Slashdot Mirror
Security in Ten Years
Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc. looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."
From TFA: "Think of the iPhone model: You get what Apple decides to give you, and if you try to hack your phone, they can disable it remotely. We techie geeks won't like it, but it's the future. The Internet is all about commerce, and commerce won't survive any other way."
Amen.
An incredibly creative approach.
CC.
TaijiQuan (Huang, 5 loosenings)
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
"Those who are willing to give up a little liberty for a little security, will deserve neither and loose both. Or something."
-Ben Franklin
what a fucking visionary
Software Freedom is never mentioned. Instead the authors depressingly assume a complete triumph of ISPs and software owners. No wonder their outlook for "security" is so bleak. Real security comes from freedom. Every step away from freedom hands someone else a tool to hurt you. Their future is too bad to let happen and it won't because it will be too expensive.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Welcome our future predicting, insecurity overlords.
It would seem like some sort of super intelligent artificial intelligence system which actively protects the cyber world would be the obvious solution to all of our problems. We should also give it some sort of cool name and since it sort of watches over the Internet like a big super powerful being in the sky we should call it skynet. That would solve all of our problems once and for all.
We will have become used to having a small number of portals that provide the vast majority of the data we will be allowed to access (for a fee, of course) and security will have become the problem of these portals.
Users simply won't have much incentive to surf freely from site to site as there will be so little free data available. Therefore the sort of security issues we have today will have gone away. The problem in the future will be for providers (that's you amd me bloggers and other website owners) to prove to the portals that they are clean and meet the standards of the day.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
It's an arm's race, new and better hacks' spur new and better protection which spurs better hack's and so on...Just like today there won't be any one solution to provide security and their won't be anything that's 100% secure. No matter what the speed of the processor.
It's always interesting to read the tripe these people spout when attempting to predict the future
'In the year 2020 man will be as one with the four legged zebra, and so shall our notions of internet security!'
'Could you elaborate please?'
'We suspect hackers will become more sophisticated in their methods'
'So where does that lead internet security?'
'We suspect new security issues will be addressed as they become apparent'
'So in ten years say, where will internet security be?'
'I believe I addressed that question previously with my statement of man becoming as one with the four legged zebra'
I have nothing compelling to say
Without a change in attitude, both on the developer side and on the customer side, the problems will remain the same. I do not see that attitude change happening.
Well worth the read.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Windows and many windows apps are still coded with a bolted on afterward Security design.
Mac os X is set up to make it a lot harder to get carpware running on it.
And yes of course they run Windows, X-Windows that is!!!!!!!!!!!!
Hey ha!
Just a thought that crossed my mind the other day (actually after watching "Idiocracy" on TV).
By making our products ad foolproof as we can aren't we inviting fools to use them? And, by doing so, aren't we removing an evolutionary pressure that prevented really dumb people from being socially functional?
Are we making stupidity _less_ painful?
http://www.dieblinkenlights.com
In 10 years there will be two internets. One for educated, free-minded people and one for everyone else. The educated, free-minded ones will have the ability to discuss anything openly and freely, but nothing they do can be seen by the rest of the public. That's because they will all be in special concentration camps in an unknown location, awaiting re-education or enlistment into various secret government jobs.
The rest of the internet will be limited to a relatively small list of 'allowable' applications which are run by thin clients that boot off the network - all of it controlled by megacorporations and all of the traffic and computer behaviour monitored.
This is the future of trusted computing. They know they can trust you, because you can't do anything with your computer that they didn't let you do.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
Technology in 10 years will be much more ubiquitous. While attacks will go more "high tech," end users intelligence will drop. Take for instance right now, "net savvy" users of Myspace? "Net savvy" enough to use google, but that's really about all they can do. People don't care about security, they just take it for granted. When I worked in IT, I was shocked at how many people had their passwords on post it notes on the monitors, or the number of VPs that wrote their password down and just handed it to me. This will get worse in the future as the the growth of technology also increases the ease of use. But not user education.
It's only going to get worse because it'll only get easier for people to get online or use/get access to a computer.
Perhaps I'm a bit of an optimist, but I hardly believe that we will be in a similar situation 10 years from now in terms of security.
I don't think that its necessarily going to be good, but I hardly think that it is a lost cause at this point.
What a lot of people seem to forget is that during the 80s and a ways into the 90s, the primary means of compromising a computer was to type commands directly into it. Sure there were networks, but they were a minority of the total computers, and they were costly enough and complex enough that people didn't sit in front of them without a fair amount of study. That is still the best way, to undermine a security model, but it isn't the only way.
As things switched to being wired, and now wireless, it was more or less inevitable that crackers would gain a foothold, with a much easier time finding machines and the ability to log in via the net rather than just in person, of course the number of trojans and such is going to go up.
I think that educating users about security and possibly throttling bandwidth on computers that are likely to be infected isn't given enough credit for their potentials. Just getting users to not click on links in spam and to know how to maintain antimalware/antispyware would go quite a ways. I don't think that it would solve the problem, but it would help out quite a bit. Better yet, holding the companies that are advertised via spam accountable would put a serious dent in those rates, as would getting people to stop clicking the links.
Domainkeys and SPF seem to be having some effect, I'm not sure how else to explain why my non domainkeys account gets such a large amount of spam and my account with both gets so little. I can't imagine that the increase a couple of weeks ago from 20 a day to 300 a day in the former isn't in large part due to lesser controls. The later account hasn't seen a noticeable increase, I still get fewer than 5 per day on average.
That doesn't even include the hardware updates which only recently have been put into computers. I would be surprised if the mechanisms are as effective as they will be.
So, I guess what I'm saying is that we definitely have a fair number of options that haven't yet been tried, and as such it really is premature to assume that things will be like they are now in 10 years or worse. It's unlikely that things are going to be much worse in 10 years than they are now.
I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.
That's not to say that security is perfect. But in the balance of security versus convenience, privacy, and general humanism, I think we're resting in a perfectly reasonable situation.
You know, I'm pretty sick of people calling for more security in everything. A few weeks ago, someone stole an infant out of a hospital nursery -- walked right out the front door. Millions of people yelled that hospitals need more security -- even though it hadn't happened in this city for decades.
I spent two weeks in the middle-east many years ago. When you see armed security guards outside every pizza parlour, it's not a warm and fuzzy feeling.
And that's not even raising the issue of false positives.
In 10 years Windows will be over. There will be native Linux versions (still proprietary binaries) of Photoshop and productivity software, but a few people will see the newborn open source alternatives and try them out. Perhaps there will be price-fixing lawsuits against free software by proprietary software makers, and, in the worst case, patent lawsuits (depending on whether software patents are abolished by then or not).
Most people will run old versions of Windows (probably XP SP3, maybe SP4 - or perhaps Windows 7, but Vista will be another WinME) or ReactOS 1.x (it'll be too early for 2.x) in a virtualized PC running Linux. Unixphobes will run ReactOS (around 60 to 70%) or Windows (the rest) natively. Probably Microsoft will retreat from the OS business and stick with consoles or Office software, and Google will absorb the MSN messenger network.
I really hope that the Windows^H^H^H^H^H^H^H^HReactOS and similar OSs' security model will be revamped, with sandboxed registries and directories. Passwords will be asked for installations, unless software is ran by only one user.
Botnets will be rarer (and therefore much more expensive to rent than they are now), but they'll still exist due to user stupidity ("this game needs to run with root privileges"). They'll run in Anonymous P2P nets.
About Anonymous P2P, they'll be the norm for file sharing, but they'll be definitely banned by draconian governments - whether or not the US goes that way, is up to your imagination. Perhaps we'll see a struggle between anonymous P2P and content providers/law enforcement agencies, similar to what happened with Napster a few years ago.
However, website security will face more or less the same problems we're facing now, due to negligence to patch existing webservers. Botnets and phishers will use infected servers to keep stealing identities, and let's not forget about inside jobs and "user account info gone missing". These will go on. Hackers will be government sponsored - to hack into other countries' machines. Buffer overflows will be the favorite vulnerability, while hacker websites will run in anonymous P2P networks.
Let's put this post in a time capsule and see how well it fares in 2018.
... but I am as confident as I am that the Sun will rise tomorrow that it will be safe from terrorists. After all, we have the children to think about.
July 12, 2005
Copyright © 2005 Michael David Crawford.
This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.
If one is able to find any privacy or anonymity in this New Internet, it will be because of some undiscovered security hole, which will be quickly repaired, rather than any kind of conscious design decision. Probably one reason they are accepting proposals before rolling it out is to avoid the sort of accidental security holes that enable pr0n, peer-to-peer filesharing and left-wing political activism.
Microsoft, a leading contributor both to this nation's technology base and to the campaign coffers of its leaders, will embrace this new technology and extend it in such a way that the development and dissemination of Open Source software will be, if not mathematically and physically impossible, at least as intractible as factoring a 2048-bit public key.
Imagine, if you will, Trusted Computing implemented at the router level, in such a way that any packets that go farther than one hop are certified not only to support protocols whose patent licenses are fully paid-up and on file with the legal department in Redmond, but whose content is compliant with the Windows standard. The faintest whisp of a Public License, GNU or otherwise, will result in the dropping not only of the individual packet, not only in the cancellation of the entire file transmission, but, within microseconds, the reporting of the physical location of the offending server to responsible law enforcement personnel. The identities of its rogue administrators will be fetched instantly from the database maintained by the Department of Homeland Security. (You will have to submit fingerprints and DNA samples to obtain a Windows server license, as after all, Internet servers can be used to disseminate explosives r
Request your free CD of my piano music.
Your telling me that Windows Firewall wont cut it anymore? Well...touche internet.
The main barrier against secure systems, is apathy. People don't bother to securely exchange keys, they opt for the convenience of being able to run Trojans, etc.
Pain can cure apathy. It may not lead to a solution, but it can eliminate today's biggest opposition to having a solution.
When the very forseeable disaster happens, that's the time to ask people: "oh, I didn't know you cared. Would you prefer your communications to be private? Would you rather not be part of a spambot net?"
I think there will be some changes in the environment. Lots of arbitrary data that used to be input by keyboard will be replaced by pointers to content already online, which will make that content less likely (though not 100%) to have security threats in the data. However, lots of new arbitrary data in multimedia will be routinely sampled, like audio, image and video. Lots more untrusted (though not necessarily untrustworthy) people will have online status, including their own servers, from which to distribute untrusted data. And many many more different people will be sources of untrusted data, and even untrusted code that will be easier to generate and attach to networked services. The ubiquity of these devices will mean that even less sophisticated users, therefore even more diverse "wild" security risks, will rise, even as the systems get locked down with more reuse of more modern software, including patches and safer languages like Java. While the bad guys will get more expertise, too, and the prizes will become greater and more common as more value is moved online.
But overall, the main threats and defenses will be the same, from security programming standpoint. Mostly because most orgs that need to be secure will not have absorbed the main lessons about security. That's predictable because there's no good reason that today's orgs haven't learned from the past 10 years, which offered plentiful cost:benefit*risk incentive to learn them. That's not going to change in the next 10 years, either. The changes occurred in the 10 years prior to that, but didn't sink in.
There's probably two changes that will reach critical mass. One is the scale of security crime finally outgrowing national police ability to fight even a losing battle, which is mainly a function of the gradual undermining of citizens' reliance on their police. If that change overwhelms business' ability to rely on insurance as "protection", then there might be a real change in who's enforcing security: like the shift from sheriffs to "Pinkertons" in the Wild West. The other is, as you imply, the reliance on social networking to establish trust networks for practically every communication. Which has already started, hasn't reached critical mass, but already offers cheap technology and protection appropriately complex to the actual humans it protects. Of course, distributed private trust might just balance reduced institutional, centralized public ("government") trust mechanisms.
So maybe the next 10 years will indeed see some substantial changes, beyond "lots more of the same". But I still won't be surprised to see it basically balance out, and still look like just more of the same, especially to people practicing it on the inside.
--
make install -not war
ooooh, it's benjamin franklin. franklin, franklin, benjamin franklin.
Please stop stalking me, bro.
It's funny, I wrote a journal entry about such a future. I called it "Trapping Mozart in a soundproof cage".
I admire Schneier for his work over all these years. I think everyone should... it's required reading for some of us ;-P
I think what I most agree with is Schneier's contention that security is really about people or services. And therefore, the consequences of having poorly trained and educated people is in kind; regardless of how sophisticated or brilliant the math is. (SIDE: I cant stand the mathematicians. I am a physicist. We score more e.g. Schrodinger, Einstein, Feynman... were all pimps. Newton died a virgin. Turing was gay. Godel was emaciated and his wife just had to be cheating on him.)
