Slashdot Mirror


Computer Security, The Next 50 Years

bariswheel writes "Alan Cox, fellow at Red Hat Linux, gives a short-and-sweet talk at the European OSCON on The Next 50 Years of Computer Security. Implementations of modularity, Trusted Computing hardware, 'separation of secrets,' and overcoming the challenge of users not reading dialog boxes, will be crucial milestones as we head on to the future. He states: "As security improves, we need to keep building things which are usable, which are turned on by default, which means understanding users is the target for the next 50 years. You don't buy a car with optional bumpers. You can have a steering wheel fitted if you like, but it comes with a spike by default." All of this has to be shipped in a way that doesn't stop the user from doing things."

27 of 234 comments

  1. Not really an expert by Anonymous Coward · · Score: 0, Insightful

    I wouldn't consider Alan an expert on security, so I don't understand why this is posted on /. ... well, I do understand, most "news" are just as corny.

    1. Re:Not really an expert by Anonymous Coward · · Score: 0, Insightful

      Writing a GUI and implementing documented standards does not make one an expert in Information Security.

  2. Educating users by reldruH · · Score: 5, Insightful

    What the article is basically saying is that we have to teach people how to use their computers. >85% of all the computer problems I encounter are PEBKAC (Problem Exists Between Keyboard And Chair). It's like the old saying goes, make something idiot proof and the world will make a better idiot. If people just learn how to use their computers (you shouldn't download exe's from people you don't know, a firewall is a good thing to have, ActiveX controls aren't safe and your default response shouldn't be to install them no matter what IE says) a huge number of problems would be eliminated. Like it or not, users are the biggest computer problem today. The problem shouldn't be usability, it should be user-ability.

    --
    I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
    1. Re:Educating users by reldruH · · Score: 2, Insightful

      There are lots of problems with Windows that I'm holding Microsoft completely accountable for, but there's a lot of stuff users do to make it even worse. I've run across people who go to porn sites every day and just click OK whenever there's a pop-up until their computers are so slow they have to be hosed. I know users who honestly don't know how to use MS Word, don't know how to see what file extension something has (much less save something as any non-default file format), and download attachments from emails that are obviously spam. I'm sure you've heard horror stories (and if you haven't, go here).

      I think that macs make it much more difficult for users to hurt themselves and that that's why so many people fall in love with them, but I don't think that's the solution. The world will eventually make a better idiot and I think it's a losing race to try and make software more idiot proof. I'd rather make less idiots.

      --
      I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
    2. Re:Educating users by mcrbids · · Score: 2, Insightful

      If people just learn how to use their computers (you shouldn't download exe's from people you don't know, a firewall is a good thing to have, ActiveX controls aren't safe and your default response shouldn't be to install them no matter what IE says)

      You write these things in as though they were long-established rules of convention that could be written down and shared, and accepted because of their ubiquity and long duration as good rules.

      But go back just 10 years. The Internet was fresh and new. A firewall was unheard of, .EXEs almost always were funny flash videos, forwarded by friends. SPAM was a relatively minor annoyance.

      See how different the rules are?

      To get rid of ActiveX altogether is another version or two of Windows away. They can change *very* quickly. Heck, they already have.

      1) My Linux desktop has no problems with .EXE files.
      2) IE doesn't run on this computer - what's this about this "ActiveX" thing?
      3) Firewall is on by default. Did I need to do something?

      Your rules don't apply to me already, today. And, your rules don't include one that for me has been paramount: Do not let your security updates get out of date!

      When the industry has matured enough that rules can last for longer than just a year or two, then I'll buy your argument. Until then, we need to come up with a better way to use a computer.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    3. Re:Educating users by reldruH · · Score: 2, Insightful

      We should spend lots of time educating noobs. No matter how simple we try and make it, it'll always be foreign to somebody who doesn't know how to use it. Foreign, unknown and difficult. The last thing I'm saying is that we should make interfaces more complicated. I'm saying that there will always be people who don't understand them and that we should devote time to showing those people how to use them. Give a man a fish (aka fix his computer after he hoses it) and you feed him for a day; teach him how to fish and you make him self-reliant.

      --
      I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
    4. Re:Educating users by R3d+M3rcury · · Score: 5, Insightful

      Well, I'd make the argument that the problem exists between the keyboard and chair of the software developer--not the user.

      Comments like yours remind me of the automobile industry of the 1960s. The problem, they insisted, was not with the cars but with the people who drove them. There was no way to make cars safe and the only hope was better driver education. Of course, the reality is more that they didn't want to devote the time, effort, and money to making cars safer because they'd see no real benefit in regards to sales. And to a certain degree, they were right. It actually took the government to come in and mandate safety standards for cars.

      To me, blaming the user is a typical programmer cop-out. "Well, if the user was as smart as me, they wouldn't have these problems." Yeah, I too have seen users do the stupidest things with my software. The difference is that I try to find out what they were thinking when they did this and then work to make sure that others aren't inspired to do the same thing.

    5. Re:Educating users by reldruH · · Score: 2, Insightful

      The issue I have with your comment is that knowing that you're not going to be having these same problems in 2, 5, 10 years doesn't relieve you of the responsibility to solve them today. If nobody worries about solving today's problems because they're not tomorrow's problems, we never get to the next set of problems. Windows, IE, and ActiveX all still have a huge market share. Just because you (a Linux using technophile) don't have those problems doesn't mean the rest of the world still doesn't and still won't for quite a while. Yes, things change quickly in the computer industry. There are new things being developed all the time, but a lot of the stuff I'm talking about transcends that. I just used examples that were too specific. If you change it to 'Don't run programs from sources you don't recognize or trust, keep yourself safe by not letting people you don't know have access to your computer, know what a firewall is.' That's all pretty basic stuff, but there are a lot of people (really smart people) who just don't know it.

      Oh, and the ubiquity if not the duration is already there. How many slashdot readers download foreign exe's, trust spam, and leave an unprotected system on the internet? The ubiquity is there for people with technical knowledge, and that's where I look for it. If there's massive disagreement over whether or not something is good within the tech community, then I'm not likely to trust it. But when 90%+ of techies recognize certain things as unsafe, I think that's ubiquitous enough to start teaching to people without the necessary background to know that it's unsafe.

      --
      I've always pictured the color of OS zealotry as a sort of bright flamingo pinkish hue
    6. Re:Educating users by R3d+M3rcury · · Score: 4, Insightful

      "I can't tell you how many of my friends (really smart people) can't download a file, then find it later. They just click OK, they don't know what a file extension is."

      Exactly. How many tech support stories have we all heard that started with customers who claim to be very smart and know all about this stuff and have made some stupid mistake. Heck, I can plead guilty to that (Oops! The Firewall is blocking FTP--that's why I can't get to your FTP site...).

      But some of it comes from the fact that there are things that we don't need to know, but the computer insists that we do know. File extensions are a great example. What does the extension "jpg" tell me? That it is an image encoded in JPEG. What is JPEG? Why do I care what it's encoded in? Why is that different from an image with the extension "tif"? They both look like the same image to me. Why do I need to know whether it's JPEG encoded or TIFF encoded? Why can't it just be a picture?

      Well, because some programmer decided it would be easier to detect what kind of file something was if we gave the computer a hint. Thus, if the file extension is "jpg", the program uses a JPEG algorithm to extract the image. If the file extension is "tif", the program uses a TIFF algorithm. This is a lot easier for the programmer and faster for the computer rather than reading, say, the first four bytes and looking for FFD8FFE0 and saying, "Ah! It's JPEG," or looking for "II" or "MM" in the first two bytes and saying, "Ah! It's TIFF!" So the file extensions "jpg" or "tif" really aren't there for the user's benefit at all--they're there to make the programmer's life easier.

      But what about all these other three letter extensions, like "gif", "pgm", "psd", "bmp"? How is the user supposed to remember this alphabet soup of extensions and what they all mean? Why can't they just hide them? Because then the user won't see the "exe" that denotes a program and may inadvertently run a program which does nasty things.

      See? File extensions seem basic to us, but they're pretty superfluous to most people.
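Added example, not part of the thread or any poster's code: a content-sniffing check of the kind the comment above describes, which reads the leading bytes of a file and compares the result with what the extension claims. It goes beyond the two formats named in the comment (GIF, PNG, BMP and the `MZ` executable header are included), the function names are hypothetical, and the sample byte strings are constructed.

```python
import os

# Leading-byte signatures. JPEG is matched on its first three bytes because
# the fourth one varies (E0 for JFIF, E1 for Exif). TIFF is matched on the
# byte-order mark plus the version number 42 that follows it.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"II*\x00", "tiff"),          # little-endian TIFF
    (b"MM\x00*", "tiff"),          # big-endian TIFF
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"BM", "bmp"),                # two-byte signature: weak evidence only
    (b"MZ", "exe"),                # DOS/PE executable header, also weak
]

# What each extension claims the content to be.
EXTENSION_TYPES = {
    "jpg": "jpeg", "jpeg": "jpeg",
    "tif": "tiff", "tiff": "tiff",
    "gif": "gif", "png": "png", "bmp": "bmp",
    "exe": "exe",
}


def sniff(data):
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def classify(filename, data):
    """Compare the type claimed by the extension with the sniffed type."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    claimed = EXTENSION_TYPES.get(ext)
    actual = sniff(data)
    if actual is None:
        return "unknown-content"
    if actual == "exe" and claimed != "exe":
        # The case the comment worries about: a program the user cannot
        # recognise as one because the name says something else.
        return "disguised-executable"
    if claimed is None:
        return "unknown-extension"
    if claimed != actual:
        return "mismatch"
    return "consistent"


def audit(files):
    """Return (name, verdict) for every file whose name and content disagree."""
    flagged = []
    for name, data in files:
        verdict = classify(name, data)
        if verdict in ("mismatch", "disguised-executable"):
            flagged.append((name, verdict))
    return flagged


# Constructed sample inputs: only the first bytes are meaningful.
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("camera.jpg", b"\xff\xd8\xff\xe1\x00\x10Exif\x00"),
    ("scan.tif", b"MM\x00*\x00\x00\x00\x08"),
    ("scan.jpg", b"II*\x00\x08\x00\x00\x00"),
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("picture", b"GIF89a\x01\x00\x01\x00"),
    ("notes.txt", b"hello world"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:12} {classify(name, data)}")
    print("flagged:", audit(SAMPLES))
```

A match on a short signature such as `BM` or `MZ` only says what the file starts with, so a filter built on this treats the verdict as a reason to inspect further, not as proof of the format.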

  3. The Eternal Weakness by kadathseeker · · Score: 1, Insightful

    Lusers - always the biggest security hole! Social engineering is the first fallback option.

    --
    The 'Net is a waste of time, and that's exactly what's right about it. - William Gibson
  4. Interesting points by mikesd81 · · Score: 5, Insightful

    and overcoming the challenge of users not reading dialog boxes,

    That's true. So true. Tons of times I just clicked yes without reading or reading fully and then later on down the road...oops.

    I updated Outlook Express for my mom the one time and it automatically blocked attachments, confusing her. And me, until I found where to uncheck that.

    The computer can be taught to enforce security policies that the users themselves are unlikely to uphold, given their propensity to ignore advisories and software dialog boxes. Software engineers must build in security that is active by default, and they must understand the user so that security tools are actually used.

    But also keep in mind who the user will be. Some advanced users would probably not need/want the security by default. New users or non-advanced ones would need it. We would need to find security to be adaptable.

    In a comical way maybe the system can say "well you hosed /etc once, do you wanna do it again?"

    --
    That which does not kill me only postpones the inevitable.
    1. Re:Interesting points by Verloc · · Score: 2, Insightful

      Some advanced users would probably not need/want the security by default.

      I think that advanced users will be able to change their settings until they find a sweet-spot. Default protection protects against my mother, who may not look dangerous but is involved in multiple DDOS attacks across the eastern United States.

      I personally think the solution is some sort of PSA before opening the file of the horrors of viruses. You know, hospital equipment going down, people going crazy, real 'reefer madness' here.

      Or maybe not.

    2. Re:Interesting points by cyclomedia · · Score: 2, Insightful

      how to solve this:

      have 5 buttons at the bottom of the dialog box, labeled one to five (in words, not numbers). in the dialog text state "to continue press button XXXX, or any other button to cancel".

      which means you actually have to read the text to continue. so long as dialogs are suitably verbose the "button to press" text will be in a different location each time.

      an alternative option is to tie it in with sudo permissions, a dialog could pop up explaining that admin rights are needed to proceed and show a password. So the user gets used to having to type "something" to continue. On non admin, but still critical, dialogs the dialog-with-input would be identical but the text would say "enter the word bananas in the password box to continue", instead of "enter your admin password to continue". this also then preserves the look of critical dialogs and doesn't fall into the trap of the user simply automatically inputting their password every time he/she is prompted. because they have to read the text to find out what to type.

      --
      If you don't risk failure you don't risk success.
  5. What's the point of this? by caitsith01 · · Score: 3, Insightful

    Am I alone in finding this kind of topic - "The state of X in the year 2050" - really, incredibly pointless?

    Given that no-one has been able to make accurate predictions about computer technology over a 5-year horizon, what possible basis is there for thinking that anyone can predict what the state of technology will be in 50 years time? By then we may be keeping our data secure by storing it in a hidden pocket of space-time in a parallel universe 10,000,000 years back in time and retrieving it through a wormhole when required. Or civilization may have collapsed, leaving us with the 'pointy rock tied to a stick' device as our best form of security.

    My point is: no-one knows. It's pointless to predict this far into the future.

    I would prefer people stick to making these kinds of predictions about large, relatively predictable fields (e.g.: the climate; oil supplies; population; tectonic plate movement) and leave their prognostications about ridiculous things like 'computer security' to something like a 2-10 year window.

    Or we could, you know, read some *news* instead of some random predictions.

    --
    Read Pynchon.
    1. Re:What's the point of this? by downhole · · Score: 2, Insightful

      Excellent point, but I thought I'd point out that the fields you listed as "relatively predictable" don't seem all that predictable to me.

      Climate - We can't really predict the weather a week from now. I'm not all that convinced that we have any idea what's going to happen in 1, 10, or 100 years. (Preparing for flames from the global warming crowd...)

      Oil Supplies - You'd stand to make quite a lot of money if you actually knew what would happen to oil supplies in the future. There's too many variables, though. Maybe production will dwindle until we're forced to switch to coal and nuclear. Maybe we'll perfect Fusion power and burning oil will become pointless. Maybe we'll discover so much oil that nobody would seriously suggest we'd run out.

      Population - It's probably going up. But where, and how much? Who can say for sure?

      Tectonic plate movement - We're pretty sure which direction most of the plates are moving in, but just try to predict when the next earthquake is. There's a lot of money in that, but nobody can do it.

      Predicting pretty much anything in the future doesn't have a very good track record.

      --
      I don't reply to ACs
  6. The next 50 years, 50 years ago by gmuslera · · Score: 3, Insightful

    The future is not what it used to be. All the "the next 50 years" of 50 years ago predictions (on almost everything) were something wrong, something right, but if you read that you don't feel like being there (oh, we have some sort of flying cars in a way or another, or civilians in space, to put 2 examples, but is not like for everyone, or everyday).

    Wonder how many of those will become obsolete in 10 years only, not because the problem stopped to exist, just because terms of the problem changed giving little meaning for that to normal people. Today computing security is a tangible problem, even normal users have to worry about viruses, trojans, worms, spyware, not having trivial keys, etc, but how much of those problems could remain for users in 20-50 years from here, or how they will be perceived?

    We can be here discussing war strategy with sticks and stones while in 50 years (to be a bit exaggerated :) they use rayguns, but some of the things discussed now could remain valid then, some could work if some fallback must be done to something similar to sticks and stones, and other things could have no meaning anymore.

  7. Security stands and falls with responsibility by Opportunist · · Score: 3, Insightful

    As a responsible parent, you don't give your kids alcohol. As a responsible driver, you don't drive 100mph near a school. And there are actually laws that, if you happen to be careless and negligent, you get fined or worse.

    Only when it comes to computers and the 'net, you can be as irresponsible as you want and you won't get any negative feedback from the feds. You may click on every "please click here to become a spambot" message. You may install every kind of adware, while at the same time ignoring or even blocking updates for your system (and thus becoming the primary target for exploits like the recent WMF disaster). Nobody will hold you accountable for it. Even if you manage to fall for some cheap "please insert all your personal, bank and credit card info, and send us a copy of your passport" scam, more often than not your bank will cover for you.

    Why is ignorance and irresponsibility an excuse when it comes to computers and the 'net? Because judges and legislators can't make sense outta it? At least, given some laws I'd get that impression.

    Security starts with teaching the users, and most of all teaching them responsibility. Not better tech. You can have the best high security door; if you fall for the cheapest con job and let anyone in, you'll still have some things missing after every visit.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Dialog boxes by virgil_disgr4ce · · Score: 2, Insightful

    I always found the term "dialog" box to be an amusing misnomer. If they were really dialogs, I suspect the user would rarely have constructive things to say to their computer. On the other hand, monologue boxes would be far too dramatic, with the spotlight and all.

  9. Security should be on by default by jonwil · · Score: 1, Insightful

    And it should also be easy to use.
    Making security easy to use CAN be done.

    Email encryption for example, when you install the mail client, it could generate a public/private keypair automatically and submit the public key to public key servers automatically.

    Then when you send an email, it can automatically look up the public key of the person you are emailing and encrypt the email (unless you tell it not to).

    When explaining it all to the user, don't call it "Encryption", just tell them that if they use this feature, it will mean that only the person you are sending the email to can read it and it can't be read by .

    Facilities could be there so that businesses could configure it (via group policy) so that email encryption is active but keypairs are created by corporate mailservers and the mailserver (or the mail admin or whoever) has the keys and can look at the mail to look for whatever it is that email admins want to monitor email for. Or it could be disabled completely (or completely except for email going out of the company).

    If email encryption was easy to use, everyone would start using it and the world would be a better place.

    Ditto with other security features such as IM security (I would love to see a new feature in MSN messenger/AOL messenger/etc such that IMs were encrypted and only readable by the intended recipient).

  10. Re:Maybe the author doesn't by Grismar · · Score: 1, Insightful

    I don't know where you live, but where I do, bumperless cars would be illegal. Driving around without them would not only endanger yourself, but more importantly all of the other traffic. So, the comparison is actually fair and to the point.

    By setting a standard for security and having all (or most; or some with a nice logo) comply, people will be able to buy software with the same sense of security they have when shopping for a car, not worrying about purchasing some murderous deathtrap.

  11. I somewhat agree... by PixieDust · · Score: 3, Insightful

    The problem with IT security, historically, has been a "Default Allow" approach. This is getting better, but still has a LOOOONG ways to go. Things should not be automatically allowed, they should have to be turned on.

    Consider Windows 98/98SE. File sharing is off. And the OS itself was more or less a fairly secure (for its time) OS on a DEFAULT install. Compare to Win2k/WinXP. Default admin shares open, often in upgrade cases we have Administrative accounts with NO password, which (with the exception of XP) could log on remotely. XP at least was intelligent enough in its design so as not to allow remote logins with blank passwords for Administrative accounts (UNLESS ENABLED). THAT, my friends, is the correct approach to security. Default = NO!

    Once this has been accomplished, and the general mindset of programmers when considering security (and Admins, etc.) is to assume the user knows NOTHING, and that things just should NOT be permitted without full warning of the consequences (this is where figuring out how to get users to read dialogue boxes comes in handy) security will be much tighter. And let's not forget about vendors and programmers just ignoring security glitches. It's sad to see a Buffer Overflow attack remain a vulnerability in a program beyond a single patch release, once identified. Even sadder, is when further program releases STILL have not addressed the issue (see, Medal of Honor Voting). The 'solution' is disabling a bonafide FEATURE. This type of nonchalant approach to security will always land the general populace in the grips of security vulnerabilities, with no clear end in sight.

    My thoughts.

  12. Let's educate some UI designers, too by tehshen · · Score: 5, Insightful

    I'm with you here. My sibling post (correct term?) and you make nice points about lazy programmers, so I'm going to go and bash some bad designers, too.

    I've found that Windows and its applications are really, really stupid with the way they handle dialog boxes. Kind of off-topic, I know, but since most security issues are luser error, I can guess that most of those are caused by blind click-click-clicking Yes to dialog boxes.

    I get a dialog box when I try to delete a file. I get several dialog boxes whenever a program crashes - something about an error report. At my school, they've managed to set up Word so you get three dialog boxes when you open it: one asking you to disable macros (to which the average user goes What?), another telling you that macros have been disabled (yes, that's why I clicked that button) and another telling you that there's a window open.

    With so many dialog boxes around, most of them unnecessary, I don't blame the average user for ignoring the important ones. If you press Yes, the nasty evil dialog box will go away. Sooner or later the time comes when you install some spyware trying to get rid of the dialog box.

    And what has Vista done? Put even more of them in. Quoth even Paul Thurrott: The problem with UAP is that it throws up an unbelievable number of warning dialogs for even the simplest of tasks. That these dialogs pop up repeatedly for the same action would be comical if it weren't so amazingly frustrating. It would be hilarious if it weren't going to affect hundreds of millions of people in a few short months. It is, in fact, almost criminal in its insidiousness. Gah, showering the user with more dialog boxes is useless, as they ignore them all anyway!

    I'm on a roll here. What else?

    When I want to Save a document, I go to the button marked Save. At least, I do on Gnome and OS X: Windows likes to have buttons called "Yes", "No" and "Cancel" instead. So instead of doing what I want (Saving), I have to read the dialog to find out which button Saves my document. And most people wouldn't even try to read it; they'd just click Yes and hope it was the right one. Oh, and the dialog text is often in a small font with no discernable main point about what it does.

    Windows dialog boxes are obtrusive enough that people would rather make them go away (think: click Yes) than working out what they do. Here's an example of a Mac one - I can tell what each button does before reading, and even if I have to read, there's some nice bold text so I don't have to read it all. Here's the worst example of a Windows one I could find. Note none of the above things that the Mac does right. This isn't the best example, I know, but it points out where Windows fails best.

    I reckon you could've eliminated a fair few spyware installs if the "Yes" button was labelled "Install Software", or the "Next" button was labelled "Accept this Licence", or whatever it is. No more "Let's click Yes to make the nasty evil dialog box go away", but some people will think "Do I really want to install this software?" or "Do I really want to run this program?". It makes people think, and thinking is good when you're trying to make decisions.

    Oh, and:

    "How dare you try to type at another window when I am here, infidel scum!"

    "And Vista dyes the rest of the screen black, just in case you didn't notice me the first time. See?"

    Where was I? Oh yes, computer security. I don't think it's fair to blame any and all spyware installations on user error. Windows places you on a path above a crevasse with a bicycle, and expects you to pedal to the other side. Sure, you might get blown off by wind (read: security holes in the OS). Many people

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.
    1. Re:Let's educate some UI designers, too by imuffin · · Score: 2, Insightful

      I always loved the Safe Mode dialog box. They couldn't just have a button for "safe mode" and one for System Restore.

      ---
      watch funny commercials

  13. Re:Haskell. by Detritus · · Score: 2, Insightful
    We will likely see software security improve once languages like Haskell and Erlang are more often used.

    How long are you willing to wait? Plenty of people still use FORTRAN and LISP, and C/C++ will probably outlive many of us. Short of government regulation, I'm pessimistic about the chances of any major migration to a fundamentally new language. The economic factors strongly favor more of the same.

    --
    Mea navis aericumbens anguillis abundat
  14. 1956 version of Computer Security in Next 50 Years by patio11 · · Score: 3, Insightful
    1) Topic: Securing your mainframes from insects and rodents.
    2) Wasted CPU cycles and how you can prevent them.
    3) Proper punch card disposal protocols.

    The point? We have *no clue* what the computer will look like fifty years from now, to say nothing of the security environment. Today's threats will be laughable in light of the technology and practices of tomorrow (many of the threats we spend a lot of time worrying about, such as spyware, are features not of all computing, not even of a particular application class, but that plague one particular implementation of an application which just happens to have a majority share of the market today -- who can say whether a security researcher in 2056 will even remember the words "Internet Explorer" from his history class or whether browsing any analogue to the Internet will be a common activity?). Prognosticating the threat environment that far out is a waste of time. Look to the near term (next 5 years: spam, viruses, malware) and address the perennials (dumb users, men on the inside, etc) rather than trying to prognosticate what year we'll have the computer equivalent of flying cars.

  15. Re:Haskell. by ajs318 · · Score: 2, Insightful

    Oh, please. If you have to rely on a programming language to keep you from doing "dangerous" things, you have already lost.

    If the language really doesn't enable you to do "dangerous" things, then it's in all probability computationally incomplete. {Of course, any computer with finite memory and hard drive space is technically computationally incomplete ..... the question is, to what extent, and is it likely to have a detrimental effect on real-life applications? Does the newest version of ADA allow a single keystroke to be read without waiting for the RETURN key?}

    If an "intrinsically-safe" language was written in a language which lets you do "dangerous" things, then there is still a possibility that something could fail behind the scenes and cause "dangerous" things to happen anyway. Or, if you can prove mathematically that that is never going to happen with the "safe" language compiler written in a "dangerous" language, then you can prove the same thing for any application written in a "dangerous" language.

    These kind of comments are invariably made by teachers of pure mathematics, who like Noddy-car languages such as Pascal and Modula-2 and are constantly troubled by the thought that somebody, somewhere is doing something useful with a computer.

    --
    Je fume. Tu fumes. Nous fûmes!
  16. Re:Two generatrions of safety engineering by FireFury03 · · Score: 4, Insightful

    Only thing? No. Interfaces also make common mistakes easier to recover from

    However, some mistakes cannot be recovered from - for example, if you click the "yes" button on the "would you like to install this malware" dialogue. In this case you might be able to use journalling features of the filesystem to undo the damage, but if you've done other things since then you probably couldn't selectively roll back the filesystem changes associated with the malware without rolling back everything else too.

    In this case the UI has to be designed to make unrecoverable mistakes difficult or impossible to do in the first place so the "how do I recover?" problem (almost) never comes up. This is a very hard thing to do unless you want to turn computers into appliances (most people wouldn't like appliance computers since they wouldn't be able to install their favorite software) and becomes even harder when the people who want you to make mistakes (malware writers) are actively trying to trick you into making them.

    One possibility that has been suggested is kind of a halfway-house between computers as we know them now and appliance computers - the OS would require all executable code to be signed by a "trusted party". However, this brings up some serious problems:
    1. Who can be a "trusted party"? Let's say it's the OS vendor, why should I trust Microsoft to guarantee that the signed software is malware-free (especially since they are probably getting paid by the software vendor)? There will certainly need to be stiff penalties for signing software which turns out to be malware.
    2. The inability to run unsigned software could be used to lock out the competition - for example, Microsoft could refuse to sign OpenOffice.
    3. How much would this "signing service" cost - you can bet that thoroughly inspecting the software to ensure it really isn't malware is going to be very expensive so you just locked out all the small vendors who can't afford it.
    4. How are you going to run code you compiled yourself since it won't be signed by the trusted party? This could either be FOSS code that you choose to compile yourself, or your own personal code.

    These are certainly not easy problems. I do, however, feel that the ISPs need to take more action against people running malware infected machines. It seems all too common these days for ISPs to ignore abuse reports, let alone run monitoring software to proactively drop the connection to infected machines.
    The ISPs should monitor people's connections for malware signatures and upon finding an infected host they should drop the entire internet connection until it's fixed (probably redirecting all web requests at a server containing patches and instructions to fix the problem).

    Part of the problem is definitely that most of the malware doesn't actually cause a problem for the owner of the infected machine - they don't know or care that their machine is actively being a spambot. Cause hassle for the owners of infected machines and they might actually pay attention to the security of their own systems (viruses were considered a much bigger deal back in the days when their payload often trashed your data).