Cryptography 'Becoming Less Important,' Adi Shamir Says 250
Trailrunner7 writes "In the current climate of continuous attacks and intrusions by APT crews, government-sponsored groups and others organizations, cryptography is becoming less and less important, one of the fathers of public-key cryptography said Tuesday. Adi Shamir, who helped design the original RSA algorithm, said that security experts should be preparing for a 'post-cryptography' world. 'I definitely believe that cryptography is becoming less important. In effect, even the most secure computer systems in the most isolated locations have been penetrated over the last couple of years by a series of APTs and other advanced attacks,' Shamir said during the Cryptographers' Panel session at the RSA Conference today. 'We should rethink how we protect ourselves. Traditionally we have thought about two lines of defense. The first was to prevent the insertion of the APT with antivirus and other defenses. The second was to detect the activity of the APT once it's there. But recent history has shown us that the APT can survive both of these defenses and operate for several years.""
Re:APT (Score:5, Informative)
Advanced Persistent Threat
Re:APT (Score:5, Informative)
Advanced Persistent Threat [wikipedia.org]
Depends on your threat model (Score:3, Informative)
If you're trying to protect your big organization against foreign spies, yes. If you are a little guy who wants to communicate without having that communication be laid wide open for a large organization to see, then I think encryption is still pretty useful. Even if just because managing all those separate unique intrusions over a long period of time requires a lot more resources than just tapping into a trunk line.
Re:He put the S in RSA (Score:5, Informative)
He put the S in Rivest-Shamir-Alderman
You mean Adleman.
Re:Dress for suck-(cess) (Score:5, Informative)
His point wasn't that cryptography wasn't useful, but simply that dealing with modern threats doesn't require "better cryptography" because modern threats aren't attacking the crypto. They are attacking the public key infrastructure (PKI), they are attacking the end points before encryption/after decryption.
Our security focus is there.
In other words, PGP doesn't protect your email, if you have a virus on your system sending everything to an attacker after its decrypted. PGP doesn't protect your email if the PKI is hacked, and you are signing mail with public keys generated by people impersonating the intended recipients.
Etc. Etc.
A better PGP crypto algorithm isn't going to help you here.
Re:He put the S in RSA (Score:5, Informative)
Re:no (Score:5, Informative)
no. They finally tracked it down. They watched the guy come in and take over the box again. He got in and owned the box in 8 seconds.
The hacker found an old samba server in Australia (version 0.5 or some such), took it over. Used that to remotely mount the windows desktop used by the researchers in Japan.
Found the private cert/key on the windows box. Used that to ssh in to the linux server. Ran a zero day gnome exploit and took it over.
After taking over the server, installed 2 kernel modules that hid itself and also trapped certain calls like the ones used by tripwire and basically returned true for all the operations for tripwire and removed itself from the modules list and the process list.
damned cool hack, and that was 15 years ago!
Re:I do not agree! (Score:3, Informative)