Review Group Falsly Claims No NSA Backdoors in U.S. Software

December 21, 2013

In its 28th recommendation Obama's NSA Review Group, which included no technological experts, asserted (pdf via emptywheel):

Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data. Moreover, it appears that in the vast majority of generally used, commercially available encryption software, there is no vulnerability, or “backdoor,” that makes it possible for the US Government or anyone else to achieve unauthorized access.

Like other seemingly assuring assertions from the NSA and related entities this one turns out to be false:

As a key part of a campaign to embed encryption software that it could crack into widely used computer products, the U.S. National Security Agency arranged a secret $10 million contract with RSA, one of the most influential firms in the computer security industry, Reuters has learned.

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.

RSA security products, widely used so far, are not secure. The NSA paid RSA to use a weak encryption which the NSA can easily break. If the NSA can break these others can too. They thereby have a backdoor into RSA software and whoever uses those insecure products should do away with them.

If the NSA Review Group was unaware of paid for NSA backdoors in commercial products how many of its other recommendations tackle the real problems?

Yeah. Thought so.

Posted by b on December 21, 2013 at 05:53 UTC | Permalink

Comments

It’s the capitalist way – any commercial organization, if offered enough, will sell out to a government. With the rampant nationalism that currently exists in the US, it’s not difficult for business leaders to convince themselves that it’s their patriotic duty to do their government’s bidding. You have to ask, who else has taken the government shilling? Does the NSA control Google? Who knows? Is this the end of global domination by US software companies? It should be but many people are so enamoured of the USG that I doubt it will be.

Posted by: blowback | Dec 21 2013 8:22 utc | 1

Not sure if this has been linked to
http://www.atimes.com/atimes/Global_Economy/GECON-02-231213.html

Posted by: Mina | Dec 21 2013 8:23 utc | 2

The relationship between Google and CIA has long been common knowledge
Anybody who understands what “semantic web” means knows this is logical. We are handing our data over deliberately and foolishly.

Posted by: somebody | Dec 21 2013 8:40 utc | 3

It ought to be lawsuit time for RSA. How can they justify setting a vulnerable algorithm as a default ? Sue them ! And sue the USG too, when RSA claims they ‘were only following orders’.

Posted by: john francis lee | Dec 21 2013 10:53 utc | 4

and again…a same story! And yet people still asking ridiculous questions/comments like in #1 and #4.
We are all know definition of lunacy given by Einstein. But who is the most hurt by this and similar stories!? The US companies that make that so-called security appliances and software. China stop buying IBM and Cisco stuff.

IBM’s CFO Mark Loughridge “We were talking 40%, 50%,” he said; drop, of course. What did they expected… double digit growth.

“Our top five emerging markets declined 21%,” Chamber said, “with Brazil down 25%, Mexico down 18%, India down 18%, China down 18%, and Russia down 30%. Cisco CEO John Chambers said.

But you won’t heard the word NSA from them, because there is collusion between the corporate world and the government. By definition a fascism.

Posted by: neretva’43 | Dec 21 2013 14:04 utc | 5

By the way, Brazil picked Sweden’s SAAB Gripen as its fighter jet, not Boing’s F/A-18 which was seen as a top contender. This is direct results of spying on Brazil and its President.
http://www.businessweek.com/articles/2013-12-19/did-boeing-lose-brazils-fighter-order-as-payback-for-nsa-spying
Deal in question: $5 Billions!!!
So an analytical question Cui Bono is obviously out of consideration in policy makers and cryptographers circles of the Deep State who are infested by systemic racism and chauvinism.
All this leave us that the Security State is busy pretending they are doing something, namely spying on ordinary citizens who suffer from Willful Blindness while their economic situation deteriorate day by day. It is all futile. Wheel of history, political and social dynamics is turning against them. Any foreign government will easily protect themselves against the NSA, and retaliate, so this and similar articles are for domestic consumption.

Posted by: neretva’43 | Dec 21 2013 14:59 utc | 6

See the story in the UK-based The Register today:
How much did NSA pay to put a backdoor in RSA crypto? Try $10m – report

Posted by: William Bowles | Dec 21 2013 15:26 utc | 7

@ # 5: “because there is collusion between the corporate world and the government. By definition a fascism.”
True, how true, and this model is expanding around the globe.

