Security Experts Call For Boycott of RSA Conference In NSA Protest 112
Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further calling for a boycott of the conference, saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"
Cheap (Score:4, Insightful)
The only thing interesting about this affair is that RSA only got $10M.
Re:money boycott (Score:5, Insightful)
"'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.
That relies on your company having people who see security as more than ticking a box to cover them if something goes wrong.
Bad Analogy (Score:4, Insightful)
As child porn wouldn't effect the customers bottom line.
This is more like Bernie Madoff hosting an ethics conference.... today.
Why not just recast the conference as a black hat/government contractor conference and show the tiniest amount of honesty.
Re:Why aren't there any lawsuits yet? (Score:3, Insightful)
Re:Give this guys some cake (Score:5, Insightful)
If all Americans started acting just a little Snowden-like, there would be another revolution in this country. That on the other hand is just some guy renowned in a very narrow, very specialized field, sulking.
It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.
This is worse than child porn (for the company) (Score:5, Insightful)
'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr.
The CEO getting involved in child porn means his personal life is tainted and he goes to jail and hell and all that.
This is bad news for the company because people lose their trust on the company. No one needs to identify with the CEO of a company... but not trusting a company in the security field doesn't bode well for said company.
Re:Why aren't there any lawsuits yet? (Score:5, Insightful)
you can defend them all you want.
at this point, anything that comes to light about NSA and shows them in a bad light, I will fully believe until THAT is proven otherwise.
given the reputation, it sounds more likely than not. we're seeing the true color of the 'security' industry, here, and its about time!
and anyone who defends the nsa or rsa, well, you've shown YOUR true colors, as well.
Re:Give this guys some cake (Score:5, Insightful)
america's response is based on FEAR of the three letter agencies.
even congress is not above them, and if they can't get honesty from the org, how can we even hope to get a fair shake?
there won't be a revolution. the government has us locked up too much with fear and they also have more firepower and the fight would be horrible. no one wants that.
peaceful ways won't work and we can't use any other ways.
we feel helpless.
what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?
fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.
I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.
Re:Give this guys some cake (Score:5, Insightful)
Privacy in America is complicated. The majority argument in the Supreme Court decision that legalized abortion, Roe v. Wade [wikipedia.org], was based on a right to privacy. Since then (1973), the Republican Party has refused to accept that a right to privacy exists, because that would imply that Roe v. Wade is based on a sound principle and therefore abortion has to remain legal. This puts us in the unfortunate position of privacy rights being collateral damage in the culture war. Any Federal court nominee is going to get asked in his/her confirmations hearings whether there exists a right to privacy, and an affirmative answer means the Republicans will block that nominee. Most nominees prevaricate.
It's not the only reason privacy is a suppressed issue in mainstream American politics. Both parties have an authoritarian streak a mile wide (manifested in slightly different ways, so they can hate each other anyway) and privacy is the enemy of authority.
A lot will have to change before America is willing to make privacy a priority. What I find encouraging about Snowden's relevations is that it looks like enough people are talking about privacy that the issue might not crawl away to die again. Give it time.
Re:Why aren't there any lawsuits yet? (Score:1, Insightful)
Re:Has anybody seen the actual "evidence"? (Score:4, Insightful)
The wikipedia entry is good on this:
http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor [wikipedia.org]
RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit [theregister.co.uk].
Re:Has anybody seen the actual "evidence"? (Score:5, Insightful)
I was also skeptical when I first saw the news articles (like this one [bbc.co.uk]) that said that RSA had published a statement where they supposedly refuted the existence of that NSA deal. The existence of the deal was originally broken by Reuters in this article [reuters.com], where they cite "two sources familiar with the contract" as their sources. But then, after more in-depth analysis of the RSA blog post [rsa.com] where they supposedly "denied" the existence of the deal, it was revealed that actually RSA neither denied nor acknowledged that such deal existed [techdirt.com] in their statement. They are just using general wording to give an impression, that they would certainly never do such thing. But they are not directly denying the existence of the deal.
Now, thinking logically, it's pretty damn clear that they would have denied that such a deal was ever made, if they were in the position of making such a claim. But given they don't directly deny the claims presented by Reuters, it would seem a much more logical explanation that the deal indeed was made, and RSA just went into damage control mode after the publication of the Reuters article. Lying to the public would have meant more damage if Reuters would have later been able to present the actual paper of the deal, so I suppose we can take their lack of directly denying this deal's existence as an admission of sorts. This is also the reason why speakers are canceling their appearance in the conference ("Your company has issued a statement on the topic, but you have not denied this particular claim." [f-secure.com])
So, I think we have grounds to believe that there is actually quite much truth to the original story by Reuters. As they say, the deal was "handled by business leaders rather than pure technologists". I am pretty sure that this is a yet-another example of a major manager-level f*ck up. Tech companies very often have all the expertise on the technical personnel level, while managers are a "necessary evil" who often have much fewer insight into the technical field where the company actually operates. Of course, anyone with even the slightest idea of how the IT security field functions, would never ever endanger their company's credibility (at least for such little reward as $10 million), because deals like this tend resurface in the public sphere sooner or later. All we can assume that someone in the management made a very major f*ck-up and made this secret deal with NSA without much consulting from the technical folks. But I am pretty sure that now that this deal has surfaced in the public sphere, it will end up costing RSA a great deal more in lost sales than what the "business leaders" anticipated they could gain in short term from making the deal with NSA.
Re:I don't think the full story is out... (Score:2, Insightful)
Standard or not, it's been shown, since 2006, that Dual_EC_DRBG is at best cryptographically flawed, and at worst backdoored. There have been better suited algorithms available and supported before, during, and after 2006. So how quickly did this security company update their software? When did RSA stop using a poor and vulnerable algorithm as the default? September 2013.
That's either incompetence or malice. Neither of which should be supported or trusted in a supposed "security" company.
Re:Why aren't there any lawsuits yet? (Score:5, Insightful)
Not necessarily. Before the leaks, who really thought that much about the NSA and what it was doing? Maybe some of us really thought about it and suspected the NSA was spying on us all, but most of us were unaware; it just wasn't something that came up on our radar. Now that there's lots of evidence about what the NSA's been doing, including admissions from the NSA themselves (and a lot of nasty statements by NSA leadership about various people who oppose their spying programs), the onus is on the NSA to disprove any new allegations that arise. At this point, for me (and the OP I'm sure), the NSA has proven themselves to be completely untrustworthy, so for any new allegations against them, I'll choose to believe the allegations until the NSA can really prove them wrong. Why would I do otherwise? It's all about trust: without good evidence, you can only go on trust (and knowledge of what's really feasible; e.g., the NSA monitoring our thoughts by brain implants is obviously fantasy so allegations that aren't feasible like that can be dismissed). Since I distrust the NSA completely, I'll always believe the other side until they're proven wrong.
Much like everyone else on the planet... (Score:4, Insightful)
I agree; barring incontrovertible evidence to the contrary, the NSA will never be believed again.
Time to dismantle the entire operation and start over with new people; obviously none of these people understand what Domestic enemies are: People who are destroying the Constitution.
It is being destroyed because it is being ignored in the name of "National Security"; that bill of rights is so inconvenient for Despots.
They didn't need to repeal it; take a look around; they know there's nothing we can do about it.
Congress is likely being blackmailed into silence; in our society, everyone is guilty of something, are they not?
And here we always thought the "tinfoil hat" and gun nuts were just crazy... :facepalm: