Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Obnoxious' RSA Protests, RSA Remains Mum

Posted by timothy on from the where-it-hurts dept.

An anonymous reader writes "By 'buying out' the most obvious lunch spot nearest the RSA conference yesterday, opponents and truth-seekers regarding RSA's alleged deal with the NSA raised awareness amongst attendees in the most brutal way possible: by taking away tacos and tequila drinks. Robert Imhoff, Vegas 2.0 co-founder, says, 'RSA could begin to fix this by going on the record with a detailed response about the accusations.'" I tried to get attendees of the conference to comment on camera — even a little bit — on what they thought of the NSA spying revelations, and not a single person I approached would do so. The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell. Especially at a conference where the NSA is surrounded by vendors who sell the hardware and software that enables your "mere" metadata to be captured and sifted, plenty of the people on the floor know that the companies they work for are or might one day be seeking contracts to do all that capturing and sifting, even if they'd rather not be subject to it personally, so their don't want their face shown saying so.

64 of 99 comments (clear)

  1. On the record by Threni · · Score: 2

    > 'RSA could begin to fix this by going on the record with a detailed response about
    > the accusations.'"

    Which we'd all of course believe.

    1. Re:On the record by wiredog · · Score: 1, Interesting

      They already did.

      --

      Best Slashdot Co
    2. Re:On the record by thue · · Score: 4, Interesting

      Are you referring to this RSA's CTO Sam Curry's "defense", which Mathew Green and Matt Blaze has had so much fun ridiculing? http://blog.cryptographyengine...

      RSA Security really haven't made anything close to a coherent defense.

    3. Re:On the record by Soulskill · · Score: 1

      What would amount to a coherent defense, to you?

      Situations like this are pretty hard to unravel. RSA can protest until they're blue in the face, but the nature of the accusation is such that their statements are already suspect. Add to that the level of distrust associated with the NSA, and the NSA's potential power over RSA. Evaluating any unprovable denial simply boils down to whether we trust RSA or not -- which is the same question we're already facing.

      So, what about provable denials -- what evidence could RSA show us that would reinstate our trust? What if that evidence is damning in other ways? (Perhaps their decisions were spurred by incompetence rather than greed.) I'm not even sure exactly what that evidence should look like — documents can be forged or omit details communicated orally.

      I dunno -- I'd hate to be in RSA's shoes.

    4. Re:On the record by thue · · Score: 2

      For starters, they can come clean. All their press releases have been exercises in trying to say as little as possible, and be as misleading as possible whiile still not literally lying. For example, their non-denial of the $10,000,000 deal with NSA had half the press falsely reporting that RSA claimed there never any $10,000,000 deal.

      Dual_EC_DRBG has been documented since 2006/2007 to be an insecure CSPRNG, even without the backdoor. I knew about it for example, and I do not even work in that field. The only way nobody at RSA Security (a huge company specializing in security) could not have heard about it is by putting their hands over their ears and yelling LALALA. And they didn't put 2 and 2 together about why NSA paid them $10,000,000 when the possible backdoor was discussed in the media and the cryptographic community?

      I can accept that RSA Security might have been fooled in 2004. But they have not even tried to explain why they kept using Dual_EC_DRBG after 2006/2007. They have been caught with the hand in the cookie jar, and refuse to even try to defend themselves. Why should I try to invent explanations for their innocence for them?

      > what evidence could RSA show us that would reinstate our trust

      The point is that the circumstantial evidence is so hugely strong. This is not unfair - this is reality.

      It is like finding you standing over a corpse in a pool of blood and a knife in your hand, with a $10 million payment to your account from the victims worst enemy. And you refusing to talk about how you got there, or why the victim's worst enemy sent you the $10 million. Do you think I have no right to make assumptions in that case?

    5. Re:On the record by Darinbob · · Score: 1

      But part of that is true: elliptic curve was in vogue, and is in use in many places. However the Dual_EC is the one we're talking about.

      Overall though, I get a very strong feeling that everyone is reacting at a gut level, as there is no evidence of collusion or a backdoor. All we have is a past presentation about how Dual_EC has some problems, RSA uses it anyway, and a journalist paraphrasing something Snowden said. What has changed is not any direct proof but instead the tenuous trust between organizations has dissolved. That's what is more interesting in so many ways, the web of trust that security sits on top of is not a good foundation.

