"Now a lot of people, maybe some in this room, were upset to learn I'd be speaking here today," comedian Stephen Colbert told a packed ballroom at San Francisco's Moscone Center during the closing keynote of the RSA USA cybersecurity conference. "Many of you see me as a champion of privacy," quipped Colbert. "Which I know because I read your e-mails."
The "elephant in the room" was that there had been a campaign to get the comedian to boycott the conference, he said. Several speakers dropped out of the conference after a Reuters report suggested RSA, the cybersecurity company which sponsors it, had received $10 million from the National Security Agency to establish a random number generator, DUAL_EC_DRBG, as the default in its encryption software package BSafe. That random number generator includes a flaw that amounts to a "backdoor" allowing the agency to break encryption, according to a September New York Times report based on documents from former NSA contractor Edward Snowden.
In a blog post published after the story, RSA "categorically" denied the allegation, saying it had never kept its relationship with the NSA secret and its "explicit goal has always been to strengthen commercial and government security."
But RSA's response to the Reuters report left some in the cyber and information security industry unsatisfied, resulting in a one-day rival event called "TrustyCon" on Feb. 27, largely using speakers who had withdrawn from RSA in protest. The RSA Conference, TrustyCon, and another gathering called B-Sides all unfolded in San Francisco this past week, highlighting the divides within the cybersecurity community in the wake of greater transparency about governments' involvement in the industry.
"I hope RSA took the money," quipped Colbert. "If they didn't, they should have. We all have Uncle Sam's cameras up our junk. Shouldn't someone be getting paid for it?"
"The annual heartbeat of the security industry"
There was no shortage of money at the RSA conference. Renting and running a 20' x 20' booth space cost some cybersecurity companies $100,000, but could lead to significant long-term business deals. The conference has run since 1991, and the organizers also host conferences in Asia and Europe. Last year, the conference stuffed over 24,000 attendees and 350 vendors into one of the Moscone Center buildings. This year, it used three halls.
"Love or hate the RSA Conference, it is the annual heartbeat of the security industry and for many mainstream security professionals, this is their best chance to learn, challenge themselves and interact with the industry’s leading minds," wrote computer security professional Joshua Corman in a blog post explaining why he chose to attend the conference.
Corman is working to help organize a movement of security researchers and professionals called "I am the Cavalry" to tackle public safety concerns due to people's increased reliance on software and computing. "I thought long and hard about all of the sides of this issue and decided that those most likely to be hurt by me boycotting were the very people I do this for."
So while he had some reservations about the NSA situation, he went to the conference. "If everyone who had a critical or informed take on the situation of the breach of trust had removed themselves from that dialogue, it would be a very one-sided dialogue," he told The Post in an interview.
But still, he understands why some boycotted. "Trust is the currency of the security industry," he said. "It's the bedrock foundation -- it's central. And trust has been damaged."
"The ones with the balls have canceled."
"Ten years ago in 2004, I for the first time gave a talk at the RSA conference. I remember very well getting into the conference and being proud about seeing my name on the wall at the largest conference in the industry," Mikko Hypponen, chief research officer at Finnish cybersecurity company F-Secure, told the attendees packed into an AMC movie theater a block away from the Moscone Center for TrustyCon. Hypponen was one of the first speakers to pull out of RSA following the Reuters report about a $10 million NSA contract for using a flawed random number generator by default in one of its products.
"I have to tell you today I'm happy not to have an RSA conference badge on me, because for me this is a very personal decision," he said, calling the revelations about RSA's relationship with the NSA "the declaration of losing trust."
He sees that as a major issue for his industry. "Security companies work on the basis of trust -- if our users don't trust us, there really is nothing left." And RSA, he said, should have "known better" than to enter into an agreement with the NSA in this particular instance.
"The suspicions about weaknesses in the algorithms that they were using and being paid to use had been floating around for years," he said. Indeed, some security professionals raised concerns about the code as far back as 2006.
In his initial open letter announcing he would be withdrawing from the RSA conference, Hypponen said he didn't expect any others to follow suit in a boycott. But on the stage at TrustyCon, he admitted, "Of course, I wrote that in there as a challenge."
"And I'm very happy to see a very sizable number of speakers have canceled -- the ones with the balls have canceled."
"Apparently someone from a rival event has warned AMC that we are a 'protest event' and there might be security concerns," said TrustyCon organizer Alex Stamos during his opening remarks for the conference. Stamos is a cybersecurity professional reportedly recently tapped by Yahoo to be their new chief information security officer.
Asked for details, Stamos said in an e-mail that the Westfield security team, which operates the mall that housed the movie theater, told him it had been contacted by a member of the RSA conference security team and warned about possible protest related disruptions.
Earlier during the week, activists had handed out blue ribbons protesting RSA's NSA contracts, for attendees of the larger conference to attach to their badges. And a banner drop reading "RSA NSA" caused some protesters to be removed from the premises.
"I told the Westfield and AMC managers that I highly doubted that anything approaching a protest would occur and they dismissed the concerns and have been very supportive," wrote Stamos. "These concerns were first raised with our venue by RSA a week ago, and we addressed them the same way then. I only have nice things to say about the management of the mall and theater and I think we've responded by holding a professional event." The Westfield security team declined to comment on the situation, and a request for comment to the RSA Conference press team was not returned.