What bothers me most about a security craze is the trade-offs one has to accept. Kind of like laws in physics i.e. momentum and position or energy and time. In my opinion, it looks like functionality and security are the two factors we need to juggle. But with the service-side being pushed, it's apparent how much functionality is really strained with more than just security but also competence. You all know this anytime you try to get support.
Anyhow, just putting in my two cents. Cheap as it is. I understand that the mark of our civilization as commonly encountered is all this technology, but I am starting to get the feeling that maybe all the technological progress is so short-sighted because we just are not capable of being civilized. Therefore... we get these half-measures, "band-aids" and "patches."
All science is either physics or stamp-collecting.
"Hacking - it's not just a crime - it's a survival trait!"
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Hopefully in the future Apple won't discriminate against goldfish so much.
Naw, let's just continue to ignore it, like it was from outer space:
http://en.wikipedia.org/wiki/Plan_9_from_Bell_Labs
~hylas
That's called "backwards compatibility." Unfortunately, there's not a lot Microsoft can do as long as so much "professionally-developed" software writes directly to the /Program Files folder, doesn't work correctly with limited permissions, opens ports for no reason, etc.
Comment of the year
We're already analyzing ur speech, disproving ur factz...
Maybe slashdot can answer this? Why isn't the capability security model being extended into the networked world?
Not to worry, these guys will be in charge of security in ten years time.
Nobody likes spam, spyware and viruses, but I'm not entirely convinced the solution might not be worse than the problem. You can bet your bottom dollar that if truly bulletproof security becomes available, it will very quickly become the exclusive property of governments, multi-national corporations and the like. I don't know how that situation would be used to screw the average person, but I am absolutely certain that we'd better have some lubricant handy.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
conversations of scheiners are now "news events" pretty soon we'll have the gospel according to Bruce, then the twofish crusades to out the Rijndael heathens.
The thing is, ten years from now, we'll have Gigapop Internet in the USA (already installed at most major universities and colleges), and IPv6 will be in large-scale usage, but most of the security features will have been disabled by commercial interests, who care little about consumers.
It's not difficult to make sure gateways restrict mobile-based IPv6 traffic to more stringent anti-spam anti-viral measures, but unlikely that big business will let that happen, as that would impact their ability to sell software and hardware to deal with the problem, and might restrict the type of mobile devices allowed to use the Net to communicate.
-- Tigger warning: This post may contain tiggers! --
may make this issue moot.
Or perhaps least turn some of us now law-abiding citizens into "criminals" (and some to "cyber-criminals") as things get more desperate and people can't make ends meet. Or, more often, see whatever dreams they may have entertained vanish in a puff of greasy black smoke.
Take one crucial resource, gasoline, for example:
http://www.oregon.gov/ODOT/CS/FS/gas_prices.shtml
Taking the average of the 1997, and the average of the 2007 values Jan-Aug of both years, at least in Oregon:
Cheap gas is now 2.19 times the average 1997 value.
Mid is now 2.15 times the 1997 value.
Premium is now 2.07 times the 1997 value.
Has your salary doubled? Is your money worth more than it was then for real things like food, housing, and transportation? Do you think it will double again?
If the existing trend continues by 2017, (and we are making the assumption that there will still be low, medium, and high grades) gasoline will for that year be at or around:
$2.85 x 2.19 = $6.23/Gal
$3.00 x 2.15 = $6.44/Gal
$3.08 x 2.07 = $6.40/Gal
And there's every indication that the rate of price change will probably increase - which means we're probably looking at $7.00 to 7.50/gallon rates here in the US by then.
Now, before you Europeans say, "we already pay like $8/gal, so what" - you have to understand that we here in America use our cars a whole lot more, since most of the public transport - like trains was dismantled in the 1950s, in favor of interstates. You guys may pay more, but you also don't depend on automobiles as much as we do.
And that's just one crucial resource - namely gasoline.
So, what's this have *directly* to do with computer security? Well, not a whole helluva lot, aside from the fact that you don't know what other things will cause people to want to cheat, steal, lie, etc. As these resources get scarcer and more expensive, I think the propensity of a people who were formerly in the entitlement-mode of "we can get something for nothing", are soon going to find out that isn't the case, and when they do, they're gonna want to get what they used to have, or thought they use to have at some point - either by breaking and entering, or via identity theft, etc.
I think you're always going to have the mischief-style, bored script kiddie type cyber-criminal. But I think you're gonna see an increase in the other, desperate kind due to these impending cheap-resource-scarcity issues.
The way to cut out much crime related to this, and hence make things more secure, is for local governments to come together to ensure that people have the resources to make a decent living, can afford the basics, and at least have an illusion that they can put money away for a future where it will be worth something. That is, create conditions non-conducive to the "demand" side of that sort of crime, cyber or otherwise.
As a Security Professional myself, the number one rule that I've seen come out of the past 10+ years is this:
People in general don't care about Security until (maybe) it's too late. They want their shiny widgets now.
The examples are countless, and still happening today.
I hope that doesn't sound too jaded; it's not meant to be. I make my living working with the few companies that do require real Security.
2) Businesses by and large don't want to change or don't know how to change. Security isn't a title or job or position, or even a department, it's a matter of policy and every member of the enterprise takes part in some way. If you don't solve that problem, you'll never solve the larger problem, certainly not with point solutions that scan email or network traffice or logs looking for "insecurity" and vulnerability and attacks. The single biggest step any organization can take to improving security is to write a concise policy and educate every single employee and maintain some accountabilty. You can't simply buy something and get "security." It requires changes in habbits, changes in attitudes, and education. I think this is very hard, so many businesses have become so lazy that their work forces kind of look at policies and scoff, it takes a lot of strong leadership to change that kind of culture. It also crosses technological lines as well as physical, you lock your car doors right? You lock your house when you leave right? Do you lock your desk or office door at work when you leave? Places are willing to pay cintas to shred documents and iron mountain to store documents but they don't take that policy to their working rank and file. Developing a culture of security will do far more than any product you can buy on the market. Do employees know what to do with intellectual property? Do they even know what the company's intellectual property is?
3) The "security industry" has largely been a money grab. After 9/11, the US Federal governement published some figures about federal security spending and basically it was going to grow exponentially over the first 10 to 15 years of this century. Hundreds or maybe even thousands of companies were formed to try and exploit that. What is totally amazing to me is how few of them are actually about really increasing security, these are all for profit businesses. What's more amazing, is how stupid the consumers are that bandwagon them and go along with the feature plays. Take NAC for example, basically the idea to to authenticate devices or users as they enter a network and possibly restrict their access based upon some policy. The policy can be anything, it could be permissions set in a RADIUS or LDAP database, it could be based upon the results of some sort of scanning system, it could be based upon time of day. Rather than pushing the auth component or the policy aspect all these jackasses are concerned with scanning the end point device for anti-virus software or whatever. It strikes a chord with certain IT types, they think "oh yes, I need to scan the devices on my network before they enter the network, that will make everything better" but there isn't a correllation between that and
This reminds me of some "The Daily Show global edition" episode.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
"at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."
Yeah I met Ranum, he made a snide comment about me and girls. The guy is pretty much a bitter old man with wild views on security; pretty much his idea is "if it doesn't work don't do it." He believes patching systems and software is the wrong way to do it; google and find his site and he's got a whole article on using "software that doesn't suck." Basically, use software that has no vulnerabilities, and never bother patching it because it doesn't help.
Some of the stuff he says is okay, and he's a really smart guy; but don't look to this guy for any great advice.
Support my political activism on Patreon.
Trying to guess where security will be in 10 years may be fun, but useless.
Just think back to 1997 and imgine how impossible it would have been to predict where things would be today. In 1997 state of the art was windows 95. In 1997 people were more worried about getting a virus from a floppy than over their network. In 1997 the word phishing didn't exist. In 1997, there had never been a virus that had been the top news story of the day. In 1997 most homes didn't have an internet connection, most businesses didn't have an internet connection, and the businesses that did rarely would have every desktop in the company able to go online. In 1997 many forms of active content that are now part of darn near every web page didn't exist. (I could go on, but you get the point)
The OLPC effort may show us the way out. The great hope with the OLPC is that it doesn't have any legacy applications that rely on security holes. It might actually work, and they have a chance of fixing it if it doesn't.
Neither the Windows nor the Linux world really support untrusted applications, ones with fewer privileges than their user. That's the fundamental problem. But OLPC does. They've thought about the problem correctly, and have something implemented that's reasonable. Now we'll have to see how it works in the field.
And it's called Linux.
