RSA says it adopted the Dual EC algorithm in 2004, meaning an alleged 2006 NSA payoff makes no sense. But there are plausible explanations.
Organizers iSEC Partners, the Electronic Frontier Foundation (EFF) and DEF CON announced Monday morning that their inaugural event, taking place Thursday, Feb. 24, 2014 at the AMC Metreon Theatre in San Francisco, sold out its 400 seats in three days.
Billed as an event for information security enthusiasts interested in "the technical, legal and ethical underpinnings of a stronger social contract between users and technology," TrustyCon was created in part as a venue for speakers who bowed out of this year's RSA Conference because of RSA's alleged ties to the National Security Agency.
RSA has faced harsh industry criticism following a December Reuters report alleging that the EMC-owned security vendor signed a $10-million contract around 2006 with the NSA to use the flawed Dual_EC_DRBG pseudorandom number-generating algorithm as the default option in its BSAFE cryptographic library product. If true, RSA may have been a willing collaborator in helping the NSA secretly access data encrypted using that algorithm. RSA has denied the allegations.
In response, several high-profile RSA Conference speakers who had been slated to take the stage at the information security industry's biggest annual conference chose to pull their talks and instead appear at TrustyCon, among them Josh Thomas of Atredis Partners, Mikko Hypponen of F-Secure Corp. and EFF attorney Marcia Hofmann.
"I'm happy to speak at TrustyCon and I'm waiting to see lots of people there," Hypponen told SearchSecurity. He declined to comment on his decision to drop out of the RSA Conference.
Lead TrustyCon organizer Alex Stamos of iSEC Partners said the organizers had hoped to eventually launch such an event, and the RSA backlash provided an unexpected boost of momentum.
"This just gave us a really good opportunity in that you had very good speakers who were available," Stamos said, "some of whom had nonrefundable tickets to San Francisco."
The arrival of TrustyCon presents yet another option for RSA Conference attendees in what has become an increasingly busy week in the City by the Bay. In addition to the RSA Conference and the other events that collocate with it, such as those held by (ISC)² and the Cloud Security Alliance, the Security B-Sides group holds a popular event that competes with the RSA Conference.
Stamos, though, brushed off criticism of TrustyCon being yet another event during RSA Conference week.
"There are always people who want to be meta-contrarians in the security industry -- and they don't have to come," he said. "That's the great thing about a conference; it doesn't hurt anybody."
Stamos said that while the event primarily features information security researchers, having the event coincide with the RSA Conference presents the opportunity to share information with the wide range of information security practitioners in town for RSA's event.
"I think it's honestly more important for those people to be exposed to these kinds of voices than it is for security researchers to go watch each other in Vegas," Stamos said.
The TrustyCon team has not invited anyone from RSA to attend its event, but Stamos said they would be welcome to do so.
"I'm good friends with some folks who work in the overall EMC company and I'd be happy to have one of them if they're interested, but that seems unlikely."
Conference organizers have announced a waiting list for those still interested in attending. More information can be found on the conference website. Proceeds from the event will benefit the EFF.