NSA

NSA Connection Has Attendees Fleeing Encryption Company's Conference

|

Back door
GFDL and CC-BY 2.5 granted by photographer

The National Security Agency continues to wield its commercial kiss of death, causing business to flee from American firms that have, inadvertently or deliberately, been involved in the snooping. Last month, Boeing lost a multi-billion dollar contract with Brazil over the NSA's shenanigans. More billions in European business are at risk for U.S. companies feared as direct conduits to the spies. And now attendees are dropping out of the cybersecurity-oriented RSA Conference after sponsoring company, RSA Security LLC, was revealed to have accepted millions of dollars in return for building a backdoor into its encryption software.

Just before Christmas, DailyTech reported:

Former U.S. National Security Agency (NSA) contractor Edward Snowden has brought many NSA secrets to light this year, the most recent being a "secret" contract between the agency and security industry leader RSA. 

According to more documents leaked by Snowden, the NSA entered into a $10 million contract with RSA to place a flawed formula within encryption software (which is widely used in personal computers and other products) to obtain "back door" access to data. 

The RSA software that contained the flawed formula was called Bsafe, which was meant to increase security in computers. The formula was an algorithm called Dual Elliptic Curve, and it was created within the NSA. RSA started using it in 2004 even before the National Institutes of Standards and Technology (NIST) approved it.

RSA insists it was duped and that using a flawed algorithm supplied by the NSA was not deliberate. But the damage was done. Now CNet reports:

Mikko Hypponen, chief technology officer of F-Secure with decades under his belt as a security researcher, canceled his annual presentation at the American-hosted RSA Conference, to be held in San Francisco in February. …

The day before Hypponen canceled his talk in December, Josh Thomas, the "Chief Breaking Officer" at security firm Atredis, canceled his scheduled talk via Twitter.

Jeffrey Carr, another security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further. Yesterday, he publicly called for a boycott of the conference, saying that RSA had violated the trust of its customers.

Other prominent cybersecurity figures have followed suit, seeking to punish the company and, no doubt, wishing to distance themselves from the black hole of ethical choices and commercial opportunities that surrounds the intersection of the NSA with anything. Expressing the sentiments of the cybersecurity community regarding RSA's actions, Carr said, "I can't imagine a worse action, short of a company's CEO getting involved in child porn."

Truly, government has a magic ability to ruin everything it touches.

If you're going to be a back door man, this is how you do it:

NEXT: Suicide Bombing at Baghdad Recruiting Center Kills 12

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Neal Stephenson couldn’t have come up with a more crooked and disturbing tale.

  2. This should be the end of RSA. I bet they are pretty pissed off at Edward Snowden right now.

  3. Thanks for some early morning Wolf. 300 lbs of love.

  4. Good. Fuck RSA and the NSA. And the TSA.

    1. And the DEA!

      And the NOAA.

      1. And the North Pole.

  5. We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.

    It seems inconceivable to me that at any point the industry thought that the NSA was interested in strengthening encryption for anyone other than the government.

    1. The NSA gives you an algorithm, and you don’t check it for back doors?

      If you haven’t been bought off, it means you are full of weapons grade stupidity.

      1. and you don’t check it for back doors

        That’s not as easy as it sounds.

        Still, this is BAD. This is not just egg on your face bad. This is RSA, and potentially the entire private encryption industry in the US, goes out of business.

        The full fallout from this particular revelation is still years away. I would suggest that this is worse than the phone company collaboration or the NSA hacking into private Intranets.

        THIS IS BAD.

        1. This is RSA, and potentially the entire private encryption industry in the US, goes out of business.

          I woudln’t say it’s bad. There is a market for encryption. So people who didn’t collaborate with the Feds to fuck over their custoemrs now have a chance to sell to consumers.

          Personally, I am glad this is happening. As an IEEE member, I am pretty appalled at how many brilliant computer guys are quislings when it comes to protecting civil society from the government.

