Stupid, arrogant and greedy

Kenneth P. Weiss founded Security Dynamics in 1984, served as CEO until 1986 and remained chairman of the board and CTO until 1996. Under his watch the company developed the SecurID token. Once the SecurID's potential was recognized by both customers and investors, Weiss set out to expand his company, and he initiated the purchase in 1993 of RSA, a small, fledgling encryption company that was gaining some notoriety in the field of Internet commerce security.

Recently Weiss was interviewed for a story ("RSA breach threatens trust in one-time passcodes") in Digital ID News. The story quotes him:

"When I was running RSA, every few years a well-intentioned member of the executive team would suggest that the secret seeds, which are programmed into every token, be stored on a corporate computer," he says. "I would have to explain that that was grossly unnecessary and would put us at great risk."

At the time of the March hack, RSA had indeed put the seeds on a network computer and it was breached. "There was no necessity, ever, to put the secret seeds on a computer that is online," he said. "They did it for internal convenience and put everybody at risk. What they've done is stupid, arrogant, greedy ... those words are really appropriate to the circumstance," he says.

Speaking of greedy and arrogant, Google+'s "real names" policy hit my inbox again this week when Bob Blakley, the highly respected VP from Gartner (formerly the Burton Group), weighed in on the much-maligned policy ("Google+ Can Be A Social Network Or The Name Police -- Not Both"). You need to read all he has to say, but I'll give you one quote so you get the flavor: "That's the way it works amongst us humans -- I choose what I want to be called, and you call me that. That's apparently not the way it works at Google+."

Another respected thought leader, Identropy's Chief Architect Nishant Kaushik, added his own thoughts ("Google+ and The Trouble With Tribbles"): "Google wants to use social as the honeypot that draws in all those users and keeps them highly engaged and motivated to keep their data up-to-date."

OK, that's it. I think I can safely say that the RSA breach and Google's "Real Names" will never surface again in this newsletter. More about that next week.
