Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Cryptography 'Becoming Less Important,' Adi Shamir Says

Soulskill posted about a year ago | from the encryption-is-useless-when-users-are-also-useless dept.

Encryption 250

Trailrunner7 writes "In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and others organizations, cryptography is becoming less and less important, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm, said that security experts should be preparing for a 'post-cryptography' world. 'I definitely believe that cryptography is becoming less important. In effect, even the most secure computer systems in the most isolated locations have been penetrated over the last couple of years by a series of APTs and other advanced attacks,' Shamir said during the Cryptographers' Panel session at the RSA Conference today. 'We should rethink how we protect ourselves. Traditionally we have thought about two lines of defense. The first was to prevent the insertion of the APT with antivirus and other defenses. The second was to detect the activity of the APT once it's there. But recent history has shown us that the APT can survive both of these defenses and operate for several years.""

cancel ×

250 comments

He put the S in RSA (5, Interesting)

Anonymous Coward | about a year ago | (#43020449)

Without him, it'd just be RA, which isn't even RAD.

Re:He put the S in RSA (2, Funny)

ls671 (1122017) | about a year ago | (#43020583)

He put the S in Rivest-Shamir-Alderman

Re:He put the S in RSA (4, Informative)

a_hanso (1891616) | about a year ago | (#43020639)

He put the S in Rivest-Shamir-Alderman

You mean Adleman.

Re:He put the S in RSA (2)

ls671 (1122017) | about a year ago | (#43020701)

Holy shit , thanks for that.

https://en.wikipedia.org/wiki/Leonard_Adleman [wikipedia.org]

Re:He put the S in RSA (1)

a_hanso (1891616) | about a year ago | (#43020919)

No problem. I used to do the exact same thing!

Re:He put the S in RSA (2)

noh8rz10 (2716597) | about a year ago | (#43020949)

Thank you for helping with the acronyms, but what the feck is APT?

Re:He put the S in RSA (4, Informative)

schitso (2541028) | about a year ago | (#43020969)

Advanced, persistent threat.

Re:He put the S in RSA (1)

treeves (963993) | about a year ago | (#43021019)

Well, he did say that everything he writes is lies. Had to stay true to form.

Re:He put the S in RSA (1)

EETech1 (1179269) | about a year ago | (#43021187)

Looks like he could have quite the neckbeard if he wanted to:)

Re:He put the S in RSA (0)

gmuslera (3436) | about a year ago | (#43021199)

Thats why you should use AES-256. Breaking the encryption in RSA is just transposing one letter..

no (5, Insightful)

masternerdguy (2468142) | about a year ago | (#43020453)

Encryption is the best anti-tampering mechanism you have in computing. Well placed encryption protects OS data from tampering, user data from theft, and sensitive communications secured. It's only getting more important.

Re:no (0)

Anonymous Coward | about a year ago | (#43020503)

what about a root kit that installs itself above the OS?

Re:no (4, Insightful)

masternerdguy (2468142) | about a year ago | (#43020523)

Code signing to the rescue but slashdotters seem to hate that idea.

Re:no (4, Insightful)

masternerdguy (2468142) | about a year ago | (#43020533)

Before I get flamed, it is possible to do code signing without using it for evil. It's a tool like anything else.

Re:no (0, Troll)

Anonymous Coward | about a year ago | (#43021029)

Yes. In the same way that a gun is a tool for killing, so code signing is a tool for evil.

Re:no (0, Insightful)

Anonymous Coward | about a year ago | (#43021215)

Yes. In the same way that a gun is a tool for killing, so code signing is a tool for evil.

You are a simple-minded fool.

Killing is not always bad. And guns are efficient tools when killing needs
to be done.

Or maybe you'd rather try to "negotiate" when scum who have invaded your home
are interested in raping your wife and daughter while they make you watch ?

Do you actually believe the police are going to save you in the above scenario ?
That is the sort of fantasy naive children entertain. Adults know better.

Re:no (5, Insightful)

jonwil (467024) | about a year ago | (#43020561)

Slashdotters (including myself) dont hate code signing, they just hate code signing where the owner of the computer does not control what gets signed and what can run.

