Bribery

In the security field trust is everything. And now RSA has lost that trust with recent revelations of them accepting a $10 million bribe from the NSA to make the flawed Dual Elliptic Curve random number generator the default in their BSAFE crypto suite.

Purposely inserting backdoors can be a tricky business decision. Not only could others discover and use these same flaws for their own mischief (e.g., stealing SecurID token seeds), but public disclosure of them is sure to hurt international sales (something RSA is probably pretty concerned with right now).

Of course I think most of us in the security field expected activities like this were already happening. Still, it is a bit disheartening that companies we have entrusted with our secrets have betrayed that trust in exchange for a few million dollars to raise their bottom line in the short-term. The question RSA, and other companies like them, will have to ask themselves is “Was it worth it in the long-term?”

The bigger questions to ponder are the unknowns, though. For example, what other security algorithms and products have RSA, and perhaps other US companies, purposely backdoored? And taking this example a step further, what companies in other countries are also accepting bribes from their NSA-equivalent organization to do the same thing with their products or services?

It’s a sad day in the security field but hopefully disclosures like this will help make the industry more secure in the long run. I’m sure some companies out there are re-evaluating their past decisions to include backdoors even as I write this post. And those organizations that have not caved will be much more reluctant to offer flawed products and services in exchange for a few million dollars.
