NSA & RSA...
...Jim Thompson
-- James E. Thompson | Analog Innovations
Yup, figures. Of course the article claims that the only backdoor is in the RNG, which is sort of hard to believe, given past performance.
comp.risks is a good read on all this sort of stuff.
Cheers
Phil Hobbs
"But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks."
The Stasi would be proud. No, check that--jealous. Orwell would wet himself.
Benjamin Franklin warned us about crap like this.
James Arthur
On Sat, 21 Dec 2013 09:47:34 -0800 (PST), snipped-for-privacy@yahoo.com Gave us:
As did men like John Adams.
-- And David Eisenhower: http://www.youtube.com/watch?v=8y06NSBBRtY
You gotta fight the power.
Classic.
Y'ever think, of all the shit you DO know, how much is out there you DON'T know ?
If we knew that, the answer to your question would be "zero."
Cheers, James Arthur
I suppose this will be the end of RSA. You can never trust them again because they are susceptible to bribery. If they don't deliver secure software they are useless. All users of Bsafe should sue them.
My point of view has always been... there is NO code that is uncrackable... thus do not E-mail anything you want to be absolutely private. Likewise cellphone conversations or text messages. So NSA can listen in all they want... the most technical discussion they'll catch will be me helping my 13 year old granddaughter with her Algebra homework ;-) ...Jim Thompson
-- James E. Thompson | Analog Innovations
Thanks JF!
By Joseph Menn
SAN FRANCISCO Fri Dec 20, 2013 5:07pm EST

Photo caption: A National Security Agency (NSA) data gathering facility is seen in Bluffdale, about 25 miles (40 km) south of Salt Lake City, Utah, December 16, 2013. Jim Urquhart/Reuters

(Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called BSafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.

RSA, now a subsidiary of computer storage giant EMC Corp, urged customers to stop using the NSA formula after the Snowden disclosures revealed its weakness.

RSA and EMC declined to answer questions for this story, but RSA said in a statement: "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

The NSA declined to comment.

The RSA deal shows one way the NSA carried out what Snowden's documents describe as a key strategy for enhancing surveillance: the systematic erosion of security tools. NSA documents released in recent months called for using "commercial relationships" to advance that goal, but did not name any security companies as collaborators.

The NSA came under attack this week in a landmark report from a White House panel appointed to review U.S. surveillance policy. The panel noted that "encryption is an essential basis for trust on the Internet," and called for a halt to any NSA efforts to undermine it.

Most of the dozen current and former RSA employees interviewed said that the company erred in agreeing to such a contract, and many cited RSA's corporate evolution away from pure cryptography products as one of the reasons it occurred.

But several said that RSA also was misled by government officials, who portrayed the formula as a secure technological advance.

"They did not show their true hand," one person briefed on the deal said of the NSA, asserting that government officials did not let on that they knew how to break the encryption.

STORIED HISTORY

Started by MIT professors in the 1970s and led for years by ex-Marine Jim Bidzos, RSA and its core algorithm were both named for the last initials of the three founders, who revolutionized cryptography. Little known to the public, RSA's encryption tools have been licensed by most large technology companies, which in turn use them to protect computers used by hundreds of millions of people.

At the core of RSA's products was a technology known as public key cryptography. Instead of using the same key for encoding and then decoding a message, there are two keys related to each other mathematically. The first, publicly available key is used to encode a message for someone, who then uses a second, private key to reveal it.

From RSA's earliest days, the U.S. intelligence establishment worried it would not be able to crack well-engineered public key cryptography. Martin Hellman, a former Stanford researcher who led the team that first invented the technique, said NSA experts tried to talk him and others into believing that the keys did not have to be as large as they planned.

The stakes rose when more technology companies adopted RSA's methods and Internet use began to soar. The Clinton administration embraced the Clipper Chip, envisioned as a mandatory component in phones and computers to enable officials to overcome encryption with a warrant.

RSA led a fierce public campaign against the effort, distributing posters with a foundering sailing ship and the words "Sink Clipper!"

A key argument against the chip was that overseas buyers would shun U.S. technology products if they were ready-made for spying. Some companies say that is just what has happened in the wake of the Snowden disclosures.

The White House abandoned the Clipper Chip and instead relied on export controls to prevent the best cryptography from crossing U.S. borders. RSA once again rallied the industry, and it set up an Australian division that could ship what it wanted.

"We became the tip of the spear, so to speak, in this fight against government efforts," Bidzos recalled in an oral history.

RSA EVOLVES

RSA and others claimed victory when export restrictions relaxed.

But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks.

RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to concentrate on VeriSign, a security certificate company that had been spun out of RSA. The elite lab Bidzos had founded in Silicon Valley moved east to Massachusetts, and many top engineers left the company, several former employees said.

And the BSafe toolkit was becoming a much smaller part of the company. By 2005, BSafe and other tools for developers brought in just $27.5 million of RSA's revenue, less than 9% of the $310 million total.

"When I joined there were 10 people in the labs, and we were fighting the NSA," said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. "It became a very different company later on."

By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers.

New RSA Chief Executive Art Coviello and his team still wanted to be seen as part of the technological vanguard, former employees say, and the NSA had just the right pitch. Coviello declined an interview request.

An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institute of Standards and Technology as one of four acceptable methods for generating random numbers. NIST's blessing is required for many products sold to the government and often sets a broader de facto standard.

RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.

RSA's contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

"The labs group had played a very intricate role at BSafe, and they were basically gone," said labs veteran Michael Wenocur, who left in 1999.

Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula "can only be described as a back door."

After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator.

But unlike the Clipper Chip fight two decades ago, the company is saying little in public, and it declined to discuss how the NSA entanglements have affected its relationships with customers.

The White House, meanwhile, says it will consider this week's panel recommendation that any efforts to subvert cryptography be abandoned.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCool)

Posted under the FAIR USE exceptions to US copyright law. Non-profit and for the purpose of discussion.

With the resources of the NSA you would think the Feds could enforce the do not call list. I say put the NSA to work on that!
Mark
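The "flawed formula" the article keeps referring to can be made concrete. The toy below is an added illustration, not code from the article, from RSA's BSafe or from the NIST specification. It runs the Dual EC generate step on a small constructed curve, y^2 = x^3 + 2x + 3 over GF(1019), with the two published points related by P = d*Q for a secret d. Whoever holds d takes one published output block, undoes the truncation by brute force, multiplies the recovered point by d and lands on the generator's next internal state; every later block is then predictable. The curve, the points, the secret d = 613 and the seed 4711 are all constructed values. The real generator works on a 256-bit curve and drops 16 bits per block rather than 2, which changes the brute-force cost but not the structure.

```python
"""Toy Dual EC DRBG with a planted trapdoor (constructed illustration)."""

p = 1019            # prime with p % 4 == 3, so sqrt(c) = c^((p+1)/4) mod p
A, B = 2, 3         # toy curve y^2 = x^3 + 2x + 3 over GF(p)  (constructed parameters)
OUT_BITS = 8        # bits of x(s*Q) published per block; the top 2 of 10 are dropped
INF = None          # point at infinity


def ec_add(P1, P2):
    """Affine point addition on y^2 = x^3 + A*x + B over GF(p)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # P1 == -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P1):
    """Double-and-add scalar multiplication k*P1."""
    R, T = INF, P1
    while k:
        if k & 1:
            R = ec_add(R, T)
        T = ec_add(T, T)
        k >>= 1
    return R


def x_of(P1):
    """Dual EC's x(): the x-coordinate of a point (INF mapped to 0 so a degenerate state cannot crash the toy)."""
    return 0 if P1 is INF else P1[0]


def lift_x(x):
    """A curve point with x-coordinate x, or None if no such point exists."""
    rhs = (x * x * x + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None


class DualEC:
    """The SP 800-90A Dual_EC_DRBG generate step (reseeding and hashing left out):
    s = x(s*P); r = x(s*Q); output = low OUT_BITS bits of r."""

    def __init__(self, seed, P, Q):
        self.s, self.P, self.Q = seed, P, Q

    def generate(self, n):
        outs = []
        for _ in range(n):
            self.s = x_of(ec_mul(self.s, self.P))
            r = x_of(ec_mul(self.s, self.Q))
            outs.append(r % (1 << OUT_BITS))
        return outs


def trapdoor_params(d):
    """Standard-setter's side: choose Q, set P = d*Q, publish (P, Q), keep d."""
    for x in range(1, p):
        Q = lift_x(x)
        if Q is not None and ec_mul(d, Q) is not INF:
            return ec_mul(d, Q), Q
    raise ValueError("no usable point on this curve")


def predict_outputs(d, P, Q, observed, n_more):
    """Attacker holding d. From a few published blocks, recover the internal state
    and return the next n_more blocks; None if d does not fit the observations."""
    for x in range(observed[0], p, 1 << OUT_BITS):   # undo truncation by brute force
        R = lift_x(x)                                 # R = +/-(s*Q); sign does not change x(d*R)
        if R is None:
            continue
        s_next = x_of(ec_mul(d, R))                   # d*(s*Q) = s*(d*Q) = s*P: the next state
        clone = DualEC(s_next, P, Q)
        replay = [x_of(ec_mul(s_next, Q)) % (1 << OUT_BITS)] + clone.generate(len(observed) - 2)
        if replay == observed[1:]:                    # candidate reproduces what we saw
            return clone.generate(n_more)
    return None


if __name__ == "__main__":
    d = 613                                           # the secret relation P = d*Q
    P, Q = trapdoor_params(d)
    victim = DualEC(4711, P, Q)                       # seed is a constructed value
    blocks = victim.generate(6)
    print("victim output  :", blocks)
    print("attacker (d)   :", predict_outputs(d, P, Q, blocks[:3], 3))
    print("attacker (d+1) :", predict_outputs(d + 1, P, Q, blocks[:3], 3))
```

The last line of the demo runs the same attack with the wrong d and finds no candidate state that reproduces the observed blocks. Knowing only P and Q, which is all a standard publishes, leaves an attacker in exactly that position; the whole question was therefore how the two points were related and who chose them.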
Whats with the Do Not Call List crap.
If a thief knocks on your door, do you say "Oh, I don't allow you here", and does he say "OK" and leave?
The "Do Not Call List" was "The Tail that Wagged the Dog".
Congress did something for the benefit of the public good, their job was done.
Whether it was good or not, their job was done.
hamilton
I'm sure the NSA and the military could come up with an effective solution using drones
-Lasse
My, my, I think we have a teabagger, here.
Well, except in certain circumstances, they are supposed to delete the info once the transaction is cleared through the payment processor. That should happen daily, at the longest. The Payment Card Industry has tons of standards documents on how to comply with all that stuff. But, an outfit like Target could lose millions of $ if a computer crashed and lost all the info on charges that hadn't completed yet, so they want to keep the data until they are sure it has cleared the payment processor.
Most likely, this stolen info problem is like a few others, where unauthorized software was installed on Target's servers and was intercepting the credit card data and sending it in batches to the criminals. So, Target doesn't need to store the info, just pass it from their back room servers to their payment gateway, for it to be intercepted by the crook's programs. That's what happened at our local grocery chain. They are required to keep their server very secure, and use it only for credit transaction work. But, they apparently used it as the central computer in the store, and had people using it to log on to merchants' web sites to order new stock. Somebody likely checked a few web sites and let a virus in, then POW, the crooks were able to log in and compromise the security.
The TJ Maxx incident was different, stripe reading devices were affixed to the credit card readers in the stores, left in place for some time, and then retrieved by the crooks to harvest the recorded stripe data.
Jon
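As an added illustration (not from Jon's post or from any report on the breaches he mentions), here is the pattern that card-data-in-transit scrapers hunt for, and that a defender's memory or egress scan can flag: Luhn-valid Track 2 data sitting unencrypted in a buffer. The buffer below is constructed, using the widely published test PANs 4111111111111111 and 5555555555554444; the regex and the masking are my own choices.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """ISO/IEC 7812 Luhn check; a string that fails it is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """PCI-style masking: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf):
    """Scan a raw buffer (memory dump, packet payload) for Luhn-valid Track 2 data.
    Returns the masked PAN, expiry and byte offset of each hit."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"pan": mask(pan), "exp": m.group(2).decode(), "offset": m.start()})
    return hits


# Constructed sample: what an unencrypted batch in a POS back-end process might look
# like. The second record fails Luhn and the Track 1 record is not matched by this scanner.
SAMPLE = (
    b"POS-BATCH\x00lane=07;4111111111111111=25121011234567890?\x00"
    b"junk;4111111111111112=2512101?\x00"
    b"%B5555555555554444^DOE/JANE^2601101?"
    b";5555555555554444=26011011000?\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE):
        print(hit)
```

The point of the Luhn filter is that raw digit runs are everywhere in a POS process; the scraper, and the scanner written to catch it, both key on the sentinels plus a checksum-valid PAN. The same function run over outbound traffic is a cheap check that the "pass it straight to the gateway" path really is encrypted end to end.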
Oops, sorry, the TJ Maxx breach was also a computer server breach. Not sure which incident was the rather large one with the stripe readers added to the terminals.