NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened

from the say-bye-bye-to-credibility,-rsa dept

Earlier this year, the Snowden leaks revealed how the NSA was effectively infiltrating crypto standards efforts to take control of them and make sure that backdoors or other weaknesses were installed. Many in the crypto community reacted angrily to this, and began to rethink how they interact with the feds. However, Reuters has just dropped a bombshell into all of this: it reveals that not only did the NSA purposely weaken crypto, it then paid famed crypto provider RSA $10 million to push the weakened crypto, making it a de facto standard.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.
If this is true, it represents a serious blow to RSA's credibility. While RSA, now owned by EMC, put out a statement saying that "under no circumstances does RSA design or enable any back doors in our products," Reuters' sources seem to suggest something quite different. While taking the deal might not be seen as "designing or enabling" back doors, that is the effective result of it.

Reuters spoke to a number of former RSA employees, many of whom said it was a huge mistake for RSA to make this deal, showing how far the company had strayed from its initial mission. Others suggest that the NSA basically duped RSA on this, such that RSA agreed to the deal without realizing it was promoting a compromised standard. That's not a totally crazy assertion, but it's not particularly comforting either way. While it seems crazy to trust the NSA, for years many people recognized that the NSA employed many top crypto experts, and it was believed that, rather than compromising crypto, they were helping to build stronger crypto. Yes, some were always suspicious of this, but it wasn't entirely crazy to think that a crypto standard supported by the NSA was supported for good reasons. Of course, it is now quite apparent that the skeptics were exactly correct all along. And RSA's agreement to take this money from the NSA and to promote compromised crypto now has to call into question pretty much all of RSA's activities.

$10 million doesn't seem like that much to make on a deal in which you effectively undermine the entire reason why anyone does business with you. As someone in the article notes, the deal was "handled by business leaders rather than pure technologists." And it shows.

Filed Under: backdoors, bsafe, crypto, nsa, surveillance
Companies: emc, rsa


Reader Comments


  1. Anonymous Coward, 20 Dec 2013 @ 2:36pm

    when you consider the 'play on words' that comes from the NSA, it isn't hard to imagine that same sort of thing from RSA. the 'say one thing, in a certain way', denies and admits at the same time, but over different things. if true though, it is shameful that RSA became a partner in all of this. its street cred is way down now!!

  2. Anonymous Coward, 20 Dec 2013 @ 2:42pm

    Re:

    In certain circles, RSA's "street cred" has long since been questioned...

  3. Anonymous Coward, 20 Dec 2013 @ 3:08pm

    RSA - RIP 2013.

  4. Hephaestus (profile), 20 Dec 2013 @ 3:08pm

    Slow motion train wreck doesn't even begin to describe this year's political and governmental abuse news stories, the NSA scandal, Obamacare, etc.

    And for your viewing enjoyment ...

    Slow Motion Train Crash High Definition

  5. Hephaestus (profile), 20 Dec 2013 @ 3:09pm

    Re:

    "this year's political and governmental abuse news stories"

    should read

    this year's political screw ups and governmental abuse news stories

  6. Anonymous Coward, 20 Dec 2013 @ 3:27pm

    This is more likely to happen with closed-source software

    The NSA revelations are the best thing that ever happened to the free/open source movement. Will 2014 finally be the year of the GNU/Linux Desktop?

  7. Anonymous Coward, 20 Dec 2013 @ 4:05pm

    OpenSSL's implementation of DUAL-EC-DRBG has never worked. It crashes the program using it.

  8. Anonymous Coward, 20 Dec 2013 @ 4:27pm

    Sad to see all the original founders resigned from RSA, and the company is now an empty shell of its former self. I personally wouldn't trust anything coming out of RSA, ever again. I don't trust the NIST anymore, either.

    More irreparable damage caused to the US economy, all in the name of creating an Orwellian spy trap.

  9. Anonymous Coward, 20 Dec 2013 @ 4:27pm

    Re: This is more likely to happen with closed-source software

    There will never be a single "year of linux" anything - but a gradual rise instead.

    My wife literally asked me the other day, based on everything she has heard this year, if I would help her replace Windows with Linux on her desktop machine.

    She already uses open source software for nearly everything she does on a daily basis, so the switch will be minor.

    The kids' computers will be next.

  10. Anonymous Coward, 20 Dec 2013 @ 5:24pm

    NSA/RSA... same thing.

  11. Anonymous Coward, 20 Dec 2013 @ 5:30pm

    EMC

    EMC owns them, and does RAID, cloud storage, data centers, data backup....

    Imagine all that juicy 'business' data with an NSA backdoor.

    Do terrorists use RSA software now?

  12. BernardoVerda (profile), 20 Dec 2013 @ 11:49pm

    Re: This is more likely to happen with closed-source software

    Nah. Everybody knows that Open Source software, like Linux and stuff like that, is just a bunch of hacked-together amateur stuff cobbled together by a loose network of basement dwelling dreamers and anti-capitalist ideologues. Anybody can see the code -- so it's vulnerable to hacking, and obviously not worth much, or these guys would have real jobs working at Microsoft, where they protect their valuable IP better.

    That's why no one uses it much, except for techno-weenie palaces like Red Hat, IBM, NYSE and the like...

    If it was any good at all, Microsoft would be pushing it hard and recommending it vigorously to all their big and medium-sized customers.

    Capiche? Good -- glad to have cleared that up for you.
    :P

  13. Fitzwilly (profile), 21 Dec 2013 @ 12:50am

    I hate to break it to everybody about Snowden, but

    ....he's a far-right wing libertarian nutjob/hypocrite who was pissed off for some reason and didn't like his job, so he bailed out of it to Hong Kong & Russia with information the NSA has a right to have.

    The sad, sorry tale can be found here:

    In 2009, Ed Snowden said leakers "should be shot." Then he became one

    As well as here (and this applies to anybody who believed this servile dunce):

    How the Professional Left's Blind Obama Hatred Got them Played by a Far-Right Nutjob

    Whistleblower My Ass: Snowden's Russia Connection Confirmed by Putin

    Making a hero out of a whiny crybaby lunatic far-right wing libertarian nut job that stole data that compromised the safety of the United States, and who then fled to the arms of an authoritarian leader, isn't helping the cause that Techdirt agitates about.

  14. Anonymous Coward, 21 Dec 2013 @ 12:51am

    Re: EMC

    Clearly, as they've all been caught.

    No, wait, that other thing.

  15. Anonymous Coward, 21 Dec 2013 @ 1:18am

    What is wrong with what they did? They saw a cheap opportunity and took it. I would have thought the free market minded would see it as a good thing?

  16. Anonymous Coward, 21 Dec 2013 @ 4:05am

    Re: OpenSSL and DUAL-EC-DRBG

    It's not a bug, it's a feature!

  17. Anonymous Coward, 21 Dec 2013 @ 4:43am

    Re: I hate to break it to everybody about Snowden, but

    The Charles Johnson worship service is down the hall to the right. Otherwise, no one gives a flying fuck what spills out of your festering pie-hole.

  18. Anonymous Coward, 21 Dec 2013 @ 5:07am

    "(CNN) -- In 2011, I was on a panel, organized by the security company RSA, with two retired National Security Agency directors, Michael Hayden and Kenneth Minihan. During the course of our debate, I raised concerns, as the only non-American on the panel, that their plans and preferences for having the NSA secure cyberspace for the rest of us were not exactly reassuring. To this, Minihan replied that I should not describe myself as "Canadian" but rather "North American.""

    So many things are falling into place. Odds are, the previously "stolen" RSA keys were not actually stolen either. Time to reexamine everything we already know about RSA in light of these new revelations.

  19. Anonymous Coward, 21 Dec 2013 @ 6:07am

    30 silver coins = 10 million $ at current rate

    Not sure RSA will get the kiss with their customers goodbye though

  20. Anonymous Coward, 21 Dec 2013 @ 6:16am

    All I understand ...

    ... from this is: Stay away! Don't buy any US software or hardware! Don't use any US based service! And the funniest thing is the irony of the whole story. The NSA is performing industrial espionage to help US industry, but it has overdone everything and started to harm the US industry. Well done!

  21. Anonymous, 21 Dec 2013 @ 11:51am

    Re: All I understand ...

    Most stuff is made in China anyway. Feel better?

  22. Anonymous Coward, 21 Dec 2013 @ 11:57am

    Not Credible

    "Others suggest that the NSA basically duped the RSA on this, such that RSA agreed to the deal, without realizing they were promoting a compromised standard."

    It is simply not believable that RSA thought that the NSA was just giving them 10 million dollars and expecting nothing in return.

  23. Anonymous Coward, 21 Dec 2013 @ 12:02pm

    Re:

    "OpenSSL's implementation of DUAL-EC-DRBG has never worked. It crashes the program using it."

    And it was gov't (FIPS) certified! That's how you know you can trust it!

  24. Anonymous Coward, 21 Dec 2013 @ 12:12pm

    Re:

    "Sad to see all the original founders resigned from RSA, and the company is now an empty shell of its former self. I personally wouldn't trust anything coming out of RSA, ever again."

    They should have taken their names with them. Now they get to be associated with a security sellout.

  25. Anonymous Coward, 21 Dec 2013 @ 12:13pm

    Who ELSE has an ABC agency like the NSA "donated" to........seems like a good list for some investigative journalism I think, maybe for the last damn 100 years if
    Not god damn further

  26. Anonymous Coward, 21 Dec 2013 @ 1:38pm

    Re:

    Anti-virus companies obviously.

  27. Anonymous Coward, 21 Dec 2013 @ 5:47pm

    TOR. This is already known, but glossed over by many.

  28. Anonymous Coward, 22 Dec 2013 @ 2:39am

    Re: I hate to break it to everybody about Snowden, but

    Why didn't he fly straight to Russia then? Why the stop in Hong Kong?

  29. RyanNerd (profile), 22 Dec 2013 @ 6:02am

    Well, this confirms what I've always...

  30. DannyB (profile), 23 Dec 2013 @ 7:39am

    Re:

    But the irreparable damage caused to the US economy by the Orwellian spy trap can be easily fixed by the administration implementing all of the recommendations to rein in the NSA. Then they can just hand wave it all away and chant transparency, oversight, accountability and everyone should now trust the US government and US companies again.

    See how easily a real executive can fix problems?

  31. Fitzwilly (profile), 25 Dec 2013 @ 2:57pm

    Re: Re: I hate to break it to everybody about Snowden, but

    Hey, I guess being a silly emotarian fool is better than learning the truth. What else is new?

  32. Fitzwilly (profile), 25 Dec 2013 @ 2:59pm

    Re: Re: I hate to break it to everybody about Snowden, but

    Because he's an opportunistic crybaby with delusions of grandeur who didn't get his diaper changed, I guess.

