Monday 13 June 2011

A Really Good 4096-bit AES Key Service

Where Do I Sign?

Sorry, there's just no such thing. Oh it exists in principle, yes. In theory. In Plato's universe of ideals, yes, you can buy them there. Pick them up for free, in fact. But as Robert X. Cringely (who is not a spy) explains in the article When Engineers Lie, "Build a really good 4096-bit AES key service and watch the Justice Department introduce themselves to you."

Bob also answers the perennial question about architectural secrecy: why is it needed at all, if 1024- or 2048-bit codes really would take thousands of years to crack? Isn’t the encryption, combined with a hard limit on login attempts, good enough? The answer is no. Part of the explanation is that the U.S. government insists on nobbling the key services of every provider - RSA, Cisco, Microsoft, just everybody - to ensure they're sufficiently insecure, to enable snooping. The cost of noncompliance is, of course, jail.

For the obligatory silver lining, Bob points to IPv6 and Open Source, which he reckons "are beginning to close some of those security doors that have been improperly propped open." Go read his article at I, Cringely to find out why.

V For Vendetta

Recently this little blog hasn't been doing its job of reporting on the latest big security breaches: how they were done, whodunnit, and to whom. Quite simply there have been far too many; an almost unprecedented number of successful attacks, on a scale rarely seen previously. And as I've said before, the media coverage of this phenomenon has been such as to render my monthly Security Digest utterly redundant.

Instead we sit on the sidelines enjoying the mayhem, grumbling agreement with Bob Cringely. Or with Patrick Gray at Risky.biz, who reckons that we - the professional security community - secretly love LulzSec. Patrick's rant is still more entertaining than Bob's, and just as thought provoking, as he laments his ten years of futility trying to get businesses to see and acknowledge the potential for chaos which LulzSec is now so ably demonstrating, and which is gradually earning the reluctant respect of security researchers:
Security types like LulzSec, because they're proving what a mess we're in. They're pointing at the elephant in the room and saying "LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!"
Not Necessarily the Official SDL Position

Local hero and a familiar name to readers of this blog, Adam Shostack chimes in to express reluctant, or guarded, agreement. In his article Are Lulz Our Best Practice? he confides that he takes "a certain amount of pleasure in watching LulzSec. Whoever’s doing it are actually entertaining, when they’re not breaking the law. And even sometimes when they are."

In prescribing the way out of our present troubles, Adam returns to the main point being made by Bob in the first article above. Salvation lies in admitting the breaches that do occur, talking about them and about the wider world of security openly, transparently and honestly.
