Channel: Digital Dao

A Suits and Spooks Collision in Washington DC

No, President Obama didn't authorize a CIA direct action against House Tea Party members who are keeping the government closed. The "Collision" that I'm talking about is the Suits and Spooks event that is happening in Washington DC on January 19-21. Some of you know that I've been reluctant to call it a "conference" ever since I created this event in 2011. Finally, thanks to my friend Jim Stogdill at O'Reilly Media, I've got a new name for it - a collision.

It's the perfect word because that's precisely what happens during many of the talks. It's not a Summit where high profile speakers get to express their opinions without the opportunity for audience members to question them. Our speakers understand that the content of their talks can be challenged at any time by the attendees. And since we keep our total attendance capped to under 150 and keep all of the sessions on a single track, there's a lot of interaction taking place that just doesn't happen at any other event. In fact, when you consider who some of our speakers are, that's a remarkable thing to experience.

Here are just a few of the 25 or so high profile speakers that we've lined up for SNS DC:

  • Barbara M. Hunt: Co-founder of Cutting Edge C.A. who was formerly the Director for Capabilities of Tailored Access Operations at NSA as well as a 20 year veteran technical expert at CIA
  • David Howe: CEO at Civitas Group; formerly Special Assistant to the President (Homeland Security Council)
  • Carmen Medina: Career senior national security executive at CIA (retired). Assignments included Director for the Center of the Study of Intelligence; Deputy Director of  Intelligence; and Chief of the Strategic Assessments Group, Office of Transnational Issues, Directorate of Intelligence.
  • Eric O’Neill: Attorney and co-founder, The Georgetown Group; former FBI operative who was instrumental in the Robert Hanssen espionage case.
  • John Gilkes: Principal, Deloitte Financial Advisory Services; more than twenty years experience in asset tracing and recovery and in the management and conduct of financial/fraud investigations involving wire transfer fraud, bribery/corruption, and extortion.
  • Steven Chabinsky: General Counsel, Chief Risk Officer at CrowdStrike; Previously Deputy Ass’t Director Cyber at FBI
  • Stewart Baker: Partner, Steptoe & Johnson LLP; Previously Ass’t Secretary for Policy at DHS

Another first for Suits and Spooks DC 2014 will be our workshops. We're not a hacker con so you won't find the workshops that you're accustomed to at Blackhat and other events. That's because there's more to cyber security than malware alone. We'll be offering four workshops in January:

  • Lance Cottrell, the founder of Anonymizer, will teach a half-day workshop on Internet Anonymity and Pseudonymity.
  • Rob DuBois, a retired Navy SEAL and former director of operations for the Dept of Defense Red Team will teach a full-day course on how to train and operate a full spectrum red team.
  • Carmen Medina, a former Deputy Director of Intelligence at CIA will teach a half-day course on analytic methods.
  • Phil Rosenberg and John Gilkes will teach a course on financial fraud investigations and money laundering.

Registration for SNS DC is now open and we're already 25% full. Registration for the workshops is currently open for Lance Cottrell's topic and the others should be ready by next week (separate tuition is charged for the workshops). Here's the link for the SNS DC webpage. See you in January.

And if you're interested in having your company become a sponsor, please shoot me an email

Who's Spear-Phishing the CEO of Mandiant?

According to this Foreign Policy article, someone spear-phished Kevin Mandia, CEO of the information security firm Mandiant, using one or more fake invoices from the company which provides his limo service. According to Mandia the name of his limousine service has never been publicly announced so the question is, how did the attacker know it?

One possibility according to Kevin Mandia is that Chinese foreign nationals have followed him to speaking engagements and observed which car service he used. Personally, I've never seen a limo with a billboard mounted to it or the name painted on the side. When I use Uber, for example, I'm given the license plate number of the driver so that I can tell which black town car is the one I'm waiting for. Usually limos and SUVs that belong to private transportation services are pretty discreet, unlike taxi cabs.

Another possibility is that someone is targeting CEOs at companies based in the MD/DC/VA metroplex with a spear-phishing attack that assumes they use a particular high-end car service. There are probably not more than a few dozen reputable car services, if that.

Yet another possibility is that the attack came from a disgruntled former employee or competitor with inside knowledge of the Mandiant CEO's travel preferences. I've heard that thanks to Mandiant's rapid growth, it's been actively recruiting security engineers from other companies. That's probably left a bad taste in more than one person's mouth and this might be someone's idea of getting a small measure of revenge.

Or it could be that despite Mandiant's best efforts, an attacker was able to access inside information on the company's network and he sent the email just to stir the pot.

Mandiant's security team believes that they've identified the attacker as an "advanced hacking group back in China". Such groups focus on stealing intellectual property. China, like many states, is investing money in information security research and development. Would Mandiant's intellectual property match and/or accelerate China's own InfoSec R&D priorities? If so, that would be yet another explanation for this attack.

The bottom line is that no one is immune from a motivated attacker; not even a leading information security company.

UPDATE (10/15/13): A reader reminded me of this article which described a Chinese group engaged in espionage-as-a-service via a significant foothold in the travel and tourism industry.

Huawei Claims Transparency But These Facts Say Otherwise

"(A)s the Deputy Chairman of the Board of Huawei and the Chairman of the Global Cyber Security Committee of Huawei, I would like to make our company’s position clear. We can confirm that we have never received any instructions or requests from any Government or their agencies to change our positions, policies, procedures, hardware, software or employment practices or anything else, other than suggestions to improve our end-to-end cyber security capability. We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies.
"Huawei will continue our open and transparent approach and responsible position to its operations and everything we do."
- Ken Hu (Deputy Chairman of the Board of Huawei and Chairman of the Huawei Global Cyber Security Committee)

Mr. Hu wrote the above statement in a web posting which announced Huawei's Cyber Security white paper "Cyber Security Perspectives: Making Cyber Security a part of a Company's DNA" (October, 2013).

This PR campaign is clearly meant to take advantage of the Snowden leaks regarding NSA activities and data collection. Mr. Hu wants to paint a picture that Huawei, unlike the U.S. companies named as supporting legal NSA requests, has not received any such requests from the Chinese government.

That's disingenuous at best, and purposefully misleading at worst.

The government of China is one of Huawei's biggest customers; primarily the State-owned telecommunications companies - China Telecom, China Unicom, and China Mobile. Those companies engage in State-mandated monitoring of all telecommunications inside the PRC using in part Huawei's equipment. In fact, China's State Security Law requires that companies and individuals comply with any request for assistance by the MSS or other state security organs up to and including technological means of surveillance.

If the MSS hasn't asked Huawei to provide access, it's because Huawei has already built that access in so that China Telecom can do its job of lawful intercept. And that's not just for telecommunications services. The law was updated in 2010 to include Internet traffic.

Regardless of how Mr. Plummer, Mr. Purdy, Mr. Hu and other Huawei executives try to spin their company's dedication to transparency and security, they work for a company whose equipment is used to surveil the communications of a country of 1.3 billion people, including all of the foreign-owned companies which have offices in China. Their white paper doesn't talk about that, nor does it reveal how Huawei hardware supports MSS collection efforts.

That's not being transparent, gentlemen.

Carmen Medina to teach Workshop on Analytic Methods and Critical Thinking at Suits and Spooks DC 2014

As the rush to the Cloud and the aggregation of data in amounts heretofore unheard of accelerates, the one area that continues to suffer from lack of attention is the use of analytic methods designed to offset cognitive bias; in other words, the rare skill of critical thinking.

This is particularly true among information security companies, but it applies across all industry sectors. I've recognized and railed against this problem for years, but now, with Suits and Spooks' entry into offering workshops, I'm able to offer a solution in the person of Carmen Medina.

Carmen is a CIA veteran of almost 32 years. She was the Director of the Center for the Study of Intelligence (CSI) from January 2007-December 2009. As the CSI Director, she developed and managed CIA’s first Agency-wide Lessons Learned Program. Her record as a visionary analytic thinker and a dedicated, caring leader made her widely recognized--inside CIA and beyond--as an articulate, passionate voice for excellence in intelligence.

From 2005 through 2007, she was the Deputy Director for Intelligence, a member of the executive team that led the CIA’s analytic directorate. In her CIA career, Carmen held positions of increasing responsibility to include Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

By attending Carmen's four hour workshop on Analytic Methodology and Critical Thinking, your analysts will learn:

  1. Different analytic techniques to help organize data.

  2. The value chain of analytic insight.

  3. Question templates to use when evaluating information.

  4. Rules and techniques for using data and information.

  5. Techniques to assist in more rigorous what if and future thinking.

The early bird rate for this workshop is only $495 and attendees must also register for Suits and Spooks DC. Complete information is available here. Register early to save money and to secure your seat.

Germany's BND Caught Spying on Afghan Minister's Emails (2008)

In light of the current tensions between German Chancellor Merkel and President Obama over alleged NSA spying, I found this Der Spiegel article in the bookmarks that I keep on nation state espionage:


The BND, Germany's foreign intelligence service, was caught spying on Minister Amin Farhang of the Afghan government via a trojan that they installed on his computer. The campaign lasted for about six months and included collecting the emails of a Der Spiegel journalist.

Then in 2009 there was this Der Spiegel headline: "BND Infiltrated Thousands of Computers Abroad", which describes how Germany's foreign intelligence service used keyloggers and other tactics to monitor at least 2500 computers in a highly targeted espionage campaign.

Granted, this is nowhere close to the scale of the NSA revelations, however Chancellor Merkel should certainly be aware that her own intelligence services have engaged in the same activities as everyone else's and her outrage should be tempered accordingly.

Level 3 Communications, the NSA, and the end of the Physical-Digital Divide. What needs to be done?

The Level 3 Communications (NYSE: LVLT) blog recently published an article entitled "Say Goodbye to the Physical-Digital Divide." It's a light-hearted, upbeat corporate feel-good piece about how television shows are becoming Twitter-enabled. It's also a very disturbing piece when you realize that Level 3 is one of the Tier 1 backbone providers who has assisted the NSA in its collection efforts:
This is an exciting time!  Not only for Joe Consumer, who is being further enabled (and actively encouraged) to merge his offline and online behavior, blurring the lines of the physical-digital divide, but also for major content providers – many of whom we’re fortunate enough to call customers.  This is the new model of content consumption.  Always-on and always-available. Cross-media and cross-platform. 
Think about that from the standpoint of legal intercepts and data collection, and you'll see my point. We used to be vulnerable based upon what we read at the library, what we threw away in our trash, and what we wrote to our friends. Today, that has expanded exponentially and we've lost control of exactly how and where we are vulnerable to exposure.

Now consider that Level 3 is Google's upstream provider. Is that how the NSA was able to intercept the data traveling between Google's data centers? To be clear, Level 3 isn't doing anything illegal, nor is the NSA for that matter. And that's precisely the problem that needs addressing.

In less than 10 years, the physical-digital divide has disintegrated. In less time than it takes a human being to achieve mastery over a skill, technology has exponentially expanded how we interact with each other and, conversely, how we can harm each other.

Intelligence and law enforcement agencies, whose mission is to identify and intercept those who wish to cause us harm, have leveraged legal regimes like the Patriot Act, EO 12333, etc. to gain a foothold within the networks that are the primary supports (i.e., backbone) for our digital environment. The difference between what those outdated laws still allow and what technology has made possible in the way of data collection and analysis is where our focus needs to be. In other words, the laws must be amended to catch up with how exposed we are in today's digital and physical world so that a better privacy:security balance can be restored.

Wasting time bashing the NSA and other intelligence services does more harm than good because it fails to address the real problem (outdated authorities that need revising) in favor of lashing out at an easy and unpopular target: the NSA and its fellow agencies, who diligently attempt to accomplish the very difficult tasks that we expect from them.

In an effort to help move this debate forward and clarify where reforms are needed, I've set aside two hours for a panel discussion at Suits and Spooks DC on how our parallel needs for security and privacy can be met through reform of the current laws authorizing data collection by the IC. It's not an easy panel to fill, so let me know if you have any suggestions for experts to participate on it. Dr. Catherine Lotrionte of Georgetown University will be the moderator. 

Russian Venture Capital (RVC): A Report on Funding Priorities and RF Government Affiliations

Taia Global regularly produces custom reports on foreign research and development activities in Russia and China. Our most recent report examines Russian Venture Capital (RVC), an Open Joint Stock company (OAO RVC) with initial funding from the Investment Fund of Russia through the Federal Agency for State Property Management (Rosimuschestvo). Its charter allows RVC to invest both domestically and overseas. RVC's Board of Directors limited investments by RVC to companies with products on the Russian government's critical technologies list.

This report is 17 pages long with graphics and two appendices, including the above-mentioned critical technologies list. We examined the background of RVC's executives as well as the firm's investments and its U.S. affiliations.


We are offering this report for a limited time to non-subscribers for $225. Interested parties may order via this link or by calling (855) 877-8242.

Navy SEAL Charity Fraud Graham Ware's Latest Scam

Graham Ware, a Scottsdale, AZ native who was outed (here and here) for running a fake Navy SEAL charity website has moved on to the Search Engine Optimization game. His new scam is complete with a fake Google Certification logo, a fake Arizona LLC, and operates out of a UPS mail drop.

The above screen capture shows all three red flags.

Lower part of OptZona.com website

GOOGLE ANALYTICS CERTIFIED (NOT)

I checked with Google Analytics Professional Services and Google Analytics Partner Services. Neither one lists Optzona LLC as a certified organization. This isn't surprising when you read the requirements for a company to become a GACP (Google Analytics Certified Partner). For one thing, "you have to be legally incorporated to do business in your locality." So Ware obviously cut and pasted a fake Google Analytics logo to add credibility to his non-existent company.

OPTZONA's LLC STATUS (NOT)

The State of Arizona maintains a Division of Corporations website where anyone can run a business entity search. If you plug "Optzona" into the search window, you'll see two hits. One is a name reservation for Optzona LLC filed by Graham Ware on July 18, 2013 which expired on 11/16/13 (File Number: N-1860916-0). The other is a Pending File Inquiry (File Number: L-1884805-8) filed on 11/8/13 and returned to Ware on 11/12/13 for what appears to be a potential name conflict. As of today, 11/18/13, Optzona LLC does not legally exist. 

OPTZONA's BUSINESS ADDRESS

The contact address on Optzona's web page is 15279 N. Scottsdale Rd., Scottsdale, AZ which turns out to be a UPS mail drop.

Slide used in an Optzona promotional video on YouTube

Ware's YouTube channel features a 20 minute slide presentation with Ware providing voice-over. In it he describes OptZona LLC as a Search Engine Optimization company that was founded in 2012 and that has grown to become "one of the major industry leaders in their field" (minute 0:54-1:03). Notice the reference in the above slide to "grossly misleading & unethical businesses". Unbelievably, Ware is pitching viewers to avoid unethical companies just like OptZona: companies which aren't legally incorporated, which invent their own history, and which advertise certifications that they never qualified for.

INVESTORS BE WARNED

OptZona's Twitter account made this disturbing announcement about two weeks ago:


If this tweet is accurate, Ware intends to expand his fraudulent enterprise with other people's money. I encourage anyone reading this article to report Ware to the Arizona Attorney General's office. Between his unregistered Navy SEAL charity scam and this fake SEO company, the guy is a malicious serial con artist.


The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website

Yesterday, Rep. Lamar Smith, the Republican Chairman of the House Committee on Space, Science and Technology, had four cyber security experts testify about the poor security of the healthcare.gov website. Of the four experts, at least two were ardent critics of the Obama Administration in general and the Affordable Care Act specifically: David Kennedy, the CEO of TrustedSec, and Morgan Wright, the CEO of Crowd Sourced Investigations. And of those two, only one, David Kennedy, could accurately be called a cyber security "expert".

While it's not surprising that a Republican Committee would load its witness list with individuals that would support its anti-Administration agenda, what was surprising was that David Kennedy used his reputation as a pen-tester to do an unauthorized security audit of the site and then go public with his findings. TrustedSec LLC, Kennedy's company, was not engaged by the U.S. Department of Health and Human Services (HHS) to perform penetration testing on Healthcare.gov. If they were, he'd be under an NDA to not discuss his findings. Instead, he took it upon himself to run a passive test against the site.

Passive testing occurs when a user monitors his interaction with a website by using a proxy server and a "sniffer" to inspect the traffic between the website and the proxy server. Kennedy hasn't disclosed exactly how he conducted his passive vulnerability assessment but it wouldn't have revealed enough data to warrant an opinion that the site "had already been hacked", as Mr. Kennedy told the committee:
“And if I had to guess, based on what I can see … I would say the website is either hacked already or will be soon.”
In my opinion, this raises serious ethical issues on the part of Mr. Kennedy and his company TrustedSec LLC. Vulnerability assessments including penetration testing are hugely sensitive operations that rely upon confidentiality and discretion on the part of the testing company. In fact, it would be professional suicide for any pen tester to "out" the vulnerabilities found on a client's website. Obviously, neither Kennedy nor TrustedSec had that relationship with HHS. Instead, Kennedy ran an unauthorized and non-defined "passive" vulnerability assessment which by its nature could not provide any kind of thoroughness in its findings and then announced those findings publicly to support a Right-wing political agenda. If he had done that against a private company, he'd be sued.

In contrast to the approach that Kennedy took, Dr. Avi Rubin, Director, Health and Medical Security Laboratory Technical Director, Information Security Institute, Johns Hopkins University (one of the remaining two experts who testified before the committee) advised that a full security review of the site was in order, and:
“I would need to know whether there are inherent flaws vs. superficial problems that can be fixed,” Rubin says. “If they can be fixed, that’s better than shutting it down.”
What a concept. Do a proper investigation and then provide an informed opinion based upon facts. 

U.S. Gov Employee Responds to TrustedSec's Review of Healthcare.gov

After I wrote yesterday's article "The Questionable Value and Ethics of TrustedSec's Pen Test of the HealthCare.gov Website", I received an email from a well-respected employee of a large government agency who had read TrustedSec's report on the Healthcare.gov website. This employee has asked me if I would publish the content of that email on my blog. Here it is with some minor formatting changes.

-------------------

So let's put aside the ISC2 ethics violation by TrustedSec that this "report" is and instead focus upon its content.

The report is split into two parts, one based upon public open source intel gathering, and one upon actual "analysis". Contrary to what Goebbels might say, repeating a lie does not make it true. The first half of the "analysis" consists of misquotes and out of context statements about news reports, blog postings and the Heritage Foundation (an anti-Affordable Care Act org).

They extrapolate from news articles and jump to conclusions that would be laughed out of a Bsides conference, let alone a court of law. Most of the "observations" are generic in nature with no supporting detail. Everything is anecdotal. Everything is hearsay. There is no direct observation of any vulnerability, and only "potential risks". 

Many of the articles highlight pre-launch issues that have since been resolved, and others are issues common to most web applications (hello, user enumeration? Seriously? Any site with a unique user account has this issue).

This lack of substance extends to the second part of the "analysis" which shows a lack of understanding of both what healthcare.gov is and what security is. 

In the professional world of cyber security there are two concepts at the heart of computer forensics: peer review and reproducibility. Professionals understand that their word is not enough and they actually have to show something that the community and their peers can reproduce. None of their findings are "reproducible" vulnerabilities. They are all vague possible-maybe-there-could-be risks, or worse yet, a gross misunderstanding of what they are "analyzing."

They raise issues with things like the Terms of Service (TOS).

They raise issues with data.healthcare.gov.

Healthcare.gov is not just a website, it is a complex node in a web of Federal, State, and private systems that interconnect to produce the healthcare.gov site. The data in it comes from state exchanges, Medicare, the IRS, SSA, and other Federal/state agencies, plus private insurers. It's not just a webserver/webapp with a back end database like something circa 2003.

They raise an issue that data will be shared with outside agencies which shows they don't understand what healthcare.gov is. Then they raise another issue about public profiles on the data.healthcare.gov site. The fact is that Data.healthcare.gov is an open data initiative based on the data gathered from insurers. Public profiles are a feature, not a bug, of that SEPARATE platform.

These two examples show the lack of due care conducted on this analysis. Please take a moment to read the "results"[CARR: A link to TrustedSec's report is provided below]. The level of writing and actual deliverable are so laughable that if a contractor had produced this for my agency I would have terminated their contract on the spot. (The report shows) no due diligence, sloppy work, and worst of all it is wrong in its "conclusions". 

Determinations need proof beyond media quotes and theoretical issues. They need to be based in fact.

------------------------

Here's a link to TrustedSec's public report (.pdf) for those readers who wish to review it and assess the above criticism for themselves. Comments are open.

In OSINT, All Sources Aren't Created Equal

"In evaluating open-source documents, collectors and analysts must be careful to determine the origin of the document and the possibilities of inherent biases contained within the document."
- FM2-22.3: Human Intelligence Collector Operations, p. I-10
"Source and information evaluation is identified as being a critical element of the analytical process and production of intelligence products. However there is concern that in reality evaluation is being carried out in a cursory fashion involving limited intellectual rigour. Poor evaluation is also thought to be a causal factor in the failure of intelligence."
- John Joseph and Jeff Corkill "Information Evaluation: How one group of Intelligence Analysts go about the Task"
These two quotes illustrate the long-running problem that has plagued commercial cyber security reporting for many years. There are very few unclassified OSINT standards for source evaluation and even fewer for cyber threat intelligence; at least, none that I could find while doing research for this article.

The field of cyber intelligence is fairly new and fortunately, thanks to the Software Engineering Institute at Carnegie Mellon and the work of Jay McAllister and Troy Townsend, we can take a credible look at the state of the practice of this field:
"Overall, the key findings indicate that organizations use a diverse array of approaches to perform cyber intelligence. They do not adhere to any universal standard for establishing and running a cyber intelligence program, gathering data, or training analysts to interpret the data and communicate findings and performance measures to leadership."
- McAllister and Townsend, The Cyber Intelligence Tradecraft Project
The one thing that isn't covered in their report is the issue of source validation and how that contributes to the validity or value of the intelligence data received. However, they did write a follow-up white paper with Troy Mattern entitled "Implementation Framework - Collection Management (.pdf)".


Please take some time to study the framework and read the white paper. It's an ambitious and very thorough approach to helping companies understand how to get the most value from their cyber intelligence products. Unfortunately, while it specifies data evaluation and source validation, it doesn't provide any specific guidelines on how to implement those two processes.

Fortunately, there has been some great work done on source analysis for Human Intelligence (HUMINT) that I believe can be applied to Cyber intelligence and OSINT in general. It's a paper written by Pat Noble, an FBI intel analyst who did his Masters work at Mercyhurst University's Institute for Intelligence Studies: "Diagnosing Distortion In Source Reporting: Lessons For HUMINT Reliability From Other Fields"

A PowerPoint version of Noble's paper is also available. Here are a few of the slides from that presentation:




We recognize these failings when it comes to human intelligence collection but for some reason we don't recognize them or watch for them when it comes to OSINT. The crossover application seems obvious to me and could probably be easily implemented. 

I started this article with a quote from the Army Field Manual FM2-22.3: Human Intelligence Collector Operations (.pdf). Appendix B in that manual contains a Source and Information Reliability Matrix which I think is also applicable to Cyber intelligence or any analytic work that relies upon open sources.



I think a graph like this could be applied with very little customization to sources referenced in cyber intelligence reports or security assessments produced by cyber security companies. 

The West Australian Police Force study by John Joseph and Jeff Corkill "Information Evaluation: How one group of Intelligence Analysts go about the Task" recommended the use of the Admiralty Scale which is identical to the Army's matrix shown above:


Again, these scales were developed to evaluate human sources, not published content, but they certainly seem applicable with some minor tweaking. 
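As an added illustration of how the Admiralty Scale could be applied to the sources cited in a cyber intelligence report (this is example code written for this page, not part of the original article and not the work of Noble, Joseph and Corkill, or McAllister and Townsend), the following tags each cited source with a standard NATO reliability letter and credibility digit and then derives an estimative caveat for each claim. The code tables are the standard Admiralty Code; the `origin` field and the corroboration rules (two usable sources from different origins count as corroboration, several citations tracing to one origin are flagged as possible circular reporting) are my own assumptions about how the matrix would be operationalized, and the claims, sources and ratings are constructed for the example.

```python
"""Rate the sources behind a cyber intelligence report with Admiralty codes
and flag claims that rest on weak, single-source or circular reporting."""
from dataclasses import dataclass
from typing import Dict, List

# Standard Admiralty Code: letter = source reliability, digit = information credibility.
RELIABILITY: Dict[str, str] = {
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}
CREDIBILITY: Dict[int, str] = {
    1: "Confirmed by other sources",
    2: "Probably true",
    3: "Possibly true",
    4: "Doubtful",
    5: "Improbable",
    6: "Truth cannot be judged",
}


@dataclass(frozen=True)
class Source:
    name: str         # the cited document: URL, report title, advisory id
    origin: str       # who ultimately produced the information (assumed field, used to spot circular reporting)
    reliability: str  # A-F
    credibility: int  # 1-6

    def __post_init__(self) -> None:
        # Reject ratings outside the matrix so a typo cannot silently upgrade a source.
        if self.reliability not in RELIABILITY:
            raise ValueError(f"unknown reliability code {self.reliability!r}")
        if self.credibility not in CREDIBILITY:
            raise ValueError(f"unknown credibility code {self.credibility!r}")

    @property
    def code(self) -> str:
        return f"{self.reliability}{self.credibility}"


@dataclass
class Claim:
    text: str
    sources: List[Source]


def assess_claim(claim: Claim) -> Dict[str, str]:
    """Return a status and an estimative caveat for one claim (rules are this example's assumption)."""
    if not claim.sources:
        return {"status": "unsourced", "caveat": "No source cited; do not report as fact."}
    # A source only counts toward corroboration if it is at least fairly reliable
    # and its information is at least possibly true.
    usable = [s for s in claim.sources if s.reliability in "ABC" and s.credibility <= 3]
    origins = {s.origin for s in usable}
    cited = ", ".join(f"{s.name} [{s.code}]" for s in claim.sources)
    if len(origins) >= 2:
        return {"status": "corroborated",
                "caveat": f"Corroborated by independent sources ({cited})."}
    if len(usable) >= 2:
        return {"status": "single-origin",
                "caveat": f"Multiple citations but one origin; possible circular reporting ({cited})."}
    if usable:
        return {"status": "single-source",
                "caveat": f"Single-source reporting; assess as possibly true ({cited})."}
    return {"status": "weak",
            "caveat": f"Relies on low-reliability or uncorroborated material ({cited})."}


def assess_report(claims: List[Claim]) -> Dict[str, str]:
    """Map each claim in a report to its sourcing status."""
    return {c.text: assess_claim(c)["status"] for c in claims}


# Constructed sample report: every source, origin and rating below is invented for this example.
EXAMPLE_CLAIMS = [
    Claim("Campaign X targets energy-sector domain registrars",
          [Source("vendor-report-2013.pdf", "Vendor Alpha", "B", 2),
           Source("cert-advisory-17", "National CERT", "B", 2)]),
    Claim("Campaign X is state-sponsored",
          [Source("news-article-1", "Vendor Alpha", "C", 3),   # both citations repeat
           Source("blog-post-7", "Vendor Alpha", "C", 3)]),    # the same vendor's claim
    Claim("Campaign X has 2,500 victims",
          [Source("anonymous-forum-post", "unknown", "F", 6)]),
]

if __name__ == "__main__":
    for claim in EXAMPLE_CLAIMS:
        result = assess_claim(claim)
        print(f"{result['status']:>14}  {claim.text}\n{'':>16}{result['caveat']}")
```

Run as a script it prints one line per claim with its status and caveat; the point of the exercise is that a report's conclusions can be read alongside the rating of what each one actually rests on, which is the source validation language the CITP paper found missing from most commercial products.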

It's important to note that only part of the problem lies in the lack of source evaluation methods. Another very large contributing problem is the lack of standardized cyber intelligence tradecraft pointed out by McAllister and Townsend in their Cyber Intelligence Tradecraft paper:
"Tradecraft: Many government organizations have adopted the intelligence community standard of consistently caveating threat analysis with estimative language and source validation based on the quality of the sources, reporting history, and independent verification of corroborating sources. Numerous individuals with varying levels of this skillset have transitioned to cyber intelligence roles in industry and academia, but the practice of assessing credibility remains largely absent. The numerous analytical products reviewed for the CITP either did not contain estimative or source validation language, or relied on the third-party intelligence service providing the information to do the necessary credibility assessment." (p.11)
And of course due to the newness of the field there's no standard yet for Cyber Intelligence training (McAllister and Townsend, p. 13). 

IN SUMMARY

There are numerous examples of cyber security reports produced by commercial and government agencies where conclusions were drawn based upon less than hard data, including ones that I or my company wrote. Unless you're working in a scientific laboratory, source material related to cyber threats is rarely 100% reliable. Since no one is above criticism when it comes to this problem, it won't be hard for you to find a report to critique. In fact, it seems like a different information security company is issuing a new report at least once a month, if not once a week, so feel free to pick one at random and validate the sources using any of the resources that I compiled for this article.

If you know of other source evaluation resources, please reference them in the comments section. 

If you're a consumer of cyber intelligence reports or threat intelligence feeds, please ask your vendor how his company validates the data that he's selling you, and then run it through your own validation process using one of the tools provided above. 

I'd love to hear from any readers who implement these suggestions and have experiences to share, either in confidence via email or in the comments section below.

UPDATE (11/24/13): A reader just recommended another excellent resource: Army Techniques Publication 2.22-9 "Open Source Intelligence". It discusses deception bias and content credibility, both of which must be accounted for in source validation.

What Does Huawei's Announcement of Exiting the U.S. Market Really Mean?

Last night, my Google Alert for Huawei captured an intriguing headline: "Huawei exiting US market: CEO". The article appeared in Global Times, a Chinese paper that's part of People's Daily. Here's the opening paragraph:
Chinese telecommunications equipment maker Huawei Technologies Co Ltd has exited the US market in order not to affect Sino-US relations, Ren Zhengfei, founder and CEO of Huawei, said in an interview in Paris, news portal 163.com reported Sunday.
Upon first reading, this raised a lot of questions in my mind about Huawei's current U.S. operations. It has offices in a number of U.S. cities and has already sold quite a bit of equipment to both U.S. corporations and the U.S. government. What would happen to those, I wondered?

Fortunately, I was able to reach Bill Plummer, Huawei's VP of External Affairs, by email and received the following clarification:
Huawei has prioritized markets that welcome competition and investment, such as Europe.  
That said, we remain committed to our customers, employees, investments and operations and more than $1 billion in sales in the U.S., and we stand ready to deliver additional competition and innovative solutions as desired by customers and allowed by authorities.
So basically what seemed like a radical change of strategy is actually something very practical. Huawei isn't pulling out of the U.S. physically nor is it abandoning its current U.S. customers. It is simply re-allocating its resources to increase sales in those parts of the world where it is welcome to compete.

Personally, as someone who has been a frequent critic of Huawei, I think it's a smart strategy. They're already the world's largest telecommunications hardware manufacturer. Why should they risk engendering more controversy by continuing to battle against U.S. government resistance when it will do nothing to improve their bottom line? In my opinion, Huawei's combination of low prices and quality manufacturing will eventually force adoption by U.S. corporations and government agencies. It might take years but I think that will be the inevitable outcome.

In the meantime, instead of hoping that the U.S. government will keep potential adversary states from selling them risky devices, U.S. companies should incentivize cyber security researchers to find ways to automatically test firmware updates for exploits. Currently, whether the hardware is made by Huawei, ZTE, or Dell, firmware updates are loaded automatically with no testing. If, down the road, a foreign intelligence agency (Chinese or otherwise) wants to compromise a strategically placed router made by a company over which it has legal authority by adding a bit of malicious code, a firmware update is one of the easiest ways to do it.
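As an added illustration of the kind of testing this paragraph calls for (example code written for this article, not Huawei, ZTE or Dell firmware tooling), the Python below gates a candidate firmware image three ways before it may be installed: the vendor manifest must authenticate, the image must match the hash in the manifest, and every region of the image that changed must be one the vendor's release notes declare. The image layout, the manifest format and the HMAC standing in for the vendor's signature are all assumptions made for the example, and the images are constructed byte strings. The second sample run is the scenario described above: a properly signed update with an intact hash that also rewrites bytes in the bootloader region which nobody announced.

```python
import hashlib
import hmac

# Constructed 1 KiB image layout: region name -> (start, end) byte offsets.
# Assumption for the example; real vendor images have their own partition tables.
LAYOUT = {"bootloader": (0, 256), "kernel": (256, 768), "app": (768, 1024)}

# Assumed out-of-band vendor key for the manifest MAC (constructed; a real vendor would
# publish a public signing key and the manifest would carry a signature, not an HMAC).
VENDOR_KEY = b"constructed-demo-vendor-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_signature(manifest: dict, vendor_key: bytes) -> str:
    """HMAC over a canonical rendering of the manifest; stands in for the vendor's signature."""
    canonical = "|".join(f"{key}={manifest[key]}" for key in sorted(manifest))
    return hmac.new(vendor_key, canonical.encode(), hashlib.sha256).hexdigest()


def build_manifest(image: bytes, version: str, declared_changes: list) -> tuple:
    """What the vendor ships with the image: version, image hash, and the regions the
    release notes say changed. Returns (manifest, signature)."""
    manifest = {"version": version, "sha256": sha256_hex(image), "declared_changes": declared_changes}
    return manifest, manifest_signature(manifest, VENDOR_KEY)


def changed_regions(old_image: bytes, new_image: bytes) -> list:
    """Regions whose bytes differ between the installed image and the candidate update."""
    return [name for name, (lo, hi) in LAYOUT.items() if old_image[lo:hi] != new_image[lo:hi]]


def review_update(old_image, new_image, manifest, signature, vendor_key=VENDOR_KEY) -> dict:
    """Gate an update: authentic manifest, image matches its hash, and every changed region
    is one the vendor declared. An undeclared change is not proof of tampering, but it is
    the trigger for a human review instead of an automatic install."""
    report = {"signature_ok": False, "hash_ok": False, "changed_regions": [],
              "undeclared_changes": [], "accept": False}
    report["signature_ok"] = hmac.compare_digest(manifest_signature(manifest, vendor_key), signature)
    if not report["signature_ok"]:
        return report
    report["hash_ok"] = sha256_hex(new_image) == manifest["sha256"]
    report["changed_regions"] = changed_regions(old_image, new_image)
    report["undeclared_changes"] = [r for r in report["changed_regions"]
                                   if r not in manifest["declared_changes"]]
    report["accept"] = report["hash_ok"] and not report["undeclared_changes"]
    return report


# Constructed sample images. OLD_IMAGE is the "installed" firmware; GOOD_IMAGE changes only
# the app region; SUSPECT_IMAGE additionally rewrites bytes in the bootloader region that no
# release note mentions.
OLD_IMAGE = bytes(range(256)) * 4
_good = bytearray(OLD_IMAGE)
_good[800:810] = b"\xAA" * 10
GOOD_IMAGE = bytes(_good)
_suspect = bytearray(GOOD_IMAGE)
_suspect[16:24] = b"\xFF" * 8
SUSPECT_IMAGE = bytes(_suspect)

if __name__ == "__main__":
    manifest, sig = build_manifest(GOOD_IMAGE, "2.0.1", ["app"])
    print("declared-only update:", review_update(OLD_IMAGE, GOOD_IMAGE, manifest, sig))
    manifest, sig = build_manifest(SUSPECT_IMAGE, "2.0.2", ["app"])
    print("update with undeclared bootloader change:",
          review_update(OLD_IMAGE, SUSPECT_IMAGE, manifest, sig))
```

The region diff is the part a signature check alone does not give you: a vendor that has been compelled to include extra code will still sign the image, so the defender's only lever is to compare what changed against what the vendor says changed and hold anything unexplained for review.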

As a side note I'm happy to say that both Bill Plummer and Andy Purdy (Huawei's CSO) will be at Suits and Spooks DC. Andy will be speaking on a panel that I'm moderating which will explore cyber security risks in the supply chain. We still have about 28 seats available if you'd like an opportunity to discuss Huawei and related cyber security issues with a couple of the company's executives face-to-face.

Three Suits and Spooks Courses taught by 3 World-Renowned Experts: Limited Enrollment and Savings!

At Suits and Spooks events, we always have world-class speakers. But for 2014, I wanted to offer world-class training as well. For example, in January we're featuring:

CARMEN MEDINA: Specialist leader at Deloitte Consulting LLP after retiring from an almost 32-year career at the Central Intelligence Agency, where her roles included Director of the Center for the Study of Intelligence (CSI), Deputy Director for Intelligence, and Chief of the Strategic Assessments Group in the Office of Transnational Issues, Directorate of Intelligence. She has led analysts working on Southern Africa and Central America, and helped to design the Global Coverage Program and innovate new production methods to support policymakers. In the early 1990s, she served overseas in Western Europe.

Course title: "Analytic Methodology and Critical Thinking for Cyber Intelligence and Information Security"

LANCE COTTRELL: Chief Scientist at Ntrepid Corp. and the founder and principal at Obscura Security. He founded Anonymizer Inc. in 1995, and is an internationally recognized expert in cryptography, online privacy, and Internet security.

Course title: "Tools, Techniques, and Pitfalls in Internet Anonymity and Pseudonymity"

ROB DUBOIS: Security advisor, smart power authority and retired U.S. Navy SEAL with experience in more than thirty nations. He recently served as the operations manager for the Department of Defense Red Team where his innovative tactics earned him the reputation of the U.S.’s “top terrorist”. Rob has provided his “Think like the Adversary” workshop to elite military units in combat zones, Fortune 500 companies, and agencies including the National Counterterrorism Center.

Course title: "Better Red than Dead: Learn to build your own full-spectrum Red Team with a veteran Red Team leader"

Originally, in order to attend a workshop you needed to also register for the conference. I've changed that policy so now you can take the training without having to register for Suits and Spooks DC, or you can register for both. Basically, it's now your choice.

Finally, to help us fill these courses, and so get a better test of whether training is something we should continue to offer at Suits and Spooks events, I've lowered the tuition by 33% on all 3 courses until December 20th.

You can get complete details on each course by clicking on the course title, or call us with any questions you may have. Please help spread the word about this unique opportunity to learn from these highly esteemed professionals. Depending on our enrollment numbers, it may be the only time that we offer it.

If You Missed Suits and Spooks NY, Here It Is On Video


O'Reilly Media, the publisher of my book Inside Cyber Warfare, has produced a video compilation of our Suits and Spooks event. I'm proud to say that this is the first non-O'Reilly conference that they have produced for sale and it looks great. It doesn't include every speaker because some of the talks were under Chatham House rules, but here are the speakers that are included:
  • The Top 50 Non-state Hacker Groups in the World - Christopher Ahlberg (CEO of RecordedFuture)
  • Out of the Mountains: A Future of Feral Cities, Urban Systems Under Stress, and Increasing Overlaps Between the Real and Virtual Worlds - David Kilcullen (CEO of Caerus Associates)
  • Emerging Bad Actors in the Virtual and Physical Worlds (Jeffrey Carr, Moderator with Dr. David Kilcullen, Jonathan Hutson, Thomas Dzieran, Aaron Weisburd, Peter Mattis, and John Scott-Railton)
  • How to Survive a Surveillance-friendly Environment - Mike Janke (Co-founder, CEO of Silent Circle)
  • Should Defensive Strategies be Specific to the Threat Actor or Generalized for all Threat Actors? (Jeffrey Carr, Moderator with Pierre-Marc Bureau (ESET), Derek Manky (Fortinet), Roel Schouwenberg (Kaspersky), Chris Coleman (LookingGlass), Brian Carrier (Basis Technology))
  • Real-time Depiction of the Global Cyber Threat Landscape - Chris Coleman
  • Icefog: Mercenary Hackers Who Focus on Supply Chain Attacks in Asia - Roel Schouwenberg
  • Joseph Kony, the LRA and Elephant Poaching in Africa - Jonathan Hutson
The complete series is only $149. Here's where to order. We're going to be offering this again for Suits and Spooks DC so please let me know what you think.

Judge Leon's Three Key Findings Against the NSA that Prompted those Exclamation Points

“He’s very passionate; he uses a lot of italics and exclamation points,” Orin S. Kerr, a professor at the George Washington University Law School and a defender of the N.S.A.’s surveillance programs, said, referring to the way Judge Leon wrote the decision. Mr. Kerr said he found the judge’s ruling short “on legal reasoning.” (source: The New York Times)
There are several exclamation points in this decision. Judge Leon plainly feels that he has been lied to, and that we all have been. And he seems to be done with it. (source: The New Yorker)
Considering the above comments about Judge Leon's use of exclamation points, I thought it might be interesting to see what prompted them. I read his 68-page decision and found that Judge Leon used exclamation points three times. Here are those instances.

1(a). Plaintiffs Have Standing to Challenge Bulk Telephony Metadata Collection and Analysis.

"The Government argues that Judge Vinson's order names only Verizon Business Network Services ("VBNS") as the recipient of the order, whereas plaintiffs claim to be Verizon Wireless subscribers."

"Put simply, the Government wants it both ways. Virtually all of the Government's briefs and arguments to this Court explain how the Government has acted in good faith to create a comprehensive metadata database... - in which case the NSA must have collected metadata from Verizon Wireless, the single largest wireless carrier in the United States, as well as AT&T and Sprint, the second and third-largest carriers."

"Yet in one footnote, the Government asks me to find that plaintiffs lack standing based on the theoretical possibility that the NSA has collected a universe of metadata so incomplete that the program could not possibly serve its putative function. Candor of this type defies common sense and does not exactly inspire confidence!" (p. 38)

2. The Collection and Analysis of Telephony Metadata Constitutes a Search.

"First, the pen register in Smith was operational for only a matter of days between March 6, 1976 and March 19, 1976, and there is no indication from the Court's opinion that it expected the Government to retain those limited phone records once the case was over.

"In his affidavit, Acting Assistant Director of the FBI Robert J. Holley himself noted that "[p]en-register and trap-and-trace (PR/TT) devices provide no historical contact information, only a record of contacts with the target occurring after the devices have been installed."

"This short-term, forward-looking (as opposed to historical), and highly-limited data collection is what the Supreme Court was assessing in Smith. The NSA telephony metadata program, on the other hand, involves the creation and maintenance of a historical database containing five years' worth of data."

"And, I might add, there is the very real prospect that the program will go on for as long as America is combatting terrorism, which realistically could be forever!" (p. 47)

3. The Public Interest and Potential Injury to Other Interested Parties Also Weigh in Favor of Injunctive Relief.

"("[T]he public interest lies in enjoining unconstitutional searches.") That interest looms large in this case, given the significant privacy interests at stake and the unprecedented scope of the NSA's collection and querying efforts, which likely violate the Fourth Amendment. Thus, the public interest weighs heavily in favor of granting an injunction."

"The Government responds that the public's interest in combating terrorism is of paramount importance - a proposition that I accept without question. But the Government offers no real explanation as to how granting relief to these plaintiffs would be detrimental to that interest. Instead the Government says that it will be burdensome to comply with any order that requires the NSA to remove plaintiffs from its database."

"Of course, the public has no interest in saving the Government from the burdens of complying with the Constitution!" (pp. 65-66)

---------

Here's the full opinion. It's well worth reading. The fact is that our interaction with and reliance upon technology has fundamentally changed what privacy means to us today, and it will certainly change even more tomorrow. Court decisions from 30 or more years ago that have informed the current laws protecting our Fourth Amendment rights should be revisited and updated to meet today's reality of instant communication, geolocation, and data analytics.

Who's Defending U.S. Military Networks if the NSA and FIS are Breaking Them?

According to Der Spiegel, the NSA has been developing tools to compromise software, hardware, and firmware made by multinational corporations in the U.S. and overseas. U.S. companies affected include Juniper Networks, Cisco, Dell, Western Digital, Seagate, and Maxtor, plus many others. Unless the company has offered to work with the NSA to create backdoors in its own products, you have a situation where the agency with primary responsibility for defending U.S. Department of Defense networks from digital attack is also engaged in weakening the very technology used by the DOD on those networks, such as Juniper Networks firewalls, Cisco routers, Seagate hard drives, etc.

Perhaps this wouldn't be a problem if foreign intelligence services (FIS) didn't also have the technical capability to find those same vulnerabilities or others. For example, Xidian University in Xi'an, Shaanxi, China is one of China's top engineering universities. Its State Key Laboratory of Integrated Services Networks conducts research for military-specific and dual-use systems, including cryptography, offensive network attacks, and systems to be used in confrontational environments.

Here's another example taken from our database of adversary R&D research. The Chinese Academy of Sciences' State Key Lab of Information Security reports directly to the Ministry of Public Security, among other government agencies. In addition to their primary research area of information security, they develop network attack systems.

Russia has similar educational institutions which focus on information security and electronic warfare for the Ministry of Defense, the FSB, and other relevant agencies. One example is the Voronezh Military Radio-electronics Institute, which is part of the Voronezh Aviation Engineering School. Part of their information warfare research includes breaking the security of automated systems.

Since Dell, Cisco, Juniper, etc. build hardware, firmware, and software that's broadly used around the world and especially on U.S. government networks, it's only logical to conclude that those companies' products are being examined for exploitable vulnerabilities by Russian and Chinese scientists who are at least equal if not superior to those employed by the NSA. Let's remember that unlike the NSA, scientists at Russian and Chinese foreign research laboratories don't have to compete with their respective versions of a Silicon Valley for high paying tech jobs. They can attract and keep their nation's brightest scientists focused on these high priority government military and civilian projects.

Bottom line: if the NSA has found or developed backdoors in critical U.S. technology, so have our adversaries, and by "adversaries" I don't mean Mandiant's version of the bored PLA hacker with sloppy OPSEC. We need, as an industry, to have more respect for our opponents. And there needs to be a serious discussion about whether the NSA can really defend U.S. military networks while also engaged in exploiting weaknesses in the very technology that those networks rely upon.

UPDATE (JAN 02 2014): Bruce Schneier has begun posting one NSA exploit per day at his blog. The first one called DEITYBOUNCE exploits the motherboard on Dell PowerEdge servers.


Joining Mikko in Protest, I've Cancelled My Talk at RSA

Granted, I'm no Mikko Hyppönen and my talk was a mere 20 minutes on the last day of the RSA conference, but I think it's vitally important that those of us who profoundly object to RSA's $10 million secret contract with the NSA do more than just tweet our outrage. We need to take action.

RSA issued the weakest of denials possible on December 22nd and hasn't made any attempt to clarify its position since. The company's denial failed to address most of the troubling points raised in Joe Menn's article for Reuters. This, on top of RSA's horrible handling of its 2011 SecurID breach, has shattered any remaining trust in the company as far as I'm concerned.

Obviously, I hope that RSA and EMC's leadership will eventually rise to the occasion and be fully transparent about what happened and why. However, unless and until RSA fully addresses this apparent breach of trust, I won't be speaking at any RSA events, nor will I accept RSA as a sponsor at any future Suits and Spooks events.

UPDATE (Jan 3, 2014): I just learned that Josh Thomas of Atredis also pulled his talk from RSA back on December 26th. That makes three of us as of today.

Related

An Open Letter to the Chiefs of RSA and EMC by Mikko Hyppönen
Exclusive: Secret contract tied NSA and security industry pioneer by Joseph Menn

NSA's $10M RSA Contract: Origins

"For almost 10 years, I've been going toe to toe with these people at Fort Meade. The success of this company (RSA) is the worst thing that can happen to them. To them, we're the real enemy, we're the real target."

"We have the system that they're most afraid of. If the U.S. adopted RSA as a standard, you would have a truly international, interoperable, unbreakable, easy-to-use encryption technology. And all those things together are so synergistically threatening to the N.S.A.'s interests that it's driving them into a frenzy."
 
- James Bidzos (President, RSA Data Security) in an interview with Steven Levy of the New York Times, June 1994
Compare the above remarks by former RSA President James Bidzos in 1994 with RSA's formal statement about its relationship with the NSA (December 2013):
We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.
What happened to turn a company that in the '90s knew exactly where it stood vis-à-vis the NSA into this latest NSA-friendly incarnation? According to Reuters, it was a change in business direction away from pure cryptology in favor of joining the government in the war on hackers.
"When I joined there were 10 people in the labs, and we were fighting the NSA," said Victor Chan, who rose to lead engineering and the Australian operation before he left in 2005. "It became a very different company later on." By the first half of 2006, RSA was among the many technology companies seeing the U.S. government as a partner against overseas hackers.
Steven Levy's article "Battle of the Clipper Chip", which is where I found the top quote from James Bidzos, is a must-read because although it was written 19 1/2 years ago, it provides keen insight into the issues that frame today's crisis of trust with RSA. Back then, the NSA and the Clinton Administration thought that a key escrow plan like the Clipper Chip was the way to go. When the marketplace rejected Clipper, the NSA eventually switched tactics to develop and promote its own encryption algorithm: first to RSA with a $10 million sweetener, and then to NIST with the incentive that RSA had already adopted it. Today we all know that the NSA succeeded. What isn't known is why RSA agreed to it.

RSA's public statement on the issue is both misleading and lacking in details pertaining to the facts uncovered by Joseph Menn for Reuters. Here are the four key points made in the statement and the problems with each:
“We made the decision to use Dual EC DRBG as the default in BSAFE toolkits in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.”
This fails to disclose the terms of RSA's agreement with the NSA to use Dual EC DRBG. It also paints RSA as naive as to the NSA's motives which is ludicrous once you know what happened 10 years earlier with Clipper Chip.
“This algorithm is only one of multiple choices available within BSAFE toolkits, and users have always been free to choose whichever one best suits their needs.”
With this statement RSA is trying to pass off the responsibility for using a back-doored Random Number Generator to the user!
“We continued using the algorithm as an option within BSAFE toolkits as it gained acceptance as a NIST standard and because of its value in FIPS compliance. When concern surfaced around the algorithm in 2007, we continued to rely upon NIST as the arbiter of that discussion.”
It became a NIST standard because RSA took the NSA's money in the first place. Concerns about the algorithm were raised in 2006 and were included in NIST SP 800-90A as being unresolved. By 2007, RSA should have been sufficiently alarmed to investigate on its own. To say that they relied upon NIST as the arbiter is merely an attempt to shift responsibility away from itself as the producer and onto NIST.
“When NIST issued new guidance recommending no further use of this algorithm in September 2013, we adhered to that guidance, communicated that recommendation to customers and discussed the change openly in the media.”
So once the New York Times' article was published and NIST took steps, then RSA did the right thing? And they expect credit for that?

RSA cannot escape responsibility for offering a compromised BSAFE product for the last 9 years by saying "we just followed NIST" and "our customers had a choice". This is a gross violation of its own mission statement not to mention its own illustrious history of defending the integrity of encryption against government attempts to weaken it.
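To make concrete what "a compromised BSAFE product" and "a back-doored Random Number Generator" mean in the argument above, here is an added toy model of the Dual EC DRBG structure. It is written for this article and is not RSA BSAFE, NIST or NSA code; the 31-bit curve, the scalar d and the seed are constructed values, and the 16-bit output truncation of the real generator is omitted. It shows the relationship Dan Shumow and Niels Ferguson published in 2007: whoever knows the scalar relating the two public points P and Q can recover the generator's next internal state from a single output and predict everything that follows, while someone without that relation cannot. That is why the provenance of unexplained constants in a cryptographic default matters, and it is the question RSA's statement never answers.

```python
# Toy model of the Dual EC DRBG structure on a tiny curve. Constructed for this article;
# it is not RSA BSAFE, NIST or NSA code, and the curve, d and seed are made-up values.
P_MOD = 2**31 - 1          # prime modulus; 3 mod 4, so square roots are v^((p+1)/4)
A = (-3) % P_MOD           # curve y^2 = x^3 + A*x + B (constructed constants)
B = 12345
INF = None                 # point at infinity


def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                    # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def lift_x(x):
    """A curve point with x-coordinate x, or None if x^3 + A*x + B is a non-residue."""
    v = (x**3 + A * x + B) % P_MOD
    y = pow(v, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if (y * y) % P_MOD == v else None


def first_point_from(x):
    """Search upward from x for an x-coordinate that lies on the curve."""
    while lift_x(x) is None:
        x += 1
    return lift_x(x)


# The two public constants. In the standard P and Q are fixed, unexplained points; here P is
# derived from Q with a known d, i.e. P == d*Q, which is exactly the relation an attacker needs.
Q = first_point_from(1000)
D = 0x1234567
P = ec_mul(D, Q)


class ToyDualEC:
    """One step per call, mirroring SP 800-90A: s = x(s*P), then output r = x(s*Q).
    The real generator drops the top 16 bits of r; the toy outputs the whole x-coordinate."""

    def __init__(self, seed, p_point=P, q_point=Q):
        self.s = seed % P_MOD
        self.P, self.Q = p_point, q_point

    def next_output(self):
        self.s = ec_mul(self.s, self.P)[0]
        return ec_mul(self.s, self.Q)[0]


def recover_and_predict(observed_r, d, p_point=P, q_point=Q, count=3):
    """Shumow-Ferguson observation: with P == d*Q, one output leaks the next state.
    r = x(s*Q), so a lift R of r is +-(s*Q) and d*R = +-(s*P); the sign does not change
    the x-coordinate, which is exactly the generator's next state."""
    r_point = lift_x(observed_r)
    if r_point is None:
        raise ValueError("not a valid output of this curve")
    s = ec_mul(d, r_point)[0]
    predicted = []
    for _ in range(count):
        predicted.append(ec_mul(s, q_point)[0])      # the output the victim emits next
        s = ec_mul(s, p_point)[0]                    # and the state after that
    return predicted


def demo(seed=987654321, count=3):
    """Real outputs versus the attacker's prediction from a single observed output."""
    gen = ToyDualEC(seed)
    first = gen.next_output()
    real = [gen.next_output() for _ in range(count)]
    return {"real": real,
            "predicted_with_d": recover_and_predict(first, D, count=count),
            "predicted_with_wrong_d": recover_and_predict(first, D + 1, count=count)}


if __name__ == "__main__":
    print(demo())
```

The point of the two predictions is the asymmetry: the generator's public description is identical in both cases, and only the party holding d gets anything out of an observed output. A default whose constants nobody outside the designer can explain therefore deserves exactly the scrutiny the 2007 concerns called for, whether or not NIST had yet acted on them.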

I announced last Friday that I joined Mikko Hyppönen and Josh Thomas in pulling my talk from RSAC, but there needs to be an industry-wide boycott of RSA products. It's not enough to just talk about how bad this is. RSA's parent EMC, like every other corporation, has a Board of Directors that is answerable to its shareholders for maximizing revenue. If RSA's customers begin canceling their contracts and/or refuse to buy RSA products, the company's earnings will drop, and that's the type of message that forces Boards to make changes.

Related

Joining Mikko in Protest, I've Cancelled My Talk at RSA

NSA Limericks, Jim Bidzos' Threats, and the 1st RSA Conference

I found some illuminating and very funny quotes that depict the adversarial relationship that existed between the NSA and RSA before the controversial $10M contract deal of 2004:

"There is a group at Fort Meade
who fear that which they cannot read
so they fight with their friends
(God knows to what ends!)
In attempts to get more than they need."
-- Jim Bidzos, CEO of RSA Data Security (source: Sam Simpson Cryptography Quotes)
"If I see you in the parking lot, I'll run your ass over"
- NSA Export Officer to Jim Bidzos (Head of RSA), April '94 (p. 287, Crypto by S. Levy)
"(C) Jim Bidzos, the aggressive RSA representative, was unable to attend but curmudgeon Whit Diffie presented a frail RSA position (Bidzos would have been much more implacable) and was essentially ignored by the panel."
Declassified NSA "Cryptolog", March 1994, p. 17, describing a meeting at Eurocrypt '92 held on May 24-28, 1993 in Hungary.
 And then I found this recounting by Jim Bidzos of how the first RSA Security conference came about:
"Yost: You mentioned the conference. Can you talk a bit about the origin of the RSA Data Security Conference, about both the founding and the early years of it?
"Bidzos: Yes, actually it originated—you know there’s another example where there’s just one moment, one phone call where this happened—right about the time that the Electronic Frontier Foundation was being born around 1991. And actually it was also the time that something called CPSR, Computer Professionals for Social Responsibility, was becoming EPIC, the Electronic Privacy Information Center. The director of which is a guy named Marc Rotenberg.
"This was a time when the government made an announcement. I don’t think it was the Clipper chip at the time, I think it was something called the DSA. Anyway they were starting to try to set or dictate [encryption] standards for the business community. They had made some announcement and Marc called me up and said, “They’ve just announced this. Have you seen this?”
"And I said, “Yes.” And he said, “What are we going to do about this?” And I said, “I don’t know. It sounds to me like the best thing we can do is educate people, so maybe what we ought to do is host a conference and educate people about this. I’ve got access to a lot of people who can talk about it.”
"It was his phone call, basically pleading, “What are we going to do? What are you going to do?” He was really bothered by DSA, seemed up in arms and didn’t know what to do. All that nervous energy that I felt somehow made me feel obligated to do something. So that’s when I came up with this idea to have this conference. So I got Rivest and a few other people, I think Marty Hellman was there, Taher El Gamal and some other people to say this is a bad idea and here’s why. And so we let people come for free, I think we got sixty people. It just seemed like a good thing to do again the following year."
How times have changed.


RSA Boycott or Not? 3 Questions To Help You Decide.

1. Did Joseph Menn's Reuters article contain sufficient information to raise your suspicion that RSA may have collaborated with the NSA for $10M in exchange for using NSA's preferred encryption algorithm?
If no, you can stop here. If yes, move to question 2.

2. Did RSA's response address your concerns?
If yes, you can stop here. If no, move to question 3.

3. What action can you take that you believe would prompt RSA to be more forthcoming?
Then do it.

Related

Joining Mikko in Protest, I've Cancelled My Talk at RSA

NSA's $10M RSA Contract: Origins