The non-surprising, horrendously shocking news about the National “Security” Agency’s perfidy gets worse. Again, we’re dealing with something that’s been speculated about for years but whose real bogeyman shape has only now materialized thanks to Edward Snowden.
Wired has one take on it — and some doubts.
A friend whose profession is data center security has a more apocalyptic take (the second half of what he says is what we all need to be aware and beware of):
RSA has now admitted that they pushed a known flawed random number generator in most if not all of their products …. I know a bit about the firm. It is chock full of serious crypto people.
The flawed code was known in 2006 and widely discussed in 2007 and since at crypto conferences, hacker cons, Schneier’s blog, etc. There is absolutely no way that RSA just made a mistake. They were coerced or willing accomplices in making a flawed PRNG the default in their products.
I’ve asked for an emergency session at the upcoming data center conference; I don’t know if I will get it. Here is the gist of what I think most people are missing.
Snowden was not the first to steal NSA data. He is only the first to publicize it.
The NSA’s massive database is essentially impossible to secure even with competent help and leadership. They have neither. Snowden was just a sysadmin, no special skills. Yet to this day the NSA has no idea what he took or when.
This means that other people can and will take information from the NSA and sell it to interested parties. You can think about that list as long as you would like.
Why did Willie Sutton rob banks? When the NSA leadership decides to “vacuum it all up,” and “collect everything” where do they go? Data centers. The banks of the information age.
Every data center of any size, every one of them, has been attacked. We must assume that; it is almost certainly true. Even if the NSA hasn’t the time or interest to break the crypto on the data streams, they are recorded.
This means there are huge sacks of digital treasures stored at the NSA. Pick your target. Credit cards? Stock info? Automated stock buy/sell strategies? Oil fields? Diplomatic cables? All of them are there, insecurely stored at the laughably misnamed NSA, waiting for thieves.
And we know that the thieves can get not only the data, they can get the keys to the weakened crypto protecting that data.
Every firm in the Fortune 500 must assume that they are compromised. No matter what they think about the NSA and the fedgov, they have to now think about what to do with the knowledge that their adversaries can almost certainly get access to every byte passed into or out of their data centers in the 21st century.
The Guardian, the outfit that’s broken most of the Snowden-related news, opened a story:
A major American computer security company has told thousands of customers to stop using an encryption system that relies on a mathematical formula developed by the National Security Agency (NSA)
I have to believe that one reason people aren’t reacting more strongly to this is that the problem is so huge that it’s hard to grasp the implications.
Again, this isn’t talking about the crypto we keep on our computers and use for email or document privacy. This is about the “security” that’s supposed to protect the Internet. Banking. Buying. Medical data. Credit cards. Everything.
If the news is true, then the NSA — and its accomplices in alleged private enterprise — have not only broken the Internet, but they have put the safety and security of every person who uses the Internet at dire risk. They have opened everyone’s “private” data to thieves and villains of every stripe — that is, thieves and villains even outside of the thieving, villainous NSA itself.
Oh, what a travesty to commit in the name of “security.”
(Wired story via Borepatch.)