[liberationtech] Is cryptography becoming less important?

Kyle Maxwell krmaxwell at gmail.com
Thu Feb 28 11:13:42 PST 2013


On Thu, Feb 28, 2013 at 12:03 PM, Andreas Bader <noergelpizza at hotmail.de> wrote:
> Scott Elcomb:
>> I'd be most interested in hearing this group's thoughts about this post:
>>
>> 'In the current climate of continuous attacks and intrusions by APT
>> crews, government-sponsored groups and other organizations,
>> cryptography is becoming less and less important and defenders need to
>> start thinking about new ways to protect data on systems that they
>> assume are compromised, one of the fathers of public-key cryptography
>> said Tuesday. Adi Shamir, who helped design the original RSA
>> algorithm, said that security experts should be preparing for a
>> "post-cryptography" world.'
>>
>> <https://threatpost.com/en_us/blogs/rsa-conference-2013-experts-say-its-time-prepare-post-crypto-world-022613>
>>
> There was always a "war" between people that encrypt data and people
> that want to hack that encryption. But in the last years it was clear
> that the algorithms can no longer be brute-forced and hacked.
> The normal brute-force attack is obsolete and the true problem is the
> user, the software and the password he sets for encrypted data. But
> that's nothing new.

Riffing with no particular thesis here, at least at the moment:

This strikes me as sort of an xkcd security (http://xkcd.com/538/)
situation. The crypto in most cases is "good enough", depending on the
adversary, that your real concerns lie in operational and system
security. We have spent so much energy on code fixes, because those
are cheap and easy, that we've neglected seeing the larger picture.

So organizations get compromised by well-meaning users who click on a
link in an email or slip up and use an insecure connection, and while
we can ameliorate that to a certain extent with code, we really need
to think more about how to make it easier for users to make the
"right" choices versus the "wrong" choices.

We can also think about "active defense" from a policy perspective,
not meaning "retaliatory hacking" but "engaging with attackers" rather
than hope the castle walls keep them out. At this point, then, you
have to take on a counter-intelligence mindset and not just a
traditional IT security mindset.

-- 
Kyle Maxwell [krmaxwell at gmail.com]
http://www.xwell.org
Twitter: @kylemaxwell