Skip to content



Computer security company RSA has been working with the National Security Agency to install backdoors in some of its products. Although once considered a top foe of the NSA according to its former president, RSA began working with the NSA in a $10 million deal, according to a report by Reuters. By placing secret code in some of its products, the NSA has been given the ability to access information the RSA products are meant to be protecting.


Reuters Exclusive: NSA infiltrated RSA security more deeply than thought – study of NSA corrupted encryption


Short read: On the Practical Exploitability of Dual EC in TLS Implementations

Actual paper:

On the Practical Exploitability of Dual EC in TLS

  1. It’s a tough one to swallow, because it could mean one of two things:
    a) Art Coveillo was outright bullshitting in his RSA keynote speech, and his company had knowingly sold/distributed crypto that wasn’t for for purpose.
    b) RSA failed to carry out even the basic checks against their Dual EC, and were unknowingly distributing crypto that wasn’t fit for purpose.

    Working with the NSA itself wasn’t a bad thing, but screwing their own customers is always a big no no.


    • I don’t think you can work for the NSA and not be screwing over your customers… it’s a symbiotic arrangement. However, i agree that selling out your customers is a massive no-no. It’s seems like we’re in the eye of the storm.

      Everyone is asking where do we go from here?

      If you sleep with the NSA, public trust in your products is lost and you go bankrupt.
      Or you go the way of Lavabit, and shut down to protect your customers. It’s “checkmate” out there.

      The easy solution is to relocate your business to Europe. Use EU Data Protection to sidestep FISA. The Safe Harbour agreement is in tatters, everyone knows it’s a joke. So you don’t use a US subsidiary, or have satellite offices in the US. European bases only.


  2. Well, you could. The NSA has a department for undermining security (which is making the news), and another department for making technology more secure (which never makes the news) – it was really a question of which of these RSA was collaborating with.

    Where do we go from here? The best we can do is everything in our ability to make technologies more secure, with whatever can be trusted. Even the most advanced malicious hacking groups still need exploits and rootkits to operate, and they can be countered – the problem is we’ve relied on commercial products to defend against the knowns.
    As for the governments and the corporations, there are changes happening by those on the ground, a repairing of the damage done, but it’ll take them years (decades?) to rebuild trust.


    • There was a brilliant article written, which claimed that you cannot mix an offensive and defensive capability, as the offensive will win out. I’ve forgotten who wrote this, but it’s critical thinking at it’s best. The NSA can either be offensive… against Europe. Or defensive, in that it offers the best encryption (they’ve never done that in their entire history, think back to all the nonsense about 56 bit DES and how they prosecuted PGP’s Zimmerman for releasing privacy crypto). Nar, the NSA can’t do defensive. So we have to accept they are offensive.
      Crypto forums and developers can then safely ignore anything the NSA says related to weakening a system (which is their standard line of attack).


      • Such is the reputation the NSA now has (even though some of us tin foil hatters already knew about the intercept stuff for years).

        Bruce Schneier made the same argument for years, which inavariably appears to hold true, that a technology cannot be backdoored and secure. It’s also computationally true – encryption that allows a third-party to access the content is automatically insecure by definition.

        Most governments in Europe are engaged in roughly the same thing anyway. The NSA just got caught with its hand in the cookie jar.


      • Schneiers argument is one you have to agree with. Susan Landau testified to Congress that the Greek government had been wiretapped for some 9 months. They’d bought router equipment that allowed wiretapping..
        Some external party turned it on.. and wiretapped the Greek government (prime minister, treasury etc) the whole time. It was only when some message went missing that they discovered the software based wiretapping was switched on. It makes you wonder. Why on earth would you buy a router that allowed wiretapping? DUH!! The same applies to TV’s that listen in to your conversations at home. Hello… Stupid calling…

        I can imagine all the neighbours hacking in and listening to your conversations. Talk about hours of fun 🙂


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: