We all know that creating a truly random number generator on which to base crypto keys is one of the most difficult tasks in cryptography. Back in September, the New York Times reported that the NSA has a backdoor into encryption implementations (see here) and, later, that the NSA wrote a widely used random number generator (the article there was, sarcastically, titled Government Announces Steps to Restore Confidence on Encryption Standards).
Last Friday a story broke that RSA was even paid by the NSA to use the backdoor.
This has now caused Mikko Hypponen, Chief Research Officer of F-Secure, to write an open letter to the CEOs of RSA and EMC: An Open Letter to the Chiefs of EMC and RSA.
There are a lot of questions raised by events like this:
- Whom in the software industry can we trust, or do we need to distrust everybody?
- Whom can we trust in the press? That is, how well are these articles really researched, or are they just following rumors and speculation?
- If we distrust the software industry, what can we realistically do about it? Much of this is about monitoring etc., but what is realistic?
- Do we really care (unless you are a terrorist)?
- We have not heard too much about backdoors in hardware yet. Is it really only the US trying to get into software? Most hardware is manufactured in Asia; how many backdoors do we have in hardware?
- As the Europeans do not control any of these markets, what does this mean for the European agencies? We know that they spread malware to spy, but what else?
- Does the end user really care? I have not seen a lot of changes…
- I guess businesses really do care, but what can be done about it? To be clear: I am not giving up at all (my job is to protect our customers' data), but I think we need to shift focus, as we can only partly trust the platform we are sitting on.
As I said, interesting times, with probably more questions than answers.