    6. Re:On the record by Darinbob · · Score: 1

      By saying "come clean" you are automatically assuming they are guilty. Thus any denial they make would be rejected.

    7. Re:On the record by thue · · Score: 1

      I freely admit that I assume they are guilty because of 1) all the damning evidence 2) their refusal to defend themselves.

      And I submit that all reasonable persons should assume they are guilty for the same reasons. Assuming they are not guilty would be incredibly stupid.

  2. It's not like saying nothing will be of any use by korbulon · · Score: 2

    As if the NSA doesn't already know what they really think.

  3. And when the came for me... by TWX · · Score: 2

    First, they came for my tacos. But I did not speak out because I was not a taco...

    Then they came for my tequila drinks. But I did not speak out because I was not a tequila drink...

    --
    Do not look into laser with remaining eye.
    1. Re:And when the came for me... by jythie · · Score: 1

      yeah but they did not put out a long form official statement! They must still be hiding the truth!

    2. Re:And when the came for me... by CyberKnet · · Score: 3, Funny

      First they came for the tacos, and I did not speak out -- because we had a CmDrTaCo.
      Then they came for the tequila drinks, and I did not speak out -- because I was more a fan of Wine.
      Then they came for the chips 'n dips, and I did not speak out -- because everyone had moved on to Slashdot
      Then they came for Slashdot, -- there was no one left to speak for it...

      ... because beta had already driven everyone away.

      --
      Video meliora proboque deteriora sequor - Ovidius
    3. Re:And when the came for me... by TangoMargarine · · Score: 1

      (sig)

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    4. Re:And when the came for me... by TWX · · Score: 1

      For great justice

      --
      Do not look into laser with remaining eye.
    5. Re:And when the came for me... by TangoMargarine · · Score: 1

      You have no chance to survive make your time.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  4. What did you expect? by sirwired · · Score: 4, Insightful

    I don't think this little stunt has anything to say about a "problem with a surveillance society"; they have something to say about a problem with some a$$hole ambushing some geeks at a tech conference that just want to get their lunch and get back to the conference sessions.

    And the RSA did go on record. They said it wasn't true. As far as going into the gory details of the contract? Contract details of any contract, with any customer, are generally not something a security company is ever going to disclose. That's not surveillance-state paranoia or evidence of evildoing; it's routine business practice.

    1. Re:What did you expect? by fuzzyfuzzyfungus · · Score: 4, Insightful

      Pity the poor hatchetmen, cruelly interrupted during lunch. I, for one, fear for the future of a society that respects the privacy of others so little...

      Do I think that Our Fearless Correspondent is even remotely effective in his stated aims? Not with those tactics, he'd be hard pressed to get someone to tell him the time.

      Should we care about that? Do RSA's little minions deserve to throw a veil of contractual secrecy over their lunch hour, lest their delicate feelings be offended by the sight of disapproval?

      In a situation where legal redress is, in all probability, a fantasy; but displeasure is very real, isn't social disapproval an excellent response? Wouldn't it be delightful if admitting to working for a spook contractor was about as pleasant as admitting that you take the long way around that school zone because you are a convicted sex offender? Now, especially without good evidence tying individual people to individual pieces of work, you don't want to go overboard; but it would be downright wholesome if the penalty for collaboration was constant exposure to contempt.

    2. Re:What did you expect? by Guppy06 · · Score: 1

      some geeks at a tech conference

      They're called "enablers."

    3. Re:What did you expect? by thue · · Score: 1

      > And the RSA did go on record. They said it wasn't true.

      What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.

      If you read the keynote from the current RSA Conference, RSA's defense is that they stopped independently creating and verifying the cryptographical algorithms, instead just getting them straight from NIST and ANSI. And they knew or should have known that Dual_EC_DRBG was written by NSA.

      > "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to out business, we worked to establish an approch to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

      Meanwhile RSA Security ignored all the independent research showing that Dual_EC_DRBG was radioactive. So RSA Security's defense is that they stopped doing any due diligence, and instead just copied everything straight from NSA. And because they stopped even trying to do independent cryptography, they were not aware of the possible backdoor. And you think RSA Security's statements in their defense are not laughable, and that people protesting this is just "a$$holes"?

    4. Re:What did you expect? by thue · · Score: 1

      > What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal.

      That should of course have been:

      > What RSA Security has specifically said is that they didn't know about the backdoor when they made the $10,000,000 deal.

    5. Re:What did you expect? by Opportunist · · Score: 1

      If the allegation is that the contract violates constitutional laws and especially if one of the partners in said contract is a branch of the government, I'd at the very least expect a general attorney to take a look at the contract. The accusation here is nothing less than RSA conspiring with a government agency to undermine constitutional rights of US citizens.

      That's not enough to get a GA moving? Really? Guess they first have to torrent a few movies.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:What did you expect? by mmell · · Score: 1
      Well, to quote a famous fictional hero, "I got bits falling off my ship, I got a crew ain't been paid and, oh yeah, a powerful need to eat sometime this month".

      Somehow, I don't think giving the NSA the middle finger they so richly deserve is going to make that any easier.

    7. Re:What did you expect? by TangoMargarine · · Score: 1

      Although after watching a show quite a number of times, I'm no longer convinced Mal was this ethical paragon that people make him out to be. He seemed to go out of his way to make his crew think he was about to do something bad and say, "Just trust me." It turned out a minute of screen time later that that *wasn't* what he was going to do, but he seemed to be intentionally misleading.

      That, and his whole "you're on the crew, you're family" mantra seemed to be veeeery malleable when he wanted it to be.

      Although this reinforces my saying that there's a Firefly quote for every occasion ;)

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    8. Re:What did you expect? by Darinbob · · Score: 1

      And please list all the companies you've ever worked for, to see if we should blacklist you as well.
      Wait, you're still posting on Slashdot, and they're owned by Dice, so clearly you're all in favor of the corporate takeover of open free speech sites.

    9. Re:What did you expect? by Darinbob · · Score: 1

      They've invented color photography decades ago, and they even have color televisions now. Why is your world still in black and white?

    10. Re:What did you expect? by david_thornley · · Score: 1

      When I read what they had to say, what they seemed to be explicitly denying is that they specifically knew they were putting a back door in at the time. There was a lot of other fluff, but no substantive statement.

      Here's one scenario consistent with what I read: RSA accepted $10M from the NSA to put in certain specific values in their cryptosystem, and did not at the time bother to look if it might be a back door. It was in fact a back door, and they continued pushing it for years. AFAIK, they haven't denied that one.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    11. Re:What did you expect? by hackajar1 · · Score: 1

      Did you RTFA? They only turned away people who PAID to be at the conference. "Expo Only" passes, I.e. plain old tech people, were allowed access. It is also worth noting that you are attempting to claim something as a "tech conference" and blatantly ignoring fact that it is a SECURITY CONFERENCE. How many free lunches has RSA given you? is probably a better question, seeing all of your pro-rsa talk on these topic.

  5. Bad inference by DoofusOfDeath · · Score: 4, Insightful

    The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell.

    Stupid reasoning. There are plenty of other reasons these people might not want to publicly comment. The most likely is that they're not authorized to speak for their employers, and fear rebuke or dismissal at their workplaces if they speak publicly on the topic.

    1. Re:Bad inference by Trepidity · · Score: 2

      Also, the pained facial expressions might be related to the lack of tacos and/or tequila drinks.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    2. Re:Bad inference by jythie · · Score: 1

      Or even the rather pedestrian 'people do not like random bloggers shoving a camera in their face and just want to go about their business'. When someone does that to me, I do not care what the topic or question is, they still annoy me and I am not in a mood to cooperate or even interact with them.

    3. Re:Bad inference by fulldecent · · Score: 1

      If someone stole my tequila, my response would be elevated from the TFS to TFH

      --

      -- I was raised on the command line, bitch

  6. routine by Anonymous Coward · · Score: 1, Insightful

    If the contract is such that you are abetting the government in unconstitutional searches, then well, it seems worthy of getting pissed off about and definitely worthy of being labeled "surveillance state".

    As a long time (and lazily anonymous, sue me) reader of slashdot I'm always amazed at how many commenters seem willing to give companies/corporations/government a pass because it's just "routine" business practice.

    If it's routine for a company not to tell me how it makes it's product, okay fine (maybe).
    If it's routine for a company to give away all my information to the government (who yes , absolutely is supposed to have a warrant) then I say, "fuck routine."

    1. Re:routine by jythie · · Score: 1

      Ahm.. not posting private contracts is a pretty reasonable 'routine' business practice. That is not a 'pass' it is a 'of course they are not going to publish it', and looking to it as proof they were up to something nefarious is just another 'if you are not guilty you have nothing to hide' argument.

    2. Re:routine by Darinbob · · Score: 1

      You're mixing two things together. First you assume a-priori that they must be guilty in assisting in spying or in adding a backdoor. Second they got a contract. You conflate the two into assuming that they got a contract in order to add the back door. No one is saying it is routine to give away our info to the government, and no one is defending that.

      All we really have right now are accusations but no real evidence. Now the contract from NSA would be fishy if it was the only contract they ever got and if no one else got a similar contract and if contracts were really rare. Given that the NSA has worked very often in the past strengthening crypto schemes and has worked closely with many companies and researchers in this area, it is not unusual for a prominent crytpo company to get some money from the NSA. Yes it _could_ have been a bribe to add a back door but there's no evidence of that. Ie, it's circumstantial.

  7. On what basis can you make this demand? by sirwired · · Score: 2, Insightful

    The RSA has already explicitly said the contract doesn't say what they are accused of it saying. What else do you want them to do? They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

    Now, I'm not saying that RSA isn't lying, but if they were, would you believe that any contract they produced was an accurate one? Probably not. Talk about "Damned if you do, damned if you don't."

    1. Re:On what basis can you make this demand? by Goldsmith · · Score: 3, Insightful

      Sure, they can release the details of that contract. Government contracts are supposed to be public. Go take a look at usaspending.gov and fpds.gov There are plenty of security contracts posted there, just not any between RSA and NSA. It's not the easiest system in the world to navigate, you have to know a lot about government contracting to make sense of it.

      But, you'll see military hardware contracts, homeland security database contracts, all of them are published on federal websites as a matter of course (you have to get special approval to not post a contract publically). The government mandates this so that competing companies and the public can see that they're getting a "fair deal". Never mind that a lot of these show they weren't competed, no one actually takes advantage of government transparency when it's available.

    2. Re:On what basis can you make this demand? by thue · · Score: 1

      > They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

      Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters was for example to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.

      RSA Security also have not yet given a good explanation for why they ignored the multitude of red flags until 2013. As cryptographer Matthew Green writes:

      > So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow -- which has real performance implications -- it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.

      If RSA Security makes secret contracts that impacts other people's security, I don't see why RSA Security should get any benefit of the doubt. Why should we trust a company cloaked in secrecy who has shown themselves to be overwhelmingly incompetent and/or malicious?

    3. Re:On what basis can you make this demand? by tomhath · · Score: 1

      Government contracts are supposed to be public.

      Actually, no. They're usually kept confidential.

    4. Re:On what basis can you make this demand? by Goldsmith · · Score: 3, Informative

      I worked as a government employee overseeing R&D contracts. It wasn't that long ago. We were required to post the contracts publically. They're on the websites I mentioned...

    5. Re:On what basis can you make this demand? by Arker · · Score: 2

      "The RSA has already explicitly said the contract doesn't say what they are accused of it saying."

      Link? Because what I remember reading from them was more of a very carefully calculated non-answer. Did not deny the elements of the crime, but very vaguely denied any intent. An evasive, lawyerly answer, not a straightforward denial at all.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    6. Re:On what basis can you make this demand? by tomhath · · Score: 1

      Depends on the contract. Some years ago I worked for a company that did contract work with the government. Sometimes even the existence of a contract is kept classified.

    7. Re:On what basis can you make this demand? by sjames · · Score: 1

      Proving it would be good.

      Imagine an FBI agent. He has been spotted accepting a large sum of money from a prominent mob boss. He 'just happens' to have recently made a few odd decisions in his investigation that were very favorable to the very same mob boss. Do you expect anyone to just accept when he says 'it wasn't a bribe'?

      That's why FBI agents avoid having private transactions with shady characters.

      RSA chose to lie down with dogs and so they now have fleas.

    8. Re:On what basis can you make this demand? by Darinbob · · Score: 1

      So have you stopped beating your wife? Trouble with that sort of question is that you can't say yes and you can't say no, and it's intentionally designed to be highly provocative so the answer is very likely to be "fuck off you, go bother someone else."
      So when someone is asked "please give us details of the crime we all know you committed" you are going to get that sort of answer.

    9. Re:On what basis can you make this demand? by Darinbob · · Score: 1

      Except that many many people are working with the NSA. It was common place to do this for a very long time. Companies and researchers worked with them because NSA was the undisputed expert in crypto. Their mission statement was not to spy on US citizens, that is only a recent discovery. For much of their history they worked to improve and strengthen crypto standards and this is documented.

      Right now there is a hint that there is a backdoor, a hint that RSA took money, and these hints are troubling. However the fact that RSA and NSA have worked together in the past is to be expected.

    10. Re:On what basis can you make this demand? by sjames · · Score: 1

      It's a wee bit more specific. RSA made a truly bizarre choice to default to a broken RNG that had absolutely no benefit and many risks (it was slower, more memory hungry and untested). We know the NSA created that RNG to be subtly weak. We know that RSA took a largish payoff.

      They either got suddenly stupid or they took a payoff. Neither suggests confidence in their products or recommendations.

      Yes, many have worked with the NSA in the past. Some stopped after the world found out the NSA was not what they thought it was, others continue. RAS continues.

      RSA really should have known better. The NSA is now known to be toxic and contagious. RSA hopped into bed with it and now it has cooties.

  8. What lie? by sirwired · · Score: 1

    They were accused of taking a $10M bribe to backdoor an encryption algorithm. RSA says it's not true. There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

    If they truly were going to compromise the security of every one of their customers, why would they have agreed to accept a paltry $10M?

    1. Re:What lie? by guises · · Score: 1

      They might not have know the details about the weakness, but why else would the NSA be paying them to use a particular algorithm? They thought they were getting money for no reason?

    2. Re:What lie? by thue · · Score: 1

      > There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

      It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely. But that in no way excuses or explains why RSA security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine...

    3. Re:What lie? by Agent+ME · · Score: 1

      Yeah, if RSA didn't take a bribe, then they're just grossly incompetent and should still be villified anyway.

    4. Re:What lie? by Darinbob · · Score: 1

      The money may be for many reasons. Maybe it sounds like a lot of money to you, but it could be supplied for many legitimate reasons. Both RSA and NSA are involved in standards committees, and creating a standard is not done for free. RSA could have been paid to work on a standard, do some research, provide a product, and so forth.

      If there is indeed a backdoor the most we have proof of is that RSA were played for fools. Which actually is damning enough to cause them to lose all the credibility that they are losing today.

      The other thing in the picture is that RSA is not a person, it is composed of many employees. Not all of them are evil people seeking to subvert peope's freedoms. And yet every single employee with RSA and every customer still working with them are being treated as if they've done something wrong; is in some obnoxious blogger ambushing them while trying to have lunch.

    5. Re:What lie? by hackajar1 · · Score: 1

      This argument is very valid when you consider RSA is not directly in the encryption business, they only repackage other peoples ciphers, and have no one on staff who could verify anything. Oh wait...

  9. Re:stupid by jythie · · Score: 1

    I had a similar thought, though without seeing video of the author's behavior it is impossible to tell how much of their reaction was due to the subject vs the person doing the asking. Given that the blogger in question has built a bit of a brand and pride around being obnoxious, I would not be surprised if the latter played a role.

  10. RSA considered Dual_EC research without merit? by thue · · Score: 1

    Jeffrey Carr has a good point from the RSA Conference keynote:

    > "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

    So up until then, they apparently considered all the criticism of RSA security without merit? On what basis? The research was obviously right.

    http://jeffreycarr.blogspot.dk...

    If you read a bit more in the actual keynote, there is actually an unexpectedly frank explanation:

    > "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to out business, we worked to establish an approch to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

    But they ignore most of the input of the larger community, in favor of taking $10,000,000 from NSA to use their backdoored algorithm.

    What we have seems to be standard exploitation of a valuable acquired brand which is no longer profitable. Take a high-quality brand with an outstanding reputation for independent quality checking. Fire everybody skilled (and expensive), and sell as many cheap commodity products under that brand as you can get away with, with as little expensive quality control as possible. Their claim is that they expected to get the quality control for free from NIST, which they knew was dominated by the NSA. Meanwhile, RSA Security choose to totally ignore any contradicting independent research.

