NSA Official: Supporting Backdoored Random Number Generator Was "Regrettable"

Trailrunner7 writes In a new article in an academic math journal, the NSA's director of research says that the agency's decision not to withdraw its support of the Dual EC_DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a "regrettable" choice. Michael Wertheimer, the director of researcher at the National Security Agency, wrote in a short piece in Notices, a publication of the American Mathematical Society, that even during the standards development process for Dual EC many years ago, members of the working group focused on the algorithm raised concerns that it could have a backdoor in it. The algorithm was developed in part by the NSA and cryptographers were suspect of it from the beginning. "With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable," Wertheimer wrote in a piece in Notices' February issue.

No admission of guilt

Parse his words carefully. He never admits that the NSA actually engineered the backdoor into the algorithm, he only states that he regrets supporting the algorithm after other people pointed out it was backdoored.

This is basically equivalent to the mealy-mouthed apologies you hear from young children after they've done something wrong but absolutely refuse to fess up about it.

Re:That's why we gave EMC money

[Smallpond]

To ensure it's inclusion as default in RSA products.

Yup. $10M to use it as the default encryption mode. They also tried to require it for FIPS certification so pardon my gasps of disbelief.

Re:Wait, which part is he sorry about now?

[AmiMoJo]

It's worse than that. The NSA is demonstrating how incredibly arrogant it is. The apology is for not dropping support once the flaws become public knowledge. The implicit assumption is that it was secure before the flaw was made public, which shows how little the NSA thinks of foreign intelligence agencies. Clearly there was no way one of them could have found it and been exploiting it for years.

Re:Wait, which part is he sorry about now?

[Required+Snark]

Treason is not the correct term. It refers to betrayal of country.

In law, treason is the crime that covers some of the more extreme acts against one's sovereign or nation. Historically, treason also covered the murder of specific social superiors, such as the murder of a husband by his wife or that of a master by his servant.

The correct term is Sedition.

In law, sedition is overt conduct, such as speech and organization, that is deemed by the legal authority to tend toward insurrection against the established order. Sedition often includes subversion of a constitution and incitement of discontent (or resistance) to lawful authority. Sedition may include any commotion, though not aimed at direct and open violence against the laws. Seditious words in writing are seditious libel. A seditionist is one who engages in or promotes the interests of sedition.

Note the boldface. In this case the "established order" is the rule of law enshrined in the constitution. The NSA has subverted the constitution with warrantless mass surveillance. The Department of Homeland Security (aka Department of Homeland Pork) has ignored the constitutional right to due process with the "no fly list": there is no official way to find out if you are on it or to be removed from the list.

These actions, along with many current policies, are absolutely unconstitutional. In short, sedition. They betray the constitutional rule of law. Treason typically is the betrayal of one's country to another sovereign entity.