The Future of Security
Kvorgette writes "Scott Berinato in The Future of Security presents a very dark future of security in the years around 2010. Several computer security experts expect that a major security-related problem (a 'digital Pearl Harbour') will change software development procedures and remove the freedom in computer use we are striving for. The worst part is, most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing."
When you got ONE company running the whole damn show, what will MAKE them focus on security, it's not like someone else will/can step in to take over.
People can't see the forest for bare trees...
Methinks this is another promotion of proprietary software. We Barbarians will find a way to protect ourselves despite what the Government and the Borg thinks is best for us.
nothing like a clueless journalist to drive sales of security products up
the sky is falling again oh no
so anyone want to buy some insurance/security products/golem ?
...or at least my customers think so. I am a security consultant, and I certainly do not believe that you'll get anywhere through removal of users' freedom. Nor do most of my "expert" colleagues. In fact, that viewpoint I've most frequently heard from fairly clueless middle management most concerned with immediate, bandaid fixes to deeper problems.
Like it or not, that's what it comes down to--freedom and choice. Our job is not, like in other fields, to "get to the bottom of the problem", but to fix the symptoms. Because, frankly, the cure would be worse than the disease.
Currently, you and I, as "clued" users, have access to the resources we need. We would be needlessly crippled by DRM, technical restrictions, whatnot. We all saw how effective US export controls on encryption technology were in the long run, and a lot of us have run into situations at work where we simply couldn't do the job with the given tools (all of which had to go through months of committees and acceptance testing, whatever.)
I'll grant you that corporations have more leeway in this; a company environment is more likely (and legitimately so) to be less flexible regarding software tools available to employees. But for general use?
I've been following loads of discussions among ISPs, for example, who see nothing fundamentally wrong with limiting traffic to ports 25, 110 and 143. Nice prospects, you say? Well take this a step further--when "someone" decides that the grannies of this world, whose PCs are currently spitting worms left and right, should be locked down, do you think that the type of legislation and technological restrictions necessary to do this will differentiate between the grannies and the "clued" users?
I don't have the answers, but I strongly suspect they go in the direction of continuing education. A few years ago, most people couldn't spell "virus" (well, they probably still can't, but they at least know what it is.) Putting the spotlight on security holes and spam and and and for the average joe is what gets results, not locking shit down.
Sorry for the ramble.
Cole's Law: Thinly sliced cabbage
I may be getting my three letter publisher names mixed up, but doesn't IDG do nice reviews for Microsoft? This whole scenario seems to be tailor written as FUD promoting the Trusted Computing model and its successors. The winners of this fictitious version of Pearl Harbor are very easy to pick; Microsoft, RIAA, MPAA, and the studios.
If compilers are criminalized, then only criminals will have compilers
Open source software tools don't kill networks, people do
Yes, and mechanics expect broken cars, teachers expect ignorant people, and doctors expect injuries. Of course, just by explaining what they "expect," security experts create more business for themselves by instilling fear in the public. Whatever.
Preventing people from accessing security-related information will only make things worse. Hackers will create their own tools, and find security holes on their own. Yes, there will be fewer people that know about the holes. But they will be able to do more damage, since there are too few people who have the knowledge to stop them.
Diversity is what keeps the 'digital world' going. Standards specify how we communicate, but what we do with the information we process is up to the operating system/applications.
What the article suggests is that we should have 'standard' ways of doing this, "standard software patches". Now what if someone breaks that standard and introduces a bug/backdoor in a standard patch which everyone will receive? We'll have a situation much worse than what can possibly happen today.
"The federal government will mandate that users must authenticate their identity to access the Internet itself"
-Wow! Only one place 'to hit' to deny access for everyone to the internet.
What if I identify myself as someone else? Of course it will happen, then someone can wreak havoc and later the innocent neighbor will be arrested because:
'It was him, without doubt, that did all this and that on the internet. Proof? We have logs which clearly show the perpetrator logging on to the net'
Standards and centralizing is what will bring us a 'digital Pearl Harbor' (what a stupid name).
This reminds me rather of the anxiety over the Y2K bug. I think the rather doom-laden scenario being predicted here is frankly overblown.
"Then the lights wink out. Everywhere.
Then it begins to get cold."
Naturally, it leads into a Big Brother state from that point on. The article's a troll; it engages in emotive button-pushing.
(if you can design your ROM code well enough that it won't allow a remote attack to take control from it, then it didn't need to be in ROM in the first place)
OS in ROM is good for other things, though (speed, impossible-to-mess-up failsafe boot, etc).
My father in law complained about his PC being slow, so I agreed to take a look at it, suspecting it was infested with spyware and such. I was right, and I wiped the machine clean as best as I could. I also installed a personal firewall, so spyware/adware should not be able to dial up to the internet at their own discretion.
What happened next is that when somebody wanted to visit an Internet page, or collect or send some email, that firewall would first ask permission for the app to contact the Internet. The first question was whether the app was allowed to contact host X.X.X.X at UDP/53. This, of course, means bollocks to the average user.
The moral of this story is that you need in depth knowledge of computers, software and (TCP/IP) networks in order to tell your computer if an action can be considered safe.
You could pose that a text-editor does not need Internet connectivity. How many of you guys use freeware/shareware that is ad-supported? How many (even payware) apps 'phone home' nowadays before even displaying anything like a splash screen?
Security of software and operating systems is primarily the responsibility of the writer thereof. You can NOT trust your average user to know what's safe and what's dangerous. You simply can't.
Viewed in that light, locking down a user's rights, even on his/her own box, seems like a decent idea. It would save a lot of spam and virus trouble, and spyware firms would be out of business before the week is over.
I however think that I know what I'm doing, and I demand my rights. I'm willing to take a test of competence if needs be, but I will under no conditions give up the control of my system to anybody, especially to companies or governments.
I think it's surprising that you posted that on Martin Luther King day. I think MLK and Gandhi might have had something to say about non-violent ways to secure liberty.
Politicians always think it's going to be an "electronic pearl harbor" but never imagine that it will actually be an electronic Exxon Valdez, or Bhopal, India.
The entire assumption is that some rogue power will launch a surprise attack on mothership america, when really, a bit of crappy code created by a monolithic company will cause widespread harm to the network and the economy.
It's already happened, look at Blaster/Nachi. The amount of background noise on the Internet caused by worm traffic in the core will only increase, and interestingly, probably to the point where it will make bandwidth expensive again.
As a security professional, it is always embarrassing to hear colleagues talk like this. It's self serving, unsophisticated, and politically motivated.
Get off it.
Secure programming requires additional skill and focus during design, development, testing and configuration. This drives up costs and extends schedule for any project.
Ultimately the market decides winners in the software space (usually), and everyone needs to see security as a feature worth paying more for, in terms of employees designing and building the systems, to QA testers performing thorough audits before deployment, to users comparing choices in the corporate or consumer software space.
The author argues that it will take a digital pearl harbor to effect this change. I doubt it will be as drastic. We are already seeing consumers, users and businesses move towards more secure systems (and adding more diversity - breaking the monoculture).
The pain is only going to increase as attacks grow more and more prevalent, and damage more and more severe. Instead of a single, high profile event, I think we are going to see the current trend continue and accelerate: more and more people spending more money on secure systems, and diversifying their environments.
In the software market consumers and producers are equally responsible for the state of security - it costs more time and money and skill to build secure systems: are people paying more for the secure alternatives on the market? Do people make a thorough effort to address security before purchase? Until the answer is yes, the current methods will remain the market leader. Those that ignore security (to the extent they can) will come to market faster and cheaper than their more secure alternatives.
Those that put a premium on secure systems will spend more for a solution that gives them the stability and features they require, and understand the tradeoff involved in terms of cost, time and skill.
It's a populist piece of scaremongering, but it raises one valuable point: the fact that there are fewer and fewer baskets to contain the vital infrastructure eggs.
If you have separate wires for power, telephone and internet and an entirely separate mobile phone network you have a fair chance that enough of them are going to stay working to allow you to repair the ones that aren't.
If your voice communications are running over IP over your powerline and the phone companies throw out their phone switches and replace them with VoIP routers which are also switching internet traffic and, incidentally, providing virtual private networks which link the utility companies' control and monitoring systems, then the chances of everything going down together are significantly increased.
The only way to stop this tendency is to change the definition of "bottom line" and that can only be done through our old friend regulation.
This article seems to allude that we will be using today's software and security techniques in 2010.
But to me, that's 6 years of potential new discoveries and technology.
It was over 20 years ago that Fred Brooks wrote the Mythical Man-Month, and the majority of the software industry are still making the same mistakes.
If you think 6 years is going to make a bit of difference, can you please point out how the software industry is more secure than it was in 1998?
Perhaps you mean something like per process namespaces and device access through file interfaces controlled by normal permission checking.
Nah, that's just crazy talk.
oh, wait
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
Is there an example of a successful nonviolent revolutionary in a land that was not owned by a modern Western democracy at the time?
