A relatively small but influential list of speakers for the upcoming RSA Conference have decided to withdraw from the show in the wake of stories implicating RSA as a co-conspirator in the NSA’s surveillance efforts. The group is a tiny fraction of the hundreds of speakers scheduled to talk next month, but it includes some big names.

The RSA Conference is one of the larger security conferences in the U.S. each year, and it attracts thousands of attendees, exhibitors and executives. Speaking at the conference is a nice entry on a presenter’s resume, and many of the bigger names in the industry speak there annually. The 2014 edition of the conference, which is scheduled for late February, was set to be no different, with a roster of top-tier speakers expected to take the stage during the course of the week.

But then came the allegation last month that RSA several years ago agreed to a deal with the NSA that involved the company making the compromised Dual_EC DRBG random number generator the default choice in the company’s BSAFE crypto library. The allegation was that the company took a $10 million payment in exchange for using Dual_EC as its default, something that NSA officials allegedly knew at the time would give them an advantage over any product that included the number generator, because the NSA allegedly had deliberately weakened Dual_EC during the development process.

RSA officials have denied that the company had a secret contract with the NSA to use the weakened random number generator.

“Recent press coverage has asserted that RSA entered into a ‘secret contract’ with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries.  We categorically deny this allegation,” the RSA statement says.

But that denial hasn’t done much to ease the fears and calm the anger in the security community surrounding this story. The withdrawals began shortly before Christmas when Josh Thomas of Altredis said he was pulling his talk from the conference. The next day, Mikko Hyponnen of F-Secure posted an open letter to top executives at RSA and its parent company, EMC, saying he too was canceling his talk, which was going to cover government-sponsored malware.

Since then, several other speakers have followed suit, including Chris Soghoian of the ACLU, Adam Langley of Google, Marcia Hoffman of the EFF, Alex Fowler of Mozilla and Chris Palmer of Google.

“I’ve given up waiting for RSA to fess up to the truth re: the NSA and Dual_EC. I’ve just withdrawn from my panel at the RSA conference,” Soghoian said on Twitter on Tuesday.

There’s a vocal contingent of the security community that doesn’t think pulling out of the conference is the right choice, especially in the absence of the concrete evidence regarding the NSA allegations.

“Basically, I don’t feel there is enough evidence to ascribe misdeeds on RSA. Pulling out of the conference is misguided at best,” said analyst Rich Mogull of Securosis. “That may change, I also don’t know if they are innocent, but we can’t hang people without enough evidence. That represents the worst reactions of our industry and community.”

What, if any, effect the cancellations will have on the conference is unclear. The conference organizers typically have alternate speakers lined up in case of cancellations and the conference, despite its beginnings as a gathering of cryptographers, isn’t viewed as a highly technical show and is seen mainly as a sales and marketing event now.

RSA Conference officials could not make anyone available for comment.

Image from Flickr photos of Kevin Bocek.

Categories: Cryptography, Privacy, Web Security

Comment (1)

  1. seagull
    1

    I bet that 10 million seems like a bad decision in hind site. Anyway, what does RSA do anyway? The physical token is outdated….

    Reply

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>