
'Obnoxious' RSA Protests, RSA Remains Mum

Posted by timothy
from the where-it-hurts dept.
An anonymous reader writes "By 'buying out' the most obvious lunch spot nearest the RSA conference yesterday, opponents and truth-seekers regarding RSA's alleged deal with the NSA raised awareness amongst attendees in the most brutal way possible: by taking away tacos and tequila drinks. Robert Imhoff, Vegas 2.0 co-founder, says, 'RSA could begin to fix this by going on the record with a detailed response about the accusations.'" I tried to get attendees of the conference to comment on camera — even a little bit — on what they thought of the NSA spying revelations, and not a single person I approached would do so. The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell. Especially at a conference where the NSA is surrounded by vendors who sell the hardware and software that enables your "mere" metadata to be captured and sifted, plenty of the people on the floor know that the companies they work for are or might one day be seeking contracts to do all that capturing and sifting, even if they'd rather not be subject to it personally, so they don't want their face shown saying so.
  • > 'RSA could begin to fix this by going on the record with a detailed response about
    > the accusations.'"

    Which we'd all of course believe.

    • Re: (Score:2, Interesting)

      by wiredog (43288)

      They already did.

      • Re:On the record (Score:5, Interesting)

        by thue (121682) on Thursday February 27, 2014 @11:49AM (#46357835) Homepage

Are you referring to this "defense" by RSA's CTO Sam Curry, which Matthew Green and Matt Blaze have had so much fun ridiculing? http://blog.cryptographyengine... [cryptograp...eering.com]

        RSA Security really haven't made anything close to a coherent defense.

        • by Soulskill (1459) Works for Slashdot

          What would amount to a coherent defense, to you?

          Situations like this are pretty hard to unravel. RSA can protest until they're blue in the face, but the nature of the accusation is such that their statements are already suspect. Add to that the level of distrust associated with the NSA, and the NSA's potential power over RSA. Evaluating any unprovable denial simply boils down to whether we trust RSA or not -- which is the same question we're already facing.

          So, what about provable denials -- what evidence co

          • by thue (121682)

For starters, they can come clean. All their press releases have been exercises in trying to say as little as possible, and be as misleading as possible while still not literally lying. For example, their non-denial of the $10,000,000 deal with NSA had half the press falsely reporting that RSA claimed there was never any $10,000,000 deal [bbc.com].

            Dual_EC_DRBG has been documented since 2006/2007 to be an insecure CSPRNG, even without the backdoor. I knew about it for example, and I do not even work in that field. The on

            • by Darinbob (1142669)

              By saying "come clean" you are automatically assuming they are guilty. Thus any denial they make would be rejected.

              • by thue (121682)

                I freely admit that I assume they are guilty because of 1) all the damning evidence 2) their refusal to defend themselves.

                And I submit that all reasonable persons should assume they are guilty for the same reasons. Assuming they are not guilty would be incredibly stupid.

        • by Darinbob (1142669)

          But part of that is true: elliptic curve was in vogue, and is in use in many places. However the Dual_EC is the one we're talking about.

          Overall though, I get a very strong feeling that everyone is reacting at a gut level, as there is no evidence of collusion or a backdoor. All we have is a past presentation about how Dual_EC has some problems, RSA uses it anyway, and a journalist paraphrasing something Snowden said. What has changed is not any direct proof but instead the tenuous trust between organizati

    • by tomhath (637240)
      While they're at it they should also produce Obama's birth certificate.
  • by korbulon (2792438) on Thursday February 27, 2014 @10:31AM (#46356811)
    As if the NSA doesn't already know what they really think.
  • by TWX (665546) on Thursday February 27, 2014 @10:38AM (#46356877)
    First, they came for my tacos. But I did not speak out because I was not a taco...

    Then they came for my tequila drinks. But I did not speak out because I was not a tequila drink...
  • by sirwired (27582) on Thursday February 27, 2014 @10:41AM (#46356897)

    I don't think this little stunt has anything to say about a "problem with a surveillance society"; they have something to say about a problem with some a$$hole ambushing some geeks at a tech conference that just want to get their lunch and get back to the conference sessions.

    And the RSA did go on record. They said it wasn't true. As far as going into the gory details of the contract? Contract details of any contract, with any customer, are generally not something a security company is ever going to disclose. That's not surveillance-state paranoia or evidence of evildoing; it's routine business practice.

    • routine (Score:1, Insightful)

      by Anonymous Coward

      If the contract is such that you are abetting the government in unconstitutional searches, then well, it seems worthy of getting pissed off about and definitely worthy of being labeled "surveillance state".

      As a long time (and lazily anonymous, sue me) reader of slashdot I'm always amazed at how many commenters seem willing to give companies/corporations/government a pass because it's just "routine" business practice.

