Spaf's Crystal Ball: Network Security Predictions
remora writes "Eugene Spafford (of CERIAS, and co-author of "Practical Unix Security") has written an article for Information Security Magazine with eight of his predictions for the coming years in network security. He touches on subjects such as "Spam will grow as a problem" (obviously), to the "Greater emphasis on international cooperation and communication." Some of the article is fairly predictable, but it is still interesting to hear from one of the more experienced security people out there."
Mozilla 1.3 is adding support for Bayesian spam filters
Latest version? I don't think so. BIND currently has three main code bases:
v4.x - essentially an ugly, bug-ridden hack (or at least it seemed like it).
v8.x - a very stable DNS server, but unfortunately largely built upon the v4.x codebase and inheriting issues galore as a result.
v9.x - A complete rewrite of v8.x, plus extra features, with much more attention paid to code integrity.
Almost ALL of the recent serious BIND exploits, including the recent one you are referring to, have been focused upon the v4.x and 8.x trees. Sure, v9.x isn't without its problems, but all in all, it's proven to be pretty secure and stable so far.
UNIX? They're not even circumcised! Savages!
FYI, My day job is CERIAS webmaster.
I believe he mentions it in response to the common belief that OSS is *inherently* more secure than closed source. We use tons of open-source software at CERIAS, so it's not the case that Spaf has a dislike for open source.
-Ed
Spaf is simply trying to drive a point home that he teaches constantly at Purdue--and yes, I had the privilege of taking his class. When it comes to computer security, you should never blindly trust anything! Why is he saying that we should be cautious? Simple... Too many people have the impression that open source == security. And we've all heard it: "It's open source, it must be secure..."
Why is that a bad thing? Risk Analysis... You can never achieve 100% security. At best, you can develop a plan that takes into account most anything that can go wrong: Fire, Burglary, Natural Disaster, Hacking, etc. If you blindly trust a component, then your risk analysis isn't worth anything.
PS: Spaf... See... I wasn't asleep in class.
In response to your accusations...
1) Apparently this guy hasn't been using windows.
I'm sure he has to some extent, but I believe he uses Mac OS X in his office.
2) He hasn't read the book "Mythical Man Month".
Yes, he has. It was assigned reading for one of the courses he taught.
Recall, this is a prediction, a guess. Weirder predictions have come true.
The reason most people use Windows is because they don't realize they have a choice. For the average consumer who can't handle Linux/BSD/etc. and uses PCs at work and therefore is more comfortable with Windows than MacOS, there realistically isn't a choice. That's why appliance PCs will take off (IMO), if they're designed right. Because of the age-old KISS (Keep It Simple, Stupid) formula. If you make it easy enough for everybody to use, they will. That is, as long as they are willing to pay the price for the functionality. That's why appliance PCs have failed so far...
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?