Petition: Stephen Colbert, don't speak at the RSA conference

Yes, they were doing it openly in the 90’s and failed. They found a way to do it covertly in 2004-06 and succeeded. Nothing changed regarding the NSA’s objective to weaken commercial encryption between 1994 and 2004. The only thing that changed was the tactics.

I’m not a cryptographer, but I can read the work of at least a half dozen cryptographers who warned NIST about that encryption algorithm. And, thanks to the work by New York Times and Reuters journalists who also aren’t cryptographers but who can read NSA memos, we know that RSA was either incompetent or complicit. Neither should be acceptable to its customers or to the security industry.

1 Like

Yes, why shy away from anyone – it implies that someone else is bigger threat than you are…

Wait, WTF do they need to drag out old footage of Nixon for?
Can’t we just show the current inhabitant of 1600 Penn as he glibly brushes aside Constitutional and civil rights arguments?

I know it's standard Boomer rhetoric to drag out Nixon as the penultimate evil, but the current scope of domestic spying and the lying about it from the executive office is something Nixon only could've imagined in his sweetest dreams.

You can read the intelligence but you are doing a disservice to others by insisting on your own analysis.

Take a look at this post by Matthew Green (provided to me by Jon Callas).

He points out that Schnorr and Micali proposed RNGs with essentially the same flaw but based on RSA.

I would not have used that RNG back then. I always fold all crypto through a one way hash precisely to prevent any contamination. But that is because I don’t trust any algorithm completely unless I need to.

You are underestimating the subtlety of the NSA approach. Before you start calling for boycotts come and discuss this with us on the cryptography lists.

I need people to be in San Francisco so that we can tell them how to defend themselves. There is too much collateral damage in that particular sanction.
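The post above describes folding every random value through a one-way hash before use so that no single generator can contaminate the result. The following is an added illustration of that practice (not code from the thread or from any of the people in it): a small combiner that hashes the output of an untrusted DRBG together with independent OS entropy, so the raw generator output is never exposed to callers and a state-leaking or predictable generator on its own cannot determine the final bytes. The function name and the domain label are assumptions.

```python
import hashlib
import os

# Hypothetical combiner (not from the thread): hash every input source into a
# seed, then expand with a counter. Raw DRBG output never leaves this function.
DOMAIN_LABEL = b"fold-rng-v1"  # constructed domain-separation label


def fold_random(untrusted_chunks, os_bytes=None, out_len=32):
    """Return out_len bytes derived from all sources via SHA-256.

    untrusted_chunks: list of byte strings from generators you do not fully
                      trust (e.g. a vendor DRBG).
    os_bytes:         independent entropy; defaults to os.urandom(32).
    """
    if not untrusted_chunks:
        raise ValueError("at least one input chunk is required")
    if os_bytes is None:
        os_bytes = os.urandom(32)

    h = hashlib.sha256()
    h.update(DOMAIN_LABEL)
    # Length-prefix each input so (b"ab", b"c") and (b"a", b"bc") differ.
    for chunk in untrusted_chunks:
        h.update(len(chunk).to_bytes(4, "big"))
        h.update(chunk)
    h.update(len(os_bytes).to_bytes(4, "big"))
    h.update(os_bytes)
    seed = h.digest()

    # Counter-mode expansion: each block is SHA-256(seed || counter).
    out = bytearray()
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:out_len])


if __name__ == "__main__":
    # Constructed sample: pretend this came from an untrusted generator.
    sample = bytes(range(32))
    print(fold_random([sample], out_len=48).hex())
```

The hash only helps when at least one input is unpredictable to the observer; if every source is known to them, folding changes nothing, which is why independent OS entropy is always mixed in.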

Can't we just show the current inhabitant of 1600 Penn as he glibly brushes aside Constitutional and civil rights arguments?

They showed Obama's NSA guy do that and Obama's implications are implied except to anyone who has been living on another planet.

Wait, WTF do they need to drag out old footage of Nixon for?

I dunno, just to irk pedants? ;) I think the references to Nixon were quite self-explanatory in the video.

I don’t know why you’re complaining to me about it, contact the people that made the video and offer your constructive criticism (if that’s your goal) or you can put together a superior video if you’ve got the impetus to do so.

Do they at least get points for trying or are you only able to find negatives in the video?

You can read the intelligence but you are doing a disservice to others by insisting on your own analysis.

Speak for yourself, I and many others have found his analysis to be quite a service. You, on the other hand, not so much. You're also conveniently leaving out the fact that many other security experts share his concerns.

You are underestimating the subtlety of the NSA approach.

So your defense for the RSA is that the NSA is “sneaky”? Once again, that’s no excuse considering the NSA’s past and the RSA’s own past statements on the NSA in that regard. Carr and others have already addressed this multiple times, but you continue to ignore him, his links and the links I’ve provided you.

That’s also no excuse for the RSA’s current “non-denial denial” fiasco.

Also, how do you keep missing things like this? Please read this time:

https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html

If you are going to make very pointed accusations about other companies working for the NSA then you have to be prepared to have your own position challenged.

Hmmm… that sounds very similar to the NSA and the corporate mass media attacks on Edward Snowden's character after his whistleblowing. Also, you continue to attack Jeffrey Carr's character, not his positions. Which, once again, reminds me of the attacks on Snowden.

It’s also amazing you can say something like that without any sense of irony after some of the things you said earlier such as:

"… This is our fight, not Cory's. We are going to decide tactics, not him … It is not your place here to decide our tactics. … He threw the first stone here, not me… You have not earned that right. … Yes, we do close ranks to protect our own and we make no apologies. …"

I need people to be in San Francisco so that we can tell them how to defend themselves. There is too much collateral damage in that particular sanction.

Once again, reminds me of the NSA rhetoric. There'll be dangerous consequences (collateral damage) if there's a boycott of one RSA conference.

Maybe the RSA should have thought of that before they signed a 10 million dollar deal with the devil in secret?

Besides, if the unlikely truth of the matter is this is nothing more than gross ineptitude on the part of the RSA (as you keep implying), then their conference loses credibility just on that alone.

There are other conferences that exist and security experts will very much thrive without the RSA conference that bases itself on either gross ineptitude and negligence or corrupt collusion with the NSA.

Only RSA Conference has a significant trade show. Black Hat is focused on a particular segment.

And yes, of course I have read Bruce's blog and the papers. I know Bruce; I have met him several times since Snowdonia hit. I read the DUAL_EC stuff when it came out. But you don't have context. The papers only show that there was the potential to do something malicious.

We had the same situation back in the DES days and some people proposed using DES with random S boxes. Turns out that it makes the cipher vulnerable to differential cryptanalysis if you do that. In that case what people alleged was a trick was actually strengthening the system.

You are basing all your statements on hindsight.

The part that has not yet been demonstrated is how the backdoor could be weaponized unless someone was being very careless. I don’t know of anyone using BSafe for SSL, all the crypto libs have their own schemes. Dumping the seed would certainly be a threat there. Using BSafe to generate a public key pair is more likely but the leaked key is only going to show into the private key components at best.

Now it is very likely that there is yet more cleverness that I can’t see through and the NSA had a way to cash out this particular scheme. But so far nobody has found a system that would be made vulnerable through this hole. Which is not evidence that it does not exist but it is evidence someone should go look for them.

You are basing all your statements on hindsight.

Hindsight is the basis for almost all statements. :smiley:

Look, don’t get me wrong, I think we’re on the same side of many issues including our mutual derision and distrust of the NSA, etc. - I can even empathize with you that the RSA conference is (typically) a force for good.

But, we’ll just have to agree to disagree that it’s a good idea to attack those who decide to boycott the RSA conference due to the RSA’s sketchy “non-denying denial” which is the crux of most of the contempt thus far.

Once the RSA is more forthcoming and offers some proper explanations, I think then we’ll be more back in line together, perhaps. Until then, I agree with the boycotts or at the very least criticisms and distrust of the RSA. You don’t agree, but many of us think that the RSA still has some splainin to do.

1 Like

It’s not the money: it’s his ability to skewer that matters. And these people sound like they need skewering!

This is the only thing I could imagine why it was taken down. But I agree with Hallam’s take below: “this stupidity” referred to Cory’s chosen course of action, supported by the weight of the contributor’s knowledge of the field as compared to Cory’s; it did not read as a personal attack. The rest of the post was a highly informed and articulate argument against Cory’s course of action. If this is not permitted as a course of policy, then that’s a huge loss for the BBS because you’re missing out on valuable contributions.

(I wouldn’t dream of telling you the direction to go in terms of moderation policy, mind you. See how much that definition excludes though?)

The rest of the post was a highly informed and articulate

Not really. Calling the boycott an action of stupidity right off the bat? Comparing hacktivists to organized crime? Saying “we” don’t need to be told by “outsiders” what to do, etc.? The post was insulting and full of over the top, shrill hubris.

Wait a sec, why are you still whining about that post? He’s reposted most of it minus the most ridiculous parts and that’s still here in this thread. Time to get over it, I think.

The great post deletion of 2014 shall be remembered forever. I lost a post there too and I'm still shaking in horror. Start a website in its honor or something and let's try to move on. :smiley:

@hallam’s continuing posts may have been articulate on some technical level (the specifics of the technology and timeline are well beyond my feeble comprehension). However, they’ve struck me as being woefully inarticulate in any human sense.

As far as I can see, the bulk of his argument has been that he is a very, very prominent person, more prominent even than any of the other people. If that’s not convincing enough, he’s also been doing a thing for a long, long time. Also, he knows some drop-worthy names.

It’s been kind of amazing to observe, actually, as someone without a dog in the fight. Specifically, to see how someone with an apparently vast knowledge of the back-end of internet stuff can fail so completely at using the front end.

3 Likes

I have repeatedly asked Cory to come talk to the community and help decide what our tactics should be. If he wants to be involved that is great. But he has to be willing to listen to more of us than just the people he thinks already agree with the course of action he had already set.

We do security. We spend our time thinking about attacks and vulnerabilities. We are a lot more practiced at getting the effect we want than he is.

But he does not seem to be interested in talking with us. That is the problem. I have been talking to the people he cites as calling for a ‘boycott’ and his representation of their position. I don’t think he has all the information.

What this amounts to is a ‘drive by’. I am not impressed when someone unilaterally decides and then promotes a course of action that will damage our industry response to the biggest attack we have ever seen and then disappears.

As for the issue of 'hacktivists' being a problem like organized crime: Absolutely.

Having an opinion, a keyboard and hacking tools does not turn someone into an ethical human being. There are hacktivists on both sides of every dispute and many are far more engaged in personal promotion than their causes.

The Israeli and Palestinian hacktivists have been going at each other for over a decade since a bunch of Israeli hacktivists tried to take Hamas and Hezbollah offline. Then Palestinian hacktivists started attacking Israeli firms and the dispute has been escalating round after round ever since. At this point the Palestinian hacktivists seem to have the upper hand since they have a 'target rich' environment while there is virtually nothing left for the Israelis to pwn. So the Israeli hacktivists have turned themselves into pricey security consultants teaching people to protect themselves against the attacks they personally provoked.

And there are plenty of hacktivists who are also organized crime rings. The Russian Business Network used to host the Web site of a Russian fascist organization that beats up people suspected of opposing Putin.

Unless you buy the story that there is a group of retired NSA staffers selling hacking services to US corporations wanting to attack political opponents, 'Climategate' was a hacktivist attack. We don't need cyber attacks to prove climate change is true.

3 Likes

And there are plenty of hacktivists who are also organized crime rings.

You can say that about people who wear hats as well.

Specifically, to see how someone with an apparently vast knowledge of the back-end of internet stuff can fail so completely at using the front end.

It's often par for the course. He's one of those guys you keep in the basement of the office building and hide from most clients, etc. ;)

Granted, he does know his tech stuff and has an impressive tech history, but he’s just not able to connect some dots at certain levels of granularity once it gets complicated with messy, societal stuff. Ego, brain wiring, etc. can really cloud the waters for beautiful minds as well.