If it's routine for a company not to tell me how it makes its product, okay fine (maybe).
      If

      • The RSA has already explicitly said the contract doesn't say what they are accused of it saying. What else do you want them to do? They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

        Now, I'm not saying that RSA isn't lying, but if they were, would you believe that any contract they produced was an accurate one? Probably not. Talk about "Damned if you do, damned if you don't."

        • by Goldsmith (561202) on Thursday February 27, 2014 @11:29AM (#46357501)

Sure, they can release the details of that contract. Government contracts are supposed to be public. Go take a look at usaspending.gov and fpds.gov. There are plenty of security contracts posted there, just not any between RSA and NSA. It's not the easiest system in the world to navigate; you have to know a lot about government contracting to make sense of it.

But, you'll see military hardware contracts, homeland security database contracts, all of them are published on federal websites as a matter of course (you have to get special approval to not post a contract publicly). The government mandates this so that competing companies and the public can see that they're getting a "fair deal". Never mind that a lot of these show they weren't competed; no one actually takes advantage of government transparency when it's available.

          • by tomhath (637240)

            Government contracts are supposed to be public.

            Actually, no. They're usually kept confidential.

          • The defense and intelligence parts of the budget have very large parts that are a "black box". As well they should be. It's a bit difficult to carry out secret projects if all your contracts are open to anybody that wants to read them.

            Yes, such contracts are vulnerable to abuse and oversight problems. But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.

            • by BobMcD (601576)

              But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.

              Because WikiLeaks doesn't exist?

        • by thue (121682)

          > They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

          Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters was for example to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.

          RSA Security also have not yet given a good explanation for why they ignored the multitude of red fl

        • by Arker (91948)
          "The RSA has already explicitly said the contract doesn't say what they are accused of it saying."

          Link? Because what I remember reading from them was more of a very carefully calculated non-answer. Did not deny the elements of the crime, but very vaguely denied any intent. An evasive, lawyerly answer, not a straightforward denial at all.
          • by Darinbob (1142669)

            So have you stopped beating your wife? Trouble with that sort of question is that you can't say yes and you can't say no, and it's intentionally designed to be highly provocative so the answer is very likely to be "fuck off you, go bother someone else."
            So when someone is asked "please give us details of the crime we all know you committed" you are going to get that sort of answer.

        • by sjames (1099)

          Proving it would be good.

          Imagine an FBI agent. He has been spotted accepting a large sum of money from a prominent mob boss. He 'just happens' to have recently made a few odd decisions in his investigation that were very favorable to the very same mob boss. Do you expect anyone to just accept when he says 'it wasn't a bribe'?

          That's why FBI agents avoid having private transactions with shady characters.

          RSA chose to lie down with dogs and so they now have fleas.

          • by Darinbob (1142669)

Except that many many people are working with the NSA. It was commonplace to do this for a very long time. Companies and researchers worked with them because NSA was the undisputed expert in crypto. Their mission statement was not to spy on US citizens; that is only a recent discovery. For much of their history they worked to improve and strengthen crypto standards and this is documented.

            Right now there is a hint that there is a backdoor, a hint that RSA took money, and these hints are troubling. Howe

            • by sjames (1099)

              It's a wee bit more specific. RSA made a truly bizarre choice to default to a broken RNG that had absolutely no benefit and many risks (it was slower, more memory hungry and untested). We know the NSA created that RNG to be subtly weak. We know that RSA took a largish payoff.

              They either got suddenly stupid or they took a payoff. Neither suggests confidence in their products or recommendations.

              Yes, many have worked with the NSA in the past. Some stopped after the world found out the NSA was not what they tho

      • by jythie (914043)
        Ahm.. not posting private contracts is a pretty reasonable 'routine' business practice. That is not a 'pass' it is a 'of course they are not going to publish it', and looking to it as proof they were up to something nefarious is just another 'if you are not guilty you have nothing to hide' argument.
      • by Darinbob (1142669)

        You're mixing two things together. First you assume a-priori that they must be guilty in assisting in spying or in adding a backdoor. Second they got a contract. You conflate the two into assuming that they got a contract in order to add the back door. No one is saying it is routine to give away our info to the government, and no one is defending that.

        All we really have right now are accusations but no real evidence. Now the contract from NSA would be fishy if it was the only contract they ever got and

    • by fuzzyfuzzyfungus (1223518) on Thursday February 27, 2014 @11:32AM (#46357537) Journal
      Pity the poor hatchetmen, cruelly interrupted during lunch. I, for one, fear for the future of a society that respects the privacy of others so little...

      Do I think that Our Fearless Correspondent is even remotely effective in his stated aims? Not with those tactics, he'd be hard pressed to get someone to tell him the time.

      Should we care about that? Do RSA's little minions deserve to throw a veil of contractual secrecy over their lunch hour, lest their delicate feelings be offended by the sight of disapproval?

