Slashdot Mirror
Security in Ten Years
Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc. looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."
Software Freedom is never mentioned. Instead the authors depressingly assume a complete triumph of ISPs and software owners. No wonder their outlook for "security" is so bleak. Real security comes from freedom. Every step away from freedom hands someone else a tool to hurt you. Their future is too bad to let happen and it won't because it will be too expensive.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
We will have become used to having a small number of portals that provide the vast majority of the data we will be allowed to access (for a fee, of course) and security will have become the problem of these portals.
Users simply won't have much incentive to surf freely from site to site as there will be so little free data available. Therefore the sort of security issues we have today will have gone away. The problem in the future will be for providers (that's you amd me bloggers and other website owners) to prove to the portals that they are clean and meet the standards of the day.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
10 years? I remember my uncle trying to stay one step ahead of the cable companies back in the early 80's, ordering black box descramblers out of the back of Rolling Stone magazine, only to have the cable company then scramble the "newly" descrambled signal, and he'd have to find the new upgrade.
In the end, I think it would have been easier and cheaper to just subscribe to the damn cable, but that's not the point.
When I think of the history of hacking, of course there's the homebrew club, and it's ilk, and all the phreakers, etc. Are there other groups that predate computers? I'm imagining a group of people like HG Wells and his friends in The Time Machine...sort of steampunk hackers, or something...
Without a change in attitude, both on the developer side and on the customer side, the problems will remain the same. I do not see that attitude change happening.
Well worth the read.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
A leap in security technology will take a requisite leap in human intelligence. IDS systems do a couple of things well. Routers do a couple of things well. Antivirus software does a couple of things well. Nobody has put them all together in an intelligent way, nor have they replaced them with an intelligent alternative. Remember that any computer system is as dumb (read useless) as the dumbest asshat human operating it. (place old adage here) When you build an idiot proof system, the idiots only get smarter.
And I quote TFA I'd like to officially modify my position somewhat: I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace -- and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies? Not to be all pessimistic on the great new security shock and awe campaign, but it will only work when we can get universal agreement from all humans (and possible non-humans) to not mess with it or obstruct its operation in any way. (queue other bad science fiction films here) Uhmmm, yeah, that's going to happen. Tell me again, when will the last Win95 system be decommissioned?
total security... no
really good security... possibly
good enough security... probably
thought it was good security... most likely
Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.
Support NYCountryLawyer RIAA vs People
Just a thought that crossed my mind the other day (actually after watching "Idiocracy" on TV).
By making our products ad foolproof as we can aren't we inviting fools to use them? And, by doing so, aren't we removing an evolutionary pressure that prevented really dumb people from being socially functional?
Are we making stupidity _less_ painful?
http://www.dieblinkenlights.com
The point isn't what a few elites can do, it's what regular people can do. That's the benefit of technology, because it's what drives social change. (Incidentally, I think it's what a lot of geeks don't "get" sometimes.) History books will write about the Internet as a 1990s phenomenon, even though it existed long before, because only in the 1990s could most people use it. And it was only when lots of people started using it that it started to have effects that could be felt everywhere; that's when it started to change everything.
Dismissive hand-waving about hackers misses the point: when you limit the number of people who can effectively use a technology to a small number of hackers or hobbyists, you hobble the technology and you sharply reduce the effect that it could have had.
It's a pernicious problem because it's difficult to quantify the loss due to technology that the masses either never get, or never get in a form that's useful to them. How do you quantify the social benefits of a CableCard or DVR standard that doesn't suck royally? (The ability for everyone to do what I can do on a MythTV box: pause a program on one TV, walk away, and resume it from another one in a different part of the house an hour later?) It's not something that's easy to measure, but there's obviously some benefit there, even if it's not exactly a cure for cancer. Every time a company locks a product up and makes it difficult for a user to really take full advantage of its capabilities, we all lose a little. Or rather, we just fail to get something that we could have.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.
That's not to say that security is perfect. But in the balance of security versus convenience, privacy, and general humanism, I think we're resting in a perfectly reasonable situation.
You know, I'm pretty sick of people calling for more security in everything. A few weeks ago, someone stole an infant out of a hospital nursery -- walked right out the front door. Millions of people yelled that hospitals need more security -- even though it hadn't happened in this city for decades.
I spent two weeks in the middle-east many years ago. When you see armed security guards outside every pizza parlour, it's not a warm and fuzzy feeling.
