In a letter to Joseph Tucci and Art Coviello, F-Secure's Mikko Hypponen says he is canceling his talk at the 2014 RSA Conference because of the company's deal with the NSA.
Mikko Hypponen, a widely known security expert and speaker, has given many presentations at the RSA Conference over the years. However, his talk scheduled for the 2014 RSA Conference in February, "Governments as Malware Authors," isn't going to happen.
"On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim," Hypponen wrote in an open letter.
"Eventually, NSA’s random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it. As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014."
A copy of the open letter is available here.
In a statement on Sunday, RSA responded to the Reuters story, proclaiming that they've "...never entered into any contract or engaged in any project with the intention of weakening RSA’s products..."
However, their statement didn't deny the claim made by Reuters that they were paid $10 million by the NSA to use Dual_EC_DRBG, a fatally flawed pseudorandom number generator (PRNG) developed by the NSA. RSA's use of the PRNG in commercial products helped it gain approval from NIST.
The question now is: will Hypponen be the only speaker to back out of what is arguably the largest security conference in the U.S.? Will the vendors that have invested hundreds of thousands of dollars in expo floor space break their contracts in protest too?
Hypponen doesn't expect so:
"...I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that’s not targeted at them but at non-Americans? Surveillance operations from the US intelligence agencies are targeted at foreigners. However, I’m a foreigner. And I’m withdrawing my support from your event."
While the RSA Conference isn't RSA the company, they still have a horse in the race, and the passive admission that they took $10 million to use a broken PRNG isn't sitting well with security experts.