Wow! I work in the Network Security business and this piece blows me away.
I know RSA very well and have worked with the product discussed in this piece. When you compromise a company that is supposed to protect you from being compromised, well then--- everyone is compromised.
Oh and thank you Ed Snowden.
Exclusive: Secret contract tied NSA and security industry pioneer
(Reuters) - As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
<snip>
The earlier disclosures of RSA's entanglement with the NSA already had shocked some in the close-knit world of computer security experts. The company had a long history of championing privacy and security, and it played a leading role in blocking a 1990s effort by the NSA to require a special chip to enable spying on a wide range of computer and communications products.
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
woo me with science
(32,139 posts)
There is no spinning this level of rank corruption and criminality away.
cantbeserious
(13,039 posts)
eom
woo me with science
(32,139 posts)
The page just reloads without a rec.
Will try again in a bit.
trumad
(41,692 posts)
woo me with science
(32,139 posts)
I slipped a rec through. Distracted them with my morning emails.
Clearing cache and cookies may have helped, too.
Enthusiast
(50,983 posts)
woo me with science
(32,139 posts)
nothing is outside the range of possibilities.
ProdigalJunkMail
(12,017 posts)
however, I was able to get the DU REC to work... perhaps a glitch in the page refresh. It does show two recs now...
sP
woo me with science
(32,139 posts)
But I do believe the NSA is not happy with trumad.
ProdigalJunkMail
(12,017 posts)
Christmas cookies... off a plate
my wife and kids and their friends went cookie-insane last night (let's put it this way, Santa has his work cut out for him so I am just doing my part to help out) and now I am all hopped-up on sugar and gingerbread...
ok, TMI... have an NSA-free day!
sP
woo me with science
(32,139 posts)
I don't think it's possible to have an NSA-free day anymore.
840high
(17,196 posts)
surrealAmerican
(11,364 posts)
k & r
cantbeserious
(13,039 posts)
Trust - Government - Never Again
reformist2
(9,841 posts)
A generation or two of complacency, combined with the tendency for power to corrupt, has brought us to the current state of affairs.
loudsue
(14,087 posts)
never recover from the republican mess we have found ourselves in. They have infiltrated the democratic party, and own the supreme court. Republicans are a cancer on the world.
woo me with science
(32,139 posts)
rhett o rick
(55,981 posts)
The scourge is bigger than the Republicans. Whoever is in power transcends parties. While we are watching the Republicans, corrupt Democrats are picking our pockets. IMO it's possible that Pres Obama is truly working to help the lower classes, but he may be severely restricted in what he can do. That appears especially true in the area of the intelligence agencies.
truedelphi
(32,324 posts)
Denouncing Ed Snowden.
Or spending Tuesday afternoons deciding which brown-skinned people our drones should fall on.
Recursion
(56,582 posts)
cantbeserious
(13,039 posts)
eom
hobbit709
(41,694 posts)
jtuck004
(15,882 posts)
and is not under our control...
You know, when I heard there was a guy who kept a list about who was naughty and nice, I thought, "We are in deep shit"
Now I find that these people, along with a lot of others, have a list too...and it bothers me much, much more.
hobbit709
(41,694 posts)
Inside my skull.
jtuck004
(15,882 posts)
Romulox
(25,960 posts)
Ever do your taxes? Do you have a driver's license? A bank account?
You haven't kept your sensitive data from anyone, and you have a false sense of security.
hobbit709
(41,694 posts)
I've always assumed that is data they know about. Anything they know about is no longer secret.
Romulox
(25,960 posts)
I couldn't begin to imagine what "secrets" you store in your offline computer (or why you'd announce the same here on a public forum), but rest assured all the "sensitive data" that they care to know (SS#, bank accounts, medical history, educational history, etc.) they already have.
hobbit709
(41,694 posts)
Once you get a SS# you are in the government database. Same with bank accounts, etc.
I expect no privacy from any of that. As long as that data isn't obtained by non-need-to-know people to use for their own ends. Even if someone got my financial data, they wouldn't get far with what little there is in my accounts.
We don't have an actual thought police yet so my mind is still secure.
Romulox
(25,960 posts)
You are obviously deflecting away from the NSA spying scandal, as if that could possibly work.
I'll leave you to your inviolable "secrets"...
hobbit709
(41,694 posts)
I'm not deflecting from the NSA. I would be perfectly happy if it was abolished, along with about half the Pentagon.
You obviously have a false sense of security about your data. I have no such illusions.
Romulox
(25,960 posts)
I have no interest in further "debating" these nonsense points with you.
woo me with science
(32,139 posts)
"I would be perfectly happy if..."
That was a very odd way of phrasing an opinion about an abusive, criminal governmental surveillance machine.
hobbit709
(41,694 posts)
woo me with science
(32,139 posts)
So far your comments here suggest that you see no big problem... that people just need to keep their data offline.
What do you think about the criminality and corruption here?
YOHABLO
(7,358 posts)
capable of doing with this information on U.S. citizens... the Nazis used IBM to track down "dissidents" and Jews and what have you. Say it ain't so Joe. We never thought the U.S. would turn into a police state... but proof is in the pudding.
JDPriestly
(57,936 posts)
I drive around town. So I don't care if the government knows my tax data, my driver's license information or the status of my bank account.
I don't want them taking notes on how many times I call my mom, my husband, my kids, my friends, my doctor, my lawyer, etc.
The biggest problem is with the NSA observing who calls which lawyers. That's where our most basic rights, the rights that we rely on when we think we might have a serious problem, divorce, a dispute at work, a car accident, a dispute about a bill, perhaps a drunk driving charge, a drug charge if not against ourselves, against someone we know or care about, maybe a family member or even a worse legal problem, we want privacy. The NSA should not be looking at who is calling their lawyer and who is not. So you call your lawyer and then you call some friend. That should not be the NSA's business.
Same with your calls to your doctor, your pastor, any person to whom you turn when you have a problem. That's the information the NSA should not be getting.
Romulox
(25,960 posts)
The biggest problem is with the NSA observing who calls which lawyers. That's where our most basic rights, the rights that we rely on when we think we might have a serious problem, divorce, a dispute at work, a car accident, a dispute about a bill, perhaps a drunk driving charge, a drug charge if not against ourselves, against someone we know or care about, maybe a family member or even a worse legal problem, we want privacy. The NSA should not be looking at who is calling their lawyer and who is not. So you call your lawyer and then you call some friend. That should not be the NSA's business.
But if they physically followed you to your lawyer's office, it's fine? Again, I fail to see any logical distinction.
JDPriestly
(57,936 posts)
They are too sneaky and underhanded for that.
Phone calls are a private means of communication. I do care if the government listens.
We used to care about the fact that the East German government listened to its citizens' phone calls. Ditto for the Russian government.
Suddenly, because it's the US government doing it and it's only the metadata (which crunched in a computer reveals unbelievable amounts of our personal information and thinking), we think it's OK?
Not me. It simply is not OK. It never will be.
It's just repugnant.
It's wrong.
JDPriestly
(57,936 posts)
order. They would then have to show specific cause as to why they were following me. I have a right to privacy even on the street.
A person who follows another person can expect to be called to court and have a restraining order issued against them. That is precisely what should happen to the NSA when it follows us online or collects our private communications information.
Rosa Luxemburg
(28,627 posts)
what you keep offline!
ucrdem
(15,512 posts)
and now, in Obama time, a Carlyle "leaker" leaks the predictable news. Per the Reuters link.
Sorry but I'm not feelin' the outrage.
Maedhros
(10,007 posts)
The NSA and RSA are both guilty of consumer fraud.
The NSA encouraged, and paid, RSA to offer a product that was specifically designed NOT to perform as advertised.
You're OK with government agencies colluding with the private sector to defraud consumers?
I suppose I can't convince you to care. What is really strange is your perceived need to come into this thread and dissuade others from caring.
ucrdem
(15,512 posts)
Maedhros
(10,007 posts)
to abuses by the NSA?
Maybe it's old news to you, but "you" aren't "everyone." Others can learn from our discussion, and that can only be a good thing in a democracy.
Hissyspit
(45,788 posts)
There are all kinds of details coming out that are important that we haven't known about. And even if suspected, confirmation makes a difference.
quakerboy
(13,921 posts)
If anyone publicly states their suspicions about something wrong happening/about to happen, then they are just "concerned" and to be ignored because it's all just fantasies they are making up.
And once the proof comes out, it's old news, stuff everyone already knew anyway.
ucrdem
(15,512 posts)
I posted my analysis of the article. You popped in to correct my thinking. Fine, it's a discussion board, but where are you getting that I'm trying to discourage anyone from basking in their 15 minutes?
Maedhros
(10,007 posts)
because of the timing of the release and because it came from a Carlyle leak. Both irrelevant to the issue: the NSA conspired with RSA to commit consumer fraud.
"Sorry, not feeling the outrage" reads as a passive-aggressive swipe at those who express concerns about this problem.
ucrdem
(15,512 posts)
Maedhros
(10,007 posts)
Why focus on that, instead of the wrongdoing on the part of the NSA?
ucrdem
(15,512 posts)
bemildred
(90,061 posts)
I didn't know the means, but I was pretty sure they had whatever they wanted. We are a corrupt, decadent imperial power in steep decline, we kissed lawfulness off some time back, and we never gave it much respect.
I followed Zimmermann's crusade back in the 90s, and I have never believed the spooks would accept any limits on their powers to watch everybody all the time.
Hand-rolled high-grade open-source encryption is the only thing I have much faith in.
myrna minx
(22,772 posts)
sabrina 1
(62,325 posts)
Thanks again Edward Snowden.
At least people know they are being spied on now. No longer can they be called CTs about anything regarding their Government.
shireen
(8,333 posts)
I understand the need for some level of surveillance for the sake of national security, but the NSA has totally been abusing their position. Heads need to roll for this!
Laelth
(32,017 posts)
-Laelth
mother earth
(6,002 posts)
johnnyreb
(915 posts)
Reuters also recently reported the Pentagon's unaccounted 8.5 trillion. GOOD JOB, y'all!
November 18, 2013
(....)
That means that the $8.5 trillion in taxpayer money doled out by Congress to the Pentagon since 1996, the first year it was supposed to be audited, has never been accounted for.
http://www.reuters.com/investigates/pentagon/#article/part2
woo me with science
(32,139 posts)
as do the sources who dare to speak to them in this climate of government surveillance and intimidation.
Rosa Luxemburg
(28,627 posts)
DireStrike
(6,452 posts)
It's the only way we have a shot at keeping the internet safe from malicious governments and private companies.
randome
(34,845 posts)
-- Don't ever underestimate the long-term effects of a good night's sleep.
DireStrike
(6,452 posts)
rhett o rick
(55,981 posts)
randome
(34,845 posts)
Would you allow child pornographers to be able to encrypt the contents of their crimes? How would we ever get evidence to use against them?
Law enforcement decryption measures have been in force since at least the 90s.
-- Don't ever underestimate the long-term effects of a good night's sleep.
rhett o rick
(55,981 posts)
if you gave up all your Constitutional rights, would you go for it?
If security is what you want over all else, prison is the place for you.
trumad
(41,692 posts)
and they use that tool when a judge allows them to use that tool.
As we know---the NSA does what they want.
mike_c
(36,281 posts)
That's ALWAYS the justification for totalitarianism. Yes, I would rather preserve personal privacy that might be abused, than make everyone maximally safe by utterly eliminating privacy.
eggplant
(3,913 posts)
Should we ban food?
randome
(34,845 posts)
I'm not calling for banning anything. I'm saying law enforcement has put decryption in place since at least the 90s, as I linked below.
I don't see how we would ever get evidence of crimes if child pornographers or human traffickers could keep the contents of their communications safe.
-- Don't ever underestimate the long-term effects of a good night's sleep.
eggplant
(3,913 posts)
Are you suggesting that people shouldn't (or don't) have the right to use publicly verifiable unbreakable (for the moment) encryption? People who haven't been accused or convicted of any crime? That somehow the existence and availability of such tools is inherently bad?
Do you honestly think that it is the security of the encryption that causes people to traffic in child porn or slaves? *That's* what's keeping us from catching them? Really? Do you really think that if unbreakable encryption is made illegal, that this would in any way affect the behavior of people who traffic in such things?
Why not require that all physical locks be pickable? That houses can't have curtains? That the titles of the books I choose to read be made available without a warrant?
The fifth amendment gives us the right to not self-incriminate. If I am forced to use encryption with known flaws, then I lose the right to private communication, which could be incriminating. I shouldn't have to demonstrate that I'm not using it for bad things by making it freely readable by others.
joshcryer
(62,276 posts)
Security only goes so far. There's also behavior. 99% of people aren't going to be equipped to be completely immune from investigative actions if they are seen as a threat.
cprise
(8,445 posts)
People are not islands unto themselves, connected only by the panopticon. The ones who are equipped to investigate can inform others.
