Feeds

back to article RSA comes out swinging at claims it took NSA's $10m to backdoor crypto

RSA has hit back at allegations stemming from Edward Snowden's latest whistleblowing – specifically, the claim that it secretly took US$10m from the NSA in exchange for using the deliberately knackered Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) in its encryption products. The EMC-owned security outfit …

COMMENTS

This topic is closed for new posts.

Page:

"At that time, the NSA had a trusted role in the community-wide effort to strength, not weaken, encryption"

Wait, am I reading that right? Why would it ever be in the NSA's interest to make encryption stronger for the masses?

I mean, it wasn't until that long ago that encryption tools required a munitions licence to distribute because they were weapons of a sort. Seems to me that keeping an eye on the industry and maybe slipping the odd slight hurdle into it, on the sly, would absolutely be SOP for them. But maybe I'm just too cynical.

21
1
Silver badge
Holmes

Because their job is (was?) ALSO to make sure US companies had the tools to net get slurped by evil commie or french or persian spies. Hence the stadardization effort for DES and later AES, accompanied by efforts to persuade people to make the key maybe not too long.

6
1

Why trust NSA?

Agreed.

Additionally, NSA is made of full load of high quality geniuses. They come from all sorts academic mines and in academics, trust in a theory is only allowed till you have studied it.

So, might be RSA hired non-academics. Sorry for the innocence of industrialization.

0
0
Anonymous Coward

They definitely took the money.. They didn't deny it in case it comes out on the next round of leaks, and when it does they will sack someone as a sacrifice (who incidentally will get a Hugh pay off) and say they had no idea they had been involved.

4
1
Anonymous Coward

Where do you get the idea the NSA's job is to make sure US companies have tools to "not get slurped by evil commie or french or persian spies"?

Is that stated anywhere else on the internet, except in your comment in this thread?

I don't believe that's ever been the NSA's job.

1
2
Bronze badge

NSA *HAS* strengthened encryption

I certainly get the skepticism here, but there has been at least one notable case where the NSA has meddled with a standard to improve it.

When DES was being developed, a part of the algorithm involved some lookup tables that were used to transform input to output as part of the encryption process. Shortly before the final version of the standard, NSA published a new set of tables and requested them to be adopted for the standard.

Years later, crypto researchers analyzed what the NSA did, and found that the original tables had some serious weaknesses that badly hurt DES. The new tables fixed the problem.

Now, I think this is a totally different situation. The problem with dual EC is not that it's weak as such (though it was actually the slowest performing of any of the randomizers in the standard by an ORDER OF MAGNITUDE), but that it is possible to create a relationship between the parameters of the curve that in effect creates a "master key" shortcut to decrypting the data, and there's no way to tell if that relationship exists. Guess who picked the curve for dual EC?

RSA had no good reason, short of money, to use this algorithm by default. It's quite possible they didn't know about the weakness (it took 3 years for mere mortals to figure out). But the fact remains, Dual EC was the worst choice of the three in the standard, by far, so why make it the default?

I've heard that some versions of Internet Explorer use it by default too, but I don't know if that's true. Dirty business.

4
0
Anonymous Coward

@Peter Spicer

To be fair the NSA suggested changes to DES which -as I recall - included a shorter key. Years later it was discovered that their suggestions strengthened DES, so there is a precedent. Odd course, you could argue that they thought they were weakening DES, and what happened was unexpected.

0
0
Silver badge

But following on from more than a decade of fighting strong encryption products like PGP, weakening existing standards and secretly reducing the key length in commercial products exported.

You would have to be very niave and very out of touch not to be suspicious.

Although it is possible that all the world class security experts at RSA never use the internet, or read the newspapers or watch TV or follow the news in anyway.

2
0
Silver badge
Big Brother

Where do you get the idea the NSA's job is to make sure US companies have tools to "not get slurped by evil commie or french or persian spies"?

Is that stated anywhere else on the internet, except in your comment in this thread?

I don't believe that's ever been the NSA's job.

Maybe. But if you want to make your comms somewhat secure (in the 80s or the 90s, say), who you gonna call? That's right, the friendly government bureau who knows about those things.