          1. There is a market for encryption.

            A black market, if you catch my drift.

          2. Problem is, no one can be sure who collaborated. The safest route is to refuse to buy from any US company.

            1. Are the Russians or the Germans better? Maybe less competent but certainly not less willing.

              Safest route is open source.

              1. Safest route is open source.

                DING! DING! DING! DING!

                1. winner!

                  Crypto is very hard to do correctly and requires years of review and study. DEC was a situation where the NSA understood a weakness (as a result of their part in developing it) and kept it to themselves so that it could be exploited. Then they went on a full court press to get DEC adopted as a standard.

                  RSA was negligent for ever working with a government but it is understandable that they would not have known of the weakness.

                  For the record PGP, AES, SHA-256, Blofish, etc. are all still good math. Now, the protocols in how you use them and where may be compromised but the math is still solid.

          3. So people who didn’t collaborate with the Feds to fuck over their custoemrs now have a chance to sell to consumers.

            Which people are those? The problem is now a lack of trust. Why would anyone believe that a US company didn’t bend over and do the bidding of the NSA, no matter what type of promises they make?

            1. Why would anyone believe that a US company didn’t bend over and do the bidding of the NSA, no matter what type of promises they make?

              Given the fact that U.S. engineers have repeatedly proven themselves to be quislings, the lack of trust is completely warranted.

              Eventually there will be someone trustworthy with the appropriate technical expertise that manifests themselves.

              I don’t understand why you keep saying that it’s bad, when now consumers have more accurate information than they did before. It’s good.

              1. It’s bad if you believe that having a US based private encryption market is a good thing.

                It’s bad if you believe that having trust in the privacy of Internet commerce is a good thing.

                It’s VERY GOOD to have this exposed. But the full commercial effects of this revelation are still likely years away.

                1. It’s bad if you believe that having a US based private encryption market is a good thing

                  As long as the business stays on good old Earth and isn’t dominated by those godless Martians, I am cool with it.

                  It’s bad if you believe that having trust in the privacy of Internet commerce is a good thing.

                  Trust is only good if it is justified. Unjustified trust is bad. What we have now is unjustified trust.

                  Again, U.S. engineers deserve to have this thrown in their faces. I socialize with guys in various IEEE organizations here in Boston, and these guys are quislings – the moment the US govt offers them money or prestige, they whore themselves out and screw over their customers. The guys who are willing to shut down their businesses rather than cooperate are rare.

                  1. The guys who are willing to shut down their businesses rather than cooperate are rare.

                    Rare in any line of work. I’m not sure if I could do it if it were me. I’d like to think so but I’m probably deluding myself.

              2. Eventually there will be someone trustworthy with the appropriate technical expertise that manifests themselves

                and gets clobbered by TPTB.

        2. THIS IS BAD.

          Bad “of Biblical proportions”.

          When the economic ripple effects kick in the screaming will begin in earnest.

          1. Screaming for bailouts? I hope not.

            1. Oh, you can count on it.

        3. Surely they would have gotten the source code for this algorithm and really looked it over, if for no other reason than to validate functionality and try to spot defects.

          1. This is the random number generator — it’s not so much that there’s a backdoor in it, it’s that it takes constant initialization values. If you choose those initialization valueds, you could predict what it will provide.

            So, the right way to do pick those initialization values would be with a bingo roller in front of a bunch of trusted tech people. If you do that, it’s probably just fine. Instead, they came down from the mountain with the values set on stone tablets.

            It’s not obvious from looking at the algorithm that there’s a backdoor in it, it’s that the values chosen make it very possible (and the secret contract to make it the default is confirmation enough for me.)

            1. What happened to Count Negroni? Were you stripped of your title?

              1. The late night folks harassed me into going back. Especially ’cause of a joke that flopped as Count Negroni.

                Today: Sweating Gin and Rye

            2. Trust no random number generator where the seed was not created by you personally. That’s how PGP/GPG does it.

        4. If it’s really hard, then why even use it? Did RSA think NSA was in the business of helping them build better encryption? They have to assume that NSA is up to no good.

