--- begin forwarded text
Date: Mon, 19 Feb 2007 15:53:34 -0500
To: Philodox Clips List
From: "R.A. Hettinga"
Subject: [Clips] Crypto Expert: Moore's Law fuels app obesity epidemic
Reply-To: clips-chat@philodox.com
Sender: clips-bounces@philodox.com
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/02/19/08NMmain_1.html
InfoWorld
Crypto Expert: Moore's Law fuels app obesity epidemic
Chip advances fuel "supersized," insecure applications
By Paul F. Roberts
February 19, 2007
Cryptography is no mean field. After all, the science was invented by
humans for the purpose of concealing information from other humans. That
means that the best cryptographers have to be blindingly smart, with a
mastery of mathematics but also a firm grasp of human psychology and, these
days, fields such as computer science.
Paul Kocher, president and chief scientist of Cryptography Research, is a
good example of the breed. A cryptography superstar, Kocher is credited
with helping discover two different techniques for defeating certain kinds
of encryption algorithms. He's also a corporate executive who's devoted his
life to helping create cryptographic applications that can be used in the
real world.
Kocher sat down to talk security with InfoWorld Senior Editor Paul F.
Roberts at the recent RSA Security Conference in San Francisco. Despite
making his name by poking holes in encryption, Kocher says that crypto
hacks are the last thing enterprise IT should worry about. A much bigger
problem is wrestling with the security implications of application and OS
"supersizing" that is being fueled by a new generation of powerful
processors.
InfoWorld: Tell us a bit about the history of Cryptography Research and how
the security environment has changed since you first started the company.
Paul Kocher: I started Cryptography Research 11 years ago. When I first
started working on these problems, we were still at the point where you
could understand how systems work. This was back in the DOS days. You had
640K of memory and could run one program at a time. These days, I have no
clue what's running on my laptop. And you probably have no idea, either.
There's too much software there. Moore's Law has created obesity in
systems, so when you're trying to come up with ways to keep things secret
despite this, it's an enormous problem.
IW: Cryptography is often followed as a kind of arms race, with people who
want to make stronger encryption pitted against those who want to break it.
Is that the wrong discussion to have?
PK: There are a few pieces that are strong. The math behind modern
algorithms is incredibly robust. That's the thing most people focus on: "We
have this brick and it's really strong, so if we have a system that
includes this brick, it will also be really strong." But implementations
are where the problems lie. People tend to get enamored with the
cryptography and the algorithms and not pay attention to other things that
end up failing.
IW: You talk about the "brittleness" in much of application security. If
you were an enterprise shop with internally developed applications, what
steps would you take to reduce that brittleness?
PK: One thing I'd do is just step back and have the engineers think about
how they would attack the system. It's a different mindset than how to
build features. You start looking for that thread that lets you in, and you
learn something useful. Also, try to build your application so that it
doesn't need sophisticated security capabilities. If you've got an
application on the Web where it's exposed to outside attacks, just leave
the feature out that's going to create the risks.
IW: What about mobile devices? Microsoft this week announced a new version
of Windows Mobile. Are platform companies going to repeat the same mistakes
they made on the desktop?
PK: I think Microsoft is certainly following the path it followed with the
PC, though the security problems haven't caught up yet because mobile
devices aren't worth hacking yet.
There's an inflection point that people almost never recognize until they
hit it. It's the point at which a system becomes worth attacking. You hit
the threshold when someone figures out that they could make more money
attacking your system than by doing whatever it is they're doing and after
factoring in the risks. At that point, the dynamic changes completely.
As you take mobile devices and put more functions on them, someone will
wake up and realize that they can make $15 million hacking them, as opposed
to the $80,000 to do their current job. We just don't know whether that
will be this year or 10 years from now.
--
-----------------
R. A. Hettinga
The Internet Bearer Underwriting Corporation http://www.ibuc.com/
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips@philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text