[149034] in cryptography@c2.net mail archive


Re: [Cryptography] Boing Boing pushing an RSA Conference boycott

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Tue Jan 14 10:50:47 2014

In-Reply-To: <52D4E0B5.7070007@iang.org>
Date: Tue, 14 Jan 2014 08:16:54 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: ianG <iang@iang.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>


On Tue, Jan 14, 2014 at 2:01 AM, ianG <iang@iang.org> wrote:

> On 13/01/14 22:35 PM, Phillip Hallam-Baker wrote:
>
> > Absolutely right. But how should we respond?
>
> Also, I think a fair proportion of the blame lies with NIST.  They force
> their standards on the world (never mind that they don't say that) and
> then act surprised when they get turned.  What's worse, they take no or
> little account that they are pursuing industrial control policies by
> their barriers to entry, the cost of the stuff is huge, for what dividend?
>
> I'd boycott NIST.  Dump all the security FIPS and what have you.  How
> much good have they done?

NIST does have a conference in April and we can boycott that by setting up
a parallel conference with bigger names very easily.

That does at least mean that we are likely to send the right message (i.e.
boycott successful) and send it to an organization that can relay it to the
political entities.

One of the questions raised by Flame is how the US government can hope to
have public-private partnerships when the US government is attacking US
companies. Flame involved an attack on Microsoft, remember.


> I'd also boycott companies doing business with the NSA.  And USG.  If
> their primary purpose is dealing with those agencies, then we know they
> are likely vulnerable.  Seek companies with clean records.  Especially,
> ask questions:  how much influence?  what options were asked for?
> what contracts?


That particular outcome is practically self-enforcing. Everyone is going to
be very suspicious of NSA proposals now.

The claim that the NSA simply bribed RSA makes it sound as if all companies
need to do is refuse obvious bribery attempts.

Looking at the attack as sophisticated social engineering makes for a much
stronger warning: If you deal with the NSA they will betray you and then
the scheme will come out in an insider attack.


> The attack on the RSA conference is an attack on the brand of RSA.  This
> covers the whole company.  Yes there is collateral damage, but there is
> also an easy fix:  change the name, sell the company.  It can even be
> profitable.
>

Attacking the brand through the conference is difficult because I don't see
any name pulling out so far that is big enough to have an effect.

The fact that the main trade show is joined to one company is a very
long-standing irritation for all of us in the industry. It would be better if
the RSA Conference was owned by a conferencing company that didn't have a
business competing with the rest of us. I don't think that conflict of
interest has helped RSA the company either. Their strategy has been
constrained by needing to avoid compromising the conference too badly.


> That is an idea.  If one is in the business of sanctions and one is
> concerned with collateral damage, it is a competitive market.
>
> I think all boycotts have this problem.  But what other tool do we have


Well, we have been facing the same problem with the boycott of Sochi. It's
going to be another Nuremberg. And I don't mean that figuratively; Putin
has been copying the institutions of fascism. But we did get the Pussy Riot
girls and the Greenpeace protestors out of jail, which isn't nothing.


The conference made the company business a target in the past. At VeriSign
we did an open standard version of the SecurID token, OATH, and launched it
at the conference. It does not take a genius to work out what the objective
was there. It was the conference we were after; trying to commoditize the
token business was an attempt to buy it cheap.

Without the RSA tokens biz, there would be no real business reason binding
RSA to EMC. That is the pressure point I would attack. But given that I
have proposed a second alternative to number based tokens that uses the
capabilities of smart phones, that would be a somewhat self-interested
proposal.



> > If the RSA token business is gutted there will be no reason for EMC to keep
> > RSA Labs or the name.
>
> Is it a battle to win?  CISOs pick the tokens.  They are unlikely to
> look past their noses.  The tokens are typically customer-branded.

If there was a free alternative that people could use to turn their smart
phone into a token, people could press for it as an alternative. The IT
desk would almost certainly like to be rid of the stupid tokens; they are
very expensive and the preprogrammed expiry date creates a constant admin
hassle.

This is pushing at an open door. Replacing the tokens is something almost
all CISOs would like to do. Especially after the 2011 fiasco. But it just
hasn't been a priority. This set of circumstances can make it a priority.

> We would need more that speaks directly against the tokens to spread the
> message, hypothetically something like a Snowden revelation that
> indicates the NSA has a back door to the tokens.

No, I don't think we do. There are solid business reasons for abandoning
the tokens already.

The fact that RSA has dual control over your authentication infrastructure
is the issue I would point to. RSA could be subpoenaed to give the feds
access to the whole token database. It would be very easy to match token
codes to tokens given their intercept capabilities.

We don't need to allege collusion in the past. All we need to do is to
point out that the scheme lacks transparency.

> On the contrary, do we do more damage to companies by tricking them into
> dropping perfectly good tokens for some other equally ropey product?


Unlike the NSA, I do not give people advice knowing it is false.

The tokens do rely on the token provider being trustworthy. The token
database allows backdoor access.

> I feel like we should also boycott the IETF.  They have truly not served
> us.  We should have had opportunistic SSL covering the planet by now,
> and that would have been a fantastic defence against the worldwide
> surveillance -- it would have shifted the NSA to an active attack, which
> would have been eventually detected.

No, leave them out of this. Don't turn off my damn water supply while I am
trying to fight a fire.


-- 
Website: http://hallambaker.com/
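An added example, not part of the thread, illustrating the seed-custody point made above: an OATH HOTP verifier (RFC 4226, the open-standard algorithm mentioned in the message) needs nothing but the shared seed, so whoever holds the issuer's copy of the seed database, whether by subpoena or by breach, can run the same verification as the customer's server and tell which token produced an observed code. The serial numbers and second seed are constructed; the first seed is the RFC 4226 test-vector secret.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the moving counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Constructed seed database, serial -> shared seed, as an issuer would hold it.
# TOKEN-0001 carries the RFC 4226 Appendix D test-vector secret; the other
# seed is made up for the example. A real database would hold millions of these.
SEED_DB = {
    "TOKEN-0001": b"12345678901234567890",
    "TOKEN-0002": b"constructed-seed-for-token-2",
}

def verify(serial: str, code: str, last_counter: int, window: int = 10):
    """Customer-side verification: accept a code only if it lies in the
    look-ahead window past the last accepted counter (replays are rejected).
    Returns the counter that produced the code, or None."""
    seed = SEED_DB[serial]
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(seed, c), code):
            return c
    return None

def which_token_produced(code: str, window: int = 10):
    """The same computation run by whoever holds the seed database: attribute an
    observed code to (serial, counter). This is why escrowed seeds are a
    backdoor, and why seeds should be generated and held by the relying party."""
    return [(serial, c)
            for serial, seed in SEED_DB.items()
            for c in range(window)
            if hotp(seed, c) == code]
```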

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography