Cyber Security Experts Boycott, Refuse to Speak at RSA Conference After NSA Deal
January 9, 2014 4:17 PM
comment(s) - last by
NSA entered into a $10 million contract with RSA to place a flawed formula within encryption software
Security industry leader
RSA was caught working with the U.S. National Security Agency
(NSA), and now it's seeing some backlash from former allies.
According to a new report from
, some leaders in the computer security world who were scheduled to speak at the RSA Conference next month have backed out due to recent discoveries about the RSA's connections with the NSA.
The report said Mikko Hypponen, chief technology officer of F-Secure; Josh Thomas, the Chief Breaking Officer at security firm Atredis, and Jeffrey Carr, another security industry veteran who analyzes espionage and cyber warfare methods, have all canceled their presentations at the RSA Conference.
Carr and Hypponen have taken it a step further by boycotting the conference. Hypponen said "nationality" was the reason for his cancellation while Carr said the RSA had violated its customers' trust.
"I don't want to send mixed messages, so I have canceled all my appearances at RSA 2014," said Hypponen.
Once Carr announced his boycott, others followed, including Marcia Hoffman, privacy attorney and former Electronic Frontier Foundation lawyer; Alex Fowler, Mozilla privacy and public policy expert; Christopher Soghoian, American Civil Liberties Union advocate and privacy expert; Adam Langley, Google security expert, and Chris Palmer, Google Chrome security engineer.
The RSA Conference is scheduled for next month in San Francisco.
Jeffrey Carr [SOURCE: jeffreycarr.blogspot.com]
According to documents leaked by former NSA contractor Edward Snowden, the NSA entered into
a $10 million contract with RSA
to place a flawed formula within encryption software (which is widely used in personal computers and other products) to obtain "back door" access to data. The RSA software that contained the flawed formula was called Bsafe, which was meant to increase security in computers. The formula was an algorithm called Dual Elliptic Curve, and it was created within the NSA. RSA started using it in 2004 even before the National Institutes of Standards and Technology (NIST) approved it.
RSA said it had no idea that the algorithm was flawed, or that it gave the NSA back door access to countless computers and devices. The NSA reportedly sold the algorithm as an enhancement to security without letting the RSA in on its real intentions.
"Recent press coverage has asserted that RSA entered into a 'secret contract' with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation," said RSA in a
Many in the security community were surprised at RSA's entanglement with the NSA, but the latest news of a $10 million contract as well has really shocked the industry.
RSA is known as a pioneer in the realm of computer security, and has notoriously fought off the NSA in previous attempts at breaking encryption in the 1990s.
"I can't imagine a worse action, short of a company's CEO getting involved in child porn," said Carr. "I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.”
This article is over a month old, voting and posting comments is disabled
RE: Real Believable
1/10/2014 11:58:59 AM
The problem here is not that they didn't check, it's that no one outside of the NSA thought that the algorithm using dual elliptic curves was breakable with current technology. Cryptography based on dual elliptic curve pseudo-random number generation has been around for a while, and was widely considered to be secure. I find it more surprising that the NSA was the only organization that found a way to break it; I expect that others (the Chinese, Russians, maybe some black hat hackers at the least) cracked it as well, but haven't been caught yet.
RE: Real Believable
1/10/2014 5:38:25 PM
They didn't break it so much as the version they provided was broken, extremely subtly. So subtle in fact that it's still an open debate if this back door even actually exists (personally I believe it does, for whatever that is worth).
The algorithm uses a few random numbers for the seed, even if you know what the numbers are you can't break anyone's use of it; that would have been detected and flagged immediately. No, what the NSA did was provide some numbers for the seed that had a very special relationship with one another. Knowing the numbers, and the relationship, they can look at the last few random numbers out of the algorithm and guess the next one.
Did RSA know that such a thing was possible? At the time it was pure conjecture that such an attack was possible. It's since been shown to be practical by white hat researchers. You also need to keep in mind that one of the NSA's charters is to provide and strengthen publicly available cryptography. Offering their expertise to RSA was entirely appropriate and expected. That doesn't, IMO, wash away RSA's responsibility to do due diligence, which they failed to do when they didn't demand the details of how the "random" seed values were generated (or better yet, generate their own).
"Intel is investing heavily (think gazillions of dollars and bazillions of engineering man hours) in resources to create an Intel host controllers spec in order to speed time to market of the USB 3.0 technology." -- Intel blogger Nick Knupffer
RSA Responds to Claim that it Gave NSA Back Door Access in Exchange for $10M
December 23, 2013, 11:43 AM
Microsoft Wants Windows 8.1 Inside Children's Toys, Appliances
August 20, 2014, 3:20 PM
Report: Windows 9 “Threshold” Tech Preview Coming Next Month
August 15, 2014, 11:29 AM
EA Access Subscription Gaming Service Now Open to All Xbox One Users
August 11, 2014, 4:32 PM
Quick Note: Windows Phone Store Surpasses 300,000 Apps
August 8, 2014, 12:30 PM
China Kicks Symantec, Kaspersky Off Approved Software List
August 4, 2014, 1:48 PM
Nintendo Reports Yet Another Quarterly Loss, Sells 510,000 Wii U Consoles
July 30, 2014, 12:00 PM
Most Popular Articles
Lumia 830 Gets Major Upgrades Including New 20.1 Megapixel Toshiba Sensor
August 15, 2014, 6:00 PM
Windows Phone, BlackBerry Smartphone Market Share Falls to 2.5%, 0.5% Respectively
August 15, 2014, 9:44 AM
GM Concedes That the Cadillac ELR Doesn’t Really Compete with the Tesla Model S
August 15, 2014, 5:42 PM
Cell Phone Thief Calls 911 After Her Victim Chases Her and Her Male Cohort
August 14, 2014, 12:11 PM
Smarter Wired, Wireless Chargers Set to Shake Up Mobile Industry
August 14, 2014, 6:39 PM
Latest Blog Posts
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information