Security Strategy

People 'too thick' to cope with viruses

Human error will keep bringing down security, say experts

By Michael Kanellos

Published: 25 February 2004 09:00 GMT

Although governments and companies appear to be making significant headway on many security problems, don't expect headaches like spam to disappear anytime soon, according to security experts.

Human error, combined with the increasing technical sophistication of malicious hackers, creates a situation in which security, ultimately, can never be perfect, security specialists on the cryptographers' panel at the RSA Conference said Tuesday.

Invariably, individuals will inadvertently open dangerous files or fall for cleverly deceptive spoofs. Even technically sophisticated users will make mistakes, according to Paul Kocher, president of Cryptography Research.

"We simply aren't smart enough as a species to handle this," Kocher said.

At the same time, solutions to some of these problems don't necessarily jibe with how individuals conduct themselves online, said Ronald Rivest, a professor of computer science at the Massachusetts Institute of Technology.

Some digital content protection schemes prevent a PC from opening up protected files. While that helps Hollywood, it represents a dramatic shift in the PC-owner relationship.

"You no longer have a PC that does what you tell it to do," Rivest said.

Spam presents another dilemma. Rivest, who has spoken out in the past against cryptography export restrictions, said he favors trying out a system in which the sender pays a fee to mail unsolicited messages. Then again, this system could be difficult to administer as increasing amounts of spam are sent from unwitting drone computers, pointed out Bruce Schneier, chief technology officer at Counterpane Internet Security.

Electronic voting also will likely create a host of controversies, Rivest said, because some of the systems already show potential flaws. In one election in Broward County, Florida, for instance, the winner won by 12 votes, but no votes were recorded for 137 people who actually went inside the booth to vote.

On the optimistic side, however, progress toward better security seems to be occurring. Adi Shamir, professor at the Weizmann Institute of Science in Israel, noted that in the past year, no major advanced cryptography system has been broken and no new ones have been introduced. Additionally, a Pentagon committee that oversees encryption has approved the use of the Advanced Encryption Standard (AES) for encrypting classified documents. The approval represents progress, because AES comes from Belgium and has been approved by international bodies.

"This was unthinkable years ago," said Whitfield Diffie, chief security officer at Sun Microsystems.

The panel also discussed the recent release of Windows code on the internet, but generally concluded that it didn't present that severe a danger. National governments and other large organisations likely already possessed copies of the source code before the leak, Schneier pointed out. Kocher noted that one of the chief irritants of the leak is that legitimate Windows customers can't look at the code, but hackers can.

Shamir, however, countered that he wasn't going to look through tens of millions of lines of code. Not because it wouldn't reveal flaws, but because "it is boring."

Michael Kanellos writes for CNET News.com
