[ISN] RSA Panel: Cryptography Can't Foil Human Weakness

From: InfoSec News (isn@private)
Date: Wed Feb 25 2004 - 02:12:18 PST

  • Next message: InfoSec News: "[ISN] Companies Form Computer Security Lobby"

    http://www.eweek.com/article2/0,4149,1538027,00.asp
    
    By Mark Hachman 
    February 24, 2004 
    
    SAN FRANCISCO - Enhanced security can solve many issues, but it can't 
    improve the thing that sits between the keyboard and the chair - the 
    user - a cryptographers' panel concluded Tuesday. 
    
    The panel, a staple of the RSA Conference here, invited four of the 
    industry's luminaries on stage with Bruce Schneier, author and chief 
    technology officer at Counterpane Internet Security, to discuss the 
    evolution of cryptography. The discussion soon turned to recent 
    failures in information security, however, including the recent leak 
    of some of Microsoft Corp.'s source code and the knotty security 
    problem of social engineering. 
    
    Each panelist - Whitfield Diffie, chief security officer at Sun 
    Microsystems Inc.; Paul Kocher, president and chief scientist at 
    Cryptography Research Inc.; Ron Rivest, Viterbi professor of computer 
    science at the Massachusetts Institute of Technology; and Adi Shamir, 
    professor at the Weizmann Institute of Science in Israel - came to the 
    panel with his own view of security priorities. Rivest, for example, 
    was concerned with the policy of security., Diffie, on the other hand, 
    said the industry was shaping up for a battle over DRM. 
    
    Increasingly, the panelists said, security experts' challenges have 
    had less to do with the intricacies of cryptosystems used to wrap code 
    than the real-world intricacies of standards and government 
    guidelines. Rivest cited the case of Diebold Systems Inc.'s electronic 
    voting machine code, which was found on the Internet and quickly 
    picked apart as insecure. Until a grass-roots movement pushed for 
    paper-based records to prove a voter cast a ballot for one candidate 
    over another, the Diebold machine did not allow for independent 
    verification of results. 
    
    "Why am I, as a cryptographer, talking about such things?" Rivest 
    asked, citing Archimedes' maxim: "Give me one smooth spot to stand on 
    and I will move the world." "We have great levers to move things, if 
    we have a smooth spot to stand on," Rivest said. "We have secure 
    platforms and secure keys to move the earth a bit." 
    
    Similarly, Kocher said he was "terrified" of the only solution he saw 
    to enforcing consumer privacy—government regulation. While consumers 
    have a strong incentive to maintain their privacy, law-enforcement 
    agencies and large corporations do not, he said. 
    
    Part of the fear engendered by government regulation is additional 
    laws, which tend to entangle and complicate the flow of information, 
    panelists said. For example, Kocher said, he was advised by his lawyer 
    not to examine the leaked Microsoft code. 
    
    "So we're in an awkward situation that is almost the worst of all 
    possible worlds," he said. "We can't look at proprietary systems to 
    improve our code, but the bad guys can." 
    
    Diffie, meanwhile, focused on a fight he said is looming over the 
    definition and implementation of digital-rights-management. Citing the 
    recent lawsuits by the Recording Instiitute of American Artists 
    (RIAA), Diffie said that the notion of compensating copyright holders 
    had evolved into a situation in which those copyright holders had 
    begun to dictate how consumers could use it. "Soon you'll only be able 
    to buy a machine … where you won't be able to tell it what you want to 
    do and it does it," he said. 
    
    The panel failed to propose a solution for one of the most pernicious 
    and pervasive security problems: the problem of the user itself. 
    "Phishing" scams and other techniques to wrest personal information 
    from users won't go away easily, they agreed. 
    
    In perhaps the only actual discussion of cryptography, the Weizmann 
    Institute's Shamir said the sun was setting on stream ciphers used to 
    encode real-time data streams. Instead, the power of today's 
    microprocessors could be used to encode data in blocks via block 
    ciphers, which are more powerful but require a large amount of 
    information to be buffered and then encoded. 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Feb 25 2004 - 05:22:47 PST