RealTime IT News

RSA Reminds Us to Fight The Good Fight

SAN FRANCISCO -- No matter where I go around here, people ask me what I think of this year's RSA Conference. I tell them this is my first RSA show, so I don't know what to compare it to.

But that's a bald-faced lie. I have repeatedly copped out with that answer. I do have an opinion.

Here's my impression, my bottom line, my conclusion from spending five days talking to vendors and customers about security until we were all blue in the face: Based on the information I took in this week, I believe that we are, ultimately treading water when it comes to computer security, waiting for the next wave to drag us under.

But we need to keep trying to stem the tide.

I think it's great that Microsoft CardSpace is going to work with OpenID.

It's great that the world's most powerful software vendor is going to support an open source specification that lets anyone identify themselves on the Internet, much like Web sites do with a URL.

I think EMC buying RSA (and with that, this show) and IBM buying Internet Security Systems and BT buying Counterpane and Websense buying PortAuthority and Microsoft buying Whale Communications are all fine moves.

I believe in network access control, intrusion prevention systems, anti-malware, identity management. I put stock in encrypting data in transit and data at rest.

The deals, innovations and ideologies indicate that security is a serious problem that vendors want to generate more dollars from trying to fix.

Industry luminaries Bill Gates, Howard Schmidt and Bruce Schneier convinced me that they understand the problems and flaws with computer security. They all spoke eloquently about the need for solutions that can adapt to quickly morphing threats.

Caveat: None of them convinced me they have the answer. And that's because there is no answer. Our computers will never be airtight.

Maybe I'm a tad frustrated. Maybe I'm a bit jaded because my friend had to change her bank account number because TJX had a massive data breach.

Bottom line: we're still screwed. Whether you use IBM's Tivoli identity management products or Oracle's identity management software or VeriSign's digital certificates, you're always going to be at risk of getting your information pilfered.

What is wrong with me? Why have I come to such a dire conclusion? Isn't RSA supposed to be the show that leaves us feeling better about the safety of our personal or privileged information?

Aren't we supposed to sleep better at night after hearing Microsoft's Bill Gates, EMC RSA's Art Coviello, Symantec's John Thompson, Oracle's Larry Ellison proxy Hasan Rizvi and CA's John Swainson talk about how we need to shore up our PC defenses?

We are, I think. But I don't. I worry more because the threats to computer security are legion and always changing. Like mutating viruses, really.

Bruce Schneier, CTO for BT Counterpane, said he was trying to think of a major security attack in 2006 and couldn't come up with any one specific incident.

That's when it hit him that attacks are becoming reported so frequently that they hardly make big news anymore.

"A lot of these attacks are now so frequent that they are not big news," Schneier told about 50 RSA attendees at a luncheon Wednesday afternoon. "That's not good for two reasons. Not good because they're more common and because our bosses won't read about them in the Wall Street Journal."

He also said we're seeing more massive, targeted attacks. This is, of course, a frightening observation. There's just something sinister and nasty about some stranger coming after my credit card number through your computer.

"Spammers are actually targeting attacks to ZIP codes," Schneier said. "They're actually doing marketing. The normal spam platform is not just a spammed computer, it's a hacked computer so it's actually only good for a limited time.

"The attacks are also now more stealthy. The attacks that drop computers and make news are the exception. The attacks that take over our computers and turn them into bots are much more common."

I actually have to stop and think: would I rather be mugged on the street, or have my bank account information compromised by a hacker a world away? I'll have to think about that but the bottom line is that Schneier's comments scared me.

Next page: Is there possibly a solution?