At a basic level, information should be encrypted in both its stored and transmitted states. However, while decryption is rather difficult, it is not impossible and can be easily achieved. The simplest vector for breaking encryption is that of social engineering - convincing another person to give up access to confidential information. If the information in question is being accessed over anything that touches the Internet, that information is fundamentally less secure than information not passing over the Internet. Several high-profile news reports have shown that people can misplace laptops containing large amounts of sensitive data, or backup tapes can be lost or misplaced. Data in its non-encrypted state is not protected at all. Further, when computers in the wild (taken home, or used outside of strictly controlled conditions) are used to access encrypted data, the same data is also in the wild and subject to compromise. Encryption is only as effective as the lack of persistence the perpetrator has. If you have the time, you can break most encryption schemes.
What do you think about the full disclosure of vulnerabilities?
First let’s think about this from a different angle… let’s say that a consumer product is discovered to have a shortcoming - for example - a child’s toy has small parts which could come off and cause choking. We would all want to be informed of this issue so that we can protect ourselves and children. Full disclosure is just that – letting the people who are depending on the technology know its flaws so that they can avoid the potential danger.
Going back to the child’s toy example, if some unscrupulous person continues to sell the questionable toys and doesn’t comply with the recall, they are potentially exploiting the buyer. We mostly operate by buyer beware, but when was the last time you checked if there were any recalls on the toys your children play with? The major difference here is the agent involved in exploiting the problem.
The inherent openness and enablement of the Internet makes it easy for someone to take advantage of breaking in with little opportunity to detect it. Imagine that a flaw was discovered in a door lock such that, when turned three times to the left and twice to the right, the door just unlocked. Maybe the door of your home has one of these locks? Do you know? But, you say, I live on a busy street and someone would see someone trying my door and call the police. You are placing some implicit trust in the context of your home and neighbors. But what if someone could try the lock remotely from across the globe? You would never know.
So to make a long answer short, full disclosure needs to be measured. I think the approach that Dan Kaminsky and Paul Vixie used in disclosing a recent DNS vulnerability is acceptable. They coordinated fixing a certain technology with all of the vendors of DNS server software prior to publicly disclosing the problem. This allowed the vendors time to get repair kits for the locks ready before details of the vulnerability were common knowledge.
What do you expect from the future? Is it likely for a serious “cyberterrorism” event to take place in the next 12 months, or do you see it as hype?
I think the future will be frustrating for organizations that depend on the Internet. One can do everything right and if someone, really anyone else on the net, does not do what they should, you will potentially feel the negative effects. The Internet is inherently not a protected system. Don't get me wrong, it is extremely resilient, but it is not protected. The Internet functions daily at a level which was never imagined by its designers. Frankly, it is amazing it works at all sometimes. Internet vulnerabilities are not altogether just hype. The scenarios are plausible and easily accomplished. So the real question is - why wouldn’t a serious event take place on the Internet?