Spaf's Crystal Ball: Network Security Predictions

remora writes "Eugene Spafford[?] (of CERIAS, and co-author of "Practical Unix Security") has written an article for Information Security Magazine with eight of his predictions for the coming years in network security. He touches on subjects such as "Spam will grow as a problem" (obviously), to the "Greater emphasis on international cooperation and communication. Some of the article is fairly predictable, but it is still interesting to hear from one of the more experienced security people out there."

Spam may not be a problem much longer

[DrXym]

Mozilla 1.3 is adding support for Bayesian spam filters

Re:Open not necessarily better for security...

[Zocalo]

Repetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it).
Latest version? I don't think so. BIND currently has three main code bases:

v4.x - essentially an ugly, bug ridden hack (or at least it seemed like it).

v8.x - a very stable DNS server, but unfortunately largely built upon the v4.x codebase and inheriting issues galore as a result.

v9.x - A complete rewrite of v8.x, plus extra features, with much more attention paid to code integrity.
Almost ALL of the recent serious BIND exploits, including the recent one you are referring to, have been focused upon the v4.x and 8.x trees. Sure, v9.x isn't without it's problems, but all in all, it's proven to be pretty secure and stable so far.

Re:His point on open source

[coj]

FYI, My day job is CERIAS webmaster.

I believe he mentions it in response to the common belief that OSS is *inherently* more secure than closed source. We use tons of open-source software at CERIAS, so it's not the case that Spaf has a dislike for open source.

-Ed