You want Internet wisdom? I call on ... JIMBO:

The Mission

Role in scientific research and development

0
0
Alien

None of this would be a problem if it was done right the first time

TOR suffers from the same fundamental flaw that SSL does, namely the fact that it's a single-path system. While multi-path isn't fool proof, it certainly makes the interception and tracking a lot harder. For a lot of purposes, the added latency is quite acceptable, and with a little thought, protocols can be envisioned that prioritize information so the less important goes the lower-latency pathways to increase the apparent responsiveness while the "important stuff" goes the tougher to intercept multi-pathways.

In a similar way, cloud services can be made more secure by having clients utilize liner functions. (i.e. Instead of encapsulating a complex function with a simple to call wrapper function, you "line" a complex storage functionality by lining it to make it appear simple.) For example, a locally encrypted virtual drive has its container file hosted on cloud(s) drives. If the cloud vendor proves untrustworthy by backdooring their services to others, the "other" gets the container file, and still has to compromise that to get its contents. (e.g. Something like Truthcrypt with the container file RAID 2 stripped, with part of the container file striped on Dropbox and part striped on Google Drive, yet looking like one Truecrypt drive to the user.) Tougher to get the "whole enchilada" container file, and then even if you did get it, you still have the fact that it's encrypted, and you have to deal with that.

0
0
Bronze badge

NSA and Lucifer / DES

To be fair the NSA suggested changes to DES which -as I recall - included a shorter key. Years later it was discovered that their suggestions strengthened DES, so there is a precedent. Odd course, you could argue that they thought they were weakening DES, and what happened was unexpected.

Argh (and argh also to Pet Peeve, who posted a better but still agonizingly vague summary of the story).

Really, in the time it takes to write a post like this, you could, y'know, look it up. The whole thing is in Applied Cryptography and no doubt many online sources.

1973-1975: NBS, the precursor to NIST, sends out a call for a cipher to establish as a standard. IBM creates Lucifer, as part of its research into block ciphers. (Many notables in the crypto industry were involved: Feistel, Coppersmith, etc.) IBM submits Lucifer to NBS, agreeing to license it without charge.

1975: NBS asks NSA to evaluate the algorithm and suggest changes. NSA makes various changes, in particular shortening the key (effectively to 56 bits) and changing the S-boxes. This is the NSA acting in its official "help US business" role, as DAM said. And many people were suspicious, in their public responses to NBS - contradicting RSA's ridiculous claim "hey, we all used to trust the NSA without reservation" (I paraphrase).

1976-1977: NBS holds public workshops to evaluate the revised Lucifer. There is much debate, but NBS standardizes it as DES anyway.

Schneier notes: "Off the record, NSA has characterized DES as one of their biggest mistakes". Why? Because the standard described it as a hardware cryptosystem, but provided enough information to implement it in software. Apparently someone high up at NSA thought DES would only ever appear in hardware, which would be much easier to keep under export control.

In the '80s, various other groups (ANSI, some ISO working groups) adopted DES as a general standard, or as part of other standards. It became entrenched (later in 3DES form to fix the short key).

1977-1981: Various researchers show just how vulnerable DES's short key is. Specifically, they come up with informed estimates for DES brute-force cracking machines (between $5m and $50m) and estimate how long such a machine would take to crack a ciphertext (on the order of a few days; remember this is for circa 1980). There's widespread suspicion that NSA shortened the key so well-funded adversaries (i.e., the NSA) could decrypt communications they felt were particularly interesting.

There was also a lot of worry that DES was a group, possibly a pure or even closed group; that would make multiple-encryption pointless (3DES would be no stronger than DES), and if closed would cut the effective key length in half, to 28 bits (via a meet-in-the-middle attack). The associated concern was that the NSA knew DES was a group, and possibly had made it a group by mucking with the S-boxes. In 1992 this was publicly disproven (DES is not a group), and Coppersmith says IBM always knew it wasn't a group, but kept the details secret (because, hey, they're IBM).

What about those S-boxes? They're the non-linear part of DES, and the only real security. Each S-box is a substitution table with a 6-bit input and a 4-bit output. IBM submitted Lucifer with one set of S-boxes; the NSA sent it back with a different set. IBM couldn't find anything wrong with the NSA's set. Some found this worrying.

