Ira Winkler: The RSA Conference boycott is nonsense
The outrage is more about media hype, hypocrisy and grandstanding than firm principles
Computerworld - Some people are boycotting the RSA Conference. What is that all about?
Ostensibly, it is about the revelations in a December story from Reuters, which claimed that the National Security Agency paid RSA $10 million to make a flawed random-number generator the default in its BSafe cryptographic library, giving the NSA a back door into anything that relied on it.
But the boycott effort is really about many other things. Things like erroneous assumptions, misguided outrage, hypocrisy, grandstanding and media hype.
It's the media hype that really bothers me most, but I'll get to that later. First, let me fill in some of the details.
The Reuters story sprang from a September report in The New York Times, which said that documents leaked by former NSA contractor Edward Snowden showed that the NSA had built a back door into encryption products by getting a flawed random-number generator (the Dual_EC_DRBG algorithm) adopted as a standard. What was new in the Reuters report was the claim that in 2006 the NSA paid RSA $10 million to make that flawed algorithm the default option in BSafe.
This alleged complicity in a spying program sparked outrage in certain quarters of the information security community. But the conspiracy theory has several holes.
First, BSafe users were free to choose other random-number generators included with the product. True, most people will never opt out of the default algorithm, but you would think the NSA would get something more for its money than just the possibility that people will deploy the algorithm with the back door.
More seriously, though, how can it be assumed that RSA adopted the flawed algorithm with full knowledge that it was flawed? The algorithm was approved by the National Institute of Standards and Technology (NIST) up until September 2013, when NIST recommended against its use in the wake of the Snowden disclosures. Is it likely that the NSA would have volunteered the information that the algorithm provided a back door? That doesn't sound like the NSA we're familiar with.
Moreover, RSA claims that it made the algorithm in question the default random-number generator for BSafe in 2004, two years before it supposedly entered into a diabolical conspiracy with the NSA. I have not seen anyone refute RSA's claim, which shouldn't be hard to do if RSA is lying.
And to get back to NIST: it made the algorithm in question part of a standard, which is what qualified BSafe for FIPS 140-2 validation. That means BSafe was deemed safe to use within critical U.S. government operations. My guess is that the U.S. government and its contractors are probably the largest segment of BSafe's customer base. Now, NIST first had warnings about potential flaws in the algorithm in 2007, but it did not consider them a significant concern until 2013. That means that U.S. government operations were exposed for several years to anyone holding the secret behind the back door, all because of a deliberately flawed algorithm the NSA is alleged to have introduced into the market.