
Comment Re:On what basis can you make this demand? (Score 1) 99

> They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say, for starters, would be to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.

RSA Security also has not yet given a good explanation for why they ignored the multitude of red flags until 2013. As cryptographer Matthew Green writes:

> So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow -- which has real performance implications -- it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.

If RSA Security makes secret contracts that impact other people's security, I don't see why RSA Security should get any benefit of the doubt. Why should we trust a company cloaked in secrecy that has shown itself to be overwhelmingly incompetent and/or malicious?

Comment Re:What lie? (Score 1) 99

> There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely. But that in no way excuses or explains why RSA Security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine...

Comment RSA considered Dual_EC research without merit? (Score 1) 99

Jeffrey Carr has a good point from the RSA Conference keynote:

> "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

So up until then, they apparently considered all the criticism of RSA security without merit? On what basis? The research was obviously right.

http://jeffreycarr.blogspot.dk...

If you read a bit more in the actual keynote, there is actually an unexpectedly frank explanation:

> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to our business, we worked to establish an approach to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and Technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

But they ignore most of the input of the larger community, in favor of taking $10,000,000 from NSA to use their backdoored algorithm.

What we have seems to be standard exploitation of a valuable acquired brand which is no longer profitable. Take a high-quality brand with an outstanding reputation for independent quality checking. Fire everybody skilled (and expensive), and sell as many cheap commodity products under that brand as you can get away with, with as little expensive quality control as possible. Their claim is that they expected to get the quality control for free from NIST, which they knew was dominated by the NSA. Meanwhile, RSA Security chose to totally ignore any contradicting independent research.

Personally I believe the amount of incompetence and cluelessness claimed by RSA Security as defense strains credulity beyond breaking point.

Submission + - How Apps Are Reinventing the Worst of the Software Industry (codinghorror.com)

An anonymous reader writes: Jeff Atwood, co-founder of Stack Overflow, says the mobile app ecosystem is getting out of hand. 'Your platform now has a million apps? Amazing! Wonderful! What they don't tell you is that 99% of them are awful junk that nobody would ever want.' Atwood says most companies trying to figure out how to get users to install their app should instead be figuring out just why they need a mobile app in the first place. Fragmentation is another issue, as mobile devices continue to speciate and proliferate. 'Unless you're careful to build equivalent apps in all those places, it's like having multiple parallel Internets. "No, sorry, it's not available on that Internet, only the iOS phone Internet." Or even worse, only on the United States iOS phone Internet.' Monetization has turned into a race to the bottom, and it's led to worries about just what an app will do with the permissions it's asking for. Atwood concludes, 'The tablet and phone app ecosystem is slowly, painstakingly reinventing everything I hated about the computer software industry before the web blew it all up.'

Comment PDF file... in Finnish (Score 1) 252

Did the summary just link to a PDF file... in Finnish? It wasn't enough that the same file was already linked from the main article, but it was judged useful enough to link from the summary? Really?

The trick to good linking is to avoid overlinking, to avoid confusing the reader. This summary fails.

Comment Preliminary injunction (Score 1) 211

I guess it would take a litigator to notice this, but it's quite unusual that a preliminary injunction denial would be getting this kind of appellate attention.

In the first place, it was unusual for an interlocutory appeal to be granted from the denial of the preliminary injunction motion. In federal court usually you can only appeal from a final judgment.

Similarly, apart from the fact that it's always rare for a certiorari petition to be granted, it's especially tough where the appeal is not from a final judgment, but just from a preliminary injunction denial which does not dispose of the whole case.
