[Clips] Crypto Expert: Moore's Law fuels app obesity epidemic

R.A. Hettinga rah at shipwright.com
Mon Feb 19 13:06:10 PST 2007 

--- begin forwarded text


  Delivered-To: rah at shipwright.com
  Delivered-To: clips at philodox.com
  Date: Mon, 19 Feb 2007 15:53:34 -0500
  To: Philodox Clips List <clips at philodox.com>
  From: "R.A. Hettinga" <rah at shipwright.com>
  Subject: [Clips] Crypto Expert: Moore's Law fuels app obesity epidemic
  Reply-To: clips-chat at philodox.com
  Sender: clips-bounces at philodox.com


<http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/02/19/08NMmain_1.html>

  InfoWorld


  Crypto Expert: Moore's Law fuels app obesity epidemic

  Chip advances fuel "supersized," insecure applications


  By Paul F. Roberts

  February 19, 2007

  Cryptography is no mean field. After all, the science was invented by
  humans for the purpose of concealing information from other humans. That
  means that the best cryptographers have to be blindingly smart, with a
  mastery of mathematics but also a firm grasp of human psychology and, these
  days, fields such as computer science.

  Paul Kocher, president and chief scientist of Cryptography Research is a
  good example of the breed. A cryptography superstar, Kocher is credited
  with helping discover two different techniques for defeating certain kinds
  of encryption algorithms. He's also a corporate executive who's devoted his
  life to helping create cryptographic applications that can be used in the
  real world.

  Kocher sat down to talk security with InfoWorld Senior Editor Paul F.
  Roberts at the recent RSA Security Conference in San Francisco. Despite
  making his name by poking holes in encryption, Kocher says that crypto
  hacks are the last thing enterprise IT should worry about. A much bigger
  problem is wrestling with the security implications of application and OS
  "supersizing" that is being fueled by a new generation of powerful
  processors.

  InfoWorld: Tell us a bit about the history of Cryptography Research and how
  the security environment has changed since you first started the company.

  Paul Kocher: I started Cryptography Research 11 years ago. When I first
  started working on these problems, we were still at the point where you
  could understand how systems work. This was back in the DOS days. You had
  640K of memory and could run one program at a time. These days, I have no
  clue what's running on my laptop. And you probably have no idea, either.
  There's too much software there. Moore's Law has created obesity in
  systems, so when you're trying to come up with ways to keep things secret
  despite this, it's an enormous problem.

  IW: Cryptography is often followed as a kind of arms race, with people who
  want to make stronger encryption pitted against those who want to break it.
  Is that the wrong discussion to have?

  PK: There are a few pieces that are strong. The math behind modern
  algorithms is incredibly robust. That's the thing most people focus on: "We
  have this brick and it's really strong, so if we have a system that
  includes this brick, it will also be really strong." But implementations
  are where the problems lie. People tend to get enamored with the
  cryptography and the algorithms and not pay attention to other things that
  end up failing.

  IW: You talk about the "brittleness" in much of application security. If
  you were an enterprise shop with internally developed applications, what
  steps would you take to reduce that brittleness?

  PK: One thing I'd do is just step back and have the engineers think about
  how they would attack the system. It's a different mind set than how to
  build features. You start looking for that thread that lets you in, and you
  learn something useful. Also, try to build your application so that it
  doesn't need sophisticated security capabilities. If you've got an
  application on the Web where it's exposed to outside attacks, just leave
  the feature out that's going to create the risks.

  IW: What about mobile devices? Microsoft this week announced a new version
  of Windows Mobile. Are platform companies going to repeat the same mistakes
  they made on the desktop?

  PK: I think Microsoft is certainly following the path it followed with the
  PC, though the security problems haven't caught up yet because mobile
  devices aren't worth hacking yet.

  There's an inflection point that people almost never recognize until they
  hit it. It's the point at which a system becomes worth attacking. You hit
  the threshold when someone figures out that they could make more money
  attacking your system than by doing whatever it is they're doing and after
  factoring in the risks. At that point, the dynamic changes completely.

  As you take mobile devices and put more functions on them, someone will
  wake up and realize that they can make $15 million hacking them, as opposed
  to the $80,000 to do their current job. We just don't know whether that
  will be this year or 10 years from now.


  --
  -----------------
  R. A. Hettinga <mailto: rah at ibuc.com>
  The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
  44 Farquhar Street, Boston, MA 02131 USA
  "... however it may deserve respect for its usefulness and antiquity,
  [predicting the end of the world] has not been found agreeable to
  experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
  _______________________________________________
  Clips mailing list
  Clips at philodox.com
  http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list