Thursday, March 24, 2016

English blog

Source: President Obama's Facebook
https://www.facebook.com/potus/posts/468102430046269 

It's been nearly 90 years since a U.S. President visited Cuba. And for the past half century, the sight of an American president in Havana would have been unimaginable.
But this week, because we're working to normalize our relations with Cuba, I was able to cross the Florida Straits and meet with and listen to the Cuban people. They told me about their hopes and their struggles, and we talked about what we can do together to help Cubans improve their lives.
What I saw and heard this week will stay with me forever.
I'll remember the beauty of Cuba and the pride Cubans take in their culture. On our first night, Michelle, Malia and Sasha and I walked around Old Havana, where every building, path, and plaza seems filled with the spirit and storied history of the Cuban people. We had a wonderful dinner at one of Havana's paladares, the often family-run restaurants where Americans and Cubans can meet and talk over some tostones.
I'll remember the innovative spirit of Cuba's entrepreneurs, especially the cuentapropistas who are running their own small businesses like bed and breakfasts, beauty parlors, barber shops and taxi services. These men and women, many of them young, are the face of Cuba's small but growing private sector, and I was proud to announce new partnerships to help them start and grow their businesses. That includes helping more Cubans connect to the Internet and the global economy.
I'll remember the courage of the Cuban human rights advocates I met, many of whom have been harassed, detained or imprisoned simply for standing up for the equal rights and dignity of every Cuban. They told me about their work to advance freedom of speech, assembly, the press and religion, and I promised them that the United States will continue to stand up for universal human rights in Cuba as we do around the world.
I'll remember the passion of the Cuban people, especially when it comes to our shared love of baseball—la pelota. At Havana's ballpark, President Castro and I watched as the Tampa Bay Rays took on the Cuban national team, the first professional baseball game between our countries in 17 years. Let me just say that tens of thousands of Cuban fans cheering for their team is...intense. But when we all stood for our national anthems, it was an unforgettable moment that reminded us of the friendship and mutual respect between the American people and the Cuban people.
Perhaps most of all, I'll remember the Cubans who lined the streets, mile after mile, to greet us. They were men, women and children, smiling, waving, snapping pictures. Some were even waving American flags—another sight that not long ago would have been unimaginable. In the faces of these Cubans I saw hope for a brighter future.
The Cuban people are ready for a new relationship between our two countries. The majority of Americans—including many Cuban Americans—support our new approach as well. It won't be easy. The long road ahead will see progress and setbacks. But the Cubans I met this week reaffirmed my hope that we can succeed, together.
I believe in the Cuban people - creo en el pueblo Cubano.
============ END ============

Source: https://www.schneier.com/blog/archives/2016/03/cryptography_is.html

Cryptography Is Harder Than It Looks

Writing a magazine column is always an exercise in time travel. I'm writing these words in early December. You're reading them in February. This means anything that's news as I write this will be old hat in two months, and anything that's news to you hasn't happened yet as I'm writing.
This past November, a group of researchers found some serious vulnerabilities in an encryption protocol that I, and probably most of you, use regularly. The group alerted the vendor, who is currently working to update the protocol and patch the vulnerabilities. The news will probably go public in the middle of February, unless the vendor successfully pleads for more time to finish their security patch. Until then, I've agreed not to talk about the specifics.
I'm writing about this now because these vulnerabilities illustrate two very important truisms about encryption and the current debate about adding back doors to security products:
  1. Cryptography is harder than it looks.
  2. Complexity is the worst enemy of security.
These aren't new truisms. I wrote about the first in 1997 and the second in 1999. I've talked about them both in Secrets and Lies (2000) and Practical Cryptography (2003). They've been proven true again and again, as security vulnerabilities are discovered in cryptographic system after cryptographic system. They're both still true today.
Cryptography is harder than it looks, primarily because it looks like math. Both algorithms and protocols can be precisely defined and analyzed. This isn't easy, and there's a lot of insecure crypto out there, but we cryptographers have gotten pretty good at getting this part right. However, math has no agency; it can't actually secure anything. For cryptography to work, it needs to be written in software, embedded in a larger software system, managed by an operating system, run on hardware, connected to a network, and configured and operated by users. Each of these steps brings with it difficulties and vulnerabilities.
Although cryptography gives an inherent mathematical advantage to the defender, computer and network security are much more balanced. Again and again, we find vulnerabilities not in the underlying mathematics, but in all this other stuff. It's far easier for an attacker to bypass cryptography by exploiting a vulnerability in the system than it is to break the mathematics. This has been true for decades, and it's one of the lessons that Edward Snowden reiterated.
The second truism is that complexity is still the worst enemy of security. The more complex a system is, the more lines of code, interactions with other systems, configuration options, and vulnerabilities there are. Implementing cryptography involves getting everything right, and the more complexity there is, the more there is to get wrong.
Vulnerabilities come from options within a system, interactions between systems, interfaces between users and systems--everywhere. If good security comes from careful analysis of specifications, source code, and systems, then a complex system is more difficult and more expensive to analyze. We simply don't know how to securely engineer anything but the simplest of systems.
I often refer to this quote, sometimes attributed to Albert Einstein and sometimes to Yogi Berra: "In theory, theory and practice are the same. In practice, they are not."
These truisms are directly relevant to the current debate about adding back doors to encryption products. Many governments--from China to the US and the UK--want the ability to decrypt data and communications without users' knowledge or consent. Almost all computer security experts have two arguments against this idea: first, adding this back door makes the system vulnerable to all attackers and doesn't just provide surreptitious access for the "good guys," and second, creating this sort of access greatly increases the underlying system's complexity, exponentially increasing the possibility of getting the security wrong and introducing new vulnerabilities.
Going back to the new vulnerability that you'll learn about in mid-February, the lead researcher wrote to me: "If anyone tells you that [the vendor] can just 'tweak' the system a little bit to add key escrow or to man-in-the-middle specific users, they need to spend a few days watching the authentication dance between [the client device/software] and the umpteen servers it talks to just to log into the network. I'm frankly amazed that any of it works at all, and you couldn't pay me enough to tamper with any of it." This is an important piece of wisdom.
The designers of this system aren't novices. They're an experienced team with some of the best security engineers in the field. If these guys can't get the security right, just imagine how much worse it is for smaller companies without this team's level of expertise and resources. Now imagine how much worse it would be if you added a government-mandated back door. There are more opportunities to get security wrong, and more engineering teams without the time and expertise necessary to get it right. It's not a recipe for security.
Unlike what much of today's political rhetoric says, strong cryptography is essential for our information security. It's how we protect our information and our networks from hackers, criminals, foreign governments, and terrorists. Security vulnerabilities, whether deliberate backdoor access mechanisms or accidental flaws, make us all less secure. Getting security right is harder than it looks, and our best chance is to make the cryptography as simple and public as possible.
This essay previously appeared in IEEE Security & Privacy, and is an update of something I wrote in 1997.
============ END ============

1 comment:

John Barness said...

Thank you for sharing this information.
The truth is that modern cryptography and encryption systems are the core of today's data security systems used within data room software. As for me, every single unit must have its own encryption.