Vulnerabilities / Threats
1/8/2014
01:46 PM
50%
50%

9 Security Experts Boycott RSA Conference

Several leading security experts have pulled out of the RSA conference over unanswered questions concerning the NSA's $10 million payment to RSA.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)

Why did security firm RSA accept $10 million from the National Security Agency in 2004?

That unanswered question is behind the decision by at least nine leading information security and privacy experts to boycott next month's RSA Conference in San Francisco.

Contacted via email, a spokesman for EMC -- which purchased RSA in 2006 -- declined to offer further details about the nature of the NSA's $10 million payment to RSA, and declined to comment on conference speakers' threatened boycott of the RSA conference, which is owned by EMC but independently run. (Full disclosure: InformationWeek's parent company, UBM LLC, owns the Black Hat security conferences.) RSA conference program committee chairman Hugh Thompson -- who is CTO of Blue Coat and not an RSA employee -- didn't immediately respond to an emailed request for reaction to the threatened boycott.

The NSA's previously secret $10 million contract with RSA was first reported by Reuters on December 20, 2013. That report, which was based on interviews with a dozen current and former RSA employees, alleged that RSA accepted the money in exchange for selecting a weak random number generator as the default for its BSAFE encryption libraries, which developers use to add encryption to their products.

In response, EMC issued a "RSA response to media claims regarding NSA relationship" statement, saying that its decision to use the NSA-promoted Dual Elliptic Curve algorithm as the default for BSAFE was made "in the context of an industry-wide effort to develop newer, stronger methods of encryption." It also said that "at that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

[What is in store for 2014? Read 7 InfoSec Predictions For 2014: Good, Bad & Ugly.]

Many information security and privacy experts, however, have said that RSA's explanation didn't go far enough. In particular, they've called on the company to come clean about whether it -- knowingly or not -- compromised customers' security in exchange for a $10 million licensing contract.

Some security experts, however, have gone further. Indeed, less than 24 hours after RSA released its statement, Mikko Hypponen, chief research officer at F-Secure, published an open letter to EMC and RSA saying that he would be canceling his planned RSA Conference, titled "Governments as Malware Authors." He later updated that letter to say that no one from F-Secure would be attending or exhibiting at the conference.

Hypponen, whose past RSA talks have been well regarded and highly attended, said the rationale for his boycott was, in part, personal: He's a Finn, and thus any surveillance operations that the RSA may have abetted could affect him personally. "I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," he wrote in his letter to EMC and RSA. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway -- why would they care about surveillance that's not targeted at them but at non-Americans."

But the boycott quickly spread beyond Europe. By Wednesday, notably, eight more RSA conference speakers or panel participants said they planned to either boycott their presentations, or the conference altogether. They include Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project; Google senior staff software engineer Adam Langley; attorney Marcia Hofman; and Taia Global CEO Jeffrey Carr.

Carr said the issue for him isn't whether RSA worked with the NSA. "The reason why I pulled my talk (and why most if not all of us did) is not b/c of RSA's 'NSA ties,' " he said in a comment posted to a Washington Post story. "It's because RSA has refused to explain why it took $10m from the NSA to use its encryption algorithm in its BSAFE product in 2004."

The ACLU's Soghoian, meanwhile, was more blunt. "I've given up waiting for RSA to fess up to the truth," he said via Twitter.

Another scheduled speaker who plans to boycott the conference is Dave Kearns, senior analyst at KuppingerCole. Like some other security experts, he's called on would-be attendees to boycott the entire show. "While boycotting the conference won't have a big impact on the company's bottom line, the resulting publicity will," Kearns said in an InformationWeek opinion column. "Security is hard enough without having to worry that our suppliers have -- either knowingly or unknowingly -- aided those who wish to subvert our security measures."

Robert David Graham, CEO of Errata Security, said in a blog post that he hadn't presented at RSA in years. But from now on, he said he'll boycott anything with "RSA" in the title, and likewise called on everyone else to do so as well too. "The reason isn't that I'm upset at RSA, or think that they are evil," he said. "I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products. Instead, what I care about is sending the message to other corporations, that they should fear this sort of things happening to them."

"If you are a security company, and you get caught backdooring your security for the NSA, you should go out of business," he said.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
1/15/2014 | 1:28:21 PM
Nice...
I have to applaud the speakers for standing up.  I personally think that if you are a security company who is entrusted with protecting data for millions of customers, citizens, and other corporate assets, you need to be held accountable for the morals behind it.  By agreeing to take government funds to inherently weaken a product doesn't reflect well on RSA, or EMC for that matter.  Why should security folks then want to be associated with a company who has been shown to think more about profits and deals than the strength of their product?  When they had a large breach, people still kept faith in RSA, maybe this is what it takes for people to realize that sometimes corporate sponsored events require some thought about what it means to be associated with such an organization.
Tommmmy
50%
50%
Tommmmy,
User Rank: Apprentice
1/9/2014 | 9:56:34 AM
Defund the NSA - Cut Their Water & Power in Utah
I am IMPRESSED.  There are 9 people left in this world with morals and ethics that know when to do the right thing.  I fully support these heroic American professionals.

We have a corrupt and criminal government and military that are secretly taking over the world and the nation's "Big 6" media outlets are mostly silent on this criminal take-over.  This nation is being run by the largest CRIMINAL MAFIA outfit ever witnessed by man.

Thanks to the heroic freedom-fighter and whistle-blower Edward J. Snowden we now know that an army of private contractors and the US Military unlawfully monitors everyone's telephone traffic, all your contact lists, text messages, passwords, GPS locations with dates and time, Facebook posts & pictures, LinkedIn pages & pictures, your search engine keywords entered (yes – even the keywords typed in but you don't press the enter key), all web sites visited, all your credit card numbers, all your inbound and outbound e-mail messages, your voice-print, and facial image (for facial recognition devices planted around the world used to identify your movement). They have also now installed traffic cameras in all major metro areas and on police cars that scan license plate tags and store that information in databases. I believe those databases are shared with the NSA. They store all that information permanently, under your name, at the US Military's new massive Utah Data Center and can pull it up at any time in the future. They can even freely tap into the microphone and/or camera on your smart phone, tablet, laptop, PC, automobile's OnStar system, xBox and similar Internet connected devices. Rest assured – if it connects to the Internet – the US Military can tap into it and illegally monitor you. 

And now we have learned they have back door access into all of RSA's encryption tools.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Moderator
1/8/2014 | 5:08:33 PM
Re: Hey RSA, you're goin' down in flames after this stunt
Sadly, I doubt the boycott will have much meaning when the prevailing attitude in Washington is that the law is for the little folk.
asksqn
50%
50%
asksqn,
User Rank: Ninja
1/8/2014 | 4:47:44 PM
Hey RSA, you're goin' down in flames after this stunt
This is a revelation and should rightfully serve as a cautionary tale to any company that either directly or indirectly crawls into bed with government surveillers - such coziness will not be tolerated nor should it be in an allegedly free country.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2014 | 4:13:40 PM
Who's defending RSA?
Good analysis of the the faces and issues behing the RSA boycott, Mat. It sure will be interesting to hear what RSA has to say when (or if) the come forward with a better defense of their actions. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.