Spaf's Crystal Ball: Network Security Predictions
remora writes "Eugene Spafford (of CERIAS, and co-author of "Practical Unix Security") has written an article for Information Security Magazine with eight of his predictions for the coming years in network security. He touches on subjects such as "Spam will grow as a problem" (obviously), to the "Greater emphasis on international cooperation and communication." Some of the article is fairly predictable, but it is still interesting to hear from one of the more experienced security people out there."
Mozilla 1.3 is adding support for Bayesian spam filters
Latest version? I don't think so. BIND currently has three main code bases:
v4.x - essentially an ugly, bug-ridden hack (or at least it seemed like it).
v8.x - a very stable DNS server, but unfortunately largely built upon the v4.x codebase and inheriting issues galore as a result.
v9.x - A complete rewrite of v8.x, plus extra features, with much more attention paid to code integrity.
Almost ALL of the recent serious BIND exploits, including the recent one you are referring to, have been focused upon the v4.x and 8.x trees. Sure, v9.x isn't without its problems, but all in all, it's proven to be pretty secure and stable so far.
UNIX? They're not even circumcised! Savages!
FYI, My day job is CERIAS webmaster.
I believe he mentions it in response to the common belief that OSS is *inherently* more secure than closed source. We use tons of open-source software at CERIAS, so it's not the case that Spaf has a dislike for open source.
-Ed
Spaf is simply trying to drive a point home that he teaches constantly at Purdue--and yes, I had the privilege of taking his class. When it comes to computer security, you should never blindly trust anything! Why is he saying that we should be cautious? Simple... Too many people have the impression that open source == security. And we've all heard it: "It's open source, it must be secure..."
Why is that a bad thing? Risk Analysis... You can never achieve 100% security. At best, you can develop a plan that takes into account most anything that can go wrong: Fire, Burglary, Natural Disaster, Hacking, etc. If you blindly trust a component, then your risk analysis isn't worth anything.
PS: Spaf... See... I wasn't asleep in class.
In response to your accusations...
1) Apparently this guy hasn't been using Windows.
I'm sure he has to some extent, but I believe he uses Mac OS X in his office.
2) He hasn't read the book "Mythical Man Month".
Yes, he has. It was assigned reading for one of the courses he taught.
Recall, this is a prediction, a guess. Weirder predictions have come true.
The reason most people use Windows is because they don't realize they have a choice. For the average consumer who can't handle Linux/BSD/etc. and uses PCs at work and therefore is more comfortable with Windows than MacOS, there realistically isn't a choice. That's why appliance PCs will take off (IMO), if they're designed right. Because of the age old KISS (Keep It Simple, Stupid) formula. If you make it easy enough for everybody to use, they will. That is, as long as they are willing to pay the price for the functionality. That's why appliance PCs have failed so far...
Your use of some sort of RBLs (Realtime Blackhole Lists) is required then.
We suffered a lot from spam where I work, but since I have installed qmail and rblsmtpd, plus set up local blacklists and whitelists (banning large chunks of the Korean network space seems to work wonders) our levels of spam have dropped dramatically. And this is even with morons who still give out their company email address on every single website they can find.
Delphis
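The post above describes the same three-layer policy rblsmtpd-style filtering applies at SMTP connect time: local whitelist, local blacklist, then a DNS-based blocklist lookup. The following is an added example, not the poster's setup or rblsmtpd's own code; the address ranges, the zone name `bl.example.invalid` and the stub resolver are constructed placeholders standing in for a real DNS query.

```python
import ipaddress
from typing import Callable, Optional

# Constructed sample policy (documentation address space, not real netblocks).
LOCAL_WHITELIST = ["203.0.113.0/24"]   # trusted partner range: always accepted
LOCAL_BLACKLIST = ["198.51.100.0/24"]  # locally banned range, like the poster's manual bans
DNSBL_ZONES = ["bl.example.invalid"]   # placeholder DNSBL zone, not a real list


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL lookup asks for: octets reversed, then the zone.

    A listed client 192.0.2.9 is checked by resolving 9.2.0.192.<zone>;
    a 127.0.0.x answer means 'listed', NXDOMAIN means 'not listed'.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_client(ip: str, lookup: Callable[[str], Optional[str]]) -> str:
    """Decide accept/reject for a connecting SMTP client.

    Order matters: the whitelist is consulted first so a trusted partner that
    lands on a public blocklist keeps delivering; the local blacklist comes
    next because it needs no network round trip; DNSBLs are queried last.
    """
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(n) for n in LOCAL_WHITELIST):
        return "accept"
    if any(addr in ipaddress.IPv4Network(n) for n in LOCAL_BLACKLIST):
        return "reject:local-blacklist"
    for zone in DNSBL_ZONES:
        if lookup(dnsbl_query_name(ip, zone)) is not None:
            return f"reject:{zone}"
    return "accept"


# Constructed stub resolver so the example runs offline: it "lists" exactly
# one client address and answers NXDOMAIN (None) for everything else.
_LISTED = {"9.2.0.192.bl.example.invalid": "127.0.0.2"}


def fake_lookup(name: str) -> Optional[str]:
    return _LISTED.get(name)


if __name__ == "__main__":
    for client in ["203.0.113.5", "198.51.100.7", "192.0.2.9", "192.0.2.10"]:
        print(client, "->", classify_client(client, fake_lookup))
```

Replacing `fake_lookup` with a real A-record query against a DNSBL zone is the only change needed to run this against live clients; the precedence logic stays the same.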
For instance, I have a store-bought firewall. I have an extra box that I could have made into a Linux firewall, but I just didn't feel like it. There was a time when I might have done it for the educational benefits, but there are other things I want to do and people I want to do those things with.
This was also what was great about the original Mac. I don't know if anyone remembers the morass of the PC world 20 years ago. Hacked-up cables, printer codes in word processor documents, device drivers for each program, networks that were hand configured, if not coded. The original Mac ushered in a world of microcomputers and components that just worked. Cables would work, layers were abstracted so one printer driver, or set of menus, or modem driver, would work for all applications. It was a box on the table that let the user compute. It was, in fact, an appliance. Like a TV, things could be plugged into it. MS ran with part of this idea, but for the most part never fully implemented the 'appliance' part.
A big reason we do not have such a device is that MS sucks at embedded software and lives at the teat of yearly upgrade cycles, and has convinced consumers that MS is the only solution. For instance, I tried to give one relative an old Mac that did exactly what she wanted and did not need to be upgraded every month (it was very stable software that had not been upgraded in two years). The problem was she was so indoctrinated into the MS world that she did not believe this machine could do what she wanted. She basically was so branded by MS that anything else would not do. So now she has a machine that does not consistently work, and will have this machine until MS and companies like Dell develop a machine that just works. I am not holding my breath.
So yes I do expect to see many computing devices being made into appliances. I know my life would be much easier if I could just give my relatives a secure box that they can plug into the wall and use. It would dial, download mail and surf the web. It would not be so flexible that it could run spyware, download webbugs in email, or become owned.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
As reports of spectacular security failures increase, the public will feel more and more insecure. Instead of taking their own responsibility, they will turn to the lawmakers to provide them with laws that will give them back their security. These laws will come, since the lawmakers have to do something, even if the effect would be largely debatable.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?