c: SecureID RSA tokens are apparently completely broken now
Err, no more than they ever were, and this story is actually about the "software version", not the hardware version.
Overly simplistically, the RSA token has a start value (seed) that sets the internal state of a pseudo-random number generator, which is then clocked every 90 seconds. This is the same for both the hardware token and the software application. Thus when the user presses the button on the token or the icon on the software app, it outputs a number derived from part of the PRNG state. The algorithm by which they work is now "known publicly", so you can write your own app; all you need to make it work is the PRNG "seed" and you can generate the required values yourself.
So the entire secrecy of the device rests on not being able to get at or work out the "seed"...
Now with the token, the "seed" is effectively embedded in the device, which makes it very difficult to get at.
But with the application software the seed gets stored in some format in a file. So access to the file on the machine will give you the seed (hint: this is something I've been waiting for targeted malware with "root kit" level access to appear for, almost as long as I have known about the "server" end of the RSA system, which is quite a long time now).
What RSA have tried to do is mitigate the simple process of copying the file containing the seed onto another machine. From what has been indicated, RSA use a combination of bits of information to make up a key to effectively encrypt the seed in the file.
Thus the problem of recovering the seed is not as simple as just copying the file; you also need to know the information to make up the key. Sadly for RSA, as the researchers have shown, this information is not exactly difficult to get.
So far so good. However, I don't agree with the TPM conclusion, because no matter how seductive the idea of TPM is, its implementation using MS OSs means that MS, amongst others, will still be able to get at the seed either directly or in a usable form. So TPM does not solve the security problem, it simply moves it somewhere else.
The correct conclusion is "don't store the seed in any form on a hardware platform that has an uncontrolled communications path".
Thus with the PC platform and most smart phone platforms "don't put the seed in any form on it", so don't use the software application version of the RSA token, it cannot be made both secure and usable, use the hardware token only if you want real security.
And RSA should be honest enough to come out and say it to customers, but judging by their previous behaviour they will go with "fudging techniques" and hope the problem goes away so as to get back to "business as usual".
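An added illustration, not part of the original comment and not RSA's algorithm: a stand-in "seed + clock -> code" generator (HMAC-SHA256 with RFC 4226-style truncation, an assumption chosen for the example) showing why the seed is the only secret, since the server cannot tell the enrolled token from any other holder of the same seed. The seed values, the fixed timestamp and the function names are constructed for the example; the 90-second step is the figure given in the comment.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 90  # clock interval as stated in the comment above


def token_code(seed: bytes, unix_time: int, digits: int = 8) -> str:
    """Derive the displayed code from the seed and the current time step.

    Stand-in construction, NOT RSA's algorithm: it only models the
    "seed + clock -> code" structure the comment describes.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset, 0..15
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(seed: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: recompute from its own copy of the seed, tolerating clock drift."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = token_code(seed, unix_time + d * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def demo() -> dict:
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample seed
    other_seed = bytes(16)                                     # a different constructed seed
    now = 1_699_999_930                                        # fixed time, 10 s into a 90 s step
    issued = token_code(seed, now)       # the enrolled token
    copy = token_code(seed, now + 30)    # a second holder of the same seed, same step
    return {
        "copy_matches": issued == copy,
        "copy_accepted": server_accepts(seed, copy, now),
        "other_seed_accepted": server_accepts(seed, token_code(other_seed, now), now),
        "stale_code_accepted": server_accepts(seed, issued, now + 10 * STEP_SECONDS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check on the server depends only on the seed and the clock, so nothing in the protocol itself distinguishes where the seed is held; that has to come from how the seed is stored.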