(I mean, Really. It's openly hackable as per the bsaic freedom granted by GPL, and there are a lot of companies making a damn good use of it. Thanks to it hackability it has been ported to crazy range of hardware from wrist watches to super computers. And it's good at it if one pays attention at the world's top supercomputers. In the middle somewhere lie router box and similar [I don't know about the Buffalo you mention but I think it's close to that] whose selling companies are obviously successful. And that's only about the kernel. There are a lot of other components in any opensource software solution that can find success somewhere)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
From the article: "There hasn't been a new crime invented in millennia."
Cloning of stem cells for research?
Bruce Schneier said:
It's the same with a lot of our secure protocols. SSL, SSH, PGP and so on all assume the endpoints are secure, and the threat is in the communications system. But we know the real risks are the endpoints.
Rather, the threat was everywhere, and SSH etc solved (at least the technical aspects of) countering the threats in the communications system. The real risks today are only at the endpoints precisely because SSH, SSL, and PGP have been so successful.
Those two words, jumped right out at me from the page. Seriously, I don't think there I have seen a more succinct and accurate way to describe Microsoft's "Trustworthy Computing Initiative", than "Software Stalinism".
The ironic thing is that by centralizing all of your data and services, you make your network more vulnerable to denial of service attacks and more vulnerable to sabotage because all of the data is managed by one entity. Even if you have a very sophisticated backup system, those backup systems are vulnerable as well to sabotage.
ARPANet was designed in such a way that if a bunch of nodes were taken down through sabotage, accident, military strike or whatever, the network as a whole would still be functional. Unfortunately, the trends are toward turning the brilliant P2P design of the internet into a giganto sized version of a corporate network where everything is centralized and controlled.
Client/Server networks are great for a lot of things, but they are inherently vulnerable to all the pitfalls of centralized command and control systems as they scale. Just like communism works fine and dandy for very small groups of people (like primitive hunter/gatherer tribes), communism starts to have big problems once it tries to scale to larger and larger sizes. Capitalism does not work at all on a very small scale because you need a critical mass of people to establish a fair market value for goods and services, however, capitalism does shine as the size of the markets increase in size.
In other words, you can compare Client/Server networks to Communism and P2P networks to Capitalism if you think of people as nodes on a network whose value on that network is determined dynamically and democratically just as money is a democratic tool to vote for the value of a good or service as opposed to having their value on the network determined statically and autocratically in the way command and control economies impose price controls and central planning with regard to goods and services.
The direction Microsoft and unfortunately much of the software world seems to be going with this "software as a service" and the centralized authentication schemes that support "software as a service" I feel is a huge disaster waiting to happen. If I was a terrorist or an agent of a foreign nation and I wanted to take down the economy of the United States overnight, I would prefer to be be dealing with a command and control computing monoculture than one that is fragmented, redundant, and diverse.
It is both sad and alarming that many Americans reflexively feel that the way to have better security is to centralize computing operations rather than spread computing operations to as many interconnected nodes as possible.
Your post is well-worded but I disagree. No program can have a 100% malware recognition rate, when the definition of "malware" is not even objective. Where do you draw the line? Is VNC malware? It can be used to spy on people. Computers were created to do stuff people tell them to, and as long as people tell them to steal other peoples' data/delete their files/etc, we're always going to have that problem. Perhaps the single most important advice you could give a user is "don't run stuff you don't completely trust" and use antimalware programs to help them make an informed decision on that. That "Big Brother watching over me, securing my PC" stuff won't happen, and it won't really work even if it does.
Send email from the afterlife! Write your e-will at Dead Man's Switch.
then I would be inclined to agree with Mr. Ranum's points. But the fact is that there are lots of people out there working on Real Security. Let's see, there's OpenBSD's work to integrate cryptography as a system service, there's Neils Provos' work on systrace, there's GCC's ProPolice stack-smashing protection, there's OpenBSD's write XOR execute protection (which, BTW, Windows now has to some small extent), there are phishing mitigation features in Firefox, there are Free implementations of good authentication systems (e.g., MIT Kerberos, Heimdal), lots of programs now ship with sane defaults (ala Postfix and qmail), there are safe-string libraries of all license stripes, and on and on and on! The fact that Microsoft apparently does not use their own safe-string implementation is indicative of the problem here. Microsoft writes crap. If you want systems where security is a real concern, it's easy to find it. That's not to say that those systems are "secure"-- security is always a work in progress-- but to say that "our responses to those problems also remain the same" is disingenuous. Projects like OpenBSD (among many others mentioned above) have attempted to identify entire classes of problems, and solve them on the big-picture level instead of doing the patch-a-week thing.
The communist/corporatist commerce that exist in the USA, EU, China ... is not what the Internet is all about.
....
... are shit by any other name, and even in a no-nose species, will continue to stink. Present Proper-Political colloquial use of Capitalism, Meritocracy, Free/Open Markets ... commerce are faux-labels of vapor-morals/ethics essential to presenting a more plural/palatable and less obvious slavery/exploitation culture.
The public/citizens seek "Openness" on the Internet.
Corporatist [and corrupt governments] seek institutionalized nepotism/hostage-welfare which in Present Proper-Political plebeian [AKA: spin-truth] could be called commerce. Present Proper-Political vernacular use of commerce as an economic concept, will never be Capitalism, Meritocracy, Free/Open Markets
Communism, oligarchy, plutocracy, aristocracy, exploitation, oppression
Let USAll wave the flag and hold the (whichever) mythological holy-book high for all to see.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
This could be an interesting conversation, but Ranum makes it almost impossible to take seriously (or enjoy). I cannot--and would not--take away from his accomplishments, but his talking points sound like they came from a magic 8-ball or a doll that talks when you pull the string. "Keep the horses in the barn" and "don't mix production with non-production" and "I before E, except after C"....blech. What a douche nozzle.
No I don't think so, I'm going to have to disagree on this parent post.
Yours,
Patrick "Shithook" Bateman, ESQ.
Foolishness has a value all it's own.
The only difference I see between XPI and ActiveX, from the point of view of security, is that XPI makes you jump through an extra dialog for trusting sites, and wait an extra 10 seconds (oh, no, it's 3 seconds) before presenting you with the "yes, I want to spread my legs" dialog.
It's harder to accidentally click OK with XPI. But it's still possible. It still puts J Random User in the position of deciding "do I want to install this program" right then and there. And it still means that there's a code path in the browser to grant remote scripts local-user rights.
Safari makes it a little harder with Dashboard widgets, in that you still have to run the installed Dashboard widget in Dashboard... a separate step, that you don't take in the same reflex operation. But it's still more of the same basic design flaw: the idea that it's OK for software to be automatically downloaded and installed at the request of untrusted sites, rather than explicitly by the user.
Yes, there are a lot of good security designs being pushed by open source groups. That doesn't mean that open source is some kind of magic paint that makes bad designs impossible. That doesn't mean that closed source and proprietary systems are using evil paint that prevents them from using good design principles... consider that bad as Lan Manager was, at least it didn't make the mistake of treating an IP address as a security token, like certain open-systems protocols still do.
"We" includes the people who are doing stupid stuff, as well as the people who are doing smart stuff, and as long as the people doing stupid stuff are widely used and successful products like Firefox, and the people doing smart stuff are obscure products like OpenBSD, then "we" really does include people from all sides of the open-vs-proprietary debate.
Alas.
You would have had a great time around '68. Too bad we failed. However, there is still hope that the Vogons come around.
Namaste — CC.
TaijiQuan (Huang, 5 loosenings)
Yeah - it's the troutware that OS X users have really got to be worried about now...
http://xkcd.com/313/
I never said anything about open source.
...
Beg pardon, the products you listed were primarily open source, so I jumped to that conclusion.
My point is that deep security problems are not limited to Windows. I will happily agree that they are one of the worst examples, and I will happily agree that there are alternatives to Windows. The implication I read in your message was that as long as you avoid Microsoft you're home free. If you didn't intend to imply that, I apologize for overreacting, but the fact that there are many non-Microsoft organizations that do a great job of security doesn't mean that they're even in the majority let alone common enough to assume that you can just "dump Microsoft" and have done with it.
On the other hand, I think you're reading something into my post that I didn't put there either.
XPI has access to the Mozilla application. ActiveX has access to the entire operating system..
The XPI installer API grants the installer the ability to create local files and execute them directly. This gives you full native user access without restrictions, AKA "access to the entire operating system".
But even if I grant you the fact that you need to jump through one more trivial hoop with XPI than ActiveX, and grant that it matters, the point is not that "XPI is just as bad as ActiveX", but that XPI suffers from the same kind of design flaw as ActiveX: it provides a mechanism for an untrusted object to request full local user access.
