Saturday, January 04, 2014

Why we have to boycott RSA

The only thing stopping corporations from putting NSA backdoors into their products is the risk of getting caught. RSA got caught backdooring BSAFE. If nobody seems to care, if RSA doesn't suffer consequences, then nothing will stop other corporations from following suit.

RSA is the singular case. The Snowden leaks make us suspicious of other companies, like Google, Yahoo, Apple, Microsoft, and Verizon, but only with RSA do we have a "smoking gun". In some cases the companies had no choice (Verizon). In other cases, it appears that rather than cooperating with the government, the companies may in fact be yet another victim (Google). RSA is the standout that deserves our attention.

I mention this because people on Twitter are taking the stance that instead of boycotting RSA that we should attend their conference, to represent our views, to engage people in the conversation, to be "ambassadors of liberty". This is nonsense. It doesn't matter how many people you convince that what the RSA did is wrong if that doesn't change their behavior. If everyone agrees with you, but nobody boycotts RSA's products/services, then it sends the clear message to other corporations that there is no consequence to bad behavior. It sends the message to other corporations that if caught, all that happens is a lot of talk and no action. And since the motto is that "all PR is good PR", companies see this as a good thing.

The word to describe those who do business with the RSA, even while criticizing their backdoor, is "collaborator". This was the word used by the French ("collabo") to describe the members of the Vichy government who aided the invading Germans. Instead of giving up their positions of power, wealth, and prestige, members of the French government just kept doing their same job. Their reasoning was that they were really anti-German, but that they could do more good for the French people inside the occupation government than without. The French didn't buy this reasoning, and neither should you. Speakers who claim they can do more good collaborating with RSA, while speaking out against RSA, are still enjoying the speaking fees and the prestige of talking at a major conference.

Sadly, I haven't spoken at RSA in many years. Had I been accepted to talk this year, I'd certainly be canceling it. Moreover, I won't be talking or attending any future conference labeled "RSA" ever.

The reason isn't that I'm upset at RSA, or think that they are evil. I think RSA was mostly tricked by the NSA instead of consciously making the choice to backdoor their products. Instead, what I care about is sending the message to other corporations, that they should fear this sort of things happening to them. If you are a security company, and you get caught backdooring your security for the NSA, you should go out of business.

Comments: there are more comments to this post over at Y Combinator.

Confirmed speakers/trainers who have canceled their RSA Conference talks are:

Dave Lewis is also maintaining a list of cancels at CSO Online.


gwrtheyrn said...

I think you should clarify that you're talking about the RSA Security LLC, not about the RSA algorithm. Otherwise some people might confuse them :)

William Payne said...

Does the same reasoning apply to EMC, their parent company?

Security Leaders Group said...

You should make a distinction between the RSA Conference and RSA the security division of EMC. There is certainly a link but there are also some walls.
What everyone should do is choose something other that the default RNG for BSafe, as RSA announced after it was learned that it had been compromised by the NSA.

Risav Karna said...

It indeed looks like we are more sure about RSA than other potential accomplice companies. Nevertheless, giving the boycott treatment only to RSA really works more to take the spotlight away from further investigation of the others than to set an example for NSA and co. For instance, you made it sound certain that Google was a victim and as if the others mentioned too do not deserve the same boycott.

If only a smaller player like RSA gets the burns and none of the alleged big names feel even the hint of a spark, not much will change in the larger scheme of things.

Let's not single out a small scapegoat and make it look like it solves anything big.

Pierre-Yves Luyten said...

@security leaders group - boycott does not have to target this or that subsidiary very precisely. This is quite the opposite.

The more violently you boycott, the worst for the holding. The worst for the holding is the best.

CaliDreamWorks said...

It should absolutely apply to EMC as well.

billy said...

@SecurityLeadersGroup: No, what everyone should do is stop using bsafe and RSA products all together.

Jonathan said...

No, he shouldn't make a distinction between the RSA conference and the RSA group in EMC. That's the whole point.

The organization did something unacceptable and it must be shunned. I think that should include EMC as well.

Paolo Brizzo said...

Please can You explain better why You think Google is another victim and Verizon has no choice? I do not live in USA and I'm not familiar with USA legislation maybe I'm missing some important points because of this.

Kate Krauss said...

Thanks for backing out, and doing it publicly.

Robert Graham said...

Paulo, Verizon was given a court order. That means if they don't comply, people with guns come and shoot them.

Alan Beveridge said...

RSA the conference has little to do with RSA the security division of EMC who provides the products that may have been compromised by the NSA. The RSA conference is so large and popular because it is not another single vendor promotion conference, but a true vendor agnostic discussion of security. If I go to Oracle World or one of the IBM conferences, all I hear is a product pitch for that one company or its close partners. The RSA conference isn't about RSA the company, it's about spreading knowledge about information security in general, and allows people to see the products of any company.

Ricci Reyes said...

Uhm, if RSA conference isn't about RSA the company, what could be the reason why they have called it RSA conference? One observation is that the RSA in the conference and in the company bears the same logo. Hmmm, TED Talks isn't about TED the company, but about spreading knowledge about almost everything.

Melchoir Farrell said...

RSA has denied cooperation with the NSA in providing the back door, and accepting the payment of $10 million.

Since they are so sure of themselves why not suggest a forensic analysis of their financial records going back several years. Any attempt to corrupt records has a good chance of being discovered.

The audit should be conducted by one or more truly independent auditors.

This presumes that they have not been able to hide the revenue; even the GCHQ seems to have been unable to hide the $100 million payment from the NSA.