Did the NSA use subtly-weak S-boxes (i.e., ones with hidden algebraic structure) so they could break DES? Did they change the S-boxes because they were worried IBM might have put a similar backdoor in their original set? Did they know something that wasn't in the published literature?

In 1990, we got a strong indication that the answer to the last question was "yes", when Biham and Shamir published their work on differential cryptanalysis. DES is "vulnerable" to DC, in the sense that there are better-than-brute-force attacks against DES with DC. But the S-boxes in DES turn out to be optimized against DC. What a coincidence! Coppersmith has said that IBM and NSA knew about DC back when DES was created.

In 1993, Matsui published on linear cryptanalysis. It turns out the DES S-boxes are not optimized against LC. You can crack stock DES with around 243 known plaintexts using LC.

So: Did the NSA not know about LC in 1976? Did they know about it, and keep it as their own backdoor? Did they know about it, but also know about something worse that made it impossible to optimize the S-boxes against both DC and LC and mystery-analysis? Only their tobaccanist knows for sure.

tl;dr: The NSA both strengthened and weakened DES, almost certainly deliberately. Their involvement was always controversial.

1
0
Bronze badge

Duh

"...we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use..."

Well, you would have to be pretty dumb to put your sneaky business on record with a contract or setting up a project to do so, wouldn't you?

13
0

They would say that

wouldn't they.

10
0
g e
Silver badge

Re: They would say that

Oh I dunno. They could always fess up and shut the business the same afternoon

0
0
Go

Re: They would say that

"You may very well think that but I couldn't possibly comment"

1
0

And all the color printer manufacturers just decided one day to print identifying information on every single print issuing from their machines. Coincidence? Would have to be otherwise it would be a violation of some anti-trust law. (The yellow ink cartel?)

Remember, when folks accuse you of being a conspiracy buff, politely answer in the affirmative and ask them, "Are you a coincidence buff?" (HT to Daniel Sheehan)

16
0
Bronze badge

Are you a coincidence buff?

Actually, yes. If events A and B have no causal connection, then you have maximum information entropy. More for your money!

1
0
Silver badge

It's True

It isn't a backdoor if it's put there intentionally for use by a select group. It's more of a service entrance really.

17
1
Mushroom

You'll notice they don't deny taking the $10M.

Dual_EC_DRBG was known to be weak and slow and suspect even before it was adopted as a standard.

RSA made it the default in mid 2006 in spite of the known concerns.

By 2007, both Schneider, Microsoft, and others had shown it was fatally weak and flawed.

RSA kept using it as the default till late 2013.

They were either in the NSA's pocket or stunningly incompetent at security, which is supposedly the one thing in the world they were the best at.

14
0
Mushroom

Regarding RSA's competence or lack thereof, I'll just leave this link here.

http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/

4
0
Bronze badge

Indeed. Rivest, Shamir, and Adleman are certainly very competent. The corporation that bears their initials, on the other hand, has something of a mixed record.

That said, it's hard to believe that making Dual EC DRBG the default for BSAFE was an honest mistake. When it was first published people began to question its utility, since it's slow and has no obvious advantages over competitors.

And, of course, the standard has an appendix that says, in effect, "hey, here's how you can generate your own points on the curve, rather than using the ones we gave you, which you have no reason to trust". Using your own points doesn't affect FIPS certification or any of the other patently bogus justifications RSA Corp is now spouting.

So either incompetence (i.e., some PHB decided to make stock Dual EC DRBG the default, and none of the techies called him on it), or malice. Take your pick.

1
0
Anonymous Coward

"Why would it ever be in the NSA's interest to make encryption stronger for the masses?"

They are presumably in the business of providing security to national interests against outside attacks, so it would arguably be in their best interest to provide the national infrastructure with secure encryption to protect them from being monitored by outside groups. Of course, such outsiders themselves would undoubtedly obtain those tools as well, so it makes sense that they'd support a method that included a weakness only they knew about. For that matter though, any number of other algorithms could have weaknesses known only to their creators and select groups they share the details with, or perhaps flaws not known to their creators, but discovered by others. RSA might not have fully trusted the algorithm, but then again, no such algorithm should be completely trusted.

4
0
Linux

You've got to be kidding. The NSA does what it does, and dosen't give a sh*t about outside, inside or in between. It is in the business of gathering information even if they don't have a use for it. It's in the busines of spying and to accomplish its mission through clandestine means. It's budget is not made public. Even the number of NSA employees is classified. It's more than big brother, it's big sister, mother father and is not accountable to anyone, even the President and Congress.

7
1
Bronze badge
Big Brother

NSA are in the business of providing security?

"They are presumably in the business of providing security to national interests"

Going on recent revelations, its the NSA that are the threat to national interests. What with live fire military excercises being carried out in US cities, all it's take is for some right-wing demagogue to declare martial law. And the likes of NSA are on stream to provide total information awareness.

"it would arguably be in their best interest to provide the national infrastructure with secure encryption to protect them from being monitored by outside groups"

The NSAs function is to spy on people, not protect them from being spied on by 'outside groups'. As for 'secure encryption', see above, you can't have 'secure encryption' that isn't really secure. That's why DES was crap in the first place ...

1
2
Bronze badge

It is in the business of gathering information even if they don't have a use for it.

It's also in the business of making the same activity harder for its competitors in other nations, nitwit.

0
0
Paris Hilton

we're not in it just for the money

honest!

0100001001010011

1
0

or introducing potential ‘backdoors’ into our products for anyone’s use.

They didn't really say that... they did... OK. Wow!

The NSA says they have to say that. To say anything else would be in breach of their contract with the NSA. The consequences of violating that contract are, AFAIK, unknown. Eddy?

2
0
Silver badge

Truism

Anyone who's ever told a whopper of a lie, has kids, or remembers their childhood, knows you never dish out more than a single helping of bullshit per seating. You've got to keep it simple.

Not only is crossing the streams of your bullshit the worst way to lie, it's also the best indicator of when you're being lied to. Telling the truth is always a straightforward thing and doesn't need 'proofs'. Speak the truth and if people don't believe you then that's their problem. It's easier that way and ethically sound as if they can't handle the truth, there's fuck all you can do about it.

Truths are delivered in nice, neat little packages, that are attractive and easy to open. Bullshit on the other hand is delivered in big, bulky crates that you've got to disassemble with a hammer then wade through 350lbs of packing peanuts the get at the useful contents and you're still on the hook for disposing of the crate and the waste from opening the package.

10
1
Silver badge

Re: Truism

@Don Jefe

I'd agree, broadly, but of course politics shows us time-and-again that the "nice, neat little packages" are often the lies as an accurate understanding sometimes requires more information than can fit in a soundbite.

I like the point-form format of RSA's response but an accurate representation of the facts requires additional points:

  • The Dual EC DRBG is only one of four PRNGs in the NIST standards document.
  • The Dual EC DRGB was known to be created with input from the NSA* (this is mentioned in the NIST document).
  • The Dual EC DRGB is significantly slower than the other three RNGs in the NIST standard.
  • The NIST document contains no proof (nor does one exist) of Dual EC DRGB's strength (which would serve to offset the extreme computational expense).
  • Very shortly after the publication of the NIST standard, two independent teams discovered that the Dual EC DRBG contains a noticeable bias which could be exploited, given access to other information.
  • Potential for such a bias is well known in cryptography and avoiding it is trivial.
  • A year later, another pair of researchers found that that operation of the standard (specifically, the fixed choice of ellipse points) enables the bias flaw to be exploited by anyone with access to information about how the points were chosen.
  • While it is possible no one has this information, the only people who could have it are the NSA and NIST.
  • Even if no one has that information now, the fixed nature of these points means that if they were ever determined at any time, every implementation of the cryptography would be forever broken and all messages rendered trivial to decrypt.

The lack of proof should have caused RSA to examine the standard more closely before making it the default PRNG. Failing that, the findings of bias in 2006 should have been enough to warrant caution and a review by RSA. Failing that, the presentation by Ferguson & Shumow a year later should have raised such flags as to prompt RSA to immediately alter their default PRNG and inform their customers of the potential vulnerability.

