Less than two months before the industry's annual RSA Conference, respected researchers and experts are canceling their appearances at the major event in light of allegations that the National Security Agency (NSA) arranged a shady deal between it and security firm RSA.
The fallout started after a disquieting article was published by Reuters last month.
In the story, which sourced classified documents obtained by whistleblower Edward Snowden, the outlet detailed a $10 million contract which set an NSA-influenced formula as the default method for number generation in RSA's BSAFE software.
Robert Graham, CEO of Errata Security, posted a running list online this weekend of the speakers that have pulled out of the conference in San Francisco, which will take place Feb. 24 through 28.
Easily the largest annual gathering of security pros in the U.S., the RSA Conference will now be missing several voices that planned to lead talks or speak on panels.
Among the confirmed cancellations are F-Secure Chief Research Officer Mikko Hypponen, Taia Global CEO Jeffrey Carr, Atredis Partners “Breaker in Chief” Josh Thomas and well-known privacy buffs Chris Soghoian (with the American Civil Liberties Union) and Marcia Hofmann (a special counsel at the Electronic Frontier Foundation who recently started her own practice focusing on tech and privacy issues).
In addition, Google software engineers Adam Langley and Chris Palmer, along with Alex Fowler, Mozilla's global privacy and public policy leader, have decided not to speak next month.
Josh Thomas, a partner at security firm Atredis, told SCMagazine.com on Wednesday that although RSA, the company, and RSA, the conference, “are two different entities,” they still “share the same name,” and he didn't want to lend his name or credibility to the event.
“If I speak at the conference, I feel that I lend my name to their credibility and actions as a company,” Thomas said. “I had no interest in press [in canceling]. I just did not want to lend my name to something I do not believe in.”
He continued, saying that he doesn't believe that the group of cancellations will have a “big impact at the end of the day” on the company, “but on my principled stance, I just don't want to be a part of it.”
Soghoian specifically referenced RSA's quick (and meticulously worded) denial of the NSA allegations.
“I've given up waiting for RSA to fess up to the truth re: the NSA and Dual_EC. I've just withdrawn from my panel at the RSA conference.” (Christopher Soghoian, @csoghoian, January 7, 2014)
On Wednesday, Hypponen took to F-Secure's website to confirm that, in addition to his canceling his appearance in an FTC panel at the event, the company would not be “speaking, sponsoring or exhibiting at RSA Conference USA 2014.”
“While I am glad to see that many other speakers have decided to cancel their appearances at RSA 2014 in protest, I don't want to portray myself as a leader of a boycott,” Hypponen wrote. “I did what I felt I had to do. Others are making their own decisions.”
The board for the Open Web Application Security Project (OWASP), a nonprofit group aimed at improving software security, is currently deciding whether the group should move forward with plans to train developers at the conference. OWASP has asked members to weigh in via a poll.