RSA Flatly Denies That It Weakened Crypto For NSA Money
The Register reports that RSA isn't taking the accusation quietly. Reuters, citing documents released by Edward Snowden, reported that the company intentionally used weaker crypto at the request of the NSA and accepted $10 million in exchange for doing so. RSA defends its use of the Dual Elliptic Curve Deterministic Random Bit Generator, stating categorically "that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Trust none of them (Score:5, Insightful)
If this story turns out to be true, then RSA's name is mud. Only a complete and utter moron would buy from them after this.
Same goes for the other companies who have been selling us out. Even Google and Microsoft who are now leaking stories about them boldly protecting their backbones from the NSA have been handing over our data, and in the case of Microsoft took cold hard cash to add backdoors to Skype and God knows what else. If you trust *any* of these companies you are a complete and utter moron.
Not that strongly worded (Score:5, Insightful)
The problem is that the NSA has been lying to everyone with doublespeak--asking permission for X warrants when the warrants really covered umpteen billion warrants, things like that. So while this press release categorically denies "that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries[,]" it could still be truthful even if any ONE of the facts in that list is false.
For example, "known" flawed random number generator--suppose the NSA knew it was flawed and RSA didn't. This denial does not contradict that.
In the context of a topic where companies and government agencies are lying regularly by using careful diction, even a "strong" "categorical" denial has to eliminate the possibility of loopholes in order for it to be believable.
Re:Not that strongly worded (Score:5, Insightful)
That was my read of the statement as well. Essentially all they're denying is that they openly sold the rights to backdoor their software. It could still be the case that they wink-wink sold those rights. Or it could be the case that they were just dupes rather than in cahoots with the NSA; it's not entirely implausible that they thought they were helping out the NSA by making the change for a reason unrelated to backdooring the software.
Oh, Sure... (Score:4, Insightful)
I believe them.
Just as much as I believe that Nigerian Prince's nephew's super deal for helping him get funds out of the country.
C'mon, RSA guys. I know you're pretty butt-hurt about this revelation from the Snowden release. Heck, I can even understand that you guys may well have received an "offer you can't refuse" from the NSA, et al.
You'd be much better off playing that angle, rather than attempt a laughably-preposterous and totally unbelievable denial. The denial gets you no sympathy or possible assistance out of your situation at all from the public, only hatred, vitriol, and the ends of many of your careers.
Remember that when making deals with the Empire, Darth has a nasty habit of "altering the deal". Though you "pray" he "doesn't alter it further", it never fails to eventually happen. Neville Chamberlain, 'nuff said.
Strat
Come On (Score:5, Insightful)
The government has a new encryption algorithm that is "amazingly strong". Only they are paying YOU to use it? And that does not throw up any red flags in a company based on SECURITY?
Foreign crypto market should boom? (Score:3, Insightful)
Given the state of affairs in the United States, I would think that every country on earth should be reviewing their reliance on American tech (especially in cryptography). Do you really want your parliament having discussions over Skype? Or using Microsoft Windows to conduct their Seriously Secret activity? Microsoft is implicated in compromising Skype, so there is every reason to suspect they have also compromised Windows and every other piece of software they make. Google mail? Apple phones? RSA security? The list goes on.
If I were a foreign government I would dump serious subsidies into my domestic software development industry. This extends to our allies as well. After all, if the USA is willing to spend insane resources and flaunt the law/morality by spying upon its own citizenry to a degree hardly less severe than 1984... why wouldn't they be using the very same backdoors on you?
It's a very sad day (Score:5, Insightful)
It's a very sad day when we have media which are prostituting themselves to BIG BROTHER and companies betraying the trust of their customers for some breadcrumbs.
If all that happened in a banana republic we might say "Oh, but they are banana republics".
But no. All of this is happening in the United States of America!
What hath my beloved country turned into?
Re:RSA's name is now mud (Score:5, Insightful)
As for your theory that competitors leaked this to damage RSA, you have not offered a shred of evidence, and your premise that the Guardian can print untrue stories without being sued for libel is false.
Re:Actually ... (Score:5, Insightful)
And, of course, the weasel words. Their intention was not to weaken the crypto, that was a side effect. The intention was to pocket $10mil and perhaps a favor to be named later.
Re:Sorry RSA (Score:5, Insightful)
I don't think you could prove they were lying even if they were open source. All looking at the source code would tell you is that they implemented Dual_EC_DRBG; exactly the same as looking at the OpenSSL source code will tell you. I doubt there would be a handy comment saying "/* Implemented a known-weak method on behalf of the NSA. */" around it.
The problem with Dual_EC_DRBG, as far as I can tell, is in the choice of constants used in it; the constants are defined by the NIST standard.
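To make the point about the constants concrete, here is a scaled-down Dual_EC_DRBG and the state-recovery trick that a bad choice of Q makes possible. This is an added example, not code from RSA, NIST, BSAFE or anyone in this thread. It assumes a toy curve over F_1031 in place of P-256, 8-bit outputs with the top 3 bits dropped in place of 30-byte outputs with 16 bits dropped, and an arbitrary secret e with Q = e*P; the curve constants, base point selection and seed are likewise my own choices. The generate step itself (r = x(s*P), next state = x(r*P), output = truncated x(r*Q)) follows the shape of the SP 800-90A construction.

```python
"""Toy Dual_EC_DRBG plus the state-recovery attack that a trapdoored Q enables.
Added example, not code from RSA/NIST/BSAFE or anyone in this thread. Scaled
down: curve over F_1031 instead of P-256, 8-bit outputs with 3 bits dropped
instead of 30-byte outputs with 16 bits dropped. Curve constants, the base
point scan, the seed and the secret e are arbitrary choices for illustration."""
from math import gcd

P_MOD, A, B = 1031, 1, 1   # y^2 = x^3 + A*x + B over F_1031 (1031 % 4 == 3)
INF = None                 # point at infinity
OUT_BITS = 8               # low bits of x(r*Q) that leave the generator

def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """Curve points with x-coordinate x ([] if x^3+Ax+B is a non-residue)."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs:
        return []
    return [(x, y), (x, P_MOD - y)] if y else [(x, 0)]

def order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

# Base point: scan a few x-coordinates and keep the point of largest order.
P_GEN, N_ORDER = max(((pts[0], order(pts[0])) for pts in map(lift_x, range(1, 40)) if pts),
                     key=lambda t: t[1])

# The trapdoor: whoever published Q chose e, set Q = e*P and kept d = e^-1 mod n.
# Users of the generator only ever see P and Q and cannot tell that d exists.
E_SECRET = next(e for e in range(3, N_ORDER) if gcd(e, N_ORDER) == 1)
D_SECRET = pow(E_SECRET, -1, N_ORDER)
Q = mul(E_SECRET, P_GEN)

def to_scalar(v):
    """Toy-only guard: n is ~1000 here so v % n == 0 can happen; on P-256 it cannot."""
    return (v % N_ORDER) or 1

class DualEC:
    """One Dual_EC_DRBG generate step per call, shaped like SP 800-90A."""
    def __init__(self, seed):
        self.s = to_scalar(seed)

    def next_output(self):
        r = to_scalar(mul(self.s, P_GEN)[0])
        self.s = to_scalar(mul(r, P_GEN)[0])            # next internal state
        return mul(r, Q)[0] & ((1 << OUT_BITS) - 1)     # x(r*Q), top bits dropped

def recover_state(output, later_outputs, d=D_SECRET):
    """Internal states consistent with one output and the outputs that followed.
    Needs d with P = d*Q, which only the party that chose Q can know."""
    seen, survivors = set(), []
    for x in range(output, P_MOD, 1 << OUT_BITS):      # refill the dropped top bits
        for R in lift_x(x):                            # R = r*Q, either sign
            rp = mul(d, R)                             # d*(r*Q) = r*P
            if rp is INF or (cand := to_scalar(rp[0])) in seen:
                continue
            seen.add(cand)                             # x(r*P) is the next state
            probe = DualEC(cand)
            if [probe.next_output() for _ in later_outputs] == list(later_outputs):
                survivors.append(cand)
    return survivors

def demo(seed=4242, verify=3):
    """Run the generator, then recover its state from the outputs alone."""
    gen = DualEC(seed)
    first = gen.next_output()
    true_state = gen.s                                 # what the attacker must find
    later = [gen.next_output() for _ in range(verify)]
    actual_next = gen.next_output()
    cands = recover_state(first, later)
    clone = DualEC(cands[0])
    for _ in later:
        clone.next_output()
    return {"true_state": true_state, "candidates": cands,
            "predicted_next": clone.next_output(), "actual_next": actual_next}
```

The attacker never touches the generator's state: from one truncated output they enumerate the few x-coordinates it could have come from, lift each to a point, multiply by d to turn r*Q into r*P, and keep the candidate whose predicted outputs match the next few real ones. Reading the source of an implementation shows none of this, which is the point of the comment above: the weakness lives entirely in where Q came from, and the only defence is constants generated by a verifiable process or chosen yourself.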
I don't trust anyone (Score:5, Insightful)
I do not trust Snowden just because he is Snowden. I do not know that guy in person. I only heard his name after he disclosed what the NSA had done - PRISM / GCHQ / tapping foreign leaders, and so on.
Every single "story" about a leak that has been linked to Snowden file is just that, a "story".
After reading them, I re-traced the link back to the matter itself. If there are articles related to the matter, I give them a good read up.
The case regarding RSA for example - there have been case studies since 2006 (and earlier) that can be used as reference to what has just been reported.
That is why I say it is a very sad day when my country has turned into something worse than a banana republic.
Re:Come On (Score:4, Insightful)
the concept of paying for a specific feature to be implemented is extremely common.
I agree with that, but that is the company developing said feature. That makes a lot of sense.
What raises eyebrows is not saying "add this feature", but "add this feature and BTW here's the exact algorithm you will use, oh and BTW2 we aren't going to add any schedule constraints, and BTW3 can you make sure it's the default all of your OTHER customers will be using?"
Re:Trust none of them (Score:3, Insightful)
Weaselly language:
> "that we have never entered into any contract or engaged in any project with the
> intention of weakening RSA's products, or introducing potential 'backdoors' into our
> products for anyone's use."
So, potential backdoors are out. How about backdoor? Known, functional backdoors, not the prospect of future backdoors?
Weakening? Nobody mentioned weakening. That $10,000,000 you took from that spy organisation - that was to strengthen, not weaken.
Contract? No contract. I rewarded my daughter for tidying her room. At no point was a contract, written or otherwise, created.
The guy might be gullible, but does he think we are?
Re:I don't trust anyone (Score:5, Insightful)
If they didn't do it for the NSA, why did they make a slow and vulnerable RNG the default? Of course we can apply the principle "Never attribute to malice that which can adequately be explained by incompetence". In which case it's immaterial anyway to our company's purchasing decisions on security products: we either avoid RSA because they are in cahoots with the NSA, or the alternative - because they are flat out incompetent (which is entirely believable, given their earlier security breaches).
Re:It's a very sad day (Score:5, Insightful)
2. How much can you trust Snowden? Up to this point he was just making claims against an agency that largely cannot (or will not) comment about their practices. Now he is making claims against a public company that could pursue him civilly for libel.
Eh? Really? Repeat that back to yourself and see if it makes any more sense the second time around...
Snowden is wanted for serious crimes against the government of the United States of America, the penalties for which involve spending the rest of his life in an 8x10 foot concrete cell by himself.
I think he is way, way past civil liabilities against a company or any suing it might do against him in a court of law.
Let's see.. who should we trust? (Score:5, Insightful)
Snowden: 100% accuracy so far.
RSA: For profit company that looks really bad right now and there's no downside to them lying.
I'll go with the 100% guy with nothing to gain.
Yes, and US companies are losing billions (Score:5, Insightful)
And before you have pity on US firms losing this cash, remember that they have been knowingly aiding the NSA and the CIA and any other government entity that came knocking for years, and they would still be handing over our data (and they probably still are) without any concerns had Snowden not exposed the extent of the NSA's illegal, immoral, unconstitutional, and brazenly stupid surveillance program.
When Angela Merkel is comparing the NSA to the Stasi, we've got problems. When Chinese tech firms become more trusted than American tech firms, we've got problems. When a schmuck wearing a military costume -- which is a disgrace to people who served their country instead of their government -- lies to congress about spying on Americans and gets away with it, we've got problems. "General" Keith B. Alexander was head of Army Intelligence and missed the piles of evidence pointing towards 9/11, and even after he helped the state security apparatus morph into the world's largest and most expensive spying effort, the organization under his control has still failed to stop a single terrorist attack.
The NSA, the CIA, and Mr. Alexander are a disgrace to our country, but they are unfortunately typical of American government, and the corporations that have been colluding with them for years. They're more interested in their own careers and dollar signs than they are about upholding the Constitution, but when they are caught, they hide behind their military titles and bullshit legalese because they have no redeeming qualities as individuals or as organizations.
If it seems personal, it's because it is personal. It may just be a coincidence that I am flagged constantly when I cross the border for "random" searches, but I live in a country where I can't even find out why I seem to be a magnet for the attention of the security state. For my own protection, I am not allowed to know what my government is doing. And now that the NDAA has passed, an American agent could pick me up and detain me indefinitely without a trial.
Thanks for protecting American ideals from those totalitarian invaders, Mr. Alexander. You're doing a heckuva job.
Re:I don't trust anyone (Score:5, Insightful)
"we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
Their 'categorical denial' of the story is not a denial that they did enter a contract or engage in a project that did weaken RSA's product and introduce a backdoor into their products for somebody's use; but merely the assertion that they never did so intentionally. Slightly different things there...
Still Can't Trust U.S. Companies (Score:4, Insightful)
Let's assume, for the sake of argument, that RSA is being completely honest and sincere: their product is not compromised by the U.S. Government. Given that the U.S. Government can just slap any company in the U.S. with a National Security Letter, the violation of which comes with prison time, and which prohibits the recipient from even saying they got one, we can't trust any U.S. (or U.K., for that matter) company's word that they haven't been compromised by the Government.
So as our computer security companies start to decline, and our economy (which has a huge computer company component to it) declines even further, we can all tip our hats to the corrupt politicians that gave our three-letter agencies the power to deal a body blow to the very country they are supposed to be protecting; and to the agencies that use that power to harm us more than any terrorist plot ever could.
Re:I don't trust anyone (Score:5, Insightful)
All they're denying is that they "secretly knew Dual EC DRBG was flawed".
No mention of $10 million payout. Until they deny receiving the money then this is just hot air and the Streisand effect will kill their company.
Re:It's a very sad day (Score:4, Insightful)
Are you seriously suggesting that Snowden is not trustworthy? I would definitely support the guy that had to run away from his country because of a massive information leak than some crude government/corporation propaganda. It truly makes me wonder why you are posting as an anonymous coward and spread FUD about the only way we could have found out about such things in the first place.
Re:Here's a better one. (Score:5, Insightful)
The test is simple. If Snowden lied, then the NSA and the President have nothing to charge him with. It is simple. They tried calling him a liar and a traitor guilty of treason in the same paragraph. When it was pointed out he couldn't be both they quickly stopped pretending he was lying.
Re:I don't trust anyone (Score:5, Insightful)
If they didn't do it for the NSA
I know you're stating that rhetorically, but I'd like to answer it anyway. Read the relevant parts of their "denial" again:
Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use.
They never denied entering a contract with the NSA. All they denied was that they entered a contract with the intention of undermining their own products, which is not something that they were being accused of by most reasonable people. As you said, it's far easier to attribute this to incompetence than malice, and most of us aren't accusing them of intentionally sabotaging their own products; we're accusing them of being negligent in their duties by not being careful enough in accepting gifts from players in the game who have competing interests. Moreover, as a publicly traded company, they've already had to disclose the budget of the division that received the funds, so we know that the funds were received and that a contract does exist.
TL;DR: It's a standard non-denial denial. They denied the worst possible stuff that the sensationalists were accusing them of, while using strong words like "categorical" to give the impression they were denying everything, when really, they were merely denying a set of claims taken in whole, leaving wide open the accusations of the very realistic misdeeds they stood accused of.
Both sides could be lying ... (Score:3, Insightful)
Are you seriously suggesting that Snowden is not trustworthy? I would definitely support the guy that had to run away from his country because of a massive information leak than some crude government/corporation propaganda. It truly makes me wonder why you are posting as an anonymous coward and spread FUD about the only way we could have found out about such things in the first place.
Different AC here ... You are making a very naive assumption. That if one side is lying the other side is telling the truth. That's silly. Both sides may be lying.
The truth is Snowden has an agenda. It is therefore plausible that he is exaggerating. He is also under the control of dubious masters, formerly China and now Russia. It is mildly plausible that he needed to keep China or needs to keep Russia happy with his leaks and/or to believe he is a valuable asset so that they continue to protect him.
Or to put things another way, you should NOT drop your skepticism because someone's claims match your expectations or politics. That is how you get conned. You sell what people are predisposed to believe.
Re:It's a very sad day (Score:5, Insightful)
Snowden has made no such claims. The claim originated from a leaked document. He provided the document to journalists. The document speaks for itself.
Is the document genuine? That is an entirely different question. I suspect that it is, though no one at the NSA will say. How do you confirm the authenticity of the document? Well, a simple initial approach may be to consider the accuracy of previous document releases. By that standard, it's genuine.
Re:I don't trust anyone (Score:4, Insightful)
In any case, if they didn't accept the $10m to weaken security, what did they accept it for? (of course they haven't admitted or denied taking the $10m, instead saying "RSA never divulges details of customer engagements").