'Obnoxious' RSA Protests, RSA Remains Mum 99
An anonymous reader writes "By 'buying out' the most obvious lunch spot nearest the RSA conference yesterday, opponents and truth-seekers regarding RSA's alleged deal with the NSA raised awareness amongst attendees in the most brutal way possible: by taking away tacos and tequila drinks. Robert Imhoff, Vegas 2.0 co-founder, says, 'RSA could begin to fix this by going on the record with a detailed response about the accusations.'" I tried to get attendees of the conference to comment on camera — even a little bit — on what they thought of the NSA spying revelations, and not a single person I approached would do so. The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell. Especially at a conference where the NSA is surrounded by vendors who sell the hardware and software that enables your "mere" metadata to be captured and sifted, plenty of the people on the floor know that the companies they work for are or might one day be seeking contracts to do all that capturing and sifting, even if they'd rather not be subject to it personally, so their don't want their face shown saying so.
On the record (Score:2)
> 'RSA could begin to fix this by going on the record with a detailed response about
> the accusations.'"
Which we'd all of course believe.
Re: (Score:2, Interesting)
They already did.
Re:On the record (Score:5, Interesting)
Are you referring to this RSA's CTO Sam Curry's "defense", which Mathew Green and Matt Blaze has had so much fun ridiculing? http://blog.cryptographyengine... [cryptograp...eering.com]
RSA Security really haven't made anything close to a coherent defense.
Re: (Score:2)
What would amount to a coherent defense, to you?
Situations like this are pretty hard to unravel. RSA can protest until they're blue in the face, but the nature of the accusation is such that their statements are already suspect. Add to that the level of distrust associated with the NSA, and the NSA's potential power over RSA. Evaluating any unprovable denial simply boils down to whether we trust RSA or not -- which is the same question we're already facing.
So, what about provable denials -- what evidence co
Re: (Score:3)
For starters, they can come clean. All their press releases have been exercises in trying to say as little as possible, and be as misleading as possible whiile still not literally lying. For example, their non-denial of the $10,000,000 deal with NSA had half the press falsely reporting that RSA claimed there never any $10,000,000 deal [bbc.com].
Dual_EC_DRBG has been documented since 2006/2007 to be an insecure CSPRNG, even without the backdoor. I knew about it for example, and I do not even work in that field. The on
Re: (Score:2)
By saying "come clean" you are automatically assuming they are guilty. Thus any denial they make would be rejected.
Re: (Score:2)
I freely admit that I assume they are guilty because of 1) all the damning evidence 2) their refusal to defend themselves.
And I submit that all reasonable persons should assume they are guilty for the same reasons. Assuming they are not guilty would be incredibly stupid.
Re: (Score:2)
But part of that is true: elliptic curve was in vogue, and is in use in many places. However the Dual_EC is the one we're talking about.
Overall though, I get a very strong feeling that everyone is reacting at a gut level, as there is no evidence of collusion or a backdoor. All we have is a past presentation about how Dual_EC has some problems, RSA uses it anyway, and a journalist paraphrasing something Snowden said. What has changed is not any direct proof but instead the tenuous trust between organizati
Re: (Score:1)
It's not like saying nothing will be of any use (Score:3)
Re: (Score:2)
Maybe (Score:2)
Re: (Score:2)
You mean, you'd like some privacy? You do get the horror of that, don't you?
And when the came for me... (Score:3)
Then they came for my tequila drinks. But I did not speak out because I was not a tequila drink...
Re: (Score:2)
Re:And when the came for me... (Score:4, Funny)
First they came for the tacos, and I did not speak out -- because we had a CmDrTaCo.
Then they came for the tequila drinks, and I did not speak out -- because I was more a fan of Wine.
Then they came for the chips 'n dips, and I did not speak out -- because everyone had moved on to Slashdot
Then they came for Slashdot, -- there was no one left to speak for it...
Re: (Score:2)
(sig)
Re: (Score:2)
Re: (Score:2)
You have no chance to survive make your time.
What did you expect? (Score:5, Insightful)
I don't think this little stunt has anything to say about a "problem with a surveillance society"; they have something to say about a problem with some a$$hole ambushing some geeks at a tech conference that just want to get their lunch and get back to the conference sessions.
And the RSA did go on record. They said it wasn't true. As far as going into the gory details of the contract? Contract details of any contract, with any customer, are generally not something a security company is ever going to disclose. That's not surveillance-state paranoia or evidence of evildoing; it's routine business practice.
routine (Score:1, Insightful)
If the contract is such that you are abetting the government in unconstitutional searches, then well, it seems worthy of getting pissed off about and definitely worthy of being labeled "surveillance state".
As a long time (and lazily anonymous, sue me) reader of slashdot I'm always amazed at how many commenters seem willing to give companies/corporations/government a pass because it's just "routine" business practice.
If it's routine for a company not to tell me how it makes it's product, okay fine (maybe).
If
On what basis can you make this demand? (Score:3, Insightful)
The RSA has already explicitly said the contract doesn't say what they are accused of it saying. What else do you want them to do? They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.
Now, I'm not saying that RSA isn't lying, but if they were, would you believe that any contract they produced was an accurate one? Probably not. Talk about "Damned if you do, damned if you don't."
Re:On what basis can you make this demand? (Score:4, Insightful)
Sure, they can release the details of that contract. Government contracts are supposed to be public. Go take a look at usaspending.gov and fpds.gov There are plenty of security contracts posted there, just not any between RSA and NSA. It's not the easiest system in the world to navigate, you have to know a lot about government contracting to make sense of it.
But, you'll see military hardware contracts, homeland security database contracts, all of them are published on federal websites as a matter of course (you have to get special approval to not post a contract publically). The government mandates this so that competing companies and the public can see that they're getting a "fair deal". Never mind that a lot of these show they weren't competed, no one actually takes advantage of government transparency when it's available.
Re: (Score:2)
Government contracts are supposed to be public.
Actually, no. They're usually kept confidential.
Re:On what basis can you make this demand? (Score:4, Informative)
I worked as a government employee overseeing R&D contracts. It wasn't that long ago. We were required to post the contracts publically. They're on the websites I mentioned...
Re: (Score:2)
Not all contracts are public (Score:2)
The defense and intelligence parts of the budget have very large parts that are a "black box". As well they should be. It's a bit difficult to carry out secret projects if all your contracts are open to anybody that wants to read them.
Yes, such contracts are vulnerable to abuse and oversight problems. But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.
Re: (Score:2)
But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.
Because WikiLeaks doesn't exist?
Re: (Score:2)
> They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.
Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters was for example to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.
RSA Security also have not yet given a good explanation for why they ignored the multitude of red fl
Re: (Score:3)
Link? Because what I remember reading from them was more of a very carefully calculated non-answer. Did not deny the elements of the crime, but very vaguely denied any intent. An evasive, lawyerly answer, not a straightforward denial at all.
Re: (Score:2)
So have you stopped beating your wife? Trouble with that sort of question is that you can't say yes and you can't say no, and it's intentionally designed to be highly provocative so the answer is very likely to be "fuck off you, go bother someone else."
So when someone is asked "please give us details of the crime we all know you committed" you are going to get that sort of answer.
Re: (Score:2)
Proving it would be good.
Imagine an FBI agent. He has been spotted accepting a large sum of money from a prominent mob boss. He 'just happens' to have recently made a few odd decisions in his investigation that were very favorable to the very same mob boss. Do you expect anyone to just accept when he says 'it wasn't a bribe'?
That's why FBI agents avoid having private transactions with shady characters.
RSA chose to lie down with dogs and so they now have fleas.
Re: (Score:2)
Except that many many people are working with the NSA. It was common place to do this for a very long time. Companies and researchers worked with them because NSA was the undisputed expert in crypto. Their mission statement was not to spy on US citizens, that is only a recent discovery. For much of their history they worked to improve and strengthen crypto standards and this is documented.
