Security firm RSA issues lame non-denial of Reuters' report on NSA deal

Today, Ars Technica reports on RSA's statement issued Sunday, denying-but-not-actually-denying Friday's Reuters exclusive that the security software firm received $10 million from the NSA "in exchange for making a weak algorithm the preferred one in its BSAFE toolkit." [Ars Technica]

Notable Replies

  1. Look to RSA to start shedding clients like an old mangy dog sheds its fur.

  2. Take this for what it's worth from an infrastructure server admin rather than someone in IT security, but I've always thought that those RSA tokens are more of a way to let people in than keep them out.
    If someone's using those damn things as one of their primary ways with which to harden their security, have fun.

  3. The concept is actually fairly clever. The fact that RSA, more or less quietly, held on to the initialization time and seed value (everything you need to reconstruct the passcode a given fob will display at any time during its life) for every fob they sold... Less clever.

    Quite embarrassing when persons unknown breached RSA's network and recovered those, then went on a defense contractor hacking spree (this is what finally forced them to admit that anything had happened; they'd been weaseling around about how harmless the hack had been up until that point).

    At the time we all thought that RSA was just being wildly incompetent and/or pandering to customers who lose the key material for their authentication servers and come whinging for it. Now, I'm not so sure... Perhaps somebody else was interested in seeing that material stored.

    Even now, after that incident, I'm pretty sure that they still don't offer the option to key-fill them yourself, on your site, without a third party involved (and it wouldn't be hard, the contacts are just under a little sticker on the back, a few pogo pins and knowing what probably TTL-level serial commands to send, and that'd be that. But no. At least they are damned expensive.)

    What I love about RSA's 'denial' is that they never actually deny having backdoored a product, or having worked for the NSA, merely that 'we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products'.

    That definitely leaves having unintentionally backdoored a product on the table, and (in strictest logic chopping) might even include developing the intention to weaken a product, so long as the intention developed after the contract or project was engaged.

    Keep it classy, RSA, keep it classy.
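The point in reply 3, as an added example (not code from the thread or from RSA): a time-synchronised token's code is a function of its seed and initialisation time alone, so the authentication server and anyone holding a copy of the seed record compute exactly what the fob shows, and the only seed record that is safe from a vendor or escrow breach is one generated on site. The derivation is an HMAC-SHA1 scheme in the style of RFC 4226/6238, an assumption for illustration; SecurID's actual algorithm is proprietary and not reproduced here, and the seed record is constructed.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 60  # seconds per code (assumption; chosen for the illustration)


def token_code(seed: bytes, init_time: int, now: int, step: int = STEP, digits: int = 6) -> str:
    """Code the token displays at unix time `now`.

    `seed` and `init_time` are the only fixed inputs; `now` is public.
    Truncation follows RFC 4226 (assumption: SecurID's own derivation differs).
    """
    counter = (now - init_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Constructed sample record, shaped like one row of a vendor-held seed database.
SEED_RECORD = {
    "serial": "000123456789",  # constructed
    "seed": bytes.fromhex("3132333435363738393031323334353637383930"),  # constructed, 20 bytes
    "init_time": 1_000_000_000,  # constructed
}


def verify(record: dict, submitted: str, now: int, window: int = 1, step: int = STEP) -> bool:
    """Server-side check; tolerates +/- `window` steps of clock drift.

    Note the server needs nothing beyond the same seed record: whoever else
    holds a copy of it (vendor, escrow, or a thief of that database) can run
    this very function and reproduce every code for the token's whole life.
    """
    for drift in range(-window, window + 1):
        t = now + drift * step
        if t < record["init_time"]:
            continue  # no codes exist before the token was initialised
        expected = token_code(record["seed"], record["init_time"], t, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def on_site_key_fill(serial: str, init_time: int) -> dict:
    """Mitigation from reply 3: generate the seed on site from a CSPRNG, so the
    vendor never holds a copy and a breach of its seed database reveals nothing."""
    return {"serial": serial, "seed": secrets.token_bytes(20), "init_time": init_time}
```
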

  4. They've got two not very attractive options here:

    1. They knowingly took money to weaken BSAFE (if not in 2004, surely by 2007).
    2. They were stunningly incompetent and ignorant of the literature in their area of expertise.

    They've gone with #2.

  5. I hope they go out of business and I start finding RSA keyfobs in the bargain bin at Best Buy.

    Edit: No, I hope I find them in the bargain bin at Staples.
