Add Josh Thomas to the list of security experts cutting ties with RSA Security after the Snowden leaks.
“If the allegations are true, a company whose sole purpose is to build trust – and that’s what cryptography is – and they can’t be trusted, then I don’t want to be part of that,” Thomas said to Raw Story. Thomas, “Chief Breaker” of Atreidis Partners, had been lined up to speak at the annual RSA conference in February. The conference gathers computer security researchers to discuss the latest in cryptography and security.
But the RSA brand is radioactive territory after Reuters published accusations that the firm colluded with the NSA to market flawed encryption. The conference is separate from the company, he noted. “They share a name and nothing else. To punish the conference for the company is probably not fair. The problem is that they do share a name. They are furthering the RSA brand. Everyone who gets on stage is furthering the credibility of the company.”
Mikko Hypponen, chief researcher for the Finnish computer security firm F-Secure, withdrew in protest from a speaking engagement at the conference, citing the Edward Snowden revelations as tainting the event, and published an open letter Monday describing his concerns to RSA and its parent firm, EMC Corp.
“On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim,” Hypponen wrote in an open letter.
“Eventually, NSA’s random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it. As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.”
Hypponen’s decision reverberated within the security community through social media. F-Secure is one of the most important anti-virus and computer security firms in the world, and Hypponen is a world-renowned expert at defeating computer viruses and worms. In a Twitter message, Hypponen said the title of the talk he would have delivered at RSA 2014 was “Governments as Malware Authors.”
A Reuters report last week, relying on information provided by fugitive former NSA contractor Edward Snowden, accused the security division of EMC of receiving $10 million from the NSA to use a flawed random number generator in one of its products. RSA denied entering into a secret contract … but has not denied taking money from the NSA.
“We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption,” it said in a statement Sunday.
Spokespeople for the conference have not yet returned requests for comment.