NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened
from the say-bye-bye-to-credibility,-rsa dept
Earlier this year, the Snowden leaks revealed how the NSA was effectively infiltrating crypto standards efforts to take control of them and make sure that backdoors or other weaknesses were installed. Many in the crypto community reacted angrily to this, and began to rethink how they interact with the feds. However, Reuters has just dropped a bombshell into all of this, as it has revealed that not only did the NSA purposefully weaken crypto, it then paid famed crypto provider RSA $10 million to push the weakened crypto, making it a de facto standard.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
The earlier disclosures of RSA’s entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.
If this is true, it represents a serious attack on RSA’s credibility. While RSA, now owned by EMC, put out a statement saying that “under no circumstances does RSA design or enable any back doors in our products,” Reuters’ sources seem to suggest something quite different. While it might not be seen as “designing or enabling” back doors, that is the effective result of this.
Reuters spoke to a number of former RSA employees, many of whom said it was a huge mistake for RSA to make this deal, showing how far the company had strayed from its initial mission. Others suggest that the NSA basically duped RSA on this, such that RSA agreed to the deal without realizing it was promoting a compromised standard. That’s not a totally crazy assertion, but it’s not particularly comforting either way. While it seems crazy to trust the NSA, for years many people did recognize that the NSA employed many top crypto experts, and it was believed that, rather than compromising crypto, they were helping to build stronger crypto. Yes, some were always suspicious of this, but it wasn’t entirely crazy to think that a crypto standard supported by the NSA was supported for good reasons. Of course, it is now quite apparent that the skeptics were exactly correct all along. And RSA’s agreement to take this money from the NSA and to promote compromised crypto now has to call into question pretty much all of RSA’s activities.
$10 million doesn’t seem like that much to make on a deal in which you effectively undermine the entire reason why anyone does business with you. As someone in the article notes, the deal was “handled by business leaders rather than pure technologists.” And it shows.
Comments on “NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened”
when you consider the ‘play on words’ that comes from the NSA, it isn’t hard to imagine that same sort of thing from RSA. the ‘say one thing, in a certain way’, denies and admits at the same time, but over different things. if true though, it is shameful that RSA became a partner in all of this. its street cred is way down now!!
Re: Re:
In certain circles, RSA’s “street cred” has long since been questioned…
RSA – RIP 2013.
Slow motion train wreck doesn’t even begin to describe this year’s political and governmental abuse news stories, the NSA scandal, Obamacare, etc.
And for your viewing enjoyment …
Slow Motion Train Crash High Definition
Re: Re:
“this year’s political and governmental abuse news stories”
should read
this year’s political screw ups and governmental abuse news stories
This is more likely to happen with closed-source software
The NSA revelations are the best thing that ever happened to the free/open source movement. Will 2014 finally be the year of the GNU/Linux Desktop?
Re: This is more likely to happen with closed-source software
There will never be a single “year of linux” anything – but a gradual rise instead.
My wife literally asked me the other day, based on everything she has heard this year, if I would help her replace Windows with Linux on her desktop machine.
She already uses open source software for nearly everything she does on a daily basis, so the switch will be minor.
The kids’ computers will be next.
Re: This is more likely to happen with closed-source software
Nah. Everybody knows that Open Source software, like Linux and stuff like that, is just a bunch of hacked-together amateur stuff cobbled together by a loose network of basement dwelling dreamers and anti-capitalist ideologues. Anybody can see the code — so it’s vulnerable to hacking, and obviously not worth much, or these guys would have real jobs working at Microsoft, where they protect their valuable IP better.
That’s why no one uses it much, except for techno-weanie palaces like Red Hat, IBM, NYSE and the like…
If it was any good at all, Microsoft would be pushing it hard and recommending it vigorously to all their big and medium-sized customers.
Capiche? Good — glad to have cleared that up for you.
😛
OpenSSL’s implementation of DUAL-EC-DRBG has never worked. It crashes the program using it.
Re: OpenSSL and DUAL-EC-DRBG
It’s not a bug, it’s a feature!
Re: Re:
“OpenSSL’s implementation of DUAL-EC-DRBG has never worked. It crashes the program using it.”
And it was gov’t (FIPS) certified! That’s how you know you can trust it!
Sad to see all the original founders resigned from RSA, and the company is now an empty shell of its former self. I personally wouldn’t trust anything coming out of RSA, ever again. I don’t trust the NIST anymore, either.
More irreparable damage caused to the US economy, all in the name of creating an Orwellian spy trap.
Re: Re:
“Sad to see all the original founders resigned from RSA, and the company is now an empty shell of its former self. I personally wouldn’t trust anything coming out of RSA, ever again.”
They should have taken their names with them. Now they get to be associated with security sellout.
Re: Re:
But the irreparable damage caused to the US economy by the Orwellian spy trap can be easily fixed by the administration implementing all of the recommendations to reign in the NSA. Then they can just hand wave it all away and chant transparency, oversight, accountability and everyone should now trust the US government and US companies again.
See how easily a real executive can fix problems?
NSA/RSA… same thing.
EMC
EMC own them, and does raids, cloud storage, data centers, data backup….
Imagine all that juicy ‘business’ data with an NSA backdoor.
Do terrorists use RSA software now?
Re: EMC
Clearly, as they’ve all been caught.
No, wait, that other thing.
I hate to break it to everybody about Snowden, but
….he’s a far-right wing libertarian nutjob/hypocrite who was pissed off for some reason and didn’t like his job, so he bailed out of it to Hong Kong & Russia with information the NSA has a right to have.
The sad, sorry tale can be found here:
In 2009, Ed Snowden said leakers “should be shot.” Then he became one
As well as here (and this applies to anybody who believed this servile dunce):
How the Professional Left’s Blind Obama Hatred Got them Played by a Far-Right Nutjob
Whistleblower My Ass: Snowden’s Russia Connection Confirmed by Putin
Making a hero out of a whiny crybaby lunatic far-right wing libertarian nut job that stole data that compromised the safety of the United States, and who then fled to the arms of an authoritarian leader, isn’t helping the cause that Techdirt agitates about.
Re: I hate to break it to everybody about Snowden, but
The Charles Johnson worship service is down the hall to the right. Otherwise, no one gives a flying fuck what spills out of your festering pie-hole.
Re: Re: I hate to break it to everybody about Snowden, but
Hey, I guess being a silly emotarian fool is better than learning the truth. What else is new?
Re: I hate to break it to everybody about Snowden, but
Why didn’t he fly straight to Russia then? Why the stop in Hong Kong?
Re: Re: I hate to break it to everybody about Snowden, but
Because he’s an opportunistic crybaby with delusions of grandeur who didn’t get his diaper changed, I guess.
What is wrong with what they did? They saw a cheap opportunity and took it. I would have thought the free market minded would see it as a good thing?
“(CNN) — In 2011, I was on a panel, organized by the security company RSA, with two retired National Security Agency directors, Michael Hayden and Kenneth Minihan. During the course of our debate, I raised concerns, as the only non-American on the panel, that their plans and preferences for having the NSA secure cyberspace for the rest of us were not exactly reassuring. To this, Minihan replied that I should not describe myself as “Canadian” but rather “North American.””
So many things are falling into place. Odds are, the previously “stolen” RSA keys were not actually stolen either. Time to reexamine everything we already know about the RSA in light of these new revelations.
30 silver coins = 10 million $ at current rate
Not sure RSA will get the kiss with their customers goodbye though
All I understand ...
… from this is: Stay away! Don’t buy any US software or hardware! Don’t use any US based service! And the most funny thing is the irony of the whole story. The NSA is performing industrial espionage to help US industry, but it has overdone everything and started to harm the US industry. Well done!
Re: All I understand ...
Most stuff is made in China anyway. Feel better?
Not Credible
“Others suggest that the NSA basically duped the RSA on this, such that RSA agreed to the deal, without realizing they were promoting a compromised standard.”
It is simply not believable that RSA thought that the NSA was just giving them 10 million dollars and expecting nothing in return.
Who ELSE has an abc agency like nsa “donated” to……..seems like a good list for some investigative journalism i think, maybe for the last damn 100 years if
Not god damn further
Re: Re:
Anti-virus companies obviously.
TOR. This is already known, but glossed over by many.
Well, this confirms what I've always...
Suspected.