    Personally I believe the amount of incompetence and cluelessness claimed by RSA Security as defense strains credulity beyond breaking point.

  11. Maybe by justthinkit · · Score: 1

    Maybe the author was wearing Google Glass.

    --
    I come here for the love
  12. NSA vs USA by mtrachtenberg · · Score: 1

    Look, the NSA has already done more damage to the United States technology industry than any other enemy. RSA and the rest are just private branches of the state. Fuck them.

  13. "Minions?" Hardly by sirwired · · Score: 1

    Most of the attendees at a tech conference are front-line IT grunts (and their managers) sent their by their boss to learn about new products, techniques, etc. Most of them don't work for RSA, nor will most have been in charge of the buying decision to purchase RSA products.

    This isn't a "veil of contractual secrecy" being thrown... this is some more-or-less random schmoe having a complete stranger asking him questions on camera on something on which he doesn't have enough information to make an intelligent reply.

  14. This by sl3xd · · Score: 1

    +1 to this.

    It's fairly common for companies to have required IT products, such as RSA. Then they send their employees out to improve their knowledge of the "blessed" product(s).

    The employees are often obligated to attend the conference, and are also (due to corporate policy) unable to say much, just in case those comments can be construed as company opinion.

    So yeah... you have these poor attendees who are pretty much like "Look, I don't know anything anyway, my attendance was mandated by someone else. Why are you harassing me?"

    --
    -- Sometimes you have to turn the lights off in order to see.
    1. Re:This by Darinbob · · Score: 1

      There are a lot of RSA customers, so it is reasonable to expect them to show up at RSA conference. Similarly those customers should not be expected to do a recall of all their product lines and rewrite all the code so thast they can ditch RSA as soon as possible (especially if not using Dual_EC!). Second, the RSA conference, despite the name, is not only about RSA products. It's an important venue to go to in order to learn about new products from a large variety of vendors, to network with other people in the field, and to listen to respected speakers in the field. To treat all these people like they were all sub-subcontractors for NSA is stupid.

  15. Re: stupid by Catbeller · · Score: 1

    You mean, you'd like some privacy? You do get the horror of that, don't you?

  16. Not all contracts are public by sirwired · · Score: 1

    The defense and intelligence parts of the budget have very large parts that are a "black box". As well they should be. It's a bit difficult to carry out secret projects if all your contracts are open to anybody that wants to read them.

    Yes, such contracts are vulnerable to abuse and oversight problems. But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.

    1. Re:Not all contracts are public by BobMcD · · Score: 1

      But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.

      Because WikiLeaks doesn't exist?

  17. Re:heresy, everywhere heresy by TangoMargarine · · Score: 1

    Not sure which is worse: you calling someone a faggot for not reason, or not even knowing how to spell it properly...

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  18. Re:heresy, everywhere heresy by TangoMargarine · · Score: 1

    *for no reason

    http://en.wikipedia.org/wiki/M...

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  19. Seriously? by sirwired · · Score: 1

    "Plain old tech" people get paid conference passes all the time. Your company buys X amount of stuff from Y vendor (or a business partner), the vendor account rep provides your company with Z full conference passes gratis, and most of those passes end up in the hand of front-line IT grunts (they are the ones most of the education classes are targeted for.) These grunts are no more likely to be familiar with the particular facts of what they were getting interrogated on than any other geek.

    Also, it IS a tech conference; RSA just happens to be a security vendor; pretty much every single large tech vendor runs one of these conferences. A "security conference" would be something like DEFCON, one of the several conferences the IEEE runs on security, etc.

    And quit with your paranoia about how much RSA is bribing me. I work from home, so it'd be pretty tough for RSA to buy me lunch. The organization I work for (part of a larger IT company) is not an RSA customer. Not everyone that voices vocal disagreement is a sock-puppet; I thought the whole point of the Slashdot comment section was to comment.

    All my so-called "pro-RSA" talk on this topic has been motivated by the obnoxious tactics of these protestors, and the knee-jerk silence-equals-guilty attitude. You'd get the same reaction from me if this was a story about PETA sticking microphones in the face of somebody trying to buy some chicken for dinner.