back to article How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report

The mystery of why RSA would use a flawed, NSA-championed algorithm as the default random number generator for several of its encryption products appears to be solved, and the answer is utterly banal, if true: the NSA paid it to. Reuters reports that RSA received $10m from the NSA in exchange for making the agency-backed Dual …

COMMENTS

This topic is closed for new posts.
  1. This post has been deleted by its author

    1. Fill

      A different era?

      True, although back then the NSA had a lot more respectability. RSA might have honestly thought the NSA was recommending the algorithm to help protect national interests, not undermine them. It's a bit naive today to ask "Why would the NSA want to work against us to weaken our encryption?" knowing what we know now, but back then?

      1. frank ly
        Facepalm

        @Fill Re: A different era?

        I recommed _this_ lock/key system, which I developed, for you to use in your worldwided premises protection system. You have doubts and questions? I'm so convinced that I'll give you $10 million to use it. Oh, I see that you are now convinced that it's the best choice.

        1. Jordan Davenport

          Re: @Fill A different era?

          I imagine it more went along the lines of "Here's a new encryption algorithm we developed to boost security. If you use it, we'll give you $10,000,000 to cover development costs for inserting it into your encryption products and make implementation worthwhile for you."

          1. Fill

            Re: @Fill A different era?

            "I imagine it more went along the lines of "Here's a new encryption algorithm we developed to boost security. ..."

            It was a random number generation method (Dual Elliptical). The NSA played on that it was what they used internally. Had nothing to do with the actual encryption methods, but a bad random number generator is going to defeat RSA.

            1. Jordan Davenport

              Re: @Fill A different era?

              Er, right, I read that. My train of thought derailed when someone else grabbed my attention before I responded. Let me amend that, then... "Here's a new pseudorandom number generator we developed that provides a more random seed than other algorithms."

              Have a vote-up for catching my derp.

      2. Yet Another Anonymous coward Silver badge

        Re: A different era?

        > RSA might have honestly thought the NSA was recommending the algorithm to help protect national interests,

        And people might honestly have thought that the Tories were privatising Royal Mail to ensure a better service for little old ladies and better pay and conditions for the posties

      3. cnd

        Honest cryptographic mistake? - no chance

        They removed the existing PRNG and inserted a new one (in exchange for a $10M payment) which they admitted was suspicious (was 1000x slower than normal, and had no security proof - their words, not mine).

        The problem is that PRNG's get SAFER if you add (xor) them together - there is never any reason to REMOVE one.

        They ABSOLUTELY knew they were reducing the security, because they took DELIBERATE cryptographic steps to make sure they did this (removing the secure PRNG, instead of keeping it with xor). No crypto coder would EVER do that without knowing why (which, of course, was that $10M)

        (and, to state the bleeding obvious - the NSA will have made them sign an agreement for that $10M, or else face incarceration, so we will never really know the full truth... at least... not until Snowden leaks it :-)

      4. Anonymous Coward
        Anonymous Coward

        Honest cryptographic mistake? - no chance

        They removed the existing PRNG and inserted a new one (in exchange for a $10M payment) which they admitted was suspicious (was 1000x slower than normal, and had no security proof - their words, not mine).

        The problem is that PRNG's get SAFER if you add (xor) them together - there is never any reason to REMOVE one.

        They ABSOLUTELY knew they were reducing the security, because they took DELIBERATE cryptographic steps to make sure they did this (removing the secure PRNG, instead of keeping it with xor). No crypto coder would EVER do that without knowing why (which, of course, was that $10M)

        (and, to state the bleeding obvious - the NSA will have made them sign an agreement for that $10M, or else face incarceration, so we will never really know the full truth... at least... not until Snowden leaks it :-)

        1. tom dial Silver badge

          Re: Honest cryptographic mistake? - no chance

          "They removed the existing PRNG and inserted a new one ...". I do not think reports made any such statement. Bruce Schneier's article in 2007 describes the problem with dual_ec_drbg clearly and quite at odds with much of what has been written recently.

          https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

          In particular: "Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC-DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does." While it would make no difference as to whether anyone should use Dual_EC_DRBG, it would be interesting to know if anyone has found evidence that NIST or NSA does, in fact, know the secret numbers to enable a back door.

    2. ACx

      Yeah. What you do is use the word "patriot". For an American its like a magic word that suspends brain activity and relaxes the rectum.

      And no, Im not joking. just look in to American schools. They teach allegiance to the flag like christians teach the good book. American children are literally brainwashed into believing in American supremacy. Such that, if you question that allegiance and patriotism you get a fairly disproportionate reaction. So, to get otherwise decent people to go along with questionable government policies, all they have to do is question their patriotism.

      Frankly, Im surprised it cost the NSA $10M.

      1. P_0

        American children are literally brainwashed into believing in American supremacy.

        I'm sorry, where in the pledge of allegience is there any mention of American supremecy?

        Such that, if you question that allegiance and patriotism you get a fairly disproportionate reaction.

        Kind of like a TV presenter preferring not to where a poppy on her collar. Just watch the disproportionate reaction.

        1. Christoph

          "I'm sorry, where in the pledge of allegience is there any mention of American supremecy?"

          The brainwashing isn't in that bit. It's in things like their 'history' lessons, where anything that shows the US in a less than perfect light is sanitised out. They are taught over and over that the US is better than any other nation and doesn't do anything wrong.

          1. Graham Dawson Silver badge

            Want to know a funny thing?

            The pledge of allegiance, veneration of the flag and "the republic" as unitary entity all date from the end of the 19th century and were originally introduced by christian socialists, who wanted to break the bond between the states and their citizens in order to craft the perception of the USA as a unitary nation. At the time, US citizens identified themselves by their state, the state government was their primary means of representation, and the federal government was still a remote thing with little impact on their lives.

            It's amusing that what was once a very left-wing project is now taken as a very right-wing ideal.

            1. SleepyJohn
              Big Brother

              ... said the spider to the fly

              Those without their heads in the sand can see exactly the same thing going on much closer to the English Channel.

              PS This was a reply to @Graham_Dawson's comment "Want to know a funny thing" - don't know how it got here. However, it sits quite well after the Russian thing.

            2. This post has been deleted by its author

            3. h4rm0ny

              "It's amusing that what was once a very left-wing project is now taken as a very right-wing ideal."

              Left Wing and Right Wing do not respectively mean 'things we like and things we don't'. Pledging allegiance to the flag is neither socialist nor none-socialist. It's just propaganda and indoctrination, something common to either end of the Left-Right spectrum.

              This is what biased media leads to: attribution of anything negative to the faction you oppose. Racism? Homophobia? These must be things that are Right Wing because I am Left-Wing.

              1. Graham Dawson Silver badge

                @h4rm0ny

                Notice I made no comment on the "goodness" of the pledge; just that the perception of its political alignment has changed.

                1. Tom 13

                  Re: @h4rm0ny

                  It wasn't just the perception but the pledge itself. As originally written there was to God which turns out to be an inherently anti-communist concept. As it was re-written it is a good model for any country to adopt. But then I expect a bunch of militant agnostics and atheists won't quite see why it works.

          2. phil dude
            Meh

            unlike in the UK....

            where they had to "invent" a citizenship test to keep the population in order?

            But seriously, a lot of that comes from the reality that America saved the world (i.e Europe) some 70 years ago.

            Its just a shame, that the politics have created such a toxic atmosphere.

            Although the rise in military/industrial complex didn't help....

            P.

            1. Anonymous Coward
              Anonymous Coward

              Re: unlike in the UK....

              See, it's true. The US really do believe they helped win WW2.

              In fact the Russians lost 20 times the number of soldiers as the US fighting the Germans.

              Who broke the enigma code? the UK did.

              1. phil dude
                Pint

                Re: unlike in the UK....

                i was thinking of things like the Marshall plan etc... If you think Europe is in a mess now, imagine what it would have been like without American assistance. Enlightened self-interest it may have been, but we all benefited. The British cracked enigma with help from the Polish and a great deal of astonishing ingenuity. But also a degree of Nazi incompetence. If the Americans had not sent the massive amount of support they did (leased or otherwise), history could have been very different without D-day.

                I got a few thumbs down for saying it, but the American constitution and system of government is a historically amazing human achievement. It was an isolated event drawing much inspiration from the French revolution (via B.Franklin ), and coming "hot on the heels" of the English civil war. But the ideal of "life, liberty and the pursuit of happiness" is simply an amazing observation.

                The complete rejection of the farce that was royalty in 1776, is just as relevant today.

                It is just a shame we find ourselves in the short sighted situation that the amazing human achievement of the internet, actually has the governments and trans-national corporations, deliberately making it less useful for the public, to suit their own ends.

                Beer, as it ferments ideas as it quenches thirst.

                P.

                1. Christoph

                  Re: unlike in the UK....

                  "I got a few thumbs down for saying it, but the American constitution and system of government is a historically amazing human achievement. It was an isolated event drawing much inspiration from the French revolution (via B.Franklin ), and coming "hot on the heels" of the English civil war. But the ideal of "life, liberty and the pursuit of happiness" is simply an amazing observation."

                  Unfortunately one of the reasons it's isolated is that many other countries who established democratic governments found themselves invaded or subverted by the US to put in dictatorships who would be more amenable to doing what the US wanted rather than what their populations had voted for.

                2. ThomH

                  Re: unlike in the UK....

                  "I got a few thumbs down for saying it, but the American constitution and system of government is a historically amazing human achievement. It was an isolated event drawing much inspiration from the French revolution (via B.Franklin ), and coming "hot on the heels" of the English civil war. But the ideal of "life, liberty and the pursuit of happiness" is simply an amazing observation."

                  The American constitution and system of government is nothing like an isolated event. It is explicitly a fork of the British system, run locally so as to be answerable to local needs. It was designed to be bicameral with one house that lots of people are elected to and the one house that a small number of people are chosen for by other important people. It uses an adversarial, precedential legal system based on the premise that everything is legal unless explicitly proscribed. It explicitly adopted all British case law up to the cut off. Major political party for the first half century? The Whigs.

                  The British system, of course, directly descends from that imported from Normandy by William the Conqueror in 1066. Ever wondered why we have mortgages, a few of which are puisne, or why civil wrongs other than those arising due to contracts are called torts?

                  Converting Locke's "life, liberty, and estate" to "life, liberty and the pursuit of happiness" does not an isolated event make.

                  1. Yet Another Anonymous coward Silver badge

                    Re: unlike in the UK....

                    Given that one of the main aims of the constitution was to prevent the formation of an all powerful central government in the hands of a few imperial families and largley influenced by religous extremists - I would give it 5/10

                  2. Tom 13

                    Re: nothing like an isolated event.

                    The author may have chosen his specific words poorly, but his point stands. No country before or since has encapsulated in a single document as much liberty for its people as this document did. The French had at least 3 more tries after we created the template and still haven't gotten it right. You Brits improved a bit for a while, then fell into the mistakes of Marxism, which despite Maggie's tenure, persist and cripple your country to this day.

                    Yes, it builds on specific British events and law (most notably the Magna Carta). But it took them to their logical and natural law conclusions and developed a government that until Wilson and FDR largely kept government functions closest to their proper sphere of execution. That the US has since fallen to the same socialist forces as Britain does not negate that.

                    1. ThomH

                      Re: nothing like an isolated event. (@Tom 13)

                      If we're going to stick to America versus the UK, highlighting the existence of the constitution doesn't make a lot of sense because the UK is almost unique in being designed around not having one — the UK has a series of distinct documents that are considered as being of constitutional significance (ie, are not subject to implicit repeal per Factortame) but everything else is up for grabs or dictated by case law. For example, the protection against arbitrary imprisonment in England is the court's ability to issue a writ of habeas corpus. Does that make it any less of a protection? The only thing that stops the monarch from grabbing back absolute power is the certainty of what the public would do as a result. Does that make a sudden switch from democracy to dictatorship somehow more likely?

                      History further shows that the USA has been no faster to gift liberties in practice.

                      In the British Empire, trading in slaves became illegal in 1807 and keeping them at all became illegal in 1833. The USA banned the import of slaves in 1807 but didn't manage to abolish slavery until 1865. So which nation was ahead in liberty?

                      Nowadays the UK doesn't execute prisoners because it learnt the hard way that criminal systems are fallible no matter how many rights of appeal are offered. It has free comprehensive healthcare not just on humanitarian grounds — the belief is that healthcare is a fundamental right — but on purely functional ones: if a significant proportion of your population has worse health then that means you're likely to have worse health too, since many types of bad health are contagious and public spaces are shared.

                      Those are things a European mindset would suggest are advances but with which a USA mindset wouldn't agree. But that's just more evidence that most of the world does not recognise the American norms as some sort of ideal.

                3. harry1867

                  Re: unlike in the UK....

                  The French Revolution came well after the Declaration of Independence (16 Years). Though no doubt the ideas of Voltaire, Diderot et al were in the air.

                  The authors of the federal papers, Declaration, and Constitution were all educated in the classics, read Latin and in some cases Greek. They were well aware of the strengths and weaknesses of Athenian democracy and Roman republicanism, and crafted their foundational documents accordingly. It has been a remarkable success, though in many ways that seems to be grinding to a halt as it did for their ideological forebears.

                  Americans are so immersed in self-love that they are incapable of crediting a person of any other nationality as producing anything of benefit. A simple example: The rotten Phillip's Head screw (an American invention) totally dominated over the Robertson's Head (A Canadian invention). Only recent re-branding as Square Recess after the inventor has been forgotten and patent rights expired has led to Robertson's Head gaining decent market share.

              2. Ken Hagan Gold badge

                Re: unlike in the UK....

                "In fact the Russians lost 20 times the number of soldiers as the US fighting the Germans"

                The Russians were *only* fighting the Germans, and didn't lose significantly more soldiers than the other side. Meanwhile the UK and US were also fighting the Japanese. Indeed, Stalin's complaint that they were *only* fighting the Japanese was an understandable one even if exaggerated. The Russians also had a 1000-mile land border with the Germans whereas we had a handy stretch of water, so perhaps this was an inevitable division of labour.

                Then there's the problem of looking at 1940 through the lens of 2013. It is hard to realise that the UK was still a world empire at that time whereas Russia was an agricultural backwater that had only recently discovered heavy industry (and fighting perhaps the most industrially advanced country in Europe). The war effort meant that the post-war world saw the dis-mantling of the UK's empire but the Cold War created the Soviet war machine that most of us were taught to fear during *our* childhoods.

                "Who broke the enigma code? the UK did."

                Well. you have a point there. On the one hand, we had the actual device to look at so it wasn't surprising that our team cracked the code first. On the other hand, the perversion of history by certain Hollywood execs is frankly tasteless when one considers the extent of losses on all sides. Enough US personnel died in WW2 that (one would have thought) the generation of Americans that came afterwards would feel obliged to simply be honest about this period.

                1. Thorne Kontos 1

                  Re: unlike in the UK....

                  Yes, we all know the Brits are never wrong...nor should they be chastised for being "brit-centric"

                  just as Americans are "american-centric" in theirs.

                  Brief historical interlude follows:

                  >In 1939, cryptography expert William Friedman was hired by the U.S. Army to work on breaking the Purple cipher. Eighteen months into his work Friedman suffered a mental breakdown and was institutionalized. Fortunately, he was able to make some progress before this and, using his incomplete work, other members of his team were able to make continued progress. A substantial chunk of the code was broken, and even though a Purple Machine had never been seen by American code breakers, eight functional replicas of the Machine were created. Eventually, Purple Machine’s method of encryption was completely discovered. This, however, did not mean that the messages could be broken because the daily keys being used were still a mystery to code breakers.

                  In time, Lt. Francis A. Raven discovered a pattern being used by the Japanese in their daily keys. He noticed that each month was broken into three ten day segments in which a pattern was discerned. With the final touches made to the puzzle by Lt. Raven, the Purple cipher was effectively broken and Japanese secrets were exposed.

              3. James Gosling

                America in WW2

                America entered the war after Pearl Harbour, to serve it's own interests not to save the world from Fascism. Whereas Britain bankrupted itself fighting WW2, as a result of the US's late entry into the war they emerged as the new economic world power. And whilst the US loaned money to Britain to help it rebuild (at a favorable rate of 2%) it extracted a lot of other terms, such as Britain giving up most of its territorial claims abroad, access to resources for their heavy industry and lots of other agreements which all added up to a golden ticket for America.

                1. Tom 13

                  Re: America in WW2

                  The US entered the war long before Pearl Harbor (note the correct spelling, as the name of a place it is not correct to add the British "u"). The lend lease program and other activities were all part of FDR's foreign policy which aimed to thwart Axis objectives. In fact, you can argue that it was those actions that caused the Japanese to attack Pearl when they did.

                  As to the terms of the agreements, consider it evening the accounts for the mercantilism we experienced when we were a colony.

                2. Thorne Kontos 1

                  Re: America in WW2

                  Having the only intact industrial base certainly helped matters as well. Since then, Americans have learned to be their own worse enemies... A majority elected Barack Obama... twice! (based on snake-oil salesmenship deliverred courtesy of a teleprompter and off stage speech writers.)

              4. Tom 13

                Re: unlike in the UK....

                Who threw more Shermans at them than they had artillery shells?

                Oh that's right, the US did.

                Who pumped money into Old Blighty before the US entered the war to keep them going?

                Oh, that's right the US did.

                Who f*cked up while lying to his people and proclaiming he'd secured "peace in our time"?

                Oh that's right another patriotic twit from the UK who hadn't a clue about what he was up against. The same sort of twit who was happy Mussolini had finally gotten the trains running on time in Italy.

                Oh, and as the greatest Army general of all time noted: "You don't win wars by dying for your country. You win by making the other bastard die for his." That this also conveniently eliminated opposition for Stalin was probably only a fortunate coincidence. Not!

                1. ElReg!comments!Pierre

                  Re: unlike in the UK.... @Tom13

                  I think you'll find that by the time the US got involved in Europe, USSR had pretty comprehensively thrashed Germany. All the valid troops were busy on the East front trying to contain the Russians; all that was left on the West "front" on D-day was a shell of concrete vaguely manned by kids and geezers. The last real westward effort of Germany was the Battle of Britain, which they lost to the Brits.

                  The US did beat the crap out of Japan, that we can all agree on.

            2. RegGuy1 Silver badge

              Re: unlike in the UK....

              from the reality that America saved the world (i.e Europe) some 70 years ago

              Only because they helped to fuck up the world ten years ealier. Then they were a naive, insular nation that didn't care about the rest of the world. 70 years ago they were very frightened that a certain soviet threat may remove significant markets for them, so they intervened, having learned their lesson that their nation interest lay in being aware of and manipulating the world beyond their borders. [The UK had done this the century before.]

              Their self interest (as with ALL countries) drove their behaviour. The Marshal Plan and all that followed was singularly aimed at stopping the soviet advancement. Hell, they even told Italy that if it wanted the money (and of course it did) it should not let the communists back in.

              You need to be objective when you think about these things -- take things at face value and you will miss the real reason why they are done.

            3. Andy Davies

              Re: unlike in the UK....

              ... correction: Russia and America saved the world (i.e Europe) some 70 years ago.

              1. Anonymous Coward
                Anonymous Coward

                Re: unlike in the UK....

                "... correction: Russia and America saved the world (i.e Europe) some 70 years ago."

                correction correction: Britain and Russia saved the world but had to buy in much of the equipment to do it from the US. The US made a huge profit on the deal; indeed the US is the only country to make a profit out of either world war and managed to do it in BOTH.

                When you save the day by hiring mercenaries, you don't normally give much credit to the mercenaries.

        2. JLV
          Headmaster

          >allegience

          >where a poppy on her collar

          >supremecy

          For heaven's sake, you have the correct spelling right in front of you, in the OP. Additionally, since ragging on Yanks is a well-known Reg pass time, one assumes that defenders like yourself are mostly... American. i.e. it is your native tongue you are butchering.

          If you spell at the level of a 2nd grader who needs to be held behind, do you expect us to pay attention to your arguments?

          'sides it's not like you are making cogent arguments anyway and I mostly agree with the OP. Except that I think the brain off-switch w.r.t. patriotism is present in most countries, with the US just having an unusually potent version of it.

          1. Blitterbug
            Happy

            re: ragging on Yanks is a well-known Reg pass time

            Think you mean passtime. But I digress; The Reg is a UK site so I s'pose you are largely right!

            1. Anonymous Coward
              Anonymous Coward

              Re: re: ragging on Yanks is a well-known Reg pass time

              Or even 'Pastime', Not that I would ever wish to criticise.

            2. Steve Renouf

              Re: re: ragging on Yanks is a well-known Reg pass time

              actually, I think he meant pastime...

              OH! I was a bit late. Someone beat me to it!

        3. Dodgy Geezer Silver badge

          Getting a bit circular...