Security is also not a black-and-white, yes-or-no matter.
With open source, there is a much better chance the average user will find out about problems through the press, social media, etc, and there is a whole class of technicians who are empowered to rectify problems in the OS even if a vendor won't.
joshcryer
(62,276 posts)
I think that's demonstrably false as simply decrypting stuff and spying on people isn't all investigators have at their disposal.
cprise
(8,445 posts)
joshcryer
(62,276 posts)
I thought I'd replied to #42 when I re-read the subthread; DU's threading is weird.
Anyway I just wanted to say that anonymity isn't the end-all, people make mistakes, word analysis is easily achieved, personal details worked out. It's why that one guy sending death threats over Tor got arrested. Tor, which btw the NSA has yet to hack because it's that good and it will only get better. That guy who used Tor just was questioned, as were all the other Tor users in the school, about 60 of them, and he was found out just by interviewing him and doing basic behavior analysis.
So, no, you don't need to get rid of anonymity to catch criminals.
You need to do your job.
cprise
(8,445 posts)
And the more people that use them, the better. Of course, one also expects the state of the art will get better over time (no doubt, the NSA + DEA have an even harder time against I2P). When people start using this kind of networking by default, they gain at least some control over their online identity and privacy.
This is important today because our establishment has decided to pursue a goal of total access to private information, so I don't think it's going overboard to suggest everyone start using I2P (Tor, I have reservations about).
You make a good point about real investigation, one that I think got lost when it comes to today's policy makers.
joshcryer
(62,276 posts)
Sorry if I wasn't clear there. It's just that anonymous tools don't stop them from doing their job. The Silk Road, which ran on Tor, was taken down because the idiot who set it up used his real name the very first time he advertised it. They literally caught him by using ... Google.
cprise
(8,445 posts)
progressoid
(49,999 posts)
Maybe 60 Minutes could take care of that.
closeupready
(29,503 posts)
TBF
(32,090 posts)
I think the NSA has given up all hope and just ignores me ...
randome
(34,845 posts)
They are, I believe, currently working with Microsoft for much the same thing. http://www.wired.com/threatlevel/2008/04/microsoft-gives/
You cannot have 100% secure communications because that opens the door very widely for criminal organizations (including pornographers, human trafficking operations, and, yes, terrorists) to operate with absolutely no fear of detection.
Law enforcement has always worked toward this. Even back in the 90s. http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
And for anyone who thinks we should have 100% secure communications, be so kind as to tell us how you would stop the organizations I listed above.
-- You should never stop having childhood dreams.
Major Hogwash
(17,656 posts)
However, the maddening crowd doesn't care, they want to scream and holler.
What I want to know is, who is going to play Snowden in the upcoming movie.
I've heard that Matt Damon already turned down the part.
I know that Greenwald is going to be portrayed as a cross between Superman and Batman, complete with a super secret Batcave, but I don't know who they would get to play his part, either.
The "movie company" that will make the movie will probably be something like what Jerome Corsi has, an ad hoc film company that is thrown together just for this purpose.
randome
(34,845 posts)
Snowden would be a kind of Composite Robin.
-- Don't ever underestimate the long-term effects of a good night's sleep.
closeupready
(29,503 posts)
if you would be willing to surrender all your Constitutional rights in order to stop child pornography.
Please be so kind as to answer that question here.
randome
(34,845 posts)
No one is asking anyone to surrender all our Constitutional rights. And I asked a question, too. How would law enforcement be able to produce evidence of child pornography or human trafficking if encryption was foolproof?
There is always a fine line to be tread between freedom and privacy. Always.
-- Don't ever underestimate the long-term effects of a good night's sleep.
cprise
(8,445 posts)
hootinholler
(26,449 posts)
There are a lot of people around here who owe me an apology!
They told me in June I was nuts to even think that RSA could be compromised! 256 bits! Impossible to crack! They didn't want to hear that a subtle flaw in the random number generation could allow keys to be deduced.
Vindication!
NealK
(1,879 posts)
Poll_Blind
(23,864 posts)
PB
Egalitarian Thug
(12,448 posts)
Thanks for bringing it up, I doubt many will even understand the implications, let alone break away from the perpetual soap opera long enough to object.
trumad
(41,692 posts)
we sell RSA to secure networks---but yet they're (RSA) doing secret deals with Big Gov to undo that security.
Basically RSA has given the NSA the keys to their castle--- and as we all know---the NSA can't keep their own shit secure.
Hissyspit
(45,788 posts)
joshcryer
(62,276 posts)
NIST's got egg on its face.
And any good secure networking guy would've been informed not to use Dual EC DRBG. I feel for you if you used any secure networks without being aware of it.
Bruce Schneier called it out as far back as 2007 when it was originally proposed: https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
OpenSSL has never used it (in fact, because of the clever 'bug' in their implementation no version of OpenSSL has ever used it since no one discovered it was intentionally non-compliant until recently): http://marc.info/?l=openssl-announce&m=138747119822324&w=2
AAO
(3,300 posts)
And what the NSA has done is unfortunately not surprising, but the RSA is used at my company to access our internal networks, and the same can be said for thousands more. I am very angry at RSA for betraying the trust of so many. There should be convictions, but it probably won't happen.
Corruption Inc
(1,568 posts)
We live in a country with torture camps, huge propaganda networks, paid for elections, rigged markets and for-profit wars, of course they're spying on everyone and lying about it every step of the way.
WillyT
(72,631 posts)
jsr
(7,712 posts)
sulphurdunn
(6,891 posts)
"Behind the ostensible government sits enthroned an invisible government owing no allegiance and acknowledging no responsibility to the people."
Theodore Roosevelt
The difference now is that the real government is becoming confident enough to step out of the shadows.
Th1onein
(8,514 posts)
RSA sells security software and they sold to the NSA the right to build a backdoor in their security software.
If that's correct, they are going to be subject to a lot of lawsuits.
Yavapai
(825 posts)
Because the NSA is the only US government agency that actually listens to the people!
Solly Mack
(90,785 posts)
Warren Stupidity
(48,181 posts)
OnyxCollie
(9,958 posts)
I would like to know who is so intellectually shallow that they would excuse this. And I would like to laugh at them.
riderinthestorm
(23,272 posts)
It's pretty amazing how hard they're working to downplay this.
neverforget
(9,436 posts)
to the Constitution. They can justify any wrongdoing with "it's old news" to "yeah but...", "he's Libertarian" and "the judge was a Bush appointee." It's rationalizing wrongdoing for the sake of the party.
RKP5637
(67,112 posts)
come from within by runaway agencies like the NSA, where even presidents don't know the full extent of WTF is going on, and presidents come and go; these agencies stay, growing more and more powerful.
jimlup
(7,968 posts)
... just say'n
Recursion
(56,582 posts)
Unfortunately I can't find any laptops with PCMCIA slots anymore...
me b zola
(19,053 posts)
joshcryer
(62,276 posts)
Renew Deal
(81,871 posts)
Just my opinion
Kablooie
(18,641 posts)
It is supposed to be secure.
Reportedly there was a drive with supposedly illegal material on it that the FBI tried to open for months but couldn't do it.
The audit examines all the algorithms in the software to see if they are what they are supposed to be.
Since this is open source the audit can be double checked by anyone who has the training.
If the audit proves it to be what it is supposed to be it can make data extremely secure.
So secure that they don't expect it to be crackable anytime in the near future.
Recursion
(56,582 posts)
Those were developed in a completely open manner.
Warpy
(111,339 posts)
We always suspected nothing was particularly secure except some of our mail. Now we know it was even worse than we suspected.
The problem with the NSA is that it no longer had a mission when the USSR fell. It should have been defunded right then.
Instead, it was allowed to search for a mission, and that meant us.
WillyT
(72,631 posts)
Midnight Writer
(21,795 posts)
He was working on a book called "The Octopus" about the U. S. government distributing software to foreign and domestic agencies (the Inslaw case) that included a backdoor access that our intelligence agencies could use to monitor their data.
Danny was found dead in a motel bathtub and the files and notes for his book were missing.
Of course, this is all just conspiracy theory bullshit, so feel free to ignore it.
Doctor_J
(36,392 posts)
It sure as hell ain't rank and file voters, and it ain't our "elected officials" either. It's the Cock Brothers, the BFEE, and a handful of others you've never heard of.