Steve Gibson has observed how much dissembling he sees in the RSA disclosure of a cyber attack on RSA’s systems. Gibson goes on to ponder what is left unsaid and move from there to a call that all SecureID devices be recalled and replaced. This is a response to what Gibson identifies as “the only deductions possible from what little RSA has said in light of the [nature of the SecureID] technology.”
When I commented on the reported cyber attack at RSA, I was not so attentive to the “Open Letter to RSA Customers” which didn’t provide anything very specific, but to the statement of Overall Recommendations. These recommendations are generic and relevant to security provisions generally. I have no idea what the product-specific recommendations available to customers of specific SecureID products might be. One might indeed be puzzled how these particular general recommendations might be especially pertinent to the situation at hand.
It is not possible to determine, from the public RSA notice, whether more-specific, actionable information is available to SecureCare Online subscribers and SecureID customers. (It appears that Steve Gibson is also not one of these.)
I am struck by how easily I step over statements like “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecureID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” It is somehow not surprising that such statements are often unsatisfying and raise more questions than they answer, even for a game in which I have no skin.
Clearly, RSA in its general public statement is not being precise about what information was extracted and how its possession is useful in crafting a “broader attack.” One supposes that whoever possesses the information is already aware of the possibilities. We might hope that, at some appropriate future time, technical details and analysis might become available as a case for the enlightenment of the security community and relevant stakeholders.
What Does This Say about Us?
Let’s set that all aside and notice that there is a common cultural situation at issue here. That is the assumption that material and relevant information is being withheld. This is accompanied by extrapolation to immediate belief as to the nature of the information and what is frightening about it.
Just the other day I saw an example of this in a press conference by an official in Japan. One member of the press wanted to know at what level the government would expect to order the evacuation of Tokyo. The spokesman’s response was to the effect that there is no such contingency plan. The reporter’s stance was that there must be such a plan and the government is not revealing it. But if there is no such plan and no such conceivable contingency related to the current nuclear-plant catastrophe, what else could the official response have been? “All options are on the table?”
This reminds me of Frank Furedi’s commentaries on our “powerful tendency today towards downplaying what is known and towards the idea that what we don’t know is far more significant for determining our future.” It is not necessary to accept Furedi’s analysis of what leaking signifies as a psycho-social affliction. Simply notice how often the notion that there is something material being withheld shows up in the extrapolations in the media and among ourselves around unsettling events.
At the same time, pronouncements from authorities need to be reviewed for where straight talk is absent. That is where the already-lingering doubt in the veracity of a statement will find its entry. Or, as I have heard it said, “what people hear is what is unspoken.” We have a particular way of talking when we are withholding information on a subject we ourselves have raised, and people notice. If that is not what we are doing, we must be careful not to talk in that manner.
Meanwhile, see where folks are going based on the RSA announcement: