Edward Snowden says (according to Reuters) that RSA Security accepted $10 million from the National Security Agency in exchange for installing (or allowing to have installed) a secret backdoor so the NSA could decrypt messages as it pleased. Hell no says RSA (a division of storage vendor EMC), stating in very strong terms that this was not at all the case. But then in a second day look at the RSA/EMC statement bloggers began to see the company as dissembling, their firm defense as really more of a non-denial denial. So what’s the truth here and what’s the lesson?
For the truth I reached deep into the bowels of elliptic cryptography to an old friend who was one of the technology’s inventors.
“RSA is lying,” said my friend. “No room for ambiguity on this one. The back-doored RNG was a blatantly obvious scam and they made it the default anyway.”
My friend has no reason to lie and every reason to know what’s what in this tiny corner of technology, so I believe him. Besides, the Snowden revelations have all proven true so far.
What’s with EMC, then?
Forget for a moment about right and wrong, good or evil and think of this in terms of a company and one of its largest customers — the U.S. Government. It’s more than just that $10 million NSA payday EMC has to see as being at risk. With the Obama Administration’s back against the wall on this one, EMC has to see its entire federal account as endangered.
That’s the only reason I can imagine why an NSA contractor would say that they didn’t know the backdoor existed (we are incompetent, hire us) or that once they did know it existed they waited years to do anything about it.
These are not the kind of admissions corporate PR wants to make unless: a) they are being forced to do it, or b) the real truth is even worse.
I’m guessing that EMC sees itself as taking one for the team. The problem, of course, is what team are they on? It certainly doesn’t seem to be that of the American people.
Full disclosure is the best course here and if full disclosure is prohibited by security regulations and spook laws then the thing to do is to get out of the business. I’m serious. EMC could and probably should simply resign the NSA account, which would say more about this case than any detailed explanation.
RSA can’t be the only company that took NSA money to compromise clients.
I look forward to future Snowden revelations.
Future revelations? Likely none. Greenwald (keeper of the documents) has made a $100M deal with media giant(s) to keep it secret. He gets a movie, etc. out of it.
And see this: https://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html#
This thinking, combined with an amnesty offer, might just dry up the well.
Greenwald’s response to accusations like yours.
http://utdocuments.blogspot.com.br/2013/12/questionsresponses-for-journalists.html
Why on earth would you post such…er….stuff?
Greenwald has made no such deal. That’s the smear talking points you’re repeating there, and there’s simply no support for what you allege. Further, Greenwald is not the only reporter with these documents. Barton Gellman of the WaPo has ’em. The Guardian (if I understand correctly) has them. Laura Poitras has them.
Because since this story broke there’s been both a shameless pro-security state faction and a defend-the-president-no-matter-what-he-does faction that have used every chance they have to smear the messenger. They fabricate the most outrageous lies about both Snowden and Greenwald in hopes that something might stick. Fortunately, as the story has progressed, their shrill cries have been exposed as they continue to marginalize themselves.
If this is in fact true, and I have very little doubt that it is, then what is left to come from the rest of Snowden disclosure could be what everyone is looking for – the start of a revolution the world is well overdue for.
As some really astute person once said, “Power tends to corrupt and absolute power corrupts totally.” Or words to that effect. So what is absolute power and who has it? Absolute power is the ability to send millions of people to their death. Only governments have this kind of power. Compared to governments, terrorist groups are a minor irritation. Governmental leaders and “intelligence” agents are the champions of raw power and self-entitled behavior. And the best part of this state of affairs, for governments not the people, is that most citizens are loath to believe how corrupt their governments have become.
Well put.
Lord Acton: power tends to corrupt, absolute power corrupts absolutely.
I think a more astute observation is “power reveals.”
An uncorrupt person, with solid character, won’t become corrupt because he’s stumbled into power.
Steve Jobs said he hoped, was determined, that success wouldn’t change him. Many others have said the same. These are people aware of the potential to be blindsided by success, or power, but otherwise intend not to be affected by it. Other than that, if you were uncorrupt before you gained power, power will reveal that. On the other hand, if you always had Caligula-type appetites, or merely Charlie Sheen ones, but could never afford them, then power will enable you to exercise them. In doing so you will be revealing to the world just who you are.
