Posted on 12/20/2013 4:16:47 PM PST by James C. Bennett
Reuters reports that the NSA paid massive computer security firm RSA $10 million to promote a flawed encryption system so that the surveillance organization could wiggle its way around security. In other words, the NSA bribed the firm to leave the back door to computers all over the world open.
Thanks to documents leaked by Edward Snowden, we already knew the NSA played a central role in promoting a flawed formula for generating random numbers, which if used in encryption, essentially gives the spies easy access to computing systems. A piece of RSA software, bSafe, became the most significant vector for the security flaw. The encryption tools which hundreds of millions of people rely on to protect the private information are significantly weaker as a result.
The sickening revelation is that the NSA paid RSA to make sure that the formula got into the software just the way they wanted it to. Both the NSA and RSA haven't directly acknowledged the deal, but Reuters claims to have thoroughly vetted it with sources inside the security company.
The report is just the latest which shows that, in an effort to collect as much information as possible, the NSA has been systematically undermining security infrastructure for decades. While some of Reuters' sources appear to think that RSA was duped by the government, it seems pretty clear now that the company knew what it was doing when it entered into a secret contract with the NSA. Disgusting.
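The article's technical claim is that a random number generator whose output an observer can predict leaves any key drawn from it recoverable, no matter how strong the cipher that key is used with. The Python example below is added here to illustrate that point; it is not code from the article, from RSA, or from the BSAFE product. The weak generator, its deliberately tiny 16-bit seed, the toy XOR stream cipher and the sample message are all constructed for the demonstration and stand in for no real product's algorithm.

```python
"""Constructed demonstration: a predictable random number generator undermines
any key derived from it. Not code from RSA, BSAFE, or the article."""
import hashlib
import secrets

SEED_BITS = 16  # constructed: a toy secret so small the search finishes in well under a second
KEY_LEN = 16    # 128-bit key, as a real symmetric cipher would use


def weak_rng(seed: int, n: int) -> bytes:
    """Toy deterministic generator: every output byte is a function of a 16-bit seed.
    Constructed stand-in for any generator whose output someone who knows its
    internals can reproduce, which is the property the article attributes to the
    NSA-promoted formula. The hash only expands the seed; it adds no secrecy."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter-mode keystream.
    Symmetric, so the same call both encrypts and decrypts."""
    ks = bytearray()
    counter = 0
    while len(ks) < len(data):
        ks += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_with_weak_key(seed: int, plaintext: bytes) -> bytes:
    """Victim's side when the key comes from the predictable generator."""
    key = weak_rng(seed, KEY_LEN)
    return xor_crypt(key, plaintext)


def encrypt_with_strong_key(plaintext: bytes) -> tuple[bytes, bytes]:
    """Victim's side when the key comes from the OS CSPRNG: 2**128 equally likely
    keys, so the enumeration below is hopeless. Returns (key, ciphertext)."""
    key = secrets.token_bytes(KEY_LEN)
    return key, xor_crypt(key, plaintext)


def recover_from_weak_rng(ciphertext: bytes, known_prefix: bytes):
    """Observer's side: knows the generator but not the seed. Re-derives the key
    for every possible seed and checks the decryption against a known plaintext
    prefix (a protocol header, say). Returns (seed, plaintext) or None."""
    for seed in range(1 << SEED_BITS):
        key = weak_rng(seed, KEY_LEN)
        candidate = xor_crypt(key, ciphertext)
        if candidate.startswith(known_prefix):
            return seed, candidate
    return None


if __name__ == "__main__":
    message = b"MSG:meeting at noon"  # constructed sample message with a known header
    ct = encrypt_with_weak_key(0xBEEF, message)  # 0xBEEF is a constructed seed
    print("weak RNG, recovered:", recover_from_weak_rng(ct, b"MSG:"))
    key, ct2 = encrypt_with_strong_key(message)
    print("strong RNG, search space:", 2 ** (8 * len(key)), "keys")
```

The cipher is never attacked here; the only thing the observer exploits is that the generator feeding the key has far less secret state than the key length suggests. The defensive check this motivates is to audit where key material actually comes from, and to treat a generator whose internal parameters were chosen by a third party as untrusted until that choice is explained.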
The above assumes this story is not BS; I am hoping the story is BS.
Up till now the NSA leaks have been embarrassing; this is downright destructive to our economy and security. RSA is used on EVERYTHING.
and the hits just keep on rolling
Many companies I consult for use them, and their key fob devices.
They’re big.
I wouldn't be too sure about that. They don't have the billions to blow on this bullshyte and may not have enough capable people. They might do NSA type stuff on a modest scale
Perhaps it is time to do some more reading on the ‘writs of assistance’ and the 4th Amendment. It was this sort of broad and illegal search that sparked the Revolutionary War.
If a “loser”, as described by the NSA, like Snowden can get this much information, the agency must be staffed with a bunch of bumbling idiots. I doubt that’s the case. I’m beginning to believe my wife’s theory. Snowden was put out there to warn us just how much power they have over us.
The RSA public-key encryption algorithm and the RSA company aren't the same thing, and nobody's alleging that the RSA PK algorithms are compromised.
This story concerns a specific product (BSAFE, a suite of cryptography libraries) sold by a specific company (RSA, a division of EMC). There are many open-source and other implementations of the RSA public-key encryption algorithm that contain no RSA (the company) code at all.
(Considering what RSA charges for BSAFE -- I've priced it before -- I'm surprised anyone uses it for anything.)
You didn’t like Road House or Red Dawn?!?
Don’t let your sense of Patriotism color your good sense. The folks at NSA know, or should know, that a corrupted system is no good to anybody. If I were up to no good, or even doing things that required absolutely reliable comm., I would run at least a double system: one that was full of plausible but erroneous krap and one other completely independent one for the real stuff. Going back as far as WW II our military radio guys learned to keep up a continuous volume of meaningless gibberish so that traffic for real events wouldn’t be noticed in the volume. If you only send out a message when you have something important to say then it is much easier for a “listener” to analyze it. If you paid a lot of money for SOMEBODY ELSE'S encryption system you probably got took.
I always thought RSA was a scam; looks like I was right, and I hope they get their hip pockets sued off and go to that big flush toilet in the sky.
Seems like RSA would be subject to enough successful lawsuits to be driven into bankruptcy.
Just the loss of business could do that
My recent cybersecurity refresher training was pimping encryption and claiming only company issued PKI was acceptable. I smell a back door in that policy. If it’s sensitive enough to need encryption, you’ll have to get the key and the algorithm from me. No corporate back door.