[Cryptography] New approach needed to IT, says NIST's top cyber scientist
Kent Borg
kentborg at borg.org
Fri Sep 2 17:02:20 EDT 2016
Story from the very belt-way sounding "fedscoop":
http://fedscoop.com/ron-ross-cybersecurity-comission-august-2016
First two paragraphs:
> No amount of security software, firewalls or anomaly detection systems
> can protect an IT infrastructure that's fundamentally insecure and a
> new approach to computer architecture is required to deal with the
> looming cybersecurity crisis, the National Institute of Standards and
> Technology's top computer security scientist told the president's
> commission on long-term cybersecurity.
>
> The "only way" to address the looming cybersecurity crisis is "to
> build more trustworthy secure components and systems," Ron Ross told
> the Commission on Enhancing National Cybersecurity during a Tuesday
> meeting in Minneapolis.
Amazing that this could be news. But it is.
Just look at each new retailer with a credit card break in. We laugh at
Target for not heeding the intrusion warnings they had. Yes, they
deserve ridicule for that. But what about the folks who make a PoS
system that is apparently just a PoS? Why are they still in business?
Another quote:
> The reason: "You cannot protect that which you do not understand ...
> Increased complexity translates to increased attack surface."
I feel like he was cribbing from my recent rant on how we need to
understand and specify our system boundaries.
[http://www.metzdowd.com/pipermail/cryptography/2016-July/029750.html]
I also feel like this is off-topic for a cryptography list--at least
from the old cypherpunk perspective that writing good crypto code will
solve our security problems. But what good is the best RNG if someone
trying to use it doesn't wire it up right? What good is the best cypher
if someone trying to use it can't manage the keying and use a sensible
cypher mode? What good is any of this if input isn't sanitized and
attackers can get directly to the backing database? (https://xkcd.com/327/)
A lot of clever people have done great crypto work, and it seems we now
have a good set of powerful primitives. Snowden confirms that good
crypto works. And there might be some great crypto buried in Fancy New
Product, but if that product is otherwise riddled with security
blunders, what good is it?
Crypto people are practiced at thinking in security terms, but the
people building insecure systems left and right are not. I know we have
plenty of opinions and are familiar with no one else being much
interested in them, but I wonder whether things might be shifting. Is it
time to make a different kind of noise?
If the budding, young, somewhat-technical manager in charge of building
some new website, or app-plus-cloud product asked "How do I manage this
so we will not be broken into and make the news?", do we have anything
to say beyond "Hire people who know what they are doing and sternly tell
then not to fuck up."? If the NIST guy, Ron Ross, asks a similar
question, do we have anything better than "Don't let the NSA hand you
backdoored RNGs."? (He probably agrees with us on that.)
Is it time to elbow aside "agile programming" in favor of some new
buzzword-compatible philosophy that pushes people toward not committing
so many security fuck-ups? Make it simple enough to summarize in a short
paragraph, but real, something to have seminars about, something that
can work if it gets a chance to command significant mindshare. Something
the somewhat technical manager can grab onto. Is there currently
something out there like I describe that could use more promotion?
Someone on this list maybe makes a pile of money writing a popular
business bestseller that Important Executives can mostly finish on a
long plane flight?
Someone tell me we might ever get to the point that building a secure
system* could become an even slightly common occurrence.
-kb, the Kent who is still unemployed and so helpfully, and shamelessly,
posts a link to his resume for any who might be interested
http://www.borg.org/~kentborg/kentborg-resume-long-2016-07-16.pdf
* What the hell does "secure system" mean? I say you gotta define what
you mean, as part of defining the system boundaries: Say what you are
defending and against what. Say what you are not defending, say what
attacks you can't fend off.
More information about the cryptography
mailing list