NSA Paid Security Firm $10M For Backdoor Access

HardOCP News

It is astounding that nothing is still being done about the NSA spying and, adding insult to injury, these multi-million dollar bribes are paid with tax dollars. :(

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
 
I see a big boom in open source. Also, why do you think zero-day exploits exist?
 
Steve, we're too worried what a "reality TV" douche says that we don't have time to try and solve the important stuff.
 
Are they not ashamed of themselves? Wasting millions of dollars like that?
 
I see a big boom in open source. Also, why do you think zero-day exploits exist?

They have moles in the dev teams; that has been known for a while.

we are coming up on a very dangerous period here
 
They have moles in the dev teams; that has been known for a while.

we are coming up on a very dangerous period here

Imagine if Snowden has names of devs from all sorts of companies. Now I can see how NSA considered breaking a deal.
 
I'm just going to let the government plug a chip into my brain and monitor my thoughts so they can rest easy at night. Maybe even have my new futuristic toilet report bowel movements and they can tell me how to improve my diet with their FDA approved GMO foods.

Just trying to do my part, which appears to be perpetually wage enslaved by an overreaching gov.
 
I'm just going to let the government plug a chip into my brain and monitor my thoughts so they can rest easy at night. Maybe even have my new futuristic toilet report bowel movements and they can tell me how to improve my diet with their FDA approved GMO foods.

Just trying to do my part, which appears to be perpetually wage enslaved by an overreaching gov.

At least someone at [H] forums finally gets it. Stop fighting it, just bend over already. :)
 
When Russia's president Putin is jealous and amazed how easily Obama gets away with it, you know something is up.
 
Very little of Snowden's documents have leaked yet. Wait till they get to the ones about Microsoft.
 
Are they not ashamed of themselves? Wasting millions of dollars like that?

They are absolutely convinced that they are doing the right thing in this "war against terror" and smell a terrorist, traitor or heretic every few hundred meters.
 
Don't worry, the Obama administration would never, ever abuse their access to the information in the NSA's archives.
 
The whole Iraq war makes this look like a deal. Fact is, corporations run our government. They'll do whatever the lobbyists say.

The government now works hand in hand with corporations in a mutually beneficial relationship. Look at how many Obama donors got hundreds of millions in funding via federal grants and loan guarantees.
 
RSA is finished after this revelation. There's absolutely no way they can spin this in any positive light. No serious technician working in security will recommend their products and will recommend against them.
 
Am I missing something but when did our government change from "For the people" to this nonsense?

Don't forget your 2nd amendment. It's directly from the abusive nature of governments.
 
Very little of Snowden's documents have leaked yet. Wait till they get to the ones about Microsoft.

Oh man, I can't wait until it is revealed pretty much all computing has been compromised on a hardware level.

Many of these American tech companies are going down. Good for the rest of us.
 
I find this report very anti-American. The NSA is doing all this for our own safety. Hating on what they do is tantamount to wishing us to be unsafe. :p
 
Very little of Snowden's documents have leaked yet. Wait till they get to the ones about Microsoft.

You realize that Microsoft is the one who discovered/published the flaw in the random number generator the NSA is supposed to have paid RSA to use?
 
Also, FWIW, here is an article talking about the flaw:
https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

It is difficult to make sense of what everyone's motives were. The NSA has a better history of letting the public know of flawed algorithms long before anyone in the public is able to discover the flaw. E.g. NSA published SHA-1 to replace SHA about a decade before anyone outside NSA was able to figure out what was wrong with SHA.
 
One thing is for certain...
Ten million dollars for backdoor access is just downright crazy.
No hooker in her right mind charges that!
 
One thing is for certain...
Ten million dollars for backdoor access is just downright crazy.
No hooker in her right mind charges that!

Depends on the quality of the hooker.

If that hooker is used and abused, then yeah sure, snowball's chance in hell.

But if that hooker is worshiped by everyone as clean and pristine (if there's such a thing for a hooker), value goes way up.

RSA is now in the used and abused group, after having found it was secretly in bed with big bro.
 
Nothing new I guess. Just reinforces the "Anybody can be bought for the right price." saying.
 
Steve, we're too worried what a "reality TV" douche says that we don't have time to try and solve the important stuff.

The sad part is that this is so true. All those years we spent in a cold war against communism, and here we are with our own version of the KGB. And all we hear about is what some redneck idiot has to say.
 
I'm just going to let the government plug a chip into my brain and monitor my thoughts so they can rest easy at night. Maybe even have my new futuristic toilet report bowel movements and they can tell me how to improve my diet with their FDA approved GMO foods.

Just trying to do my part, which appears to be perpetually wage enslaved by an overreaching gov.

Battle Angel Alita brain chips come to mind...:p
 
So again we have another he-said, she-said story, alleging secret deals with companies that the companies deny emphatically--the allegations being completely unsubstantiated by anything remotely resembling proof.

IMO, nothing printed on the Internet without solid corroboration and substantiation should be believed for even one second. (BTW, linking to other unsubstantiated rumors is certainly not proof of anything...;)) But this article has no links at all!

Websites like [H] should, imo, be very selective when repeating and linking to "news" stories which have zero attribution to back up their allegations. I think it is kind of a mass-hysteria/panic sort of thing--people notice the fact that the allegations aren't actually substantiated in an article, but are afraid to say anything for fear of the mobs who believe immediately. (Not wanting to be "different" from the mob, etc.)

Best policy: you read an allegation which is not in any way substantiated, reject it instantly as not being worth your time--it is certainly not worth a link. It's amazing these days how often I have to do that personally (no one seems to know what "news" is, anymore.)
 
NSA "How does that feel RSA?"
RSA "Mmm, feels great, keep it up!"


Originally Posted by Abditive
I'm just going to let the government plug a chip into my brain and monitor my thoughts so they can rest easy at night. Maybe even have my new futuristic toilet report bowel movements and they can tell me how to improve my diet with their FDA approved GMO foods.

Just trying to do my part, which appears to be perpetually wage enslaved by an overreaching gov.


 
The backdoor has been known about for years in the security community, but of course anytime someone brought it up everyone else just started talking about "tinfoil hats".
 
Looks like RSA responded with an advisory:

Affected Products:

All versions of RSA BSAFE Toolkits, including all versions of Crypto-C ME, Micro Edition Suite, Crypto-J, Cert-J, SSL-J, Crypto-C, Cert-C, SSL-C.

All versions of RSA Data Protection Manager (DPM) server and clients.


Summary:

RSA is providing guidance on usage of Dual Elliptic Curve Deterministic Random Bit Generation (Dual EC DRBG).


Details:

Due to the debate around the Dual EC DRBG standard highlighted recently by the National Institute of Standards and Technology (NIST), NIST re-opened for public comment its SP 800-90 standard which covers Pseudo-random Number Generators (PRNG). For more information about the announcement see:

http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-A Rev 1 B and C

The ITL Security Bulletin mentioned in this announcement includes the following:

“Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used.”

The currently released and supported versions of the BSAFE libraries (including Crypto-J 6.1.x and Crypto-C ME 4.0.x) and of the RSA DPM clients and servers use Dual EC DRBG as the default PRNG, but most libraries do support other PRNGs that customers can use. We are providing guidance to our customers on how to change the PRNG from the default in their existing implementation.

In the current product documentation, RSA has provided technical guidance for RSA BSAFE Toolkits and RSA DPM customers to change the PRNG in their implementation.

RSA will change the default RNG in RSA BSAFE Toolkits and RSA DPM as appropriate and may update the algorithm library as needed.


Recommendation:

To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual EC DRBG and move to a different PRNG. Technical guidance, including how to change the default PRNG in most libraries, is available in the most current product documentation. In addition to the product documentation, technical guidance, including how to change the default PRNG to another PRNG in most libraries, is also available at (link removed)
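The advisory's recommendation boils down to one engineering rule: never let a crypto library's default PRNG decide for you, and verify at startup which DRBG you actually got. The following is an added illustration of that rule, not RSA's code and not the BSAFE API (the advisory only says guidance is in the product documentation). It uses the JDK's own SP 800-90A DRBG (Java 9 or later) via the standard JCA `SecureRandom` and `DrbgParameters` classes; the `securerandom.drbg.config` security property and the class name `PinnedDrbg` are the assumptions it makes, and the format of `SecureRandom.toString()` for the JDK DRBG is assumed from JDK behaviour rather than guaranteed by the API.

```java
import java.security.DrbgParameters;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.SecureRandomParameters;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class name). Pins the DRBG mechanism explicitly
// instead of trusting whichever generator a provider registers as its default.
public class PinnedDrbg {

    // SP 800-90A mechanisms this application is willing to run on.
    // Dual_EC_DRBG is deliberately not in this list.
    private static final List<String> ACCEPTABLE =
            List.of("Hash_DRBG", "HMAC_DRBG", "CTR_DRBG");

    // Build a SecureRandom whose mechanism, strength and reseed capability are
    // chosen by us and then checked, so a silently changed default cannot go unnoticed.
    public static SecureRandom pinnedDrbg() throws NoSuchAlgorithmException {
        // Assumption: JDK security property "securerandom.drbg.config" selects the
        // built-in DRBG's mechanism; it must be set before the first DRBG is created.
        Security.setProperty("securerandom.drbg.config",
                "HMAC_DRBG,SHA-256,256,pr_and_reseed");

        SecureRandom sr = SecureRandom.getInstance("DRBG",
                DrbgParameters.instantiation(256,
                        DrbgParameters.Capability.PR_AND_RESEED, null));
        verify(sr);
        return sr;
    }

    // Fail closed if the generator is not what we asked for.
    static void verify(SecureRandom sr) {
        if (!"DRBG".equals(sr.getAlgorithm())) {
            throw new IllegalStateException("Expected an SP 800-90A DRBG, got " + sr.getAlgorithm());
        }
        SecureRandomParameters params = sr.getParameters();
        if (!(params instanceof DrbgParameters.Instantiation)) {
            throw new IllegalStateException("DRBG did not report instantiation parameters");
        }
        DrbgParameters.Instantiation inst = (DrbgParameters.Instantiation) params;
        if (inst.getStrength() < 256) {
            throw new IllegalStateException("DRBG strength too low: " + inst.getStrength());
        }
        // Assumption: the JDK DRBG's toString() names its mechanism, e.g.
        // "HMAC_DRBG,SHA-256,256,pr_and_reseed". Reject anything outside the allow-list.
        String desc = sr.toString();
        if (ACCEPTABLE.stream().noneMatch(desc::contains)) {
            throw new IllegalStateException("Unapproved DRBG mechanism: " + desc);
        }
    }

    // Inventory every SecureRandom algorithm each installed provider registers, so an
    // auditor can see at a glance whether a vendor provider still offers an EC-based DRBG
    // and which one would win if the application asked for an unqualified default.
    public static List<String> inventory() {
        List<String> out = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    out.add(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        inventory().forEach(System.out::println);
        SecureRandom sr = pinnedDrbg();
        byte[] iv = new byte[16];
        sr.nextBytes(iv);
        System.out.println("Using " + sr + " from provider " + sr.getProvider().getName());
    }
}
```

The same shape applies to any vendor toolkit: request the mechanism by name rather than calling the library's "give me the default RNG" entry point, read back what the library reports it instantiated, and treat a mismatch as a startup failure rather than a log line. The inventory step is what would have surfaced the situation the advisory describes, a library whose unqualified default was Dual EC DRBG while other PRNGs were available but never selected.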
 