The Future of Security

Kvorgette writes "Scott Berinato in The Future of Security presents a very dark future of security in the years around 2010. Several computer security experts expect that a major security-related problem (a 'digital Pearl Harbour') will change software development procedures and remove the freedom in computer use we are striving for. The worst part is, most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing."

Principles vs. Success

[Jameth]

As is commonly the case in modern society, people focus on success at the expense of principle.

Certainly, the average joe not having access to the internet would make the internet secure, so that would appear to be successful.

The only issue is that this would be in violation of principles about freedom, principles which many people may not care about.

It's the same reason that having a corporate systems with owners removed from responsibility is problematic: only successfulness is considered, not right and wrong.

A suggestion

[Zog+The+Undeniable]

AV software is useless against new exploits unless heuristics are turned on. Few people will do this because of false positives.

Relying on OS patches is useless because the true dark-side hackers won't publicise any holes they've found until they've used them.

What could be useful is - dare I suggest it - holding essential OS kernel files in ROM. Slightly awkward if you want an upgrade, but not insurmountable with socketed chips. If you use UV-erasable ROM chips, you can still burn upgrades at home but remote hacking is impossible. And your PC would start up in the blink of an eye!

if you think about it

[katalyst]

the internet is still a relatively infantile concept; rules are not rigid, and everyone's feeling their way around - with standards being reviewed and re-written everyday. The future may as well be as how the author claims it to be; the net surfers of today, the slashdotters will be looked upon in the future as we do at the hippies - they had their sex and drugs - we have/had any data/information we wanted. This DOES NOT mean that I disapprove of today's internet; after all who has the right to decide on our behalf - what we can know and what we can not. But with mega-organizations like RIAA pushing harder for stringent rules(yes,though they can claim to have a valid concern), I won't be surprised if our grandkids point fingers at us and say "hey - in your days, couldn't you look up how to make bombs and hack and even look at naked women?"

Security should be simple

[zero-one]

It should be simple to write secure software. Most current operating systems (in their default configuration), assume that applications run by the current user should have all the powers and privileges of the current user. This is obviously wrong.

If I install a text editor, I probably don't want it to be able to access the Internet. It should be possible to say, "for this app here, don't let it do anything network related". That way, no matter how badly the text editor is written, it can't do any harm beyond the data it is allowed to work with. If I then want to use the text editor to print to a network print, I should be able to tweak a few options to make that possible (without enabling anything else).

Ideally, all of this would happen when an application is installed. If there were some UI that said, "This here program is asking for the following rights, is that OK?", I would immediately know what I was letting myself in for.

I know there are various ways of doing this kind of thing at the moment (virtual machines, using permissions more effectively or using different accounts for software) but none of them are particularly easy to get going.

With all of this implemented correctly, it should be possible to run any application (no matter where it came from) with out risking all the data on a PC and connected resources and to deal with security in a way that any normal user would understand.

This guy is a muppet.

[tolan-b]

I'm sorry, I couldn't finish the article, it was just pissing me off too much.

This guy is utterly clueless, I mean look at this:

Five factors distinguish the digital Pearl Harbor from the virus attacks we've suffered to date.

First, it disrupts backup systems. Fragile networks heretofore have been mitigated largely with backup. Disrupt that and badness follows.

Second, it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up. Due to the loss of backup, corporate earnings data is irretrievably lost. This panics Wall Street and destabilizes the financial sector.

OK, a couple of things. First, "it disrupts backup systems". Riiiight. So this Flaw in 'the internet infrastructure' can also get to tape backups in safes? OH NOS!!!1!

Second, "it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up."
"it attacks the Internet infrastructure--such as domain name servers and routers--and industrial systems connected to the Internet, like utility control systems.". I'm sorry but if someone connects utility control systems to the net then they are the ones who should be strung up.

The point is that bugs aren't a risk to 'national security', they are a big problem, and will be very costly to business I'm sure, but an attack or accident that has a serious detrimental effect on peoples lives, caused by security holes just shouldn't be possible.

This important infrastructure should not be connected to a fundamentally insecure network, and if you're looking for scapegoats, they should be those who allow that sort of level of insecurity. Look at that power station that got Blaster...

Surveillance doesn't scale

[starseeker]

"Authentication doesn't scale. But surveillance does. "The costs to observe are virtually zero, so it's not a question of will it exist, but what will we do with it?" Geer asks."

The AMOUNT of information you collect can scale, but the UNDERSTANDING of that information is limited by the processing capability of the organization collecting it. Not to mention its power and ethical use are in the hands of one organization.

I'm hoping by 2010 we will have remembered not to trust the government too much. Power corrupts, and post Sept. 11 is no different than pre as far as that goes. Nor is post digital Perl Harbor different from pre.

Bad things can happen - we have to accept that or do our society great damage. Any fixed target is a soft target, and computers and the internet are no different from anything else that way. The biggest liability right now on the net is unpatched Windows machines. Fixing the problems isn't enough - the fixes must be put into action. How do we solve that problem? Dunno, unless we do it right the first time (www.eros-os.org). But a free society has to be worth any price, or it will collapse. I won't accept government oversight as the price of keeping my computer safe - that price is too high. Particularly when it won't solve anything.

Pearl Harbor? Who would notice?

[lone_marauder]

The problem with the idea of a "digital pearl harbor" is the question of whether anyone would notice it. The metaphor suggests a peaceful world where computers and computer users are free to play in the wild with no fear until black Sunday finally comes and takes away all our innocence. The problem is that we don't have that innocence.

Try to bring up a Windows2000 workstation, freshly installed with no patches, and connect it to the Internet. In minutes it will be infected by a virus. Any one of the major security stories of the past five years would far exceed Pearl Harbor in terms of actual impact upon the information world. In fact, problems such as SQL slammer are more like the invasion of the Mongols, and the spam problem is global thermonuclear war.