Re:no (1, Insightful)

Kaenneth (82978) | about a year ago | (#43020763)

The problem is most owners have no clue how to do code signing, and would rather their equipment/software vendor take care of it.

My car door/ignition lock came from the factory; I have no idea how to fix it if something goes wrong, but that's fine by me, since for more than 10 years it has just worked.

The best encryption is transparent to the user; most people won't notice if a link uses HTTP or HTTPS, a bright red bar might get their attention, but that's about it.

Re:no (3, Insightful)

Anonymous Coward | about a year ago | (#43020825)

Its fine for someone else to take care of it. The problem is when you complicate it for those who don't want someone else taking care of it. The reasons it is being done differ from those stated. They are doing it with malicious intent.

Re:no (3, Insightful)

Anonymous Coward | about a year ago | (#43021127)

Exactly. When the code signing process can not be initiated by the end user should they chose to sign an unsigned executable. It's just asking the vendors of your hardware and OS to establish a monopoly on your user experience by locking out competition.

This current system of all-or-nothing needs to go unless they offer an easy but out of the way means of signing an executable. All the current system does is make dumb users choose the nothing route and forgo all of the transparent benefits of the all route.

Hell stick the signer in a control panel app or similar easy to access location. Restrict it to administrative/root level for usage. That's enough to deter anyone from using it unless it's needed. The process should not be so obscure that you must resort to potentially malicious 3rd party sources just to get started. Especially with all the self-proclaimed experts out there that regularly dish out advice like "disable UAC" instead of pointing out the simple process to give an individual program automatically elevated privileges.

Re:no (2)

Kaenneth (82978) | about a year ago | (#43021233)

For code signing, if you could sign everything yourself, what stops malware (or an attacker with temporary physical access) with the same privileges as the user from doing the exact same operations, and signing itself to install a rootkit?

Re:no (0)

Anonymous Coward | about a year ago | (#43021013)

No. I honestly hate code signing.

Re:no (1)

Junta (36770) | about a year ago | (#43021149)

The problem is the execution. In my mind SecureBoot both restricts the user power *and* comes up short of a comprehensive solution. I can't imagine a comprehensive solution that wouldn't completely supersede SecureBoot strategy and allow user control.

Re:no (1)

EETech1 (1179269) | about a year ago | (#43021155)

Seems they've gotten to Bit-9, and found ways to get around that too.

OS security needs to have a major makeover, zero days for sale to the highest bidder, state sponsored malware with forged certs, vulnerabilities everywhere.

It's getting scary on the ol' Interweb...

She ain't what she used to be

Re:no (5, Insightful)

happylight (600739) | about a year ago | (#43020597)

I think the point is no encryption is going to protect you from users installing malware, buggy software, or just plain hand over data unknowingly. Next to no attackers would attack the cryptography itself. The weakest link is always somewhere else.

Re:no (4, Insightful)

masternerdguy (2468142) | about a year ago | (#43020621)

Crypto is part of a full solution containing (crypto), proper segregation of permissions, proper segregation of user data / accounts, proper firewall configuration, proper software configuration, patching vulnurabilities, malware detection (lots of solutions on Windows, chkrootkit on linux), and user education. If I forgot anything add it to the list.

Re:no (4, Insightful)

swilde23 (874551) | about a year ago | (#43020849)

user education should be printed in all caps, bold, underlined, comic sans, etc...

At some point, unless we develop new algorithms that utterly break how current encryption algorithms behave (which I know I know, is a possibility... and of course the NSA has it already)... your weakest point is not going to be the computer. It's going to be the lackey at the front-desk happily letting a "tech" in (physically or electronically)

Re:no (4, Insightful)

demonlapin (527802) | about a year ago | (#43021279)

This is true but unfortunately irrelevant. You can do all the user education in the world and it means nothing if the IT staff are idiots.

