Protecting your sensitive data for over 20 years - Netlib

Thursday, May 1, 2014

Through the Back Door

At a time when the recent end of net neutrality has split concern between those who fear the FCC’s new, vast authority to regulate the Internet and those who worry about ISPs and content providers having free rein in a digital Wild West, certain incidents show the dangers that arise when government agencies and private companies collude to work around consumer interests.

It doesn’t take a database manager to know that the purpose of encryption is to protect information from those you do not want to access it, whether they are malicious intruders or employees at your own company. When purchasing encryption software from a third-party vendor, then, the expectation is that this basic criterion will be met. Security firm RSA, a subsidiary of EMC Corp, is one such seller that has for many years prided itself on being a venerable name in online data protection, which would make the allegations currently facing it all the more damning if true.
A Reuters report, based on documents leaked by whistleblower Edward Snowden back in September 2013, indicated that RSA had accepted $10 million in bribe money from the NSA, in turn allowing the intelligence agency to make its Dual Elliptic Curve algorithm the default for random number generation in RSA’s BSafe encryption software – basically creating a back door for the NSA to sidestep security protocols in pursuit of protected information.
Outrage was instant following the report. For its part, RSA vehemently denied that it had kept secret its business relationship with the NSA, or that it had ever "entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use." Nevertheless, several industry figures were quick to boycott RSA’s annual February conference on cybersecurity, including Mozilla privacy chief Alex Fowler, cybersecurity analyst Jeffrey Carr, and Google software engineer Adam Langley, who tweeted, “I've become convinced that a public stance serves more than self-aggrandizement, so: I've pulled out of the Cryptographers Panel at RSA 2014.” Privacy rights advocates have even extended their call for a boycott to Comedy Central funnyman and frequent recursive portrait subject Stephen Colbert, who is scheduled to deliver an address at the conference. Colbert has not issued a comment on the subject.
But the significance extends beyond panels and speeches: as security expert Bruce Schneier points out, “You think they [the NSA] only bribed one company in the history of their operations? What's at play here is that we don't know who's involved…You have no idea who else was bribed, so you don't know who else you can trust.” Indeed, a December report by German magazine Der Spiegel indicated that, whether with the knowledge of the infiltrated or not, “an NSA division called ANT [Advanced or Access Network Technology] has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.”
Not that any of this is itself that surprising, but if organizations like RSA, which in the past has played a part in stopping government plans to spy on people, are now complicit in the very same acts, the trust of their customers will quickly erode. If the allegations are true, RSA will need to convince its future customers that its products do not have secret backdoors installed.

Written by Jonathan Weicher

http://www.netlib.com/blog/application-security/Through-the-Back-Door.asp
