Security in Ten Years

Schneier has posted a conversation between himself and Marcus Ranum, Chief Security Officer for Tenable Network Security, Inc. looking at where security is headed. "[...] at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."

Creativity

[foobsr]

From TFA: "Think of the iPhone model: You get what Apple decides to give you, and if you try to hack your phone, they can disable it remotely. We techie geeks won't like it, but it's the future. The Internet is all about commerce, and commerce won't survive any other way."

Amen.

An incredibly creative approach.

CC.

Re:

[timmarhy]

yeah wow so creative at cable box makers/companys have been trying the same nonsense for the better part of 10 years and look how well it's worked for them - it's spawned a legion of hackers all trying to out do each other at the speed they can create hacked cable cards.

and given the speed at which the iphone was unlocked, it doesn't seem like a good example of successful security.

the old mantra of something you are something you know combined with strong crypto and solid protocols is where true security

Re:Creativity

[veganboyjosh]

10 years? I remember my uncle trying to stay one step ahead of the cable companies back in the early 80's, ordering black box descramblers out of the back of Rolling Stone magazine, only to have the cable company then scramble the "newly" descrambled signal, and he'd have to find the new upgrade.

In the end, I think it would have been easier and cheaper to just subscribe to the damn cable, but that's not the point.

When I think of the history of hacking, of course there's the homebrew club, and it's ilk, and all the phreakers, etc. Are there other groups that predate computers? I'm imagining a group of people like HG Wells and his friends in The Time Machine...sort of steampunk hackers, or something...

Re:

[timmarhy]

we've only had cable in australia for about 10 years i think, atleast in my area so i guess your right, it predates my experiences.

i think my point is valid though, that bricking devices has been tried and failed long before the ipod.

Re:Creativity

[smittyoneeach]

I think it would have been easier and cheaper

But you don't seem to place any value on the sheer defiance of it all.

Re:

[veganboyjosh]

But you don't seem to place any value on the sheer defiance of it all.

Oh. I do now. But back then, it just seemed like as soon as he got his new descrambler in the mail, the cable company would re-scramble their signal, so he'd have to get a re-descrambler, etc etc. To the point where he had 4 or 5 black boxes on top of his tv, to get through all the crypto that got added as the cable theives got better tech.

At some point, my dad opined (and it made sense then, and it makes sense now) that it was pro

Re:

[pclminion]

Defiance? How about trespassing and/or illegal access? I'm usually a stickler for the clean differentiation between copyright infringement and theft, but this is clear-cut. The cable company has invested serious PHYSICAL RESOURCES into their distribution network. It's not just content -- there are wires in the dirt. Do you think that costs nothing?

This wasn't defiance. Just good old thievery.

Re:

[drsmithy]

In the end, I think it would have been easier and cheaper to just subscribe to the damn cable, but that's not the point.

For most people, it is. They're not "hacking" the cable boxes out of principle, or to see how it works, they're doing it because they don't want to pay for it. All the CableCos need to do is making buying the same cost - or only marginally more expensive - than the "hacking", and they're set.

This is pretty much the same principle Apple uses. So long as getting OS X working on a fran

Re:Creativity

[Kadin2048]

yeah wow so creative at cable box makers/companys have been trying the same nonsense for the better part of 10 years and look how well it's worked for them - it's spawned a legion of hackers all trying to out do each other at the speed they can create hacked cable cards.

Yeah, and how many people do you know who have hacked cable boxes? I don't know any, and I have some pretty geeky friends.

The point isn't what a few elites can do, it's what regular people can do. That's the benefit of technology, because it's what drives social change. (Incidentally, I think it's what a lot of geeks don't "get" sometimes.) History books will write about the Internet as a 1990s phenomenon, even though it existed long before, because only in the 1990s could most people use it. And it was only when lots of people started using it that it started to have effects that could be felt everywhere; that's when it started to change everything.

Dismissive hand-waving about hackers misses the point: when you limit the number of people who can effectively use a technology to a small number of hackers or hobbyists, you hobble the technology and you sharply reduce the effect that it could have had.

