SirGarlon]

Privacy in America is complicated. The majority argument in the Supreme Court decision that legalized abortion, Roe v. Wade, was based on a right to privacy. Since then (1973), the Republican Party has refused to accept that a right to privacy exists, because that would imply that Roe v. Wade is based on a sound principle and therefore abortion has to remain legal. This puts us in the unfortunate position of privacy rights being collateral damage in the culture war. Any Federal court nominee is going to get asked in his/her confirmations hearings whether there exists a right to privacy, and an affirmative answer means the Republicans will block that nominee. Most nominees prevaricate.

It's not the only reason privacy is a suppressed issue in mainstream American politics. Both parties have an authoritarian streak a mile wide (manifested in slightly different ways, so they can hate each other anyway) and privacy is the enemy of authority.

A lot will have to change before America is willing to make privacy a priority. What I find encouraging about Snowden's relevations is that it looks like enough people are talking about privacy that the issue might not crawl away to die again. Give it time.

Re:Give this guys some cake

[mrchaotica]

It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.

The American media's response to this absolute outrage has been a big, fat, shameful nothing, so most Americans still don't even know what's going on!

Re:Give this guys some cake

Holy shit, I never thought about that. Republicans are the real threat to privacy.

Re:Give this guys some cake

[Grishnakh]

what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?

fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.

I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.

Who's "we"? American citizens, or citizens of other nations? If you're not American, the answer is pretty simple: shunning. You don't *have* to do business with American companies. Stop buying from RSA, Microsoft, etc. (esp. companies which most likely have NSA backdoors). Start buying from companies in your own country instead.

The US is a lot like the Roman Empire. Eventually, it collapsed because of excessive corruption and overextension. The same thing is going to happen to the US, it's just a matter of time. The process will accelerate if the economy collapses, caused by other countries not trading with them.

Re:Give this guys some cake

[LVSlushdat]

It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.

What do you expect from what has become the defacto US Department of Propaganda? With little Jay Carney as Secretary.. He lies really good, but of course, he *has* to, to be able to cover up the lies his boss tells..

Re:Give this guys some cake

[bob_super]

> what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control?
> what exactly do you propose when the powerful hold ALL the cards?

You mean the late 18th century British?

Re:Give this guys some cake

[cloud.pt]

Better than facing death sentence for actually doing a good thing, IMHO. The time of martyrs is long gone: we have attained a maturity level, as a species and a global society, which should prevent us from taking irrational action such as murdering people because they read the bible (North Korea) or they export an encryption algorithm to foreign countries (US). He just decided it was better to be labeled a false traitor than a dead one.

Re:Give this guys some cake

[Obfuscant]

The majority argument in the Supreme Court decision that legalized abortion, Roe v. Wade, was based on a right to privacy. Since then (1973), the Republican Party has refused to accept that a right to privacy exists, because that would imply that Roe v. Wade is based on a sound principle and therefore abortion has to remain legal.

Your conclusion does not follow from your argument. The "right to privacy" is only one part of the abortion debate and even if one accepts the specific "right to privacy" that the court created to cover Roe V. Wade one can still be opposed to abortion.

Your assumption that Republicans oppose "the right to privacy" as a whole because they oppose the SCOTUS invention of a right to support federally funded abortion is also suspect. There is a fourth amendment that tells us what we have a right to be secure in that creates a significant right to privacy which is not questioned, only the "right to privacy" that results in the right to terminate a pregnancy.

Re:Give this guys some cake

[david_thornley]

If you think Republican leaders really care about abortion, I have a small research project for you.

Roe vs. Wade did not simply legalize abortions. It laid down guidelines as to under what circumstances abortions could be banned. How many legislatures passed laws that went up to the border of the Supreme Court decision, and no further? How many Republicans supported such laws? I didn't find any, personally, and neither did a friend who did more research on it.

Instead, we see laws of questionable constitutionality being passed, and campaigns against types of abortions that are essentially never performed unless necessary for the health of the mother. It's been nothing more than a wedge issue since Roe vs. Wade.

Reuters reported it.

Reuters reported that they did.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.

So, who's going to sue them? And on what grounds?

Re:Reuters reported it.

[Darinbob]

This is still hearsay. Where's the evidence other than Snowden's claims? Where are these documents, and who has validated them as authentic other than Reuters? Yes there's enough here to warrant an investigation but everyone's assuming they already know what happenened because of confirmation bias.

This is worse than child porn (for the company)

[Arrepiadd]

'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr.

The CEO getting involved in child porn means his personal life is tainted and he goes to jail and hell and all that.
This is bad news for the company because people lose their trust on the company. No one needs to identify with the CEO of a company... but not trusting a company in the security field doesn't bode well for said company.

Re:This is worse than child porn (for the company)

[Alsee]

I'm going to have to disagree. A company's CEO getting involved in child porn would definitely be worse.

What sort of company has a child as CEO?

-

Re:This is worse than child porn (for the company)

[ciderbrew]

A CEO into child porn would have the top interest in software security. That's the type of CEO you need. Money isn't the motivation.

Re:This is worse than child porn (for the company)

[Jah-Wren+Ryel]

> What sort of company has a child as CEO?

Most of them?

Re:This is worse than child porn (for the company)

[doesnothingwell]

I hate this thread but: Is the NSA worse than child porn? I think I taste vomit.

Re:This is worse than child porn (for the company)

[fatphil]

Well, I know one whose CEO only knew 4 words...

developers, developers, developers, and developers.

Surprised the nappy never fell down during his monkey dance.

Re:This is worse than child porn (for the company)

[YumoolaJohn]

I'd say so. The NSA is a government organization that's violating just about everyone's rights; that's many orders of magnitudes worse than the child porn bogeyman.

Re:This is worse than child porn (for the company)

[cryptizard]

Rofl so the NSA maybe having compromised one RNG which nobody even uses is as bad as child molestation. Get some freaking perspective.

Re:This is worse than child porn (for the company)

[YumoolaJohn]

"Is the NSA worse than child porn?"

That was the question. Since the NSA is gathering data (metadata is data) on just about everyone--that is, violating people's rights--I do believe they are far worse than the child porn bogeyman. For one thing, the production of child porn doesn't affect nearly as many people.

Has anybody seen the actual "evidence"?

[Ronin+Developer]

I asked this when this original story first broke headlines. There are allegations, but has anybody ACTUALLY seen proof they compromised security on the NSAs wishes for a paltry $10M?

When I attended the conferences back in the 1990's, the NSA was there...they even presented findings on the strength of DES and the need for a newer algorithm. Skipjack and Clipper, promoted by Al Gore, was the scare at the time.

Back then, licensing of the libraries (BSafe and TIPEM) came in two flavors - the low-cost Mom/Pop shop licensing (with 10% royalties paid on profits and $10K for a license to distribute and $250K+lower royalties for larger organizations. Being a little guy, the Mom/Pop deal made sense. Larger corporations would easily pay out $10M from royalties alone.

The licensing has since changed - probably because of the expiration of the RSA related patents. Perhaps, the new owners, EMC, felt that they should take the money (they are publicly traded, right?). RSA Labs was private in the past (and, had a reputation to uphold). It was well known at the time there were values that would make algorithms such as RSA and Diffie-Hellman and DES/3DES weak. Discussions centered on how to eliminate those weaknesses. EC was just coming into existence outside of the academic circles. Given source was available (for a price) and compilable, there was plenty of opportunity to examine the code for holes. The biggest, publiclly, known threat we knew of was when SecureId and SecureToken was compromised - that was admitted by the company. Too much money, particulary in secure systems design and certification was to be made - why build upon a loosely constructed house of cards?

So, did RSA/EMC intentionally weaken their products for a paltry $10M? Where is the proof, beyond circumstantial supposition, that this occurred? Can somebody point me to links showing this evidence? Or, is this conjecture based on documents that Snowden supposedly "leaked"? If so, how was the veracity and authenticity of these "admissions" proven? Is there a check, signed contract or ledger book showing the transaction(s) actually took place?

Sadly, so many in the security field will do anything to make a name for themselves - 15 minutes of fame. If there is real proof, then the call for a boycott and public raking over the coals is justified. I am asking to see the proof.

A bigger problem we, as consumers and businesses, are now facing are all the compromised wireless routers that was revealed last week. Given that the shutdown of Blackhole malware kit and no suitable replacement, we are seeing a rise of Ransom-ware. But, a single compromised machine on a wireless network behind one of these routers opened up the entire network - the attackers could access ANY machine without having to go through the originally infected host at will. We should be asking how THAT happened and insist upon inspection of the hardware and firmware by respected engineers and cryptographers (under NDA) for any critical parts or components sold for use in our routers. Their stamp would put their reputations on the line if an easily manifested exploit were found. And, did any of the companies selling products with these vulnerabilities know of the backdoors in their products? Just wondering.

