
Cryptography 'Becoming Less Important,' Adi Shamir Says

Trailrunner7 writes "In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and other organizations, cryptography is becoming less and less important, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm, said that security experts should be preparing for a 'post-cryptography' world. 'I definitely believe that cryptography is becoming less important. In effect, even the most secure computer systems in the most isolated locations have been penetrated over the last couple of years by a series of APTs and other advanced attacks,' Shamir said during the Cryptographers' Panel session at the RSA Conference today. 'We should rethink how we protect ourselves. Traditionally we have thought about two lines of defense. The first was to prevent the insertion of the APT with antivirus and other defenses. The second was to detect the activity of the APT once it's there. But recent history has shown us that the APT can survive both of these defenses and operate for several years.'"
This discussion has been archived. No new comments can be posted.

  • Re:APT (Score:5, Informative)

    by Dizzer ( 251533 ) on Tuesday February 26, 2013 @09:08PM (#43020485)

    Advanced Persistent Threat

  • Re:APT (Score:5, Informative)

    by Frosty Piss ( 770223 ) * on Tuesday February 26, 2013 @09:10PM (#43020501)
  • If you're trying to protect your big organization against foreign spies, yes. If you are a little guy who wants to communicate without having that communication be laid wide open for a large organization to see, then I think encryption is still pretty useful. Even if just because managing all those separate unique intrusions over a long period of time requires a lot more resources than just tapping into a trunk line.

  • by a_hanso ( 1891616 ) on Tuesday February 26, 2013 @09:32PM (#43020639) Journal

    He put the S in Rivest-Shamir-Alderman

    You mean Adleman.

  • by vux984 ( 928602 ) on Tuesday February 26, 2013 @10:03PM (#43020827)

    His point wasn't that cryptography wasn't useful, but simply that dealing with modern threats doesn't require "better cryptography" because modern threats aren't attacking the crypto. They are attacking the public key infrastructure (PKI), they are attacking the end points before encryption/after decryption.

    Our security focus is there.
    In other words, PGP doesn't protect your email, if you have a virus on your system sending everything to an attacker after it's decrypted. PGP doesn't protect your email if the PKI is hacked, and you are signing mail with public keys generated by people impersonating the intended recipients.

    Etc. Etc.

    A better PGP crypto algorithm isn't going to help you here.

  • by schitso ( 2541028 ) on Tuesday February 26, 2013 @10:27PM (#43020969)
    Advanced, persistent threat.
  • Re:no (Score:5, Informative)

    by the_B0fh ( 208483 ) on Wednesday February 27, 2013 @03:17AM (#43022235) Homepage

    no. They finally tracked it down. They watched the guy come in and take over the box again. He got in and owned the box in 8 seconds.

    The hacker found an old Samba server in Australia (version 0.5 or some such), took it over. Used that to remotely mount the Windows desktop used by the researchers in Japan.

    Found the private cert/key on the Windows box. Used that to ssh in to the Linux server. Ran a zero day GNOME exploit and took it over.

    After taking over the server, installed 2 kernel modules that hid itself and also trapped certain calls like the ones used by Tripwire and basically returned true for all the operations for Tripwire and removed itself from the modules list and the process list.

    damned cool hack, and that was 15 years ago!

  • Re:I do not agree! (Score:3, Informative)

    by indymike ( 1604847 ) on Wednesday February 27, 2013 @07:40AM (#43022957) Homepage
    Security isn't a "core piece" because it is a pain in the ass for everyone but security people and easy to defeat most of the time. If you get root, collecting keys and salt for secure hashes becomes a lot easier. A good example is DRM - almost every crack comes from extracting keys. Most of the time, when you think encryption, your time would be better invested in say, keeping software up to date, auditing user permissions and doing other basic things that actually do have a big impact on real security. Almost every security choice is a trade between secure and easy to use. Magic solutions that claim to somehow make everything secure often are not magic and not very secure. The let's encrypt everything concept is a virus of the mind - it sounds good, but in application is often riddled with a combination of bugs, assumptions and mistakes that result in big holes and big bills from security consultants. Oh, and with encryption you also inject a probability of data loss... some idiot losing a key is more of a threat than unauthorized access.
