[Cryptography] Boing Boing pushing an RSA Conference boycott

ianG iang at iang.org
Tue Jan 14 01:31:56 EST 2014


On 13/01/14 18:23 PM, Phillip Hallam-Baker wrote:
> Yes, we all know that RSA got punked by the NSA. But this boycott some folk
> are pushing seems like a terrible idea to me.
> 
> What is important now is to get people to deploy and use defenses. Which
> means making the most of the communication platforms we already have.
> 
> Even if a boycott of RSA was to work the best it could achieve is to damage
> the main industry trade show. It would take any replacement several years
> to recover. In the meantime we have no venue to sell security product.
> Black Hat is not RSA and does not want to turn into RSA. They have
> deliberately created a totally different value proposition.
> 
> The boycott proposal is purely punitive. They have no demand. Which is a
> very weak position. We did not boycott Bigot-fil-a to punish them. We were
> demanding that they stopped being bigoted. What are the boycotters
> demanding of RSA?


What's your suggestion?

Let's try a hypothetical.  Say I'm CEO of some really important security
company.  And I know I'm being punked.  Or, I'm a techie and I think
I've spotted a punking in progress.

What message do you want to give me?  It's ok for RSA?  I'll get away
with it because people need my product?  As long as I don't admit I knew?



This exact same thing happened in the CA industry -- CAs were selling
dodgy MITM sub-certs.  The alleged price for these was around $50k.
Gravy!  While nobody said anything, everyone was sweet.  Then, when we
started finding them ... the CAs didn't get punished.  Oh, there was
some flak in the papers, and sub-CAs were revoked, but no significant CA
lost anything.

So what do we do?  Being honourable doesn't work.



I find this all very curious.  People are really angry.  The NSA is
continuing to deceive or lie through their teeth or be so incompetent or
blind or dissonant that they should not just be fired but sent to the
gulags [0].

When people are angry, they want to punish someone.  We can't punish the
NSA.  People also want results, fixes.  Congress won't fix the NSA.

So how do we go about that, in a general sense?

Deploying more tools isn't it.  Tools get deployed, then weakened, then
forgotten.  We've travelled that path, that's where we are now, that's
the path they breached.



iang




[0] compare this comment
http://www.wired.com/threatlevel/2014/01/nsa-surveillance/
"The officials resisted this characterization. Why, they asked, would
they compromise security of products they use themselves, like Windows,
Cisco routers, or the encryption standards they allegedly compromised?"

With these documents released by Snowden:
http://financialcryptography.com/mt/archives/001455.html
"Shape the worldwide commercial cryptography marketplace to make it more
tractable to advanced cryptanalytic capabilities being developed by
NSA/CSS."  etc etc.

[1] Or compare this:
They believe their intelligence gathering is palatable because it’s
controlled by laws, regulations, and internal oversight. Looking at the
world through their eyes, there is no privacy threat in collecting
massive amounts of information — if access to that information is
rigidly controlled and minimalized.

To this:
http://www.wired.com/threatlevel/2013/09/nsa-backdoored-and-stole-keys/
“Approval to release to non-Sigint agencies,” a GCHQ document says,
“will depend on there being a proven non-Sigint method of acquiring keys.”

They are releasing SIGINT assets ... if they can get away with it?
That's preservation of their secrets, not protection for our secrets!
