Channelnomics

F-Secure Exec Shuns RSA Confab in NSA Protest

A representative of a Finnish security vendor has pulled out of speaking at next year’s RSA Conference following allegations that RSA worked with the National Security Agency (NSA) to weaken security standards.

In an open letter to the chiefs of RSA and parent company EMC Corp., F-Secure’s chief research officer Mikko Hyppönen confirmed he is cancelling his talk at the popular San Francisco event, which will take place at the end of February.

At issue is a Reuters article from last week alleging that RSA accepted an intentionally flawed random number generator from the NSA and set it as the default option in one of its products, in exchange for $10 million.

Although RSA yesterday responded with a blog post on the topic, Hyppönen claimed its rebuttal lacked an overt denial of the central allegation in the story, something other onlookers, including independent security consultant Graham Cluley, have also noted.

“As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014,” wrote Hyppönen, who has spoken eight times at either RSA Conference USA, RSA Conference Europe or RSA Conference Japan.

“Aptly enough, the talk I won’t be delivering at RSA 2014 was titled ‘Governments as Malware Authors’.”

Several other speakers slated for the RSA Conference have told Channelnomics they are reconsidering their attendance in protest. Others are planning on changing their remarks, saying they want to address the collusion issue directly.

However, Hyppönen himself said he wasn’t expecting most conference speakers to cancel, despite the wall-to-wall coverage the controversial issue has received in the United States.

“Most of your speakers are American anyway — why would they care about surveillance that’s not targeted at them but at non-Americans,” he said. “Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event.”

RSA was not available for comment at the time this article was published. Whether or not RSA’s rebuttal went far enough remains up for debate. The company’s entire blog post is reprinted below:

“Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.

Key points about our use of Dual EC DRBG in BSAFE are as follows:

We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.

This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.

We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.

When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.

RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”
