Spaf's Crystal Ball: Network Security Predictions

remora writes "Eugene Spafford[?] (of CERIAS, and co-author of "Practical Unix Security") has written an article for Information Security Magazine with eight of his predictions for the coming years in network security. He touches on subjects such as "Spam will grow as a problem" (obviously), to the "Greater emphasis on international cooperation and communication. Some of the article is fairly predictable, but it is still interesting to hear from one of the more experienced security people out there."

Spam is more than a problem

it's ruining the whole concept of email. As soon as I set up an email address, boom, hundreds of spams. They find ways of sending it to you no matter what you do, unless you block all incoming email except from certain addresses, which defeats the point of email in the first place. How are we meant to give an email address to children when they're going to be bombarded with "See horny naked amatures live NOW!" half a dozon times per day.
If someone was dumping 100 pornographic adverts into your house's mail box each day, or DOSing your website, they can at least get in trouble. But with spam, nothing really is done to stop them, and they just keep on doing it. Convictions are rare and don't disuade them any more than a parking ticket. It needs to be recognised that spam is doing a heck of a lot to undermine the evolution of the internet.

Re:Spam is more than a problem

Nothing really. Spammers use dictionary lists like crack0rs, and have automatic emailaddress-finder software gradually bombard a domain with every concievable word-combindation. They then find out which email addresses are active, then pass on the information to other spammers. You can easilly have 100 spams per day within one week of setting up an email address.
A domain's resistance to this sort of email-finding depends on the vigilance of the admin and the type of email address you have - "cat@domain" will be more likely to be found than "3liteh1dd0n3m4il@domain".
Also, there are the viruses. You can email someone, they get a virus from someone else, boom - every email address on their harddrive is auto-emailed to every other email address on their harddrive - instantly your email address whisks off to every Korean spam-bot this side of Pluto.

I'm guessing you don't get much spam because:
1) Your admin is good
2) You have an unusual email address
3) You don't email people who get viruses
4) You don't post your address to usenet nor list it on places like Slashdot

Re:Spam is more than a problem

[Chanc_Gorkon]

Um....I don't hardly get any on my home one. You know why? I DON'T USE IT ON PUBLIC WEBSITES!! I also don't plaster it all over my web page. I only give it to sites and people I implicitly trust. My S/N Ratio is rather low. Now anytime I want to make a entry onto a public website, I use my hotmail account. Hotmail, Yahoo, AOL and other major ISP's are hardest hit because they are so large that there is almost one address for every thinkable name(except for really weird ones). So, the spammer knows there will probably be a jsmith@aol.com.

Now in contrast, I checked my work mail this monrning and it was about 90 percent spam. Why? Someone high up in the college thought it would be a good idea to out our whole college's e-mail directory online. There defense of the idea was we are a public school and must make everything except the stuff voered by FERPA public. I guess our e-mail and snail mail addresses aren't covered there. Anyway, I tried to tell them within a month our whole directory would have been crawled by a spammer and I was right. Everyone's getting high levels of spam. I even get stuff that could be targetted at students even though they have a entirely different domain and everything for their student issued e-mail accounts. Funny thing was they asked our mail server admin to help set this up! (well, he could have been TOLD to do it too)

Interesting point...

[Ratface]

While most of "Spaf's" comments seem fairly self evident, I liked this point regarding add-on security products:

"Expect to see several established products fail or be withdrawn because they are too invasive, have unfriendly interfaces, or are found to be considerably less effective than claimed."

This kinda makes me think of the effect that ZoneAlarm have had on the personal firewall market for instance. 3 years ago, firewall technology was clunky and strictly for the network administrator. Nowadays anyone can have a simple to configure basic level of protection thanks to a product that broke the paradigm and set a new standard for ease of use. Of course, the really security consciuos out there still have their infinitely configurable command-line tools, but at the same time, my dad (for instance) can feel comfortable with a product that he can understand.

Re:Interesting point...

[Ratface]

True, but I only need to explain to him once or twice that

a) Still be careful with information you give out/files that you open ... and ...
b) Turn off automatic notification.

It's definitely better than no protection or completely mis-configured protection because the user interface is designed for systems administrators.

Hence the whole point of Zone Alarm as a paradigm-buster.

Fads and Flash

[osullish]

I totally agree with the Author in terms of Consumers are always looking to new Technology, instead of making the existing technology more secure.

