Vulnerabilities / Threats
1/8/2014
01:46 PM
Connect Directly
RSS
E-Mail
50%
50%

9 Security Experts Boycott RSA Conference

Several leading security experts have pulled out of the RSA conference over unanswered questions concerning the NSA's $10 million payment to RSA.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(click image for larger view and for slideshow)

Why did security firm RSA accept $10 million from the National Security Agency in 2004?

That unanswered question is behind the decision by at least nine leading information security and privacy experts to boycott next month's RSA Conference in San Francisco.

Contacted via email, a spokesman for EMC -- which purchased RSA in 2006 -- declined to offer further details about the nature of the NSA's $10 million payment to RSA, and declined to comment on conference speakers' threatened boycott of the RSA conference, which is owned by EMC but independently run. (Full disclosure: InformationWeek's parent company, UBM LLC, owns the Black Hat security conferences.) RSA conference program committee chairman Hugh Thompson -- who is CTO of Blue Coat and not an RSA employee -- didn't immediately respond to an emailed request for reaction to the threatened boycott.

The NSA's previously secret $10 million contract with RSA was first reported by Reuters on December 20, 2013. That report, which was based on interviews with a dozen current and former RSA employees, alleged that RSA accepted the money in exchange for selecting a weak random number generator as the default for its BSAFE encryption libraries, which developers use to add encryption to their products.

In response, EMC issued a "RSA response to media claims regarding NSA relationship" statement, saying that its decision to use the NSA-promoted Dual Elliptic Curve algorithm as the default for BSAFE was made "in the context of an industry-wide effort to develop newer, stronger methods of encryption." It also said that "at that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

[What is in store for 2014? Read 7 InfoSec Predictions For 2014: Good, Bad & Ugly.]

Many information security and privacy experts, however, have said that RSA's explanation didn't go far enough. In particular, they've called on the company to come clean about whether it -- knowingly or not -- compromised customers' security in exchange for a $10 million licensing contract.

Some security experts, however, have gone further. Indeed, less than 24 hours after RSA released its statement, Mikko Hypponen, chief research officer at F-Secure, published an open letter to EMC and RSA saying that he would be canceling his planned RSA Conference, titled "Governments as Malware Authors." He later updated that letter to say that no one from F-Secure would be attending or exhibiting at the conference.

Hypponen, whose past RSA talks have been well regarded and highly attended, said the rationale for his boycott was, in part, personal: He's a Finn, and thus any surveillance operations that the RSA may have abetted could affect him personally. "I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA," he wrote in his letter to EMC and RSA. "In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway -- why would they care about surveillance that's not targeted at them but at non-Americans."

But the boycott quickly spread beyond Europe. By Wednesday, notably, eight more RSA conference speakers or panel participants said they planned to either boycott their presentations, or the conference altogether. They include Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project; Google senior staff software engineer Adam Langley; attorney Marcia Hofman; and Taia Global CEO Jeffrey Carr.

Carr said the issue for him isn't whether RSA worked with the NSA. "The reason why I pulled my talk (and why most if not all of us did) is not b/c of RSA's 'NSA ties,' " he said in a comment posted to a Washington Post story. "It's because RSA has refused to explain why it took $10m from the NSA to use its encryption algorithm in its BSAFE product in 2004."

The ACLU's Soghoian, meanwhile, was more blunt. "I've given up waiting for RSA to fess up to the truth," he said via Twitter.

Another scheduled speaker who plans to boycott the conference is Dave Kearns, senior analyst at KuppingerCole. Like some other security experts, he's called on would-be attendees to boycott the entire show. "While boycotting the conference won't have a big impact on the company's bottom line, the resulting publicity will," Kearns said in an InformationWeek opinion column. "Security is hard enough without having to worry that our suppliers have -- either knowingly or unknowingly -- aided those who wish to subvert our security measures."

Robert David Graham, CEO of Errata Security, said in a blog post that he hadn't presented at RSA in years. But from now on, he said he'll boycott anything with "RSA" in the title, and likewise called on everyone else to do so as well too. "The reason isn't that I'm upset at RSA, or think that they are evil," he said. "I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products. Instead, what I care about is sending the message to other corporations, that they should fear this sort of things happening to them."

"If you are a security company, and you get caught backdooring your security for the NSA, you should go out of business," he said.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/8/2014 | 4:13:40 PM
Who's defending RSA?
Good analysis of the the faces and issues behing the RSA boycott, Mat. It sure will be interesting to hear what RSA has to say when (or if) the come forward with a better defense of their actions. 
asksqn
50%
50%
asksqn,
User Rank: Apprentice
1/8/2014 | 4:47:44 PM
Hey RSA, you're goin' down in flames after this stunt
This is a revelation and should rightfully serve as a cautionary tale to any company that either directly or indirectly crawls into bed with government surveillers - such coziness will not be tolerated nor should it be in an allegedly free country.
Thomas Claburn
100%
0%
Thomas Claburn,
User Rank: Moderator
1/8/2014 | 5:08:33 PM
Re: Hey RSA, you're goin' down in flames after this stunt
Sadly, I doubt the boycott will have much meaning when the prevailing attitude in Washington is that the law is for the little folk.
Tommmmy
50%
50%
Tommmmy,
User Rank: Apprentice
1/9/2014 | 9:56:34 AM
Defund the NSA - Cut Their Water & Power in Utah
I am IMPRESSED.  There are 9 people left in this world with morals and ethics that know when to do the right thing.  I fully support these heroic American professionals.

We have a corrupt and criminal government and military that are secretly taking over the world and the nation's "Big 6" media outlets are mostly silent on this criminal take-over.  This nation is being run by the largest CRIMINAL MAFIA outfit ever witnessed by man.

Thanks to the heroic freedom-fighter and whistle-blower Edward J. Snowden we now know that an army of private contractors and the US Military unlawfully monitors everyone's telephone traffic, all your contact lists, text messages, passwords, GPS locations with dates and time, Facebook posts & pictures, LinkedIn pages & pictures, your search engine keywords entered (yes – even the keywords typed in but you don't press the enter key), all web sites visited, all your credit card numbers, all your inbound and outbound e-mail messages, your voice-print, and facial image (for facial recognition devices planted around the world used to identify your movement). They have also now installed traffic cameras in all major metro areas and on police cars that scan license plate tags and store that information in databases. I believe those databases are shared with the NSA. They store all that information permanently, under your name, at the US Military's new massive Utah Data Center and can pull it up at any time in the future. They can even freely tap into the microphone and/or camera on your smart phone, tablet, laptop, PC, automobile's OnStar system, xBox and similar Internet connected devices. Rest assured – if it connects to the Internet – the US Military can tap into it and illegally monitor you. 

And now we have learned they have back door access into all of RSA's encryption tools.
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
1/15/2014 | 1:28:21 PM
Nice...
I have to applaud the speakers for standing up.  I personally think that if you are a security company who is entrusted with protecting data for millions of customers, citizens, and other corporate assets, you need to be held accountable for the morals behind it.  By agreeing to take government funds to inherently weaken a product doesn't reflect well on RSA, or EMC for that matter.  Why should security folks then want to be associated with a company who has been shown to think more about profits and deals than the strength of their product?  When they had a large breach, people still kept faith in RSA, maybe this is what it takes for people to realize that sometimes corporate sponsored events require some thought about what it means to be associated with such an organization.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3409
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

CVE-2014-4620
Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

CVE-2014-4623
Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

CVE-2014-4624
Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

CVE-2014-6151
Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.