I have a handful of fairly secure passwords. They're reasonably long, are incredibly easy for me to memorize, and don't rely on any details of my life (pets, wife, kids, birthday, etc.). But I have to deal with websites that demand a series of ridiculous standards: some require (thank you, AmEx) a number in the username, some require passwords to have number, capital letter, and symbol. I spent a lot of damned time figuring out a password that people can't guess, and I can't use it because I can't remember the rules for any random website - so I have to get a password reset email sent to me in plaintext. And on top of that, I can't use a password I've used before - so every time I log into a website I rarely use, I have to reset the password to something I will forget in a few days. I'd use something like Keepass but I need to be able to log in from non-home computers.

Re:no (3, Insightful)

happylight (600739) | about a year ago | (#43021009)

What you're referring to is more often called information security. Cryptography usually just refers to the methods, algorithms, and protocols of transferring data.

But there's little point in arguing the semantics of words. I think we can all agree the human factor plays a large part in almost all intrusions these days.

Re:no (0)

Anonymous Coward | about a year ago | (#43021109)

System administrators are severely overestimating themselves if they think they can keep an intelligence agency off their network. These organisations have millions of dollars and thousands of extremely skilled employees. And they're not just masters at the technical aspects. Adversaries might even have access to the source code of windows and who knows what else they might know and have. They are ahead of the curve, because that's what they're all about. They will find a way in no matter what you do, you will always be a sitting duck. There is just too much attack surface, and no possibility of retaliation.

Re:no (1)

Anonymous Coward | about a year ago | (#43020667)

And, in the short term, current cryptographic techniques may be good enough that focus needs to be placed on these other links.

Re:no (1)

Anonymous Coward | about a year ago | (#43020669)

Most of the attacks came by email from unknown senders. If we started using encrypted e-mail to verify authenticity, wouldn't that drastically lower the chance of being infected? By default you would never open files if they were never signed.

Re:no (1)

viperidaenz (2515578) | about a year ago | (#43020979)

Unless the subject of the email is "NAKED PICTURES OF " Then Average Joe will dismiss all warnings without reading them.

Re: no (0)

Anonymous Coward | about a year ago | (#43021051)

I keep clicking on your comment, but the pictures don't appear.

Re:no (2)

Sulphur (1548251) | about a year ago | (#43021091)

Unless the subject of the email is "NAKED PICTURES OF " Then Average Joe will dismiss all warnings without reading them.

Hillary Clinton?

Re:no (2)

ceoyoyo (59147) | about a year ago | (#43020879)

The weakest link is the encryption if you don't have any.

Encryption has just become so important, and so good, that attackers are forced to look elsewhere.

Re:no (1)

SternisheFan (2529412) | about a year ago | (#43021291)

When you build a better safe, there will always be a better safecracker. Same applies to encryption.

Re:no (1)

Anonymous Coward | about a year ago | (#43021081)

I think the canonical formulation of what you just said is that people aren't attacking the crypto, they're attacking how it's used. (And it's working.)

Encryption doesn't protect you (1)

elucido (870205) | about a year ago | (#43021135)

so if you know the information the enemy will find out through you.

Re:no (1)

ls671 (1122017) | about a year ago | (#43020643)

Encryption is the best anti-tampering mechanism you have in computing

Let me disagree; the best anti-tampering mechanism is checksums taken from preferably remote access to the file system from a highly protected host. md5sum and the like are your friend to find 0 day exploit root kits.

Note that this is line with what Rivest-Shamir-Alderman Adi Shamir is trying to warn us about.

Re:no (1)

Clarious (1177725) | about a year ago | (#43020925)

MD5 isn't that secure, and AFAIK SHA1 usage is not recommended due to near future threats too. The system you referred to is just the same one as my laptop, with the TPM chip as the 'highly protected host'.

Re:no (3, Insightful)

ls671 (1122017) | about a year ago | (#43021047)

I don't give a damn about how secure it is, I could even use crc-32 if the snapshot takes too long. The idea is only to be alerted about unexpected file changes, especially system executable like; top, login, w, etc. but you should look wider.

1) Take periodic checksums
2) Have differences reported
3) If they don't match documented updates you have an intruder.

That's why it is recommended to run the checksum program from a secluded host because the rootkit hopefully won't have had a chance to get at the checksum program on the secluded host. View that host as the ultimate secured host in a good rsync backup strategy, the CA in a good PKI strategy, etc...

It used to be common practice in the old days to take periodic checksums to detect intrusion into systems. Now, with all the fancy IDS solutions around, it seems to be less used but I do not see anything that really replaces it yet.

Re:no (1)

ls671 (1122017) | about a year ago | (#43021093)

Easy analogy: In spy movies, they put a tiny piece of something between the door frame and the door when leaving. If not there when back, then you have an intruder.

Same basic principle.

Re:no (2)

the_B0fh (208483) | about a year ago | (#43020953)

bah. 15 years ago, there was a post on BugTraq about this internet mapping that someone was doing. The systems were running redhat, everything was locked down, tripwired, only thing running was ssh, and it required certs to get in.

The guy felt something was wrong. Compared tripwired hashes to what was on the disk. Everything looked good. lsmod, ps -ef, netstat -an, everything looked kosher.

A couple of days later, he decided to take the system down anyway, and run an offline tripwire. Found shit.

Can you figure out how they got in?

Re:no (2)

jythie (914043) | about a year ago | (#43021083)

keyboard?

Re:no (1)

tibman (623933) | about a year ago | (#43021309)

15 Years ago there were bugs in ssh?

Re:no (1)

a_hanso (1891616) | about a year ago | (#43021085)

Exactly. Securing the data is not much use if the programs accessing that data are compromised. If the encryption program is conning you into thinking that your data has been securely encrypted, you're screwed. I'm not an expert in this area, but I don't know why this approach is not more widespread.

Re:no (0)

Anonymous Coward | about a year ago | (#43020785)

Encryption is the best anti-tampering mechanism you have in computing. Well placed encryption protects OS data from tampering, user data from theft, and sensitive communications secured. It's only getting more important.

Do not confuse importance with relevance. I believe that was the point he was trying to make. Seems no matter what crypto we use, it's been rather proven that attacks can live below that level and remain undetected. Thus the logical conclusion is use crypto pointlessly, or don't use it at all.

Re:no (0)

Anonymous Coward | about a year ago | (#43021317)

Exactly - if people were encrypting more of the data they have at rest, these breaches wouldn't be so damaging.

For example, companies handing payment card information have to comply with various PCI requirements regarding things such as never storing credit card information in clear text. If companies would treat other personal info (such as email addresses, names, snail mail addresses, etc) with the same level of concern and keep them encrypted as well, then these attacks wold be far less profitable to the attackers, and there would be fewer of them.

Re:no (0)

Anonymous Coward | about a year ago | (#43021381)

How about this: Whenever someone is caught deliberately hacking into a computer system, distributing spy/malware or running a bot net work, we take him/her out and shoot them in the fucking head?

Really, this is like debating how we are going to protect ourselves from muggers by wearing Kevlar and and helmet. Find the perps and deal with them. If fucking China is hacking into our systems,. cut them off. I mean send a ship and sever the cables to China. God Damn you people are such pussies.

Dress for suck-(cess) (1)

Anonymous Coward | about a year ago | (#43020471)

My vote is for just giving up and letting the bad guys have their way with us.

Re:Dress for suck-(cess) (1)

Anonymous Coward | about a year ago | (#43020581)

You mean business as usual for a lot of companies? I've heard the adage, "security has no ROI" way too many times... with its companion, "Tata or Geek Squad can fix anything."

Re:Dress for suck-(cess) (1)

mhajicek (1582795) | about a year ago | (#43020929)

Security has no ROI, but a lack thereof has a negative ROI. It may be better received if called "loss prevention".

Re:Dress for suck-(cess) (1)

viperidaenz (2515578) | about a year ago | (#43021097)

Tatas [reference.com] fix a lot of things, but security isn't one of them.

Re:Dress for suck-(cess) (1)

eksith (2776419) | about a year ago | (#43020637)

No... long answer, no way in hell and you can take my PGP from cold dead hands.

