Bear-joke security is dead

Pascal Cuoq - 24th Jan 2014

Likely, you have heard this one before:

Two campers are surprised by an angry bear. One of them starts putting on eir running shoes. Surprised, the other exclaims: “What are you doing, Alex? You can't outrun a bear!”

To which Alex replies: “I don't have to outrun the bear. I only have to outrun you.”

This joke used to be popular with security experts, who employed it as a metaphor. I only ever heard it in that context, the first time as a student in the late nineties. The bear joke was still being used for this purpose in 2008.

You may also have heard that there is a new bear in town, and that the new bear can take both Alex and eir friend, with or without running shoes. Also, the new bear could literally(*) eat a horse. And the bear is part of an organized network of hungry bears with walkie-talkies and sniper rifles.

If your approach to security was based on bear jokes with dubious morals, now must really suck. Andy Green's blog post “Cryptography may not be dead but it is on life support” is representative of the change. One of the quotes he takes from Schneier's talk is:

Most of how the NSA deals with cryptography is by getting around it … They exploit bad implementations—we have lots of those.

Yes, we do, but we don't have to use them.

Here is to 2014 being the year of reliable cryptography implementations that cannot be circumvented through defects.

(*) “literally” within the confines of this metaphor