Slashdot Mirror


Current Crypto Trends with Bruce Schneier

Saint Aardvark writes "SecurityFocus has published an interview with Bruce Schneier. Fascinating stuff, especially the level-headed assessments of the NSA, spam and the impact of full disclosure: 'Q: Since most crypto protocols on the internet, such as SSL or SSH, uses public-keys to build a secure channel, wouldn't a unexpected public disclosure create a chaos on the internet ? A: No. Chaos is hard to create, even on the Internet. Here's an example. Go to Amazon.com. Buy a book without using SSL. Watch the total lack of chaos.'"

10 of 196 comments

  1. Interesting interview... by nacturation · · Score: 5, Insightful

    Is it just me, or does the interview read mostly like "Stop asking me dumb questions"?

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Interesting interview... by spidereyes · · Score: 3, Insightful

      It does, but it's nice to see someone with some balls for once give clear-cut answers and actual references instead of the usual poppycock which has become standard. Most of the stuff you read is filled with so much fluff it's painful to read; Bruce just put it out there clear and simple.

      --

      I say we just grow up, be adults and die.
  2. Please stop abusing the English language by lelitsch · · Score: 5, Insightful

    I am certainly no grammar Nazi--actually, English is my third language, so I am far from perfect. But for the love of God, could the people at Security Focus please try to do some rudimentary editing and proofreading? I don't mind typos, but some of their questions are so wrong that they are very hard to read and understand.

    "Do you think that NSA is promoting ECC based crypto because they cannot crack RSA/DSA based one?"

    What?

    "Or maybe just because they can crack RSA/DSA they prefer to protect USbusiness with ECC (supposed to be harder to crack)?"

    Huh?

    "What about crypto monopoly? Don't you think that having just a couple of public-key algorithms based on the same math problem could lead to a catastrophe if cracked ?"

    This doesn't follow any European-language grammar.

    But the next question takes the cake:

    "Why is often used a money-rewarded challenge to verify a crypto algorithm?"

  3. Uncrackable? by hoka · · Score: 3, Insightful

    Puh-leaze. While in a reasonable amount of time he is contextually correct, "uncrackable" indicates that there is no way of cracking the code, which isn't true. These things can all be brute forced, even though it might take a really, really long time to crack.

  4. Re:He didn't answer the question by Spiked_Three · · Score: 5, Insightful

    Not true. I send my credit card through un-encrypted email all the time. People on the receiving end freak out and go into panic. Guess what? Never had a bit of trouble.
    I hate to say it, but most of the people running around crying 'the secure sky is falling' are clueless (vast majority) or are trying to make money from it (Schneier et al.).
    Crypto is part of a total solution. And as is always the case, the weakest link determines the overall strength. You can have the best military encryption on the planet, and if you write your password on a sticky note and tack it to the bottom of your keyboard the encryption doesn't do dick. There are far too many weak points on the internet, for someone who knows what is really going on, to get very excited about encryption.
    How many of the thousands of ID thefts that occurred recently (Bank of America) were originated on a secure (SSL?) link? Answer: probably all of them. See? SSL isn't really all that helpful. It's one of those markets that was created to make money, and the vast majority of the public believe they are buying value.
    While I generally take everything Schneier says with a grain of salt (because I know he says what someone pays him to say), I'd have to agree with him on this one. No panic, no chaos, no big deal.

    --
    slashdot troll = you make a compelling argument I do not like the implications of.
  5. Well, in defense of Schneier's succinct responses by MmmmAqua · · Score: 4, Insightful

    I don't think the interviewer has much knowledge about cryptography, or even security in general. I am judging solely based on the questions asked:

    "I mean TCP/IP does not use crypto, while a VPN does. Do you think that in the future we'll use crypto for every type of communication?"
    Which displays a fairly simplistic, and unfortunately common, grasp of security principles, which is: crypto makes things secure, and everything must be secure. The reality is that cryptography is part of a greater security process, and that not every communication *must* be secure. Do you care if someone hears you discussing the newest Family Guy episode at the office, or hears you say "Hi" to your coworkers? No. So why should you be concerned if you're transmitting SYN/ACK or a comment to Slashdot in a relatively clear manner? Secure processes should be implemented where they are needed, and nowhere else, or else security becomes a burden forcing users to find ways to circumvent it.

