In the wake of last month’s revelations that encryption firm RSA has been in cahoots with the NSA, several of the best-known security industry speakers cancel their regular appearances at the RSA Conference.
Actions have consequences, goes the old saying, and actions taken by the security firm RSA in December have come back to haunt it this week.
Last month, it was revealed that RSA had accepted $10 million from the National Security Agency to implement an intentional cryptographic flaw, commonly called a backdoor, in one of its encryption tools. Days later, Mikko Hypponen, chief technology officer of F-Secure with decades under his belt as a security researcher, canceled his annual presentation at the American-hosted RSA Conference, to be held in San Francisco in February.
“I don’t really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA,” he said. “In fact, I’m not expecting other conference speakers to cancel.”
The Finnish Hypponen cited nationality as the reason behind the cancellation of his talk but didn’t expect others to follow his boycott.
He didn’t think American attendees would care enough to take action against an American company assisting the American government in surveillance of non-American citizens.
While Hypponen canceled his talk, “Governments as Malware Authors,” he is still scheduled to appear as a panelist on the security challenges in connecting previously unconnected devices to the Internet.
Hypponen did not immediately return a request for comment. CNET will update the story when we hear back from him.
The day before Hypponen canceled his talk, Josh Thomas, the “Chief Breaking Officer” at security firm Atredis, canceled his scheduled talk via Twitter.
Jeffrey Carr, another security industry veteran who works in analyzing espionage and cyber warfare tactics, took his cancellation a step further. Yesterday, he publicly called for a boycott of the conference, saying that RSA had violated the trust of its customers.
“I can’t imagine a worse action, short of a company’s CEO getting involved in child p**n,” Carr told CNET. “I don’t know what worse action a security company could take than to sell a product to a customer with a backdoor in it.”
While many have acknowledged on Twitter that RSA the conference and RSA the company are only loosely tied entities, Carr argued that the only way to get the company to listen is to hit it where it hurts: in the wallet.
“When you look back at incidents that changed institutions of power, they weren’t changed by hacking from the inside,” he said. “The only way you change a company, you force the board of directors, by hitting their profits.”
Carr said that he waited until this week to announce his decision because he thought that RSA had made a correctable public relations error, not an unusual mistake for the company. RSA found itself in a public relations imbroglio in 2011, when information about its SecurID authentication tokens was stolen.
When the company declined to address the NSA deal further, Carr said he was left with no choice but to cancel his presentation and advocate for a boycott.
The choice was not an easy one, he said.
He was hoping that his relatively new company, Taia Global, would get a business boost from his RSA Conference session. His co-presenter, Christopher Burgess, opted to continue the presentation.
Following Carr’s announcement on Monday, several other RSA regulars joined the boycott.
These include privacy attorney and former Electronic Frontier Foundation lawyer Marcia Hofmann; Mozilla privacy and public policy expert Alex Fowler; American Civil Liberties Union advocate and privacy expert Christopher Soghoian; Google security expert Adam Langley; and Google Chrome security engineer Chris Palmer, bringing the total number of boycotters to eight.
RSA declined to comment for this story.
“Hopefully, this will force RSA to fire their CEO and apologize, and they can reclaim the company that RSA was in the ’90s, as far as it goes toward the integrity of their encryption,” Carr said.
In the 1990s, RSA was instrumental in resisting NSA pressure to include encrypted NSA access to personal computers via the Clipper Chip.
Given the company’s stance so far, it would have to take a cancellation from a luminary like Stephen Colbert, who’s delivering the opening keynote this year, before Carr and the other boycotters get what they want.