
Comment Re:More interesting facts (Score 1) 201

So an anonymous manager - manager! - thinks it isn't a big deal. They couldn't find an actual cryptographer to quote? While all the cryptographers do think it is a big deal. This is not an issue where there is real discussion. It is not me who is exaggerating, it is you who are understating the issue.

Comment Re:More interesting facts (Score 4, Informative) 201

> In short, as is the case with many conspiracy theories all you have is a collection of things that are suggestive, not definitive.

When you design a standard, one of the design criteria is that it does not allow for even a potential backdoor. See e.g. https://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number . It is most definitive that Dual_EC_DRBG should never have been approved given the knowledge available at the time of how to prevent any possible backdoor.

Comment Re:Another view on teh RSA / NSA thing... (Score 4, Insightful) 201

You need to read it like a lawyer. Take the first claim, for example:

> Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

Note what is not denied:

* It is not denied that the contract existed
* It is not denied that they set Dual_EC_DRBG as default as a result of the contract
* It is not denied that the contract was secret (they do later deny that their relationship with NSA in general was not secret, which is correct, but does not preclude one contract from being secret)

The only thing they deny is that they knew that Dual_EC_DRBG contained a backdoor when they made the secret contract to set it as the default.

The same with their other non-denials.

Comment More interesting facts (Score 5, Informative) 201

I have been adding various facts to the Wikipedia article on Dual_EC_DRBG. A good deal of the most interesting points have not been reported in mainstream media.

* The ANSI group which standardized Dual_EC_DRBG were aware of the potential for a backdoor.
* Three RSA Security employees were listed as being in that ANSI group, making RSA Security's innocence claim shaky, since it is less likely that RSA Security didn't know about the back door when NSA paid them $10 million to use Dual_EC_DRBG as default.
* Two Certicom members of the ANSI group wrote a patent which describes the backdoor in detail, and two ways to prevent it.
* Somehow the ways to prevent the backdoor only make it into the standard as non-default options.
* Somehow the people on the ANSI group forget to publicize the potential for a backdoor. Especially Daniel Brown of Certicom (co-author of the patent), who also wrote an attempt at a mathematical security reduction for Dual_EC_DRBG, but somehow forgets to explicitly mention the backdoor. The conclusion in Brown's paper also seems very determined to hype Dual_EC_DRBG, whereas the other papers about Dual_EC_DRBG seem excited to hype the errors they find.
* The potential backdoor only becomes public knowledge in 2007.
* Daniel Brown writes in December 2013 that "I'm not sure if this was obvious." and "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se.".

Certicom is the main inventor and patent-holder for elliptic curve cryptography. The two Certicom employees failing to warn or prevent the backdoor they clearly know was possible doesn't reflect well on Certicom.

Comment Re:This could be true (Score 2) 284

> Like RSA they will just keep denying it and hope there is nothing to directly contradict them.

Yup. And now John Kelsey (who authored the NIST report) says that the potential for the Dual_EC_DRBG backdoor was brought up in an ANSI group meeting, in a group that had three formal RSA Security members (whether they were actually present at the meeting we don't know). And two Certicom members of the same group wrote a patent exactly describing the back door in January 2005, which presumably all the ANSI group members had access to. But RSA Security's know-nothing defense is looking ever-more ridiculous.

I have been updating Wikipedia: https://en.wikipedia.org/wiki/Dual_EC_DRBG . At some point I guess the journalists will wake up?

Also there is no way at least Daniel Brown of Certicom (co-author of the patent) wasn't aware there was probably a backdoor. But he seems to have kept it fairly low-key. And now in 2013 he says: "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se."... And at least Daniel Brown knew exactly how to neutralize the back door, but little was done.
