[Cryptography] Boing Boing pushing an RSA Conference boycott

Salz, Rich rsalz at akamai.com
Wed Jan 15 15:33:55 EST 2014


> I never said they were evil, but it might be evil to reinterpret words to defend the indefensible, dunno.

Perhaps you haven't.  But others have.

> As has been repeatedly mentioned in this list, RSA were tricked.  They and the people within were not evil nor are they evil.
> Rather, *there but for the grace of the crypto gods go we all*.

Agree.  So why is a boycott a good thing?  Why punish someone for being tricked?  (Not specifically directed to Ian).  It seems to me the better object lesson is one of the strongest cryptography companies in the world (at the time) was tricked into possibly making many of their customers vulnerable.  How can we move forward from this?

	/R$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA



-----Original Message-----
From: ianG [mailto:iang at iang.org] 
Sent: Wednesday, January 15, 2014 2:29 PM
To: cryptography at metzdowd.com
Subject: Re: [Cryptography] Boing Boing pushing an RSA Conference boycott

On 15/01/14 21:29 PM, Salz, Rich wrote:
>> Also, we have the fact that they ignored the warnings that came out about DUAL_EC, from around 2007 - 2013.
>> In short, their highly regarded cryptographic experts were not deployed, not available, not on that job.
> 
> Perhaps their experts had different opinions.


Could have been, but that isn't the case.  There is enough background info to conclude that the experts were not consulted on the deal.  Not that it makes much difference, remember the clanger.


> Or perhaps the marketing literature you quoted was somewhat exaggerated; wow, like that's never happened before.


There are some things that can be exaggerated ... and some things that can't be passed off as mere bluster and marketing.

https://en.wikipedia.org/wiki/I_know_it_when_I_see_it


> It's easy to look backwards and say "they must have been evil."



(You're right about the looking back part for myself, I never even heard of a DUAL_EC before this blew up.)


> But unless you were there, or can read minds, that's just an opinion.


As has been mentioned, we are in a different space - the attacker refuses to play fair with us and appear in court to answer our prosecution.  No discovery is possible.  He will lie, prevaricate, deceive, and perjure, ignore orders to reveal.

We cannot therefore rely on the standard of "beyond reasonable doubt"
without committing a willful blindness ourselves.

This won't change.  I therefore choose not to be willfully blind, and use a weaker standard.  Balance of probabilities is suggested for civil cases, and that seems to be a good working metric.

Anyone of course can decide to insist on a smoking gun -- beyond reasonable doubt.  But we're dealing with an attacker that isn't that stupid.

Should we be?  If you choose that path, all power to you, but you've taken yourself and your opinion out of the game.  Sorry about that.



iang
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography