Tuesday, June 07, 2011

For everyone expecting me to comment in detail on the SecureID thing...

I can't.

I am a senior technology executive at a large financial institution, who is a customer of RSA (EVERY large financial institution is a customer of RSA. I mean that literally. I don't know of anyone in this business that DOESN'T use SecureID). I also have what might be construed as inside knowledge, because of friends still working with RSA and their direct partners. 

I can't make definitive or specific public statements.

There are a couple things I can say.

First, this is someone not speaking for my company, nor relating anything that has happened at my company,  or to my direct personal knowledge any other company excepting those already admitted and released publicly. 

I am speaking as a security expert who knows the market and the players very well; as well as a certified RSA SecureID Administrator, Systems Engineer, and a certified instructor (though my certs have expired, the technology hasn't changed); who has taught thousands of other SecureID admins and engineers. 

This compromise is bad. It's very very bad. It's worse than you think it is from reading the already quite bad (though spun so hard it created its own gravity) admission and letter to RSA customers.

It's as bad as I thought it might be in the post I wrote about the breech at RSA a few months back. 

If you remember, the title of that post was "Oh SHIT! Really just doesn't cover it".

Also, and this is entirely speculation on my part, thought it is informed speculation based on what I know of some of the large contracts RSA has...

The compromise is bad enough...


Their response to the compromise, combined with indemnification agreements, and contract requirements in place with some very large customers...

Well, if I were a lawyer working for some of these companies (and municipalities, and federal governments for that matter) I would already be filing a lawsuit claiming malfeasance and breach of contract on the part of RSA.

It's very clear to me, simply from publicly available information (and to any other expert on the technology) that RSA could have, and should have, foreseen the reasonable possibility of actual injury, and acted accordingly to protect their customer base. From what information is available today, it appears they did not.

In addition to the actual cost of addressing the breach, which could climb into the 2 billion range; the claims of tortius injury could run into the tens of billions.

This may very well put RSA out of business permanently. I'm not sure of the exact structure of the company, but if RSA does go down, it could even take down their parent company EMC (RSA is not a separate operating company or wholly owned subsidiary of EMC, it is a semi-autonomous organic division of the company. There may be no legal firewall between them).