Slashdot Mirror
The Future of Security
Kvorgette writes "Scott Berinato in The Future of Security presents a very dark future of security in the years around 2010. Several computer security experts expect that a major security-related problem (a 'digital Pearl Harbour') will change software development procedures and remove the freedom in computer use we are striving for. The worst part is, most experts apparently think removal of software tools and access to information from the majority of computer and Internet users would be a good thing."
...or at least my customers think so. I am a security consultant, and I certainly do not believe that you'll get anywhere through removal of users' freedom. Nor do most of my "expert" colleagues. In fact, that viewpoint I've most frequently heard from fairly clueless middle management most concerned with immediate, bandaid fixes to deeper problems.
Like it or not, that's what it comes down to--freedom and choice. Our job is not, like in other fields, to "get to the bottom of the problem", but to fix the symptoms. Because, frankly, the cure would be worse than the disease.
Currently, you and I, as "clued" users, have access to the resources we need. We would be needlessly crippled by DRM, technical restrictions, whatnot. We all saw how effective US export controls on encryption technology were in the long run, and a lot of us have run into situations at work where we simply couldn't do the job with the given tools (all of which had to go through months of committees and acceptance testing, whatever.)
I'll grant you that corporations have more leeway in this; a company environment is more likely (and legitimately so) to be less flexible regarding software tools available to employees. But for general use?
I've been following loads of discussions among ISPs, for example, who see nothing fundamentally wrong with limiting traffic to ports 25, 110 and 143. Nice prospects, you say? Well take this a step further--when "someone" decides that the grannies of this world, whose PCs are currently spitting worms left and right, should be locked down, do you think that the type of legislation and technological restrictions necessary to do this will differentiate between the grannies and the "clued" users?
I don't have the answers, but I strongly suspect they go in the direction of continuing education. A few years ago, most people couldn't spell "virus" (well, they probably still can't, but they at least know what it is.) Putting the spotlight on security holes and spam and and and for the average joe is what gets results, not locking shit down.
Sorry for the ramble.
Cole's Law: Thinly sliced cabbage
Relying on OS patches is useless because the true dark-side hackers won't publicise any holes they've found until they've used them.
What could be useful is - dare I suggest it - holding essential OS kernel files in ROM. Slightly awkward if you want an upgrade, but not insurmountable with socketed chips. If you use UV-erasable ROM chips, you can still burn upgrades at home but remote hacking is impossible. And your PC would start up in the blink of an eye!
When I am king, you will be first against the wall.
I may be getting my three letter publisher names mixed up, but doesn't IDG do nice reviews for Microsoft? This whole scenario seems to be tailor written as FUD promoting the Trusted Computing model and it's successors. The winners of this ficticious version of Perl Harbor are very easy to pick; Microsoft, RIAA, MPAA, and the studios.
Yes, and mechanics expect broken cars, teachers expect ignorant people, and doctors expect injuries. Of course, just by explaining what they "expect," security experts create more business for themselves by instilling fear in the public. Whatever.
Preventing people to access security-related information will only make things worse. Hackers will create their own tools, and find security holes on their own. Yes, there will be less people that know about the holes. But they will be able to do more damage, since there are too few people which have the knowledge to stop them.
Diversity is what keeps the 'digital world' going. Standards specify how we communcate, but what we do with the information we process is up to the operation system/applications.
What the article suggest is that we should have a 'standard' ways of doing this, "standard software patches". Now what if someone breaks that standard and introduces a bug/backdoor a standard patch which everyone will recieve? We'll have a situation much worse that what can possible happen today.
"The federal government will mandate that users must authenticate their identity to access the Internet itself"
-Wow! Only one place 'to hit' to deny access for everyone to the internet.
What if I identify myself as someone else? Of course it will happen, then someone can wreak havoc and later the innocent neighbor will be arrested because:
'It was him, without doubt, that did all this and that on the internet. Proof? We have logs which clearly showes the perpetrator logging on to the net'
Standards and centralizing is what will bring us a 'digital Perl Harbor' (what a stupid name).
This reminds me rather of the anxiety over the Y2K bug. I think the rather doom-laden scenario being predicted here is frankly overblown.
"Then the lights wink out. Everywhere.
Then it begins to get cold."
Naturally, it leads into a Big Brother state from that point on. The article's a troll; it engages in emotive button-pushing.
I'm sorry, I couldn't finish the article, it was just pissing me off too much.
This guy is utterly clueless, I mean look at this:
Five factors distinguish the digital Pearl Harbor from the virus attacks we've suffered to date.
First, it disrupts backup systems. Fragile networks heretofore have been mitigated largely with backup. Disrupt that and badness follows.
Second, it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up. Due to the loss of backup, corporate earnings data is irretrievably lost. This panics Wall Street and destabilizes the financial sector.
OK, a couple of things. First, "it disrupts backup systems". Riiiight. So this Flaw in 'the internet infrastructure' can also get to tape backups in safes? OH NOS!!!1!
Second, "it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up."
"it attacks the Internet infrastructure--such as domain name servers and routers--and industrial systems connected to the Internet, like utility control systems.". I'm sorry but if someone connects utility control systems to the net then they are the ones who should be strung up.
