NSA & RSA

NSA & RSA...

...Jim Thompson

--
| James E.Thompson                                 |    mens     | 
| Analog Innovations                               |     et      | 
Reply to
Jim Thompson

Yup, figures. Of course the article claims that the only backdoor is in the RNG, which is sort of hard to believe, given past performance.

comp.risks is a good read on all this sort of stuff.

Cheers

Phil Hobbs

Reply to
Phil Hobbs

"But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks."

The Stasi would be proud. No, check that--jealous. Orwell would wet himself.

Benjamin Franklin warned us about crap like this.

James Arthur

Reply to
dagmargoodboat

On Sat, 21 Dec 2013 09:47:34 -0800 (PST), snipped-for-privacy@yahoo.com Gave us:

As did men like John Adams.

Reply to
DecadentLinuxUserNumeroUno

--
And David Eisenhower: 

http://www.youtube.com/watch?v=8y06NSBBRtY 
Reply to
John Fields


You gotta fight the power.

Reply to
miso

Classic.

Reply to
dagmargoodboat

Y'ever think, of all the shit you DO know, how much is out there you DON'T know ?

Reply to
jurb6006

If we knew that, the answer to your question would be "zero."

Cheers, James Arthur

Reply to
dagmargoodboat

I suppose this will be the end of RSA. You can never trust them again because they are susceptible to bribery. If they don't deliver secure software they are useless. All users of Bsafe should sue them.

Reply to
tuinkabouter

My point of view has always been... there is NO code that is uncrackable... thus do not E-mail anything you want to be absolutely private. Likewise cellphone conversations or text messages. So NSA can listen in all they want... the most technical discussion they'll catch will be me helping my 13 year old granddaughter with her Algebra homework ;-) ...Jim Thompson

Reply to
Jim Thompson

Thanks JF!

Once the religious, the hunted and weary
Chasing the promise of freedom and hope
Came to this country to build a new vision
Far from the reaches of Kingdom and pope
Like good Christians some would burn the witches
Later some got slaves to gather riches

But still from near and far to seek America
They came by thousands, to court the wild
But she just patiently smiled and bore a child
To be their spirit and guiding light

And once the ties with the crown had been broken
Westward in saddle and wagon it went
And till the railroad linked ocean to ocean
Many the lives which had come to an end
While we bullied, stole and bought a homeland
We began the slaughter of the red man

But still from near and far to seek America
They came by thousands to court the wild
But she just patiently smiled and bore a child
To be their spirit and guiding light

The Blue and Grey they stomped it
They kicked it just like a dog
And when the war was over
They stuffed it just like a hog

And though the past has its share of injustice
Kind was the spirit in many a way
But its protectors and friends have been sleeping
Now it's a monster and will not obey

The spirit was freedom and justice
And its keepers seemed generous and kind
Its leaders were supposed to serve the country
But now they won't pay it no mind
Cause the people grew fat and got lazy
Now their vote is a meaningless joke
They babble about law and order
But it's all just an echo of what they've been told

Yeah, there's a monster on the loose
It's got our heads into the noose
And it just sits there watchin'

The cities have turned into jungles
And corruption is stranglin' the land
The police force is watching the people
And the people just can't understand
We don't know how to mind our own business
'Cause the whole world's got to be just like us
Now we are fighting a war over there
No matter who's the winner we can't pay the cost

'Cause there's a monster on the loose
It's got our heads into the noose
And it just sits there watchin'

America, where are you now
Don't you care about your sons and daughters
Don't you know we need you now
We can't fight alone against the monster

America, where are you now
Don't you care about your sons and daughters
Don't you know we need you now
We can't fight alone against the monster

America...America...America...America...

Reply to
Greegor


20131220 Exclusive: Secret contract tied NSA and security industry pioneer

By Joseph Menn

SAN FRANCISCO Fri Dec 20, 2013 5:07pm EST

Photo caption: A National Security Agency (NSA) data gathering facility is seen in Bluffdale, about 25 miles (40 km) south of Salt Lake City, Utah, December 16, 2013. Jim Urquhart/

(Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.

RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own." The NSA declined to comment.

The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using "commercial relationships" to advance that goal, but did not name any security companies as collaborators.

The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that "encryption is an essential basis for trust on the Internet," and called for a halt to any NSA efforts to undermine it.

Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred.

But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance.

"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.

STORIED HISTORY

Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people.

At the core of RSA's products was a technology known as public key cryptography. Instead of using the same key for encoding and then decoding a message, there are two keys related to each other mathematically. The first, publicly available key is used to encode a message for someone, who then uses a second, private key to reveal it.

From RSA's earliest days, the U.S. intelligence establishment worried it would not be able to crack well-engineered public key cryptography. Martin Hellman, a former Stanford researcher who led the team that first invented the technique, said NSA experts tried to talk him and others into believing that the keys did not have to be as large as they planned.

The stakes rose when more technology companies adopted RSA's methods and Internet use began to soar. The Clinton administration embraced the Clipper Chip, envisioned as a mandatory component in phones and computers to enable officials to overcome encryption with a warrant.

RSA led a fierce public campaign against the effort, distributing posters with a foundering sailing ship and the words "Sink Clipper!"

A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying. Some companies say that is just what has happened in the wake of the Snowden disclosures.

The White House abandoned the Clipper Chip and instead relied on export controls to prevent the best cryptography from crossing U.S. borders. RSA once again rallied the industry, and it set up an Australian division that could ship what it wanted.

"We became the tip of the spear, so to speak, in this fight against government efforts," Bidzos recalled in an oral history.

RSA EVOLVES

RSA and others claimed victory when export restrictions relaxed.

But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks.

RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to concentrate on VeriSign, a security certificate company that had been spun out of RSA. The elite lab Bidzos had founded in Silicon Valley moved east to Massachusetts, and many top engineers left the company, several former employees said.

And the BSafe toolkit was becoming a much smaller part of the company. By 2005, BSafe and other tools for developers brought in just $27.5 million of RSA's revenue, less than 9% of the $310 million total.

"When I joined there were 10 people in the labs, and we were fighting the NSA," said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. "It became a very different company later on."

By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers.

New RSA Chief Executive Art Coviello and his team still wanted to be seen as part of the technological vanguard, former employees say, and the NSA had just the right pitch. Coviello declined an interview request.

An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institutes of Standards and Technology as one of four acceptable methods for generating random numbers. NIST's blessing is required for many products sold to the government and often sets a broader de facto standard.

RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.

RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

"The labs group had played a very intricate role at BSafe, and they were basically gone," said labs veteran Michael Wenocur, who left in 1999.

Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula "can only be described as a back door."

After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator.

But unlike the Clipper Chip fight two decades ago, the company is saying little in public, and it declined to discuss how the NSA entanglements have affected its relationships with customers.

The White House, meanwhile, says it will consider this week's panel recommendation that any efforts to subvert cryptography be abandoned.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCool)

Posted under the FAIR USE exceptions to US copyright law. Non-profit and for the purpose of discussion.
Reply to
Greegor
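
The article above says only that the Dual Elliptic Curve generator (Dual_EC_DRBG, the NIST SP 800-90A algorithm it refers to) carried a "back door" in the choice of its constants. The following added example, written for this thread and not code from Reuters, RSA or BSafe, shows the mechanism on a toy curve: the generator publishes two points P and Q, and anyone who knows the scalar d with P = d*Q can turn a single output into the generator's next internal state and predict everything that follows. The curve (y^2 = x^3 + x + 1 over F_23), the points, the trapdoor value d = 5 and the seed are constructed for illustration; the real generator uses a 256-bit NIST curve and truncates the top 16 bits of each output, which only costs the attacker a 2^16 brute force per output.

```python
# Toy Dual EC DRBG with a trapdoor, on the textbook curve y^2 = x^3 + x + 1 over F_23.
# Constructed example: curve, points, scalars and seed are illustrative and far too
# small for real use; they are chosen so the arithmetic runs instantly and by hand.

P_MOD = 23      # field prime
A, B = 1, 1     # curve coefficients
INF = None      # point at infinity


def ec_add(p1, p2):
    """Group law on the short Weierstrass curve, affine coordinates."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def x_coord(pt):
    if pt is INF:
        raise ValueError("hit the point at infinity; the toy curve is too small for this seed")
    return pt[0]


def lift_x(x):
    """All curve points with the given x. p = 23 is 3 mod 4, so sqrt(v) = v^((p+1)/4)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs:
        return []                                    # non-residue: no point has this x
    return [(x, y), (x, (-y) % P_MOD)]


# The two public constants. The standard just hands them down; here Q = 3*G and
# P = 15*G = 5*Q, so whoever generated them knows d = 5 with P = d*Q. That d is the trapdoor.
G = (0, 1)                       # generates the whole group of 28 points
Q = ec_mul(3, G)
P = ec_mul(15, G)
TRAPDOOR_D = 5
assert ec_mul(TRAPDOOR_D, Q) == P


def dual_ec_outputs(seed, n):
    """Honest generator: r = x(s*P), output x(r*Q), next state s = x(r*P).
    (The real generator also drops the top 16 bits of each output; this toy does not.)"""
    s = seed
    out = []
    for _ in range(n):
        r = x_coord(ec_mul(s, P))
        out.append(x_coord(ec_mul(r, Q)))
        s = x_coord(ec_mul(r, P))
    return out


def recover_state(output, d):
    """Trapdoor attack: lift the output to the points +-(r*Q), multiply by d to get
    +-(r*P), and read off its x, which is the generator's next state. Both signs give
    the same x, so there is a single candidate when nothing is truncated."""
    return sorted({x_coord(ec_mul(d, pt)) for pt in lift_x(output)})


def predict_from_output(output, d, n):
    """Given one observed output and the trapdoor, predict the next n outputs."""
    return [dual_ec_outputs(s, n) for s in recover_state(output, d)]


if __name__ == "__main__":
    observed = dual_ec_outputs(seed=7, n=6)
    print("generator outputs:", observed)
    print("attacker's prediction after seeing only the first output:",
          predict_from_output(observed[0], TRAPDOOR_D, 5))
```

The point the article's sources make, that the constants were "portrayed as a secure technological advance", is exactly what this hides: P and Q look like arbitrary public points, and nobody who does not hold d can tell a trapdoored pair from a random one. The only defence is to generate the points yourself (or not use the algorithm), which is why the later advice was to stop using it rather than to patch it.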

With the resources of the NSA you would think the Feds could enforce the do not call list. I say put the NSA to work on that!

Mark

Reply to
makolber

What's with the Do Not Call List crap.

If a thief knocks on your door, do you say "Oh, I don't allow you here" and does he say "OK" and leave?

The "Do Not Call List" was "The Tail that Wagged the Dog".

Congress did something for the benefit of the public good, their job was done.

Whether it was good or not, their job was done.

hamilton

Reply to
hamilton

I'm sure the NSA and the military could come up with an effective solution using drones

-Lasse

Reply to
Lasse Langwadt Christensen

My, my, I think we have a teabagger, here.

Reply to
krw

Well, except in certain circumstances, they are supposed to delete the info once the transaction is cleared through the payment processor. That should happen daily, at the longest. The Payment Card Industry has tons of standards documents on how to comply with all that stuff. But, an outfit like Target could lose millions of $ if a computer crashed and lost all the info on charges that hadn't completed yet, so they want to keep the data until they are sure it has cleared the payment processor.

Most likely, this stolen info problem is like a few others, where unauthorized software was installed on Target's servers and was intercepting the credit card data and sending it in batches to the criminals. So, Target doesn't need to store the info, just pass it from their back room servers to their payment gateway, for it to be intercepted by the crook's programs. That's what happened at our local grocery chain. They are required to keep their server very secure, and use it only for credit transaction work. But, they apparently used it as the central computer in the store, and had people using it to log on to merchant's web sites to order new stock. Somebody likely checked a few web sites and let a virus in, then POW, the crooks were able to log in and compromise the security.

The TJ Maxx incident was different, stripe reading devices were affixed to the credit card readers in the stores, left in place for some time, and then retrieved by the crooks to harvest the recorded stripe data.

Jon

Reply to
Jon Elson

Oops, sorry, the TJ Maxx breach was also a computer server breach. Not sure what incident was the rather large one with the stripe readers added to the terminals.

Reply to
Jon Elson