    "Should we use crypto to stop the spam problem ?"
    I hardly know where to begin. How should we use cryptography to prevent spam? There are ways and ways to reduce spam, and perhaps cryptography in the form of some type of message authentication will play a role in that or not, but this is like asking "Should we use hydrogen molecules to cure cancer?". Hydrogen molecules in what context or construct?

    I'm no cryptographer, but (call me crazy) I expect a guy writing for SecurityFocus to know more than I do. Or at least to ask questions in an intelligent manner.

    --
    Arr! The laws of physics be a harsh mistress!
  6. Re:bad example by JoeBuck · · Score: 4, Insightful

    You think that Internet commerce will break down if someone can sniff your credit card number. But then, when you go to a restaurant, you hand over your physical credit card to some waiter you don't know from Adam.

  7. Re:Well, in defense of Schneier's succinct respons by Anonymous Coward · · Score: 3, Insightful

    Quoth the poster: "The reality is that cryptography is part of a greater security process, and that not every communication *must* be secure."

    Ah, but sometimes not having every communication secure can cause an insecurity in another way.

    1. The fact that some of your communications are encrypted/secured gives an observer the information that you are transmitting something secret/sensitive when that occurs. That in itself can be valuable knowledge. For example, if the Army normally sends messages unencrypted to field personnel, and suddenly starts sending a lot of secure communications, that can give away that something big is about to happen.

    2. If you secure all your communications, then someone trying to intercept a particular communication message must spend time decrypting all of them to get anything. They don't know which ones to look at.

    I'm not arguing that all web traffic should be encrypted or anything like that. And you and I both know that VPN runs on top of TCP/IP, which makes the comparison a bit weird. But it is true that if the underlying transport mechanism (TCP/IP) were trustably secure, we might not need to worry about all these different kinds and layers of security on top of it. Just a thought.

  8. Re:Well, in defense of Schneier's succinct respons by rgmoore · · Score: 3, Insightful

    "Do you care if someone hears you discussing the newest Family Guy episode at the office, or hears you say 'Hi' to your coworkers? No. So why should you be concerned if you're transmitting SYN/ACK or a comment to Slashdot in a relatively clear manner?"

    That depends on how paranoid you are. If most of your messages are unencrypted, then the few encrypted ones stand out. Selective encryption is like putting a big sign on the encrypted messages telling eavesdroppers that they're worth listening to. If you encrypt everything (and run it through a good anonymizer proxy), then somebody who wants to monitor you has to decrypt all your Family Guy discussions to find your few subversive messages. If you're really worried about security, you might want to keep up a high background level of meaningless messages, which would both increase a listener's decryption load and help to foil attempts at traffic analysis.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  9. Re:Doing well on the SPAM problem? by ajs · · Score: 3, Insightful

    "Sure, new spam filters can be pretty effective. But it takes a lot of resources to deal with spam in terms of hardware and network bandwidth. 75% of all e-mail traffic is SPAM. Millions upon millions a day."

    And how does this have anything to do with what Schneier said? Yes, extracting signal from noise is expensive, presents problems of diminishing returns and the cost/benefit doesn't favor an end to the problem any time soon. However, he's correct: as far as the average person is concerned, spam is a relatively solved problem.

    I heard an interesting quote recently: "any problem that can be solved by throwing money at it is not a real problem." Spam is not a real problem. It's a complication, but not a problem. Does it raise the price of business communications? Yes. Is that a problem? Not really, it just changes the economics.

    The real problem is that the people in the trenches who are the recipients of said money develop a sense that they are fighting some sort of holy war against an adversary that will one day be defeated. I have news for you: you are a machine that takes a noise source with weak signal in and produces an amplified version of the signal with some noise reduction. Noise is not evil, and signal will never be "pure".