Security Experts Call For Boycott of RSA Conference In NSA Protest 112
Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further calling for a boycott of the conference, saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"
money boycott (Score:5, Interesting)
"'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.
Reuters reported it. (Score:4, Interesting)
Reuters reported that they did. [reuters.com]
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.
So, who's going to sue them? And on what grounds?
Has anybody seen the actual "evidence"? (Score:1, Interesting)
I asked this when this original story first broke headlines. There are allegations, but has anybody ACTUALLY seen proof they compromised security on the NSAs wishes for a paltry $10M?
When I attended the conferences back in the 1990's, the NSA was there...they even presented findings on the strength of DES and the need for a newer algorithm. Skipjack and Clipper, promoted by Al Gore, was the scare at the time.
Back then, licensing of the libraries (BSafe and TIPEM) came in two flavors - the low-cost Mom/Pop shop licensing (with 10% royalties paid on profits and $10K for a license to distribute and $250K+lower royalties for larger organizations. Being a little guy, the Mom/Pop deal made sense. Larger corporations would easily pay out $10M from royalties alone.
The licensing has since changed - probably because of the expiration of the RSA related patents. Perhaps, the new owners, EMC, felt that they should take the money (they are publicly traded, right?). RSA Labs was private in the past (and, had a reputation to uphold). It was well known at the time there were values that would make algorithms such as RSA and Diffie-Hellman and DES/3DES weak. Discussions centered on how to eliminate those weaknesses. EC was just coming into existence outside of the academic circles. Given source was available (for a price) and compilable, there was plenty of opportunity to examine the code for holes. The biggest, publiclly, known threat we knew of was when SecureId and SecureToken was compromised - that was admitted by the company. Too much money, particulary in secure systems design and certification was to be made - why build upon a loosely constructed house of cards?
So, did RSA/EMC intentionally weaken their products for a paltry $10M? Where is the proof, beyond circumstantial supposition, that this occurred? Can somebody point me to links showing this evidence? Or, is this conjecture based on documents that Snowden supposedly "leaked"? If so, how was the veracity and authenticity of these "admissions" proven? Is there a check, signed contract or ledger book showing the transaction(s) actually took place?
Sadly, so many in the security field will do anything to make a name for themselves - 15 minutes of fame. If there is real proof, then the call for a boycott and public raking over the coals is justified. I am asking to see the proof.
A bigger problem we, as consumers and businesses, are now facing are all the compromised wireless routers that was revealed last week. Given that the shutdown of Blackhole malware kit and no suitable replacement, we are seeing a rise of Ransom-ware. But, a single compromised machine on a wireless network behind one of these routers opened up the entire network - the attackers could access ANY machine without having to go through the originally infected host at will. We should be asking how THAT happened and insist upon inspection of the hardware and firmware by respected engineers and cryptographers (under NDA) for any critical parts or components sold for use in our routers. Their stamp would put their reputations on the line if an easily manifested exploit were found. And, did any of the companies selling products with these vulnerabilities know of the backdoors in their products? Just wondering.
Re:money boycott (Score:5, Interesting)
boycotting the conference is the first step and will add to their reputation, companies not doing business is the natural consequence that will follow
Missed point - off topic comment to follow (Score:3, Interesting)
We're all running systems based on some derivative of Unix. The user based permission model was fine for 1970s computer science departments, but it's totally crap for the world we now live in. We all should be running systems that are at least Orange Book A1 level secure, but we aren't. The resources are available to do it, we could totally pump this out in a year or two in the open source world.... but we won't.
Everyone thinks they have secure enough systems... but they don't, not by a country mile. Nobody seems to understand that trusting applications to do their jobs, and not subvert the systems, is a stupid thing.
We have persistently insecure computing... encryption, even if done perfectly, doesn't help fix that.
Re:Hmmmm (Score:5, Interesting)
ok then, let's have it (Score:5, Interesting)