NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened
from the say-bye-bye-to-credibility,-rsa dept
Earlier this year, the Snowden leaks revealed how the NSA was effectively infiltrating crypto standards efforts to take control of them and make sure that backdoors or other weaknesses were installed. Many in the crypto community reacted angrily to this, and began to rethink how they interact with the feds. However, Reuters has just dropped a bombshell into all of this, as it has revealed that not only did the NSA purposefully weaken crypto, it then paid famed crypto provider RSA $10 million to push the weakened crypto, making it a de facto standard.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

If this is true, it represents a serious attack on RSA's credibility. While RSA, now owned by EMC, put out a statement saying that "under no circumstances does RSA design or enable any back doors in our products," Reuters' sources seem to suggest something quite different. While it might not be seen as "designing or enabling" back doors, that is the effective result of this.
The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.
Reuters spoke to a number of former RSA employees, many of whom said it was a huge mistake for RSA to make this deal, showing how far the company had strayed from its initial mission. Others suggest that the NSA basically duped RSA on this, such that RSA agreed to the deal without realizing it was promoting a compromised standard. That's not a totally crazy assertion, but it's not particularly comforting either way. While it seems crazy to trust the NSA, for years many people did recognize that the NSA employed many top crypto experts, and it was believed that, rather than compromising crypto, they were helping to build stronger crypto. Yes, some were always suspicious of this, but it wasn't entirely crazy to think that a crypto standard supported by the NSA was supported for good reasons. Of course, it is now quite apparent that the skeptics were exactly correct all along. And RSA's agreement to take this money from the NSA and to promote compromised crypto now has to call into question pretty much all of RSA's activities.
$10 million doesn't seem like that much to make on a deal in which you effectively undermine the entire reason why anyone does business with you. As someone in the article notes, the deal was "handled by business leaders rather than pure technologists." And it shows.
Filed Under: backdoors, bsafe, crypto, nsa, surveillance
Companies: emc, rsa
Reader Comments
And for your viewing enjoyment ...
Slow Motion Train Crash High Definition
Re:
should read
this year's political screw-ups and governmental abuse news stories
This is more likely to happen with closed-source software
Re: This is more likely to happen with closed-source software
My wife literally asked me the other day, based on everything she has heard this year, if I would help her replace Windows with Linux on her desktop machine.
She already uses open source software for nearly everything she does on a daily basis, so the switch will be minor.
The kids' computers will be next.
Re: This is more likely to happen with closed-source software
That's why no one uses it much, except for techno-weanie palaces like Red Hat, IBM, NYSE and the like...
If it was any good at all, Microsoft would be pushing it hard and recommending it vigorously to all their big and medium-sized customers.
Capiche? Good -- glad to have cleared that up for you.
:P
Re: OpenSSL and DUAL-EC-DRBG
Re:
And it was gov't (FIPS) certified! That's how you know you can trust it!
More irreparable damage caused to the US economy, all in the name of creating an Orwellian spy trap.
Re:
They should have taken their names with them. Now they get to be associated with security sellout.
Re:
See how easily a real executive can fix problems?
EMC
Imagine all that juicy 'business' data with an NSA backdoor.
Do terrorists use RSA software now?
Re: EMC
No, wait, that other thing.
I hate to break it to everybody about Snowden, but
The sad, sorry tale can be found here:
In 2009, Ed Snowden said leakers “should be shot.” Then he became one
As well as here (and this applies to anybody who believed this servile dunce):
How the Professional Left's Blind Obama Hatred Got them Played by a Far-Right Nutjob
Whistleblower My Ass: Snowden's Russia Connection Confirmed by Putin
Making a hero out of a whiny crybaby lunatic far-right wing libertarian nut job that stole data that compromised the safety of the United States, and who then fled to the arms of an authoritarian leader, isn't helping the cause that Techdirt agitates about.
So many things are falling into place. Odds are, the previously "stolen" RSA keys were not actually stolen either. Time to reexamine everything we already know about the RSA in light of these new revelations.
30 silver coins = 10 million $ at current rate
Not Credible
It is simply not believable that RSA thought that the NSA was just giving them 10 million dollars and expecting nothing in return.
Not god damn further
Well, this confirms what I've always...