[Cryptography] New approach needed to IT, says NIST's top cyber scientist

Kent Borg kentborg at borg.org
Fri Sep 2 17:02:20 EDT 2016


Story from the very belt-way sounding "fedscoop": 
http://fedscoop.com/ron-ross-cybersecurity-comission-august-2016

First two paragraphs:

> No amount of security software, firewalls or anomaly detection systems 
> can protect an IT infrastructure that's fundamentally insecure and a 
> new approach to computer architecture is required to deal with the 
> looming cybersecurity crisis, the National Institute of Standards and 
> Technology's top computer security scientist told the president's 
> commission on long-term cybersecurity.
>
> The "only way" to address the looming cybersecurity crisis is "to 
> build more trustworthy secure components and systems," Ron Ross told 
> the Commission on Enhancing National Cybersecurity during a Tuesday 
> meeting in Minneapolis.

Amazing that this could be news. But it is.

Just look at each new retailer with a credit card break in. We laugh at 
Target for not heeding the intrusion warnings they had. Yes, they 
deserve ridicule for that. But what about the folks who make a PoS 
system that is apparently just a PoS? Why are they still in business?

Another quote:

> The reason: "You cannot protect that which you do not understand ... 
> Increased complexity translates to increased attack surface."

I feel like he was cribbing from my recent rant on how we need to 
understand and specify our system boundaries. 
[http://www.metzdowd.com/pipermail/cryptography/2016-July/029750.html]

I also feel like this is off-topic for a cryptography list--at least 
from the old cypherpunk perspective that writing good crypto code will 
solve our security problems. But what good is the best RNG if someone 
trying to use it doesn't wire it up right? What good is the best cypher 
if someone trying to use it can't manage the keying and use a sensible 
cypher mode? What good is any of this if input isn't sanitized and 
attackers can get directly to the backing database? (https://xkcd.com/327/)

A lot of clever people have done great crypto work, and it seems we now 
have a good set of powerful primitives. Snowden confirms that good 
crypto works. And there might be some great crypto buried in Fancy New 
Product, but if that product is otherwise riddled with security 
blunders, what good is it?

Crypto people are practiced at thinking in security terms, but the 
people building insecure systems left and right are not. I know we have 
plenty of opinions and are familiar with no one else being much 
interested in them, but I wonder whether things might be shifting. Is it 
time to make a different kind of noise?

If the budding, young, somewhat-technical manager in charge of building 
some new website, or app-plus-cloud product asked "How do I manage this 
so we will not be broken into and make the news?", do we have anything 
to say beyond "Hire people who know what they are doing and sternly tell 
then not to fuck up."? If the NIST guy, Ron Ross, asks a similar 
question, do we have anything better than "Don't let the NSA hand you 
backdoored RNGs."?  (He probably agrees with us on that.)

Is it time to elbow aside "agile programming" in favor of some new 
buzzword-compatible philosophy that pushes people toward not committing 
so many security fuck-ups? Make it simple enough to summarize in a short 
paragraph, but real, something to have seminars about, something that 
can work if it gets a chance to command significant mindshare. Something 
the somewhat technical manager can grab onto. Is there currently 
something out there like I describe that could use more promotion? 
Someone on this list maybe makes a pile of money writing a popular 
business bestseller that Important Executives can mostly finish on a 
long plane flight?

Someone tell me we might ever get to the point that building a secure 
system* could become an even slightly common occurrence.

-kb, the Kent who is still unemployed and so helpfully, and shamelessly, 
posts a link to his resume for any who might be interested 
http://www.borg.org/~kentborg/kentborg-resume-long-2016-07-16.pdf

* What the hell does "secure system" mean? I say you gotta define what 
you mean, as part of defining the system boundaries: Say what you are 
defending and against what. Say what you are not defending, say what 
attacks you can't fend off.


More information about the cryptography mailing list