Slashdot: News for Nerds

'Obnoxious' RSA Protests, RSA Remains Mum

timothy posted about 5 months ago | from the where-it-hurts dept.

Communications

An anonymous reader writes "By 'buying out' the most obvious lunch spot nearest the RSA conference yesterday, opponents and truth-seekers regarding RSA's alleged deal with the NSA raised awareness amongst attendees in the most brutal way possible: by taking away tacos and tequila drinks. Robert Imhoff, Vegas 2.0 co-founder, says, 'RSA could begin to fix this by going on the record with a detailed response about the accusations.'" I tried to get attendees of the conference to comment on camera — even a little bit — on what they thought of the NSA spying revelations, and not a single person I approached would do so. The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell. Especially at a conference where the NSA is surrounded by vendors who sell the hardware and software that enables your "mere" metadata to be captured and sifted, plenty of the people on the floor know that the companies they work for are or might one day be seeking contracts to do all that capturing and sifting, even if they'd rather not be subject to it personally, so they don't want their faces shown saying so.


99 comments

On the record (2)

Threni (635302) | about 5 months ago | (#46356809)

> 'RSA could begin to fix this by going on the record with a detailed response about
> the accusations.'"

Which we'd all of course believe.

Re:On the record (1, Interesting)

wiredog (43288) | about 5 months ago | (#46357221)

They already did.

Re:On the record (4, Interesting)

thue (121682) | about 5 months ago | (#46357835)

Are you referring to RSA CTO Sam Curry's "defense", which Matthew Green and Matt Blaze have had so much fun ridiculing? http://blog.cryptographyengine... [cryptograp...eering.com]

RSA Security really haven't made anything close to a coherent defense.

Re:On the record (1)

Soulskill (1459) | about 5 months ago | (#46360323)

What would amount to a coherent defense, to you?

Situations like this are pretty hard to unravel. RSA can protest until they're blue in the face, but the nature of the accusation is such that their statements are already suspect. Add to that the level of distrust associated with the NSA, and the NSA's potential power over RSA. Evaluating any unprovable denial simply boils down to whether we trust RSA or not -- which is the same question we're already facing.

So, what about provable denials -- what evidence could RSA show us that would reinstate our trust? What if that evidence is damning in other ways? (Perhaps their decisions were spurred by incompetence rather than greed.) I'm not even sure exactly what that evidence should look like — documents can be forged or omit details communicated orally.

I dunno -- I'd hate to be in RSA's shoes.

Re:On the record (2)

thue (121682) | about 5 months ago | (#46360921)

For starters, they can come clean. All their press releases have been exercises in trying to say as little as possible, and be as misleading as possible while still not literally lying. For example, their non-denial of the $10,000,000 deal with NSA had half the press falsely reporting that RSA claimed there was never any $10,000,000 deal [bbc.com] .

Dual_EC_DRBG has been documented since 2006/2007 to be an insecure CSPRNG, even without the backdoor. I knew about it for example, and I do not even work in that field. The only way nobody at RSA Security (a huge company specializing in security) could not have heard about it is by putting their hands over their ears and yelling LALALA. And they didn't put 2 and 2 together about why NSA paid them $10,000,000 when the possible backdoor was discussed in the media and the cryptographic community?

I can accept that RSA Security might have been fooled in 2004. But they have not even tried to explain why they kept using Dual_EC_DRBG after 2006/2007. They have been caught with their hand in the cookie jar, and refuse to even try to defend themselves. Why should I try to invent explanations for their innocence for them?

> what evidence could RSA show us that would reinstate our trust

The point is that the circumstantial evidence is so hugely strong. This is not unfair - this is reality.

It is like finding you standing over a corpse in a pool of blood with a knife in your hand, and a $10 million payment to your account from the victim's worst enemy. And you refusing to talk about how you got there, or why the victim's worst enemy sent you the $10 million. Do you think I have no right to make assumptions in that case?

Re:On the record (1)

Darinbob (1142669) | about 5 months ago | (#46362709)

By saying "come clean" you are automatically assuming they are guilty. Thus any denial they make would be rejected.

Re:On the record (1)

thue (121682) | about 5 months ago | (#46381473)

I freely admit that I assume they are guilty because of 1) all the damning evidence 2) their refusal to defend themselves.

And I submit that all reasonable persons should assume they are guilty for the same reasons. Assuming they are not guilty would be incredibly stupid.

Re:On the record (1)

Darinbob (1142669) | about 5 months ago | (#46362681)

But part of that is true: elliptic curve was in vogue, and is in use in many places. However the Dual_EC is the one we're talking about.

Overall though, I get a very strong feeling that everyone is reacting at a gut level, as there is no evidence of collusion or a backdoor. All we have is a past presentation about how Dual_EC has some problems, RSA uses it anyway, and a journalist paraphrasing something Snowden said. What has changed is not any direct proof but instead the tenuous trust between organizations has dissolved. That's what is more interesting in so many ways, the web of trust that security sits on top of is not a good foundation.