Simply saying they "[relied] upon NIST" is utterly inadequate, given that NIST provided no proof of the security of the PRNG**, while independent researchers had proven that there are real, exploitable flaws in it. What justification did the RSA have to rely on a body that provided no proofs?

The short version of the whole affair is that RSA is one (or more) of the following:

  • Complicit (in NSA weakening of cryptography)
  • Ignorant (of cryptographic research)
  • Lazy
  • Stupid

In denying the first (as they are), RSA is effectively admitting to one of the others. None are good for a company in the business of protecting users' privacy.

* - We now know that they were the sole author but we must assume RSA did not know this at the time.

** - There can be none.

18
0
Silver badge
Trollface

Re: Truism

The Album of the soundtrack of the trailer...

Interviewer: An excerpt from Carl French's latest film. Carl, we're all a little mystified by your claim that your new film stars Marilyn Monroe.

Carl French: It does, yes.

Interviewer: Who died over ten years ago?

Carl French: Uh, that's correct.

Interviewer: Are you lying?

Carl French: No, no, it's just that she'e very much in the public eye at the moment.

Interviewer: Does she have a big part?

Carl French: She is the star of the film.

Interviewer: And dead.

Carl French: Well, we dug her up and gave her a screen test, a mere formality in her case, and...

Interviewer: Can she still act?

Carl French: Well... well, she-she's still has this-this enormous, ah-ah, kinda indefinable, uh...no.

0
0
Silver badge
Trollface

Re: Truism

Simply saying they "[relied] upon NIST" is utterly inadequate, given that NIST provided no proof of the security...

Actually, RSA was using it even before NIST was done with approval, maybe even before the approval process was even started.

From the reuters article:

RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.

6
0
Silver badge

Re: Truism

@D.A.M.

Yup. Two years earlier, in fact. You'd reckon that would imply that they had examined it and approved it independetly of NIST. You know, being a leading provider of cryptographic solutions and all . . .

I like the part where RSA talk about "newer, stronger methods of encryption". ECC is definitely designed to address issues with older cryptographic methods - specifically the need for ever-longer keys. In other words, the idea is to make it more efficient. Except, you know, this particular implementation of ECC is orders of magnitude LESS efficient. And has gaping holes, just for laughs.

It's like deciding on a diesel engine over petrol only to choose a car that drives at 1kmph and has wheels attached with cable ties.

6
0
Silver badge
Meh

Re: Truism

A major problem with any government is that it's required, by default, the be the final authority on everything inside its boundaries. The ultimate decision on any matter must be someone's responsibility and we've chosen the government to be that someone.

One of the ways that causes problems is that if the government decrees (x) to be a certain way, then you have no liability in choosing to accept their decree. That decree is retroactive and allows citizens/company's to offset what would otherwise be their own responsibilities and it's an unavoidable fact of having a government. It obviously has both up and downsides.

In this case RSA can't be held liable, at all, for using an NIST approved algorithm, the ultimate authority had already ruled. But at the same time, the government being that final authority is what allows the common person (that's us :) to seek redress when we have been wronged and provide protections to (in theory) minimize the chances of being wronged to begin with.

The downsides are an enormous problem. You can't put ultimate authority in the hands of private entities, but putting in the hands of government, any government, guarantees that ultimate authority is completely vulnerable to politics and the inefficiencies and bureaucracy that are inherent it governance of any sort. Short of making me Supreme Chancellor of Earth I don't know how to solve the problem.

The core issue is one of enormous philosophical depth: Where does, and where should, the ultimate authority in a society rest? It is not a matter of technologies or politics and the trouble is most people, and all governments, really suck at the contemplation, analysis and answers to those kinds of issues. It used to be the Church, and I think what we've got now is somewhat of an improvement. At least governments change and can be changed. Trying to dispute a supernatural being who only communicates with Humans via an old white man is nearly impossible.

3
0
Silver badge

Re: Truism

No RSA can't be held liable for being ordered by a secret court to do as it was told - just like Huawei can't be held liable in China for doing the same thing.

But all RSA's foreign customers can now decide that it is about as trustworthy as Huawei and be about as likely to use if to for important stuff. Its US customers will ask themselves if secured by RSA now means - "copied to the IRS" and every other government agency.

