In response to the news that Yahoo has announced plans to encrypt all internal traffic following the National Security Agency disclosures by Edward Snowden, Calum MacLeod, VP of EMEA at Lieberman Software Corporation, has made the following comments:
“I’m sure Yahoo’s CEO is an intelligent lady, but it sounds to me like she needs good advisors. Yahoo staff can’t be so naïve as to think that encrypting traffic on their internal network is going to address the “Snowden Bug”. If they are, then good luck Yahoo!
The fundamental weakness that Snowden exposed was the ability to use highly privileged accounts to gain access to systems that stored confidential data. Encrypting traffic is pointless if you’re not controlling privileged access and putting the essential checks and balances in place. It’s kind of like saying that because I’m on the surface of the English Channel and can’t see the Channel Tunnel, then there isn’t a train. Unfortunately, everybody on the train will clearly have a different viewpoint. Encrypting the data is pointless if you’re not controlling the access. You might as well decide that you’ll make airplanes bomb-proof and eliminate security checks at airports. Once the bomb is in, the damage is done.
Snowden wasn’t some cryptographic genius but rather a systems operator who managed to use his privileged access, and the access of those gullible enough to share their privileges with him, to gain high privilege and then access. In fact, the same person in a Yahoo world that would be setting up the encryption to encrypt all internal traffic.
I think the NSA and GCHQ will be trying to contain their laughter while appearing grave-faced in front of the cameras to applaud the steps Yahoo are taking. Oh, how some encryption companies must be falling over themselves to flog Yahoo more crypto software. I’m sure if Ms. Mayer looked in the cupboards at Yahoo, she’d no doubt find a stack of “shelfware” crypto that never made it to production. Save yourself the effort, dear, and instead go hire some people that know what they’re doing!”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.