Slashdot Mirror


The Next 50 Years of Computer Security

wbglinks writes "An informative interview with Linux guru Alan Cox, with an emphasis on Linux and security. Alan will be the keynote speaker at EuroOSCON this October." From the article: "It is beginning to improve, but at the moment computer security is rather basic and mostly reactive. Systems fail absolutely rather than degrade. We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

22 of 128 comments

  1. 50 years, eh? by grub · · Score: 5, Insightful

    > [...] at the moment computer security is rather basic and mostly reactive.

    OpenBSD has been proactive since Day 1. And, really, can anyone speak authoritatively on computer issues 5 years in advance let alone 50?

    If I drank a strong tea brewed from Theo de Raadt's toenail clippings I could glean knowledge from perhaps a couple of days in the future, but beyond that you're getting into the realm of Xenu.

    --
    Trolling is a art,
  2. Sleeping....? by Valiss · · Score: 3, Insightful

    Seems to be the classic 'sleep with the devil' scenario. The problem occurs when the hackers, over time, want more than you want to give/barter with.

    --

    -Valiss
    1. Re:Sleeping....? by Tackhead · · Score: 4, Insightful
      > In exchange for x% of your computer cycles, x% of your HDD space, a predetermined number of pop-up ads, etc., the group would guard your computer against others attempting to compromise it for its own use. The group would connect to your system from the internet, install their rootkits, and regularly scour your system looking for intruders, which they would zealously remove
      >
      > And once you let someone compromise your system, you'll never be able to fully trust it again. It's about the stupidest idea yet in computer security. The only reason it wasn't on that list of "top six stupid things" the other day is because it's not an adopted practice, and isn't taken seriously.

      Is that not the functional specification for Windows Update? (Ha ha, only serious.)

      For that matter, is that not the functional spec for every automatically self-updating piece of software?

      Your machine is as trustworthy as those you permit to administer it. To the extent that you install auto-updating software, your machine is only as trustworthy as the authors of that software.

      I'm highly confident that when my cron job asks apt-get to phone home, the maintainers of $MY_PET_DISTRO won't take advantage of the opportunity to place anything nasty on my machine.

      I'm somewhat confident that Microsoft isn't going to auto-disable even pirated Windows installations, nor to install a RIAA/MPAA sniffing trojan as part of its updates - at least, not without providing a few weeks of warning.

      I had so little confidence (as a matter of personal opinion) in the auto-updating and installation of DRM/software subscription services from www.steampowered.com that I never purchased Valve's Half-Life 2. (If you trust Valve, hey, go for it -- but Steam is, IMO, fundamentally no different than having companies like EA and Adobe decide to outsource the management of "licencing component services" to organizations like Macrovision and the BSA. Would you like to get your "security components" from DRM providers?)

      And finally, I'd have no confidence whatsoever in any machine that was required, as part of the Homeland Cybersecurity Act of 2012, to download security updates from updatefarm.cybersec2012.gov.

      On that scale, I'd place the original "cracker group" (perhaps affiliated with the Russian mafia) installing its own rootkits as somewhere between "less trustworthy than Steam, but more trustworthy than bsa.org".

      But there's fundamentally no difference between any of these options.

  3. looking back on the last 50 years, by JeanBaptiste · · Score: 4, Insightful

    I can't see how anyone can claim to know what is going to happen in the next 50.

    1. Re:looking back on the last 50 years, by cbiltcliffe · · Score: 1, Insightful

      Easy...watch:


      In 50 years, we'll have flying cars, world hunger and poverty will be a distant memory, and we'll all have a small nuclear fusion reactor in our basement which will power everything from our maid service robot to the 512-core 650GHz Pentium 17 computer in your home office.
      Bill Gates will disband Microsoft when he retires, and all his billions will be donated to help sick kids on Mars. (We'll have settlements there, after all, but the hospitals won't be quite up to snuff for a few more decades.)
      When the Voyager 17 warp-drive probe reaches Alpha Centauri in 2043, it will be regarded with deep suspicion by the natives, and subsequently dismantled. George W. Bush the 5th will then unilaterally decide that the Alpha Centaurians must be in league with Al-Qaida, and declare war on them.
      Using the decades-old first-strike policy he'll order pre-emptive nuclear strikes on all planets in the Alpha Centauri system (just to be safe....wouldn't want those pesky terrorists to go changing planets in the months it will take the missiles to reach the system....)
      The Centaurians will see the missiles coming before they're even halfway there (after all...they didn't underfund their Hubble project), and come out to meet them, blowing them up in deep space where they can do no harm. They'll then continue on to our planet, quickly determine that the order to destroy them came from the White House, blow up Bush and Congress, and tell us all to stop being so fscking childish and grow up.
      Then, just to prove they mean business, and that if we want to play in the galactic neighbourhood, we've got to play nice, they'll blow up both the RIAA and MPAA headquarters, before heading back to their own planet.
      The rest of us will soon realize that without Congress, and the ??AA, the earth has suddenly become a very nice place, and we'll stop trying to go away to other planets.


      See, it's easy to claim to know what's going to happen in 50 years. You'll be full of shit, but you can still claim it.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  4. Re:The next step in security: benevolent parasites by starfishsystems · · Score: 4, Insightful
    Isn't that rather like setting the fox to guard the henhouse?

    The controls that an organization would need to put in place to avoid being utterly exploited in such a scenario are pretty much the same controls needed to manage systems securely in the first place. So as a thought experiment, this is useful. As an actual practice, forget it.

    --
    Parity: What to do when the weekend comes.
  5. Fortunate? by Krast0r · · Score: 5, Insightful

    "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them." - however in a sense we are unfortunate that they generally take control of them to destroy someone else's computer, it just depends on how selfish you are.

    --
    Matthew Grint Midnight Artists
  6. Re:The next step in security: benevolent parasites by taustin · · Score: 4, Insightful

    Sounds like a classic protection racket to me.

  7. Global proofs of security are not on.. by Ckwop · · Score: 4, Insightful

    This last area is very important. We know the theory of writing secure computer programs. We are close to knowing how to create provably secure computer systems (some would argue we can--e.g. EROS). The big hurdles left are writing usable, manageable, provably secure systems, and the user.

    It may be possible to establish "limited" proofs of security which are tightly defined in small areas but a provably secure operating system is impossible. It's impossible on so many levels that I expect that Alan Cox doesn't understand the issues deeply enough.

    There are a number of problems with creating a secure operating system. One is the amount of code it takes. You can't create a security proof on huge volumes of code. Hundreds of lines? probably. Thousands of lines.. maybe.. hundreds of thousands? no chance.

    The next problem is that we haven't figured out a way to make security modularise. You can't say "method 1 is secure, method 2 is secure therefore using method 1 after method 2 is secure." It just doesn't work like this. You can put two secure pieces of code and get insecurity. This means you have to treat the whole operating system as one huge program all of which needs to be proven secure.

    The third problem is that even if you establish a proof of security this still isn't enough. Your proof is based on some formalisation of the language but the compiler itself might be buggy (either by accident or on purpose) and might compile in a way that breaks your proof. Ouch! cuO

    Too often we strive to absolutes in security. Security is not binary. It is not a zero or one but a complex set of trade-offs and risk mitigation.

    Simon.

    1. Re:Global proofs of security are not on.. by querencia · · Score: 4, Insightful

      "I expect that Alan Cox doesn't understand the issues deeply enough."

      I hope someday I am cocky enough to make that statement.

      "You can put two secure pieces of code and get insecurity."

      Of course you can. But you can also put two secure pieces of code and prove that the combination is secure. The fact that the two pieces that you're combining are provably secure means that there is less work for you to do. Nobody is talking about writing the "Linux is secure" proof. If you start with the building blocks of secure systems and make them provably secure, you can absolutely combine them to come up with "provably secure systems."

      "... a provably secure operating system is impossible."

