RSA Conference organizers accused of attempting to sabotage TrustyCon

An article in the New York Times alleges that RSA Conference organizers phoned in warnings to venue management in order to have TrustyCon shut down.

TrustyCon, which had a max of 400 attendees due to limited space, almost didn't happen. It was held on Thursday at the Metreon, a shopping complex that sits across the street from the Moscone Center. According to a story in the New York Times, which ran on Friday, TrustyCon organizers had to persuade Metreon management - who were concerned about calls they had been receiving - to allow them to keep the space.

From the article:

"The organizers of a rival conference, called TrustyCon, which was organized following revelations that RSA had been paid by the N.S.A., said they had spent much of the past weekend persuading executives from the Metreon - another big, downtown center next to the Moscone - not to kick them out of their conference space. The Metreon was set to house the TrustyCon conference on Thursday but Metreon’s management began to grow concerned after they received calls from RSA’s conference organizers.

"The RSA organizers warned the Metreon that TrustyCon attendees were arranging a huge boycott on their premises. In the end, the TrustyCon conference was able to proceed Thursday without a hitch."

It doesn't seem fair to call a conference that has 400 attendees a rival given the massive size of the RSA Conference. Even financially it doesn't compete, given that the RSA Conference made millions, and TrustyCon made nothing (all of the ticket sales went to the EFF).

However, the Times' story raises the ghost of an incident that happened two years ago.

In 2012, the RSA Conference considered invoking a non-compete clause in their sponsor contracts, forcing some security vendors to re-think their support of B-Sides San Francisco, as they couldn't sponsor both conferences.

The situation was resolved, as B-Sides San Francisco moved their event to days that do not interfere with the peak traffic days at RSA Conference, but the incident itself was a PR nightmare for the nation's largest security conference. Fast forward to 2014, and it seems as if history has repeated itself.

TrustyCon exists because the organizers and speakers all took issue with news reports stating that RSA took $10 million from the NSA to use Dual_EC_DRBG in their BSAFE products.

Dual_EC_DRBG is a flawed pseudorandom number generator (PRNG) that was developed by the NSA and set as the default option in BSAFE. In addition, because Dual_EC_DRBG was being used in the public market, the NSA used that fact to have it approved by NIST.

Many of those who spoke at TrustyCon did so after canceling their scheduled RSA Conference appearances, and according to many reports, this was something that RSA Conference organizers didn't appreciate. They accepted it, but not before attempting to get the speakers to reconsider dropping out.

So if the reports are true, and RSA Conference organizers attempted to have TrustyCon removed from their venue, this is a problem. However, there's something missing. Start with the story itself. Where did the information come from?

One possible explanation for the story comes from the TrustyCon video. Towards the end of his opening remarks, Alex Stamos, TrustyCon co-organizer, said the following:

"...We'd like to thank our hosts, AMC in Westfield. Apparently somebody from a rival conference that I haven't heard of, has warned them this morning that we're a protest event, and therefore they should be careful for security in case there's going to be protests. So they've been wonderful hosts to us, and I really want to thank them for standing up to the pressure and not kicking us out..."

The New York Times article makes it seem as if the issue lasted the entire week, but Stamos says the calls happened the morning of the event. No matter what timeline you follow, the calls themselves are at issue. So, if these warning calls were in fact made, who made them?

There are three firms behind the RSA Conference; the primary being Nth Degree (the company that manages the show itself), Shift Communications (the company that does PR for the show), and RSA. Why was no one at these firms contacted for reactions or comments? If they were contacted, why didn't they respond if the allegations are false?

The Hash has reached out to everyone involved including TrustyCon, RSA, Shift Communications, and Nth Degree. I'm hopeful they'll respond, because as I said, the other side to this story is missing, and it's an important one.

H/T: Thanks to Mikko Hypponen for pointing me to the video with the comments about the protest call. The video itself is available on the TrustyCon website.


None of the RSA Conference organizers have responded to questions, ignoring emails that have been sent. However, Alex Stamos responded to questions with the following:

"All I know is what I was told by the head of security for Westfield, which is that a member of the RSA conference security team warned them on the morning of TrustyCon about possible disruptions caused by our attendees protesting.

"I told the Westfield and AMC managers that I highly doubted that anything approaching a protest would occur and they dismissed the concerns and were very supportive. I was surprised that we were dealing with this issue on the day of the event, since these concerns were first raised with our venue by RSA a week before and we addressed them the same way then."

Update 2:

Alex Bender, the GM of RSA Conference, has sent the following statement on the matter. In it, he confirms that a member of the RSAC security team made the calls about TrustyCon.

"The RSA Conference is an industry-leading event that attracted over 28,000 attendees, over 400 exhibitors and more than 600 speakers. It is not unusual for small events to happen alongside that aim to leverage the momentum and publicity of the RSA Conference, which is a good sign of a thriving industry event. We've always embraced these activities and the open, healthy dialog that springs from them.

"That said, there was no threat made to TrustyCon or action taken to cancel the event. Based on proximity, there is close communication between the Moscone Center and the Metreon. A member of the security team did call on Thursday morning to discuss some recent issues seen throughout the week outside Moscone and passed along the information as a courtesy. It was never directed at TrustyCon, its speakers or its attendees."