          ...American children are literally brainwashed into believing in American supremacy.

          I'm sorry, where in the pledge of allegience is there any mention of American supremecy?...

          I'm sorry, where in the original post is there any mention of pledge of allegience (sic)?

        4. Anonymous Coward
          Anonymous Coward

          "I'm sorry, where in the pledge of allegience is there any mention of American supremecy?"

          The bit where it mentions that America is God's own country. It doesn't take much to then transfer the supremacy of God to his country.

          Ironically, of course, America is far more powerful than the god in question who is a lot less substantial than a submarine full of nukes.

      2. Tom 7

        When I were little

        and my Dad was teaching at a university in the states, my brother refused to pledge allegiance to the flag wot wiv being english an all and was nearly kicked out of school as a result. It took some serious high level influence to talk some sense into those involved.

        1. oiseau

          Re: When I were little

          Hello:

          I lived and went to school in the US between late 1966 and mid 1970.

          In elementary school, the class would recite the pledge of alliegance every morning but this was not so in junior high.

          Being only 10, I did it basically because every one else in class did it.

          I recall that one of the first times I did, one of my classmates brought up the question of my doing so in class, as I was not a US citizen. My teacher clearly informed me that was under no obligation to recite the pledge of alliegance along with the rest of the class.

          I understand that this may not have been so everywhere.

          Cheers.

      3. Captain Queeg

        @ACx - Great comment...

        Very fair commentary, but the next 50 years will knock it out of Americans in the same way the 2nd half of the 20th century knocked it out of the British.

        Time was to many of my countrymen that if it was owner by, occupied by or made in Britain it was automatically sub standard.

        The reality of 50 years of being owned by the Americans has done to the UK what 50 years of being owned by the Chinese will do to the USA.

      4. John Smith 19 Gold badge
        Unhappy

        "And no, Im not joking. just look in to American schools. They teach allegiance to the flag like christians teach the good book. "

        True

        Much as in the Soviet era Russia did the same with Russian school children.

    3. VernonDozier
      Boffin

      I remember reading about this back in the 1990s; and in the days of BBSs. If memory serves me correctly, there was another encryption scheme, similar to RSA called PGP (Pretty Good Privacy).

      There was something that happened back then with the FBI being unable to crack PGP. The inventor was investigated by authorities; I think there was even an international case; Somewhere in Europe, that needed backdoor access. They engaged the FBI and perhaps the NSA also. I think the software developer's name was Philip Zimmerman.

      I think PGP was an open-sourced project (One of the first), the NSA and FBI were unable to crack it, even with the sourcecode. Encryption technologies are protected from export, and enforced by the Federal Trade Commission.

      So RSA was born as a commercial product, that used some of the PGP technology.

      Most of these types of suggestions occur through standards-bodies. Remember, SSL used to have keys for encryption that were only 128-bits. Then, as technology progressed, the standard became 256-bit, and then 512-bit. Some sites on the internet today, use 1024-bit encryption as well as 2048-bits.

      If memory serves me correctly, the NSA and/or the FBI also had a say in how fast home computers would be allowed to get. I remember reading an article in Scientific American from the early 1990s, where IBM said they had the technology to develop CPUs that run up to 4GHz using RISC technology (competes with CISC; or what Intel/AMD primarily use.) However, this technology was never brought to market. CPUs today, can accomplish similar speeds with multiple cores. Parallel processing makes it more difficult to brute-force decrypt.

      Paired-Key encryption and password technology is one of the most secure. Passwords can be captured using keylogger software, or dictionary attacks.

      My guess is that computer speeds plateaued as a result of Government intervention; and fear that home computers would, in time, have the computing power and ability to break encryption. Around this timeframe, Microsoft also introduced "Trusted Computing Platform". My guess, is the ability to use signed code, would be created as a Government project, and allow desktop machines to continue to advance in technology and speed, while also limiting the ability to use encryption tools.

      Instead, Apple developed a new formfactor- tablets and smartphones and this stunned the industry, when everyone was seemingly collaborating to develop the next speed chips, on a single-core platform. The new iPhones and tablets solved a problem of selling hardware.

      1. phil dude
        Linux

        correlation...

        I must say the in my pre-caffeine haze, it sound plausible....

        However, they would have banned quantum computers by now, as they really are a threat to these types of algorithms...

        Parallel processing is a one-time cost...and I imagine these algorithms are low communication types...

        So perhaps are right to be paranoid? M$ dreams up trusted computing NOT to stop Linux running, but as an NSA backdoor? I mean 2 birds one stone?

        Perhaps the obvious thing about this whole affair, is we can't trust the government because they don't play by the rules. We can't trust corporations, as they're in it for the cash.

        What's the cold war phase? Trust but verify?

        P.

      2. Destroy All Monsters Silver badge
        Facepalm

        @VernonDozier: What the hell am I reading?

        So RSA was born as a commercial product, that used some of the PGP technology.

        Wrong. RSA was sitting on its patents and unable to monetize the stuff properly (not to mention being hindered by ITAR and COCOM.)

        Zimmermann wanted to use the RSA algorithm in PGP. But it was patented. So he finagled the fact that basically someone at RSA said over a beer that he could build an implementation. (Building an implementation is not hard to do; we did it at school). Then someone exported the code as a printout to Norway and Finland to be "legally in the right" about that as I remember. End of story.

        These were interesting times. Also the times when Clinton wanted to get into your phone via Clipper chip and "key escrow" retardation.

        I remember reading an article in Scientific American from the early 1990s, where IBM said they had the technology to develop CPUs that run up to 4GHz using RISC technology

        Must have been very simple CPUs (like, a few trransistors) using experimental GaAs or Josephon Junctions. "We are doing it in the lab" is not "You can have it at the retailer".

        Parallel processing makes it more difficult to brute-force decrypt.

        LOLWHAT. Brute-force decryption is "embarrassingly parallel" problem.

        My guess is that computer speeds plateaued as a result of Government intervention

        Time for bed, Mulder!!

        See also: RSA Company History

        See also: PGP history

        1. Destroy All Monsters Silver badge

          Re: @VernonDozier: What the hell am I reading?

          A blast from the past

          Date: Thu, 29 May 1997 15:54:20 -0400

          From: freematt@coil.com (Matthew Gaylor)

          Subject: Newsflash: PGP approved for export of strong crypto

          [Just in case you haven't already heard...]

          Hello Friends,

          Around here, this is what we call "pretty good news." The other good news is that it's NOT April Fools Day (yes, this is for real.). Best of all: no key escrow! :)

          Have a Pretty Good Day,

          dave

          ................................. cut here .................................

          CONTACT:

          Mike Nelson

          Director of Corporate Communication

          Pretty Good Privacy, Inc.

          415.524.6203

          PRETTY GOOD PRIVACY RECEIVES GOVERNMENT APPROVAL TO EXPORT STRONG ENCRYPTION

          SAN MATEO, Calif., May 28, 1997 -- Pretty Good Privacy, Inc. (www.pgp.com), the world leader in digital privacy and security software, today announced that the U.S. Department of Commerce has approved the export of Pretty Good Privacy's encryption software to the overseas offices of the largest companies in the United States. This makes Pretty Good Privacy the only U.S. company currently authorized to export strong encryption technology not requiring key recovery to foreign subsidiaries and branches of the largest American companies (see list of companies below).

          The approval allows Pretty Good Privacy to export strong, 128-bit encryption without a requirement that the exported products contain key recovery features or other back doors that enable government access to keys. More than one-half of the Fortune 100 already use PGP domestically to secure their corporate data and communications.

          "Now we are able to export strong encryption technology to the overseas offices of more than 100 of the largest companies in America, without compromising the integrity of the product or the strength of the encryption," said Phil Dunkelberger, President of Pretty Good Privacy, Inc. "We worked closely with the State Department when they controlled the export of encryption, and are now working with the Commerce Department. And we have never had a license application denied."

          The license allows export of strong encryption technology, without government access to keys, to the overseas subsidiaries and branch offices of more than 100 of the largest American companies, provided that the offices are not located in embargoed countries, namely Cuba, Iran, Iraq, Libya, North Korea, Sudan or Syria.

          "As far as we know, Pretty Good Privacy, Inc. is now the only company that has U.S. government approval to sell strong encryption to the worldwide subsidiaries and branch offices of such a large number of U.S. corporations, without having to compromise on the strength of the encryption or add schemes designed to provide government access to keys," said Robert H. Kohn, vice president and general counsel of Pretty Good Privacy. "Pretty Good Privacy still opposes export controls on cryptographic software, but this license is a major step toward meeting the global security needs of American companies."

          The U.S. government restricts the export of encryption using key lengths in excess of 40 bits. However, 40-bit cryptography is considered "weak," because it can be broken in just a few hours. Generally, the U.S. government will grant export licenses for up to 56-bit encryption if companies commit to develop methods for government access to keys. For anything over 56 bits, actual methods for government access must be in place.

          Pretty Good Privacy's license permits the export of 128-bit or "strong" encryption, without any requirement of a key recovery mechanism that enables government access to the data. A message encrypted with 128-bit PGP software is 309,485,009,821,341,068,724,781,056 times more difficult to break than a message encrypted using 40-bit technology. In fact, according to estimates published by the U.S. government, it would take an estimated 12 million times the age of the universe, on average, to break a single 128-bit message encrypted with PGP.

          "Pretty Good Privacy, Inc. has been working diligently to ensure compliance with the export control laws. Clearly, the Commerce Department recognizes the needs of reputable American companies to protect their intellectual property and other sensitive business information using strong cryptography," said Roszel C. Thomsen II, partner at the law firm of Thomsen and Burke LLP.

          "User demand for strong cryptography is growing worldwide," said Marc Rotenberg, director of Electronic Privacy Information Center, and a leading privacy-rights advocate. "This is just one more example of the need to remove obstacles to the export of the best products the U.S. can provide."

          Companies that are approved for the export of Pretty Good Privacy's strong encryption should contact Pretty Good Privacy's sales office at 415.572.0430 or visit the company's web site at www.pgp.com. Companies that are not currently on the list of licenses obtained by Pretty Good Privacy, but would like to gain approval to use strong encryption in their branch offices and subsidiaries around the world, should also contact Pretty Good Privacy at 415.572.0430 for information about how to be included in future government-approved export licenses for PGP.

          About Pretty Good Privacy, Inc.

          Pretty Good Privacy (www.pgp.com), founded in March 1996, is the leading provider of digital-privacy products for private communications and the secure storage of data for businesses and individuals. Pretty Good Privacy's original encryption software for email applications (PGP) was distributed as freeware in 1991 by Phil Zimmermann, Chief Technical Officer and Founder of Pretty Good Privacy, and allowed individuals, for the first time, to send information without risk of interception. With millions of users, it has since become the world leader in email encryption and the de facto standard for Internet mail encryption. Over one half of the Fortune 100 companies use PGP. In order to provide only the strongest encryption software, Pretty Good Privacy publishes all of its encryption source code and algorithms for extensive peer review and public scrutiny. The company can be reached at 415.572.0430; http://www.pgp.com.

          Immediately followed by

          Date: Thu, 29 May 1997 18:46:08 -0400

          From: "Tom Betz" <tbetz@pobox.com>

          Subject: Re: Newsflash: PGP approved for export of strong crypto

          On 29 May 97 at 15:54, Matthew Gaylor wrote:

          > SAN MATEO, Calif., May 28, 1997 -- Pretty Good Privacy, Inc. (www.pgp.com), the world leader in digital privacy and security software, today announced that the U.S. Department of Commerce has approved the export of Pretty Good Privacy's encryption software to the overseas offices of the largest companies in the United States. This makes Pretty Good Privacy the only U.S. company currently authorized to export strong encryption technology not requiring key recovery to foreign subsidiaries and branches of the largest American companies (see list of companies below).

          Hokay... does anyone know the exact date the NSA cracked PGP?

          1. phil dude
            Boffin

            Re: @VernonDozier: What the hell am I reading?

            nice summary.

            As for cracking PGP, one thing that has always made my "mathematical antennae" twitch, is that it is not *provably hard*. If we were in the Eagle n Child, I could try and explain my reasoning...

            Besides, I went to the D-wave talk at Sc13, and now I know it is crackable, with enough cash...

            P.

            1. Andy Davies

              Re: @VernonDozier: What the hell am I reading?

              iirc Messrs. Rivest, Shamir & Adelman discovered an encryption method based on the fact that with known methods it takes an infeasible amount of computation to factorise the product of two large primes.

              RSA Inc. may have had encryption patents but they weren't on the basic method - even in the USA you can't patent mathematics.

          2. heyrick Silver badge

            Shouldn't this have been a clue as to the usefulness of "official" encryption products?

            "Generally, the U.S. government will grant export licenses for up to 56-bit encryption if companies commit to develop methods for government access to keys. For anything over 56 bits, actual methods for government access must be in place."

          3. VernonDozier

            Re: @VernonDozier: What the hell am I reading?

            That looks familliar; likely what was posted on Fidonet back in the day...

            Thank you.

        2. VernonDozier

          Re: @VernonDozier: What the hell am I reading?

          Thank you for the updates and corrections. I was going off memory...

          That happened twenty years ago!

        3. Anonymous Coward
          Anonymous Coward

          Re: @VernonDozier: What the hell am I reading?

          Dan Bernstein sued the US Government over ITAR in the mid-90s and again over EAR which they replaced it with when his lawsuit was successful. His subsequent suit was also successful.

          http://cr.yp.to/export.html

          Dan is an internet security researcher, and his lawsuits were in response to the US Government effectively censoring his research into cryptography

      3. OldWarrior
        FAIL

        If I remember right, back in around 1980 Atari developed a true random number generator that was based upon inevitable voltage variations that occur on the input power. No matter how good a regulator you put in, even micro-volt variations will happen. I never understood why this was never bought and adopted. I don't know the technology, but I do remember that Mr. Bill insisted on a programmed generator rather than this true random seed.

    4. Anonymous Coward
      Anonymous Coward

      Now then Now then

      Now we find that the NSA have really been a law unto themselves, without oversight in any shape or form.

      A Government inside a Government where even the President of the USA has no idea what has been going on.

      1. FetchIt

        Re: Now then Now then

        Re: NSA a "law unto themselves"...

        Let's just tell it like it is: LAWLESS!

        Of course any law outside the USA was summarily ignored. However, any law that interfered with collecting the haystack inside the border was subverted by one means or another.

        For the premier "security" agency to deliberately and forcibly corrupt encryption security is beyond mind boggling.

      2. tom dial Silver badge
        Stop

        Re: Now then Now then

        Obviously never read any of the articles, let alone the actual released documents that describe what NSA is doing.

        "Without oversight" despite that the Senators and Representatives on the respective Intelligence committees had access to much of it, however much they now backpedal and claim ignorance (indicating that they were not doing a significant part of the job for which we elected them).

        '"Without oversight" despite that the published evidence indicates rather strongly that there were well defined limits expressed in documents prepared by the Department of Justice and signed by the Attorney General.

        "Without oversight" despite that the programs were reviewed by the FISC, and on some occasions were found wanting as to lawfulness and were modified or ended as a result.

        "Where even the President of the USA has no idea what has been going on" despite that the programs were operated on the authority of the Secretary of Defense and reviewed by the Attorney General, both of whom report directly to the President and meet with him frequently, and that the programs provided much of the information in his daily intelligence briefing.

        It is one thing to oppose these programs and quite another to be willfully blind to the facts about their. origin and operation.

    5. Anonymous Coward
      Anonymous Coward

      Back in the 70s

      IBM developed DES. The NSA recommended some changes which IBM implemented - changes to the S boxes and SHORTENING of the key length. For 15 years there was speculation that the NSA had recommended those changes to weaken it. When 'differential cryptanalysis' was publicly discovered, it was found that the NSA's changes had strengthed DES significantly versus IBM's original implementation - even despite the smaller key length.

      Specifically the S box changes, had that not been made, would have left it very vulnerable to that type of attack. Thus demonstrating, that at that time at least, that the NSA was at least 15 years ahead of the state of the art in the public sphere. With all the funding they've received in the past decade, they're probably even further ahead now.

      Given that the NSA had previously recommended changes that helped, without explaining why, maybe RSA thought (or wanted to believe) that this was the same sort of deal....though maybe the $10 million should have tipped them off that something was fishy.

      I wonder if any RSA senior execs happened to get a bonus that year due to higher "profit" thanks to that $10 million payment. If that was the case, and I was an EMC shareholder, I'd be looking for a lawyer to file a class action lawsuit against those senior exec(s). Yeah, I know the lawyers are really the only winners in such lawsuits, but I'd be doing it more to take away the ill gotten gains of the senior exec(s) and make their lives hell than to try to cash in personally. Serve as a deterrent to the execs of other companies when faced with a similar decision to breach fiduciary duty in exchange for personal gain!

      1. Don Mitchell

        Re: Back in the 70s

        IBM did a cipher called Lucifer which used a larger block and key size, but was actually weaker than DES. The NSA knew about so-called "bent functions", s-boxes designed to be extremely nonlinear and therefore more resistant to linear-approximation attacks.

    6. Anonymous Coward
      Anonymous Coward

      This just undescores

      How some country, like Switzerland, could clean up in large IT areas by passing IT privacy laws similar to their older banking privacy laws, and then start cloud-hosting-etc companies.

      The one thing that is really clear in all of this is that no US or British company can be trusted with anyone's private data, and no encryption from a US or British company can be trusted at all.

      1. Yes Me Silver badge
        Black Helicopters

        Switzerland and Crypto AG [Re: This just undescores...]

        I think you need to look into Crypto AG a bit before being too bullish about Switzerland.

    7. Hoe

      Depends how it was offered....

      NSA: $10m for a Backdoor?

      CO: Sod Off.

      NSA: $10m for a Backdoor or we force you to do it under the official secrets act for nothing?

      CO: Hm well actually now you say it, it does seem like a good idea!

      But then they would never use that act for such things sur...oh wait.

      1. Charles Manning

        or more likely

        NSA: Install backdoor.

        CEO: Sure we can, but we're a bit tight right now and it will cost us a bit of money to do the work and testing etc.

        NSA: Will $1M cover expenses?

        CEO: Sure.

        NSA: Well here's 10.

  2. cracked
    Devil

    Really, 10M, just to include it?!

    Look! This is great, they said.

    Hmmm, said RSA. Maybe it is.

    It's so good, they claimed, that we'll pay you to include it in your stuff!

    Well now ... pay, said RSA ... that's a word we don't often hear, around 'ere

    And so it came to pass. They paid up.

    And, dutifully, RSA included it

    And then RSA nerfed their code so that their system wasn't using it.

    Win all round. No?

  3. corestore

    Of course...

    "RSA always acts in the best interest of its customers…"

    Of course it does.

    And if you want to find the customer, follow the money…

    If someone else is paying for it, you're not the customer, you're the product being sold. Down the river in this case, it seems.

  4. This post has been deleted by its author

    1. Jamie Jones Silver badge

      Re: Reputation

      I can't say I agree or disagree with your assertion.

      However, our spooks here in the UK were complicit, and should expect the same outcome, as should all the other countries in the 'five ears' (or whatever it's called... It's late here!)

  5. Anonymous Coward
    Anonymous Coward

    Thank you Mr Snowdon

    1. Primus Secundus Tertius

      Re Mr Snowden

      Mr Snowden is a self-indulgent pompous prig who has no idea what it means to live in a genuinely repressive regime. But perhaps he will learn something from his year in Moscow.

      I have met Germans who had brushes with the Gestapo. Snowden and his ilk whinge about hypothetical situations.

      1. Destroy All Monsters Silver badge
        Thumb Down

        Re: Re Mr Snowden

        > I have met Germans who had brushes with the Gestapo.

        Guess you must regret not having been the Gestapo.

      2. Anonymous Coward
        Anonymous Coward

        Re: Re Mr Snowden

        @first second third - there's an old saying that I think it would do you we'll to heed.

        It is better to stay silent and be thought of as a fool, than to open your mouth and remove all doubt

        Oh and pick a new handle please. You're give those of us who know Latin a bad name.

      3. Charles Manning

        Comparing to Naziism and Stalinism does not boulster your case.

        USA is, according to its own PR, "Leader of the free world".

        If it was we'd be surely comparing USA with some countries high up on the various freedom indices

        But here all people can say is: "Well USA is arguably better than Nazi Germany or Stalinist USSR".

        For example: http://en.rsf.org/press-freedom-index-2013,1054.html . USA at 32, UK at 29. Well after many former Warsaw pact nations (Poland, Czech Republic).

        How's that First Amendment working for you now?

        1. Don Jefe

          Re: Comparing to Naziism and Stalinism does not boulster your case.

          The Amendments aren't at issue here. 100% of their value stems from a government willing to uphold the principals they enshrine. The system was designed to be ridiculously liberal in the very few limitations it created. The idea being you could do whatever you wanted as long as none of those limitations were exceeded. If you couldn't find a way to do what you wanted within those limitations then you couldn't do it. Full stop.

          The greatest failing in Democracy is highlighted by the fact those who are capable of being elected are not people who operate on principal. They hold nothing 'sacred' except their own desires and will exceed any limitations imposed on them in order to realize those desires. Those who operate by principal are incapable of being elected because they would be going against the very principals they uphold by lowering themselves to engage with an unprincipled ass who offers nothing more than a nice smile and a pocket full of an Angry Jewish God.

          Great men who will place limitations on themselves in order to uphold a set of self imposed principals in pursuit of the greatest good are treated as simple or foolish. Full speed ahead and principals be damned has become the rallying cry of a manner of man so weak, so cowardly and impotent they cannot function within the confines of an orderly social system. It is sad that the best are overlooked in favor of the champion. Winning matters not if you cannot win within the rules, anyone can do that. Our champions, the winners of our system, are not made of the stuff of even the meanest peasant who, though poor and wanting, still begins and ends each day upholding a set of principals. Fuck those unprincipled men who would take and do as they will with no regard for the greater good, for principal, for even their fellow man. Fuck them I say. Fuck them right in the ass.

          1. Steve Renouf

            Re: Comparing to Naziism and Stalinism does not boulster your case.

            Hear! Hear!

          2. ElReg!comments!Pierre

            Re: Don Jefe "Comparing to Naziism and Stalinism does not boulster your case."

            Who are all these principals you keep referring to? Some very principled persons it seems. Some friends of that Mr Boulster you mention in the title? Though Charles Manning is to blame for this one I suppose.

            I somewhat agree with your point but those really hurt my poor lil' eyes.

      4. oddie

        Re: Re Mr Snowden

        Mr Snowden is a self-indulgent pompous prig who has no idea what it means to live in a genuinely repressive regime. But perhaps he will learn something from his year in Moscow.

        -Do you mean that not being able to return to the US for a year will teach him that the US is not a genuinly repressive regime, or that by spending a year in moscow he will realise that the US doesn't look as bad if you compare it with someone worse?

        1. Primus Secundus Tertius

          Re: Re Mr Snowden

          @oddie

          I mean the latter: USA and my UK are less worse then many places.

          The Nazis did not like pacifists. I met one who had been thrown into an asylum.

          @David Glasgow

          Perhaps after a year in Moscow Mr Snowden will tell us what the Russkies get up to.

          1. Don Jefe

            Re: Re Mr Snowden -What's Wrong with Moscow?

            Moscow is a fun city. Its got everything London or Los Angeles has and is, in my opinion, much more aligned with a typically 'Western' idea of things to do that aren't work with fewer 'weird' surprises.

            The work and workers are the same as anywhere else, workers think their managers are just as dumb as anywhere else. The women are pretty and friendly, the booze is good and affordable, and any luxuries you want are just as available as they are in any other big city as long as you've got the money, just like in any other big city.

            So much of Russia lives in the imagination of people who learned about the USSR through 40 years of propaganda. Sure there are bad aspects, but that's true in London or New York too. Violence is less prevalent than in South America and the Russians aren't nearly as openly aggressive toward strangers as they are where I'm originally from in the mountains of East Tennessee.

            Moscow is cold, Russia altogether is cold. Moscow has some industrial sections that look like video game settings, but overall it's certainly no worse than London or New York or Los Angeles and its a fuck of a lot nicer than Miami or anywhere in Texas. It certainly isn't anywhere close to the worst place you could be exiled to. You should visit sometime.

            1. Primus Secundus Tertius

              Re: Re Mr Snowden -What's Wrong with Moscow?

              Add to that, they have so generously just pardoned Mr Khodorkovsky and Pussy Riot.

              Er, what was it they had done wrong?

            2. Stevie

              Re: It certainly isn't anywhere close to the worst place you could be exiled to

              No. That would be Harlow New Town - self professed Nuclear Free Zone (and ironically the one place in the UK that would unquestionably benefit from a direct hit by a co-operative theromostellar device).

      5. David Glasgow

        Re: Mr Snowden is a self-indulgent pompous prig

        1/ In what way (exactly) do these alleged personality traits reveal themsleves?

        2/ Even if present, do they in any way detract from the service he has rendered exposing what is being done to us and others by those who claim a mandate to act on our behalf.

  6. Anonymous Coward
    Anonymous Coward

    From the economic stand point it does not matter how much money is in the bank. It matters that money is being used, as in a transaction. Metaphorically, how much water is coming out of the faucet, not how much is in the reservoir.

    Oddly, the moneys spent need not be had by legitimate means. This is why the low encryption level is really not a problem, even for financial institutions.

  7. Anonymous Coward
    Anonymous Coward

    "RSA always acts in the best interest of its customers…"

    Clearly, its biggest and most important customer is the US government. I guess the lesson here is not to buy stuff from RSA - so that they may learn from their "mistake"

  8. ewozza
    Holmes

    Perhaps, and this is only speculation, the $10 million went directly to whoever made the decision to use the flawed algorithm - RSA bosses might not have known anything about it.

    1. Don Jefe
      Alert

      Absolutely not. The decision makers were rewarded via other government payment vehicles. You don't think the people that get investment invitations to In-Q-Tel and their portfolio companies learn about those opportunities at VC forums do you?

      Personal payoffs by the US government are never made directly to US Citizens in cash or even money. They just tell you which horse to bet on. You've got to come up with your own investment capital. But, since all the other horses are guaranteed to experience fatal medical conditions on the backside of turn 3, you'll have no trouble finding someone to loan you the money you need. Don't have any friends like that? 'No problem either, just make sure (x) gets implemented and we'll hook you up with our finance guy'.

      Bribery is illegal you know ;)

  9. Awil Onmearse
    Black Helicopters

    Plausible deniability?

    "For its part, however, RSA maintains that it never conspired with the NSA to compromise the security of its products"

    Pro tip, RSA: "plausible deniability" contains the word "plausible".

  10. Anonymous Coward
    Anonymous Coward

    Asshats

    See title

  11. Anonymous Coward
    Anonymous Coward

    I guess this is the way it went IMHO:

    Dear RSA,

    Please include our random number generator in your solution. We use it internally and want to make it an internal standard. We don't want to see you out of pocket. Here's $10m for customization expenses.

    If you don't include it, you'll never get another government contract. Not ever. Make it the default, while you are on. (Note to self: For Christ's sake, remember for us to not use it on stuff we care about).

    Yours truly,

    NSA.

  12. Don Jefe
    Unhappy

    Standards Truths and Finance.

    There is no such thing as an internationally recognized standard, in any field, that's not been bribed, lobbied and beaten into the form most desired by those who are impacted by it. None. Not one. Zero. Everybody thinks standards development is done by people in a closed environment who have a mission of negotiating a best middle ground definition of something, but that's simply not the case. Standards development is one of the most openly corrupt processes on the planet, no matter what governing body it is or in what country. It's far worse than politics.

