Monday, January 13, 2014

On withdrawing your [RSA Conference] talk in protest

By now the news has settled a bit in people's brains, that RSA (the company) was allegedly paid by the NSA some $10M to weaken encryption. Reuters broke the story with this quote:
"Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September."
Enough about the alleged wrongdoings of an encryption company and our own National Security Agency. Whether they did it or not needs to be vetted in public, and RSA's failure to deny the allegations makes this issue even more interesting. But let's talk about some of the fallout in the security community.

What has become interesting is the slow trickle of #InfoSec echo chamber big-shots who have been 'cancelling their talk' at RSA. Now, I'm not criticizing anyone's moral imperative ... but if you're cancelling your talk/training/etc long after many of the attendees have purchased their tickets and scheduled their attendance - who are you really hurting? This is a sticking point with me. If you're going to take a stand against RSA's alleged malfeasance, then you should do it in a way that creates the least amount of collateral damage, and cancelling your talk or training is, in my personal opinion, a poor choice.

So, here are a few things you could do instead of cancelling your appearance and screwing over attendees:

  1. Make a T-shirt that says "RSA has violated our trust" and wear it during your talk
  2. Take 2 minutes at the start of your talk, and discuss the issue you're taking with RSA's alleged behavior
  3. Blog about the issue and publicize it
  4. Change your talk, without telling the organizers, to be about the damage that their alleged wrongdoing has caused
  5. Speak at the conference, but refuse to give RSA any positive press
  6. Speak at Security BSides SF and draw attention to the issue
  7. Make a sign and stand outside the RSA Conference venue in protest
  8. Refuse to buy/use/endorse RSA products/services
  9. Urge others to refuse to buy/use/endorse RSA products/services
  10. Work with the industry to identify and flag uses of the weakened crypto component in software packages - as a vulnerability finding
...there are, of course, many more ways to protest. You don't need to hurt the attendees in the process, and I think that's exactly what cancelling your talk and refusing to speak does in the end.

My $0.1999 ...if you disagree or believe I'm wrong - use the comments section or catch me on Twitter.

9 comments:

stewbie2 said...

Great post, Raf!

stewbie2 said...

Great post, Raf. Agree that not being there to deliver a session isn't hurting anyone but the attendees.

Unknown said...

Disagree. The way you hurt the conference is to devalue it. RSA has devalued the industry by allowing it to be bought and sold. They should be fiscally punished and if this means that because talks are cancelled then attendance declines this, or next year, then the point has been made.

A better approach than the ones you offered is an extended BSides - covering the entirety of the conference, not at the conference - but in close proximity. This retains value for the attendees and content, but removes that from RSA, this also leaves room for a "replacement" conference to unfold and not make it awkward for presenters to "wear a shirt" or "make a statement". It seems as if your suggestions are to keep people there, so they can visit the sponsoring booths... Seems like the MO of an event sponsor.

Rafal Los said...

Dear "unknown": My current employer sponsors the conference, but I am not writing as an employee of that organization, rather on my own. I believe your alternatives are fine, and I'm good with them - but not speaking and pulling out only hurts the people who have already paid and will be attending.
Now, if those "big draw" people were to decline for NEXT YEAR and state this as their reason - then I'm totally on board with you.
I think it's too convenient for you to dismiss my point of view like you do in the last few sentences - but hey, you're allowed to think what you'd like, and I don't mind dissent.

Trojan7Malware said...

I agree. Cancel your talks for NEXT year's con, not this year's. People have already paid for their tickets and some people go purely to watch a certain person's talk. Boycott them well in advance and inform your fans you're going to be doing so.

TGHCagent said...

This "hurting the people who already paid" is massively hypocritical when overlooking the actual reason why. Maybe other people just care about privacy more than you.

If we all thought like this we'd have lots of t-shirts and a worthless sense of freedom.

RSA did this, and it's stupid to suggest speakers should feel some kind of guilt - well done OWASP, well done everyone else who backed out.

In my opinion.

Russell Thomas said...

Excellent points and, as a RSAC speaker, I agree. Here's my post (same day): Why I am not boycotting #RSAC

PJ Velasco said...

Good article. I have heard a lot of talk about how RSA is no longer the only driving force behind the RSA Conference. If this is indeed the case, then perhaps the folks that run the RSA Conference should rebrand and spend the next year advertising the new branding. This rebranding would allow the conference to continue without RSA benefiting from the association with the conference brand. If the rebranding concept fails to hold merit, I like the idea of a competing conference running at the same time as RSA at a venue very close to the RSA venue.

PJ Velasco said...

Good article. I have heard a lot of talk about how RSA is no longer the primary driving force behind the RSA Conference. If this is indeed the case, then perhaps the folks that run the RSA Conference should rebrand and spend the next year advertising the new branding. This rebranding would allow the conference to continue without RSA benefiting from the conference brand. If the rebranding concept fails to hold merit, I like the idea of a competing conference running at the same time as RSA at a venue very close to the RSA venue. The attendance statistics could speak volumes. Maybe a ShmooCon West?