The difference between "clicking on a dialog box that's presented to you by the browser" and "opening an installer from the file manager or command line" is substantial.
The former is something that users are conditioned to doing, routinely, by operating system and application components that ask them if they REALLY want to delete that file, close that window, shut down, log out, turn on,
The latter is something that the user does on their own schedule. They can leave that package on the desktop unopened, in perfect safety, while they go ask Joe in IT what to do about it. They don't mind that. They're used to dowloading files today and doing something with them tomorrow.
They do mind leaving a dialog (a modal dialog, at that) open. It bothers them. They want to close it, and they're used to just clicking OK. Making the dialog more complex doesn't make that much difference. Making them whitelist the site does matter, some, until they have enough sites whitelisted that someone can use a cross-site attack on one... turning a cross-site exploit into a remote execute attack. And that's not a "deep" difference between XPI and ActiveX, because ActiveX can be similarly configured by a site policy (it isn't, in most cases, but it's certainly possible to automatically refuse ActiveX without a dialog if it's not from some particular 'zone').
The difference between these two approaches - content-based and user-based requests for execution of potentially untrusted code - is huge. Almost all users can learn not to explicitly run untrusted programs. It may take being bitten once, but it almost never requires a second lesson. I have only once, in ten years as a network admin with hundreds of users, had a guy come to me a second time because they thought their computer was infected after they'd opened some random file on the desktop. I have had many of them come to me over and over again because they'd approved an unexpected "do you want to run this thing I just downloaded?" dialog.
The bottom line is that an approval dialog is not a security feature. Approval dialogs are useful in some cases where a user is about to perform an operation that's not reversible and has serious consequences, as a convenience for the user, but an approval dialog should not be considered in analyzing the security of a system because people are conditioned to approve them by reflex.
Whitelisting is a stronger constraint, especially if the user has to explicitly enable the whitelisted site in a s
It's very different. Buying the Codeweavers products will just provide money to the Crossover developers, and will not help the community. Sponsoring Codeweavers and the Crossover products is making Linux NON-FREE (oh, if you want to use Office, you have to PURCHASE crossover), which is very different than having a free implementation of the Win32 API (Linux supports MS Office FOR FREE! Just install Wine!).
One of the reasons for not using Linux is incompatibility with Windows software. By asking for money, Codeweavers are effectively holding Windows compatibility hostage for a ransom. That goes against the Free as in Freedom philosophy of GNU/Linux. In fact, Codeweavers forked Wine (a free software) and began selling it with their adaptations. What does the community get from them? NOTHING!
Codeweavers are just leechers, they wouldn't be earning money if Wine hadn't been released into the public. And I wonder whether Linux adoption would have arrived earlier if they had given back their software to the community.
This is why I cannot promote Crossover. Donating to Wine is the way to go.
But how do we know that the tools we believe give us these things, are actually working correctly?
A capability design is actually quite simple. To get it right is not hard at all, relatively speaking. Most of the languages I mentioned already have a capability core, and they went out of their way to bypass it. Securing those languages means removing features, not adding them.
Of course, reasoning about complex systems assembled from myriad low-level objects can be quite complex. Security experts usually try to tackle complex systems using high level policies and then verifying that the model enforces the policy. SCOLLAR is such a verification tool for capability systems.
Then comes the task of verifying the implementation is faithful to the model. Ultimately, verification is a problem in any field. How do mathematicians guarantee their proofs are correct? They check it, they mechanize it in an automated theorem prover, etc. How do we prove the theorem prover is correct, or the reviewers didn't make a mistake? Other people triple-check, audit the code, prove the code correct using another theorem prover, and so on.
The benefits of capabilities here are two-fold: 1) POLA implies partitioned subsystems, which means modularity and locality, which facilitates auditing (which is almost intractable for any existing system since they require global knowledge instead of just local knowledge), and 2) they actually have a verifiable security model with which we can reason about high-level policies. If you check the security literature, access-control list systems are known to be unverifiable and so we can't reason about their security properties with sufficient confidence.
Regarding root-kits, certainly any vulnerabilities are exploitable, but by the very nature of POLA the damage of any one exploit is isolated to a particular subsystem, akin to puncturing the skin at best; exploits in current systems are total penetrations, a veritable knife to their hearts.
Higher Logics: where programming meets science.