Monday, August 20, 2007

The State of Security

http://www.infoworld.com/article/07/08/20/34FEnextbigthing_grimes_1.html

In an interesting article, Roger Grimes talks about how the state of Security is pathetic and appalling (I agree), and how in future authentication on chips and such advances would make hacking unprofitable and eventually make our online experience safe (I disagree).

It's like this:
It doesn't matter what algorithm you create - and what keyspace you may have - but the weakest link is the human being and human error. Once the key is exposed nothing can save it - not even the strongest encryption.

Only one thing can save us from being such idiots when it comes to Security, and that is multifactor authentication. "What you have, what you know, and who you are" -- any two would help, yes, but all three would be NEARLY bulletproof. Notice I use "nearly" - and that's because NOTHING is unbreakable.

Everything has a weak point, a vulnerability (Patch Tuesday, anyone?) that people are more than happy to discover, exploit, and profit from. And in this respect, the abysmal state of Security literacy and the lack of focus on such issues in our education system will together drag down any advances that Security scientists and researchers have made or may yet make.

You have SSL for browsers? Hmm, just phish with real-sounding fake names. You have sitekey? Create an alternative site with a map of any and all authenticating images and ask the user to enter the password. Unless it's an educated user, you'll find that nearly 99.99% will enter the password DESPITE seeing an incorrect sitekey.
Why is that? Simple - psychology. People have this air of infallibility around them, and hackers use that to full potential, to their own benefit.

How does one really avoid such issues?
a. Multifactor authentication (iris scan/fingerprint; password; smartcard)
b. Intensive and regular education
c. Strict policies and granular access control
d. End-to-end monitoring of all packets - bidirectional
...

Simple monitoring and alarms will not work; what's needed is a total change of philosophy when it comes to revealing one's identity on the Web to complete and possibly criminal strangers. You would not give out your house key to just anyone - so why would you give your password/id out to shady sites without verifying that they are who they say they are?

Ultimately, it does not matter how much progress we make in terms of Security (new algorithms, large keyspaces, complex passwords, password protection and password-based encryption (PBE) implementations, etc.) - what matters is what end-users are willing to do to protect themselves. Electrified fences, a guard dog, 12-foot-high gates, an advanced alarm system: these are all fantastic when it comes to protecting your home, but none of them can help if you left your front door ajar.

Be safe!
