
When the news about DUAL_EC_DRBG first came out, RSA defended their actions of inclusion and making it a default option by stating that it was at the time a popular choice. Back then I was aghast that a noted security company would make choices based on pure hipsterism. (My apologies to all hipsters, but in this case the word is in place.)

This news on the other hand makes it clear that RSA was not only being incompetent. They were being actively malicious. We've already seen anecdotes in this thread about NSA making house calls to security product vendors as far back as the 90's, so we must assume they haven't given up that venue and are still pushing their ideas, as well as pushing the vendors.

With that proof comes something a lot bigger: every single security product from a US company is now suspect. By logical extension, I will say that similar paranoia should be applied to all security products from Five Eyes countries.

The long-term financial fallout should be interesting material for future chroniclers.