Re:On the record (0)

tomhath (637240) | about 5 months ago | (#46357819)

While they're at it they should also produce Obama's birth certificate.

It's not like saying nothing will be of any use (2)

korbulon (2792438) | about 5 months ago | (#46356811)

As if the NSA doesn't already know what they really think.

Re:It's not like saying nothing will be of any use (0)

Anonymous Coward | about 5 months ago | (#46356943)

True, but their employers might not know. Which, would likely be 'brought up' at the next performance evaluation.

You're quite naive, if you think it wouldn't happen.

Re:It's not like saying nothing will be of any use (0)

Anonymous Coward | about 5 months ago | (#46357007)

They don't try to control thoughts. Just the public message.
If tens of security experts went on record saying the NSA has really sabotaged the US security, that would be a big problem for the NSA.
If hundreds of security experts think it but don't go on the record, the NSA is fine.
Of course there is Tim's comment that the NSA couldn't prevent but that's all that's left of all these experts' desire to speak up.
Quite an efficient way to stifle free speech...

stupid (-1)

Anonymous Coward | about 5 months ago | (#46356827)

It is unbelievably stupid to pretend that the article's author can read into 'pained expressions' like the summary indicates. Pained expressions can as easily be, 'you smell bad,' 'that's not what you said the interview was about,' or 'how would I, a mere conference-goer and not an employee, have any clue about that.'

Trash reporting for a trash news aggregator.

Re:stupid (1)

jythie (914043) | about 5 months ago | (#46357147)

I had a similar thought, though without seeing video of the author's behavior it is impossible to tell how much of their reaction was due to the subject vs the person doing the asking. Given that the blogger in question has built a bit of a brand and pride around being obnoxious, I would not be surprised if the latter played a role.

Maybe (1)

justthinkit (954982) | about 5 months ago | (#46357517)

Maybe the author was wearing Google Glass [slashdot.org] .

Re: stupid (0)

Anonymous Coward | about 5 months ago | (#46357755)

I'm at RSA. I've been asked by multiple people to comment on this all week. At first I had insightful things to say. At this point though "get the hell out of my way and leave me alone" is the answer I'm giving because I'm tired of dealing with assholes trying to score points off of me.

Re: stupid (Sqore:200, Insightful) (0)

Anonymous Coward | about 5 months ago | (#46359379)

You're still guilty, though, and you can't walk away from that...

CAP = 'fetching'

Re: stupid (1)

Catbeller (118204) | about 5 months ago | (#46359689)

You mean, you'd like some privacy? You do get the horror of that, don't you?

Jerk (0)

Anonymous Coward | about 5 months ago | (#46356829)

An anonymous reader wants people to feel comfortable with him shoving a camera in their faces and asking for their comments for him to use as he will.
I wonder what "pained facial expressions" an anonymous reader might display in such circumstances.

People are not obligated to talk to you. (0)

Anonymous Coward | about 5 months ago | (#46356837)

If some pushy dude comes up to me and starts pestering me with questions, he's gonna get a knuckle sandwich!

Re:People are not obligated to talk to you. (0)

Anonymous Coward | about 5 months ago | (#46362115)

It's a good thing the poor little NSA has such valiant defenders as you!

reminds me (0)

Anonymous Coward | about 5 months ago | (#46356849)

of my time in the communist country in which I grew up. This is a very common thing - people do not want to talk about certain subjects. This is of course not a one way street and it does not mean you are there yet, but the beginning is made. Waves of BS and intimidation. Yet another sign of decay and decline of Western civilization, one may argue.

And when they came for me... (2)

TWX (665546) | about 5 months ago | (#46356877)

First, they came for my tacos. But I did not speak out because I was not a taco...

Then they came for my tequila drinks. But I did not speak out because I was not a tequila drink...

Re:And when they came for me... (0)

Anonymous Coward | about 5 months ago | (#46357015)

And when they came for you...

Everyone was hungry?

Re:And when they came for me... (-1)

Anonymous Coward | about 5 months ago | (#46357097)

"they" being people who are just as retarded as the anti-vax'ers. RSA *did* already go on record about it. I don't want to talk to any retard with a camera. The professionals (Chris Drew at the NY Times, that's you) will deliberately lie about what you say, and the conspiracy theory freaks in this crowd are uninterested in the truth.

Re:And when they came for me... (1)

jythie (914043) | about 5 months ago | (#46357157)

yeah but they did not put out a long form official statement! They must still be hiding the truth!

Re:And when they came for me... (3, Funny)

CyberKnet (184349) | about 5 months ago | (#46358691)

First they came for the tacos, and I did not speak out -- because we had a CmDrTaCo.
Then they came for the tequila drinks, and I did not speak out -- because I was more a fan of Wine.
Then they came for the chips 'n dips, and I did not speak out -- because everyone had moved on to Slashdot
Then they came for Slashdot, -- there was no one left to speak for it...

... because beta had already driven everyone away.

Re:And when they came for me... (1)

TangoMargarine (1617195) | about 5 months ago | (#46362307)

(sig)

Re:And when they came for me... (1)

TWX (665546) | about 5 months ago | (#46364889)

For great justice

Re:And when they came for me... (1)

TangoMargarine (1617195) | about 5 months ago | (#46367223)

You have no chance to survive make your time.

What did you expect? (4, Insightful)

sirwired (27582) | about 5 months ago | (#46356897)

I don't think this little stunt has anything to say about a "problem with a surveillance society"; they have something to say about a problem with some a$$hole ambushing some geeks at a tech conference that just want to get their lunch and get back to the conference sessions.

And the RSA did go on record. They said it wasn't true. As far as going into the gory details of the contract? Contract details of any contract, with any customer, are generally not something a security company is ever going to disclose. That's not surveillance-state paranoia or evidence of evildoing; it's routine business practice.

routine (1, Insightful)

Anonymous Coward | about 5 months ago | (#46356955)

If the contract is such that you are abetting the government in unconstitutional searches, then well, it seems worthy of getting pissed off about and definitely worthy of being labeled "surveillance state".

As a long time (and lazily anonymous, sue me) reader of slashdot I'm always amazed at how many commenters seem willing to give companies/corporations/government a pass because it's just "routine" business practice.

If it's routine for a company not to tell me how it makes its product, okay fine (maybe).
If it's routine for a company to give away all my information to the government (who, yes, absolutely is supposed to have a warrant) then I say, "fuck routine."

On what basis can you make this demand? (2, Insightful)

sirwired (27582) | about 5 months ago | (#46357027)

The RSA has already explicitly said the contract doesn't say what they are accused of it saying. What else do you want them to do? They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

Now, I'm not saying that RSA isn't lying, but if they were, would you believe that any contract they produced was an accurate one? Probably not. Talk about "Damned if you do, damned if you don't."

Re:On what basis can you make this demand? (3, Insightful)

Goldsmith (561202) | about 5 months ago | (#46357501)

Sure, they can release the details of that contract. Government contracts are supposed to be public. Go take a look at usaspending.gov and fpds.gov. There are plenty of security contracts posted there, just not any between RSA and NSA. It's not the easiest system in the world to navigate; you have to know a lot about government contracting to make sense of it.

But, you'll see military hardware contracts, homeland security database contracts, all of them are published on federal websites as a matter of course (you have to get special approval to not post a contract publicly). The government mandates this so that competing companies and the public can see that they're getting a "fair deal". Never mind that a lot of these show they weren't competed; no one actually takes advantage of government transparency when it's available.

Re:On what basis can you make this demand? (1)

tomhath (637240) | about 5 months ago | (#46358081)

Government contracts are supposed to be public.

Actually, no. They're usually kept confidential.

Re:On what basis can you make this demand? (3, Informative)

Goldsmith (561202) | about 5 months ago | (#46358515)

I worked as a government employee overseeing R&D contracts. It wasn't that long ago. We were required to post the contracts publicly. They're on the websites I mentioned...

Re:On what basis can you make this demand? (1)

tomhath (637240) | about 5 months ago | (#46360199)

Depends on the contract. Some years ago I worked for a company that did contract work with the government. Sometimes even the existence of a contract is kept classified.

Not all contracts are public (1)

sirwired (27582) | about 5 months ago | (#46360913)

The defense and intelligence parts of the budget have very large parts that are a "black box". As well they should be. It's a bit difficult to carry out secret projects if all your contracts are open to anybody that wants to read them.

Yes, such contracts are vulnerable to abuse and oversight problems. But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.

Re:Not all contracts are public (1)

BobMcD (601576) | about 5 months ago | (#46361823)

But that doesn't mean that the RSA even has the ability to release the contract if they wanted to.

Because WikiLeaks doesn't exist?

Re:On what basis can you make this demand? (1)

thue (121682) | about 5 months ago | (#46357617)

> They can't go and release the details of a confidential contract simply because somebody thinks it contains something it doesn't have.

Given that NSA made the contract in bad faith, is RSA Security still obligated to keep their silence? Maybe, but it seems insane. What RSA Security could say for starters was for example to explicitly confirm that a $10,000,000 contract exists. They haven't even done that.

RSA Security also have not yet given a good explanation for why they ignored the multitude of red flags until 2013. As cryptographer Matthew Green writes [cryptograp...eering.com] :

> So why would RSA pick Dual_EC as the default? You got me. Not only is Dual_EC hilariously slow -- which has real performance implications -- it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when Shumow and Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing. And the killer is that RSA employs a number of highly distinguished cryptographers! It's unlikely that they'd all miss the news about Dual_EC.

If RSA Security makes secret contracts that impact other people's security, I don't see why RSA Security should get any benefit of the doubt. Why should we trust a company cloaked in secrecy who has shown themselves to be overwhelmingly incompetent and/or malicious?

Re:On what basis can you make this demand? (2)

Arker (91948) | about 5 months ago | (#46358765)

"The RSA has already explicitly said the contract doesn't say what they are accused of it saying."

Link? Because what I remember reading from them was more of a very carefully calculated non-answer. Did not deny the elements of the crime, but very vaguely denied any intent. An evasive, lawyerly answer, not a straightforward denial at all.

Re:On what basis can you make this demand? (1)

Darinbob (1142669) | about 5 months ago | (#46362835)

So have you stopped beating your wife? Trouble with that sort of question is that you can't say yes and you can't say no, and it's intentionally designed to be highly provocative so the answer is very likely to be "fuck off you, go bother someone else."
So when someone is asked "please give us details of the crime we all know you committed" you are going to get that sort of answer.

Re:On what basis can you make this demand? (1)

sjames (1099) | about 5 months ago | (#46360875)

Proving it would be good.

Imagine an FBI agent. He has been spotted accepting a large sum of money from a prominent mob boss. He 'just happens' to have recently made a few odd decisions in his investigation that were very favorable to the very same mob boss. Do you expect anyone to just accept when he says 'it wasn't a bribe'?

That's why FBI agents avoid having private transactions with shady characters.

RSA chose to lie down with dogs and so they now have fleas.

Re:On what basis can you make this demand? (1)

Darinbob (1142669) | about 5 months ago | (#46362885)

Except that many many people are working with the NSA. It was common place to do this for a very long time. Companies and researchers worked with them because NSA was the undisputed expert in crypto. Their mission statement was not to spy on US citizens, that is only a recent discovery. For much of their history they worked to improve and strengthen crypto standards and this is documented.

Right now there is a hint that there is a backdoor, a hint that RSA took money, and these hints are troubling. However the fact that RSA and NSA have worked together in the past is to be expected.

Re:On what basis can you make this demand? (1)

sjames (1099) | about 5 months ago | (#46363097)

It's a wee bit more specific. RSA made a truly bizarre choice to default to a broken RNG that had absolutely no benefit and many risks (it was slower, more memory hungry and untested). We know the NSA created that RNG to be subtly weak. We know that RSA took a largish payoff.

They either got suddenly stupid or they took a payoff. Neither suggests confidence in their products or recommendations.

Yes, many have worked with the NSA in the past. Some stopped after the world found out the NSA was not what they thought it was, others continue. RSA continues.

RSA really should have known better. The NSA is now known to be toxic and contagious. RSA hopped into bed with it and now it has cooties.

Re:routine (1)

jythie (914043) | about 5 months ago | (#46357205)

Ahm.. not posting private contracts is a pretty reasonable 'routine' business practice. That is not a 'pass' it is a 'of course they are not going to publish it', and looking to it as proof they were up to something nefarious is just another 'if you are not guilty you have nothing to hide' argument.

Re:routine (1)

Darinbob (1142669) | about 5 months ago | (#46362793)

You're mixing two things together. First you assume a-priori that they must be guilty in assisting in spying or in adding a backdoor. Second they got a contract. You conflate the two into assuming that they got a contract in order to add the back door. No one is saying it is routine to give away our info to the government, and no one is defending that.

All we really have right now are accusations but no real evidence. Now the contract from NSA would be fishy if it was the only contract they ever got and if no one else got a similar contract and if contracts were really rare. Given that the NSA has worked very often in the past strengthening crypto schemes and has worked closely with many companies and researchers in this area, it is not unusual for a prominent crypto company to get some money from the NSA. Yes it _could_ have been a bribe to add a back door but there's no evidence of that. I.e., it's circumstantial.

Re:What did you expect? (0)

Anonymous Coward | about 5 months ago | (#46356981)

They. LIED. Publicly. You can't just say "oh, well they disclosed it on the record" and then NOT LOOK at the veracity of the stated record.

And this company in PARTICULAR is supposed to be about verification of trust.

What lie? (1)

sirwired (27582) | about 5 months ago | (#46357107)

They were accused of taking a $10M bribe to backdoor an encryption algorithm. RSA says it's not true. There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

If they truly were going to compromise the security of every one of their customers, why would they have agreed to accept a paltry $10M?

Re:What lie? (1)

guises (2423402) | about 5 months ago | (#46357171)

They might not have known the details about the weakness, but why else would the NSA be paying them to use a particular algorithm? They thought they were getting money for no reason?

Re:What lie? (1)

Darinbob (1142669) | about 5 months ago | (#46362945)

The money may be for many reasons. Maybe it sounds like a lot of money to you, but it could be supplied for many legitimate reasons. Both RSA and NSA are involved in standards committees, and creating a standard is not done for free. RSA could have been paid to work on a standard, do some research, provide a product, and so forth.

If there is indeed a backdoor the most we have proof of is that RSA were played for fools. Which actually is damning enough to cause them to lose all the credibility that they are losing today.

The other thing in the picture is that RSA is not a person, it is composed of many employees. Not all of them are evil people seeking to subvert people's freedoms. And yet every single employee with RSA and every customer still working with them are being treated as if they've done something wrong, as in some obnoxious blogger ambushing them while trying to have lunch.

Re:What lie? (1)

thue (121682) | about 5 months ago | (#46357487)

> There's zero evidence that RSA knew about the weakness when accepting the money to include the algorithm in their products.

It is possible that RSA Security was not aware of the possible backdoor in 2004, though unlikely [cryptograp...eering.com] . But that in no way excuses or explains why RSA Security kept using the algorithm after the flaws became apparent and widely known in 2006 and 2007: http://blog.cryptographyengine... [cryptograp...eering.com]

Re:What lie? (1)

Agent ME (1411269) | about 5 months ago | (#46362147)

Yeah, if RSA didn't take a bribe, then they're just grossly incompetent and should still be vilified anyway.

Re:What lie? (0)

Anonymous Coward | about 5 months ago | (#46357727)

"why would they have agreed to accept a paltry $10M?"

What difference does it make if it's 10 times that? None.

Re:What lie? (1)

hackajar1 (1700328) | about 5 months ago | (#46370827)

This argument is very valid when you consider RSA is not directly in the encryption business, they only repackage other peoples ciphers, and have no one on staff who could verify anything. Oh wait...

Re:What did you expect? (0)

Anonymous Coward | about 5 months ago | (#46357055)

...some a$$hole ambushing some geeks at a tech conference that just want to get their lunch and get back to the conference sessions.

the NSA is surrounded by vendors who sell the hardware and software that enables your "mere" metadata to be captured and sifted, plenty of the people on the floor know that the companies they work for are or might one day be seeking contracts to do all that capturing and sifting,...

Get another job.

Anyone who works for companies that knowingly enables the Government to abuse its power is part of the problem.

The true face of Capitalism - profit is everything.

There are no excuses.

"If we don't, someone else will!"

Let it be someone else.

And if I see a job applicant who worked for one of these vendors, I just have to wonder about his ethics. Is he really working for the NSA and is using my company for a cover? Is he going to put code in to spy for them? For someone else?

I don't know guys, working for a NSA vendor looks like career death.

Re:What did you expect? (1)

mmell (832646) | about 5 months ago | (#46359119)

Well, to quote a famous fictional hero, "I got bits falling off my ship, I got a crew ain't been paid and, oh yeah, a powerful need to eat sometime this month".

Somehow, I don't think giving the NSA the middle finger they so richly deserve is going to make that any easier.

Re:What did you expect? (0)

Anonymous Coward | about 5 months ago | (#46360689)

And yet Mal still wasn't so far down that he'd sell out to the Alliance.

Re:What did you expect? (1)

TangoMargarine (1617195) | about 5 months ago | (#46362451)

Although after watching a show quite a number of times, I'm no longer convinced Mal was this ethical paragon that people make him out to be. He seemed to go out of his way to make his crew think he was about to do something bad and say, "Just trust me." It turned out a minute of screen time later that that *wasn't* what he was going to do, but he seemed to be intentionally misleading.

That, and his whole "you're on the crew, you're family" mantra seemed to be veeeery malleable when he wanted it to be.

Although this reinforces my saying that there's a Firefly quote for every occasion ;)

Re:What did you expect? (0)

Anonymous Coward | about 5 months ago | (#46360615)

Well, first you have to convince me that any laws were broken, and thus, any abuses of power have happened. But, since you obviously are a trusted (and sanctimonious) Constitutional scholar, I guess I'll have to take your word for it. And please, don't embarrass yourself by quoting verbatim the 4th Amendment because that would only show you that you don't know fuck about 200+ years of court cases and interpretations.

But, hey, if you can make yourself feel better by looking down your nose at people based off where you choose to draw your line in the morality sand, then go for it. Just get in line behind the abortion critics, Westboro Baptist Church folks, PETA, etc. because it is all the same indignant outrage based upon claiming sole ownership of the high moral ground.

Re:What did you expect? (1)

Darinbob (1142669) | about 5 months ago | (#46363017)

And please list all the companies you've ever worked for, to see if we should blacklist you as well.
Wait, you're still posting on Slashdot, and they're owned by Dice, so clearly you're all in favor of the corporate takeover of open free speech sites.

