Monday, November 15, 2010

3 Watersheds in Computer Security

Posted on Bruce Schneier's Cryptogram about a recent talk by Whitfield Diffie:

The first was the invention of the radio. Pre-radio, the most common communications security device was the code book. This was no longer enough when radio caused the amount of communications to explode. In response, inventors took the research in Vigenère ciphers and automated them. This automation led to an explosion of designs and an enormous increase in complexity -- and the rise of modern cryptography.

The second watershed was shared computing. Before the 1960s, the security of computers was the physical security of computer rooms. Timesharing changed that. The result was computer security, a much harder problem than cryptography. Computer security is primarily the problem of writing good code. But writing good code is hard and expensive, so functional computer security is primarily the problem of dealing with code that isn't good. Networking -- and the Internet -- isn't just an expansion of computing capacity. The real difference is how cheap it is to set up communications connections. Setting up these connections requires naming: both IP addresses and domain names. Security, of course, is essential for this all to work; DNSSec is a critical part of that.

The third watershed is cloud computing, or whatever you want to call the general trend of outsourcing computation. Google is a good example. Every organization uses Google search all the time, which probably makes it the most valuable intelligence stream on the planet. How can you protect yourself? You can't, just as you can't whenever you hand over your data for storage or processing -- you just have to trust your outsourcer. There are two solutions. The first is legal: an enforceable contract that protects you and your data. The second is technical, but mostly theoretical: homomorphic encryption that allows you to outsource computation of data without having to trust that outsourcer.

Diffie's final point is that we're entering an era of unprecedented surveillance possibilities. It doesn't matter if people encrypt their communications, or if they encrypt their data in storage. As long as they have to give their data to other people for processing, it will be possible to eavesdrop on. Of course the methods will change, but the result will be an enormous trove of information about everybody.

Security quirkiness at Akshardham

I had been to the Akshardham temple at Delhi recently and must say that it is one of the most beautiful temples I have ever seen. I would rate it on par with my Taj Mahal trip earlier this year. It is a must see for anyone visiting Delhi. The security is very high, probably due to the past attack on the Akshardham temple in Gujarat. No electronic items including phones or cameras are allowed. Security checks are similar to those at airports. Some observations:

1) Belts are not allowed to be worn through security check. Apparently, belts interfere with the new full body scanners installed at various airports. But guess what, there are no full body scanners at Akshardham!

2) Multi-factor authentication: Bags greater than the size of a small ladies purse are not allowed inside. We had to deposit our belongings filling up a form and received a token in exchange. To receive the items on our way back, we had to provide the token and speak out the name and telephone number we earlier entered on the form. God help those who specified numbers they do not remember and are stored on the deposited phone's contacts list.