Security expert snubs RSA over $10M ‘backdoor’ deal with US agency

Mikko Hypponen, a respected Finnish researcher who is a regular guest at computer security conferences, says he will not appear at RSA’s February conference because the firm took money from America’s National Security Agency to weaken its cryptographic standards.

“[Y]our company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million,” wrote Hypponen in an open letter published this week. “[The] random number generator was found to be flawed on purpose, in effect creating a back door.”

Hypponen’s decision represents a wave of anger at RSA which, as my colleague David Meyer noted, has yet to directly address why it took the $10 million from the NSA, a decision that some have characterized as a betrayal of its customers.

RSA produces a fob, used at many companies, that displays random numbers required to securely log in to a network; the alleged “backdoor” would make it easier for outsiders to learn the number sequence and invade the network.

In his letter, Hypponen stated that it was ironic that the talk he was scheduled to give at the RSA conference was on government use of malware. He also wrote that he did not expect other speakers to follow his boycott, noting that most of them are Americans and that the NSA’s efforts to compromise security standards aren’t aimed at them.

Hypponen’s announcement was retweeted hundreds of times on Twitter, and received messages of support on sites for computer insiders such as Slashdot.

But, as Ars Technica notes, RSA’s recent stock price suggests investors do not seem to care about NSA news.