I saw that, and that’s what triggered my question. Do you know what the weakness was, and what standard it applied to? The article was vague, but I thought I remembered reading something on slashdot a few years ago about the same thing.
Apparently it refers to the Dual_EC_DRBG random number generator, which isn’t really random if you have the backdoor “skeleton key”.
Thanks! And, thanks for starting this thread. While the earlier NSA stories were shocking to me, this part of it was by far the most disturbing. When I first read the NY Times article, I wanted to start a thread, but thought I couldn’t do it justice. It would have been, “Look at this! I’m flabbergasted.”
It seems reasonable now to assume that virtually every US technology company from hardware manufacturers and operating system developers upwards is either compromised or has been forced to insert backdoors into its software and hardware, disclose private keys, help install man-in-the-middle attacks, and so on. In which case why would anybody not from the US want to use those company’s services, especially if you’re a company providing services or developing competing products with an American company (as it’s now pretty obvious that the NSA is also conducting widespread economic espionage — see the massive and otherwise inexplicable spying against Germany, for instance)?
It seems in its quest to know about everything that everybody is doing online in the name of “national security” the NSA considers the same tech-economy that makes their activities possible a fair sacrifice.
Well, without all of those back doors and monitoring, they never could have stopped those guys who wanted to bomb the Boston Marathon using pressure cookers.
On the other hand, this angle offers some hope of reform – they aren’t just pissing off the peasants, they are lowering the levels of some Scrooge McDuck pools and pissing off people with real power.