Posted on 12/20/2013 4:16:47 PM PST by James C. Bennett
Reuters reports that the NSA paid massive computer security firm RSA $10 million to promote a flawed encryption system so that the surveillance organization could wiggle its way around security. In other words, the NSA bribed the firm to leave the back door to computers all over the world open.
Thanks to documents leaked by Edward Snowden, we already knew the NSA played a central role in promoting a flawed formula for generating random numbers, which if used in encryption, essentially gives the spies easy access to computing systems. A piece of RSA software, bSafe, became the most significant vector for the security flaw. The encryption tools which hundreds of millions of people rely on to protect the private information are significantly weaker as a result.
The sickening revelation is that the NSA paid RSA to make sure that the formula got into the software just the way they wanted it to. Both the NSA and RSA haven't directly acknowledged the deal, but Reuters claims to have thoroughly vetted it with sources inside the security company.
The report is just the latest which shows thatin an effort to collect as much information as possiblethe NSA has been systematically undermining security infrastructure for decades. While some of Reuters' sources appear to think that RSA was duped by the government, it seems pretty clear now that the company knew what it was doing when it entered into a secret contact with the NSA. Disgusting.
The list, Ping
Let me know if you would like to be on or off the ping list
I remember around 2005 being given my little RSA code device. I asked why the heck did I need that, and the company boss I had responded....to log onto the timecard website. Then the issues arose. Minute by minute...there was a new sign-in pin number issued to me. The network that I had to use (the AF)...was so slow....that once you typed in the pin number and hit enter....it was a fifty-fifty shot that the pin would hit the server in time to be approved ok on the timecard website. For months, folks complained about this, and I would imagine that each person wasted at least one man-hour every two weeks....trying to get their RSA number to work.
In this case....I would imagine some goofball with RSA felt this ‘help’ would get them a good spot on future contracts. It may be listed as a 10-million dollar effort....but look at the contracts they got with the US gov’t after that. As for their future? RSA will have to sell themselves out to some other company, and be renamed. They won’t be trusted anywhere in the commercial world after this episode.
Yep. in a high latency environment RSA will be a frustrating pain the ass.
Good post.
Here’s a clip from the original Reuters piece:
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
RSA EVOLVES
RSA and others claimed victory when export restrictions relaxed.
But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks.
RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to concentrate on VeriSign, a security certificate company that had been spun out of RSA. The elite lab Bidzos had founded in Silicon Valley moved east to Massachusetts, and many top engineers left the company, several former employees said.
And the BSafe toolkit was becoming a much smaller part of the company. By 2005, BSafe and other tools for developers brought in just $27.5 million of RSA’s revenue, less than 9% of the $310 million total.
“When I joined there were 10 people in the labs, and we were fighting the NSA,” said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. “It became a very different company later on.”
By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers.
New RSA Chief Executive Art Coviello and his team still wanted to be seen as part of the technological vanguard, former employees say, and the NSA had just the right pitch. Coviello declined an interview request.
An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institutes of Standards and Technology as one of four acceptable methods for generating random numbers. NIST’s blessing is required for many products sold to the government and often sets a broader de facto standard.
RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.
RSA’s contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.
“The labs group had played a very intricate role at BSafe, and they were basically gone,” said labs veteran Michael Wenocur, who left in 1999.
Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula “can only be described as a back door.”
After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator.
But unlike the Clipper Chip fight two decades ago, the company is saying little in public, and it declined to discuss how the NSA entanglements have affected its relationships with customers.
The White House, meanwhile, says it will consider this week’s panel recommendation that any efforts to subvert cryptography be abandoned.
(Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCool)
FILED UNDER:
Politics
“Looks like to me the founder of RSA, a marine by the way, left, and the company went to the dogs.”
What you are referring to is known as _NSAKEY.
_NSAKEY was a variable name discovered in Windows NT 4 Service Pack 5 (which had been released unstripped of its symbolic debugging data) in August 1999 by Andrew D. Fernandes of Cryptonym Corporation. That variable contained a 1024-bit public key.
“Who watches the Watchers? “
S/B the courts, but we all know they’re on the other side as well. In the case of RSA, I hope that they are sued into bankruptcy!
Thanks
Ok, thanks for the correction. I was very concerned about the possibility of secure http being compromised that would be very very bad. thanks again
As a patriot, I want the NSA to be able to crack into any system.
I’m a citizen and don’t want them breaking into any of MY systems. They have no business in there.
Imagine the class action suits against RSI for fraudulently selling their security services to the public?
Billons about to be forked over.
It's still out there - the problem is less its availability and more about its utility - in order to be useful for point-to-point communications, both sides have to actively engage in becoming part of the ecosystem, which means as long as relative few people use it, relatively few people will use it (a "critical mass" issue, essentially).
