Cut Mary Ann Davidson Some Slack

These last two days the infosec community has been consumed by a blog post Oracle CSO Mary Ann Davidson wrote. In that post she railed against security researchers who reverse-engineer Oracle’s code and nudge the database giant with their vulnerability findings. (Oracle removed the post, but The Wayback Machine captured it and it’s been distributed far and wide anyway.)

Davidson argued that Oracle does just fine finding and fixing its vulnerabilities and that outsiders who butt in are messing with end-user license agreements and overall company sovereignty.

Having reported on Oracle vulnerabilities for years, I found her position flawed. I’ve seen time and again how researchers find flaws and Oracle leaves them unfixed, sometimes for years. That tells me the company doesn’t have a handle on its security problems. I also think it’s important that companies welcome the help of outside researchers. In the fight against the bad guys, companies can use all the help they can get. Google and Microsoft understand this, and their bug bounty programs enhance their overall security.

Oracle took the post down, saying it doesn’t accurately reflect the company’s view of customers. If you’re Davidson, that’s gotta sting. Her not responding to the criticism makes the situation worse. I suspect Oracle has muzzled her, and the company itself isn’t returning reporters’ calls. Not that the company has ever been good at returning calls. It was a closed-off culture when I was reporting on its security flaws a decade ago.

We can disagree with Davidson, but we should remain professional rather than stoop to childish taunts.

She forcefully argued her position, and the relationship between security researchers and tech companies is an important, ongoing topic. I’ve seen a lot of people criticizing her position respectfully, which is good. But I’ve also seen the usual vitriol-laced pile-on. Hundreds of people are ripping her to shreds, often doing so with the same amount of snark they criticized her for using in her post. With these debates people can get mean, and that’s too bad.

I’ve known Davidson for a long time. We haven’t always seen eye to eye, but she’s a good, intelligent person and I respect her a lot. It’s sad to see her character unnecessarily killed in an online, public execution.

I hope she gets through this. I suspect she will.

Finally, it’s worth noting that those of us who write are always going to get it wrong from time to time. I’ve had my share of stinkers. We’re all human and emotion does funny things to the brain. That’s what I’m trying to keep in mind during this latest infosec firestorm.

Disagreement is good. But when you remove kindness, it turns to poison.

So You Wanna Boycott RSA Conference 2014

Disclaimer: This is my opinion. I do not speak on behalf of my employer.

Folks in the information security industry are debating whether to boycott RSA Conference 2014 to protest RSA’s reported misdeeds concerning the National Security Agency (NSA). Boycotts can be powerful tools. But they can also lead to trolling or a loss of your own voice.

One of this blog’s missions is to promote more reasonable discussion. I’ve seen how people hurt each other with words in the security industry and elsewhere, and this latest issue is no exception.

It’s a waste of energy.

Some Background

At last count, eight well-known security practitioners announced that they were skipping the upcoming RSA Conference in San Francisco because the conference’s sponsor, security vendor RSA, allegedly pocketed money from the NSA to put a faulty encryption algorithm into one of its products.

The revelation is part of the ongoing fallout of former NSA technical contractor Edward Snowden leaking details of top-secret mass-surveillance programs to the press.

In this debate on whether RSA, and by extension the NSA, did wrong, you’re either a PR-obsessed grandstander or a coward who refuses to take a stand. It just depends on which side of the discussion you fall on. Those who are boycotting the RSA conference have been accused of the former, while those who are still attending are accused of being the latter.

My Two Cents

I’m going to RSA Conference 2014.

Based on all the information out there — and I’ve read quite a bit of it — I’m inclined to believe RSA took money from NSA to allow a flaw into its technology.

I agree that this shouldn’t come as a surprise because the NSA was, after all, created for those sorts of activities. That doesn’t mean there’s no cause for anger.

RSA customers rely on the company’s products to keep proprietary information safe from sinister hands. Taking money from a government agency to make spying easier is not OK. The argument that spying on American citizens is necessary to uncover terrorist plots is rubbish. It’s the same fear-based thinking after 9-11 that led to the PATRIOT Act. That’s my opinion. To those who disagree, I mean no disrespect. Good people can disagree.

Having said all that, you would think I’d be among the boycotters. I share their anger and respect their right to protest as they see fit, as long as no one is harmed in the process. But I’m not boycotting for a few reasons:

  • I’ve never gone to RSA Conference to support RSA the company. I go to network with peers and get a better sense of what the latest security trends are.
  • I can’t do my job from the sidelines. I have to be where the action is.
  • If you’re angry with RSA, isn’t it better to attend the conference and speak your mind? It’s a more powerful approach than staying home.

I don’t claim to have all the answers. I don’t claim moral superiority. That’s simply where I stand.

On Twitter the other night, Akamai CSO Andy Ellis — my friend and boss — said, “Whether or not one agrees with the RSAC boycott, we can celebrate [the boycotters’] freedom to express anger and disappointment. We need more of that.”

Furthermore, he said, we should be able to be angry without feeling the need to ostracize those who aren’t expressing anger, and vice versa.

He’s right.

It’s OK to rage, and it’s OK to boycott. Troll if you must. That’s your right, my friends. I’m going to follow my conscience and strive for civility.