Petition: Stephen Colbert, don't speak at the RSA conference

[quote=“hallam, post:35, topic:19255”]As for telling them which way to go. No, they are the ones trying to tell me what I have to do. This is the industry I helped build. Cory was not there.

It is not your place here to decide our tactics. You have not earned that right.[/quote]
This smacks of a guild - or the Catholic church, or the Boy Scouts of America - closing ranks to protect one of their own after they’d done something egregious.

This is not your fight only, and you are not the only person who gets to decide tactics.

2 Likes

That’s exactly the incident I was thinking of. He opened up a can of righteous shame on not only the President, but the warmonger-enabling members of the press who invited him and paid his speaker fees.

2 Likes

As I have told Cory in private mail. Very happy to have BoingBoing on side here but we need to talk and we need to have discussions. If Cory wants to go ahead after he has all the facts then fine.

Yes, we do close ranks to protect our own and we make no apologies. We were in the Crypto wars a long time and before it was fashionable. And we were the ones getting threatened and harassed.

At least before the BBS, it generally seemed that in situations like this, where the moderators took issue with the acceptability of small portions of content in otherwise informative and constructive comments, those sections were disemvoweled or otherwise changed, rather than having the entirety of a comment by someone (Hallam-Baker) who does appear rather notable in the field removed without a trace. Have practices changed? It’s rather irksome as I had initially seen the comment, and came back to this thread specifically to read it, only to find no evidence that it was ever there.

I also have to wonder somewhat at the appropriateness of at once repeatedly and harshly criticizing a commenter for perceived hostility and needlessly inflammatory tone while also deriding the commenter with terms like “nerdesterone.” If anything, the way the situation was dealt with seems to have escalated the hostility and disrupted the thread more than even doing nothing would have done. Surely a redaction of the offending portion, or even a reminder of the rules, would not have resulted in a calmer discussion and less disruption?

5 Likes

The fact that the amount was only $10m, and that RSA contributes $1b to EMC’s bottom line, is an indication that there’s something wrong with the received wisdom. Dr. Hallam-Baker’s argument – that RSA understood this as USG trying to jump-start the use of a more secure PRNG – makes more sense than RSA suddenly getting in bed with NSA for a tiny amount of money.

Remember, the story here is that nobody thought NSA would deliberately weaken standards. TAO and zero-day exploits? Sure. Drop acres of computing power to crack keys? Of course. But compromise standards bodies to gain an advantage? Unprecedented. (And remember that the deal was three years before the possible exploit in Dual_EC_DRBG was discovered.)

I assume that within NSA, the idea was that Dual EC is a better PRNG, and that the compromise was a tiny enough wedge that no other actor could find it. Of course, if an actor does get ahold of the values that allow state space prediction of the PRNG, then they also pwn crypto, so it’s kind of a big gamble to take even if you support the idea of NSA breaking standards. It’s hard to imagine RSA going along with such behavior, especially for 3 1/2 days’ worth of revenue.

The reason I reacted as I did initially was that I was offended by Cory’s claim that RSA was aware that they were being tricked. I see no evidence that that is the case.

He threw the first stone here, not me.

The people who have signed on so far for his boycott are rather less prominent in the industry than I am. … This is the industry I helped build. Cory was not there.

Your self-aggrandizement aside, can you please explain why that matters considering all the prominent people in the security industry that support the criticism of the RSA? Keep in mind, entire security firms oppose the RSA at this point as well. Do you trump them as well?

Do you happen to be more prominent than every security entity in the world that’s disturbed by the RSA actions (and inactions), lack of transparency and crafty “non-denying denial”?

https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

It is a pity that only arguments in favor of Cory’s boycott are permitted here.

That’s incorrect, my response to your post was deleted as well.

I said that the boycott was stupidity.

My feelings exactly with the actions of the RSA.

Remember… War is peace, freedom is slavery and “anonymity is the enemy of privacy”.

source: Head Of Computer Security Firm Says Anonymity Is The Enemy Of Privacy | Techdirt

This is our fight, not Cory’s. We are going to decide tactics, not him … It is not your place here to decide our tactics. … He threw the first stone here, not me… You have not earned that right. … Yes, we do close ranks to protect our own and we make no apologies.

That’s the kind of attitude that causes problems in the first place. And, who is this “we” you speak for? Are you a representative for the RSA? Why not just issue a formal statement for them?

Cory is echoing the concerns of many security experts all over the world. Also, our civil rights is Cory’s fight and all of our fight, not just yours.

The deal was known about at the time. There was even a press release.

Let’s avoid that kind of weasel-wording, please.

The RSA has admitted it was a secret deal. There was no “press release” back then for the NSA giving the RSA 10 million dollars in a secret deal. Was it a secret press release?

We all agree that RSA got punked.

No, we don’t. Give me 10 million dollars, I want to be “punked”.

The NSA screwed them over as well.

You keep acting like it wasn’t done in secret and the RSA has come clean (when they haven’t). The only reason we know about this secret NSA deal is because of Snowden’s whistleblowing.

The RSA has failed to produce a legitimate explanation that proves anything other than that it purposely promoted a bad product to developers.

DUAL_EC_DRBG was not the first one, by a long way, where a hidden parameter could cause the seed to be released. It took ten years before we even started to realize that it was a potential problem. … “Ever since RSA got caught sabotaging its own products” is asserting that RSA knew what they were doing. I don’t see any evidence that makes that even likely.

Via link above:

  1. The RSA has still failed to disclose the terms of RSA’s agreement with the NSA to use Dual EC DRBG. It also paints RSA as naive as to the NSA’s motives which is ludicrous once you know what happened 10 years earlier with Clipper Chip.

  2. Also, the RSA is trying to pass off the responsibility for using a back-doored Random Number Generator to the user. It became a NIST standard because RSA took the NSA’s money in the first place. Concerns about the algorithm were raised in 2006 and were included in NIST SP 800-90A as being unresolved. By 2007, RSA should have been sufficiently alarmed to investigate on its own. To say that they relied upon NIST as the arbiter is merely an attempt to shift responsibility away from itself as the producer and onto NIST.

  3. RSA cannot escape responsibility for offering a compromised BSAFE product for the last 9 years by saying “we just followed NIST” and “our customers had a choice”. This is a gross violation of its own mission statement not to mention its own illustrious history of defending the integrity of encryption against government attempts to weaken it.

More:

RSA tried to suggest that Dual EC DRBG was fairly standard when it decided to make it the default, but that wasn’t the case. In fact, as a few others have pointed out as well, the NSA actually used the fact that RSA had made it the default in its BSAFE toolkit to push Dual EC DRBG forward as a key standard via NIST, leaving out the tidbit where they had paid RSA $10 million. Carr further notes that, not too long before that, RSA’s former President and CEO, Jim Bidzos, had clearly stated that RSA needed to recognize that the NSA believed that RSA was the enemy:

“…For almost 10 years, I’ve been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we’re the real enemy, we’re the real target.”

While Bidzos was long gone from RSA when this deal was concluded, anyone working at RSA had to know that the NSA’s interests and RSA’s interests were not aligned. The fact that RSA appears to have, at least, looked the other way concerning the security of Dual EC DRBG, while quietly pocketing the money, is really damning.

source: Rsa conference stories at Techdirt.

And, once again, a non-denying denial doesn’t cut it. Why should it unless one is to be an apologist for the RSA?

2 Likes

The fact that the amount was only $10m, and that RSA contributes $1b to EMC's bottom line, is an indication that there's something wrong with the received wisdom.

Well, with that kind of logic, we could also say that your single purpose account is an indication that there’s something wrong with your post and a sign of RSA astroturfing.

Remember, the story here is that nobody thought NSA would deliberately weaken standards.

That's not the story.

The story here is that the RSA was very well aware that the NSA’s goals were not in line with their own in the past (see the RSA on the Clipper Chip) and still implemented weak security at the NSA’s bidding after a $10 million dollar payout.

Try to reframe that all you want, but that’s the story.

3 Likes

I guess I just didn’t understand why you were responding to my little post about the word “piddling” when you were actually disagreeing with Cory.

Wouldn’t a new comment saying “Cory is wrong” be more to the point?

If you are going to accuse people of conflict of interest: Jeffrey Carr’s company runs a rival conference, ‘Suits and Spooks’, that has been trying to make a niche in the cyber-engagement world. So if you are going to dismiss my comments on the presumption that someone who disagrees with you must have a conflict, I think you need to quote from people who don’t have an actual conflict.

Nine years later the chance that RSA has any idea whether the deal was secret or not is small. They probably don’t even know who was on the sales team. The only person I know that is still there from that era is Art himself.

Answering your other claim that RSA should have known that NSA can’t be trusted. That is an assertion being made with a heck of a lot of hindsight. Of course if you read the Snowden docs you can come to that view. But that does not mean that it is reasonable to have come to that conclusion at the time the decision was taken.

I did not expect the NSA to be so stupid as to set the precedent that civil nuclear power plants are fair game for cyber-attacks. But that is what they went and did. So now there is no doubt a team in Russia and China and Iran all looking at ways to attack our civil nuclear plants.

On the contrary, if anything it’s much more permissive now. The previous moderator would probably have just banned the guy.

It’s generally OK to be snarky and we like to avoid tone policing. But there’s a line–directly addressing someone by name, for example, as a prelude to an insulting remark–which takes it too far. What is too far? Among other things, something likely to generate retaliatory flaming, or which is likely to convince others that the discussion has gone toxic and is not worth joining.

A number of posts responding in hostile fashion to Hallam’s deleted post were also taken down, for example.

3 Likes

Answering your other claim that RSA should have known that NSA can’t be trusted.

It’s not a “claim”, it’s a statement of fact considering the NSA’s past and the RSA’s own past statements to the fact.

Jeffrey Carr's company runs a rival conference

Right, practice character assassination of Jeffrey Carr and imply he’s corrupt instead of dealing with the facts brought forward. You’re in league with global warming deniers at this point. I’ve already informed Carr and others of your statements here about him.

How do you explain all the other security experts that are upset with the RSA right now? Is it a vast conspiracy where they are corrupt and are all trying to bring support to their own rival conferences?

Instead of addressing facts or questions brought forward, you jump into character assassination. Is this how you want to represent the RSA? You’re just digging a deeper hole.

1 Like

Cory didn’t delete it and the fact that you think he cares that much about contrary opinions is adorable. There are plenty of comments disagreeing with Cory. How very strange that they remain!!

2 Likes

Phillip, we can disagree on the facts but when you lower yourself to character assassination, you lose the argument. My event is nothing like RSAC or any other security con. It provides a safe place for speakers and attendees to debate issues having to do with national security challenges, such as RSA’s decision to follow the NSA’s advice and make their back-doored algorithm BSAFE’s default option.

I see that you were at Verisign. Do you think that Jim Bidzos would have followed the NSA’s advice on making Dual EC DRBG BSAFE’s default if he were still in charge at RSA in 2004?

And really, this isn’t about the RSA Conference, or at least it shouldn’t be. It’s about boycotting RSA until it comes clean about why it collaborated with the NSA in 2004 at all, let alone for an alleged $10M payment. The conference boycott is just a symbolic act to raise awareness about RSA’s breach of trust with its customers.

2 Likes

What I said is that if people are going to start arguing about hypothetical conflicts of interest then actual ones are on the table. Pointing out a conflict of interest does not amount to character assassination in our business.

I think that Jim would have left the decision to his chief scientist who remained at RSA Labs at the time. And I am very certain his loyalties lie in the right place. The NSA story was very plausible. They had been pushing EC for a decade. Lots of early RNGs have the same flaw. We have been discussing them at length.

I don’t accept symbolic acts that have collateral damage. Encouraging people to skip out on our principal trade show is hurting our cause.

Now you are reduced to just hurling insults.

I do not represent RSA, they are a competitor.

Now you are reduced to just hurling insults.

Please stop projecting. I hurled facts, questions and called you out on your character assassination of Jeffrey Carr by implying he has ulterior motives for his RSA opinions.

I do not represent RSA

Then you might stop acting like it within this thread. I have a feeling even the RSA would appreciate it at this point as well.

Pointing out a conflict of interest does not amount to character assassination in our business.

Oh, please. You didn’t just randomly point out that Carr had what you perceived as a conflict of interest, you implied much more.

You’re obviously saying that Carr’s own desire to have people attend his own conference is sullying his approach to the RSA. Of course, that completely falls apart once anyone realizes that Carr had already chosen to speak at the RSA conference and only pulled out once the RSA issued its terrible “non-denial denial”.

Once again, how do you explain all the other security experts that are upset with the RSA right now? Is it a conspiracy where they are corrupt and are all trying to bring support to their own rival conferences or other supposed conflicts of interest? Do you really want to go there?

Maybe it’s time for an apology to Carr and let’s get back to the issues?

There is no “actual conflict of interest” between RSAC and Suits and Spooks. That’s my point. Your claiming one doesn’t make it so. It does, however, smack of grasping for whatever excuse is handy to support your argument.

I’m also amazed that you think that the same team that fought Clipper Chip would approve of an NSA endorsed encryption algorithm, or that Bidzos, who frequently and publicly denounced the NSA’s attempts to weaken RSA encryption, would just “pass off” any such request. I’ll take a hit of whatever you’re smoking, Philip. Here’s how the RSA Labs FAQ defined the NSA in 1998: “the NSA is widely viewed to be following policies that have the practical effect of limiting and/or weakening the cryptographic tools used by law-abiding U.S. citizens and corporations” (Source: http://www.emc.com/emc-plus/rsa-labs/standards-initiatives/nsa.htm)

RSA Security has broken trust with its customers and needs to explain how and why that occurred. Until that happens, if it ever happens, I propose that the company and its products be boycotted.

1 Like

This thread seems like the perfect place for this video as a reminder of what we’re fighting for:

h/t to Jacob Appelbaum via twitter

If you are going to make very pointed accusations about other companies working for the NSA then you have to be prepared to have your own position challenged. You are accusing RSA of fraud, of lying, of an intentional breach of trust. That is a pretty serious set of charges to make. Yet when it is pointed out that you are also in the conference business you claim that this is completely out of bounds.

I remember when the RSA conference was half a day and a hundred people showed up. Having a much smaller conference does not mean you are not in competition. Obviously knocking out the main conference is going to allow someone else to take over and everyone else has a chance to move up a rung. Your claiming that there is no conflict of interest does not make it so either. It certainly does not mean that it is illegitimate to point it out.

When the piece you quote from 1998 was written the NSA was preventing the export of crypto with a cipher strength greater than 56 bits, a strength known to be weak at the time. Now I don’t expect you to know the context because I don’t remember you being around then. But that is what is being referenced. When the NSA was weakening crypto in the 1990s they were doing it directly and entirely openly. It was not a backdoor, it was a front door and everyone knew it was there.

Are you a cryptographer or designer of crypto protocols? I don’t remember ever meeting you at IETF or W3C or any of the crypto circuit cons. Why do you think you are qualified to know what RSA should or should not have expected from the NSA? Do you know that almost all the crypto algorithms we use come from NIST or that these algorithms are the same ones that the federal government uses to secure its own resources?

That is why it appeared to be so unbelievable that NSA would have put in a backdoor. But it seems that the backdoor is actually a little more subtle. The backdoor only exists if you don’t change the curve used to generate the random numbers. Which is how they can make a device which is secure for government use but has a backdoor for non government use because most people would not know to change it.
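The “state space prediction” mentioned earlier in the thread and the last post’s point that the backdoor exists only while the standard’s fixed points are kept, worked through on a toy curve. This is an added example, not code from this thread, from RSA’s BSAFE or from NIST: the curve over GF(17), the generator, the secret e = 3 and the seed 2 are all constructed, and Q_ALT stands in for a point whose relation to P nobody holds.

```python
# Toy Dual_EC_DRBG: a constructed example, not the NIST P-256 constants or BSAFE code.
# y^2 = x^3 + 2x + 2 over GF(17) has 19 points (prime order); G = (5, 1) generates it.
PRIME, A, B = 17, 2, 2
G = (5, 1)

def ec_add(p1, p2):
    """Affine addition on the toy curve; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, PRIME) % PRIME
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, PRIME) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    return (x3, (lam * (x1 - x3) - y1) % PRIME)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k = 0 yields the identity (None)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def xcoord(pt):
    return None if pt is None else pt[0]

# The trapdoor: whoever fixed the constants knows E_SECRET with P = E_SECRET * Q.
E_SECRET = 3                      # constructed; nobody outside the designer holds the real e
Q_STD = G
P_STD = ec_mul(E_SECRET, Q_STD)   # (10, 6)
# Defender's fix: a Q chosen independently of P. 5*G stands in for a point whose
# discrete log relative to P nobody holds (on a real curve it cannot be computed).
Q_ALT = ec_mul(5, G)              # (9, 16)

def dual_ec_outputs(seed, q, n):
    """Dual EC step: s_i = x(s_{i-1} * P); r_i = x(s_i * Q); emit r_i.
    The real DRBG drops the top 16 bits of r_i; this toy emits the full x."""
    s, outs = seed, []
    for _ in range(n):
        s = xcoord(ec_mul(s, P_STD))
        if s is None:   # the identity can appear in a 19-point group; the seeds used avoid it
            raise ValueError("toy state hit the point at infinity")
        outs.append(xcoord(ec_mul(s, q)))
    return outs

def predict_next(r, e, q):
    """From one output r and the trapdoor e, predict the next output without the seed.
    Either square root of r^3 + A*r + B works: e*R and e*(-R) share an x-coordinate."""
    ys = [y for y in range(PRIME) if (y * y - (r ** 3 + A * r + B)) % PRIME == 0]
    if not ys:
        return None
    s_next = xcoord(ec_mul(e, (r, ys[0])))
    return None if s_next is None else xcoord(ec_mul(s_next, q))
```

With Q_STD every output lets predict_next name the following one from a single sample; with Q_ALT the same e produces wrong guesses, which is the whole content of “change the points and the backdoor is gone”.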