6
0
Silver badge
Unhappy

Re: Truism

Agreed. This is actually a situation in which 'voting' with your wallet could actually be effective. It could be the IT Security sectors horror story example for the 21st century. It could appear in university ethics textbooks and organizational management training seminars for decades. It should be he horror story.

But I don't think it will. If there are more than a handful of defections I wold be truly surprised. I would be shocked if a top tier customer abandoned RSA over this. A lot of people will pay lip service to the idea of changing providers, but I doubt a single one of those people will be decision makers. It's a sad state of affairs, but I've found that most people value a discount on future purchases over most anything else.

3
1

Re: Truism

If those decision makers share a belief set with NSA and friends then they would not have a serious objection to NSA being able to read their documents, so they would see no need to change suppliers.

Those who see themselves as outside the 'group' might well decide to consider alternatives.

0
1
Silver badge

Re: Truism

They can consider all they want, but unless they actually have the capacity to affect change it's all just tough guy talk and nothing will happen. Those outside the group have no effective influence, leverage or ability to make decisions large enough to cause RSA any damage.

1
0
Silver badge

Re: Truism

"Trying to dispute a supernatural being who only communicates with Humans via an old white man is nearly impossible."

Actually, that does sound a bit like the government. At least the one we have in Australia and certainly the previous POTUS.

I get the bent of your argument but I think it's a little flawed in applying it to this specific case.

Working from the standpoint that RSA was not helping the NSA to weaken cryptographic standards (benefit of the doubt), we need to look at what they were trying to achieve.

The first thing to note is that there is no requirement to use any of the PRNGs in the standard when making a cryptographic product.

Even when aiming to comply with FIPS 140-2 there is certainly no requirement for any particular algorithm to be used, just so long as there is support for at least one of the DRBGs specified in NIST Special Publication 800-90A.

You don't have to implement all of them as there is at least one certified product that ONLY uses the Dual EC DRBG. Even if you use all of them, there is no requirement to have one or another as the default.

The RSA might not be "liable" for using a NIST approved algorithm, but they are certainly answerable to their customers for using an algorithm that is known to be flawed. NIST did not provide rigorous (let alone formal) proofs. RSA evidently did not conduct these on their own. Other people did and found serious issues. At that point, RSA could have both maintained their FIPS compliance and increased the security of their toolkit - all it would have taken was to remove the Dual EC DRBG generator or, at the least, stop making it the default. At least until they had independently (of NIST/NSA) verified the security of the algorithm.

Remember, RSA were at the vangaurd of challenging the NSA in its restriction of cryptographic software exports and it's development of the 'Clipper' chip. It's worth noting that the Clipper chip came from the MOU between the NSA and NIST and it is this same MOU that, as summarised in the link, states that:

"NIST responsibilities include . . . recognising NSA certified ratings of evaluated trusted systems without requiring additional evaluation . . ."

This explains why the Dual EC DRBG was included in the NIST standard - it was 'vouched for' by the NSA. This also explains why there is no proof. What it doesn't explain, is why RSA - a company with a history of challenging the NSA on cryptography and security - decided to simply take the word of NIST, who in turn took the word of the NSA.

And it definitely doesn't explain why they continued to do so, even in the face of evidence that the algorithm was flawed.

2
0

Remember When...

Hacking was something computer hardware/software enthusiasts did to maximise the use of their equipment. Then suddenly, in seemingly an instant, MS was on a lot of desktops. As hackers played with this equipment, they found that there were many backdoors, even from the early DOS days, before Windows. MS did next to little about these backdoors that hackers were finding for very long periods of time. Why?

9
0
Anonymous Coward

Re: Remember When...

As hackers played with this equipment, they found that there were many backdoors, even from the early DOS days, before Windows. MS did next to little about these backdoors that hackers were finding for very long periods of time. Why?

That may not always have been with evil intent - I personally suspect that came much later. Early days computing was more about keeping the damn things running against all odds :). I recall the TSR fights: trying to push as much as possible into high memory to keep enough of that that precious 640k free so you could actually get some work done whilst keeping the box on the network.

To illustrate the point, the early generation Linux (think Slackware on 14 floppies) was not exactly solid in terms of security either. The Net was in those days more about communicating and less about commerce - even USENET was still of some use then.

