NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened

from the say-bye-bye-to-credibility,-rsa dept

Earlier this year, the Snowden leaks revealed how the NSA was effectively infiltrating crypto standards efforts to take control of them and make sure that backdoors or other weaknesses were installed. Many in the crypto community reacted angrily to this, and began to rethink how they interact with the feds. However, Reuters has just dropped a bombshell into all of this, as it has revealed that not only did the NSA purposefully weaken crypto, it then paid famed crypto provider RSA $10 million to push the weakened crypto, making it a de facto standard.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

If this is true, it represents a serious attack on RSA's credibility. While RSA, now owned by EMC, put out a statement saying that "under no circumstances does RSA design or enable any back doors in our products," Reuters' sources seem to suggest something quite different. While it might not be seen as "designing or enabling" back doors, that is the effective result of this.

Reuters spoke to a number of former RSA employees, many of whom said it was a huge mistake for RSA to make this deal, showing how the company had strayed far away from its initial mission. Others suggest that the NSA basically duped the RSA on this, such that RSA agreed to the deal, without realizing they were promoting a compromised standard. That's not a totally crazy assertion, but it's not particularly comforting either way. While it now seems crazy to trust the NSA, for years many people recognized that the NSA employed many top crypto experts, and it was believed that, rather than compromising crypto, they were helping to build stronger crypto. Yes, some were always suspicious of this, but it wasn't entirely crazy to think that a crypto standard supported by the NSA was supported for good reasons. Of course, it is now quite apparent that the skeptics were exactly correct all along. And RSA's agreement to take this money from the NSA and to promote compromised crypto now has to call into question pretty much all of RSA's activities.

$10 million doesn't seem like that much to make on a deal in which you effectively undermine the entire reason why anyone does business with you. As someone in the article notes, the deal was "handled by business leaders rather than pure technologists." And it shows.


Reader Comments

  1. Anonymous Coward, Dec 20th, 2013 @ 2:36pm

    when you consider the 'play on words' that comes from the NSA, it isn't hard to imagine that same sort of thing from RSA. the 'say one thing, in a certain way', denies and admits at the same time, but over different things. if true though, it is shameful that RSA became a partner in all of this. its street cred is way down now!!

  2. Anonymous Coward, Dec 20th, 2013 @ 2:42pm

    Re:

    In certain circles, RSA's "street cred" has long since been questioned...

  3. Anonymous Coward, Dec 20th, 2013 @ 3:08pm

    RSA - RIP 2013.

  4. Hephaestus (profile), Dec 20th, 2013 @ 3:08pm

    Slow motion train wreck doesn't even begin to describe this year's political and governmental abuse news stories, the NSA scandal, Obamacare, etc.

    And for your viewing enjoyment ...

    Slow Motion Train Crash High Definition

  5. Hephaestus (profile), Dec 20th, 2013 @ 3:09pm

    Re:

    "this year's political and governmental abuse news stories"

    should read

    this year's political screw ups and governmental abuse news stories

  6. Anonymous Coward, Dec 20th, 2013 @ 3:27pm

    This is more likely to happen with closed-source software

    The NSA revelations are the best thing that ever happened to the free/open source movement. Will 2014 finally be the year of the GNU/Linux Desktop?

  7. Anonymous Coward, Dec 20th, 2013 @ 4:05pm

    OpenSSL's implementation of DUAL-EC-DRBG has never worked. It crashes the program using it.

  8. Anonymous Coward, Dec 20th, 2013 @ 4:27pm

    Sad to see all the original founders resigned from RSA, and the company is now an empty shell of its former self. I personally wouldn't trust anything coming out of RSA, ever again. I don't trust the NIST anymore, either.

    More irreparable damage caused to the US economy, all in the name of creating an Orwellian spy trap.

  9. Anonymous Coward, Dec 20th, 2013 @ 4:27pm

    Re: This is more likely to happen with closed-source software

    There will never be a single "year of linux" anything - but a gradual rise instead.

    My wife literally asked me the other day, based on everything she has heard this year, if I would help her replace Windows with Linux on her desktop machine.

    She already uses open source software for nearly everything she does on a daily basis, so the switch will be minor.

    The kids' computers will be next.

  10. Anonymous Coward, Dec 20th, 2013 @ 5:24pm

    NSA/RSA... same thing.

  11. Anonymous Coward, Dec 20th, 2013 @ 5:30pm

    EMC

    EMC owns them, and does RAIDs, cloud storage, data centers, data backup....

    Imagine all that juicy 'business' data with an NSA backdoor.

    Do terrorists use RSA software now?

  12. BernardoVerda (profile), Dec 20th, 2013 @ 11:49pm

    Re: This is more likely to happen with closed-source software

    Nah. Everybody knows that Open Source software, like Linux and stuff like that, is just a bunch of hacked-together amateur stuff cobbled together by a loose network of basement dwelling dreamers and anti-capitalist ideologues. Anybody can see the code -- so it's vulnerable to hacking, and obviously not worth much, or these guys would have real jobs working at Microsoft, where they protect their valuable IP better.

    That's why no one uses it much, except for techno-weenie palaces like Red Hat, IBM, NYSE and the like...

    If it was any good at all, Microsoft would be pushing it hard and recommending it vigorously to all their big and medium-sized customers.

    Capiche? Good -- glad to have cleared that up for you.
    :P

  13. Fitzwilly (profile), Dec 21st, 2013 @ 12:50am

    I hate to break it to everybody about Snowden, but

    ....he's a far-right wing libertarian nutjob/hypocrite who was pissed off for some reason and didn't like his job, so he bailed out of it to Hong Kong & Russia with information the NSA has a right to have.

