A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA

from the good-for-them dept

A few weeks ago, there was quite a big story concerning how the NSA paid $10 million to RSA to make its compromised random number generator the “default” in a key RSA product. The RSA issued a ridiculously stupid “categorical denial” of the report, which actually denied something entirely different, more or less confirming the original report. Following this, one of the most well-known security researchers around, Mikko Hypponen, announced that he was cancelling his planned talk at RSA’s big conference in February. Since then, additional security experts, including Chris Soghoian, Jeffrey Carr and Josh Thomas have each announced that they’re cancelling their own talks as well.

Carr also has a good post debunking some of the key claims in RSA’s non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn’t the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit where they had paid RSA $10 million to sell its soul. Carr further notes that, not too long before that, RSA’s former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA believed that RSA was the enemy:

“For almost 10 years, I’ve been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we’re the real enemy, we’re the real target.”

While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA’s interests and RSA’s interests were not aligned. The fact that RSA appears to have, at least, looked the other way concerning the security of Dual EC DRBG, while quietly pocketing the money, is really damning. It’s good to see security experts speaking up and taking a stand against the company, not just for the deal, but for its totally bogus fake denial.



Comments on “A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA”

out_of_the_blue says:

I was skeptical of public key "cryptography" from mid-80's.

Any system not fully understood is subject to trickery. Any three-card monte dealer should be able to convince you of that in ten minutes. Complex math in particular requires long analysis by maniacs to even be likely safe.

But mainly, any system in which money can sway morality is inherently corrupt. And I’m pretty sure that includes all human activities.

Google’s tailoring to YOU can selectively substitute, omit, and lie. You can’t trust anything on the net, neither what you see nor what you don’t see!


Aaron T (profile) says:

Re: I was skeptical of public key "cryptography" from mid-80's.

Not sure what you’re talking about. Dual EC DRBG has nothing to do with public key crypto (RSA/DSA/etc). Instead it is classified as a CSPRNG (cryptographically secure pseudo-random number generator).

Also, nothing revealed so far has put into question any public key crypto algorithms.

Anonymous Coward says:

Re: I was skeptical of public key "cryptography" from mid-80's.

You have obviously not looked at the problem. The basis of public key cryptography is easy to understand: factorising very large numbers is extremely time consuming, with the best algorithms being a minor optimisation on trying every prime less than the square root of the number to be factorised, and with finding primes essentially being the same problem.
Computers simply allowed the necessary operations used in encrypting and decrypting with very large numbers to be carried out in reasonable time.

Anonymous Coward says:

They are guilty as charged. They took the money, which was 1/3 of their revenue, with no costs attached, just to make that NSA-backed algorithm the default, and they didn’t think anything was suspicious about that? Or how about keeping it as the default, even after several well known cryptographers called it a backdoor by name? Even then they didn’t think something was wrong?

Give me an effing break. We’re not toddlers. RSA deserves to die as a company. Period.

Anonymous Coward says:

I love how the current RSA executives claim they were simply relying on NIST’s judgement about Dual Elliptic Curve’s security integrity. Yet Dual EC would never have been a NIST standard if RSA had never blessed the random number generator with their own stamp of approval to begin with.

All these facts together show just how greedy and deceitful the executives in charge of RSA really are. RSA is now known as a company that will do anything for easy money, including selling out every last soul on this world for 10 million dollars.
