So an anonymous manager - manager! - thinks it isn't a big deal. They couldn't find an actual cryptographer to quote? While all the cryptographers do think it is a big deal. This is not an issue where there is real discussion. It is not me who are exaggerating, it is you who are understating the issue.

Many news articles in mainstream media have pointed out that it is a non-denial. If RSA Security was innocent, it would be the easy to just issue a new press release saying unambiguously that no contract existed. Why hasn't RSA Security done that?

I think the backdoored Dual_EC_DRBG still as forward security. xorshift64 doesn't have forward security, if nothing else then because the period is small enough that you can brute force search it.

If you can choose P and e, then you can easily calculate Q=eP. It it only if you start with P and Q given that you can't find e.

> In short, as is the case with many conspiracy theories all you have is a collection of things that are suggestive, not definitive.

When you design a standard, one of the design criteria is that it does not allow for even a potential a backdoor. See fx https://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number . It is most definitive that Dual_EC_DRBG should never have been approved given the knowledge available at the time of how to prevent any possible backdoor.

You need to read it like a lawyer. Take the first claim for example

> Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

Note what is not denied:

* It is not denied that the contract existed
* It is not denied that they set Dual_EC_DRBG as default as a result of the contract
* It is not denied that the contract was secret (they do later deny that their relationship with NSA in general was not secret, which is correct, but does not preclude one contract from being secret)

They only thing they deny is that they knew that Dual_EC_DRBG contained a backdoor when they made the secret contract to set it as the default.

The same with their other non-denials.

I have been adding various facts to the Wikipedia article on Dual_EC_DRBG. A good deal of the most interesting points have not been reported in mainstream media.

* The ANSI group which standardize Dual_EC_DRBG were aware of the potential for a backdoor.
* Three RSA Security employees were listed as being in that ANSI group, making RSA Security's claim innocence claim shaky, since it is less likely that RSA Security didn't know about the back door when NSA paid them $10 million to use Dual_EC_DRBG as default.
* Two Certicom members of the ANSI group wrote a patent which describes the backdoor in detail, and two ways to prevent it.
* Somehow the ways to prevent the backdoor only make it into the standard as non-default options.
* Somehow the people on the ANSI group forget to publicize the potential for a backdoor. Especially Daniel brown of Certicom (co-author of the patent), who also wrote an attempt at a mathematical security reduction for Dual_EC_DRBG, but somehow forgets to explicitly mention the backdoor. The conclusion in Brown's paper also seems very determined to hype Dual_EC_DRBG, whereas the other papers about Dual_EC_DRBG seem excited to hype the errors they find.
* The potential backdoor only becomes public knowledge in 2007.
* Daniel Brown writes in December 2013 that "I'm not sure if this was obvious." and "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se.".

Certicom is the main inventor and patent-holder for elliptic curve cryptography. The two Certicom employees failing to warn or prevent the backdoor they clearly know was possible doesn't reflect well on Certicom.

According to Dan Shumow and Niels Ferguson's 2007 presentation, finding the private key e corresponds to solving one instance of the elliptic curve discrete log problem, which is believed to be a very hard problem indeed, and probably not even doable for a any current supercomputer.

> Like RSA they will just keep denying it and hope there is nothing to directly contradict them.

Yup. And now John Kelsey (who authored the NIST report) says that the potential for the Dual_EC_DRBG backdoor was brought up in an ANSI group meeting, in a group that had three formal RSA Security members (whether they were actually present at the meeting we don't know). And two Certicom members of the same group wrote a patent exactly describing the back door in January 2005, which presumably all the ANSI group members had access to. But RSA Security's know-nothing defense is looking ever-more ridiculous.

I have been updating Wikipedia: https://en.wikipedia.org/wiki/Dual_EC_DRBG . At some point I guess the journalists will wake up?

Also there is no way at least Daniel Brown of Certicom (co-author of the patent) wasn't aware there were probably a backdoor. But he seems to have kept it fairly low-key. And now in 2013 he says: "All considered, I don't see how the ANSI and NIST standards for Dual_EC_DRBG can be viewed as a subverted standard, per se."... And at least Daniel Brown knew exactly how to neutralize the back door, but little was done.

Minix was explicitly considered a toy operating system by Andrew Tanenbaum, who refused to accept patches to add functionality because the complexity would have made Minix less suited as a teaching tool.

> Has the manipulation of currencies masked the real changes in our currencies vs gold?

The main currencies (dollar and euro) have been relatively stable to each other and to a basket of commodities, while gold has not. The result is what counts.

As for there being manipulation: Central banks exist to manipulate currency prices to be stable. That is a feature, not a bug - stability is good. But the US Central bank's manipulation has actually had the goal weakening the dollar (by printing more) compared to doing nothing, not strengthening it. There is no reason to believe that the US Central Reserve has been manipulating the US dollar in a dangerous way - if the dollar was to begin falling, it could sell of some of the many assets it has been buying for newly printed dollars, thereby unprinting those dollars again (reducing the money supply), which would make the remaining dollars worth more.

> http://www.indexmundi.com/commodities/?commodity=food-price-index&months=120

On your food price chart: I remember a number of global food crisises caused by crop failures in recent years, such as the drought in Russia. That food prices have been swinging a lot says something about the wheat market, but doesn't necessarity say anything about the dollar. To get a fuller picture of combined dollar price swings, you have to average the price swings of all commodities. Such an averaged price index is called an inflation index, and shows the dollar to be stable (and the price of gold not to be stable).

> Excuse me if I'm just showing my ignorance but can we really determine what is changing in those graphs? Is it the value of the currencies to which it is measured against that changes or the value of the gold?

The prices in dollars of commodities in inflation indexes have been relatively stable. For example the price of gold doubled between 2009 and 2011 - do you remember the dollar-price of commodities doubling in the same time interval, as would be the case if it was just the dollar halving in value and gold being stable? No, obviously not.

There is no real doubt that it has been the price of gold which is unstable, and not the price of dollars.

Betteridge's law of headlines seems to apply here, though it isn't exactly a headline.

> At the same time the fact that these codecs are being pushed opposite the existing MPEG codecs only fractures the market and slows the adoption of new video technologies. We end up with Mozilla and Google flailing around with alternative codecs rather than buckling down and doing what's necessary to secure the rights to use the MPEG codecs in the first place, only finally doing the right thing after they've exhausted every other option. Web browsers should have fully supported H.264 years ago.

It is not just a license to decode video in the browser. People should also have to be able to generate content for the web without asking permission, so everybody also need to have a free license to encode H.265.

If NSA has a complete record of which tweets you read, then the NSA already knows a lot about you.