from the good-for-them dept
Carr also has a good post debunking some of the key claims in RSA's non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn't the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit where they had paid RSA $10 million to sell its soul. Carr further notes that, not too long before that, RSA's former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA believed that RSA was the enemy:
"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA's interests and RSA's interests were not aligned. The fact that RSA appears to have, at least, looked the other way concerning the security of Dual EC DRBG, while quietly pocketing the money, is really damning. It's good to see security experts speaking up and taking a stand against the company, not just for the deal, but for its totally bogus fake denial.