The point is that bugs aren't a risk to 'national security', they are a big problem, and will be very costly to business I'm sure, but an attack or accident that has a serious detrimental effect on peoples lives, caused by security holes just shouldn't be possible.
This important infrastructure should not be connected to a fundamentally insecure network, and if you're looking for scapegoats, they should be those who allow that sort of level of insecurity. Look at that power station that got Blaster...
I could as easily argue that diversification of software and a multiplicity of non-binary-compatible platforms will lead to better security.
Monopoly suppliers can produce good code, but this places an excess of trust in the end user - a group who historically have not been eager and diligent in software patching.
Security loopholes become an issue when the software becomes omnipresent, as in Windows today.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
Politicians always think it's going to be an "electronic pearl harbor" but never imagine that it will actually be an electronic Exxon Valdez, or Bophal India.
The entire assumption is that some rogue power will launch a suprise attack on mothership america, when really, a bit of crappy code created by a monolithic company will cause widespread harm to the network and the economy.
It's already happened, look at Blaster/Nachi. The amount of background noise on the Internet caused by worm traffic in the core will only increase, and interestingly, probably to the point where it will make bandwidth expensive again.
As a security professional, it is always embarrassing to hear colleagues talk like this. It's self serving, unsophisticated, and politically motivated.
Get off it.
It's a populist piece of scaremongering, but it raises one valuable point: the fact that there are fewer and fewer baskets to contain the vital infrastructure eggs.
If you have separate wires for power, telephone and internet and an entirely separate mobile phone network you have a fair chance that enough of them are going to stay working to allow you to repair the ones that aren't.
If your voice communications are running over IP over your powerline and the phone companies throw out their phone switches and replace them with VoIP routers which are also switching internet traffic and, incidentally, providing virtual private networks which link the utility companies' control and monitoring systems, then the chances of everything going down together are significantly increased.
The only way to stop this tendency is to change the definition of "bottom line" and that can only be done through our old friend regulation.
Be careful-this article hardly seems legitimate. The article is simple fearmongering written by an author who only seeks to stir up attention of any kind. Unfortunately slashdot has furnished that attention. Allow me to expound on my position with some evidence.
./ers make it out to be, they simply exist to make money and dominate the market. Good security equals good money.
The author is the same one who wrote "Patch and Pray", an article that starts off with "It's the dirtiest little secret in the software industry: Patching no longer works. And there's nothing you can do about it. Except maybe patch less." Somehow I sense a pattern of fearmongering and irrational, attention whoring claims by this guy.
But let's analyze the article slashdot posted on its own merits. Here are a few choice quotes taken directly from the article:
digital Pearl Harbors are happening every day.
That kind of defeats the point of calling something a "Pearl Harbor" doesn't it? The author is just trying to make things sound scary by wielding historical words.
TIPPING POINT: On Dec. 7, 2008, computer systems around the world go down simultaneously. They do not come back up.
That's right, they do not come back up. The machines all catch fire or something, so you can't repair them.
This panics Wall Street and destabilizes the financial sector. People run to their banks, but the banks cannot disburse funds; their networks are down. As are the credit card networks and the ATMs. If you don't have cash, you go hungry. Then the lights wink out. Everywhere. And it begins to get cold.
If you put that in a movie script, any studio would laugh in your face at the lack of realism. Yet this kind of nonsense flies in computer security articles?
People are hungry. Freezing. The old and the young begin to die. The strong turn against each other.
It just gets better and better! but there is a bright side if you read on....
"[in 2010] the average PC, while it may cost $99"
Yes. They are actually stating that they expect the average PC to cost $99 in 2010. This makes it obvious where they're getting the rest of their numbers from: straight line approximations. Take what's happened during the last two years and assume the same thing keeps happening for the next ten. There's a word for that, and its not statistics-it starts with b and contains an s.
Of course, to have a reformation, you need a Martin Luther...Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he's experienced firsthand.
You mean like, oh, Bill Gates? Microsoft wants better security already-they just can't implement it correctly, and many of their plans are misguided. But anybody in MS who could avert the next Blaster would get a promotion, not the axe. The company isn't quite the demonic hive some
TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.
Now this guy is trying to hype yet another crazy how-to-program-better-with-process scheme. Let me guess, he's co-authoring a book about TSP and PSP? Yep, they reduce coding errors by a factor of 10, cure cancer, and bring about world peace.
We're reaching our limit with the angst. Popeye once said, 'I've had alls I can stands and I can't stands no more.' We're reaching that point."
Just imagine how those lines would go over in a security presentation in your company. "Boss, we have too much angst!"
And even features within programs, like the ability to forward e-mail messages, will be shut off.
Yes, that's right, the article made that prediction. You won't be able to forward email. Sure.
The federal government will mandate that users must authentic
Look at it this way; the viruses and worms that haunted the net at the time was more or less friendly, concept-like viruses. It could've been much worse. What if the viruses that roamed the the net would:
Destroy your data / the operating system silently (shredding your files so that they can't be recovered).
Mail your documents to everyone in your contacts-registry. (Eg. mailing corporate files to competitors)
Hopefully; the reason why the viruses wasn't dangerous was because: If you have the skill to write such a virus, you can probably imagine the consequences.
What are your thoughts on the subject?