Re:Dress for suck-(cess) (5, Informative)

vux984 (928602) | about a year ago | (#43020827)

His point wasn't that cryptography wasn't useful, but simply that dealing with modern threats doesn't require "better cryptography" because modern threats aren't attacking the crypto. They are attacking the public key infrastructure (PKI), they are attacking the end points before encryption/after decryption.

Our security focus is there.
In other words, PGP doesn't protect your email, if you have a virus on your system sending everything to an attacker after its decrypted. PGP doesn't protect your email if the PKI is hacked, and you are signing mail with public keys generated by people impersonating the intended recipients.

Etc. Etc.

A better PGP crypto algorithm isn't going to help you here.

Re:Dress for suck-(cess) (1)

viperidaenz (2515578) | about a year ago | (#43021067)

I don't need to take your PGP, I just need to take your private key.

APT (5, Insightful)

Anonymous Coward | about a year ago | (#43020473)

Would have been nice to define APT...

Re:APT (5, Informative)

Dizzer (251533) | about a year ago | (#43020485)

Advanced Persistent Threat

Re:APT (5, Informative)

Frosty Piss (770223) | about a year ago | (#43020501)

Re:APT (-1)

Anonymous Coward | about a year ago | (#43020975)

Very Informative!

Re:APT (-1)

Anonymous Coward | about a year ago | (#43020991)

Very Redundant!

Re:APT (1)

Nerdfest (867930) | about a year ago | (#43020495)

I'm guessing "Advanced Persistent Threat", but I may be wrong. Yes, It would have been nice to define it at first use.

Re:APT (2)

Omnifarious (11933) | about a year ago | (#43020515)

I agree. Making it an acronym makes an annoying piece of jargon slightly inscrutable for people who aren't conversant with the field. APT in this case refers to Advanced Persistent Threat [wikipedia.org] .

Re:APT (4, Insightful)

fuzzyfuzzyfungus (1223518) | about a year ago | (#43020587)

It's doubly annoying because(in PR-flack ass-covering speak) an "Advanced Persistent Threat" is "Any bad guy smarter than our dumbest sysadmin's stupidest mistake".

It might have been a clear category at one point(and there still are attackers who are pretty clearly both advanced and persistent); but the constant "Well, we could say 'gosh, we fucked up, how stupid of us.' or we could say 'It was and Advanced Persistent Threat, total national security shit, probably chinamen or something!'" pressure hasn't helped...

Re:APT (4, Insightful)

obarthelemy (160321) | about a year ago | (#43020737)

Actually, I know plenty of intelligent people who make mistakes. Almost as many as retards who take pleasure in calling others out.

Re:APT (1)

Anonymous Coward | about a year ago | (#43020775)

"APT-get" is a well known tool available to Debian users for upgrading all the advanced, persistant and threatening installed packages on their pc.

Re:APT (5, Funny)

Score Whore (32328) | about a year ago | (#43020813)

Always Perky Titties. The thing is the nerds in IT are easily distracted by some nice sweater stretchers which enables the bad guys to have their way with the servers while the boobs are bouncing around.

Re:APT (1)

the_B0fh (208483) | about a year ago | (#43020959)

damn, I wish I hadn't commented previously!

Depends on your threat model (3, Informative)

Omnifarious (11933) | about a year ago | (#43020527)

If you're trying to protect your big organization against foreign spies, yes. If you are a little guy who wants to communicate without having that communication be laid wide open for a large organization to see, then I think encryption is still pretty useful. Even if just because managing all those separate unique intrusions over a long period of time requires a lot more resources than just tapping into a trunk line.

Re:Depends on your threat model (1)

Anonymous Coward | about a year ago | (#43020659)

If you're trying to protect your big organization against foreign spies, yes.

It's still useful and important. Not foolproof, but useful and important.

The way I do security (5, Interesting)

Anonymous Coward | about a year ago | (#43020559)

I have a PC that I use for all of my financial stuff, record keeping, and other critical data. I don't encrypt the hard drive. I don't even password protect files.

You know how I do security for the PC that handles my most critical data?

It's not plugged into the fucking Internet. That's how.

