With this year’s RSA Conference only 6 weeks away it’s notable that the conversation around the event doesn’t hinge on the most important speakers or research expected to be discussed, but rather an usual circumstance for an information security event: a boycott.

Due to the allegations that the NSA paid $10 million to RSA for their complicity in defaulting their Bsafe product to utilize the known-weakened Dual EC DRBG, numerous information security professionals have opted to bail on their speaking obligations as a form of protest. As of this writing, the list of people involved with this boycott is at 12, including speakers and panelists. The list of boycotters currently includes the likes of F-Secure’s Mikko Hypponen and the EFF’s Marcia Hofmann.

While the reasoning for each boycotter differs slightly, all of them are very clearly upset at what they (and many others) believe is nothing short of a complete betrayal of the consumers and organizations who have put trust into RSA to be a leader of information security. What’s not clear is whether a boycott is the most impactful way to really make a point towards this situation we find ourselves in. Let’s think about a few other roads that are viable to show disdain.

1) Make Your Party Into a “Backdoor Ball”

I’ll wait a minute for you to groan at that title… OK, good! The point is that depending on your power to impact your organization’s actions you could perhaps take you regular old RSA after-party and change it into one that focuses its attention towards making change.

For example, hold a silent auction with the proceeds going towards the EFF. Also, instead of buying bags of corporate swag, give everyone t-shirts that they can wear around the conference to show their anger towards the actions of RSA. This road could lead to more advocates that are informed of the situation and can stand with you to show how collectively upset the community is.

2) Fun With Badges & Pieces of Flair

The fact that RSA’s name (while their roots are still to be respected) is comically close to NSA seems to lend its self to the potential for some clever badge reworking. I’m sure your local hacker space could come up with some alternative badges to walk around with for the event or even ways to manipulate your official one.

Ever see people wear small ribbons on their shirts? Perhaps lapel pins to show allegiance? I’d bet seeing 10,000 people walking around with a similar statement would be quite impactful even if the act of doing so may seem small. This is one of those “the sum is greater than its parts” situations.

3) Fire Talks With a Mission

Breakout sessions and fire talks are quite common at many information security conferences these days. Typically, such events would provide a chance for newer speakers (or those otherwise not accepted to the main CFP) to have a chance to give a short presentation. What if RSA became a venue for such presentations but completely outside the desired scope of the organizers?

Imagine walking through a hallway and seeing 200 people standing around as a would-be boycotter gives a presentation on the deceit of RSA or otherwise gives those walking by a few earfuls of the anger they feel towards the NSA. This is the equivalent of an info sec sit-in and would surely gain attention by attendees and the press.

The Road Less Traveled

While these are just a few ideas, I’d charge readers with remembering that while it’s always reasonable to follow people you trust or admire down a path, consider what other avenues you have at your disposal and find alternative ways to make a difference. Ultimately I don’t think we’ll see a “normal” year at the conference by a long shot.

Mark Stanislav | Duo Security | @markstanislav


Bio: Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor, Michigan-based start-up focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, start-up, and corporate environments, primarily focused on Linux architecture, information security, and web application development.

Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. During his time at EMU, Mark built the curriculum for two courses focused on Linux administration and taught as an Adjunct Lecturer for two years. Mark holds CISSP, Security+, Linux+, and CCSK certifications.

Notify of
1 Expert Comment
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Information Security Buzz
Would love your thoughts, please comment.x