Enhanced security can solve many issues, but it can't
improve the thing that sits between the keyboard and the chair - the
user - a cryptographers' panel concluded Tuesday.
The panel, a staple of the RSA Conference here, invited four of the
industry's luminaries on stage with Bruce Schneier, author and chief
technology officer at Counterpane Internet Security, to discuss the
evolution of cryptography. The discussion soon turned to recent
failures in information security, however, including the recent leak
of some of Microsoft Corp.'s source code and the knotty security
problem of social engineering.
Each panelist - Whitfield Diffie, chief security officer at Sun
Microsystems Inc.; Paul Kocher, president and chief scientist at
Cryptography Research Inc.; Ron Rivest, Viterbi professor of computer
science at the Massachusetts Institute of Technology; and Adi Shamir,
professor at the Weizmann Institute of Science in Israel - came to the
panel with his own view of security priorities. Rivest, for example,
was concerned with the policy of security., Diffie, on the other hand,
said the industry was shaping up for a battle over DRM.
Increasingly, the panelists said, security experts' challenges have
had less to do with the intricacies of cryptosystems used to wrap code
than the real-world intricacies of standards and government
guidelines. Rivest cited the case of Diebold Systems Inc.'s electronic
voting machine code, which was found on the Internet and quickly
picked apart as insecure. Until a grass-roots movement pushed for
paper-based records to prove a voter cast a ballot for one candidate
over another, the Diebold machine did not allow for independent
verification of results.
"Why am I, as a cryptographer, talking about such things?" Rivest
asked, citing Archimedes' maxim: "Give me one smooth spot to stand on
and I will move the world." "We have great levers to move things, if
we have a smooth spot to stand on," Rivest said. "We have secure
platforms and secure keys to move the earth a bit."
Similarly, Kocher said he was "terrified" of the only solution he saw
to enforcing consumer privacy—government regulation. While consumers
have a strong incentive to maintain their privacy, law-enforcement
agencies and large corporations do not, he said.
Part of the fear engendered by government regulation is additional
laws, which tend to entangle and complicate the flow of information,
panelists said. For example, Kocher said, he was advised by his lawyer
not to examine the leaked Microsoft code.
"So we're in an awkward situation that is almost the worst of all
possible worlds," he said. "We can't look at proprietary systems to
improve our code, but the bad guys can."
Diffie, meanwhile, focused on a fight he said is looming over the
definition and implementation of digital-rights-management. Citing the
recent lawsuits by the Recording Instiitute of American Artists
(RIAA), Diffie said that the notion of compensating copyright holders
had evolved into a situation in which those copyright holders had
begun to dictate how consumers could use it. "Soon you'll only be able
to buy a machine … where you won't be able to tell it what you want to
do and it does it," he said.
The panel failed to propose a solution for one of the most pernicious
and pervasive security problems: the problem of the user itself.
"Phishing" scams and other techniques to wrest personal information
from users won't go away easily, they agreed.
In perhaps the only actual discussion of cryptography, the Weizmann
Institute's Shamir said the sun was setting on stream ciphers used to
encode real-time data streams. Instead, the power of today's
microprocessors could be used to encode data in blocks via block
ciphers, which are more powerful but require a large amount of
information to be buffered and then encoded.
© 2008; SpywareUninstaller.com Group Project; All Rights Reserved.