And that's not even raising the issue of false positives.
In 10 years Windows will be over. There will be native Linux versions (still proprietary binaries) of Photoshop and productivity software, but a few people will see the newborn open source alternatives and try them out. Perhaps there will be price-fixing lawsuits against free software by proprietary software makers, and, in the worst case, patent lawsuits (depending on whether software patents are abolished by then or not).
Most people will run old versions of Windows (probably XP SP3, maybe SP4 - or perhaps Windows 7, but Vista will be another WinME) or ReactOS 1.x (it'll be too early for 2.x) in a virtualized PC running Linux. Unixphobes will run ReactOS (around 60 to 70%) or Windows (the rest) natively. Probably Microsoft will retreat from the OS business and stick with consoles or Office software, and Google will absorb the MSN messenger network.
I really hope that the Windows^H^H^H^H^H^H^H^HReactOS and similar OSs' security model will be revamped, with sandboxed registries and directories. Passwords will be asked for installations, unless software is ran by only one user.
Botnets will be rarer (and therefore much more expensive to rent than they are now), but they'll still exist due to user stupidity ("this game needs to run with root privileges"). They'll run in Anonymous P2P nets.
About Anonymous P2P, they'll be the norm for file sharing, but they'll be definitely banned by draconian governments - whether or not the US goes that way, is up to your imagination. Perhaps we'll see a struggle between anonymous P2P and content providers/law enforcement agencies, similar to what happened with Napster a few years ago.
However, website security will face more or less the same problems we're facing now, due to negligence to patch existing webservers. Botnets and phishers will use infected servers to keep stealing identities, and let's not forget about inside jobs and "user account info gone missing". These will go on. Hackers will be government sponsored - to hack into other countries' machines. Buffer overflows will be the favorite vulnerability, while hacker websites will run in anonymous P2P networks.
Let's put this post in a time capsule and see how well it fares in 2018.
... but I am as confident as I am that the Sun will rise tomorrow that it will be safe from terrorists. After all, we have the children to think about.
July 12, 2005
Copyright © 2005 Michael David Crawford.
This work is licensed under a Creative Commons Attribution-NoDerivs 2.5 License.
If one is able to find any privacy or anonymity in this New Internet, it will be because of some undiscovered security hole, which will be quickly repaired, rather than any kind of conscious design decision. Probably one reason they are accepting proposals before rolling it out is to avoid the sort of accidental security holes that enable pr0n, peer-to-peer filesharing and left-wing political activism.
Microsoft, a leading contributor both to this nation's technology base and to the campaign coffers of its leaders, will embrace this new technology and extend it in such a way that the development and dissemination of Open Source software will be, if not mathematically and physically impossible, at least as intractible as factoring a 2048-bit public key.
Imagine, if you will, Trusted Computing implemented at the router level, in such a way that any packets that go farther than one hop are certified not only to support protocols whose patent licenses are fully paid-up and on file with the legal department in Redmond, but whose content is compliant with the Windows standard. The faintest whisp of a Public License, GNU or otherwise, will result in the dropping not only of the individual packet, not only in the cancellation of the entire file transmission, but, within microseconds, the reporting of the physical location of the offending server to responsible law enforcement personnel. The identities of its rogue administrators will be fetched instantly from the database maintained by the Department of Homeland Security. (You will have to submit fingerprints and DNA samples to obtain a Windows server license, as after all, Internet servers can be used to disseminate explosives r
Request your free CD of my piano music.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
I admire Schneier for his work over all these years. I think everyone should... it's required reading for some of us ;-P
I think what I most agree with is Schneier's contention that security is really about people or services. And therefore, the consequences of having poorly trained and educated people is in kind; regardless of how sophisticated or brilliant the math is. (SIDE: I cant stand the mathematicians. I am a physicist. We score more e.g. Schrodinger, Einstein, Feynman... were all pimps. Newton died a virgin. Turing was gay. Godel was emaciated and his wife just had to be cheating on him.)
What bothers me most about a security craze is the trade-offs one has to accept. Kind of like laws in physics i.e. momentum and position or energy and time. In my opinion, it looks like functionality and security are the two factors we need to juggle. But with the service-side being pushed, it's apparent how much functionality is really strained with more than just security but also competence. You all know this anytime you try to get support.
Anyhow, just putting in my two cents. Cheap as it is. I understand that the mark of our civilization as commonly encountered is all this technology, but I am starting to get the feeling that maybe all the technological progress is so short-sighted because we just are not capable of being civilized. Therefore... we get these half-measures, "band-aids" and "patches."
All science is either physics or stamp-collecting.
First of all: DRM is some sort of lock.
Second: Reverse engineering keys is as old as creating locks.
Third: Having a librarian in a monastry's library was also some kind of DRM. He was the arbiter who decided (sometimes after consulting with the abbot) which monk was entitled to which book, and when he had to return it.
2) Businesses by and large don't want to change or don't know how to change. Security isn't a title or job or position, or even a department, it's a matter of policy and every member of the enterprise takes part in some way. If you don't solve that problem, you'll never solve the larger problem, certainly not with point solutions that scan email or network traffice or logs looking for "insecurity" and vulnerability and attacks. The single biggest step any organization can take to improving security is to write a concise policy and educate every single employee and maintain some accountabilty. You can't simply buy something and get "security." It requires changes in habbits, changes in attitudes, and education. I think this is very hard, so many businesses have become so lazy that their work forces kind of look at policies and scoff, it takes a lot of strong leadership to change that kind of culture. It also crosses technological lines as well as physical, you lock your car doors right? You lock your house when you leave right? Do you lock your desk or office door at work when you leave? Places are willing to pay cintas to shred documents and iron mountain to store documents but they don't take that policy to their working rank and file. Developing a culture of security will do far more than any product you can buy on the market. Do employees know what to do with intellectual property? Do they even know what the company's intellectual property is?
3) The "security industry" has largely been a money grab. After 9/11, the US Federal governement published some figures about federal security spending and basically it was going to grow exponentially over the first 10 to 15 years of this century. Hundreds or maybe even thousands of companies were formed to try and exploit that. What is totally amazing to me is how few of them are actually about really increasing security, these are all for profit businesses. What's more amazing, is how stupid the consumers are that bandwagon them and go along with the feature plays. Take NAC for example, basically the idea to to authenticate devices or users as they enter a network and possibly restrict their access based upon some policy. The policy can be anything, it could be permissions set in a RADIUS or LDAP database, it could be based upon the results of some sort of scanning system, it could be based upon time of day. Rather than pushing the auth component or the policy aspect all these jackasses are concerned with scanning the end point device for anti-virus software or whatever. It strikes a chord with certain IT types, they think "oh yes, I need to scan the devices on my network before they enter the network, that will make everything better" but there isn't a correllation between that and
Those two words, jumped right out at me from the page. Seriously, I don't think there I have seen a more succinct and accurate way to describe Microsoft's "Trustworthy Computing Initiative", than "Software Stalinism".
The ironic thing is that by centralizing all of your data and services, you make your network more vulnerable to denial of service attacks and more vulnerable to sabotage because all of the data is managed by one entity. Even if you have a very sophisticated backup system, those backup systems are vulnerable as well to sabotage.
ARPANet was designed in such a way that if a bunch of nodes were taken down through sabotage, accident, military strike or whatever, the network as a whole would still be functional. Unfortunately, the trends are toward turning the brilliant P2P design of the internet into a giganto sized version of a corporate network where everything is centralized and controlled.
Client/Server networks are great for a lot of things, but they are inherently vulnerable to all the pitfalls of centralized command and control systems as they scale. Just like communism works fine and dandy for very small groups of people (like primitive hunter/gatherer tribes), communism starts to have big problems once it tries to scale to larger and larger sizes. Capitalism does not work at all on a very small scale because you need a critical mass of people to establish a fair market value for goods and services, however, capitalism does shine as the size of the markets increase in size.
In other words, you can compare Client/Server networks to Communism and P2P networks to Capitalism if you think of people as nodes on a network whose value on that network is determined dynamically and democratically just as money is a democratic tool to vote for the value of a good or service as opposed to having their value on the network determined statically and autocratically in the way command and control economies impose price controls and central planning with regard to goods and services.
The direction Microsoft and unfortunately much of the software world seems to be going with this "software as a service" and the centralized authentication schemes that support "software as a service" I feel is a huge disaster waiting to happen. If I was a terrorist or an agent of a foreign nation and I wanted to take down the economy of the United States overnight, I would prefer to be be dealing with a command and control computing monoculture than one that is fragmented, redundant, and diverse.
It is both sad and alarming that many Americans reflexively feel that the way to have better security is to centralize computing operations rather than spread computing operations to as many interconnected nodes as possible.