Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cryptography 'Becoming Less Important,' Adi Shamir Says

Posted by Soulskill on from the encryption-is-useless-when-users-are-also-useless dept.

Trailrunner7 writes "In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and others organizations, cryptography is becoming less and less important, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm, said that security experts should be preparing for a 'post-cryptography' world. 'I definitely believe that cryptography is becoming less important. In effect, even the most secure computer systems in the most isolated locations have been penetrated over the last couple of years by a series of APTs and other advanced attacks,' Shamir said during the Cryptographers' Panel session at the RSA Conference today. 'We should rethink how we protect ourselves. Traditionally we have thought about two lines of defense. The first was to prevent the insertion of the APT with antivirus and other defenses. The second was to detect the activity of the APT once it's there. But recent history has shown us that the APT can survive both of these defenses and operate for several years.""

14 of 250 comments (clear)

  1. no by masternerdguy · · Score: 5, Insightful

    Encryption is the best anti-tampering mechanism you have in computing. Well placed encryption protects OS data from tampering, user data from theft, and sensitive communications secured. It's only getting more important.

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:no by masternerdguy · · Score: 4, Insightful

      Code signing to the rescue but slashdotters seem to hate that idea.

      --
      To offset political mods, replace Flamebait with Insightful.
    2. Re:no by masternerdguy · · Score: 4, Insightful

      Before I get flamed, it is possible to do code signing without using it for evil. It's a tool like anything else.

      --
      To offset political mods, replace Flamebait with Insightful.
    3. Re:no by jonwil · · Score: 5, Insightful

      Slashdotters (including myself) dont hate code signing, they just hate code signing where the owner of the computer does not control what gets signed and what can run.

    4. Re:no by happylight · · Score: 5, Insightful

      I think the point is no encryption is going to protect you from users installing malware, buggy software, or just plain hand over data unknowingly. Next to no attackers would attack the cryptography itself. The weakest link is always somewhere else.

    5. Re:no by masternerdguy · · Score: 4, Insightful

      Crypto is part of a full solution containing (crypto), proper segregation of permissions, proper segregation of user data / accounts, proper firewall configuration, proper software configuration, patching vulnurabilities, malware detection (lots of solutions on Windows, chkrootkit on linux), and user education. If I forgot anything add it to the list.

      --
      To offset political mods, replace Flamebait with Insightful.
    6. Re:no by swilde23 · · Score: 4, Insightful

      user education should be printed in all caps, bold, underlined, comic sans, etc...

      At some point, unless we develop new algorithms that utterly break how current encryption algorithms behave (which I know I know, is a possibility... and of course the NSA has it already)... your weakest point is not going to be the computer. It's going to be the lackey at the front-desk happily letting a "tech" in (physically or electronically)

      --
      There are 10 types of people in the world. Those that understand this sig, and those that beat up people who do.
    7. Re:no by demonlapin · · Score: 4, Insightful

      This is true but unfortunately irrelevant. You can do all the user education in the world and it means nothing if the IT staff are idiots.

      I have a handful of fairly secure passwords. They're reasonably long, are incredibly easy for me to memorize, and don't rely on any details of my life (pets, wife, kids, birthday, etc.). But I have to deal with websites that demand a series of ridiculous standards: some require (thank you, AmEx) a number in the username, some require passwords to have number, capital letter, and symbol. I spent a lot of damned time figuring out a password that people can't guess, and I can't use it because I can't remember the rules for any random website - so I have to get a password reset email sent to me in plaintext. And on top of that, I can't use a password I've used before - so every time I log into a website I rarely use, I have to reset the password to something I will forget in a few days. I'd use something like Keepass but I need to be able to log in from non-home computers.

    8. Re:no by crutchy · · Score: 5, Insightful

      would you remove all the locks on the doors and windows of your house merely because they couldn't stop aliens from abducting you?

      also, window locks are uselss because burglers can simply smash the window

      any level of personal security (even the fake security cameras, lasers, etc) is better than none at all

      but on the other hand, imposing your ideas of "security" on others is not a good idea (such as the TSA)

      people should be free to decide what level of security they think is appropriate for themselves, as long as it doesn't adversely affect others (don't install a nuclear reactor powered ion cannon in your back yard because your neighbors likely won't be very happy having risks from your ideas of security imposed on them)

  2. APT by Anonymous Coward · · Score: 5, Insightful

    Would have been nice to define APT...

    1. Re:APT by fuzzyfuzzyfungus · · Score: 4, Insightful

      It's doubly annoying because(in PR-flack ass-covering speak) an "Advanced Persistent Threat" is "Any bad guy smarter than our dumbest sysadmin's stupidest mistake".

      It might have been a clear category at one point(and there still are attackers who are pretty clearly both advanced and persistent); but the constant "Well, we could say 'gosh, we fucked up, how stupid of us.' or we could say 'It was and Advanced Persistent Threat, total national security shit, probably chinamen or something!'" pressure hasn't helped...

    2. Re:APT by obarthelemy · · Score: 4, Insightful

      Actually, I know plenty of intelligent people who make mistakes. Almost as many as retards who take pleasure in calling others out.

      --
      The Cloud - because you don't care if your apps and data are up in the air.
  3. Re:The way I do security by masternerdguy · · Score: 5, Insightful

    Have fun when Joe the Burgler takes your computer.

    --
    To offset political mods, replace Flamebait with Insightful.
  4. I do not agree! by endus · · Score: 4, Insightful

    I was just having a discussion about this at work today. Encryption should be ubiquitous now. There is no excuse. It's not "free" in terms of the resources it takes up, but it's pretty close. Everything should be encrypted in transit. Everything should be encrypted at rest. "Well you mean the table with the PII and not...." NO! I mean EVERYTHING. The servers drive should be encrypted. The entire database should be encrypted. Every network connection should be encrypted.

    This doesn't mean encryption is a panacea solution to APTs or to any other security threat, but its an absolutely critical layer which is still not widely implemented enough. To prevent tampering, to prevent certain types of attacks, to prevent breaches through physical theft, etc. Saying encryption isn't as important anymore is like saying that keyboards aren't that important anymore. Sure, management shouldn't spend a lot of time worrying about them, and should be focusing on other problems instead....but that doesn't mean everything will be cool if everyone's keyboard is stolen overnight.

    It needs to be there, and by there I mean everywhere. And its not. Every day developers are looking at security guys like, "huh??" because they are looking for encryption to be incorporated into the product. Or, they want to "just get the system built out" without encryption, but they'll totally enable it once everything is working perfectly and all the testing is done (FYI developers, security guys aren't falling for that, we realize that you really mean, 'we'll think about enabling it until we realize how many things it will break, and then we'll ship the product without it, ignoring the enormous liability it creates'). You would think things would be different now that its 2013...they are different, but not that much different. Security still isn't regarded as a core piece, or even an important feature, of most products.