Tuesday, July 14, 2009

Podcast: Crypto-Gram 15 December 2007: Real security isnt something u build, it's something u get when u leave out all the other garbage

from the Dec 15, 2007 Crypto-Gram Newsletter
by Bruce Schneier

* How to Secure Your Computer, Disks, and Portable Drives

Computer security is hard. Software, computer and network security are all ongoing battles between attacker and defender. Attacker has an inherent advantage: He only has to find one network flaw, while the defender has to find and fix every flaw.

Cryptography is an exception. As long as you don't write your own algorithm, secure encryption is easy. And the defender has an inherent mathematical advantage: Longer keys increase the amount of work the defender has to do linearly, while geometrically increasing the amount of work the attacker has to do.

Unfortunately, cryptography can't solve most computer-security problems.

I use PGP Disk's Whole Disk Encryption tool for two reasons. It's easy, and I trust both the company and the developers

PGP's encouragement of passphrases makes this much easier

PGP Disk can also encrypt external disks

PGP Disk's encrypted zip

If you're a Windows Vista user, you might consider BitLocker
Many people like the open-source and free program, TrueCrypt

* Defeating the Shoe Scanning Machine at Heathrow Airport

This works because the two security systems are decoupled. And the shoe screening machine is so crowded and chaotic, and so poorly manned, that no one notices the switch.

* Security in Ten Years

Roy Amara : "We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run."

In 10 years, computers will be 100 times more powerful, but throughout history and into the future, the one constant is human nature. There hasn't been a new crime invented in millennia.

You can pass laws about locking barn doors after horses have left, but it won't put the horses back in the barn.

Computers will be even more important to our lives, economies and infrastructure. If you're right that crime remains a constant, and I'm right that our responses to computer security remain ineffective, 2017 is going to be a lot less fun than 2007 was.

I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017.

IT service trend - the ultimate way to lock in customers. The endpoints are not going to get any better. The trend is to continue putting all our eggs in one basket and blithely trusting that basket.

It's the same with a lot of our secure protocols. SSL, SSH, PGP and so on all assume the endpoints are secure, and the threat is in the communications system. But we know the real risks are the endpoints.

It's ironic the counterculture "hackers" have enabled (by providing an excuse) today's run-patch-run-patch-reboot software environment and tomorrow's software Stalinism.

I don't think we're going to start building real security. Because real security is not something you build - it's something you get when you leave out all the other garbage as part of your design process. Purpose-designed and purpose-built software is more expensive to build, but cheaper to maintain. The prevailing wisdom about software return on investment doesn't factor in patching and patch-related downtime, because if it did, the numbers would stink.

length: 21:26
PS: this is my cheat sheet of Bruce Schneier's Podcast:

Labels: ,


Post a Comment

<< Home