Slashdot Mirror


Security Experts Call For Boycott of RSA Conference In NSA Protest

Hugh Pickens DOT Com writes "ZDNet reports that at least eight security researchers or policy experts have withdrawn from RSA's annual security conference in protest over the sponsor's alleged collaboration with the National Security Agency. Last month, it was revealed that RSA had accepted $10 million from the NSA to use a flawed default cipher in one of its encryption tools. The withdrawals from the highly regarded conference represent early blowback by experts who have complained that the government's surveillance efforts have, in some cases, weakened computer security, even for innocent users. Jeffrey Carr, a security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further, calling for a boycott of the conference, saying that RSA had violated the trust of its customers. 'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr. 'I don't know what worse action a security company could take than to sell a product to a customer with a backdoor in it.' Organizers have said that next month's conference in San Francisco will host 560 speakers, and that they expect more participants than the 24,000 who showed up last year. 'Though boycotting the conference won't have a big impact on EMC's bottom line, the resulting publicity will,' says Dave Kearns. 'Security is hard enough without having to worry that our suppliers — either knowingly or unknowingly — have aided those who wish to subvert our security measures.'"

20 of 112 comments

  1. money boycott by schneidafunk · · Score: 5, Interesting

    "'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:money boycott by Chrisq · · Score: 5, Insightful

      "'Though boycotting the conference won't have a big impact on EMC's bottom line"... not buying their products because there's a f-cking backdoor in it will.

      That relies on your company having people who see security as more than ticking a box to cover them if something goes wrong.

    2. Re:money boycott by kry73n · · Score: 5, Interesting

      boycotting the conference is the first step and will add to their reputation, companies not doing business is the natural consequence that will follow

  2. Cheap by Anonymous Coward · · Score: 4, Insightful

    The only thing interesting about this affair is that RSA only got $10M.

  3. Bad Analogy by Anonymous Coward · · Score: 4, Insightful

    As child porn wouldn't affect the customer's bottom line.

    This is more like Bernie Madoff hosting an ethics conference.... today.

    Why not just recast the conference as a black hat/government contractor conference and show the tiniest amount of honesty?

    1. Re:Bad Analogy by DickBreath · · Score: 3, Informative

      I agree. The child porn analogy is a bad one. If the CEO were found with it, that would make me think differently of him, but not necessarily the company itself. (Unless he had somehow created a culture of this throughout the company.)

      What RSA has done is lose my trust in the company (which includes the CEO and the highest level decision makers in the company). Criminal personal actions of the CEO would only affect my perception of him and that he should be prosecuted -- and not necessarily the company if he had continued to make good business decisions on the company's behalf.

      --

      I'll see your senator, and I'll raise you two judges.
  4. Re:Give this guys some cake by Rosco P. Coltrane · · Score: 4, Insightful

    If all Americans started acting just a little Snowden-like, there would be another revolution in this country. That on the other hand is just some guy renowned in a very narrow, very specialized field, sulking.

    It's better than nothing though - as the American public's response to the absolute outrage that is this whole affair has only been a big, fat, shameful nothing.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  5. Reuters reported it. by Anonymous Coward · · Score: 4, Interesting

    Reuters reported that they did.

    Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September. Reuters later reported that RSA became the most important distributor of that formula by rolling it into a software tool called Bsafe that is used to enhance security in personal computers and many other products.

    Undisclosed until now was that RSA received $10 million in a deal that set the NSA formula as the preferred, or default, method for number generation in the BSafe software, according to two sources familiar with the contract.

    So, who's going to sue them? And on what grounds?

  6. This is worse than child porn (for the company) by Arrepiadd · · Score: 4, Insightful

    'I can't imagine a worse action, short of a company's CEO getting involved in child porn,' says Carr.

    The CEO getting involved in child porn means his personal life is tainted and he goes to jail and hell and all that.
    This is bad news for the company because people lose their trust in the company. No one needs to identify with the CEO of a company... but not trusting a company in the security field doesn't bode well for said company.

    1. Re:This is worse than child porn (for the company) by Alsee · · Score: 3, Funny

      I'm going to have to disagree. A company's CEO getting involved in child porn would definitely be worse.

      What sort of company has a child as CEO?

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  7. Re:Why aren't there any lawsuits yet? by TheGratefulNet · · Score: 5, Insightful

    you can defend them all you want.

    at this point, anything that comes to light about NSA and shows them in a bad light, I will fully believe until THAT is proven otherwise.

    given the reputation, it sounds more likely than not. we're seeing the true color of the 'security' industry, here, and it's about time!

    and anyone who defends the nsa or rsa, well, you've shown YOUR true colors, as well.

    --
    "It is now safe to switch off your computer."
  8. Re:Give this guys some cake by TheGratefulNet · · Score: 4, Insightful

    america's response is based on FEAR of the three letter agencies.

    even congress is not above them, and if they can't get honesty from the org, how can we even hope to get a fair shake?

    there won't be a revolution. the government has us locked up too much with fear and they also have more firepower and the fight would be horrible. no one wants that.

    peaceful ways won't work and we can't use any other ways.

    we feel helpless.

    what are we SUPPOSED to do, when the world's biggest (and essentially only) superpower has us fully under its control? what exactly do you propose when the powerful hold ALL the cards?

    fighting a less powerful government could be possible, but fighting the US government is not going to happen anytime soon.

    I think people care but they feel utterly unable to do a single thing to fight it or bring about change. I'd love to hear what you think we COULD do, for real, that will have any effect.

    --
    "It is now safe to switch off your computer."
  9. Re:Give this guys some cake by SirGarlon · · Score: 5, Insightful

    Privacy in America is complicated. The majority argument in the Supreme Court decision that legalized abortion, Roe v. Wade, was based on a right to privacy. Since then (1973), the Republican Party has refused to accept that a right to privacy exists, because that would imply that Roe v. Wade is based on a sound principle and therefore abortion has to remain legal. This puts us in the unfortunate position of privacy rights being collateral damage in the culture war. Any Federal court nominee is going to get asked in his/her confirmation hearings whether there exists a right to privacy, and an affirmative answer means the Republicans will block that nominee. Most nominees prevaricate.

    It's not the only reason privacy is a suppressed issue in mainstream American politics. Both parties have an authoritarian streak a mile wide (manifested in slightly different ways, so they can hate each other anyway) and privacy is the enemy of authority.

    A lot will have to change before America is willing to make privacy a priority. What I find encouraging about Snowden's revelations is that it looks like enough people are talking about privacy that the issue might not crawl away to die again. Give it time.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  10. Re:Has anybody seen the actual "evidence"? by Error27 · · Score: 4, Insightful

    The wikipedia entry is good on this:

    http://en.wikipedia.org/wiki/RSA_Security#NSA_backdoor

    RSA has not disputed any of the facts but only argued that they did it out of ignorance. $10 million buys a lot of stupid. $10 million is peanuts for EMC but for RSA at the time, it was quite a bit.

  11. Re:Has anybody seen the actual "evidence"? by hydrofix · · Score: 5, Insightful

    I was also skeptical when I first saw the news articles (like this one) that said that RSA had published a statement where they supposedly refuted the existence of that NSA deal. The existence of the deal was originally broken by Reuters in this article, where they cite "two sources familiar with the contract" as their sources. But then, after more in-depth analysis of the RSA blog post where they supposedly "denied" the existence of the deal, it was revealed that actually RSA neither denied nor acknowledged that such a deal existed in their statement. They are just using general wording to give an impression that they would certainly never do such a thing. But they are not directly denying the existence of the deal.

    Now, thinking logically, it's pretty damn clear that they would have denied that such a deal was ever made, if they were in the position of making such a claim. But given they don't directly deny the claims presented by Reuters, it would seem a much more logical explanation that the deal indeed was made, and RSA just went into damage control mode after the publication of the Reuters article. Lying to the public would have meant more damage if Reuters would have later been able to present the actual paper of the deal, so I suppose we can take their lack of directly denying this deal's existence as an admission of sorts. This is also the reason why speakers are canceling their appearance in the conference ("Your company has issued a statement on the topic, but you have not denied this particular claim.")

    So, I think we have grounds to believe that there is actually quite a lot of truth to the original story by Reuters. As they say, the deal was "handled by business leaders rather than pure technologists". I am pretty sure that this is yet another example of a major manager-level f*ck up. Tech companies very often have all the expertise on the technical personnel level, while managers are a "necessary evil" who often have much less insight into the technical field where the company actually operates. Of course, anyone with even the slightest idea of how the IT security field functions would never ever endanger their company's credibility (at least for such little reward as $10 million), because deals like this tend to resurface in the public sphere sooner or later. All we can assume is that someone in the management made a very major f*ck-up and made this secret deal with NSA without much consulting from the technical folks. But I am pretty sure that now that this deal has surfaced in the public sphere, it will end up costing RSA a great deal more in lost sales than what the "business leaders" anticipated they could gain in short term from making the deal with NSA.

  12. Re:Hmmmm by SirGarlon · · Score: 4, Interesting

    Not quite. I am telling you that because of abortion, no one is willing to stop the NSA putting back doors in software.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  13. ok then, let's have it by BringsApples · · Score: 4, Interesting

    What end-user products should one avoid in order to avoid this back door?

    --
    Politics; n. : A religion whereby man is god.
  14. Re:Why aren't there any lawsuits yet? by Grishnakh · · Score: 4, Insightful

    Not necessarily. Before the leaks, who really thought that much about the NSA and what it was doing? Maybe some of us really thought about it and suspected the NSA was spying on us all, but most of us were unaware; it just wasn't something that came up on our radar. Now that there's lots of evidence about what the NSA's been doing, including admissions from the NSA themselves (and a lot of nasty statements by NSA leadership about various people who oppose their spying programs), the onus is on the NSA to disprove any new allegations that arise. At this point, for me (and the OP I'm sure), the NSA has proven themselves to be completely untrustworthy, so for any new allegations against them, I'll choose to believe the allegations until the NSA can really prove them wrong. Why would I do otherwise? It's all about trust: without good evidence, you can only go on trust (and knowledge of what's really feasible; e.g., the NSA monitoring our thoughts by brain implants is obviously fantasy so allegations that aren't feasible like that can be dismissed). Since I distrust the NSA completely, I'll always believe the other side until they're proven wrong.

  15. Re:Why aren't there any lawsuits yet? by kasperd · · Score: 3, Informative

    Kind of hard to build a case on hearsay. Prove they received 10M, and they will be sued into nothingness. But this is "he said she said" - ain't worth shit.

    Even if it can be proven that they received 10M$ and that they knowingly introduced the backdoor, it is hard to prove that the money was payment for introducing the backdoor. However, it might be sufficient to prove, that they knowingly introduced the backdoor. What payment they received for it, shouldn't affect the outcome of the case, because it is not the payment, which is hurting the customers, it is the backdoor.

    Can we prove that RSA knew about the backdoor? Maybe not, but most likely it can be proven that given the knowledge RSA had, RSA should have assessed the algorithm to be most likely backdoored, at the time where they introduced it.

    In cryptography it is generally accepted best practice, that any constant whose value isn't justified in some way, should be assumed to be a backdoor until proven otherwise. That is a principle, which RSA knows about. Additionally it has been public knowledge for many years that DECDRBG was relying on a constant whose value was not justified, moreover it had been formally proven, that there was a way to hide a backdoor in that constant. It's like finding a smoking gun and saying we can't be sure anybody fired that gun, it could be smoking for so many other reasons.

    The fact that DECDRBG uses asymmetrical primitives for a task, which is usually done with symmetrical primitives, is in itself suspect. Symmetrical primitives are usually faster, and there is a wide range of attack techniques that could be applied on asymmetrical primitives but not on symmetrical primitives. A good reason for asymmetrical primitives is when you are working on a task, which cannot be done symmetrically. In the case of DECDRBG the introduction of a backdoor could not have been done symmetrically.

    --

    Do you care about the security of your wireless mouse?
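
Added example (not part of the thread, nor any poster's or vendor's code): a Python sketch of the argument in kasperd's comment above, using a Dual_EC_DRBG-style generator on NIST P-256 with untruncated output, next to a constant derived from a public label. The secret `D`, the choice `Q = G`, the seed and the label are constructed for illustration; the real generator truncates each output, which leaves the holder of `D` a small search instead of a direct computation.

```python
import hashlib

# NIST P-256 domain parameters (one of the curves Dual_EC_DRBG was specified over).
p, a = 2**256 - 2**224 + 2**192 + 2**96 - 1, -3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(A, B):                        # affine point addition; None = point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if A == B: m = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:      m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, A):                        # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def lift_x(x):                        # point with this x-coordinate, if any (p % 4 == 3)
    v = (x**3 + a * x + b) % p
    y = pow(v, (p + 1) // 4, p)
    return (x, y) if y * y % p == v else None

def generate(P, Q, seed, n):          # untruncated Dual-EC-style outputs
    s, out = seed, []
    for _ in range(n):
        s = mul(s, P)[0]              # next state  s' = x(s * P)
        out.append(mul(s, Q)[0])      # output      r  = x(s' * Q)
    return out

def predict_next(r, d, Q):            # what whoever knows d (with P = d*Q) can compute
    s_next = mul(d, lift_x(r))[0]     # x(d * (+-s'Q)) = x(s' * P) = the next state
    return mul(s_next, Q)[0]

def derive_point(label):              # justified constant: hash a public label to a point
    for ctr in range(2**32):
        h = hashlib.sha256(label + ctr.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(h, "big") % p)
        if pt: return pt

D = 0xC0FFEE1234567890ABCDEF          # constructed secret, known only to the constant's author
Q = G
P_UNJUSTIFIED = mul(D, Q)             # an ordinary-looking point that hides P = D*Q
```

Nothing about `P_UNJUSTIFIED` distinguishes it by inspection from a point produced by `derive_point`; only a published derivation lets a reviewer rule out a hidden relation, which is why an unexplained constant is treated as suspect.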
  16. Much like everyone else on the planet... by Grog6 · · Score: 3, Insightful

    I agree; barring incontrovertible evidence to the contrary, the NSA will never be believed again.

    Time to dismantle the entire operation and start over with new people; obviously none of these people understand what Domestic enemies are: People who are destroying the Constitution.

    It is being destroyed because it is being ignored in the name of "National Security"; that bill of rights is so inconvenient for Despots.

    They didn't need to repeal it; take a look around; they know there's nothing we can do about it.

    Congress is likely being blackmailed into silence; in our society, everyone is guilty of something, are they not?

    And here we always thought the "tinfoil hat" and gun nuts were just crazy... :facepalm:

    --
    Truth isn't Truth - Giuliani