Security

Security Experts Call For Boycott of RSA Conference In NSA Protest

Posted by Unknown Lamer
from the how-to-add-yourself-to-a-watch-list dept.
Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further calling for a boycott of the conference, saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"
  • money boycott (Score:5, Interesting)

    by schneidafunk (795759) on Thursday January 09, 2014 @09:52AM (#45905975)

    "'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.

    • Re:money boycott (Score:5, Insightful)

      by Chrisq (894406) on Thursday January 09, 2014 @09:54AM (#45905983)

      "'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.

      That relies on your company having people who see security as more than ticking a box to cover them if something goes wrong.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        How could ticking the box "bought RSA product" cover their asses now? If they were the only ones to know about the backdoor, they could do it, but now others know they know about RSA backdooring their product.

        • by Grishnakh (216268)

          Depends on the company. Lots of places will probably still happily spend enormous sums of money on RSA products, even though everyone knows they're backdoored. It's a big company, and as they say, "you can't get fired for buying from $BIG_VENDOR".

          Just look at how many large corporations and governments continue to buy products from big, overpriced enterprise software firms, even though that software is all crap. Hell, look at how many companies still spend millions to license and use IBM/Rational ClearCa

          • by BobMcD (601576)

            This is doubly true because $BIG_VENDOR denied it. So if it were true that a backdoor did exist, you could doubly blame $BIG_VENDOR.

            It's like ticking that box twice.

    • Re:money boycott (Score:5, Interesting)

      by kry73n (2742191) on Thursday January 09, 2014 @10:27AM (#45906149)

      boycotting the conference is the first step and will add to their reputation, companies not doing business is the natural consequence that will follow

  • Cheap (Score:4, Insightful)

    by Anonymous Coward on Thursday January 09, 2014 @09:53AM (#45905977)

    The only thing interesting about this affair is that RSA only got $10M.

  • by Anonymous Coward

    I don't know if they sold their products with some clever fine-print disclaimers, but shouldn't those who bought their products bring them into court and demand damage payments?

    Or everyone in the industry has slept with the NSA so they don't want to set a precedent by suing RSA?

    • Re: (Score:3, Insightful)

      by Dunbal (464142) *
      Kind of hard to build a case on hearsay. Prove they received 10M, and they will be sued into nothingness. But this is "he said she said" - ain't worth shit.
      • Reuters reported it. (Score:4, Interesting)

        by Anonymous Coward on Thursday January 09, 2014 @10:07AM (#45906069)

        Reuters reported that they did. [reuters.com]

        Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

        Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.

        So, who's going to sue them? And on what grounds?

        • by Darinbob (1142669)

          This is still hearsay. Where's the evidence other than Snowden's claims? Where are these documents, and who has validated them as authentic other than Reuters? Yes there's enough here to warrant an investigation but everyone's assuming they already know what happened because of confirmation bias.

      • by TheGratefulNet (143330) on Thursday January 09, 2014 @10:12AM (#45906091)

        you can defend them all you want.

        at this point, anything that comes to light about NSA and shows them in a bad light, I will fully believe until THAT is proven otherwise.

        given the reputation, it sounds more likely than not. we're seeing the true color of the 'security' industry, here, and its about time!

        and anyone who defends the nsa or rsa, well, you've shown YOUR true colors, as well.

        • Re: (Score:1, Insightful)

          by Anonymous Coward
          Right on, brother! I, too, accept as fact anything that confirms what I already believe, and I too believe anyone who thinks different than me is a complete ignorant asshole with absolutely no worth as a human being. You, obviously, are an upstanding guy in my opinion. There needs to be more people like us in Washington to break all this partisan bickering.
      • by kasperd (592156) on Thursday January 09, 2014 @12:06PM (#45907011) Homepage Journal

        Kind of hard to build a case on hearsay. Prove they received 10M, and they will be sued into nothingness. But this is "he said she said" - ain't worth shit.

        Even if it can be proven that they received 10M$ and that they knowingly introduced the backdoor, it is hard to prove that the money was payment for introducing the backdoor. However, it might be sufficient to prove, that they knowingly introduced the backdoor. What payment they received for it, shouldn't affect the outcome of the case, because it is not the payment, which is hurting the customers, it is the backdoor.

        Can we prove that RSA knew about the backdoor? Maybe not, but most likely it can be proven that given the knowledge RSA had, RSA should have assessed the algorithm to be most likely backdoored, at the time where they introduced it.

        In cryptography it is generally accepted best practice that any constant whose value isn't justified in some way should be assumed to be a backdoor until proven otherwise. That is a principle which RSA knows about. Additionally it has been public knowledge for many years that DECDRBG was relying on a constant whose value was not justified; moreover it had been formally proven that there was a way to hide a backdoor in that constant. It's like finding a smoking gun and saying we can't be sure anybody fired that gun; it could be smoking for so many other reasons.

        The fact that DECDRBG uses asymmetrical primitives for a task which is usually done with symmetrical primitives is in itself suspect. Symmetrical primitives are usually faster, and there is a wide range of attack techniques that could be applied to asymmetrical primitives but not to symmetrical primitives. A good reason for asymmetrical primitives is when you are working on a task which cannot be done symmetrically. In the case of DECDRBG the introduction of a backdoor could not have been done symmetrically.
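The "unjustified constant" argument in the comment above can be made concrete. The following is an added, constructed example (not code from RSA, NIST or anyone on this page): a toy Dual_EC_DRBG on a tiny curve y^2 = x^3 + x - 1 over F_1019 that I chose for illustration, with the standard's structure kept (state s_i = x(s_{i-1}*P), output r_i = x(s_i*Q) with its top bits dropped) and Q built as d*P for a secret d. Whoever holds d turns one truncated output back into the next internal state, brute-forcing only the dropped bits (2 here, 16 in the real 256-bit design), and from then on predicts every output. All names (`DualEC`, `recover_next_state`, `predict_outputs`, the seed 4242 and the trapdoor seed 613) are my own. Caveat: on a curve this small anyone could recover d from Q by brute force; on P-256 that is infeasible, which is exactly why only the party that generated Q can use the trapdoor, and why an unexplained Q is the smoking gun kasperd describes.

```python
"""Toy Dual_EC_DRBG with the Q = d*P trapdoor (constructed example, not NIST's or RSA's code)."""
import math

# Constructed toy curve y^2 = x^3 + x - 1 over F_p, p = 1019 (p = 3 mod 4, so a square
# root is one exponentiation).  Nothing here is a real P-256 constant.
p, A = 1019, 1
B = p - 1
O = None  # point at infinity

def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """A point with x-coordinate x (one of the +-y pair), or None if x is not on the curve."""
    rhs = (x ** 3 + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None

def point_order(pt):
    n, acc = 1, pt
    while acc is not O:
        acc, n = add(acc, pt), n + 1
    return n

# Base point P: among small x values, the point of largest order (keeps the toy out of
# tiny subgroups).  N is its order.
P = max((pt for pt in map(lift_x, range(1, 60)) if pt is not None), key=point_order)
N = point_order(P)
# The unjustified constant: Q = d*P for a secret d nobody outside the designer knows.
# Anyone can verify Q lies on the curve; only the holder of d can exploit it.
D = next(d for d in range(613, 613 + N) if math.gcd(d, N) == 1)  # assumed trapdoor seed
Q = mul(D, P)
TRUNC_BITS = 2                            # real spec: top 16 of 256 bits dropped
LOW_BITS = p.bit_length() - TRUNC_BITS    # 8 bits survive in each toy output
OUT_MASK = (1 << LOW_BITS) - 1

def to_scalar(x):
    """x-coordinate -> next state; a zero scalar would hit infinity, the toy maps it to 1."""
    return x % N or 1

class DualEC:
    def __init__(self, seed):
        self.s = to_scalar(seed)

    def generate(self):
        self.s = to_scalar(mul(self.s, P)[0])   # s_i = x(s_{i-1} * P)
        return mul(self.s, Q)[0] & OUT_MASK     # r_i = x(s_i * Q), top bits dropped

def predict_outputs(state, count):
    """Outputs a generator emits once its state is `state` (that state's own output first)."""
    outs = []
    for _ in range(count):
        outs.append(mul(state, Q)[0] & OUT_MASK)
        state = to_scalar(mul(state, P)[0])
    return outs

def recover_next_state(out_i, following, d):
    """Attacker holding d: from one truncated output r_i (plus a few later outputs, used
    only to reject wrong guesses for the dropped bits) recover the state s_{i+1}."""
    d_inv = pow(d, -1, N)
    for hi in range(1 << TRUNC_BITS):         # brute-force the dropped top bits
        x = (hi << LOW_BITS) | out_i
        R = lift_x(x) if x < p else None       # +-(s_i * Q); either sign gives the same x below
        S = mul(d_inv, R) if R else O          # d^-1 * (s_i * d * P) = s_i * P
        if S is O:
            continue
        s_next = to_scalar(S[0])               # exactly what the generator computes next
        if predict_outputs(s_next, len(following)) == following:
            return s_next
    return None

def demo(seed=4242, n_outputs=6):
    """Honest generator vs. attacker with d: returns (real outputs, attacker's prediction)."""
    gen = DualEC(seed)
    outs = [gen.generate() for _ in range(n_outputs)]
    s_next = recover_next_state(outs[0], outs[1:4], D)
    return outs, predict_outputs(s_next, n_outputs - 1)
```

`demo()` returns the six outputs the generator actually produced and the five the attacker predicted from the first one alone; they match. Nothing in `recover_next_state` needs the seed: the trapdoor d, plus the curve points everyone can see, is the whole secret. That is the asymmetric property the comment points at: a symmetric design has no place to hide a value that helps exactly one party.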

    • From what I've read, it may be too quick to gang up on RSA. It sounds like they accepted a payment from the NSA to make Dual_EC_DRBG preferred/default, not to accept a backdoor.

      The industry as a whole is responsible for accepting and adopting Dual_EC_DRBG. According to Wikipedia [wikipedia.org], "Members of the ANSI standard group, to which Dual_EC_DRBG was first submitted, were aware of the exact mechanism of the potential backdoor and how to disable it, but did not take sufficient steps to unconditionally disable the ba
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Standard or not, it's been shown, since 2006, that Dual_EC_DRBG is at best cryptographically flawed, and at worst backdoored. There have been better suited algorithms available and supported before, during, and after 2006. So how quickly did this security company update their software? When did RSA stop using a poor and vulnerable algorithm as the default? September 2013.
        That's either incompetence or malice. Neither of which should be supported or trusted in a supposed "security" company.

  • Bad Analogy (Score:4, Insightful)

    by Anonymous Coward on Thursday January 09, 2014 @09:57AM (#45906011)

    As child porn wouldn't affect the customers' bottom line.

    This is more like Bernie Madoff hosting an ethics conference.... today.

    Why not just recast the conference as a black hat/government contractor conference and show the tiniest amount of honesty.

    • by qwijibo (101731)

      They could market it with a twist on google's "do no evil" motto:

      RSA 2014 - All evil, all the time. F security, F US technology, and F YOU!

    • Re:Bad Analogy (Score:4, Informative)

      by DickBreath (207180) on Thursday January 09, 2014 @11:21AM (#45906571) Homepage
      I agree. The child porn analogy is a bad one. If the CEO were found with it, that would make me think differently of him, but not necessarily the company itself. (Unless he had somehow created a culture of this throughout the company.)

      What RSA has done is lose my trust in the company (which includes the CEO and the highest level decision makers in the company). Criminal personal actions of the CEO would only affect my perception of him and that he should be prosecuted -- and not necessarily the company if he had continued to make good business decisions on the company's behalf.
    • by kasperd (592156)

      As child porn wouldn't affect the customers' bottom line.

      Is that the worst you can say about that analogy? How about this:

      The actions of one person doesn't say anything about the company as a whole. Even if it is the CEO. If the CEO had indeed been involved in child pornography, the response from the company and its employees says more about the company, than the actions of the CEO.

      But what is even more disturbing is coming up with involvement in child pornography as the worst a person can possibly do.

  • About time more americans started acting snowde-like. As in ballsy

    • by Rosco P. Coltrane (209368) on Thursday January 09, 2014 @10:05AM (#45906051)

      If all Americans started acting just a little Snowden-like, there would be another revolution in this country. That on the other hand is just some guy renowned in a very narrow, very specialized field, sulking.

      It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.

      • by TheGratefulNet (143330) on Thursday January 09, 2014 @10:16AM (#45906109)

        america's response is based on FEAR of the three letter agencies.

        even congress is not above them, and if they can't get honesty from the org, how can we even hope to get a fair shake?

        there won't be a revolution. the government has us locked up too much with fear and they also have more firepower and the fight would be horrible. no one wants that.

        peaceful ways won't work and we can't use any other ways.

        we feel helpless.

        what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?

        fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.

        I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.

        • by Grishnakh (216268)

          what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?

          fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.

          I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.

          Who's "we"? America

        • > what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control?
          > what exactly do you propose when the powerful hold ALL the cards?

          You mean the late 18th century British?

      • It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.

        The American media's response to this absolute outrage has been a big, fat, shameful nothing, so most Americans still don't even know what's going on!

        • It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.

          What do you expect from what has become the de facto US Department of Propaganda? With little Jay Carney as Secretary.. He lies really well, but of course, he *has* to, to be able to cover up the lies his boss tells..

  • by Arrepiadd (688829) on Thursday January 09, 2014 @10:12AM (#45906089)

    'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr.

    The CEO getting involved in child porn means his personal life is tainted and he goes to jail and hell and all that.
    This is bad news for the company because people lose their trust in the company. No one needs to identify with the CEO of a company... but not trusting a company in the security field doesn't bode well for said company.

    • by Alsee (515537) on Thursday January 09, 2014 @11:00AM (#45906403) Homepage

      I'm going to have to disagree. A company's CEO getting involved in child porn would definitely be worse.

      What sort of company has a child as CEO?

      -

      • > What sort of company has a child as CEO?

        Most of them?

      • by fatphil (181876)
        Well, I know one whose CEO only knew 4 words...

        developers, developers, developers, and developers.

        Surprised the nappy never fell down during his monkey dance.
    • A CEO into child porn would have the top interest in software security. That's the type of CEO you need. Money isn't the motivation.
      • I hate this thread but: Is the NSA worse than child porn? I think I taste vomit.
          • I'd say so. The NSA is a government organization that's violating just about everyone's rights; that's many orders of magnitude worse than the child porn bogeyman.

          • Rofl so the NSA maybe having compromised one RNG which nobody even uses is as bad as child molestation. Get some freaking perspective.
            • "Is the NSA worse than child porn?"

              That was the question. Since the NSA is gathering data (metadata is data) on just about everyone--that is, violating people's rights--I do believe they are far worse than the child porn bogeyman. For one thing, the production of child porn doesn't affect nearly as many people.

  • I asked this when this original story first broke headlines. There are allegations, but has anybody ACTUALLY seen proof they compromised security on the NSAs wishes for a paltry $10M?

    When I attended the conferences back in the 1990's, the NSA was there...they even presented findings on the strength of DES and the need for a newer algorithm. Skipjack and Clipper, promoted by Al Gore, were the scare at the time.

    Back then, licensing of the libraries (BSafe and TIPEM) came in two flavors - the low-cost Mom/Pop

    • by Error27 (100234) <error27&gmail,com> on Thursday January 09, 2014 @10:57AM (#45906385) Homepage Journal

      The wikipedia entry is good on this:

      http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor [wikipedia.org]

      RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit [theregister.co.uk].

    • by hydrofix (1253498) on Thursday January 09, 2014 @11:03AM (#45906423)

      I was also skeptical when I first saw the news articles (like this one [bbc.co.uk]) that said RSA had published a statement in which they supposedly refuted the existence of that NSA deal. The existence of the deal was originally broken by Reuters in this article [reuters.com], where they cite "two sources familiar with the contract" as their sources. But then, after a more in-depth analysis of the RSA blog post [rsa.com] in which they supposedly "denied" the existence of the deal, it turned out that RSA neither denied nor acknowledged that such a deal existed [techdirt.com] in their statement. They are just using general wording to give the impression that they would certainly never do such a thing. But they are not directly denying the existence of the deal.

      Now, thinking logically, it's pretty damn clear that they would have denied that such a deal was ever made, if they had been in a position to make such a claim. But given they don't directly deny the claims presented by Reuters, it would seem a much more logical explanation that the deal indeed was made, and RSA just went into damage control mode after the publication of the Reuters article. Lying to the public would have meant more damage if Reuters had later been able to present the actual paper of the deal, so I suppose we can take their failure to directly deny this deal's existence as an admission of sorts. This is also the reason why speakers are canceling their appearance at the conference ("Your company has issued a statement on the topic, but you have not denied this particular claim." [f-secure.com])

      So, I think we have grounds to believe that there is actually quite a lot of truth to the original story by Reuters. As they say, the deal was "handled by business leaders rather than pure technologists". I am pretty sure that this is yet another example of a major manager-level f*ck up. Tech companies very often have all the expertise at the technical personnel level, while managers are a "necessary evil" who often have much less insight into the technical field where the company actually operates. Of course, anyone with even the slightest idea of how the IT security field functions would never ever endanger their company's credibility (at least for such a small reward as $10 million), because deals like this tend to resurface in the public sphere sooner or later. All we can assume is that someone in management made a very major f*ck-up and made this secret deal with NSA without much consultation with the technical folks. But I am pretty sure that now that this deal has surfaced in the public sphere, it will end up costing RSA a great deal more in lost sales than what the "business leaders" anticipated they could gain in the short term from making the deal with NSA.

      • by chihowa (366380) *

        The blame for this can't be kept entirely off of the techie's shoulders, though. While management may have made the deal and pocketed the money, management isn't capable of actually altering the product. At some point the product they shipped was made to be different than the product the technical side originally designed and it took cooperation from the technical team to make that change happen.

        • by hydrofix (1253498)
          That might be somewhat mitigated by the fact that the deal and the alteration to the software were done in 2004, but the first researcher analyses hinting at problems with this algorithm weren't published until 2006. When making the change, the developers were not necessarily told that NSA had paid RSA to use that algorithm. It might have passed as just another security improvement to the product.
          • by chihowa (366380) *

            Good point wrt withholding the knowledge of the payment. Being paid to use the algorithm is certainly sketchy, but if the technical team received only the word that the NSA had advised they use a particular algorithm it could certainly seem like advice worth following.

    • by Alsee (515537)

      Huh?

      I'll break this issue down into three levels. First there's the compromised algorithm itself. The algorithm and source code for it is public. Anyone can trivially test that it's about a hundred times SLOWER than the alternative algorithms. It has zero redeeming features. And anyone with the slightest security knowledge can see that it was covered in huge red flags all over it (unexplained magic numbers pulled out of the algorithm-submitter's ass are a HUGE security no-no). It had squat track record of b

      • The BSafe and TIPEM source code are NOT "freely" available. You license the binaries by default. If you license the source, it is under NDA. Licensing the source is not cheap. Consequently, I suspect few have had the opportunity to examine the source. Perhaps, some may have decompiled it. But, the source is not public.

        There are open source variants of the libraries out there - OpenSSL being one of them. But, it isn't the BSafe or TIPEM code.

        More likely, the NSA paid for a source code license at $10M..

        • by Alsee (515537)

          The BSafe and TIPEM source code are NOT "freely" available.

          I never said they were.
          I said, "The algorithm and source code for it is public".
          And they are. The Dual_EC_DRBG algorithm is a standard published by the U.S. government.

          We know the code in the RSA products are functionally identical to the published algorithm and code because if it weren't then they would fail the test suite and never have received certification.

          More likely, the NSA paid for a source code license at $10M..made a modification and then put the modified source back into their source control - perhaps removing the old code in the process.

          You seem to be misunderstanding the problem here. There was no code modification, there was no need for code modification. The algorithm as original

  • by MitchDev (2526834) on Thursday January 09, 2014 @10:43AM (#45906271)

    for not truthfully advertising their products as "Insecurity Solutions"

  • by ka9dgx (72702) on Thursday January 09, 2014 @10:51AM (#45906347) Homepage Journal

    We're all running systems based on some derivative of Unix. The user based permission model was fine for 1970s computer science departments, but it's totally crap for the world we now live in. We all should be running systems that are at least Orange Book A1 level secure, but we aren't. The resources are available to do it, we could totally pump this out in a year or two in the open source world.... but we won't.

    Everyone thinks they have secure enough systems... but they don't, not by a country mile. Nobody seems to understand that trusting applications to do their jobs, and not subvert the systems, is a stupid thing.

    We have persistently insecure computing... encryption, even if done perfectly, doesn't help fix that.

    • Revelations of back doors are, as I suspect, limited - perhaps there are many more that we don't know of yet. And since that's the case, since people are more into making money than they are into making sense, then "computers" themselves cannot be "trusted". That doesn't mean that we can't use them as they are however. I'm not about to go off and learn what the shit "systems that are at least Orange Book A1 level secure" even means. I'm going to continue to use commercial software and hardware, because
  • Not a cipher... (Score:2, Informative)

    by Anonymous Coward

    Not a cipher, but a pseudo-random number generator. Which means that every cipher, signature, or other algorithm that used random keys was compromised.

  • by BringsApples (3418089) on Thursday January 09, 2014 @11:19AM (#45906549)
    What end-user products should one avoid in order to avoid this back door?
    • by mrjimorg (557309)
      The problem is that these products don't exist to large extent. The reason is that people are unwilling to accept any performance degradation in exchange for security. So, instead they use insecure systems, then they install 'anti-virus' which seeks to un-infect a system during/after an infection. This is like telling doctors "You don't need a hazard suit for that Ebola patient. If you get Ebola we'll give you some drugs". So, in order to protect ourselves we run virtual machines so that threats such as vir
      • by Anonymous Coward

        This sounds like the HURD, the design principles of which seem to me possibly better than the current monolithic approach of the Linux kernel. Is the HURD the closest (free software) thing we have to a solution like this?

        • by mrjimorg (557309)
          Honestly, I think Qubes is a better match. Although, last time I looked at HURD there were no virtualization extensions
  • No way, go there and freaking trash the place. Go all "occupy" on them or plan silly string attacks or flash mob protests in the middle of presentations. THAT would send them more of a message than slightly lower than average attendance.
  • by Anonymous Coward

    Those security conferences are packed with government contractors that know better than to bite the hand that feeds them.

  • So in summary, there's discounted tickets available now...
  • Uh, hello pinhead. HELLO PINHEAD!

    NOT going to the conference is EXACTLY what the NSA wants you to do!

    If you DO go to the conference, then you get to discuss the issue with like minds and with the source of the issue.

    If you "boycott" the conference, trust me, there's already a prepared script for handling that "quote" "contingency" "quote".

    I would have some serious questions for whomever first pitched the idea of boycotting the conference as some kind of political statement. Can it be traced to a person or c

    • Can it be traced to a person or circle of people? What is / are their identity(ies)?

      IIRC, the head of R&D at F-Secure.
