Spaf's Crystal Ball: Network Security Predictions
remora writes "Eugene Spafford (of CERIAS, and co-author of "Practical Unix Security") has written an article for Information Security Magazine with eight of his predictions for the coming years in network security. He touches on subjects such as "Spam will grow as a problem" (obviously), to the "Greater emphasis on international cooperation and communication." Some of the article is fairly predictable, but it is still interesting to hear from one of the more experienced security people out there."
or someone else finds this article kind of predictable. I thought I'd see some insightful discussion from such a leading person in the field.
it's ruining the whole concept of email. As soon as I set up an email address, boom, hundreds of spams. They find ways of sending it to you no matter what you do, unless you block all incoming email except from certain addresses, which defeats the point of email in the first place. How are we meant to give an email address to children when they're going to be bombarded with "See horny naked amatures live NOW!" half a dozen times per day?
If someone was dumping 100 pornographic adverts into your house's mail box each day, or DOSing your website, they can at least get in trouble. But with spam, nothing really is done to stop them, and they just keep on doing it. Convictions are rare and don't dissuade them any more than a parking ticket. It needs to be recognised that spam is doing a heck of a lot to undermine the evolution of the internet.
While most of "Spaf's" comments seem fairly self evident, I liked this point regarding add-on security products:
"Expect to see several established products fail or be withdrawn because they are too invasive, have unfriendly interfaces, or are found to be considerably less effective than claimed."
This kinda makes me think of the effect that ZoneAlarm have had on the personal firewall market for instance. 3 years ago, firewall technology was clunky and strictly for the network administrator. Nowadays anyone can have a simple to configure basic level of protection thanks to a product that broke the paradigm and set a new standard for ease of use. Of course, the really security conscious out there still have their infinitely configurable command-line tools, but at the same time, my dad (for instance) can feel comfortable with a product that he can understand.
A little planning goes a long way...
What's the use in enabling data streaming over Bluetooth when we can't safely send files over LANs and existing technology?
Oh and I really think the advent of Wireless Networks and 3G Systems will open up a whole new Can of Worms in terms of security - We can Already intercept calls over GSM systems, now we're looking to send huge chunks of data via the same systems!
Someone is gonna get burnt...
It's hard enough to remember my opinions, never mind the reasons for them..
1) Apparently this guy hasn't been using windows.
2) He hasn't read the book "Mythical Man Month".
As I see it this statement is not insightful but redundant.
I always thought it was the other way around!
As in we should exercise more caution about closed source systems no matter which one we are advocating !!
Oh well!
Simple. Don't connect your computer to a phoneline/DSL/cable modem :)
Wasn't Eugene Spafford the anti-hacker in hackers?!
:)
Well, near enough anyway
As far as your web server is concerned, getting slashdotted ranks way up there, along with using IIS (gratuitous MS bashing). =)
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Is exactly what? Placing open source in that list makes no sense to me. Why?
Mozilla 1.3 is adding support for Bayesian spam filters
I like the part about cooperation. Hackers do it for years successfully, while network administrators prefer to sit in their closets under tin-foil hats hoping to protect themselves with obscurity.
Systems to share already exist. Just check the "Internet Storm Center" and DShield for a place to exchange logs and ideas.
---- join dshield.org Distributed Intrusion Detec
Yes, it clears some things up *hidden message here* - but not related to my question. :)
Consumers and technologists will continue to be enamored with fads and flash rather than quality and safety. Wireless will continue to be deployed in sensitive locations despite the terrible vulnerabilities and risks. Furthermore, we'll see policymakers and technicians continue to place faith in technology to solve our problems instead of investing in sound management and trained personnel.
The point being that security is frequently misunderstood, isn't sexy and doesn't appeal to the mass market. Possibly the only way to change this is for security to become a major feature of the products (a bit like microsoft is saying it's doing now) so that people will come to expect the security... Somewhat similar to the safety features in cars...
"Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics."
Slashdot reporting on something that says Open Source has security problems? Wow!
For all of you who are wondering what he's talking about, think: trojan in OpenSSL, trojan in libpcap, immediate disclosure of apache vulnerabilities... it's not all peaches and cream just because it's open. Closed source has some important inherent security benefits.
Yes, it is entirely predictable and the fact that it's a well-known person who's spouting forth such prattle doesn't make it any better.
Thrustgood's prediction for the next five years: OK then, man, like there will be, like a total far-out radical 1337 hax0r of, like, some network product, man, you dig?
"Consumers will embrace appliance-based computing as it becomes available."
Spaf apparently believes that consumers aren't capable of dealing with real computers; he thinks dedicated apps and devices are the future.
This reminds me of the NC vs. PC debate. PCs were supposedly too clunky, hard to use, and powerful for the average user; NCs were going to replace them. Eventually, PCs ate NCs.
I believe that looking at this issue from a security point of view is somewhat misleading. As Spaf himself seems to realize, most domestic consumers are misinformed and apathetic about security. The average person will see a refrigerator, that for no good reason, can go online, rather than a secure online service. PCs will still be more versatile than appliances, and will continue to provide more value. Remember how the next big thing 10 years ago was the iCoffeeMaker?
Domestic consumers won't use them. Corporate consumers won't use them. Who will adopt appliances?
Slashdotters do not read the articles. ;-)
SCD
Mother is the best bet and don't let Satan draw you too fast.
- Trojaning of popular open source software (such as OpenSSH and tcpdump).
- Repetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it).
- Programmers releasing details of security flaws after their platform is covered but before everybody else has a chance to patch the problem.
So I think he may have a point. Closed source isn't secure, to be sure, but irregardless these continual problems with dealing with security flaws in free software beg the question of whether or not the open source methodology is much better in 'root'ing out problems.
Note: I'm just talking about security, not overall quality of product. I still use open source because I feel it is superior to closed source in so many ways. However, I want to burst this bubble we've collectively got about "Thousands of eyes on the source code mean we're all safer", because obviously it isn't turning out that way.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
With utmost respect I can't see any predictions, he's just stating obvious facts and logical conclusions derived from the present state of things. I feel the hidden message in the whole prophecy: M$ sux, Linux sux, closed source UNICES rules. A few rants/unconstructive comments follow:
1) Consumers will never be able to 'distinguish safe code from the typical dreck they're used to buying' just because there's no _SAFE_ code and they're not supposed to do so. They're _CONSUMERS_.
2) Yes the sales of security products will grow, US government and media are working around the clock with their 'war on human rights'.
3) I don't understand the point behind this rant.
4) The spam _IS_ a problem already, but there're effective solutions. Smart ISPs already offer SPAM filtering service.
5) I hope he's not talking about US DOJ way of international cooperation when any human being living on earth is subject to US laws, which is also known as "All your ass belongs to us".
6) When lawyers and insurance companies jump in, software prices will skyrocket and we're going to see even more stupid EULAs and laws. That's the way lawyers work.
7) Oh, consumers _ALWAYS_ focus on wrong things, it's hardly any news. But, honestly who made him (or me) god to say: What you do is the wrong thing?
8) Open source isn't technology it's more a philosophy, a way of thinking. Other mentioned technologies can be safe enough for average consumer or company when implemented properly. Even matches are dangerous technology in the fire-lighter's hands.
Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics. {Emphasis mine}
It would be nice if he could give us a concrete reason why we should "exercise caution" with open source. Does he really have a valid point, or is he just propagating the "open source is less secure because crackers can see the code" myth?
We need a good appliance that can detect spam/intruders/viruses. In a nice little package with an LCD "Iris" that closes when it detects a "bad" incoming packet and then makes a thud sound when it kills it. :-)
Ok, yes, I watch too much Sci-Fi channel...
I have had about 5 spam in the last 3 years. Needless to say I am very strict about what I use the address for and who I give it to. If I have to give an addy, I go signup for a free one somewhere and use that.
As reports of spectacular security failures increase, the public will feel more and more insecure. Instead of taking their own responsibility, they will turn to the lawmakers to provide them with laws that will give them back their security. These laws will come, since the lawmakers have to do something, even if the effect would be largely debatable.
The last thing I want is all my security tools prepackaged in my OS. Not all intrusion detection is the same. Not all firewalls are the same. I want to be able to pick the tools that make sense for the needs of my network. I want to be able to run some of my critical security services on separate dedicated boxes from critical network services. (Obviously the firewall, but other stuff too.) I want to create multiple layers of security distributed around my network. I don't want the OS of my production box to give away all the details of my security posture.
We all know that admins out there fail to keep up patch levels at an enormous rate, let alone creating a well designed multi-layered security posture. Maybe rolling it all into one box would simplify the job of getting to a minimally secure configuration. But seriously, who doesn't believe that the black-hats wouldn't have a field day with this? He talks about real solutions, but the only real solution, now or 10 years from now, is hiring IT security experts to create and maintain a real comprehensive security solution.
I don't disagree that "underlying systems" need to be "rearchitected" to meet basic security needs, if that means, for example, that MS needs a radically different approach to integrating security concerns into the OS development process. But that isn't a solution to the problems addressed by what he calls "add-on" security tools. That's a different problem, and an important one. But no matter how well designed my underlying OS, I'm still going to put it behind a firewall, I'm still going to run some sort of IDS, I'm still going to monitor the logs, and I want control over how I do those things.
Or maybe I'm reading his relatively sketchy argument wrong, but I can't figure out a different way to take it.
The problem I see with absolutely every new protocol, going all the way back to the telephone and postal service is that there is an inherent assumption that all communication attempts are desired, and should be brought to the attention of the recipient. Only later are additions made to secure the protocol, such as Caller ID and the Telezapper for the phone, and requirements that large packages be delivered in person to protect the mail system.
For that reason, I think eventually every communication protocol will have requirements that clearance to send be requested before the actual payload is allowed. And furthermore, upstream routers would remember when permission is denied for a limited time and repeat the denial, therefore cutting off DOS attacks early in their journey, and assuring most people still have access to the apparent target.
Ultimate security is achieved only with the air gap firewall.
HDGary secures my bank
This interview with Spaf goes into much more depth about his thinking about security -- or 'assurance' as he says -- because '...security really is a property that's an absolute that we can never quite achieve.'
Read the interview.