Exclusive: Secret contract tied NSA and security industry pioneer

Juan Garofalo juan.g71 at gmail.com
Sun Dec 22 16:19:23 PST 2013




It just occurred to me. These fine gentlemen named their criminal
organization, I mean, their admirable firm, R-S-A as some kind of joke (that
is on them), or to make it clear who they work for?

	


> 
> 
> http://news.yahoo.com/exclusive-secret-contract-tied-nsa-security-industry-pioneer-001729620--finance.html
> 
> 
> By Joseph Menn
> SAN FRANCISCO (Reuters) - As a key part of a campaign to embed encryption
> software that it could crack into widely used computer products, the
> U.S. National Security Agency arranged a secret $10 million contract
> with RSA, one of the most influential firms in the computer security
> industry, Reuters has learned.
> Documents leaked by former NSA contractor Edward Snowden show that the 
> NSA created and promulgated a flawed formula for generating random 
> numbers to create a "back door" in encryption products, the New York 
> Times reported in September. Reuters later reported that RSA became the 
> most important distributor of that formula by rolling it into a software
> tool called Bsafe that is used to enhance security in personal  computers
> and many other products.
> Undisclosed until now was that RSA received $10 million in a deal that 
> set the NSA formula as the preferred, or default, method for number 
> generation in the BSafe software, according to two sources familiar with
> the contract. Although that sum might seem paltry, it represented more 
> than a third of the revenue that the relevant division at RSA had taken 
> in during the entire previous year, securities filings show.
> The earlier disclosures of RSA's entanglement with the NSA already had 
> shocked some in the close-knit world of computer security experts. The 
> company had a long history of championing privacy and security, and it 
> played a leading role in blocking a 1990s effort by the NSA to require a
> special chip to enable spying on a wide range of computer and 
> communications products.
> RSA, now a subsidiary of computer storage giant EMC Corp, urged 
> customers to stop using the NSA formula after the Snowden disclosures 
> revealed its weakness.
> RSA and EMC declined to answer questions for this story, but RSA said in a
> statement: "RSA always acts in the best interest of its customers and
> under no circumstances does RSA design or enable any back doors in our
> products. Decisions about the features and functionality of RSA products
> are our own." The NSA declined to comment.
> The RSA deal shows one way the NSA carried out what Snowden's documents
> describe as a key strategy for enhancing surveillance: the systematic 
> erosion of security tools. NSA documents released in recent months 
> called for using "commercial relationships" to advance that goal, but 
> did not name any security companies as collaborators.
> The NSA came under attack this week in a landmark report from a White 
> House panel appointed to review U.S. surveillance policy. The panel 
> noted that "encryption is an essential basis for trust on the Internet,"
> and called for a halt to any NSA efforts to undermine it. Most of the
> dozen current and former RSA employees interviewed said  that the company
> erred in agreeing to such a contract, and many cited  RSA's corporate
> evolution away from pure cryptography products as one of the reasons it
> occurred. But several said that RSA also was misled by government
> officials, who portrayed the formula as a secure technological advance.
> "They did not show their true hand," one person briefed on the deal  said
> of the NSA, asserting that government officials did not let on that they
> knew how to break the encryption. STORIED HISTORY
>  View gallery    
> A National Security Agency (NSA) data gathering facility is seen in
> Bluffdale, about 25 miles (40 km … Started by MIT professors in the
> 1970s and led for years by ex-Marine Jim Bidzos, RSA and its  core
> algorithm were both named for the last initials of the three  founders,
> who revolutionized cryptography. Little known to the public,  RSA's
> encryption tools have been licensed by most large technology  companies,
> which in turn use them to protect computers used by hundreds  of millions
> of people.
> At the core of RSA's products was a technology known as public key
> cryptography. Instead of using the same key for encoding and then
> decoding a message, there are two keys related to each other
> mathematically. The first, publicly available key is used to encode a
> message for someone, who then uses a second, private key to reveal it.
> From RSA's earliest days, the U.S. intelligence establishment worried 
> it would not be able to crack well-engineered public key cryptography. 
> Martin Hellman, a former Stanford researcher who led the team that first
> invented the technique, said NSA experts tried to talk him and others 
> into believing that the keys did not have to be as large as they  planned.
> The stakes rose when more technology companies adopted RSA's methods and
> Internet use began to soar. The Clinton administration embraced the Clipper
> Chip, envisioned as a mandatory component in phones and computers to enable
> officials to overcome encryption with a warrant.
> RSA led a fierce public campaign against the effort, distributing 
> posters with a foundering sailing ship and the words "Sink Clipper!"
> A key argument against the chip was that overseas buyers would shun 
> U.S. technology products if they were ready-made for spying. Some 
> companies say that is just what has happened in the wake of the Snowden 
> disclosures.
> The White House abandoned the Clipper Chip and instead relied on export
> controls to  prevent the best cryptography from crossing U.S. borders.
> RSA once again rallied the industry, and it set up an Australian division
> that could  ship what it wanted.
> "We became the tip of the spear, so to speak, in this fight against
> government efforts," Bidzos recalled in an oral history. RSA EVOLVES
> RSA and others claimed victory when export restrictions relaxed.
> But the NSA was determined to read what it wanted, and the quest gained
> urgency after the September 11, 2001 attacks. RSA, meanwhile, was
> changing. Bidzos stepped down as CEO in 1999 to  concentrate on VeriSign,
> a security certificate company that had been  spun out of RSA. The elite
> lab Bidzos had founded in Silicon Valley  moved east to Massachusetts,
> and many top engineers left the company,  several former employees said.
> And the BSafe toolkit was becoming a much smaller part of the company. By
> 2005, BSafe and other tools for  developers brought in just $27.5 million
> of RSA's revenue, less than 9%  of the $310 million total.
> "When I joined there were 10 people in the labs, and we were fighting the
> NSA," said Victor Chan, who rose to  lead engineering and the Australian
> operation before he left in 2005.  "It became a very different company
> later on."
> By the first half of 2006, RSA was among the many technology companies
> seeing the U.S. government as a partner against overseas hackers.
> New RSA Chief Executive Art Coviello and his team still wanted to be 
> seen as part of the technological vanguard, former employees say, and 
> the NSA had just the right pitch. Coviello declined an interview 
> request.
> An algorithm called Dual Elliptic Curve, developed inside the agency, was
> on the road to  approval by the National Institutes of Standards and
> Technology as one  of four acceptable methods for generating random
> numbers. NIST's  blessing is required for many products sold to the
> government and often  sets a broader de facto standard.
> RSA adopted the algorithm even before NIST approved it. The NSA then 
> cited the early use of Dual Elliptic Curve inside the government to 
> argue successfully for NIST approval, according to an official familiar 
> with the proceedings.
> RSA's contract made Dual Elliptic Curve the default option for producing
> random numbers in the RSA toolkit. No alarms were raised, former
> employees said, because the deal was handled by business leaders rather
> than pure technologists.
> "The labs group had played a very intricate role at BSafe, and they were
> basically gone," said labs veteran Michael Wenocur, who left in 1999.
> Within a year, major questions were raised about Dual Elliptic Curve. 
> Cryptography authority Bruce Schneier wrote that the weaknesses in the 
> formula "can only be described as a back door."
> After reports of the back door in September, RSA urged its customers to
> stop using the Dual Elliptic Curve number generator. But unlike the
> Clipper Chip fight two decades ago, the company is  saying little in
> public, and it declined to discuss how the NSA  entanglements have
> affected its relationships with customers.
> The White House, meanwhile, says it will consider this week's panel 
> recommendation that any efforts to subvert cryptography be abandoned.
> (Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCool) 
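Added example, not code from the article, from RSA or from NIST: a toy Dual Elliptic Curve generator on a 17-point curve, showing why the weakness Schneier described above is a back door rather than an ordinary bug. The generator publishes two constant points P and Q; whoever chose them with a secret d such that Q = dP can take one output and recover the internal state, and with it every later output. The prime field, curve, base point, trapdoor value d and seed below are all constructed for this illustration and say nothing about the real P-256 constants; the real generator also drops 16 bits of each output, which only adds 2^16 guesses to the recovery. On a 17-element state space the sequence settles into a fixed point after a few steps, which is an artefact of the toy size, not of the algebra.

```python
# Toy Dual EC DRBG on a tiny curve. Added illustration for this thread, not
# code from RSA, NIST or the article: the field, curve, points, trapdoor
# value and seed are all constructed here; the real generator uses P-256
# and 256-bit states, and nothing below says anything about its constants.

P_MOD = 17           # constructed toy prime field (real Dual EC: P-256)
A, B = 1, 3          # y^2 = x^3 + x + 3 over F_17 has 17 points, a prime order
ORDER = 17           # group order; every non-infinity point generates it
INF = None           # the point at infinity


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B mod P_MOD."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    k %= ORDER
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    # B = 3 is a non-residue mod 17, so no point has x = 0 and a state is
    # never 0; with ORDER == P_MOD a nonzero state never maps to INF.
    if pt is INF:
        raise ValueError("state hit the point at infinity")
    return pt[0]


P = (2, 8)                 # constructed base point
D_SECRET = 5               # constructed trapdoor: Q = D_SECRET * P
Q = ec_mul(D_SECRET, P)    # (7, 9); users of the generator see P and Q only


def dual_ec_outputs(seed, count):
    """Generator as published: s_i = x(s_{i-1} P), r_i = x(s_i Q).
    The toy emits the whole x-coordinate; the real DRBG drops 16 bits."""
    s, outs = seed, []
    for _ in range(count):
        s = x_coord(ec_mul(s, P))
        outs.append(x_coord(ec_mul(s, Q)))
    return outs


def lift_x(x):
    """Some point with x-coordinate x (brute-force square root, fine mod 17)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    for y in range(P_MOD):
        if (y * y) % P_MOD == rhs:
            return (x, y)
    raise ValueError("no point with that x-coordinate")


def predict_from_one_output(r, count, d=D_SECRET):
    """Knowing d with Q = dP turns ONE output into all later ones:
    R = s_i Q, so d^-1 R = s_i P, whose x-coordinate is the next state.
    lift_x may return -R instead of R; -R has the same x, so it is fine.
    Without d this step is an elliptic-curve discrete logarithm, which is
    exactly the hardness the generator relies on against everyone else."""
    e = pow(d, -1, ORDER)
    s = x_coord(ec_mul(e, lift_x(r)))        # next internal state recovered
    preds = [x_coord(ec_mul(s, Q))]
    for _ in range(count - 1):
        s = x_coord(ec_mul(s, P))
        preds.append(x_coord(ec_mul(s, Q)))
    return preds


if __name__ == "__main__":
    observed = dual_ec_outputs(seed=13, count=6)       # constructed seed
    print("generator outputs:    ", observed)           # [6, 12, 7, 11, 3, 2]
    print("predicted from first: ", predict_from_one_output(observed[0], 5))
```

The defensive reading is the one the article circles around: a user of the generator cannot tell whether such a d exists, because nothing in the published standard explained where P and Q came from. The only protection is that d stays unknown, which is a property of the people who chose the constants, not of the mathematics. That is why "default" mattered so much in the BSafe deal: a developer who never touched the RNG setting inherited whatever trust relationship came with those two points.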






More information about the cypherpunks mailing list