
Why we have to boycott RSA - techinsidr
http://blog.erratasec.com/2014/01/why-we-have-to-boycott-rsa.html
======
ics
> I mention this because people on Twitter are taking the stance that instead
> of boycotting RSA that we should attend their conference, to represent our
> views, to engage people in the conversation, to be "ambassadors of liberty".
> This is nonsense. It doesn't matter how many people you convince that what
> the RSA did is wrong if that doesn't change their behavior. If everyone
> agrees with you, but nobody boycotts RSA's products/services, then it sends
> the clear message to other corporations that there is no consequence to bad
> behavior. It sends the message to other corporations that if caught, all
> that happens is a lot of talk and no action. And since the motto is that
> "all PR is good PR", companies see this as a good thing.

_DO BOTH_. This is the real world. People have to compromise to send a
unified message. Don't refuse to help one group who shares your goals because
they have a different idea of how to achieve it. If you are in a position
where you can boycott _and_ voice your opinion to their faces, do it. Maybe
you're right and they don't give a shit about what you say. Who cares? Let the
other people there know, and let them know that there are more of you out
there.

~~~
gpcz
It would take too much secret coordination, but the coolest thing would be if
all the world's encryption experts/academics colluded to talk at RSA's
conference with seemingly-plausible topics, but then have everyone just
deliver a speech on RSA's actions before leaving the podium. Then again,
getting in would require writing legitimate papers that RSA could still
publish in their proceedings to make the conference look successful.

------
oroup
I'd go further. I think there needs to be a class action suit brought by
customers who purchased a security solution and got snake oil. I'm sure the
RSA license limits liability but I think there's a case to be made that this
isn't just negligence but willful criminal acts and the limitations should be
set aside. The case itself would probably be pretty damaging ("Tell us, what
did you think the $10m was buying?"). I think RSA would go pretty far to avoid
a trial.

~~~
us0r
[https://www.eff.org/files/filenode/20111229_9C_Hepting_Opinion.pdf](https://www.eff.org/files/filenode/20111229_9C_Hepting_Opinion.pdf)

"II. The 2008 Amendments to the FISA

While the underlying actions were pending in district court, and partially in
response to these suits, Congress enacted the FISA Amendments Act of 2008,
Pub. L. No. 110-261, 122 Stat. 2435, codified at 50 U.S.C. § 1885a. Among the
amendments is § 802, an immunity provision and related procedures that are
triggered if the United States Attorney General certifies to one or more of
five conditions. In such case, no civil action may be maintained “against any
person for providing assistance to an element of the intelligence community.”
§ 802(a)."

This to me says such an action would not even get off the ground let alone
them having to answer the "what did you think the $10m was buying" question.

~~~
rhizome
You should also paste the five conditions for completeness:

1. any assistance by that person was provided pursuant to an order of the
court established under section 103(a) directing such assistance;

2. any assistance by that person was provided pursuant to a certification in
writing under section 2511(2)(a)(ii)(B) or 2709(b) of title 18, United States
Code;

3. any assistance by that person was provided pursuant to a directive under
section 102(a)(4), 105B(e), as added by section 2 of the Protect America Act
of 2007 (Public Law 110–55), or 702(h) directing such assistance;

4. in the case of a covered civil action, the assistance alleged to have been
provided by the electronic communication service provider was—

A) in connection with an intelligence activity involving communications that
was—

i) authorized by the President during the period beginning on September 11,
2001, and ending on January 17, 2007; and

ii) designed to detect or prevent a terrorist attack, or activities in
preparation for a terrorist attack, against the United States; and

B) the subject of a written request or directive, or a series of written
requests or directives, from the Attorney General or the head of an element of
the intelligence community (or the deputy of such person) to the electronic
communication service provider indicating that the activity was—

i) authorized by the President; and

ii) determined to be lawful; or

5. the person did not provide the alleged assistance.

------
fintler
RSA is a subsidiary of EMC. This means that a boycott of Greenplum, Pivotal,
VMWare, Isilon, Mozy, and MANY others would probably be included.

I just don't see an effective boycott of this scale happening -- especially
when most of their customers just care about the product cost and benefit.
Also, it can probably be argued that trying to secure your systems against a
targeted intrusion from the NSA using technical means is pointless and a waste
of money (throwing money at the EFF might be more effective).

Having said that, is there a good alternative to SecureID? The only thing
that seems to come close is CRYPTOCard, but it looks like they have closer
ties with the NSA than RSA does. A yubikey also looks nice, but I don't like
how it needs to be plugged in as a keyboard -- a device that is kept
physically separated from the login machine would be ideal. OTP apps on a
multi-purpose device (mobile phone) also aren't something I consider to be
secure.

~~~
MacsHeadroom
> is there a good alternative to SecureID?

Twitter, Tumblr, Facebook, MIT, Stanford, Sony, Arbor Networks, 37 Signals,
Twilio, (and many more) all use Duo Security as an alternative to RSA
SecureID. [https://www.duosecurity.com/success-stories](https://www.duosecurity.com/success-stories)

Duo 2FA is easily the most secure[1], easiest to use[2], and most developer
friendly multi-factor solution[3].

[1]
[https://www.duosecurity.com/security](https://www.duosecurity.com/security)

[2] [https://www.duosecurity.com/product](https://www.duosecurity.com/product)

[3a] Almost all of Duo is open source.
[https://github.com/duosecurity](https://github.com/duosecurity)

[3b] Duo's C development libraries and SSH/PAM packages are available in the
official repos for major distributions like Debian/Ubuntu, RHEL/CentOS/Fedora,
SUSE/SLES, etc.
[http://packages.debian.org/search?keywords=duo+security&searchon=all&suite=testing&section=all](http://packages.debian.org/search?keywords=duo+security&searchon=all&suite=testing&section=all)

[3c] Duo's REST APIs kick ass:
[https://www.duosecurity.com/api](https://www.duosecurity.com/api)

~~~
droopybuns
The only downside to Duo is Jon Oberheide's previous collaborations w/ Charlie
Miller, ex-NSA'er & advocate of the "no more free bugs" movement.

Minor nitpick, but if we're shaming companies in the security community, I
think it's worth calling out some of the security celebrities whose stances
contribute to the privacy destroying activities of the NSA. He and people like
the grugq are enablers of the government's destruction of our privacy.

I agree with you though. Duo is one of the best alternatives out there. Jon's
collaborations w/ Miller were years ago. Perhaps I'm being a bit too grudgy.

------
kerkeslager
Branding this as a boycott implies that this is an expression of protest, that
this is a moral issue. I agree that it is, but a lot of people don't. The
morality of the NSA, and of cooperating with the NSA, is a matter of national
debate.

However, it is not a matter of debate that the RSA backdoor of BSAFE was and
is not open merely to the NSA. It is an objective fact that anyone can take
advantage of a backdoor like this. As such, even if you think that the NSA is
right, even if you think that cooperating with the NSA is correct, this is not
the way to do it.

It might make business sense to do business with a security company that
cooperates with the NSA. It does not make business sense to do business with a
security company which is proven to produce vulnerable software.

Whether or not it's an ethical problem is subjective. The fact that it's a
business problem is objective.

This comment misses the mark:

> Also, it can probably be argued that trying to secure your systems against a
> targeted intrusion from the NSA using technical means is pointless and a
> waste of money

The BSAFE backdoor does not simply make companies vulnerable to targeted
intrusion from the NSA. It makes _every_ technology which uses Dual_EC_DRBG
vulnerable to _any_ hacker who knows how to use the vulnerability. This is a
pseudorandom number generator, which means that it affects almost every
primitive cryptographic operation.

A company which would introduce such a vulnerability for the NSA may or may
not be an ethical company, but it certainly is not a company qualified to
provide security.

EDIT: It looks like I messed up my understanding of the way in which
Dual_EC_DRBG was broken. See the responses to my post for details.

~~~
sdevlin
> However, it is not a matter of debate that the RSA backdoor of BSAFE was and
> is not open merely to the NSA. It is an objective fact that anyone can take
> advantage of a backdoor like this.

This is not accurate. You need to know the private key for the generator, and
this is not publicly known.
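The disagreement between the two comments above comes down to who holds the generator's trapdoor. As an added illustration (not code from the thread or from RSA), here is a toy model of the Dual_EC_DRBG construction on a constructed 13-point curve over F_11: the honest user only sees the public points P and Q, while whoever chose Q = d*P can recover the internal state from a single output. Without d, recovering the state is an elliptic-curve discrete log, trivial at p = 11 but infeasible on the real P-256 curve; the toy also omits the real design's truncation of output bits.

```python
# Added illustration, not code from the thread: toy Dual_EC_DRBG on a constructed
# curve y^2 = x^3 + x + 6 over F_11 (13 points, so every point has prime order 13).
P_MOD, A, B, ORDER = 11, 1, 6, 13
INF = None  # point at infinity

def ec_add(p1, p2):
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:  # tangent slope when doubling, chord slope otherwise
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc, k = INF, k % ORDER
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def point_from_x(x):  # lift x to a point; p = 3 mod 4 so the sqrt is one power
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

# Public constants. The designer chose Q = d*P for a secret d (constructed as 5);
# the trapdoor e = d^-1 mod ORDER satisfies e*Q = P. Users never see d or e.
P_PT = (2, 4)
D_SECRET = 5
Q_PT = ec_mul(D_SECRET, P_PT)
E_TRAPDOOR = pow(D_SECRET, -1, ORDER)

def generate(seed, count):
    """Honest use: each round sets s = x(s*P) and outputs r = x(s*Q).
    seed must be in 1..ORDER-1; later states are x-coordinates, never 0 mod 13."""
    outs, s = [], seed
    for _ in range(count):
        s = ec_mul(s, P_PT)[0]
        outs.append(ec_mul(s, Q_PT)[0])
    return outs

def predict_from_one_output(r, count):
    """Trapdoor holder: r = x(s*Q) lifts to R = +-s*Q; e*R = +-s*P gives the next
    state, so all later outputs follow. Without e this is an EC discrete log."""
    R = point_from_x(r)
    if R is None:
        raise ValueError("not an x-coordinate on the curve")
    s_next = ec_mul(E_TRAPDOOR, R)[0]
    return [ec_mul(s_next, Q_PT)[0]] + generate(s_next, count - 1)
```

The sign ambiguity in lifting r back to a point does not matter, because R and -R map to points with the same x-coordinate, which is all the next state uses.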

~~~
SwellJoe
But, how many people have access to said private key? Will it ever be leaked,
as some pieces of sensitive data have been? You can't trust keys that aren't
yours to control, because while we can probably safely assume that NSA has
better security than you or I or the companies we work for, it also has much
higher capability attackers than most of us ever see in our lifetimes. The
value of this particular private key is probably the highest of any known
single private key in existence.

And, what about further down the road? 10 years, maybe 20, when this new type
of key is predictably breakable with large enough resources? A 1024 bit RSA
key is breakable for about $10 million _today_ , according to a study that was
linked to in a previous discussion about the state of quantum computing a
couple days ago.

There are too many ways this one key could end up compromising potentially
millions of locks.

~~~
bigiain
" … because while we can probably safely assume that NSA has better security
than you or I … "

This is the same NSA that has no idea what or how many documents Snowden
exfiltrated as a contractor sysadmin?

Would you bet your company's confidential data (and possibly future existence)
on the assertion that Snowden didn't have access to that private key? Or that
other less politically motivated NSA contractors didn't have access to that
private key, and which they could have sold for profit instead of publicly
whistleblowing for ethical reasons?

~~~
SwellJoe
I've seen no evidence that the key has been compromised, nor evidence that any
important NSA keys have _ever_ been compromised. I must assume they have
different practices for their keys than for their data gathering practices.

While I've never seen it spelled out this way, I've always been under the
assumption that the reason the NSA had so many outside contractors doing
particularly dirty work was perhaps because they knew it was illegal and
unconstitutional, and wanted it to happen outside the agency itself. But, I
may be misinterpreting. It may have simply been a cost-cutting measure in
which they failed to account for the lower level of loyalty to the state and
higher level of loyalty to the constitution and individual rights than they
were accustomed to from "company men".

~~~
bigiain
In this post Snowden era, any time I hear the phrase "I must assume … ", I
automatically have to wonder just how well founded that assumption is any
more.

You're _probably_ right.

A year ago I would have said you were "probably right" if you told me the NSA
wasn't recording metadata for almost every phone call, email, and website
visit.

~~~
SwellJoe
I don't disagree with you, really.

I think we both agree that any company that is willing to compromise its users
to _any_ entity, for money or otherwise, is not a company that should be
entrusted with security. I will never deploy an RSA product, and will
encourage my customers to choose other options (we support 2FA in our
products, as of a couple of months ago, so we have the ability to determine
what potentially millions of users choose, though realistically only a few
hundred of our users have enabled 2FA, thus far; we don't support RSA).

So, yeah, it's _also_ possible that the NSA's super secret input data they
used for this RNG will be revealed or will be compromised by some powerful
attacker (China, for instance, who would have very high incentive to
compromise a large percentage of major corporations in the US in one fell
swoop).

------
salient
Do we have a customer list of RSA? We should at least try warning them about
it. Many of them probably aren't even aware of this. What banks use RSA's
products?

~~~
tptacek
Conservatively: all of them.

~~~
dvanduzer
I'm far more concerned about the overlap between the name of the organization
and the name of the algorithm.

The political debate over "working inside the system" is certainly important
to have. But the organization that makes those hardware tokens used all over
the place could vanish, and it would be a minor systems integration
inconvenience.

The reputation hit to a fundamental algorithm is going to be confusing
programmers for a long time. I don't even know how to start measuring the cost
of that.

~~~
rainsford
I think the solution to that problem should be that if a programmer doesn't
understand the difference between RSA the company and RSA the algorithm or the
difference between a random number generator and an asymmetric algorithm, for
God's sake don't let them anywhere near any crypto code.

Of course that probably won't happen since programmers who don't know what
they're doing implementing crypto seems to be as popular as ever.

~~~
dvanduzer
Ahh, yes I wasn't clear enough. There are two distinct issues here. I observed
more than one reaction to the original news, where a tech journalist type was
clearly experiencing "reasonably informed confusion" about RSA.

And then, the degree of "knowing what you're doing" is important too, because
I'm pretty sure I have a better background in algebra than some professional
cryptographers, but human blind spots can get pretty subtle.

The difference between a PRNG and an asymmetric cipher is _easy_ to
understand. The _cognitive load_ of associating RSA the company with RSA the
algorithm (and ECDRBG the PRNG with ECC the PKI for that matter) is difficult
to overcome even when you're aware of the potential bias.

------
us0r
"In some cases the companies had no choice (Verizon)"

This is how wrong so many people are. Verizon's CEO has flat out said "they
are our largest customer" (i.e - go fuck yourself).

------
sneak
From the article:

"Sadly, I haven't spoken at RSA in many years. Had I been accepted to talk
this year, I'd certainly be canceling it."

~~~
sophacles
What does this have to do with the core part of the article: that people
should boycott the RSA for helping the NSA so willingly in surveillance?

------
eliteraspberrie
A boycott is symbolic, and that is important. But I doubt it will be effective
in changing their corporate priorities. RSA makes its money from government
contracts, or from other government contractors, not from privacy-minded
individuals like us.

Instead, I propose that it be unlawful for companies which have been
thoroughly hacked to bid on government cybersecurity contracts, at least for
some period of time. After the SecurID hack, RSA should have been blacklisted
for, say, a year. BSAFE should not be anywhere near a government or defence
network.

PS: The analogy to Vichy France isn't great. It was not a matter of French
technocrats collaborating just to save their jobs; it was real counter-
revolutionaries fighting to bring down the Third Republic from within.

------
cpt1138
Via this logic, shouldn't we boycott Yahoo, Google, and Facebook too?

~~~
tptacek
Why would you boycott companies that spent millions of dollars fighting NSA
because of an allegation that another company took millions of dollars to help
NSA?

~~~
cpt1138
Well these companies are giving information to the NSA one way or another. It's
a slippery slope argument, but anyone that doesn't refuse to give up the
information e.g. Lavabit is complicit in aiding the NSA. Whether they get paid
for it or not seems irrelevant.

~~~
notacryptwizard
I think that a reasonable person would consider {Apple, Google, Lavabit, ...}
receiving a National Security Letter coercion, and therefore not "complicit".

"Complicit" would be Verizon or AT&T, who to this day still sell phone call
metadata to the NSA.

------
jmspring
I initially read this as boycotting RSA products like BSAFE, rather than the
conference.

Aside from their secure ID products, do people use many RSA products?

------
murphysbooks
What About EMC?

Should they bear any of the burden or only the subsidiary?

What about those companies that use RSA products and services?

These are just questions.

Not advocacy.

------
puppetmaster3
+1.

411 - [http://rsaconference.com](http://rsaconference.com)

