from the good-for-them dept
A few weeks ago, there was quite a big story concerning how the NSA paid $10 million to RSA to make its compromised random number generator the “default” in a key RSA product. RSA issued a ridiculously stupid “categorical denial” of the report, which actually denied something entirely different, more or less confirming the original report. Following this, one of the most well-known security researchers around, Mikko Hypponen, announced that he was cancelling his planned talk at RSA’s big conference in February. Since then, additional security experts, including Chris Soghoian, Jeffrey Carr and Josh Thomas, have each announced that they’re cancelling their own talks as well.
Carr also has a good post debunking some of the key claims in RSA’s non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn’t the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit that it had paid RSA $10 million to sell its soul. Carr further notes that, not too long before, RSA’s former President and CEO, Jim Bidzos, had stated clearly that RSA needed to recognize that the NSA saw RSA as the enemy:
“For almost 10 years, I’ve been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we’re the real enemy, we’re the real target.”
While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA’s interests and RSA’s interests were not aligned. The fact that RSA appears to have, at the very least, looked the other way concerning the security of Dual EC DRBG while quietly pocketing the money is really damning. It’s good to see security experts speaking up and taking a stand against the company, not just for the deal, but for its totally bogus non-denial denial.