[Cryptography] Fwd: [IP] RSA Response to Media Claims Regarding NSA Relationship

Theodore Ts'o tytso at mit.edu
Mon Dec 23 21:29:39 EST 2013


On Mon, Dec 23, 2013 at 08:40:12AM -0500, Kent Borg wrote:
>  - We were too stupid to have an opinion about Dual EC DRBG, we
> didn't know it had any problems.  Just because we have legendary
> initials as our name doesn't change that we are just ignorant
> businessmen, honest, we don't know any better.

Actually, I believe this.  Never attribute to malice what can be
adequately explained by incompetence.

That might not change my opinion, though, if someone asked me for
advice about whether to buy products from RSA --- would *you* want to
buy products from a company that (a) allowed their SecurID tokens to
get compromised[1], and (b) allowed themselves to be suckered
by the NSA?

[1] http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/

As for the rest, the lesson we should take from this is, moving
forward, if any company in the future hears the words, "I'm from the
NSA and I'm here to help", they should run away, as fast as their legs
can carry them.

                                        - Ted