Geeks don't exist in a vacuum (0)

Anonymous Coward | about 5 months ago | (#46357079)

Though sometimes I wish they did, as the life expectancy in a vacuum is rather short, maybe 2 minutes tops?

Re:What did you expect? (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 5 months ago | (#46357537)

Pity the poor hatchetmen, cruelly interrupted during lunch. I, for one, fear for the future of a society that respects the privacy of others so little...

Do I think that Our Fearless Correspondent is even remotely effective in his stated aims? Not with those tactics, he'd be hard pressed to get someone to tell him the time.

Should we care about that? Do RSA's little minions deserve to throw a veil of contractual secrecy over their lunch hour, lest their delicate feelings be offended by the sight of disapproval?

In a situation where legal redress is, in all probability, a fantasy; but displeasure is very real, isn't social disapproval an excellent response? Wouldn't it be delightful if admitting to working for a spook contractor was about as pleasant as admitting that you take the long way around that school zone because you are a convicted sex offender? Now, especially without good evidence tying individual people to individual pieces of work, you don't want to go overboard; but it would be downright wholesome if the penalty for collaboration was constant exposure to contempt.

"Minions?" Hardly (1)

sirwired (27582) | about 5 months ago | (#46358209)

Most of the attendees at a tech conference are front-line IT grunts (and their managers) sent there by their boss to learn about new products, techniques, etc. Most of them don't work for RSA, nor will most have been in charge of the buying decision to purchase RSA products.

This isn't a "veil of contractual secrecy" being thrown... this is some more-or-less random schmoe having a complete stranger asking him questions on camera on something on which he doesn't have enough information to make an intelligent reply.

Re:What did you expect? (1)

Guppy06 (410832) | about 5 months ago | (#46357655)

some geeks at a tech conference

They're called "enablers."

Re:What did you expect? (1)

Darinbob (1142669) | about 5 months ago | (#46363041)

They've invented color photography decades ago, and they even have color televisions now. Why is your world still in black and white?

Re:What did you expect? (1)

thue (121682) | about 5 months ago | (#46357765)

> And the RSA did go on record. They said it wasn't true.

What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal. RSA Security has not denied that it turned out there was a backdoor, or that there was a $10,000,000 deal to make Dual_EC_DRBG the default in the BSAFE library.

If you read the keynote from the current RSA Conference [blogspot.dk], RSA's defense is that they stopped independently creating and verifying the cryptographic algorithms, instead just getting them straight from NIST and ANSI. And they knew or should have known that Dual_EC_DRBG was written by NSA.

> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to our business, we worked to establish an approach to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and Technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

Meanwhile RSA Security ignored all the independent research showing that Dual_EC_DRBG was radioactive. So RSA Security's defense is that they stopped doing any due diligence, and instead just copied everything straight from NSA. And because they stopped even trying to do independent cryptography, they were not aware of the possible backdoor. And you think RSA Security's statements in their defense are not laughable, and that people protesting this are just "a$$holes"?

Re:What did you expect? (1)

thue (121682) | about 5 months ago | (#46357869)

> What RSA Security has specifically said is that they knew about the backdoor when they made the $10,000,000 deal.

That should of course have been:

> What RSA Security has specifically said is that they didn't know about the backdoor when they made the $10,000,000 deal.

Re:What did you expect? (0)

Anonymous Coward | about 5 months ago | (#46358087)

> are generally not something a security company is ever going to disclose

What have they got to hide?

> surveillance-state paranoia

Says that the government knows what's in my contracts, because what have I got to hide?

Nobody's doing nothin' wrong.

Re:What did you expect? (1)

Opportunist (166417) | about 5 months ago | (#46358241)

If the allegation is that the contract violates constitutional laws and especially if one of the partners in said contract is a branch of the government, I'd at the very least expect a general attorney to take a look at the contract. The accusation here is nothing less than RSA conspiring with a government agency to undermine constitutional rights of US citizens.

That's not enough to get a GA moving? Really? Guess they first have to torrent a few movies.

Re:What did you expect? (1)

david_thornley (598059) | about 5 months ago | (#46369531)

When I read what they had to say, what they seemed to be explicitly denying is that they specifically knew they were putting a back door in at the time. There was a lot of other fluff, but no substantive statement.

Here's one scenario consistent with what I read: RSA accepted $10M from the NSA to put in certain specific values in their cryptosystem, and did not at the time bother to look if it might be a back door. It was in fact a back door, and they continued pushing it for years. AFAIK, they haven't denied that one.

Re:What did you expect? (1)

hackajar1 (1700328) | about 5 months ago | (#46370865)

Did you RTFA? They only turned away people who PAID to be at the conference. "Expo Only" passes, i.e. plain old tech people, were allowed access. It is also worth noting that you are attempting to claim something as a "tech conference" and blatantly ignoring the fact that it is a SECURITY CONFERENCE. "How many free lunches has RSA given you?" is probably a better question, seeing all of your pro-RSA talk on this topic.

Seriously? (1)

sirwired (27582) | about 5 months ago | (#46375339)

"Plain old tech" people get paid conference passes all the time. Your company buys X amount of stuff from Y vendor (or a business partner), the vendor account rep provides your company with Z full conference passes gratis, and most of those passes end up in the hands of front-line IT grunts (they are the ones most of the education classes are targeted at). These grunts are no more likely to be familiar with the particular facts of what they were getting interrogated on than any other geek.

Also, it IS a tech conference; RSA just happens to be a security vendor; pretty much every single large tech vendor runs one of these conferences. A "security conference" would be something like DEFCON, one of the several conferences the IEEE runs on security, etc.

And quit with your paranoia about how much RSA is bribing me. I work from home, so it'd be pretty tough for RSA to buy me lunch. The organization I work for (part of a larger IT company) is not an RSA customer. Not everyone that voices vocal disagreement is a sock-puppet; I thought the whole point of the Slashdot comment section was to comment.

All my so-called "pro-RSA" talk on this topic has been motivated by the obnoxious tactics of these protestors, and the knee-jerk silence-equals-guilty attitude. You'd get the same reaction from me if this was a story about PETA sticking microphones in the face of somebody trying to buy some chicken for dinner.

Chevy's sucks though. (0)

Anonymous Coward | about 5 months ago | (#46356919)

Watered down margaritas and fall-apart fail-tacos seems ironically appropriate here.

Bad inference (4, Insightful)

DoofusOfDeath (636671) | about 5 months ago | (#46356945)

> The pained facial expressions when they refused were interesting, though, and reflect the problem with a surveillance society in a nutshell.

Stupid reasoning. There are plenty of other reasons these people might not want to publicly comment. The most likely is that they're not authorized to speak for their employers, and fear rebuke or dismissal at their workplaces if they speak publicly on the topic.

Re:Bad inference (2)

Trepidity (597) | about 5 months ago | (#46357151)

Also, the pained facial expressions might be related to the lack of tacos and/or tequila drinks.

Re:Bad inference (1)

fulldecent (598482) | about 5 months ago | (#46358227)

If someone stole my tequila, my response would be elevated from the TFS to TFH

Re:Bad inference (0)

Anonymous Coward | about 5 months ago | (#46359103)

This!

Re:Bad inference (1)

jythie (914043) | about 5 months ago | (#46357241)

Or even the rather pedestrian 'people do not like random bloggers shoving a camera in their face and just want to go about their business'. When someone does that to me, I do not care what the topic or question is, they still annoy me and I am not in a mood to cooperate or even interact with them.

Re:Bad inference (1)

Crypto Cavedweller (2611959) | about 5 months ago | (#46360319)

Exactamundo. My time is precious, no you can't have it just because you think you and your camera are entitled to it.

Re:Bad inference (0)

Anonymous Coward | about 5 months ago | (#46363231)

Reminds me of Michael Dunn's victim mentality. When you are involved with evil shit no wonder people want answers!

Re:Bad inference (0)

Anonymous Coward | about 5 months ago | (#46358333)

This. Just about every place I've ever worked has had a rule which states that the only information employees shall give out to the press on the behalf of the company is the business card of the company's PR person. Either that, or thou shalt consult the legal dept. before saying anything.

Re:Bad inference (0)

Anonymous Coward | about 5 months ago | (#46358391)

Maybe they were just desperate to use the toilet at that taco place. Or maybe they were waiting for the money offer.

This (1)

sl3xd (111641) | about 5 months ago | (#46359665)

+1 to this.

It's fairly common for companies to have required IT products, such as RSA. Then they send their employees out to improve their knowledge of the "blessed" product(s).

The employees are often obligated to attend the conference, and are also (due to corporate policy) unable to say much, just in case those comments can be construed as company opinion.

So yeah... you have these poor attendees who are pretty much like "Look, I don't know anything anyway, my attendance was mandated by someone else. Why are you harassing me?"

Re:This (1)

Darinbob (1142669) | about 5 months ago | (#46363143)

There are a lot of RSA customers, so it is reasonable to expect them to show up at the RSA conference. Similarly those customers should not be expected to do a recall of all their product lines and rewrite all the code so that they can ditch RSA as soon as possible (especially if not using Dual_EC!). Second, the RSA conference, despite the name, is not only about RSA products. It's an important venue to go to in order to learn about new products from a large variety of vendors, to network with other people in the field, and to listen to respected speakers in the field. To treat all these people like they were all sub-subcontractors for NSA is stupid.

