[Cryptography] Boing Boing pushing an RSA Conference boycott

Phillip Hallam-Baker hallam at gmail.com
Tue Jan 14 08:16:54 EST 2014


On Tue, Jan 14, 2014 at 2:01 AM, ianG <iang at iang.org> wrote:

> On 13/01/14 22:35 PM, Phillip Hallam-Baker wrote:
>
> > Absolutely right. But how should we respond?
>
>
> Also, I think a fair proportion of the blame lies with NIST.  They force
> their standards on the world (never mind that they don't say that) and
> then act surprised when they get turned.  What's worse, they take no or
> little account that they are pursuing industrial control policies by
> their barriers to entry, the cost of the stuff is huge, for what dividend?
>
> I'd boycott NIST.  Dump all the security FIPS and what have you.  How
> much good have they done?
>

NIST does have a conference in April and we can boycott that by setting up
a parallel conference with bigger names very easily.

That does at least mean that we are likely to send the right message (i.e.
boycott successful) and send it to an organization that can relay it to the
political entities.

One of the questions raised by Flame is how the US government can hope to
have public-private partnerships when the US government is attacking US
companies. Flame involved an attack on Microsoft, remember.


> I'd also boycott companies doing business with the NSA.  And USG.  If
> their primary purpose is dealing with those agencies, then we know they
> are likely vulnerable.  Seek companies with clean records.  Especially,
> ask questions:  how much influence?  what options were asked for?
> what contracts?


That particular outcome is practically self-enforcing. Everyone is going to
be very suspicious of NSA proposals now.

The claim that the NSA simply bribed RSA makes it sound as if all companies
need to do is refuse obvious bribery attempts.

Looking at the attack as sophisticated social engineering makes for a much
stronger warning: If you deal with the NSA they will betray you and then
the scheme will come out in an insider attack.


> The attack on the RSA conference is an attack on the brand of RSA.  This
> covers the whole company.  Yes there is collateral damage, but there is
> also an easy fix:  change the name, sell the company.  It can even be
> profitable.
>

Attacking the brand through the conference is difficult because I don't see
any name pulling out so far that is big enough to have effect.

The fact that the main trade show is joined to one company is a very long
standing irritation for all of us in the industry. It would be better if
the RSAConference was owned by a conferencing company that didn't have a
business competing with the rest of us. I don't think that conflict of
interest has helped RSA the company either. Their strategy has been
constrained by needing to avoid compromising the conference too badly.


> That is an idea.  If one is in the business of sanctions and one is
> concerned with collateral damage, it is a competitive market.
>
> I think all boycotts have this problem.  But what other tool do we have


Well we have been facing the same problem with the boycott of Sochi. It's
going to be another Nuremberg. And I don't mean that figuratively: Putin
has been copying the institutions of fascism. But we did get the Pussy Riot
girls and the Greenpeace protestors out of jail, which isn't nothing.


The conference made the company business a target in the past. At VeriSign
we did an open standard version of the SecurID token, OATH, and launched it
at the conference. It does not take a genius to work out what the objective
was there. It was the conference we were after; trying to commoditize the
token business was an attempt to buy it cheap.

Without the RSA tokens biz, there would be no real business reason binding
RSA to EMC. That is the pressure point I would attack. But given that I
have proposed a second alternative to number based tokens that uses the
capabilities of smart phones, that would be a somewhat self-interested
proposal.



> > If the RSA token business is gutted there will be no reason for EMC to keep
> > RSA Labs or the name.
>
>
> Is it a battle to win?  CISOs pick the tokens.  They are unlikely to
> look past their noses.  The tokens are typically customer-branded.
>

If there was a free alternative that people could use to turn their smart
phone into a token, people could press for it as an alternative. The IT
desk would almost certainly like to be rid of the stupid tokens; they are
very expensive and the preprogrammed expiry date creates a constant admin
hassle.

This is pushing at an open door. Replacing the tokens is something almost
all CISOs would like to do. Especially after the 2011 fiasco. But it just
hasn't been a priority. This set of circumstances can make it a priority.

> We would need more that speaks directly against the tokens to spread the
> message, hypothetically something like a Snowden revelation that
> indicates the NSA has a back door to the tokens.
>

No, I don't think we do. There are solid business reasons for abandoning
the tokens already.

The fact that RSA has dual control over your authentication infrastructure
is the issue I would point to. RSA could be subpoenaed to give the feds
access to the whole token database. It would be very easy to match token
codes to tokens given their intercept capabilities.

We don't need to allege collusion in the past. All we need to do is to
point out that the scheme lacks transparency.

> On the contrary, do we do more damage to companies by tricking them into
> dropping perfectly good tokens for some other equally ropey product?


Unlike the NSA, I do not give people advice knowing it is false.

The tokens do rely on the token provider being trustworthy. The token
database allows backdoor access.

> I feel like we should also boycott the IETF.  They have truly not served
> us.  We should have had opportunistic SSL covering the planet by now,
> and that would have been a fantastic defence against the worldwide
> surveillance -- it would have shifted the NSA to an active attack, which
> would have been eventually detected.
>

No, leave them out of this. Don't turn off my damn water supply while I am
trying to fight a fire.


-- 
Website: http://hallambaker.com/
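The point made above about the token database is easy to see in code: an OATH token's codes are a pure function of its secret seed and a counter (or the clock), so whoever holds a copy of the seed record can compute the same codes the token does. The example below is added here and is not part of the original post or of any vendor's code; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, checks them against the published test vectors, and shows the defender's mitigation the thread argues for: generate the seeds yourself, on your own server, so no third party ever holds them. The seed, serial number and timestamps are constructed test values.

```python
"""OATH HOTP/TOTP as a pure function of (seed, counter): added example, not
from the original post. Anyone holding the seed database can reproduce
every code, so the seed provisioning path decides who you must trust."""
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the wall clock."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check tolerating +/- `skew` time steps of clock drift.
    Uses a constant-time comparison for every candidate so timing does not
    leak which step matched."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d, digits), code)
               for d in range(-skew, skew + 1))


def provision_seed() -> bytes:
    """Generate a fresh 160-bit seed locally (RFC 4226 requires at least
    128 bits). Generating seeds on your own server instead of importing a
    vendor-supplied seed file is what takes the vendor out of the trust chain."""
    return secrets.token_bytes(20)


def seed_holder_matches_token(seed_db: dict, serial: str, unix_time: int) -> bool:
    """Illustrates the thread's point: a party holding the seed record for
    `serial` computes exactly the code the physical token displays, and the
    server accepts it. (`seed_db` is a constructed stand-in for a vendor or
    in-house seed database.)"""
    seed = seed_db[serial]
    code_from_token = totp(seed, unix_time)       # what the device shows
    code_from_record = totp(seed, unix_time)      # what the record holder computes
    return code_from_token == code_from_record and verify_totp(seed, code_from_record, unix_time)


if __name__ == "__main__":
    # Constructed test data: the RFC 4226/6238 reference seed and a made-up serial.
    rfc_seed = b"12345678901234567890"
    db = {"TOKEN-000001": rfc_seed}
    print("HOTP counter 0:", hotp(rfc_seed, 0))           # 755224 per RFC 4226
    print("TOTP at T=59:", totp(rfc_seed, 59))            # 287082 per RFC 6238
    print("seed holder matches token:", seed_holder_matches_token(db, "TOKEN-000001", 59))
    print("locally generated seed bytes:", len(provision_seed()))
```

The last function is the whole argument in miniature: nothing in the protocol distinguishes the token from anyone else who has read the seed record, so the security of the scheme reduces to who can read that record. Provisioning seeds in-house (as `provision_seed` does) and enrolling them over an authenticated channel keeps that set to your own server.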