[Cryptography] Fwd: [IP] RSA Response to Media Claims Regarding NSA Relationship

ianG iang at iang.org
Thu Dec 26 03:57:58 EST 2013


On 24/12/13 05:29 AM, Theodore Ts'o wrote:
> On Mon, Dec 23, 2013 at 08:40:12AM -0500, Kent Borg wrote:
>>   - We were too stupid to have an opinion about Dual EC DRBG, we
>> didn't know it had any problems.  Just because we have legendary
>> initials as our name doesn't change that we are just ignorant
>> businessmen, honest, we don't know any better.
>
> Actually, I believe this.  Never attribute to malice what can be
> adequately explained by incompetence.


Yes.  The reported evidence suggests that RSA lost some of its core
crypto mojo in the early 2000s, and that this deal was done by business
folk, not the crypto lab.

For the business folk, this is called a cash cow.  Likely, you'll find
that EMC purchased the company for its deal flow, and under-invested.
They've probably made their money back by now.


> That might not change my opinion, though, if someone asked me for
> advice about whether to buy products from RSA --- would *you* want to
> buy products from a company that (a) allowed to have their SecureID
> tokens get compromised[1], and (b) allowed themselves to be suckered
> by the NSA?
>
> [1] http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/
>
> As for the rest, the lesson we should take from this is, moving
> forward, if any company in the future hears the words, "I'm from the
> NSA and I'm here to help", they should run away, as fast their legs
> can carry them.


Yep.  And aggressively document the method of attack, so that others can
learn and defend.

The RSA breach is a beautiful thing; all the elements are in place and
documented.  We have the full case story.  I wish we had it for the
other 10-100 methods.


iang