I’ll go further and say that government is not the problem, but how we structure it creates the problem. If we have a problem with government then it’s either because it is not democratic enough, or it’s fully democratic and we are thoroughly corrupt as a people. Make the government more democratic, and it will become less corrupt. Neither you nor I voted to make the NSA what it is today. If we believe in democracy and that our system is democracy and that we all are the citizens, then we must inject our values into that government.
“Neither you nor I voted to make the NSA what it is today.” I voted for no more 9-11s. If letting the government snoop on me is what it costs, that’s fine with me. At least when the government snoops, it’s to protect us all. When Google snoops, it’s to annoy me with creepy personalized ads, that they, not I, consider relevant.
It seems to me terrorists have already won. Less than 3000 people died in the 9/11 attacks – about a month’s worth of US traffic fatalities. President Obama himself is on record stating that your chance of dying in a terrorist attack are far less than of dying in a traffic accident. To be “protected” from this risk we’ve bankrupted our country, sent more of our young citizens to their death in needless wars than were killed in the 9/11 attack, and begun to construct a police state that would make the Stasi envious. You’re OK with this? Sorry but I’m not.
In addition, due to generalized American douchebaggery all over the world, there are now many more “terrorists” than ever before.
@chicken You can’t blame the victim for the crime. The less fortunate will be envious of the western standard of living and some of them will choose to act unproductively on that envy instead of productively. Defense and preparedness will always be the primary role of a national government.
@mike Government snooping was what I was referring to. But which wars were “needless” is a matter of opinion. WWII and the cold war confrontations could be considered needless since we could have lived peacefully under Nazi, Japanese, or communist rule.
The problem with any human organization is not its structure, it’s the fact that human nature affects all such organizations. It’s well and good to stand outside some organization and critique it in a logical manner. But when you are actually inside an organization and using its power, you usually are not controlled by logic or reality. Instead, you usually are controlled by human nature and its reliance on assumptions, beliefs, bias, conventional wisdom, preconceptions, etc. which seldom equates to logic or reality.
The only people who use logic and reality to more or less control their actions at work are lower level architects, engineers, inventors and some scientists. These people have the unusual trait of relying on provable cause and effect, rigorous experimentation and testing, and the pursuit of verifiable knowledge.
I feel complimented as an engineer and insulted as a human being. Perhaps “seldom” should be replaced by “not always”.
You are correct, Ronc. I just get very angry every time I think about the needless wars, the corruption and greed of the leaders of big banks, big businesses, and big governments, and the collapse of great civilizations. All these problems are so unnecessary. They are all a result of the imperfections of human nature.
What about all the money In-Q-Tel (CIA) invests in all the Silicon Valley tech companies? What do they get in return? Is this a new way to by-pass Congressional oversight?
The next big one to confess will be Blackberry. Their so-called secure VPN technology is thoroughly penetrated by the CES (the Canadian equivalent of the NSA) on behalf of the NSA and the British GCHQ.
RSA played both sides of the street:
– “We’re the best encryption/security provider” to sell to business
– “We can do the best backdoors” to sell to the government (and anyone else with a clue)
Money rolls in both from business and the government…….high security for some, creepy spying for others.
Capitalism at its best…..until the truth gets into the media.
Multiple news organizations are publishing Snowden documents, including these about RSA. Greenwald has said there are over 15,000 documents. Saying future revelations will be drying up is wishful thinking.
Why does the ginned-up Snowden wedging sound like inter-agency warfare by proxy? If one takes mostly at face value the Pando axis’s claims of Snowden’s allegiances lying with the CIA, it starts to look like Team Unaccountable SIGINT vs. Team Unaccountable HUMINT, just another palace intrigue that doesn’t actually make more food or energy…
Thanks to scross, I get your point now. But I would imagine any backlash against the NSA would apply equally to the CIA, if not more so: “…they both have a history of spying, the CIA is probably more widely known for its large plots for assassinations, etc. but both are involved in intelligence/espionage operations to varying degrees. Post 9/11 both of these organizations have been working together more closely as part of the effort to integrate intelligence gathering…”
http://answers.yahoo.com/question/index?qid=20071210210812AA9DfaU
If you’re not paying, you’re not the customer; you’re the product.
