F-Secure’s Hypponen: RSA Lost Trust

Less than two months after publicly announcing that he was pulling out of the RSA Security Conference, which took place last week in San Francisco, because RSA had accepted a US$10 million contract from the United States National Security Agency, F-Secure Chief Researcher Mikko Hypponen appeared to take a somewhat mellower stance.

He alternated between criticizing RSA and offering an olive branch when speaking to reporters last week in San Francisco.

Despite his unbroken stretch of six prior years of conference attendance, “I’m happy not to carry an RSA badge around my neck this time around,” Hypponen said. “I’m not expecting to talk again at the RSA conference any time soon.”

Doing It in Style

However, he also had some kind, perhaps even slightly apologetic, words.

The conference organizers “got in touch with me immediately after my letter was published and they played it very well,” Hypponen said.

“They understand I have strong opinions, but they also proposed to me that I should speak about the issue in an open forum at the meeting instead,” he continued. “They promised not to censor the talk.”

The approach was “very reasonable and I seriously considered this for some time — changing the title and going back and doing it,” Hypponen noted. “I gave them sh*t and broke my contract with them, and they get points for [their graciousness].”

None but the Brave

Hypponen’s public criticism and withdrawal spurred another 11 security vendors to walk out.

The backlash led to the Electronic Frontier Foundation partnering with Defcon and iSec Partners to set up an alternative conference — TrustyCon — which was held Thursday in San Francisco, close to the RSA conference location.

TrustyCon, which counts fierce anti-NSA surveillance campaigner CloudFlare among its sponsors, raised US$20,000 for the EFF.

“It’s all about trust, and that’s crucial, because that’s what I believe RSA lost in their dealings with the NSA,” Hypponen said. “Trust is paramount in our business. If you can’t trust an AV vendor, there is no reason for the relationship at all.”

When Governments Are the Enemy

Hypponen detailed several examples of various governments in developed nations spying on their citizens.

NSA’s targeted espionage is “what intelligence agencies are supposed to do,” Hypponen remarked. Foreign heads of state are a legitimate target, and “I have no problem with them listening to the phone calls of German Chancellor [Angela Merkel].”

His beef is with the “wholesale blanket surveillance of people [the NSA] have no reason to be interested in, and the reason they do this is because it’s technically possible.”

The problem is compounded by the fact that most Internet traffic goes to U.S. websites. That means the U.S. government “can look at 96 percent of world traffic,” Hypponen pointed out.

Cybersecurity companies “miss governmental Trojans all the time,” Hypponen said. “The whole industry missed Flame for three years.”

The Flame malware, discovered in 2012, was used for targeted cyberespionage in the Middle East.

Big Brother Rules

Despite their best efforts, cybersecurity vendors are not likely to be able to combat government Trojans.

“Governments don’t need to ask us to cooperate with them,” Hypponen said. “They have enough budgets and expertise to do what they want.”

The difference between fighting cybercriminals and fighting governmental malware is “the difference between fighting criminals on the street and fighting James Bond,” Hypponen sighed.

For example, the NSA’s ANT catalog of surveillance technology includes the IrateMonk exploit, which replaces the master boot records of hard drives.

It “modifies the hard drive firmware, so if you wipe a hard drive clean, it still remains infected,” Hypponen said. “How the hell are we supposed to fight programs as low-level as these that are as many years ahead of our cutting-edge research?”

Richard Adhikari

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

1 Comment

  • Your "because RSA had accepted a US$10 million contract from the United States National Security Agency" is not a very accurate description of the issue. RSA appears to have deliberately used, as the default choice in their software, a pseudorandom number generator known to be insecure, under circumstances strongly suggesting that it was designed to make material encrypted using it vulnerable to the NSA. The combination of that with a ten million dollar payment from the NSA to RSA strongly suggests that RSA was paid to betray its customers, to encourage them to use software designed to let the NSA break its encryption.

    For more details see:
