[125831] in cryptography@c2.net mail archive
Re: A call for aid in cracking a 1024-bit malware key
daemon@ATHENA.MIT.EDU (=?UTF-8?Q?Ivan_Krsti=C4=87?=)
Wed Jun 11 20:35:00 2008
Cc: "Jeffrey I. Schiller" <jis@mit.edu>,
cryptography@metzdowd.com
From: =?UTF-8?Q?Ivan_Krsti=C4=87?= <krstic@solarsail.hcs.harvard.edu>
To: Steven M. Bellovin <smb@cs.columbia.edu>
In-Reply-To: <20080611160439.65f39dc8@yellowstone.machshav.com>
Date: Wed, 11 Jun 2008 23:38:09 +0200
On Jun 11, 2008, at 10:04 PM, Steven M. Bellovin wrote:
> Let's put it like this: suppose you wanted to use all of your
> cryptographic skills to do such a thing. Do you think it could be
> cracked? I don't...
Exactly right. After Storm, I don't think anyone reasonable still =20
believes that there's no talent in the black hat community. So even if =20=
this particular piece of malware has implementation issues, the next =20
version won't. And then what?
Focusing on the crypto is just missing the point entirely, although I =20=
suppose it grabs headlines. But the problem at hand has nothing to do =20=
with crypto, and everything to do with the fact that our desktop =20
security systems are fundamentally broken[0]. There is _no_ _reason_ =20
that a piece of malware executing silently in the background should =20
have access to the user's files without interaction or approval from =20
the user. And you can't maliciously encrypt files you can't access.
We know how to build systems that are both drastically more secure and =20=
more usable than the ones in use today[1]. I wonder if a proliferation =20=
of headline-grabbing threats like cryptographic ransomware will help =20
overcome the OS vendor inertia.
[0] See first half of =
<http://radian.org/~krstic/talks/2007/auscert/slides.pdf=20
>. Note: I'm no longer affiliated with OLPC.
[1] E.g. <http://en.wikipedia.org/wiki/CapDesk>, =
<http://en.wikipedia.org/wiki/Polaris_(computer_security)=20
>, <http://en.wikipedia.org/wiki/Bitfrost>
--
Ivan Krsti=C4=87 <krstic@solarsail.hcs.harvard.edu> | http://radian.org
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
