[Cryptography] Boing Boing pushing an RSA Conference boycott

ianG iang at iang.org
Tue Jan 14 02:01:09 EST 2014


On 13/01/14 22:35 PM, Phillip Hallam-Baker wrote:
> On Mon, Jan 13, 2014 at 2:08 PM, Kent Borg <kentborg at borg.org> wrote:
> 
>> On 01/13/2014 10:23 AM, Phillip Hallam-Baker wrote:
>>
>>> Unless someone shows evidence that RSA actually knew they were being
>>> punked, the boycott makes no sense. And I can't believe that evidence
>>> exists because there was absolutely no need to tell RSA they were being
>>> punked to get the outcome they wanted.
>>>
>>
>> Two points.
>>
>>
>> First, RSA knew--or certainly should have known--that they were in the
>> business of selling security, yet they failed in that.  Worse, they failed
>> spectacularly and sold something not just broken, but something with a
>> backdoor specifically designed to defeat security. As you well know, this
>> is serious business.
>>
>> I don't think the suits knew what they were doing; I think they were just
>> chasing money, and they didn't ask too many questions that might get in the way
>> of that money.  Businessmen do that.  We all know (suits, too), security
>> doesn't sell, buzzwords sell.  They sold the buzzwords without the
>> security.  Nearly everyone does it to some degree.  They did it worse, they
>> were in a position of trust.
>>
> 
> Absolutely right. But how should we respond?


Also, I think a fair proportion of the blame lies with NIST.  They force
their standards on the world (never mind that they don't say that) and
then act surprised when they get turned.  What's worse, they take no or
little account that they are pursuing industrial control policies by
their barriers to entry, the cost of the stuff is huge, for what dividend?

I'd boycott NIST.  Dump all the security FIPS and what have you.  How
much good have they done?

I'd also boycott companies doing business with the NSA.  And USG.  If
their primary purpose is dealing with those agencies, then we know they
are likely vulnerable.  Seek companies with clean records.  Especially,
ask questions:  how much influence?  what options were asked for?  what
contracts?


>> If we can't make selling security pay, we can maybe make selling
>> insecurity cost.  There are a lot of other suits watching this, seeing how
>> RSA fares.  I want them to see something gruesome, something that worries
>> them.  (The same way I want a banker or two who nearly dumped us into
>> recession to go to jail, so others will think twice.)
>>
> 
> There should be a penalty, no question. But what should the penalty be?


The attack on the RSA conference is an attack on the brand of RSA.  This
covers the whole company.  Yes there is collateral damage, but there is
also an easy fix:  change the name, sell the company.  It can even be
profitable.

If the response is serious, EMC will realise.  OK, that's not a given,
the idiot journalists universally attack the brand of Java whenever an
applet exploit is found, and Oracle sits there sleeping like a sloth.
So maybe some of these companies don't understand what a brand is.


> We should not choose a penalty that causes collateral damage on our side. A
> much more effective response would be to gut the RSA token business. That
> hurts EMC's bottom line directly. Changing the speaker lineup at the show
> does not.


That is an idea.  If one is in the business of sanctions and one is
concerned with collateral damage, it is a competitive market.

I think all boycotts have this problem.  But what other tool do we have?


> If the RSA token business is gutted there will be no reason for EMC to keep
> RSA Labs or the name.


Is it a battle to win?  CISOs pick the tokens.  They are unlikely to
look past their noses.  The tokens are typically customer-branded.

We would need more that speaks directly against the tokens to spread the
message, hypothetically something like a Snowden revelation that
indicates the NSA has a back door to the tokens.

Perhaps just those questions.  If RSA dropped the security baby on
BSAFE, why not on the tokens?  Did the NSA approve or vet the tokens?
Did they sit in on any of the meetings for government sales?  What
features and options did they request?  Does BSAFE play a part?  Was
DUAL_EC used for the generation of the token secrets?

On the contrary, do we do more damage to companies by tricking them into
dropping perfectly good tokens for some other equally ropey product?


> Let's pick our battles here.


I feel like we should also boycott the IETF.  They have truly not served
us.  We should have had opportunistic SSL covering the planet by now,
and that would have been a fantastic defence against the worldwide
surveillance -- it would have shifted the NSA to an active attack, which
would have been eventually detected.

They're still sitting there doing the work of the companies and not the
work of the people.  What success have the IETF committees brought us,
other than to surface the corporate wars?



iang