> And the RSA did go on record. They said it wasn't true.
What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.
If you read the keynote from the current RSA Conference, RSA's defense is that they stopped independently creating and verifying the cryptographical algorithms, instead just getting them straight from NIST and ANSI. And they knew or should have known that Dual_EC_DRBG was written by NSA.
> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to our business, we worked to establish an approach to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and Technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."
Meanwhile RSA Security ignored all the independent research showing that Dual_EC_DRBG was radioactive. So RSA Security's defense is that they stopped doing any due diligence, and instead just copied everything straight from NSA. And because they stopped even trying to do independent cryptography, they were not aware of the possible backdoor. And you think RSA Security's statements in their defense are not laughable, and that people protesting this are just "a$$holes"?
> They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.
Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters would be, for example, to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.
RSA Security also has not yet given a good explanation for why they ignored the multitude of red flags until 2013. As cryptographer Matthew Green writes:
> So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow -- which has real performance implications -- it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.
If RSA Security makes secret contracts that impact other people's security, I don't see why RSA Security should get any benefit of the doubt. Why should we trust a company cloaked in secrecy that has shown itself to be overwhelmingly incompetent and/or malicious?
> There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.
It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely. But that in no way excuses or explains why RSA Security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine...
Jeffrey Carr has a good point from the RSA Conference keynote:
> "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech
So up until then, they apparently considered all the criticism of RSA Security without merit? On what basis? The research was obviously right.
http://jeffreycarr.blogspot.dk...
If you read a bit more in the actual keynote, there is actually an unexpectedly frank explanation:
> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to our business, we worked to establish an approach to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and Technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."
But they ignore most of the input of the larger community, in favor of taking $10,000,000 from NSA to use their backdoored algorithm.
What we have seems to be standard exploitation of a valuable acquired brand which is no longer profitable. Take a high-quality brand with an outstanding reputation for independent quality checking. Fire everybody skilled (and expensive), and sell as many cheap commodity products under that brand as you can get away with, with as little expensive quality control as possible. Their claim is that they expected to get the quality control for free from NIST, which they knew was dominated by the NSA. Meanwhile, RSA Security chose to totally ignore any contradicting independent research.
Personally I believe the amount of incompetence and cluelessness claimed by RSA Security as defense strains credulity beyond breaking point.
There are lots of Linux titles, but they are mostly indie games. Indie games don't seem to have any problem porting to Linux.
Go buy some Humble Bundles - most games in those have Linux support (and Steam keys).
Obviously the update should not be applied while the car is turned on... car companies are not that stupid.
Did the summary just link to a PDF file... in Finnish? It wasn't enough that the same file was already linked from the main article, but it was judged useful enough to link from the summary? Really?
The trick to good linking is to avoid overlinking, to avoid confusing the reader. This summary fails.
> The shi-fu ('kung-fu masters,' meaning the scientists and engineers)
According to Wikipedia, shifu means master craftsman. Though that obviously also covers kung-fu masters, I don't think that is what the Chinese were alluding to!
I think somebody has been watching too many Hong Kong kung-fu movies.
Dropping USB keys in parking lots is a known way to infect a network. Any Google employee competent enough to use bitcoin should hopefully also know that picking up random USB keys is a bad idea.
https://www.schneier.com/blog/...
Being limited by a floppy disk support requirement sounds like a bad joke. Is that really relevant for any computer which is not hopelessly antiquated in 2014? For reference, Apple stopped shipping floppy disk drives by default in 1998.
"Any headline which ends in a question mark can be answered by the word no."
> Then all that happens is we adopt those other schemes faster
But what of all the encrypted old traffic that the NSA has stored?
> the developers are staying anonymous because they probably fear the inevitable copyright lawsuits
So Kanye West wrote the code for the platform, and therefore owns the copyright to the code, and they pirated it? Why else would they fear a copyright lawsuit?
So an anonymous manager - manager! - thinks it isn't a big deal. They couldn't find an actual cryptographer to quote? While all the cryptographers do think it is a big deal. This is not an issue where there is real discussion. It is not me who is exaggerating; it is you who are understating the issue.
Many news articles in mainstream media have pointed out that it is a non-denial. If RSA Security was innocent, it would be easy to just issue a new press release saying unambiguously that no contract existed. Why hasn't RSA Security done that?
I think the backdoored Dual_EC_DRBG still has forward security. xorshift64 doesn't have forward security, if nothing else because the period is small enough that you can brute force search it.
If you can choose P and e, then you can easily calculate Q=eP. It is only if you start with P and Q given that you can't find e.
> In short, as is the case with many conspiracy theories all you have is a collection of things that are suggestive, not definitive.
When you design a standard, one of the design criteria is that it does not allow for even a potential backdoor. See e.g. https://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number . It is most definitive that Dual_EC_DRBG should never have been approved given the knowledge available at the time of how to prevent any possible backdoor.
You need to read it like a lawyer. Take the first claim for example:
> Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
Note what is not denied:
* It is not denied that the contract existed
* It is not denied that they set Dual_EC_DRBG as default as a result of the contract
* It is not denied that the contract was secret (they do later deny that their relationship with NSA in general was not secret, which is correct, but does not preclude one contract from being secret)
The only thing they deny is that they knew that Dual_EC_DRBG contained a backdoor when they made the secret contract to set it as the default.
The same with their other non-denials.
I have been adding various facts to the Wikipedia article on Dual_EC_DRBG. A good deal of the most interesting points have not been reported in mainstream media.
* The ANSI group which standardized Dual_EC_DRBG was aware of the potential for a backdoor.
* Three RSA Security employees were listed as being in that ANSI group, making RSA Security's innocence claim shaky, since it is less likely that RSA Security didn't know about the back door when NSA paid them $10 million to use Dual_EC_DRBG as default.
* Two Certicom members of the ANSI group wrote a patent which describes the backdoor in detail, and two ways to prevent it.
* Somehow the ways to prevent the backdoor only make it into the standard as non-default options.
* Somehow the people on the ANSI group forget to publicize the potential for a backdoor. Especially Daniel Brown of Certicom (co-author of the patent), who also wrote an attempt at a mathematical security reduction for Dual_EC_DRBG, but somehow forgets to explicitly mention the backdoor. The conclusion in Brown's paper also seems very determined to hype Dual_EC_DRBG, whereas the other papers about Dual_EC_DRBG seem excited to hype the errors they find.
* The potential backdoor only becomes public knowledge in 2007.
* Daniel Brown writes in December 2013 that "I'm not sure if this was obvious." and "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se."
Certicom is the main inventor and patent-holder for elliptic curve cryptography. The two Certicom employees failing to warn or prevent the backdoor they clearly knew was possible doesn't reflect well on Certicom.
According to Dan Shumow and Niels Ferguson's 2007 presentation, finding the private key e corresponds to solving one instance of the elliptic curve discrete log problem, which is believed to be a very hard problem indeed, and probably not even doable for any current supercomputer.
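The P/Q relationship described in the two comments above (choosing e and computing Q = eP is cheap; recovering e from P and Q alone is an elliptic-curve discrete log), together with the "nothing up my sleeve" remedy mentioned earlier in the thread, worked through on a toy curve. This is an added example, not code from the thread, from RSA Security, or from any Dual_EC_DRBG implementation; the curve y^2 = x^3 + x + 1 over F_23 (28 points), the base point P = (3, 10), and the `hash_to_point` routine are all constructed for illustration.

```python
"""Toy elliptic-curve illustration of the Dual_EC_DRBG point relationship.

Constructed example: y^2 = x^3 + x + 1 over F_23, a 28-element textbook curve
chosen precisely so that the discrete-log search below is feasible.
"""
import hashlib

P_MOD, A, B = 23, 1, 1   # constructed toy curve y^2 = x^3 + A*x + B over F_23
INF = None               # the point at infinity (group identity)


def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def ec_add(p1, p2):
    """Affine group law (textbook formulas; no constant-time care, toy only)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: whoever knows e computes Q = e*P in O(log e) steps."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def brute_force_dlog(P, Q, limit=10_000):
    """Recover e with e*P == Q by exhaustive search (the ECDLP).

    Feasible only because this group has 28 elements; on a 256-bit curve the
    same loop is the 'very hard problem' the comments refer to.  Returns None
    if no multiple of P below `limit` equals Q.
    """
    acc = INF
    for e in range(1, limit):
        acc = ec_add(acc, P)
        if acc == Q:
            return e
    return None


def hash_to_point(label):
    """'Nothing up my sleeve' alternative: derive Q from a public string by
    try-and-increment, so no party ever chose an e relating Q to P.
    Square root via rhs^((p+1)/4), valid because 23 == 3 (mod 4)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(f"{label}:{ctr}".encode()).digest()
        x = int.from_bytes(digest, "big") % P_MOD
        rhs = (x ** 3 + A * x + B) % P_MOD
        if pow(rhs, (P_MOD - 1) // 2, P_MOD) in (0, 1):   # rhs is a square
            return (x, pow(rhs, (P_MOD + 1) // 4, P_MOD))
        ctr += 1


if __name__ == "__main__":
    P = (3, 10)                       # constructed base point on the toy curve
    e = 3
    Q = scalar_mult(e, P)             # the cheap direction
    print("Q = e*P =", Q)
    print("e recovered from (P, Q) by search:", brute_force_dlog(P, Q))
    Q2 = hash_to_point("toy verifiably-random Q")
    print("hash-derived Q2 =", Q2, "on curve:", is_on_curve(Q2))
```

Both directions are shown on purpose: the search in `brute_force_dlog` succeeds instantly here and would be hopeless on a real curve, which is the asymmetry the backdoor relies on, while `hash_to_point` is the simplest form of the remedy the thread mentions (a Q nobody chose, so no e exists for anyone to know).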
> Like RSA they will just keep denying it and hope there is nothing to directly contradict them.
Yup. And now John Kelsey (who authored the NIST report) says that the potential for the Dual_EC_DRBG backdoor was brought up in an ANSI group meeting, in a group that had three formal RSA Security members (whether they were actually present at the meeting we don't know). And two Certicom members of the same group wrote a patent exactly describing the back door in January 2005, which presumably all the ANSI group members had access to. But RSA Security's know-nothing defense is looking ever-more ridiculous.
I have been updating Wikipedia: https://en.wikipedia.org/wiki/Dual_EC_DRBG . At some point I guess the journalists will wake up?
Also there is no way at least Daniel Brown of Certicom (co-author of the patent) wasn't aware there was probably a backdoor. But he seems to have kept it fairly low-key. And now in 2013 he says: "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se."... And at least Daniel Brown knew exactly how to neutralize the back door, but little was done.
Minix was explicitly considered a toy operating system by Andrew Tanenbaum, who refused to accept patches to add functionality because the complexity would have made Minix less suited as a teaching tool.
> Has the manipulation of currencies masked the real changes in our currencies vs gold?
The main currencies (dollar and euro) have been relatively stable to each other and to a basket of commodities, while gold has not. The result is what counts.
As for there being manipulation: Central banks exist to manipulate currency prices to be stable. That is a feature, not a bug - stability is good. But the US Central bank's manipulation has actually had the goal of weakening the dollar (by printing more) compared to doing nothing, not strengthening it. There is no reason to believe that the US Central Reserve has been manipulating the US dollar in a dangerous way - if the dollar was to begin falling, it could sell off some of the many assets it has been buying for newly printed dollars, thereby unprinting those dollars again (reducing the money supply), which would make the remaining dollars worth more.
> http://www.indexmundi.com/commodities/?commodity=food-price-index&months=120
On your food price chart: I remember a number of global food crises caused by crop failures in recent years, such as the drought in Russia. That food prices have been swinging a lot says something about the wheat market, but doesn't necessarily say anything about the dollar. To get a fuller picture of combined dollar price swings, you have to average the price swings of all commodities. Such an averaged price index is called an inflation index, and shows the dollar to be stable (and the price of gold not to be stable).
> Excuse me if I'm just showing my ignorance but can we really determine what is changing in those graphs? Is it the value of the currencies to which it is measured against that changes or the value of the gold?
The prices in dollars of commodities in inflation indexes have been relatively stable. For example the price of gold doubled between 2009 and 2011 - do you remember the dollar-price of commodities doubling in the same time interval, as would be the case if it was just the dollar halving in value and gold being stable? No, obviously not.
There is no real doubt that it has been the price of gold which is unstable, and not the price of dollars.