Spooked

Pub date February 25, 2014
Writer: Rebecca Bowe

rebecca@sfbg.com

The world’s largest computer security conference, RSA, got underway in the Moscone Convention Center on Feb. 24. It’s a huge deal: Speakers will include former Secretary of State Condoleezza Rice, and closing remarks will be given by comedian Stephen Colbert.

Started in 1991, the RSA Conference has grown exponentially. But this year, 13 digital security experts have canceled their scheduled talks in protest of recent revelations that RSA cooperated with the National Security Agency to use a flawed tool for safeguarding sensitive information.

Speakers who are boycotting include technology experts from Google and various security firms. They’re concerned about allegations that RSA, a pioneer in the security software industry, agreed to incorporate a flawed encryption formula into a widely used security product in accordance with a secret $10 million NSA contract.

“In my opinion, RSA has a serious trust issue,” said Jeffrey Carr, CEO of a security firm called Taia Global Inc. and one of the speakers who has decided to cancel his talk and boycott the conference. “I think they’ll just let it die down. There’s been little uproar, even among the security people,” he added.

Carr authored a blog post explaining his decision. He also organized a “town hall” debate, part of an event series called Suits and Spooks, to be held at the Ritz Carlton in San Francisco on Feb. 27, featuring commentary from security industry representatives as well as insiders from the national intelligence community.

RSA used the encryption algorithm as a default for its security products, meaning users would have had to actively switch to a different formula to avoid exposure to the security threat.

According to a Reuters article published in December, the NSA arranged the contract as part of a campaign to embed breakable encryption software into security products that are widely used to safeguard personal devices.

Previous reporting by The New York Times, based on documents leaked by former NSA contractor Edward Snowden, showed that the NSA had generated the weak encryption formula to create a “backdoor.”

EMC, the parent company that owns RSA, issued a response in December that didn’t specifically address the allegations. The company stated that in 2004, when it agreed to use the algorithm, “the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.”

But Carr said researchers within the security industry had suggested the algorithm might be flawed as early as 2006, and RSA did not abandon its use until after the Snowden leaks were publicized.

Other speakers who are boycotting have issued statements publicly condemning RSA. “Your company has issued a statement on the topic, but you have not denied this particular claim. Eventually, NSA’s random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it,” wrote chief researcher Mikko Hypponen of the Finnish company F-Secure.

“As my reaction to this, I’m canceling my talk at the RSA Conference USA 2014 in San Francisco in February 2014,” Hypponen went on. “Aptly enough, the talk I won’t be delivering at RSA 2014 was titled ‘Governments as Malware Authors.’”

Meanwhile, Colbert is also taking some heat for agreeing to speak at the RSA conference.

“We know you, Stephen, and we know you love a good ‘backdoor’ joke as much as we do — but this kind of backdoor is no laughing matter,” activists from Fight for the Future wrote in a petition urging him to join the other speakers who are boycotting the RSA conference. “Companies need to know that they can’t betray our trust without repercussions. We want to hear your speech, but give it somewhere else!”