Stronger security urged

Experts at Demo 2006 say products, implementations need to improve drastically.

A panel discussion involving a group of experts held during Demo 2006 in Phoenix this month concluded that the state of security is not where it should be. Luckily, the panelists also had suggestions on how to improve it.

During the conference, which is owned by Network World, former IBMer and consultant John Patrick called together a panel of industry and academic figures to answer the question: Will the good guys be able to stay ahead of the bad guys? But first Patrick asked the panel to assess the current state of security, and the responses showed that the good guys aren't necessarily ahead of the bad.

"The state of security is terrible . . . absolutely abysmal," said Hilarie Orman, former research scientist and onetime member of Defense Advanced Research Projects Agency's Information Technology Office. She now is CTO and vice president of engineering with Shinkuro, which makes file-sharing software. "It's difficult to argue there's a good state of security right now."

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

A panel discussion involving a group of experts held during Demo 2006 in Phoenix this month concluded that the state of security is not where it should be. Luckily, the panelists also had suggestions on how to improve it.

During the conference, which is owned by Network World, former IBMer and consultant John Patrick called together a panel of industry and academic figures to answer the question: Will the good guys be able to stay ahead of the bad guys? But first Patrick asked the panel to assess the current state of security, and the responses showed that the good guys aren't necessarily ahead of the bad.

"The state of security is terrible . . . absolutely abysmal," said Hilarie Orman, former research scientist and onetime member of Defense Advanced Research Projects Agency's Information Technology Office. She now is CTO and vice president of engineering with Shinkuro, which makes file-sharing software. "It's difficult to argue there's a good state of security right now."

Another panelist reminded the audience that there's no such thing as perfect security. "It's a cat-and-mouse game [that the industry plays with hackers], but we need to bring [the threat] down to a level where we can live with it," said Partha Dasgupta, an associate professor with Arizona State University's Fulton School of Engineering.

The good news, according to the third panelist, is at least the industry and users are beginning to think about security. Enterprise and consumer products need to find a balance between being secure and being useful, said Charles Palmer, manager of the security, networking and privacy departments at IBM's Thomas J. Watson Research Center.

"If [security] makes the system really hard to use or is done wrong, you've got a brick," he said.

One possible solution to the recent series of identity theft is biometrics, in which computers scan a finger, face, retina or other part of the body and save that image for authentication. The problem with biometrics, agreed the panel, is that once a thief learns how to reproduce a fingerprint, the owner can't change the original.

Technology is being developed that doesn't take a picture of the finger but some small measurements of the finger's characteristics, said Palmer, who added that 4% of people can't produce good fingerprints and that pineapple juice can temporarily remove a person's fingerprint.

Another promising area is challenge-response biometrics, Dasgupta said. Instead of matching a spoken word or phrase to one previously recorded, the phrase is changed every time so a thief can't record the phrase and replay it over and over to gain access to protected data. "That's much more sophisticated, and much more complicated," he said.

Fingerprint biometrics are the best bet at the moment, because the technique has been in practice the longest, Dasgupta said.

Another technology that can help improve security is encryption, the panelists agreed. However, most people don't know how to use it, and even when it is employed, it is poorly managed, Orman said.