[Cryptography] Boing Boing pushing an RSA Conference boycott

Watson Ladd watsonbladd at gmail.com
Thu Jan 16 00:07:06 EST 2014


On Wed, Jan 15, 2014 at 12:33 PM, Salz, Rich <rsalz at akamai.com> wrote:
>> I never said they were evil, but it might be evil to reinterpret words to defend the indefensible, dunno.
>
> Perhaps you haven't.  But others have.
>
>> As has been repeatedly mentioned in this list, RSA were tricked.  They and the people within were not evil nor are they evil.
>> Rather, *there but for the grace of the crypto gods go we all*.
>
> Agree.  So why is a boycott a good thing?  Why punish someone for being tricked?  (Not specifically directed to Ian).  It seems to me the better object lesson is one of the strongest cryptography companies in the world (at the time) was tricked into possibly making many of their customers vulnerable.  How can we move forward from this?

Because your job as a cryptography company is not to be tricked, and
to exercise the judgement your client is hiring you to exercise in
their interests. If you can't or won't do it, you shouldn't take the
money of your customer. 2007 should have seen an immediate rush to fix
the problem. But instead they left their clients vulnerable to a known
weakness for 6 years, in exchange for millions of dollars. If they
were accountants or lawyers, they would be in jail for something
similar.

Sincerely,
Watson
>
>         /R$
>
> --
> Principal Security Engineer
> Akamai Technology
> Cambridge, MA
>
>
>
> -----Original Message-----
> From: ianG [mailto:iang at iang.org]
> Sent: Wednesday, January 15, 2014 2:29 PM
> To: cryptography at metzdowd.com
> Subject: Re: [Cryptography] Boing Boing pushing an RSA Conference boycott
>
> On 15/01/14 21:29 PM, Salz, Rich wrote:
>>> Also, we have the fact that they ignored the warnings that came out about DUAL_EC, from around 2007 - 2013.
>>> In short, their highly regarded cryptographic experts were not deployed, not available, not on that job.
>>
>> Perhaps their experts had different opinions.
>
>
> Could have been, but that isn't the case.  There is enough background info to conclude that the experts were not consulted on the deal.  Not that it makes much difference, remember the clanger.
>
>
>> Or perhaps the marketing literature you quoted was somewhat exaggerated; wow, like that's never happened before.
>
>
> There are some things that can be exaggerated ... and some things that can't be passed off as mere bluster and marketing.
>
> https://en.wikipedia.org/wiki/I_know_it_when_I_see_it
>
>
>> It's easy to look backwards and say "they must have been evil."
>
>
>
> (You're right about the looking back part for myself, I never even heard of a DUAL_EC before this blew up.)
>
>
>> But unless you were there, or can read minds, that's just an opinion.
>
>
> As has been mentioned, we are in a different space - the attacker refuses to play fair with us and appear in court to answer our prosecution.  No discovery is possible.  He will lie, prevaricate, deceive, and perjure, ignore orders to reveal.
>
> We cannot therefore rely on the standard of "beyond reasonable doubt"
> without committing a willful blindness ourselves.
>
> This won't change.  I therefore choose not to be willfully blind, and use a weaker standard.  Balance of probabilities is suggested for civil cases, and that seems to be a good working metric.
>
> Anyone of course can decide to insist on a smoking gun -- beyond reasonable doubt.  But we're dealing with an attacker that isn't that stupid.
>
> Should we be?  If you choose that path, all power to you, but you've taken yourself and your opinion out of the game.  Sorry about that.
>
>
>
> iang
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

