F-Secure's Mikko Hypponen Cancels RSA Talk In Protest

An anonymous reader writes "In a letter to RSA executives, F-Secure's Mikko Hypponen says he is canceling his talk at the 2014 RSA Conference, due to the company's deal with the NSA, and how the agency has treated foreigners." From the letter: " I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are american anyway — why would they care about surveillance that’s not targeted at them but at non-americans. Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I’m a foreigner. And I’m withdrawing my support from your event."

Re:I support Mr. Mikko Hyppone

[Anonymous Coward]

As an Finn, l am informing that his last name is neither Hypponen nor Hyppone, but Hyppönen. Thanks. :)

Unfortunately the NSA Gathers Data on EVERYONE

[BBF_BBF]

Good for Mikko for taking a stand. Unfortunately, the NSA was monitoring Americans as well as foreigners, they just had to obfuscate their spying on American Citizens because it's illegal for them to target Americans without secret court permission.

Re:I support Mr. Mikko Hyppone

[beelsebob]

Just type alt-u, then o ö.

Re:Guilty and impossible to prove innocent

[Rick Zeman]

RSA has categorically denied that they cut a deal with the NSA. But Mr. Hypponen and the rest of the internet has declared them guilty based on unseen evidence. How is that fair?

First, no one said that life was fair. Secondly, RSA didn't categorically deny anything. Go parse their statement carefully. They've denied a specific scenario with several criteria, that's it.

Two Different Companies

[databeast]

As symbolic as this is, It's worth pointing out that the RSA Conference and RSA Security are two separate corporate entities (and I worked with both, producing RSA Security's own booth content at RSA Conference 2011). They do however, all funnel back up to EMC (y'know.. the world's largest storage systems corporation).

Re:Guilty and impossible to prove innocent

[Trax3001BBS]

RSA has categorically denied that they cut a deal with the NSA. But Mr. Hypponen and the rest of the internet has declared them guilty based on unseen evidence. How is that fair?

Oh no you didn't...

RSA was aware that the Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) had been back doored since 2007,
http://yro.slashdot.org/story/13/12/23/0357228/rsa-flatly-denies-that-it-weakened-crypto-for-nsa-money?utm_source=rss1.0mainlinkanon&utm_medium=feed [slashdot.org]

They waited an ample 5 years before they warned that it shouldn't be used.
http://it.slashdot.org/story/13/09/21/2143250/rsa-warns-developers-not-to-use-rsa-products [slashdot.org]
I'm sure they just wanted to double check their findings first.

Mikko says "time to act"

[Pav]

In Mikkos own words it's time to act [youtube.com]. I guess this means he is taking his own advice. I have in my own very small way been pushing up the price of surveilance : https everywhere, disconnect, duckduckgo etc... haven't been motivated enough for Tor yet because I share a slow connection. Still, we can and must act in small ways in our browsing behavior, purchasing decisions, and any other ways we can come up with. We're lucky that others of us are already acting in not so small ways, and we must support them.

TED

[jones_supa]

BTW here's Mikko's recent TED talk [youtube.com] on the topic if you haven't seen it yet.

Re:Guilty and impossible to prove innocent

[vux984]

Do they categorically deny taking a 10 million dollar payment from the NSA?

No. On that all they said was they "don't divulge details".

Do they categorically deny they incorporated Dual EC DRBG random number generator into its BSAFE encryption libraries?

No. They can't deny that. Because its clearly something they did in fact do.

Do they categorically deny they took 10 million dollars from the NSA to incorporate Dual EC DRBG into BSAFE?

Well... again.. no, not really. They categorically deny they ever intended to weaken products or incorporate known flaws.

Basically all they are categorically deny is that they KNEW what they were doing. Here's a decent article on it...

http://www.techdirt.com/articles/20131222/23532125671/rsas-denial-concerning-10-million-nsa-to-promote-broken-crypto-not-really-denial-all.shtml [techdirt.com]

Me, I havent' seen the documents alleging the connection bewtween 10M and setting Dual EC DRBG as default in BSAFE... and I would dearly like to see how much of a smoking gun it really is.

Re:Guilty and impossible to prove innocent

[vux984]

Not quite.

They denied a "secret contract" to incorporate a known flawed RNG into BSAFE.

They did NOT deny a secret contract to incorporate DRBG.

If they did not know, at the time they made the deal that the RNG was flawed, then they could truthfully claim they did not knowingly take money to incorporate a known flawed RNG.

The pedant in me would like them to categorically deny any link between the $10million and incorporating Dual EC DBRG.

They didn't actually do that.

Given just how much scrutiny they KNEW their statement would be put under; and the fact that their lawyers would have reviewed the thing before it going up, it is striking that so many news sources are identifying it as a dodge rather than a head o denial.

Here's another article...

http://www.theverge.com/2013/12/23/5237788/rsa-nsa-backdoor-non-denial [theverge.com]

Its hard to believe, again, given just how much scrutiny they KNEW their statement would be under, that the lack of certainty was anything but calculated.