I think David Meyer’s headline captures the essence of the RSA story: Security firm denies knowingly including NSA backdoor — but not taking NSA cash.
RSA posts in its defense:
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
…
When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.
…
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.
So, if I had given the RSA $10 million on a contract, would that give me “a trusted role in the community-wide effort to strengthen, not weaken, encryption?”
Given the NSA mission to break encryption used by others, it isn’t clear how the NSA could ever have a “trusted role” in public encryption efforts.
To be sure, the NSA also has an interest in robust encryption for the U.S. government, but it has no interest in making those methods publicly available.
Quite the contrary, the only sensible goal of the NSA is to have breakable encryption used by everyone but the NSA and its clients. Yes?
The NSA was pursuing a rational strategy for a government spy agency and RSA was simply naive to believe otherwise.
As usual, cui bono (“to whose benefit?”), is the relevant question.
PS: If you need help asking that question, I was professionally trained in a hermeneutic of suspicion tradition that was centuries old when the feminists “discovered” it.