The Next 50 Years of Computer Security
wbglinks writes "An informative interview with Linux guru Alan Cox, with an emphasis on Linux and security. Alan will be the keynote speaker at EuroOSCON this October." From the article: "It is beginning to improve, but at the moment computer security is rather basic and mostly reactive. Systems fail absolutely rather than degrade. We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
This reminds me of a conversation I had with my business partner regarding computer security:
Imagine a hacker group that offered to protect your system against other hackers. In exchange for x% of your computer cycles, x% of your HDD space, a predetermined number of pop-up ads, etc., the group would guard your computer against others attempting to compromise it for its own use. The group would connect to your system from the internet, install their rootkits, and regularly scour your system looking for intruders, which they would zealously remove. Because they would be paid in computer resources (disk space, cycles, etc.), it would be in their best interests to keep your system as free from other parasites as possible. In much the same way as the bacteria growing in our mouths prevent them from being colonized by other, much more harmful bacteria, the group would defend its box against intruders.
Just an idea...thought I'd throw it out there and see what the Slashdot crowd thought of it (be gentle ^_^).
____
~ |rip/\/\aster /\/\onkey
[...] at the moment computer security is rather basic and mostly reactive.
OpenBSD has been proactive since Day 1. And, really, can anyone speak authoritatively on computer issues 5 years in advance let alone 50?
If I drank a strong tea brewed from Theo de Raadt's toenail clippings I could glean knowledge from perhaps a couple of days in the future, but beyond that you're getting into the realm of Xenu.
Trolling is a art,
Seems to be the classic 'sleep with the devil' scenario. The problem occurs when the hackers, over time, want more than you want to give/barter with.
-Valiss
... Linux was only 5 years away from mainstream.
I can't see how anyone can claim to know what is going to happen in the next 50.
The controls that an organization would need to put in place to avoid being utterly exploited in such a scenario are pretty much the same controls needed to manage systems securely in the first place. So as a thought experiment, this is useful. As an actual practice, forget it.
Parity: What to do when the weekend comes.
"In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them." - however, in a sense we are unfortunate that they generally take control of them to destroy someone else's computer; it just depends on how selfish you are.
Matthew Grint Midnight Artists
Sounds like a classic protection racket to me.
This last area is very important. We know the theory of writing secure computer programs. We are close to knowing how to create provably secure computer systems (some would argue we can--e.g. EROS). The big hurdles left are writing usable, manageable, provably secure systems, and the user.
It may be possible to establish "limited" proofs of security which are tightly defined in small areas, but a provably secure operating system is impossible. It's impossible on so many levels that I expect that Alan Cox doesn't understand the issues deeply enough.
There are a number of problems with creating a secure operating system. One is the amount of code it takes. You can't create a security proof on huge volumes of code. Hundreds of lines? Probably. Thousands of lines... maybe... hundreds of thousands? No chance.
The next problem is that we haven't figured out a way to make security modularise. You can't say "method 1 is secure, method 2 is secure, therefore using method 1 after method 2 is secure." It just doesn't work like this. You can put two secure pieces of code together and get insecurity. This means you have to treat the whole operating system as one huge program, all of which needs to be proven secure.
The third problem is that even if you establish a proof of security, this still isn't enough. Your proof is based on some formalisation of the language, but the compiler itself might be buggy (either by accident or on purpose) and might compile in a way that breaks your proof. Ouch! cuO
Too often we strive to absolutes in security. Security is not binary. It is not a zero or one but a complex set of trade-offs and risk mitigation.
Simon.
"City hall" in German is "Rathaus" Kinda explains a few things......
cos if they actually destroyed them, then people would take proper care... apparently, it's quite normal for people to view their ms-windows boxes filling up with vermin etc. as just a fact of computer life... they only do something when they can't get online anymore... and then it now appears cheaper to buy a new box than get the damned thing fixed properly...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
Are you really that naive, or were you just trying to get modded up?
Professor Frink: Well, sure, the Frinkiac-7 looks impressive, don't touch it, but I predict that within 100 years, computers will be twice as powerful, 10,000 times larger, and so expensive that only the five richest kings of Europe will own them.
I'm a big tall mofo.
The reason your idea will never take off is that if this scheme turned out to be profitable to both the racketeers and the people paying for "protection", the government would step in and demand a monopoly in the "protection" racket. Now, you don't want the government installing their rootkits on your computer, do you?
Man is a slave because freedom is difficult, whereas slavery is easy.
In 50 yrs I'm going to assume that IPv6 (or v7,8,9) has taken over the world. Wouldn't that do a lot for basic internet security? No more scanning and rooting boxen.
As for stuff like BIOS erasers and disk locking tools, e-mail will no longer be a useful attack vector due to filtering. Then again, nothing can defeat stupidity.
Disclaimer: IANAL
[Fuck Beta]
o0t!
"In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
Of course, we will have to worry about the attackers that inadvertently destroy systems while trying to control them.
I'm afraid I can't let you do that, Dave...this virus is too important for me to let you jeopardize it.
He who knows best knows how little he knows. - Thomas Jefferson
Sounds like a good idea in principle, but who is to stop this group of hackers from using your resources for their own malicious intentions?
GL HF!
"Yes, Mr Sarbanes Oxley Auditor, I exposed my entire desktop computing infrastructure to a group of self-proclaimed hackers so they could uninstall spyware for me. Great idea, huh? Huh? Hey! Come back! I haven't told you about the foxes guarding the corporate henhouse yet."
I have a better idea. Swap some other commodity (like, say, money) for the same service, and call it an MSSP.
Which reminds me,
;)
where the hell is that freebsd virus?
The one that would infect windows systems, and once infected reformat the drive and install freebsd?
I've always wanted to actually see this thing...
so where is it?
Hey guys, I've got an idea, why don't we just get the barbarians to guard the gates of Rome?
KFG
Extrapolating recent trends, Pokemon will be President of the United Corporations of America. The United Middle East will be America's closest friend. Together, we will have obliterated the EU. No one will care about poverty and disease in Africa.
Computers will be so small, they'll be ingestable, with music players and cell phones being implanted in teeth. But DRM will be so pervasive that the RIAA will be allowed to inspect your mouth with toothpicks. The weakest link in computer security will still be the human being.
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
There are a large number of problems with your suggestion. I will outline only one.
... and then six months later your computer will be part of a gigantic DDOS or some other illegal act so large it will attract the FBI's attention. From here there are two possibilities. Possibility one is, the people you've been contracting with here are a legitimate business, in which case the FBI will get their contact information from you and have them arrested. Possibility two is, the people you've been contracting with here are not a legitimate business, in which case the FBI will arrest you for conspiring with an organized crime group. We can assume no group even remotely competent enough to even get into this hypothetical security "protection" business in the first place would be stupid enough to let possibility one happen. This leaves possibility two. See the problem?
One problem is that your suggestion is wholly founded on the assumption of computational resources being valuable. This is to an extent incisive, since you have realized that the reason why the formation of zombie networks has increasingly become the end goal of worms and such is that there is commercial value in those networks' computational resources. But this breaks down when you start to think about what they use those computational resources for.
Computational resources, by themselves, aren't particularly valuable or hard to obtain; even bandwidth resources are beginning to become expendable if you're smart about how you use them. Your average PC is absolutely awash in power it doesn't need. 20 years of "your computer is obsolete as soon as you buy it" has crashed out into "your five-year-old computer technically isn't obsolete yet". People who used to buy supercomputers often now just buy cheap PCs and leash them together. Anybody who just has a legitimate need for a lot of computation these days can most easily obtain this through totally legitimate channels.
The reason why hackers, worm-builders, spyware peoples, etc. obtain their resources through illegitimate means (like worms) is because they have illegitimate intents for those resources. They don't so much want 20% of the resources of a PC, they want 20% of the resources of a PC that can't be traced back to them. This is because once they have these resources, they're going to be using them for things like warez. Sending spam without compliance with local laws. Hosting dubious and virus-like spyware. Extorting businesses for money in exchange for not launching DDOS attacks against them. If you willingly give these people 20% of your hard drive and CPU, they aren't going to be using it for things like 3d rendering or protein folding; if that was all they wanted, they wouldn't need to be using hacker methods to get it in the first place.
Instead, if we go by your scenario, you'll give them 20% of your hard drive, CPU and bandwidth; they will protect you from the other hacker groups; everyone will be happy;
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Let me be the first to offer you those services as it describes my company exactly. We exchange security for a small meagre portion of your vast unused computer cycles and HDD space.
For everyone else, Do you need mass advertising? Do you need to get your message out in a cheap and effective manner? Contact me for mass electronic messaging promotions.
Live forever, or die trying.
"In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
This is not necessarily a good thing. I've read that Ebola and other very nasty diseases don't spread as far as they might, because they wipe out their carrier population too quickly. As opposed to HIV, which has time to slowly spread out. If an infected PC self-destructed after one round of outbound spreading, then it's not going to be continually spewing the junk like they do today.
Such a virus would burn through the supply of unprotected PCs quickly, and then go away.
But it's not absolute trust; just as helpful bacteria in our mouths can get out of control, software may (will?) prove vulnerable. So we still have to monitor and maintain our systems, installing security patches and changing administration practices accordingly.
And read it as Anonymous Coward? Makes the article funnier.
If we could eliminate all users, the internet would be much safer! All joking aside, what it comes down to is this: As long as there is information people want to protect, there is going to be someone who wants to read it, distribute it, sell it (?). Let's play a mental game... Suppose we come up with a truly proactive system to protect a home PC (which are mainly targeted to be zombies against riper targets). All a hacker needs to do is purchase a copy (or download it from IRC or some file-sharing service) and keep trying their virus or exploits against their own system on their own network until it works. Now you're still going to be dependent on the old reactive system of doing things to patch your brand new proactive system. Until we change the way we think about network security and adopt more distributed solutions to this problem, it's going to be very difficult to stop these people. In my opinion, it's going to take a completely different way of thinking about networking which, sadly, probably won't happen until some new technology necessitates it.
Government's view of the economy: If it moves, tax it. If it keeps moving, regulate it. If it stops moving, subsidize it.
The next 50 years of computing will see the introduction of AI to PC's in the form of an expert system designed to protect against intruders and malicious programs.
The problem is that the hacker would be using your computer resources for other illicit purposes, such as hacking computers belonging to other businesses. It would solve your problems at the expense of others. And imagine the liability of having their attacks traced back to your computers.
It would be no different than giving guns to thugs to protect your business. When they do finally get busted, the FBI will find your fingerprints on the guns.
Hah, don't you wish.
No, the reality of the matter is, their computer "just broke" because of "evil hackers" so they need to buy a new one from best buy, the one the pimply faced sales rep will be immune from that kind of attack, the one that's conveniently very expensive.
A worm which would spread fast like slammer and destroy infected machines after a short time is actually benevolent. It will destroy only machines that would otherwise be used as spam zombies. The day after the outbreak the internet would be clean again!
Patents Drive Free Software as Hurricanes Drive Construction Industry
Sounds like how Ankh Morpork runs - Vetinari legitimised crime by creating the guilds but made them responsible for keeping crime to within agreed limits. Of course, he had leverage over the guild leaders to make them comply. Not sure what I'd have over some Russian kid who I've never met.
Yep, sounds just like what m$ is doing right now, only they are doing a lousy job of it... or are they? It might be part of the master plan to get you to give them total control to get rid of those awful windoze worms, windoze viruses, windoze trojans, windoze hackers, windoze spyware, windoze adware, windoze etc...
FragHARD or don't frag at all
A group of whitehat extremists may become tired of lusers that don't patch their systems, and decide that they don't deserve to use the internet.
They then launch their virus and destroy on all non-patching infidels.
What, it could happen.
Um, dude, about those gates. We had to remove them because they were interfering with us getting in and out of the city to rape and pillage in our 20% of Rome. Oh, and by the way, we decided that we would rather rape and pillage in the 20% of Rome that contains the forums. Raping and pillaging in the slums wasn't working.
Yours truly,
The Visigoths.
This is a vision of the future produced by someone stuck in the past. :)
No offense, but a *lot* can happen in 50 years...
Right now, the worst that happens is you have to reformat your hard drive when the pop-ups and re-directors stop you from doing anything online.
If the systems were destroyed, you'd see a lot more effort put into protecting them.
From the summary...
In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.
Personally, I find it unfortunate. We would be more fortunate if the attackers did seek to destroy. I'd rather irresponsible people's computers were fried than to get tons of spam and viruses sent by them.
I believe those types would be classified as greyhats.
Ninjas don't carry tic tacs
Yeah. The problem is when they decide you need more "fire insurance."
I've always assumed that was what Norton was doing when it randomly stole half my CPU to not scan anything. I mean, it makes a lot more sense for them to *steal* my processor cycles than just *waste* them, right?
... but it would be pretty interesting days to live in for a time. Just imagine the circus! =)
;-)
Then again, it might just be good for those of us who don't run Windows. I mean, most important servers and the like aren't running Windows anyway, and those who do are probably pretty well firewalled. So we'd have the internet all to ourselves - probably the only thing I'd notice for quite some time is a shorter "Online Buddies" list.
Now, if we had the games, imagine those ping times!
Spine World
Possibility two is, the people you've been contracting with here are not a legitimate business, in which case the FBI will arrest you for conspiring with an organized crime group.
Plausible Deniability
And don't forget... You can't arrest a corporation. Just the individuals that work for it. Thirdly, you can't go after the shareholder's assets unless they have been directly implicated in the crime.
Lastly, the crime might have been intentional in order to get the FBI's attention. Of course you'd be dealing with a Class A hacker, but if you wanted to get rid of someone for a while you'd just put illegal underage images on their computer and then attract attention to that computer.
Then again... I'm throwing around terms and ideas that would just make a good murder mystery and no one would apply them to real life.
Still... Leasing out your computers to people outside with the pretext they will protect you is a bad idea.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Ah so you noticed! I was wondering what Microsoft was doing with my hardware all these years...
-=fshalor
This will probably be modded as a Troll or Flamebait, which I suspect is how many people here will see it. *sigh*
The fact is that Linus and most of the linux kernel dev team don't see security as a priority. Linus designed linux to be fast and flexible. He achieved those goals admirably. But the design does not take security into account.
Yes, there are a couple of projects that are doing a great job trying to bolt security onto Linux, but in all seriousness, the security is just bolted on, not built in. So until we, as a community, start to take security into account as a priority, Linux will still have a very reactive security approach.
We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet...
Wouldn't a variant of this attack be great for hardware vendors? Read the BIOS and kill a certain percentage of the oldest computers per year. They're old, so folks probably wouldn't think twice about a hardware failure.
Instant upgrade.
Profit!
*Workable means you can do this in finite time.
1) For each function, determine the preconditions, postconditions and the formal description of that function.
2) For each of the derived specifications, modify the specifications to be robust (ie: no invalid states are possible).
3) For each subunit of code that is referenced outside of the unit it is within, add mandatory access controls with a default of "deny", except for the mandatory access control system's check access function which should have a default access of "accept", and the bootstrap code which should have no access controls as the MAC system won't be running at the time.
4) MAC systems should be hierarchically defined in terms of linking a set of users to a set of rights those users can have. You then have as many mappings of this kind as you need. But because it is hierarchical, an application run by another application cannot assign rights it doesn't know about, nor can it assign rights to users it doesn't know about. An application accessed by paths with different rights must associate the rights to the path used to connect to it and define those as the superset of rights that path has when calling sub-components.
Oh, and MAC system interaction should follow the paradigm laid out under the Byzantine Generals' Problem - in other words, MAC systems should distrust each other enough that they can detect any MAC system that turns traitor.
5) MAC should apply to EVERYTHING. The network, memory pools, swap space, shared memory, everything. No resource should have permit access rights by default and no resource should allow unconstrained access granting. The resource should be able to control who can be granted access, so no one central system hands out access.
6) Remote connections (via any kind of connection outside of the defined physical machine) should be secure channels (host authentication, user authentication and data validation) and should have access rights limited to the subset of rights allowed to both remote connections, the remote host and the user who is performing the access. This is in addition to any constraints imposed by the application being connected to or any access rights it inherits (and is therefore limited to).
7) As part of 5, no "superuser" account should exist. Administrator accounts should only be permitted to administer, they should not be permitted to do anything else. There would be no "root" account, for example.
8) Once the specification has been hardened as above, it then needs to be re-implemented as code and then the code must be formally verified against the specification for correctness.
The first consequence of all of this is that paths would be very tightly constrained, making any kind of breaking out of the box about as close to impossible as you can get.
The second consequence is that because all access control is independent (but hierarchical), breaking the security of one module won't affect the security of anything else and won't grant any rights in excess of the subset defined by the intersection of the rights allowed by the path of connection, the broken module, the module then accessed and the broken module's rights within the module then accessed.
The third consequence is that, because the default is "deny", nothing can do anything not explicitly authorized by the entire chain of connections.
Could this be done in Linux? Sure. If you add the kernel, X, KDE/QT, Gnome/Gtk, the GNU suite, etc, together, you're probably talking a billion lines of code. One million coders could probably do this entire eight-step lockdown over the whole of that codebase in a year, maybe two. There are more than a million coders o
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
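A toy model of the hierarchical, default-deny MAC scheme laid out in steps 3 to 7 of the post above, as an added example that is not code from the thread; the Module/effective_rights/check_access names and the alice/admin/mallory scenario are this example's own assumptions.

```python
"""Toy model of the hierarchical, default-deny MAC scheme from the post above.
Added example, not code from the thread; Module, effective_rights,
check_access and the alice/admin/mallory scenario are this example's own."""
from dataclasses import dataclass, field


@dataclass
class Module:
    """One unit with its own independent rights table.

    `table` maps a principal to the rights it may exercise *through* this
    module; a principal absent from the table gets nothing (default deny,
    step 3). `known_rights` is the vocabulary this module understands, so it
    can never hand out a right it does not know about (step 4)."""
    name: str
    known_rights: frozenset
    table: dict = field(default_factory=dict)

    def rights_for(self, principal):
        return self.table.get(principal, frozenset())

    def grant(self, admin, principal, right):
        """Administration is just another right ("grant"), checked like any
        other: an admin may administer this module and nothing else (step 7).
        Granting "grant" itself is refused so no module can mint new admins."""
        if "grant" not in self.rights_for(admin):
            return False
        if right not in self.known_rights or right == "grant":
            return False
        self.table[principal] = self.rights_for(principal) | {right}
        return True


def effective_rights(path, principal):
    """Rights `principal` ends up with after entering through path[0] and
    calling inward to path[-1]: the intersection of what every module on the
    path grants (steps 4 and 6). A remote entry point is modelled as the
    first module, so its narrower table caps everything behind it."""
    if not path:
        return frozenset()
    rights = path[0].rights_for(principal)
    for module in path[1:]:
        rights &= module.rights_for(principal)
    return rights


def check_access(path, principal, right):
    """Default deny: True only if the whole chain explicitly authorises it."""
    return right in effective_rights(path, principal)


def demo():
    """Constructed scenario: a network entry point, an application and a data
    store, with tables the (uncontrolled) bootstrap step would have installed.
    Returns the observations the post's three 'consequences' predict."""
    store = Module("store", frozenset({"read", "write", "grant"}),
                   {"alice": frozenset({"read", "write"}),
                    "admin": frozenset({"grant"})})
    app = Module("app", frozenset({"read", "write", "grant"}),
                 {"alice": frozenset({"read", "write"}),
                  "admin": frozenset({"grant"})})
    net = Module("net", frozenset({"read"}),
                 {"alice": frozenset({"read"})})
    r = {}
    # Locally alice reads and writes; over the network the same path is
    # capped by what the remote connection itself is allowed (step 6).
    r["local_alice"] = effective_rights([app, store], "alice")
    r["remote_alice"] = effective_rights([net, app, store], "alice")
    # No superuser: the admin can administer the store but not read it.
    r["admin_reads"] = check_access([app, store], "admin", "read")
    r["grant_unknown_right"] = store.grant("admin", "bob", "execute")
    r["grant_read_to_bob"] = store.grant("admin", "bob", "read")
    # bob now has "read" in the store, but app's table never heard of him.
    r["bob_via_app"] = check_access([app, store], "bob", "read")
    # Second consequence: an attacker who fully owns `app` rewrites its table,
    # yet gains only what the *intersection* with the untouched store allows.
    app.table = {"mallory": frozenset({"read", "write", "grant"})}
    r["mallory_in_app"] = effective_rights([app], "mallory")
    r["mallory_into_store"] = effective_rights([app, store], "mallory")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        shown = sorted(value) if isinstance(value, frozenset) else value
        print(f"{key:22} {shown}")
```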
So we need to write smaller code. Perhaps the "kernel" of the OS should not be responsible for memory management and device drivers, but security of communication between all parts built on top of it (including APIs and hardware access). Perhaps the micro-kernel will have its day after all. How does the security model of the Hurd differ from that of Linux?
I think Cox should focus on getting Linux up to par with Windows before he starts looking at 'the future'. How can he see the road ahead when he is stuck behind a bus?
"Hi I'm a 1337 Hax0r and I offer you a deal. Me and my friends will not take over your disk space if you give us some of your disk space."
It would be better to have a PC that is riddled with viruses and spyware, that infects anyone who ties up to it, and just have it as a dummy-PC for the 1337 Hax0rs to have to deal with. It wouldn't be a trojan horse, it would be a trojan castle.
Both, I think are a waste of disk space.
The vast majority would probably be much happier on another OS instead of Windows, 'cause let's face it, all modern malware is for Windows. UNIX and Linux offer enough options to satisfy just about any group, and the user/company gets to keep closer control on their systems and don't have to pay licensing fees to MS or buy antivirus programs and subscriptions on top of that, taking up computing cycles and HD space. UNIX and Linux users only have to keep their firewalls activated, or if you're an OSX user you can turn on Stealth mode. Open source is the future, and it's the answer to expand human knowledge, as no one group is holding the keys to knowledge when anyone anywhere can access info with open standards and formats.
"What does Alan Cox know about security?"
What do the moderators know about Alan Cox?
That's a really stupid idea. For one, it would only encourage other hackers to attack servers controlled by another hacker group.
That sounds to me a lot like paying your neighborhood gang "protection money".
"In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
Right, but I really don't see too much of a difference between a computer under the control of a hacker or hacker group and a destroyed computer, because either one makes a computer unusable for your average end user.
It's an exhaustive effort to get rid of hackers once they're in since they install all kinds of nasty software, so for people who don't know much except their computer is doing something weird and they're having their identity stolen, etc etc, they just throw it out and get a new Dell. I am not saying this applies to every user that doesn't know much about computers but I have seen it over and over again with friends, family, family friends, you name it.
So bottom line is, for a lot of people who have no expertise with computers, destruction of a computer due to hacking OR having the computer infected and controlled by hacker groups means you get rid of it, in which case there's not much difference between the two, since it leads to the same result.
I noticed 3 comments all similar to this. It struck me, the only reason that anyone is comparing it to organized crime or using henhouse metaphors is because the first suggestion was for "hackers" to protect us.
It sounds like anti-virus companies are charging us protection money already!
The Good Life
the shitty programming languages we use for building software? yes, I am talking about C and C++. Before I am modded as flamebait, I urge people to think twice about the programming languages we use.
Don't give them ideas!
That would be cavities and gingivitis in the original poster's dental analogy, eh?
> A group of whitehat extremists
You keep using that word. I do not think that it means what you think it means.
Someone should release a destructive virus that is capable of spreading to most systems out there. This would clearly identify the idiots that run systems that are not secure enough to be allowed on the internet. Once those systems are destroyed those users should then be barred from owning a computer ever again.
This is also when the cops come knocking at your door about all the illegal activity that's been coming from your IP :)
The next 50 years of computing will see the introduction of AI to PC's in the form of an expert system designed to protect against intruders and malicious programs.
So would a future version of Windows with this kind of AI uninstall itself the instant it's switched on?
Blank until
2 questions:
1) Why would I give my computer up to 'hackers', by which I assume you mean people who break into machines illegally or maliciously. There would be nothing to stop them from fully taking over the machine and doing whatever they want - i.e. under this arrangement I have no power or control over them to ensure they hold up their end of the bargain. Since what they are doing is probably illegal and they are more than likely in a far off country, I have no legal hold over them either.
2) What's the point of this when it's perfectly practical and possible to secure your machine anyway. Even if you must use Windows, logging in as a non-admin user, not using IE or OE and using common sense (don't click on the 'screensaver' in your email) is enough to keep your machine secure.
This (2)) is fundamentally different from the protection-racket scenario I think you've derived this idea from. In the protection-racket scenario there is nothing much you can do - maybe you can put a 10-cm thick steel door on your house, but if you do that the mob will just walk through the open front door of your cafe/bar/shop/whatever during business hours and demand their payment. So in short it's out of your control for all practical purposes, whereas having a secure internet-access machine (even with Windows) is not.
Pre-canned Evolution Links for all those Slashdot holy wars.
I'd think of it a bit like buying "cleaning services" for 10 cents a year; sure, in aggregate that might be worthwhile for someone to do (if they can get 2 million victims, say) ... but if some super-new virus happens that takes out 1% of their userbase, they sure as hell aren't going to care.
For that kind of "price" it's going to be all automated software, which a bunch of companies already do ... for not significantly more per customer, and are much more likely to not want bad press with problems of even a 1% margin.
ustr: Managed string API with ave. 44% overhead over strdup(), for 0-20B
Always endeavour to make computer security somebody else's problem, because it is without doubt the most mindless head f**k of the digital age, a route to instant endless digital paranoia. There are just so many different ways to break in, it isn't funny. Ye gods: hardware, software, network infrastructure and incoming data. Governments, corporations and crackers all looking for ways to sneak in whenever they want to. FUD for the day: how do you know that you haven't already been hacked, it's just that they've not had sufficient reason to actually do anything, "YET".
Chaos - everything, everywhere, everywhen
Parent post seems a whole lot more "Insightful" to me.
But what happens when your protection needs protection? That is called racketeering.