Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: James C. Bennett

RSA is now open to a huge class action lawsuit. They have promoted their product as the gold standard of security. They intentionally lied to the public about the security of their product. And worse, they were paid to insert a security flaw.


7 posted on 12/20/2013 4:36:59 PM PST by Ben Mugged (The number one enemy of liberalism is reality.)


To: Ben Mugged

Good post.
Here’s a clip from the original Reuters piece:

http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

RSA EVOLVES

RSA and others claimed victory when export restrictions relaxed.

But the NSA was determined to read what it wanted, and the quest gained urgency after the September 11, 2001 attacks.

RSA, meanwhile, was changing. Bidzos stepped down as CEO in 1999 to concentrate on VeriSign, a security certificate company that had been spun out of RSA. The elite lab Bidzos had founded in Silicon Valley moved east to Massachusetts, and many top engineers left the company, several former employees said.

And the BSafe toolkit was becoming a much smaller part of the company. By 2005, BSafe and other tools for developers brought in just $27.5 million of RSA’s revenue, less than 9% of the $310 million total.

“When I joined there were 10 people in the labs, and we were fighting the NSA,” said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. “It became a very different company later on.”

By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers.

New RSA Chief Executive Art Coviello and his team still wanted to be seen as part of the technological vanguard, former employees say, and the NSA had just the right pitch. Coviello declined an interview request.

An algorithm called Dual Elliptic Curve, developed inside the agency, was on the road to approval by the National Institute of Standards and Technology as one of four acceptable methods for generating random numbers. NIST’s blessing is required for many products sold to the government and often sets a broader de facto standard.

RSA adopted the algorithm even before NIST approved it. The NSA then cited the early use of Dual Elliptic Curve inside the government to argue successfully for NIST approval, according to an official familiar with the proceedings.

RSA’s contract made Dual Elliptic Curve the default option for producing random numbers in the RSA toolkit. No alarms were raised, former employees said, because the deal was handled by business leaders rather than pure technologists.

“The labs group had played a very intricate role at BSafe, and they were basically gone,” said labs veteran Michael Wenocur, who left in 1999.

Within a year, major questions were raised about Dual Elliptic Curve. Cryptography authority Bruce Schneier wrote that the weaknesses in the formula “can only be described as a back door.”

After reports of the back door in September, RSA urged its customers to stop using the Dual Elliptic Curve number generator.

But unlike the Clipper Chip fight two decades ago, the company is saying little in public, and it declined to discuss how the NSA entanglements have affected its relationships with customers.

The White House, meanwhile, says it will consider this week’s panel recommendation that any efforts to subvert cryptography be abandoned.

(Reporting by Joseph Menn; Editing by Jonathan Weber and Grant McCool)

“Looks like to me the founder of RSA, a marine by the way, left, and the company went to the dogs.”


84 posted on 12/22/2013 3:43:52 AM PST by rodguy911 (FreeRepublic:Land of the Free because of the Brave--Sarah Palin our secret weapon)


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson