Is “Bribery” a Demand, or a Polite Request?

Back when the NSA sent its employees home with a claim that said,

NSA does not and will not demand changes by any vendor to any product, nor does it have any authority to demand such changes.

I said,

Again, watch the language carefully. NSA denies it demands changes (presumably meaning to the security of software and hardware producers). It doesn’t deny it sometimes asks for changes. It doesn’t deny it sometimes negotiates unfairly to get those changes. It doesn’t deny it steals data on those changes.

It just doesn’t demand those changes.

The NSA Review Group used almost precisely the same formulation in its non-denial denial that NSA corrupts encryption.

NSA will not demand changes in any product by any vendor for the purpose of undermining the security or integrity of the product, or to ease NSA’s clandestine collection of information by users of the product;

Yesterday, Reuters explained how computer security firm, RSA, came to use the encryption standard, Dual_EC_DRBG, the NSA corrupted. 

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back door” in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract. Although that sum might seem paltry, it represented more than a third of the revenue that the relevant division at RSA had taken in during the entire previous year, securities filings show.

So I guess NSA considers “provide a third of a division’s revenue” a polite request, not a demand.

That’s not all that surprising. Before we’re done with this scandal, I expect we’ll learn the NSA is getting all sorts of cooperation via strong-armed cooperation. For example, we have reason to believe the NSA is relying on telecoms “voluntarily” providing “foreign” telecom communications. And there are a lot of tech and software companies that have divisions with falling revenues.

Remember — as William Ockham noted and security prof Matthew Green has emphasized on Twitter — this standard doesn’t appear in the Appendix the Review Group used to support their claim that “Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data,” the statement which appears just before they say they don’t “demand” these changes.

Which is yet further proof that that section of the Report was meant to minimize corporate risk, not end-user risk.

15 replies
  1. What Constitution? says:

    @Saul Tannenbaum: Is this just another example of government contracting: build a system to affect the very structure of digital security on an international scope — contracted to the lowest bidder? Not that I’m complaining … ten million here, ten million there, pretty soon you’re talking real money. Maybe not $52 Billion “real”, but it does leave more money for creating the next cool logo or a better cupholder on the Captain’s Chair in Alexander’s control room. Though I’d rather the government used some of whatever money it saved by using RSA instead of, oh, Microsoft to prosecute Clapper.

  2. orionATL says:

    finally, we’re getting to the good stuff – the blatant corruption and, soon, the criminality.

    i wonder how much longer nsa/doj/whitehouse can hold up

    before they fold up.

    already, prez’s most recent statements suggest weakening, shaky knees.

    we hearing repeats of the earlier “we don’t really know what snowden took” (i guess that must mean hijacking david miranda at heathrow didn’t work as well as hoped.

    we’re suddenly hearing, from inside the nsa citadel, stern statements (read: water-testing pleas) suggesting the “possibility” of amnesty for snowden – but only if he surrender abjectly.

    diane feinstein has suddenly engaged radio silence.

    only ex-fbi blowhard congr. mike ford is still trying to blow wind into n.s.a. pintafore’s sail.

    and we haven’t even gotten to the corruption part of nsa/doj’s conduct.

    ho, boy. i can’t wait to watch glen greenwald’s two-tiered system of american justice at work on this one.

  3. P J Evans says:

    ‘Nice little company you have here – be a shame if anything were to happen to it, now’

    Polite bribery vs outright theft?

  4. Snoopdido says:

    Today’s ODNI document dump over at their ICon tumblr:

    ●DNI McConnell 2007 Shubert State Secrets Declaration
    ●DNI Blair 2009 Jewel State Secrets Declaration
    ●DNI Blair 2009 Shubert State Secrets Declaration
    ●DNI Clapper 2012 Jewel State Secrets Declaration
    ●DNI Clapper 2013 Jewel Shubert State Secrets Declaration
    ●NSA Alexander 2007 Shubert Declaration
    ●NSA Bonanni 2009 Jewel Declaration
    ●NSA Alexander 2009 Shubert Declaration
    ●NSA Fleisch 2012 Jewel Declaration
    ●NSA Fleisch 2013 Jewel Shubert Declaration

  5. earlofhuntingdon says:

    Nor does it deny active involvement earlier in the process, such as in designing in and funding “options” and “features” it wants in the first place.

  6. bloodypitchfork says:

    @orionATL:quote”ho, boy. i can’t wait to watch glen greenwald’s two-tiered system of american justice at work on this one.”unquote

    Glenn Greenwald’s two-tiered system of american justice???????? ummm, while I too can’t wait, it isn’t HIS system. The DOJ owns that baby. Unfortunately for them, the whole rotten system is about to blow up in their face. For one, some Senator’s are calling for Clapper’s head and sooner or later, Holder is gonna face the Fast&Furious consequences as well, not to mention the DOJ’s unmitigated dereliction in deferring prosecution of HSBC criminals. “I can’t wait” is a massive understatement. Personally, I’d give up my SS to see a few of these scumbags face a guillotine.

    quote:”Before we’re done with this scandal, I expect we’ll learn the NSA is getting all sorts of cooperation via strong-armed cooperation.”unquote
    This “scandal” notwithstanding, if Greenwald et al don’t get assassinated before they can release the next revelations, I submit before we’re done with the balance of Snowdens revelation scandals, the USG will be the laughing stock of the planet for stupidity alone, if not cause insurrection of Biblical proportions. The consequences of Snowdens current revelations already makes the Church committee look like childs play and may even reduce the Iran/Contra debacle to second place in the annuls of Great Moments in USG Criminality. youbetcha..I can’t wait. Especially for the Congressional inquisition. I’d pay good money to watch these scumbags squirm, LIVE on teh veh.

  7. earlofhuntingdon says:

    The range of opportunities to hinder or enable corporate power is considerable (as is the reverse). It might be useful to know in advance, for example, whether the EU competition commissioner was going to investigate, penalize or ignore mergers, acquisitions or other concentrations of power and market abuses. The US Justice Department abandoned its role as economic regulator of market dominance and abuses about the time the 386 chip was top of the line technology.

  8. earlofhuntingdon says:

    What a luscious quote you have there, EW:

    “Upon review, however, we are unaware of any vulnerability created by the US Government in generally available commercial software that puts users at risk of criminal hackers or foreign governments decrypting their data”.

    It is difficult to appreciate how many tax dollars roll out the door every hour in order to pay lots and lots of people for explicitly thinking up such stupendous bits of marketing imagineering. The wriggle room is stupendous.

    Which people in or out of government, exactly, are “unaware of any vulnerability” and why? Is “vulnerability” meant to be inclusive or exclusive?

    Does the author include in “created by the US Government” all those things created at its behest? Or does it exclude them, leaving the fields of private contractors untouched? How really do the combined modifiers “generally available,” and “commercial” limit the range of software affected?

    The wriggle room gets broader: Is the idea of putting “users” at risk universal, or is it meant to include only the “specific purpose” of putting users at risk? Are the risks coming from “illegal hackers” and “foreign governments” our biggest concern? What about legally authorized or immunized hackers? What about the USG or its designees? Are risks generated only from “decrypting” our data, or are we worried about data copied, distributed, stored and analyzed without restraint or accountability, without our knowledge or consent?

  9. lefty665 says:

    Made them an offer they did not want to refuse. Something like this maybe…

    Not asking you to take anything out, but offering financial support, a token of our appreciation, for giving our method default status. That was likely paired with the pitch that NSA is better than anyone else at this stuff so it is really just common sense to protect users, and patriotic to boot.

    RSA was no longer the engineering shop that had fought the Clipper Chip, but had been transformed to a division of a larger company. The techies had moved on. As usual, the MBAs went for the cash. Marx wrote, “A capitalist will sell you the rope to hang him with”; or, in this case, to hang his customers and the rest of us.

    Ask for, pay for, threaten for, cajole for, no inducement short of a demand is a demand. The whole rest of the statement is subordinate to “NSA will not DEMAND…”. They can (and did) make sweeping statements after that. AKA non denial denials.

    This is one more exercise that smells like Alexander and Inglis, another piece of their personal over-reach that enables tyranny. For what is being done, look at the institution. For why, look at who is driving.

  10. joanneleon says:

    ““Upon review, however, we are unaware of any vulnerability created by the US Government”

    Well, I don’t know if that statement would hold up in court if they did know about the RSA and $10 million. So maybe the US Govt didn’t create it but they paid for it. They created the situation where the flawed random number generator got out there and was adopted.

Comments are closed.