Talk of an RSA Boycott Grows After Reports It Colluded With the NSA
A boycott may be brewing against security company RSA’s annual conference, in the wake of reports that the company built encryption technology created by the U.S. National Security Agency into its products, in effect creating a “back door” in them.
A well-known security researcher has announced that he is boycotting RSA’s annual security industry conference in San Francisco early next year, and will no longer deliver a scheduled talk at that event.
In an open letter addressed to Joe Tucci, the CEO of EMC, of which RSA is a unit, and Art Coviello, the head of RSA, Mikko Hypponen, chief research officer at F-Secure, said he is “withdrawing his support for the event.” (See the full text of the letter below.)
In a story on Friday, Reuters reported that RSA had accepted a $10 million payment from the NSA to use a random-number generator created by that agency in a widely used security product called BSafe.
After being developed by the NSA, the technology, known as Dual EC DRBG, which stands for Dual Elliptic Curve Deterministic Random Bit Generator, was recommended by the National Institute of Standards and Technology (NIST) as an algorithm to create random numbers, a key part of the process of encrypting and securing data communications.
RSA has issued a carefully worded denial of what Reuters described as a “secret contract” with the NSA. The company said that it has long worked with the NSA openly for what it described as an “effort to strengthen, not weaken” security products.
RSA’s annual conference, scheduled Feb. 24-28, 2014, at San Francisco’s Moscone Center, is a significant event for large and small companies in the computer security industry, and is also widely attended by independent researchers. The conference boasts attendance of about 15,000 people.
Hypponen has worked for F-Secure, based in Helsinki, since 1991. He’s a sought-after speaker on security topics, is frequently quoted in the media (such as this example from AllThingsD in 2011), and has spoken at the influential TED conference. He has also worked with law-enforcement agencies around the world. His research into the SoBig virus was the subject of a lengthy 2004 feature in Vanity Fair magazine. The name of the talk that he won’t be giving: “Governments as Malware Authors.”
Others in the security industry are talking about boycotting the RSA event, too. Here are a few tweets about it:
All #infosec personnel should give serious consideration to boycott/hijack of RSA conf/talks re: RSA/NSA algorithm collusion
— Patrick McCulley (@panther_modern) December 23, 2013
— James Williams (@uvicjames) December 21, 2013
Here’s Hypponen’s letter:
23rd of December 2013
An Open Letter to:
Joseph M. Tucci – Chairman and Chief Executive Officer, EMC
Art Coviello – Executive Chairman, RSA
Dear Joseph and Art,
I don’t expect you to know who I am.
I’ve been working with computer security since 1991. Nowadays I do quite a bit of public speaking on the topic. In fact, I have spoken eight times at either RSA Conference USA, RSA Conference Europe or RSA Conference Japan. You’ve even featured my picture on the walls of your conference among the ‘industry experts’.
On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim. Eventually, NSA’s random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it.
As my reaction to this, I’m cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.
Aptly enough, the talk I won’t be delivering at RSA 2014 was titled “Governments as Malware Authors”.
I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I’m not expecting other conference speakers to cancel. Most of your speakers are American anyway — why would they care about surveillance that’s not targeted at them but at non-Americans. Surveillance operations from the US intelligence agencies are targeted at foreigners. However, I’m a foreigner. And I’m withdrawing my support from your event.
Chief Research Officer