A growing number of security and privacy technology experts, disillusioned by news that security firm RSA was paid by the National Security Agency to use an exploitable algorithm in its encryption technology, feel they can no longer trust the company. They've called for a boycott of RSA’s annual conference in San Francisco in February, and now a group of them has taken this effort a step further—creating their own “trust-based” conference just a few blocks from RSA’s event.
"TrustyCon" will be held on February 27 at the AMC Metreon Theater in San Francisco. That's the same day as the RSA's event, and the location is a multiplex cinema just around the corner from the Moscone Convention Center. To add fuel to this dissenting fire, TrustyCon has already picked up sponsorships from Microsoft, Cloudflare, and security firm iSEC Partners.
The RSA concerns started with documents leaked by Edward Snowden and published by the New York Times in December. These indicated that the NSA had worked with the National Institute of Standards and Technology to create a “backdoor” in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a pseudorandom number generator designated as a standard for encryption. Reuters reported last month that in 2004—even before NIST approved it as a standard—the NSA paid RSA $10 million to use Dual EC DRGB as part of its RSA BSAFE cryptographic library. If the allegation is true, much of the encryption software sold by RSA would allow the NSA to break the encryption using the known backdoor. RSA, for its part, has denied that it took money to put a backdoor in its encryption software. The company said that it followed NIST’s guidance on use of the code. But that hasn’t been enough to convince many security experts who believe the Snowden documents that state the RSA conspired with the NSA.
Read 3 remaining paragraphs | Comments