The NSA paid $10 million to RSA so the security company would make flawed encryption the default, Reuters reports. Sources said the secret $10 million deal was so RSA would make the Dual_EC_DRBG pseudorandom number-generating algorithm the default algorithm in its BSafe crypto library, so the NSA "could crack into widely used computer products."
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.
Although the company stated "under no circumstances does RSA design or enable any back doors in our products," the Reuters report suggests the opposite...that the RSA did create a "back door" into encryption.
The NSA must stop undermining the security of the Internet, according to the President's Review Group on Intelligence and Communications Technologies. The group issued 46 recommendations that include reforming the NSA to ensure the protection of Americans' privacy and civil liberties. Regarding global communications, the review group recommended:
The US Government should take additional steps to promote security, by (1) fully supporting and not undermining efforts to create encryption standards; (2) making clear that it will not in any way subvert, undermine, weaken, or make vulnerable generally available commercial encryption; and (3) supporting efforts to encourage the greater use of encryption technology for data in transit, at rest, in the cloud, and in storage.
When the word "balance" is used to describe a happy medium between Americans' privacy and security matters carried out by the Intelligence Community, civil liberties and privacy usually are on the losing end of that balancing act. However, in Liberty and Security in a Changing World [pdf], the report states:
When the Constitution was ratified, We the People-in whom sovereignty resides-made commitments, at once, to the protection of the common defense, securing the blessings of liberty, and ensuring that people are "secure in their persons, houses, papers, and effects." In the American tradition, liberty and security need not be in conflict. They can be mutually supportive. This understanding lies at the foundation of our culture and our rights, and it is shared by many of our close friends and allies.
Reforming the Intelligence Community will "safeguard the privacy and dignity of American citizens," while still allowing the government "to respond to genuine threats." The review group called for "institutional reforms designed to ensure that NSA remains a foreign intelligence collection agency."
All that hovering up of Americans' phone records for mass surveillance? Stop it. "The government should not be permitted to collect and store all mass, undigested, non-public personal information about individuals to enable future queries and data-mining for foreign intelligence purposes."
Regarding the surveillance of U.S. citizens, the review group recommended:
a series of significant reforms. Under section 215 of the Foreign Intelligence Surveillance Act (FISA), the government now stores bulk telephony meta-data, understood as information that includes the telephone numbers that both originate and receive calls, time of call, and date of call. (Meta-data does not include the content of calls.). We recommend that Congress should end such storage and transition to a system in which such meta-data is held privately for the government to query when necessary for national security purposes.
The U.S. government has been called the "biggest buyer of zero-day vulnerabilities." Some people believe these may be used on Americans as trojan horse warrants for remote searches. Recommendation 30 of the review group states:
We recommend that the National Security Council staff should manage an interagency process to review on a regular basis the activities of the US Government regarding attacks that exploit a previously unknown vulnerability in a computer application or system. These are often called “Zero Day” attacks because developers have had zero days to address and patch the vulnerability. US policy should generally move to ensure that Zero Days are quickly blocked, so that the underlying vulnerabilities are patched on US Government and other networks. In rare instances, US policy may briefly authorize using a Zero Day for high priority intelligence collection, following senior, interagency review involving all appropriate departments.
The ACLU highlighted the "nine most important things you need to know" about the recommended reforms.
- The phone records program doesn't work, invades Americans' privacy, and threatens our freedoms
- National Security Letter (NSL) authorities should effectively be revoked.
- US Person information collected through Section 702 programs, such as PRISM, should be deleted or protected by a warrant.
- Non-US persons have privacy rights that should be respected.
- The government should fully support secure communications, not subvert them.
- The government should be more transparent.
- The secretive FISA court needs to hear from the other side.
- The NSA itself should be reformed.
- The Privacy and Civil Liberties Oversight Board should be expanded.
As the ACLU pointed out, the report "unequivocally rejected the notion that privacy and civil liberties must be sacrificed in order to achieve a balance with national security."
Like this? Here's more posts:
- Lulzy Christmas: Hackers buy presents for the poor with gov't officials' credit cards
- How Microsoft invented, or invisibly runs, almost everything
- Bruce Schneier leaving 'security futurologist' position at telco employer BT
- Drivers beware: Roadblocks where cops collect 'voluntary' blood and saliva samples
- Microsoft fails to mention Skype in promises to protect users from NSA surveillance
- 300-pound crime-predicting mobile robot: Crime-preventing precog or 'R2D2's evil twin'?
- Porn-surfing corporate bosses infect networks, then keep data breaches a secret
- How to change Windows 8.1 to local account with no Microsoft email account required
- Stressed out? Virtual nature via Microsoft's new 3D Photosynth will soothe you
- 6 agencies under DHS rule still using Windows XP: IG finds DHS cybersecurity holes
- Privacy plays an important part in cloud predictions for 2014
Follow me on Twitter @PrivacyFanatic