It's a pernicious problem because it's difficult to quantify the loss due to technology that the masses either never get, or never get in a form that's useful to them. How do you quantify the social benefits of a CableCard or DVR standard that doesn't suck royally? (The ability for everyone to do what I can do on a MythTV box: pause a program on one TV, walk away, and resume it from another one in a different part of the house an hour later?) It's not something that's easy to measure, but there's obviously some benefit there, even if it's not exactly a cure for cancer. Every time a company locks a product up and makes it difficult for a user to really take full advantage of its capabilities, we all lose a little. Or rather, we just fail to get something that we could have.

Re:

[ehrichweiss]

"Yeah, and how many people do you know who have hacked cable boxes? I don't know any, and I have some pretty geeky friends"

I worked in cable for a while a couple years ago and there are without a doubt people with the knowledge and equipment to stay one step ahead of the game. I never busted any of them that I met because they were hackers, not businesses looking to make money. To this day I have yet to see a particular hack by those guys that truly(and I mean TRULY) wiped PPV from cable boxes among othe

Re:

[drsmithy]

History books will write about the Internet as a 1990s phenomenon, even though it existed long before, because only in the 1990s could most people use it.

I would go so far as to say history books will write that the Internet was a 2000s phenomenon (driven by MySpace, Facebook, et al) and that the 1990s were the "early days" of "primitive internet connectivity".

It is unlikely things like Gopher or Usenet will be anything more than footnotes - if that - outside of specialised books.

And it's called....

[DrYak]

I wonder if a company would, in the long run, win when embracing hacking instead of fighting it

And it's called Linux.

(I mean, Really. It's openly hackable as per the bsaic freedom granted by GPL, and there are a lot of companies making a damn good use of it. Thanks to it hackability it has been ported to crazy range of hardware from wrist watches to super computers. And it's good at it if one pays attention at the world's top supercomputers. In the middle somewhere lie router box and similar [I don't know a

Re:

[KlaymenDK]

See what happened to Slim Devices. They got bought by Logitech, I'm sure that was profitable.

However, the *real* test is wether they will *remain* as open or if they will let themselves be assimilated and just produce regular consumer boxes.

Re:

[KlaymenDK]

I thought the future was about building a better mousetrap. Linux took its time to get out of the hole, so to speak, but has really grown a respectable market share.

I wonder, and hope, that the same will become true for hardware.
I wonder, and hope, that the OpenMoko will be a pioneer in opening up a truly closed arena.

Re:

[smallfries]

I thought that quote was a bit weird as well. It's not the first time that Bruce has sounded like a tool, from Bruce's own mouth. If the internet is all about commerce now - did they forget to send the memo to the owners off all the non-pay sites? I guess accademics and the open-source crowd are shit out of luck.

The other odd claim was that we haven't invented a new crime in a 1000 years. In a discussion about computer security? Trying to relate hacking to "impersonation" or lockpicking (which he didn't lis

Re:

[waterm]

How does DRM circumvention get described using 1000-year old criminal terminolgy.

What? "Pirating" doesn't fit the bill?

Re:

[OwnedByTwoCats]

"Pirating" used to mean the armed attacks (or threats thereof) on vessals on the high seas, in an effort to steal their cargo, and/or enslaving the passengers.

Modern copyright violation, often called "Pirating", presumes that users can illegally reproduce works, and do so for less than the cost of legitimately aquiring them. That requires a fair bit of kit.

Re:

[S. Traaken]

"Piracy" has been used to refer to copyright violation (and its predecessors) for hundreds of years.

Re:

[Anonymous Coward]

How does DRM circumvention get described using 1000-year old criminal terminolgy

What, suddenly "stealing" isn't good enough? ;)

Re:Creativity

[Sique]

First of all: DRM is some sort of lock.
Second: Reverse engineering keys is as old as creating locks.
Third: Having a librarian in a monastry's library was also some kind of DRM. He was the arbiter who decided (sometimes after consulting with the abbot) which monk was entitled to which book, and when he had to return it.

Re:

[smallfries]

A lock is something that you use to stop anyone without a key getting access to something.

