RSA takes one for the team, but which team?
Edward Snowden says (according to Reuters) that RSA Security accepted $10 million from the National Security Agency in exchange for installing (or allowing to have installed) a secret backdoor so the NSA could decrypt messages as it pleased. Hell no, says RSA (a division of storage vendor EMC), stating in very strong terms that this was not at all the case. But then, in a second-day look at the RSA/EMC statement, bloggers began to see the company as dissembling, its firm defense as really more of a non-denial denial. So what’s the truth here, and what’s the lesson?
For the truth I reached deep into the bowels of elliptic-curve cryptography to an old friend who was one of the technology’s inventors.
"RSA is lying," said my friend. "No room for ambiguity on this one. The back-doored RNG was a blatantly obvious scam and they made it the default anyway."
My friend has no reason to lie and every reason to know what’s what in this tiny corner of technology, so I believe him. Besides, the Snowden revelations have all proven true so far.
What’s with EMC, then?
Forget for a moment about right and wrong, good or evil and think of this in terms of a company and one of its largest customers -- the US Government. It’s more than just that $10 million NSA payday EMC has to see as being at risk. With the Obama Administration’s back against the wall on this one, EMC has to see its entire federal account as endangered.
That’s the only reason I can imagine why an NSA contractor would say that they didn’t know the backdoor existed (we are incompetent, hire us) or that once they did know it existed they waited years to do anything about it.
These are not the kind of admissions corporate PR wants to make unless (a) they are being forced to do it, or (b) the real truth is even worse.
I’m guessing that EMC sees itself as taking one for the team. The problem, of course, is what team are they on? It certainly doesn’t seem to be that of the American people.
Full disclosure is the best course here and if full disclosure is prohibited by security regulations and spook laws then the thing to do is to get out of the business. I’m serious. EMC could and probably should simply resign the NSA account, which would say more about this case than any detailed explanation.