Vulnerabilities / Threats
1/8/2014
01:46 PM
Connect Directly
RSS
E-Mail
50%
50%

9 Security Experts Boycott RSA Conference

Several leading security experts have pulled out of the RSA conference over unanswered questions concerning the NSA's $10 million payment to RSA.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)

Why did security firm RSA accept $10 million from the National Security Agency in 2004?

That unanswered question is behind the decision by at least nine leading information security and privacy experts to boycott next month's RSA Conference in San Francisco.

Contacted via email, a spokesman for EMC -- which purchased RSA in 2006 -- declined to offer further details about the nature of the NSA's $10 million payment to RSA, and declined to comment on conference speakers' threatened boycott of the RSA conference, which is owned by EMC but independently run. (Full disclosure: InformationWeek's parent company, UBM LLC, owns the Black Hat security conferences.) RSA conference program committee chairman Hugh Thompson -- who is CTO of Blue Coat and not an RSA employee -- didn't immediately respond to an emailed request for reaction to the threatened boycott.

The NSA's previously secret $10 million contract with RSA was first reported by Reuters on December 20, 2013. That report, which was based on interviews with a dozen current and former RSA employees, alleged that RSA accepted the money in exchange for selecting a weak random number generator as the default for its BSAFE encryption libraries, which developers use to add encryption to their products.

In response, EMC issued a "RSA response to media claims regarding NSA relationship" statement, saying that its decision to use the NSA-promoted Dual Elliptic Curve algorithm as the default for BSAFE was made "in the context of an industry-wide effort to develop newer, stronger methods of encryption." It also said that "at that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

[What is in store for 2014? Read 7 InfoSec Predictions For 2014: Good, Bad & Ugly.]

Many information security and privacy experts, however, have said that RSA's explanation didn't go far enough. In particular, they've called on the company to come clean about whether it -- knowingly or not -- compromised customers' security in exchange for a $10 million licensing contract.

Some security experts, however, have gone further. Indeed, less than 24 hours after RSA released its statement, Mikko Hypponen, chief research officer at F-Secure, published an open letter to EMC and RSA saying that he would be canceling his planned RSA Conference, titled "Governments as Malware Authors." He later updated that letter to say that no one from F-Secure would be attending or exhibiting at the conference.

Hypponen, whose past RSA talks have been well regarded and highly attended, said the rationale for his boycott was, in part, personal: He's a Finn, and thus any surveillance operations that the RSA may have abetted could affect him personally. "I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," he wrote in his letter to EMC and RSA. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway -- why would they care about surveillance that's not targeted at them but at non-Americans."

But the boycott quickly spread beyond Europe. By Wednesday, notably, eight more RSA conference speakers or panel participants said they planned to either boycott their presentations, or the conference altogether. They include Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project; Google senior staff software engineer Adam Langley; attorney Marcia Hofman; and Taia Global CEO Jeffrey Carr.

Carr said the issue for him isn't whether RSA worked with the NSA. "The reason why I pulled my talk (and why most if not all of us did) is not b/c of RSA's 'NSA ties,' " he said in a comment posted to a Washington Post story. "It's because RSA has refused to explain why it took $10m from the NSA to use its encryption algorithm in its BSAFE product in 2004."

The ACLU's Soghoian, meanwhile, was more blunt. "I've given up waiting for RSA to fess up to the truth," he said via Twitter.

Another scheduled speaker who plans to boycott the conference is Dave Kearns, senior analyst at KuppingerCole. Like some other security experts, he's called on would-be attendees to boycott the entire show. "While boycotting the conference won't have a big impact on the company's bottom line, the resulting publicity will," Kearns said in an InformationWeek opinion column. "Security is hard enough without having to worry that our suppliers have -- either knowingly or unknowingly -- aided those who wish to subvert our security measures."

Robert David Graham, CEO of Errata Security, said in a blog post that he hadn't presented at RSA in years. But from now on, he said he'll boycott anything with "RSA" in the title, and likewise called on everyone else to do so as well too. "The reason isn't that I'm upset at RSA, or think that they are evil," he said. "I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products. Instead, what I care about is sending the message to other corporations, that they should fear this sort of things happening to them."

"If you are a security company, and you get caught backdooring your security for the NSA, you should go out of business," he said.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stratustician
50%
50%
Stratustician,
User Rank: Strategist
1/15/2014 | 1:28:21 PM
Nice...
I have to applaud the speakers for standing up.  I personally think that if you are a security company who is entrusted with protecting data for millions of customers, citizens, and other corporate assets, you need to be held accountable for the morals behind it.  By agreeing to take government funds to inherently weaken a product doesn't reflect well on RSA, or EMC for that matter.  Why should security folks then want to be associated with a company who has been shown to think more about profits and deals than the strength of their product?  When they had a large breach, people still kept faith in RSA, maybe this is what it takes for people to realize that sometimes corporate sponsored events require some thought about what it means to be associated with such an organization.
Tommmmy
50%
50%
Tommmmy,
User Rank: Apprentice
1/9/2014 | 9:56:34 AM
Defund the NSA - Cut Their Water & Power in Utah
I am IMPRESSED.  There are 9 people left in this world with morals and ethics that know when to do the right thing.  I fully support these heroic American professionals.

We have a corrupt and criminal government and military that are secretly taking over the world and the nation's "Big 6" media outlets are mostly silent on this criminal take-over.  This nation is being run by the largest CRIMINAL MAFIA outfit ever witnessed by man.

Thanks to the heroic freedom-fighter and whistle-blower Edward J. Snowden we now know that an army of private contractors and the US Military unlawfully monitors everyone's telephone traffic, all your contact lists, text messages, passwords, GPS locations with dates and time, Facebook posts & pictures, LinkedIn pages & pictures, your search engine keywords entered (yes – even the keywords typed in but you don't press the enter key), all web sites visited, all your credit card numbers, all your inbound and outbound e-mail messages, your voice-print, and facial image (for facial recognition devices planted around the world used to identify your movement). They have also now installed traffic cameras in all major metro areas and on police cars that scan license plate tags and store that information in databases. I believe those databases are shared with the NSA. They store all that information permanently, under your name, at the US Military's new massive Utah Data Center and can pull it up at any time in the future. They can even freely tap into the microphone and/or camera on your smart phone, tablet, laptop, PC, automobile's OnStar system, xBox and similar Internet connected devices. Rest assured – if it connects to the Internet – the US Military can tap into it and illegally monitor you. 

And now we have learned they have back door access into all of RSA's encryption tools.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Moderator
1/8/2014 | 5:08:33 PM
Re: Hey RSA, you're goin' down in flames after this stunt
Sadly, I doubt the boycott will have much meaning when the prevailing attitude in Washington is that the law is for the little folk.
asksqn
50%
50%
asksqn,
User Rank: Apprentice
1/8/2014 | 4:47:44 PM
Hey RSA, you're goin' down in flames after this stunt
This is a revelation and should rightfully serve as a cautionary tale to any company that either directly or indirectly crawls into bed with government surveillers - such coziness will not be tolerated nor should it be in an allegedly free country.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2014 | 4:13:40 PM
Who's defending RSA?
Good analysis of the the faces and issues behing the RSA boycott, Mat. It sure will be interesting to hear what RSA has to say when (or if) the come forward with a better defense of their actions. 
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.