RSA Boycot Group Sets Up Rival Conference 84
judgecorp writes "The group of security experts who urged people to boycot the RSA conference (over allegations that the security firm RSA has taken a $10 million bribe from the NSA to weaken the security of its products) have put together a rival conference called TrustyCon just down the road from San Francisco's Moscone Center, where the EMC-owned firm will have its conference at the end of February."
Re:It's a trap! (Score:5, Interesting)
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.
You mean like when people who develop encrypted messaging systems or encrypted phone applications get added to watch lists [infosecuri...gazine.com] and get harassed every time they enter the country even though they are citizens?
Re:Better Hope ... (Score:4, Interesting)
What other security researchers have accepted $10,000,000?
No one is "without sin," but there are some boundaries at which you stop being a normal person who has to bend his principles for the real world and become a complete dick who doesn't deserve to be a respected member of the white hat community.
Anyway, got my W2, so I have to go get back to making my yearly donation to the government; I sure hope they won't blow it on multimillion dollar bribes.
Re:It's a trap! (Score:4, Interesting)
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
Sure they can be kept secret. And we don't know how many people fall into this category. But any such losses would be simply lost in the local mystery that every town has, namely the huge number of missing persons.
Take a look at these numbers reported by CNN [cnn.com] using data from the FBI NCIC [fbi.gov].
There a a vast forest of people missing in which you could hide a lot of "disappeared" people. Someone quietly working in a field without a huge public exposure (whether white hat or black hat) could go missing from his basement lair, get reported, and forgotten by all but his mom and the world would never take notice.
Re:Better Hope ... (Score:4, Interesting)
What is killing us is the industry settling for "good enough". SSL is "good enough", with the assumption that CAs won't be compromised. This was true back in the 1990s, but Diginotar and other CAs have shown that the single, ultimate trust model will fail.
Then there are devices. Even though I have a client key for one E-mail address, because iOS requires an Exchange server, no S/MIME for me unless I JB the device. PGP/gpg is doable, but some apps don't like being switched out and start glitching when they get switched back in. Android is better because of utilities that have better OpenPGP support (K9 Mail for example.)
Once app makers and Apple can be convinced to have usable encryption (OpenPGP and S/MIME) on the individual E-mail level, the big hurdle will be getting users to work on webs of trust, or even just signing/decrypting messages. This isn't rocket science, but security is oftentimes tossed in the back seat compared to virtually anything else. It can be done, though. Most people lock their doors before they leave for the day, so getting them to click on the sign/encrypt button may be eventually doable, given the consequences of not doing so.