Security Experts Call For Boycott of RSA Conference In NSA Protest
Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further, calling for a boycott of the conference and saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"
Re:money boycott (Score:5, Insightful)
"'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.
That relies on your company having people who see security as more than ticking a box to cover them if something goes wrong.
Re: (Score:2, Informative)
How could ticking the box "bought RSA product" cover their asses now? If they were the only ones to know about the backdoor, they could do it, but now others know they know about RSA backdooring their product.
Re: (Score:3)
Depends on the company. Lots of places will probably still happily spend enormous sums of money on RSA products, even though everyone knows they're backdoored. It's a big company, and as they say, "you can't get fired for buying from $BIG_VENDOR".
Just look at how many large corporations and governments continue to buy products from big, overpriced enterprise software firms, even though that software is all crap. Hell, look at how many companies still spend millions to license and use IBM/Rational ClearCa
Re: (Score:2)
This is doubly true because $BIG_VENDOR denied it. So if it were true that a backdoor did exist, you could doubly blame $BIG_VENDOR.
It's like ticking that box twice.
Re: (Score:2)
Two wrongs don't make a right.
Re: (Score:2)
I don't see the difference.
Scenario A: "Software A is a horrible piece of shit that costs a fortune and is far, far worse than Software B, C, D, E, etc., which are all free (not to mention G, H, I, and J which are all expensive and proprietary but still far better than A), but Software A's vendor insists it's great so we believe him and we're buying it anyway."
Scenario B: "Software A claims to be highly secure, even though there's evidence that it's not, which has been aired by multiple reputable media outl
Re: (Score:2)
The problem here is that RSA's software actually does do its job, just not 100%. It's more than 0%: their products will, presumably, protect your data and systems from being accessed by most attackers. It just doesn't protect your data and systems from the NSA, because they have a back door. As long as that exploit (and how to do it, not just its existence) doesn't become public knowledge, then RSA's systems will make you secure, in the same way that a strong door with a key-lock makes you safe from ever
Re:money boycott (Score:5, Interesting)
boycotting the conference is the first step and will add to their reputation, companies not doing business is the natural consequence that will follow
Cheap (Score:4, Insightful)
The only thing interesting about this affair is that RSA only got $10M.
Re: (Score:3)
The only thing interesting about this affair is that RSA only got $10M.
That we know about...
Re: (Score:2)
How does that equate to us working class? A $5 whore?
Why aren't there any lawsuits yet? (Score:1)
I don't know if they sold their products with some clever fine-print disclaimers, but shouldn't those who bought their products bring them into court and demand damage payments?
Or everyone in the industry has slept with the NSA so they don't want to set a precedent by suing RSA?
Reuters reported it. (Score:4, Interesting)
Reuters reported that they did. [reuters.com]
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.
So, who's going to sue them? And on what grounds?
Re: (Score:2)
This is still hearsay. Where's the evidence other than Snowden's claims? Where are these documents, and who has validated them as authentic other than Reuters? Yes, there's enough here to warrant an investigation, but everyone's assuming they already know what happened because of confirmation bias.
Re:Why aren't there any lawsuits yet? (Score:5, Insightful)
you can defend them all you want.
at this point, anything that comes to light about NSA and shows them in a bad light, I will fully believe until THAT is proven otherwise.
given the reputation, it sounds more likely than not. we're seeing the true color of the 'security' industry, here, and it's about time!
and anyone who defends the nsa or rsa, well, you've shown YOUR true colors, as well.
Re:Why aren't there any lawsuits yet? (Score:5, Insightful)
Not necessarily. Before the leaks, who really thought that much about the NSA and what it was doing? Maybe some of us really thought about it and suspected the NSA was spying on us all, but most of us were unaware; it just wasn't something that came up on our radar. Now that there's lots of evidence about what the NSA's been doing, including admissions from the NSA themselves (and a lot of nasty statements by NSA leadership about various people who oppose their spying programs), the onus is on the NSA to disprove any new allegations that arise. At this point, for me (and the OP I'm sure), the NSA has proven themselves to be completely untrustworthy, so for any new allegations against them, I'll choose to believe the allegations until the NSA can really prove them wrong. Why would I do otherwise? It's all about trust: without good evidence, you can only go on trust (and knowledge of what's really feasible; e.g., the NSA monitoring our thoughts by brain implants is obviously fantasy so allegations that aren't feasible like that can be dismissed). Since I distrust the NSA completely, I'll always believe the other side until they're proven wrong.
Much like everyone else on the planet... (Score:4, Insightful)
I agree; barring incontrovertible evidence to the contrary, the NSA will never be believed again.
Time to dismantle the entire operation and start over with new people; obviously none of these people understand what Domestic enemies are: People who are destroying the Constitution.
It is being destroyed because it is being ignored in the name of "National Security"; that bill of rights is so inconvenient for Despots.
They didn't need to repeal it; take a look around; they know there's nothing we can do about it.
Congress is likely being blackmailed into silence; in our society, everyone is guilty of something, are they not?
And here we always thought the "tinfoil hat" and gun nuts were just crazy... :facepalm:
Re: (Score:2)
i am reminded:
"It is the certainty that they possess the truth that makes men cruel."
Re: (Score:2)
Not only that, but James Clapper, head of the NSA, perjured himself before Congress and was not held accountable. It's hard to trust a proven liar.
Re: (Score:1)
Before the leaks, who really thought that much about the NSA and what it was doing?
People who actually paid attention?
Re:Why aren't there any lawsuits yet? (Score:4, Informative)
Even if it can be proven that they received $10M and that they knowingly introduced the backdoor, it is hard to prove that the money was payment for introducing the backdoor. However, it might be sufficient to prove that they knowingly introduced the backdoor. What payment they received for it shouldn't affect the outcome of the case, because it is not the payment which is hurting the customers, it is the backdoor.
Can we prove that RSA knew about the backdoor? Maybe not, but most likely it can be proven that, given the knowledge RSA had, RSA should have assessed the algorithm to be most likely backdoored at the time when they introduced it.
In cryptography it is generally accepted best practice that any constant whose value isn't justified in some way should be assumed to be a backdoor until proven otherwise. That is a principle which RSA knows about. Additionally, it has been public knowledge for many years that DECDRBG was relying on a constant whose value was not justified; moreover, it had been formally proven that there was a way to hide a backdoor in that constant. It's like finding a smoking gun and saying we can't be sure anybody fired that gun, it could be smoking for so many other reasons.
The fact that DECDRBG uses asymmetrical primitives for a task which is usually done with symmetrical primitives is in itself suspect. Symmetrical primitives are usually faster, and there is a wide range of attack techniques that could be applied to asymmetrical primitives but not to symmetrical primitives. A good reason for asymmetrical primitives is when you are working on a task which cannot be done symmetrically. In the case of DECDRBG the introduction of a backdoor could not have been done symmetrically.
I don't think the full story is out... (Score:2)
The industry as a whole is responsible for accepting and adopting Dual_EC_DRBG. According to Wikipedia [wikipedia.org], "Members of the ANSI standard group, to which Dual_EC_DRBG was first submitted, were aware of the exact mechanism of the potential backdoor and how to disable it, but did not take sufficient steps to unconditionally disable the ba
Re: (Score:2, Insightful)
Standard or not, it's been shown, since 2006, that Dual_EC_DRBG is at best cryptographically flawed, and at worst backdoored. There have been better suited algorithms available and supported before, during, and after 2006. So how quickly did this security company update their software? When did RSA stop using a poor and vulnerable algorithm as the default? September 2013.
That's either incompetence or malice. Neither of which should be supported or trusted in a supposed "security" company.
Bad Analogy (Score:4, Insightful)
As child porn wouldn't affect the customers' bottom line.
This is more like Bernie Madoff hosting an ethics conference.... today.
Why not just recast the conference as a black hat/government contractor conference and show the tiniest amount of honesty.
Re: (Score:2)
They could market it with a twist on google's "do no evil" motto:
RSA 2014 - All evil, all the time. F security, F US technology, and F YOU!
Re: (Score:3)
Swearing was implied, but I figured if someone at RSA wanted to own their evil, they'd want to jab at F-Secure for their vocal opposition.
"The researchers and experts who have pulled out include Mikko Hypponen, chief research officer of Finland-based antivirus provider F-Secure, and Adam Langley and Chris Palmer, who work on security practices at Google."
Re:Bad Analogy (Score:4, Informative)
What RSA has done is lose my trust in the company (which includes the CEO and the highest level decision makers in the company). Criminal personal actions of the CEO would only affect my perception of him and that he should be prosecuted -- and not necessarily the company if he had continued to make good business decisions on the company's behalf.
Re: (Score:2)
Is that the worst you can say about that analogy? How about this:
The actions of one person don't say anything about the company as a whole. Even if it is the CEO. If the CEO had indeed been involved in child pornography, the response from the company and its employees says more about the company than the actions of the CEO.
But what is even more disturbing is coming up with involvement in child pornography as the worst a person can possibly do.
Give this guys some cake (Score:2)
About time more Americans started acting Snowden-like. As in ballsy.
Re:Give this guys some cake (Score:5, Insightful)
Privacy in America is complicated. The majority argument in the Supreme Court decision that legalized abortion, Roe v. Wade [wikipedia.org], was based on a right to privacy. Since then (1973), the Republican Party has refused to accept that a right to privacy exists, because that would imply that Roe v. Wade is based on a sound principle and therefore abortion has to remain legal. This puts us in the unfortunate position of privacy rights being collateral damage in the culture war. Any Federal court nominee is going to get asked in his/her confirmation hearings whether there exists a right to privacy, and an affirmative answer means the Republicans will block that nominee. Most nominees prevaricate.
It's not the only reason privacy is a suppressed issue in mainstream American politics. Both parties have an authoritarian streak a mile wide (manifested in slightly different ways, so they can hate each other anyway) and privacy is the enemy of authority.
A lot will have to change before America is willing to make privacy a priority. What I find encouraging about Snowden's revelations is that it looks like enough people are talking about privacy that the issue might not crawl away to die again. Give it time.
Re: (Score:1)
Holy shit, I never thought about that. Republicans are the real threat to privacy.
Republicans are the real threat to reason. (Score:2)
n/t.
Re: (Score:2)
If you think Republican leaders really care about abortion, I have a small research project for you.
Roe vs. Wade did not simply legalize abortions. It laid down guidelines as to under what circumstances abortions could be banned. How many legislatures passed laws that went up to the border of the Supreme Court decision, and no further? How many Republicans supported such laws? I didn't find any, personally, and neither did a friend who did more research on it.
Instead, we see laws of questionable co
Re: (Score:2)
The majority argument in the Supreme Court decision that legalized abortion, Roe v. Wade, was based on a right to privacy. Since then (1973), the Republican Party has refused to accept that a right to privacy exists, because that would imply that Roe v. Wade is based on a sound principle and therefore abortion has to remain legal.
Your conclusion does not follow from your argument. The "right to privacy" is only one part of the abortion debate, and even if one accepts the specific "right to privacy" that the court created to cover Roe v. Wade, one can still be opposed to abortion.
Your assumption that Republicans oppose "the right to privacy" as a whole because they oppose the SCOTUS invention of a right to support federally funded abortion is also suspect. There is a fourth amendment that tells us what we have a right to be secure in
Re:Give this guys some cake (Score:5, Insightful)
If all Americans started acting just a little Snowden-like, there would be another revolution in this country. That on the other hand is just some guy renowned in a very narrow, very specialized field, sulking.
It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.
Re:Give this guys some cake (Score:5, Insightful)
america's response is based on FEAR of the three letter agencies.
even congress is not above them, and if they can't get honesty from the org, how can we even hope to get a fair shake?
there won't be a revolution. the government has us locked up too much with fear and they also have more firepower and the fight would be horrible. no one wants that.
peaceful ways won't work and we can't use any other ways.
we feel helpless.
what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?
fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.
I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.
Re: (Score:3)
what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?
fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.
I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.
Who's "we"? America
Re: (Score:2)
> what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control?
> what exactly do you propose when the powerful hold ALL the cards?
You mean the late 18th century British?
Re: (Score:3)
The American media's response to this absolute outrage has been a big, fat, shameful nothing, so most Americans still don't even know what's going on!
Re: (Score:2)
It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.
What do you expect from what has become the de facto US Department of Propaganda? With little Jay Carney as Secretary.. He lies really good, but of course, he *has* to, to be able to cover up the lies his boss tells..
Re: (Score:1)
Better than facing death sentence for actually doing a good thing, IMHO. The time of martyrs is long gone: we have attained a maturity level, as a species and a global society, which should prevent us from taking irrational action such as murdering people because they read the bible (North Korea) or they export an encryption algorithm to foreign countries (US). He just decided it was better to be labeled a false traitor than a dead one.
This is worse than child porn (for the company) (Score:5, Insightful)
'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr.
The CEO getting involved in child porn means his personal life is tainted and he goes to jail and hell and all that.
This is bad news for the company because people lose their trust on the company. No one needs to identify with the CEO of a company... but not trusting a company in the security field doesn't bode well for said company.
Re:This is worse than child porn (for the company) (Score:4, Funny)
I'm going to have to disagree. A company's CEO getting involved in child porn would definitely be worse.
What sort of company has a child as CEO?
Re: (Score:2)
> What sort of company has a child as CEO?
Most of them?
Re: (Score:2)
developers, developers, developers, and developers.
Surprised the nappy never fell down during his monkey dance.
Re: (Score:1)
I'd say so. The NSA is a government organization that's violating just about everyone's rights; that's many orders of magnitudes worse than the child porn bogeyman.
Re: (Score:1)
"Is the NSA worse than child porn?"
That was the question. Since the NSA is gathering data (metadata is data) on just about everyone--that is, violating people's rights--I do believe they are far worse than the child porn bogeyman. For one thing, the production of child porn doesn't affect nearly as many people.
Has anybody seen the actual "evidence"? (Score:1, Interesting)
I asked this when this original story first broke headlines. There are allegations, but has anybody ACTUALLY seen proof they compromised security on the NSA's wishes for a paltry $10M?
When I attended the conferences back in the 1990's, the NSA was there...they even presented findings on the strength of DES and the need for a newer algorithm. Skipjack and Clipper, promoted by Al Gore, were the scare at the time.
Back then, licensing of the libraries (BSafe and TIPEM) came in two flavors - the low-cost Mom/Pop
Re:Has anybody seen the actual "evidence"? (Score:4, Insightful)
The wikipedia entry is good on this:
http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor [wikipedia.org]
RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit [theregister.co.uk].
Re:Has anybody seen the actual "evidence"? (Score:5, Insightful)
I was also skeptical when I first saw the news articles (like this one [bbc.co.uk]) that said that RSA had published a statement where they supposedly refuted the existence of that NSA deal. The existence of the deal was originally broken by Reuters in this article [reuters.com], where they cite "two sources familiar with the contract" as their sources. But then, after more in-depth analysis of the RSA blog post [rsa.com] where they supposedly "denied" the existence of the deal, it was revealed that actually RSA neither denied nor acknowledged that such a deal existed [techdirt.com] in their statement. They are just using general wording to give an impression that they would certainly never do such a thing. But they are not directly denying the existence of the deal.
Now, thinking logically, it's pretty damn clear that they would have denied that such a deal was ever made, if they were in the position of making such a claim. But given they don't directly deny the claims presented by Reuters, it would seem a much more logical explanation that the deal indeed was made, and RSA just went into damage control mode after the publication of the Reuters article. Lying to the public would have meant more damage if Reuters had later been able to present the actual paper of the deal, so I suppose we can take their lack of directly denying this deal's existence as an admission of sorts. This is also the reason why speakers are canceling their appearance at the conference ("Your company has issued a statement on the topic, but you have not denied this particular claim." [f-secure.com])
So, I think we have grounds to believe that there is actually quite a lot of truth to the original story by Reuters. As they say, the deal was "handled by business leaders rather than pure technologists". I am pretty sure that this is yet another example of a major manager-level f*ck up. Tech companies very often have all the expertise on the technical personnel level, while managers are a "necessary evil" who often have much less insight into the technical field where the company actually operates. Of course, anyone with even the slightest idea of how the IT security field functions would never ever endanger their company's credibility (at least for such little reward as $10 million), because deals like this tend to resurface in the public sphere sooner or later. All we can assume is that someone in the management made a very major f*ck-up and made this secret deal with the NSA without much consulting of the technical folks. But I am pretty sure that now that this deal has surfaced in the public sphere, it will end up costing RSA a great deal more in lost sales than what the "business leaders" anticipated they could gain in the short term from making the deal with the NSA.
Re: (Score:2)
The blame for this can't be kept entirely off of the techie's shoulders, though. While management may have made the deal and pocketed the money, management isn't capable of actually altering the product. At some point the product they shipped was made to be different than the product the technical side originally designed and it took cooperation from the technical team to make that change happen.
Re: (Score:2)
Good point wrt withholding the knowledge of the payment. Being paid to use the algorithm is certainly sketchy, but if the technical team received only the word that the NSA had advised they use a particular algorithm it could certainly seem like advice worth following.
Re: (Score:3)
Huh?
I'll break this issue down into three levels. First there's the compromised algorithm itself. The algorithm and source code for it is public. Anyone can trivially test that it's about a hundred times SLOWER than the alternative algorithms. It has zero redeeming features. And anyone with the slightest security knowledge can see that it was covered in huge red flags all over it (unexplained magic numbers pulled out of the algorithm-submitter's ass are a HUGE security no-no). It had squat track record of b
Re: (Score:2)
The BSafe and TIPEM source code are NOT "freely" available. You license the binaries by default. If you license the source, it is under NDA. Licensing the source is not cheap. Consequently, I suspect few have had the opportunity to examine the source. Perhaps, some may have decompiled it. But, the source is not public.
There are open source variants of the libraries out there - OpenSSL being one of them. But, it isn't the BSafe or TIPEM code.
More likely, the NSA paid for a source code license at $10M..
Re: (Score:2)
The BSafe and TIPEM source code are NOT "freely" available.
I never said they were.
I said, "The algorithm and source code for it is public".
And they are. The Dual_EC_DRBG algorithm is a standard published by the U.S. government.
We know the code in the RSA products is functionally identical to the published algorithm and code because if it weren't then they would fail the test suite and never have received certification.
More likely, the NSA paid for a source code license at $10M..made a modification and then put the modified source back into their source control - perhaps removing the old code in the process.
You seem to be misunderstanding the problem here. There was no code modification, there was no need for code modification. The algorithm as original
Re: (Score:2)
I find the slow researcher withdrawal more than a little disconcerting.
All depends what you're researching and who with.
Re: (Score:2)
People go to these conferences for the networking opportunities, not necessarily because they care about the flagship product of the main sponsor.
Can they be sued... (Score:3)
for not truthfully advertising their products as "Insecurity Solutions"
Missed point - off topic comment to follow (Score:3, Interesting)
We're all running systems based on some derivative of Unix. The user based permission model was fine for 1970s computer science departments, but it's totally crap for the world we now live in. We all should be running systems that are at least Orange Book A1 level secure, but we aren't. The resources are available to do it, we could totally pump this out in a year or two in the open source world.... but we won't.
Everyone thinks they have secure enough systems... but they don't, not by a country mile. Nobody seems to understand that trusting applications to do their jobs, and not subvert the systems, is a stupid thing.
We have persistently insecure computing... encryption, even if done perfectly, doesn't help fix that.
Re: My off topic post (Score:3)
Not a cipher... (Score:2, Informative)
Not a cipher, but a pseudo-random number generator. Which means that every cipher, signature, or other algorithm that used random keys was compromised.
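An added example that ties together two points made in this thread: the earlier comment that a constant whose value is not justified should be treated as a backdoor until proven otherwise, and this comment that a compromised generator compromises every key drawn from it. The code below is not from the page, from RSA, from NIST or from any real library. It is a toy Dual_EC_DRBG-style generator built in a prime-order subgroup of Z_p* (exponentiation stands in for scalar multiplication on P-256, the residue stands in for the x-coordinate) that drops 4 bits per output instead of the real generator's 16. All parameters, seeds, labels and function names are constructed for illustration; the only relation it preserves is the one that matters, P == Q^e for a secret e known to whoever chose the constants, against a constant derived from a public label that nobody can relate to P.

```python
"""Toy Dual_EC_DRBG-style generator with a backdoored constant (constructed example)."""
import hashlib
import random

TRUNC_BITS = 4  # toy truncation; the real Dual_EC_DRBG drops 16 of 256 bits per output


def is_probable_prime(n):
    """Deterministic Miller-Rabin; these bases are sufficient for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start):
    """Return (p, q) with p = 2q + 1, both prime, q >= start (squares mod p have order q)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


def make_backdoored_params(seed):
    """Public (p, q, P, Q) plus the designer's secret e satisfying P == Q^e (mod p)."""
    p, q = find_safe_prime(1 << 40)
    rng = random.Random(seed)                # deterministic toy choices, not real constants
    P = pow(rng.randrange(2, p - 1), 2, p)   # a square other than 1: generates the order-q subgroup
    d = rng.randrange(2, q)                  # hidden scalar: Q is "just a constant" to everyone else
    Q = pow(P, d, p)
    e = pow(d, -1, q)                        # Q^e == P; this is the trapdoor
    return (p, q, P, Q), e


def justified_constant(params, label):
    """A 'nothing up my sleeve' constant: hash a public label into the subgroup.
    Nobody knows a d with Q == P^d, so no e can be built from it."""
    p = params[0]
    h = int.from_bytes(hashlib.sha256(label).digest(), "big") % (p - 3) + 2
    return pow(h, 2, p)


def generate(params, state, n):
    """Run the toy generator n times; returns (truncated outputs, final state)."""
    p, q, P, Q = params
    outputs = []
    for _ in range(n):
        r = pow(Q, state, p)                 # stands in for x(s*Q), the output block
        outputs.append(r >> TRUNC_BITS)      # drop bits, as the real generator does
        state = pow(P, state, p)             # stands in for x(s*P), the next state
    return outputs, state


def recover_state(params, e, out_i, out_next):
    """Trapdoor use: from two consecutive outputs recover the state that produced out_next.
    Each candidate for the dropped bits is confirmed against the following output."""
    p, q, P, Q = params
    for low in range(1 << TRUNC_BITS):
        r = (out_i << TRUNC_BITS) | low
        if r >= p:
            continue
        candidate = pow(r, e, p)             # Q^(e*s) == P^s == next internal state
        if pow(Q, candidate, p) >> TRUNC_BITS == out_next:
            return candidate
    return None


def session_key(outputs):
    """Stand-in for key material a caller takes from the DRBG."""
    return hashlib.sha256(",".join(map(str, outputs)).encode()).hexdigest()


def demo(seed=7):
    """Victim derives a key from outputs 2..5; an observer who saw only outputs 0 and 1
    and holds e reproduces the same key. Returns (match, victim_key, attacker_key)."""
    params, e = make_backdoored_params(seed)
    q = params[1]
    secret_state = random.Random(seed + 1).randrange(1, q)   # constructed victim seed
    outs, _ = generate(params, secret_state, 6)
    victim_key = session_key(outs[2:])
    s1 = recover_state(params, e, outs[0], outs[1])
    predicted, _ = generate(params, s1, 5)                   # reproduces outputs 1..5
    attacker_key = session_key(predicted[1:])
    return victim_key == attacker_key, victim_key, attacker_key


if __name__ == "__main__":
    print(demo())
```

The check that matters for a deployment is the one the thread's comment describes: a constant like Q either comes with a public derivation (the hashed-label form above) or it does not, and an unexplained constant in a generator whose every output is an algebraic function of the state is exactly the shape in which a trapdoor can hide. The brute force over the dropped bits is why the real generator's 16-bit truncation was no obstacle either.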
ok then, let's have it (Score:5, Interesting)
Re: (Score:1)
This sounds like the HURD, the design principles of which seem to me possibly better than the current monolithic approach of the Linux kernel. Is the HURD the closest (free software) thing we have to a solution like this?
not showing up? Really? (Score:2)
Boycott won't work (Score:1)
Those security conferences are packed with government contractors that know better than to bite the hand that feeds them.
Discounted, surplus tickets available for 50% off (Score:2)
Stupid, stupid, stupid. (Score:2)
Uh, hello pinhead. HELLO PINHEAD!
NOT going to the conference is EXACTLY what the NSA wants you to do!
If you DO go to the conference, then you get to discuss the issue with like minds and with the source of the issue.
If you "boycott" the conference, trust me, there's already a prepared script for handling that "quote" "contingency" "quote".
I would have some serious questions for whomever first pitched the idea of boycotting the conference as some kind of political statement. Can it be traced to a person or c
Re: (Score:2)
Can it be traced to a person or circle of people? What is / are their identity(ies)?
IIRC, the head of R&D at F-Secure.