Prestigious speaker Mikko Hypponen cancels RSA talk to protest NSA deal

Friday's report that RSA received $10 million to make an NSA-favored random number generator the default setting in its BSAFE crypto tool isn't yet creating any problems on Wall Street, with stock for parent company EMC rising two percent on Monday. That doesn't mean the revelations don't have important public relations fallout for the encryption software maker.

On Monday, Mikko Hypponen, chief research officer of Finland-based antivirus provider F-Secure, publicly canceled the talk he was scheduled to deliver at the RSA Conference USA 2014, which is slated for February. A highly sought-after security researcher who regularly speaks at Black Hat, Defcon, and Hack in the Box, in addition to the more mainstream TED and South by Southwest conferences, Hypponen said his cancellation was in protest of the recently revealed $10 million contract to make the NSA-influenced Dual_EC_DRBG BSAFE's default pseudorandom number generator (PRNG). Hypponen also cited RSA's decision to keep Dual_EC_DRBG the default PRNG for more than five years after serious vulnerabilities were uncovered in it, and Monday's non-denying denial from RSA in response to Friday's report from the Reuters news agency.

"I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," Hypponen wrote in an open letter to Joseph M. Tucci and Art Coviello, the CEO of EMC and the executive chairman of RSA respectively. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway. Why would they care about surveillance that's not targeted at them but at non-Americans? Surveillance operations from the US intelligence agencies are targeted at foreigners. However, I'm a foreigner. And I'm withdrawing my support from your event."


RSA issues non-denying denial of NSA deal to favor flawed crypto code

RSA has issued a statement denying allegations stemming from Friday's bombshell report that the encryption software provider received $10 million from the National Security Agency (NSA) in exchange for making a weak algorithm the preferred one in its BSAFE toolkit.

The press release went live on Sunday, two days after Reuters said the secret contract was part of an NSA campaign to embed, in widely used computer products, encryption software that the agency could break. RSA's statement was worded in a way that didn't clearly contradict any of the article's most damaging accusations. For instance:

Recent press coverage has asserted that RSA entered into a "secret contract" with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.

Later in the release, RSA officials wrote: "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."


Researchers Crack 4096-bit RSA Encryption With a Microphone

So this is a pretty interesting acoustic-based cryptanalysis side-channel attack which can crack 4096-bit RSA encryption. It's been a while since we've seen anything hardware-based, and RSA 4096 is pretty strong encryption; I wonder how they figured this one out. It makes sense though when you think about it, although I wouldn't...

Read the full post at darknet.org.uk