December 21, 2013

Review Group Falsely Claims No NSA Backdoors in U.S. Software

In its 28th recommendation Obama's NSA Review Group, which included no technological experts, asserted (pdf via emptywheel):

Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.

Like other seemingly reassuring assertions from the NSA and related entities this one turns out to be false:

As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called BSafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.

RSA security products, widely used until now, are not secure. The NSA paid RSA to make an NSA-designed, deliberately flawed random number generator the default in BSafe. Every key and session secret produced by that generator is only as strong as the generator itself, so the encryption built on top of it is easy for the NSA to break. If the NSA can break it, others can too. Keys generated while that default was in force should be treated as compromised and replaced.

They thereby have a backdoor into RSA software, and whoever uses those insecure products should do away with them. If the NSA Review Group was unaware of paid-for NSA backdoors in commercial products, how many of its other recommendations tackle the real problems? Yeah. Thought so.

Posted by b on December 21, 2013 at 5:53 UTC