The furore around allegations that computer security firm RSA received $US10 million from the NSA to include a non-random encryption code in its software as a default setting is not going away: one of the speakers at its conference has cancelled his talk, and there is talk of a wider boycott of the company.
The speaker, Mikko Hypponen, wrote an open letter to Joseph M. Tucci, the CEO of RSA’s parent company:
I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway — why would they care about surveillance that’s not targeted at them but at non-Americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However, I’m a foreigner. And I’m withdrawing my support from your event.
In the wider non-tech world, the story is an obscure one. But in the world of tech security, it’s huge because it cuts straight to the heart of the anger over the NSA’s domestic surveillance of Americans and foreign citizens. Basically, RSA developed a cryptographic product that encoded, and made secure, information created by RSA’s clients. On Dec. 20, Reuters reported that the NSA had paid RSA to use a non-random number generator in that product which the NSA knew how to crack, thus giving the agency the ability to crack RSA’s products if it wanted to.
The NSA’s domestic spying program has particularly annoyed people in the tech world because of allegations that the U.S. government was hacking into data that large companies such as Google and Microsoft thought was being kept private.
RSA has denied the Reuters report, but its denial admits that it has a relationship with the NSA and that its products used the code in question.
Now, the question is whether Hypponen’s boycott will spread wider, with tech workers steering clear of RSA’s products or refusing to take jobs at the company.
Ars Technica noted that the public doesn’t seem to care, because stock in RSA’s parent, EMC, has risen since the allegations were made:
It’s possible the outrage over the NSA contract is limited mainly to engineering and security circles that are insulated from the people who decide how their companies spend money.