      You are wrong. Perhaps a provably secure Linux is impossible. But Alan Cox didn't say "operating system." He said, "system." Always pause (at least briefly) before suggesting that you have a better understanding of operating systems than Alan Cox.

    2. Re:Global proofs of security are not on.. by starfishsystems · · Score: 3, Insightful
      > The next problem is that we haven't figured out a way to make security modularise.

      You raise several really interesting points.

      I think it would be more correct to say that we haven't found a way to reduce the general security problem by means of modularization. It's an open conjecture that we could do so, even in principle, since we don't actually know what the general security problem is.

      However, to the degree that we can isolate information processing into modular elements, we can individually reason about their security, and as far as I understand, those security properties are preserved under composition.

      There are two parts to this. The first is to show that the application of functions such as F(G(x)) or (F*G)(x) need not expose functions F and G to each other. That is, composition doesn't violate modularity in the ordinary sense. I take your point that a faulty compiler is in a position to violate modularity, but that's an implementation error, not a reason to discard the formalism.

      The second is that we have to formalize what composition means in terms of information exchange. Ordinarily, composition is assumed to be purely a matter of topology. As in circuit topology, the wires don't count. But in the context of security, the interface explicitly exposes communication. But communication security has been very well studied, and we should be able to apply the results here directly.

      Some details of my understanding may be wrong, and I'd be grateful for your thoughts on any of this.

      --
      Parity: What to do when the weekend comes.
  8. Bull! by cbiltcliffe · · Score: 3, Insightful
    > In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.

    Not a chance. Because with that, we've got millions of clueless users who think that because their computer turns on, it can't possibly have a virus/worm/spy trojan, so they do absolutely jack shit about it. Meanwhile, I'm still getting copies of Netsky.P emailed to me. It's almost a year and a half old, for Pete's sake!!!
    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  9. 'tis a pity... by advocate_one · · Score: 5, Insightful
    > We are still in a world where an attack like the slammer worm combined with a PC BIOS eraser or disk locking tool could wipe out half the PCs exposed to the internet in a few hours. In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.

    cos if they actually destroyed them, then people would take proper care... apparently, it's quite normal for people to view their ms-windows boxes filling up with vermin etc. as just a fact of computer life... they only do something when they can't get online anymore... and then it now appears cheaper to buy a new box than get the damned thing fixed properly...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  10. Re:But you said by Alexis Boulva · · Score: 2, Insightful

    as the number of new computer users increases, their average level of intelligence decreases. same thing happens when it comes to IT professionals, sorry to say.

  11. Problem by mcc · · Score: 5, Insightful

    There are a large number of problems with your suggestion. I will outline only one.

    One problem is that your suggestion is wholly founded on the assumption of computational resources being valuable. This is to an extent incisive, since you have realized that the reason why the formation of zombie networks has increasingly become the endgoal of worms and such is that there is commercial value in those networks' computational resources. But this breaks down when you start to think about what they use those computational resources for.

    Computational resources, by themselves, aren't particularly valuable or hard to obtain; even bandwidth resources are beginning to become expendable if you're smart about how you use them. Your average PC is absolutely awash in power it doesn't need. 20 years of "your computer is obsolete as soon as you buy it" has crashed out into "your five-year-old computer technically isn't obsolete yet". People who used to buy supercomputers often now just buy cheap PCs and leash them together. Anybody who just has a legitimate need for a lot of computation these days can most easily obtain this through totally legitimate channels.

    The reason why hackers, worm-builders, spyware peoples, etc obtain their resources through illegitimate means (like worms) is because they have illegitimate intents for those resources. They don't so much want 20% of the resources of a PC, they want 20% of the resources of a PC that can't be traced back to them. This is because once they have these resources, they're going to be using them for things like, warez. Sending spam without compliance with local laws. Hosting dubious and virus-like spyware. Extorting businesses for money in exchange for not launching DDOS attacks against them. If you willingly give these people 20% of your hard drive and CPU they aren't going to be using it for things like 3d rendering or protein folding; if that was all they wanted, they wouldn't need to be using hacker methods to get it in the first place.

    Instead, if we go by your scenario, you'll give them 20% of your hard drive, CPU and bandwidth; they will protect you from the other hacker groups; everyone will be happy; ... and then six months later your computer will be part of a gigantic DDOS or some other illegal act so large it will attract the FBI's attention. From here there are two possibilities. Possibility one is, the people you've been contracting with here are a legitimate business, in which case the FBI will get their contact information from you and have them arrested. Possibility two is, the people you've been contracting with here are not a legitimate business, in which case the FBI will arrest you for conspiring with an organized crime group. We can assume no group even remotely competent enough to even get into this hypothetical security "protection" business in the first place would be stupid enough to let possibility one happen. This leaves possibility two. See the problem?

  12. fast vs. slow spreading... by markana · · Score: 4, Insightful

    "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."

    This is not necessarily a good thing. I've read that Ebola and other very nasty diseases don't spread as far as they might, because they wipe out their carrier population too quickly. As opposed to HIV, which has time to slowly spread out. If an infected PC self-destructed after one round of outbound spreading, then it's not going to be continually spewing the junk like they do today.

    Such a virus would burn through the supply of unprotected PCs quickly, and then go away.

  13. Problem is Users... by sarlos · · Score: 2, Insightful

    If we could eliminate all users, the internet would be much safer! All joking aside, what it comes down to is this: As long as there is information people want to protect, there is going to be someone who wants to read it, distribute it, sell it (?). Let's play a mental game.. Suppose we come up with a truly proactive system to protect a home PC (which are mainly targeted to be zombies against riper targets). All a hacker needs to do is purchase a copy (or download it from IRC or some file-sharing service) and keep trying their virus or exploits against their own system on their own network until it works. Now you're still going to be dependent on the old reactive system of doing things to patch your brand new proactive system. Until we change the way we think about network security and adopt more distributed solutions to this problem, it's going to be very difficult to stop these people. In my opinion, it's going to take a completely different way of thinking about networking which, sadly, probably won't happen until some new technology necessitates it.

    --
    Government's view of the economy: If it moves, tax it. If it keeps moving, regulate it. If it stops moving, subsidize it.
  14. Re:The next step in security: benevolent parasites by elcheesmo · · Score: 2, Insightful

    The problem is that the hacker would be using your computer resources for other illicit purposes, such as hacking computers belonging to other businesses. It would solve your problems at the expense of others. And imagine the liability of having their attacks traced back to your computers.

    It would be no different than giving guns to thugs to protect your business. When they do finally get busted, the FBI will find your fingerprints on the guns.

  15. Re:The good ol' days... by TheRaven64 · · Score: 3, Insightful
    The most successful ones back then waited a few days / weeks and infected every floppy disk you inserted (executables and boot sector) so that they didn't die out immediately. Of course, the longer this period was, the more copies of the virus would exist and the more successful it was. Eventually, the period extended to infinity - the virus would infect the `host organism' and use it to create copies of itself until it was detected and killed. A virus with this strategy was far more successful - in fact the most successful virus would be one that didn't have any adverse effect on the computer at all.

    And that, my friends, is an example of both evolution and intelligent design in operation.

    --
    I am TheRaven on Soylent News
  16. Pretty Unimaginative Vision by Anonymous Coward · · Score: 1, Insightful

    This is a vision of the future produced by someone stuck in the past. :)
    No offense, but a *lot* can happen in 50 years...

  17. Fortunate? by Anonymous Coward · · Score: 2, Insightful

    From the summary...

    > In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them.

    Personally, I find it unfortunate. We would be more fortunate if the attackers did seek to destroy. I'd rather irresponsible people's computers were fried than to get tons of spam and viruses sent by them.

  18. Re:The next step in security: benevolent parasites by Mr. Underbridge · · Score: 2, Insightful

    Yeah. The problem is when they decide you need more "fire insurance."