
Comment Re:Get it FIPS certified (Score 1) 360

If you read the article then you'll see that OpenBSD explicitly rejects FIPS certification as a goal.

FIPS certification is why OpenSSL includes the NSA backdoor DUAL EC pseudo random number generator. The code doesn't work but it's still included and can't be fixed. Anything which leads to an outcome like this... Disgust. Disgust and revulsion.

Comment "No evidence of abuse has been found" (Score 4, Informative) 359

Obviously LOVEINT is one example. But more details are coming out about how David Petraeus was caught having an affair because of "metadata" collected by the NSA.
http://www.charlotteobserver.com/2013/06/17/4111871/metadata-helped-reveal-gen-petraeus.html#.Utlud2nfqCg

When Jill Kelley first reported getting threatening emails about Petraeus, the FBI read all her emails as part of "a routine step".
http://www.nytimes.com/2014/01/06/us/from-petraeus-scandal-an-apostle-for-privacy.html

They didn't have a warrant to read her email, they just hacked into Google and made a copy of everyone's email. If you report a crime to the FBI they read your email. Simple as that.

Comment Re:Sensationalist headline is Sensational (Score 1) 292

Typically these leaks are very small and are no danger to the public, which is why they are allowed to persist.

You didn't read the article. You didn't even read the summary. There were 12 which were dangerous. They reported them and the gas company had only fixed 3 of them four months later.

Comment Re:Has anybody seen the actual "evidence"? (Score 4, Insightful) 112

The Wikipedia entry is good on this:

http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor

RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit.

Comment Re:The Case of the Dog That Didn't Bark (Score 1) 291

The NSA documents on this have been leaking for a while. There are ones that dealt with pushing DUAL_EC through NIST. The documents dealing with RSA are separate corroborating documents which fill in some details.

It's likely that the NSA documents on subverting OpenSSL will leak eventually. Anonymous government sources estimate that at the current rate the NSA leaks will take two more years before they have all been released.

Comment They're not denying the article really (Score 5, Interesting) 291

They're just claiming again that they assumed the NSA were good people.

This all happened in 2006. RSA adopted DUAL_EC. RSA was sold to EMC. NIST released the standard. Microsoft researchers showed the flaws in DUAL_EC. The flaws in DUAL_EC have been known since 2006, the only thing we didn't know was that they were deliberate.

Also it's interesting to note that an anonymous organization paid for the same DUAL_EC algorithm to be added to OpenSSL. With OpenSSL at least they didn't make it the default but it's not far off from what RSA did.
http://arstechnica.com/security/2013/12/nsas-broken-dual_ec-random-number-generator-has-a-fatal-bug-in-openssl/

Comment The US has this capability, of course (Score 1) 698

http://www.theinquirer.net/inquirer/news/2290640/germany-warns-against-using-windows-8-due-to-security-risks

You just revoke the keys and suddenly the machine can't boot.

It's funny how the NSA accuses China of inserting back doors but Snowden shows how the NSA inserts back doors. China hacks into systems but Snowden shows the NSA has hacked into tens of thousands of networks. And now the NSA is bragging about preventing a shutdown button when we already know it did the exact same thing.

Comment Re:problem is (Score 1) 841

We can be pretty sure that the NSA data gathering was a part of how General Petraeus was forced to resign.

The NSA shares its data with 11 other federal agencies such as the FBI (crime stoppers), IRS (tax collectors), DEA (drug wars). It may be that the FBI acted alone using already shared metadata information from the NSA. Or it may be that the NSA was more actively involved. If they were involved, that information would be classified.

Petraeus stood a reasonable chance of being elected president. The information was there because the NSA collected it. At a certain point it was decided to force him to resign. That decision was a political one because it has a political impact.

Submission + - Trans Pacific Partnership includes parts of SOPA

Error27 writes: Last month WikiLeaks leaked a draft of the Trans Pacific Partnership treaty. Here is Congresswoman Zoe Lofgren's response to the leaked documents. She points out that there are several troubling issues with the trade agreement. It locks countries into extremely long copyright terms. It limits fair use. It includes DRM provisions which would make it illegal to unlock your cell phone. These laws come from the Stop Online Piracy Act (SOPA) which Americans already rejected.