Re:Has anybody seen the actual "evidence"?

[Error27]

The wikipedia entry is good on this:

http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor

RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit.

Re:Has anybody seen the actual "evidence"?

[hydrofix]

I was also skeptical when I first saw the news articles (like this one) that said that RSA had published a statement where they supposedly refuted the existence of that NSA deal. The existence of the deal was originally broken by Reuters in this article, where they cite "two sources familiar with the contract" as their sources. But then, after more in-depth analysis of the RSA blog post where they supposedly "denied" the existence of the deal, it was revealed that actually RSA neither denied nor acknowledged that such deal existed in their statement. They are just using general wording to give an impression, that they would certainly never do such thing. But they are not directly denying the existence of the deal.

Now, thinking logically, it's pretty damn clear that they would have denied that such a deal was ever made, if they were in the position of making such a claim. But given they don't directly deny the claims presented by Reuters, it would seem a much more logical explanation that the deal indeed was made, and RSA just went into damage control mode after the publication of the Reuters article. Lying to the public would have meant more damage if Reuters would have later been able to present the actual paper of the deal, so I suppose we can take their lack of directly denying this deal's existence as an admission of sorts. This is also the reason why speakers are canceling their appearance in the conference ("Your company has issued a statement on the topic, but you have not denied this particular claim.")

So, I think we have grounds to believe that there is actually quite much truth to the original story by Reuters. As they say, the deal was "handled by business leaders rather than pure technologists". I am pretty sure that this is a yet-another example of a major manager-level f*ck up. Tech companies very often have all the expertise on the technical personnel level, while managers are a "necessary evil" who often have much fewer insight into the technical field where the company actually operates. Of course, anyone with even the slightest idea of how the IT security field functions, would never ever endanger their company's credibility (at least for such little reward as $10 million), because deals like this tend resurface in the public sphere sooner or later. All we can assume that someone in the management made a very major f*ck-up and made this secret deal with NSA without much consulting from the technical folks. But I am pretty sure that now that this deal has surfaced in the public sphere, it will end up costing RSA a great deal more in lost sales than what the "business leaders" anticipated they could gain in short term from making the deal with NSA.

Re:Has anybody seen the actual "evidence"?

[Alsee]

Huh?

I'll break this issue down into three levels. First there's the compromised algorithm itself. The algorithm and source code for it is public. Anyone can trivially test that it's about a hundred times SLOWER than the alternative algorithms. It has zero redeeming features. And anyone with the slightest security knowledge can see that it was covered in huge red flags all over it (unexplained magic numbers pulled out of the algorithm-submitter's ass are a HUGE security no-no). It had squat track record of being vetted by the global security community for flaws. No one with the slightest security expertise would ever willingly use it, much less set it as a default algorithm.

Second, there's RSA's products. Anyone who bought it can check the configuration to see that the compromised algorithm is in there, and that it's set as the default. Anyone with an internet connection can do a search and check the product specs. I'll admit I haven't personally checked this detail, but it's beyond implausible that the story has run this long without anyone here posting a fact-check on it if it were false.

So that just leaves the third aspect. Whether RSA got paid twenty pieces of silver.... errr.... I mean ten million dollars....to set the compromised algorithm as the default in their products. I would say that is a forgone issue when RSA's response on the story was an astonishingly lame we-didn't-know-it-was-compromised and we-would-never-knowingly-compromise-our-customer's-security. If they hadn't been paid $10 million by the NSA to do, then the first words out of their mouths would have been to deny the $10 million NSA payment.

So that just leaves us with two possibilities. Either RSA knowingly took a $10 million payoff to look the other way and install a compromised back door as the default setting in their products, or they don't have a single competent security person on their entire staff.

It's hard to say which of those two possibility would be worse for a security company, but we don't have to ponder which applies here. It is utterly implausible that RSA doesn't have competent security experts on staff. They make highly sophisticated security products. They know damn well how to make products that will strongly protect you from attack by random hackers. However they are also willing to sell out your security so that the US Government has a back door into your system.

