Schneier on Security
A blog covering security and security technology.
February 21, 2014
Co3 Systems at the RSA Conference
Co3 Systems is going to be at the RSA Conference. We don't have our own booth on the show floor, but there are four ways you can find us. Monday, we're at the Innovation Sandbox: 1:00–5:00 in Moscone North. At the conference, we're in the RSA Security booth. Go to the SecOps section of the booth and ask about us. We'll be happy to show you our incident response coordination system. We're hosting an Incident Response Forum on Tuesday night with partners HP, CSC, and iSight Partners for select companies and individuals. We also have a demo suite in the St. Regis Hotel. E-mail me if you want to get on the schedule for either of those two.
Posted on February 21, 2014 at 2:06 PM
Why did Co3 choose not to participate in the RSA boycott?
> "Now we know that RSA was bribed," said security expert Bruce Schneier, who has been involved in the Snowden document analysis. "I sure as hell wouldn't trust them. And then they made the statement that they put customer security first," he said.
How can you appear at their conference, after RSA Security's ridiculous behaviour?
Am I really gonna have to scrap Schneier.com from my favs?
I don't understand, gotta go - need to puke. argdoosfghghd
If he boycotts meetings with those who went over to the dark side, how can he ever bring them back to the light side of the force?
The RSAcon is much much more than just RSA. Chill out, folks.
Haven't you guys ever heard of covert ops? We're sending in the Bruce to infiltrate RSA.
But seriously, having read his AC2 book, you could tell there's always been a deep suspicion of the NSA and subverted crypto, and that he is pretty familiar w/ the people at RSA. When a lot, well most of your life's work could potentially all be subverted, it's quite a shock I'm sure.
Look at the recent AMA on reddit w/ the CEO of Intel. Typical cowardly CEO question-dodging b/c some people have a hard time confronting reality and ignore it. The questions we wanted answered were about the potential hardware RNG subversion of RDRAND. Crickets... but hey, we know he likes a peanut butter and jelly sandwich, (insert expletive). Reddit did a good job calling him out and he can't even answer an important question about the company's products. That means very likely NSL, of frickin' INTEL CEO.
Like M@ said, it's a conference with plenty going on. There's many good reasons for Co3 to be there. Besides, an anti-RSA effort would do better by going to their conference and discreetly showing people certain leaked slides. Then you refer them to your competing product. :)
It's hard to stay pure and stay employed. In security especially. A guy's got to eat. He's only working with people who remain key players in his industry. I assume that Bruce will not be joining RSA in subverting encryption.
Bruce might have a more specific explanation. I think he wisely avoids threads that touch on his employment.
Folks, RSA "management" took what looked like "free money" to make minor changes to an overall system, in which RSA had already placed at the time --supposedly-- unknown dodgy code in order to be in on "standards compliant" products.
We don't know the exact details, but I can tell you from experience that if your major customer comes along and asks for changes and offers to pay for them, then in most industries it happens pretty much without question, even if engineers etc. say it's not a good idea. After all, from the management perspective "Money talks...". Even prospective money has major product influence; after all, how do you think software bloat comes about? Marketing get told stuff by "customers" and they sell it to management, and thus into the product spec it goes...
Further, and a little more subtly, when it comes to "inventory control" the fewer products you have generally the fewer problems you have, so if the major customer is happy to allow others to have the changes then the chances are it will go in the main product as an upgrade. This is normal behaviour in many, many industries, which is probably why the NSA thought they could get away with it. And without the Ed Snowden revelations they would have got away with it. But... and this is the important point, ask yourself what upsets you the most:
1, The fact that the NSA tried it on?
2, That RSA managment fell for it?
3, That the NIST standards committee was a pushover?
4, That 99% of developers would "follow the standard"?
5, The fact that the NSA nearly put one over on you?
My feeling, having seen this all happen before, is that it's really most likely to be 5, as it feels like your trust has been abused, and thus all the noise is about spited hubris prior to nemesis.
Have a think about those other companies: what do you really know about them?
One of those other companies is HP. Anyone remember back in 2006 what nasty little habits the Chairwoman of the time had that got into the news? And how it ended up in new Federal laws?
Quite a few other of the companies at the conference have more than one or two closet-dwelling piles of bones just waiting to get out. The older the company, the more likely it is it has some past ethical issues, so if a company started 50 or more years ago it's almost --but not quite-- guaranteed, because societal ethics change over time. It's one of the reasons companies don't last for ever. Even Bill Gates knows this and has said this publicly and has been seen to implement "sea state changes" in MS.
Importantly, it's the nature of business life that you "have to sup with the Devil" to stay in the game and survive; the important thing, as the old saw has it, is the length of your spoon, the longer the better, so the greater the distance. But doing things at a distance can be unwieldy and problematical, so sometimes you need to remember that the closer you are, generally the easier it is to change things.
Which is the point: like it or not, to "effect change" you have to be at the place where "change can happen", and for now at least that's RSA's Expo.
No, I'm not boycotting the RSA Conference. Honestly, were I to list the bad actors w.r.t. the NSA, I don't think RSA Security would make the top 20.
And besides, boycotting the conference hurts the attendees and not the company. I'd rather be there, speaking about the NSA.
"Why did Co3 chose not to participate in the RSA boycott?"
Co3 Systems decided to be at the RSA Conference before I got there. The reason was pretty obvious: that's where the potential customers are.
Personally, I have chosen not to boycott the conference because I thought I would do more good by attending and speaking.
"If he boycotts meetings with those who went over to the dark side, how can he ever bring them back to the light side of the force?"
I'm also speaking at TrustyCon. So there's that.
I think the local intra-community politics of this stuff is important, and were I as famous as you I would pointedly boycott the conference, but I don't think it's productive to spend lots of energy peanut-gallery-auditing your decision to attend, which seems yours-to-make and not-crazy.
It'd be more interesting to know who's in your top 20 NSA collaborators ahead of RSA. They're currently near the top of my list since their decision was so _simply_ evil that I don't see a more perfect example of unacceptable mathematician / programmer behaviour than RSA's. Even working for the NSA itself is less disgusting to me than what RSA did.
You'll find nicer whores elsewhere in SF.
I mean seriously, $2,595 for the full day pass to go shoulder to shoulder with the scum of the Earth?
No way. No way. No way. No way. No way.
> Coviello said RSA did all it could to secure its software. What's your take on the affair?
> Schneier: I believe that's true. When NIST came out with that RNG standard, it was one of four choices available, and those choices tracked other crypto suites. It made sense in a holistic way that there should be an elliptic curve in there. It was slower, it was kludgier, but some people thought that was a plus, not a minus.
What? RSA Security could have made Dual_EC_DRBG not the default once its flaws became known. That would be a simple obvious thing they could easily have done. To quote a certain Bruce Schneier from 2007: http://www.wired.com/politics/security/...
> If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.
Clearly you would have to be an idiot to use Dual_EC_DRBG by default in 2007. Even if you didn't know about the backdoor, and somehow thought the slowness made it safer in some unspecified way, the non-randomness which made Gjøsteen call it "cryptographically unsound" in 2006 should still have disqualified it.
I want the old Bruce Schneier back. :(
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.