Re:The way I do security (5, Insightful)

masternerdguy (2468142) | about a year ago | (#43020645)

Have fun when Joe the Burgler takes your computer.

Re:The way I do security (0, Redundant)

godel_56 (1287256) | about a year ago | (#43020657)

I have a PC that I use for all of my financial stuff, record keeping, and other critical data. I don't encrypt the hard drive. I don't even password protect files.

You know how I do security for the PC that handles my most critical data?

It's not plugged into the fucking Internet. That's how.

And wha

Re:The way I do security (2)

godel_56 (1287256) | about a year ago | (#43020671)

I have a PC that I use for all of my financial stuff, record keeping, and other critical data. I don't encrypt the hard drive. I don't even password protect files.

You know how I do security for the PC that handles my most critical data?

It's not plugged into the fucking Internet. That's how.

And what do you rely on if your computer gets stolen? How about if your computer suddenly craps out and you have to take it in for repair, and the repair shop has full access to all your files as soon as the power supply is fixed?

Re:The way I do security (0)

Anonymous Coward | about a year ago | (#43020921)

People still take their computers to repair shops? Everyone I know either fixes it themselves or they just buy a new one.

In any case, there's no reason you couldn't just take your hard drive out and throw in an empty spare drive before taking it to the shop.

Re:The way I do security (1)

masternerdguy (2468142) | about a year ago | (#43021057)

I fix the computers of friends and co workers all the time.

Re:The way I do security (2)

cffrost (885375) | about a year ago | (#43021141)

How about if your computer suddenly craps out and you have to take it in for repair, and the repair shop has full access to all your files as soon as the power supply is fixed?

Why would somebody (particularly somebody who posts on Slashdot) haul the entire machine to a repair shop to replace a dead PSU? Five minutes with a Phillips-head screwdriver and a replacement PSU — done.

Re:The way I do security (0)

Anonymous Coward | about a year ago | (#43021339)

Why would somebody (particularly somebody who posts on Slashdot) haul the entire machine to a repair shop to replace a dead PSU?

Because a lot of people have no inkling of what they're doing and, to these people, computers are just magic boxes.

Re:The way I do security (2)

CRCulver (715279) | about a year ago | (#43020685)

If you move records from an internet-connected computer to this isolated computer via a removable drive, you may still be susceptible to attack. After all, Stuxnet and other viruses have spread this way. Viruses were already a problem for PC users long before network-connected device. And even if the computer is totally isolated from both networks and USB drives, the data can still be compromised through a TEMPEST attack (assuming you were a target for a state or especially savvy organized crime network).

Re:The way I do security (3, Insightful)

swilde23 (874551) | about a year ago | (#43020833)

I think what most of the people responding to this post aren't realizing (or acknowledging) is that your security needs to be appropriate for the data it's protecting.

If we're talking about a corporations backbone, then yeah saying "it's not connected to the internet" isn't acceptable.

If instead we're talking about some John Doe's personal data, then you aren't going to be attacked in the same way. Keeping it on a drive that has no internet access is probably good enough.

Re:The way I do security (1)

jythie (914043) | about a year ago | (#43021311)

Not only that, but people are not really taking the APT element into account. The security that is appropriate for a computer siting around that no one knows about is pretty different from the security useful for when you have a targeted attack by a motivated entity. Even if you are just some random individual, a persistant attacker would probably do things like break into your house...

APT is the new WMD (-1)

Anonymous Coward | about a year ago | (#43020663)

One retard point earned each time you spam it in your message. This article contains five occurences. That's the new trend for the next two decades, brace your anusses.

http://www.urbandictionary.com/define.php?term=wmd

1.Weapons of Mass Destruction--A mythical concept that lives in the minds of paranoid, old, white guys and is used to scare the public and gather support for attacking another country.
(also see bogeyman)
2.A term used to generate income for Haliburton.
3.Something that the US is permitted to own, but reserves the right to determine which other countries may also own them.

If we can convice Americans that Iraq has WMDs, we can kick the snot out of them and pay Haliburton to rebuild the place.

Write better code!!! (-1)

Anonymous Coward | about a year ago | (#43020687)

The real trick is to teach people to code in languages which make bad code difficult!

Teaching kids to code at a younger age like we do with foreign language skills would be an excellent start.

Instead of teaching kids to speak foreign languages we should be teaching them to code in 1st grade. It doesn't mean they have to be fluent at it. Just basic stuff like print statements, for loops, and things of that nature. Just getting the terminology and wording down would be a big head start.

By the time they get to middle school they should be covering topics in depth. There is no reason a 13 year old can't learn to hack the Linux kernel. Right now its just not being taught and the kids who who have hacked the kernel were self-motivated/taught.

Re:Write better code!!! (0)

Anonymous Coward | about a year ago | (#43020973)

kids who who have hacked the kernel were self-motivated/taught.

These are the only ones that the industry needs. The rest can fuck right off. It won't help to teach kids programming (shit I mean coding, nobody programs anything anymore)if they aren't interested. They will do the laziest shit they can get away with, and it won't matter what language you use the better idiot will be born. The age of the App is upon us. Have fun with all these lil' coders that don't know they didn't program shit and they are just using templates and can't even debug AT ALL because "the compiler won't let me make a mistake."
I just hope nobody wonders why most of their computers resources are devoted to error correction. It's fucking obvious now.

Translation: (3, Insightful)

gman003 (1693318) | about a year ago | (#43020761)

Encryption doesn't do shit if they're grabbing it before encryption or after decryption. It's not a magic security bullet. It has its uses, but now it's become easier for Eve to hack Alice and read the plaintext than to intercept and brute-force the ciphertext. And when Alice is talking to not just Bob, but Carol and Dave, well, that makes Alice a high-value target worth spending time on.

Understandable (1)

Anonymous Coward | about a year ago | (#43020809)

In a world where cryptography gets used for DRM purposes, it is not surprising to think that someone would say it was "becoming less important".
If you understand cryptography, you know that the opposite is true: It is absolutely essential and therefore extremely important.
It is not a silver bullet designed to kill every security problem; nothing ever will be. That doesn't mean it's not important.

perhaps differently put (2)

ewertz (1191025) | about a year ago | (#43020855)

Perhaps it's really just that encryption is a lesser part of the total solution, so in that respect, it's relatively less important than it used to be.

Now get that meat off of my cyberlawn!

Security was never about encryption (4, Interesting)

qbitslayer (2567421) | about a year ago | (#43020883)

The use of encryption is only intended to provide a way for legitimate remote users to gain supervised access to the system without having to hack into it. The real culprit behind bad security is software reliability. Attackers look for and try to exploit the defects in the software. Why is software defective? Because (it's the bugs, stupid!) the Turing/Von Neumann model of computing is inherently insecure and unreliable. Why? Because timing is not an essential part of the model. I predict that this decade will see the end of the Turing madness [blogspot.com] and that the future of computing is non-algorithmic [blogspot.com] . There is no alternative and the sooner, the better.

Re:Security was never about encryption (1)

hamster_nz (656572) | about a year ago | (#43021289)

I've read the links, and that is an awfully long bow to draw.

The use of encryption is to try and limit information to those that are intended to see it.

None of the ideas on your blogs address how to "end the Turing madness" in a way that will still allow you to post on Slashdot.

This guy (0)

Anonymous Coward | about a year ago | (#43020901)

hates bitcoin.

certificates (3, Insightful)

manu0601 (2221348) | about a year ago | (#43020965)

From TFA

One way to help shore up defenses would be to improve--or replace--the existing certificate authority infrastructure, the panelists said

Indeed. IMO SSL public keys could be stored in DNSsec protected DNS records. That way one would only have to trust the manager of the root zone and the TLD, which would be a good improvement compared to the CA debacle.

Wasted CPU cycles (0)

Anonymous Coward | about a year ago | (#43020981)

If you really want to protect your network, disconnect it from the internet. Encryption should be used to prevent sniffing or try to stop it anyways, in the intranet as a secondary defense. If you actually need the internet, you should have 2 networks, one with your internet facing servers, then a firewall allowing very specific access to the intranet network and heavy monitoring.