Updated: The mere act of paying does not in itself make you the customer. Sometimes the fact of the transaction is the product (such as in licenses for invalid patents or other “knowledge economy” transactions).
When I worked for the U.S. Army I once asked about a building on post that had no windows and I only ever saw uniformed soldiers go in and out. I was told that for buildings like that it is best to not wonder what happens inside the building but what happens UNDER the building. As others have said – I wonder how far down this encryption “rabbit hole” goes. Does it end with RSA? What about other encryption methods? A few years ago there used to be export restrictions on browsers that had 128-bit encryption – does that rule still apply or does the US Government not worry about it anymore because they can easily break any encryption in browser communication? I seriously hope the rabbit hole ends here with RSA.
I guess you got your answer on why export restrictions were lifted for “strong encryption” “products”. Understandably why Mr. Hypponen is pissed off as his company sells security products that probably use that “strong encryption”. Security = trust and when trust is gone, well there’s a problem. I hope that RSA got a lot more than 10M for their reputation.
http://it.slashdot.org/story/13/12/23/2326212/f-secures-mikko-hypponen-cancels-rsa-talk-in-protest
DES on chip has been suspect for a long time. for what that algorithm was worth, RSA is not alone. I suspect everybody doing encryption products has received a “courtesy call” from folks in suits who are vague about what branch of government they work in. “uh, yeah, I — I’m with NIST. sure. that’s it. here’s my card — oh, wait, I’ll give you this new one, instead…”
I’d like to take this opportunity to wish all those Americans, who don’t think that “National Security” is an excuse for anything, a Merry Xmas.
Seconded.
It’s sad seeing Americans live as the Soviets used to.
And why would you not also wish a Merry Christmas to those who believe “National Security” is an excuse for some things? National security is really just national defense, which everyone supports.
I was offered a chance at a government contract and turned it down knowing I’d forever be at the mercy of the government trough. Which hurts since they are such a large part of the economy now. Avoiding the government as a customer cuts out 50%? of the money being spent in the economy. I can see why most people and companies would look the other way if offered government largesse. (40% of GDP according to the chart I’m looking at now.)
A law that violates the constitution is not a valid law. What are these spook laws you speak of?
Bob may be referring to such things as classified documents or the ability to keep secrets from the general public in the interest of national security. Surely there must be laws that allow secrets or at least no laws that prevent the keeping of secrets.
Why don’t articles like this bother to explain what products are affected by the weakened security? The media, Cringely included, are next to useless and deserve the ridicule and derision being heaped upon them daily.
And you, Joe, fail at your duty to be an informed citizen. Cringely never claimed to be useful. If you were paying attention, you would know what he was talking about.
Everybody who has been paying attention will know that this is referring to the BSAFE product line. You could look up for yourself, what types of processes use BSAFE. Or, if your data are so important to you, you could find out from your own encryption providers, which cryptographic libraries they’re using. https://www.emc.com/security/rsa-bsafe.htm
If one part of RSA Security has been caught in this huge lie, and another part keeps having security problems (SecurID), I don’t see why people should trust EMC or RSA anymore. It doesn’t matter what product.
The sad thing is that EMC, et al, think that they’re actually working for the American people. I mean, isn’t it what you were taught in your civics class? The government is elected by the people, and rules by the consent of the people that they represent. So if you’re working for the government, then you’re working for the people.
Dianne Feinstein is trying to legitimize the NSA’s snooping, by writing and passing laws to legalize it. I’m certain that she believes she is working for the good of the American citizens, expanding the power of all levels of government to protect you and (as with gun control) removing the power of citizens to hurt each other. She was just reelected last year with the largest number of popular votes that any Senator has ever received, ever. She certainly feels like she’s governing by the consent of the people.
However, I do agree with Cringely’s cynicism. I didn’t vote for Feinstein. I didn’t vote for my other Senator, Barbara Boxer. I didn’t vote for my representative, Nancy Pelosi. Every time they came up for reelection, I voted for somebody else. (Not Carly Fiorina, though. She’s awful. I can’t imagine endorsing her for anything.) Somebody else always lost. With our extremely low voter turnout and our extremely un-representative representation, I don’t have a strong faith in US governance and laws.
