RSA 2006 — Who are you?

Mary Kirwan

Special to Globe and Mail Update

At the recent 2006 RSA Security Conference, it was, we were told, 'a brave new world, and a bright new day'. Except that as the days went by, it became increasingly clear that the horizon is far from bright, despite reassuring rhetoric from the vendors that they are committed to working together to solve our security woes.

In the real world, however, the big guns are locked in mortal combat. For instance, Symantec, Sun Microsystems, Oracle and IBM are circling the Microsoft wagon as it continues to do battle with EU regulators. Symantec is especially keen to prevent Microsoft from bundling an anti-virus solution in Vista, the latest version of the Windows operating system.

But despite the mixed messages, RSA keynote presentations are always a big draw, especially when Microsoft chairman Bill Gates takes centre stage. His opening jibe at Dick Cheney's inability to distinguish quail from human was delivered with aplomb, and he was discernibly peppier than last year.

The affable crowd chuckled gamely, and then visibly recoiled as he revealed the latest Microsoft vision for our collective future. Like Sigourney Weaver's nightmare in Alien Resurrection, the Thing that just wouldn't die was back: Passport had arisen from the flames, tweaked and ready for a new beginning; renamed Windows Live ID and supplemented by InfoCard, demonstrated by Gates at the event.

You will recall a few years back that Microsoft's ambition to make Passport the universal single sign-on for the masses fell flat as a pancake. The nail in the coffin came in 2002 when it agreed to settle U.S. Federal Trade Commission charges that it wasn't delivering on promises it made about the security and privacy of the various Passport offerings.

For instance, the FTC claimed that Microsoft misrepresented that purchases made with Passport Wallet were more secure than purchases made at the same site without it. In fact the FTC found that 'most consumers received identical security at those sites regardless of whether they used Passport Wallet' or not. In other words, using Passport did not provide any value-add for consumers, not to mention the fact they were potentially worse off for using it.

So Passport failed for many reasons, lousy security being just one of them. But top of the list was arguably the fact that almost no one, least of all the consumer, cared one whit about it; it simply had no business case.

What has changed this time round? Despite assurances from team Microsoft that users, and not Microsoft, now control their data, the jury is out.

However, identity management, especially so-called 'federated identity management,' was a big topic at this year's event, popping up everywhere, from keynotes to individual sessions. The vendors are plainly keen to catch what is perceived to be the next wave, and to devise ways to prove that we are who we claim to be.

Everyone, it seemed, was looking 'to federate' with everyone else, the idea being that we only have to sign in once to interact with multiple websites and applications. The impetus for all this is a conviction, reiterated by Bill Gates, that passwords are the weak link in the security chain that must be cast aside so we can find the holy grail: "Security that just works".

But Valhalla is not around the bend.

'Federation' is undoubtedly useful in enterprises, government organisations and closed corporate networks to reduce the considerable cost of managing passwords and disparate identities. And conceivably for extending out the boundaries of the network to include partners and suppliers - provided you can work out how to apportion risk and liability, and assuming you are confident that your partner cares as much about your brand as you do.

But when it comes to sharing sensitive data, such as credit card information or social security numbers belonging to employees, customers or consumers, is the risk worth the reward? And what guarantees do data owners have that companies and their extended circle of trust will do the right thing?

Managing 'outsourced' relationships is no easy matter, and federation takes the concept to a whole new level. Are we ready?

And what about aspirations to bring the experiment to the masses? A huge amount of effort is being put into defining a technical architecture, with barely a nod to the question of whether the end user, especially the consumer, cares to federate, or whether there is any discernible benefit to him in doing so. That's assuming the average person has the faintest idea what such unappealing jargon means in the first place.

Not to mention the fact, despite loud rhetoric to the contrary, that the security and privacy implications of federation are horrible. If the bad guys get their hands on that one super set of credentials, the game is over: there is no longer any need to grub around to get your full measure; it is one-stop shopping par excellence. And it will be honey to flies.

To his credit, RSA chief Art Coviello is on record as saying that federation has been a 'disappointment', and in his RSA keynote address he said that what we need is a trust model that mimics the physical world. Whatever that is. He was, of course, adamant that digital IDs and tokens, as sold by RSA, would be a large part of the solution.

It was heavy going and attendees had to dig deep for any sign of the 'inventiveness' that Gates mentioned is rife in the industry.

So it came as a relief to see Scott McNealy, the Sun Microsystems chief, take the stage. The sleepy dog demeanour hides a rapier wit and a propensity for sarcasm guaranteed to cleanse the palate. He dusted off his open source credentials with relish, and brought the father of Java, James Gosling, on stage (to the delight of the audience) to wax lyrical about the security advantages of open source code.

McNealy was positively gleeful in blaming the current security hubris on a lack of genetic diversity and standardisation on the desktop and on the server side; indeed certain unnamed monopolies (IBM) had forced customers to build and populate their data centres with Frankenstein "jalopies", with obvious results. And in conspiratorial tones, he revealed that vendors are "overcharging for this stuff" that has "the shelf life of a banana or less," as they keep us hooked on proprietary solutions with free fixes, and then prevent us from moving to secure Java thin clients (stripped down computers), due to high switching costs.

Rollicking stuff, but not overly reassuring to the vast majority of the audience, duly locked in, as McNealy described.

Indeed, as the keynotes rolled by, the clouds gathered and the skies darkened.

McNealy claimed that 'the network is the computer' and that we need to buy Sun products as "the brain dead obvious way to go."

John Chambers, the Cisco CEO, told us that "the network is the platform," and that as such it must be the security platform - it's "the only way I know how to do it".

Stratton Sclavos, meanwhile, was forthright in his ambition for Verisign to emulate the success of Cirrus, the ubiquitous banking network, in the identity management sector. As Verisign runs the .com registry and owns much of the digital certificate market, I am not sure that is a desirable outcome. But now we know.

Symantec chief John Thompson refuted everything and everyone and warned us that we won't fix our security problems by either securing the network or the PC. Instead we need to install security products, pass strong security laws, and users need to develop the same sixth sense they have in the physical world, around who or what is safe, and apply it to the on-line world.

When it came to e-mail authentication, things were no better, as Microsoft and Cisco/Yahoo continue to support different solutions, Sender ID and DomainKeys respectively, although Sender ID is further ahead and used, according to Microsoft, by 41 per cent of financial institutions. However, when push came to shove, both sides agreed that there are numerous ways for bad guys to circumvent both solutions in any event, and that they aren't trying to 'boil the ocean'.

But was there light at the end of the tunnel, from unexpected quarters?

Paul Kurtz, executive director of the Cyber Security Industry Alliance, told a packed audience that in the past year he had witnessed a 'sea change' on Capitol Hill as U.S. legislators had a newfound appetite for security issues, fuelled by constituents demanding that something be done about spyware and identity theft. There are some 26 bills in both Houses at present and a real prospect that a federal data breach reporting law might pass this session, and a spyware bill in the none too distant future.

But the real applause at RSA was reserved for Steven Squyres and his Mars rovers, a standing ovation no less. The charismatic scientist, with the gift of the gab and the much-needed ability to bring science alive, brought tears to many eyes as we watched his hardy rover fight its way across Mars, dig its way out of sand, and boldly go where no rover had gone before. It was a great example of real ingenuity, of fine minds at work solving challenging problems for the good of mankind.

After the Squyres presentation, there was a palpable sense of relief amongst the attendees that scientists somewhere were actually doing something clever and cool.

Alas, as we were repeatedly told at RSA 2006, in the security field, no one is boiling any oceans. Not even on earth.

Roll on 2007.
