| SAN FRANCISCO
SAN FRANCISCO Jan 17 Several prominent computer
security experts have cancelled appearances at the largest
annual conference on security technology and are now lending
their names to a rival gathering as discord in the industry over
U.S. intelligence practices continues to grow.
The experts are among nine who have publicly forsaken
coveted speaking slots at the annual RSA Conference, to be held
next month in San Francisco, in protest over the conference
owner's dealings with the National Security Agency.
They will instead speak at the new and much smaller
"TrustyCon," to be held in the same city during the RSA event.
Billed as the first "Trustworthy Technology Conference," the
upstart event's backers include Def Con, which holds a major
hacking conference each year in Las Vegas, and the nonprofit
Electronic Frontier Foundation, which will get the proceeds from
$50 ticket sales that begin Friday.
Reuters reported last month that RSA Security, now a
division of data storage maker EMC Corp, incorporated a
flawed cryptography formula in a widely used software tool under
a $10 million federal contract. The NSA-developed formula is now
believed to have been breakable by the agency, though people
familiar with the RSA arrangement told Reuters that executives
had not realized that at the time.
"I don't think it's wrong for companies to work with the
government. What's important is being trustworthy and honest
with customers," said Alex Stamos, who helped create the one-day
TrustyCon event. "The most charitable reading is that RSA failed
to see the danger and didn't warn the customers."
RSA continued to use the NSA formula for years after
cryptography experts called it suspicious, recommending its
removal only when reports based on NSA documents leaked by
former U.S. spy agency contractor Edward Snowden prompted a
federal standards body to drop its endorsement of the
RSA said in December that it never knowingly weakened its
products and that a decade ago the NSA had been seen as a
helpful partner in developing security tools.
But Def Con founder Jeff Moss said that RSA "seemed to lack
a genuine interest in engaging with its customers" about what it
had done and why, as well as what it had learned.
RSA declined to comment. Its executive chairman, Art
Coviello, is scheduled to give one of the keynote speeches at
the RSA event.
Though owned by RSA parent EMC, the RSA Conference depends
on outside advisors to select talks. The program committee chair
this year is Hugh Thompson, chief security strategist at Blue
Coat Systems Inc.
In an interview, Thompson said that while he was
disappointed that some speakers had cancelled, there would still
be a great deal of discussion about Snowden's revelations and
the roles played by RSA and its peers.
"There are a lot of questions that have been raised about
the security infrastructure and how it works, and I do think
it's going to lead to a very healthy debate," Thompson said.
"This is a topic that is definitely going to be discussed."
More than 500 speakers remain at the RSA Conference, which
organizers expect to attract more than last year's record 24,000
Among those withdrawing from the RSA Conference were Mikko
Hypponen, chief research officer at Finland-based security
company F-Secure, two researchers from Google Inc
, and Jeffrey Carr, a consultant who holds his own
conferences on cyber intelligence-gathering and defense.
Some said the RSA deal struck such a nerve because it is the
first security company to be identified as having a contractual
relationship with the NSA that ultimately weakened security.
Others have faulted the conference withdrawals, saying that many
companies and different countries are guilty of similar,
Hypponen, Moss, and RSA critics from the Electronic Frontier
Foundation and American Civil Liberties Union will be among the
TrustyCon presenters, Stamos said. Hypponen's talk is on
malicious software created by governments.