
VodkaPundit

The New Corporatism

December 23rd, 2013 - 10:01 am

RSA

Good lord:

As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called BSafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

This comes via John Gruber who adds, “If this is true, RSA might as well just shut their doors and turn out the lights, because no one will ever trust them again.”

What I can’t glean from the story is when this payment occurred.


All Comments   (5)
Please note that the source of this disclosure, Edward Snowden, could easily have forged such a claim to sow his own FUD into the system.
16 weeks ago
Things the MSM shouldn't report on:

1) Airplanes.
2) Cars.
3) Firearms.
4) Anything remotely related to computer technology.

They always get it quite hilariously wrong with varying degrees of FUD thrown in for flavor.

Whatever RSA did or didn't do, this involves a relatively obscure and old PRNG library that isn't likely to affect anyone of note. If they actively did take a payoff to intentionally degrade the security of one of their products, certainly the market will punish them accordingly. However, the odds that anyone is actually using that library in any modern encryption implementation are pretty remote, and the odds of it actually having been exploited by someone, NSA or otherwise, more remote still.
16 weeks ago
Looks like RSA is an easy date...
16 weeks ago
I agree with John Gruber, if anybody really cares about security, this should be the end of RSA. RSA is everywhere, however, and people may decide it's just too much trouble to divest of them.
16 weeks ago