2007 in Security

An anonymous reader wrote in to say that "Heise Security did a year end review — for the upcoming year 2007. In their crystal ball they see P2P bots, (almost) crashing stock exchanges, dropping prices for zero day exploits and private mails of gmail users published on the google search engine." Speculatory and amusing.

private mails on google search engine

[discord5]

private mails of gmail users published on the google search engine

Oh noes! Everyone can see my spam now!

So...

[Architect_sasyr]

Business as usual then? DDoS attacks, the crackers finding ways to be one step ahead of the security team, and someone reading my email...

Yep, sounds like business as usual to me...

Vista

[RAMMS+EIN]

I think the big thing to happen to security in 2007 is Windows Vista. With increasing adoption, we will really get to see whether all the rewrites, new features, and bugfixes dramatically improve security. Holes will be found and plugged. Other operating systems will copy the good ideas and avoid the bad ones. Whenever pre-Vista Windows versions are broken into, people will say "It's your own fault; you should just have upgraded to Vista".

Other than that, I think existing trends will continue. More development will be shifted from unsafe languages like C and C++ to Java, the .NET languages, and the popular languages from the open source community. Exploits will continue to shift from buffer overflows and integer overruns to logic errors and injection vulnerabilities. More attacks will target web browsers. With increasing adoption of Unix-like OSes, perhaps we will see some exploits for these run wild, too.

Re:Vista

[RAMMS+EIN]

``More unsafe developers will be shifted from languages like C and C++ to Java and the .NET languages''

Where there are fewer mistakes they can make; buffer overflows, memory leaks, and even, to some extent, injection vulnerabilities are common in C and C++ programs, but rare or absent in Java, C# and VB.NET programs.

``and continue to promote needless vendor lock-in, much to the dismay of the the open source community."

It's not as bad as it used to be. Java is being open source, and there are various implementations of .NET, at least two of them open source. Both Java and .NET are standardized. Contrast this with popular open source languages like Perl, PHP, Python, Ruby, OCaml, ... and you will generally find that they have no standard and there is generally only one real implementation. C and C++ aren't much better; although the languages are standardized and a myriad of implementations exists, a lot of code uses either Microsoft or GNU extensions, again tying the code to a single vendor.

Re:Vista

[canuck57]

Other than that, I think existing trends will continue. More development will be shifted from unsafe languages like C and C++ to Java, the .NET languages, and the popular languages from the open source community. Exploits will continue to shift from buffer overflows and integer overruns to logic errors and injection vulnerabilities. More attacks will target web browsers. With increasing adoption of Unix-like OSes, perhaps we will see some exploits for these run wild, too.

Saying a language used to program a computer causes security issues is like saying that cars kill people.

Like cars, programming languages will perform just like they are driven. PCs too, it they are driven carelessly then there will be security accidents.

2007 in Security - I predict the new rumblings of a "Careless and Dangerous" computing law. Maybe eventually in 2010 a warning label on all new computers, "WARNING - Fines for Careless Use".

Lets face it, the number one cause of computer compromise is how people use them, followed by the quality (or lack of it) in the operating system.

Re:Even worse:

[discord5]

Everyone can read about the penis enlargement treatment you ordered.

Quartermaster Clerk: One Swedish-made penis enlarger.
Austin Powers: That's not mine.
Quartermaster Clerk: One credit card receipt for Swedish-made penis enlarger signed by Austin Powers.
Austin Powers: I'm telling ya baby, that's not mine.
Quartermaster Clerk: One warranty card for Swedish-made penis enlarger pump, filled out by Austin Powers.
Austin Powers: I don't even know what this is! This sort of thing ain't my bag, baby.
Quartermaster Clerk: One book, "Swedish-made Penis Enlargers And Me: This Sort of Thing Is My Bag Baby", by Austin Powers.

This is great news!

[Overzeetop]

There wasn't a single mention of an increase in penny-stock pumping emails.

Screw the rest of the world, if those would go away I'd consider 2007 a success.

Re:& UNIX is BAD because it is OLD

[TheSpinningBrain]

Nobody should ever say that an OS is bad because it's old. Different operating systems are meant to be applied differently. Windows (and I mean all versions) are all good in their own respects, even the older ones (think Windows 1.0 commercial with Steve Ballmer), if only as a negative reference. One of the reasons that Unix-type systems are growing in number is that some people took an operating system and actually put some care into it. They stuck to it and keep evolving it, which can definitely not be said of Vista, which is a rewrite of Windows. Is there anything wrong with Windows XP now? Definitely. Was there anything wrong with Windows 98/ME when they reached their End-of-Service? Definitely. Are there things that are still wrong with Unix systems? Definitely. So what's the difference? "They're all old and they suck." Well, here's the main difference: Unix-based systems haven't been given up on. In fact, you can still run versions on really old PCs, but you can run it on the newest stuff, too. In case you haven't noticed, Windows 98 works. And it takes up much less resources than XP or Vista. In that regard, I'd say it's better. However, Microsoft has stopped supporting it, even though it's still not perfect. I can say that if Windows 98 had the support now that XP has, I'd be running it on a dual-boot, since it's small and fast enough that I wouldn't really care about the disk space. Really, there's no such thing as a bad OS, just a bad implementation. Unix is changing in popularity because it's changing its ability to be implemented successfully in a desktop.

Re: 2007 in Security

[shrtckt]

"Educating these users of what their Windows boxes may be barfing out 24/7 is they key to correcting the problem"

No, the key is to make the ISPs legally liable for preventing the viruses getting on/off your desktop and making an OS that don't get viruses from clicking on a URL or opening an attachment. Making ISPs legally liable for viruses and regulating a users software is just one step closer to having "Big Brother" control our lives (this is one of MS's favorite games). I don't want my bandwidth throttled for packet inspection due to legalities caused by some other idiot surfing a pron site and blaming his ISP for the resulting problems. BTW, that OS you are talking about (that don't get viruses from clicking a URL...) is called Unix.