The PGP algorithms are also fairly slow, so they're really not particularly good at doing something like encrypting data on a disk - for that, you'd want to generate a one-time random key, and then use PGP to encrypt the key so that you can recover it later. (Even point-to-point does this, creating a session key that is encrypted with the actual PGP algorithm, rather than encrypting the entire message with PGP encryption.)
And, of course, none of that deals with the fact that all of the data exists in unencrypted forms at certain points in time. With email, for example, the sender composes in plain text and converts to encrypted while the recipient receives encrypted and converts to plain text - the transmission itself is protected, but if either endpoint is compromised, it probably doesn't matter.
Thank you for that explanation. Much appreciated!
No back door is required, though there is probably one there that the company doesn't even know about courtesy of the NSA. What they most likely do, is include a corporate public key along with any other key it is encrypted with. It's easy to do, and can be transparent to the user.
The U.S. government is the driving force behind the woeful state of the security of the internet. Without the Feral government leaning on companies, we'd have end-to-end encryption installed almost universally now. It's not difficult to do, and given the horsepower of computers these days, it's almost criminal not to use it everywhere IMO.
I've been trying to get people to use PGP for years, and years. Since I use thunderbird as an email client, it's trivial to use. However, in order to use encryption, the other side has to be able to use it as well.
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.15 (GNU/Linux) jA0EAwMCpSjdGqWizjZgyUYXkYT45LVswm+0PcKLjI2hVDUIDd3BFsDfxDV1K+/Y go9VlLB7J63Jm+bAeSL0K+wL77o/IrPFl1OPZ7BHG9BE2jx0hH2Q =Avp6 -----END PGP MESSAGE-----
Decrypt this, NSA.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.15 (GNU/Linux) mQINBFCxIJYBEADd9j7yvsociqFrK6CIY+835aL8XpkkNTEz72f6h+PJ62PeOc0z ORRiytePe/R1c8BbzSh8OKy+ybvRirHHGET3URFXyyTUkfMMrN9oMyNke09/uN7s UumEnZ/Gy1U2sGEOcV8RWN9mE+t1EETi6xB4tTQNQuol8HwRmCxXu2tY/EaHf/gY 16b4MJNGnrc5DQ3UfnFh3jEW2mxxuiP+ISyS7e82a4QP2mt0m7+ijDWzW/0hZsu5 7ouX+i22NpRJjm7epu2CJEy2bQ14i1zo0UrkKtewqvHZ9qz/SRrsIhC/olSHxrf9 WCxEPkSQ1cjZxtKT2RTTkuT75w+veaZsmfdlhSzDxPzdeLO6Rw11q3EIYMpAi3Ub 08oU1rWr9sqCisa7ueYX9vyB+qptIWnXAOX9nqZd9Bl1Hk5vZTJOWVtgWIsaZLbY mUUALEy47iwk7bBZ5CWsZYgN4r7kMcM18B3teLIpC7XfO5m9AakqQP18dyJFP/uQ Om++jqQj7EnoYDjnkOkbM647i/jWBY55SinXpaqtKMa30Ba/djhE3vTcyAV6D8NM Dhwa19B5h2aT1ERqO7sycEGDqfXsvmUFmyMzkiNUfw8oSL21n35OOqqhlTXlCD1R NBK0MEUeXo3A5E20k03/mL2nGWX4chkbsUNxbeILcOC9ZFnn/mpWkB4m6QARAQAB tC9aZXVnbWEgKEZyZWVSZXB1YmxpYykgPHpldWdtYUBmcmVlcmVwdWJsaWMuY29t PokCPgQTAQIAKAUCULEglgIbAwUJA8JnAAYLCQgHAwIGFQgCCQoLBBYCAwECHgEC F4AACgkQbpBV6pKNXc0PZA//et3z80uT55LzJN4PNlCelO07KFnaWtqbDWbhiVQZ a84Dh7oIHd8PiODViubdqP8lxpKPErkaUhrw1nRcBLwqsrPgF6Hwa5dUVPwSWGrW FQwk6tjWNPcOR78gsRhDLLpqC4rgz5P5YXbIdXcZiIf5MmLA8uEquXvsOmm53RRr Useg2+Uu5pw2fbpN3AZbUQ06PqXoAiSgS/QzCmI6jLroybzh9EwJ2mH54hrC7XF2 rHkY+3S/jovubV8sihyqGLcN2YGO538r6HnFbWn3PYvL7DsielC7gxXMM5f+43q7 h7DP9gXFKgUSEykI+Tsw3JQ8EdqwrbmDr3YE5EBpHtfM/sNVP2eJJxAOsYlCfIfv sTe5C8eCvZtj98Mir4EPFTIBukcbH8XYFzlDqxYnR7OZoYQh1vnG2wjeZ2nG227S ikIIMOSmbEGFBn0Wm4CoklWi6QJYWy1hGaJtuDed1SHH5Okl/XSnfPRC2Kk7BSeC VQoLfWCfXdWGzoyIe0EyDP4uLW3Fyeubmf/MKF5TcLc3b0dB91C3Av70JB/Q63Xz 6AtsDWPMynAAmwCEIm7FGxaEiJNXNpkwI8OBDf19mYr3CTgHUP6PhjyJJWv+Mshx 1b3nGkiUt1xah+hQ1qx4lk6XJgFfTrj5HQhqjZdKiQcXMR8s9ZeseWRhuXNJgOb9 dIW5Ag0EULEglgEQALBYmS/sx9SyQAit0EUGCWKW/XJn/OvSG8rezfLj7EVruo6M 9/8ExY33ZKsbL+jhsSnTEvXOnDkIyimN+gNOLW2s5S5Z5kRwKgbRQhtq9RQu5FJU Wkuye4/0NNTpulwvvh/C5a6QB6K0I7R9GzunC6PU7mka/Xmw4q14HLWFViHWVHVg p/ic1p86Y/dIYUKvRpH/8y6Dob3496fPRFaASOuvR+IKvEmPT6a6N8JsloBEpTMx qWrxjZ/5RMKSJWLhCCF7hrvyZlHNuV5fTj03dapnUmLS6HQuM4RJdQawvOcs6xlq u3E8YT9nS1nhV2lHNnLYChwDZwVfwWPNU/1iJ/1mUkMCrdPQexh456fVwlgcfG4d 1niSjM64Dw1jJz2wg9FHkjSOI1vdrs+/C2aTmoSaFOaS4PYRDJCFYcuC56TmgtYp zAsrmv1HW+CyRrX+DD+VhT2Q0KzQ0SH+taalKHc/gt8e1qKEXhB4ZwOu6L5t3hdE dV9ytL3ttxTjC4hmUYWtH6QefjgD7c2Tg70CZvrgEYr6y5XBzolKuI/qELji7FL+ YzR6jWxIFGlW5Oq6vh6gbYoIkizVA3zOMCdDuioWQkxXDtzvKVKQ7MxXHJRHfow5 n8d3UtiD/0rQvltQEcJY0ypdXvpbqeEpk2Gl5/CGmiNfIKr+vvQNmvYmr2WdABEB AAGJAiUEGAECAA8FAlCxIJYCGwwFCQPCZwAACgkQbpBV6pKNXc0n0Q//ZnPvvKjm ewblRQJgQ+IlNYiofehTVAf8rDwe43enpYiUXiNwr4LvyDlZwjrxblXBDZHkxLcr QEK6b0/c9dWSUg0YSvHgD+UZOqIupXGynm6pIFTpufug0WUIPPhr8ORly+LnIuo6 suGP3OVv1IVahW/MrpaA3FXXSSf+DkUvH6V2wz3P96CeOPTA9bjXLUfqQ5UjNDtQ iaE5f7hGc/aMSigchuHIEYk3kCES7FUYBpMxwMou6xKgaH0cD/Jr39XD0pGXrgFo QD4M5thjO34CtkYjhfuaxu6BfUT5uOMWBc9OKwa62ct9J9J4bdYSuyJrsr4i7tIC lw6AwJn5B/dH9RO0UVsdB/GzSon3NowDv4Y2kF0wyp0Veu5d+Pe9d/fOfdFOH3Xy a1M42lDrIpxdstduoeBl9htNEblvaSMoDxet1fWXMdt9FGvfQABEG/jvg4eKLgyy 8BMaGJOTE5Lfaw4zZ9bEipJ0h1wxV5l25sA6Ml4Uz3UU45C1tgeKDs04AyUEc2Wm VHOyvfJjI5OIo08t3dSKtYQgVzDsTRpdxPkZsQeZzE7W9P5vZn5lRydJkPqtguXv BgQEhHkYwGb7sRtOKSPg0k6poqSJrE9nLjNuLBGZsj0mFrNWoyUj1x4neCsQu+5i QJmWylbosEa3uRgHzUAXJ6xX4HL77HfzfTs= =I1Xz -----END PGP PUBLIC KEY BLOCK-----
You can say that again!
BRAVO!
Freepers who donate have an option to have a FR email address. I don't know how long JR has been doing this. (IT doesn't seem to work at the moment. However, if it were, you'd be able to send email directly to zeugma@freerepublic.com, and it would automagically be forwarded to whatever email address you configure it to.
if you were to use this, you'd have to be very careful with the 'reply-to' field in your email client.
A bunch of brain rotted blithering idiots running & ruining our once great nation...
I guess they got their money’s worth! We ALREADY KNEW this was going on - remember Project Eschelon? Snowden just CONFIRMED it, and fleshed out the details. BOTTOM LINE: If they can lie and cover up the truth shoot-down of TWA Flight 800, they can lie and cover up ANYTHING. Maybe the story of the killing of Osama Bin Laden is a hoax, too.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.