On Paranoia and Security
I bought Bruce Schneier’s boxed set of three books: “Applied Cryptography”, “Practical Cryptography” and “Secrets and Lies”. Hopefully reading all this will make me sufficiently paranoid to deal with the security threats we’ll be facing as we move into the SaaS world. Bruce says that originally, when he wrote “Applied Cryptography”, he thought all the security problems on the Internet could be solved by mathematics, and that a few powerful cryptographic algorithms would solve all the security problems out there. He now realizes that this isn’t the case: there are many other weak links to be exploited, like bad implementations, lack of vigilance, human error, etc. In fact, many people feel that if they are connected to a web site via SSL or TLS, they are fully secure. However, this just isn’t the case.
SSL and TLS only protect the connection between the client computer and the server. They don’t protect the client computer. They don’t secure or encrypt data stored in the browser’s memory. They don’t force you to use secure passwords. They don’t force you to check the validity of the root certificate authority used by a server. They don’t force you to use the maximum encryption settings possible. They don’t force you to run anti-virus and spybot software.
Generally the security business is described as a “Red Queen’s Race”. This means the people trying to protect systems are running harder and harder just to stay in the same place. It seems the advances made by hackers are very impressive. Even now that the patents on most cryptographic algorithms have expired and governments aren’t trying to suppress them anymore as military secrets, it will take much more than mathematics to provide a secure Internet.
Another point he makes is that it is possible to create a secure operating system. But since there is no liability to software vendors when break-ins occur, there is no real motivation for anyone to make a more secure operating system. For instance, it would cost Microsoft billions to really address the problems in Windows, but since there isn’t any liability, besides a bit of bad press, why would they? As it is, they are content just to spend a bit of time releasing Windows Updates as they discover holes found by hackers. But what about all the holes that hackers have found and not told them about?
But in spite of all the negativity, it is possible to create a reasonably secure system (i.e. secure enough that hackers will look elsewhere for easier targets). With a reasonable amount of vigilance, following of best practices and intelligence, you can run a secure system. But you have to stay alert and not believe that SSL and a firewall are all-protecting.