Did RSA open the door for the NSA?

Just as I was shutting down for the day and getting ready to enjoy my holiday, Reuters dropped an explosive story. One that I cannot fully wrap my head around just yet.

The story comes from a file released in the Snowden leaks. It alleges that the National Security Agency paid the security vendor RSA $10 million to weaken the encryption in RSA's own products and ship them to customers in that state. This would allow the NSA to monitor communications that would otherwise be thought to be secure.

From Reuters:

Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.


Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.

This evening I reached out to RSA seeking comment.

Call me a Pollyanna if you must, but I did actually receive a reply from RSA. Rather than take the leaked document solely at face value, I figured I'd take a novel approach and ask the company for comment.

This is the email that I received:

From: [REDACTED]
Subject: Re: Seeking Comment Regarding the NSA / RSA Story
Date: 20 December, 2013 8:58:08 PM EST
To: "Dave Lewis [Liquidmatrix]"

Hi Dave,

RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own.

Regards,

[REDACTED]

Sent from my iPhone


This is the exact same response that they gave to Reuters. I do appreciate RSA taking the time to answer me. Since this story only broke today, I'm sure they're going to need some time to pull together a more succinct and detailed response. Previous documents leaked by Snowden have proven themselves out, and I'm afraid that RSA will have a lot of explaining to do over the coming days.

So much for a happy holiday.

My curiosity with this report is that, if the story does in fact have merit, why would the contract for something such as this have been for only $10 million? Was this an overzealous salesperson or team? The more I think about this, the more questions spring to mind.

Is it just me, or does that price seem decidedly low in the grand scheme of things? My parting question would be: is this the first of more such disclosures?

If this RSA story turns out to be true, it will dominate the conversation for months to come.

[UPDATE] Dec 22, 2013: RSA responds to the Reuters article.

(Image used under CC from Justin Smiley)