          1. They have to assume that NSA is up to no good.

            The do now. They didn’t then. It was perceived to be in the best interests of the United States to have secure mechanisms. NSA expertise in encryption was thought to be benevolent.

            Clearly a wrong perception. But that is what was.

            1. The USG has been talking about getting back-doors into encryption since at least the early 90s. Even I, someone not involved in the encryption industry, knows that. If RSA wasn’t at least a wee bit suspicious, then they are stupid. And I don’t believe they are stupid.

              1. I’m with you, Adam. There is no possible defense for collaborating with the NSA if you are in the security biz. The only reasons for it are (a) terminal naivete, (b) incredible stupidity or (c) corruption.

                None of those are acceptable in a security context.

              2. RSA fought against Clinton’s clipper chip. (Or at least, the appeared to have.) They should have known full well what the NSA was about here.

  6. Businesses in bed with the NSA are losing business? Good. They had better learn the right lesson from this.

    1. Oh, and thanks for the Howlin’ Wolf, 2Chilly. Nothin’ like a little Blues.

    2. qui cum canibus concumbunt cum pulicibus surgent

      Lie down with dogs, wake up with fleas.

  7. This is how government protects American jobs and American competitiveness.

  8. Saving and creating jobs…
    Over there.

  9. Most Transparent Administration Eva?… thanks entirely to whistleblowers.

  10. File this one under creative destruction. Those firms that are not fit are ashcanned in favor of those who are.

    My default assumption now is that there is no security available to me on the internet; that everything I do is fully visible to the NSA, and that means is also potentially visible to any and all hackers.

    I’m pulling back on the amount of e-commerce I do, generally, until I have a more secure way of doing it.

  11. Sorry, but I don’t buy the RSA story. The RSA algo is used in GnuPG, the most common, open source, public/private key encryption. If there was a backdoor, someone would have found it. If for nothing more than to say, “I cracked PGP”.

    We’ve been though this before with Skipjack and the Diffie-Hellman. Even the governmetn isn’t stupid enough to try that again. But don’t hold me to that.

    1. This is RSA the company vs. RSA the algorithm. RSA the company produces an encryption library, and made a secret contract with the NSA to use a specific random number generator as the default.

      The algorithm mentioned is DUAL_EC_DRBG — random number generator.

      1. This is correct, it needs to be emphasized that RSA the algo is solid. The RNG you use may not be.

        1. Thanks for clarifying that. I can’t stand some of these people that claim PGP can be cracked by the NSA and what not. It seems to be coming from the goldbugs that hate bitcoin, for whatever reason.

        2. And in the PGP implementation, the seed for the random number generator comes from you randomly typing on your keyboard until you are told to stop, not from what is effectively a table of seeds.

  12. Back when Clinton was office I remember a lot of talk about outlawing encryption, or at least mandating back doors the government could use. Then, suddenly, the government just dropped it. I had always assumed that was because the NSA had found a way to crack common encryption methods without the industry’s help.

    1. I had always assumed that was because the NSA had found a way to crack common encryption methods without the industry’s help.

      Instead it seems the NSA just got the industry to bend over, grab their ankles, and let them have the backdoor.

      1. I’d bet real money that a senior officer of RSA was caught humping veal and this was pro quid quo for staying out of prison.

  13. NSA people are also getting kicked off standards committees:

    http://www.ietf.org/mail-archi…..03556.html

    1. yeah this hit hacker news a while back. Bruce Schniere left BT too but he says it wasnt due to the revelations.

  14. RSA insists it was duped and that using a flawed algorithm supplied by the NSA was not deliberate.

    They just learned about it today on the news. Hey, it works for everyone else.

    1. Yeah, I just don’t see “We’re too stupid not to trust the NSA” as being very reassuring.

Please to post comments

Comments are closed.