The Complex

Techies Boycott Big Security Conference Over NSA Spying

The annual RSA conference in San Francisco, founded by the computer security company of the same name, is a marquee event for the security industry and has long been a forum for some of the most vocal opponents of government surveillance to discuss ways to keep personal data safe from prying eyes. But this year, talk of betrayal is in the air. At least eight prominent attendees are pulling out of the conference, which begins next month, and are canceling planned talks and presentations to protest RSA's alleged covert collaboration with the National Security Agency.

At issue is a $10 million deal that RSA reportedly struck with the spy agency to include a deliberately flawed algorithm in one of its security products, which effectively gave the agency a backdoor to spy on RSA's customers.

The alleged deal, which was reported last year by Reuters, shocked many security experts and technologists, who have long seen RSA as a pioneering defender of privacy-enhancing technologies like encryption and a historic adversary of the NSA. The company's products are used by people, companies, and governments around the world to shield their communications and data.

The agency's efforts to weaken an encryption algorithm that RSA eventually adopted in 2006 were confirmed in documents disclosed by Edward Snowden. His leaks have revealed a multifaceted campaign by the NSA to foil encryption and steal unencrypted information from Google and Yahoo. But the Reuters report is the first specific allegation of a company being paid to secretly insert weaknesses into its products in order to help the NSA spy.

"It's astounding," Jeffrey Carr, the CEO of Taia Global, said of RSA's alleged decision to use the NSA's flawed algorithm. "Even if RSA comes forward and says, 'Here's the contract, we had no idea there was a backdoor,' it's still bad judgment. It's maybe not as bad as saying, 'Yes, we took a bribe,' but it's still bad judgment."

Carr had planned to speak on a panel at the conference but pulled out as part of a growing boycott that, as of Wednesday, included two security engineers from Google, which itself has been a high-profile target of NSA's intelligence-gathering apparatus. So far, the protesters are a mix of technologists and activists. No conference sponsors have pulled out, and only one company has said none of its employees will speak.

Mikko Hypponen, a prominent security researcher, was the first conference attendee to pull out, a decision he announced two weeks ago in an open letter to RSA executives criticizing their alleged cooperation with the spy agency.

"I don't want to portray myself as a leader of a boycott," Hypponen wrote on Wednesday in an update to his letter. "I did what I felt I had to do. Others are making their own decisions." Hypponen, the chief research officer for F-Secure, a security company based in Finland that has offices in the United States and around the world, said that no one from his company would speak at the conference.

What's especially galling to the conference boycotters is that RSA's founders were some of the original stalwarts against the NSA's efforts to foil encryption. In the 1990s, they helped lead a charge against an NSA-designed key-escrow scheme, known as the Clipper Chip, that was meant to head off the spread of commercial encryption the government couldn't read: the agency feared that terrorists and criminals would otherwise communicate using codes it couldn't break.

Ironically, the RSA conference started in response to concerns by privacy advocates and technologists that the government would try to dictate encryption standards, thus giving agencies like the NSA the privileged access for which they allegedly paid the company years later. (RSA was acquired by EMC Corp. in 2006.)

In a statement last year, RSA denied that it entered into a "secret contract" with the spy agency. But it hasn't explicitly said that there is no backdoor in the product that it ultimately sold after consultation with the NSA. "We have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use," the statement said. But RSA also distanced itself from the spy agency, saying that back when it decided to use the flawed algorithm, "the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption."

Even that assertion may strike some security experts as a stretch, considering that the NSA has never made a secret of its attempts to break codes. (That is, after all, the business it's in.) But the NSA also helps make codes, and has encouraged the adoption of ostensibly strong encryption standards. The flaw in the algorithm RSA adopted was quickly discovered and written about by security researchers at Microsoft and elsewhere at the time; they showed that it could serve as a backdoor for whoever had chosen the algorithm's constants. But there was no proof it had been put there by the NSA. Not until the documents released by Snowden showed that the NSA had poisoned the algorithm did RSA encourage customers to stop using it.

"Until RSA explains what happened, the available evidence we have points to a betrayal of trust," Carr said.

The RSA conference organizers didn't respond to a request for comment.

Joining the protest with Carr, Hypponen, and two Google engineers, Chris Palmer and Adam Langley, are Christopher Soghoian, the principal technologist for the American Civil Liberties Union; Marcia Hofmann*, a privacy and security expert and attorney formerly with the Electronic Frontier Foundation; Alex Fowler, who leads global privacy and public policy issues for Mozilla; and Josh Thomas, the "chief breaker" at security research firm Atredis Partners.

