A representative of a Finnish security vendor has pulled out of speaking at next year's RSA Conference following allegations that RSA worked with the US National Security Agency (NSA) to weaken security standards.
In an open letter to the chiefs of RSA and parent company EMC, F-Secure's chief research officer Mikko Hyppönen confirmed he is cancelling his talk at the popular San Francisco event, which will take place at the end of February 2014.
At issue is a Reuters article from last week alleging that RSA accepted a random number generator from the NSA and set it as the default option in one of its products, in exchange for $10m.
Although RSA yesterday responded with a blog post on the topic, Hyppönen claimed its rebuttal lacked an overt denial of the central allegation in the story, something other onlookers - including independent security consultant Graham Cluley - have also noted.
"As my reaction to this, I'm cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014," wrote Hyppönen, who has spoken no fewer than eight times at either RSA Conference USA, RSA Conference Europe or RSA Conference Japan.
"Aptly enough, the talk I won't be delivering at RSA 2014 was titled 'Governments as Malware Authors'."
According to CRN's US media partner Channelnomics, several speakers slated to appear at the well-respected event are rethinking their attendance in protest, with others planning on changing their remarks, saying they want to address the collusion issue directly.
However, Hyppönen himself said he wasn't expecting other conference speakers to cancel.
"Most of your speakers are American anyway - why would they care about surveillance that's not targeted at them but at non-Americans," he said. "Surveillance operations from the US intelligence agencies are targeted at foreigners. However I'm a foreigner. And I'm withdrawing my support from your event."
RSA was not available for comment at the time this article was published. Whether or not RSA's rebuttal went far enough is up for debate, so in the interests of fairness we are featuring the entire blog below.
"Recent press coverage has asserted that RSA entered into a "secret contract" with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security.
Key points about our use of Dual EC DRBG in BSAFE are as follows:
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.
We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."