Whats the Use in enabling data streaming over bluetooth when we can't safely sent files over LANS and existing technology

Oh and I really think the advent of Wireless Networks and 3G Systems will open up a whole new Can of Worms in terms of security - We can Already intercept calls over GSM systems, now we're looking to send huge chunks of data via the same systems!

Someone is gonna get burnt...

cooperation: 'out-share' hackers

[UnderAttack]

I like the part about cooperation. Hackers do it for years successfully, while network administrators prefer to sit in their closets under tin-foil hats hoping to preotect themself with obscurity.

Systems to share already exist. Just check the "Internet Storm Center" and DShield for a place to exchange logs and ideas.

Most important point

[ifoxtrot]

I don't think that any of these predictions are particularly insightful, but the 8th is a good illustration of the root of the problem with security.

Consumers and technologists will continue to be enamored with fads and flash rather than quality and safety. Wireless will continue to be deployed in sensitive locations despite the terrible vulnerabilities and risks. Furthermore, we'll see policymakers and technicians continue to place faith in technology to solve our problems instead of investing in sound management and trained personnel.

The point being that security is frequently misunderstood, isn't sexy and doesn't appeal to the mass market. Possibly the only way to change this is for security to become a major feature of the products (a bit like microsoft is saying it's doing now) so that people will come to expect the security... Somewhat similar to the safety features in cars...

Re:His point on open source

[PerryMason]

Take a look at CERIAS's sponsor list for a few reasons;

http://www.cerias.purdue.edu/about/related/spons or s/

Well I'll be a monkey's uncle!

[morhoj]

"Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics."

Slashdot reporting on something that says Open Source has security problems? Wow!

For all of you who's wondering what he's talking about, think: trojan in OpenSSL, trojan in libpcap, immediate disclosure of apache vulnerabilities... its not all peaches and cream just because its open. Closed source has some important inherant security benefits.

Appliances?

[Omkar]

"Consumers will embrace appliance-based computing as it becomes available."

Spaf apparently believes that consumers aren't capable of dealing with real computers; he thinks dedicated apps and devices are the future.

This reminds me of the NC vs. PC debate. PCs were supposedly too clunky, hard to use, and powerful for the average user; NCs were going to replace them. Eventually, PCs ate NCs.

I believe that looking at this issue from a security point of view is somewhat misleading. As Spaf himself seems to realize, most domestic consumers are misinformed and apathetic about security. The average person will see a refrigerator, that for no good reason, can go online, rather than a secure online service. PCs will still be more versatile than appliances, and will continue to provide more value. Remember how the next big thing 10 years ago was the iCoffeeMaker?

Domestic consumers won't use them. Corporate consumers won't use them. Who will adopt appliances?

Re:Appliances?

[fferreres]

Price. Start offering NC for $4,99 a month (say you already have a monitor and only need to plug a micro NC that is netword card + video display and some simple bios).

You can only win against a PC if you can offer the NC at "ridiculous" (for past standards) price. Everything should be thin clients if you ask me, and if I need I could "network to my own server" or to a server provider i hired (for my personal apps, my disk space, email, whatever). Everything will be distributed services.

The PC will then be a seens as a "local NC + server" all-in-one.

But we'll have to wait some years. It will be fun:
- No instalation of software
- Almost no configuration, except for user choices

Just imagine: click here to play Doom IV (service cost $0,05 a minute, or buy a monthly pack at $10). Here to launch a word process (prices start at $0,02 (OO) and up to $0,10 (MSO)). Click here for phone service, etc. etc.

Companies offering lots of "service packs" (not the MS ones! Real service packs). Your own computer will be irrelevant, the best stuff WILL NOT INSTALL ON YOUR COMPUTER.

The reasoning behind this is simple: as network speeds become incresingly powerfull, there will an inflexion point in the economics of running a local computer: when the needed "combined" bandwith for using all the applications you need + upgrade to them and updates surpasses the needed bandwith to just broadcat the "video stream" to your computer, network computing will arrive.

And the needed bandwith to broadcast a video signal grows little over time and can even go down (small screens, PDAs) but the bandwith to install new games, OSs, to watch video and applications and to stay current is growing exponentially.

It's just a matter of time! Gone will be the days one will have a computer faster than your friend. You could compile your kernel in 3 seconds in a virtualized mainframe as long as you don't exceed your CPU/hour quota!

People will ask what CPU/hour you are hiring (if you run a server) and how many clients/hour are you serving, not how much mbits you have :)

Re:Appliances?

[Tassach]

You seem to be missing the point. "Network Appliance" doesn't mean "Toaster with a RJ-45 port", it means "Dedicated computing device". Domestic and Corporate customers are buying single-purpose, dedicated appliances like mad. Security applicances. Network-Attached Storage appliances. Search appliances. And so forth.

When you want to do one job, and do it well, a dedicated piece of hardware almost always wins out over a general-purpose computer. Can a PC with 2 nics and the appropriate software do everything a high-end router can do? Sure it can. Then why do people by dedicated routers? Because they are more reliable, have better performance, consume less power, and are simpler to administer. It's the same reason you have a toaster and an oven. A toater does one thing: it converts bread into toast easily, reliably, and efficiently. You can't cook your Thanksgiving turkey in the toaster, but that's why you have an oven. You can make toast in your regular oven, but it takes more power, it's easier to burn it, and it's far less convienient.

Open not necessarily better for security...

[Sheetrock]

Recently, I think we've had some pretty good demonstrations of the false sense of security we've all smugly adapted regarding open source:

oTrojaning of popular open source software (such as OpenSSH and tcpdump).
oRepetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it).
oProgrammers releasing details of security flaws after their platform is covered but before everybody else has a chance to patch the problem.

So I think he may have a point. Closed source isn't secure, to be sure, but irregardless these continual problems with dealing with security flaws in free software beg the question of whether or not the open source methodology is much better in 'root'ing out problems.

Note: I'm just talking about security, not overall quality of product. I still use open source because I feel it is superior to closed source in so many ways. However, I want to burst this bubble we've collectively got about "Thousands of eyes on the source code mean we're all safer", because obviously it isn't turning out that way.

Re:His point on open source

[jase!]

after listening to a lecture he gave at AUSCERT2002 I think it comes down to his belief that even open source doesn't use methodologies that promote secure code from design. The example he gave was an old kerberos security flaw that existed for several years. many people had looked at the code but none picked it up. Just having a hundred people look at code doesn't make it secure. see trojan code that has been added to tcpdump as an example

Re:Spam may not be a problem much longer

[DrXym]

That is not the point. The point is that if Mozilla can have a Bayesian filter and it proves effective at catching spam then in a few years *every* mail application and many services such as AOL/MSN/Yahoo etc. will have one too. There will be no more need for the user to set up 20-odd advanced filter rules to filter for crap like $$$, xxx, Nigeria etc., or buy spam filtering shareware or anything else requiring effort - they simply click "this is spam" or whatever on their mail software and it's dealt with.

There was a slashdot article the other day that mentioned the return rate on spam was something like 0.001-0.002%. If a filter that learns can kill 90% of it or more then you can stick an extra 0 in there at least. Let the fuckers burn their money if they wish, but there will be a point when most of them will simply give up.

Caution with open source?

[quadcitytj]

Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics.{Emphasis mine}

It would be nice if he could give us a concrete reason why we should "exercise caution" with open source. Does he really have a valid point, or is he just propogating the "open source is less secure because crackers can see the code" myth?

Re:Caution with open source?

[swordgeek]

Spaf is a Smart Guy, and of the many things he's said, 'open source == less secure' is certainly not one that I'm aware of!

Open source may or may not be more secure because it allows for independent code review. It is NOT, however, inherently secure which is something that some people seem to think.

What he's saying is that none of these things are a panacea. We can't say that we're secure because we use open source software (like tcpdump, sendmail, BIND), nor can we say that we're safe from bad guys because of biometrics.

He's reminding us of the fundamental point of security: It's a journey, not a destination. The technologies that he mentioned are great cases of either or both (a) easily breakable technology, and (b) technology that too many people are willing to wave their hands at and call 'secure.'

Caution is a fair attitude, I'd say.

Re:What the?!

[Dr.+Charles+Forbin]

He didn't say open source was bad - he said it was a technology 'about which we should exercise caution'. The listed technologies are not Bad Things, they are just things that require caution when incorporating them. Biometrics were also listed in the technologies where caution needs to be exercised. I think what he's getting at is that it is completely possible to build an insecure system with secure components, and that something can't be assumed to be good just because it is grouped with things that are.