http://www.networkworld.com/news/2014/012214-trustycon-rsa-nsa-277956.html
By Ellen Messmer
Network World
January 22, 2014

Who do you trust? That's a question asked increasingly by a security
industry with a growing sense that the National Security Agency (NSA) has
sought to weaken encryption or get backdoors into computers, based on
documents leaked by Edward Snowden to the media. Now, trust is also the
theme of a new conference called TrustyCon that will vie for attention on
Feb. 27 in San Francisco while the big RSA Conference for security pros is
also taking place in that city.

TrustyCon, organized by iSec Partners, the Electronic Frontier Foundation
(EFF) and Defcon, pretty much sold out in a few days after it was
announced last week. Microsoft and Cloudflare are sponsoring the event,
with others expected to join them, and proceeds go to the EFF. The rise of
TrustyCon has been fueled by industry backlash against the NSA, which the
security industry widely believes weakened the crypto algorithm called
Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) to
be a backdoor for the agency.

A document on the National Institute of Standards and Technology (NIST)
website suggests computer scientists there, who opened up a review of the
NSA-influenced Dual EC DRBG last year, suspect it is a backdoor too, and
will recommend removing Dual EC DRBG as a NIST standard.

TrustyCon is also a backlash against security company RSA, which organizes
the huge annual RSA Conference. A recent Reuters report said RSA accepted
$10 million from the NSA to make Dual EC DRBG the default in its BSAFE
toolkit. RSA in late December awkwardly responded to this investigative
news story by saying there was no “‘secret contract’ with the NSA to
incorporate a known flawed random number generator into its BSAFE
encryption libraries. We categorically deny this allegation.” Since the
BSAFE topic arose, RSA has emphasized it would not knowingly do anything
to hurt its customers.
[...]