Wednesday, 21 May 2014

Stick by Your Guns – or Die by Your Marketing!

'No more drama'; I clearly remember me saying this at the end of BsidesLondon.  I also remember saying that if 'you disagree with someone, then that's fine too'.  No more name calling though.  So, I get to live by my rants and stand by them. 

Let's get this out of the way; I disagree with F-Secure and Mikko Hypponen.

Now, just so we are all very clear, I actually have a lot of respect for Mikko, as do many in our industry.  However, what has played out IMHO over the last few months has been at best confusing, and at worst incredibly contradictory.  A short time-line of the events that have led me to this personal opinion of both Mikko and F-Secure is as follows:

ZOMG NSA RSA WTF $$$$$
UMAD BRO, NOT SPEAKING AT RSA!
MAN IZ LOOKING FOR FREEDOM WITH THE HOFF!
PROTECT FACEBOOK USERS FROM MALWARE!

Let me connect the dots here.  Mikko and F-Secure took a stand about the allegations that RSA took money to purposely back-door some of their security products.  Mikko, who as most of you will know was a regular speaker at the RSA conferences, took objection to what he and F-Secure thought was unacceptable and cancelled his talk(s) with them.  This engaged the 'cyber-media-firetrucks' and the circus came to town.  As that stood, I personally thought he had the right to do this and ask questions.  Let's say a win for Mikko and F-Secure here.  Now, you know what would be a good idea here?  Another bloody conference in San Francisco at the same time as RSA, because you know, we have the flights and shit, we should totally go and hold some type of awesome conference in protest!  Errrr, guys, you know BSidesSF is an awesome conference that is about people connecting and contributing?!?  That seemed to be a moot point, as another conference started its cyber-engines, in my personal opinion!

Fast forward to about two weeks ago; Mikko, F-Secure, and David Hasselhoff come to Berlin to talk about how the Hoff is a privacy campaigner and has been for twenty years (I know, it surprised me too, but a man's gotta eat I guess) and they want to produce a 'Digital Freedom Manifesto', followed by a wee sing-song about 'Looking for Freedom'.  The only thing I'm looking for is why on earth you need a gimmick for a subject matter so large?  Still, I guess we can call it a win here for Mikko and F-Secure, although personally the cyber-media circus around the initiative is beyond me.  Hey, you know they don't build statues to critics, so I'll wind my neck in on this!

To recap: RSA bad for working with the NSA, Digital Freedom needed, and you know what else we need?  Malware scanning on Facebook!  Well yeah, I guess, I mean, malware is bad voodoo and a lot should be done to fix it, but I thought you, Mikko and F-Secure, didn't like it when they worked with NSA partners!  You know, Digital Freedom, and what not?

F-Secure announced today that they will be partnering up with Facebook to help its users scan for malware and give them a scanner if they detect anything that could be malicious.  There is thus a real chance that mom and pop will actually have some protection from those evil malware authors (no, I don't mean the intelligence services around the world, I mean the bad dudes!).  I guess this is a win for Mikko and F-Secure also.  I might add, not bad business getting your brand out to that many Facebook users.

In total, that adds up to three wins in the column for F-Secure and Mikko.  You see, this is where it gets difficult for me; it just doesn't really add up.  The journey runs from RSA being the bad guys, and all the attention that came from that, to launching a digital freedom manifesto, wrapped up nicely by working with Facebook.  I just can't get my head around RSA==BAD, FB==GOOD.  They've both taken flak from the Snowden leaks, they've both been accused of assisting the NSA to spy on foreigners (that's non-Americans like Mikko and myself, if you're wondering).  There are some differences though between the two organisations.

RSA and Facebook, both big names?  No, not really.  RSA is big in industry, but Facebook is a big name to EVERYONE.  Even those that know RSA, know Facebook.

Both RSA and Facebook have used customer data to make money?  Grey area here.  Facebook is definitely not known for loving the gods of privacy and in fact, their business model sort of precludes them from it.  RSA, on the other hand, sell actual products for securing people (although this is the area of issue: back-dooring security products is just out and out wrong), and I suppose selling back-door access could be argued as supplying customer data.

Both RSA and Facebook have had relationships with the NSA.  Now here comes Mikko's response to this when I tweeted him about it:

'I have no proof of FB volunteering their data to any intelligence agencies.  Do you?'

To which I responded:
'So, did you use the Snowden leaks as proof for the payment to RSA?'

Technically speaking, I'm wrong; Mikko didn't use the Snowden leaks as proof, he used Reuters, which referenced a Snowden leak.

'On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million.'  
http://www.f-secure.com/weblog/archives/00002651.html

'Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back-door” in encryption products'
http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220

Now, to justify what I've said: my burden of proof that Facebook also spied on people for the NSA doesn't come from Reuters, it comes from the New York Times I'm afraid; however, Reuters reference them, so I'm sure it's cool for me.

'The companies that negotiated with the government include Google, which owns YouTube; Microsoft, which owns Hotmail and Skype; Yahoo; Facebook; AOL; Apple; and Paltalk, according to one of the people briefed on the discussions. The companies were legally required to share the data under the Foreign Intelligence Surveillance Act.'

http://www.nytimes.com/2013/06/08/technology/tech-companies-bristling-concede-to-government-surveillance-efforts.html?ref=global-home&_r=2&pagewanted=all&

So to be fair, Facebook had to do it!  Yeah, well they could have joined Twitter and made it hard for them to spy on foreigners (like Mikko and me).  I guess you can argue either way on them 'volunteering' their data to intelligence agencies, but I'm going to go with; YES, I BLOODY DO!  If the burden of proof used to damn RSA was leaks, then the burden of proof for Facebook should be the same.

Now, I've gone a long way around to say this, but here is the crux of it:
If you damn one for the sin, then damn them all!  It's contradictory to attack RSA and yes, give Facebook a pass for the same thing.  RSA couldn't give the intelligence agencies a mailbox feature (I believe in some of the posts they call it a back-door) similar to the one offered by Facebook, so a flawed encryption algorithm which acts like a back-door might have been their own choice too.

It seems that the real argument is going to focus on what your definition of 'volunteering data' is.  For me, it's painfully simple: publicly attacking RSA for badness, whilst ignoring that data is being given with the knowledge of Facebook, who didn't fight against it, unlike Twitter, is at best a confusing stance.  I fail to see how you can campaign for 'Digital Freedom' when you've partnered up with someone who gave the intelligence agencies a portal to invade our privacy without our knowledge.

So yes, this post is a bit trolling, I know, but hey, I thought you did the right thing with RSA, I just thought you were shitty with BsidesSF.  I personally think gimmicks are for other vendors incapable of making a lucid, valid argument, something I'm sure F-Secure is capable of doing.  Moreover, if you give a position publicly, then for the love of God, stand by it!  You have a chance to lead by example, and at best you've changed a position about working with people who break our trust in our privacy. 

You wouldn't want people to think that the steps taken over the past few months have been more about publicity than freedom.

finux