Slashdot Mirror


We Live In The Dark Ages of Internet Security, Says Kaspersky Labs CEO

An anonymous reader cites a report on TheMerkle: It is never a positive sign when one of the world's leading security firms mentions how the world is currently in the "Dark Ages" of computer security. That particular statement was made by Kaspersky Labs CEO Eugene Kaspersky during the NCSC One conference in The Hague. Enterprises and consumers need to step up their protection sooner rather than later, as the number of security threats keeps increasing. Update: 04/05 18:41 GMT by M: Reader Rob MacDonald has posted the following insightful comment (slightly edited for clarity and length): We're in the dark ages by design. We've allowed the alphabet agencies to compromise our security, at every level, including hardware. The one that doesn't have an exploit at shipping, gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it.

3 of 83 comments

  1. Before anyone says it.... by phishybongwaters, Score: 5, Insightful

    Yes, they are Russian. Yes, it's a fucking solid, quality AV solution for enterprise. In fact, there's a shit load of functionality there that most people wouldn't expect from an AV solution. So yeah, when one of the world leaders in the industry says that, he's not talking out of his ass. The point not stated, at least in the summary, is the fact that we're in the dark ages BY DESIGN. We've allowed the alphabet agencies (not Google, you dolt) to compromise our security, at every level, including hardware. That which doesn't have an exploit at shipping gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it. TLS, SSL, SHA: all compromised at the core. Jesus, we can't even trust random number generators. We can't trust encryption based on primes, as it's proven these can be broken if you have the hardware (they do) and the time (they do). Nothing short of a do-over can fix this. The infrastructure is compromised, the undersea trunks are tapped, they can even decipher passwords and information from an AIR GAPPED COMPUTER. Seriously. I can't see a way out of this. Encryption for all!!!!! FBI much? Encryption is a joke when they've helped build the encryption system. We have been pwnd from day 1.

    1. Re:Before anyone says it.... by mlts, Score: 5, Insightful

      I wouldn't say it was alphabet agencies.

      The real culprit, in my experience, is the "security has no ROI" philosophy which has been part of many companies since 2000. I was told by a previous manager that "a lock brings no money except to the lock maker", with the implication that security is, at best, an afterthought in product design.

      Now combine that with the fact that so far, there have been no real consequences for security breaches. All a company has to do is tell the Windows admin to run a "dsquery user | dsmod user -mustchpwd yes", pay for the victims to have a year of LifeLock, toss out some PR ads, and stock prices will be back to normal in 90 days or less, even for the most egregious breaches. Even regulations have no teeth. HIPAA is rarely used. The only person who went to jail under the Sarbanes-Oxley law was someone fishing who went over their bag limit with grouper, and that use of the law got tossed overboard by SCOTUS. The only "regulation" that has any respect whatsoever is PCI-DSS 3.x, and that is because Visa will pull merchant status.

      It is common to criticize blaming the victim... but with security being an afterthought at best in many places, it is actually astounding that far more attacks have not happened.

      How can this be fixed? Well, right now, there still isn't any interest or caring for the most part in general. It is going to take an event like GM's OnStar being compromised and disabling all vehicles during a hurricane evacuation, causing astounding casualties, before something actually will get done.

      The ironic thing is that, of all places, security is where the TLAs are actually on the ball. NIST has a lot of security guidelines on their website, from basic stuff like killing the guest user to a lot of more useful and esoteric things as well (for example, using trustchk on AIX to keep unauthorized libraries from being loaded).

  2. Re:Only if you force yourself to live in the dark. by Anonymous Coward, Score: 2, Insightful

    BULLSHIT

    An operating system is as secure as its administrator makes it. OpenBSD, with its inferior performance due to lack of tuning (stop blaming it on "being more secure" because that's a straight up lie), lack of a reliable modern filesystem (good grief, port ZFS already... oh wait, you can't because it's almost literally impossible... THANKS THEO), and a project "leader" who is actually an impossible-to-work-with asshole who thinks he knows everything and knows better than everybody else what his little operating system needs.

    And don't even get me started on how fucking hard it is to install and run even the most common software in that bastardized environment, which was made that way by a bunch of changes "for the sake of security" that were in reality change for the sake of change. If you don't know what I'm on about, then you've never gone through the experience of trying to set up Apache, pgsql, and a CMS of any complexity. The fight to compile is only the first of many battles that don't need to be fought on any other OS.

    So, I repeat. An operating system is as secure as its admins make it, and a competent admin can mitigate the security risks of any OS, even Windows.