
Sorry, RSA, I'm just not buying it - dmix
https://gist.github.com/0xabad1dea/8101758
======
ChuckMcM
True/sad story. So at Sun when I was building crypto tools for Java I wanted
to be able to use the RSA public key algorithm in the class loader (part of a
capabilities based security system). We negotiated with RSA for a right to use
their patent in Java, which proceeded right up until the final contract came
back (which our lawyer signed but I did not get a chance to review) where the
wording was changed to be a license to BSAFE rather than the patent. Clearly I
wasn't going to put BSAFE into the JVM, I already had an implementation of
their algorithm in Java. There was never a good explanation for how the lawyer
got so "confused" at the last minute and "forgot" to have these changes
reviewed by the engineer leading the project.

Given the sort of shenanigans we've been reading about I would not be
surprised to hear that someone who was neither a Sun nor an RSADSI employee said
"spike this deal".

[edit: clarity]

~~~
pydave
I don't understand your "spike this deal" idiom. I can't make sense of an
analogy to a spiked drink (rufie) or spiked football (scoring a point). The
closest I can find is "spike somebody's guns" meaning "to spoil someone's
plans". Do you mean someone wanted to prevent you from using RSA's patent in
the JVM?

(I initially assumed you meant "force this deal".)

~~~
ChuckMcM
Sorry, it means to 'deny successful execution of the plan'. Originally it meant
spiking gun barrels; a modern example was environmentalists driving spikes into
old-growth redwood trees, which would cause massive damage to a chain saw blade
should a logger try to harvest the tree. Generally doing something which prevents
a deal from actually working to make up for the fact that you were
unsuccessful in preventing the deal from being agreed to in the first place.

~~~
ams6110
Let's get our terms right. Tree-spikers are not environmentalists, they are
vicious extremists. They are terrorists. The spikes don't just damage saw
blades, they send sharp steel shards flying in all directions with the intent
to seriously injure or kill loggers or sawmill workers.

~~~
aaronem
No argument on substance; someone who has no problem maiming or murdering in
order, not even to save the life of a tree, but merely to punish people for
having in some way been associated with a tree's demise, so places himself far
beyond any civilized pale. Such a person deserves at the very least a stiff
term in prison; should he succeed in his vile endeavor, he is best rewarded
with a cigarette, if he wants one, and a nice sunny place to stand and enjoy
it. (In case that's not sufficiently clear, I am talking about execution by
firing squad.)

But you might want to avoid that word 'terrorist'. It tends to give people an
excuse to shut off their brains and feel good about it, where convoluted
rhetoric like mine tends to serve as an attractive nuisance ("I could give up
on this, but then whoever wrote it might look smarter than me") for long
enough to get a point across.

~~~
vdaniuk
Advocating extreme violence (an execution by firing squad) for a group as
a punishment for violence (against tree loggers). Amazing hypocrisy.

~~~
aaronem
Hypocrisy, sir? You astonish me. Is it hypocrisy to suggest that the
punishment for maiming or murder, with the vilest of malice aforethought,
should be judicial execution? -- a life, ended quickly and without suffering,
for a life irrevocably ruined or destroyed in gory, agonizing horror? I think
not!

------
morsch
Not sure if this tidbit made Hacker News -- the OpenSSL project added
Dual_EC_DRBG support at the request of a paying customer:
[http://openssl.6102.n7.nabble.com/Consequences-to-draw-from-...](http://openssl.6102.n7.nabble.com/Consequences-to-draw-from-the-latest-Snowden-revelations-td46453.html#a46455)

They're under NDA and cannot reveal the customer's name. The thread doesn't
say how much the customer paid, does anybody know? A friend told me 600k USD
last night, but I cannot find any sources that back this up.

~~~
ajross
It's worth pointing out that at the scale mentioned, there's no reason that
the "paying customer" had to be The United States National Security Agency. It
was a published algorithm, and OpenSSL is used in countless commercial
projects. It would have been entirely reasonable for one of these to have come
to OpenSSL requesting implementation (albeit as part of a NSA-funded internal
project with a 400% markup), and the request would have seemed entirely
reasonable.

I don't think you can tar the OpenSSL folks with this without much better
evidence.

~~~
gojomo
OTOH, the fact that the delivered code had a bug rendering it unusable
suggests whoever requested it didn't really need to _use_ it – or they'd have
discovered the bug earlier. That's vaguely suggestive the client may have paid
for its inclusion for mere show, or as a favor for another entity.

I wonder: is the client which paid for the non-functional implementation,
which if I understand correctly is now scheduled for deletion rather than fix,
entitled to a refund?

~~~
mst
"Implement ALL the algorithms" sounds like a requirement drafted by somebody
enamoured of the standard rather than by somebody looking at what they were
actually going to use.

"Our product is compatible with all of <impressive sounding standard>" may,
indeed, have been worth the money to the customer even if the value was
marketing rather than technology.

------
salient
NSA didn't need to backdoor DES when they just forced everyone to use weak
keys:

> 1979 - Present, DES: The Data Encryption Standard was altered by the NSA to
> make it harder to mathematically attack but easier to attack via Brute Force
> methods. The original version of DES, called Lucifer, used a block and key
> length of 128-bits and was vulnerable to differential cryptanalysis. NSA
> requested that the already small DES key size of 64-bits be shrunk even more
> to 48-bits, IBM resisted and they compromised on 56-bits. This key size
> allowed the NSA to break communications secured by DES.

[http://ethanheilman.tumblr.com/post/70646748808/a-brief-hist...](http://ethanheilman.tumblr.com/post/70646748808/a-brief-history-of-nsa-backdoors)

This is why any known NSA employee from security standards groups (including
IETF and Trusted Computing Group [1]) must be forbidden to participate in the
making of that standard. Their role there can only be seen as to facilitate
weakening of the standards, either by weakening the algorithms themselves, or
if that's too hard and/or obvious, to convince everyone else to use a weaker
version of it (which NIST kind of tried to do with SHA-3 recently, too).

As long as there's any chance of NSA being involved even remotely in a
security standard, I'm going to lose faith in that whole standard and the
group.

[1] - [http://www.securitycurrent.com/en/writers/richard-stiennon/i...](http://www.securitycurrent.com/en/writers/richard-stiennon/it-is-time-for-the-trusted-computer-group-to-repudiate-the-nsa)

~~~
abadidea
I did consider trying to work in the part where they shortened the keys and
eventually DES became useless because of it, but it was a bit of a diversion
from the salient (heh) reason I put this on the timeline, that they improved
the s-boxes without explanation and that colors any subsequent requests they
made to do similar.

------
jusben1369
I think there are two types of commentators on this issue. Those who've been
involved in negotiating agreements like this and those who haven't. Those who
have can see how something like this happens. Those who haven't cannot believe
how something like this could happen. It's important to remember/realize that
_no one_ , outside a handful of folks, understood what the NSA was up to until
the last 12 months. Heck, at one point not too far back it was probably
prestigious to mention you worked closely with the NSA on developing your
technology. Help you impress a few corporate execs and close some deals.

~~~
Lagged2Death
_It's important to remember/realize that no one, outside a handful of folks,
understood what the NSA was up to until the last 12 months._

There were loads of people - members of the general public, security
researchers, government watchdog types, privacy advocates, crazy conspiracy
nuts, etc. - who very strongly suspected, for good reason, exactly what turned
out to be going on.

ECHELON started in the 1960s. Rumors about it were everywhere by the early
1990s. It became so famous it was featured in pop-culture movies, TV shows,
and video games.

There was at least one good book (note 2005 publication) that showed how it
was possible to piece together some pretty good guesses about what was
happening from unclassified information:

[http://www.amazon.com/Chatter-Dispatches-Secret-Global-Eaves...](http://www.amazon.com/Chatter-Dispatches-Secret-Global-Eavesdropping/dp/1400060346/ref=sr_1_2)

In short, that book argues the NSA was expanding its eavesdropping
capabilities so enormously, so quickly, that the only reasonable target for it
was "everything." There simply weren't enough top-secret, diplomatic, or
encrypted messages to justify the infrastructure devoted to the task; the NSA
had to be developing the ability to listen to absolutely anything it wanted
to.

~~~
runn1ng
Frankly, if somebody had started talking about ECHELON about 1 year ago, I
would immediately have put him into the "9/11 truthers and other conspiracy
theorists" category.

~~~
hornytoad
Instead of revealing your ignorance, you could read up on ECHELON, which was
becoming a bigger issue in Europe already in the 90's, there was an
investigation by the European Parliament in 2000/2001, and coincidentally 9/11
is probably the reason why the US&Britain didn't get to bear the cost at the
time. Now they are (Boeing, CISCO, IBM, ...) and will probably continue to for
some time to come.

~~~
alan_cx
Given the lack of mass outrage, I think people are still in some sort of
denial. Or perhaps it's seen as being too huge to really do anything meaningful
about. In the UK, politicians are still mostly trying to sort of shrug it off.
Even across Europe, there is no real outrage at the fact that the UK, as a
sort of internet EU-to-US hub, is selling out the EU to the US. It's all too
muted for my liking. Can't help thinking that behind the scenes the US is
trying to broker some sort of deal. I dunno, intelligence sharing or whatever.

------
ska
Are EMC/RSA denying that they took money from the NSA? That alone seems
damning, since I can't think of any way that the existence of such a contract
for any stated purpose doesn't undermine the credibility of the company
fatally.

~~~
JoachimSchipper
Really, "implement this, it'll help us get our pet standard through the
process" isn't _that_ unlikely a request to get - standard processes are rife
with shenanigans at the best of times, and more companies/agencies than you'd
hope take part in those.

Also, note that "the NSA is backdooring American crypto" has not always been
considered a likely proposition.

(Of course, all of the above is bad/wrong; it's just not _that_ much worse
than you'd expect. "_That_ much worse than you'd expect" is
[http://en.wikipedia.org/wiki/RSA_Security#Security_breach](http://en.wikipedia.org/wiki/RSA_Security#Security_breach).)

~~~
ska
Sure, it's exactly the sort of request you would expect.

It's also exactly the sort of request you need to stay well shut of if you
want credibility as a crypto provider to business and consumers. Any
interactions with agencies like the NSA taint you, regardless of the intent.
By their very nature they are suspect in this context.

------
diminoten
I don't think the, "We trusted the NSA" explanation makes them look stupid or
negligent. This article does reference the fact that people are now
retroactively claiming understanding of some of these revelations, but I think
the writer forgets that this might apply to him as well.

NOW it makes perfect sense to see how terrible this is, but we haven't always
just blatantly assumed the NSA was out to get us. They used to not have the
worst reputation in the world in the security community, right? I'm not the
best authority for this, but from what I could gather they played a kind of
spooky-but-helpful role prior to the Snowden leaks in the intelligence
community - that is, you could generally _trust_ they were thought to have the
community's best interest at heart, even if they couldn't say why.

~~~
rz2k
"It's not true. It's not true. It's not true.

"...

"It's old news."

I'm loosely quoting a source I can't remember, but I think it was ridiculing a
repeated tactic of some candidate. It's a dynamic that seems to play out a lot
if you know to look for it in issues that involve a lot of public relations
games.

I think you are right to emphasize how little we remember of when we learned
what. That's why the above tactic works so well. It lets politicians dance
around their tactical mistakes and change positions without undermining their
own base. It is also how disingenuous people are now able to talk about
"welcoming debate" and have a large portion of the population perceive this as
advocating some reasonable middle ground.

~~~
a3n
"It's not true. It's not true. It's not true.

"...

"It's old news."

Anyone older than 22 or so who doesn't recognize that as a time-worn and
common tactic hasn't been thinking critically.

~~~
alttab
Not sure why this continues to work myself.

~~~
a3n
I think people get into rhythms and follow the script they've learned. This
plays out in the large and in the small. We've all probably had multiple
arguments where A says one thing, and B automatically retorts in defense
rather than thinking about what we're talking about or even just letting it
go. I think a lot of marriages run like that.

People unfortunately think a well spoken response is the same as a truthful
response. If the PR flack or representative or CEO seems otherwise calm and
unflustered - smooth - then that serves the "reasonable response and
explanation" part of that scenario's script.

We are very, very easily led.

------
VLM
"As a bonus, all the other algorithms are apparently faster and that’s
generally a desirable property."

I apologize for discussing a technical topic in what's likely to be a political
crypto-rage flamewar, but I've been digesting some thoughts about this and the
figure of merit of processing required per bit of randomness is probably
interesting, in that for a given set of professional grade RNGs (not
algorithms implemented by idiots) the more processing required to generate a
bit of randomness, the more likely it is someone's sticking a nasty backdoor
in.

Or rephrased the more time you spend sticking magic "nothing up my sleeves"
constants into a bit, the more likely something unpleasant is getting stuck in
there.

(edited to add: I'm talking about "real" RNGs, not implying the world's simplest,
shortest LFSR is magically better than a real RNG just because it's really
fast... I'm talking about more "in class" performance comparisons than joke vs
real.)

~~~
Guvante
It depends on what you are talking about, sometimes you want a slow protocol,
since it makes bruteforcing the original value more complicated.

I can't wrap my head around why that would matter for a PRNG, but it sometimes
does have value.

~~~
ogreyonder
And that's exactly what had everyone else scratching their heads, too!

There are plenty of slow random number generators. They're easily built from
cryptographic hash functions [1]. Heck, use something like Bcrypt as your hash
and you can get as many seconds per number as you like. The reason we don't
use them even though they work perfectly well is that they are too slow.

The challenge is making a fast PRNG that maintains the properties of
cryptographic randomness. That's why everyone was so confused with dual EC.

[1]
[http://en.wikipedia.org/wiki/Cryptographic_hash_function#Use...](http://en.wikipedia.org/wiki/Cryptographic_hash_function#Use_in_building_other_cryptographic_primitives)
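The hash-built generators mentioned here are the part of NIST SP 800-90A that sits beside Dual_EC_DRBG. As an added example (not code from the page or from any project it discusses), this is a straightforward Python implementation of HMAC_DRBG from that standard; the seed bytes in demo() are constructed for illustration, and hash_name is a parameter so the cost of one output block follows whichever hash is plugged in.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC_DRBG as specified in NIST SP 800-90A, section 10.1.2.

    Any approved hash can be plugged in; the hash's output length (outlen)
    sets the sizes of the internal state values K and V.
    """

    RESEED_INTERVAL = 1 << 48  # SP 800-90A cap on generate calls between reseeds

    def __init__(self, entropy: bytes, nonce: bytes = b"",
                 personalization: bytes = b"", hash_name: str = "sha256"):
        self._hash = hash_name
        outlen = hashlib.new(hash_name).digest_size
        # Instantiate: K = 0x00..00, V = 0x01..01, then fold in the seed material.
        self._k = b"\x00" * outlen
        self._v = b"\x01" * outlen
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    def _mac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, self._hash).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: derive new K and V from the current state and input.
        self._k = self._mac(self._k, self._v + b"\x00" + provided_data)
        self._v = self._mac(self._k, self._v)
        if not provided_data:
            return
        self._k = self._mac(self._k, self._v + b"\x01" + provided_data)
        self._v = self._mac(self._k, self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        self._update(entropy + additional_input)
        self._reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        if self._reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = bytearray()
        while len(out) < num_bytes:
            self._v = self._mac(self._k, self._v)  # one HMAC per outlen bytes
            out += self._v
        self._update(additional_input)  # refresh K and V after each request
        self._reseed_counter += 1
        return bytes(out[:num_bytes])


def demo() -> dict:
    # Constructed seed values for illustration only; a real instantiation
    # draws its entropy from the OS (os.urandom) or a hardware source.
    seed = bytes(range(32))
    a = HmacDrbg(seed, nonce=b"nonce", personalization=b"demo")
    b = HmacDrbg(seed, nonce=b"nonce", personalization=b"demo")
    first_a, first_b = a.generate(48), b.generate(48)
    second_a = a.generate(48)
    c = HmacDrbg(bytes(32))  # different entropy gives a different stream
    return {
        "deterministic": first_a == first_b,
        "advances": first_a != second_a,
        "seed_dependent": c.generate(48) != first_a,
        "length": len(first_a),
    }
```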

------
mrobot
Here's a question: Do we think Snowden is intentionally misleading us to
attack RSA and EMC, or that he's actually releasing as little information as
he can to get us on the right track toward fixing things? Why would this
particular piece of information be selected if it was not a real problem?

~~~
mikevm
I'm tired of having to correct people on this, but here goes: Snowden is not
leaking anything anymore. He leaked most of the documents he had to some
selected journalists a long time ago and it is now up to them to analyze them
and responsibly report whatever interesting information there is to be learned
from them.

~~~
mrobot
Thank you for clarifying, Mike.

Deciding what is responsible is likely a coordinated effort. I think the same
argument applies. Do we think someone might be being irresponsible here?
Sensationalism, or real problem?

~~~
willows
Yeah, I'm not too knowledgeable about the whole situation, but I wish Snowden
had leaked the documents to the public. It sucks having to trust the press.
Assumedly if Snowden didn't like how they were handling it he'd step in in
some way, though.

~~~
salient
If he did, they'd just yell that he put everyone in life-threatening danger,
like they did with Manning and also Wikileaks. I guess he wanted to avoid that
level of accusations, although people like Mike Rogers still say that about
him anyway:

[http://www.techdirt.com/articles/20131223/02311625673/rep-mi...](http://www.techdirt.com/articles/20131223/02311625673/rep-mike-rogers-goes-national-tv-to-lie-about-nsa-programs-snowden.shtml)

~~~
wiml
A post by Greenwald on the subject of "dump it all" vs. "vet and dribble":

[http://utdocuments.blogspot.com.br/2013/12/questionsresponse...](http://utdocuments.blogspot.com.br/2013/12/questionsresponses-for-journalists.html)

------
RSAInsecurity
We're responding to our valued customers as fast as we can over on Twitter.
[https://twitter.com/RSAInsecurity](https://twitter.com/RSAInsecurity)

~~~
alan_cx
$10M says the NSA is a valued customer.

------
PaulHoule
Note up until this transition around 2001 the NSA was focused on controlling
the key length of cryptography available.

They gave up on that and chose to focus instead on stealing the keys.

~~~
alan_cx
Is this to do with when a certain strength of cryptology was categorised as a
weapon and therefore not allowed to be exported from the USA? Does this mean
that that was relaxed because the NSA, or whoever, eventually got a back door
or whatever?

~~~
PaulHoule
Yes.

It wasn't just a matter of one "back door" but a matter of knowing that (1)
people usually use codes incorrectly or screw up the key management and (2) if
you give them a little help the key management will always be screwed up.

------
davidgerard
tl;dr point by point on why RSA's press statement makes them lying liars who
lie, and that they were wilfully negligent from 2007-2013 _at the very least._

~~~
macspoofing
I really needed someone to summarize the article in one sentence (who has time
to read more than one) and at the same time editorialize. Now I don't have to
read the article or reason. Super convenient. Thanks!

------
chris_wot
What did you expect? RSA got purchased by EMC in 2006. That's the kiss of
death in terms of any semblance of ethics. Someone in EMC would have known
about this and swayed decision making.

------
uptown
And the stock-market shrugged.

[https://www.google.com/finance?q=NYSE:EMC](https://www.google.com/finance?q=NYSE:EMC)

~~~
MichaelGG
EMC bought RSA for $2bn. With a market cap of $51BN, why would you expect RSA
to be a major component? The $10M NSA payment was apparently 30% of that
particular RSA group's revenue.

And even if RSA was standalone, should we expect a major impact on the
company's sales? It's not like Wells Fargo is going to stop using RSA keyfobs
because of this. Although I admit I don't know where most of their income
comes from.

~~~
marcosdumay
> why would you expect RSA to be a major component?

Now that everything is public, would you choose to trust your data to EMC
hardware and software?

~~~
MichaelGG
I highly doubt that, at the level at which EMC's deals take place, this news will
have much impact. Only once have I tried to deal with RSA, and their software
was so difficult to use (this was around 2006), there's no way we'd choose it
on technical merits.

And something RSA did before EMC bought them doesn't really have any impact on
EMC or VMware anyway.

------
crystaln
"we continued to rely upon NIST as the arbiter of that discussion"

This seems like a reasonable position to me, but I'm not in the field. Can
someone tell me why it's not reasonable, in the face of all sorts of theories
and suspicions being thrown about, to rely on the leading standards body as to
whether the algorithm is flawed?

------
nullc
> assume it was publicly documented at the time that BSAFE defaulted to Dual
> EC

Was it? Before it was revealed to be the BSAFE default I was going around
saying that no one would have chosen to use it anyway, so it was probably a
pretty ineffectual backdoor except if it ever was an option for a downgrading
attack.

------
atmosx
That's a dead corp imho. Do we have any famous customer list floating
around?

~~~
wavefunction
We use RSA tokens at the financial institution I work for. I'll be checking in
with our CTO tomorrow (was out sick today) to see about removing them from our
systems.

------
ozten
With a quarterly income of $587 million in Q2 of 2012, isn't 10 million
dollars "chump change" for EMC? Perhaps it's more of a lubricant for the
larger picture of deals and pressures.

~~~
drig
I worked for RSA back in the 1990s. Back then at least, the sales staff's pay
was based heavily on commission. It had a sliding structure that meant that
people who sold more got a higher percentage. $10m might not have been a lot
to EMC, but to the sales guy it probably meant over $50k, maybe over $100k.
That one sale alone would have blasted him/her past the quota and bumped up
the commission percentage.

------
aaronchriscohen
NSA deserves an award for accomplishing this for just $10 million.

------
thearn4
Kind of odd: this seems like something better suited to a blog post than a
Gist.

~~~
abadidea
My blog has been accruing more personal things and whiny rants lately. I
decided to separate this from my doubtlessly profound philosophical ramblings
about the meaning of life and Skyrim. All in all, a list of markdown gists is
just about as functional as tumblr...

~~~
idan
Which is why I made gist.io:

[http://gist.io/8101758](http://gist.io/8101758) (the OP's content, but nicely
formatted for reading on any size screen, and with attention to typographic
detail.)

------
onedev
What if we literally didn't buy it?