*Correction (Jan. 9, 2014): An earlier version of this post misspelled Marcia Hofmann's surname.

Gabriel Bouys/AFP/Getty

The Complex

The Air Force Totally Lied to You About the Fiery Fate of Its Stealth Bomber

On Feb. 26, 2010, a U.S. Air Force B-2 stealth bomber forward-deployed to America's giant Pacific air base in Guam was getting ready for a training flight when one of its four jet engines burst into flames.

Firefighters extinguished the blaze and the crew escaped unharmed. A Guam newspaper phoned Air Force spokesman Lt. Col. Kenneth Hoffman, who reassured the paper that the fire was "minor."

But that was a lie, the depth of which is still becoming apparent four years later. The cover-up is one of a long chain of obfuscations by the U.S. military in the wake of serious and even fatal accidents involving its most high-tech and expensive warplanes.

Far from being minor, the fire underneath the radar-evading B-2's skin caused serious damage that rendered it unable to fly -- a big deal, considering that the Air Force possesses only 20 of the giant bombers. The B-2s, normally based in Missouri, are the only long-range American warplanes able to slip past heavy enemy defenses.

Northrop Grumman built 21 B-2s for the Air Force between the 1980s and early 2000s at a total cost of more than $40 billion. A small number of the bat-wing bombers rotate through Guam in order to put them within quick flying time of America's Pacific rivals, including China. But the Pacific ops are risky: in 2008, a B-2 crashed in Guam, reducing the stealth bomber fleet to just 20 planes.

Losing another B-2 in Guam just two years later obviously had the potential to be hugely embarrassing for the flying branch. For more than a year after Hoffman dismissed the latest accident as "minor," no one outside of the Air Force had any idea that the B-2, named Spirit of Washington, had nearly been destroyed and was, in fact, stuck in Guam.

The Air Force did not list the fire in its official tally of B-2 mishaps, but a presentation by a pair of military researchers in October 2010 did acknowledge the incident ... and stressed the unexpected difficulties that airmen faced trying to smother a blaze underneath the bomber's special radar-absorbing skin.

The first major indication that Hoffman, and indeed the entire Air Force, had been less than truthful about the B-2's condition came in August 2011, when the flying branch released a feel-good official story describing efforts to get Spirit of Washington back into flying shape so that the bomber could return to the mainland United States for permanent repairs.

The official story retconned the bomber fire to "horrific" and described the "Herculean" task of shipping new parts to Guam in order to patch up the crippled airplane, get it back into the air and shepherd it across the vast Pacific to Northrop Grumman's secretive stealth warplane factory in Palmdale, California. "The task list was long and included rebuilding some structural components," the Air Force admitted.

Reporters were incensed.

Spirit of Washington spent the next two years in Palmdale being rebuilt by Northrop Grumman in the same facility that produces top-secret stealth drones. Another official story in December 2013 detailed the huge extent of the repair work. "A percentage of the parts could be re-manufactured, but other parts could only be obtained from Air Force spare parts depots."

On Dec. 16 last year, the restored Spirit of Washington took off on its first training sortie since the 2010 fire. Four days later, the Air Force deigned to announce the bomber's return to duty, and the increase in the operational B-2 fleet from 19 airframes to 20.

The cover-up is consistent with the Pentagon's handling of incidents involving its most sophisticated warplanes, which besides the B-2 also include the F-22 stealth fighter and the V-22 tiltrotor. The complex V-22 takes off and lands like a helicopter but cruises like an airplane thanks to its rotating engine nacelles.

For years, F-22 pilots complained of oxygen deprivation apparently resulting from inadequate equipment in the high- and fast-flying plane, which costs up to $300 million apiece. In 2010, Capt. Jeff Haney died after crashing his F-22 in Alaska. The evidence strongly indicated that Haney had blacked out, but that did not stop the Air Force from blaming the accident on pilot error.

Likewise, the Air Force and Marines' finicky V-22s, purchased for $100 million a pop, crash and burn at a rate much higher than the official statistics admit. When a V-22 went down in Afghanistan in 2010, killing four people, the Air Force blamed the crew despite evidence that the tiltrotor's engines had failed in mid-flight.

And when lead accident investigator Brig. Gen. Donald Harvel protested, the flying branch's brass mounted a coordinated campaign to discredit and silence him.

The Pentagon seems to want Americans to believe that its high-tech warplanes rarely malfunction. The reality is that crashes and fires are shockingly common, expensive and deadly.

First published on Medium.com's War Is Boring collection.

Air Force photo