MS had (and has) a very simple, binary focus: does the effort contribute to income? If not, don't do it. There's nothing more to it. As long as CLIENTS do not make alternative choices because of whatever deficiency, MS couldn't care less. Security is at best a sales statement for them, not a goal per se.

10
1
Silver badge

Re: Remember When...

@AC

Points for reminding me of endless hours fiddling with LH/DH - most memorably in trying to get spech synthesis working in Dune II.

I remember having several custom AUTOEXEC.BAT/CONFIG.SYS pairs that I would swap in for various programs/games before restarting the PC. Kids these days have it too easy etc . . .

It has, however, spilled over into a pathological need to trim Windows down as lean as it will go.

3
0

Re: Remember When...

Those v were the days - when you had boot floppy (if others used the PC) which had ended up having a menu for each game. If I recall, it was also possible to group config.sys settings for specific games too.

Now I just curse surgeon simulator for not having shadows on Linux - you have no idea how difficult it is to do a brain transplant in an ambulance going over speed bumps when you have no sense of depth!

1
0
Anonymous Coward

They are all lying

There is money involved.

4
0
Anonymous Coward

Follow the money?

Couldn't some investigative journalism into the company's published accounts provide independent supporting or disconfirming evidence for this?

1
0
(Written by Reg staff) Silver badge

Re: Follow the money?

Sure - we've already shown that $10m would have been 30% of Bsafe's annual revenue at the time (Register passim), so we're on it.

C.

8
0
Silver badge

Re: Follow the money?

Follow the money? In the US or the UK you could easily implement laws that allow money to be followed. But the elected governments seem to know this means their money could be followed too so it never happens.

If the $10million was paid you can guarantee that the encryption used to shift it around would not be leaky. We need someone on a tropical island with a pocket line-printer.

0
0
Silver badge

Re: Follow the money?

If there was a $10M invoice to NSA for "services rendered" - then yes

If there was a $10M higher bid that was accepted somewhere in EMC's $15Bn of sales to the government - probably not

3
0
Silver badge

Re: Follow the money?

Following money isn't easy to do. No matter how many resources you have to devote to finding it. You can completely disappear quite a bit of money and never leave a trail a reporter or law enforcement officer can follow.

Just because a company is publicly traded doesn't mean you get to look at their detailed books. Those are confidential, even for major shareholders. Besides, detailed books are so complex that you can devote entire teams of financial forensics experts to an audit that takes months or even over a year and still not figure out how it all works.

The actual financial information companies are required to disclose is so high level that it's fairly useless beyond how much money was made vs lost. That's why analysts and brokers are so consistently wrong. On top of that, it's a lot easier to hide money when the people who are giving it to you are the people who make the rules about telling them about it.

2
0
Silver badge

Re: Follow the money?

Hell - earnings reports don't even have to break down sales/revenue by territory.

Without some verifiable internal documentation, this is going to remain in the accusation-denial stage.

As I said above, I don't know what's worse - a security company helping the NSA to weaken encryption or a security company being so utterly inept as to disregard the research of their fellow security professionals.

I always got the impression that the security world was a fairly small group, with all the big names well known to each other and, even when they disagree, showing mutual respect. How did they answer the claims from their fellow security researchers?

"That's very interesting and you are smart lads, but we think we'll trust these people over here. Yes, the ones who won't provide any proofs. Thanks anyway . . . "

1
0
Silver badge
Thumb Up

Re: Follow the money?

You're spot on about the security world, I hadn't even considered the intra-peer group implications. I would think it really would dent ones reputation to be implicated in this, I know an abuse of client trust like this in my industry would be a real career speed bump.

I can't believe every computer security professional is an ethically deficient pseudo-spy though. I would assume only a small group knew the facts, the rest were guilty only of doing their jobs and trusting others. I realize being effective in any sort professional security role requires a healthy level of distrust by default, but effective security also requires higher than average levels of trust between security operatives and their clients. There can be no security, of any sort, without trust, which is why it's so extra screwed up when those near the top of the chain abuse that trust. The repercussions end up getting on everybody's shoes.

2
0

Page:

This topic is closed for new posts.