      In a situation where legal redress is, in all probability, a fantasy; but displeasure is very real, isn't social disapproval an excellent response? Wouldn't it be delightful if admitting to working for a spook contractor was about as pleasant as admitting that you take the long way around that school zone because you are a convicted sex offender? Now, especially without good evidence tying individual people to individual pieces of work, you don't want to go overboard; but it would be downright wholesome if the penalty for collaboration was constant exposure to contempt.
• Most of the attendees at a tech conference are front-line IT grunts (and their managers) sent there by their boss to learn about new products, techniques, etc. Most of them don't work for RSA, nor will most have been in charge of the buying decision to purchase RSA products.

        This isn't a "veil of contractual secrecy" being thrown... this is some more-or-less random schmoe having a complete stranger asking him questions on camera on something on which he doesn't have enough information to make an intelligent

    • by Guppy06 (410832)

      some geeks at a tech conference

      They're called "enablers."

      • by Darinbob (1142669)

        They've invented color photography decades ago, and they even have color televisions now. Why is your world still in black and white?

    • by thue (121682)

      > And the RSA did go on record. They said it wasn't true.

      What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.

      If you read the keynote from the current RSA Conference [blogspot.dk], RSA's defense is that they stopped independently creating and verifying the cryptographical algorithms, instead just gett

      • by thue (121682)

        > What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal.

        That should of course have been:

        > What RSA Security has specifically said is that they didn't know about the backdoor when they made the $10,000,000 deal.

    • If the allegation is that the contract violates constitutional laws and especially if one of the partners in said contract is a branch of the government, I'd at the very least expect a general attorney to take a look at the contract. The accusation here is nothing less than RSA conspiring with a government agency to undermine constitutional rights of US citizens.

      That's not enough to get a GA moving? Really? Guess they first have to torrent a few movies.

    • When I read what they had to say, what they seemed to be explicitly denying is that they specifically knew they were putting a back door in at the time. There was a lot of other fluff, but no substantive statement.

      Here's one scenario consistent with what I read: RSA accepted $10M from the NSA to put in certain specific values in their cryptosystem, and did not at the time bother to look if it might be a back door. It was in fact a back door, and they continued pushing it for years. AFAIK, they haven'

• Did you RTFA? They only turned away people who PAID to be at the conference. "Expo Only" passes, i.e. plain old tech people, were allowed access. It is also worth noting that you are attempting to claim something as a "tech conference" and blatantly ignoring the fact that it is a SECURITY CONFERENCE. "How many free lunches has RSA given you?" is probably a better question, seeing all of your pro-RSA talk on these topics.
      • "Plain old tech" people get paid conference passes all the time. Your company buys X amount of stuff from Y vendor (or a business partner), the vendor account rep provides your company with Z full conference passes gratis, and most of those passes end up in the hand of front-line IT grunts (they are the ones most of the education classes are targeted for.) These grunts are no more likely to be familiar with the particular facts of what they were getting interrogated on than any other geek.

        Also, it IS a te

  • Bad inference (Score:5, Insightful)

    by DoofusOfDeath (636671) on Thursday February 27, 2014 @10:46AM (#46356945)

    The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell.

    Stupid reasoning. There are plenty of other reasons these people might not want to publicly comment. The most likely is that they're not authorized to speak for their employers, and fear rebuke or dismissal at their workplaces if they speak publicly on the topic.

    • by Trepidity (597)

      Also, the pained facial expressions might be related to the lack of tacos and/or tequila drinks.

    • by jythie (914043)
      Or even the rather pedestrian 'people do not like random bloggers shoving a camera in their face and just want to go about their business'. When someone does that to me, I do not care what the topic or question is, they still annoy me and I am not in a mood to cooperate or even interact with them.
    • by sl3xd (111641)

      +1 to this.

      It's fairly common for companies to have required IT products, such as RSA. Then they send their employees out to improve their knowledge of the "blessed" product(s).

      The employees are often obligated to attend the conference, and are also (due to corporate policy) unable to say much, just in case those comments can be construed as company opinion.

      So yeah... you have these poor attendees who are pretty much like "Look, I don't know anything anyway, my attendance was mandated by someone else. Why a

      • by Darinbob (1142669)

There are a lot of RSA customers, so it is reasonable to expect them to show up at the RSA conference. Similarly those customers should not be expected to do a recall of all their product lines and rewrite all the code so that they can ditch RSA as soon as possible (especially if not using Dual_EC!). Second, the RSA conference, despite the name, is not only about RSA products. It's an important venue to go to in order to learn about new products from a large variety of vendors, to network with other people

  • Jeffrey Carr has a good point from the RSA Conference keynote:

    > "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

    So up until then, they apparently considered all the criticism of RSA sec

  • Look, the NSA has already done more damage to the United States technology industry than any other enemy. RSA and the rest are just private branches of the state. Fuck them.
