
Secret contract tied NSA and security industry pioneer - bbatsell
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
======
suprgeek
NSA invents weak (Back Door present) crypto algo.

Pushes RSA to make it a Default in a key function (RNG) by giving them $10
Million.

NSA points to RSA as an early adopter and gets NIST to certify it.

Millions of systems are now protected by an RSA product that the NSA
deliberately weakened.

Any sufficiently skilled rogue actor can attack virtually any business that
uses these RSA products -

NSA (Cyber security Command) gets even more money to "Protect" us from said
Rogue actors.

So all-in-all a good investment on their part.

Edit: Spelling fixed per commenter pointing out the difference between rouge
and rogue. I did imply malicious actors not red-cheeked actors (not that they
are mutually exclusive).

~~~
jballanc
There's enough wrong with what the NSA has been doing, and enough reasons to
encourage people to take an interest in how to curtail, or at least better
police, their actions without resorting to tawdry conspiracy theories.

The NSA doesn't "protect" anyone. They are an intelligence agency. Their
mandate is to collect information. The group you're thinking of, the one
that's actually supposed to "protect" the network, is US Cyber Command:
[http://en.wikipedia.org/wiki/United_States_Cyber_Command](http://en.wikipedia.org/wiki/United_States_Cyber_Command)

~~~
nitrogen
"As part of the National Security Presidential Directive 54/Homeland Security
Presidential Directive 23 (NSPD 54), signed on January 8, 2008 by President
Bush, the NSA became the lead agency to monitor _and protect_ all of the
federal government's computer networks from cyber-terrorism." [Emphasis added]

[https://en.wikipedia.org/wiki/NSA#Mission](https://en.wikipedia.org/wiki/NSA#Mission)

~~~
snowwrestler
Yes but their funding is not dependent on how secure RSA tokens are.

NSA did this to advance their mission, not to make a few extra bucks.

~~~
nitrogen
The point is that it advanced the intelligence gathering half of their mission
while seriously compromising the protective half of their mission.

------
lawnchair_larry
Eagerly awaiting tptacek's retraction to his insistence that this was not a
backdoor.

Edit: Never mind, apparently he already did a mere 8 hours ago, replying to my
own comment, shortly before this broke.

[https://news.ycombinator.com/item?id=6941366](https://news.ycombinator.com/item?id=6941366)

~~~
mcphilip
Your reaction to this story was wondering if it can be used to demonstrate
another member of HN being wrong in the past? Petty

~~~
SamReidHughes
When 'tptacek is wrong, he's obnoxiously wrong, _especially_ in his inability
to believe in government misbehavior, and his willingness to denigrate
"message board nerds" on that sort of matter. (See also his attacks on
Greenwald when the Snowden story started.) So personally I was looking forward
to seeing somebody comment about him.

~~~
atmosx
Yeah, I get that a lot too. Also his attitude towards _open source_
cryptography related projects is strange and totally unjustified imho.

~~~
SamReidHughes
He's had a perfectly friendly attitude towards GPG, and in the case of others
you can see ample evidence that his skepticism is justified. Maybe if the open
source cryptography projects you're referring to weren't _bad_ projects then
the attitude would be strange.

------
zepolud
> [...] but RSA said in a statement: "RSA always acts in the best interest of
> its customers [...]

True, you just have to keep in mind that their customer is the NSA.

~~~
blazespin
RSA is thinking they can claim ignorance in the case of the DRBG being weak /
possibly backdoored.

~~~
nathan_long
They were either corrupt or incompetent. This can't look OK for them.

------
rhizome
From the BSAFE product page:

"RSA BSAFE Crypto Kernel offers versions of popular cryptographic algorithms
optimized for both small code size and high performance. _Unlike alternatives
such as open source, our technology is backed by highly regarded cryptographic
experts._ " [emphasis added]

~~~
icambron
Typo; they left out "door".

------
smtddr
> [https://news.ycombinator.com/item?id=6942165](https://news.ycombinator.com/item?id=6942165)
> tptacek: _I am not generally a believer in the theory that NSA actively
> subverts Internet standards† †(my best guess is that the standards NSA was
> actively subverting were about international telephony; subverting the IETF
> is a little like subverting the Linux kernel --- doable, but bad tradecraft)_

Does this count? (Not trying to be sarcastic or a smart-a##.) I just want to
get a handle on what I should or should not trust these days. Seeing that RSA
SecurID VPN dongle pic in the article scared me. I've pretty much been looking
to your comments to give me a baseline.

~~~
guelo
Personally, I think one of the things you can't trust these days are comments
by tptacek.

~~~
napoleond
Either you're insinuating that 'tptacek is a malicious actor, or that he's
incompetent. That's a pretty serious allegation to make without providing any
evidence whatsoever. Do you have any? I'm sure you can dig up a few examples
of things that he said which were incorrect, but very few of those will not
have been followed by a correction at some point, and either way your
insinuations seem to go beyond "being wrong some of the time".

HN is incredibly fortunate to count members like 'tptacek as part of its
community. We should be behaving in ways which encourage _more_ comments and
commenters of his ilk, not less.

~~~
ewoodrich
Unsurprisingly you're already being down-voted. For a community that prides
itself on being rational and home to spirited debate, when it comes to the
NSA, any contrarian opinions (or even alternative perspectives) tend to be
quickly attacked and silenced.

If you read some of the first threads when the NSA revelations broke out,
there are heated discussions with various viewpoints and arguments. Now, it
appears that most of these users have become tired of being instantly
downvoted, and instead avoid these subjects entirely.

I hope that tptacek continues to participate in these security policy
discussions, not only for his extensive domain knowledge, but also because he
is not afraid to voice beliefs that disagree with prevailing opinion. And
right or wrong, it's very refreshing.

~~~
PavlovsCat
> If you read some of the first threads when the NSA revelations broke out,
> there are heated discussions with various viewpoints and arguments.

Always mixed with a steady groan of "enough of NSA stories" and "none of this
is surprising". The heated discussions were in no small part about whether this
was even the problem it was made out to be and whether it should even be
discussed (to this extent).

Not that I agree with downvoting instead of replying, or with bashing tptacek
(Everybody loves telling experts "I told you so". Doesn't make us experts tho
:P), but I don't agree with your narrative either. It's not falsifiable,
anyway. People might just as well have given up on trying to downplay this,
and walked away instead, which would be even worse. Why speculate. Bashing and
downvoting for disagreement without argument sucks either way.

------
undoware
...which is why Theo de Raadt is now suddenly everyone's best friend, despite
his personality. :) OpenSSH and its mother project, OpenBSD, are now all that
is left of our civilization's freedom to think.

Thanks, Theo, for never selling us out; for being such an uncompromising
bastard; for not being like the RSA. May Athena gird you for war against the
Spartans.

~~~
RexRollman
Most of what de Raadt says makes sense and I almost always agree with him, but
he can be an asshole. It has turned a lot of people off, from what I can see.

------
dpratt
I wonder if any of the executives involved with this deal will have a moment
of clarity and make a public statement - "I was directly told by
representatives of the U.S. Government that if we did not take this deal there
would be direct and material consequences for both my company and myself. Here
are the names of the people I met with, here is a log of the meetings. If I am
jailed or in some other fashion publicly discredited through an otherwise
seemingly unrelated matter in the future, you should always remember that I
have made this public statement."

~~~
ye
Think of it from the executive's perspective:

Option A: keep mouth shut, make a shit ton of money

Option B: become a martyr, face prison time

People like Snowden are rare.

~~~
enraged_camel
> People like Snowden are rare.

In all honesty, Snowden is a 30 year old single dude, and as far as I know, he
doesn't have kids. Do you think he would have done what he did if he had a
family to look after?

In my opinion a person's first responsibility is to their family. So yeah, if
you're married (like these executives probably are) and you're facing the
choice between option A and option B, you should absolutely pick option A.

~~~
obstacle1
So the nuclear family combined with a distributed economy is basically a
convenient tool for justifying atrocities of all kinds. Just feeding the kids,
right?

Maybe _not_ having kids is actually the morally correct choice, then?

~~~
bennyg
Don't be a fool. You would let your children go hungry and live a worse life
(directly because of your actions) out of principle? It's not simple. Having a
family can be a beautiful thing. Not having one and spilling the beans on
something morally reprehensible can be too.

~~~
obstacle1
> Don't be a fool.

Classy.

> You would let your children go hungry and live a worse life

No. Read what I wrote. The words are right there.

If the choice is "have children and commit evil to feed them" and "don't have
children and don't commit evil", I choose the former. As should, I think, any
right-thinking person.

The question is probabilistic. What are the chances that the former happens?
What are the chances that the latter happens?

Choose accordingly.

The question is also systemic. There exists the possibility that forces larger
than the individual have decided to normalize the nuclear family (and also
romanticize the vision of having said family) in order to serve evil ends.
What is the probability that that is the case? As time goes on, it looks _far_
more probable than we once thought. People like you think families are _in
themselves_ beautiful. Any means justify the ends of preserving them. Seems
like an _excellent_ tool for keeping a population right where you want them.

Look up the history of the nuclear family. Notice it didn't exist pre-
industrialization. Why's that?

You're taking humans -> have children for granted. I'm arguing _against_ that
dogma. Because as paradoxical as it may sound, it _is_ trite dogma at this
point in wealthy societies. We don't _need_ these additional people, we don't
_need_ this extravagant life. It's not a matter of survival anymore. So what
is it all accomplishing? What's the end?

> Having a family can be a beautiful thing.

For my morality, concerns of beauty don't trump concerns of humanity. If my
having children perpetuates a cycle of exploitation, murder, pain, suffering,
etc. etc. etc, then I don't have children. Regardless of how "beautiful" my
experience of those children may be. It really _is_ that simple.

And if a (wo)man tells me "I just did it to feed my kids" after committing
some reprehensible act, I sympathize, because (s)he made a terrible decision
in having children to start with. But I still condemn him/her.

~~~
vdaniuk
That's a good point actually. Maybe we need more ethical loners without
emotional attachments in positions of power.

~~~
dllthomas
Like a celibate priesthood?

~~~
obstacle1
I here note that one can be sexually active without reproducing. No children
doesn't imply celibacy.

~~~
dllthomas
Certainly the case. Historically, less the case but still the case...

------
salient
The end of RSA (the company)? I find it absurd that a _security_ company no
less, would hear many veteran cryptographers say this is backdoored a decade
ago, and _still_ going ahead and using it - as the default! Who stakes the
whole reputation of their company in the field for a meager $10 million (I
assume RSA was pretty big back then, too)? It's insane.

RSA, much like NIST, cannot, and should not, be trusted any longer. All of
their customers should be warned, and advised to quit them ASAP. Companies
need to learn this is just unacceptable.

~~~
jtbigwoo
Serious question: Is there an alternative? I've never seen a secure fob that
wasn't from RSA.

~~~
ggreer
I like Yubikeys: [https://www.yubico.com/](https://www.yubico.com/). They show
up as a USB keyboard, so you don't have to type the codes in.

There are some disadvantages. Yubikeys use a shared secret instead of public
key crypto. Also, the one-time password is iteration-based, not time-based. On
the bright side, you can program Yubikeys with your own secrets. They may not
be as secure as properly configured RSA tokens, but they're much better than
authing with just a password or client cert.

~~~
beagle3
Yubikey NEO (latest revision) is like the one you already have + a Java Card
that comes with a PGP card app (and supposedly, you can write your own apps).

They don't have a timer like the RSA key fobs, and need a USB or NFC
connection - but are generally very reliable, and given their constraints.

The question, of course, is what reason you have to believe that Yubico (and
for that matter, Gemalto, g10code and the rest) are not similarly in bed with
the NSA.

~~~
apaprocki
Trusting trust :) This is one of, but not the main reasons why we build our
own (Bloomberg B-Unit, PDF is the only good pic I see:
[http://www.bloomberg.com/professional/files/2013/11/b-unit_3...](http://www.bloomberg.com/professional/files/2013/11/b-unit_3_user_guide.pdf))

~~~
PhantomGremlin
Quis custodiet ipsos custodes?

Speaking of "trust", Bloomberg lost quite a lot of it when their reporters
spied on their customers.

Bloomberg Spying Went On For Years After Execs Knew: Report
[http://www.valuewalk.com/2013/08/bloomberg-spying-went-on-
fo...](http://www.valuewalk.com/2013/08/bloomberg-spying-went-on-for-years-
after-execs-knew-report/)

You were probably just as horrified as most of the other employees at
Bloomberg when that info became public. The bad apples cost Bloomberg a lot of
reputation. My point is that "trust" is very elusive, very easy to lose, very
hard to gain.

OTOH, are the "bad apples" at Bloomberg who condoned that behavior still in
positions of power? Did they even get a slap on the wrist? If _I_ were at
Goldman, JPM, Citi, etc. I wouldn't "trust" Bloomberg until I saw some higher
up people fall on their sword for that fiasco.

~~~
a3n
If I were at Goldman et al. I would expect Bloomberg to treat employees that
successfully use underhanded tactics, as business as usual, the same way I
would probably have seen such employees (and maybe myself) treated by my own
organization: "Job well done boys, but you better cool it for awhile. BWA ha
ha ha! Have a cigar and a hooker."

------
dpratt
Perhaps I am not reading the article correctly, but it sounds to me like RSA
products can no longer be trusted.

~~~
bowlofpetunias
No, it sounds like no product from any American company can be trusted as long
as the current regime is in place.

At least that's the message that comes through loud and clear in the rest of
the world.

~~~
tedivm
What makes you think the NSA isn't willing to work with countries outside of
the US, either directly or through another spy agency?

~~~
SideburnsOfDoom
Willing, sure, but probably less able, at least outside of the close allies
like the UK.

~~~
gejjaxxita
Why less able?

~~~
SideburnsOfDoom
Are you seriously asking why a branch of the USA's government has less
power outside of the USA?

~~~
enkephalin
if you consider the fact that the nsa and cia often collaborate closely, and
then look at the amount of influence the cia has often displayed in the past,
towards foreign countries/regimes etc., gejjaxxita's question seems quite
reasonable.

~~~
brdrak
Plus the blackmail opportunities spying affords.

------
fragsworth
The NSA's story about how they need to secretly do these things to fight the
war on terror makes less sense with each new revelation.

Terrorists don't use VPN dongles.

What is really going on here?

~~~
jballanc
Heh...I certainly had a good chuckle at this comment. I don't honestly think
that the NSA ever paid more than lip-service to the "war on terror". They've
been doing the same job since long before Sept. 11, 2001. Before the "war on
terror" it was the "cold war", there just happens to have been an awkward gap
in between...

The NSA is in the business of Signals Intelligence. Their job, plainly stated,
is to have access to _as much_ communication between _non-US_ entities as
humanly possible. What makes their job difficult is that, over the course of
the last few decades, it's become increasingly the case that much of the
communication between non-US entities travels via US-based channels using
technology originated in the US. Somewhere along the line, when forced to
balance "as much communication" and "non-US entities", the NSA clearly chose
in favor of accessing those communications at any cost.

~~~
angersock
This is a very well-put comment.

The core cause there would seem to be sharing comm channels with foreign
actors--the same thing that makes our position with regards to the 'net so
awesome also means that the NSA is kind of forced to get involved closer to
home. It's a tricky tradeoff.

~~~
jballanc
It's the same reason you never see James Bond negotiating with foreign heads
of state. You don't send an assassin to do a diplomat's job. Everything that
is being revealed about the NSA's actions, this buying of influence
especially, is positively reprehensible... _BUT_ it is important to keep an
eye on where the blame really lies: with the people that let their assassins
dictate their foreign policy and domestic priorities.

------
kabdib
Not surprised.

One of the security guys who worked for General Magic (GM made an early mobile
OS with some security features) told me that he had a visit from the NSA. The
NSA tried to get him to leak bits of the keys in the GM protocols. "Just here
and there. I've got dozens of these," said one of the NSA reps.

This would have been early 90s.

The NSA has been doing domestic stuff like this for a long time.

------
raverbashing
$10M? That's a very cheap price for trashing your company's reputation.

More importantly, it confirms that the DRBG is backdoored or at least weak enough
to be subverted.

~~~
tedunangst
"it represented more than a third of the revenue that the relevant division at
RSA had taken in during the entire previous year"

------
yuhong
Lucky Green was the first to mention this:
[http://lists.randombit.net/pipermail/cryptography/2013-Septe...](http://lists.randombit.net/pipermail/cryptography/2013-September/005341.html)

------
vikas5678
"RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to
stop using the NSA formula after the Snowden disclosures revealed its
weakness." \- Just shake my head at this. As news is revealed that all these
companies were complicit, they cry foul and "warn" users? RSA deserves to lose
all international customers who refuse to buy their products because of hidden
backdoors.

~~~
judk
Quite possible that one arm of the company was unaware of the other arm's
actions. Probable, in fact. If most of the company knew of the backdoor, it
would have leaked.

------
bostik
When the news about DUAL_EC_DRBG first came out, RSA defended their actions of
inclusion and _making it a default option_ by stating that it was at the time
a popular choice. Back then I was aghast that a noted security company would
make choices based on pure hipsterism. (My apologies to all hipsters, but in
this case the word is in place.)

This news on the other hand makes it clear that RSA was not only being
incompetent. They were being _actively malicious_. We've already seen
anecdotes in this thread about NSA making house calls to security product
vendors as far back as the 90's, so we must assume they haven't given up that
venue and are still pushing their ideas, as well as pushing the vendors.

With that proof comes something a lot bigger: every single security product
from a US company is now suspect. By logical extension, I will say that
similar paranoia should be applied to all security products from Five Eyes
countries.

The long-term financial fallout should be interesting material for future
chroniclers.

------
mathattack
Shouldn't this destroy RSA as a company? If you're in security, and your
security can't be trusted...

~~~
mcantelon
It should, but AT&T's still in business and their collaboration with the state
to spy on customers has been known for a long time.

~~~
mathattack
AT&T is explicitly selling "we connect you", not "we secure you."

------
midas007
RSA is commercially dead. There's no excuse.

Also, closed-source hardware HSMs are black boxes that are fundamentally
paranoia-inducing. There's no reason to trust that the vendor, supply chain
and/or manufacturers didn't backdoor them or introduce other attack surfaces.
The only way to trust an implementation is to decap a sample of ASICs and match
features against masks you generated... from sources you trust (whether open
source or yours).

If it's a black box, there's no way to trust it (all modern CPUs, N/S-bridge,
memory, flash (SSD), HD controllers, on and on.)

Conclusion: We need more open-source hardware that is production-quality (BSD
licensed)! This would be very expensive in terms of people time, but it's a
necessary move since corporations can't be trusted.

~~~
blazespin
Not necessarily. Organisations which wish to cooperate with the government
(and they are legion) may still consider RSA. Though one wonders if NSA
advised government organisations to avoid RSA. Hmmm.

------
wil421
I use one of these tokens for work. Spying is one thing but destroying
encryption is another evil thing to do. If the NSA has introduced bugs in
crypto then who's to say someone else can exploit the same crypto.

~~~
VladRussian2
i wonder if Snowden has any detailed info on the NSA introduced/forced
backdoors (he obviously was aware about their existence in general like pretty
much everybody in the world who isn't a tptacek's religious follower) and this
or something like this is what keeps him alive - i.e. NSA is afraid of a dead
man's switch while other side(s) hope that Snowden will reveal more and
specifically useful for actual hacking info with time.

~~~
x0x0
so that's the thing that scares me

an nsa official just did an obvious trial-balloon of pardoning snowden in
exchange for return of all the docs [1]

but now that snowden is in russia, you have to assume that many nation-states
have seen all these docs. so really, the nsa is worried that _you and I_ will
see them

fucking amazing

[1] [http://www.theguardian.com/world/2013/dec/15/nsa-edward-
snow...](http://www.theguardian.com/world/2013/dec/15/nsa-edward-snowden-
amnesty-documents)

~~~
a3n
The conditions for the pardon have never made sense, because as I understand
it Snowden has already shared most if not all of his information with at least
Greenwald and Poitras. He no longer has control over what will be shared with
the public.

------
steven2012
Who in their right mind would use an American technology product at this
point? You would be an idiot to think that it wasn't backdoored by the NSA.

~~~
obstacle1
Unfortunately, I think there's still a pretty large market of people who just
don't give a crap about being NSA'd. Nothing to hide, and all of that.

That said, it's individual consumers who are likely to have this
attitude rather than businesses.

------
fiatmoney
Seems like their customers now have an excellent case for commercial fraud
against RSA.

------
andrewcooke
the r in rsa is ron rivest who was responsible for some very elegant ideas.
his papers, that i've read, are generally very simple and clear. but he also
wrote md2 [an old hash, no longer used] which contains some "magic numbers"
that no-one can explain. they are supposed to be derived from pi, but no-one
knows how... [http://crypto.stackexchange.com/questions/11935/how-is-
the-m...](http://crypto.stackexchange.com/questions/11935/how-is-the-md2-hash-
function-s-table-constructed-from-pi) (i even emailed him, but was shrugged
off; i know it's silly and paranoid, but...)

anyway, i wonder what happens now to all the customers that use rsa dongles?
big, international, political organisations...

------
aortega
TLDR: "RSA's contract made Dual Elliptic Curve the default option for
producing random numbers in the RSA toolkit."

Dual_EC_DRBG was a NIST standard.

~~~
throwaway_yy2Di
From the article:

_"RSA adopted the algorithm even before NIST approved it. The NSA then cited
the early use of Dual Elliptic Curve inside the government to argue
successfully for NIST approval, according to an official familiar with the
proceedings."_
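
The comments above keep calling Dual_EC_DRBG a backdoor without saying what the trapdoor actually looks like, so here is an added example (constructed for this discussion, not code from the article, RSA BSAFE or SP 800-90A): a toy model of the Shumow/Ferguson 2007 observation that if the generator's fixed points satisfy P = d*Q, whoever knows d can recover the internal state from two outputs and predict everything after. It swaps secp256k1 in for NIST P-256 and drops 8 output bits instead of the standard's 16 so it runs in seconds in pure Python; the scalar d and the seed are constructed values.

```python
"""Toy model of the Dual_EC_DRBG trapdoor described by Shumow and Ferguson (2007).

Constructed example, not code from RSA BSAFE or SP 800-90A.  Two deliberate
simplifications keep it fast in pure Python: secp256k1 replaces NIST P-256
(p = 3 mod 4 makes square roots one pow call) and 8 output bits are dropped
instead of the standard's 16.  The scalar d and the seed are constructed values.
"""

P_MOD = 2**256 - 2**32 - 977           # secp256k1 field prime
B = 7                                  # curve equation: y^2 = x^3 + 7
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
INF = None                             # point at infinity
DROP_BITS = 8                          # SP 800-90A drops 16 for P-256
OUT_MASK = (1 << (256 - DROP_BITS)) - 1


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 (curve parameter a = 0)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:     # p1 == -p2
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_from_x(x):
    """Lift an x-coordinate to a curve point, or None if x is not on the curve.
    Either root y serves the attack: d*(-R) = -(d*R) has the same x as d*R."""
    rhs = (pow(x, 3, P_MOD) + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)   # square root, valid since p = 3 mod 4
    return (x, y) if y * y % P_MOD == rhs else None


class DualEC:
    """One generate step: s <- x(s*P); r <- x(s*Q); emit r with its top bits cut."""

    def __init__(self, seed, p_point, q_point):
        self.s, self.P, self.Q = seed, p_point, q_point

    def next_output(self):
        self.s = ec_mul(self.s, self.P)[0]
        r = ec_mul(self.s, self.Q)[0]
        return r & OUT_MASK


def make_escrowed_points(d):
    """Q is any base point; P = d*Q.  Whoever knows d holds the trapdoor.
    The standard fixed P and Q without saying how they were generated."""
    q_point = (GX, GY)
    assert (GY * GY - GX**3 - B) % P_MOD == 0, "base point not on curve"
    return ec_mul(d, q_point), q_point


def recover_state(out1, out2, d, q_point):
    """From two consecutive outputs and the trapdoor d, return the generator's
    internal state after out2 was produced (None if no candidate matches)."""
    for hi in range(1 << DROP_BITS):
        x = (hi << (256 - DROP_BITS)) | out1   # guess the dropped bits
        if x >= P_MOD:
            continue
        r_point = point_from_x(x)
        if r_point is None:
            continue
        # r_point is +/- s*Q, so d*r_point = s*(d*Q) = s*P: its x is the next state
        s_next = ec_mul(d, r_point)[0]
        if (ec_mul(s_next, q_point)[0] & OUT_MASK) == out2:
            return s_next
    return None


def trapdoor_demo(seed=0x0123456789ABCDEF, d=0x2B7E151628AED2A6ABF7158809CF4F3C):
    """Recover the state from two outputs and predict the third with a clone."""
    p_point, q_point = make_escrowed_points(d)
    victim = DualEC(seed, p_point, q_point)
    out1, out2, out3 = (victim.next_output() for _ in range(3))
    state = recover_state(out1, out2, d, q_point)
    if state is None:
        return False
    return DualEC(state, p_point, q_point).next_output() == out3
```

The defensive takeaway is the one the thread circles around: a generator whose constants nobody can justify should never be the default, and a trapdoor like this serves anyone who holds d, not only its designer.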

------
dergachev
If it only cost $10m to bribe one of the biggest security companies around,
how much does it cost to bribe a single open source developer who volunteers
on tools like OpenSSL? What if you add blackmail to the mix?

Makes me realize that we need bitcoin-style "hack or bruteforce our encryption
schemes and you can legitimately get paid lots of money" bug bounties.

~~~
pasbesoin
This is why you want some people who are _not_ primarily motivated by money.
(Neither necessarily ascetics.)

In turn, why you want a society where a decent quality of life is not just
obtainable but reliable without an all-consuming level of competition with
others. (E.g. an independent researcher can actually gain access to and
participate in a large and reasonably priced health insurance risk pool. And
where money is not the overriding, if not sole, determination of judicial
proceedings.)

Going _very_ general in my comment, security is both a community effort and a
personal responsibility. The more we "outsource" our own security ("Just trust
us." \-- Three Letter Agencies and private contractors), the more the price
goes up while the quality of the results goes down.

You get the government you pay for, or... if you are more concerned about a
quality, effective government, the government _you participate in_.

Hopefully, the pendulum is beginning to swing back from "pay for" to
"participate in".

~~~
morganherlocker
> In turn, why you want a society where a decent quality of life is not just
> obtainable but reliable without an all-consuming level of competition with
> others.

Is financial instability really a problem for most people qualified for this
type of work? I imagine most of these people are approaching or well within
the 6 figure range and that accepting some sort of bribe would just be icing
on top.

------
somethingnew
Reminds me of [http://xkcd.com/538/](http://xkcd.com/538/) except instead of a
$5 wrench, it was $10 Million and a few handshakes.

------
mrobot
I remember looking over EMC's acquisitions when all of this started breaking.
EMC acquisitions just read like someone building a surveillance system: RSA,
multiple deep packet inspection companies, enterprise clustered postgres,
e-litigation, forensics and threat analysis, Government-risk-analysis... and if
you google around you'll see they kept their investments as secret as they
could.

[https://angel.co/emc](https://angel.co/emc)

EMC bought every single major corporate partner technology in 2009/2010. EMC
is the private honeypot for the entire program. The corporate store is EMC and
only EMC. EMC and EMC ventures can go to hell for building this, knowing about
it, and continually profiting from it. Profit from investment in a partner of
an illegal government program specifically designed to make illegal money from
human rights violations should be considered illegal. All of the major money
behind EMC knew what was going on. If you did a private benefit analysis, it
would be all EMC. Thank you. =)

------
chime
In case you didn't know, EMC bought RSA in 2006. Shutting down RSA just means
re-branding all the products as something else.

------
Bud
Reuters just broke this link. So here's the new one:

[http://www.reuters.com/article/2013/12/21/us-usa-security-
rs...](http://www.reuters.com/article/2013/12/21/us-usa-security-rsa-
idUSBRE9BJ1C220131221)

------
rurban
I believe we heard that some months before already. The biggest problem is
IMHO their libcrypto still being used in Java and MS Windows.

------
summerdown2
From Mikko Hyppönen:

[https://twitter.com/mikko/status/414147944984485889](https://twitter.com/mikko/status/414147944984485889)

"I'm ashamed on behalf of the whole industry."

------
rdl
It's going to be interesting what this does to the RSA Conference in SF 24-28
FEB; I wonder if people will pull out, or what?

I'm looking at how to incorporate this as an example in my talk.

------
mbrameld
> "RSA always acts in the best interest of its customers and under no
> circumstances does RSA design or enable any back doors in our products.
> Decisions about the features and functionality of RSA products are our own."

This means one of two things: Either this is a blatant lie by RSA, or RSA is
not competent enough to evaluate cryptographic algorithms. Neither possibility
paints them in a favorable light.

~~~
a3n
"under no circumstances _does_ RSA bla bla ..."

"Does." Present tense. Doesn't say anything about what happened in the past.
Maybe their contract even included NSA services to launder language to be
plausibly deniable, since that has also emerged as one of the NSA's core
competencies.

------
tommis
This is going to end RSA

~~~
midas007
The reaction from the average IT architect is to just select another vendor
that provides yet another closed-source, blackbox hardware security solution,
backdoored by who knows which government(s) &| other entities. Open source
hardware is (un)fortunately a necessary requirement (verilog/vhdl, firmware
sources and no blackbox SoCs), samples of which are periodically verified by
destructive and nondestructive means. Very, very costly, but doable and raises
confidence.

------
cratermoon
We already knew back in September that this was happening. All this story adds
is details about the actual contract between RSA and NSA.

------
babesh
It's a sad commentary on a lack of ethics in parts of the tech industry. This
industry isn't leading us where we want to go.

~~~
gress
It is taking us towards a libertarian utopia where those with money decide
where we go.

------
socialnerdia
Privacy: Pre-internet term (from Latin: privatus "separated from the rest,
deprived of something, esp. office, participation in the government", from
privo "to deprive") used to describe the ability for human beings to seclude
themselves or information about themselves and thereby reveal themselves
selectively.

------
akulbe
Please forgive my ignorance of these kinds of security issues....

I remember at one point, way back when, it was recommended to use RSA keys
over DSA, when creating an SSH public key. Is this the same algorithm, by
the same company?

Does this mean that SSH can't be trusted if you're using an RSA key, versus
some other type?

~~~
SamReidHughes
No, it doesn't mean that at all. RSA is the same algorithm based on
[https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29](https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29)
as it always was, and it and its use in openssh have received lots of
scrutiny. That the company has the same name is immaterial.

------
yuhong
This reminds me of the MS-Novell deal, which was done in a similar way and has
similar problems.

~~~
judk
But "everyone" agreed it wasn't actually a backdoor. I wonder if that will get
walked back finally.

------
Nelson69
Was this money tax free? How does that sort of thing work?

I hope BSAFE licensees sue. Anyone know of any serious efforts to replace
some of the standard cipher suites in common code? AES -> Serpent, SHA ->
Whirlpool etc...

------
genwin
Wikipedia is updated:
[http://en.wikipedia.org/wiki/RSA_(security_firm)](http://en.wikipedia.org/wiki/RSA_\(security_firm\))

------
gejjaxxita
I'm getting a "Page Not Found" message. Here's another version of the article:
[http://www.reuters.com/article/2013/12/20/us-usa-security-
rs...](http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-
idUSBRE9BJ1C220131220)

~~~
RDeckard
That did not work for me either.

------
middleclick
What implications does this have for RSA?

~~~
wavefunction
Hopefully the end of them. It's the only thing that matters to these
mercenaries...

~~~
PhantomGremlin
I strongly agree.

Crypto is something where reputation is sine qua non. After the 2011 data
breach they lost a lot of it. Now how can anyone trust them ever again?

------
babesh
[http://www.techweekeurope.co.uk/news/rsas-art-coviello-
anony...](http://www.techweekeurope.co.uk/news/rsas-art-coviello-anonymity-
enemy-privacy-130539)

Paid shill

Want to see money flow from federal government to RSA and EMC over time.

------
wgx
What is the likelihood that anyone will face investigation or prosecution over
this?

------
davidmartin
Any European citizen know what is needed for the European Commission for
Competition to put a tariff on American imports so they stop destroying the
European industry by making undeclared and illegal subsidies?

------
primelens
Louis Althusser's coinage of RSA as "Repressive State Apparatus" in _Lenin and
Philosophy_ seems deliciously ironic now.

------
spikels
Goodbye RSA and thanks for all monopolistic practices and shitty products. ALL
CRYPTO SHOULD BE OPEN SOURCE AND PATENT FREE!

------
nnieiss
NIST, NIST, NIST.... wait, aren't those the same guys we were supposed to
trust on the 9/11 commission report....

------
locusm
10M sounds like a downpayment, I don't believe RSA would lay their cred on the
line for such a paltry amount.

------
fantasticfears
So RSA sells its customers for $10 million, and NSA wastes $10 million.

------
w_t_payne
EMC own RSA. We just purchased a bunch of EMC kit. Can we trust it?

------
shocks
Are my RSA PGP keypairs now compromised? How do I tell?

------
ye
I'd love to see a class-action lawsuit.

This shit must be punished.

------
nilved
I don't know anything about RSA as a company. What does this say about RSA as
an algorithm and the company's founders?

------
notdrunkatall
How does this affect the average consumer?

