Security researcher protests alleged RSA, NSA ties; cancels talk at RSA conference
Mikko Hypponen, Chief Research Officer at F-Secure, has cancelled his talk at the RSA conference in protest of the recent reports linking RSA, NSA and a $10m payoff for inclusion of Dual EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) in encryption products developed by RSA.
Hypponen, in an open letter to the chiefs of RSA and EMC, wrote briefly about the report on Reuters and said “As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.” Hypponen was slated for a talk on the topic “Governments as Malware Authors”.
The F-Secure executive noted that he doesn’t expect EMC or RSA to lose business following the recent revelations, nor does he expect other speakers to withdraw, as most of them are Americans and wouldn’t care because NSA surveillance targets non-Americans.
“I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that’s not targeted at them but at non-Americans”, he wrote.
“Surveillance operations from the US intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event,” he added.
The RSA, NSA ties emerged after Reuters reported that the National Security Agency had paid RSA $10m to get the company to use Dual EC DRBG as the preferred random number generator in its BSafe crypto libraries. The report also claimed that once the algorithm was incorporated by RSA, the NSA used this ‘early adoption’ in its favour to influence NIST’s approval as well.
RSA has already denied the allegations, claiming that the report is false and that it has been using the random number generator in question since 2004 – two years earlier than the dates mentioned in the Reuters report.
“RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use”, stated RSA.