[Cryptography] Boing Boing pushing an RSA Conference boycott

ianG iang at iang.org
Thu Jan 16 13:30:12 EST 2014


On 15/01/14 23:33 PM, Salz, Rich wrote:
>> I never said they were evil, but it might be evil to reinterpret words to defend the indefensible, dunno.
> 
> Perhaps you haven't.  But others have.
> 
>> As has been repeatedly mentioned in this list, RSA were tricked.  They and the people within were not evil nor are they evil.
>> Rather, *there but for the grace of the crypto gods go we all*.
> 
> Agree.  So why is a boycott a good thing?

Well, we could do nothing.  Seems a bit pathetic, how do we stand before
customers and say "oh, it's ok, it's just the media again?"

We could choose an alternate approach.  I'm not sure what that would be
-- ridicule?  offer them security advice?  Have a whip 'round to get
them an audit?  Hack them?  Trick them into inserting a back door for
the Iranian Revolutionary Guard?

Aside from a boycott, I'm not aware of anything we could do that would
make the point?


> Why punish someone for being tricked?


Well, they weren't only tricked.  They were also asleep on the watch.
During the period after the default was set and late last year there was
a fairly compelling series of publications that undermined the DUAL_EC DRBG.

If they had been tricked, and then in 2007 had entirely withdrawn the
product, there would have been some media attention, but most people
would have said "fair disclosure" because we depend on them to have the
integrity to admit their mistakes.

But no such.

> (Not specifically directed to Ian).  It seems to me the better object lesson is one of the strongest cryptography companies in the world (at the time) was tricked into possibly making many of their customers vulnerable.  How can we move forward from this?

Some comments.

The lesson is clear, sure.  But the lesson isn't supposed to be needed:
Companies go to RSA (etc) so that they do not have to learn that lesson
or other lessons.  They rely on RSA's default DRBG so that they do not
have to build their own.  They rely on FIPS so they do not have to spend
years studying the business before writing it themselves or choosing a
company with some reputation in the field.

There's no insurance for this, no strategy, no fallback.  It's not like
trucks where you can have 3 to do the work of 2.  It's not like
buildings where you can have fire insurance.

Disclosure.  We depend heavily on disclosures of problems.  Obviously,
RSA and NSA are beside themselves with annoyance over this, but this
disclosure strengthens every other person on the planet.  We do need to
reward people for disclosures, or create some incentive scheme such that
companies of integrity can actually do the integrity thing.

SecurID.  Philip makes the point that we should boycott the SecurID
fobs, not the conference.  I think I'd rather ask more pointedly -- does
SecurID use BSAFE?  It's a fair enough assumption that it does.  So,
does this mean that all SecurIDs are compromised, around the world?

Wider scrutiny.  Also, it was the company that was tricked.  Was this
the only case?  Do we need to be suspicious of every other product?  Ask
pointed questions, how do we know that favours weren't done?

Unfortunately, this is something that we now need to ask of any security
company that had relationships with NSA.  So, perhaps we need a
disclosure of that?  If you are doing business with any USA company, do
we now need to quiz them on their relationships?

And, get it in writing.  If their claims later turn out to be wrong,
you've got a cause.  Then, if you're damaged, and they lied to you, you
can sue for fraud.

As if.  We need to get used to acting /as if/ the NSA is trying to
attack us.  Each of us.  We need to develop an attitude.  In some basic
sense, this protects us, and it protects the NSA, because if they know
we're watching for it, they are less tantalised by the easy favour.



iang