TrustyCon's RSA Conference rebels promise more to come
Government-sponsored malware, the legal implications of the US government's pro-spying defense, and a discussion of tools to fight for the future lit up the agenda at the first Trustworthy Technology Conference.
SAN FRANCISCO -- What started as a one-man boycott of the annual RSA Conference here in response to the confab's parent company's ties to the National Security Agency has begun to blossom into a broader movement to reclaim the trust of technology and Internet users.
Alex Stamos, co-organizer of the event -- nicknamed TrustyCon -- and chief technology officer at the security firm Artemis, took the stage in Theater 14 at the AMC Metreon multiplex to explain just why the Trustworthy Computing Conference was needed in the first place. After all, with Security B-Sides earlier in the week, it's not even the first counter-conference programmed against RSA.
The goal, he said, was not to have "another" security conference, "but a trust conference." It was also a fundraiser for the Electronic Frontier Foundation, scoring $20,000 for the group.
"How do we build trustworthy systems?" he asked the crowd. Citing viruses, malware, and the post-Snowden leaks environment, he said, "We have failed."
TrustyCon's roots are tied to the rebellion of Mikko Hypponen, an unlikely source of dissent. Hypponen, the chief technology officer at Finnish security firm F-Secure and a computer virus and malware expert, has spoken at the RSA Conference for the past eight years and was the first major speaker to withdraw from the show.
"I'm not expecting to participate in the future," he said, although he later revealed after TrustyCon that the RSA Conference organizers had pleaded with him privately to stay on board. He said he had openly published his letter to the RSA Conference organizers as a challenge to other speakers.
"I wasn't expecting anyone else to cancel, wasn't expecting American speakers to cancel," he said, explaining that at the time he had seen it as an issue of national pride.
To his surprise, he told TrustyCon, "the ones with the balls have canceled."
His TrustyCon speech focused on the simmering international conflict. He pointed out that thanks to Snowden and to the Stuxnet revelations, we've learned that governments were actively writing and delivering malware.
"Ten years ago this would've been science fiction," he said.
He noted that he wasn't against all government spying and said that high-profile political leaders such as Angela Merkel of Germany have a reasonable expectation to be the targets of surveillance.
"The problem," he said, "is listening to the traffic of people on the street. Why is it being collected? Because it's technically possible. We created the monster."
Other speakers also focused on the issue of trust, and of otherwise trustworthy computing systems exploited by governments, including the US.
Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union who has spoken often against domestic spying since the Snowden leaks, cited the US government's exploitation of automatic software updates as an example of how trust in both technology and government has been compromised.
A talk by civil liberties attorney Marcia Hofmann emphasized the government's legal logic and how it rests on laws that lag far behind the technology they govern. Google's Chris Palmer, of the Chrome secure usability team, gave a technical explanation of why it's so difficult to build encryption tools that are easy for the general public to use.
During an onstage interview with Joseph Menn, the reporter who first broke the story of RSA's connections to the NSA, independent security expert Bruce Schneier sounded a call to action to build better tools.
"Twenty years of PGP has taught us that one-click encryption is one click too many," Schneier said.
He also echoed Hypponen's point that not all spying is bad, something that tends to get lost in the outrage over the leaked document revelations. "If the Snowden docs had shown the NSA spying on North Korea and the Taliban, nobody would've cared because that's their job," he said.
The show ended on talks by Def Con founder and Homeland Security adviser Jeff Moss and noted technologist and Princeton professor Ed Felten. Moss focused on empowering the gathering of hackers and information security experts, explaining that while everybody "needs the Net to work," "the only ones" interested in "knowledge" are hackers, researchers, and academics.
Felten, who has testified in front of the US Senate on the issue, reminded those who wanted to get involved that fixing the NSA meant paying attention to what NSA officials have said.
"You have to read every word carefully," he said, "and especially every word by an intelligence official under oath."
"I haven't spent this long in a movie theater since I was a teenager and hid in the back all day," quipped Stamos as he closed the conference by promising the return of TrustyCon.
"This was not a one-time thing," he said, "because the issue is not a one-time thing."