12/23/2013
12:37 PM

RSA Denies Trading Security For NSA Payout

EMC security subsidiary accused of accepting $10 million from the NSA to purposefully use encryption for which the intelligence agency enjoyed backdoor access.

Comments
asksqn
User Rank: Apprentice
1/4/2014 | 6:56:04 PM
We Didn't Sell no stinkin' backdoor for $10M
Sorry, but I'm not buying the "who me" routine by RSA.  Either it built in backdoors (as evidenced by the 2006 contract and testimony of former employees) or it did not.  RSA cannot have it both ways.  Only uninformed rubes and stockholders will believe their obfuscations and lies.
Faye Kane, homeless brain
User Rank: Apprentice
12/27/2013 | 5:32:23 AM
Re: Why in the world is everybody up in arms?? For the sake of privacy?
Yeah, for the sake of privacy! 

I know that's laughable to you NSA spooks, but we don't want the government reading our email, tracking our location, and doing network analysis on our phone calls.

Until we can drag you out of your Secure Location and throw you up against the wall, I expect you to ignore those wishes, but don't insult us by playing stupid.

-flk
Faye Kane, homeless brain
User Rank: Apprentice
12/27/2013 | 5:13:07 AM
How did anyone get fooled by this?
The random seeds of a crypto algorithm can be anything, as long as they're not all the same and everyone knows what they are. "Nothing up my sleeve numbers" are used specifically to ensure that sleazy stuff like this doesn't happen.

As I remember, before 9/11 the random seeds for SHA were the cube roots of the first N digits of the fractional part of e.  But three weeks after 9/11, the NSA told NIST that those weren't "robust enough for future encryption", and handed them a list of magic numbers, with no explanation of what was wrong with the old ones or what was better about the new ones.

Amazingly, NIST said "Okay, no problem!" to what, to me, would have been obvious shenanigans — almost certainly a backdoor.

Sure, a couple of mathematicians like Schneier called bullshit, but nobody really cared since the NIST said it was cool. Then—surprise!  The NSA turns out to have backdoored the hash function.

Who could EVER have imagined?

My question now is one I have myself been asked many times: How can someone so smart be so stupid??

Do crypto experts just rubber-stamp whatever comes along while waiting for lunchtime?  Didn't anyone find the 9/11 timing suspicious?  Why didn't anyone ask why we needed new random seeds?

These are not rhetorical questions and I would very much like to know the answers.  Unfortunately, I'm not in a position to demand answers, and the people who are, are either too intimidated, too lazy, too timid, or too bribed by the NSA to ask them.

I long ago learned not to trust code written by anyone other than myself, and more recently learned not to trust anyone at all, in any domain.  But there are people who have a lot at stake in secure systems.

Where are they, and why aren't they raising high holy hell?

--faye kane girl brain, sexiest astrophysicist you'll ever see naked
danielcawrey
User Rank: Apprentice
12/24/2013 | 3:06:15 PM
Re: What Schneier says... is good enough for me
This is a problem, but it also feels like an opportunity for companies to strengthen security around their products. 

Many organizations have little incentive to operate within the NSA's rules; rather they may have to comply if asked. But there just might be a value proposition in having the ability to offer better security than that of the next rival. That's something to think about. 
AustinIT
User Rank: Apprentice
12/24/2013 | 1:10:21 PM
Re: Who's Against Who?
The right to Privacy is a Constitutional guarantee in this country. Your comments indicate that you should actually take the time to truly understand what that means. Learn about the architecture of our system of government, why it was created that way, what history has taught us about various forms of government, and how our constitution guides and protects that system. We (the US and ostensibly others) now have the technology to snoop on just about every aspect of our daily lives. That doesn't mean that we should just throw down the gauntlet and surrender our Constitutional rights just because some Government authority says you will sleep better at night. Yeah, go ahead and give the NSA the power to scrape all the info they want. And then, think about how one guy like Snowden can walk out the door with all of that in a briefcase. That's the kind of power that can potentially bring down entire countries.
cheesemoma
User Rank: Apprentice
12/24/2013 | 12:35:31 PM
Re: What Schneier says... is good enough for me
Check out the net worth of some of RSA's investors.
J_Brandt
User Rank: Apprentice
12/24/2013 | 9:57:18 AM
Who to Trust?
Schneier hits it on the head.  "We no longer know whom to trust.  This is the greatest damage the NSA has done to the Internet, and will be the hardest to fix."  Who DO you trust?  Management in many industries does not like security.  It's invasive, slows them down, makes it harder to use their smartphones when driving.  Now they have more excuses to do nothing.
DovA648
User Rank: Apprentice
12/24/2013 | 9:22:08 AM
Who's Against Who?
The NSA is busy keeping you (us) protected from organized terror, etc. Why in the world is everybody up in arms and shooting themselves in the foot?? For the sake of privacy? Governments have had their agents and double agents around for over a hundred years, why is everybody waking up just now? Our taxes from our hard-earned money go to the NSA. So who's exactly against who??
Fill
User Rank: Apprentice
12/23/2013 | 7:31:57 PM
Re: Quid pro what?
WKash, good thoughts.  I guess it is just unfortunate that they cashed in their trust, skirted around the law and constitution, and (at best) misled Congress under oath.  During 2000, I was an active Linux kernel maintainer and was quite enthralled with SELinux.  At the time I was proud to tout that our IT department was adopting security tools released by the NSA.  Today, I'd be laughed at if not dismissed for making the same claims.
WKash
User Rank: Apprentice
12/23/2013 | 7:02:12 PM
Re: Quid pro what?
Fill, it's certainly speculation to guess what the NSA and the administration were thinking since 2000. But NSA Dir. Gen. Alexander has made it apparent in the speeches I've heard him give over the past three years that the 9/11 attacks (yes, during the Bush/Cheney years) cast the work of the NSA under a heavier mandate to track down terrorists. At the same time, the resources became available to tackle much larger volumes of information but not the time to crack the encryption on all that data. So they had to find ways around the problem.