Right now there is a hint that there is a backdoor, a hint that RSA took money, and these hints are troubling. Howe
Re: (Score:2)
It's a wee bit more specific. RSA made a truly bizarre choice to default to a broken RNG that had absolutely no benefit and many risks (it was slower, more memory hungry and untested). We know the NSA created that RNG to be subtly weak. We know that RSA took a largish payoff.
They either got suddenly stupid or they took a payoff. Neither suggests confidence in their products or recommendations.
Yes, many have worked with the NSA in the past. Some stopped after the world found out the NSA was not what they tho
Re: (Score:2)
Re: (Score:2)
You're mixing two things together. First you assume a-priori that they must be guilty in assisting in spying or in adding a backdoor. Second they got a contract. You conflate the two into assuming that they got a contract in order to add the back door. No one is saying it is routine to give away our info to the government, and no one is defending that.
All we really have right now are accusations but no real evidence. Now the contract from NSA would be fishy if it was the only contract they ever got and
What lie? (Score:2)
They were accused of taking a $10M bribe to backdoor an encryption algorithm. RSA says it's not true. There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.
If they truly were going to compromise the security of every one of their customers, why would they have agreed to accept a paltry $10M?
Re: (Score:2)
Re: (Score:2)
The money may be for many reasons. Maybe it sounds like a lot of money to you, but it could be supplied for many legitimate reasons. Both RSA and NSA are involved in standards committees, and creating a standard is not done for free. RSA could have been paid to work on a standard, do some research, provide a product, and so forth.
If there is indeed a backdoor the most we have proof of is that RSA were played for fools. Which actually is damning enough to cause them to lose all the credibility that they
Re: (Score:2)
> There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.
It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely [cryptograp...eering.com]. But that in no way excuses or explains why RSA security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine... [cryptograp...eering.com]
Re: (Score:2)
Yeah, if RSA didn't take a bribe, then they're just grossly incompetent and should still be villified anyway.
Re: (Score:1)
Re: (Score:2)
Somehow, I don't think giving the NSA the middle finger they so richly deserve is going to make that any easier.
Re: (Score:2)
Although after watching a show quite a number of times, I'm no longer convinced Mal was this ethical paragon that people make him out to be. He seemed to go out of his way to make his crew think he was about to do something bad and say, "Just trust me." It turned out a minute of screen time later that that *wasn't* what he was going to do, but he seemed to be intentionally misleading.
That, and his whole "you're on the crew, you're family" mantra seemed to be veeeery malleable when he wanted it to be.
Althoug
Re: (Score:2)
And please list all the companies you've ever worked for, to see if we should blacklist you as well.
Wait, you're still posting on Slashdot, and they're owned by Dice, so clearly you're all in favor of the corporate takeover of open free speech sites.
Re:What did you expect? (Score:5, Insightful)
Do I think that Our Fearless Correspondent is even remotely effective in his stated aims? Not with those tactics, he'd be hard pressed to get someone to tell him the time.
Should we care about that? Do RSA's little minions deserve to throw a veil of contractual secrecy over their lunch hour, lest their delicate feelings be offended by the sight of disapproval?
In a situation where legal redress is, in all probability, a fantasy; but displeasure is very real, isn't social disapproval an excellent response? Wouldn't it be delightful if admitting to working for a spook contractor was about as pleasant as admitting that you take the long way around that school zone because you are a convicted sex offender? Now, especially without good evidence tying individual people to individual pieces of work, you don't want to go overboard; but it would be downright wholesome if the penalty for collaboration was constant exposure to contempt.
"Minions?" Hardly (Score:2)
Most of the attendees at a tech conference are front-line IT grunts (and their managers) sent their by their boss to learn about new products, techniques, etc. Most of them don't work for RSA, nor will most have been in charge of the buying decision to purchase RSA products.
