RSA Boycot Group Sets Up Rival Conference 84
judgecorp writes "The group of security experts who urged people to boycot the RSA conference (over allegations that the security firm RSA has taken a $10 million bribe from the NSA to weaken the security of its products) have put together a rival conference called TrustyCon just down the road from San Francisco's Moscone Center, where the EMC-owned firm will have its conference at the end of February."
Re:Better Hope ... (Score:4, Interesting)
What other security researchers have accepted $10,000,000?
No one is "without sin," but there are some boundaries at which you stop being a normal person who has to bend his principles for the real world and become a complete dick who doesn't deserve to be a respected member of the white hat community.
Anyway, got my W2, so I have to go get back to making my yearly donation to the government; I sure hope they won't blow it on multimillion dollar bribes.
Re: (Score:2)
Re: (Score:3)
Well they could have started with a better name.
Trustycon sounds like an oxymoron right out of the gate, like someone's idea of a sick joke.
The problem we have is that the industry is defined now, whereas when it was starting out, there
were not entire infrastructures available for every task. Just getting a new mechanism employed by
web servers and web browsers has a huge inertia today. And the industry has made almost zero
headway in the task of getting people to even sigh e-mail by default, let alone encry
Re:Better Hope ... (Score:4, Interesting)
What is killing us is the industry settling for "good enough". SSL is "good enough", with the assumption that CAs won't be compromised. This was true back in the 1990s, but Diginotar and other CAs have shown that the single, ultimate trust model will fail.
Then there are devices. Even though I have a client key for one E-mail address, because iOS requires an Exchange server, no S/MIME for me unless I JB the device. PGP/gpg is doable, but some apps don't like being switched out and start glitching when they get switched back in. Android is better because of utilities that have better OpenPGP support (K9 Mail for example.)
Once app makers and Apple can be convinced to have usable encryption (OpenPGP and S/MIME) on the individual E-mail level, the big hurdle will be getting users to work on webs of trust, or even just signing/decrypting messages. This isn't rocket science, but security is oftentimes tossed in the back seat compared to virtually anything else. It can be done, though. Most people lock their doors before they leave for the day, so getting them to click on the sign/encrypt button may be eventually doable, given the consequences of not doing so.
Re: (Score:2)
Agreed, the CAs are a weak spot, which governments and spies can easily co-opt. Single point of trust also become something of ponzi racket, taking your money but still not sure of who you are, and surrendering the keys to the castle upon any governmental whim.
As for the webs of trust, I'm not sure that matters for most people. The concept is cool, but unless you are signing code or some such, it really doesn't matter in everyday life. When I send email to my family members, business associates, etc. and
Re:Better Hope ... (Score:4, Informative)
You know you can generate a certificate in Keychain and distribute that out of band, then send encrypted email using apple mail. Obviously both you and your recipients need to do this if you want to do anything more complicated than simply signing your mail.
The thing that I'm upset about is that Apple still uses the compromised Comodo root for the certificates they use to sign patches with...
Re: (Score:1)
Even worse, there is no way to yank it out of the cert database. You trust what Apple trusts, or you use something else.
Re: (Score:2)
You can set the trust level on any certificate in the keychain to "never trust." The problem is that you are going to need to fiddle with it every time a new patch gets pushed out through the app store.
Not a Tony Bennett fan, eh? (Score:1)
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
What terrible things have the NSA done to people who attended previous similar conferences?
Re: (Score:3, Funny)
Spy on them. Oh wait, that did this on all citizens on the planet ..
Re:It's a trap! (Score:5, Insightful)
Convinced people things were secure when in fact it's significantly weakened to allow the NSA to spy on people.
If we're to believe news reports, we all suffer from much worse internet security because the NSA et al wanted to be able to monitor stuff.
So, internet banking, internet shopping, and pretty much everything is suspected to now have flaws in the cryptography.
They've done this to all of us, regardless of if we've been to the conference.
Re: (Score:2)
Yeah. So you didn't answer my question at all.
Re:It's a trap! (Score:5, Insightful)
You didn't ask me, but I can still provide an answer. "What has the NSA done to people?"
No frigging clue, because everything done is "secret". You can assume that they have done nothing, and I can assume they have done everything. Both of those are assumptions and neither could be proven.
