A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA
from the good-for-them dept
A few weeks ago, there was quite a big story concerning how the NSA paid $10 million to RSA to make its compromised random number generator the “default” in a key RSA product. The RSA issued a ridiculously stupid “categorical denial” of the report, which actually denied something entirely different, more or less confirming the original report. Following this, one of the most well-known security researchers around, Mikko Hypponen, announced that he was cancelling his planned talk at RSA’s big conference in February. Since then, additional security experts, including Chris Soghoian, Jeffrey Carr and Josh Thomas have each announced that they’re cancelling their own talks as well.
Carr also has a good post debunking some of the key claims in RSA’s non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn’t the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit where they had paid RSA $10 million to sell its soul. Carr further notes that, not too long before that, RSA’s former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA believed that RSA was the enemy:
“For almost 10 years, I’ve been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we’re the real enemy, we’re the real target.”
While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA’s interests and RSA’s interests were not aligned. The fact that RSA appears to have, at least, looked the other way concerning the security of Dual EC DRBG, while quietly pocketing the money, is really damning. It’s good to see security experts speaking up and taking a stand against the company, not just for the deal, but for its totally bogus fake denial.
Filed Under: chris soghoian, jeffrey carr, josh thomas, mikko hypponen, nsa, researchers, rsa conference, security
Companies: rsa
Comments on “A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA”
I was skeptical of public key "cryptography" from mid-80's.
Any system not fully understood is subject to trickery. Any three-card monte dealer should be able to convince you of that in ten minutes. Complex math in particular requires long analysis by maniacs to even be likely safe.
But mainly, any system in which money can sway morality is inherently corrupt. And I’m pretty sure that includes all human activiities.
Google’s tailoring to YOU can selectively substitute, omit, and lie. You can’t trust anything on the net, neither what you see nor what you don’t see!
09:27:20[k-730-2]
Re: I was skeptical of public key "cryptography" from mid-80's.
Not sure what you’re talking about. Dual EC DRBG has nothing to do with public key crypto (RSA/DSA/etc). Instead it is classified as a CSPRNG (cryptographically secure psudo-random number generator).
Also, nothing revealed so far has put into question any public key crypto algorithms.
Re: I was skeptical of public key "cryptography" from mid-80's.
You have obviously not looked at the problem, the basis of public key cryptography is easy to understand, Factorising very large numbers is extremely time consuming, with the best algorithms a minor optimisation on try every prime less than the square root of the number to be factorised, with finding primes essentially being the same problem.
Computers simply allowed the necessary operations used in encrypting and decrypting using very large numbers to be carried out in reasonable time.
Re: I was skeptical of public key "cryptography" from mid-80's.
Any system not fully understood is subject to trickery.
Just because you don’t understand it doesn’t mean most people don’t. It just means you’re not very smart.
I'm adding RSA to my "doomed companies" list
No matter what the current management of RSA thought their products were, they were really selling trust to their customers. Now, they have nothing to sell.
Re: I'm adding RSA to my "doomed companies" list
Let me guess the top company on your list: Prenda Law!
Right, right?
Re: Re: I'm adding RSA to my "doomed companies" list
They just need to change careers and they could strike gold.
Off the top of my head I’d suggest either circus performers(plenty of practice with that in court), or muses-for-hire(they always seem to bring out the best/eloquent/funny in judges.)
They are guilty as charged. They took the money which was 1/3 of their revenue, with no costs attached, just to make that NSA-backed algorithm the default, and they didn’t think anything is suspicious about that? Or how about keep using it as a the default, even after several well known cryptographers called it a backdoor by name? Even then they didn’t think something is wrong?
Give me an effing break. We’re not toddlers. RSA deserves to die as a company. Period.
Hey, Mike, have you read these posts?
Sorry, RSA, I’m just not buying it
Dual EC, The Saga Continues
I was shocked to learn that there was essentially a patent on backdooring Dual EC.
It’s good to see that some people still have a backbone.
I love how the current RSA executives claim they were simply relying on NIST’s judgement about Dual Elliptical Curve’ security integrity. Yet, Dual EC would have never been a NIST standard, if RSA would have never blessed the random number generator with their own stamp of approval to begin with.
All these facts together show just how greedy and deceitful the executives in charge of RSA, really are. RSA is now known as a company who will do anything for easy money. Including selling out every last soul on this world, for 10 million dollars.