Encryption is a lock (in the normal sense). DRM is a combination of a "lock" and a key, with the understanding that you probably shouldn't use the key if you've been asked not to. It's a very weak analogy at best, as encryption stores the secret under some technical problem. DRM stores the non-secret under some social problem, with weak technical barriers to uphold the social problem.

Reverse engineering a key is when y

Re:

[Sique]

That's where my Third comes in: Reading something without the librarian condoning it was a crime in mediaval monastries. You were still allowed to carry it around. And you had to keep it secret that you were able to read in certain circumstances.

Re:

[smallfries]

Erm.... I've never heard of that being a crime before. Have you got a single shred of evidence to back that claim up?

Re:

[Locklin]

They can pry my Free Software from my cold, dead platters

WTF: I thought, Socio/Cultural Creativity/Activity

[OldHawk777]

The communist/corporatist commerce that exist in the USA, EU, China ... is not what the Internet is all about.

The public/citizens seek "Openness" on the Internet.

Corporatist [and corrupt governments] seek institutionalized nepotism/hostage-welfare which in Present Proper-Political plebeian [AKA: spin-truth] could be called commerce. Present Proper-Political vernacular use of commerce as an economic concept, will never be Capitalism, Meritocracy, Free/Open Markets ....

Communism, oligarchy, plutocracy, aristo

Re:

[orclevegam]

From TFA: "Think of the iPhone model: You get what Apple decides to give you, and if you try to hack your phone, they can disable it remotely. We techie geeks won't like it, but it's the future. The Internet is all about commerce, and commerce won't survive any other way."

Amen.

An incredibly creative approach.

CC.

That's taken out of context. He was saying that's the direction it's going to move in, not the ultimate end state. At one point they basically say that somewhere around 2017 after all this systems as a service stuff has been implemented and we still have problems with major infrastructure being cracked, then people will be ready to try to do it right.

From TFA:

That's the problem with any system that relies on control: Once you figure out how to hack the control system, you're pretty much golden. So instead of a zillion pesky worms, by 2017 we're going to see fewer but worse super worms that sail past our defenses.

By then, though, we'll be ready to start building real security. As you pointed out, networks will be so embedded into our critical infrastructure -- and there'll probably have been at least one real disaster by then -- that we'll have no choice. The question is how much we'll have to dismantle and build over to get it right.

Well

[El Lobo]

The problems will definitly NOT be the same. New unknown problems will arise and new hacking techniques will be discovered. The problems will be of the same nature, tough, where the end user will often be the main responsible of the security of his/her system. Security holes will exist and they will be patched only to discover new. The same story

Re:

[AKAImBatman]

The problems will definitly NOT be the same.

Which is why after 40 years of computing, we're still getting hacked by buffer overflows.

It will be exactly the same until a charismatic visionary steps up to the plate, gets funding, and pushes one of the many well-known alternatives to today's Operating System and code design. Java and .NET* are a good start. Let's take it that much farther.

* Sorta. When it's not exposing brain-dead APIs lower in the system.

Re:

[TheRaven64]

Which is why after 40 years of computing, we're still getting hacked by buffer overflows.

Are we? OpenBSD has had stack-smashing protection for several years, and I believe Vista has something similar. That means you only have buffer overflows on the heap to worry about, and W^X gets rid of most of them...

Re:

[vertinox]

Security holes will exist and they will be patched only to discover new. The same story

Unless you make the system so propriety it is impossible to have any interaction with it or install your own software without permission from a central authority.

I think it was John Carmack (it could have been someone else so don't shoot) of all people who said that online gaming will never be free of hacks or exploits until all you have is a keyboard and mouse sending input to a server who is the one to send you a raw vi

Re:

[moderatorrater]

They discuss that, and it's the difference between security and control. You're describing control, not security, because the central authority can and will still have security problems. If you can solve the security problems in the central authority, then it's often a simple extension to fix the security of the clients. In other words, a keyboard and mouse sending input and you getting a video feed still doesn't fix the problem of aimbots because they can still plug the video feed into a computer and have

Re:

[eli pabst]

I agree with you. New threats have emerged in recent years, like the use of virtualization in 'undetectable' Blue-pill Rootkits and attacks against drivers. The days of standard buffer overflows are waning as operating systems incorporate stack-protection measure like w^x and canaries. As a result hackers have to evolve and find new paradigms for exploiting systems...it's Darwinian evolution at its finest.