So has the NSA turned over documents to Police agencies, employers, the IRS, etc.. that have led to investigations or damages? I believe we have enough circumstantial evidence to believe the first and third of those examples have happened. I'm not trying to patronize, but you can look at Parallel investigations and the IRS investigating non-profits for more information. It was impossible to tell if you were defending them or not, so you may already have knowledge of the subjects.
This is why we should all be demanding transparency from the agency and accountability from the whole Government. We don't know what they are doing because they label everything "secret". I find it logical to assume that if they are immoral in one area, we can assume that they are immoral in more areas. Wrong follows wrong, always has and always will.
The same concerns we have over the NSA should exist with a company like RSA who only apologized and told customers to change practices _after_ they were caught taking money from a government agency at the expense of customers. They never refunded a penny to customers either, so they are more than deserving of a boycott.
Re: (Score:2)
You didn't ask me, but I can still provide an answer. "What has the NSA done to people?"
No frigging clue, because everything done is "secret". You can assume that they have done nothing, and I can assume they have done everything.
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.
Re: (Score:3)
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The NSA doesn't care whether you agree or disagree with them. They care about other things. For example, they might care that you once had a phone conversation with someone who once sat on the same bus as someone who is related to a terrorist. If you then disappeared, without having ever disagreed with the NSA, without ever having had anything to do with terrorists as far as you know, who would connect your disappearance with the NSA?
Re:It's a trap! (Score:5, Insightful)
This is wrong on just about ever level. Fact: The NSA is not a Law Enforcement agency, and has no authority to arrest or detain people. We know through leaks that they do provide data to various law enforcement agencies, then those agencies have been instructed to (illegally) reconstruct the data to keep the NSA out of the picture. We know the NSA provided data to the IRS who then audited political groups.
I can see questioning the use of "honeypot conference", or lacking knowledge of what crossing them would lead to. I don't agree with you painting them as innocent because we have enough facts to know they are not innocent. How guilty they are is a valid question.
Re:It's a trap! (Score:5, Interesting)
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.
You mean like when people who develop encrypted messaging systems or encrypted phone applications get added to watch lists [infosecuri...gazine.com] and get harassed every time they enter the country even though they are citizens?
Re: (Score:2)
Your link goes to a article that says it is "possible" the guy was put on a watch list but there is no actual evidence of him being put on such a list. Unfounded assumptions do not translate into facts.
Re: (Score:2)
You can see if you are on a no flight list by contacting a TSA officer at any airport. If you are stopped and searched beyond normal procedures you can also ask if you are on any other type of list that would prevent you from normal travel between countries.
Re:It's a trap! (Score:4, Interesting)
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
Sure they can be kept secret. And we don't know how many people fall into this category. But any such losses would be simply lost in the local mystery that every town has, namely the huge number of missing persons.
Take a look at these numbers reported by CNN [cnn.com] using data from the FBI NCIC [fbi.gov].
There a a vast forest of people missing in which you could hide a lot of "disappeared" people. Someone quietly working in a field without a huge public exposure (whether white hat or black hat) could go missing from his basement lair, get reported, and forgotten by all but his mom and the world would never take notice.
Re: (Score:2)
Who knows, perhaps you'll eat some really bad shellfish, or wrap a steel cable around your neck and step on the gas. Or a bunch of illegal drugs will turn up in your car (No idea how it got there? SUUUUUURE!). Perhaps a few classified documents in your briefcase.
I doubt it would be the same thing every time. Some interesting combination of accidents, suicide, unexpected crimes (complete with neighbors saying he seemed so normal), etc.
And surely not everyone. The real crackpots will never be silenced, they d
Re: (Score:2)
The real crackpots will never be silenced, they do to much to discredit the NSA protesters.
Good news for you then.
Re: (Score:2)
For amusement, at least some of what I wrote was drawn from OLD headlines. So you accuse me of being a crackpot for suggesting that something that happened over a decade ago is possible? (*GIGGLE*)
Re: (Score:2)
Old headlines from prisonplanet.com?
Re: (Score:2)
Thank you for your irrelevant, biased, and fallacy ridden input Cold Fjord. Now that you stopped using your personal karma poor account please create a new named account so that it's easier to ignore you.
Your red herring and false analogy arguments are identical no matter how you log in. Go pound some sand and choke on your master's wanker.
Re: (Score:2)
If we're to believe news reports...
There's your first mistake.