So... if you want top tier security products to protect your business and you don't give a hoot that it comes with a back door for US spook agencies, sure, go with RSA. They've got some of the top security experts. But if you want security products that don't come with back doors, there are other world-class security companies to turn to. World class security companies with world class security experts who, even in a drunken stupor, would neverselect an unproven absurdly slow ugly blatantly-backdoored random number generator to use.

-

Re:Has anybody seen the actual "evidence"?

[chihowa]

The blame for this can't be kept entirely off of the techie's shoulders, though. While management may have made the deal and pocketed the money, management isn't capable of actually altering the product. At some point the product they shipped was made to be different than the product the technical side originally designed and it took cooperation from the technical team to make that change happen.

Re:Has anybody seen the actual "evidence"?

[hydrofix]

That might be somewhat mitigated by the fact that the deal and the alteration to the software were done in 2004, but the first researcher analyses to hint of problems with this algorithm weren't published until 2006. When making the change, the developers were not necessarily told that NSA had paid RSA to use that algorithm. It might have passed as just another security improvement to the product.

Re:Has anybody seen the actual "evidence"?

[chihowa]

Good point wrt withholding the knowledge of the payment. Being paid to use the algorithm is certainly sketchy, but if the technical team received only the word that the NSA had advised they use a particular algorithm it could certainly seem like advice worth following.

Re:Has anybody seen the actual "evidence"?

[Ronin+Developer]

The BSafe and TIPEM source code are NOT "freely" available. You license the binaries by default. If you license the source, it is under NDA. Licensing the source is not cheap. Consequently, I suspect few have had the opportunity to examine the source. Perhaps, some may have decompiled it. But, the source is not public.

There are open source variants of the libraries out there - OpenSSL being one of them. But, it isn't the BSafe or TIPEM code.

More likely, the NSA paid for a source code license at $10M..made a modification and then put the modified source back into their source control - perhaps removing the old code in the process. Or, somebody in management made the call to put it back into the repository. If the code isn't broken, odds are, nobody will touch it or even question it.

When someone chooses to confirm nor deny an accusation, it isn't an admission of guilt - Like pleading the 5th, it's a right against self-incrimination (like being railroaded no matter how you answer). It's a cover one's ass action in the event somebody might have done something wrong - it's plausible deniability by those having to answer the questions.

Re:Has anybody seen the actual "evidence"?

[Alsee]

The BSafe and TIPEM source code are NOT "freely" available.

I never said they were.
I said, "The algorithm and source code for it is public".
And they are. The Dual_EC_DRBG algorithm is a standard published by the U.S. government.

We know the code in the RSA products are functionally identical to the published algorithm and code because if it weren't then they would fail the test suite and never have received certification.

More likely, the NSA paid for a source code license at $10M..made a modification and then put the modified source back into their source control - perhaps removing the old code in the process.

You seem to be misunderstanding the problem here. There was no code modification, there was no need for code modification. The algorithm as originally published by the government had an embedded back door. The algorithm was so blatantly atrocious and so blatantly insecure that no half-educated security professional would ever want to select it. The government paid RSA to include the algorithm, and furthermore paid RSA to set it as the default. RSA then faithfully copied the blatantly backdoored algorithm to their products, and set it as the default.

When someone chooses to confirm nor deny an accusation, it isn't an admission of guilt - Like pleading the 5th

This isn't a courtroom, and this isn't an abstract exercise on what is and isn't theoretically possible. This is a corporation that is doubtless losing millions of dollars in business, and has taken devastating and potentially permanent damage to their reputation for trustworthiness in an industry where trustworthiness is the end-all-be-all of a product. To suggest that RSA management knew the widely reported $10-million-NSA-contract report was false, and declined to say so, is beyond implausible. In fact I suspect failing to say so would get them in serious legal trouble for violating their fiduciary responsibility to stockholders.

And just to bury them even deeper, a minimum of three RSA employees were explicitly aware of the backdoor issue, as they were all members of the ANSI X9F1 Tool Standards and Guidelines Group where the backdoor issue was initially raised.

-

Can they be sued...

[MitchDev]

for not truthfully advertising their products as "Insecurity Solutions"

Missed point - off topic comment to follow

[ka9dgx]

We're all running systems based on some derivative of Unix. The user based permission model was fine for 1970s computer science departments, but it's totally crap for the world we now live in. We all should be running systems that are at least Orange Book A1 level secure, but we aren't. The resources are available to do it, we could totally pump this out in a year or two in the open source world.... but we won't.

Everyone thinks they have secure enough systems... but they don't, not by a country mile. Nobody seems to understand that trusting applications to do their jobs, and not subvert the systems, is a stupid thing.

We have persistently insecure computing... encryption, even if done perfectly, doesn't help fix that.

I don't think the full story is out...

[msauve]

From what I've read, it may be too quick to gang up on RSA. It sounds like they accepted a payment from the NSA to make Dual_EC_DRBG preferred/default, not to accept a backdoor.

The industry as a whole is responsible for accepting and adopting Dual_EC_DRBG. According to Wikipedia, "Members of the ANSI standard group, to which Dual_EC_DRBG was first submitted, were aware of the exact mechanism of the potential backdoor and how to disable it, but did not take sufficient steps to unconditionally disable the backdoor."

It seems to me that RSA is just being made a scapegoat for an industry failure because they accepted a payment to make it the default (which would be perfectly acceptable if the NSA positioned it as payment to ensure wide acceptance of an improvement over the previous default). I've seen nothing to indicate that RSA knew about or was involved in creating the backdoor, or that it is any more culpable than the rest of the industry for its acceptance as a standard.

Re:I don't think the full story is out...

Standard or not, it's been shown, since 2006, that Dual_EC_DRBG is at best cryptographically flawed, and at worst backdoored. There have been better suited algorithms available and supported before, during, and after 2006. So how quickly did this security company update their software? When did RSA stop using a poor and vulnerable algorithm as the default? September 2013.
That's either incompetence or malice. Neither of which should be supported or trusted in a supposed "security" company.

Not a cipher...

Not a cipher, but a pseudo-random number generator. Which means that every cipher, signature, or other algorithm that used random keys was compromised.

Re:Hmmmm

[SirGarlon]

Not quite. I am telling you that because of abortion, no one is willing to stop the NSA putting back doors in software.

ok then, let's have it

[BringsApples]

What end-user products should one avoid in order to avoid this back door?

Re:ok then, let's have it

[mrjimorg]

The problem is that these products don't exist to large extent. The reason is that people are unwilling to accept any performance degradation in exchange for security. So, instead they use insecure systems, then they install 'anti-virus' which seeks to un-infect a system during/after an infection. This is like telling doctors "You don't need a hazard suit for that Ebola patient. If you get Ebola we'll give you some drugs". So, in order to protect ourselves we run virtual machines so that threats such as viruses are contained.
It's disgraceful that in 2014 we don't have secure operating systems. SE Linux is better than most, but not by much. If I went to you with a USB key and said 'run this on your SE Linux box, would you feel comfortable doing that knowing that your system is safe? Probably not.
If you want real security here is what you need:
1. A true microkernel that has been mathematically proven. This code would never change because it has been proven to be perfect. There is a field of CS/Math that allows for this. The only updates that would ever be needed for this code would be if the field of CS/Math allowed for more advanced features to be proven, and probably not even then.
2. Drivers and hardware must be assumed to be subverted and untrusted. Drivers would all run in user-space processes. No hardware or drivers may be allowed to access any resources that has not be assigned to them. Hardware DMA should go through a virt-phys translation that is set up to prevent access to any unauthorized areas of memory. This can be done using new virtualization extensions such as intel VT-X and ARM MR-IOV. This is because buggy drivers/hardware are the biggest security threat vector for exploits. However, I've seen issues in VT-X that allows a PCI device to lock out the entire bus which I consider to be a DOS failure.
3. Trusted Hardware. This is the soft spot in Intel's armor. There have been some publicly embarrassments for Intel in this field- such as a cache exploit that was a significant threat in certain circumstances, or the backdoor into TPM which invalidates it's only purpose. If a company were to release a version of the ARM processor that has undergone provability in same way that software can be proven they may be able to create a secure processor that is guaranteed to not have issues to exploit.
4. A layered security approach. None of this "I to become root now, so I'll use su root". You should start in a root container that has access to the entire system within which a subcontainer would be created for what you as a user can access. Within that you can create subcontainers, each of which would have even more limit access than their parent.
I should be able to create a container that has no access to the network, or to the disk, etc
My document editor should only have access to my Documents directory
I should be able to create a container within which none of my secure files are accessible (my passwords file, my tax docs, etc). In Linux any program I run can read any file that I have permission to access- this is totally unacceptable!
5. Visibility - the difference between malware and useful software is whether the user wants that program to be doing what its doing. When I look at my Linux system I see hundreds of processes and I don't know what many of them are doing. Any of those programs could be malware and I wouldn't know the difference. We need to have a better way for users to really see what's going on in your system and what resources are accessible to which programs. For instance:
You should be able to see which programs have access to the keyboard events. This would immediately tell you if you have a keylogger
You should be able to see which programs have access to which parts of your harddrive, and what they are doing. Can't tell you how many times I've heard my HDD spin up without any idea why. It sends a chill up my spine every time
You should be able to limit which ip addresses a program can access

Re:ok then, let's have it

This sounds like the HURD, the design principles of which seem to me possibly better than the current monolithic approach of the Linux kernel. Is the HURD the closest (free software) thing we have to a solution like this?

Re:ok then, let's have it

[mrjimorg]

Honestly, I think Qubes is a better match. Although, last time I looked at HURD there were no virtualization extensions

not showing up? Really?

[slashmydots]

No way, go there and freaking trash the place. Go all "occupy" on them or plan silly string attacks or flash mob protests in the middle of presentations. THAT would send them more of a message than slightly lower than average attendance.

Re:Security researchers toddling...?

[wonkey_monkey]

I find the slow researcher withdrawal more than a little disconcerting.

All depends what you're researching and who with.

Re: My off topic post

[BringsApples]

Revelations of back doors are, as I suspect, limited - perhaps there are many more that we don't know of yet. And since that's the case, since people are more into making money than they are into making sense, then "computers" themselves cannot be "trusted". That doesn't mean that we can't use them as they are however. I'm not about to go off and learn what the shit "systems that are at least Orange Book A1 level secure" even means. I'm going to continue to use commercial software and hardware, because life's simply to short, and I only care so much about privacy - as long as I'm not being charged with some bullshit charge (and I have been charged with some bullshit charge in the past) that I cannot prove is a bullshit charge (I was able to prove that what I was charged with was total bullshit and it got thrown out), aka some terrorist plot or something like that.

"Computers" should be treated like girls that have a stinky vagina. There's obviously something wrong, but that doesn't mean that she's not cool to talk to, ask questions of, play games with.

Re:Security researchers toddling...?

[ZouPrime]

People go to these conferences for the networking opportunities, not necessarily because they care about the flagship product of the main sponsor.

Boycott won't work

Those security conferences are packed with government contractors that know better than to bite the hand that feeds them.

Much like everyone else on the planet...

[Grog6]

I agree; barring incontrovertible evidence to the contrary, the NSA will never be believed again.

Time to dismantle the entire operation and start over with new people; obviously none of these people understand what Domestic enemies are: People who are destroying the Constitution.

It is being destroyed because it is being ignored in the name of "National Security"; that bill of rights is so inconvenient for Despots.

They didn't need to repeal it; take a look around; they know there's nothing we can do about it.

Congress is likely being blackmailed into silence; in our society, everyone is guilty of something, are they not?

And here we always thought the "tinfoil hat" and gun nuts were just crazy... :facepalm:

Re:Much like everyone else on the planet...

[zlives]

i am reminded:

"It is the certainty that they possess the truth that makes men cruel."

Re:Much like everyone else on the planet...

[Ash-Fox]

People who are destroying the Constitution.

Why would that matter when the U.S. is in a state of emergency and has been for ages now?

That's like you're trying to say "the Constitution" has some sort of power to begin with, it doesn't.

Republicans are the real threat to reason.

[Grog6]

n/t.

Discounted, surplus tickets available for 50% off

[Supp0rtLinux]

So in summary, there's discounted tickets available now...

Stupid, stupid, stupid.

[eyenot]

Uh, hello pinhead. HELLO PINHEAD!

NOT going to the conference is EXACTLY what the NSA wants you to do!

If you DO go to the conference, then you get to discuss the issue with like minds and with the source of the issue.

If you "boycott" the conference, trust me, there's already a prepared script for handling that "quote" "contingency" "quote".

I would have some serious questions for whomever first pitched the idea of boycotting the conference as some kind of political statement. Can it be traced to a person or circle of people? What is / are their identity(ies)?

Re:Stupid, stupid, stupid.

[bill_mcgonigle]

Can it be traced to a person or circle of people? What is / are their identity(ies)?

IIRC, the head of R&D at F-Secure.