Slashdot Mirror


Security in Ten Years

Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc., looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."


  1. Software Freedom. by Erris · · Score: 5, Insightful

    Software Freedom is never mentioned. Instead the authors depressingly assume a complete triumph of ISPs and software owners. No wonder their outlook for "security" is so bleak. Real security comes from freedom. Every step away from freedom hands someone else a tool to hurt you. Their future is too bad to let happen and it won't because it will be too expensive.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:Software Freedom. by ColdWetDog · · Score: 2, Funny
      Twitter, will you stop it already? The FOSS system is great - probably the one thing that someone ten years ago would not have predicted. It, by itself and alone, will do nothing to stop the threats and problems that are likely to devil us in the future.

      If you could take nothing FTFA but "security is a process" then you would have progressed farther along the path of enlightenment than you usually get.

      Back to Digg with you! Begone!

      --
      Faster! Faster! Faster would be better!
    2. Re:Software Freedom. by dedazo · · Score: 3, Insightful
      Security is a process and a state of mind. Free software is not going to be some sort of silver bullet to the world's problems, and commercial software isn't going away any time soon, much as you would like that to be the case.

      Real security comes from knowledge, not freedom.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  2. Skynet by im_thatoneguy · · Score: 2, Funny

    It would seem like some sort of super intelligent artificial intelligence system which actively protects the cyber world would be the obvious solution to all of our problems. We should also give it some sort of cool name and since it sort of watches over the Internet like a big super powerful being in the sky we should call it skynet. That would solve all of our problems once and for all.

    1. Re:Skynet by zappepcs · · Score: 4, Insightful
      Actually, that may be the way things go, with the near typical science fiction results. The trouble with such a system (which should be obvious) is that it would be written/programmed by the same people that can't get security correct right now.

      A leap in security technology will take a requisite leap in human intelligence. IDS systems do a couple of things well. Routers do a couple of things well. Antivirus software does a couple of things well. Nobody has put them all together in an intelligent way, nor have they replaced them with an intelligent alternative. Remember that any computer system is as dumb (read useless) as the dumbest asshat human operating it. (place old adage here) When you build an idiot proof system, the idiots only get smarter.

      And I quote TFA

      I'd like to officially modify my position somewhat: I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace -- and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies?

      Not to be all pessimistic on the great new security shock and awe campaign, but it will only work when we can get universal agreement from all humans (and possible non-humans) to not mess with it or obstruct its operation in any way. (cue other bad science fiction films here) Uhmmm, yeah, that's going to happen. Tell me again, when will the last Win95 system be decommissioned?

      total security... no
      really good security... possibly
      good enough security... probably
      thought it was good security... most likely

      Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.

    2. Re:Skynet by dougmc · · Score: 2, Interesting

      What seems more likely would be some sort of technological singularity happening sometime after we start making intelligent machines. Of course, this might turn into this `Skynet' that you're referring to -- but if it does, I don't think there will be much of a chance of humankind prevailing if the machines decide that we should be gotten rid of.

    3. Re:Skynet by naasking · · Score: 2, Interesting

      A leap in security technology will take a requisite leap in human intelligence.

      Not at all. A leap in security will take a requisite change in our development tools, from identity-centric abstractions to authorization-centric abstractions, so we can achieve the Principle of Least Authority (POLA) for all software. Ultimately, it's not about adding security, it's about removing insecurity; most languages have insecure abstractions baked into them, and when those are removed, the resulting software is significantly more secure, and yet poses no significant burden on the developer; quite the opposite in fact: the software becomes more modular and maintainable. See the discussions on capabilities, and the E and Emily capability-secure programming languages for examples. There have been numerous case studies on the vulnerabilities of identity-centric services, and how they were rectified by refactoring the service to use authorization-centric models.
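The "identity-centric service" failure the comment above alludes to is the confused deputy, and the refactoring it describes is replacing a name-plus-identity check with a reference that carries its own authority. The following is an added example written for this page (my code, not from the thread and not from the E or Emily projects; every class, principal and path name is hypothetical) showing both models side by side:

```python
"""Identity-centric vs authorization-centric (capability) access control.

Added example for this page; not code from the thread or from the E/Emily
projects.  All names and paths are hypothetical.  Part 1 reproduces the
classic confused deputy: a service holding broad authority is handed a
*name* by a caller and uses its own identity to act on it.  Part 2 shows
the same service once authority travels with the reference (POLA).
"""
from __future__ import annotations

# --- 1. Identity-centric: ACL + ambient authority ---------------------------
ACL: dict[str, set[str]] = {
    "/data/alice.log": {"alice", "root"},
    "/data/bob.log": {"bob", "root"},
    "/etc/passwd": {"root"},
}


class IdentityFS:
    """Toy filesystem that authorises each write by *who* is calling."""

    def __init__(self) -> None:
        self.files: dict[str, list[str]] = {}

    def append(self, principal: str, path: str, line: str) -> None:
        if principal not in ACL.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.files.setdefault(path, []).append(line)


class LogDeputy:
    """Log service that runs as root so it can serve every user.

    The caller designates the file by name; the deputy supplies the
    authority.  That split between designation and authority is the bug.
    """

    def __init__(self, fs: IdentityFS) -> None:
        self.fs = fs

    def log(self, path: str, line: str) -> None:
        self.fs.append("root", path, line)


def confused_deputy() -> dict[str, list[str]]:
    """Filesystem contents after bob abuses the root-privileged deputy."""
    fs = IdentityFS()
    deputy = LogDeputy(fs)
    payload = "bob::0:0::/root:/bin/sh"
    try:
        fs.append("bob", "/etc/passwd", payload)   # refused: bob not on ACL
    except PermissionError:
        pass
    deputy.log("/etc/passwd", payload)             # deputy does it for him
    return fs.files


# --- 2. Authorization-centric: designation == authority ---------------------
class CapFS:
    def __init__(self) -> None:
        self.files: dict[str, list[str]] = {}


class AppendCap:
    """Holding this object *is* the authority to append to one file.

    Python cannot make it unforgeable the way an ocap language does; the
    point is that the deputy's interface no longer accepts a bare name.
    """

    __slots__ = ("_fs", "_path")

    def __init__(self, fs: CapFS, path: str) -> None:
        self._fs = fs
        self._path = path

    def append(self, line: str) -> None:
        self._fs.files.setdefault(self._path, []).append(line)


class CapLogDeputy:
    """Same service, but it acts only on the capability it is handed."""

    def log(self, target: AppendCap, line: str) -> None:
        target.append(line)


def pola_version() -> dict[str, list[str]]:
    """bob holds exactly one capability; the deputy cannot escalate it."""
    fs = CapFS()
    deputy = CapLogDeputy()
    bob_log = AppendCap(fs, "/data/bob.log")       # handed out by a trusted loader
    # "/etc/passwd" is a string bob can type, not a reference he holds, so
    # there is no way to ask the deputy to write there.
    deputy.log(bob_log, "bob::0:0::/root:/bin/sh")
    return fs.files
```

In the first model every privileged service has to re-derive "may the *caller* touch this path?" on its own, and one that forgets is exploitable; in the second the question cannot arise because the only things a caller can pass are things it was already allowed to use.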

    4. Re:Skynet by eli+pabst · · Score: 2, Informative

      Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.
      TJMaxx may disagree with you on that last part.
  3. so much DRM, most data will be inaccessible by petes_PoV · · Score: 3, Insightful
    In 10 years' time so much of what we now take for granted will have been patented, copyrighted, DRMed, protected or licensed that the average net user will have much less access to information, and therefore much less reason to "surf".

    We will have become used to having a small number of portals that provide the vast majority of the data we will be allowed to access (for a fee, of course) and security will have become the problem of these portals.

    Users simply won't have much incentive to surf freely from site to site as there will be so little free data available. Therefore the sort of security issues we have today will have gone away. The problem in the future will be for providers (that's you and me, bloggers and other website owners) to prove to the portals that they are clean and meet the standards of the day.

    --
    politicians are like babies' nappies: they should both be changed regularly and for the same reasons
    1. Re:so much DRM, most data will be inaccessible by kebes · · Score: 3, Insightful

      We will have become used to having a small number of portals that provide the vast majority of the data we will be allowed to access (for a fee, of course) ... Users simply won't have much incentive to surf freely from site to site as there will be so little free data available.

      While I agree that DRM is a danger we must be wary of, I don't agree with your prediction that we will end up with a small number of "Internet portals," and will lose the "pluralistic" web we currently have.

      I had the same worry as you some years ago, but I would guess we are now beyond that particular tipping point. Quite simply, the diversity of the web is now "mainstream." The public at large is now very much used to having billions of web-pages out there, and are also getting used to the idea of self-publishing. The number of blogs and commenting systems is growing by massive amounts. I agree that some of this is hype that will die down, but my point is that now that people are accustomed to such things, they are not going to be willing to give them up. (Put otherwise, there will remain a market for such things.)

      I see the worry that people will increasingly get locked into content-portals like Facebook or whatever (where their data is captive)... but there are corresponding efforts to keep content open and free (Wikipedia, Creative Commons, OpenDocument, etc.). These efforts are also growing, and it may very well be that they will cross a tipping point soon enough (maybe they already have?) and they will be too "mainstream" to die.

      (Note: My post, of course, is subject to the usual inaccuracy of futurism: I could be totally wrong.)
    2. Re:so much DRM, most data will be inaccessible by tepples · · Score: 2, Insightful

      The public at large is now very much used to having billions of web-pages out there, and are also getting used to the idea of self-publishing.

      Sure, you can self-publish all you want, as long as you do it on a valid subscription to an operating-system-maker-approved web hosting service. And don't try to use a Free operating system; if you do, the dialer will detect that it is running on a configuration that your ISP does not support, and you won't get an IP address.
  4. Re:Well by AKAImBatman · · Score: 2, Interesting

    The problems will definitely NOT be the same.

    Which is why after 40 years of computing, we're still getting hacked by buffer overflows.

    It will be exactly the same until a charismatic visionary steps up to the plate, gets funding, and pushes one of the many well-known alternatives to today's Operating System and code design. Java and .NET* are a good start. Let's take it that much farther.

    * Sorta. When it's not exposing brain-dead APIs lower in the system.
  5. Re:Creativity by veganboyjosh · · Score: 4, Funny

    10 years? I remember my uncle trying to stay one step ahead of the cable companies back in the early 80's, ordering black box descramblers out of the back of Rolling Stone magazine, only to have the cable company then scramble the "newly" descrambled signal, and he'd have to find the new upgrade.

    In the end, I think it would have been easier and cheaper to just subscribe to the damn cable, but that's not the point.

    When I think of the history of hacking, of course there's the Homebrew club and its ilk, and all the phreakers, etc. Are there other groups that predate computers? I'm imagining a group of people like H.G. Wells and his friends in The Time Machine... sort of steampunk hackers, or something...

  6. I agree by gweihir · · Score: 3, Insightful

    Without a change in attitude, both on the developer side and on the customer side, the problems will remain the same. I do not see that attitude change happening.

    Well worth the read.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. making stupidity _less_ painful by rbanffy · · Score: 3, Insightful

    Just a thought that crossed my mind the other day (actually after watching "Idiocracy" on TV).

    By making our products as foolproof as we can, aren't we inviting fools to use them? And, by doing so, aren't we removing an evolutionary pressure that prevented really dumb people from being socially functional?

    Are we making stupidity _less_ painful?

  8. Re:Creativity by timmarhy · · Score: 2, Insightful
    We've only had cable in Australia for about 10 years I think, at least in my area, so I guess you're right, it predates my experiences.

    I think my point is valid though, that bricking devices has been tried and failed long before the iPod.

    --
    If you mod me down, I will become more powerful than you can imagine....
  9. Re:Creativity by Kadin2048 · · Score: 5, Interesting

    yeah wow so creative at cable box makers/companys have been trying the same nonsense for the better part of 10 years and look how well it's worked for them - it's spawned a legion of hackers all trying to out do each other at the speed they can create hacked cable cards.

    Yeah, and how many people do you know who have hacked cable boxes? I don't know any, and I have some pretty geeky friends.

    The point isn't what a few elites can do, it's what regular people can do. That's the benefit of technology, because it's what drives social change. (Incidentally, I think it's what a lot of geeks don't "get" sometimes.) History books will write about the Internet as a 1990s phenomenon, even though it existed long before, because only in the 1990s could most people use it. And it was only when lots of people started using it that it started to have effects that could be felt everywhere; that's when it started to change everything.

    Dismissive hand-waving about hackers misses the point: when you limit the number of people who can effectively use a technology to a small number of hackers or hobbyists, you hobble the technology and you sharply reduce the effect that it could have had.

    It's a pernicious problem because it's difficult to quantify the loss due to technology that the masses either never get, or never get in a form that's useful to them. How do you quantify the social benefits of a CableCard or DVR standard that doesn't suck royally? (The ability for everyone to do what I can do on a MythTV box: pause a program on one TV, walk away, and resume it from another one in a different part of the house an hour later?) It's not something that's easy to measure, but there's obviously some benefit there, even if it's not exactly a cure for cancer. Every time a company locks a product up and makes it difficult for a user to really take full advantage of its capabilities, we all lose a little. Or rather, we just fail to get something that we could have.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  10. Re:Creativity by smallfries · · Score: 2, Interesting

    I thought that quote was a bit weird as well. It's not the first time that Bruce has sounded like a tool, from Bruce's own mouth. If the internet is all about commerce now - did they forget to send the memo to the owners of all the non-pay sites? I guess academics and the open-source crowd are shit out of luck.

    The other odd claim was that we haven't invented a new crime in 1000 years. In a discussion about computer security? Trying to relate hacking to "impersonation" or lockpicking (which he didn't list) is a tenuous link at best. How does DRM circumvention get described using 1000-year-old criminal terminology? If you're going to try then you have to pretend that DRM is some sort of lock...

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  11. Two Internets by mrbluze · · Score: 2, Interesting

    In 10 years there will be two internets. One for educated, free-minded people and one for everyone else. The educated, free-minded ones will have the ability to discuss anything openly and freely, but nothing they do can be seen by the rest of the public. That's because they will all be in special concentration camps in an unknown location, awaiting re-education or enlistment into various secret government jobs.

    The rest of the internet will be limited to a relatively small list of 'allowable' applications which are run by thin clients that boot off the network - all of it controlled by megacorporations and all of the traffic and computer behaviour monitored.

    This is the future of trusted computing. They know they can trust you, because you can't do anything with your computer that they didn't let you do.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
  12. here is the problem... by mseidl · · Score: 2, Insightful

    Technology in 10 years will be much more ubiquitous. While attacks will go more "high tech," end users' intelligence will drop. Take for instance right now, "net savvy" users of Myspace? "Net savvy" enough to use Google, but that's really about all they can do. People don't care about security, they just take it for granted. When I worked in IT, I was shocked at how many people had their passwords on Post-it notes on the monitors, or the number of VPs that wrote their password down and just handed it to me. This will get worse in the future as the growth of technology also increases the ease of use. But not user education.

    It's only going to get worse because it'll only get easier for people to get online or use/get access to a computer.

  13. Re:Still the Same by hedwards · · Score: 2, Interesting

    Perhaps I'm a bit of an optimist, but I hardly believe that we will be in a similar situation 10 years from now in terms of security.

    I don't think that its necessarily going to be good, but I hardly think that it is a lost cause at this point.

    What a lot of people seem to forget is that during the 80s and a ways into the 90s, the primary means of compromising a computer was to type commands directly into it. Sure there were networks, but they were a minority of the total computers, and they were costly enough and complex enough that people didn't sit in front of them without a fair amount of study. That is still the best way to undermine a security model, but it isn't the only way.

    As things switched to being wired, and now wireless, it was more or less inevitable that crackers would gain a foothold: with a much easier time finding machines and the ability to log in via the net rather than just in person, of course the number of trojans and such is going to go up.

    I think that educating users about security and possibly throttling bandwidth on computers that are likely to be infected isn't given enough credit for their potentials. Just getting users to not click on links in spam and to know how to maintain antimalware/antispyware would go quite a ways. I don't think that it would solve the problem, but it would help out quite a bit. Better yet, holding the companies that are advertised via spam accountable would put a serious dent in those rates, as would getting people to stop clicking the links.

    DomainKeys and SPF seem to be having some effect; I'm not sure how else to explain why my non-DomainKeys account gets such a large amount of spam and my account with both gets so little. I can't imagine that the increase a couple of weeks ago from 20 a day to 300 a day in the former isn't in large part due to lesser controls. The latter account hasn't seen a noticeable increase; I still get fewer than 5 per day on average.

    That doesn't even include the hardware updates which only recently have been put into computers. I would be surprised if the mechanisms are as effective as they will be.

    So, I guess what I'm saying is that we definitely have a fair number of options that haven't yet been tried, and as such it really is premature to assume that things will be like they are now in 10 years or worse. It's unlikely that things are going to be much worse in 10 years than they are now.
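For readers wondering what the SPF half of that comparison actually decides, here is an added example (my code, not from the thread; the records, domains and addresses are constructed test data drawn from the RFC 5737 / RFC 3849 documentation ranges) that evaluates the mechanisms of an SPF record that can be checked without DNS against the IP of the connecting mail client:

```python
"""Minimal SPF (RFC 7208) evaluator for the DNS-free mechanisms.

Added example, not from the thread.  Handles ip4, ip6 and all with the
four qualifiers; a, mx, include, exists, ptr and redirect= need further
DNS lookups and are reported as "unsupported" rather than guessed at.
All records and addresses below are constructed test data.
"""
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"a", "mx", "include", "exists", "ptr"}


def check_spf(record: str, client_ip: str) -> str:
    """Evaluate one SPF TXT record for the connecting client's IP.

    Returns: pass, fail, softfail, neutral, none, permerror or unsupported.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                        # not an SPF record at all
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        qualifier = "+"                      # a missing qualifier means "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]

        # Modifiers are name=value; redirect= would change the whole evaluation.
        if "=" in term and (":" not in term or term.index("=") < term.index(":")):
            if term.lower().startswith("redirect="):
                return "unsupported"
            continue                         # exp= and unknown modifiers are ignored

        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qualifier]      # always matches; evaluation stops here
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # bare IP -> /32 or /128
            except ValueError:
                return "permerror"           # malformed network is a syntax error
            # A v4 network can never match a v6 client, and vice versa.
            if ip.version == net.version and ip in net:
                return QUALIFIER[qualifier]
            continue
        if name in NEEDS_DNS:
            return "unsupported"
        return "permerror"                   # unknown mechanism
    return "neutral"                         # ran out of terms without hitting 'all'


def spf_for_sender(mail_from: str, client_ip: str, dns_txt: dict) -> str:
    """Look up the envelope sender's domain in a (constructed) TXT table."""
    domain = mail_from.rpartition("@")[2].lower()
    record = dns_txt.get(domain)
    return "none" if record is None else check_spf(record, client_ip)


# Constructed records; the address blocks are reserved for documentation.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.17 ~all",
    "example.org": "v=spf1 ip4:203.0.113.0/24",
}
```

The result is only as strong as the record's terminal qualifier: a domain ending in `~all` (softfail) or publishing no `all` at all (neutral) gives a receiver little to reject on, which is one reason two mailboxes with different filtering can see such different spam volumes.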

  14. Re:Love those futurists by Cryacin · · Score: 2, Funny

    It's always interesting to read the tripe these people spout when attempting to predict the future:
    'In the year 2020 man will be as one with the four legged zebra, and so shall our notions of internet security!'
    'Could you elaborate please?'
    'We suspect hackers will become more sophisticated in their methods'
    'So where does that lead internet security?'
    'We suspect new security issues will be addressed as they become apparent'
    'So in ten years say, where will internet security be?'
    'I believe I addressed that question previously with my statement of man becoming as one with the four legged zebra'

    I see it more as an angry mutant sea bass with a frikkin la-ser on its head.

    And if you disagree with me sir, I shall slap you with it!
    --
    Science advances one funeral at a time- Max Planck
  15. umm ineffective? by holophrastic · · Score: 4, Insightful

    I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.

    That's not to say that security is perfect. But in the balance of security versus convenience, privacy, and general humanism, I think we're resting in a perfectly reasonable situation.

    You know, I'm pretty sick of people calling for more security in everything. A few weeks ago, someone stole an infant out of a hospital nursery -- walked right out the front door. Millions of people yelled that hospitals need more security -- even though it hadn't happened in this city for decades.

    I spent two weeks in the Middle East many years ago. When you see armed security guards outside every pizza parlour, it's not a warm and fuzzy feeling.

    And that's not even raising the issue of false positives.

  16. My prediction... by Spy+der+Mann · · Score: 5, Funny

    In 10 years Windows will be over. There will be native Linux versions (still proprietary binaries) of Photoshop and productivity software, but a few people will see the newborn open source alternatives and try them out. Perhaps there will be price-fixing lawsuits against free software by proprietary software makers, and, in the worst case, patent lawsuits (depending on whether software patents are abolished by then or not).

    Most people will run old versions of Windows (probably XP SP3, maybe SP4 - or perhaps Windows 7, but Vista will be another WinME) or ReactOS 1.x (it'll be too early for 2.x) in a virtualized PC running Linux. Unixphobes will run ReactOS (around 60 to 70%) or Windows (the rest) natively. Probably Microsoft will retreat from the OS business and stick with consoles or Office software, and Google will absorb the MSN messenger network.

    I really hope that the Windows^H^H^H^H^H^H^H^HReactOS and similar OSs' security model will be revamped, with sandboxed registries and directories. Passwords will be asked for installations, unless software is run by only one user.
    Botnets will be rarer (and therefore much more expensive to rent than they are now), but they'll still exist due to user stupidity ("this game needs to run with root privileges"). They'll run in Anonymous P2P nets.

    About Anonymous P2P, they'll be the norm for file sharing, but they'll be definitely banned by draconian governments - whether or not the US goes that way, is up to your imagination. Perhaps we'll see a struggle between anonymous P2P and content providers/law enforcement agencies, similar to what happened with Napster a few years ago.

    However, website security will face more or less the same problems we're facing now, due to negligence to patch existing webservers. Botnets and phishers will use infected servers to keep stealing identities, and let's not forget about inside jobs and "user account info gone missing". These will go on. Hackers will be government sponsored - to hack into other countries' machines. Buffer overflows will be the favorite vulnerability, while hacker websites will run in anonymous P2P networks.

    Let's put this post in a time capsule and see how well it fares in 2018.

  17. I said it before... by MichaelCrawford · · Score: 3, Interesting
    From I Don't Know What This New Internet Will Look Like, which began life as a Slashdot comment:

    ... but I am as confident as I am that the Sun will rise tomorrow that it will be safe from terrorists. After all, we have the children to think about.

    July 12, 2005

    Copyright © 2005 Michael David Crawford.

    This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.

    It seems that David Clark, who led the development of the Internet way back in the '70's - did you know there even was a '70's? - wants to create a whole new Internet that will fix many of the problems the current Internet is plagued with. The New Internet's engineers will be much more careful this time around to make sure it works better than the first one did.

    I'm afraid, though, that the engineers are not the only ones who will be deciding how our New Internet will work.

    If one is able to find any privacy or anonymity in this New Internet, it will be because of some undiscovered security hole, which will be quickly repaired, rather than any kind of conscious design decision. Probably one reason they are accepting proposals before rolling it out is to avoid the sort of accidental security holes that enable pr0n, peer-to-peer filesharing and left-wing political activism.

    Microsoft, a leading contributor both to this nation's technology base and to the campaign coffers of its leaders, will embrace this new technology and extend it in such a way that the development and dissemination of Open Source software will be, if not mathematically and physically impossible, at least as intractable as factoring a 2048-bit public key.

    Imagine, if you will, Trusted Computing implemented at the router level, in such a way that any packets that go farther than one hop are certified not only to support protocols whose patent licenses are fully paid-up and on file with the legal department in Redmond, but whose content is compliant with the Windows standard. The faintest wisp of a Public License, GNU or otherwise, will result in the dropping not only of the individual packet, not only in the cancellation of the entire file transmission, but, within microseconds, the reporting of the physical location of the offending server to responsible law enforcement personnel. The identities of its rogue administrators will be fetched instantly from the database maintained by the Department of Homeland Security. (You will have to submit fingerprints and DNA samples to obtain a Windows server license, as after all, Internet servers can be used to disseminate explosives r

    --
    Request your free CD of my piano music.
  18. Re:Creativity by smittyoneeach · · Score: 3, Insightful

    I think it would have been easier and cheaper
    But you don't seem to place any value on the sheer defiance of it all.
    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  19. Re:Creativity by Locklin · · Score: 2, Funny

    They can pry my Free Software from my cold, dead platters

    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
  20. Security by KinakeM · · Score: 3, Interesting

    I admire Schneier for his work over all these years. I think everyone should... it's required reading for some of us ;-P

    I think what I most agree with is Schneier's contention that security is really about people or services. And therefore, the consequences of having poorly trained and educated people are in kind, regardless of how sophisticated or brilliant the math is. (SIDE: I can't stand the mathematicians. I am a physicist. We score more e.g. Schrodinger, Einstein, Feynman... were all pimps. Newton died a virgin. Turing was gay. Godel was emaciated and his wife just had to be cheating on him.)

    What bothers me most about a security craze is the trade-offs one has to accept. Kind of like laws in physics i.e. momentum and position or energy and time. In my opinion, it looks like functionality and security are the two factors we need to juggle. But with the service-side being pushed, it's apparent how much functionality is really strained with more than just security but also competence. You all know this anytime you try to get support.

    Anyhow, just putting in my two cents. Cheap as it is. I understand that the mark of our civilization as commonly encountered is all this technology, but I am starting to get the feeling that maybe all the technological progress is so short-sighted because we just are not capable of being civilized. Therefore... we get these half-measures, "band-aids" and "patches."

    --
    All science is either physics or stamp-collecting.
  21. Re:Well by TheRaven64 · · Score: 2, Insightful

    Which is why after 40 years of computing, we're still getting hacked by buffer overflows.

    Are we? OpenBSD has had stack-smashing protection for several years, and I believe Vista has something similar. That means you only have buffer overflows on the heap to worry about, and W^X gets rid of most of them...
    --
    I am TheRaven on Soylent News
  22. Re:But information wants to be free! by nuzak · · Score: 2, Insightful

    I'm pretty sure he didn't say "lose both", let alone "loose both." (Ben Franklin was literate, for starters)

    --
    Done with slashdot, done with nerds, getting a life.
  23. Re:Creativity by Sique · · Score: 4, Insightful

    First of all: DRM is some sort of lock.
    Second: Reverse engineering keys is as old as creating locks.
    Third: Having a librarian in a monastery's library was also some kind of DRM. He was the arbiter who decided (sometimes after consulting with the abbot) which monk was entitled to which book, and when he had to return it.

    --
    .sig: Sique *sigh*
  24. Other resource costs in 10 years... by my_left_nut · · Score: 2, Interesting

    may make this issue moot.

    Or perhaps at least turn some of us now law-abiding citizens into "criminals" (and some to "cyber-criminals") as things get more desperate and people can't make ends meet. Or, more often, see whatever dreams they may have entertained vanish in a puff of greasy black smoke.

    Take one crucial resource, gasoline, for example:

    http://www.oregon.gov/ODOT/CS/FS/gas_prices.shtml

    Taking the average of the 1997, and the average of the 2007 values Jan-Aug of both years, at least in Oregon:

    Cheap gas is now 2.19 times the average 1997 value.
    Mid is now 2.15 times the 1997 value.
    Premium is now 2.07 times the 1997 value.

    Has your salary doubled? Is your money worth more than it was then for real things like food, housing, and transportation? Do you think it will double again?

    If the existing trend continues by 2017, (and we are making the assumption that there will still be low, medium, and high grades) gasoline will for that year be at or around:

    $2.85 x 2.19 = $6.23/Gal
    $3.00 x 2.15 = $6.44/Gal
    $3.08 x 2.07 = $6.40/Gal

    And there's every indication that the rate of price change will probably increase - which means we're probably looking at $7.00 to $7.50/gallon rates here in the US by then.

    Now, before you Europeans say, "we already pay like $8/gal, so what" - you have to understand that we here in America use our cars a whole lot more, since most of the public transport - like trains was dismantled in the 1950s, in favor of interstates. You guys may pay more, but you also don't depend on automobiles as much as we do.

    And that's just one crucial resource - namely gasoline.

    So, what's this have *directly* to do with computer security? Well, not a whole helluva lot, aside from the fact that you don't know what other things will cause people to want to cheat, steal, lie, etc. As these resources get scarcer and more expensive, I think the propensity of a people who were formerly in the entitlement mode of "we can get something for nothing" are soon going to find out that isn't the case, and when they do, they're gonna want to get what they used to have, or thought they used to have at some point - either by breaking and entering, or via identity theft, etc.

    I think you're always going to have the mischief-style, bored script kiddie type cyber-criminal. But I think you're gonna see an increase in the other, desperate kind due to these impending cheap-resource-scarcity issues.

    The way to cut out much crime related to this, and hence make things more secure, is for local governments to come together to ensure that people have the resources to make a decent living, can afford the basics, and at least have an illusion that they can put money away for a future where it will be worth something. That is, create conditions non-conducive to the "demand" side of that sort of crime, cyber or otherwise.

  25. Obvious isn't it? by Anonymous Coward · · Score: 3, Insightful
    As a security professional, I've noticed this for a long time. I've worked on IDS, vulnerability scanning and NAC products as a software engineer. There are a couple of truths that still permeate the industry. 1) Engineering at large doesn't want to change. We have as rich a development ecosystem as ever and it seems that just about everybody is aware that security is a problem, but there are still a lot of really buggy C programs being written. There is also a somewhat macho attitude in some circles of geekdom that if you cannot write safe code and manage your own memory and pointers then you're a shitty engineer, which in turn reinforces the idea in some minds that they should continue to use C for problems which are just as solvable in something else; nobody wants to think of themselves as a shitty engineer... Simple fact is, some platforms like Java make entire classes of exploits go away. They require more resources, but the performance is very compelling. They are vulnerable to design flaws and architecture flaws, and very seldom they will still have buffer overflows and stack smashes, but it is multiple orders of magnitude less frequent than typical C and C++ applications. This isn't simply a C problem, it's just a very easy target.

    2) Businesses by and large don't want to change or don't know how to change. Security isn't a title or job or position, or even a department; it's a matter of policy, and every member of the enterprise takes part in some way. If you don't solve that problem, you'll never solve the larger problem, certainly not with point solutions that scan email or network traffic or logs looking for "insecurity" and vulnerability and attacks. The single biggest step any organization can take to improving security is to write a concise policy, educate every single employee and maintain some accountability. You can't simply buy something and get "security." It requires changes in habits, changes in attitudes, and education. I think this is very hard; so many businesses have become so lazy that their work forces kind of look at policies and scoff, and it takes a lot of strong leadership to change that kind of culture. It also crosses technological lines as well as physical: you lock your car doors, right? You lock your house when you leave, right? Do you lock your desk or office door at work when you leave? Places are willing to pay Cintas to shred documents and Iron Mountain to store documents, but they don't take that policy to their working rank and file. Developing a culture of security will do far more than any product you can buy on the market. Do employees know what to do with intellectual property? Do they even know what the company's intellectual property is?

    3) The "security industry" has largely been a money grab. After 9/11, the US Federal government published some figures about federal security spending, and basically it was going to grow exponentially over the first 10 to 15 years of this century. Hundreds or maybe even thousands of companies were formed to try and exploit that. What is totally amazing to me is how few of them are actually about really increasing security; these are all for-profit businesses. What's more amazing is how stupid the consumers are that bandwagon them and go along with the feature plays. Take NAC for example: basically the idea is to authenticate devices or users as they enter a network and possibly restrict their access based upon some policy. The policy can be anything; it could be permissions set in a RADIUS or LDAP database, it could be based upon the results of some sort of scanning system, it could be based upon time of day. Rather than pushing the auth component or the policy aspect, all these jackasses are concerned with scanning the end point device for anti-virus software or whatever. It strikes a chord with certain IT types; they think "oh yes, I need to scan the devices on my network before they enter the network, that will make everything better," but there isn't a correlation between that and

  26. Fun but useless by pokerdad · · Score: 2, Insightful

    Trying to guess where security will be in 10 years may be fun, but useless.

    Just think back to 1997 and imagine how impossible it would have been to predict where things would be today. In 1997 state of the art was Windows 95. In 1997 people were more worried about getting a virus from a floppy than over their network. In 1997 the word phishing didn't exist. In 1997, there had never been a virus that had been the top news story of the day. In 1997 most homes didn't have an internet connection, most businesses didn't have an internet connection, and the businesses that did would rarely have every desktop in the company able to go online. In 1997 many forms of active content that are now part of darn near every web page didn't exist. (I could go on, but you get the point.)

  27. Software Stalinism! by MCTFB · · Score: 4, Insightful

    Those two words jumped right out at me from the page. Seriously, I don't think I have seen a more succinct and accurate way to describe Microsoft's "Trustworthy Computing Initiative" than "Software Stalinism".

    The ironic thing is that by centralizing all of your data and services, you make your network more vulnerable to denial of service attacks and more vulnerable to sabotage because all of the data is managed by one entity. Even if you have a very sophisticated backup system, those backup systems are vulnerable as well to sabotage.

    ARPANet was designed in such a way that if a bunch of nodes were taken down through sabotage, accident, military strike or whatever, the network as a whole would still be functional. Unfortunately, the trends are toward turning the brilliant P2P design of the internet into a giganto-sized version of a corporate network where everything is centralized and controlled.

    Client/Server networks are great for a lot of things, but they are inherently vulnerable to all the pitfalls of centralized command and control systems as they scale. Just like communism works fine and dandy for very small groups of people (like primitive hunter/gatherer tribes), communism starts to have big problems once it tries to scale to larger and larger sizes. Capitalism does not work at all on a very small scale because you need a critical mass of people to establish a fair market value for goods and services; however, capitalism does shine as the size of the markets increases.

    In other words, you can compare Client/Server networks to Communism and P2P networks to Capitalism if you think of people as nodes on a network whose value on that network is determined dynamically and democratically just as money is a democratic tool to vote for the value of a good or service as opposed to having their value on the network determined statically and autocratically in the way command and control economies impose price controls and central planning with regard to goods and services.

    The direction Microsoft and unfortunately much of the software world seems to be going with this "software as a service" and the centralized authentication schemes that support "software as a service" is, I feel, a huge disaster waiting to happen. If I were a terrorist or an agent of a foreign nation and I wanted to take down the economy of the United States overnight, I would prefer to be dealing with a command and control computing monoculture than one that is fragmented, redundant, and diverse.

    It is both sad and alarming that many Americans reflexively feel that the way to have better security is to centralize computing operations rather than spread computing operations to as many interconnected nodes as possible.

  28. Re:But information wants to be free! by Macgrrl · · Score: 2, Informative

    Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. - Benjamin Franklin, An Historical Review of the Constitution and Government of Pennsylvania. (1759) [source: http://en.wikiquote.org/wiki/Benjamin_Franklin]

    --
    Sara
    Designer, Gamer, Macgrrl in an XP World
  29. Re:Creativity by Sique · · Score: 2, Informative

    That's where my Third comes in: Reading something without the librarian condoning it was a crime in medieval monasteries. You were still allowed to carry it around. And you had to keep it secret that you were able to read in certain circumstances.

    --
    .sig: Sique *sigh*