Boycott Of RSA Security Conference Builds In Wake Of NSA Spy Scandal: Report
Joseph F. Kovar
A boycott of the upcoming RSA security conference appears to be building in the wake of the latest allegations that the U.S. National Security Agency paid RSA parent company EMC to add a backdoor in one of its products.
Online news site Ars Technica Tuesday reported that increasing numbers of security experts are pulling out of the RSA conference.
The RSA conference is named after RSA, a major provider of security technology that was acquired in 2006 by storage king EMC.
Reuters on Dec. 20 reported that RSA inked a "secret $10 million contract" with the NSA to allow the spy agency to take advantage of intentionally flawed encryption as the default option in its BSAFE developer toolkit in order to make it easy for the NSA to conduct surveillance.
The Reuters report was based on information leaked by former NSA contractor Edward Snowden.
Ars Technica reported that eight scheduled RSA participants, including participants from Google, the American Civil Liberties Union, the Electronic Frontier Foundation, Mozilla, Atredis Partners and security consultancy Taia Global, have now joined in a boycott of the RSA security conference.
The news organization reported that members of the Open Web Application Security Project are also voting on whether to continue with previously planned developer training.
Those members join Chief Research Officer Mikko Hypponen of Finland-based Internet and mobile security technology developer F-Secure, who two weeks ago announced plans to boycott the meeting.
Hypponen Wednesday wrote in a blog post that, while he initially only cancelled his planned presentation titled "Governments as Malware Authors," he has since decided to cancel all appearances at the conference. F-Secure also will not speak, exhibit or provide sponsorships at RSA 2014, he wrote.
"While I am glad to see that many other speakers have decided to cancel their appearances at RSA 2014 in protest, I don't want to portray myself as a leader of a boycott. I did what I felt I had to do. Others are making their own decisions," he wrote.
EMC and RSA declined to discuss the potential boycott of the conference. An EMC spokesperson pointed to a Dec. 22 RSA blog post in which the company denied having entered into a "secret contract" with the NSA to incorporate a "known flawed random number generator" into its BSAFE encryption libraries.
"We have worked with the NSA, both as a vendor and an active member of the security community. We have never kept this relationship a secret and in fact have openly publicized it. Our explicit goal has always been to strengthen commercial and government security," RSA wrote in that blog.
Kevin McDonald, president of Noloki, an Irvine, Calif.-based health-care solution provider with a strong compliance practice, said he is not surprised to see moves to boycott the RSA security conference.
Noloki's parent organization, Irvine, Calif.-based network services provider Alvaka Networks, stopped using the letters "RSA" in security recommendations to customers in 2011 when RSA SecurID was first breached, McDonald said.
"We said at the time that we're done," he said. "We have relationships with defense contractors and others who ask us what to do. We tell them to go elsewhere. There are so many questions about what is happening out there."
From a financial perspective, the U.S. economy is based on trust, said McDonald. "If what is being said about RSA and the NSA is true, even in part, it puts a fundamental damper on the industry," he said. "If I can't trust the people we recommend, who can we trust?"
PUBLISHED JAN. 8, 2013