
Security researcher cancels talk at RSA conference in protest

Mikko Hypponen, chief research officer of F-Secure, said he was protesting reports of a secret RSA-NSA deal

By John Ribeiro
December 24, 2013 01:06 AM ET

IDG News Service - Security researcher Mikko Hypponen has canceled his talk at an RSA security conference in San Francisco, in response to a report that the security division of EMC allegedly received $10 million from the National Security Agency to use a flawed random number generator in one of its products.

In an open letter on Monday to Joseph M. Tucci, EMC's chairman and CEO, and Art Coviello, executive chairman of RSA, Hypponen, who is chief research officer at Finnish security company F-Secure, referred to a Reuters news service report which stated that RSA accepted a random number generator from the NSA, and set it as the default option in its product BSafe, in return for the payment from the NSA.

RSA took money "secretly" from the NSA to embed the Dual EC DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) technology into its BSafe toolkit, according to the report on Friday.

The number generator, used in a 2006 standard from the National Institute of Standards and Technology, came under scrutiny after former NSA contractor Edward Snowden suggested it provided back-door entry to NSA snooping, according to reports.

RSA denied entering into a secret contract with the NSA. "We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption," it said in a statement Sunday.

Hypponen said RSA had not denied receiving $10 million from the NSA to use the random number generator. "You had kept on using the generator for years despite widespread speculation that NSA had backdoored it," he wrote.

The researcher said he didn't expect EMC or the conference to suffer as a result of the alleged deals with the NSA. Nor did he expect other conference speakers to cancel. Most of the speakers at the conference are American, so why would they care about surveillance that's not targeted at them but at non-Americans, Hypponen wrote.

Surveillance operations by U.S. intelligence agencies are targeted at foreigners, he added.

"However I'm a foreigner. And I'm withdrawing my support from your event," the Finnish researcher wrote. He had earlier tweeted that "If the Reuters story is true, I - for one - will be cancelling my invited talk and my panel participation in the upcoming RSA Conference."

The RSA conference runs from Feb. 24 to 28. Among the keynote speakers and other speakers listed on the conference website are executives from Microsoft, Juniper Networks, Cisco, McAfee, Symantec and Hewlett-Packard. Hypponen was to speak on "Governments as Malware Authors" at the conference. The researcher said he had spoken eight times at RSA conferences in the U.S., Europe and Japan. "You've even featured my picture on the walls of your conference walls among the 'industry experts,'" he wrote in the letter.

EMC could not be immediately reached for comment on Hypponen's decision.

John Ribeiro covers outsourcing and general technology breaking news from India for The IDG News Service. Follow John on Twitter at @Johnribeiro. John's e-mail address is john_ribeiro@idg.com

Reprinted with permission from IDG.net. Story copyright 2014 International Data Group. All rights reserved.