For starters, they can come clean. All their press releases have been exercises in trying to say as little as possible, and be as misleading as possible whiile still not literally lying. For example, their non-denial of the $10,000,000 deal with NSA had half the press falsely reporting that RSA claimed there never any $10,000,000 deal.

Dual_EC_DRBG has been documented since 2006/2007 to be an insecure CSPRNG, even without the backdoor. I knew about it for example, and I do not even work in that field. The only way nobody at RSA Security (a huge company specializing in security) could not have heard about it is by putting their hands over their ears and yelling LALALA. And they didn't put 2 and 2 together about why NSA paid them $10,000,000 when the possible backdoor was discussed in the media and the cryptographic community?

I can accept that RSA Security might have been fooled in 2004. But they have not even tried to explain why they kept using Dual_EC_DRBG after 2006/2007. They have been caught with the hand in the cookie jar, and refuse to even try to defend themselves. Why should I try to invent explanations for their innocence for them?

> what evidence could RSA show us that would reinstate our trust

The point is that the circumstantial evidence is so hugely strong. This is not unfair - this is reality.

It is like finding you standing over a corpse in a pool of blood and a knife in your hand, with a $10 million payment to your account from the victims worst enemy. And you refusing to talk about how you got there, or why the victim's worst enemy sent you the $10 million. Do you think I have no right to make assumptions in that case?

> What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal.

That should of course have been:

> What RSA Security has specifically said is that they didn't know about the backdoor when they made the $10,000,000 deal.

Are you referring to this RSA's CTO Sam Curry's "defense", which Mathew Green and Matt Blaze has had so much fun ridiculing? http://blog.cryptographyengine...

RSA Security really haven't made anything close to a coherent defense.

> And the RSA did go on record. They said it wasn't true.

What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.

If you read the keynote from the current RSA Conference, RSA's defense is that they stopped independently creating and verifying the cryptographical algorithms, instead just getting them straight from NIST and ANSI. And they knew or should have known that Dual_EC_DRBG was written by NSA.

> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to out business, we worked to establish an approch to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

Meanwhile RSA Security ignored all the independent research showing that Dual_EC_DRBG was radioactive. So RSA Security's defense is that they stopped doing any due diligence, and instead just copied everything straight from NSA. And because they stopped even trying to do independent cryptography, they were not aware of the possible backdoor. And you think RSA Security's statements in their defense are not laughable, and that people protesting this is just "a$$holes"?

> They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters was for example to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.

RSA Security also have not yet given a good explanation for why they ignored the multitude of red flags until 2013. As cryptographer Matthew Green writes:

> So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow -- which has real performance implications -- it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.

If RSA Security makes secret contracts that impacts other people's security, I don't see why RSA Security should get any benefit of the doubt. Why should we trust a company cloaked in secrecy who has shown themselves to be overwhelmingly incompetent and/or malicious?

> There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely. But that in no way excuses or explains why RSA security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine...

Jeffrey Carr has a good point from the RSA Conference keynote:

> "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

So up until then, they apparently considered all the criticism of RSA security without merit? On what basis? The research was obviously right.

http://jeffreycarr.blogspot.dk...

If you read a bit more in the actual keynote, there is actually an unexpectedly frank explanation:

> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to out business, we worked to establish an approch to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

But they ignore most of the input of the larger community, in favor of taking $10,000,000 from NSA to use their backdoored algorithm.

What we have seems to be standard exploitation of a valuable acquired brand which is no longer profitable. Take a high-quality brand with an outstanding reputation for independent quality checking. Fire everybody skilled (and expensive), and sell as many cheap commodity products under that brand as you can get away with, with as little expensive quality control as possible. Their claim is that they expected to get the quality control for free from NIST, which they knew was dominated by the NSA. Meanwhile, RSA Security choose to totally ignore any contradicting independent research.

Personally I believe the amount of incompetence and cluelessness claimed by RSA Security as defense strains credulity beyond breaking point.

There are lots of Linux titles, but they are mostly indie games. Indie games don't seem to have any problem posting to Linux.

Go buy some Humble Bundles - most games in those have Linux support (and Steam keys).

Obviously the update should not be applied while the car is turned on... car companies are not that stupid.

Did the summary just link to a PDF file... in Finnish? It wasn't enough that the same file was already linked from the mail article, but was judged useful enough to link from the summary? Really?

The trick to good linking is to avoid overlinking, to avoid confusing the reader. This summary fails.

> The shi-fu ('kung-fu masters,' meaning the scientists and engineers)

According to Wikipedia, shifu means master craftsman. Though that obviously also covers kung-fu masters, I don't think that is what the Chinese were alluding to!

I think somebody has been watching too many Hong Kong kung-fu movies.

Dropping USB keys in parking lots is a known way to infect a network. Any Google employee competent enough to use bitcoin should hopefully also know that picking up random USB keys is a bad idea.

https://www.schneier.com/blog/...

Being limited by floppy disk support requirement sounds like a bad joke. Is that really relevant for any computer which is not hopelessly antiquated in 2014? For reference, Apple stopped shipping floppy disk drives by default in 1998.

"Any headline which ends in a question mark can be answered by the word no."