Spaf's Crystal Ball: Network Security Predictions

remora writes "Eugene Spafford (of CERIAS, and co-author of "Practical Unix Security") has written an article for Information Security Magazine with eight of his predictions for the coming years in network security. He touches on subjects ranging from "Spam will grow as a problem" (obviously) to "Greater emphasis on international cooperation and communication." Some of the article is fairly predictable, but it is still interesting to hear from one of the more experienced security people out there."
  • or someone else finds this article kind of predictable. I thought I'd see some insightful discussion from such a leading person in the field.
  • by Anonymous Coward on Thursday November 14, 2002 @07:20AM (#4667237)
    it's ruining the whole concept of email. As soon as I set up an email address, boom, hundreds of spams. They find ways of sending it to you no matter what you do, unless you block all incoming email except from certain addresses, which defeats the point of email in the first place. How are we meant to give an email address to children when they're going to be bombarded with "See horny naked amateurs live NOW!" half a dozen times per day.
    If someone was dumping 100 pornographic adverts into your house's mail box each day, or DOSing your website, they can at least get in trouble. But with spam, nothing really is done to stop them, and they just keep on doing it. Convictions are rare and don't dissuade them any more than a parking ticket. It needs to be recognised that spam is doing a heck of a lot to undermine the evolution of the internet.
    • by Chanc_Gorkon ( 94133 ) <gorkon.gmail@com> on Thursday November 14, 2002 @07:53AM (#4667344)
      Um....I don't hardly get any on my home one. You know why? I DON'T USE IT ON PUBLIC WEBSITES!! I also don't plaster it all over my web page. I only give it to sites and people I implicitly trust. My S/N ratio is rather low. Now anytime I want to make an entry onto a public website, I use my hotmail account. Hotmail, Yahoo, AOL and other major ISPs are hardest hit because they are so large that there is almost one address for every thinkable name (except for really weird ones). So, the spammer knows there will probably be a jsmith@aol.com.

      Now in contrast, I checked my work mail this morning and it was about 90 percent spam. Why? Someone high up in the college thought it would be a good idea to put our whole college's e-mail directory online. Their defense of the idea was we are a public school and must make everything except the stuff covered by FERPA public. I guess our e-mail and snail mail addresses aren't covered there. Anyway, I tried to tell them within a month our whole directory would have been crawled by a spammer and I was right. Everyone's getting high levels of spam. I even get stuff that could be targeted at students even though they have an entirely different domain and everything for their student issued e-mail accounts. Funny thing was they asked our mail server admin to help set this up! (well, he could have been TOLD to do it too)
      • Er, this morning and covered by FERPA. I should know better than posting before I have had my first cuppa joe!

        People get spam because they aren't careful who they give their address out to. It's as simple as that!
      • Your use of some sort of RBLs (Realtime Blackhole Lists) is required then..

        We suffered a lot from spam where I work, but since I have installed qmail and rblsmtpd, plus set up local blacklists and whitelists (banning large chunks of the Korean network space seems to work wonders) our levels of spam have dropped dramatically. And this is even with morons who still give out their company email address on every single website they can find.
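The rblsmtpd-style check described in the comment above, as an added example written for this thread rather than code from qmail, rblsmtpd or any real DNSBL: the sender's IPv4 address is reversed octet by octet, the list's zone is appended, and a DNS A lookup that answers inside 127.0.0.0/8 means "listed". The zone name `dnsbl.example`, the addresses and the `fake_resolve` lookup table are all constructed so the example runs offline; a real deployment would replace `fake_resolve` with an actual DNS query. The local whitelist is checked before the local blacklist and the DNSBL, so a trusted peer is never bounced by a stale or over-broad list entry, and a non-127/8 answer (what a dead or parked list zone can return for every query) is deliberately not treated as a listing.

```python
import ipaddress

# Constructed stand-in for a DNS resolver: maps a DNSBL query name to the A
# records a list would return. Zone, addresses and answers are invented.
FAKE_DNS = {
    "4.100.51.198.dnsbl.example": ["127.0.0.2"],   # 198.51.100.4 is listed
    "9.100.51.198.dnsbl.example": ["127.0.0.4"],   # 198.51.100.9 is listed
    "1.1.0.10.dnsbl.example": ["10.1.2.3"],        # bogus answer outside 127/8
}


def fake_resolve(name):
    """Return the A records for name, or [] for NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name, [])


def dnsbl_query_name(ip, zone):
    """Build the lookup name the way RBL checkers do:
    198.51.100.4 against dnsbl.example -> 4.100.51.198.dnsbl.example"""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_sender(ip, zone, resolve=fake_resolve, whitelist=(), blacklist=()):
    """Decide whether to accept an SMTP connection from ip.

    Order: local whitelist, then local blacklist (CIDR ranges the admin chose
    to ban), then the DNSBL. Returns (decision, reason).
    """
    addr = ipaddress.IPv4Address(ip)
    for net in whitelist:
        if addr in ipaddress.IPv4Network(net):
            return "accept", f"local whitelist {net}"
    for net in blacklist:
        if addr in ipaddress.IPv4Network(net):
            return "reject", f"local blacklist {net}"
    answers = resolve(dnsbl_query_name(ip, zone))
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    listed = [a for a in answers if ipaddress.IPv4Address(a) in loopback]
    if listed:
        return "reject", f"listed in {zone} ({', '.join(listed)})"
    if answers:
        # A zone answering with a public address for every query would block
        # all mail if taken as a listing; log it and fall through instead.
        return "accept", f"ignoring non-127/8 answer from {zone}: {answers}"
    return "accept", "not listed"


if __name__ == "__main__":
    for ip in ["198.51.100.4", "198.51.100.9", "10.0.1.1", "192.0.2.10", "203.0.113.5"]:
        print(ip, check_sender(ip, "dnsbl.example",
                               whitelist=["203.0.113.0/24"],
                               blacklist=["192.0.2.0/24"]))
```

The return codes inside 127/8 carry list-specific meaning (which sub-list hit), so a production checker would map them per zone rather than collapsing them as this one does.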
    • I agree with you. One comment I liked is the bit about international cooperation. I receive a lot of international spam (from the US). Now I can't call them up and tell them to shut up in the US or for that matter cause any real annoyance to them except for SpamAssassin [spamassasin.org]!
      This problem will grow unless govt takes more interest in internet and stricter anti-spam laws are there. But the case is that with more govt interference come more evils. The only option is offence, like finding their home numbers and ringing them up at 2am to tell them if they want to buy so and so cream... Mahatma Gandhi once said
      "An eye for an eye will make the world blind"
      But I guess that seems a better option than my ISP bills.
  • by Ratface ( 21117 ) on Thursday November 14, 2002 @07:20AM (#4667239) Homepage Journal
    While most of "Spaf's" comments seem fairly self evident, I liked this point regarding add-on security products:

    "Expect to see several established products fail or be withdrawn because they are too invasive, have unfriendly interfaces, or are found to be considerably less effective than claimed."

    This kinda makes me think of the effect that ZoneAlarm has had on the personal firewall market for instance. 3 years ago, firewall technology was clunky and strictly for the network administrator. Nowadays anyone can have a simple to configure basic level of protection thanks to a product that broke the paradigm and set a new standard for ease of use. Of course, the really security conscious out there still have their infinitely configurable command-line tools, but at the same time, my dad (for instance) can feel comfortable with a product that he can understand.

    • by wheany ( 460585 )
      but at the same time, my dad (for instance) can feel comfortable with a product that he can understand.
      When you combine a personal firewall and an inexperienced user, one of two things will happen, judging from newsgroups:

      a) "My machine is completely invulnerable, I have a personal firewall!"
      b) The firewall says: "AIEEEEE!!! A dangerous hacking attempt is in progress", and the user panics, because someone pinged his machine.
      • by Ratface ( 21117 ) on Thursday November 14, 2002 @07:48AM (#4667333) Homepage Journal
        True, but I only need to explain to him once or twice that

        a) Still be careful with information you give out/files that you open ... and ...
        b) Turn off automatic notification.

        It's definitely better than no protection or completely mis-configured protection because the user interface is designed for systems administrators.

        Hence the whole point of Zone Alarm as a paradigm-buster.
        • Actually I think the broadband personal security market is better served by dedicated hardware appliances than software. Even my non-technical father was able to set up his Linksys router without my assistance. With DHCP on both the public and private nets, it was literally plug-and-play. This level of simplicity is what the non-technical masses need. Even zone alarm isn't this simple, and as was noted previously, often results in people getting themselves worked up into a frenzy every time somebody port-scans them.
  • Fads and Flash (Score:5, Insightful)

    by osullish ( 586626 ) <osullish AT gmail DOT com> on Thursday November 14, 2002 @07:22AM (#4667250)
    I totally agree with the author that consumers are always looking to new technology, instead of making the existing technology more secure.

    What's the use in enabling data streaming over Bluetooth when we can't safely send files over LANs and existing technology?

    Oh and I really think the advent of Wireless Networks and 3G Systems will open up a whole new Can of Worms in terms of security - We can Already intercept calls over GSM systems, now we're looking to send huge chunks of data via the same systems!

    Someone is gonna get burnt...

    • We can Already intercept calls over GSM systems

      We can intercept them, yes. But can we do anything with the intercepted data? I don't think so because it is encrypted (granted, a small key) but that's good enough to kill off the amateur eavesdroppers. It's not like the analog crap of 10 years ago, that anyone with a scanner could listen to.

      • An attack on GSM encryption has been described (seems to be offline at the moment) that requires a few days' surveillance of the target and a lot of processing afterwards. So the security services can do this (or they can get a tap in the network, or maybe even force the network operator to hand over the secret key) but real-time eavesdropping of random calls is AFAIK impractical.
  • "Expect to see several established products fail or be withdrawn because they are too invasive, have unfriendly interfaces, or are found to be considerably less effective than claimed."

    1) Apparently this guy hasn't been using windows.
    2) He hasn't read the book "Mythical Man Month".

    As I see it this statement is not insightful but redundant.

    • In response to your accusations...

      1) Apparently this guy hasn't been using windows.
      I'm sure he has to some extent, but I believe he uses Mac OS X in his office.

      2) He hasn't read the book "Mythical Man Month".
      Yes, he has. It was assigned reading for one of the courses he taught.

      Recall, this is a prediction, a guess. Weirder predictions have come true.

      The reason most people use Windows is because they don't realize they have a choice. For the average consumer who can't handle Linux/BSD/etc. and uses PCs at work and therefore is more comfortable with Windows than MacOS, there realistically isn't a choice. That's why appliance PCs will take off (IMO), if they're designed right. Because of the age old KISS (Keep It Simple, Stupid) formula. If you make it easy enough for everybody to use, they will. That is, as long as they are willing to pay the price for the functionality. That's why appliance PCs have failed so far...
      • The reason most people use Windows is because they don't realize they have a choice.
        Actually, I think that's a secondary cause. I think the top two reasons people use windows is because 1.) It's what came on their computer, or 2.) It's what they're familiar with from work. I can't tell you how many machines I've seen that have been in use for years but still have the default settings for everything.
  • What the?! (Score:4, Interesting)

    by Pat__ ( 26992 ) on Thursday November 14, 2002 @07:26AM (#4667264)
    From the article... (emphasis mine)
    Other technologies about which we should exercise caution include VOIP, Bluetooth,
    open source, automated patching, RFIDs and biometrics.

    I always thought it was the other way around!
    As in we should exercise more caution about closed source systems no matter which one we are advocating !!
    Oh well! ... He is the security expert so I guess who am I to argue!
    • Recently, I think we've had some pretty good demonstrations of the false sense of security we've all smugly adapted regarding open source:

      - Trojaning of popular open source software (such as OpenSSH and tcpdump).
      - Repetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it).
      - Programmers releasing details of security flaws after their platform is covered but before everybody else has a chance to patch the problem.

      So I think he may have a point. Closed source isn't secure, to be sure, but regardless these continual problems with dealing with security flaws in free software beg the question of whether or not the open source methodology is much better in 'root'ing out problems.

      Note: I'm just talking about security, not overall quality of product. I still use open source because I feel it is superior to closed source in so many ways. However, I want to burst this bubble we've collectively got about "Thousands of eyes on the source code mean we're all safer", because obviously it isn't turning out that way.

      • by Zocalo ( 252965 ) on Thursday November 14, 2002 @08:25AM (#4667470) Homepage
        Repetitive exploits in the same software, such as the recent BIND exploits in the latest version (and the eighty or ninety exploits that came before it).
        Latest version? I don't think so. BIND currently has three main code bases:

        v4.x - essentially an ugly, bug ridden hack (or at least it seemed like it).

        v8.x - a very stable DNS server, but unfortunately largely built upon the v4.x codebase and inheriting issues galore as a result.

        v9.x - A complete rewrite of v8.x, plus extra features, with much more attention paid to code integrity.
        Almost ALL of the recent serious BIND exploits, including the recent one you are referring to, have been focused upon the v4.x and 8.x trees. Sure, v9.x isn't without its problems, but all in all, it's proven to be pretty secure and stable so far.

    • He didn't say open source was bad - he said it was a technology 'about which we should exercise caution'. The listed technologies are not Bad Things, they are just things that require caution when incorporating them. Biometrics were also listed in the technologies where caution needs to be exercised. I think what he's getting at is that it is completely possible to build an insecure system with secure components, and that something can't be assumed to be good just because it is grouped with things that are.

  • As far as your web server is concerned, getting slashdotted ranks way up there, along with using IIS (gratuitous MS bashing). =)
  • Consumers and technologists will continue to be enamored with fads and flash rather than quality and safety. Wireless will continue to be deployed in sensitive locations despite the terrible vulnerabilities and risks. Furthermore, we'll see policymakers and technicians continue to place faith in technology to solve our problems instead of investing in sound management and trained personnel. Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics.

    Is exactly what? Placing open source in that list makes no sense to me. Why?

    • Take a look at CERIAS's sponsor list for a few reasons;

      http://www.cerias.purdue.edu/about/related/sponsors/
    • After listening to a lecture he gave at AUSCERT2002 I think it comes down to his belief that even open source doesn't use methodologies that promote secure code from design. The example he gave was an old Kerberos security flaw that existed for several years. Many people had looked at the code but none picked it up. Just having a hundred people look at code doesn't make it secure. See trojan code that has been added to tcpdump as an example.
    • by coj ( 20757 ) on Thursday November 14, 2002 @09:29AM (#4667880) Homepage
      FYI, My day job is CERIAS webmaster.

      I believe he mentions it in response to the common belief that OSS is *inherently* more secure than closed source. We use tons of open-source software at CERIAS, so it's not the case that Spaf has a dislike for open source.

      -Ed
      • I believe he mentions it in response to the common belief that OSS is *inherently* more secure than closed source. We use tons of open-source software at CERIAS, so it's not the case that Spaf has a dislike for open source.

        Thanks for that info :) I guess the thing that I did not understand is why he put open source in between words that describe specific technologies (VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics) - I mean, open source/closed source/shared source whatever are methods (not maybe the correct word, blame my English) under which you can create the other mentioned specific technologies. It just seemed to me that for some reason, he wanted to put open source in that -wrong- family.

        • Thanks for that info :) I guess the thing that I did not understand is why he put open source in between words that describe specific technologies (VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics) - I mean, open source/closed source/shared source whatever are methods (not maybe the correct word, blame my English) under which you can create the other mentioned specific technologies. It just seemed to me that for some reason, he wanted to put open source in that -wrong- family.

          I can't speak for him, but I didn't read that deeply into it. I took it as a list of technologies/methods of solving problems that we have to look closely at, because they could be problematic from a security standpoint (mostly because people make assumptions about how secure they are).

          -Ed
  • by DrXym ( 126579 ) on Thursday November 14, 2002 @07:34AM (#4667290)
    Mozilla 1.3 is adding support for Bayesian spam filters [mozilla.org]
    • Unfortunately, allowing the clueful few who wouldn't buy or respond to spam anyway (meaning mozilla users) to filter mail easier does nothing in the way of telling spammers to get knotted. That's where integrating the spam-check at the MTA receipt stage would come in handy; you don't have to passively accept crap, nor do you have to waste bandwidth sending complete bounce emails (potentially to innocent victims), but rather you drop things at injection. Fine by me :)

      There's a patch and spiel about an exim module and filter that hooks into SpamAssassin at http://marc.merlins.org/linux/exim/sa.html

      HTH,
      • by DrXym ( 126579 ) on Thursday November 14, 2002 @08:27AM (#4667477)
        That is not the point. The point is that if Mozilla can have a Bayesian filter and it proves effective at catching spam then in a few years *every* mail application and many services such as AOL/MSN/Yahoo etc. will have one too. There will be no more need for the user to set up 20-odd advanced filter rules to filter for crap like $$$, xxx, Nigeria etc., or buy spam filtering shareware or anything else requiring effort - they simply click "this is spam" or whatever on their mail software and it's dealt with.

        There was a slashdot article the other day that mentioned the return rate on spam was something like 0.001-0.002%. If a filter that learns can kill 90% of it or more then you can stick an extra 0 in there at least. Let the fuckers burn their money if they wish, but there will be a point when most of them will simply give up.

        • That's also not the point. It might not cost them 10x as much to send 10x as much spam if that becomes the case. Not to mention, someone's bound to *try* circumventing any sufficiently common anti-spam system.

          (And Bayesian filters are no panacea, nor are they invulnerable, btw; I still get the occasional junk-mail through here, despite my better efforts. I even had one over the weekend that fell back to SpamAssassin and scored over 27 but bogofilter considered clean - simply base64-encoded all its body, and I don't know that bogofilter either handles that well, or if it does, it hadn't been well enough trained against that sort of mail.)

          The best way is still a moderately aggressive "just say NO!", not a passive acceptance, IMO. Spam should always be nuked at source.
          • But these types of filters are unique to the user. Words that might get through my filter might hit a red light in yours because you've never seen that word outside of spam. Therefore, there's no common technique that will get through all filters, and never will be one.
            • That doesn't have to happen. All the spammers need to do is carry on pushing crap out and someone's bound to get it - drop a block of varied nice-words in the bottom of the mail (start "talking about" PHP, java, diet-coke and stuff, and you'll be going up in my estimation) and the damage potential will increase.
              And in the process, more bandwidth will be consumed (which is where the real work-load is inflicted on the 'Net, not at the end recipient) and the poor eejits out there *not* using these filters will still be getting crap.
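The per-user Bayesian filtering discussed in this sub-thread (the "this is spam" button, why one user's filter differs from another's, and the effect of padding a pitch with words that are innocent only in one user's mailbox), as an added example written for this page; it is not Mozilla's, bogofilter's or SpamAssassin's code. It is a small Graham-style naive Bayes filter: each token's spam probability comes from how many spam versus ham messages it appeared in (ham counts doubled, clamped to [0.01, 0.99]), unseen tokens get an assumed neutral 0.4, and only the 15 most decisive tokens are combined. The training corpus, the user's vocabulary (PHP, Java, lunch, servers) and the messages scored are all constructed. It runs the sequence the thread argues about: the plain pitch is caught, the copy padded with this user's own "good" words slips through, and after the user marks it as spam the filter catches it while legitimate mail on the same topics still scores as ham.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$']+")


def tokenize(text):
    """Lowercase word tokens as a set: each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Graham-style naive Bayes spam filter, trained per user."""

    def __init__(self, unseen_prob=0.4, n_interesting=15):
        self.spam_tokens = Counter()   # number of spam messages containing token
        self.ham_tokens = Counter()    # number of ham messages containing token
        self.nspam = 0
        self.nham = 0
        self.unseen_prob = unseen_prob      # assumed value for never-seen tokens
        self.n_interesting = n_interesting  # how many extreme tokens to combine

    def train(self, text, is_spam):
        """What the 'this is spam' / 'not spam' button feeds back into."""
        toks = tokenize(text)
        if is_spam:
            self.spam_tokens.update(toks)
            self.nspam += 1
        else:
            self.ham_tokens.update(toks)
            self.nham += 1

    def token_prob(self, tok):
        """P(spam | token): ham counts doubled to err toward false negatives,
        clamped so no single token is ever absolute."""
        b = self.spam_tokens.get(tok, 0)
        g = 2 * self.ham_tokens.get(tok, 0)
        if b + g == 0:
            return self.unseen_prob
        bad = min(1.0, b / self.nspam) if self.nspam else 0.0
        good = min(1.0, g / self.nham) if self.nham else 0.0
        return min(0.99, max(0.01, bad / (bad + good)))

    def score(self, text):
        """Combine only the tokens furthest from 0.5; returns P(spam)."""
        probs = sorted((self.token_prob(t) for t in tokenize(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:self.n_interesting]
        if not probs:
            return 0.5
        spam = math.prod(probs)
        ham = math.prod(1 - p for p in probs)
        return spam / (spam + ham)


# Constructed corpus for one user whose real mail is about PHP, Java and lunch.
SPAM_CORPUS = [
    "buy cheap viagra now online pharmacy",
    "see horny naked amateurs live now free",
    "make money fast work from home now",
    "cheap mortgage rates refinance now free quote",
]
HAM_CORPUS = [
    "meeting moved to thursday, bring the php notes",
    "can you review my java patch before the release",
    "lunch tomorrow? diet coke is on me",
    "the server logs are attached, see the php errors",
]
SPAM_PLAIN = "cheap viagra online now free"
# The same pitch padded with words that are 'good' only in this user's mailbox.
SPAM_PADDED = SPAM_PLAIN + " php java diet coke server logs patch release meeting"
HAM_TEST = "can you send the php patch before lunch"


def build_filter():
    f = BayesFilter()
    for m in SPAM_CORPUS:
        f.train(m, is_spam=True)
    for m in HAM_CORPUS:
        f.train(m, is_spam=False)
    return f


def demo():
    """Scores before and after the user reports the padded message as spam."""
    f = build_filter()
    out = {"plain": f.score(SPAM_PLAIN),
           "padded_before_feedback": f.score(SPAM_PADDED)}
    f.train(SPAM_PADDED, is_spam=True)   # the user clicks "this is spam"
    out["padded_after_feedback"] = f.score(SPAM_PADDED)
    out["ham"] = f.score(HAM_TEST)
    return out


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name:24s} P(spam) = {p:.6f}")
```

The padding words help the spammer only against a mailbox where they already appear in ham, which is the poster's point about filters being unique to each user; the same padded message scored by a filter trained on somebody else's mail gets neutral 0.4 for those words and is still caught.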
  • by UnderAttack ( 311872 ) on Thursday November 14, 2002 @07:35AM (#4667292) Homepage

    I like the part about cooperation. Hackers have done it for years successfully, while network administrators prefer to sit in their closets under tin-foil hats hoping to protect themselves with obscurity.


    Systems to share already exist. Just check the "Internet Storm Center" [incidents.org] and DShield [dshield.org] for a place to exchange logs and ideas.

    • OK, as an admin, I take offense to this statement. I don't "sit in my closet", and I don't rely on obscurity for security. Blanket statements (that don't make sense, no less) don't show any sort of *insight* at all. Modded up...sheesh.

  • by ifoxtrot ( 529292 ) on Thursday November 14, 2002 @07:46AM (#4667324)
    I don't think that any of these predictions are particularly insightful, but the 8th is a good illustration of the root of the problem with security.

    Consumers and technologists will continue to be enamored with fads and flash rather than quality and safety. Wireless will continue to be deployed in sensitive locations despite the terrible vulnerabilities and risks. Furthermore, we'll see policymakers and technicians continue to place faith in technology to solve our problems instead of investing in sound management and trained personnel.

    The point being that security is frequently misunderstood, isn't sexy and doesn't appeal to the mass market. Possibly the only way to change this is for security to become a major feature of the products (a bit like microsoft is saying it's doing now) so that people will come to expect the security... Somewhat similar to the safety features in cars...

  • "Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics."

    Slashdot reporting on something that says Open Source has security problems? Wow!

    For all of you who are wondering what he's talking about, think: trojan in OpenSSL, trojan in libpcap, immediate disclosure of Apache vulnerabilities... it's not all peaches and cream just because it's open. Closed source has some important inherent security benefits.
  • Appliances? (Score:5, Insightful)

    by Omkar ( 618823 ) on Thursday November 14, 2002 @07:53AM (#4667349) Homepage Journal
    "Consumers will embrace appliance-based computing as it becomes available."

    Spaf apparently believes that consumers aren't capable of dealing with real computers; he thinks dedicated apps and devices are the future.

    This reminds me of the NC vs. PC debate. PCs were supposedly too clunky, hard to use, and powerful for the average user; NCs were going to replace them. Eventually, PCs ate NCs.

    I believe that looking at this issue from a security point of view is somewhat misleading. As Spaf himself seems to realize, most domestic consumers are misinformed and apathetic about security. The average person will see a refrigerator, that for no good reason, can go online, rather than a secure online service. PCs will still be more versatile than appliances, and will continue to provide more value. Remember how the next big thing 10 years ago was the iCoffeeMaker?

    Domestic consumers won't use them. Corporate consumers won't use them. Who will adopt appliances?
    • Re:Appliances? (Score:5, Interesting)

      by Chanc_Gorkon ( 94133 ) <gorkon.gmail@com> on Thursday November 14, 2002 @08:08AM (#4667395)
      Actually I kind of agree with him. I will tell ya why. Personally, when I am at home it's my time. I usually love unplugging for at least an hour if not the whole evening. Yeah I love technology and all, but why I want to is invariably, I always start to ask the question is it worth it when I start working on something. If it isn't, I push away and relax by watching a DVD. Now if I didn't have the hassle of normal day to day computer using, I would use it more. Case in point, my PDA is what I take with me on trips rather than a laptop. It works EVERY TIME and powers on in less than a second. People hate having to wait for the boot sequence and all of that. People want to work. Remember when the first home computers came out and they were real popular? Remember why? The reason was that they were instant on. No waiting for a disk to be read or any of that. On my Atari 800XL, when I wanted to write a paper for school, I would insert the cartridge for the word processor and turn it on. THAT'S IT! The software was available soon after (less than a second) I flipped the power switch. The only downside of the older ones was that saves took forever because you usually could not afford the disk drive so you were stuck with tape. My Atari 800XL cost LESS than the disk drive! We used a tape drive. There's no reason we can't have these type of computers and no reason to kill off the PC because of them. The PC could turn out to be a household server more than anything with everyone having a laptop style or pad style computer that could be used anywhere. When you were at home, the pad could periodically dump its contents to the PC and when you leave you can make sure you have the files you really need with you. Appliance computers will happen eventually. Even us geeks will use them.
    • Re:Appliances? (Score:4, Insightful)

      by fferreres ( 525414 ) on Thursday November 14, 2002 @09:00AM (#4667626)
      Price. Start offering NC for $4,99 a month (say you already have a monitor and only need to plug in a micro NC that is network card + video display and some simple BIOS).

      You can only win against a PC if you can offer the NC at "ridiculous" (for past standards) price. Everything should be thin clients if you ask me, and if I need I could "network to my own server" or to a server provider I hired (for my personal apps, my disk space, email, whatever). Everything will be distributed services.

      The PC will then be seen as a "local NC + server" all-in-one.

      But we'll have to wait some years. It will be fun:
      - No installation of software
      - Almost no configuration, except for user choices

      Just imagine: click here to play Doom IV (service cost $0,05 a minute, or buy a monthly pack at $10). Here to launch a word process (prices start at $0,02 (OO) and up to $0,10 (MSO)). Click here for phone service, etc. etc.

      Companies offering lots of "service packs" (not the MS ones! Real service packs). Your own computer will be irrelevant, the best stuff WILL NOT INSTALL ON YOUR COMPUTER.

      The reasoning behind this is simple: as network speeds become increasingly powerful, there will be an inflection point in the economics of running a local computer: when the needed "combined" bandwidth for using all the applications you need + upgrades to them and updates surpasses the needed bandwidth to just broadcast the "video stream" to your computer, network computing will arrive.

      And the needed bandwidth to broadcast a video signal grows little over time and can even go down (small screens, PDAs) but the bandwidth to install new games, OSs, to watch video and applications and to stay current is growing exponentially.

      It's just a matter of time! Gone will be the days one will have a computer faster than your friend. You could compile your kernel in 3 seconds in a virtualized mainframe as long as you don't exceed your CPU/hour quota!

      People will ask what CPU/hour you are hiring (if you run a server) and how many clients/hour are you serving, not how much mbits you have :)

    • Re:Appliances? (Score:2, Informative)

      by fermion ( 181285 )
      This is absolutely the case. When consumers can buy a flexible device that just works, they will. It is not that we can't understand how to make a computer work, it is that there are other things we would rather do.

      For instance, I have a store bought firewall. I have an extra box that I could have made into a Linux firewall, but I just didn't feel like it. There was a time when I might have done it for the educational benefits, but there are other things I want to do and people I want to do those things with.

      This was also what was great about the original Mac. I don't know if anyone remembers the morass of the PC world 20 years ago. Hacked up cables, printer codes in word processor documents, device drivers for each program, networks that were hand configured, if not coded. The original Mac ushered in a world of microcomputers and components that just worked. Cables would work, layers were abstracted so one printer driver, or set of menus, or modem driver, would work for all applications. It was a box on the table that let the user compute. It was, in fact, an appliance. Like a TV, things could be plugged into it. MS ran with part of this idea, but for the most part never fully implemented the 'appliance' part.

      A big reason we do not have such a device is that MS sucks at embedded software and lives at the teat of yearly upgrade cycles, and has convinced consumers that MS is the only solution. For instance, I tried to give one relative an old Mac that did exactly what she wanted, did not need to be upgraded every month (it was very stable software that had not been upgraded in two years). The problem was she was so indoctrinated into the MS world and did not believe that this machine could do what she wanted. She basically was so branded by MS that anything else would not do. So now she has a machine that does not consistently work, and will have this machine until MS and companies like Dell develop a machine that just works. I am not holding my breath.

      So yes I do expect to see many computing devices being made into appliances. I know my life would be much easier if I could just give my relatives a secure box that they can plug into the wall and use. It would dial, download mail and surf the web. It would not be so flexible that it could run spyware, download webbugs in email, or become owned.

    • Two words:

      Game consoles.
    • Re:Appliances? (Score:3, Insightful)

      by Tassach ( 137772 )
      You seem to be missing the point. "Network Appliance" doesn't mean "Toaster with an RJ-45 port", it means "Dedicated computing device". Domestic and corporate customers are buying single-purpose, dedicated appliances like mad. Security appliances [watchguard.com]. Network-Attached Storage appliances. [snapappliance.com] Search appliances. [google.com] And so forth.

      When you want to do one job, and do it well, a dedicated piece of hardware almost always wins out over a general-purpose computer. Can a PC with 2 NICs and the appropriate software do everything a high-end router can do? Sure it can. Then why do people buy dedicated routers? Because they are more reliable, have better performance, consume less power, and are simpler to administer. It's the same reason you have a toaster and an oven. A toaster does one thing: it converts bread into toast easily, reliably, and efficiently. You can't cook your Thanksgiving turkey in the toaster, but that's why you have an oven. You can make toast in your regular oven, but it takes more power, it's easier to burn it, and it's far less convenient.

  • With utmost respect I can't see any predictions, he's just stating obvious facts and logical conclusions derived from the present state of things. I feel the hidden message in the whole prophecy: M$ sux, Linux sux, closed source UNICES rules. A few rants/unconstructive comments follow:

    1) Consumers will never be able to 'distinguish safe code from the typical dreck they're used to buying' just because there's no _SAFE_ code and they're not supposed to do so. They're _CONSUMERS_.

    2) Yes the sales of security products will grow, US government and media are working around the clock with their 'war on human rights'.

    3) I don't understand the point behind this rant.

    4) Spam _IS_ a problem already, but there are effective solutions. Smart ISPs already offer spam filtering services.

    5) I hope he's not talking about US DOJ way of international cooperation when any human being living on earth is subject to US laws, which is also known as "All your ass belongs to us".

    6) When lawyers and insurance companies jump in, software prices will skyrocket and we're going to see even more stupid EULAs and laws. That's the way lawyers work.

    7) Oh, consumers _ALWAYS_ focus on wrong things, it's hardly any news. But, honestly who made him (or me) god to say: What you do is the wrong thing?

    8) Open source isn't technology it's more a philosophy, a way of thinking. Other mentioned technologies can be safe enough for average consumer or company when implemented properly. Even matches are dangerous technology in the fire-lighter's hands.

  • by quadcitytj ( 320706 ) <tj@wackycow.com> on Thursday November 14, 2002 @08:29AM (#4667489) Homepage
    Other technologies about which we should exercise caution include VOIP, Bluetooth, open source, automated patching, RFIDs and biometrics.{Emphasis mine}

    It would be nice if he could give us a concrete reason why we should "exercise caution" with open source. Does he really have a valid point, or is he just propagating the "open source is less secure because crackers can see the code" myth?
    • Spaf is simply trying to drive a point home that he teaches constantly at Purdue--and yes, I had the privilege of taking his class. When it comes to computer security, you should never blindly trust anything! Why is he saying that we should be cautious? Simple... Too many people have the impression that open source == security. And we've all heard it: "It's open source, it must be secure..."

      Why is that a bad thing? Risk Analysis... You can never achieve 100% security. At best, you can develop a plan that takes into account most anything that can go wrong: Fire, Burglary, Natural Disaster, Hacking, etc. If you blindly trust a component, then your risk analysis isn't worth anything.

      PS: Spaf... See... I wasn't asleep in class.
    • Spaf is a Smart Guy, and of the many things he's said, 'open source == less secure' is certainly not one that I'm aware of!

      Open source may or may not be more secure because it allows for independent code review. It is NOT, however, inherently secure which is something that some people seem to think.

      What he's saying is that none of these things are a panacea. We can't say that we're secure because we use open source software (like tcpdump, sendmail, BIND), nor can we say that we're safe from bad guys because of biometrics.

      He's reminding us of the fundamental point of security: It's a journey, not a destination. The technologies that he mentioned are great cases of either or both (a) easily breakable technology, and (b) technology that too many people are willing to wave their hands at and call 'secure.'

      Caution is a fair attitude, I'd say.
  • by Bocaj ( 84920 ) on Thursday November 14, 2002 @08:47AM (#4667555) Homepage
    We need a good appliance that can detect spam/intruders/viruses. In a nice little package with an LCD "Iris" that closes when it detects a "bad" incoming packet and then makes a thud sound when it kills it. :-)

    Ok, yes, I watch too much Sci-Fi channel...
  • Ineffective laws (Score:2, Informative)

    by Vincy ( 178810 )

    7. Consumers will still focus on the wrong things. Insiders will defraud companies because all the defenses will point outwards. Bad software will continue to be purchased and deployed because "it's what everyone else uses." Little funding will be provided for education and long-term research because it has no obvious impact on the quarterly report. Instead, untold billions of dollars will be spent on short-term patches and fixes that need to be replaced every few months. Military systems will be purchased because they are COTS, not because they are safe or well-tested. Many disasters will make the news in coming years as a result.

    As reports of spectacular security failures increase, the public will feel more and more insecure. Instead of taking their own responsibility, they will turn to the lawmakers to provide them with laws that will give them back their security. These laws will come, since the lawmakers have to do something, even if the effect would be largely debatable.

  • On the whole, this is a good essay that makes a lot of valid points. Some are just common sense, others show some real insight. But he says something that strikes me as just wrong:
    The market for add-on security (firewalls, intrusion detection, antivirus, monitoring, probing, etc.) will continue to grow, although we'll see considerable consolidation in the marketplace as the similarity of many tools becomes apparent. Sales of these items will be strong for years to come, despite the fact that the only real solutions require rearchitecting the underlying systems.
    It sounds like he is saying that intrusion detection, antivirus, firewalls, etc. are combinable, which is pretty questionable, and even more questionable, that they can be integrated into the "underlying systems". If I understand this correctly, he's talking about rolling all of this functionality into operating systems.

    The last thing I want is all my security tools prepackaged in my OS. Not all intrusion detection is the same. Not all firewalls are the same. I want to be able to pick the tools that make sense for the needs of my network. I want to be able to run some of my critical security services on separate dedicated boxes from critical network services. (Obviously the firewall, but other stuff too.) I want to create multiple layers of security distributed around my network. I don't want the OS of my production box to give away all the details of my security posture.

    We all know that admins out there fail to keep up patch levels at an enormous rate, let alone creating a well designed multi-layered security posture. Maybe rolling it all into one box would simplify the job of getting to a minimally secure configuration. But seriously, who doesn't believe that the black-hats wouldn't have a field day with this? He talks about real solutions, but the only real solution, now or 10 years from now, is hiring IT security experts to create and maintain a real comprehensive security solution.

    I don't disagree that "underlying systems" need to be "rearchitected" to meet basic security needs, if that means, for example, that MS needs a radically different approach to integrating security concerns into the OS development process. But that isn't a solution to the problems addressed by what he calls "add-on" security tools. That's a different problem, and an important one. But no matter how well designed my underlying OS, I'm still going to put it behind a firewall, I'm still going to run some sort of IDS, I'm still going to monitor the logs, and I want control over how I do those things.

    Or maybe I'm reading his relatively sketchy argument wrong, but I can't figure out a different way to take it.

  • The problem I see with absolutely every new protocol, going all the way back to the telephone and postal service is that there is an inherent assumption that all communication attempts are desired, and should be brought to the attention of the recipient. Only later are additions made to secure the protocol, such as Caller ID and the Telezapper for the phone, and requirements that large packages be delivered in person to protect the mail system.

    For that reason, I think eventually every communication protocol will have requirements that clearance to send be requested before the actual payload is allowed. And furthermore, upstream routers would remember when permission is denied for a limited time and repeat the denial, therefore cutting off DOS attacks early in their journey, and assuring most people still have access to the apparent target.
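    The clearance-to-send scheme sketched in the comment above, as an added simulation that is not the commenter's code and not any real protocol: a sender must obtain clearance from the recipient before a payload is accepted, and an upstream router caches each denial for a fixed TTL so that repeated attempts from the same sender are dropped at the router instead of reaching the target. The class names, the TTL value and the flood size are assumptions chosen for the illustration; the point it shows is that during the flood the recipient sees only one clearance request, and that the cached denial expires so a later attempt is re-evaluated rather than blocked forever.

```python
"""Toy model of a clearance-before-payload protocol with upstream denial caching.

Added illustration of the idea in the comment above; not code from the page
or from any real protocol. Names and numbers are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Recipient:
    """The apparent target. Only accepts payloads from senders it has cleared."""
    name: str
    allowed: set
    inbox: list = field(default_factory=list)
    clearance_requests_seen: int = 0

    def decide(self, sender: str) -> bool:
        self.clearance_requests_seen += 1
        return sender in self.allowed

    def deliver(self, payload: str) -> None:
        self.inbox.append(payload)


@dataclass
class UpstreamRouter:
    """Router between sender and recipient that remembers denials for denial_ttl seconds."""
    denial_ttl: float
    _denials: dict = field(default_factory=dict)  # (sender, recipient) -> expiry time

    def request_clearance(self, sender: str, recipient: Recipient, now: float) -> bool:
        key = (sender, recipient.name)
        expiry = self._denials.get(key)
        if expiry is not None and now < expiry:
            return False  # repeat the cached denial; the recipient never sees this attempt
        if expiry is not None:
            del self._denials[key]  # TTL elapsed: forget the old denial
        granted = recipient.decide(sender)
        if not granted:
            self._denials[key] = now + self.denial_ttl
        return granted


def send(router: UpstreamRouter, recipient: Recipient, sender: str, payload: str, now: float) -> str:
    """Two-step exchange: ask for clearance first, ship the payload only if granted."""
    if not router.request_clearance(sender, recipient, now):
        return "denied"
    recipient.deliver(payload)
    return "delivered"


def run_scenario(denial_ttl: float = 60.0, flood_size: int = 1000) -> dict:
    """One legitimate sender, then a flood from an unwanted sender, then one try after the TTL."""
    alice = Recipient("alice", allowed={"bob"})
    router = UpstreamRouter(denial_ttl=denial_ttl)

    legit = send(router, alice, "bob", "hello", now=0.0)

    # Flood: many attempts within one second from a sender alice does not allow.
    flood_denied = sum(
        1 for i in range(flood_size)
        if send(router, alice, "mallory", "junk", now=i * 0.001) == "denied"
    )
    seen_during_flood = alice.clearance_requests_seen  # bob's request plus mallory's first one

    # After the TTL the cached denial is gone, so one more request reaches alice.
    send(router, alice, "mallory", "junk", now=denial_ttl + 1.0)

    return {
        "legit": legit,
        "flood_denied": flood_denied,
        "seen_during_flood": seen_during_flood,
        "seen_after_ttl": alice.clearance_requests_seen,
        "inbox": list(alice.inbox),
    }


if __name__ == "__main__":
    print(run_scenario())
```

    With the assumed numbers the recipient handles two clearance requests during a thousand-message flood and a third only after the denial expires; the inbox holds only the cleared payload. The TTL is the trade-off knob: long enough to absorb a flood, short enough that a sender who is later allowed is not locked out.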

  • This interview with Spaf [geartest.com] goes into much more depth about his thinking about security -- or 'assurance' as he says -- because '...security really is a property that's an absolute that we can never quite achieve.'

    Read the interview. [geartest.com]

  • With every passing hour our solar system comes forty-three thousand
    miles closer to globular cluster M13 in the constellation Hercules, and
    still there are some misfits who continue to insist that there is no
    such thing as progress.
    -- Ransom K. Ferm

    - this post brought to you by the Automated Last Post Generator...
