Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cryptography 'Becoming Less Important,' Adi Shamir Says

Posted by Soulskill on from the encryption-is-useless-when-users-are-also-useless dept.

Trailrunner7 writes "In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and others organizations, cryptography is becoming less and less important, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm, said that security experts should be preparing for a 'post-cryptography' world. 'I definitely believe that cryptography is becoming less important. In effect, even the most secure computer systems in the most isolated locations have been penetrated over the last couple of years by a series of APTs and other advanced attacks,' Shamir said during the Cryptographers' Panel session at the RSA Conference today. 'We should rethink how we protect ourselves. Traditionally we have thought about two lines of defense. The first was to prevent the insertion of the APT with antivirus and other defenses. The second was to detect the activity of the APT once it's there. But recent history has shown us that the APT can survive both of these defenses and operate for several years.""

13 of 250 comments (clear)

  1. He put the S in RSA by Anonymous Coward · · Score: 5, Interesting

    Without him, it'd just be RA, which isn't even RAD.

  2. no by masternerdguy · · Score: 5, Insightful

    Encryption is the best anti-tampering mechanism you have in computing. Well placed encryption protects OS data from tampering, user data from theft, and sensitive communications secured. It's only getting more important.

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:no by jonwil · · Score: 5, Insightful

      Slashdotters (including myself) dont hate code signing, they just hate code signing where the owner of the computer does not control what gets signed and what can run.

    2. Re:no by happylight · · Score: 5, Insightful

      I think the point is no encryption is going to protect you from users installing malware, buggy software, or just plain hand over data unknowingly. Next to no attackers would attack the cryptography itself. The weakest link is always somewhere else.

    3. Re:no by hairyfeet · · Score: 5, Interesting

      Exactly, its like how a friend of mine was nearly fired because he wouldn't let a PHB have his "files" from his "friend" Melissa, yep the moron was threatening to fire him if he didn't let a worm loose on the network. Lucky for Glenn the guy above the PHB wasn't a retard and actually kept up on current events so he just said "Is he talking about the worm that's going around?" and then gave Glenn a free steak dinner while giving the PHB the riot act for trying to compromise security for an imaginary girl.

      At the end of the day you just can't protect from a case of the stupids, you just can't. I was quite proud of having an unbroken record, nothing but happy customers and well running systems,until I finally had to throw a customer out of the shop and threaten to call the cops, why? because this was right after Limewire had been shut down, I told him flat footed "The courts shut Limewire down, it doesn't exist and anything that says its limewire is either worthless or a malware laden fake" so guess what he did? promptly went home, downloaded "the new limewire" and then demanded i fix the machine for free because...shock... it was nothing but a bunch of malware with the limewire logo. When i threw him out the shop he was saying "it says its limewire now you make it work!"

      Sadly there is only so much you can do without turning the system into nothing but a locked down, corporate controlled thin client and as long as the user has the right to install you are at the whims of somebody who may be a moron. I learned you do the best you can but at the end of the day stupid is as stupid does.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:no by crutchy · · Score: 5, Insightful

      would you remove all the locks on the doors and windows of your house merely because they couldn't stop aliens from abducting you?

      also, window locks are uselss because burglers can simply smash the window

      any level of personal security (even the fake security cameras, lasers, etc) is better than none at all

      but on the other hand, imposing your ideas of "security" on others is not a good idea (such as the TSA)

      people should be free to decide what level of security they think is appropriate for themselves, as long as it doesn't adversely affect others (don't install a nuclear reactor powered ion cannon in your back yard because your neighbors likely won't be very happy having risks from your ideas of security imposed on them)

  3. APT by Anonymous Coward · · Score: 5, Insightful

    Would have been nice to define APT...

    1. Re:APT by Dizzer · · Score: 5, Informative

      Advanced Persistent Threat

    2. Re:APT by Frosty+Piss · · Score: 5, Informative

      Advanced Persistent Threat

      --
      If you want news from today, you have to come back tomorrow.
    3. Re:APT by Score+Whore · · Score: 5, Funny

      Always Perky Titties. The thing is the nerds in IT are easily distracted by some nice sweater stretchers which enables the bad guys to have their way with the servers while the boobs are bouncing around.

  4. The way I do security by Anonymous Coward · · Score: 5, Interesting

    I have a PC that I use for all of my financial stuff, record keeping, and other critical data. I don't encrypt the hard drive. I don't even password protect files.

    You know how I do security for the PC that handles my most critical data?

    It's not plugged into the fucking Internet. That's how.

    1. Re:The way I do security by masternerdguy · · Score: 5, Insightful

      Have fun when Joe the Burgler takes your computer.

      --
      To offset political mods, replace Flamebait with Insightful.
  5. Re:Dress for suck-(cess) by vux984 · · Score: 5, Informative

    His point wasn't that cryptography wasn't useful, but simply that dealing with modern threats doesn't require "better cryptography" because modern threats aren't attacking the crypto. They are attacking the public key infrastructure (PKI), they are attacking the end points before encryption/after decryption.

    Our security focus is there.
    In other words, PGP doesn't protect your email, if you have a virus on your system sending everything to an attacker after its decrypted. PGP doesn't protect your email if the PKI is hacked, and you are signing mail with public keys generated by people impersonating the intended recipients.

    Etc. Etc.

    A better PGP crypto algorithm isn't going to help you here.