[148739] in cryptography@c2.net mail archive

Re: [Cryptography] Fwd: [IP] RSA Response to Media Claims Regarding

daemon@ATHENA.MIT.EDU (ianG)
Thu Dec 26 13:47:52 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 26 Dec 2013 11:57:58 +0300
From: ianG <iang@iang.org>
To: Theodore Ts'o <tytso@mit.edu>, Kent Borg <kentborg@borg.org>
In-Reply-To: <20131224022939.GB26944@thunk.org>
Cc: Cryptography List <cryptography@metzdowd.com>,
	Bill Cox <waywardgeek@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 24/12/13 05:29 AM, Theodore Ts'o wrote:
> On Mon, Dec 23, 2013 at 08:40:12AM -0500, Kent Borg wrote:
>>   - We were too stupid to have an opinion about Dual EC DRBG, we
>> didn't know it had any problems.  Just because we have legendary
>> initials as our name doesn't change that we are just ignorant
>> businessmen, honest, we don't know any better.
>
> Actually, I believe this.  Never attribute to malice what can be
> adequately explained by incompetence.


Yes.  The reported evidence suggests that RSA lost some of its core 
crypto mojo in the early 2000s, and that this deal was done by business 
folk not the crypto lab.

For the business folk, this is called a cash cow.  Likely, you'll find 
that EMC purchased the company for its deal flow, and under-invested. 
They've probably made their money back by now.


> That might not change my opinion, though, if someone asked me for
> advice about whether to buy products from RSA --- would *you* want to
> buy products from a company that (a) allowed to have their SecurID
> tokens get compromised[1], and (b) allowed themselves to be suckered
> by the NSA?
>
> [1] http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/
>
> As for the rest, the lesson we should take from this is, moving
> forward, if any company in the future hears the words, "I'm from the
> NSA and I'm here to help", they should run away, as fast as their legs
> can carry them.


Yep.  And aggressively document the method of attack, so that others can 
learn and defend.

The RSA breach is a beautiful thing;  all the elements are in place and 
documented.  We have the full case story.  I wish we had it for the 
other 10-100 methods.


iang

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
