RSA Boycott Group Sets Up Rival Conference
judgecorp writes "The group of security experts who urged people to boycott the RSA conference (over allegations that the security firm RSA has taken a $10 million bribe from the NSA to weaken the security of its products) have put together a rival conference called TrustyCon just down the road from San Francisco's Moscone Center, where the EMC-owned firm will have its conference at the end of February."
Does anyone know if Stephen Colbert is still headlining the conference?
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Spy on them. Oh wait, they did this to all citizens on the planet...
Convinced people things were secure when in fact it's significantly weakened to allow the NSA to spy on people.
If we're to believe news reports, we all suffer from much worse internet security because the NSA et al wanted to be able to monitor stuff.
So, internet banking, internet shopping, and pretty much everything is suspected to now have flaws in the cryptography.
They've done this to all of us, regardless of if we've been to the conference.
Lost at C:>. Found at C.
What the fuck? A boycot in Sand Francisco? Does Samzenpus even read this stuff?
Slashdot: providing anti-social weirdos a soapbox, since 1997.
If I'm going to choose between who is more credible, the people providing examples and evidence of what they're doing ... or the lawmakers who keep braying that it's all legal ... then I'm afraid I'm more inclined to trust the news reports based on the leaks from Snowden.
By rather a considerable margin.
We already know the people defending this have lied about what they really do, which means they're not really deserving of any of our trust.
Lost at C:>. Found at C.
The alternate response is that if RSA did knowingly weaken commercial security, then you more or less have to stop trusting them.
Acting like they've had a change of heart, and promise to never do it again is meaningless.
In other words, the rest of the security community is turning their back on RSA for not being trustworthy -- and when you're a security company, that's a big deal.
Lost at C:>. Found at C.
You didn't ask me, but I can still provide an answer. "What has the NSA done to people?"
No frigging clue, because everything done is "secret". You can assume that they have done nothing, and I can assume they have done everything. Both of those are assumptions and neither could be proven.
So has the NSA turned over documents to police agencies, employers, the IRS, etc. that have led to investigations or damages? I believe we have enough circumstantial evidence to believe the first and third of those examples have happened. I'm not trying to patronize, but you can look at parallel investigations and the IRS investigating non-profits for more information. It was impossible to tell if you were defending them or not, so you may already have knowledge of the subjects.
This is why we should all be demanding transparency from the agency and accountability from the whole Government. We don't know what they are doing because they label everything "secret". I find it logical to assume that if they are immoral in one area, we can assume that they are immoral in more areas. Wrong follows wrong, always has and always will.
The same concerns we have over the NSA should exist with a company like RSA who only apologized and told customers to change practices _after_ they were caught taking money from a government agency at the expense of customers. They never refunded a penny to customers either, so they are more than deserving of a boycott.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
No Government Spooks (nor their hand maidens).
The word is boycott.
systemd is Roko's Basilisk.
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The NSA doesn't care whether you agree or disagree with them. They care about other things. For example, they might care that you once had a phone conversation with someone who once sat on the same bus as someone who is related to a terrorist. If you then disappeared, without having ever disagreed with the NSA, without ever having had anything to do with terrorists as far as you know, who would connect your disappearance with the NSA?
This is wrong on just about every level. Fact: The NSA is not a law enforcement agency, and has no authority to arrest or detain people. We know through leaks that they do provide data to various law enforcement agencies, and that those agencies have been instructed to (illegally) reconstruct the data to keep the NSA out of the picture. We know the NSA provided data to the IRS, which then audited political groups.
I can see questioning the use of "honeypot conference", or lacking knowledge of what crossing them would lead to. I don't agree with you painting them as innocent because we have enough facts to know they are not innocent. How guilty they are is a valid question.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
The root post warns of the unstated repercussions of attending this "honeypot" conference. I want to know what those repercussions are.
You mean like when people who develop encrypted messaging systems or encrypted phone applications get added to watch lists and get harassed every time they enter the country even though they are citizens?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
What other security researchers have accepted $10,000,000?
No one is "without sin," but there are some boundaries at which you stop being a normal person who has to bend his principles for the real world and become a complete dick who doesn't deserve to be a respected member of the white hat community.
Anyway, got my W2, so I have to go get back to making my yearly donation to the government; I sure hope they won't blow it on multimillion dollar bribes.
Well they could have started with a better name.
Trustycon sounds like an oxymoron right out of the gate, like someone's idea of a sick joke.
The problem we have is that the industry is defined now, whereas when it was starting out, there were not entire infrastructures available for every task. Just getting a new mechanism employed by web servers and web browsers has a huge inertia today. And the industry has made almost zero headway in the task of getting people to even sign e-mail by default, let alone encrypt it.
Now that email clients update themselves, rather than being installed and never touched again, the single thing that gets most people's correspondence out of the hands of governments and advertising giants is opportunistic encryption built into the clients.
It doesn't matter how secure your algorithms are if people won't use them.
Sig Battery depleted. Reverting to safe mode.
If people who disagreed with the NSA were arrested, or lost their jobs, or were audited, or were deported, or disappeared in the middle of the night, we would know about it. Those things can't be kept secret.
Sure they can be kept secret. And we don't know how many people fall into this category. But any such losses would be simply lost in the local mystery that every town has, namely the huge number of missing persons.
Take a look at these numbers reported by CNN using data from the FBI NCIC.
There is a vast forest of missing people in which you could hide a lot of "disappeared" people. Someone quietly working in a field without huge public exposure (whether white hat or black hat) could go missing from his basement lair, get reported, and be forgotten by all but his mom, and the world would never take notice.
Sig Battery depleted. Reverting to safe mode.
I'm not particularly inclined to trust anybody affirming or denying anything outright. None of it can be independently verified.
That's not true. We can witness the behaviors of the organization. Note how they started with denial, then moved towards excuses, and now have clammed up entirely. This tells us something about their behavior, and if we assume that behavior makes sense in context with the truth, then we get a glimpse of that truth as well.
Sort of like the Kepler telescope.
The alternate response is that if RSA did knowingly weaken commercial security, then you more or less have to stop trusting them.
And if they didn't knowingly weaken security, but rather did so unwittingly, then you also have to stop trusting them.
If they are so incompetent that they had no clue, they probably don't belong in the business.
They only came out and told people to stop using their broken software AFTER Snowden made it known that it was compromised.
NIST is pretty much in the same predicament.
Sig Battery depleted. Reverting to safe mode.
What is killing us is the industry settling for "good enough". SSL is "good enough", with the assumption that CAs won't be compromised. This was true back in the 1990s, but DigiNotar and other CAs have shown that the single, ultimate trust model will fail.
Then there are devices. Even though I have a client key for one E-mail address, because iOS requires an Exchange server, no S/MIME for me unless I JB the device. PGP/gpg is doable, but some apps don't like being switched out and start glitching when they get switched back in. Android is better because of utilities that have better OpenPGP support (K9 Mail for example.)
Once app makers and Apple can be convinced to have usable encryption (OpenPGP and S/MIME) on the individual E-mail level, the big hurdle will be getting users to work on webs of trust, or even just signing/decrypting messages. This isn't rocket science, but security is oftentimes tossed in the back seat compared to virtually anything else. It can be done, though. Most people lock their doors before they leave for the day, so getting them to click on the sign/encrypt button may be eventually doable, given the consequences of not doing so.
Something else many slashdotters may be in a position to do is to vote with their dollars. Even if you can't actually attend or help fund one conference or the other, take note of which companies attend which. Follow the money, and promote those who don't agree with the actions of the NSA and, by extension, with RSA. If attending the RSA conference is a mark against themselves in the eyes of potential customers, fewer companies will attend. If the sponsors and attendees of the new conference get extra business out of it, they'll be better placed to keep doing it, and the next time something similar to RSA's bribe comes to light, their competitors will be more ready to take away their conferences and customers.
Don't forget also that these conferences are networking opportunities. Everybody who doesn't attend the RSA con is missing out on the opportunity to hobnob with all those other attendees. Reward them for standing on principles, and for standing up for their customers. That's how the positive feedback loop which is supposed to encourage companies to behave well works.
Disclosure: I work for one of the companies who will be at TrustyCon instead of RSA.
There's no place I could be, since I've found Serenity...
You know you can generate a certificate in Keychain and distribute that out of band, then send encrypted email using Apple Mail. Obviously both you and your recipients need to do this if you want to do anything more complicated than simply signing your mail.
The thing that I'm upset about is that Apple still uses the compromised Comodo root for the certificates they use to sign patches with...
Can you be Even More Awesome?!
Sand Francisco: gateway to Silica Valley.