Active Defense System (2)

wakeboarder (2695839) | about a year ago | (#43021089)

Why can't you build a system to monitor and defend against attacks? Once a virus gains control of your system it is quite easy to find and remove based on file signatures (time installed,ect). If you know what you have and something changes you should be able to identify it. It would be easy to identify attacks on a network when things go outside the norm. "Well, lets see somebody opened up a bunch of ports and is transferring files to some random IP in X country that isn't on my list of recently accessed http sites, I think I'll shut those down. Oh, a user is downloading 20% more classified files than normal users, maybe we should pay him a visit and shut down his access until we figure out what is going on. Implementing such a system would be difficult, but patterns should be statistical and you should be able to see most of what goes on. Yes people could slip through the cracks, but if you develop a good model, you should be able to spot the differences between malicious and normal behavior.

relative (0)

e**(i pi)-1 (462311) | about a year ago | (#43021103)

The quote was clearly understood "relative to other measures". Besides that one has to keep in mind that the top experts are often wrong [smithsonianmag.com] . Look at some quotes [heartquotes.net] :
  • Everything that can be invented has been invented
  • Who wants to hear actors talk?
  • There is no reason anyone would want a computer in their home.
  • The bomb will never go off. I speak as an expert in explosives.

Legal system threats (1, Troll)

gmuslera (3436) | about a year ago | (#43021249)

Another reason that it could become less important is if the zone becomes a patent [theregister.co.uk] minefield. Maybe math is not patentable, or shouldn't be (but even natural genes get patented) but there are enough borders around it that could be used as excuse that could be a tool to force only the use of "approved" encryption methods.

Is he saying about all uses of cryptography? (2)

osoriojr (1671500) | about a year ago | (#43021253)

Governments are trying to follow all our steps over the internet, intercepting and parsing everything we do. Encrypting our communications and trying to encrypt everything is the secure method to make the Internet freedom to us all.

Re:Is he saying about all uses of cryptography? (2)

compro01 (777531) | about a year ago | (#43021465)

What's he's saying is encryption doesn't matter if there's shit in the system grabbing your stuff before the encryption or after the decryption.

He's probably just fed up. (4, Interesting)

Animats (122034) | about a year ago | (#43021267)

I suspect he's just fed up with the state of software security, which is appallingly bad. We now have patch-and-release on everything. This turns out to be a failed strategy against competent attackers.

I used to work on secure microkernels in the 1980s. I thought that by now we'd have provably secure microkernels in ROM with a mandatory security model enforced. Systems like that have been built a few times for the three-letter agencies, but never went mainstream. Instead, we have bloated operating systems with a high churn rate, and far too much trusted software per system.

Ballmer used to call this "strategic complexity". As Ballmer once put it, when asked why Microsoft kept adding functions to Windows, "If we stopped adding functions to Windows, it would become a commodity, like a BIOS. And Microsoft is not in the BIOS business".

Most applications should be running with far less privileges than they have. But if they are locked down properly, their ad tracking, update checking, and self-modification won't work. The user would actually be in charge.

Cryptography only provides a secure way to communicate between secure regions. If there are few or no secure regions, it doesn't help much.

Article leaves out some steps... (1)

khb (266593) | about a year ago | (#43021379)

Upon reflection, and not surprisingly, the expert has made a good point.

If due to an Advanced Persistent Threat (APT), your secret data was captured after it was decoded (as it must be to be actively used, or created, or transferred, at some point) or if the private keys are compromised (either due to torture, pressure on appropriate authorities, or captured as created (see above)) the benefit(s) of encryption are greatly reduced (even if the cryptosystem itself is very secure).

It is a bit of a chilling thought, and yes other posters have pointed to various good zones of defense, but Shamir's point is that some existing APTs in the wild have penetrated to the deepest levels.

As for the "air gap" method, as has been pointed out in other places, that's often compromised even for very secure infrastructures by people with laptops, cellphones, or compromised printers that are moved from one side of the "air gap" to the other....

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...