A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA

from the good-for-them dept

A few weeks ago, there was quite a big story concerning how the NSA paid $10 million to RSA to make its compromised random number generator the "default" in a key RSA product. RSA issued a ridiculously stupid "categorical denial" of the report, which actually denied something entirely different, more or less confirming the original report. Following this, one of the most well-known security researchers around, Mikko Hypponen, announced that he was cancelling his planned talk at RSA's big conference in February. Since then, additional security experts, including Chris Soghoian, Jeffrey Carr and Josh Thomas, have each announced that they're cancelling their own talks as well.

Carr also has a good post debunking some of the key claims in RSA's non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was already an established standard when it decided to make it the default, but that wasn't the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit that it had paid RSA $10 million to sell its soul. Carr further notes that, not too long before that, RSA's former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA regarded RSA as the enemy:

"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."

While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA's interests and RSA's interests were not aligned. The fact that RSA appears to have, at least, looked the other way concerning the security of Dual EC DRBG while quietly pocketing the money is really damning. It's good to see security experts speaking up and taking a stand against the company, not just for the deal, but for its totally bogus fake denial.

Filed Under: chris soghoian, jeffrey carr, josh thomas, mikko hypponen, nsa, researchers, rsa conference, security
Companies: rsa


Reader Comments



  • out_of_the_blue, 7 Jan 2014 @ 1:27pm

    I was skeptical of public key "cryptography" from mid-80's.

    Any system not fully understood is subject to trickery. Any three-card monte dealer should be able to convince you of that in ten minutes. Complex math in particular requires long analysis by maniacs to even be likely safe.

    But mainly, any system in which money can sway morality is inherently corrupt. And I'm pretty sure that includes all human activities.

    Google's tailoring to YOU can selectively substitute, omit, and lie. You can't trust anything on the net, neither what you see nor what you don't see!


    • Aaron T (profile), 7 Jan 2014 @ 2:06pm

      Re: I was skeptical of public key "cryptography" from mid-80's.

      Not sure what you're talking about. Dual EC DRBG has nothing to do with public key crypto (RSA/DSA/etc). Instead it is classified as a CSPRNG (cryptographically secure pseudo-random number generator).

      Also, nothing revealed so far has put into question any public key crypto algorithms.


    • Anonymous Coward, 7 Jan 2014 @ 2:12pm

      Re: I was skeptical of public key "cryptography" from mid-80's.

      You have obviously not looked at the problem. The basis of public key cryptography is easy to understand: factorising very large numbers is extremely time consuming, with the best algorithms being a minor optimisation on trying every prime less than the square root of the number to be factorised, and finding primes being essentially the same problem.
      Computers simply allowed the necessary operations used in encrypting and decrypting with very large numbers to be carried out in reasonable time.


    • Anonymous Coward, 7 Jan 2014 @ 3:35pm

      Re: I was skeptical of public key "cryptography" from mid-80's.

      Any system not fully understood is subject to trickery.

      Just because you don't understand it doesn't mean most people don't. It just means you're not very smart.


  • Anonymous Coward, 7 Jan 2014 @ 1:45pm

    I'm adding RSA to my "doomed companies" list

    No matter what the current management of RSA thought their products were, they were really selling trust to their customers. Now, they have nothing to sell.


    • Ninja (profile), 8 Jan 2014 @ 1:45am

      Re: I'm adding RSA to my "doomed companies" list

      Let me guess the top company on your list: Prenda Law!

      Right, right?


      • That One Guy (profile), 8 Jan 2014 @ 5:50am

        Re: Re: I'm adding RSA to my "doomed companies" list

        They just need to change careers and they could strike gold.

        Off the top of my head I'd suggest either circus performers (plenty of practice with that in court), or muses-for-hire (they always seem to bring out the best/eloquent/funny in judges).


  • Anonymous Coward, 7 Jan 2014 @ 1:51pm

    They are guilty as charged. They took the money, which was 1/3 of their revenue, with no costs attached, just to make that NSA-backed algorithm the default, and they didn't think anything was suspicious about that? Or how about keeping it as the default, even after several well-known cryptographers called it a backdoor by name? Even then they didn't think something was wrong?

    Give me an effing break. We're not toddlers. RSA deserves to die as a company. Period.


  • Anonymous Coward, 7 Jan 2014 @ 4:35pm

    Hey, Mike, have you read these posts?

    Sorry, RSA, I'm just not buying it
    Dual EC, The Saga Continues

    I was shocked to learn that there was essentially a patent on backdooring Dual EC.


  • Anonymous Coward, 7 Jan 2014 @ 6:55pm

    It's good to see that some people still have a backbone.


  • Anonymous Coward, 7 Jan 2014 @ 7:28pm

    I love how the current RSA executives claim they were simply relying on NIST's judgement about Dual Elliptic Curve's security integrity. Yet Dual EC would never have been a NIST standard if RSA had never blessed the random number generator with their own stamp of approval to begin with.

    All these facts together show just how greedy and deceitful the executives in charge of RSA really are. RSA is now known as a company that will do anything for easy money, including selling out every last soul in this world for 10 million dollars.



Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.