Ira Winkler: The RSA Conference boycott is nonsense
The outrage is more about media hype, hypocrisy and grandstanding than firm principles
Computerworld - Some people are boycotting the RSA Conference. What is that all about?
Ostensibly, it is about the revelations made in a December story from Reuters that claimed that RSA was paid $10 million by the National Security Agency to use a flawed encryption algorithm in its BSafe product, giving the NSA a back door.
But the boycott effort is really about many other things. Things like erroneous assumptions, misguided outrage, hypocrisy, grandstanding and media hype.
It's the media hype that bothers me most, really, but I'll get to that later. First, let me fill in some of the details.
The Reuters story sprang from a September report in The New York Times that said that documents leaked by former NSA contractor Edward Snowden showed that the NSA was able to implement a back door in encryption products by creating a flawed algorithm for generating random numbers. What was new in the Reuters report was the claim that in 2006, the NSA paid RSA $10 million to make that flawed algorithm the default option in its BSafe encryption product.
This alleged complicity in a spying program sparked outrage in certain quarters of the information security community. But the conspiracy theory has several holes.
First, BSafe users were free to choose other random-number generators included with the product. True, most people will never opt out of the default algorithm, but you would think the NSA would get something more for its money than just the possibility that people will deploy the algorithm with the back door.
More seriously, though, how can it be assumed that RSA adopted the flawed algorithm with full knowledge that it was flawed? The algorithm was approved by the National Institute of Standards and Technology (NIST) up until September 2013, when the flaw was discovered. Is it likely that the NSA would have volunteered the information that the algorithm provided a back door? That doesn't sound like the NSA we're familiar with.
Moreover, RSA claims that it made the algorithm in question the default random-number generator for BSafe in 2004, two years before it supposedly entered into a diabolical conspiracy with the NSA. I have not seen anyone refute RSA's claim, which shouldn't be hard to do if RSA is lying.
And to get back to the NIST, it made the algorithm in question a standard, qualifying the BSafe product for FIPS compliance. That means BSafe was deemed safe to use within critical U.S. government operations. My guess is that the U.S. government and its contractors are probably the largest segment of BSafe's customer base. Now, the NIST first had warnings about potential flaws in the algorithm in 2007, but it did not believe there was a significant concern until 2013. That means that U.S. government operations were vulnerable to attack for several years, all because of a deliberately flawed algorithm the NSA is alleged to have introduced into the market.