Father of SSH Says Security Is 'Getting Worse'

alphadogg writes with an excerpt from an interview with the designer of SSH-1: "Tatu Ylönen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security — whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers — recently spoke with Network World on a variety of security topics, including the disappearance of consumer privacy and the plight of SSL. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)"

How is this quantifiable in any stretch?

[colin_faber]

If you think about it, the issues with key infrastructure are nothing new, they've been there since day 1, and in fact the same can be said about the micro-controllers which are now being regularly exploited by big brother.

User/Device security is no more or less "secure" than it was back in 1995, actually I'd argue that it's getting better as it's more widely adopted (when was the last time you used rsh?). In general it's always an evolving process.

We still don't have a practical way of breaking high bit crypto, and in general I feel plenty safe with my 1024 bit ssh connections to my LAN machines =)

it's because people don't value it.

I try to get my college buddies to send me encrypted email, and it's the same story, "Dude, just use Facebook like everybody else". I have a Facebook but stopped using it because I don't want FB snooping all my communications!

Privacy disappears because people don't value it. If they did, they wouldn't be using Facebook for all their communications. If they cared, they'd be using encrypted point-to-point VOIP for voice, not Skype. If they cared, they would be using OTR and Pidgin for chat.

Slashdot peoples care, but outside that crowd, people value convenience, not security or privacy. That's the only way so many privacy-violating services have become so huge when there are alternatives that preserve your privacy.

98% of people in the 22-29 year old age bracket now use Facebook. Most of those use it as their primary means of communicating with friends, and you're now considered "abnormal" if you don't have a Facebook. Even if you explain it to them the pitfalls of FB they don't care.

Until people start to care about their security and privacy, they won't have any. You have to vote with your actions.

Re:ssh

[garyisabusyguy]

implementation and usage are the weakest links in any security plan

any given encryption tool can be made weak in implementation by using short keys or failing to salt the encryption

any security infrastructure can be made weak by users who send email in clear text, directly exchange passwords in the same medium the password is used for, continue to use telnet or ftp when ssh and sftp are available

It makes me happy to think about a completely secure computer system with NO USERS since that is the only way that you could possibly make a system secure

People don't understand what security is.

[gurps_npc]

Let's start with a basic, real world example.

I have a home. On this home there is a lock.

Now, an ignorant fool might think the lock is there to keep other people out. Nope, they are wrong. You see, in addition to my lock, I have windows, doors, a roof and floors, and walls. None of them are made of unobatanium.

An intelligent 5 year old child, with no training whatsoever can break my window and climb into my house.

My lock is there fore two distinct purposes:

1. It tells the world that this place is private - that the owner does not want anyone to enter it and will try to punish those that violate it's privacy. It's a sign.

2. It lets me get into my house easily, while making it much more difficult for anyone else to get in without leaving clear and obvious signs that they have trespassed (i.e. a broken window.)

That's what the locks on my home do - notify the world of my privacy and create traceable evidence of a violation of that privacy.

We need to start using IT security for the same purpose. Among other things, that means that when you log on to any website, it should list the last time you logged, and from where (using either an IP address and/or a cookie to identify the device used).

I don't want, nor do I need, an unbreakable password. I want to know when I've had a trespasser.

Re:People don't understand what security is.

[Vellmont]

The problem with your analogy is that your house doesn't need to be super-dupe-secure because nobody has invented anonymous, instantly replicable robots that roam the countryside looking for open windows, and equipped with high speed glass cutters, valuable item detectors, and phone-home capabilities to alert a human when further action is warranted. This is routing on the internet.

This is the threat to you email address or bank account has to deal with. In your home you merely have to deal with the people around you who might rob you, and the occasional opportunistic criminal. On the internet, everyone is basically the same distance from everyone else, automation is cheap, and anonymity is common. Think that might lead to the need for more security than easily breakable glass windows? If all my shit is gone from my house, but my window is broken, I'm still not terribly happy that the thief was kind enough to let me know through the broken window.

Security getting worse

[mpfife]

I would largely agree. Unfortunately, I believe it is because real security - cryptography and end-to-end security and privacy - are very difficult, and hence, very expensive to develop, implement, and test. My experience with such coding is that it's every bit, if not more, rigorous as code written for medical devices or flight control software. It simply has to be bulletproof. Any one hole in the theory, algorithm, or implementation - and the whole thing comes apart. Learning about all those possible holes and plugging them is a herculean task. One can point to the near constant stream of security patches for every browser, app, and OS on the market. And these are the best-funded commercial enterprises around.

Another huge problem is the 'meh' attitude people have towards their personal information. We throw our data around so willy-nilly on smart phones and social networks. We check in places that tell everyone where we are (or are not http://pleaserobme.com/ ), publicly publish our most intimate family and friend relationships, report where we live and work, we even identify people to image recognition software. One expert I heard said that he could not imagine a more dastardly personal information monitoring system than Facebook. And we WILLINGLY give that information away. Google reads your emails and all the documents you upload to their 'free' services. Websites use everything they can to target ads at you, etc.

The unfortunate part, as my CS security professor pointed out, is that by the time it crosses an ethical line - it's nearly impossible to stop. Even worse, what if the company you gave all that info too gets sold to a very un-scrupulous person in a country with no protections? What if your government is taken over and they raid these databases for information about dissenters? All of these things are real, happen today, and yet we consider it more important to be able to brag to our friends and family what we had for dinner last night than protect ourselves.

Re:ssh

It makes me happy to think about a completely secure computer system with NO USERS since that is the only way that you could possibly make a system secure

Then you should be pleased to know that RIM has been making great strides on their implementation of this idea. It might even be finished within the next year.

Re:ssh

[aix+tom]

As someone who as seen Firefly, it isn't even enough to live with a man 40 years. Share his house, his meals. Speak on every subject.

You have to tie him up, and hold him over the volcano's edge. And on that day, you will finally meet the man.