Is there such a thing as security technology that is too good? ESET’s Cameron Camp, who is in attendance at RSA, discusses further.
The stage is set: the wily Apple facing off against the heavyweight FBI bruiser. The contest: industry argues unbreakable crypto should be just that – unbreakable. In the other corner, the suits at the FBI argue that if someone REALLY needs to know what’s on your phone, there needs to be a way to know. Here at RSA, that level of conversation takes the spotlight. Is there such a thing as security technology that is TOO good? If you’re here, you want to know.
It also depends on where you’re standing. If you want to protect your family against a host of real (and maybe imaginary) threats, unbreakable locks are a “Good Thing”. You can rely on an unbreakable lock when your life depends on it. Or maybe when you have very unpopular thoughts, beliefs and plans. But in a polite society, when bad guys become “too bad”, should there be a privileged back door? Who should have the keys? Who gets to decide?
If bad guys get unbreakable crypto, they can ramp up crypto-infused ransomware that’s unbreakable and run amuck. They can do a host of other very bad things (not only in ransomware) as well. And if you just got hit with a ransomware exploit, you’ll probably be looking for that magic set of keys as well – you might just suddenly become a fan of the master key idea.
“If you want to protect your family against a host of real threats, unbreakable locks are a good thing.”
Some would argue that the math behind crypto is an amoral construct. It’s just a bunch of numbers and letters in a particular sequence. You just do good math and it shouldn’t break. Telling an engineer to deliberately break the math smacks of sacrilege, it just seems wrong, if indeed there is a moral construct behind good engineering. As an engineer you should do your level best to make the most well-engineered thing there is. The best car, bridge, or in this case, crypto.
But here at RSA, we get to walk the floors, sit in on the sessions, and wrestle over whether crypto is getting too good. So good that you can’t export it because it becomes considered weapons grade. But not exporting math formulas because someone deems them weaponized because they’re too good somehow seems, well, silly – like telling someone they can’t sing a particular song in a different country. Oh wait, that really happens.
It comes down to trust. If you’re visiting a security vendor booth here, you want to understand what lengths they are prepared to go to protect your stuff. There are bad things out there, and you hope the techies at Company A are good enough to protect you from Bad Guys B through Z.
Those are tall odds. Your security has to be right … it has to be very, very good. In this context you don’t want them to betray that trust for any reason – you want them to do their best. And if there were an unbreakable lock in the form of software and/or hardware, you’d buy that, regardless of what anyone else thought. You’d go to great lengths to protect the Crown Jewels in your organization. You care a lot.
So in that context the choice is clear, favor those you trust. Now go run around RSA and figure out how hard that is to know.