Inviolate Security

"As you are no doubt aware RSA provides encryption for the House of Commons, including RSA SecurID electronic keys.
"Such a break in security has implications for the security and confidentiality of members and their staff to conduct business without being monitored by foreign governments or those who could exploit such a loophole."
Peter Julian, NDP caucus chair

"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'back-doors into our products for anyone's use."
RSA Security LLC

The chief executive of RSA, Art Coviello, speaking at a conference in 2010. Photograph: Kevin Bocek/Flickr

An Open Letter to the Chiefs of EMC and RSA	Posted by Mikko @ 21:46 GMT

23rd of December 2013

An Open Letter to:
Joseph M. Tucci - Chairman and Chief Executive Officer, EMC
Art Coviello - Executive Chairman, RSA

Dear Joseph and Art,

I don’t expect you to know who I am.

I’ve been working with computer security since 1991. Nowadays I do quite a bit of public speaking on the topic. In fact, I have spoken eight times at either RSA Conference USA, RSA Conference Europe or RSA Conference Japan. You’ve even featured my picture on the walls of your conference walls among the 'industry experts'.

On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of the your products, in exchange of $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim. Eventually, NSA’s random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it.

As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.

Aptly enough, the talk I won’t be delivering at RSA 2014 was titled "Governments as Malware Authors".

I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are american anyway – why would they care about surveillance that’s not targeted at them but at non-americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event.

Sincerely,

Mikko Hypponen
Chief Research Officer
F-Secure

Now there's blowback from an outraged Finnish expert in Internet security and malware.  And this is directly related to the fact that Canada's House of Commons security has been asked to review its use of a private encryption device. In view of the fact that it has now been revealed that the U.S. National Security Agency paid the RSA security firm $10-million to accede to its request to build a back-door access point to the device, enabling NSA intelligence entry surveillance.

Reuters reported that the IT security company had agreed to a secret deal with the NSA. That it would weaken the code in its encryption software, enabling the American spy agency access to what should be secure files, tampering with the security of other countries, including Canada. Two unnamed sources familiar with the agreement between RSA and NSA spoke of the loophole.

And that, according to both Reuters and the New York Times, NSA created a flawed formula generating random numbers which it then had inserted into the RSA security product in question. A furtive, unauthorized activity that compromises unequivocally the security of its customer base. Giving NSA access to multitudes of computers thereby.

NDP Member of Parliament has asked House Speaker Andrew Scheer  to have the security gap and obvious risk to Canadian security intelligence duly investigated. RSA was quick to deny the report of a "secret contract" entered into with NSA "to incorporate a known flawed random number generator" into its devices. A protest and attestation of non-compromise of product and authority that has not convinced Mikko Hypponen, scheduled to speak at RSA's February conference.

As a sign of his dismay and disgust at the actions of RSA and NSA, he will absent himself from the conference, while condemning the action taken by RSA. Which company has given no explanation for having accepted that ten million from NSA, despite protesting their innocence of wrong-doing. Ironically, Mr. Hypponen was scheduled to deliver a talk on government use of malware.

He also noted that he has no expectation that other speakers (most of whom are Americans) will see fit to follow suit and also boycott the February RSA conference. NSA's attempts to compromise security standards are not seen to affect them, he contends. On the other hand, it isn't entirely out of contention that other principled security experts regardless of nationality, will feel as he does, and opt not to attend.