This isn't a "veil of contractual secrecy" being thrown... this is some more-or-less random schmoe having a complete stranger asking him questions on camera on something on which he doesn't have enough information to make an intelligent
Re: (Score:1)
some geeks at a tech conference
They're called "enablers."
Re: (Score:2)
They've invented color photography decades ago, and they even have color televisions now. Why is your world still in black and white?
Re: (Score:2)
> And the RSA did go on record. They said it wasn't true.
What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.
If you read the keynote from the current RSA Conference [blogspot.dk], RSA's defense is that they stopped independently creating and verifying the cryptographical algorithms, instead just gett
Re: (Score:2)
> What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal.
That should of course have been:
> What RSA Security has specifically said is that they didn't know about the backdoor when they made the $10,000,000 deal.
Re: (Score:2)
If the allegation is that the contract violates constitutional laws and especially if one of the partners in said contract is a branch of the government, I'd at the very least expect a general attorney to take a look at the contract. The accusation here is nothing less than RSA conspiring with a government agency to undermine constitutional rights of US citizens.
That's not enough to get a GA moving? Really? Guess they first have to torrent a few movies.
Re: (Score:2)
When I read what they had to say, what they seemed to be explicitly denying is that they specifically knew they were putting a back door in at the time. There was a lot of other fluff, but no substantive statement.
Here's one scenario consistent with what I read: RSA accepted $10M from the NSA to put in certain specific values in their cryptosystem, and did not at the time bother to look if it might be a back door. It was in fact a back door, and they continued pushing it for years. AFAIK, they haven'
Re: (Score:1)
Seriously? (Score:2)
"Plain old tech" people get paid conference passes all the time. Your company buys X amount of stuff from Y vendor (or a business partner), the vendor account rep provides your company with Z full conference passes gratis, and most of those passes end up in the hand of front-line IT grunts (they are the ones most of the education classes are targeted for.) These grunts are no more likely to be familiar with the particular facts of what they were getting interrogated on than any other geek.
Also, it IS a te
Bad inference (Score:5, Insightful)
Stupid reasoning. There are plenty of other reasons these people might not want to publicly comment. The most likely is that they're not authorized to speak for their employers, and fear rebuke or dismissal at their workplaces if they speak publicly on the topic.
Re: (Score:3)
Also, the pained facial expressions might be related to the lack of tacos and/or tequila drinks.
Re: (Score:2)
If someone stole my tequila, my response would be elevated from the TFS to TFH
Re: (Score:2)
This (Score:2)
+1 to this.
It's fairly common for companies to have required IT products, such as RSA. Then they send their employees out to improve their knowledge of the "blessed" product(s).
The employees are often obligated to attend the conference, and are also (due to corporate policy) unable to say much, just in case those comments can be construed as company opinion.
So yeah... you have these poor attendees who are pretty much like "Look, I don't know anything anyway, my attendance was mandated by someone else. Why a
Re: (Score:2)
There are a lot of RSA customers, so it is reasonable to expect them to show up at RSA conference. Similarly those customers should not be expected to do a recall of all their product lines and rewrite all the code so thast they can ditch RSA as soon as possible (especially if not using Dual_EC!). Second, the RSA conference, despite the name, is not only about RSA products. It's an important venue to go to in order to learn about new products from a large variety of vendors, to network with other people
Re: (Score:2)
Not sure which is worse: you calling someone a faggot for not reason, or not even knowing how to spell it properly...
Re: (Score:2)
*for no reason
http://en.wikipedia.org/wiki/M... [wikipedia.org]
RSA considered Dual_EC research without merit? (Score:2)
Jeffrey Carr has a good point from the RSA Conference keynote:
> "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech
So up until then, they apparently considered all the criticism of RSA sec
NSA vs USA (Score:2)
Look, the NSA has already done more damage to the United States technology industry than any other enemy. RSA and the rest are just private branches of the state. Fuck them.