The anti-RSA conference: More security, less NSA

TrustyCon sets up shop across from the RSA Conference, with hopes of opening a debate on the state of security

The 2014 RSA Conference takes place next week at the Moscone Center in San Francisco, and across the street will be a conference for RSA refuseniks, also known as TrustyCon. Score a slam dunk for the upstart conference in the "what's in a name?" contest, as many in the security industry these days are asking whom to trust -- and RSA is not on the short list of candidates.

RSA the conference is in some ways an innocent bystander hit by a wave of anger directed at RSA the security company. TrustyCon, dubbed "The Trustworthy Technology Conference," was born out of the backlash after Reuters disclosed that the NSA secretly paid RSA $10 million to make a deliberately flawed random number generator the default in its security software, to aid the agency in its surveillance programs. The revelation came on the heels of disclosures by the New York Times and ProPublica that the NSA has been working for years to weaken security standards.

RSA suffered a black eye in the past over the 2011 breach that exposed data tied to its SecurID authentication tokens, but accusations that it had embedded the deliberately weakened Dual EC DRBG random number generator into its widely used BSafe toolkit as a backdoor for the NSA went beyond the pale. A backdoored random number generator is especially damaging because every key derived from its output becomes predictable to whoever holds the backdoor. Twelve security experts scheduled to speak at the RSA Conference subsequently announced they were boycotting in protest.

However, some feel the anger behind the walkout is misplaced. "Boycotting the RSA Conference is not the same as not supporting or buying RSA tokens. For anyone who doesn't already know, RSA Conference is pretty much a separate entity from RSA and their token business," says Alan Shimel, co-founder of CISO Group. "In fact, they work really hard to keep a 'firewall' (no pun intended) between the two organizations."

Others say that singling out RSA deflects attention from other technology vendors that may have enabled the NSA's data collection. As Jaikumar Vijayan notes:

Recent reports by German magazine Der Spiegel revealed how the NSA developed exploits and hacked backdoors into networking equipment, PCs, and servers from some of the world's biggest technology vendors, including Cisco, Juniper Networks, Dell, Huawei and Hewlett-Packard. Given the extensive arsenal of tools the NSA has at its disposal, it is nearly inconceivable that none of the vendors had an inkling that their products had been compromised.

Surprisingly, another person who had mixed emotions about the idea of a boycott is TrustyCon organizer Alex Stamos, CTO at Artemis Internet. "I initially objected to people dropping out of RSA," Stamos told CNET, "because I wanted people to be heard, people who have opinions on the ethical concerns of the security community."

The point of TrustyCon, Stamos says, is to start a much-needed discussion within the security industry about trust. "American technology companies have to build products that people around the world can trust," he said. "If we don't do this, the economic fallout resulting from the loss of trust is going to be pretty bad."

Hugh Thompson, chief security strategist at Blue Coat Systems and committee chair for this year's RSA Conference, seems to agree. Thompson told Reuters that "there are a lot of questions that have been raised about the security infrastructure and how it works, and I do think it's going to lead to a very healthy debate. This is a topic that is definitely going to be discussed."

Attendance at TrustyCon is limited to 400 people, and tickets sold out almost immediately. RSA Conference, billed as "where the world talks security," expects to attract more than 24,000 attendees. Let the talking begin.

This article, "The anti-RSA conference: More security, less NSA," was originally published on the InfoWorld Tech Watch blog.


Copyright © 2014 IDG Communications, Inc.