Infosec experts boycott RSA conflab over alleged 'secret' NSA contract

More security researchers are boycotting next month's US edition of the RSA Conference in protest against an alleged "secret deal" the company is said to have struck with the National Security Agency. Last month Reuters reported that the NSA "secretly paid" RSA Security $10m in return for making the Dual_EC_DRBG random number …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Like he said..

    "...you get caught backdooring your security for the NSA, you should go out of business.."

    Simple as that.

    1. Anonymous Coward

      Re: Like he said..

      It's worth remembering that IBM modified the DES / 3DES encryption system on the suggestion of the NSA, at the time lots of people claimed that it was to weaken the system, but it has latterly turned out that it strengthened it against a form of attack which wasn't generally known at the time.

      I don't see any reason to think that RSA knowingly put a back door into their product and $10M isn't very much to corrupt your company, when it's the size of RSA.

      1. Miek

        Re: Like he said..

        "I don't see any reason to think that RSA knowingly put a back door into their product and $10M isn't very much to corrupt your company, when it's the size of RSA."

        I understand from a previous article [citation needed] that at the time of the deal RSA was not as big and ubiquitous as it now is. I can imagine the "deal" along the lines of "Take the deal and you will be $10M up on the books and your business will become the de facto security provider for businesses, governments and military units around the world. Alternatively, we will see to it that you go out of business sooner rather than later"

        1. NumptyScrub

          Re: Like he said..

          quote: "I understand from a previous article [citation needed] that at the time of the deal RSA was not as big and ubiquitous as it now is."

          If you mean this article it appears to say that the BSafe crypto tools division of RSA was, at the time, bringing in an alleged $27.5m in total. Compared to that, a $10m deal would look to be a healthy slice of change to "adjust our defaults in line with government NIST recommendations".

  2. Anonymous Coward

    further Snowden blowback

    UAE allegedly asks for a couple of US (crypto?) components to be removed from a nearly completed French Thales/Italian space communications satellite according to this allegation:

    http://www.defensenews.com/article/20140105/DEFREG04/301050006

  3. Anonymous Coward

    Complicit or incompetent

    "The reason isn't that I'm upset at RSA, or think that they are evil. I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products."

    ISTR a commenter in a previous article about this came to the conclusion RSA are either complicit or incompetent as this chap suggests. Now the NSA are evidently no mugs, but the timeline for this suggests that RSA would've been fully aware.

  4. Anonymous Coward

    Just How Deep Does This Go ?

    Are there deliberate flaws in x86 cpu designs ? No wonder the US is paranoid about Chinese hardware as America has been up to this for years.

    1. Anonymous Coward

      Re: Just How Deep Does This Go ?

      "No wonder the US is paranoid about Chinese hardware as America has been up to this for years"

      Indeed, probably at least 13 years according to this nugget from El Reg many years ago about the NSA's own fab plant.

      http://www.theregister.co.uk/2001/01/10/nsa_runs_best_fab/

      In fact, considering the NSA's plant was considered world class back then, just think what they're churning out now and infesting your gadgets with!

      Sleep tight.

      1. Boris Winkle

        Re: Just How Deep Does This Go ?

        Nice link re fab plant..

        Just hopped on over to the NSA careers (http://www.nsa.gov/careers/) page, and I love the quote:

        Intelligence. It's the ability to think abstractly. Challenge the unknown. Solve the impossible. And at NSA, it's about protecting the Nation. A career at NSA offers the opportunity to work with the best, shape the course of the world, and secure your own future. Isn't it time to put your intelligence to work?

        Particularly:

        '...shape the course of the world...'

  5. btrower

    Trust nothing

    Anybody doing a security design these days should address all aspects of security as if every single thing from silicon up is compromised. Only fairly wide-spread joint custody can provide a reasonable sense of security.

    Even with extremely strong security, we still need legislation to curb abuses. No entity, certainly not an ethically challenged one like the NSA, should be able to make any legal use of ill-gotten information.

    We have gone so far over the line that it seems even our experts have lost the plot.

    1. Anonymous Coward

      Re: Trust nothing

      "Anybody doing a security design these days should address all aspects of security as if every single thing from silicon up is compromised. Only fairly wide-spread joint custody can provide a reasonable sense of security."

      Trouble is, that includes the PEOPLE as well, and people tend to be the weak links. There's no way to guard against an insider expertly sabotaging things at the design stage.

      "Even with extremely strong security, we still need legislation to curb abuses. No entity, certainly not an ethically challenged one like the NSA, should be able to make any legal use of ill-gotten information."

      Security can work itself ABOVE the law, simply by holding the rest of the government hostage. After that point, no law will touch them because the government itself can be blackmailed.

      "We have gone so far over the line that it seems even our experts have lost the plot."

      Not so much lost the point as having been tainted by The Corruption. And this corruption has shown elements of rising above simple countries and politics.

      So if you live in a world where the only people around you are accomplices and enemies, how can one establish a trust system? IIRC this goes to one of the "hard" problems of security: how to confirm identities without some form of intermediary. So far as we can tell, the prevailing answer is, "You can't."

  6. phil dude

    IBM DES and what not..

    First, let's put something to bed. The people who worked for the NSA in 1976 are almost certainly retired, and so there's bugger all chance this is a useful data point. It is perhaps a very good example of what the NSA *should* be doing, but I find no comfort whatsoever that they did so.

    The point is, perhaps 10 years ago or more the govt started getting ideas above its station. The tragedy of Sept 11th has been compounded by the complete clustersmeg that politicians have done with civil rights since.

    With laws like the Patriot Act which make it legal to lie, illegal to tell the truth, and basically make a complete mockery of the constitution, it is no surprise a company took cash from the govt to put in a backdoor.

    The fact they did (allegedly, in case there are twitchy UK lawyers) whether it was for a backdoor or not, is sufficiently naive that I am not sure I want them as a security company.

    It is a good thing that crypto maths doesn't need govt permission to work. It is a bad thing it is sufficiently difficult that the govt feels the need to be involved.

    P.

    1. asdf

      Re: IBM DES and what not..

      >The point is, perhaps 10 years ago or more the govt started getting ideas above its station.

      Try about 20 years. I thought it was weird how quickly and quietly the NSA and Government dropped the Clipper chip fight. Guess we know why now.

    2. Anonymous Coward

      Regarding DES

      There was no hidden crap ongoing with DES. Everybody with a clue knew that 56 bits could be iterated (brute-forced).

      There was and is 3DES for those who need a strong cipher.

      1. tom dial Silver badge

        Re: Regarding DES

        DES was issued in 1977. It was brute-forced first (publicly) in 1997 using a coalition of 10,000+ systems in 96 days, and in 1998 by the EFF using a purpose-built machine in 56 hours. While some nation states might have afforded the equipment for a brute force search in the late seventies/early eighties, DES probably gave adequate security for its intended purpose - commercial encryption - for at least its first 10 years.

    3. Anonymous Coward

      Regarding 9/11

      Just "connect the dots" about this affair and it becomes almost crystal-clear that the MIC badly needed a new enemy.

      The Russkies were bankrupt and in some aspects still are. Too much secrecy, too much Russkie MIC, too much socialism.

      So the American MIC built their own enemy, in order to keep the pork barrels rolling. Freedom Fighters/Terrorists replaced the Russkies. 700 billion dollars per year revenue assured.

      Without 9/11 the American military would be at 1/10th of its current size. That threatens about 4 million well-paid jobs in the US.

  7. Anonymous Coward

    "... legal to lie , illegal to tell the truth ..."

    Brilliant! Sorry I couldn't give you more than one upvote because you really deserve a lot more than that.

  8. Anonymous Coward

    RSA deserves what it gets...

    Sounds like they probably did take the payoff in order to weaken encryption. Customers tend to dislike getting sold out by a vendor that is supposed to protect them.

    And let's not forget that RSA rather incompetently let itself get hacked a couple years ago, compromising tens or hundreds of thousands of two-factor security devices.

    Corrupt?, or incompetent? I vote none of the above.

    1. asdf

      Re: RSA deserves what it gets...

      Corrupt?, or incompetent? I vote all of the above.

      FIFY.

      1. Bucky 2

        Re: RSA deserves what it gets...

        That's exactly the problem, isn't it? They're either one, the other, or perhaps both.

        They are, at the very very best, an inappropriate agency to trust with security.

  9. Anonymous Coward

    It's all good

    I'm sure the NSA wants to distance itself from idiots too stupid to understand the NSA has their back when it comes to security. Better to let them learn the hard way how the real world works. Then when they pull their heads outta their arses, they'll have a lot more respect and appreciation for the hard work that the NSA does to protect us all.

  10. dssf

    Makes me wonder whether Snowden curated his trove

    Or just made a few massive digital dives before dumping his booty into the hands that are leaking it all out in dribbles and bits...

    The stuff that just keeps coming out is... Mind-blowing and sobering.

  11. John Tserkezis

    "In response, RSA issued a carefully worded denial that it had never knowingly put a backdoor in its BSAFE toolkit at the behest of the NSA or anyone else."

    They do realise that plausible deniability only works if it really is, ahem, plausible?

    Just to be fair, I would have been on their side if they didn't take $10mil as part of the deal. Kinda like them being stopped at their local airport customs for transporting pot in a suitcase. "But the NSA paid us to transport this suitcase from A, to B. For security reasons, we didn't ask what was inside....

    1. Fluffy Bunny

      People are talking as if BSAFE was backdoored, but where is the evidence? Was it a real backdoor, or just badly written security code (which happens all the time).

      1. tom dial Silver badge

        The bottom line appears to be that we who are not NSA do not know*, and the NSA are most unlikely to say one way or the other. Accordingly, caution dictates either not using Dual_EC_DRBG or going through the process described in Appendix A of NIST Special Publication 800-90A and generating your own constants different from those recommended by NIST.

        Upvoted for not joining in the present moral panic and paranoia.

        * It would be extremely interesting if anyone who can cite evidence (other than speculation and hearsay) would do so.

      2. Michael Wojcik Silver badge

        People are talking as if BSAFE was backdoored, but where is the evidence? Was it a real backdoor, or just badly written security code (which happens all the time).

        It's not "just badly written security code" (and that should most definitely not "happen all the time" at RSA, a firm which exists to sell well-written "security code"). Try actually reading the articles.

        BSAFE used Dual_EC_DRBG as its default CPRNG. That's not in dispute.

        Cryptographers expressed suspicions about Dual_EC_DRBG almost since the moment of its publication, and pointed out that it had obvious drawbacks and no obvious advantages. That's not in dispute.

        There is now significant evidence that the NSA set the default parameters for Dual_EC_DRBG specifically so they could reproduce the bitstream and break the generator. That evidence isn't in serious dispute, and while it's not compelling, it's pretty strong. No one has offered a plausible alternative explanation.

        NIST 800-90A, the publication that describes Dual_EC_DRBG, explains how to calculate a different set of constants. That would be a good idea for anyone using the generator, regardless of whether they thought the default constants were associated with a backdoor. Any competent contemporary cryptographer should know that. RSA chose to use the default constants.

        Therefore, the person or persons who made the decision to make Dual_EC_DRBG the default CPRNG, with default constants, is either incompetent (because it's a lousy generator and they should at least have chosen different constants) or malicious. This isn't a mistake; it's a series of bad decisions.
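
Both tom dial and Michael Wojcik above point at the same mitigation: if you must run Dual_EC_DRBG, derive your own point Q from a seed you publish rather than taking the NIST defaults, so that nobody can hold a hidden discrete-log relation between P and Q. The following is an added example, not code from any commenter, RSA or NIST. It assumes a simplified rendering of the SP 800-90A Appendix A.2.1 idea (hash a seed to an x-coordinate on P-256, lift it to a point, retry with an incremented counter when the x has no square root) and a constructed seed; the retry counter, function names and the A.2.2-style verification routine are this example's own choices. It also shows why the defaults are the wrong kind of constant: a reviewer can recompute a seed-derived Q and confirm it lies on the curve with the right order, but no such check is possible for a point that arrives without a seed.

```python
"""Derive and verify an alternative Dual_EC_DRBG point Q on NIST P-256.

Added example, not the commenters' or NIST's code. The hash-to-x loop is an
assumed, simplified rendering of SP 800-90A Appendix A.2.1; the seed and the
32-bit retry counter are constructed for illustration only.
"""
import hashlib

# NIST P-256 domain parameters: y^2 = x^3 + A*x + B over GF(P), base point G of prime order N
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = None  # the point at infinity


def on_curve(pt):
    """True if pt satisfies the P-256 curve equation."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; covers doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def derive_point(seed: bytes):
    """Map a seed to a curve point: x = SHA-256(seed || counter) mod P, then lift to y.

    Assumed rendering of the A.2.1 idea: keep x if x^3 + A*x + B is a square,
    otherwise bump the counter and try again. Returns (Q, counter) so anyone
    holding the seed can recompute Q. P-256 has cofactor 1, so no cofactor step.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (x * x * x + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)  # P = 3 mod 4: a square root whenever one exists
        if (y * y) % P == rhs:
            return (x, y), counter
        counter += 1


def verify_point(seed: bytes, counter: int, q):
    """A.2.2-style check: recompute Q from the published seed and confirm it
    matches, lies on the curve and has order N."""
    derived, c = derive_point(seed)
    return c == counter and derived == q and on_curve(q) and ec_mul(N, q) is INF


if __name__ == "__main__":
    seed = b"constructed example seed, not a real deployment value"
    q, c = derive_point(seed)
    print("counter:", c)
    print("Q.x = %064x" % q[0])
    print("Q.y = %064x" % q[1])
    print("verifies with published seed:", verify_point(seed, c, q))
    print("verifies with a different seed:", verify_point(seed + b"!", c, q))
```

Publishing the seed alongside Q is the whole point: a third party can rerun `verify_point` and see that Q was not chosen by someone who knew its discrete log relative to P. As Wojcik notes, this only removes the parameter question; it does not make Dual_EC_DRBG a fast or unbiased generator, so the safer default is a different CPRNG altogether.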

  12. AbeSapian

    How to Become Radioactive In One Easy Lesson

    Fukushima required an earthquake and cost money. RSA did it all by their little lonesome and got $10M in the process.

  13. Anonymous Coward

    Nothing New Here

    Google for Crypto AG and read up on a Mr Hagelin, founder of said company.

    It is always funny how people, including some governments, can be stuffed by application of ridiculous memes.

    But having said that, Dönitz wasn't much better than the Iranians.