R, I’m not surprised you’re cynical. You just criticized 3 Democrats and a Republican. As a conservative, I agree with your Democratic criticism, but on the few occasions I heard Carly speak, usually Meet the Press, she sounds like a fiscal conservative, so I don’t understand what you have against her.
I criticized the Democrats because they’re the ones currently in Congress from my area. Also, I didn’t vote for Obama, nor my City Supervisor, nor Assemblyman Tom Ammiano, nor State Senator Leland Yee, nor State Senator Mark Leno, nor Governor Jerry Brown. I voted for losing people every time. I consider the major party candidates, but usually I can’t stand them and vote third-party.
Fiorina talks a great social and fiscal conservative game, but I’m discouraged by her performance at HP. She took Dell’s 2 biggest competitors in the PC market (HP and Compaq), and turned them into a single PC company smaller than Dell. She executed on the plan to kill 2 of the highest-performance CPU architectures (Alpha and PA-RISC), instead investing HP’s resources into the Itanic. She killed the HP Way, presiding over the spin-out of Agilent and restructuring the company to be more boring. I just don’t like her performance as CEO.
Also, her demon sheep ad campaign was ridiculous.
Thanks for the clarification. HP has a long history and it’s hard to say what might have been. Shake-outs and buy-outs are not unusual. Perhaps she should have gone straight into politics, skipping the whole CEO thing. I can remember even in the 70s HP test equipment seemed antiquated compared to Tektronix, yet I’m still using the HP LaserJet 5 printer I bought almost 20 years ago.
If this was done by the US government to RSA, what other products were compromised by other governments?
What product can I trust?
Or should I just settle for a state of affairs where I know my data is “secure” only from non-government bodies? Unless they find the same backdoor implanted by an intelligence agency…
I would ask Steve Gibson’s opinion. He mentioned the RSA “default” encryption choice on his podcast months ago. He said no self-respecting security person would have chosen the default simply because it was very complex, slow, bloated, and clearly no better than the other choices in the list. He made it sound like the NSA got nothing for their $10M since no one would use that default. When we choose an encryption service, we are putting our trust in the security experts who have thoroughly investigated the options which are non-proprietary and open source. The NSA doesn’t have a big enough budget to buy off the entire security community.
If they resign they get taken to The Village.
But seriously, if they resign the NSA contract then they will be admitting the truth of the matter. They are likely liable by some terms of the contract if they more or less let secrets out.
AND, they then have to either make a new version or they lose all their market share; they just don’t gain anything on this by honesty.
Corporations do the bidding of the government. That is why the insurance companies are dragging their feet and not revealing all the flaws of ObamaCare.
The flaws are obvious but people want to believe they’re getting something for their tax dollars.
Germany’s Enigma code in WWII was broken because of not following laid down protocols. In the Anonymous Spy subcontractor break-ins some years back I followed its progress on the net. What I got is an arrogance of divine righteousness that the USA and its subcontractor believed in and the litany of off-the-shelf break-in points that Windows had. Microsoft’s cohabits with the Feds so much so that Windows 8 has automatic entry code for the NSA world wide that has caused the Germans consternation AND which will cause idiot Microsoft’s Empire’s eventual downfall in the 2020s.
Bush43 has outsourced the whole USA government to subcontracts* who live off political connections for that gold mine of money – USA tax payers oh and the Chinese cash.
* In the battle between Google and Apple – I’m going for Google because USA courts and Dept of Justice are one-eyed followers of Google! Go to last sentence now!
Like the Japanese in the 50’s who went for transistors and stole the whole electronic consumer industry from under the noses of RCA, Motorola et al, the Chinese will and are doing it now, because dickheads run big government and big business in USA.
Sorry mate! USA is history!
USA & NSA backlash already starting!
See:
http://gigaom.com/2014/01/08/a-quarter-of-british-and-canadian-businesses-want-their-data-taken-out-of-u-s-according-to-peer1/