Recently, people have been asking me my take on the RSA-NSA privacy drama, in which the security firm was accused of accepting $10m from the NSA to compromise encryption software to deliberately weaken user privacy.
This scandal has led many security experts scheduled to speak at the RSA Security Conference next month to drop out. Whether RSA did this intentionally is questionable, but either way it’s quite bad.
Intentionally including spyware is a serious breach of user privacy. Unintentionally including spyware is almost worse, because the so-called security experts shipped extremely dangerous code in a security product without even knowing it was there.
From my perspective, the REAL story here is about how proprietary software vendors bring products to market versus how open source vendors do. Would this scandal have happened if RSA’s products were open source?
That is, if you had a deadly peanut allergy would you rather eat a meal that includes a list of all known ingredients or eat a surprise meal with no list of ingredients?
At ForgeRock our community is constantly helping us throughout the entire development process to identify new features, bugs and even security vulnerabilities. They can do this because they can deploy our software and also view the source code – the published recipe used to produce our products.
With proprietary vendors, viewing the source code is not possible. Proprietary vendors treat their source as “secret sauce” only available to a few select eyes.
Companies such as RSA, Oracle, CA and IBM give you little to no insight around what ingredients constitute their identity offerings.
Maybe the solution is requiring all proprietary identity vendors to include a label on their products stating “MAY CONTAIN TRACES OF NSA SPYWARE.”
Is your vendor peanut rich or peanut free? RSA was caught, but maybe that’s just the tip of the iceberg.