Father of SSH Says Security Is 'Getting Worse'

alphadogg writes with an excerpt from an interview with the designer of SSH-1: "Tatu Ylönen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security — whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers — recently spoke with Network World on a variety of security topics, including the disappearance of consumer privacy and the plight of SSL. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)"

People don't understand what security is.

[gurps_npc]

Let's start with a basic, real world example.

I have a home. On this home there is a lock.

Now, an ignorant fool might think the lock is there to keep other people out. Nope, they are wrong. You see, in addition to my lock, I have windows, doors, a roof and floors, and walls. None of them are made of unobatanium.

An intelligent 5 year old child, with no training whatsoever can break my window and climb into my house.

My lock is there fore two distinct purposes:

1. It tells the world that this place is private - that the owner does not want anyone to enter it and will try to punish those that violate it's privacy. It's a sign.

2. It lets me get into my house easily, while making it much more difficult for anyone else to get in without leaving clear and obvious signs that they have trespassed (i.e. a broken window.)

That's what the locks on my home do - notify the world of my privacy and create traceable evidence of a violation of that privacy.

We need to start using IT security for the same purpose. Among other things, that means that when you log on to any website, it should list the last time you logged, and from where (using either an IP address and/or a cookie to identify the device used).

I don't want, nor do I need, an unbreakable password. I want to know when I've had a trespasser.

Re:People don't understand what security is.

[Vellmont]

The problem with your analogy is that your house doesn't need to be super-dupe-secure because nobody has invented anonymous, instantly replicable robots that roam the countryside looking for open windows, and equipped with high speed glass cutters, valuable item detectors, and phone-home capabilities to alert a human when further action is warranted. This is routing on the internet.

This is the threat to you email address or bank account has to deal with. In your home you merely have to deal with the people around you who might rob you, and the occasional opportunistic criminal. On the internet, everyone is basically the same distance from everyone else, automation is cheap, and anonymity is common. Think that might lead to the need for more security than easily breakable glass windows? If all my shit is gone from my house, but my window is broken, I'm still not terribly happy that the thief was kind enough to let me know through the broken window.