Well, they're clearly claiming that the "secret contract" as reported did not exist.
If you're going to call them out on being liars about that (go for it!), might want to make it less ambiguous.
For all it's worth, I think RSA probably did help out the NSA with Dual EC DRBG, but:
a) Until I see some source documents from Snowden's stash, it's going to be all very annoying because until you see the terms of the contract (and no, you can't just go by some journalist's summary), you have no idea what RSA/NSA are dancing around.
b) Whatever deal there was was probably set up in some fun way to make it all nicely deniable and even plausible sounding.
> Well, they're clearly claiming that the "secret contract" as reported did not exist.
Crap. They're only denying a carefully-worded strawman. They leave open:
1.) Adding support for a known-flawed PRNG for free and then entering into a secret contract with the NSA to make the already-supported PRNG the default.
2.) Entering into a secret contract with someone else (FBI?) to "incorporate" a known-flawed PRNG.
3.) Entering into a secret contract with the NSA to use a PRNG that they didn't yet know to be flawed because they didn't look at it.
Edit: You're right, they did deny it 'as reported', with "Recent press coverage has asserted ...". This could involve a creative reading of "[r]ecent press coverage", or a lie.
Edit: Also, "Crap." wasn't directed at you. I'm sorry. It was directed at RSA; these stories always get me in a lather.
The other thing that gets me is that while they sort of hint that there was no such secret contract, they simultaneously (and rather clearly) state that they cannot divulge customer contracts. So, whether or not it's a "secret" contract is moot; they aren't going to release information about any and all contracts. I guess that effectively makes them all secret, but it seems to me that debating whether or not these contracts are or are not secret is a pointless endeavor. We cannot find out the details of them through RSA (they are contractually obligated not to provide this information), so we must instead rely on the leaked documents Snowden has been providing, assuming it's true. And it probably is.
I think the real kicker here isn't that RSA was intentionally including maliciously modified algorithms as much as the NSA simply bribed^Woffered them $10 million to, err, "prioritize" its inclusion. This is probably more a lesson on distrusting government offers for lucrative contracts in exchange for nifty tools more than anything, IMO.
They also said "... we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products ...". You know, I'm having trouble finding a hole in that one. The full sentence is:
"RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use."
Maybe it hinges on misleading commas and the odd "for anyone’s use" part. With some gymnastics, I might be able to interpret that as meaning "we have entered into a contract and engaged in a project with the intention of weakening RSA’s products for some people's use".
They only say that they've never entered into a contract with the intention of weakening their products, not that they've never entered into a contract that did weaken their products without realising it at the time.