TrustyCon attracted a sold-out crowd of 400 attendees, while some 300 people were wait-listed. The tickets were $50 apiece, with proceeds being donated to the Electronic Frontier Foundation, an online civil liberties organization. However, despite the interest, Stamos wrote in an e-mail that they had a difficult time locking down a location willing to host their event. "During the process of selecting our venue several hotels and other event spaces in SOMA [the San Francisco neighborhood where the RSA conference and TrustyCon were held] told us that they had room today but needed to ask RSA for permission."
The NSA at RSA
In an interview with The Switch for a story about the initial boycott by some speakers, RSA Conference program committee chairman Hugh Thompson expressed disappointment at their departure from the event. He argued that although RSA owned and profited from the conference, it was always run as a neutral space where members of the industry could come together to discuss recent events -- something all the more needed in wake of the NSA revelations from the previous year.
And there was plenty of discussion about the NSA at the RSA Conference -- the agency was brought up in numerous panels. Plus, the NSA was there with its own 20' x 20' booth -- it even brought a World War II-era Enigma machine. Outside the exhibit hall, government privacy representatives held many prominent speaking slots. And attendees continued to raise questions about aspects of national security-related programs.
During Colbert's keynote, University of Indiana Computer Science Prof. L. Jean Camp asked how many people in the audience were afraid following the revelations about government programs from the past year and received a low rumble of acknowledgement.
For her part, Camp says she understands RSA's decision to use the reportedly flawed algorithm. "The thing about RSA using the DUAL_EC_DRBG is that it was a reasonable choice," she told me over e-mail, citing earlier actions the agency took that strengthened encryption during its early days. Specifically, she referred to the agency recommending techniques that amounted to protections against differential cryptanalysis in Data Encryption Standard (DES) deployments during the 1970s, although information about that type of protection was not openly published until the 1990s.
"So RSA, if approached by the NSA and assured that these changes were necessary, could have chosen the DUAL_EC_DRBG with historically reasonable confidence and trust in the NSA," she said. "With what we know now about the practices of the NSA, no one would trust them. But with the history of the NSA in cryptography, it was a reasonable choice at that time."
RSA mirrored her sentiments in their initial response to the story, writing "at that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."
Researchers to the rescue?
After explaining his reasons for his boycott, Hypponen gave the talk he was once scheduled to give at the RSA event. He discussed government-sponsored malware -- both the development of offensive cyber weapons by governments and deployments closer to home.
Ten years ago, he said, the thought that governments would be regularly deploying malicious code against their own citizens was science fiction. But now, he says, "cops are infecting their own citizens with viruses." Another TrustyCon speaker, American Civil Liberties Union technologist and security researcher Christopher Soghoian, noted that the practices of technology companies are intimately linked to government capabilities. "If the service exists, the government can come and ask to use it."
EFF Activism Director Rainey Reitman struck a similar chord while accepting $20,000 on behalf of the organization from the conference. "The technology community and the security community play an incredibly important and unique role in the NSA speech -- and first and foremost that's in the engineering decisions you make," she said. "The daily decisions you make on a daily basis about how you build technologies will affect the privacy of millions of people not only today but for years to come potentially."
Reitman also praised engineers in technology companies who speak up about privacy issues, calling them the "unsung heroes" of a fight against the NSA. She called on the cybersecurity community to engage in educating the public and Congress about the ways technology company behaviors affected consumer privacy and security. "One of the things we need to solve is how do we get our knowledge about technology to Congress, so that they aren't writing laws in a dark world without any understanding of the ramifications of what they're trying to do."
Corman has been crisscrossing cybersecurity conferences with the "I am the Cavalry" project, with a draft theme that "technologies with the potential to impact public safety and human life are worthy of our trust."
On Feb. 23 and 24, he partnered with another cybersecurity conference, B-Sides, in San Francisco. There he said the group had packed rooms and discussed plans to formalize the organization.
"We don't have a community, we have communities."
At B-Sides, he says he got more attention than at RSA. "We have very different demographics," he explained, noting that RSA is geared more towards security practitioners, "so for them it was the very first introduction."
But that, he thinks, helps illustrate the divide in the space. "We don't have a community, we have communities. And there's some pretty deep schisms within them."
Public opinion polls about NSA programs have shown people are divided on whether government spying activities go too far. And in cybersecurity circles, where many of those revelations hit even closer to home, opinions -- and actions -- are similarly divided.
"Some of these researchers can have a beer together at a bar, but one of them thinks that you're a horrible person if you sell exploits to the government, and the other one is actively selling exploits to the government," says Corman. "There are some pretty deep rifts that are resurfacing."
"We the people voted for the Patriot Act. We voted for the people who reauthorized it, and re-reauthorized it. The American people have spoken," Colbert said, adding jokingly, "you don't change horses in mid-wiretap." And the RSA conference, despite serious discussion of government spying programs, came to represent a sort of unspoken acknowledgement of the status quo.
And while tens of thousands of attendees circled hundreds of vendors at the RSA conference, it was hard not to marvel at the sheer scale of the industry that has emerged to combat cybersecurity threats. The $20,000 donation TrustyCon collected for EFF would barely cover the rental and staffing costs of a modest booth on the RSA conference show floor.
But the low buzz of shared grievances under the surface of the RSA conference, and the public-interest cybersecurity advocacy Corman is working to organize, may suggest that the rebellious energy at TrustyCon is spreading to more and more of the broader industry. Still, the tone of both events suggested that there is a lot of trust that needs to be rebuilt between government leaders, Internet advocates, and the cybersecurity industry moving forward.