Slashdot Mirror


Security in Ten Years

Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc. looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."

5 of 154 comments

  1. Software Freedom. by Erris · Score: 5, Insightful

    Software Freedom is never mentioned. Instead the authors depressingly assume a complete triumph of ISPs and software owners. No wonder their outlook for "security" is so bleak. Real security comes from freedom. Every step away from freedom hands someone else a tool to hurt you. Their future is too bad to let happen and it won't because it will be too expensive.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  2. Re:Skynet by zappepcs · Score: 4, Insightful

    Actually, that may be the way things go, with the near typical science fiction results. The trouble with such a system (which should be obvious) is that it would be written/programmed by the same people that can't get security correct right now.

    A leap in security technology will take a requisite leap in human intelligence. IDS systems do a couple of things well. Routers do a couple of things well. Antivirus software does a couple of things well. Nobody has put them all together in an intelligent way, nor have they replaced them with an intelligent alternative. Remember that any computer system is as dumb (read useless) as the dumbest asshat human operating it. (place old adage here) When you build an idiot proof system, the idiots only get smarter.

    And I quote TFA

    I'd like to officially modify my position somewhat: I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace -- and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies?

    Not to be all pessimistic on the great new security shock and awe campaign, but it will only work when we can get universal agreement from all humans (and possibly non-humans) to not mess with it or obstruct its operation in any way. (cue other bad science fiction films here) Uhmmm, yeah, that's going to happen. Tell me again, when will the last Win95 system be decommissioned?

    total security... no
    really good security... possibly
    good enough security... probably
    thought it was good security... most likely

    Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.

  3. umm ineffective? by holophrastic · Score: 4, Insightful

    I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.

    That's not to say that security is perfect. But in the balance of security versus convenience, privacy, and general humanism, I think we're resting in a perfectly reasonable situation.

    You know, I'm pretty sick of people calling for more security in everything. A few weeks ago, someone stole an infant out of a hospital nursery -- walked right out the front door. Millions of people yelled that hospitals need more security -- even though it hadn't happened in this city for decades.

    I spent two weeks in the Middle East many years ago. When you see armed security guards outside every pizza parlour, it's not a warm and fuzzy feeling.

    And that's not even raising the issue of false positives.

  4. Re:Creativity by Sique · Score: 4, Insightful

    First of all: DRM is some sort of lock.
    Second: Reverse engineering keys is as old as creating locks.
    Third: Having a librarian in a monastery's library was also some kind of DRM. He was the arbiter who decided (sometimes after consulting with the abbot) which monk was entitled to which book, and when he had to return it.

    --
    .sig: Sique *sigh*
  5. Software Stalinism! by MCTFB · Score: 4, Insightful

    Those two words jumped right out at me from the page. Seriously, I don't think I have seen a more succinct and accurate way to describe Microsoft's "Trustworthy Computing Initiative" than "Software Stalinism".

    The ironic thing is that by centralizing all of your data and services, you make your network more vulnerable to denial of service attacks and more vulnerable to sabotage because all of the data is managed by one entity. Even if you have a very sophisticated backup system, those backup systems are vulnerable as well to sabotage.

    ARPANet was designed in such a way that if a bunch of nodes were taken down through sabotage, accident, military strike or whatever, the network as a whole would still be functional. Unfortunately, the trends are toward turning the brilliant P2P design of the internet into a giganto-sized version of a corporate network where everything is centralized and controlled.

    Client/Server networks are great for a lot of things, but they are inherently vulnerable to all the pitfalls of centralized command and control systems as they scale. Just like communism works fine and dandy for very small groups of people (like primitive hunter/gatherer tribes), communism starts to have big problems once it tries to scale to larger and larger sizes. Capitalism does not work at all on a very small scale because you need a critical mass of people to establish a fair market value for goods and services; however, capitalism does shine as the markets increase in size.

    In other words, you can compare Client/Server networks to Communism and P2P networks to Capitalism if you think of people as nodes on a network whose value on that network is determined dynamically and democratically just as money is a democratic tool to vote for the value of a good or service as opposed to having their value on the network determined statically and autocratically in the way command and control economies impose price controls and central planning with regard to goods and services.

    The direction Microsoft and unfortunately much of the software world seems to be going with this "software as a service" and the centralized authentication schemes that support "software as a service" I feel is a huge disaster waiting to happen. If I was a terrorist or an agent of a foreign nation and I wanted to take down the economy of the United States overnight, I would prefer to be dealing with a command and control computing monoculture than one that is fragmented, redundant, and diverse.

    It is both sad and alarming that many Americans reflexively feel that the way to have better security is to centralize computing operations rather than spread computing operations to as many interconnected nodes as possible.