    When you're working on a standard your job is not to define the best thing/process, it is to define the thing/process that is most compliant with the desires of the heavyweights who are involved, and there's always a heavyweight, even if you're dealing with hand soap.

    The governing bodies like to claim transparency but the only parts that are transparent are the parts the public sees. Draft specs and test specs are written by industry and widely circulated outside tye 'official' process and they serve as the list of demands you've got to meet. Your job is balancing those demands in a way that favors one thing or another, based on what industry wants. Want a nice ski vacation in Chile with your wife? Make sure the test specs include (x) and you can review the final proposal from your chalet. That's just how it's done. If you've got any sort of influence in the process you're heavily lobbied by industry and nobody is going to make a fuss, because Chile is a fun place to go.

    My point is, all standards are weighted through pressure. In this case the pressure just came from the NSA instead of MS or Adobe... While the government shouldn't be doing things like this, the real problem lies in the way standards are really developed. That's got to be addressed before any real change can happen.

  13. Richard Boyce
    Big Brother

    RSA sale?

    I imagine that EMC will be trying to offload RSA now, or at the very least moving the pieces around under a new brand name. It's not easy to sell security after you've been caught selling your soul. The shareholders will not be happy. More litigation will follow, I assume.

    1. Gordon 10

      Re: RSA sale?

      Doubt it - don't forget this is the company who had all their seeds and algorithms stolen for their RAS tokens and still managed to bullshit their customers and keep 90% of them.

  14. Don Jefe

    $10M is a fuckton of money. The tech world in particular has a weird view of money because the news is covered up in the billion dollar escapades of a few companies, but those are all fringe cases. Even inside those big companies you won't find anyone who isn't willing to kill for $10M.

    The attitude that $10M is a small sum is lunacy and unfortunately, that attitude is part of why so many businesses fail and why governments burn through such tremendous amounts of money. They have no concept of the value of the money they're throwing around. It's why those people never have $10M of their own to spend.

    1. Yet Another Anonymous coward Silver badge

      emc (RSA's) parent company has an income of $15Bn - or at least it did last year.

      How many foreign customers it will have at the end of this year remains to be seen.

      How much is a fuckton of money if it means nobody trusts your security company anymore?

      1. Don Jefe

        Unfortunately, as others have noted, they'll likely manage through this and wind up no worse for the wear. People will start to make 'pragmatic' and 'economic' excuses arguments justifying why it's no big deal, and people who haven't done anything wrong have nothing to be concerned about and moving away from RSA would just be complicated and open up new threats. Crap like that.

        The correct response to this, as you've identified, is to move this back to EMC. RSA is their baby now, are repercussions of actions RSA took beforehand. When you buy a company you're buying their liabilities too. In fact offloading your troubles onto someone else is a primary factor in many buyouts.

        EMC can absorb the direct RSA damages. Losing the money would suck, but certainly not substantially harm the company. They can't absorb blowback into their storage products though. All income is not created or valued equally, and when bolt on expansions start harming sales of your core products you take more aggressive action to correct the issue(s). Will it happen? Will people not do business with EMC because of their associations with RSA? Unfortunately, I don't think so.

  15. Captain Queeg

    Non-denial denial then...

    "Decisions about our products are our own..."

    Less than emphatic then? I can only ponder that the legal dept had issues with them issuing a flat denial of a back door.

    It's getting to the point now where to remain reasonably secure, popping something in the post is becoming relatively secure.

    1. Don Jefe

      Re: Non-denial denial then...

      Legal may have edited the statement, who knows, but they probably wouldn't have had to. Part of being a 'good' leader of a corporation or large organization or even country is that you're incapable of making a statement that might be falsified.

      Everyone thinks corporate/leadership types are 'yes men' but that isn't the case, they're anything but 'yes or no men', any kind of remotely straight answers aren't their strong points. Even in the rate events they do give you a straight answer it nearly always references something that isn't straightforward and can be interpreted however best suits them.

  16. John Smith 19 Gold badge
    Unhappy

    Increased the division's turnover by 50% over its *original* turnover, makeing VP look briliant

    Performance related bonus do you think?

    Why do I hear the words "I had guaranteed orders, upgrade programmes, who cares if it didn't work" in my head.

    The real price should be that no one in their right mind should trust RSA for encryption.

    1. Don Jefe
      Unhappy

      Re: Increased the division's turnover by 50% over its *original* turnover, makeing VP look briliant

      There's a saying 'sales wash away all sins' and there's a whole lot of truth in that. The problem comes about when you combine that with a complete lack of ethics or morals. That saying is very valid in business, but it came about in a time when workers and management were emotionally invested in the products they produced. They were proud to work for (x).

      The business climate has gotten so incredibly shitty over the last 30 years and now it's company vs employee vs customer vs shareholder and not one of them gives the slightest fuck about anything beyond their paycheck. I think it's a sad state of affairs and, as usual, the consumer and average citizen is who gets screwed in all of that.

  17. Sanctimonious Prick

    Stop It Eddy!

    Shit! Man! How much more leaking can there be on cryptography? Give us the UFO files, Eddy!

    1. Don Jefe

      Re: Stop It Eddy!

      They're encrypted.

  18. Philip Hands

    RSA==tossers ... How is that news?

    I used to maintain ssh for Debian back in the day when one was supposed to use librsa (from RSA) in order to comply with their patent, so we had the real version of ssh in non-us, and the librsa-linked one for US based users that felt the need to comply with the patent.

    librsa was a piss poor implementation of "their" algorithm, so when it also caused some build failures I just forgot to produce the US patent friendly version.

    Nobody complained, because anyone with any sense had already decided to ignore the patent.

    I've had no respect for RSA ever since -- they failed to fix reported bugs for ages too IIRC -- I had chalked that down to lazy incompetence founded on having the patent to protect them from proper competition, but it seems that there might have been a spot of corruption in the mix too.

    On the other hand, having a product that appeals to the clueless is a great way to get rich, so I don't suppose most of their customers will take the slightest notice, or even realise the implications of this.

  19. ops4096

    Customers ???

    In .au EMC/RSA does not sell encryption products to individual mug punters like you and I. It only sells to corpratz. Well that's O.K. then innit !!!

  20. tom dial Silver badge

    I expect copious downvotes for this, but want to ask anyhow.

    First, it would be of interest to see the text of the contract claimed to exist between NSA and RSA. While it certainly would not describe the claimed quid pro quo, but it would indicate something about how the parties intended it to be understood.

    Second, all the references I have seen to a backdoor in dual_ec_dbrg go back to Shumow and Ferguson's report in 2007 and secondarily to Schneier's description in the same year. Both of them provide plenty of reasons not to use this particular DBRG, based on the knowledge that IF NSA knew the secret numbers that are related to the magic numbers in the algorithm it would provide them a nice back door. Has anyone uncovered anything that establishes that NSA actually knows the numbers, or is it simply presumed that since they provided the RNG they must know?

  21. Stevie

    Bah!

    Vill you pliss stop talkink about ze var? You are upsettink meine wife!

This topic is closed for new posts.

Other stories you might like