    The sad, sorry tale can be found here:

    In 2009, Ed Snowden said leakers "should be shot." Then he became one

    As well as here (and this applies to anybody who believed this servile dunce):

    How the Professional Left's Blind Obama Hatred Got them Played by a Far-Right Nutjob

    Whistleblower My Ass: Snowden's Russia Connection Confirmed by Putin

    Making a hero out of a whiny crybaby lunatic far-right wing libertarian nut job that stole data that compromised the safety of the United States, and who then fled to the arms of an authoritarian leader, isn't helping the cause that Techdirt agitates about.

  14. Anonymous Coward, Dec 21st, 2013 @ 12:51am

    Re: EMC

    Clearly, as they've all been caught.

    No, wait, that other thing.

  15. Anonymous Coward, Dec 21st, 2013 @ 1:18am

    What is wrong with what they did? They saw a cheap opportunity and took it. I would have thought the free market minded would see it as a good thing?

  16. Anonymous Coward, Dec 21st, 2013 @ 4:05am

    Re: OpenSSL and DUAL-EC-DRBG

    It's not a bug, it's a feature!

  17. Anonymous Coward, Dec 21st, 2013 @ 4:43am

    Re: I hate to break it to everybody about Snowden, but

    The Charles Johnson worship service is down the hall to the right. Otherwise, no one gives a flying fuck what spills out of your festering pie-hole.

  18. Anonymous Coward, Dec 21st, 2013 @ 5:07am

    "(CNN) -- In 2011, I was on a panel, organized by the security company RSA, with two retired National Security Agency directors, Michael Hayden and Kenneth Minihan. During the course of our debate, I raised concerns, as the only non-American on the panel, that their plans and preferences for having the NSA secure cyberspace for the rest of us were not exactly reassuring. To this, Minihan replied that I should not describe myself as 'Canadian' but rather 'North American.'"

    So many things are falling into place. Odds are, the previously "stolen" RSA keys were not actually stolen either. Time to reexamine everything we already know about the RSA in light of these new revelations.

  19. Anonymous Coward, Dec 21st, 2013 @ 6:07am

    30 silver coins = 10 million $ at current rate

    Not sure RSA will get the kiss with their customers goodbye though

  20. Anonymous Coward, Dec 21st, 2013 @ 6:16am

    All I understand ...

    ... from this is: Stay away! Don't buy any US software or hardware! Don't use any US based service! And the funniest thing is the irony of the whole story. The NSA is performing industrial espionage to help US industry, but it has overdone everything and started to harm the US industry. Well done!

  21. Anonymous, Dec 21st, 2013 @ 11:51am

    Re: All I understand ...

    Most stuff is made in China anyway. Feel better?

  22. Anonymous Coward, Dec 21st, 2013 @ 11:57am

    Not Credible

    "Others suggest that the NSA basically duped the RSA on this, such that RSA agreed to the deal, without realizing they were promoting a compromised standard."

    It is simply not believable that RSA thought that the NSA was just giving them 10 million dollars and expecting nothing in return.

  23. Anonymous Coward, Dec 21st, 2013 @ 12:02pm

    Re:

    "OpenSSL's implementation of DUAL-EC-DRBG has never worked. It crashes the program using it."

    And it was gov't (FIPS) certified! That's how you know you can trust it!

  24. Anonymous Coward, Dec 21st, 2013 @ 12:12pm

    Re:

    "Sad to see all the original founders resigned from RSA, and the company is now an empty shell of its former self. I personally wouldn't trust anything coming out of RSA, ever again."

    They should have taken their names with them. Now they get to be associated with security sellout.

  25. Anonymous Coward, Dec 21st, 2013 @ 12:13pm

    Who ELSE has an abc agency like the NSA "donated" to? Seems like a good list for some investigative journalism, I think, maybe for the last damn 100 years, if not god damn further.

  26. Anonymous Coward, Dec 21st, 2013 @ 1:38pm

    Re:

    Anti-virus companies obviously.

  27. Anonymous Coward, Dec 21st, 2013 @ 5:47pm

    TOR. This is already known, but glossed over by many.

  28. Anonymous Coward, Dec 22nd, 2013 @ 2:39am

    Re: I hate to break it to everybody about Snowden, but

    Why didn't he fly straight to Russia then? Why the stop in Hong Kong?

  29. RyanNerd (profile), Dec 22nd, 2013 @ 6:02am

    Well, this confirms what I've always...

  30. DannyB (profile), Dec 23rd, 2013 @ 7:39am

    Re:

    But the irreparable damage caused to the US economy by the Orwellian spy trap can be easily fixed by the administration implementing all of the recommendations to rein in the NSA. Then they can just hand wave it all away and chant transparency, oversight, accountability, and everyone should now trust the US government and US companies again.

    See how easily a real executive can fix problems?

  31. Fitzwilly (profile), Dec 25th, 2013 @ 2:57pm

    Re: Re: I hate to break it to everybody about Snowden, but

    Hey, I guess being a silly emotarian fool is better than learning the truth. What else is new?

  32. Fitzwilly (profile), Dec 25th, 2013 @ 2:59pm

    Re: Re: I hate to break it to everybody about Snowden, but

    Because he's an opportunistic crybaby with delusions of grandeur who didn't get his diaper changed, I guess.

