Father of SSH Says Security Is 'Getting Worse'

alphadogg writes with an excerpt from an interview with the designer of SSH-1: "Tatu Ylönen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security — whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers — recently spoke with Network World on a variety of security topics, including the disappearance of consumer privacy and the plight of SSL. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)"
  • by colin_faber ( 1083673 ) on Wednesday July 25, 2012 @12:49PM (#40766019)

    If you think about it, the issues with key infrastructure are nothing new, they've been there since day 1, and in fact the same can be said about the micro-controllers which are now being regularly exploited by big brother.

    User/Device security is no more or less "secure" than it was back in 1995, actually I'd argue that it's getting better as it's more widely adopted (when was the last time you used rsh?). In general it's always an evolving process.

    We still don't have a practical way of breaking high bit crypto, and in general I feel plenty safe with my 1024 bit ssh connections to my LAN machines =)

  • by Anonymous Coward on Wednesday July 25, 2012 @12:50PM (#40766035)

    I try to get my college buddies to send me encrypted email, and it's the same story, "Dude, just use Facebook like everybody else". I have a Facebook but stopped using it because I don't want FB snooping all my communications!

    Privacy disappears because people don't value it. If they did, they wouldn't be using Facebook for all their communications. If they cared, they'd be using encrypted point-to-point VOIP for voice, not Skype. If they cared, they would be using OTR and Pidgin for chat.

    Slashdot peoples care, but outside that crowd, people value convenience, not security or privacy. That's the only way so many privacy-violating services have become so huge when there are alternatives that preserve your privacy.

    98% of people in the 22-29 year old age bracket now use Facebook. Most of those use it as their primary means of communicating with friends, and you're now considered "abnormal" if you don't have a Facebook. Even if you explain to them the pitfalls of FB, they don't care.

    Until people start to care about their security and privacy, they won't have any. You have to vote with your actions.

  • Re:ssh (Score:5, Informative)

    by garyisabusyguy ( 732330 ) on Wednesday July 25, 2012 @12:53PM (#40766079)

    implementation and usage are the weakest links in any security plan

    any given encryption tool can be made weak in implementation by using short keys or failing to salt the encryption

    any security infrastructure can be made weak by users who send email in clear text, directly exchange passwords in the same medium the password is used for, continue to use telnet or ftp when ssh and sftp are available

    It makes me happy to think about a completely secure computer system with NO USERS since that is the only way that you could possibly make a system secure
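
An added example, not part of any comment in this thread: the "short keys" point above and the earlier mention of 1024-bit SSH keys can be checked mechanically by decoding the `ssh-rsa` blobs in an `authorized_keys` file and measuring the modulus. The 2048-bit minimum is an assumed policy value, and the sample entries are constructed placeholders, not real keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy minimum, not a figure from the thread

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then data."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def rsa_bits(b64_blob):
    """Return the modulus size in bits of a base64 ssh-rsa public key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def audit(text, min_bits=MIN_RSA_BITS):
    """Return (line_no, comment, bits) for every RSA key below min_bits.
    Unparseable ssh-rsa entries are reported with bits == 0."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if line.lstrip().startswith("#") or "ssh-rsa" not in fields[:-1]:
            continue
        i = fields.index("ssh-rsa")  # login options may precede the key type
        try:
            bits = rsa_bits(fields[i + 1])
        except (ValueError, struct.error):
            bits = 0
        if bits < min_bits:
            findings.append((line_no, " ".join(fields[i + 2:]), bits))
    return findings

def _constructed_line(bits, comment):
    """Constructed sample entry: placeholder modulus of the given bit length."""
    pack = lambda b: struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = pack(b"ssh-rsa") + pack(b"\x01\x00\x01") + pack(b"\x00" + n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = "\n".join([_constructed_line(1024, "lan-box"),
                    _constructed_line(4096, "laptop"),
                    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 placeholder-not-a-key"])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("weak RSA key: line %d (%s), %d bits" % finding)
```

Only RSA entries are measured; other key types are skipped rather than judged.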

  • by colin_faber ( 1083673 ) on Wednesday July 25, 2012 @01:29PM (#40766593)

    Right but we're nowhere near that point. Even 128 bit keys are huge mountains to climb with the most powerful systems on the planet.

    I don't think anyone is saying that security research in the realm of computer science is settled, but saying the sky is falling and security hasn't kept up with improvements in overall compute power is false.

    Just like today, back in 1995 if keys were stolen then you have a chance of being exploited somehow. Is there a better method to prevent such problems? Probably, but it's a MINOR issue.

    In most cases attackers don't bother with crypto systems, in favor of much lower hanging fruit (such as insecure web servers, sql injection exploits, etc).
