Slashdot Mirror


Spaf's Crystal Ball: Network Security Predictions

remora writes "Eugene Spafford (of CERIAS, and co-author of "Practical Unix Security") has written an article for Information Security Magazine with eight of his predictions for the coming years in network security. He touches on subjects such as "Spam will grow as a problem" (obviously), to the "Greater emphasis on international cooperation and communication." Some of the article is fairly predictable, but it is still interesting to hear from one of the more experienced security people out there."

27 of 93 comments

  1. Spam is more than a problem by Anonymous Coward · · Score: 5, Insightful

    it's ruining the whole concept of email. As soon as I set up an email address, boom, hundreds of spams. They find ways of sending it to you no matter what you do, unless you block all incoming email except from certain addresses, which defeats the point of email in the first place. How are we meant to give an email address to children when they're going to be bombarded with "See horny naked amatures live NOW!" half a dozen times per day?
    If someone was dumping 100 pornographic adverts into your house's mail box each day, or DOSing your website, they can at least get in trouble. But with spam, nothing really is done to stop them, and they just keep on doing it. Convictions are rare and don't dissuade them any more than a parking ticket. It needs to be recognised that spam is doing a heck of a lot to undermine the evolution of the internet.

    1. Re:Spam is more than a problem by Anonymous Coward · · Score: 4, Insightful

      Nothing really. Spammers use dictionary lists like crack0rs, and have automatic emailaddress-finder software gradually bombard a domain with every conceivable word combination. They then find out which email addresses are active, then pass on the information to other spammers. You can easily have 100 spams per day within one week of setting up an email address.
      A domain's resistance to this sort of email-finding depends on the vigilance of the admin and the type of email address you have - "cat@domain" will be more likely to be found than "3liteh1dd0n3m4il@domain".
      Also, there are the viruses. You can email someone, they get a virus from someone else, boom - every email address on their harddrive is auto-emailed to every other email address on their harddrive - instantly your email address whisks off to every Korean spam-bot this side of Pluto.

      I'm guessing you don't get much spam because:
      1) Your admin is good
      2) You have an unusual email address
      3) You don't email people who get viruses
      4) You don't post your address to usenet nor list it on places like Slashdot
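
A defender's view of the dictionary guessing described in the comment above, as an added example that is not part of the original thread: it flags SMTP clients whose recipient attempts are mostly rejected guesses and lists which addresses each one confirmed as live. The log format, addresses, IPs and thresholds are constructed assumptions, not any real mail server's output.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, made-up log format (not a real MTA's):
# one line per RCPT TO, with the client IP and the SMTP reply code it got.
SAMPLE_LOG = """\
2003-02-10T08:00:01 client=203.0.113.7 rcpt=adam@example.edu code=550
2003-02-10T08:00:01 client=203.0.113.7 rcpt=alice@example.edu code=550
2003-02-10T08:00:02 client=203.0.113.7 rcpt=bob@example.edu code=550
2003-02-10T08:00:02 client=203.0.113.7 rcpt=cat@example.edu code=250
2003-02-10T08:00:03 client=203.0.113.7 rcpt=dave@example.edu code=550
2003-02-10T08:00:03 client=203.0.113.7 rcpt=eve@example.edu code=550
2003-02-10T08:05:10 client=198.51.100.20 rcpt=jsmith@example.edu code=250
2003-02-10T08:05:40 client=198.51.100.20 rcpt=jsmiht@example.edu code=550
"""

LINE_RE = re.compile(
    r"client=(?P<ip>\S+)\s+rcpt=(?P<rcpt>\S+)\s+code=(?P<code>\d{3})"
)


def find_harvesters(log_text, min_unknown=5, min_ratio=0.8):
    """Flag clients whose recipients are mostly guesses at nonexistent users.

    Returns a list of dicts, worst offender first. "confirmed" lists the
    addresses the server accepted for that client, i.e. what the guesser
    learned is a live mailbox.
    """
    unknown = defaultdict(set)   # ip -> addresses rejected with 550
    accepted = defaultdict(set)  # ip -> addresses accepted with 2xx
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not RCPT records
        rcpt = m["rcpt"].lower()
        if m["code"] == "550":
            unknown[m["ip"]].add(rcpt)
        elif m["code"].startswith("2"):
            accepted[m["ip"]].add(rcpt)

    findings = []
    for ip, bad in unknown.items():
        total = len(bad) + len(accepted[ip])
        # Many distinct unknown users AND a high reject ratio: a single
        # mistyped address from a normal sender does not trip this.
        if len(bad) >= min_unknown and len(bad) / total >= min_ratio:
            findings.append({
                "client": ip,
                "unknown": len(bad),
                "confirmed": sorted(accepted[ip]),
            })
    return sorted(findings, key=lambda f: f["unknown"], reverse=True)


if __name__ == "__main__":
    for finding in find_harvesters(SAMPLE_LOG):
        print(finding)
```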

    2. Re:Spam is more than a problem by Chanc_Gorkon · · Score: 4, Insightful

      Um....I don't hardly get any on my home one. You know why? I DON'T USE IT ON PUBLIC WEBSITES!! I also don't plaster it all over my web page. I only give it to sites and people I implicitly trust. My S/N Ratio is rather low. Now anytime I want to make an entry onto a public website, I use my hotmail account. Hotmail, Yahoo, AOL and other major ISPs are hardest hit because they are so large that there is almost one address for every thinkable name (except for really weird ones). So, the spammer knows there will probably be a jsmith@aol.com.

      Now in contrast, I checked my work mail this morning and it was about 90 percent spam. Why? Someone high up in the college thought it would be a good idea to put our whole college's e-mail directory online. Their defense of the idea was we are a public school and must make everything except the stuff covered by FERPA public. I guess our e-mail and snail mail addresses aren't covered there. Anyway, I tried to tell them within a month our whole directory would have been crawled by a spammer and I was right. Everyone's getting high levels of spam. I even get stuff that could be targeted at students even though they have an entirely different domain and everything for their student issued e-mail accounts. Funny thing was they asked our mail server admin to help set this up! (well, he could have been TOLD to do it too)

      --

      Gorkman

  2. Interesting point... by Ratface · · Score: 5, Insightful

    While most of "Spaf's" comments seem fairly self evident, I liked this point regarding add-on security products:

    "Expect to see several established products fail or be withdrawn because they are too invasive, have unfriendly interfaces, or are found to be considerably less effective than claimed."

    This kinda makes me think of the effect that ZoneAlarm have had on the personal firewall market for instance. 3 years ago, firewall technology was clunky and strictly for the network administrator. Nowadays anyone can have a simple to configure basic level of protection thanks to a product that broke the paradigm and set a new standard for ease of use. Of course, the really security conscious out there still have their infinitely configurable command-line tools, but at the same time, my dad (for instance) can feel comfortable with a product that he can understand.

    --

    A little planning goes a long way...
    1. Re:Interesting point... by wheany · · Score: 3, Interesting
      "but at the same time, my dad (for instance) can feel comfortable with a product that he can understand."
      When you combine a personal firewall and an inexperienced user, one of two things will happen, judging from newsgroups:

      a) "My machine is completely invulnerable, I have a personal firewall!"
      b) The firewall says: "AIEEEEE!!! A dangerous hacking attempt is in progress", and the user panics, because someone pinged his machine.
    2. Re:Interesting point... by Ratface · · Score: 4, Insightful

      True, but I only need to explain to him once or twice that

      a) Still be careful with information you give out/files that you open ... and ...
      b) Turn off automatic notification.

      It's definitely better than no protection or completely mis-configured protection because the user interface is designed for systems administrators.

      Hence the whole point of Zone Alarm as a paradigm-buster.

      --

      A little planning goes a long way...
  3. Fads and Flash by osullish · · Score: 5, Insightful
    I totally agree with the Author in terms of Consumers are always looking to new Technology, instead of making the existing technology more secure.

    What's the Use in enabling data streaming over bluetooth when we can't safely send files over LANs and existing technology?

    Oh and I really think the advent of Wireless Networks and 3G Systems will open up a whole new Can of Worms in terms of security - We can Already intercept calls over GSM systems, now we're looking to send huge chunks of data via the same systems!

    Someone is gonna get burnt...

    --
    It's hard enough to remember my opinions, never mind the reasons for them..
  4. What the?! by Pat__ · · Score: 4, Interesting
    From the article... (emphasis mine)
    "Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics."

    I always thought it was the other way around!
    As in we should exercise more caution about closed source systems no matter which one we are advocating !!
    Oh well! ... He is the security expert so I guess who am I to argue!
  5. Spam may not be a problem much longer by DrXym · · Score: 4, Informative

    Mozilla 1.3 is adding support for Bayesian spam filters

    1. Re:Spam may not be a problem much longer by DrXym · · Score: 4, Insightful
      That is not the point. The point is that if Mozilla can have a Bayesian filter and it proves effective at catching spam then in a few years *every* mail application and many services such as AOL/MSN/Yahoo etc. will have one too. There will be no more need for the user to set up 20-odd advanced filter rules to filter for crap like $$$, xxx, Nigeria etc., or buy spam filtering shareware or anything else requiring effort - they simply click "this is spam" or whatever on their mail software and it's dealt with.


      There was a slashdot article the other day that mentioned the return rate on spam was something like 0.001-0.002%. If a filter that learns can kill 90% of it or more then you can stick an extra 0 in there at least. Let the fuckers burn their money if they wish, but there will be a point when most of them will simply give up.

  6. cooperation: 'out-share' hackers by UnderAttack · · Score: 5, Insightful

    I like the part about cooperation. Hackers do it for years successfully, while network administrators prefer to sit in their closets under tin-foil hats hoping to protect themselves with obscurity.


    Systems to share already exist. Just check the "Internet Storm Center" and DShield for a place to exchange logs and ideas.

    --
    ---- join dshield.org Distributed Intrusion Detec
  7. Re:Real Network Security by OrangeSpyderMan · · Score: 5, Funny

    Don't connect your computer to a phoneline/DSL/cable modem

    Oh please don't try and convince me that wireless is more secure! :-)

    --
    Try NetBSD... safe,straightforward,useful.
  8. Most important point by ifoxtrot · · Score: 5, Insightful
    I don't think that any of these predictions are particularly insightful, but the 8th is a good illustration of the root of the problem with security.

    "Consumers and technologists will continue to be enamored with fads and flash rather than quality and safety. Wireless will continue to be deployed in sensitive locations despite the terrible vulnerabilities and risks. Furthermore, we'll see policymakers and technicians continue to place faith in technology to solve our problems instead of investing in sound management and trained personnel."

    The point being that security is frequently misunderstood, isn't sexy and doesn't appeal to the mass market. Possibly the only way to change this is for security to become a major feature of the products (a bit like microsoft is saying it's doing now) so that people will come to expect the security... Somewhat similar to the safety features in cars...

  9. Re:His point on open source by PerryMason · · Score: 3, Insightful

    Take a look at CERIAS's sponsor list for a few reasons;

    http://www.cerias.purdue.edu/about/related/sponsors/

    --
    "I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
  10. Appliances? by Omkar · · Score: 5, Insightful

    "Consumers will embrace appliance-based computing as it becomes available."

    Spaf apparently believes that consumers aren't capable of dealing with real computers; he thinks dedicated apps and devices are the future.

    This reminds me of the NC vs. PC debate. PCs were supposedly too clunky, hard to use, and powerful for the average user; NCs were going to replace them. Eventually, PCs ate NCs.

    I believe that looking at this issue from a security point of view is somewhat misleading. As Spaf himself seems to realize, most domestic consumers are misinformed and apathetic about security. The average person will see a refrigerator, that for no good reason, can go online, rather than a secure online service. PCs will still be more versatile than appliances, and will continue to provide more value. Remember how the next big thing 10 years ago was the iCoffeeMaker?

    Domestic consumers won't use them. Corporate consumers won't use them. Who will adopt appliances?

    1. Re:Appliances? by Chanc_Gorkon · · Score: 5, Interesting

      Actually I kind of agree with him. I will tell ya why. Personally, when I am at home it's my time. I usually love unplugging for at least an hour if not the whole evening. Yeah I love technology and all, but why I want to is invariably, I always start to ask the question is it worth it when I start working on something. If it isn't, I push away and relax by watching a DVD. Now if I didn't have the hassle of normal day to day computer using, I would use it more. Case in point, my PDA is what I take with me on trips rather than a laptop. It works EVERYTIME and powers on in less than a second. People hate having to wait for the boot sequence and all of that. People want to work. Remember when the first home computers came out and they were real popular? Remember why? The reason it was was that they were instant on. No waiting for a disk to be read or any of that. On my Atari 800XL, when I wanted to write a paper for school, I would insert the cartridge for the word processor and turn it on. THAT'S IT! The software was available soon after (less than a second) I flipped the power switch. The only downside of the older ones was that saves took forever because you usually could not afford the disk drive so you were stuck with tape. My Atari 800XL cost LESS than the disk drive! We used a tape drive. There's no reason we can't have these type of computers and no reason to kill off the PC because of them. The PC could turn out to be a household server more than anything with everyone having a laptop style or pad style computer that could be used anywhere. When you were at home, the pad could periodically dump its contents to the PC and when you leave you can make sure you have the files you really need with you. Appliance computers will happen eventually. Even us geeks will use them.

      --

      Gorkman

    2. Re:Appliances? by fferreres · · Score: 4, Insightful

      Price. Start offering NC for $4,99 a month (say you already have a monitor and only need to plug a micro NC that is network card + video display and some simple bios).

      You can only win against a PC if you can offer the NC at "ridiculous" (for past standards) price. Everything should be thin clients if you ask me, and if I need I could "network to my own server" or to a server provider I hired (for my personal apps, my disk space, email, whatever). Everything will be distributed services.

      The PC will then be seen as a "local NC + server" all-in-one.

      But we'll have to wait some years. It will be fun:
      - No installation of software
      - Almost no configuration, except for user choices

      Just imagine: click here to play Doom IV (service cost $0,05 a minute, or buy a monthly pack at $10). Here to launch a word process (prices start at $0,02 (OO) and up to $0,10 (MSO)). Click here for phone service, etc. etc.

      Companies offering lots of "service packs" (not the MS ones! Real service packs). Your own computer will be irrelevant, the best stuff WILL NOT INSTALL ON YOUR COMPUTER.

      The reasoning behind this is simple: as network speeds become increasingly powerful, there will be an inflexion point in the economics of running a local computer: when the needed "combined" bandwidth for using all the applications you need + upgrade to them and updates surpasses the needed bandwidth to just broadcast the "video stream" to your computer, network computing will arrive.

      And the needed bandwidth to broadcast a video signal grows little over time and can even go down (small screens, PDAs) but the bandwidth to install new games, OSs, to watch video and applications and to stay current is growing exponentially.

      It's just a matter of time! Gone will be the days one will have a computer faster than your friend. You could compile your kernel in 3 seconds in a virtualized mainframe as long as you don't exceed your CPU/hour quota!

      People will ask what CPU/hour you are hiring (if you run a server) and how many clients/hour are you serving, not how much mbits you have :)

      --
      unfinished: (adj.)
    3. Re:Appliances? by Tassach · · Score: 3, Insightful
      You seem to be missing the point. "Network Appliance" doesn't mean "Toaster with a RJ-45 port", it means "Dedicated computing device". Domestic and Corporate customers are buying single-purpose, dedicated appliances like mad. Security appliances. Network-Attached Storage appliances. Search appliances. And so forth.

      When you want to do one job, and do it well, a dedicated piece of hardware almost always wins out over a general-purpose computer. Can a PC with 2 nics and the appropriate software do everything a high-end router can do? Sure it can. Then why do people buy dedicated routers? Because they are more reliable, have better performance, consume less power, and are simpler to administer. It's the same reason you have a toaster and an oven. A toaster does one thing: it converts bread into toast easily, reliably, and efficiently. You can't cook your Thanksgiving turkey in the toaster, but that's why you have an oven. You can make toast in your regular oven, but it takes more power, it's easier to burn it, and it's far less convenient.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  11. Open not necessarily better for security... by Sheetrock · · Score: 3, Insightful
    Recently, I think we've had some pretty good demonstrations of the false sense of security we've all smugly adapted regarding open source:

    - Trojaning of popular open source software (such as OpenSSH and tcpdump).
    - Repetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it).
    - Programmers releasing details of security flaws after their platform is covered but before everybody else has a chance to patch the problem.

    So I think he may have a point. Closed source isn't secure, to be sure, but irregardless these continual problems with dealing with security flaws in free software beg the question of whether or not the open source methodology is much better in 'root'ing out problems.

    Note: I'm just talking about security, not overall quality of product. I still use open source because I feel it is superior to closed source in so many ways. However, I want to burst this bubble we've collectively got about "Thousands of eyes on the source code mean we're all safer", because obviously it isn't turning out that way.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:Open not necessarily better for security... by Zocalo · · Score: 4, Informative
      "Repetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it)."
      Latest version? I don't think so. BIND currently has three main code bases:

      v4.x - essentially an ugly, bug ridden hack (or at least it seemed like it).

      v8.x - a very stable DNS server, but unfortunately largely built upon the v4.x codebase and inheriting issues galore as a result.

      v9.x - A complete rewrite of v8.x, plus extra features, with much more attention paid to code integrity.
      Almost ALL of the recent serious BIND exploits, including the recent one you are referring to, have been focused upon the v4.x and 8.x trees. Sure, v9.x isn't without its problems, but all in all, it's proven to be pretty secure and stable so far.

      --
      UNIX? They're not even circumcised! Savages!
  12. Caution with open source? by quadcitytj · · Score: 4, Insightful

    "Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics." {Emphasis mine}

    It would be nice if he could give us a concrete reason why we should "exercise caution" with open source. Does he really have a valid point, or is he just propagating the "open source is less secure because crackers can see the code" myth?

    1. Re:Caution with open source? by theBraindonor · · Score: 3, Informative

      Spaf is simply trying to drive a point home that he teaches constantly at Purdue--and yes, I had the privilege of taking his class. When it comes to computer security, you should never blindly trust anything! Why is he saying that we should be cautious? Simple... Too many people have the impression that open source == security. And we've all heard it: "It's open source, it must be secure..."

      Why is that a bad thing? Risk Analysis... You can never achieve 100% security. At best, you can develop a plan that takes into account most anything that can go wrong: Fire, Burglary, Natural Disaster, Hacking, etc. If you blindly trust a component, then your risk analysis isn't worth anything.

      PS: Spaf... See... I wasn't asleep in class.

    2. Re:Caution with open source? by swordgeek · · Score: 3, Insightful

      Spaf is a Smart Guy, and of the many things he's said, 'open source == less secure' is certainly not one that I'm aware of!

      Open source may or may not be more secure because it allows for independent code review. It is NOT, however, inherently secure which is something that some people seem to think.

      What he's saying is that none of these things are a panacea. We can't say that we're secure because we use open source software (like tcpdump, sendmail, BIND), nor can we say that we're safe from bad guys because of biometrics.

      He's reminding us of the fundamental point of security: It's a journey, not a destination. The technologies that he mentioned are great cases of either or both (a) easily breakable technology, and (b) technology that too many people are willing to wave their hands at and call 'secure.'

      Caution is a fair attitude, I'd say.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  13. Iris firewall/filter appliance. by Bocaj · · Score: 3, Funny

    We need a good appliance that can detect spam/intruders/viruses. In a nice little package with an LCD "Iris" that closes when it detects a "bad" incoming packet and then makes a thud sound when it kills it. :-)

    Ok, yes, I watch too much Sci-Fi channel...

  14. Re:His point on open source by coj · · Score: 4, Informative

    FYI, My day job is CERIAS webmaster.

    I believe he mentions it in response to the common belief that OSS is *inherently* more secure than closed source. We use tons of open-source software at CERIAS, so it's not the case that Spaf has a dislike for open source.

    -Ed

  15. Re:Software Engineering by Zanguinar · · Score: 3, Informative

    In response to your accusations...

    1) Apparently this guy hasn't been using windows.
    I'm sure he has to some extent, but I believe he uses Mac OS X in his office.

    2) He hasn't read the book "Mythical Man Month".
    Yes, he has. It was assigned reading for one of the courses he taught.

    Recall, this is a prediction, a guess. Weirder predictions have come true.

    The reason most people use Windows is because they don't realize they have a choice. For the average consumer who can't handle Linux/BSD/etc. and uses PCs at work and therefore is more comfortable with Windows than MacOS, there realistically isn't a choice. That's why appliance PCs will take off (IMO), if they're designed right. Because of the age old KISS (Keep It Simple, Stupid) formula. If you make it easy enough for everybody to use, they will. That is, as long as they are willing to pay the price for the functionality. That's why appliance PCs have failed so far...

  16. Re:Software Engineering by Tassach · · Score: 3, Informative
    "The reason most people use Windows is because they don't realize they have a choice."
    Actually, I think that's a secondary cause. I think the top two reasons people use windows is because 1.) It's what came on their computer, or 2.) It's what they're familiar with from work. I can't tell you how many machines I've seen that have been in use for years but still have the default settings for everything.
    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?