[Infowarrior] - Former NSA tech chief: I don't trust the cloud

Richard Forno rforno at infowarrior.org
Tue Mar 9 14:30:53 UTC 2010


(agree 100% -rick)

This story appeared on Network World at
http://www.networkworld.com/news/2010/030410-rsa-cloud-security-warning.html


Former NSA tech chief: I don't trust the cloud
RSA Conference hears warnings about trusting cloud services
By Tim Greene, Network World
March 04, 2010 10:20 AM ET

The former National Security Agency technical director told the RSA  
Conference he doesn't trust cloud services and bluntly admonished  
vendors for leaving software vulnerabilities unpatched sometimes for  
years.
Speaking for himself and not the agency, Brian Snow says that cloud  
infrastructure can deliver services that customers can access  
securely, but the shared nature of the cloud leaves doubts about  
attack channels through other users in the cloud. "You don't know what  
else is cuddling up next to it," he says.

Snow was speaking as a member of the annual cryptographers panel at  
RSA Conference. Another panelist said he doesn't trust clouds either,  
but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir, a computer science professor at Israel's Weizmann Institute  
of Science and also the "S" in the RSA encryption algorithm, warned  
against trusting cloud computing services for the same reason he  
suspects the confidentiality of transmissions over telecom networks  
and the Internet. He says the phone systems are secure, but that major  
crossroads in their networks are tapped by the NSA. "There's a pipe  
out of the back of an office at AT&T in San Francisco to NSA," he said.

Government access to assets entrusted to public cloud providers will  
be similar, he says. He suspects in some cases cloud providers will be  
companies influenced by government spy agencies, similar to the way  
Crypto AG security gear gave the NSA backdoor access to encrypted  
messages sent by foreign governments that had bought the gear. "Please  
don't use Crypto AG," he said.

On another topic, Snow said many commercial applications and security  
products contain known flaws or shortcomings that users accept without  
understanding them or analyzing them thoroughly. That trust is similar  
to the trust investors had in unsound Wall Street derivative  
investment products, he said. Just as the country's financial markets  
melted down last year, he said network security could face a  
"trust-bubble meltdown".

He alluded to a 17-year-old Microsoft vulnerability that went  
unpatched. Fixing such problems before they are exploited gives  
vendors a commercial advantage, so they should do so. "Fix  
vulnerabilities before you first smell an attack," he said. "End of  
message."

Also during the panel, Snow acknowledged that cryptographers for the  
NSA have been losing ground to their counterparts in universities and  
commercial security vendors for 20 years but still maintain the upper  
hand in the sophistication of their crypto schemes and in their  
ability to decrypt.

"I do believe NSA is still ahead, but not by much -- a handful of  
years," said Snow, the former technical director for the agency. "I  
think we've got the edge still."

He said that in the 1980s there was a huge gap between what the NSA  
could do and what commercial encryption technology was capable of.  
"Now we are very close together and moving very slowly forward in a  
mature field," Snow said.

The NSA has a deep staff of Ph.D. mathematicians and other  
cryptographic experts to work on securing traffic and breaking codes,  
and also has another key advantage. "We cheat. We get to read what  
[academics] publish. We do not publish what we research," he said.

Whitfield Diffie -- the Diffie in Diffie-Hellman key exchange -- said  
the NSA lead might have to do with the fact that some cryptography  
problems are out of bounds for academics, such as nuclear command and  
control platforms. "It would be illegal, expensive and frustrating to  
do," said Diffie, who sat on the cryptographers' panel. Any work done  
privately would be immediately be classified and the researchers would  
be unable to discuss it publicly or claim credit, he said.

Plus the demands of commercial cryptography don't allow for the  
thoroughness of refinement that is the hallmark of NSA work, he said.  
There are practical issues -- such as developing products quickly that  
can be sold to business as valuable assets -- that NSA doesn't face.

Snow's claim of NSA superiority seemed to rankle. Shamir noted that when  
the titles of papers in NSA technical journals were declassified up to  
1983, there were none that included public key encryption. "That  
demonstrates that NSA was behind," Shamir said.

But Snow said that perhaps the topic was written about, only under  
another name. When technologies are developed separately in parallel,  
the developers don't necessarily use the same terms for them, he said. 

