A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA

from the good-for-them dept

A few weeks ago, there was quite a big story concerning how the NSA paid $10 million to RSA to make its compromised random number generator the "default" in a key RSA product. The RSA issued a ridiculously stupid "categorical denial" of the report, which actually denied something entirely different, more or less confirming the original report. Following this, one of the most well-known security researchers around, Mikko Hypponen, announced that he was cancelling his planned talk at RSA's big conference in February. Since then, additional security experts, including Chris Soghoian, Jeffrey Carr and Josh Thomas have each announced that they're cancelling their own talks as well.

Carr also has a good post debunking some of the key claims in RSA's non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn't the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit where they had paid RSA $10 million to sell its soul. Carr further notes that, not too long before that, RSA's former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA believed that RSA was the enemy:
"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."
While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA's interests and RSA's interests were not aligned. The fact that RSA appears to have, at the very least, looked the other way concerning the security of Dual EC DRBG while quietly pocketing the money is really damning. It's good to see security experts speaking up and taking a stand against the company, not just for the deal itself, but for its totally bogus denial of it.


Reader Comments

  1.  
    out_of_the_blue, Jan 7th, 2014 @ 1:27pm

    I was skeptical of public key "cryptography" from mid-80's.

    Any system not fully understood is subject to trickery. Any three-card monte dealer should be able to convince you of that in ten minutes. Complex math in particular requires long analysis by maniacs to even be likely safe.

    But mainly, any system in which money can sway morality is inherently corrupt. And I'm pretty sure that includes all human activities.

    Google's tailoring to YOU can selectively substitute, omit, and lie. You can't trust anything on the net, neither what you see nor what you don't see!



  2.  
    Anonymous Coward, Jan 7th, 2014 @ 1:45pm

    I'm adding RSA to my "doomed companies" list

    No matter what the current management of RSA thought their products were, they were really selling trust to their customers. Now, they have nothing to sell.


  3.  
    Anonymous Coward, Jan 7th, 2014 @ 1:51pm

    They are guilty as charged. They took the money, which was 1/3 of their revenue, with no costs attached, just to make that NSA-backed algorithm the default, and they didn't think anything was suspicious about that? Or how about keeping it as the default, even after several well-known cryptographers called it a backdoor by name? Even then they didn't think something was wrong?

    Give me an effing break. We're not toddlers. RSA deserves to die as a company. Period.


  4.  
    Aaron T (profile), Jan 7th, 2014 @ 2:06pm

    Re: I was skeptical of public key "cryptography" from mid-80's.

    Not sure what you're talking about. Dual EC DRBG has nothing to do with public key crypto (RSA/DSA/etc). Instead it is classified as a CSPRNG (cryptographically secure pseudo-random number generator).

    Also, nothing revealed so far has put into question any public key crypto algorithms.


  5.  
    Anonymous Coward, Jan 7th, 2014 @ 2:12pm

    Re: I was skeptical of public key "cryptography" from mid-80's.

    You have obviously not looked at the problem. The basis of public key cryptography is easy to understand: factorising very large numbers is extremely time consuming, with the best algorithms being a minor optimisation on trying every prime less than the square root of the number to be factorised, and finding primes being essentially the same problem.
    Computers simply allowed the necessary operations used in encrypting and decrypting with very large numbers to be carried out in reasonable time.


  6.  
    Anonymous Coward, Jan 7th, 2014 @ 3:35pm

    Re: I was skeptical of public key "cryptography" from mid-80's.

    Any system not fully understood is subject to trickery.

    Just because you don't understand it doesn't mean most people don't. It just means you're not very smart.


  7.  
    Anonymous Coward, Jan 7th, 2014 @ 4:35pm

    Hey, Mike, have you read these posts?

    Sorry, RSA, I'm just not buying it
    Dual EC, The Saga Continues

    I was shocked to learn that there was essentially a patent on backdooring Dual EC.


  8.  
    Anonymous Coward, Jan 7th, 2014 @ 6:55pm

    It's good to see that some people still have a backbone.


  9.  
    Anonymous Coward, Jan 7th, 2014 @ 7:28pm

    I love how the current RSA executives claim they were simply relying on NIST's judgement about Dual Elliptic Curve's security integrity. Yet Dual EC would never have been a NIST standard if RSA had never blessed the random number generator with their own stamp of approval to begin with.

    All these facts together show just how greedy and deceitful the executives in charge of RSA really are. RSA is now known as a company that will do anything for easy money, including selling out every last soul on this world for 10 million dollars.


  10.  
    Ninja (profile), Jan 8th, 2014 @ 1:45am

    Re: I'm adding RSA to my "doomed companies" list

    Let me guess the top company on your list: Prenda Law!

    Right, right?


  11.  
    That One Guy (profile), Jan 8th, 2014 @ 5:50am

    Re: Re: I'm adding RSA to my "doomed companies" list

    They just need to change careers and they could strike gold.

    Off the top of my head I'd suggest either circus performers (plenty of practice with that in court), or muses-for-hire (they always seem to bring out the best/eloquent/funny in judges).


