  • “Briefly and simply, assurance work makes a user or a creditor more confident that the system works as intended without flaws, without surprises, even in the presence of malice.” … “The major shortfall is absence of assurance or safety mechanisms in software. If my car crashed as often as my computer does, I’d be dead by now.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need Assurance", AusCERT 2008

  • “We are a cyber nation. The U.S. information infrastructure--including telecommunications and computer networks and systems and the data that reside on them--is critical to virtually every aspect of modern life. This information infrastructure is increasingly vulnerable to exploitation, disruption, and destruction by a growing array of adversaries.”

    The National Coordination Office (NCO) for Networking Information Technology Research and Development (NITRD), Federal Register: December 30, 2008 (Volume 73, Number 250).

  • "There is a good chance that large quantum computers can be built within the next 20 years.  This would be a nightmare for IT security if there are no fully developed, implemented, and standardized post-quantum signature schemes."

    Prof. Johannes Buchmann, et al, “Post-Quantum Signatures”, Oct 2004, Technische Universität Darmstadt

  • "The software security industry today is at about the same stage as the auto industry was in 1930" ... "it looks fast, goes nice but in an accident you die." ... "The major shortfall is absence of assurance (or safety) mechanisms in software. If my car crashed as often as my computer does, I would be dead by now."

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • "History has taught us: never underestimate the amount of money, time, and effort someone will expend to thwart a security system. It's always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. When the unexpected happens, you'll be glad you did."

    Bruce Schneier, "Why Cryptography Is Harder Than It Looks", 1997
  • "But conventional security is not enough. The complexity of today's operational environment means organisations must embrace a level of business resilience that is normally associated with the protection of critical national infrastructure."

    Detica, a BAE Systems Company

  • "First and foremost, there is no proper excuse for continued use of a broken cryptographic primitive (MD5) when sufficiently strong alternatives are readily available, for example SHA-2. Secondly, there is no substitute for security awareness." ... "Advice from experts should be taken seriously and early in the process. In this case, MD5 should have been phased out soon after 2004."

    Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, "MD5 considered harmful today - Creating a rogue CA certificate", December 2008
  • "Today’s systems must anticipate future attacks. Any comprehensive system – whether for authenticated communications, secure data storage, or electronic commerce – is likely to remain in use for five years or more. It must be able to withstand the future: smarter attackers, more computational power, and greater incentives to subvert a widespread system. There won’t be time to upgrade it in the field."

    Bruce Schneier, "Why Cryptography Is Harder Than It Looks", 1997
  • “The more complex the threats become, the more you have to do the basics and groundwork really well. Staying aware and on top of new vulnerabilities and ensuring that patches and software updates are rapidly implemented is crucial.”

    Jeff Shipley, Cisco Intelligence Collection Manager, Cisco 2008 Annual Security Report

  • “It's not good enough to have a system where everyone (using the system) must be trusted, it must also be made robust against insiders!”

    Robert Morris, former Chief Scientist of the US National Security Agency (NSA), National Computer Security Center, "Crypto '95 invited talks by R. Morris and A. Shamir", 1995

  • "My colleagues at MIT and I have been building simple quantum computers and executing quantum algorithms since 1996, as have other scientists around the world. Quantum computers work as promised. If they can be scaled up, to thousands or tens of thousands of qubits from their current size of a dozen or so, watch out!"

    Prof Seth Lloyd of MIT, MIT Review 2008

  • In the next five years we will counter many 'hacker' attacks but we will not be safe from Nation States and other large entities

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • “Given today’s common hardware and software architectural paradigms, operating systems security is a major primitive for secure systems – you will not succeed without it. This area is so important that it needs all the emphasis it can get. It is the current ‘black hole’ of security.”

    Brian Snow, Former Technical Director of the US National Security Agency (NSA), "We need assurance!", 1999-2008

  • "Even a relatively small quantum computer, one that had a few tens of thousands of qubits, could consider so many different values at once that it would be able to break all known [ed: RSA, D&H, ECC, AES-128] codes commonly used for secure Internet communication."

    Prof Seth Lloyd of MIT, MIT Review 2008

faq: How long will it take global systems to migrate to post quantum secure status?
Synaptic Facts and FAQs - Security in general


The answer to this question depends on many factors, including the complexity of the protocol, the number of computers in the system, the number of users in the system, the number of network-attached devices in the system, where those devices are physically deployed, who owns them, the potential losses from downtime during an upgrade, the risks of internal security failure during an upgrade, and so on.

At one extreme, small groups of individuals or computers may be able to rapidly achieve a higher level of security using systems based around the Synaptic Group Key Exchange or Enterprise Key Exchange technologies. Synaptic is planning the deployment of an instant messaging system that should enable basic communications (voice, file transfer, etc.) to be established rapidly between small groups.

At the other extreme, the communications protocols between devices, readers, and back-office servers may need to be significantly revised to achieve the necessary level of security in a manner that is cost-effective over the life-cycle of the system. For example, EMVCo is considering making a protocol change to the Eurocard-MasterCard-Visa banking system. EMVCo advises that "it will take 12 to 15 years for the infrastructure to be migrated in support of the new technique, which is why we are now conducting a review of various options." Synaptic Labs' security ecosystem is designed explicitly to address secure RFID credit and debit card transactions in a way that can be cost-effectively deployed on current smart cards, achieves 100-year security, and maintains the privacy of card holders from third parties.

An example of upgrading a large number of devices in the field is the $1.5 billion Cryptographic Modernization Initiative in the US Department of Defense. This project aims to strengthen security by deploying ECC, a public key technology that is not post quantum secure, in only 1.3 million existing pieces of equipment over the next 10 years.

Business now relies on information infrastructures that are interlinked and interdependent. We need to understand how to predict and mitigate these risks with a view to aid reaction and recovery within these infrastructures.
...
Complex systems exist in all aspects of society ranging from stock market analysis to climate change, and information systems and infrastructures are no exception. As an information system matures it typically converges with others to add a richer functionality. This reliance upon extrinsic factors to deliver a service adds extra layers of complexity and interdependency, which are not fully understood and are to some degree uncontrollable.

The way in which these hidden interdependencies pervade our everyday lives is staggering and, in some cases, may go unchecked for many years until an incident occurs that reveals the true nature of the interdependencies' impact.

It is currently unclear how long it would take to upgrade all mission-critical national and international infrastructure to support a post quantum secure status. Synaptic Laboratories is working towards a cost-effective way of achieving the necessary level of information assurance for our communications infrastructure while simultaneously increasing network performance in the Janelda communications project.


"Synaptic Laboratories is a rare company; they tackle the hard problems! Their basic approach is directly relevant to Governments and/or any commercial companies that deploy products that must function correctly in high-risk environments. They differ from most competitors in that not only do they work hard to get the concepts right, they also work very hard to assure the implementation is correct and robust as well."
