[Cryptography] Unlearned lessons

Jerry Leichter leichter at lrw.com
Tue Jul 8 07:07:17 EDT 2014


It appears that every new generation of products must relearn, from scratch, all the hard lessons of cryptography and security.  While we have a way to go, we're beginning to have some handle on the software and services that date back 10 years and more:  Data at rest, email, Web, and so on.  We're just beginning to see serious effort put into such things as process control software - not new in and of itself, but newly exposed to the Internet.

Meanwhile, the latest rage is The Internet Of Things - which is rapidly showing itself to be The Internet Of Insecure Things, all ready to compromise everything it connects to.  Case in point:  http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/ in which smart WiFi-connected light bulbs used a vulnerable pre-shared (fixed?) AES key, with the result that an attacker within 30 meters of one of the bulbs could grab the WiFi password.

Just one of many recent attacks.  (And of course we're already at the level of "connected" door locks, so this crosses back into physical security - previously a long-solved problem - as well.)

Back in the early days of Java applets, some wag came up with the phrase:  Give me full access to run code in your browser, and I'll give you pictures of jumping beans on the screen!  We need some similar smart phrase for these "smart" devices....
                                                        -- Jerry