'buying out' the most obvious lunch spot nearest (0)

Anonymous Coward | about 5 months ago | (#46357021)

Jesus christ are these people serious?

heresy, everywhere heresy (0)

Anonymous Coward | about 5 months ago | (#46357323)

I'm sorry, do you have a problem with the FREE MARKET ?!! you probably kiss girls, you foggot

Re:heresy, everywhere heresy (1)

TangoMargarine (1617195) | about 5 months ago | (#46362551)

Not sure which is worse: you calling someone a faggot for no reason, or not even knowing how to spell it properly...

WTF is the "Classic" link now? (0)

Anonymous Coward | about 5 months ago | (#46357035)

WTF is the "Classic" link now?

Re:WTF is the "Classic" link now? (0)

Anonymous Coward | about 5 months ago | (#46357565)

Why doesn't your bookmark say http://slashdot.org/?nobeta=1 [slashdot.org] yet?

The doom in mankind's future (0)

Anonymous Coward | about 5 months ago | (#46357129)

Do you think that the bomber would cease dropping the artillery if he or she could see the faces of the burning people on the ground? Or do you think that nightmares of an eternity in a fiery hell would prevent a commander from sending his troops mercilessly into a suicidal slaughter? Do you think that just because an entire nation sits on the precipice of collapse created by the decisions of a few who do not share the same loyalties would stop their plans when they know it will result in the destruction of that nation? Then you do not understand the fact that as long as they all can pass the responsibility for their own actions onto something greater than their own cowardice, this world will never be a safe place. As long as they believe that it is for the greater mankind, the bulk of mankind will never rest easily or assuredly. That is the nature of the way it has to be. For the rebellious nature of man will soon be overwhelmed by a universal change that no one will stop.

RSA considered Dual_EC research without merit? (1)

thue (121682) | about 5 months ago | (#46357195)

Jeffrey Carr has a good point from the RSA Conference keynote:

> "When, last September, it became possible that concerns raised in 2007 might have merit as part of a strategy of exploitation, NIST as the relevant standards body issued new guidance to stop the use of this algorithm. We immediately acted upon that guidance, notified our customers, and took steps to remove the algorithm from use." - Art Coviello RSAC 2014 Keynote speech

So up until then, they apparently considered all the criticism of RSA security without merit? On what basis? The research was obviously right.

http://jeffreycarr.blogspot.dk... [blogspot.dk]

If you read a bit more in the actual keynote, there is actually an unexpectedly frank explanation:

> "Recognizing that [after year 2000, open source, non-patented encryption was widely available], and encryption's inevitable shrinking contribution to our business, we worked to establish an approach to standards setting that was based on the input of the larger community rather than the intellectual property of any one vendor. We put our weight and trust behind a number of standards bodies - ANSI X9 and yes, the National Institute of Standards and Technology (NIST). We saw our new role, not as the driver, but as a contributor to and beneficiary of open standards that would be stronger due to the input of the larger community."

But they ignore most of the input of the larger community, in favor of taking $10,000,000 from NSA to use their backdoored algorithm.

What we have seems to be standard exploitation of a valuable acquired brand which is no longer profitable. Take a high-quality brand with an outstanding reputation for independent quality checking. Fire everybody skilled (and expensive), and sell as many cheap commodity products under that brand as you can get away with, with as little expensive quality control as possible. Their claim is that they expected to get the quality control for free from NIST, which they knew was dominated by the NSA. Meanwhile, RSA Security chose to totally ignore any contradicting independent research.

Personally I believe the amount of incompetence and cluelessness claimed by RSA Security as defense strains credulity beyond breaking point.

Re:RSA considered Dual_EC research without merit? (0)

Anonymous Coward | about 5 months ago | (#46357733)

> Their claim is that they expected to get the quality control for free from NIST, which they knew was dominated by the NSA.

Who has been known in the past for strengthening public crypto algorithms (see DES), not weakening them.

So what's left that is still strong? Anything?? (0)

Anonymous Coward | about 5 months ago | (#46357229)

While I support this kind of excellent awareness-based protest and non-violent resistance, I don't believe it will be in the least bit effective. Preaching to the sheep as it were.

But this all begs the question of what encryption methods, algorithms and ciphers are still strong? Anything? Not a damn thing? With as far back as some of this seems to go and more nonsense coming up every week, everyone is wondering if this has been going on since NIST started approving things in encryption or even before.

NSA vs USA (1)

mtrachtenberg (67780) | about 5 months ago | (#46357857)

Look, the NSA has already done more damage to the United States technology industry than any other enemy. RSA and the rest are just private branches of the state. Fuck them.

Re:NSA vs USA (0)

Anonymous Coward | about 5 months ago | (#46362189)

National Antisecurity Agency

Pained (1)

Crypto Cavedweller (2611959) | about 5 months ago | (#46360301)

"The pained facial expressions when they refused were interesting ..." In many cases I suspect this was just their "Who are you and why are you bugging me now go away" expression.

And not all (0)

Anonymous Coward | about 5 months ago | (#46361473)

cops are bad. All of them are enablers making them all bad.
