Recently there has been an upsurge in interest in the security of systems attached to the Internet. A long while ago, firewalls were considered the state of the art in security. They weren't, even at the time, but that was the general understanding of the populace… that if you have a firewall in place, you're safe. Then came the era of computer viruses inveigling their way into your computer from across the globe and no longer were firewalls the panacea they had been believed to be. Instead we grew a multiplicity of virus scanners to find and eliminate these beasties. As early as 2002, an article on Symantec was written by Paul Schmehl which referenced a variety of sources all calling for something better than the detect-and-eradicate approach of those scanners. So began the era of "holistic" security approaches including intrusion detection systems, generic detection, threat mitigation, etc., which have been the mainstay of the "protection" market for some time.

Recently, however, we have moved to putting more and more of our personally and commercially sensitive data in a location we have no control over, in the hands of someone whose only possible motivation can be to use the data they hold for their commercial gain. As a result, the security of our information is threatened less by virus attacks on our personal computers (an attack vector much more lucratively monetised by DDoS-for-hire and spam-for-hire botnet providers) and much more by attacks on the security protocols put in place to protect the data.

Note, by security protocols I do not mean cryptography. Cryptography is about keeping information secret in the face of mathematical attack. Security (in this instance) is much more about keeping information safe in the face of an attacker exploiting the myriad weaker links between you and your precious precious ones and zeroes. Recently there was a lovely talk given by Peter Gutmann of the University of Auckland entitled "Crypto won't save you either", wherein he detailed a variety of situations in which cryptography was not broken, but bypassed. Adi Shamir, in the early 2000s, gave a Turing Lecture alongside Rivest and Adleman. Shamir provided the 'status report' on cryptography, and among his presentation were three slides which various people have felt worth repeating in various places.

Even more recently, Shubham Shah posted about how he bypassed two-factor auth on various high profile sites and service providers. His article very effectively demonstrates why security is everyone's problem. His attack did not need to touch the cryptography typically employed to protect your bits as they fly across the intertubes. He did not need to perform complicated mathematical operations to determine how to bypass that cryptography. He just made a call at the same time as clicking a button on a web page.

The cryptography itself in all of the above examples was never under attack. While there have been recent stirrings about the possibility of a breakthrough in mathematically attacking the discrete logarithm problem, the majority of effective attacks of late have not been near the mathematics. Security of your data bits cannot be left entirely to mathematics you do not understand. Unfortunately, nor can it be left to systems you might previously have thought secure, such as the voicemail of your mobile telephone. Security costs, both in money and in convenience, and we're all about keeping costs down in our brave new world. As such, many of us don't enable things like the two-factor authentication which Shubham Shah bypassed, let alone take care to reduce the attack vectors provided by relying on external means such as voicemail etc.

Cryptography is the problem of the software authors who write the product you rely on. Security is their problem too (designing a protocol for access which will easily authenticate and authorise you while easily detecting and denying imposters is a toughie and can't be done without them) but it's also your problem. And the problem of anyone you share your data with, and the problem of anyone you rely on to keep your data safe. But most importantly it is your problem -- and that's a problem we're unlikely to solve any time soon.

Security is also far more than confidentiality provided by encryption. It is also about integrity - is this the comment I genuinely added, or has it been modified by someone? It is also about authenticity - is the comment really from the claimed author? It is also about availability - how does the provider of the blog prevent a DDoS attack stopping you from reading their blog? These three examples are all in the domain of security, but have little to do with encryption.

Comment by Colin Thu Aug 21 07:27:58 2014