But information wants to be free!

[Anonymous Coward]

"Those who are willing to give up a little liberty for a little security, will deserve neither and loose both. Or something."

-Ben Franklin

what a fucking visionary

oblig south park

[thegnu]

ooooh, it's benjamin franklin. franklin, franklin, benjamin franklin.

Re:

[nuzak]

I'm pretty sure he didn't say "lose both", let alone "loose both." (Ben Franklin was literate, for starters)

Re:

[Macgrrl]

Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. - Benjamin Franklin, An Historical Review of the Constitution and Government of Pennsylvania. (1759) [source: http://en.wikiquote.org/wiki/Benjamin_Franklin%5D [wikiquote.org]

Re:

[zymurgyboy]

Oh, come now, don't be so picky! He clearly meant to say such people would be flushing their security and their liberty down multiple toilets. The appended "e" was simply a fat-finger mistake.

Software Freedom.

[Erris]

Software Freedom is never mentioned. Instead the authors depressingly assume a complete triumph of ISPs and software owners. No wonder their outlook for "security" is so bleak. Real security comes from freedom. Every step away from freedom hands someone else a tool to hurt you. Their future is too bad to let happen and it won't because it will be too expensive.

Re:

[ColdWetDog]

Twitter, will you stop it already? The FOSS system is great - probably the one thing that someone ten years ago would not have predicted. It, by itself and alone, will do nothing to stop the threats and problems that are likely to devil us in the future.

If you could take nothing FTFA but "security is a process" than you would have progressed farther along the path of enlightenment than you usually get.

Back to Digg with you! Begone!

Re:

[dougmc]

The FOSS system is great - probably the one thing that someone ten years ago would not have predicted.

Of course they would not have predicted it 10 years ago -- because it had already existed for quite some time.

Free/Open source software is a lot older than ten years old. Even Linux, perhaps one of the most commonly mentioned examples, is sixteen years old, and GNU was around long before that, and free/open source software was certainly around before that, even if people didn't usually call it such. R [gnu.org]

Re:

[ColdWetDog]

Or perhaps referring to how it has really taken off?

Pretty much that. I don't recall pundits thinking that Linux / Apache and the rest of the higher profile open source projects would be really giving Microsoft a run for it's money in certain markets. Of course, the pundit track record isn't particularly a good one.

And, of course, I can't remember much of what was supposed to be happening last month, much less ten years ago.... I think though I was playing with a Slackware distro on an early Pentium.

Re:

[thethibs]

The FOSS system is great - probably the one thing that someone ten years ago would not have predicted.

(Chuckle)

Oh, to be that young again!

Back around the time of the dinosaurs (1969 or so) SDS shipped the OS source code with the hardware. SDS wasn't alone; this was common practice. I don't know how the other guys did it, but SDS had a SIDR (Software Improvement or Difficulty Report) system that gave anyone working on our systems a channel for submitting patches or, on occasion, whole modules for inc

Re:

[dedazo]

Security is a process and a state of mind. Free software is not going to be some sort of silver bullet to the world's problems, and commercial software isn't going away any time soon, much as you would like that to be the case.

Real security comes from knowledge, not freedom.

Re:

[Torvaun]

Actually, every step towards freedom gives someone else a tool to hurt you. Every step away from freedom takes away one of your tools to defend yourself. See also: Germany.

Re:

[Red Flayer]

Their future is too bad to let happen and it won't because it will be too expensive.

What? Whose future? The authors?

OK, so the authors' future won't happen because it's too expensive. But since their future is too bad to let happen, it's a good thing that it's too expensive to take place, right?

We can all be happy that the cheap future not invisioned by the authors takes place?

