Slashdot Mirror
Security in Ten Years
Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc. looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."
It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
"Those who are willing to give up a little liberty for a little security, will deserve neither and loose both. Or something."
-Ben Franklin
what a fucking visionary
Software Freedom is never mentioned. Instead the authors depressingly assume a complete triumph of ISPs and software owners. No wonder their outlook for "security" is so bleak. Real security comes from freedom. Every step away from freedom hands someone else a tool to hurt you. Their future is too bad to let happen and it won't because it will be too expensive.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
We will have become used to having a small number of portals that provide the vast majority of the data we will be allowed to access (for a fee, of course) and security will have become the problem of these portals.
Users simply won't have much incentive to surf freely from site to site as there will be so little free data available. Therefore the sort of security issues we have today will have gone away. The problem in the future will be for providers (that's you amd me bloggers and other website owners) to prove to the portals that they are clean and meet the standards of the day.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
It's an arm's race, new and better hacks' spur new and better protection which spurs better hack's and so on...Just like today there won't be any one solution to provide security and their won't be anything that's 100% secure. No matter what the speed of the processor.
Without a change in attitude, both on the developer side and on the customer side, the problems will remain the same. I do not see that attitude change happening.
Well worth the read.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
A leap in security technology will take a requisite leap in human intelligence. IDS systems do a couple of things well. Routers do a couple of things well. Antivirus software does a couple of things well. Nobody has put them all together in an intelligent way, nor have they replaced them with an intelligent alternative. Remember that any computer system is as dumb (read useless) as the dumbest asshat human operating it. (place old adage here) When you build an idiot proof system, the idiots only get smarter.
And I quote TFA I'd like to officially modify my position somewhat: I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace -- and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies? Not to be all pessimistic on the great new security shock and awe campaign, but it will only work when we can get universal agreement from all humans (and possible non-humans) to not mess with it or obstruct its operation in any way. (queue other bad science fiction films here) Uhmmm, yeah, that's going to happen. Tell me again, when will the last Win95 system be decommissioned?
total security... no
really good security... possibly
good enough security... probably
thought it was good security... most likely
Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.
Support NYCountryLawyer RIAA vs People
Just a thought that crossed my mind the other day (actually after watching "Idiocracy" on TV).
By making our products ad foolproof as we can aren't we inviting fools to use them? And, by doing so, aren't we removing an evolutionary pressure that prevented really dumb people from being socially functional?
Are we making stupidity _less_ painful?
http://www.dieblinkenlights.com
i think my point is valid though, that bricking devices has been tried and failed long before the ipod.
If you mod me down, I will become more powerful than you can imagine....
Technology in 10 years will be much more ubiquitous. While attacks will go more "high tech," end users intelligence will drop. Take for instance right now, "net savvy" users of Myspace? "Net savvy" enough to use google, but that's really about all they can do. People don't care about security, they just take it for granted. When I worked in IT, I was shocked at how many people had their passwords on post it notes on the monitors, or the number of VPs that wrote their password down and just handed it to me. This will get worse in the future as the the growth of technology also increases the ease of use. But not user education.
It's only going to get worse because it'll only get easier for people to get online or use/get access to a computer.
I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.
That's not to say that security is perfect. But in the balance of security versus convenience, privacy, and general humanism, I think we're resting in a perfectly reasonable situation.
You know, I'm pretty sick of people calling for more security in everything. A few weeks ago, someone stole an infant out of a hospital nursery -- walked right out the front door. Millions of people yelled that hospitals need more security -- even though it hadn't happened in this city for decades.
I spent two weeks in the middle-east many years ago. When you see armed security guards outside every pizza parlour, it's not a warm and fuzzy feeling.
And that's not even raising the issue of false positives.
How does DRM circumvention get described using 1000-year old criminal terminolgy
;)
What, suddenly "stealing" isn't good enough?
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
First of all: DRM is some sort of lock.
Second: Reverse engineering keys is as old as creating locks.
Third: Having a librarian in a monastry's library was also some kind of DRM. He was the arbiter who decided (sometimes after consulting with the abbot) which monk was entitled to which book, and when he had to return it.
2) Businesses by and large don't want to change or don't know how to change. Security isn't a title or job or position, or even a department, it's a matter of policy and every member of the enterprise takes part in some way. If you don't solve that problem, you'll never solve the larger problem, certainly not with point solutions that scan email or network traffice or logs looking for "insecurity" and vulnerability and attacks. The single biggest step any organization can take to improving security is to write a concise policy and educate every single employee and maintain some accountabilty. You can't simply buy something and get "security." It requires changes in habbits, changes in attitudes, and education. I think this is very hard, so many businesses have become so lazy that their work forces kind of look at policies and scoff, it takes a lot of strong leadership to change that kind of culture. It also crosses technological lines as well as physical, you lock your car doors right? You lock your house when you leave right? Do you lock your desk or office door at work when you leave? Places are willing to pay cintas to shred documents and iron mountain to store documents but they don't take that policy to their working rank and file. Developing a culture of security will do far more than any product you can buy on the market. Do employees know what to do with intellectual property? Do they even know what the company's intellectual property is?
3) The "security industry" has largely been a money grab. After 9/11, the US Federal governement published some figures about federal security spending and basically it was going to grow exponentially over the first 10 to 15 years of this century. Hundreds or maybe even thousands of companies were formed to try and exploit that. What is totally amazing to me is how few of them are actually about really increasing security, these are all for profit businesses. What's more amazing, is how stupid the consumers are that bandwagon them and go along with the feature plays. Take NAC for example, basically the idea to to authenticate devices or users as they enter a network and possibly restrict their access based upon some policy. The policy can be anything, it could be permissions set in a RADIUS or LDAP database, it could be based upon the results of some sort of scanning system, it could be based upon time of day. Rather than pushing the auth component or the policy aspect all these jackasses are concerned with scanning the end point device for anti-virus software or whatever. It strikes a chord with certain IT types, they think "oh yes, I need to scan the devices on my network before they enter the network, that will make everything better" but there isn't a correllation between that and
* Security that protects the customer, versus,
* Security that screws the customer.
It's true that the Internet is all about commerce. But that commerce will (rightfully) fail if it screws the customer.
Hacking the iPhone is a reaction by customers to getting screwed.
Breaking the iPhone's security will not hurt Internet commerce in the least. It has absolutely nothing to do with security that protects the customer.
Trying to guess where security will be in 10 years may be fun, but useless.
Just think back to 1997 and imgine how impossible it would have been to predict where things would be today. In 1997 state of the art was windows 95. In 1997 people were more worried about getting a virus from a floppy than over their network. In 1997 the word phishing didn't exist. In 1997, there had never been a virus that had been the top news story of the day. In 1997 most homes didn't have an internet connection, most businesses didn't have an internet connection, and the businesses that did rarely would have every desktop in the company able to go online. In 1997 many forms of active content that are now part of darn near every web page didn't exist. (I could go on, but you get the point)
Those two words, jumped right out at me from the page. Seriously, I don't think there I have seen a more succinct and accurate way to describe Microsoft's "Trustworthy Computing Initiative", than "Software Stalinism".
The ironic thing is that by centralizing all of your data and services, you make your network more vulnerable to denial of service attacks and more vulnerable to sabotage because all of the data is managed by one entity. Even if you have a very sophisticated backup system, those backup systems are vulnerable as well to sabotage.
ARPANet was designed in such a way that if a bunch of nodes were taken down through sabotage, accident, military strike or whatever, the network as a whole would still be functional. Unfortunately, the trends are toward turning the brilliant P2P design of the internet into a giganto sized version of a corporate network where everything is centralized and controlled.
Client/Server networks are great for a lot of things, but they are inherently vulnerable to all the pitfalls of centralized command and control systems as they scale. Just like communism works fine and dandy for very small groups of people (like primitive hunter/gatherer tribes), communism starts to have big problems once it tries to scale to larger and larger sizes. Capitalism does not work at all on a very small scale because you need a critical mass of people to establish a fair market value for goods and services, however, capitalism does shine as the size of the markets increase in size.
In other words, you can compare Client/Server networks to Communism and P2P networks to Capitalism if you think of people as nodes on a network whose value on that network is determined dynamically and democratically just as money is a democratic tool to vote for the value of a good or service as opposed to having their value on the network determined statically and autocratically in the way command and control economies impose price controls and central planning with regard to goods and services.
The direction Microsoft and unfortunately much of the software world seems to be going with this "software as a service" and the centralized authentication schemes that support "software as a service" I feel is a huge disaster waiting to happen. If I was a terrorist or an agent of a foreign nation and I wanted to take down the economy of the United States overnight, I would prefer to be be dealing with a command and control computing monoculture than one that is fragmented, redundant, and diverse.
It is both sad and alarming that many Americans reflexively feel that the way to have better security is to centralize computing operations rather than spread computing operations to as many interconnected nodes as possible.