A Bunch Of Security Researchers Cancel Appearance At RSA's Conference To Protest Selling Out To NSA
from the good-for-them dept
A few weeks ago, there was quite a big story concerning how the NSA paid $10 million to RSA to make its compromised random number generator the "default" in a key RSA product. RSA issued a ridiculously stupid "categorical denial" of the report, which actually denied something entirely different, more or less confirming the original report. Following this, one of the most well-known security researchers around, Mikko Hypponen, announced that he was cancelling his planned talk at RSA's big conference in February. Since then, additional security experts, including Chris Soghoian, Jeffrey Carr and Josh Thomas, have each announced that they're cancelling their own talks as well.

Carr also has a good post debunking some of the key claims in RSA's non-denial denial. For example, RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn't the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit that it had paid RSA $10 million to sell its soul. Carr further notes that, not too long before that, RSA's former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA viewed RSA as the enemy:

"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."

While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA's interests and RSA's interests were not aligned. The fact that RSA appears to have, at the very least, looked the other way concerning the security of Dual EC DRBG while quietly pocketing the money is really damning. It's good to see security experts speaking up and taking a stand against the company, not just for the deal, but for its totally bogus fake denial.
Filed Under: chris soghoian, jeffrey carr, josh thomas, mikko hypponen, nsa, researchers, rsa conference, security
Companies: rsa
I was skeptical of public key "cryptography" from mid-80's.
But mainly, any system in which money can sway morality is inherently corrupt. And I'm pretty sure that includes all human activities.
Google's tailoring to YOU can selectively substitute, omit, and lie. You can't trust anything on the net, neither what you see nor what you don't see!
Re: I was skeptical of public key "cryptography" from mid-80's.
Also, nothing revealed so far has put into question any public key crypto algorithms.
Re: I was skeptical of public key "cryptography" from mid-80's.
Computers simply allowed the necessary operations used in encrypting and decrypting using very large numbers to be carried out in reasonable time.
Re: I was skeptical of public key "cryptography" from mid-80's.
Just because you don't understand it doesn't mean most people don't. It just means you're not very smart.
I'm adding RSA to my "doomed companies" list
Re: I'm adding RSA to my "doomed companies" list
Right, right?
Re: Re: I'm adding RSA to my "doomed companies" list
Off the top of my head I'd suggest either circus performers (plenty of practice with that in court), or muses-for-hire (they always seem to bring out the best/eloquent/funny in judges).
Give me an effing break. We're not toddlers. RSA deserves to die as a company. Period.
Sorry, RSA, I'm just not buying it
Dual EC, The Saga Continues
I was shocked to learn that there was essentially a patent on backdooring Dual EC.
All these facts together show just how greedy and deceitful the executives in charge of RSA really are. RSA is now known as a company that will do anything for easy money, including selling out every last soul on this world for 10 million dollars.