NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened

from the say-bye-bye-to-credibility,-rsa dept

Earlier this year, the Snowden leaks revealed how the NSA was effectively infiltrating crypto standards efforts to take control of them and make sure that backdoors or other weaknesses were installed. Many in the crypto community reacted angrily to this, and began to rethink how they interact with the feds. However, Reuters has just dropped a bombshell into all of this, as it has revealed that not only did the NSA purposefully weaken crypto, it then paid famed crypto provider RSA $10 million to push the weakened crypto, making it a de facto standard.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA’s entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

If this is true, it represents a serious attack on RSA’s credibility. While RSA, now owned by EMC, put out a statement saying that “under no circumstances does RSA design or enable any back doors in our products,” Reuters’ sources seem to suggest something quite different. While it might not be seen as “designing or enabling” back doors, that is the effective result.

Reuters spoke to a number of former RSA employees, many of whom said it was a huge mistake for RSA to make this deal, showing how far the company had strayed from its initial mission. Others suggest that the NSA basically duped RSA on this, such that RSA agreed to the deal without realizing it was promoting a compromised standard. That’s not a totally crazy assertion, but it’s not particularly comforting either way. While it seems crazy to trust the NSA, for years many people did recognize that the NSA employed many top crypto experts, and it was believed that, rather than compromising crypto, they were helping to build stronger crypto. Yes, some were always suspicious of this, but it wasn’t entirely crazy to think that a crypto standard supported by the NSA was supported for good reasons. Of course, it is now quite apparent that the skeptics were exactly correct all along. And RSA’s agreement to take this money from the NSA and to promote compromised crypto now has to call into question pretty much all of RSA’s activities.

$10 million doesn’t seem like that much to make on a deal in which you effectively undermine the entire reason why anyone does business with you. As someone in the article notes, the deal was “handled by business leaders rather than pure technologists.” And it shows.


Comments on “NSA Gave RSA $10 Million To Promote Crypto It Had Purposely Weakened”

Anonymous Coward says:

when you consider the ‘play on words’ that comes from the NSA, it isn’t hard to imagine that same sort of thing from RSA. the ‘say one thing, in a certain way’, denies and admits at the same time, but over different things. if true though, it is shameful that RSA became a partner in all of this. its street cred is way down now!!

Anonymous Coward says:

Re: This is more likely to happen with closed-source software

There will never be a single “year of linux” anything – but a gradual rise instead.

My wife literally asked me the other day, based on everything she has heard this year, if I would help her replace Windows with Linux on her desktop machine.

She already uses open source software for nearly everything she does on a daily basis, so the switch will be minor.

The kids’ computers will be next.

BernardoVerda says:

Re: This is more likely to happen with closed-source software

Nah. Everybody knows that Open Source software, like Linux and stuff like that, is just a bunch of hacked-together amateur stuff cobbled together by a loose network of basement dwelling dreamers and anti-capitalist ideologues. Anybody can see the code — so it’s vulnerable to hacking, and obviously not worth much, or these guys would have real jobs working at Microsoft, where they protect their valuable IP better.

That’s why no one uses it much, except for techno-weanie palaces like Red Hat, IBM, NYSE and the like…

If it was any good at all, Microsoft would be pushing it hard and recommending it vigorously to all their big and medium-sized customers.

Capiche? Good — glad to have cleared that up for you.

Anonymous Coward says:

Sad to see all the original founders resigned from RSA, and the company is now an empty shell of its former self. I personally wouldn’t trust anything coming out of RSA, ever again. I don’t trust the NIST anymore, either.

More irreparable damage caused to the US economy, all in the name of creating an Orwellian spy trap.

DannyB (profile) says:

Re: Re:

But the irreparable damage caused to the US economy by the Orwellian spy trap can be easily fixed by the administration implementing all of the recommendations to rein in the NSA. Then they can just hand wave it all away and chant transparency, oversight, accountability and everyone should now trust the US government and US companies again.

See how easily a real executive can fix problems?

Fitzwilly (profile) says:

I hate to break it to everybody about Snowden, but

….he’s a far-right wing libertarian nutjob/hypocrite who was pissed off for some reason and didn’t like his job, so he bailed out of it to Hong Kong & Russia with information the NSA has a right to have.

The sad, sorry tale can be found here:

In 2009, Ed Snowden said leakers “should be shot.” Then he became one

As well as here (and this applies to anybody who believed this servile dunce):

How the Professional Left’s Blind Obama Hatred Got them Played by a Far-Right Nutjob

Whistleblower My Ass: Snowden’s Russia Connection Confirmed by Putin

Making a hero out of a whiny crybaby lunatic far-right wing libertarian nut job that stole data that compromised the safety of the United States, and who then fled to the arms of an authoritarian leader, isn’t helping the cause that Techdirt agitates about.

Anonymous Coward says:

“(CNN) — In 2011, I was on a panel, organized by the security company RSA, with two retired National Security Agency directors, Michael Hayden and Kenneth Minihan. During the course of our debate, I raised concerns, as the only non-American on the panel, that their plans and preferences for having the NSA secure cyberspace for the rest of us were not exactly reassuring. To this, Minihan replied that I should not describe myself as “Canadian” but rather “North American.””

So many things are falling into place. Odds are, the previously “stolen” RSA keys were not actually stolen either. Time to reexamine everything we already know about the RSA in light of these new revelations.

Anonymous Coward says:

All I understand ...

… from this is: Stay away! Don’t buy any US software or hardware! Don’t use any US based service! And the funniest thing is the irony of the whole story. The NSA is performing industrial espionage to help US industry, but it has overdone everything and started to harm the US industry. Well done!