Posted by: ben | Dec 21 2013 15:28 utc | 8

While it hasn’t been leaked yet in the Snowden documents, Windows 8 has been found to have a backdoor that allows the NSA to remotely control the computer.

German publication Zeit Online has obtained leaked documents that purportedly show that IT experts within the German government believe that Windows 8 contains back doors that the NSA could use to remotely control any computers that have it installed. The German officials specifically worry about how Windows 8 interacts with Trusted Platform Modules (TPMs) and are concerned that once Windows machines are paired with TPM 2.0 in 2015, they won’t be able to deactivate it on their machines if they don’t want it.

The German government even warned National Agencies and German companies not to use Windows 8 and to continue working on Windows 7 (which still has the backdoor program, but it can be disabled).

Posted by: Colm O’ Toole | Dec 21 2013 16:00 utc | 9

The German government even warned National Agencies and German companies not to use Windows 8 and to continue working on Windows 7 (which still has the backdoor program, but it can be disabled).

Several years ago the smart City of Munich built their own version of a Linux OS – they ditched Windows and switched entirely to their own customised OS. If nothing else they save a bundle in MS Licensing Fees alone
They’d probably make a mint translating/re-jigging it’s major parts and re-packaging them for other Cities/Gov’ts to use

Posted by: foff | Dec 21 2013 16:09 utc | 10

The backdoor, called “Trusted Computing”!?!?, is project of American IT companies AMD, Cisco, Hewlett-Packard, IBM, Intel, Microsoft, and Wave Systems. It has been created a decade ago.
http://redmondmag.com/articles/2013/08/22/windows-8-security-issues.aspx

“NSA Dream”
The Zeit Online article cites an interview (in German) with Dr. Rüdiger Weis of the Beuth Hochschule für Technik Berlin institution who said that “together with the procedures implemented by Microsoft within Windows 8 (particularly secure boot) the control over its own hardware and software is removed from largely the user” (Bing translation). Weis added that “the TPM chip for the NSA is a dream” (translation), in the wake of Edward Snowden’s disclosures about broad U.S. National Security Administration spying.
Microsoft has embraced the “secure boot” security procedure, which is part of the Unified Extensible Firmware (UEFI) specification. Secure boot is a protection scheme that works with Windows 8 to sign bootloaders with a certificate before the operating system loads to protect against rootkits that currently go undetected. Secure boot can be disabled in x86 Windows 8 systems, but it can’t be disabled in Windows RT systems, Berger explained, in another interview. In addition, there is collaboration between Microsoft and antimalware software vendors at an “early launch antimalware” (ELAM) stage of the boot process that enables antimalware vendors to check the boot loader firmware.
Microsoft has denied that it provides back-door access to the U.S. government via its software. It claims to only respond to requests for specific data via legal demand. However, Snowden has asserted that NSA analysts require no legal process to tap Internet traffic using PRISM, contradicting Microsoft’s claims. Snowden’s leaked documents showed that Microsoft was the very first service provider to sign up for participation in the NSA’s PRISM program.

Posted by: neretva’43 | Dec 21 2013 16:36 utc | 11

The Trusted Computing Group is led by a board that includes Microsoft, Advanced Micro Devices, Cisco Systems, Fujitsu, Hewlett-Packard, IBM, Infineon Technologies, Intel, Juniper Networks, Lenovo and Wave Systems.

This is the Trusted Computing Group.
Ironically, it includes Infineon, German chip-maker.

Posted by: neretva’43 | Dec 21 2013 16:44 utc | 12

netzpolitik.org: Are there apart from the much-discussed access of secret additional technical problems?
Rüdiger Weis: Some. Frightening, particular that massive steps in the wrong direction have also been undertaken on some more controversial issues, the latest standard. To cite just two examples: Misguided integration and broken crypto functions.
The fact that not as required by safety experts, the TPM functionality is implemented only by a certified own chip, opening up further opportunities for attack. It’s not particularly brave predict successful hardware attacks. In this example, the poorly protected areas are to be read physically. Particularly vulnerable are likely integration into network chip and a System on a Chip (SoC). This also applies to so-called Side Chanel attacks wherein about the power consumption or the timing behavior can be analyzed in order to access the secret key.
There is only understood in the art that cryptographic hash functions play a central focal point of security solutions. They are indispensable among others, integrity checks, certificates and digital signatures. The Trusted Computing standard allows the re-use of the SHA1 hash function broken. Of this for more than a decade has been warned. These cryptographic weakness are of practical use for many years. So it is not only a driver for friendly hackers like Jacob Applebaum et al possible rather sinister things with certificates. What is new is that an analysis of Stuxnet revealed that the NSA has techniques to attack the hash functions MD4 family-based, which were previously not known in public research.
Spoken American, this is a ‘smoking gun’.
Translated with google.

Posted by: neretva’43 | Dec 21 2013 17:16 utc | 13

The computer: a general purpose machine
Evolving the computer as a general purpose machine over the past decades, our society has created a powerful tool to perform all kinds of tasks with a single machine. Now IT manufacturers have discovered that they may have an economic interest to arbitrarily limit what these machines can achieve. With “Secure Boot” the owners of IT devices will not be able to independently determine the usage of their machines, as they cannot decide which software to run.
The entity who eventually controls which software can be executed on a device and thus determines the specific functions the device performs, ultimately can control any data processed and stored by the device. In result, the owner of an IT device may not be in sole control of their own data any more.

Posted by: neretva’43 | Dec 21 2013 17:33 utc | 14

well, Neretva, Ubuntu have managed to get hold of the keys for the Windows UEFI secure boot, which is just as well, because if they hadn’t I would not have been able to install Ubuntu on my HP CQ58, which came with Windows 9.

Posted by: Rowan Berkeley | Dec 21 2013 17:51 utc | 15

Don’t get too smug about being an Ubuntu user, because according to https://prism-break.org/

Amazon ads and data leaks

Fix Ubuntu

One could always try this solution

Whonix

VirtualBox

~~stuck~~

WHONIX is slow, due to being routed through TOR, but fairly reliable, as far as these things go – as long as one remembers that TOR software is after all indirectly funded by the US-Military (Good ol Jacob Appelbaum, eh?)

Posted by: foff | Dec 21 2013 18:05 utc | 16

There is something called Compatibilty Support Module (CSM). The hardware Microsoft policy dictate that the CSM is disabled by default. According to some, there is some danger of data loss.
More about Linux support on UEFI motherboards.
http://blog.hansenpartnership.com/linux-foundation-uefi-secure-boot-system-for-open-source/

Posted by: neretva’43 | Dec 21 2013 18:18 utc | 17

Last funny story about Tor is that kid who had threatened with explosive at Harvard Univ.
“According to an FBI criminal complaint, Kim took basic steps to mask his identity while sending the threats. It’s claimed the emails were sent from the free Guerrilla Mail service, which was accessed via the Tor network.”
TOR has been made to support “revolutions” abroad, for those – disident – who are behind Great Firewall and the like.

Posted by: neretva’43 | Dec 21 2013 18:33 utc | 18

BTW, TOR and Cryptohome are both funded by US Naval Research would you believe.

Posted by: William Bowles | Dec 21 2013 19:09 utc | 19

TOR has been made to support “revolutions” abroad, for those – dissident – who are behind Great Firewall and the like.
YES, that certainly is the propaganda behind the TOR legend, and the people behind it certainly claimed that that was why they invented it but equally one could assert that TOR has been cobbled together (initially by direct US MIL employees and, later, by people being paid by a foundation which receives income from the US Mil) to con people into believing that they are anonymous when using it.
The fact that Tor programmer and alleged Assange-Snowden evangelist Jacob Appelbaum gets to portray himself as a rebellious white hat security hacker while being paid indirectly by the US Military makes me laugh everytime I think about it.
Every single assumption I ever made in the last 10/12 yrs, no matter how paranoid, regarding US Gov monitoring (ways and means) of communications has been shown to be correct – my suspicions regarding Mr Appelbaum and the hilariousness of such a self-proclaimed “dissident” being indirectly in the pay of the US Mil will probaly turn out to be correct too.

Posted by: foff | Dec 21 2013 20:40 utc | 20

US/Israel client state collapsing
http://www.aljazeera.com/news/africa/2013/12/us-military-plane-hit-south-sudan-20131221124842778597.html

Posted by: spiuk1 | Dec 22 2013 1:28 utc | 21

The only thing they understand is money, so the disruption in ‘growth’ is something to be cheered.

Posted by: jeff | Dec 22 2013 2:03 utc | 22

10m seems very cheap for fundamentally breaking a security product. Maybe it was 10m or jail for the ceo?

Posted by: Crest | Dec 22 2013 2:25 utc | 23

Godfather of Austerity, IMF, blasts Ukraine, demands it freeze its citizens http://larouchepac.com/node/29282 ” ~ #howtodestroynations

Posted by: brian | Dec 22 2013 2:34 utc | 24

Michael Moore to make film on israel and palestine
http://iacknowledge.net/michael-moore-says-he-is-going-to-make-a-movie-on-israel-and-palestine/

Posted by: brian | Dec 22 2013 2:49 utc | 25

Navsteva ‏@Navsteva 23m
@con_agius the people who attacked the hospital did so in name pic.twitter.com/dcatuJW68J
what does Allah think of having his name associated with destroying a hospital?

Posted by: brian | Dec 22 2013 3:23 utc | 26

foff #15:

Don’t get too smug about being an Ubuntu user, because according to https://prism-break.org/, Canonical’s Ubuntu is not recommended here because it contains Amazon ads and data leaks by default. See Fix Ubuntu if you are already running it and want to quickly disable the privacy invasive parts.

Honestly, that is not an issue, just a minor irritant. As the links you put in explain, there is a simple switch in the GUI to turn that function off. It is an irritant in that by default it is turned on, but the off switch is easily accessible in the GUI.

Posted by: Rowan Berkeley | Dec 22 2013 7:19 utc | 27

besides you can use one of the dozen ubuntu/debian-based distributions, starting with all versions not coming with that awful unity shell which brings you the ads, it’s not like there isn’t choice ^^

Posted by: zingaro | Dec 22 2013 12:02 utc | 28

As the links you put in explain, there is a simple switch in the GUI to turn that function off. It is an irritant in that by default it is turned on, but the off switch is easily accessible in the GUI.
Yes, but many people do not know that there is such a switch in the awful unity shell

Posted by: foff | Dec 22 2013 12:43 utc | 29

@3#
Reason that when one tries to find info about ” Google constellation of satellites” and the companies who are participating in that project, one is faced with a “blank”

Posted by: Yul | Dec 22 2013 16:12 utc | 30

Given the timing of this, with Israel formally linking concessions in Palestinian negotiations with the release of Pollard, and the questions about Greenwald, it’s possible Snowden’s real purpose was to weaken the US vis-a-vis Israel:

Edward Snowden, after months of NSA revelations, says his mission’s accomplished
Barton Gellman, WaPo, Dec 23 2013

Posted by: Rowan Berkeley | Dec 24 2013 8:37 utc | 31

And Susan Rice says, “NSA officials didn’t lie, they INADVERTENTLY MADE FALSE REPRESENTATIONS”..
I saw a quote from some public affairs officer for the DoD, I don’t know when it was said but he was a high ranking official, by title, in public affairs at least. He told Mory Shafer (sp?), paraphrasing,
If you think any US official is going to tell you the truth, you’re stupid. Did you hear that? Stupid.
So, there you go. Read the wording of the statement in question closely, too, it’s pretty wordy. All the better to deny with later. F*cking liars, the lot of em. I can’t hardly stand to listen to anyone representing the govt, in the govt, or defending the govt (and in social media, they may be one and the same)- including village presstitutes. Obviously. I only listen to see what the propaganda is, and basically assume the opposite of whatever they’re saying to be true. That’s pretty sad. Merry effin Christmas.

Posted by: Colinjames | Dec 26 2013 4:57 utc | 32

Back to Main