Speak at the RSA shindig … or not. This is going to be good fodder for satire, ridicule, and …ultimately…another few shots across the bow of an approaching dystopia.
RSA is likely to lose a lot of business for its decision. It certainly has it coming. I have no idea whether it will make a long term difference…but I hope Colbert shreds them.
I took down your comment in Cory’s post due to the way it was started. Claiming stupidity on the part of our editors and telling them the direction to go means your comments will be deleted.
I said that the boycott was stupidity. I didn’t call your editors stupid.
As for telling them which way to go. No, they are the ones trying to tell me what I have to do. This is the industry I helped build. Cory was not there.
It is not your place here to decide our tactics. You have not earned that right.
Now I have sent Cory a longer message explaining the situation. A situation of which I have a lot more visibility than he does. If he wants to continue this then I suggest that he contact me first and I will explain what I think the outcome we need to achieve here is. I can guarantee that it is a lot more significant than anything he has proposed so far.
Now I am sorry if you misinterpreted my post. But what you are proposing here would only harm our side if you are successful.
@Chenille, they deleted my post where I gave the reasons why it is a bad idea to boycott a trade show where we are teaching people how to defend themselves against the NSA attacks. You can’t see it because it was deleted.
There is no evidence that RSA knew that the algorithm was sabotaged and absolutely no reason for the NSA to tell them. Explaining what they were up to would only reduce the chance of success.
RSA was for many years the principal opponent of the NSA. They used to produce posters with ‘sink clipper’. Can you imagine the people from Fort Meade risking approaching those people with a bribe? The most likely outcome would be that they would talk. They might not talk in public but the news would have got out.
The deal was known about at the time. There was even a press release. The amount was known in the industry as was the cover story that it was to put EC crypto in BSafe.
This kind of trapdoor in a random number generator is actually quite common. DUAL_EC_DRNG was not the first one where a hidden parameter could cause the seed to be released by a long way. It took ten years before we even started to realize that it was a potential problem.
We all agree that RSA got punked. Even RSA published an admission they got punked. But we still don’t have any proof that they knew they were being punked. As Cory points out, this was a really small amount to sell out for. That should cause people to ask if they really did sell out or if they were being socially engineered.
If the amount was $100m then there would be no doubt that this was a bribe. But they wouldn’t pay out that kind of money that way. And they wouldn’t bribe the company, they would have to bribe the person who was taking the decision.
I am saying that Cory is wrong to claim that RSA knowingly colluded with the NSA here. We do not have evidence of that yet and as Cory points out, the bribe wasn’t big enough for it to make sense.
We only have evidence of malfeasance by the NSA at this point. We only have evidence of negligence on RSA’s part at best. We do not have evidence of intent at this point.
“Ever since RSA got caught sabotaging its own products” is asserting that RSA knew what they were doing. I don’t see any evidence that makes that even likely. This was not an under the table deal. It was insider knowledge at the time if not actual public knowledge.
The engineers who would have to work on the proposal care a lot more about their personal brand than their current job. We can all find work very easily.
I was actually hoping to see what Cory had to say in rebuttal to your statements. Instead, I was surprised/not surprised to see your entire post deleted! Disappointed with boingboing this morning.
Hallam was welcome to repost the meat of his comment (and seems to have done), sans needlessly inflammatory insult. We generally don’t permit that sort of nerdesterone between commenters either: this isn’t usenet or a mailing list. It’s a heavily-moderated forum with, literally, a draconian ruler.
Well, I’ll tell you what would have happened if Colbert had not spoken at the WHCD–the world would then lack one of the most beautiful and searing roasts of all time. I’m still amazed Bush didn’t have the plug pulled (or some other similar shenanigan). Colbert’s performance that night was absolutely epic–let’s hope he pulls off another speech of that magnitude.
I am sorry about the comment being perceived as an insult. It was not intended as such.
If you guys want to help here with the fight back against the NSA then we would love to have you on board. But having random boycotts being called isn’t helping here.
Calling for a boycott on our one annual international trade show does not help us fight back against the NSA. That has to take precedence over punishing people even if it is proven they are guilty. I need the people from my tribe to be at that show so that they can tell people what they need to know.
Cory made a very strong accusation and the facts just don’t support it.
If you want to help then get in touch and we can make a serious campaign of it. But nothing is won by firing off at random targets. You don’t make or back a call for a boycott till you know that you have enough support for it to be credible. Otherwise you are making a test of strength that you can’t be sure you will win.
There has to be a demand as well. Punitive boycotts don’t work. They have to be forward looking and require some change. Demanding someone confess to something they didn’t do is not a logical demand.
If you really want to have a boycott I can give you a much better target: NIST has an annual conference on PKI. Sabotaging that would hit far closer to the source. It is a technical conference and we can easily set up a rival conference on the same dates with much bigger names.
We can easily replace internal industry events. We cannot easily replace outreach events where people from outside the industry attend. We only have one of those.
The R, S, and A in RSA the company and RSA the crypto algorithm both stand for the same thing - Rivest, Shamir, Adleman.
The three people who invented the algorithm in 1977 founded the company in 1982. The patent on RSA the algorithm was the starting basis for the profits of RSA the company.