Monday, July 27, 2009

Information Security

Some random thoughts I wanted to set down about information security in the light of the Black Hat conference in Las Vegas:

Maybe information security is obsolete. People spout off information constantly. Listen in for five minutes at Starbucks while they yammer on their cell phone and you have their kids' names (and probably part of most of their passwords). Make a J. Smith account at Facebook and add them, and you'll know their schedules, including when they leave for vacations. Information should not be what guards the gates to what we're really trying to protect - bank accounts, jobs, lives, etc. The more you make it the key to something, the more it gets targeted. The more you safeguard it, the more targets there are left out. There are too many thieves and too many easy ways to steal information. So far the key component has always been just that - information, but in this overloaded age, it's not profitable to have to sift through information. If it was all out there, then there wouldn't be this unfounded sense of complacency.
But how do we protect what's important without resorting to passwords, PINs, etc.? RSA uses a combination of private and public keys to make their scheme impenetrable to most yet still useful. How could we do this? DNA recognition? Fingerprinting?
The simplest way is to bring it back down to people. People are the ultimate in facial and voice recognition. It used to be common to arrange introductions. Problem is, people can be corrupted. People are sometimes less than competent on bad days.
Hiding in plain sight. The army of regular transactions that banks watch for anomalies. Perhaps giving people more vigilance over their transactions - no, that's been tried. People get bored of monotony. They forget or get busy.
It's troubling. There's got to be a way to make the information unguarded, and the important things still guarded.

