F-Secure's Mikko Hypponen Cancels RSA Talk In Protest
An anonymous reader writes "In a letter to RSA executives, F-Secure's Mikko Hypponen says he is canceling his talk at the 2014 RSA Conference, due to the company's deal with the NSA, and how the agency has treated foreigners."
From the letter: "I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway — why would they care about surveillance that's not targeted at them but at non-Americans. Surveillance operations from the U.S. intelligence agencies are targeted at foreigners. However I'm a foreigner. And I'm withdrawing my support from your event."
As an American, I am giving my moral support to Mr. Hypponen for his courage to speak up against the unspeakable and despicable things that the NSA has done!
Muchas Gracias, Señor Edward Snowden!
Hypponen needs better news sources.
As an American, I don't believe for one second that it's not targeted at us, too. Mr. Hypponen has my support, as well.
Let me just say that, by far, most of us Americans *do* care about the surveillance going on in our country. And we're horrified by it.
Good for Mikko for taking a stand. Unfortunately, the NSA was monitoring Americans as well as foreigners, they just had to obfuscate their spying on American Citizens because it's illegal for them to target Americans without secret court permission.
The bottom line is that the world is no longer confident about software written in the US, and will seek alternatives sourced from Europe, Russia, China and elsewhere to regain the security and privacy which they believe they have lost.
The NSA will be directly responsible for a shift away from US standards, US software and US protocols ... because without confidence, those standards, software and protocols don't mean a damn thing. RSA, by simply going along with the NSA has damaged its brand name, possibly irreparably.
RSA has categorically denied that they cut a deal with the NSA. But Mr. Hypponen and the rest of the internet has declared them guilty based on unseen evidence. How is that fair?
First, no one said that life was fair. Secondly, RSA didn't categorically deny anything. Go parse their statement carefully. They've denied a specific scenario with several criteria, that's it.
How did the stock market react? RSA's mother company is EMC, isn't it? There doesn't seem to be much of an effect, on the contrary, gaining half a percent today? Or am I looking at the wrong data?
I support anyone that's willing to hit the brakes these days. Without people, nothing can succeed, nothing at all. If the only card we have to play - in this world of bullshit, lies and damn lies - is non-participation, then we have to play it. To keep going on like "everything is just what it is and there's nothing that we can do to change it" is to play into the continuation of the problem. To see others acting upon this truth is heart-warming and gives hope to others that are doing it.
RSA has categorically denied that they cut a deal with the NSA. But Mr. Hypponen and the rest of the internet has declared them guilty based on unseen evidence. How is that fair?
You can expect that to become a trend. The NSA has well and truly fucked over the entire American IT security industry. Even ultra-low-end "security" products like home broadband routers have become suspect, thanks to their interference.
Fair? No. Obvious consequence of the NSA's actions? Absolutely. People haven't trusted them for decades - Anyone remember Tempest? Or the improved S-Boxes that made DES more resistant to an attack that wouldn't exist for another 25 years? But in the back of our minds, we always told ourselves they might count as completely scary bastards, but at least they counted as our completely scary bastards. Now we know better - They have zero regard for US law and work for no one but themselves.
On a positive note, I'd still rather see the TSA disbanded first. But at this point, they both need to go.
Then again, this just follows a loooong history of ineffective, illegal, self-serving "intelligence" agencies in the US, from Hoover's FBI to Bush-the-elder's CIA to our current situation, you'd think we'd eventually learn and say "no more". Sadly, most people don't even have a clue we have a problem, or worse, outright support giving up our freedoms if it will protect us from the evil brown people across the sea.
Pathetic, the whole lot of us.
Please read the complete RSA press release and parse it carefully: https://blogs.rsa.com/news-media-2/rsa-response/
They don't deny that they entered into a deal. They deny that they entered into a deal "with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products". In other words, there was a deal, but they are insisting that they didn't realize at the time that the algorithm had a backdoor.
If there was no deal at all, they wouldn't have felt a need to qualify the denial with the above quoted text.
You haven't done your research.
It has been known for years that RSA pushed an insecure algorithm by default, and it was suspected that it was intended as a backdoor. What wasn't known was their motivation behind it. We recently have been given information that the NSA gave them money in exchange for their service. Sure, you can claim it was all made up, but everything else given to us by Snowden to date has been accurate. Meanwhile, those that would be negatively impacted by these revelations (such as the NSA, the president, various large tech companies, etc.) have been caught lying non-stop about it. I wouldn't exactly say it is hard to imagine that RSA is going to claim they weren't involved in an attempt to save themselves.
RSA has categorically denied that they cut a deal with the NSA.
Not quite. They have done no such thing. The RSA has not denied working with the NSA, accepting money, nor weakening encryption. They simply said they did not create a contract with the NSA. It was nothing but deflection using weasel words.
No matter how you want to spin it, RSA is not the victim here. Citizens across the globe are. That is what is not fair.
As symbolic as this is, it's worth pointing out that the RSA Conference and RSA Security are two separate corporate entities (and I worked with both, producing RSA Security's own booth content at RSA Conference 2011). They do however, all funnel back up to EMC (y'know.. the world's largest storage systems corporation).
You can expect that to become a trend. The NSA has well and truly fucked over the entire American IT security industry. Even ultra-low-end "security" products like home broadband routers have become suspect, thanks to their interference.
Much as I truly *loathe* the NSA crimes of late, I must stand in their defense on this one - at least with how you stated it. The security of *all* (low and high end) security products like home broadband routers was *extremely* suspect even before the Snowden revelations. The mere fact that the industry is allowed to operate like this (mobile phones that never get security updates are as bad or worse) is what clued people like me into the scope of what could be revealed by someone like Snowden. It's been 6 months and it still almost feels unreal, just because of how unreal the prior decade felt. And it felt that way *because the NSA were actively hiding from the public, domestic and foreign, the Swiss-cheese fabric of our internet and computing security*. But you can't be a typical Slashdot-reading techie, certainly now in retrospect, and say "oh, _now_ the security of these devices has become suspect". It was suspect all along. I would have expected to see monthly patches rolling out to my home router, if I imagined the device was being actively security-supported in any way. And the companies were probably just quid-pro-quo happy to not have to invest in real security for the devices. I'm sure the NSA probably leaked to the companies or the public those security holes it wanted fixed, but kept to itself the ones it didn't want. Open source, many eyes, folks. It's the first step toward the only real hope I see.
RSA has categorically denied that they cut a deal with the NSA. But Mr. Hypponen and the rest of the internet has declared them guilty based on unseen evidence. How is that fair?
Oh no you didn't...
RSA was aware that the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) had been backdoored since 2007,
http://yro.slashdot.org/story/13/12/23/0357228/rsa-flatly-denies-that-it-weakened-crypto-for-nsa-money
They waited an ample 5 years before they warned that it shouldn't be used.
http://it.slashdot.org/story/13/09/21/2143250/rsa-warns-developers-not-to-use-rsa-products
I'm sure they just wanted to double check their findings first.
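What "backdoored" means for Dual EC DRBG is concrete enough to show in code. The following is an added example, not code from the thread, from RSA or from the standard: it models the generator's structure from SP 800-90A (state s, two fixed points P and Q, output is the x-coordinate of s*Q with its top bits dropped) on a small toy curve, plants the trapdoor relation d*Q = P that whoever chose the constants could keep for themselves, and then recovers the internal state from two outputs and predicts the rest. The prime (10007), the curve y^2 = x^3 + x + 1, the seed, the trapdoor value and the 4-bit truncation are all assumptions made for this demo; the real generator uses P-256 and drops 16 bits, which changes only the size of the brute-force step.

```python
"""Toy model of the Dual EC DRBG backdoor (constructed example, toy curve).

Structure follows Dual EC DRBG from SP 800-90A, one call at a time:
    s <- x( s * P )                 state update
    r <- x( s * Q ) & MASK          output, top bits dropped
Whoever chose Q and knows d with d*Q = P turns one truncated output into a
few candidate points R = s*Q, multiplies each by d to get s*P (the next
state), filters with the following output, and then predicts every later
output.  The prime, curve, seed and trapdoor below are assumptions made for
this demo, not the P-256 parameters of the real standard.
"""
from math import gcd

P_MOD = 10007                         # prime, P_MOD % 4 == 3 so sqrt is one pow()
A, B = 1, 1                           # toy curve y^2 = x^3 + A*x + B
INF = None                            # point at infinity
KEEP_BITS = P_MOD.bit_length() - 4    # drop 4 top bits (real DRBG drops 16)
MASK = (1 << KEEP_BITS) - 1


def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """A curve point with this x-coordinate, or None if there is none."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y - rhs) % P_MOD == 0 else None


def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc = ec_add(acc, pt)
        n += 1
    return n


def find_base_point():
    """First point on the toy curve lying in a large subgroup (stand-in for P)."""
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt is not None and pt[1] != 0 and point_order(pt) > P_MOD // 4:
            return pt
    raise RuntimeError("no suitable base point")


BASE_P = find_base_point()
ORDER = point_order(BASE_P)


def plant_backdoor(d=7919):
    """Whoever fixes the constants keeps d and publishes Q = d^-1 * P, so d*Q = P."""
    while gcd(d, ORDER) != 1:
        d += 1
    return d, ec_mul(pow(d, -1, ORDER), BASE_P)


SECRET_D, Q = plant_backdoor()        # assumed trapdoor value for the demo


class DualEC:
    def __init__(self, state):
        self.s = state

    def next_output(self):
        self.s = ec_mul(self.s, BASE_P)[0]      # s <- x(s*P)
        return ec_mul(self.s, Q)[0] & MASK      # r <- x(s*Q), truncated


def recover_states(out1, out2, d):
    """Internal states (the one that produced out2) consistent with two outputs."""
    found = []
    for high in range((P_MOD >> KEEP_BITS) + 1):
        x = (high << KEEP_BITS) | out1        # fill in the dropped top bits
        if x >= P_MOD:
            break
        R = lift_x(x)                         # candidate for s*Q; sign is irrelevant
        if R is None or R[1] == 0:
            continue
        nxt = ec_mul(d, R)                    # d*(s*Q) = s*P, i.e. the next state
        if nxt is INF:
            continue
        s_next = nxt[0]
        r = ec_mul(s_next, Q)
        if r is not INF and (r[0] & MASK) == out2:
            found.append(s_next)
    return found


def run_attack(seed=4242, n_outputs=6):
    """Draw n_outputs from the generator, then predict outputs 3.. from the first two."""
    gen = DualEC(seed)
    outs = [gen.next_output() for _ in range(n_outputs)]
    predictions = []
    for state in recover_states(outs[0], outs[1], SECRET_D):
        clone = DualEC(state)
        predictions.append([clone.next_output() for _ in range(n_outputs - 2)])
    return outs, predictions


if __name__ == "__main__":
    outs, preds = run_attack()
    print("generator:", outs)
    print("attacker :", preds)
```

Running `run_attack()` gives the generator's six outputs and, from only the first two, a prediction list that contains the remaining four exactly. Without d, recovering s*P from s*Q is the elliptic-curve discrete logarithm problem, which is why the generator looks sound to anyone who did not choose Q; the 2007 observation was that the published constants could have been generated this way, and nothing in the standard showed they had not.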
Secondly, RSA didn't categorically deny anything. Go parse their statement carefully. They've denied a specific scenario with several criteria, that's it.
The quote is right there on the RSA's site..
and the first sentence says:
Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.
They rattle on with a bunch of marginally relevant stuff, then follow up with:
RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.
Two "categoricallys" within half a page of text, and you missed both of them.
So right away, you are wrong. Clearly you didn't bother to read their statement at all.
The word categorically can never apply to a specific scenario.
Can they be innocent in all this? It's not inconceivable; they could have been duped by the NSA. But in that case they are incompetent, so the stigma still attaches.
In Mikko's own words it's time to act. I guess this means he is taking his own advice. I have in my own very small way been pushing up the price of surveillance: HTTPS Everywhere, Disconnect, DuckDuckGo etc... haven't been motivated enough for Tor yet because I share a slow connection. Still, we can and must act in small ways in our browsing behavior, purchasing decisions, and any other ways we can come up with. We're lucky that others of us are already acting in not so small ways, and we must support them.
BTW here's Mikko's recent TED talk on the topic if you haven't seen it yet.
I am dropping RSA as my SSO security system and prepping for another now.
I would have hoped y'all would have got that hint in 2011 after a breach at RSA compromised their customers' fobs... better late than never.
Dude... seriously? You think the rule of law is going to have any impact on this situation? Admit it... we are all cowards
Do they categorically deny taking a 10 million dollar payment from the NSA?
No. On that all they said was they "don't divulge details".
Do they categorically deny they incorporated Dual EC DRBG random number generator into its BSAFE encryption libraries?
No. They can't deny that. Because its clearly something they did in fact do.
Do they categorically deny they took 10 million dollars from the NSA to incorporate Dual EC DRBG into BSAFE?
Well... again.. no, not really. They categorically deny they ever intended to weaken products or incorporate known flaws.
Basically all they categorically deny is that they KNEW what they were doing. Here's a decent article on it...
http://www.techdirt.com/articles/20131222/23532125671/rsas-denial-concerning-10-million-nsa-to-promote-broken-crypto-not-really-denial-all.shtml
Me, I haven't seen the documents alleging the connection between $10M and setting Dual EC DRBG as default in BSAFE... and I would dearly like to see how much of a smoking gun it really is.
GP was speaking metaphorically. They have categorically denied some things that were not relevant, but they were not the things they were accused of. Did they get paid $10m by the NSA to use a poor cryptographic solution? Yes, they did, and neither of their categorical statements address this.
Not quite.
They denied a "secret contract" to incorporate a known flawed RNG into BSAFE.
They did NOT deny a secret contract to incorporate DRBG.
If they did not know, at the time they made the deal that the RNG was flawed, then they could truthfully claim they did not knowingly take money to incorporate a known flawed RNG.
The pedant in me would like them to categorically deny any link between the $10 million and incorporating Dual EC DRBG.
They didn't actually do that.
Given just how much scrutiny they KNEW their statement would be put under, and the fact that their lawyers would have reviewed the thing before it went up, it is striking that so many news sources are identifying it as a dodge rather than a head-on denial.
Here's another article...
http://www.theverge.com/2013/12/23/5237788/rsa-nsa-backdoor-non-denial
Its hard to believe, again, given just how much scrutiny they KNEW their statement would be under, that the lack of certainty was anything but calculated.
If they got it with the help of or input from the NSA, and they took it at face value, they are either incompetent or naive. So guilty, naive, or incompetent. Does it really matter? Goose cooked. Either way.
I hate to be *that guy*, but everyone needs to understand two significant points:
1. After a couple of months of watching the PRISM scandal unfold I now believe this is a "Hiroshima moment". Never before in human history was it possible to spy on everyone. To have a file on everyone. The secret services (the bad as well as the good) always had to focus on a select few. No more. We are living in 1984.
2. I firmly believe the main reason why other spy agencies are not doing what the NSA is doing is because of their limited capabilities. Both in less money and resources, but also in reach. Google, Facebook, Apple and Microsoft are US based. Many important internet exchanges as well. This point is especially important, because of the US tradition of transparency and whistleblowing. As American as the NSA may be, Snowden is even more so. I can't imagine a Chinese Snowden. And even if he existed, would they have a broad discussion on that subject in China? How about Russia? Or even the UK? GCHQ has been as bad as the NSA, yet do we see a broad and honest discussion about it in London?
I hate the constant and ubiquitous surveillance, but the technology advances were the ones that brought them here. The NSA were only the first and foremost ones that took advantage of the new tools. They become cheap fast. Soon every spy agency will have them. This is a very useful and helpful discussion we are having right now. Because we either need to encrypt everything and move everyone onto Tor, or get used to having a file on everyone. There is no "gentlemen's agreement" (no-spy-agreement, UN accord, whatever), because there is no way to enforce it.