Security Experts Call For Boycott of RSA Conference In NSA Protest
Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further, calling for a boycott of the conference and saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"
"'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
The only thing interesting about this affair is that RSA only got $10M.
As child porn wouldn't affect the customers' bottom line.
This is more like Bernie Madoff hosting an ethics conference.... today.
Why not just recast the conference as a black hat/government contractor conference and show the tiniest amount of honesty.
About time more Americans started acting Snowden-like. As in ballsy.
Kind of hard to build a case on hearsay. Prove they received 10M, and they will be sued into nothingness. But this is "he said she said" - ain't worth shit.
Seven puppies were harmed during the making of this post.
Reuters reported that they did.
Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.
Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.
So, who's going to sue them? And on what grounds?
'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr.
The CEO getting involved in child porn means his personal life is tainted and he goes to jail and hell and all that.
This is bad news for the company because people lose their trust in the company. No one needs to identify with the CEO of a company... but not trusting a company in the security field doesn't bode well for said company.
you can defend them all you want.
at this point, anything that comes to light about NSA and shows them in a bad light, I will fully believe until THAT is proven otherwise.
given the reputation, it sounds more likely than not. we're seeing the true colors of the 'security' industry, here, and it's about time!
and anyone who defends the nsa or rsa, well, you've shown YOUR true colors, as well.
--
"It is now safe to switch off your computer."
for not truthfully advertising their products as "Insecurity Solutions"
We're all running systems based on some derivative of Unix. The user based permission model was fine for 1970s computer science departments, but it's totally crap for the world we now live in. We all should be running systems that are at least Orange Book A1 level secure, but we aren't. The resources are available to do it, we could totally pump this out in a year or two in the open source world.... but we won't.
Everyone thinks they have secure enough systems... but they don't, not by a country mile. Nobody seems to understand that trusting applications to do their jobs, and not subvert the systems, is a stupid thing.
We have persistently insecure computing... encryption, even if done perfectly, doesn't help fix that.
The wikipedia entry is good on this:
http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor
RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit.
I was also skeptical when I first saw the news articles (like this one) that said that RSA had published a statement where they supposedly refuted the existence of that NSA deal. The existence of the deal was originally broken by Reuters in this article, where they cite "two sources familiar with the contract" as their sources. But then, after more in-depth analysis of the RSA blog post where they supposedly "denied" the existence of the deal, it was revealed that actually RSA neither denied nor acknowledged in their statement that such a deal existed. They are just using general wording to give the impression that they would certainly never do such a thing. But they are not directly denying the existence of the deal.
Now, thinking logically, it's pretty damn clear that they would have denied that such a deal was ever made, if they were in a position to make such a claim. But given they don't directly deny the claims presented by Reuters, it would seem a much more logical explanation that the deal indeed was made, and RSA just went into damage control mode after the publication of the Reuters article. Lying to the public would have meant more damage if Reuters had later been able to present the actual paper of the deal, so I suppose we can take their lack of directly denying this deal's existence as an admission of sorts. This is also the reason why speakers are canceling their appearances at the conference ("Your company has issued a statement on the topic, but you have not denied this particular claim.")
So, I think we have grounds to believe that there is actually quite a lot of truth to the original story by Reuters. As they say, the deal was "handled by business leaders rather than pure technologists". I am pretty sure that this is yet another example of a major manager-level f*ck-up. Tech companies very often have all the expertise at the technical personnel level, while managers are a "necessary evil" who often have much less insight into the technical field where the company actually operates. Of course, anyone with even the slightest idea of how the IT security field functions would never ever endanger their company's credibility (at least for such a small reward as $10 million), because deals like this tend to resurface in the public sphere sooner or later. All we can assume is that someone in the management made a very major f*ck-up and made this secret deal with the NSA without much consultation with the technical folks. But I am pretty sure that now that this deal has surfaced in the public sphere, it will end up costing RSA a great deal more in lost sales than what the "business leaders" anticipated they could gain in the short term from making the deal with the NSA.
Not a cipher, but a pseudo-random number generator. Which means that every cipher, signature, or other algorithm that used random keys was compromised.
Standard or not, it's been shown, since 2006, that Dual_EC_DRBG is at best cryptographically flawed, and at worst backdoored. There have been better suited algorithms available and supported before, during, and after 2006. So how quickly did this security company update their software? When did RSA stop using a poor and vulnerable algorithm as the default? September 2013.
That's either incompetence or malice. Neither of which should be supported or trusted in a supposed "security" company.
Not quite. I am telling you that because of abortion, no one is willing to stop the NSA putting back doors in software.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
What end-user products should one avoid in order to avoid this back door?
Politics; n. : A religion whereby man is god.
Not necessarily. Before the leaks, who really thought that much about the NSA and what it was doing? Maybe some of us really thought about it and suspected the NSA was spying on us all, but most of us were unaware; it just wasn't something that came up on our radar. Now that there's lots of evidence about what the NSA's been doing, including admissions from the NSA themselves (and a lot of nasty statements by NSA leadership about various people who oppose their spying programs), the onus is on the NSA to disprove any new allegations that arise. At this point, for me (and the OP I'm sure), the NSA has proven themselves to be completely untrustworthy, so for any new allegations against them, I'll choose to believe the allegations until the NSA can really prove them wrong. Why would I do otherwise? It's all about trust: without good evidence, you can only go on trust (and knowledge of what's really feasible; e.g., the NSA monitoring our thoughts by brain implants is obviously fantasy so allegations that aren't feasible like that can be dismissed). Since I distrust the NSA completely, I'll always believe the other side until they're proven wrong.
Revelations of back doors are, as I suspect, limited - perhaps there are many more that we don't know of yet. And since that's the case, since people are more into making money than they are into making sense, then "computers" themselves cannot be "trusted". That doesn't mean that we can't use them as they are, however. I'm not about to go off and learn what the shit "systems that are at least Orange Book A1 level secure" even means. I'm going to continue to use commercial software and hardware, because life's simply too short, and I only care so much about privacy - as long as I'm not being charged with some bullshit charge (and I have been charged with some bullshit charge in the past) that I cannot prove is a bullshit charge (I was able to prove that what I was charged with was total bullshit and it got thrown out), aka some terrorist plot or something like that.
"Computers" should be treated like girls that have a stinky vagina. There's obviously something wrong, but that doesn't mean that she's not cool to talk to, ask questions of, play games with.
Politics; n. : A religion whereby man is god.
Huh?
I'll break this issue down into three levels. First there's the compromised algorithm itself. The algorithm and source code for it is public. Anyone can trivially test that it's about a hundred times SLOWER than the alternative algorithms. It has zero redeeming features. And anyone with the slightest security knowledge can see that it was covered in huge red flags all over it (unexplained magic numbers pulled out of the algorithm-submitter's ass are a HUGE security no-no). It had squat track record of being vetted by the global security community for flaws. No one with the slightest security expertise would ever willingly use it, much less set it as a default algorithm.
Second, there's RSA's products. Anyone who bought it can check the configuration to see that the compromised algorithm is in there, and that it's set as the default. Anyone with an internet connection can do a search and check the product specs. I'll admit I haven't personally checked this detail, but it's beyond implausible that the story has run this long without anyone here posting a fact-check on it if it were false.
So that just leaves the third aspect. Whether RSA got paid twenty pieces of silver.... errr.... I mean ten million dollars....to set the compromised algorithm as the default in their products. I would say that is a foregone conclusion when RSA's response to the story was an astonishingly lame we-didn't-know-it-was-compromised and we-would-never-knowingly-compromise-our-customers'-security. If they hadn't been paid $10 million by the NSA to do it, then the first words out of their mouths would have been to deny the $10 million NSA payment.
So that just leaves us with two possibilities. Either RSA knowingly took a $10 million payoff to look the other way and install a compromised back door as the default setting in their products, or they don't have a single competent security person on their entire staff.
It's hard to say which of those two possibilities would be worse for a security company, but we don't have to ponder which applies here. It is utterly implausible that RSA doesn't have competent security experts on staff. They make highly sophisticated security products. They know damn well how to make products that will strongly protect you from attack by random hackers. However they are also willing to sell out your security so that the US Government has a back door into your system.
So... if you want top tier security products to protect your business and you don't give a hoot that it comes with a back door for US spook agencies, sure, go with RSA. They've got some of the top security experts. But if you want security products that don't come with back doors, there are other world-class security companies to turn to. World class security companies with world class security experts who, even in a drunken stupor, would never select an unproven, absurdly slow, ugly, blatantly-backdoored random number generator to use.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Even if it can be proven that they received $10M and that they knowingly introduced the backdoor, it is hard to prove that the money was payment for introducing the backdoor. However, it might be sufficient to prove that they knowingly introduced the backdoor. What payment they received for it shouldn't affect the outcome of the case, because it is not the payment that is hurting the customers, it is the backdoor.
Can we prove that RSA knew about the backdoor? Maybe not, but most likely it can be proven that, given the knowledge RSA had, RSA should have assessed the algorithm to be most likely backdoored at the time they introduced it.
In cryptography it is generally accepted best practice that any constant whose value isn't justified in some way should be assumed to be a backdoor until proven otherwise. That is a principle RSA knows about. Additionally it has been public knowledge for many years that DECDRBG was relying on a constant whose value was not justified; moreover it had been formally proven that there was a way to hide a backdoor in that constant. It's like finding a smoking gun and saying we can't be sure anybody fired that gun, it could be smoking for so many other reasons.
The fact that DECDRBG uses asymmetrical primitives for a task which is usually done with symmetrical primitives is in itself suspect. Symmetrical primitives are usually faster, and there is a wide range of attack techniques that could be applied to asymmetrical primitives but not to symmetrical primitives. A good reason for asymmetrical primitives is when you are working on a task which cannot be done symmetrically. In the case of DECDRBG the introduction of a backdoor could not have been done symmetrically.
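Editor's added example (not code posted by anyone in this thread, nor RSA's or NIST's): the two comments above, the "three levels" one about magic numbers pulled out of nowhere and this one about an unjustified constant plus asymmetric primitives where symmetric ones would do, both describe the same mechanism. The toy below is Dual_EC_DRBG's structure (state s, s <- x(s*P), output x(s*Q) with some top bits dropped) over a small constructed curve, with the "unexplained constant" Q chosen so that the designer secretly knows e with P = e*Q. Whoever holds e turns one truncated output into the generator's next internal state and predicts everything that follows; everyone else sees a generator that is merely slow. The prime, curve coefficients, secret scalar and seed are all assumptions for the demo; the real generator uses P-256 and drops 16 bits, so the candidate search there is 2^16 instead of the 2^3 here.

```python
# Toy Dual_EC_DRBG with a planted P/Q relation. Added illustration, not RSA/NIST
# code; the prime, curve, secret scalar and seed are all constructed for the demo.

P_MOD = 2**31 - 1          # toy field prime, p = 3 mod 4 so sqrt is a single pow()
A, B = 2, 3                # toy curve y^2 = x^3 + A*x + B (NOT NIST P-256)
TRUNC_BITS = 3             # bits dropped from each output; the real DRBG drops 16
OUT_BITS = P_MOD.bit_length() - TRUNC_BITS
MASK = (1 << OUT_BITS) - 1


def inv(a):
    return pow(a % P_MOD, P_MOD - 2, P_MOD)


def is_on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def x_of(pt):
    if pt is None:
        raise ValueError("degenerate state (point at infinity)")
    return pt[0]


def lift_x(x):
    """A curve point with this x, or None if x^3+Ax+B is a non-residue."""
    v = (x ** 3 + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y) % P_MOD == v else None


def make_params(e):
    """Designer picks the 'unexplained constant' Q, then plants P = e*Q.
    (In the standard P is the fixed generator and Q = d*P; same trapdoor with
    e = d^-1 mod the group order. Only whoever chose d can use it.)"""
    x = 7
    while lift_x(x) is None:
        x += 1
    Q = lift_x(x)
    return mul(e, Q), Q


class DualEC:
    """Simplified Dual_EC_DRBG: s <- x(s*P); r <- x(s*Q); emit r minus top bits."""

    def __init__(self, P, Q, seed):
        self.P, self.Q, self.s = P, Q, seed

    def next_output(self):
        self.s = x_of(mul(self.s, self.P))
        return x_of(mul(self.s, self.Q)) & MASK


def recover_state(e, Q, out1, out2):
    """Trapdoor holder: from two consecutive outputs, recover the state that
    produced out2. For each guess of the dropped bits, lift R = s*Q from its
    x-coordinate; then e*R = s*(e*Q) = s*P, whose x IS the next state.
    out2 only serves to confirm which candidate was the right one."""
    for prefix in range(1 << TRUNC_BITS):
        x = (prefix << OUT_BITS) | out1
        R = lift_x(x) if x < P_MOD else None
        if R is None:
            continue
        try:
            s_next = x_of(mul(e, R))
            if x_of(mul(s_next, Q)) & MASK == out2:
                return s_next
        except ValueError:      # candidate hit a low-order point; not the real R
            continue
    return None


def predict_next(e, P, Q, out1, out2):
    """Predict the third output from the first two, or None if e is wrong."""
    s = recover_state(e, Q, out1, out2)
    if s is None:
        return None
    s = x_of(mul(s, P))
    return x_of(mul(s, Q)) & MASK


if __name__ == "__main__":
    SECRET_E = 0x5EC7E7                    # assumed trapdoor scalar, designer-only
    P, Q = make_params(SECRET_E)
    drbg = DualEC(P, Q, seed=123456789)    # assumed victim seed, never seen by attacker
    o1, o2, o3 = drbg.next_output(), drbg.next_output(), drbg.next_output()
    print("victim's third output :", o3)
    print("attacker's prediction :", predict_next(SECRET_E, P, Q, o1, o2))
    print("with the wrong scalar :", predict_next(SECRET_E + 1, P, Q, o1, o2))
```

Two things worth noticing. First, the attacker never needs the seed, only one output plus a second one to confirm the guess of the dropped bits; with a real 16-bit truncation that is 65,536 candidates, a few seconds of work. Second, nothing in the generator betrays the relation: Q is just a point, and if it had been derived in a verifiable way (say, hashed from a published string, so that nobody could know e), recover_state would have nothing to work with. NIST published Q with no such derivation, which is the "unexplained magic number" complaint. The cost point in the other comment also falls out of the code: every output needs two scalar multiplications, which is why this construction is orders of magnitude slower than a hash- or block-cipher-based DRBG.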
Do you care about the security of your wireless mouse?
I agree; barring incontrovertible evidence to the contrary, the NSA will never be believed again.
Time to dismantle the entire operation and start over with new people; obviously none of these people understand what Domestic enemies are: People who are destroying the Constitution.
It is being destroyed because it is being ignored in the name of "National Security"; that bill of rights is so inconvenient for Despots.
They didn't need to repeal it; take a look around; they know there's nothing we can do about it.
Congress is likely being blackmailed into silence; in our society, everyone is guilty of something, are they not?
And here we always thought the "tinfoil hat" and gun nuts were just crazy... :facepalm:
Truth isn't Truth - Giuliani