ENTRIES TAGGED "encryption"
This controversy impacts everyone (and here's what we can do about it)
As a cyber security author and CEO of a security consulting company, I was personally shocked by RSA’s attitude about the alleged secret payments it received from the NSA as well as its willingness to weaken its BSAFE product, especially after the weakness became public in 2006. I was even more shocked by the lack of outrage shown by many security bloggers, analysts, and security company executives.
The count of speakers canceling in protest has reached 13: speakers who have withdrawn talks they were scheduled to give at the RSA Conference (RSAC) next week, first and most notably Mikko Hypponen, who published this open letter. A few outraged others have also spoken out about their decision to cancel their talks, including Dave Kearns and, via Twitter, Adam Langley and Josh Thomas.
When will Adobe disclose the full extent of its breach to users?
Over the last week, the analysis of the Adobe breach has gotten more interesting.
The actual file itself has been available via BitTorrent. I found a torrent file and looked through it myself. If you’re interested, note that the torrent gets you a 4+GB zip of the actual 10GB of text.
Paul Ducklin at Sophos has published a very good analysis of the contents of that file. The summary is that each record has an account number, an account name, an email address, the encrypted password, and the person’s password hint.
Not just paying attention, but starting over
Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that “we need to start planning for a computing world with minimal trust.”
So what are our options? I’m not sure if this ordering goes precisely from worst to best, but today this order seems sensible.
Stay the Course
This situation may not be that bad, right?
Is protecting open processes possible?
I was somewhat surprised, despite my paranoia, by the extent of NSA data collection. I was very surprised, though, to find the New York Times reporting that NSA seems to have eased its data collection challenge by weakening security standards generally:
Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.
Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.
Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”
The Guardian tells a similar story. It’s not just commercial software, where the path seemed direct, but open standards and software where it seems like it should have been harder.
I was very happy to wake up to a piece from the IETF emphasizing their commitment to strengthening security. There’s one problem, though, in its claim that:
IETF participants want to build secure and deployable systems for all Internet users
Last week’s revelations make it sadly clear that not all IETF participants are excited about creating genuinely secure systems.