Security IT

Trust Is For Suckers: Lessons From the RSA Breach

wiredmikey writes "Andrew Jaquith has written a great analysis of lessons learned from the recent RSA Cyber Attack, from a customer's perspective. According to Jaquith, in the security industry, 'trust' is a somewhat slippery concept, defined in terms ranging from the cryptographic to the contractual. Bob Blakley, a Gartner analyst and former chief scientist of Tivoli, once infamously wrote that 'Trust is for Suckers.' What he meant is that trust is an emotional thing, a fragile bond whose value transcends prime number multiplication, tokens, drug tests or signatures — and that it is foolish to rely too much on it. Jaquith observed three things about the RSA incident: (1) even the most trusted technologies fail; (2) the incident illustrates what 'risk management' is all about; and (3) customers should always come first."
This discussion has been archived. No new comments can be posted.

  • Re:Trust is required (Score:5, Informative)

    by hedwards ( 940851 ) on Friday June 24, 2011 @03:48PM (#36559296)

    No, what it means is that you don't blindly trust anybody, but you do verify periodically that the trust hasn't been abused. It's like granting a business the right to take money out of your checking account to cover expenses, like, say, a CC company. You trust them not to put things on the bill which you didn't authorize. And you verify at least once a month that everything that's on the bill was authorized by you.

    Same thing here, the problem with RSA was that people trusted them, but there was no particular manner of verifying that the trust was well placed.

  • Re:Trust is required (Score:2, Informative)

    by Anonymous Coward on Friday June 24, 2011 @04:16PM (#36559676)

    I don't hate anyone

    Bullshit.

  • Two Words: Yubikey (Score:4, Informative)

    by VortexCortex ( 1117377 ) <VortexCortex AT ... trograde DOT com> on Friday June 24, 2011 @04:44PM (#36560038)

    Yubikey [yubico.com] has secure tokens that you can "seed" yourself, for use with your own authentication servers. The scam is that RSA made some idiots think there was no way to do this without their auth servers; thereby fooling fools into using a less secure system with a mandatory recurring payment for RSA (to access the auth servers).

    Re-configuration of YubiKeys by customers

    For high security environments, customers may select not to share the AES key information for their YubiKeys outside of their organization. Customers may also for other reasons want to be in control of all AES keys programmed into the Yubikey devices. Yubico therefore supports the use of a personalization tool to reconfigure the YubiKeys with new AES keys and meta data.

    Additionally, I prefer the model that has RFID for physical access.

    Relying on an outside source to have our cryptokeys is just adding another point of failure. EVERYONE relying on them is just creating THE BIGGEST point of failure possible... Every time I talked to security minded folks that used RSA tokens, I asked them, "So. How secure are RSA's servers? You do any security audits on them lately?" The blank expressions were priceless.
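The self-hosted validation model the comment above describes (tokens seeded by the customer, validated by the customer's own server, no third party ever holding the seeds) as an added illustration that is not part of the original thread and is not Yubico's or RSA's code. It uses RFC 4226 HOTP, a counter-based OTP that YubiKeys can also be programmed for in OATH-HOTP mode, instead of Yubico's AES-based OTP format, because HOTP needs only the Python standard library; the token id, the seed and the look-ahead window are constructed values. The validator enforces counter monotonicity so a captured code cannot be replayed, and the seed database lives entirely inside the organisation.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Simulates a hardware token the customer seeded itself: the seed is
    written in at enrolment and the token just keeps a moving counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1          # the token never reuses a counter value
        return code


class ValidationServer:
    """Self-hosted validator. Holds the seed database and, per token, the
    highest counter already accepted, which is what defeats replay."""

    def __init__(self, look_ahead: int = 10):
        self.seeds = {}            # token_id -> [secret, last_accepted_counter]
        self.look_ahead = look_ahead   # presses that never reached us are tolerated

    def enroll(self, token_id: str) -> bytes:
        """Generate the seed locally; it is returned once so the
        personalisation tool can write it into the token."""
        secret = secrets.token_bytes(20)
        self.seeds[token_id] = [secret, -1]
        return secret

    def verify(self, token_id: str, code: str) -> bool:
        entry = self.seeds.get(token_id)
        if entry is None:
            return False
        secret, last = entry
        # Only counters strictly above the last accepted one are candidates,
        # so a code that was already used (or an older one) is rejected.
        for c in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                entry[1] = c
                return True
        return False


def demo() -> dict:
    """Enrol one constructed token and exercise the replay and window checks."""
    server = ValidationServer(look_ahead=10)
    token = Token(server.enroll("token-0001"))   # constructed token id

    first = token.press()
    results = {"fresh_code_accepted": server.verify("token-0001", first),
               "replay_rejected": not server.verify("token-0001", first)}

    for _ in range(3):                           # presses that never reached the server
        token.press()
    results["within_window_accepted"] = server.verify("token-0001", token.press())

    for _ in range(20):                          # far beyond the look-ahead window
        token.press()
    results["beyond_window_rejected"] = not server.verify("token-0001", token.press())
    return results


if __name__ == "__main__":
    print(demo())
```

Nothing in this exchange depends on a vendor: the seed is generated on the organisation's own server at enrolment, the validator is the only party that can compute codes, and auditing it is the customer's own job rather than a blank stare. A real deployment would additionally rate-limit failed attempts per token and store the seed database encrypted at rest.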
