Today Reuters reported that the NSA paid RSA, a security company and subsidiary of EMC, $10 million to use a flawed random number generator technology as the “preferred” option in its BSafe software, increasing its popularity.
In September of this year, the New York Times reported that the NSA was working to, in its own words, “break widely used Internet encryption technologies.” That the NSA wanted to get past encryption was not surprising.
How far along it was, however, came as a shock. An NSA memo was blunt in its assessment of its own progress: “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”
After being implicated in the NSA’s efforts to get around encryption, RSA told its customers that they should stop using the flawed algorithm. As the Wall Street Journal reported at that time, the warning was “one of the first instances of a security company acknowledging the U.S. government may have been involved in propping open a backdoor into a product.”
Reuters’ revelation that the NSA had paid RSA $10 million to use the flawed algorithm changes the discussion. Rather than being some sort of evil mastermind bent on making popular security standards obsolete, the NSA was buying its way into companies.
And for small sums to boot. Who wants to wager that this is the only time the NSA paid a security company to use flawed code that it prefers so that it can better beat back encryption?
And if it can get a company with as long a history as RSA to bend so far to its will for a mere ten million dollars, the NSA could have bought any sort of access and influence that it wanted.
Depressing, but probably true.