Not to put MLK or Gandhi down, but I don't think either one would have had the same sort of success if they had been in North Korea or Eastern Europe under the Soviets, or even in the 18th-century British Empire. I think nonviolence is great for changing things in countries that are reasonably open, but it sucks for totalitarian states.
I would love a counterexample, however.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
This article is both bogus and dangerous. It's just a 2004-revamped prophecy of the apocalypse:
:-)
The apocalypse:
1) Predict utter destruction for the whole mankind
2) People freak out
3) Enforce your own agenda ("Give me your lands and you will be saved when the world ends in year 1000")
4) Profit! The church is the richest state in the world.
This FUD:
1) Predict utter destruction for the whole mankind
2) People freak out
3) Enforce your own agenda ("Give me your freedom and you will be saved when the time comes!")
4) Profit! Corporations control mankind.
It seems so obvious to me that's scary! A few points worth considering - let's dispel the FUD:
- The article says that every computer has 200,000 bugs in 2010. Omits to mention that in a multi-cultured internet (different computers, OSes, software) most computers would have a different set of bugs and therefore an attack couldn't possibly take down the whole, totally redundant infrastructure.
- If the internet goes down, everything (economy, electricity...) falls with it. Omits to mention that such statements should be proved.
- A more rigid security system would be more secure. False, people like Kevin Mitnick have been getting inside the world's most secure servers with very little problems, by using social engineering. Now, unless you can actually program the way the mind of people works, well, there's little you can do about it.
- Look who's talking. Uhm, a security expert suggesting more security - more than a little conflict of interest there...
I'm sure there are many more loopholes in this article, I leave to the reader the task of finding them.
By the way, if someone told you "You're gonna die tomorrow! Do as I say and you will be spared!", how would you regard him/her?
Instead of a big bang scenario I could imagine a change through software liability.
Just imagine some slightly bigger than average small country (France? UK? Germany?) picking up the lead and explicitly covering product liability for software products. No more chickening out with boilerplate "click I AGREE" licenses.
Software companies would either have to be good enough or gone from that market. In this scenario e.g. Microsoft might have a really hard time to hold up against the courts. They might decide to leave that market. That would result in trouble for lots of businesses, but they will get over it. And then a reasonably big market might be open for something better. Don't be too optimistic, that other choice would have to be really better.
Such a small change could lead to a change in the IT industry much faster than any horrible catastrophic event in cyberspace (which also invariably leads to loss of life and property in popular articles). The change would spread out to the world really fast. And even if other countries didn't copy that legal model exactly it would leave us with a choice of software that is up to such a legal model.
Be careful - this article hardly seems legitimate. The article is simple fearmongering written by an author who only seeks to stir up attention of any kind. Unfortunately Slashdot has furnished that attention. Allow me to expound on my position with some evidence.
./ers make it out to be, they simply exist to make money and dominate the market. Good security equals good money.
The author is the same one who wrote "Patch and Pray", an article that starts off with "It's the dirtiest little secret in the software industry: Patching no longer works. And there's nothing you can do about it. Except maybe patch less." Somehow I sense a pattern of fearmongering and irrational, attention whoring claims by this guy.
But let's analyze the article slashdot posted on its own merits. Here are a few choice quotes taken directly from the article:
digital Pearl Harbors are happening every day.
That kind of defeats the point of calling something a "Pearl Harbor" doesn't it? The author is just trying to make things sound scary by wielding historical words.
TIPPING POINT: On Dec. 7, 2008, computer systems around the world go down simultaneously. They do not come back up.
That's right, they do not come back up. The machines all catch fire or something, so you can't repair them.
This panics Wall Street and destabilizes the financial sector. People run to their banks, but the banks cannot disburse funds; their networks are down. As are the credit card networks and the ATMs. If you don't have cash, you go hungry. Then the lights wink out. Everywhere. And it begins to get cold.
If you put that in a movie script, any studio would laugh in your face at the lack of realism. Yet this kind of nonsense flies in computer security articles?
People are hungry. Freezing. The old and the young begin to die. The strong turn against each other.
It just gets better and better! But there is a bright side if you read on....
"[in 2010] the average PC, while it may cost $99"
Yes. They are actually stating that they expect the average PC to cost $99 in 2010. This makes it obvious where they're getting the rest of their numbers from: straight line approximations. Take what's happened during the last two years and assume the same thing keeps happening for the next ten. There's a word for that, and it's not statistics - it starts with b and contains an s.
Of course, to have a reformation, you need a Martin Luther...Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he's experienced firsthand.
You mean like, oh, Bill Gates? Microsoft wants better security already - they just can't implement it correctly, and many of their plans are misguided. But anybody in MS who could avert the next Blaster would get a promotion, not the axe. The company isn't quite the demonic hive some
TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.
Now this guy is trying to hype yet another crazy how-to-program-better-with-process scheme. Let me guess, he's co-authoring a book about TSP and PSP? Yep, they reduce coding errors by a factor of 10, cure cancer, and bring about world peace.
We're reaching our limit with the angst. Popeye once said, 'I've had alls I can stands and I can't stands no more.' We're reaching that point."
Just imagine how those lines would go over in a security presentation in your company. "Boss, we have too much angst!"
And even features within programs, like the ability to forward e-mail messages, will be shut off.
Yes, that's right, the article made that prediction. You won't be able to forward email. Sure.
The federal government will mandate that users must authentic
Look at it this way; the viruses and worms that haunted the net at the time were more or less friendly, concept-like viruses. It could've been much worse. What if the viruses that roamed the net would:
Destroy your data / the operating system silently (shredding your files so that they can't be recovered).
Mail your documents to everyone in your contacts-registry. (Eg. mailing corporate files to competitors)
Hopefully; the reason why the viruses weren't dangerous was because: If you have the skill to write such a virus, you can probably imagine the consequences.
What are your thoughts on the subject?
In the majority of the jobs and software projects that I've ever worked on, the concept of security and integrity has never been much of a concern to management. More an afterthought. Now to be clear, most of the projects I'm talking about here are embedded network components and servers.
I've always seen it as my responsibility to try and write code that is secure. At the end of the day I'm trying to protect against such attacks. But even for all my diligence there is going to be some sort of mistake that can be exploited.
And for anyone who thinks for a second that I've been sloppy then just consider the OpenSSL library and the number of security holes found in it over the last year. This has been written by experts in computer security and cryptology, yet exploits and vulnerabilities are still found in it.
Now add to this management's concern to ship the project early or by a certain unreasonable deadline, even if the system is plagued with bugs.
So when the product ships, a security hole is exploited in it and the exploit is traced back to a certain piece of code, who should take the fall for it?
What about advances in security technology? Targeted IDS is still in its infancy. What about CERT's research into survivable systems engineering? Patch management software is going to suddenly go the way of the Dodo?
From my understanding the general consensus is that SOX auditing will eventually include all systems which run the business - not just the ones involved in financial reporting. That auditing requires a verified disaster recovery procedure and security documentation.
Am I saying there is absolutely no chance it could happen? No. But a lot of security people much better than me are going to have to be lobotomized before I think a digital "Pearl Harbor" is plausible.
I don't want knowledge. I want certainty. - Law, David Bowie
The parent post is right. The article is a bunch of FUD. Nothing like a clueless journalist to drive up sales of security products!
I may be getting my three letter publisher names mixed up, but doesn't IDG do nice reviews for Microsoft? This whole scenario seems to be tailor written as FUD promoting the Trusted Computing model and its successors. The winners of this fictitious version of Pearl Harbor are very easy to pick; Microsoft, RIAA, MPAA, and the studios. Parent is right about the article writer's agenda.
I am not sure why they used that for an analogy as Pearl Harbor was not a surprise attack. Pearl Harbor was deliberately allowed to happen so as to force the American people into WW2 and to make sure the Japs didn't know the US had cracked their codes.
The only way Pearl Harbor would be applicable is if you were using it in the context of Microsoft deliberately allowing crippling attacks on its software so as to push through a new system whereby it (MS) has ultimate control.
Tippett argues that if we simply extend the present situation into the future, the level of complexity and vulnerability we would create will make a digital Pearl Harbor inevitable--and before 2010.
If we simply extend the present situation... but who is simple-minded enough to believe our world works like this?
"That [scenario] is appealing because it's one of the simplest things you can do with computers: restrict their abilities," says Peter Tippett, CTO of security vendor TruSecure and noted security expert.
Dear Peter, if you want to restrict all abilities of a computer which can possibly be used in a dangerous way, you'll have to pull the plug.
Tom's Rules For Reasoning About Tool Security:
- It's not the tool that's dangerous, it's the person using it.
- Every tool can be used to harm another person.
- Making a tool illegal won't prevent a determined person from using it.
Tom's First Conclusions From His Rules For Reasoning About Tool Security:
The twin notions: that 24/7 surveillance of every computer in the US is possible, and that a national AAA system is not possible are presented and no reason is given - we are just to accept these 'facts' because they appear in the article.
[Set Cain on fire and steal his lute.]
This article reads just like many articles written by so-called "experts" about the dire Y2K "bug". All the world's computers going down at once? Please.
Proverbs 21:19