Slashdot Mirror


The Future of Security

Kvorgette writes "Scott Berinato in The Future of Security presents a very dark future of security in the years around 2010. Several computer security experts expect that a major security-related problem (a 'digital Pearl Harbour') will change software development procedures and remove the freedom in computer use we are striving for. The worst part is, most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing."

33 of 331 comments

  1. Charles in charge of our days and our nights by ObviousGuy · · Score: 4, Funny

    I know, different Charles Baio.

    Still, unless you count Buddy, Charles provided a great role model and environment for the kids to grow up in. Security through education, not necessarily obscurity or technological whizbangitry.

    To reiterate: 1) Security can only be achieved through education. 2) I would have liked to fuck the older sister on that show.

    --
    I have been pwned because my /. password was too easy to guess.
  2. Leave it to Microsoft by Anonymous Coward · · Score: 4, Insightful

    When you've got ONE company running the whole damn show, what will MAKE them focus on security? It's not like someone else will/can step in to take over.

    People can't see the forest for bare trees...

    1. Re:Leave it to Microsoft by CdBee · · Score: 5, Insightful

      I could as easily argue that diversification of software and a multiplicity of non-binary-compatible platforms will lead to better security.

      Monopoly suppliers can produce good code, but this places an excess of trust in the end user - a group who historically have not been eager and diligent in software patching.

      Security loopholes become an issue when the software becomes omnipresent, as in Windows today.

      --
      I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
    2. Re:Leave it to Microsoft by *weasel · · Score: 4, Insightful

      c'mon - not everything is a malevolent plot coming out of Redmond.

      'Requiring' signed drivers is just a tech support cost cutting measure.

      Particularly with 3d video cards MS was getting too many (difficult, time-consuming, deeply technical) tech support calls from people having problems with leaked/alpha/pre-release drivers. So they added driver signing to screen some junk out.

      And how else can Microsoft be sure that someone truly is running an 'official' driver than by requiring it to be signed?

      It's not as if you can't -install- an unsigned driver. It's just an extra 'ok' button to click.

      --
      // "Can't clowns and pirates just -try- to get along?"
    3. Re:Leave it to Microsoft by swordboy · · Score: 4, Informative

      This kind of attitude is one of the reasons that Microsoft is where it is today.

      There is currently a *large* market for someone that can create a simple solution to the security problem that exists with complex operating systems. For example: I work for a large financial company that does not allow any corporate access from non-corporate PCs because of obvious security reasons (i.e. - it would be easy to install a keystroke logger on just about any PC, Windows, Apple or otherwise). So everyone is stuck lugging their laptops around.

      it's not like someone else will/can step in to take over.

      This is very far from the truth.

      Using the previous example, if someone created a Knoppix-like bootable "secure" distro that allowed a user to bypass the existing OS on a given PC, a company could allow users to use most any PC for access. Install some VPN software, simple self-checking environment, and perhaps a user-specific token and things become very secure. There would even be a market for a network bootable version.

      But we are all going to sit on the sidelines while MS fixes the problem with trusted computing. All because of a lousy attitude problem.

      --
      Life is the leading cause of death in America.
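      The "simple self-checking environment" proposed in the comment above, as an added example that is not code from the comment or from any distribution: a hash manifest recorded over the boot image, then verified at start-up, reporting files that were modified, are missing, or were not in the manifest at all. The manifest is assumed to live on the read-only boot medium (or to be signed separately); the check itself does not authenticate the manifest, and the demo tree, file names and function names are constructed for the illustration.

```python
"""Hash-manifest self-check for a bootable 'known good' environment.

Added example, not code from the original post or from any distribution.
The manifest is assumed to be kept on the read-only medium or signed; this
code only compares the tree against it.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file (relative POSIX path) under root to its digest.

    Symlinks are skipped rather than followed: following them would let an
    attacker point a 'checked' name at an unchecked file.
    """
    manifest: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order makes the manifest diffable
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def dump_manifest(manifest: Dict[str, str]) -> str:
    """One 'digest  path' line per file, the same shape as sha256sum output."""
    return "".join(f"{digest}  {rel}\n" for rel, digest in sorted(manifest.items()))


def load_manifest(text: str) -> Dict[str, str]:
    """Parse the text written by dump_manifest (digest, two spaces, path)."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree under root with the manifest.

    'modified': digest differs; 'missing': in manifest, not on disk;
    'extra': on disk, not in manifest.  All three empty means a match.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(r for r, d in manifest.items() if r in current and current[r] != d),
        "missing": sorted(r for r in manifest if r not in current),
        "extra": sorted(r for r in current if r not in manifest),
    }


def is_clean(report: Dict[str, List[str]]) -> bool:
    return not any(report.values())


def demo_scenario() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Constructed demo: record a tiny 'boot image', then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "vpn").write_bytes(b"#!/bin/sh\nexec openvpn --config /etc/vpn.conf\n")
        (root / "etc").mkdir()
        (root / "etc" / "vpn.conf").write_text("remote vpn.example.com 1194\n")
        # Round-trip through text, as if read back from the read-only medium.
        recorded = load_manifest(dump_manifest(build_manifest(root)))
        before = verify(root, recorded)
        # Tamper: replace the VPN launcher and drop an unexpected preload file.
        (root / "bin" / "vpn").write_bytes(b"#!/bin/sh\nexec /tmp/keylogger\n")
        (root / "etc" / "ld.so.preload").write_text("/tmp/hook.so\n")
        after = verify(root, recorded)
    return before, after


if __name__ == "__main__":
    clean, tampered = demo_scenario()
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```

      Run stand-alone it records a two-file tree, swaps the VPN launcher, adds an `ld.so.preload`, and prints both reports. The check is only as good as the code running it: if the verifier and its manifest sit on the same writable disk as the files being checked, a compromised system can pass its own test, which is the point the tal197 reply on ROM kernels makes further down.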
  3. FUD? by Anonymous Coward · · Score: 4, Insightful

    Methinks this is another promotion of proprietary software. We Barbarians will find a way to protect ourselves despite what the Government and the Borg thinks is best for us.

  4. Principles vs. Success by Jameth · · Score: 4, Interesting

    As is commonly the case in modern society, people focus on success at the expense of principle.

    Certainly, the average joe not having access to the internet would make the internet secure, so that would appear to be successful.

    The only issue is that this would be in violation of principles about freedom, principles which many people may not care about.

    It's the same reason that having corporate systems with owners removed from responsibility is problematic: only successfulness is considered, not right and wrong.

  5. I'm an Expert by fuzzybunny · · Score: 5, Insightful

    ...or at least my customers think so. I am a security consultant, and I certainly do not believe that you'll get anywhere through removal of users' freedom. Nor do most of my "expert" colleagues. In fact, I've most frequently heard that viewpoint from fairly clueless middle management, most concerned with immediate, band-aid fixes to deeper problems.

    Like it or not, that's what it comes down to--freedom and choice. Our job is not, like in other fields, to "get to the bottom of the problem", but to fix the symptoms. Because, frankly, the cure would be worse than the disease.

    Currently, you and I, as "clued" users, have access to the resources we need. We would be needlessly crippled by DRM, technical restrictions, whatnot. We all saw how effective US export controls on encryption technology were in the long run, and a lot of us have run into situations at work where we simply couldn't do the job with the given tools (all of which had to go through months of committees and acceptance testing, whatever.)

    I'll grant you that corporations have more leeway in this; a company environment is more likely (and legitimately so) to be less flexible regarding software tools available to employees. But for general use?

    I've been following loads of discussions among ISPs, for example, who see nothing fundamentally wrong with limiting traffic to ports 25, 110 and 143. Nice prospects, you say? Well take this a step further--when "someone" decides that the grannies of this world, whose PCs are currently spitting worms left and right, should be locked down, do you think that the type of legislation and technological restrictions necessary to do this will differentiate between the grannies and the "clued" users?

    I don't have the answers, but I strongly suspect they go in the direction of continuing education. A few years ago, most people couldn't spell "virus" (well, they probably still can't, but they at least know what it is.) Putting the spotlight on security holes and spam and and and for the average joe is what gets results, not locking shit down.

    Sorry for the ramble.

    --
    Cole's Law: Thinly sliced cabbage
    1. Re:I'm an Expert by AllUsernamesAreGone · · Score: 5, Insightful

      A few years ago, most people couldn't spell "virus" .. and people still can't spell the plural of virus ;)

      Putting the spotlight on security holes and spam and and and for the average joe is what gets results, not locking shit down.

      In the long term, yes. But unfortunately locking shit down does get results in the short term, just not the ones we'd like. And that's where most companies and governments look.

    2. Re:I'm an Expert by fuzzybunny · · Score: 4, Insightful

      You're completely, frighteningly correct. You wouldn't imagine how much time I've spent, (often successfully) trying to convince customers that, if some dude's looking at net porn all day, their problem goes deeper than anything that could be solved by looking over his shoulder.

      Kind of goes along the same line as blaming parents for delinquent kids--it's fascinating, how few senior management types are willing to hold lower management accountable for what their people do all day, instead preferring quick-fix surveillance "solutions".

      --
      Cole's Law: Thinly sliced cabbage
  6. A suggestion by Zog+The+Undeniable · · Score: 5, Interesting

    AV software is useless against new exploits unless heuristics are turned on. Few people will do this because of false positives.

    Relying on OS patches is useless because the true dark-side hackers won't publicise any holes they've found until they've used them.

    What could be useful is - dare I suggest it - holding essential OS kernel files in ROM. Slightly awkward if you want an upgrade, but not insurmountable with socketed chips. If you use UV-erasable ROM chips, you can still burn upgrades at home but remote hacking is impossible. And your PC would start up in the blink of an eye!

    --
    When I am king, you will be first against the wall.
    1. Re:A suggestion by tal197 · · Score: 4, Insightful

      What could be useful is - dare I suggest it - holding essential OS kernel files in ROM. Slightly awkward if you want an upgrade, but not insurmountable with socketed chips. If you use UV-erasable ROM chips, you can still burn upgrades at home but remote hacking is impossible.

      ...unless you have the ability to load extra stuff from disk at startup/login, at which point there is no advantage (your computer is only virus free for the first 2 seconds after power on).

      (if you can design your ROM code well enough that it won't allow a remote attack to take control from it, then it didn't need to be in ROM in the first place)

      OS in ROM is good for other things, though (speed, impossible-to-mess-up failsafe boot, etc).

  7. More FUD from Redmond and Studio City? by Secrity · · Score: 5, Insightful

    I may be getting my three-letter publisher names mixed up, but doesn't IDG do nice reviews for Microsoft? This whole scenario seems to be tailor-written as FUD promoting the Trusted Computing model and its successors. The winners of this fictitious version of Pearl Harbor are very easy to pick: Microsoft, RIAA, MPAA, and the studios.

  8. if you think about it by katalyst · · Score: 4, Interesting

    the internet is still a relatively infantile concept; rules are not rigid, and everyone's feeling their way around - with standards being reviewed and re-written every day. The future may as well be as the author claims it to be; the net surfers of today, the slashdotters, will be looked upon in the future as we do the hippies - they had their sex and drugs - we have/had any data/information we wanted. This DOES NOT mean that I disapprove of today's internet; after all, who has the right to decide on our behalf what we can know and what we can not. But with mega-organizations like RIAA pushing harder for stringent rules (yes, though they can claim to have a valid concern), I won't be surprised if our grandkids point fingers at us and say "hey - in your days, couldn't you look up how to make bombs and hack and even look at naked women?"

    --
    |/________
    |\A|ALYS|
  9. Comment removed by account_deleted · · Score: 4, Insightful

    Comment removed based on user account deletion

  10. Security Experts expect Security Problems?? by qortra · · Score: 5, Insightful

    Yes, and mechanics expect broken cars, teachers expect ignorant people, and doctors expect injuries. Of course, just by explaining what they "expect," security experts create more business for themselves by instilling fear in the public. Whatever.

  11. Secure package management to avoid trojans by Debian+Troll's+Best · · Score: 4, Funny

    The 'experts' in the article seem to think that restricting access to the internet and to software applications would be a good thing for security in the long run. I'm only a humble system administrator, so it isn't for me to decide on high level policy, only to implement it. But where I feel I can comment is on a technical level. Possibly the biggest threat the average user faces today is that of the 'trojan'. No, not the prophylactic device, but the type of insidious security threat that you invite into your virtual home, where it then uncloaks into something altogether nastier. Devising systems to combat the spread of trojans is something which I devote a lot of my spare time to. Linux users think they may be immune to trojans, but that isn't true. 95% of Linux users trust their binary package managers implicitly, yet this is where the biggest hole is. I propose a solution: Trusted apt-get.

    Trusted apt-get is a fully secured, digital rights managed version of the popular package management system for Debian. However, Trusted apt-get differs in many ways. In order to avoid the situation of people being tricked into installing trojan-containing .deb files, all Trusted apt-get packages come from secured, trusted servers. Many of these are hosted in former Russian military data centres, and are easily identified by their '.ru' domain names. This is a mark of trust. Secondly, the Trusted apt-get source code has undergone a line-by-line security audit by Theo from OpenBSD. A lot of people believe that Theo isn't all that keen on Linux, but it's mostly been due to the lack of security focus. Trusted apt-get changes that. The final component is a DRM layer in apt-get, which allows for trusted, copyrighted closed source packages to be easily installed on any Debian system. This DRM layer is implemented using standard UNIX crypt() calls, so it's really portable, yet really secure.

    We can all look forward to the day when downloading trusted, trojan free software is as simple as issuing a 'trusted-apt-get install gator' command (followed by a reboot. Rebooting flushes insecure code from the processor execution stack, and is the only NSA-approved way to install software safely on a UNIX/Linux system). I believe Trusted apt-get will be available as the standard package manager from Debian 4.0 onwards. Until then, apt-get play it safe.

  12. That's stupid! by ByteSlicer · · Score: 5, Insightful

    Preventing people from accessing security-related information will only make things worse. Hackers will create their own tools, and find security holes on their own. Yes, there will be fewer people who know about the holes. But they will be able to do more damage, since there are too few people who have the knowledge to stop them.

  13. Security should be simple by zero-one · · Score: 4, Interesting

    It should be simple to write secure software. Most current operating systems (in their default configuration), assume that applications run by the current user should have all the powers and privileges of the current user. This is obviously wrong.

    If I install a text editor, I probably don't want it to be able to access the Internet. It should be possible to say, "for this app here, don't let it do anything network related". That way, no matter how badly the text editor is written, it can't do any harm beyond the data it is allowed to work with. If I then want to use the text editor to print to a network printer, I should be able to tweak a few options to make that possible (without enabling anything else).

    Ideally, all of this would happen when an application is installed. If there were some UI that said, "This here program is asking for the following rights, is that OK?", I would immediately know what I was letting myself in for.

    I know there are various ways of doing this kind of thing at the moment (virtual machines, using permissions more effectively or using different accounts for software) but none of them are particularly easy to get going.

    With all of this implemented correctly, it should be possible to run any application (no matter where it came from) without risking all the data on a PC and connected resources, and to deal with security in a way that any normal user would understand.

  14. I don't get this.. by -noefordeg- · · Score: 5, Insightful

    Diversity is what keeps the 'digital world' going. Standards specify how we communicate, but what we do with the information we process is up to the operating system/applications.

    What the article suggests is that we should have 'standard' ways of doing this, "standard software patches". Now what if someone breaks that standard and introduces a bug/backdoor into a standard patch which everyone will receive? We'll have a situation much worse than what can possibly happen today.

    "The federal government will mandate that users must authenticate their identity to access the Internet itself"
    -Wow! Only one place 'to hit' to deny everyone access to the internet.
    What if I identify myself as someone else? Of course it will happen; then someone can wreak havoc and later the innocent neighbor will be arrested because:
    'It was him, without doubt, that did all this and that on the internet. Proof? We have logs which clearly show the perpetrator logging on to the net'

    Standards and centralizing are what will bring us a 'digital Pearl Harbor' (what a stupid name).

  15. Death of the Internet predicted; film at 11 by Savant · · Score: 5, Insightful

    This reminds me rather of the anxiety over the Y2K bug. I think the rather doom-laden scenario being predicted here is frankly overblown.

    "Then the lights wink out. Everywhere.

    Then it begins to get cold."

    Naturally, it leads into a Big Brother state from that point on. The article's a troll; it engages in emotive button-pushing.

  16. This guy is a muppet. by tolan-b · · Score: 5, Interesting

    I'm sorry, I couldn't finish the article, it was just pissing me off too much.

    This guy is utterly clueless, I mean look at this:

    Five factors distinguish the digital Pearl Harbor from the virus attacks we've suffered to date.

    First, it disrupts backup systems. Fragile networks heretofore have been mitigated largely with backup. Disrupt that and badness follows.

    Second, it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up. Due to the loss of backup, corporate earnings data is irretrievably lost. This panics Wall Street and destabilizes the financial sector.


    OK, a couple of things. First, "it disrupts backup systems". Riiiight. So this Flaw in 'the internet infrastructure' can also get to tape backups in safes? OH NOS!!!1!

    Second, "it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up."
    "it attacks the Internet infrastructure--such as domain name servers and routers--and industrial systems connected to the Internet, like utility control systems.". I'm sorry but if someone connects utility control systems to the net then they are the ones who should be strung up.

    The point is that bugs aren't a risk to 'national security'; they are a big problem, and will be very costly to business I'm sure, but an attack or accident that has a serious detrimental effect on people's lives, caused by security holes, just shouldn't be possible.

    This important infrastructure should not be connected to a fundamentally insecure network, and if you're looking for scapegoats, they should be those who allow that sort of level of insecurity. Look at that power station that got Blaster...

  17. No, it is not. by lennart78 · · Score: 4, Insightful

    My father-in-law complained about his PC being slow, so I agreed to take a look at it, suspecting it was infested with spyware and such. I was right, and I wiped the machine clean as best as I could. I also installed a personal firewall, so spyware/adware should not be able to dial up to the internet at their own discretion.

    What happened next is that when somebody wanted to visit an Internet page, or collect or send some email, that firewall would first ask permission for the app to contact the Internet. The first question was whether the app was allowed to contact host X.X.X.X at UDP/53. This, of course, means bollocks to the average user.

    The moral of this story is that you need in-depth knowledge of computers, software and (TCP/IP) networks in order to tell your computer if an action can be considered safe.

    You could pose that a text-editor does not need Internet connectivity. How many of you guys use freeware/shareware that is ad-supported? How many (even payware) apps 'phone home' nowadays before even displaying anything like a splash screen?

    Security of software and operating systems is primarily the responsibility of the writer thereof. You can NOT trust your average user to know what's safe and what's dangerous. You simply can't.

    Viewed in that light, locking down a users rights, even on his/her own box, seems like a decent idea. It would save a lot of spam and virus trouble, and spyware firms would be out of business before the week is over.

    I however think that I know what I'm doing, and I demand my rights. I'm willing to take a test of competence if needs be, but I will under no conditions give up the control of my system to anybody, especially to companies or governments.
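    The per-application rights model in comment 13 and the unreadable "host X.X.X.X at UDP/53" prompt in comment 17 are two sides of the same design, and the following is an added example of how they fit together; it is not code from either comment, from any operating system, or from any firewall product. Rights are declared per application and everything not declared is denied; a network right is scoped to a protocol, a port and optionally a host, so the text editor can be granted one printer and nothing else; and the installer's question is phrased from a table of well-known ports instead of raw addresses. The class and function names, the port table and the sample applications are assumptions of the example.

```python
"""Per-application rights with default deny and human-readable prompts.

Added example; not code from either comment, from any OS or from any
firewall product.  AppRights, NetRule, may_connect, may_open and the
WELL_KNOWN table are names and data assumed for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import posixpath

# Labels for the (proto, port) pairs a desktop app commonly asks for, so a
# prompt can say "look up host names (DNS)" instead of "X.X.X.X at UDP/53".
WELL_KNOWN = {
    ("udp", 53): "look up host names (DNS)",
    ("tcp", 53): "look up host names (DNS)",
    ("tcp", 80): "browse the web (HTTP)",
    ("tcp", 443): "browse the web (HTTPS)",
    ("tcp", 25): "send mail (SMTP)",
    ("tcp", 110): "fetch mail (POP3)",
    ("tcp", 143): "fetch mail (IMAP)",
    ("tcp", 631): "print to a network printer (IPP)",
    ("tcp", 9100): "print to a network printer (raw)",
}


@dataclass(frozen=True)
class NetRule:
    proto: str                  # "tcp" or "udp"
    port: int
    host: Optional[str] = None  # None = any host; a printer grant should pin the host

    def describe(self) -> str:
        what = WELL_KNOWN.get((self.proto, self.port), f"use {self.proto.upper()}/{self.port}")
        return what + (f" on {self.host}" if self.host else " (any host)")


@dataclass
class AppRights:
    """What an installed program may do.  Anything not listed is denied."""
    name: str
    paths: Set[str] = field(default_factory=set)      # directory prefixes it may read/write
    net: List[NetRule] = field(default_factory=list)  # empty = no network at all

    def grant(self, rule: NetRule) -> "AppRights":
        """Copy with one more network right: the 'tweak a few options' step."""
        return AppRights(self.name, set(self.paths), self.net + [rule])


def install_prompt(app: AppRights) -> str:
    """The question the installer should ask, in terms a user can answer."""
    lines = [f"{app.name} is asking for the following rights:"]
    lines += [f"  - read and write files under {p}" for p in sorted(app.paths)]
    lines += [f"  - {r.describe()}" for r in app.net] or ["  - no network access"]
    return "\n".join(lines) + "\nIs that OK?"


def may_connect(app: AppRights, proto: str, host: str, port: int) -> Tuple[bool, str]:
    """Default-deny check for an outgoing connection, plus the reason a prompt would show."""
    for rule in app.net:
        if rule.proto == proto and rule.port == port and rule.host in (None, host):
            return True, f"{app.name} may {rule.describe()}"
    want = WELL_KNOWN.get((proto, port), f"use {proto.upper()}/{port}")
    return False, f"{app.name} has no right to {want} (tried {host})"


def may_open(app: AppRights, path: str) -> bool:
    """Prefix check on the normalised path, so '../' cannot escape a granted directory."""
    norm = posixpath.normpath(path)
    return any(norm == p or norm.startswith(p.rstrip("/") + "/") for p in app.paths)


if __name__ == "__main__":
    editor = AppRights("editor", paths={"/home/alice/docs"})
    print(install_prompt(editor))
    print(may_connect(editor, "udp", "192.0.2.53", 53))       # denied: no network right at all
    printing = editor.grant(NetRule("tcp", 9100, "192.0.2.10"))
    print(may_connect(printing, "tcp", "192.0.2.10", 9100))   # allowed: exactly the printer
    print(may_connect(printing, "tcp", "192.0.2.10", 80))     # denied: same host, other port
    print(may_open(editor, "/home/alice/docs/../.ssh/id_rsa"))  # False: traversal normalised away
```

    The decision and its reason come back together because the reason is what a non-expert sees: "editor has no right to look up host names (DNS)" is answerable, "host X.X.X.X at UDP/53" is not. Real enforcement needs the kernel behind these decisions (a network namespace, a seccomp filter, or a mandatory access control profile); the policy layer above only decides what to enforce and what to ask.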

  18. Relative security of Linux distributions by Debian+Troll's+Best · · Score: 4, Funny

    With so much of the web's infrastructure now running on Linux systems, the question needs to be asked: "How secure is the average Linux distribution?" If Linux is to continue its drive into the data center, with solid distributions like Debian and Mandrake at the spearhead, is it time for the Linux kernel to undergo the same type of rigorous, line-by-line security audit that OpenBSD has been built around? What is the opinion of Slashdot users out there who have had to implement a 'front line' Linux box, exposed to the day-to-day attacks that are part and parcel of an Internet-exposed server? Are you wanting more security, or is Linux solid enough? Is OpenBSD really necessary, or is it mostly just hype? And are our current packaging systems robust enough to prevent the kind of trojan episodes which seem to grip the Windows 2000 Server community on an almost weekly basis? Can apt-get take us up to 2010 in secure confidence? I'd love to hear your opinions.

  19. Surveillance doesn't scale by starseeker · · Score: 4, Interesting

    "Authentication doesn't scale. But surveillance does. "The costs to observe are virtually zero, so it's not a question of will it exist, but what will we do with it?" Geer asks."

    The AMOUNT of information you collect can scale, but the UNDERSTANDING of that information is limited by the processing capability of the organization collecting it. Not to mention its power and ethical use are in the hands of one organization.

    I'm hoping by 2010 we will have remembered not to trust the government too much. Power corrupts, and post Sept. 11 is no different than pre as far as that goes. Nor is post digital Pearl Harbor different from pre.

    Bad things can happen - we have to accept that or do our society great damage. Any fixed target is a soft target, and computers and the internet are no different from anything else that way. The biggest liability right now on the net is unpatched Windows machines. Fixing the problems isn't enough - the fixes must be put into action. How do we solve that problem? Dunno, unless we do it right the first time (www.eros-os.org). But a free society has to be worth any price, or it will collapse. I won't accept government oversight as the price of keeping my computer safe - that price is too high. Particularly when it won't solve anything.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  20. pearl harbor? by Anonymous Coward · · Score: 5, Insightful

    Politicians always think it's going to be an "electronic Pearl Harbor" but never imagine that it will actually be an electronic Exxon Valdez, or Bhopal, India.

    The entire assumption is that some rogue power will launch a surprise attack on mothership America, when really, a bit of crappy code created by a monolithic company will cause widespread harm to the network and the economy.

    It's already happened, look at Blaster/Nachi. The amount of background noise on the Internet caused by worm traffic in the core will only increase, and interestingly, probably to the point where it will make bandwidth expensive again.

    As a security professional, it is always embarrassing to hear colleagues talk like this. It's self serving, unsophisticated, and politically motivated.

    Get off it.

  21. Cost, skill, time by PureFiction · · Score: 4, Insightful

    Secure programming requires additional skill and focus during design, development, testing and configuration. This drives up costs and extends schedule for any project.

    Ultimately the market decides winners in the software space (usually), and everyone needs to see security as a feature worth paying more for, in terms of employees designing and building the systems, to QA testers performing thorough audits before deployment, to users comparing choices in the corporate or consumer software space.

    The author argues that it will take a digital pearl harbor to affect this change. I doubt it will be as drastic. We are already seeing consumers, users and businesses move towards more secure systems (and adding more diversity - breaking the monoculture)

    The pain is only going to increase as attacks grow more and more prevalent, and damage more and more severe. Instead of a single, high profile event, I think we are going to see the current trend continue and accelerate: more and more people spending more money on secure systems, and diversifying their environments.

    In the software market consumers and producers are equally responsible for the state of security - it costs more time and money and skill to build secure systems: are people paying more for the secure alternatives on the market? Do people make a thorough effort to address security before purchase? Until the answer is yes, the current methods will remain the market leader. Those that ignore security (to the extent they can) will come to market faster and cheaper than their more secure alternatives.

    Those that put a premium on secure systems will spend more for a solution that gives them the stability and features they require, and understand the tradeoff involved in terms of cost, time and skill.

  22. Redundancy is where? by cardpuncher · · Score: 5, Insightful

    It's a populist piece of scaremongering, but it raises one valuable point: the fact that there are fewer and fewer baskets to contain the vital infrastructure eggs.

    If you have separate wires for power, telephone and internet and an entirely separate mobile phone network you have a fair chance that enough of them are going to stay working to allow you to repair the ones that aren't.

    If your voice communications are running over IP over your powerline and the phone companies throw out their phone switches and replace them with VoIP routers which are also switching internet traffic and, incidentally, providing virtual private networks which link the utility companies' control and monitoring systems, then the chances of everything going down together are significantly increased.

    The only way to stop this tendency is to change the definition of "bottom line" and that can only be done through our old friend regulation.

  23. The Apocalypse 2k4 by Sklivvz · · Score: 4, Insightful

    This article is both bogus and dangerous. It's just a 2004-revamped prophecy of the apocalypse:
    The apocalypse:
    1) Predict utter destruction for the whole mankind
    2) People freak out
    3) Enforce your own agenda ("Give me your lands and you will be saved when the world ends in year 1000")
    4) Profit! The church is the richest state in the world.

    This FUD:
    1) Predict utter destruction for the whole mankind
    2) People freak out
    3) Enforce your own agenda ("Give me your freedom and you will be saved when the time comes!")
    4) Profit! Corporations control mankind.

    It seems so obvious to me that's scary! A few points worth considering - let's dispel the FUD:
    - The article says that every computer has 200,000 bugs in 2010. Omits to mention that in a multi-cultured internet (different computers, OSes, software) most computers would have a different set of bugs and therefore an attack couldn't possibly take down the whole, totally redundant infrastructure.
    - If the internet goes down, everything (economy, electricity...) falls with it. Omits to mention that such statements should be proved.
    - A more rigid security system would be more secure. False, people like Kevin Mitnick have been getting inside the world's most secure servers with very little problems, by using social engineering. Now, unless you can actually program the way the mind of people works, well, there's little you can do about it.
    - Look who's talking. Uhm, a security expert suggesting more security - more than a little conflict of interest there...

    I'm sure there are many more loopholes in this article, I leave to the reader the task of finding them :-)

    By the way, if someone told you "You're gonna die tomorrow! Do as I say and you will be spared!", how would you regard him/her?

  24. Pearl Harbor? Who would notice? by lone_marauder · · Score: 4, Interesting

    The problem with the idea of a "digital pearl harbor" is the question of whether anyone would notice it. The metaphor suggests a peaceful world where computers and computer users are free to play in the wild with no fear until black Sunday finally comes and takes away all our innocence. The problem is that we don't have that innocence.

    Try to bring up a Windows 2000 workstation, freshly installed with no patches, and connect it to the Internet. In minutes it will be infected by a virus. Any one of the major security stories of the past five years would far exceed Pearl Harbor in terms of actual impact upon the information world. In fact, problems such as SQL Slammer are more like the invasion of the Mongols, and the spam problem is global thermonuclear war.

    --
    who are those slashdot people? they swept over like Mongol-Tartars.
  25. Re:Agreement by Bi()hazard · · Score: 5, Insightful

    Be careful-this article hardly seems legitimate. The article is simple fearmongering written by an author who only seeks to stir up attention of any kind. Unfortunately slashdot has furnished that attention. Allow me to expound on my position with some evidence.

    The author is the same one who wrote "Patch and Pray", an article that starts off with "It's the dirtiest little secret in the software industry: Patching no longer works. And there's nothing you can do about it. Except maybe patch less." Somehow I sense a pattern of fearmongering and irrational, attention whoring claims by this guy.

    But let's analyze the article slashdot posted on its own merits. Here are a few choice quotes taken directly from the article:

    digital Pearl Harbors are happening every day.

    That kind of defeats the point of calling something a "Pearl Harbor" doesn't it? The author is just trying to make things sound scary by wielding historical words.

    TIPPING POINT: On Dec. 7, 2008, computer systems around the world go down simultaneously. They do not come back up.

    That's right, they do not come back up. The machines all catch fire or something, so you can't repair them.

    This panics Wall Street and destabilizes the financial sector. People run to their banks, but the banks cannot disburse funds; their networks are down. As are the credit card networks and the ATMs. If you don't have cash, you go hungry. Then the lights wink out. Everywhere. And it begins to get cold.

    If you put that in a movie script, any studio would laugh in your face at the lack of realism. Yet this kind of nonsense flies in computer security articles?

    People are hungry. Freezing. The old and the young begin to die. The strong turn against each other.

    It just gets better and better! But there is a bright side if you read on...

    "[in 2010] the average PC, while it may cost $99"

    Yes. They are actually stating that they expect the average PC to cost $99 in 2010. This makes it obvious where they're getting the rest of their numbers from: straight-line approximations. Take what's happened during the last two years and assume the same thing keeps happening for the next ten. There's a word for that, and it's not statistics; it starts with b and contains an s.

    Of course, to have a reformation, you need a Martin Luther...Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he's experienced firsthand.

    You mean like, oh, Bill Gates? Microsoft wants better security already; they just can't implement it correctly, and many of their plans are misguided. But anybody in MS who could avert the next Blaster would get a promotion, not the axe. The company isn't quite the demonic hive some /.ers make it out to be; they simply exist to make money and dominate the market. Good security equals good money.

    TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.

    Now this guy is trying to hype yet another crazy how-to-program-better-with-process scheme. Let me guess, he's co-authoring a book about TSP and PSP? Yep, they reduce coding errors by a factor of 10, cure cancer, and bring about world peace.

    "We're reaching our limit with the angst. Popeye once said, 'I've had alls I can stands and I can't stands no more.' We're reaching that point."

    Just imagine how those lines would go over in a security presentation in your company. "Boss, we have too much angst!"

    And even features within programs, like the ability to forward e-mail messages, will be shut off.

    Yes, that's right, the article made that prediction. You won't be able to forward email. Sure.

    The federal government will mandate that users must authentic

  26. Could have been worse in Q4 2003. Couldn't it? by sokk · · Score: 5, Insightful
    I tried to explain to a co-worker of my father how insecure the net really was in the last quarter of 2003. I told him that if a virus writer had wanted to, he could've pretty much put the whole society to its knees (corporations and such; hopefully not infrastructure and critical services).

    Look at it this way: the viruses and worms that haunted the net at the time were more or less friendly, concept-like viruses. It could've been much worse. What if the viruses that roamed the net would:

    Destroy your data / the operating system silently (shredding your files so that they can't be recovered).

    Mail your documents to everyone in your contact registry (e.g. mailing corporate files to competitors).

    Hopefully, the reason why the viruses weren't dangerous was this: if you have the skill to write such a virus, you can probably imagine the consequences.

    What are your thoughts on the subject?

  27. Oh good grief. by Flower · · Score: 4, Insightful
    Who the fuck is going to let utility control systems be directly connected to the Internet? What? Private networks are going to totally go the way of the dino? We're all going to smoke crack and forget how to implement redundancy and high availability? We won't be able to take the systems off the Internet, burn them to the ground and rebuild them incorporating the patch? Explain to me how all backups are going to be unrecoverable and, more importantly, how such an event is going to remain undetectable? What? No one will be running a HIDS five years from now?

    What about advances in security technology? Targeted IDS is still in its infancy. What about CERT's research into survivable systems engineering? Patch management software is going to suddenly go the way of the Dodo?

    From my understanding, the general consensus is that SOX auditing will eventually include all systems which run the business, not just the ones involved in financial reporting. That auditing requires a verified disaster recovery procedure and security documentation.

    Am I saying there is absolutely no chance it could happen? No. But a lot of security people much better than me are going to have to be lobotomized before I think a digital "Pearl Harbor" is plausible.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie