
Trust Is For Suckers: Lessons From the RSA Breach

Soulskill posted more than 3 years ago | from the and-we're-back dept.

Security 79

wiredmikey writes "Andrew Jaquith has written a great analysis of lessons learned from the recent RSA Cyber Attack, from a customer's perspective. According to Jaquith, in the security industry, 'trust' is a somewhat slippery concept, defined in terms ranging from the cryptographic to the contractual. Bob Blakley, a Gartner analyst and former chief scientist of Tivoli, once infamously wrote that 'Trust is for Suckers.' What he meant is that trust is an emotional thing, a fragile bond whose value transcends prime number multiplication, tokens, drug tests or signatures — and that it is foolish to rely too much on it. Jaquith observed three things about the RSA incident: (1) even the most trusted technologies fail; (2) the incident illustrates what 'risk management' is all about; and (3) customers should always come first."


79 comments


Trust is required (4, Insightful)

houstonbofh (602064) | more than 3 years ago | (#36558814)

The problem is that trust is also required to have a functioning society. The higher the trust, the better a society can function. The lower the overall trust (More corruption) the less effective it is. I think "Trust but verify" is the best.

Re:Trust is required (1, Insightful)

h4rr4r (612664) | more than 3 years ago | (#36558920)

Trust but verify, means don't trust otherwise you would not have to verify. Non-thinking people like the phrase because their idol said it. Why middle class folks idolize someone who sold out the middle class I do not understand.

Re:Trust is required (2)

RightSaidFred99 (874576) | more than 3 years ago | (#36558998)

Yeah, those shitty 80's. We're all much better off now!

Re:Trust is required (0)

Anonymous Coward | more than 3 years ago | (#36559108)

I guess you are being sarcastic, but at least crime is way down.

Re:Trust is required (1)

h4rr4r (612664) | more than 3 years ago | (#36559130)

What do you think got us here?

Re:Trust is required (1)

RightSaidFred99 (874576) | more than 3 years ago | (#36559318)

Greed and idiocy, which is expected and part of the system and should be self correcting over the long term if you let it happen. What's going to really fuck us is spending, both from Republicrats and Demublicans.

Re:Trust is required (1)

h4rr4r (612664) | more than 3 years ago | (#36559904)

Spending and crazy low taxes, one or the other folks. At this point we need to cut spending and when our economy is in decent shape raise taxes to get debt down.

Our problem was we spent and spent while cutting taxes and did not save up for the rainy days ahead.

Re:Trust is required (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36559118)

It is ironic that the man who made "trust but verify" famous is much more often trusted than verified...

Re:Trust is required (3, Insightful)

houstonbofh (602064) | more than 3 years ago | (#36559196)

A whole post of information and all you see is the quote at the end. You might want to read "The Last Centurion" by John Ringo for some good information on high vs low trust societies. Or not, since he might like people you hate.

Re:Trust is required (2, Insightful)

h4rr4r (612664) | more than 3 years ago | (#36559226)

I don't hate anyone, I dislike people who work against folks I do like though. I don't like it when people idolize those who work against them either. "Trust, but verify" just makes no sense. "Never trust, always verify" at least makes good sense.

Re:Trust is required (2, Informative)

Anonymous Coward | more than 3 years ago | (#36559676)

> I don't hate anyone

Bullshit.

Re:Trust is required (4, Informative)

hedwards (940851) | more than 3 years ago | (#36559296)

No, what it means is that you don't blindly trust anybody, but you do verify periodically that the trust hasn't been abused. It's like granting a business the right to take money out of your checking account to cover expenses, like say a CC company. You trust them not to put things on the bill which you didn't authorize. And you verify at least once a month that everything that's on the bill was authorized by you.

Same thing here, the problem with RSA was that people trusted them, but there was no particular manner of verifying that the trust was well placed.

Re:Trust is required (1)

Anonymous Coward | more than 3 years ago | (#36559336)

Trust but verify means that some (most?) of the time you trust, but occasionally you verify to ensure that trustworthiness is still warranted.

Don't trust means you have to verify every time. Trust without verifying means that sooner or later you're going to get taken.

Really, it's not rocket science. (grin)

Re:Trust is required (1)

flaming error (1041742) | more than 3 years ago | (#36559598)

> Why middle class folks idolize someone who sold out
> the middle class I do not understand.

It's easy. We all have our own private reality.

Here's mine. Whatever any POTUS may have done is inconsequential compared to what our Gov't did in 1913. They set in motion everything that's happened since when they handed over our economy to a semi-accountable, quasi-governmental, 100% privately owned for-profit banking cartel.

Re:Trust is required (0)

Anonymous Coward | more than 3 years ago | (#36560322)

Ya, I know that before 1913 everyone was living longer and enjoying a higher standard of living than we do now...

Re:Trust is required (1)

flaming error (1041742) | more than 3 years ago | (#36561022)

I'd like to rebut your rebuttal, but I'm having trouble figuring out what you think you rebutted.

So long, and thanks for the red herring.

Re:Trust is required (1)

HiThere (15173) | more than 3 years ago | (#36561684)

That's one point. But I don't know why you consider it more important than all the others.

Personally I consider two points crucial:
1) The Civil War, when BOTH sides centralized control of the government over the populace.
2) The Union Pacific addendum, which got corporations to be considered legal persons.

Basically, though, when the frontier closed, increased governmental control over the citizenry started ramping up immediately. The increase was slow at first. But you could also pick the Constitution giving the feds control over the currency. Or the suppression of Lysander Spooner's currency. Or lots of other points. Each is just one data point along a curve.

Personally, when I survey the current landscape the point that stands out to me is the granting of corporate personhood via an addendum made on his own authority to a lawsuit by a legal clerk. Be interesting to know if he was paid extra to do that, but it wouldn't have mattered if the courts hadn't allowed that addendum to stand.

Re:Trust is required (1)

flaming error (1041742) | more than 3 years ago | (#36563632)

> I don't know why you consider it more important than all the others.

Because we were talking about the economy.

But I agree completely with the milestones you picked for the general erosion of liberty. I hope one day we'll be able to point to events that put us back on track.

Re:Trust is required (1)

panikfan (1843944) | more than 3 years ago | (#36560914)

> Trust but verify, means don't trust otherwise you would not have to verify. Non-thinking people like the phrase because their idol said it. Why middle class folks idolize someone who sold out the middle class I do not understand.

Sounds to me like there is a whole lot you do not understand.

Re:Trust is required (4, Insightful)

flaming error (1041742) | more than 3 years ago | (#36559044)

> trust is also required to have a functioning society.
Maybe, to a degree.

>"Trust but verify" is the best.
Indeed it is. Trust works when claims can be supported.

Problems happen when information is just not verifiable, such as in closed source products, secret negotiations, undisclosed business interests, or whenever information is withheld or misrepresented.

When "trust me" is all the verification a vendor offers, trust is for suckers.

Re:Trust is required (1)

MacGyver2210 (1053110) | more than 3 years ago | (#36560160)

> closed source products

Again coming back to a lack of trust, of your customers and clients. Trust them with the source code, and verify they aren't misusing it.

Re:Trust is required (2)

ChatHuant (801522) | more than 3 years ago | (#36561196)

> Problems happen when information is just not verifiable, such as in closed source products, secret negotiations, undisclosed business interests, or whenever information is withheld or misrepresented.

You're mixing things up, either intentionally or because zealotry trumps reason in your thought processes. Not getting source code is not the same as being lied to, either by omission or by commission. You'll never have all the information about the making of a product available. You don't have the secret Coca Cola recipe, but that doesn't stop you from drinking coke. You don't know the composition of the various alloys your car is built of, but you do drive. You don't know the maintenance history of the plane you're going to use, but you do fly. You don't normally care about all those things, because they're not normally relevant to your needs. It's the same with the source code. What you care about is whether the product actually does what it's supposed to do, and meets both explicit and implicit expectations. The only reason to mention source code in this particular context is zealotry.

Let me give you an example: if a vendor tells you his database performs one thousand transactions a second in a given configuration, what are you going to do with the source, simulate the database using pen and paper and check the vendor's statement? Surely not. You'll build the configuration and count the transactions. If the database only performs a hundred transactions per second, you've been given false info. Or, if the database performs a thousand transactions for about an hour after which it crashes repeatedly, you've been given insufficient relevant info.

To preempt some weak counter arguments, yes, there are a few rare cases when the source code IS relevant to the issue. When getting actual source is a condition/expectation of the sale, the vendor will submit it, or they won't offer the product at all.

Re:Trust is required (1)

flaming error (1041742) | more than 3 years ago | (#36563764)

> You don't have the secret Coca Cola recipe, but that doesn't stop you from drinking coke

I have the ingredients, which opens up the product considerably. And actually does stop me from drinking it.

> Not getting source code is not the same as being lied to
I didn't say it was - why misrepresent my words? It is an example of unverifiability, not dishonesty.

> You don't know the composition of the various alloys your car is built of, but you do drive
I may not know that off the top of my head, but it's not an example of "unverifiable". I could analyze a sample if I felt the need.

In warping my claim into these non-apt analogies, what is the point you are trying to make? That I sometimes trust what I cannot verify? That I sometimes trust what I didn't bother to verify? And that makes me either a hypocrite or a sucker?

I'll admit I'm a sucker - I've lost in the marketplace more than once. But me being a sucker doesn't make my post invalid or unreasonable. A vendor who asks for your trust that something works, but gives you no way to verify it works, is a vendor to avoid.

Re:Trust is required (2)

idontgno (624372) | more than 3 years ago | (#36559236)

The "verify" part implies a degree of transparency and insight that's rare nowadays. The fact that governments have to write laws that compel breached firms to notify their affected constituents in a reasonably timely and understandable manner is proof that if their reputation and sales are on the line, you'll only learn the absolute minimum dictated with the weight of unavoidable severe consequences. And that is a miserable basis for "verify", which makes "trust" a fool's game.

Re:Trust is required (1)

hedwards (940851) | more than 3 years ago | (#36559338)

I don't think this is anything new. Corporations have been behaving like that for many decades now. What's changed is that you have fewer options and the corporations have much broader reach than they used to have. The places where you didn't have choices, the corporations were pretty transparent about ripping the customers off, and since there were no other options, there was little choice but to buy from them.

But, at least for folks living in cities, there was pretty much always a small business which one could go to buy things, and one probably knew the proprietor on a first name basis outside of the shop.

Re:Trust is required (1)

LordNimon (85072) | more than 3 years ago | (#36559458)

I'm sorry, but I've never understood what "trust but verify" is supposed to mean. If you trust someone, then by definition, you think you don't need to verify it. The only time I verify anything is if I don't trust it!

Re:Trust is required (1, Funny)

Duradin (1261418) | more than 3 years ago | (#36559656)

I'll take your word that you've never understood what "trust but verify" means for the moment but I may look into your post history later to see if it's true.

Re:Trust is required (2)

Dishevel (1105119) | more than 3 years ago | (#36559692)

I use it all the time.
I download software from people I have some trust with.
But I always run at least a cursory virus scan and always use custom install options if available.
I then try out the software looking for problems, making sure it behaves as I was told it would.
If it starts communicating with the outside world where I think it should not or installing services and drivers where they need not be my "trust" gets revoked.
Just because I trust you with the keys to my house does not mean that will not change when I get information that my trust may be misplaced.

Re:Trust is required (1)

houstonbofh (602064) | more than 3 years ago | (#36559756)

I have a vendor of choice. Most of the time I just order stuff and assume that he is giving me a good price. Occasionally I price check him. If I ever find he has abused my trust, I get a new vendor. The alternative is trust all the time (Stupid) and trust none of the time (a lot of work). The problem is the "verify" part. How do you do it with some companies?

Re:Trust is required (1)

LordNimon (85072) | more than 3 years ago | (#36568024)

So every time you verify your vendor, you are suspending the trust you have in it. You are alternating between trusting and verifying. You are never doing both at the same time.

Re:Trust is required (0)

Anonymous Coward | more than 3 years ago | (#36559874)

Trust is only required if you set up your society in the way that we have: Rewarding self-interest and nothing else.

"Trust but verify" rule fools some people (1)

Sloppy (14984) | more than 3 years ago | (#36560500)

> I think "Trust but verify" is the best.

I think it's actually a bad platitude, because "verify" is always implemented as a nested trust, and that trust often turns out to be serial but the platitude glosses over that.

It goes like this: Is this person authorized to enter the building? Yes, probably, or else why would he be at the door? Well, let's verify: does he have a keycard? Yes, he has a keycard, and we trust the keycard. Why do we trust the keycard? Because only party X has the secret number hidden within it. How do we know that? Because they say so.

If any one of those things that you trust goes wrong, you lose. Not that "trust but verify" is really wrong but it isn't explicit about what "verify" really means, so you can follow the "trust but verify" rule of thumb and still screw up.

I think "Require an amazing conspiracy" is best. That makes what you really need more clear. You want several failure probabilities to get multiplied to determine the probability of the system failing. That's where multi-factor authentication comes in, the concept of "require 3 moderately trusted certs" OpenPGP default comes from, etc.

And almost all of these ideas are ignored in most mainstream "security." *sigh* We use complete reliance on any single CA in https, for example. https, one of the most important things for commerce on the net, and we get it totally wrong. Lame. I can't help but thinking, though, that the dumbfuck who thought it up believed he was doing "trust but verify."

Re:"Trust but verify" rule fools some people (1)

poopdeville (841677) | more than 3 years ago | (#36563668)

"Require an amazing conspiracy" is closer to what trust means in terms of security than "trust but verify". But it is still too weak for a security context. And in some ways, it is the polar opposite of what "trust" means in context.

In security (of the mathematical, physical, or professional kind), a "trusted source" is a source that you are compelled to believe, because without their input, the security model would be impossible. Indeed, you want to have as few trusted sources as possible. For example, you rely on random numbers to seed a cryptographic system. Then you must trust your random number generator, because it is impossible (in general) that it is not biased in some way. You must trust your algorithm, because it is impossible to verify that it is unbreakable.

The fewer things in your security you have to take the word of, the more secure your model is, all things being equal. So "trust, but verify" runs counter to professional usage of the word "trust", because trusted things are unverifiable by definition (in context).

In security, everything that is not trusted is untrusted. And untrusted sources get all the scrutiny that is economically efficient.

Re:"Trust but verify" rule fools some people (1)

poopdeville (841677) | more than 3 years ago | (#36563790)

about RNGs: "because it is impossible (in general) that it is not biased in some way"

Impossible to prove it's not biased.

Like Warren Buffett said... (5, Insightful)

MetricT (128876) | more than 3 years ago | (#36558830)

It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.

RSA was hacked, ultimately, because of short-term MBA thinking (I have one, so I know the type). If there's only a 10% chance of a serious security breach, then 90% of the time you can scrimp on security, and you won't merely get away with it, you'll be rewarded for "doing more with less". This same dynamic is often seen in both Wall Street and Washington.

I really wish we were required to read Nassim Nicholas Taleb's "Fooled by Randomness" and "Black Swan" in school, instead of Thomas Friedman's dreck. At least they couldn't say they weren't forewarned.

Re:Like Warren Buffett said... (1)

marcosdumay (620877) | more than 3 years ago | (#36558884)

The bad news is that reputation nowadays is something you buy (from the mass media). That saying doesn't work anymore.

Re:Like Warren Buffett said... (1)

yuhong (1378501) | more than 3 years ago | (#36560858)

Yep, "legacy" PR based on controlling the message is fundamentally flawed and causes many problems too.

Re:Like Warren Buffett said... (2)

GameboyRMH (1153867) | more than 3 years ago | (#36558892)

They make people read Friedman to get MBAs!? Well that goes a long way to explaining why the world's so fucked up.

Re:Like Warren Buffett said... (1)

houstonbofh (602064) | more than 3 years ago | (#36558964)

> It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.

The real problem is that the idiots that caused the hurt to RSA's reputation are not hurt themselves. They will be with Verisign next year, or somewhere else. If we don't watch the corporate level Merry-Go-Round, it will never stop.

Re:Like Warren Buffett said... (1)

idontgno (624372) | more than 3 years ago | (#36559294)

True. The shoddy Diebold/Premier Election Systems shell game is ample proof of that.

Re:Like Warren Buffett said... (1)

hedwards (940851) | more than 3 years ago | (#36559372)

Indeed, if only we could attach some sort of a mark which would let people know about the danger they face and how they should be audited. Obviously it should be a red A because of the threat they are to the business when auditors are on premises.

From technician's point of view (1)

boorack (1345877) | more than 3 years ago | (#36559058)

I agree mostly with that - but not in full extent. I've lost faith in this company quite some time ago once I've seen their Authentication Management product (software required to authenticate against tokens). It is clearly a crap-quality product made by MBAs for MBAs. It looks like it's been severely crippled by some cheap outsourced programmers (typical corporate attitude - "cutting costs"). This particular breach mainly confirmed my earlier opinion about RSA.

Losing reputation also takes quite a long time - some MBAs worked hard to turn their products into a very expensive crap. These "5 minutes" is an instant where everybody realizes it.

Re:Like Warren Buffett said... (1)

yuhong (1378501) | more than 3 years ago | (#36560820)

You mean Milton Friedman?

History (4, Interesting)

chill (34294) | more than 3 years ago | (#36558852)

Of the people who I've talked to with RSA tokens, most have said they're now actively planning a migration off of RSA tokens.

It isn't that they were hacked. Shit happens, even to the best of them. It was the lack of information and lack of transparency by RSA (EMC) on the whole event. Trust has been lost.

I'm not talking about public statements or mea culpas. I'm talking about why they weren't 100% open and upfront with existing customers right away. It gives the impression that EMC's execs were hoping no one would get hacked and it would all fade away over time. That they could just ride this out and weren't going to have to fork over a boatload of cash to replace everyone's tokens, thus not taking a hit on their stock or bonuses.

They were wrong, and now the price they are going to pay is not only replacing everyone's tokens, but a loss of trust and hence future business.

Re:History (1)

drachenfyre (550754) | more than 3 years ago | (#36559284)

> Of the people who I've talked to with RSA tokens, most have said they're now actively planning a migration off of RSA tokens.

> It isn't that they were hacked. Shit happens, even to the best of them. It was the lack of information and lack of transparency by RSA (EMC) on the whole event. Trust has been lost.

> I'm not talking about public statements or mea culpas. I'm talking about why they weren't 100% open and upfront with existing customers right away. It gives the impression that EMC's execs were hoping no one would get hacked and it would all fade away over time. That they could just ride this out and weren't going to have to fork over a boatload of cash to replace everyone's tokens, thus not taking a hit on their stock or bonuses.

> They were wrong, and now the price they are going to pay is not only replacing everyone's tokens, but a loss of trust and hence future business.

I just got my quote for replacement tokens. They're giving me a 3 to 6 month estimate on when I'll actually have the new tokens. I can quote the whole chain from "Nothing was stolen" to "Nothing was stolen that could replicate a token" to "Yea, our bad."

Re:History (1)

h4rr4r (612664) | more than 3 years ago | (#36559308)

Why are you even replacing them?
Would you not be better off moving to a competitor's service?

Re:History (0)

Anonymous Coward | more than 3 years ago | (#36562176)

> Why are you even replacing them? Would you not be better off moving to a competitor's service?

Long term, anyone on RSA is probably better off moving to a competitor's service. However, before you can do that, you need to figure out which is best, figure out how to implement it, get budget approval, buy it, test the change, and implement it. Just changing all the tokens is a relatively cheap and easy short-term fix - and you can still plan on moving later.

Re:History (1)

Some Bitch (645438) | more than 3 years ago | (#36566016)

> Why are you even replacing them? Would you not be better off moving to a competitor's service?

> Long term, anyone on RSA is probably better off moving to a competitor's service. However, before you can do that, you need to figure out which is best, figure out how to implement it, get budget approval, buy it, test the change, and implement it. Just changing all the tokens is a relatively cheap and easy short-term fix - and you can still plan on moving later.

^^^ This. We're awaiting around 100k tokens but the worldwide amount needing to be replaced far outweighs the supply.

Re:History (1)

yuhong (1378501) | more than 3 years ago | (#36560774)

Yea, likely a cover-up culture, another common problem.

Re:History (1)

gweihir (88907) | more than 3 years ago | (#36562208)

Exactly my thoughts. They hoped the attackers would be competent enough to not get caught and the attacks not being traced back to broken SecurID. Seems the RSA hack was pretty simple, as the attackers subsequently got detected when they tried to use the data.

IMO, RSA has lost any and all credibility as a security solutions provider. Not only the completely unacceptable delay tactics, but also that this information could be hacked in the first place. Only terminally stupid or terminally greedy people leave their token seeds online, no matter how many firewalls and layers. It is really not necessary to do so in the first place.

The only resolution to this problem is for RSA to go out of business and serve as a warning to others.

Re:History (1)

godel_56 (1287256) | more than 3 years ago | (#36563262)

> Of the people who I've talked to with RSA tokens, most have said they're now actively planning a migration off of RSA tokens.

> It isn't that they were hacked. Shit happens, even to the best of them. It was the lack of information and lack of transparency by RSA (EMC) on the whole event. They were wrong, and now the price they are going to pay is not only replacing everyone's tokens, but a loss of trust and hence future business.

I don't think the worst thing is that they were hacked, I think the real incompetence is having the seeds stored on a public facing system, ready to be stolen if someone did get in.

A company of their stature should have known to air-gap this kind of information. I think this is equivalent to those web sites that have their customers' passwords stored in plain text.

Serious Definitional issues... (5, Insightful)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36559048)

Speaking of trust issues, quoting a Gartner analyst?

Anyway, back to the matter at hand: This article seems like a particularly bad situation for the two sharply different definitions of "trusted" to come into collision without very, very careful elucidation.

On the one hand, you have the usual social usage of "trust": more or less "the belief that a person or device will do what it says/act in good faith/do what it says on the tin/etc."

On the other, you have the paranoid security wonk definition of "trusted": "the state of being a component of the security system whose overall integrity depends on your integrity as a component."

The two could really hardly be more different while still occupying the same word. The former is socially valuable, and societies become dystopian hellholes without it; but it is a very poor ingredient upon which to build technologically secure systems. The second is an unfortunate necessity; but it is one of the marks of a good security system that it knows exactly what parts of the system are 'trusted' and what parts need not be. (A second, and important, mark of a good security system is that the set of 'trusted' systems has been culled as much as possible, and that no 'trusted' systems remain that you do not have good reason to 'trust' in the usual social sense.)

In the case of RSA, you really had a massive failure on both counts: In the social sense of "trust", RSA arguably oversold the security of their solution, was intensely cagey about the break-in until breaches at major defense contractors forced their hands, and generally fucked around as though they were trying to burn social trust. In the infosec sense, the fuckup was that (by retaining all token seed keys) RSA made themselves a 'trusted' component of every customer's security infrastructure. It is an architectural limitation of the RSA system that there must be a trusted system, with access to the seeds and an RTC, in order to perform authentication attempt validations. However, it is Not a requirement that there be other online seed stores out of the customers' control. By making themselves an extraneous, excess, trusted system, RSA weakened all their customers' security. Now that they are a 'trusted' component that no sensible people have social trust in, they are finding themselves written out of a fair few security architectures...

That is the real crux of the matter. From what I've heard (both publicly and informally from friends working in IT at largish RSA customers) the hack was some seriously sophisticated work, rather than somebody walking in through an unlocked door. However, it barely matters how tough their security is; because they never should have set themselves up as part of their customers' systems in the first place. Had the customers done the keyfill for the tokens, it wouldn't have mattered whether they had been hacked or not.
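
The seed-custody point in the comment above, as an added example that is not part of the original thread. SecurID's algorithm is proprietary, so standard TOTP (RFC 6238, HMAC-SHA1) is used as a stand-in; the `Validator` class, the `custody_demo` function, the serial number, seeds and timestamps are all constructed for illustration. It shows that the validator treats any holder of the seed as the token, and that a customer-side keyfill removes an outside copy from the trusted set.

```python
"""Added illustration: seed custody in a time-based OTP scheme.

Stand-in algorithm: RFC 6238 TOTP (HMAC-SHA1), not SecurID's own algorithm.
All seeds, serials and timestamps are constructed for the example.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds per code
DIGITS = 6     # digits shown on the token


def totp(seed: bytes, unix_time: int) -> str:
    """Return the RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Validator:
    """The one unavoidable trusted component: it holds seeds and reads a clock."""

    def __init__(self) -> None:
        self._seeds = {}       # serial -> seed
        self._last_step = {}   # serial -> last accepted time step (replay guard)

    def enroll(self, serial: str, seed: bytes) -> None:
        """Install or replace the seed for a token (the 'keyfill')."""
        self._seeds[serial] = seed
        self._last_step.pop(serial, None)

    def verify(self, serial: str, code: str, now: int, drift_steps: int = 1) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        current = now // STEP
        for step in range(current - drift_steps, current + drift_steps + 1):
            if step <= self._last_step.get(serial, -1):
                continue       # every time step is accepted at most once
            if hmac.compare_digest(totp(seed, step * STEP), code):
                self._last_step[serial] = step
                return True
        return False


def custody_demo() -> dict:
    """Compare vendor-retained seeds with customer-side keyfill."""
    serial = "000123456789"                  # constructed serial number
    now = 1_300_000_000                      # constructed clock reading
    validator = Validator()
    results = {}

    # Case 1: the vendor generates the seed and keeps a copy after delivery.
    vendor_seed = secrets.token_bytes(20)
    retained_copy = vendor_seed              # second online store, outside customer control
    validator.enroll(serial, vendor_seed)
    results["token_accepted"] = validator.verify(serial, totp(vendor_seed, now), now)
    # A code computed from the retained copy is indistinguishable from the token's.
    later = now + STEP
    results["retained_copy_accepted"] = validator.verify(
        serial, totp(retained_copy, later), later)

    # Case 2: the customer generates and loads the seed; no outside copy exists.
    customer_seed = secrets.token_bytes(20)
    validator.enroll(serial, customer_seed)
    later += STEP
    results["old_copy_after_keyfill"] = validator.verify(
        serial, totp(retained_copy, later), later)
    fresh_code = totp(customer_seed, later)
    results["token_after_keyfill"] = validator.verify(serial, fresh_code, later)
    results["replayed_code"] = validator.verify(serial, fresh_code, later)
    return results


if __name__ == "__main__":
    for name, accepted in custody_demo().items():
        print(f"{name:24s} {'accepted' if accepted else 'rejected'}")
```
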

Re:Serious Definitional issues... (1)

katyngate (1800438) | more than 3 years ago | (#36559958)

> The former is socially valuable, and societies become dystopian hellholes without it

why so?

Re:Serious Definitional issues... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36562762)

I don't know exactly, it's still an ongoing area of research; but the research suggests that societies with high levels of mutual and institutional trust score very well in prosperity and perceived wellbeing, while low levels act as a drag on both prosperity and happiness.

My assumption is that there are two basic flavors of factors at work: One would be 'transaction costs' in the broad sense. Every dollar spent on extra lawyer hours to draw up ironclad contracts, loss-prevention guys watching for shoplifters, and all the other people and infrastructure involved in enforcing compliance when you cannot expect it to happen voluntarily is a loss to society. Sometimes you don't have a choice; but you will be that much poorer than the people who don't have to invest as much in those things. The other would be any economic or social interaction that is roughly similar to a 'prisoner's dilemma' type problem: if people cooperate, the outcome can be substantially favorable, if they don't, it can be zero sum or worse; but it can be impossible or expensive to set up formal structures for enforcing cooperation; but if people just assume each other to be honest, they get the gains for free.

Re:Serious Definitional issues... (0)

Anonymous Coward | more than 3 years ago | (#36563768)

You use RSA if you don't trust your employees. If you own the keys, you must trust your employees and many organizations would rather trust RSA than anyone technical inside. Poor judgment but understandable....

Fresh Air! (1)

Anonymous Coward | more than 3 years ago | (#36559120)

A one page article. Ahhh relief.

Trust what? (3, Interesting)

lazlo (15906) | more than 3 years ago | (#36559128)

From my understanding, the RSA breach basically broke into the database that ties serial numbers to the internal "secret" that's used to generate OTPs. So go back to before the breach, and assume you're an RSA customer. To be their customer, you have to trust them. You can trust them to:

  1. securely wipe their copy of the database once they've delivered your tokens to you
  2. keep their database secure against attackers
  3. provide you with a copy of the database after you lose yours.

Note that options 1 and 3 are mutually exclusive. Now, it would be nice to be able to choose your level of risk tolerance yourself and decide on #1 vs #2 + #3, but there are a reasonable number of customers who actively dislike being forced to make choices. And there would be a whole lot of customers who would be really mad if, after losing their database, they were told by RSA "Sorry, all of your tokens are now useless keyrings. No choice but to replace them all."

To me it's like the evolution of passwords. In the beginning, if you forgot your password, your admin could tell you what it was. Then passwords got hashed, and your admin couldn't tell you what it was, but could reset it for you, and security was enhanced. Then passwords were used as encryption keys, and now your admin couldn't tell you what it was or reset it. If you forgot it, your data was gone. Once again, a security enhancement, but now a greater danger of data loss through forgetfulness.

Re:Trust what? (1)

h4rr4r (612664) | more than 3 years ago | (#36559194)

1 and 3 are contradictory, but close approximations can be made that are not.

The data could have been kept not connected to any computer networks and possibly even stored on tapes in some secure location so #3 could easily be done. Then you just need to make sure no one breaks into the location you store those tapes in. That is what they like to call a solved problem, with cost going up as you add security.

Re:Trust what? (1)

lazlo (15906) | more than 3 years ago | (#36559502)

Taking the data offline and securing it physically is just a prudent way to secure it. To me, that still falls under #2, trusting them to keep it secure while #3, making it remain available. RSA did, I assume, a reasonable job at keeping the data available, but failed to keep it secure.

But I would have to say you're exactly right on what security should be expected. There is some data that not only can, but really should be secured by taking it completely offline. Hopefully things like this will make people think a moment more not only about who they're trusting, but what they're trusting them to do.

Re:Trust what? (1)

profplump (309017) | more than 3 years ago | (#36559398)

They could just let you change the secret. Then if you lost the DB you could make the tokens work again without recovering the data, just like using hashed passwords lets you reset lost passwords.

Re:Trust what? (1)

lazlo (15906) | more than 3 years ago | (#36559586)

They won't even let you change the battery, changing the secret is right out. :)

Re:Trust what? (1)

marcosdumay (620877) | more than 3 years ago | (#36559994)

And there lies the problem. How do you trust a device that you can't touch?

Re:Trust what? (0)

Anonymous Coward | more than 3 years ago | (#36564012)

The whole point of this particular device is that you can't 'touch' it to get the secret out, and that it is friggin cheap. Now you want to add a communication channel that risks the secret and takes away the cheap?

Sure, I may not trust RSA very far, but certainly farther than I would trust you based on your expressed understanding.

(If you want a cryptocard, just say so; this presentation doesn't convey that)

Re:Trust what? (1)

MacGyver2210 (1053110) | more than 3 years ago | (#36560222)

They could generate and store all keys on an offline server, under heavy lock-and-key. Then only employee misuse and social engineering are the attack vectors. It's a lot easier to protect against.

Remember Mission: Impossible? The 'secure server' room? Do something like that (but probably on a lesser level). I like to hack into stuff, but I'm sure as hell not going to crawl through vents unless it will be a big enough score to pay off governments.

More history (1)

untruenorth (1826690) | more than 3 years ago | (#36559164)

It's a decade and a half since I studied a security masters, but I seem to recall Someone Who Knew saying approximately this: in the vast sweep of history, it hasn't tended to be the technology that's failed (unless it's laughably weak in the first place), but the humans handling the technology. If we assume the worst case about the RSA hack, that a big file full of token serial numbers, shared secrets and end-customer details went missing, then this is a human failing. That is, some dumbass probably left that lot online and connected to the network rather than offline. Agree with other commentary too, that their handling of the entire incident has been shocking. If you say nothing, people assume the worst. If you tell people that it's happened, how is this different, aside from demonstrating that customers' interests come first? Duh.

This article too is for suckers (0)

Anonymous Coward | more than 3 years ago | (#36559266)

RSA _was_ trusted by the suckers. Come again, what is a "most trusted" service?

most trusted technologies? (2)

blair1q (305137) | more than 3 years ago | (#36559420)

"(1) even the most trusted technologies fail;"

Uh, dudes.

THE INTERNET IS NOT SECURE

If you hooked your database up to the Internet, then you are the fail.

Re:most trusted technologies? (-1)

Anonymous Coward | more than 3 years ago | (#36559618)

Did you stay up all night writing that?

I keep saying... (1)

Sta7ic (819090) | more than 3 years ago | (#36559720)

I keep saying that "I don't get paid to trust people", here at work ~ most of my job is to find bugs and squash them, whether in the code or in the model files. Some days it's the model, some days it's the software, some days it's the user. Then I talked to my neighbor and learned about his soon-to-be-ex wife problems. That simply reinforced the point that I don't get paid to trust people. Then RSA, Sony, and everyone else got hacked. That really reinforced the point. So hey, don't trust people. Trust the facts instead.

Two Words: Yubikey (3, Informative)

VortexCortex (1117377) | more than 3 years ago | (#36560038)

Yubikey [yubico.com] has secure tokens that you can "seed" yourself, for use with your own authentication servers. The scam is that RSA made some idiots think there was no way to do this without their auth servers; thereby fooling fools into using a less secure system with a mandatory recurring payment for RSA (to access the auth servers).

Re-configuration of YubiKeys by customers

For high security environments, customers may select not to share the
AES key information for their YubiKeys outside of their organization.
Customers may also for other reasons want to be in control of all AES
keys programmed into the Yubikey devices. Yubico therefore supports the
use of a personalization tool to reconfigure the YubiKeys with new AES
keys and meta data.

Additionally, I prefer the model that has RFID for physical access.

Relying on an outside source to have our cryptokeys is just adding another point of failure. EVERYONE relying on them is just creating THE BIGGEST point of failure possible... Every time I talked to security-minded folks that used RSA tokens, I asked them, "So. How secure are RSA's servers? You do any security audits on them lately?" The blank expressions were priceless.
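The trust model argued over in this thread (a vendor-held seed database versus customer keyfill and re-seeding), as an added example that is not part of any comment and is not RSA's or Yubico's code. RFC 6238 TOTP stands in for the tokens' own algorithms, and `SeedStore`, `reseed`, the serial and the timestamp are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (stand-in for the token's own algorithm)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SeedStore:
    """Serial -> seed records: the data every holder must keep secret."""
    def __init__(self):
        self._seeds = {}

    def provision(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed

    def verify(self, serial: str, code: str, unix_time: int, window: int = 1) -> bool:
        """Accept codes within `window` 30-second steps of clock drift."""
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        candidates = [totp(seed, unix_time + d * 30) for d in range(-window, window + 1)]
        return any(hmac.compare_digest(c, code) for c in candidates)


def reseed(store: SeedStore, serial: str) -> bytes:
    """Customer-side keyfill: the new seed is generated and kept in-house."""
    seed = secrets.token_bytes(20)
    store.provision(serial, seed)
    return seed  # written into the token; never sent to the vendor


def demo():
    now, serial = 1_308_900_000, "TOKEN-0001"  # constructed sample values
    factory_seed = secrets.token_bytes(20)
    vendor_copy = {serial: factory_seed}  # the record the vendor retained
    customer = SeedStore()
    customer.provision(serial, factory_seed)
    before = customer.verify(serial, totp(vendor_copy[serial], now), now)
    token_seed = reseed(customer, serial)
    stale = customer.verify(serial, totp(vendor_copy[serial], now), now)
    fresh = customer.verify(serial, totp(token_seed, now), now)
    return before, stale, fresh
```

`demo()` returns whether a code computed from the vendor's retained record is accepted before the re-seed, whether it is still accepted afterwards, and whether the re-seeded token's own code is accepted.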

Blake's 7 (2)

HTH NE1 (675604) | more than 3 years ago | (#36561626)

Cally: My people have a saying: "A man who trusts can never be betrayed, only mistaken."
Avon: Life expectancy must be fairly short among your people.

Avon: Cally was murdered. So were most of her people.

Also, trusting marketing people is really stupid (1)

gweihir (88907) | more than 3 years ago | (#36562114)

They almost all lie. One of the jobs of a legal department in a large company is to ensure the marketing scum can promise you the moon and the stars and that when you find out what you actually got, you have no legal recourse.

The only way to deal with this is to a) have enough competence yourself to get suspicious early and b) hire independent, competent outside experts that cannot easily be bought or intimidated to evaluate the product. The amount of lying going on in the security industry is staggering.

Uhhh.... (1)

Tolkien (664315) | more than 3 years ago | (#36564078)

If the guy's third point wasn't so blindingly obvious to him it makes me question his qualifications as a whole.

This is why we should re-instate hostage swaps (1)

Rogerborg (306625) | more than 3 years ago | (#36565320)

Sure, we'll buy your security solution. We'll just need a contract, an SLA, and your first born son and heir. No, you can't have mine - he's currently living with our biggest customer.

I think we'd see a bit more spending on the quality assurance department then, don't you?

Trust has to be earned (1)

cheros (223479) | more than 3 years ago | (#36565364)

Trust is not something you gain by marketing or fancy words - it is defined by what you do consistently. Trust takes a long time to be built, but can be lost in an instant.

Breakthrough Authentication Technology CO for sale (1)

KevinKC (2273758) | more than 3 years ago | (#36603108)

JUNE 28th, 2011 SOLVANG, California—iMagic Software, Inc, developer of Trustable Passwords, has retained investment banking firm, Nations Media Partners, to coordinate a potential sale of the company. iMagic Software has developed a patented software technology and algorithm that authenticates a user uniquely by the way they type a password. iMagic holds the only fundamental patent for typing recognition authentication. This methodology offers a high accuracy, equal to hardware biometrics, of authentication without a hardware solution. “Trustable Passwords allows a user to create a profile used to authenticate by only seven typing samples and can be completed in 15 – 20 seconds,” Phil Boortz, President of iMagic Software, said in a statement. “The solution is easy to install on most existing web browsers, simply replacing your existing Username/Login.” “The potential application for this fully developed and tested software can be defined as anyone who uses a password and wants increased protection from unauthorized use”, said Paul Spurgeon, President of Nations Media. “Content Companies that sell a subscription service that wish to prevent sharing of subscriptions and passwords will use this software to prevent loss of revenue”. “Online Financial services companies such as banks, credit card companies and other online payment agencies as well as educational testing companies can safely authenticate a user without cumbersome hardware add-ons such as fingerprint recognition hardware”. No footprint is left behind by Trustable Passwords, meaning the authentication mechanism can not be compromised by stealing a user’s PC, phone or something else. The software is fully developed and has been fully tested with selected clients over the past two years. Since the passing of the founder and developer of this software, Steven Bender, in 2010, the board has decided to explore a sale in 2011, the company stated.
This sale offers a unique opportunity for a purchaser to license the software over a myriad of categories or as a simple solution to internal and external authentication needs. To view the Offering Memorandum of this Company, please contact Paul Spurgeon or Kevin Hancock with Nations Media Partners at paul@nationsmedia.com or kevin@nationsmedia.com. Principals only. ABOUT NATIONS MEDIA PARTNERS: Nations Media Partners is a boutique investment banking firm specializing in the divestiture, acquisition and financing for media and technology companies. The Kansas City based firm has completed over $2.7 billion in transactions since 1996. For Further information, please contact: Kevin Hancock, Director Nations Media Partners 208 W. 19th Kansas City, MO 64108 816-979-1712 kevin@nationsmedia.com