The cybersecurity trade show known as the RSA conference kicked off in San Francisco this week. The conference begins two months after revelations that the RSA Corporation allegedly accepted $10 million from the National Security Agency to engineer a “back door” allowing NSA access to its encryption products. In the resulting backlash, some of the scheduled speakers are boycotting the RSA conference and have created their own spinoff conference, TrustyCon, which opens Thursday. We discuss cyber ethics and what this rift means for hackers and the online security industry in the Bay Area.

Guests:
Aarti Shahani, reporter covering technology for KQED
Alex Stamos, CTO of Artemis Internet, co-founder of iSEC Partners, a cybersecurity consulting firm and speaker at TrustyCon
Vinnie Liu, partner at Bishop Fox, a global security firm that provides attack-and-defense security services to Fortune 1000 companies

  • geraldfnord

    When I first heard of PGP (c. 1991) I told Mr G——-l that it sounded like a _great_ recipe for repopularising torture.

  • thucy

    What a mess. This was all weirdly “predicted” by Francis Ford Coppola in his 1974 film “The Conversation” starring Gene Hackman, and some of the era’s best character actors. Right down to the wiretappers’ San Francisco convention scene! Life imitates Coppola…

  • Guest

    The NSA has found eager participants in spying at most of the big corporations. They can listen to your Skype calls, record your phone calls, read all of your text messages, track you using your phone wherever you go, break the Internet’s encryption, track you using Google’s tracking cookies, and they record all Internet traffic and have something like 2 years’ worth of buffer to look through. The Stasi never had even 1/10000th of the spying capability the NSA has. We should all be boycotting the major US tech companies. They haven’t just betrayed us, they’ve raped us. The conspiracy theorists have been proven right (again). The tech companies are like the fracking companies–they’re happy to screw us over. When questioned they either feign being troubled or they’re blasé about it.

    I encourage everyone to use Tor to access the web, and use GPG to encrypt emails.
    However many websites block Tor, including Disqus which KQED uses for comments.

    • balbus

      I agree Tor is great technology and people should use it when they can. However, there are other cryptographic systems that are very good (like PGP/GPG) that are reasonably secure AND have a good infrastructure.

      Regarding “We should all be boycotting the major US tech companies. They haven’t just betrayed us, they’ve raped us”. This is just BS. Why don’t you just say “it’s worse than the holocaust

    • balbus

      Frank:
      I agree Tor is great technology and people should use it when they can. However, there are other cryptographic systems that are very good (like PGP/GPG) that are reasonably secure AND have more available infrastructures that are reasonably convenient to use.

      Regarding “We should all be boycotting the major US tech companies. They haven’t just betrayed us, they’ve raped us”. This is just BS. Why don’t you just say “it’s worse than the holocaust”. Put up some facts rather than FUD. In any case not all major US tech companies have been “collaborating” with the NSA. Also, many non-US tech organizations have been “collaborating” with the NSA. Also, many US and non-US tech organizations have been “collaborating” with foreign governmental organizations in the same way as some US tech organizations and the NSA (i.e. because of court orders).
      If you don’t like this “collaboration” contact your congressman so that US tech companies don’t have to comply with court orders that you don’t like.
      In any case, your gripe is reasonable for organizations like RSA that did not have to take the NSA’s money. It is not reasonable for organizations that were ordered by the US government to become “collaborators”. Put the blame where it belongs.

  • Ben Rawner

    The idea that the government hacking and backdooring is somehow shocking is ridiculous. Most of the technology used today was developed by the government. 25 years ago, when only a handful of people used tech like they do today, it was understood that the government was watching. This technology is quite powerful, and for the government to keep their noses out would not only be impossible, it would endanger its citizens.

    • Guest

      That’s an awful lot like saying if a girl goes to a frat party she should expect to be raped.

      • Guest

        It’s worse than that, because we’re all mandated to attend the IT party.

        You can’t fully contribute to society without using information technology.

      • Ben Rawner

        I don’t see the correlation. The government’s responsibility is to protect and serve its citizens. If you don’t like the government that’s fine, but its role as a facilitator and protector is stated in the constitution. Maybe we should let corporations do it for us? Because it really looks like corporations really care about citizens (sarcastically). I pay taxes so the government protects me, I don’t bid taxes on an open market for protections. Eliminating the government’s role will only allow corporate entities to perform this function for the highest bidder without regard to law or equality. I haven’t heard of the US government raping anybody, but I sure have heard of many corporations that rape worldwide.

        • Guest

          You won’t protect people by violating the Constitution and violating their civil rights.
          It’s like you’re saying that in order to protect women who go to a frat party from rape, you’ll have to strip search them all.

  • Holly

    What exactly is a “backdoor”, for those of us who are not techies?

    • Guest

      Glad you asked: It’s a means by which a hacker, be they working for the Russian mafia or for the NSA, can get into either your computer, your phone, or your data.

      There was an NSA backdoor in Windows 98, for instance, and presumably every version of Windows since. A few years ago activists found Windows Vista was contacting DHS servers, Halliburton servers and DoD servers when a Vista computer started up for the first time.

      Almost all mobile phones have a huge backdoor, by the way, in the baseband processor. The NSA can for instance turn on your phone if it was turned off and listen to conversations in the room using the microphone. More on that:
      http://www.osnews.com/print/27416/The_second_operating_system_hiding_in_every_mobile_phone

  • Guest

    What do your guests think about the fact that it costs $2500 to get into the RSA conference, meaning what are the implications for nonprofits and individuals who are somewhat more likely to defend the little guy?
    And what’s the cost to get into TrustyCon?

  • Orlando

    I work with engineering programs like Solidworks, AutoCad, and Creo to design innovative products. In order for me to feel safe, so that a Chinese firm, government or hackers here in the US or in Europe cannot hack my computer, I have completely disabled my engineering computer from being able to log in at any point in time to the internet. I hate that I have to do this and it becomes so difficult, especially when I need to upgrade my programs. Internet privacy is horrible not only in the US but all around the world; we need to fix this and we need to fix this now. It seems like protecting my inventions is almost like a part time job.

  • Ginny Bahr

    As a consumer, I don’t want to get a second degree to know which computer is safe enough to purchase. I can’t demand what I don’t know. I’m reliant on the industry to explain to me why it is safe, just as I am reliant on the car dealership to explain to me why this engine is better or why an airbag or windshield break light is necessary. That puts the onus back on the industry to build trust with the consumers first.

    • Guest

      About backdoors:

      You’ll never be able to trust antivirus programs to tell you that a backdoor exists. The NSA will have gotten to them and forced them to keep quiet.
      The best way to ensure there isn’t one is to periodically reinstall the operating system. This will also work to wipe out any viral infection.

      Viruses are now also written to attack the antivirus programs. So again, you need to reinstall the OS periodically.

      In most university computer labs, they reinstall the operating system every night.

  • David Kelley

    Governments, companies and private sectors alike are looking a lot like they are creating a way to build a population that can be subdued by the avenue of just one conduit; the dependency of our beloved cyber space… we put all our daily lives into this avenue… we are completely addicted and dependent on this, through our shopping and banking all the way to cultural needs… we find our violent games and movies to be related and simulated, and like prominent inventors have said “soon you will not know the difference between virtual and reality”, and they are so excited about that notion and they can’t wait to pull the plug and see you and me rock back and forth in the fetal position in the corner cuz we don’t have our beloved cyber space anymore

  • Geriborg

    It’s an interesting point, the one that consumers don’t think much about security when buying software/hardware that connects to the Internet. There is one choice, at least for computers, that is relatively secure: the most popular distributions of Linux, such as Ubuntu Linux, LinuxMint, Mageia, Fedora, etc. They are shockingly easy to use, relatively more secure and free.

    And, there are products, such as TOR and the USB-only distribution TAILS that offer up some greater security, although some speed and functionality is forfeited.

    • Guest

      In 2009, Jane Silber became the CEO of Canonical. Canonical makes Ubuntu. Jane Silber’s previous job was at a military contractor, namely the C4 Division of General Dynamics. It turns out that the C4 Systems division is all about using computers for spying on people.

  • balbus

    First, there is no proof that NSA knows a back door for the Elliptic Curve Random number generator. People are just assuming that because NSA paid RSA to make EC random number default, it is because the NSA knows the key. The last time the NSA poked their nose into a cryptographic standard (DES – Data Encryption Standard), it took 20 years for the public security community to discover that the reason was to make the standard stronger. This might be the case here, as well. It may be that the NSA wants a stronger algorithm that, for example, the Chinese cannot crack.

    Personally I think that NSA/RSA blundered UNLESS the entire NSA plan was to remove Elliptic Curve Random number from the algorithms actually in use. If that was the plan, they certainly succeeded! But we don’t know. We only have suspicions. Suspicions are not facts.

    Regarding “Most of The technology used today was developed by the government. 25 years ago when only a handful of people used tech like they do today it was understood the the government was watching”: Where did you get this fact? I agree that in 1989 only a handful of people used (cryptography) like today, but I don’t see evidence that most of the cryptography used today was developed 25 years ago by the government.
