Security Experts Call For Boycott of RSA Conference In NSA Protest

Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further calling for a boycott of the conference, saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"

Re:money boycott

[Anonymous Coward]

How ticking the bo "bought RSA product" could cover their asses now? If they were the only one to know about the backdoor, they'd could do it but now others knwo they know about RSA backdooring their product.

Not a cipher...

[Anonymous Coward]

Not a cipher, but a pseudo-random number generator. Which means that every cipher, signature, or other algorithm that used random keys was compromised.

Re:Bad Analogy

[DickBreath]

I agree. The child porn analogy is a bad one. If the CEO were found with it, that would make me think differently of him, but not necessarily the company itself. (Unless he had somehow created a culture of this throughout the company.)

What RSA has done is lose my trust in the company (which includes the CEO and the highest level decision makers in the company). Criminal personal actions of the CEO would only affect my perception of him and that he should be prosecuted -- and not necessarily the company if he had continued to make good business decisions on the company's behalf.

Re:Why aren't there any lawsuits yet?

[kasperd]

Kind of hard to build a case on hearsay. Prove they received 10M, and they will be sued into nothingness. But this is "he said she said" - ain't worth shit.

Even if it can be proven that they received 10M$ and that they knowingly introduced the backdoor, it is hard to prove that the money was payment for introducing the backdoor. However, it might be sufficient to prove, that they knowingly introduced the backdoor. What payment they received for it, shouldn't affect the outcome of the case, because it is not the payment, which is hurting the customers, it is the backdoor.

Can we prove that RSA knew about the backdoor? Maybe not, but most likely it can be proven that given the knowledge RSA had, RSA should have assessed the algorithm to be most likely backdoored, at the time where they introduced it.

In cryptography it is generally accepted best practice, that any constant whose value isn't justified in some way, should be assumed to be a backdoor until proven otherwise. That is a principle, which RSA knows about. Additionally it has been public knowledge for many years that DECDRBG was relying on a constant whose value was not justified, moreover it had been formally proven, that there was a way to hide backdoor in that constant. It's like finding a smoking gun and saying we can't be sure anybody fired that gun, it could be smoking for so many other reasons.

The fact that DECDRBG uses asymmetrical primitives for a task, which is usually done with symmetrical primitives, is in itself suspect. Symmetrical primitives are usually faster, and there is a wide range of attack techniques that could be applied on asymmetrical primitives but not on symmetrical primitives. Good reasons for asymmetrical primitives is when you are working on a task, which cannot be done symmetrically. In the case of DECDRBG the introduction of a backdoor could not have been done symmetrically.