Slashdot Mirror
Security in Ten Years
Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc. looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."
Software Freedom is never mentioned. Instead the authors depressingly assume a complete triumph of ISPs and software owners. No wonder their outlook for "security" is so bleak. Real security comes from freedom. Every step away from freedom hands someone else a tool to hurt you. Their future is too bad to let happen and it won't because it will be too expensive.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
10 years? I remember my uncle trying to stay one step ahead of the cable companies back in the early 80's, ordering black box descramblers out of the back of Rolling Stone magazine, only to have the cable company then scramble the "newly" descrambled signal, and he'd have to find the new upgrade.
In the end, I think it would have been easier and cheaper to just subscribe to the damn cable, but that's not the point.
When I think of the history of hacking, of course there's the homebrew club, and it's ilk, and all the phreakers, etc. Are there other groups that predate computers? I'm imagining a group of people like HG Wells and his friends in The Time Machine...sort of steampunk hackers, or something...
A leap in security technology will take a requisite leap in human intelligence. IDS systems do a couple of things well. Routers do a couple of things well. Antivirus software does a couple of things well. Nobody has put them all together in an intelligent way, nor have they replaced them with an intelligent alternative. Remember that any computer system is as dumb (read useless) as the dumbest asshat human operating it. (place old adage here) When you build an idiot proof system, the idiots only get smarter.
And I quote TFA I'd like to officially modify my position somewhat: I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace -- and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies? Not to be all pessimistic on the great new security shock and awe campaign, but it will only work when we can get universal agreement from all humans (and possible non-humans) to not mess with it or obstruct its operation in any way. (queue other bad science fiction films here) Uhmmm, yeah, that's going to happen. Tell me again, when will the last Win95 system be decommissioned?
total security... no
really good security... possibly
good enough security... probably
thought it was good security... most likely
Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.
Support NYCountryLawyer RIAA vs People
The point isn't what a few elites can do, it's what regular people can do. That's the benefit of technology, because it's what drives social change. (Incidentally, I think it's what a lot of geeks don't "get" sometimes.) History books will write about the Internet as a 1990s phenomenon, even though it existed long before, because only in the 1990s could most people use it. And it was only when lots of people started using it that it started to have effects that could be felt everywhere; that's when it started to change everything.
Dismissive hand-waving about hackers misses the point: when you limit the number of people who can effectively use a technology to a small number of hackers or hobbyists, you hobble the technology and you sharply reduce the effect that it could have had.
It's a pernicious problem because it's difficult to quantify the loss due to technology that the masses either never get, or never get in a form that's useful to them. How do you quantify the social benefits of a CableCard or DVR standard that doesn't suck royally? (The ability for everyone to do what I can do on a MythTV box: pause a program on one TV, walk away, and resume it from another one in a different part of the house an hour later?) It's not something that's easy to measure, but there's obviously some benefit there, even if it's not exactly a cure for cancer. Every time a company locks a product up and makes it difficult for a user to really take full advantage of its capabilities, we all lose a little. Or rather, we just fail to get something that we could have.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.
That's not to say that security is perfect. But in the balance of security versus convenience, privacy, and general humanism, I think we're resting in a perfectly reasonable situation.
You know, I'm pretty sick of people calling for more security in everything. A few weeks ago, someone stole an infant out of a hospital nursery -- walked right out the front door. Millions of people yelled that hospitals need more security -- even though it hadn't happened in this city for decades.
I spent two weeks in the middle-east many years ago. When you see armed security guards outside every pizza parlour, it's not a warm and fuzzy feeling.
And that's not even raising the issue of false positives.
In 10 years Windows will be over. There will be native Linux versions (still proprietary binaries) of Photoshop and productivity software, but a few people will see the newborn open source alternatives and try them out. Perhaps there will be price-fixing lawsuits against free software by proprietary software makers, and, in the worst case, patent lawsuits (depending on whether software patents are abolished by then or not).
Most people will run old versions of Windows (probably XP SP3, maybe SP4 - or perhaps Windows 7, but Vista will be another WinME) or ReactOS 1.x (it'll be too early for 2.x) in a virtualized PC running Linux. Unixphobes will run ReactOS (around 60 to 70%) or Windows (the rest) natively. Probably Microsoft will retreat from the OS business and stick with consoles or Office software, and Google will absorb the MSN messenger network.
I really hope that the Windows^H^H^H^H^H^H^H^HReactOS and similar OSs' security model will be revamped, with sandboxed registries and directories. Passwords will be asked for installations, unless software is ran by only one user.
Botnets will be rarer (and therefore much more expensive to rent than they are now), but they'll still exist due to user stupidity ("this game needs to run with root privileges"). They'll run in Anonymous P2P nets.
About Anonymous P2P, they'll be the norm for file sharing, but they'll be definitely banned by draconian governments - whether or not the US goes that way, is up to your imagination. Perhaps we'll see a struggle between anonymous P2P and content providers/law enforcement agencies, similar to what happened with Napster a few years ago.
However, website security will face more or less the same problems we're facing now, due to negligence to patch existing webservers. Botnets and phishers will use infected servers to keep stealing identities, and let's not forget about inside jobs and "user account info gone missing". These will go on. Hackers will be government sponsored - to hack into other countries' machines. Buffer overflows will be the favorite vulnerability, while hacker websites will run in anonymous P2P networks.
Let's put this post in a time capsule and see how well it fares in 2018.
First of all: DRM is some sort of lock.
Second: Reverse engineering keys is as old as creating locks.
Third: Having a librarian in a monastry's library was also some kind of DRM. He was the arbiter who decided (sometimes after consulting with the abbot) which monk was entitled to which book, and when he had to return it.
Those two words, jumped right out at me from the page. Seriously, I don't think there I have seen a more succinct and accurate way to describe Microsoft's "Trustworthy Computing Initiative", than "Software Stalinism".
The ironic thing is that by centralizing all of your data and services, you make your network more vulnerable to denial of service attacks and more vulnerable to sabotage because all of the data is managed by one entity. Even if you have a very sophisticated backup system, those backup systems are vulnerable as well to sabotage.
ARPANet was designed in such a way that if a bunch of nodes were taken down through sabotage, accident, military strike or whatever, the network as a whole would still be functional. Unfortunately, the trends are toward turning the brilliant P2P design of the internet into a giganto sized version of a corporate network where everything is centralized and controlled.
Client/Server networks are great for a lot of things, but they are inherently vulnerable to all the pitfalls of centralized command and control systems as they scale. Just like communism works fine and dandy for very small groups of people (like primitive hunter/gatherer tribes), communism starts to have big problems once it tries to scale to larger and larger sizes. Capitalism does not work at all on a very small scale because you need a critical mass of people to establish a fair market value for goods and services, however, capitalism does shine as the size of the markets increase in size.
In other words, you can compare Client/Server networks to Communism and P2P networks to Capitalism if you think of people as nodes on a network whose value on that network is determined dynamically and democratically just as money is a democratic tool to vote for the value of a good or service as opposed to having their value on the network determined statically and autocratically in the way command and control economies impose price controls and central planning with regard to goods and services.
The direction Microsoft and unfortunately much of the software world seems to be going with this "software as a service" and the centralized authentication schemes that support "software as a service" I feel is a huge disaster waiting to happen. If I was a terrorist or an agent of a foreign nation and I wanted to take down the economy of the United States overnight, I would prefer to be be dealing with a command and control computing monoculture than one that is fragmented, redundant, and diverse.
It is both sad and alarming that many Americans reflexively feel that the way to have better security is to centralize computing operations rather than spread computing operations to as many interconnected nodes as possible.