Look to RSA to start shedding clients like an old mangy dog sheds its fur.
Take this for what it's worth from an infrastructure server admin rather than someone in IT security, but I've always thought that those RSA tokens are more of a way to let people in than keep them out..
If someone's using those damn things as one of their primary ways with which to harden their security, have fun.
We had dozens of the things at my last workplace. People would dangle them from their lanyards and lose them around the office. Several times I found one on a desk and took it to the IT security guy.
The concept is actually fairly clever. The fact that RSA, more or less quietly, held on to the initialization time and seed value (everything you need to reconstruct the passcode a given fob will display at any time during its life) for every fob they sold... Less clever.
Quite embarrassing when persons unknown breached RSA's network and recovered those, then went on a defense contractor hacking spree(this is what finally forced them to admit that anything had happened, they'd been weaseling around about how harmless the hack had been up until that point).
At the time we all thought that RSA was just being wildly incompetent and/or pandering to customers who lose the key material for their authentication servers and come whinging for it. Now, I'm not so sure... Perhaps somebody else was interested in seeing that material stored.
Even now, after that incident, I'm pretty sure that they still don't offer the option to key-fill them yourself, on your site, without a third party involved (and it wouldn't be hard, the contacts are just under a little sticker on the back, a few pogo pins and knowing what probably ttl-level serial commands to send, and that'd be that. But no. At least they are damned expensive.)
What I love about RSA's 'denial' is that they never actually deny having backdoored a product, or having worked for the NSA, merely that 'we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products'.
That definitely leaves having unintentionally backdoored a product on the table, and (in strictest logic chopping) might even include developing the intention to weaken a product, so long as the intention developed after the contract or project was engaged.
Keep it classy, RSA, keep it classy.
I'm really hoping the blow back for RSA on this is significant. The more companies that have worked with the NSA that now get burned for it the better. Hopefully it will make any business thinking of working with the NSA think long and hard before getting into bed with them. Sadly, I think it's a long ways off from getting to that point, but the more of this kind of stuff that comes out the more likely it will eventually lead to public backlash and that's probably the only way things will have a chance to change.
It's an unpleasant situation: If you set up RSA auth, it is entirely possible to lock out any user who doesn't have their fob. your password + fob code replaces your password. No fob, no login, so sorry.
Shockingly enough, this is... not popular... with people just trying to get work done, and management who just want them to do so. Pressure mounts on IT to relax policy, and 'temporarily' remove people from the RSA auth group, so that their static passwords get them in again. Once it becomes clear that the fobs are effectively optional, who cares about keeping an eye on yours?
Unless an organization has some hardass in high places (either internal, or some sort of regulatory thing), any inconvenience tends to founder in the face of user resistance. IT has the ability to drop the hammer; but they almost never have the organizational power to follow through. It doesn't help that RSA wants a small fortune for those things, and they (no doubt despite heroic efforts on RSA's part to reduce power consumption) have a fixed shelf life. They come from the factory already ticking down, and soon enough it's time to buy some more.
Also, while I don't know if their credential provider software is any good, their GINA replacement sucked, which always made things extra fun.
They've got too not very attractive options here:
- They knowingly took money to weaken BSAFE (if not in 2004,
surely by 2007).
- They were stunningly incompetent and ignorant of the literature in their area of expertise.
They've gone with #2.
I hope they go out of business and I start finding RSA keyfobs in the bargain bin at Best Buy.
Edit: No, I hope I find them in the bargain bin at Staples.
This topic was automatically closed after 5 days. New replies are no longer allowed.