Wednesday, January 29, 2014

Where risk calculations fall apart [again]

I suspect this may upset some people who believe these types of things are possible, or are even performing such actions today - and to those folks I apologize in advance but this is merely my opinion.

This morning, one of the few people who actually understand application/software security, Jeremiah Grossman of White Hat, dropped an interesting tweet. Lots of intelligent people replied, and what seemed like an interesting debate was unfolding.

Then Dan Cornell said something interesting, which got me thinking.

Monday, January 13, 2014

On withdrawing your [RSA Conference] talk in protest

By now the news has settled a bit in people's brains, that RSA (the company) was allegedly paid by the NSA some $10M to weaken encryption. Reuters broke the story with this quote:
"Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a "back door" in encryption products, the New York Times reported in September."
Enough about the alleged wrongdoings of an encryption company and our own National Security Agency. Whether they did it, or they didn't, needs to be vetted in public, and RSA not denying the allegations is making this issue even more interesting. But let's talk about some of the fallout in the security community.

What has become interesting is the slow trickle of #InfoSec echo chamber big-shots that have been 'cancelling their talk' at RSA. Now, I'm not criticizing anyone's moral imperative ... but if you're cancelling your talk/training/etc long after many of the attendees have purchased their tickets and scheduled their attendance - who are you really hurting? This is a sticking point with me. If you're going to take a stand against RSA's alleged malfeasance, then you should do it in a way that creates the least amount of collateral damage, and cancelling your talk or training is, in my personal opinion, a poor choice.

So, here are a few things you could do instead of cancelling your appearance and screwing over attendees:

  1. Make a T-shirt that says "RSA has violated our trust" and wear it during your talk
  2. Take 2 minutes at the start of your talk, and discuss the issue you're taking with RSA's alleged behavior
  3. Blog about the issue and publicize it
  4. Change your talk, without telling the organizers, to be about the damage that their alleged wrong-doings have caused
  5. Speak at the conference, but refuse to give RSA any positive press
  6. Speak at Security BSides SF and draw attention to the issue
  7. Make a sign and stand outside the RSA Conference venue in protest
  8. Refuse to buy/use/endorse RSA products/services
  9. Urge others to refuse to buy/use/endorse RSA products/services
  10. Work with the industry to identify and flag uses of the weakened crypto component in software packages - as a vulnerability finding
...there are, of course, many more ways to protest. You don't need to hurt the attendees in the process, and I think that's exactly what cancelling your talk and refusing to speak does in the end.

My $0.1999 ...if you disagree or believe I'm wrong - use the comments section or catch me on Twitter.