Re:It's a trap! (Score:5, Insightful)
If I'm going to choose between who is more credible, the people providing examples and evidence of what they're doing ... or the lawmakers who keep braying that it's all legal ... then I'm afraid I'm more inclined to trust the news reports based on the leaks from Snowden.
By rather a considerable margin.
We already know the people defending this have lied about what they really do, which means they're not really deserving of any of our trust.
Re: (Score:2, Insightful)
The media companies have been lying for their own profit for far longer and far more frequently than the NSA.
I'm not particularly inclined to trust anybody affirming or denying anything outright. None of it can be independently verified.
Re:It's a trap! (Score:5, Insightful)
I'm not particularly inclined to trust anybody affirming or denying anything outright. None of it can be independently verified.
That's not true. We can witness the behaviors of the organization. Note how they started with denial, then moved towards excuses, and now have clammed up entirely. This tells us something about their behavior, and if we assume that behavior makes sense in context with the truth, then we get a glimpse of that truth as well.
Sort of like the Keppler telescope.
Re: (Score:2)
That strongly indicates that something is being hidden from the public. It does not corroborate (or invalidate) the elaborate conspiracy theories being hyped.
Re: (Score:2)
Convinced people things were secure when in fact it's significantly weakened to allow the NSA to spy on people.
Not sure what's the right thing to do, though. If the NSA tries that again on the RSA conference, wouldn't we want to have as many security experts present as possible?
Re:It's a trap! (Score:5, Insightful)
The alternate response is that if RSA did knowingly weaken commercial security, then you more or less have to stop trusting them.
Acting like they've had a change of heart, and promise to never do it again is meaningless.
In other words, the rest of the security community is turning their back on RSA for not being trustworthy -- and when you're a security company, that's a big deal.
Re:It's a trap! (Score:5, Insightful)
The alternate response is that if RSA did knowingly weaken commercial security, then you more or less have to stop trusting them.
And if they didn't Knowingly weaken security, but rather did so unwittingly, then you also have to stop trusting them.
If they are that incompetent they had no clue, they probably don't belong in the business.
They only came out and told people to stop using their broken software AFTER Snowden made it known that it was compromised.
NIST is pretty much in the same predicament.
colbert (Score:5, Funny)
Does anyone know if Steven Colbert is still headlining the conference?
Re: (Score:3)
*Stephen
Get rid of Samzenpus (Score:5, Insightful)
What the fuck? A boycot in Sand Francisco? Does Samzenpus even read this stuff?
Re: (Score:2)
Also "weaken ithe security"? And this was a pretty short summary...
Sheesh - a third grader would've caught that.
Re: (Score:1)
That one was actually added by samzenpus himself.
Re: (Score:2)
Re: (Score:2)
No, it was like that in the original submission.
So what? Editors are supposed to "edit".
Re: (Score:2)
So what? Editors are supposed to "edit".
GP claimed the typo was added by the editor. I was just pointing out that it was already there in the submission and the editor just failed to take it out, that's all.
Re: (Score:2)
Also, why don't spell checkers cope with names or common phrases made or more than one word yet?
Re: (Score:2)
I read it as BSA Boyscout group..., then got confused and had to RTFS (I know, I know, I'm sorry) to figure it out.
Bylaw Number One (Score:3)
Spelling (Score:5, Informative)
The word is boycott [wikipedia.org].
Re: (Score:2)
Good for them! (Score:2)
I hope the conference has a good turnout and results in something useful that pisses off the feds.
Re: (Score:2)
Don't worry. They will be attending. And taking names.
Re: (Score:3)
Something else many slashdotters may be in a position to do is to vote with their dollars. Even if you can't actually attend or help fund one conference or the other, take note of which companies attend which. Follow the money, and promote those who don't agree with the actions of the NSA and, by extension, with RSA. If attending the RSA conference is a mark against themselves in the eyes of potential customers, fewer companies will attend. If the sponsors and attendees of the new conference get extra busin
TrustyCon (Score:2)
With a name like that, what is not to trust?
good old (Score:1)
Boycott the USA next time? (Score:2)
Maybe I'm becoming jaded, but I don't think the United States is a good place to hold a security conference. I know, this year the TrustyCon organizers have to accommodate previous arrangements, but next time they should hold the conference in a place less likely to arrest security researchers [infotoday.com] and harass pioneers whose work is featured in every computer on every desk and in every smartphone. [fas.org]