[149084] in cryptography@c2.net mail archive


Re: [Cryptography] Boing Boing pushing an RSA Conference boycott

daemon@ATHENA.MIT.EDU (Kent Borg)
Thu Jan 16 09:19:39 2014

X-Original-To: cryptography@metzdowd.com
Date: Thu, 16 Jan 2014 08:48:12 -0500
From: Kent Borg <kentborg@borg.org>
To: cryptography@metzdowd.com
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711E91F9ED0@USMBX1.msg.corp.akamai.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 01/15/2014 03:33 PM, Salz, Rich wrote:
> Agree. So why is a boycott a good thing? Why punish someone for being 
> tricked? (Not specifically directed to Ian). It seems to me the better 
> object lesson is one of the strongest cryptography companies in the 
> world (at the time) was tricked into possibly making many of their 
> customers vulnerable. How can we move forward from this?

I want everyone to see blood (figuratively), and be afraid.  For their 
jobs, for their reputations.

Every few minutes some other business has a data breach, and it seems 
their big worry is always publicity ("Can we kill a messenger?").  Let's 
up the stakes.  I want to see a little operant conditioning, apply some 
pain to mistakes, and see people trying to avoid being part of blunders.

Security doesn't sell, let's at least make security blunders cost.

RSA needs to be seen as having paid dearly for their very bad mistake.  
People in corporations need to be able to invoke "RSA" and have others 
shudder.  I don't care if others have also done bad things, I want RSA 
made an example.  How much worse could they have behaved?  Make an 
example of them.

How much money did EMC pay for RSA?  I want EMC (and others) to see that 
a purchase can be destroyed if they misbehave and just cash the big 
check.  Did EMC managers encourage them to be profitable, praise them 
for the nice haul?  I think we can assume "yes".  Did EMC put /any/ real 
effort into policing RSA's integrity?  We don't know, but I guess "not 
really"; clearly it was not enough.  Make EMC pay for that.

Security doesn't sell.  At least make security blunders cost.

-kb

