Slashdot Mirror


Security in Ten Years

Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc., looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."

13 of 154 comments

  1. Creativity by foobsr · · Score: 1, Interesting

    From TFA: "Think of the iPhone model: You get what Apple decides to give you, and if you try to hack your phone, they can disable it remotely. We techie geeks won't like it, but it's the future. The Internet is all about commerce, and commerce won't survive any other way."

    Amen.

    An incredibly creative approach.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
    1. Re:Creativity by Kadin2048 · · Score: 5, Interesting

      yeah wow so creative that cable box makers/companies have been trying the same nonsense for the better part of 10 years and look how well it's worked for them - it's spawned a legion of hackers all trying to outdo each other at the speed they can create hacked cable cards. Yeah, and how many people do you know who have hacked cable boxes? I don't know any, and I have some pretty geeky friends.

      The point isn't what a few elites can do, it's what regular people can do. That's the benefit of technology, because it's what drives social change. (Incidentally, I think it's what a lot of geeks don't "get" sometimes.) History books will write about the Internet as a 1990s phenomenon, even though it existed long before, because only in the 1990s could most people use it. And it was only when lots of people started using it that it started to have effects that could be felt everywhere; that's when it started to change everything.

      Dismissive hand-waving about hackers misses the point: when you limit the number of people who can effectively use a technology to a small number of hackers or hobbyists, you hobble the technology and you sharply reduce the effect that it could have had.

      It's a pernicious problem because it's difficult to quantify the loss due to technology that the masses either never get, or never get in a form that's useful to them. How do you quantify the social benefits of a CableCard or DVR standard that doesn't suck royally? (The ability for everyone to do what I can do on a MythTV box: pause a program on one TV, walk away, and resume it from another one in a different part of the house an hour later?) It's not something that's easy to measure, but there's obviously some benefit there, even if it's not exactly a cure for cancer. Every time a company locks a product up and makes it difficult for a user to really take full advantage of its capabilities, we all lose a little. Or rather, we just fail to get something that we could have.
      --
      "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
    2. Re:Creativity by smallfries · · Score: 2, Interesting

      I thought that quote was a bit weird as well. It's not the first time that Bruce has sounded like a tool, from Bruce's own mouth. If the internet is all about commerce now - did they forget to send the memo to the owners of all the non-pay sites? I guess academics and the open-source crowd are shit out of luck.

      The other odd claim was that we haven't invented a new crime in 1000 years. In a discussion about computer security? Trying to relate hacking to "impersonation" or lockpicking (which he didn't list) is a tenuous link at best. How does DRM circumvention get described using 1000-year-old criminal terminology? If you're going to try then you have to pretend that DRM is some sort of lock...

      --
      Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    3. Re:Creativity by veganboyjosh · · Score: 1, Interesting

      But you don't seem to place any value on the sheer defiance of it all.

      Oh. I do now. But back then, it just seemed like as soon as he got his new descrambler in the mail, the cable company would re-scramble their signal, so he'd have to get a re-descrambler, etc etc. To the point where he had 4 or 5 black boxes on top of his TV, to get through all the crypto that got added as the cable thieves got better tech.

      At some point, my dad opined (and it made sense then, and it makes sense now) that it was probably the cable companies selling the black boxes in the back of home theater magazines...Since that sense of defiance is what a lot of the early cable hackers were about, more than the money. The cable company doesn't care if you want to feel defiant, especially if you're paying for it...

  2. Re:Well by AKAImBatman · · Score: 2, Interesting

    The problems will definitely NOT be the same.

    Which is why after 40 years of computing, we're still getting hacked by buffer overflows.

    It will be exactly the same until a charismatic visionary steps up to the plate, gets funding, and pushes one of the many well-known alternatives to today's Operating System and code design. Java and .NET* are a good start. Let's take it that much farther.

    * Sorta. When it's not exposing brain-dead APIs lower in the system.
  3. Two Internets by mrbluze · · Score: 2, Interesting

    In 10 years there will be two internets. One for educated, free-minded people and one for everyone else. The educated, free-minded ones will have the ability to discuss anything openly and freely, but nothing they do can be seen by the rest of the public. That's because they will all be in special concentration camps in an unknown location, awaiting re-education or enlistment into various secret government jobs.

    The rest of the internet will be limited to a relatively small list of 'allowable' applications which are run by thin clients that boot off the network - all of it controlled by megacorporations and all of the traffic and computer behaviour monitored.

    This is the future of trusted computing. They know they can trust you, because you can't do anything with your computer that they didn't let you do.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  4. Re:Still the Same by hedwards · · Score: 2, Interesting

    Perhaps I'm a bit of an optimist, but I hardly believe that we will be in a similar situation 10 years from now in terms of security.

    I don't think that it's necessarily going to be good, but I hardly think that it is a lost cause at this point.

    What a lot of people seem to forget is that during the 80s and a ways into the 90s, the primary means of compromising a computer was to type commands directly into it. Sure there were networks, but they were a minority of the total computers, and they were costly enough and complex enough that people didn't sit in front of them without a fair amount of study. That is still the best way to undermine a security model, but it isn't the only way.

    As things switched to being wired, and now wireless, it was more or less inevitable that crackers would gain a foothold. With a much easier time finding machines and the ability to log in via the net rather than just in person, of course the number of trojans and such is going to go up.

    I think that educating users about security and possibly throttling bandwidth on computers that are likely to be infected isn't given enough credit for their potentials. Just getting users to not click on links in spam and to know how to maintain antimalware/antispyware would go quite a ways. I don't think that it would solve the problem, but it would help out quite a bit. Better yet, holding the companies that are advertised via spam accountable would put a serious dent in those rates, as would getting people to stop clicking the links.

    Domainkeys and SPF seem to be having some effect; I'm not sure how else to explain why my non-Domainkeys account gets such a large amount of spam and my account with both gets so little. I can't imagine that the increase a couple of weeks ago from 20 a day to 300 a day in the former isn't in large part due to lesser controls. The latter account hasn't seen a noticeable increase; I still get fewer than 5 per day on average.

    That doesn't even include the hardware updates which only recently have been put into computers. I would be surprised if the mechanisms are as effective as they will be.

    So, I guess what I'm saying is that we definitely have a fair number of options that haven't yet been tried, and as such it really is premature to assume that things will be like they are now in 10 years or worse. It's unlikely that things are going to be much worse in 10 years than they are now.

  5. Re:Skynet by dougmc · · Score: 2, Interesting

    What seems more likely would be some sort of technological singularity happening sometime after we start making intelligent machines. Of course, this might turn into this `Skynet' that you're referring to -- but if it does, I don't think there will be much of a chance of humankind prevailing if the machines decide that we should be gotten rid of.

  6. I said it before... by MichaelCrawford · · Score: 3, Interesting
    From I Don't Know What This New Internet Will Look Like, which began life as a Slashdot comment:

    ... but I am as confident as I am that the Sun will rise tomorrow that it will be safe from terrorists. After all, we have the children to think about.

    July 12, 2005

    Copyright © 2005 Michael David Crawford.

    This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.

    It seems that David Clark, who led the development of the Internet way back in the '70's - did you know there even was a '70's? - wants to create a whole new Internet that will fix many of the problems the current Internet is plagued with. The New Internet's engineers will be much more careful this time around to make sure it works better than the first one did.

    I'm afraid, though, that the engineers are not the only ones who will be deciding how our New Internet will work.

    If one is able to find any privacy or anonymity in this New Internet, it will be because of some undiscovered security hole, which will be quickly repaired, rather than any kind of conscious design decision. Probably one reason they are accepting proposals before rolling it out is to avoid the sort of accidental security holes that enable pr0n, peer-to-peer filesharing and left-wing political activism.

    Microsoft, a leading contributor both to this nation's technology base and to the campaign coffers of its leaders, will embrace this new technology and extend it in such a way that the development and dissemination of Open Source software will be, if not mathematically and physically impossible, at least as intractable as factoring a 2048-bit public key.

    Imagine, if you will, Trusted Computing implemented at the router level, in such a way that any packets that go farther than one hop are certified not only to support protocols whose patent licenses are fully paid-up and on file with the legal department in Redmond, but whose content is compliant with the Windows standard. The faintest wisp of a Public License, GNU or otherwise, will result in the dropping not only of the individual packet, not only in the cancellation of the entire file transmission, but, within microseconds, the reporting of the physical location of the offending server to responsible law enforcement personnel. The identities of its rogue administrators will be fetched instantly from the database maintained by the Department of Homeland Security. (You will have to submit fingerprints and DNA samples to obtain a Windows server license, as after all, Internet servers can be used to disseminate explosives r

    --
    Request your free CD of my piano music.
  7. Security by KinakeM · · Score: 3, Interesting

    I admire Schneier for his work over all these years. I think everyone should... it's required reading for some of us ;-P

    I think what I most agree with is Schneier's contention that security is really about people or services. And therefore, the consequences of having poorly trained and educated people are in kind, regardless of how sophisticated or brilliant the math is. (SIDE: I can't stand the mathematicians. I am a physicist. We score more e.g. Schrodinger, Einstein, Feynman... were all pimps. Newton died a virgin. Turing was gay. Godel was emaciated and his wife just had to be cheating on him.)

    What bothers me most about a security craze is the trade-offs one has to accept. Kind of like laws in physics i.e. momentum and position or energy and time. In my opinion, it looks like functionality and security are the two factors we need to juggle. But with the service-side being pushed, it's apparent how much functionality is really strained with more than just security but also competence. You all know this anytime you try to get support.

    Anyhow, just putting in my two cents. Cheap as it is. I understand that the mark of our civilization as commonly encountered is all this technology, but I am starting to get the feeling that maybe all the technological progress is so short-sighted because we just are not capable of being civilized. Therefore... we get these half-measures, "band-aids" and "patches."

    --
    All science is either physics or stamp-collecting.
  8. Re:Skynet by naasking · · Score: 2, Interesting

    A leap in security technology will take a requisite leap in human intelligence.

    Not at all. A leap in security will take a requisite change in our development tools, from identity-centric abstractions, to authorization-centric abstractions so we can achieve the Principle of Least Authority (POLA) for all software. Ultimately, it's not about adding security, it's about removing insecurity; most languages have insecure abstractions baked into them, and when those are removed, the resulting software is significantly more secure, and yet, poses no significant burden on the developer; quite the opposite in fact: the software becomes more modular and maintainable. See the discussions on capabilities, and the E, and Emily capability-secure programming languages for examples. There have been numerous case-studies on the vulnerabilities of identity-centric services, and how they were rectified by refactoring the service to use authorization-centric models.
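The identity-centric versus authorization-centric contrast above, as an added example that is not code from the thread or from E/Emily: the same log-viewer component written once with ambient authority over a global filesystem and once given only a capability for the single file it needs, with an attenuated read-only handle and a revocable forwarder. Python does not enforce capability discipline, so this shows the design difference rather than a sandbox; FILES, the paths and all names are constructed.

```python
# Constructed in-memory "filesystem" standing in for the real one.
FILES = {
    "/var/log/app.log": "ok: user login\nerr: disk full\n",
    "/etc/secrets.txt": "db_password=PLACEHOLDER-NOT-REAL\n",
}

class AmbientFS:
    """Identity-centric: everything the process identity may touch is reachable."""
    def read(self, path):
        return FILES[path]
    def write(self, path, data):
        FILES[path] = data

def ambient_viewer(fs, path):
    # One wrong argument and the viewer reads (or could clobber) unrelated files:
    # its authority is whatever the caller's identity allows, not what it needs.
    return fs.read(path).splitlines()

class ReadCap:
    """Authorization-centric: a handle that permits only read() of one file."""
    def __init__(self, path):
        self._path = path  # no write(), no listing, no parent directory
    def read(self):
        return FILES[self._path]

class Revocable:
    """Forwarder pattern: the grantor can cut the capability off later."""
    def __init__(self, cap):
        self._cap = cap
    def read(self):
        if self._cap is None:
            raise PermissionError("capability revoked")
        return self._cap.read()
    def revoke(self):
        self._cap = None

def pola_viewer(log_cap):
    # The viewer can do exactly what the capability allows: read that file.
    return log_cap.read().splitlines()

def demo():
    leaked = ambient_viewer(AmbientFS(), "/etc/secrets.txt")  # ambient reach
    cap = Revocable(ReadCap("/var/log/app.log"))
    lines = pola_viewer(cap)                                   # least authority
    cap.revoke()
    try:
        pola_viewer(cap)
        revoked = False
    except PermissionError:
        revoked = True
    # (secret lines read via ambient authority, log lines via the capability,
    #  whether the capability exposes write(), whether revocation took effect)
    return leaked, lines, hasattr(cap, "write"), revoked
```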

  9. Other resource costs in 10 years... by my_left_nut · · Score: 2, Interesting

    may make this issue moot.

    Or perhaps at least turn some of us now law-abiding citizens into "criminals" (and some to "cyber-criminals") as things get more desperate and people can't make ends meet. Or, more often, see whatever dreams they may have entertained vanish in a puff of greasy black smoke.

    Take one crucial resource, gasoline, for example:

    http://www.oregon.gov/ODOT/CS/FS/gas_prices.shtml

    Taking the average of the 1997 values and the average of the 2007 values, Jan-Aug of both years, at least in Oregon:

    Cheap gas is now 2.19 times the average 1997 value.
    Mid is now 2.15 times the 1997 value.
    Premium is now 2.07 times the 1997 value.

    Has your salary doubled? Is your money worth more than it was then for real things like food, housing, and transportation? Do you think it will double again?

    If the existing trend continues by 2017, (and we are making the assumption that there will still be low, medium, and high grades) gasoline will for that year be at or around:

    $2.85 x 2.19 = $6.23/Gal
    $3.00 x 2.15 = $6.44/Gal
    $3.08 x 2.07 = $6.40/Gal

    And there's every indication that the rate of price change will probably increase - which means we're probably looking at $7.00 to $7.50/gallon rates here in the US by then.

    Now, before you Europeans say, "we already pay like $8/gal, so what" - you have to understand that we here in America use our cars a whole lot more, since most of the public transport, like trains, was dismantled in the 1950s in favor of interstates. You guys may pay more, but you also don't depend on automobiles as much as we do.

    And that's just one crucial resource - namely gasoline.

    So, what's this have *directly* to do with computer security? Well, not a whole helluva lot, aside from the fact that you don't know what other things will cause people to want to cheat, steal, lie, etc. As these resources get scarcer and more expensive, I think people who were formerly in the entitlement mode of "we can get something for nothing" are soon going to find out that isn't the case, and when they do, they're gonna want to get what they used to have, or thought they used to have at some point - either by breaking and entering, or via identity theft, etc.

    I think you're always going to have the mischief-style, bored script kiddie type cyber-criminal. But I think you're gonna see an increase in the other, desperate kind due to these impending cheap-resource-scarcity issues.

    The way to cut out much crime related to this, and hence make things more secure, is for local governments to come together to ensure that people have the resources to make a decent living, can afford the basics, and at least have an illusion that they can put money away for a future where it will be worth something. That is, create conditions non-conducive to the "demand" side of that sort of crime, cyber or otherwise.

  10. Re:making stupidity _less_ painful by Anonymous Coward · · Score: 1, Interesting

    Statistically speaking 50% of the population has below average intelligence. Add that to the old saying "A fool and his money are soon parted" and you'll see why media, advertisers, etc... all pander to the lowest common denominator. They make up half the population and are much easier to get money from.