Speakers and organizations have begun to back out of next month’s annual RSA security conference amid reports of RSA’s shady new deal with the NSA.
Last month, Reuters reported RSA Security took $10 million from the NSA to use a purposely flawed pseudorandom number generator (PRNG) as a default option in one of their products. The news supports ex-NSA contractor and current fugitive Edward Snowden’s claim that the NSA has attempted to weaken internet security.
In a somewhat hazy statement addressing the controversy, RSA said they have “…never entered into any contract or engaged in any project with the intention of weakening RSA’s products…” The collaboration with the NSA, including the $10 million deal, was not denied altogether. CSO Online reported that RSA used the flawed PRNG in their products for almost a decade after the agreement with the NSA.
The conference, to be held in San Francisco, is an annual event for 20,000+ attendees to network and learn about the latest security trends. But so far nine security professionals have withdrawn from presenting at the conference, in protest of the supposed relationship. These withdrawals are yet another representation of the security community’s and the general public’s disapproval of government surveillance efforts brought to light by the Snowden leaks.
Eoin Keary, an OWASP board member who was scheduled to do a class at RSA Conference on secure coding, is one of the several contributors who have withdrawn.
In a statement via email, Keary said, “As an [OWASP] board member and individual I can’t put my head in the sand and attend an event hosted by an organization which may be linked to erosion of software security, individual privacy and possible freedom.”
Sarah Baso, Executive Director of the group, brought up canceling the co-marketing agreement in an email to the OWASP mailing list:
“…RSA is undoubtedly a great opportunity for us to spread our mission and raise visibility (which is why we went ahead with the co-marketing contract in the first place), but with the additional information (accusations) about RSA’s behavior, it does call into question whether OWASP should at least pass this year on the co-marketing agreement…”
A vote was taken and the co-marketing agreement ended today.
Others who have withdrawn come from organizations including Google, the ACLU and Mozilla.