I don’t read every press release that comes down the wire. But when I see one from a cyber security company called Secret Double Octopus–no lie–I take notice.
“Secret Double Octopus. This has gotta be good,” I thought to myself.
The real thrust of the press release is this. Encryption is strong, but the infrastructure supporting it isn’t. Therefore secrets get leaked. However, by “shredding” the data and sending it through different routes, any network traffic that is intercepted is unusable.
That’s good, but there is more. There is another sexy idea in the announcement by Secret Double Octopus, and that is a world without keys. Keys are the cryptographic shorthand for the authentication technologies that lock and unlock secure communications across a network. Keys are the weakest link in the otherwise bulletproof encryption architectures we use today. So if we can eliminate keys and key infrastructure, we take away the biggest source of risk.
Secret Double Octopus claims to do just that using mathematical theory already several decades old and well-respected in the academic and cryptographic communities. In layman’s terms, this “new” technique is called “secret sharing.” The core of the solution is to starve the attacker of sufficient information for any meaningful computation. In geek speak, “you cannot solve an equation of two variables.”
Bottom line: even after capturing some or all of the data transmission, the attacker lacks the ability to solve for the variables.
Securing our most sensitive data and eliminating troublesome keys is the mission of Secret Double Octopus.
The impact could be huge. Today banks know that their PKI (public key infrastructure) is not secure enough for their most sensitive transmissions. And the demands of the Internet of Things have already strained PKI to the breaking point. Secret Double Octopus (I love saying that!) comes to the rescue, potentially enabling billions of secure, keyless transactions between cars, trains, factory machines and toasters to the cloud and to private networks.
The coming months will be fun to watch as this new startup out of Israel demonstrates its capabilities and attempts to disrupt the security and networking worlds.
Target named its new CISO today. Brad Maiorino will fill a newly created post called senior vice president and chief information security officer. When the Target search began, I shared the comment with several other security analysts wondering who would want that job. Apparently, Mr. Maiorino, who comes from General Motors and General Electric where he held similar positions, wants it. I imagine he feels excited about the opportunity to rebuild a security program with a substantial budget and likely a wide latitude. Plus, any breaches occurring in the first six months or so could easily be blamed on the previous administration. That gives him a year of smooth sailing and liberal spending. After that, the rubber hits the road and he will be on trial more than most CISOs.