Once it was discovered that Dual EC DRBG was developed to be cracked, NIST recommended that it not be used. RSA then dropped the technology from BSAFE.
Because the NSA is a top-secret organization with the job of supporting national security, companies are legally bound to remain silent on any dealings they may have with the agency. Given the tight restrictions, there is nothing a company can do if asked to cooperate with the NSA, which can only be reined in through new laws passed by Congress.
Therefore, a company has to accept the risk when choosing a security vendor.
"The reality is that at some point you're going to have to trust someone; what you need to be careful of is who you trust, how much, and for how long," Joseph DeMesy, senior security analyst for Bishop Fox, said.