Skynet

[im_thatoneguy]

It would seem like some sort of super intelligent artificial intelligence system which actively protects the cyber world would be the obvious solution to all of our problems. We should also give it some sort of cool name and since it sort of watches over the Internet like a big super powerful being in the sky we should call it skynet. That would solve all of our problems once and for all.

Re:Skynet

[zappepcs]

Actually, that may be the way things go, with the near typical science fiction results. The trouble with such a system (which should be obvious) is that it would be written/programmed by the same people that can't get security correct right now.

A leap in security technology will take a requisite leap in human intelligence. IDS systems do a couple of things well. Routers do a couple of things well. Antivirus software does a couple of things well. Nobody has put them all together in an intelligent way, nor have they replaced them with an intelligent alternative. Remember that any computer system is as dumb (read useless) as the dumbest asshat human operating it. (place old adage here) When you build an idiot proof system, the idiots only get smarter.

And I quote TFA

I'd like to officially modify my position somewhat: I believe it's increasingly likely that we'll suffer catastrophic failures in critical infrastructure systems by 2017. It probably won't be terrorists that do it, though. More likely, we'll suffer some kind of horrible outage because a critical system was connected to a non-critical system that was connected to the Internet so someone could get to MySpace -- and that ancillary system gets a piece of malware. Or it'll be some incomprehensibly complex software, layered with Band-Aids and patches, that topples over when some "merely curious" hacker pushes the wrong e-button. We've got some bad-looking trend lines; all the indicators point toward a system that is more complex, less well-understood and more interdependent. With infrastructure like that, who needs enemies?

Not to be all pessimistic on the great new security shock and awe campaign, but it will only work when we can get universal agreement from all humans (and possible non-humans) to not mess with it or obstruct its operation in any way. (queue other bad science fiction films here) Uhmmm, yeah, that's going to happen. Tell me again, when will the last Win95 system be decommissioned?

total security... no
really good security... possibly
good enough security... probably
thought it was good security... most likely

Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.

Re:

[naasking]

A leap in security technology will take a requisite leap in human intelligence.

Not at all. A leap in security will take a requisite change in our development tools, from identity-centric abstractions, to authorization-centric abstractions so we can achieve the Principle of Least Authority (POLA) for all software. Ultimately, it's not about adding security, it's about removing insecurity; most languages have insecure abstractions baked into them, and when those are removed, the resulting software is signific

Re:

[pclminion]

Not at all. A leap in security will take a requisite change in our development tools

The problem is bootstrapping. Sure, this POLA stuff is great. But how do we know that the tools we believe give us these things, are actually working correctly?

If you run "ps" on a computer system and see nothing suspicious, does that mean that nothing is wrong? Ever heard of a root kit? If you can't trust (or you are not SURE that you can trust) the tools you can't trust what the tools produce. See Ken Thompson.

Conc

Verification

[naasking]

But how do we know that the tools we believe give us these things, are actually working correctly?

A capability design is actually quite simple. To get it right is not hard at all, relatively speaking. Most of the languages I mentioned already have a capability core, and they went out of their way to bypass it. Securing those languages means removing features, not adding them.

Of course, reasoning about complex systems assembled from myriad low-level objects can be quite complex. Security experts usually try

Re:

[eli pabst]

Security is expensive, difficult, inconvenient, troublesome, and seldom seems worth the cost.

TJMaxx may disagree with you on that last part.

No, sorry.

[Poromenos1]

Your post is well-worded but I disagree. No program can have a 100% malware recognition rate, when the definition of "malware" is not even objective. Where do you draw the line? Is VNC malware? It can be used to spy on people. Computers were created to do stuff people tell them to, and as long as people tell them to steal other peoples' data/delete their files/etc, we're always going to have that problem. Perhaps the single most important advice you could give a user is "don't run stuff you don't completely

Re:

[mrbluze]

Nah, what we need is a Brutha to watch over us and make sure we don't do nuffin rong. He can look like Mister T and have all sorts of gold chains around his neck with symbols and shit. He'll have a deep, friendly-like voice and every time we swap music or surf with a proxy he'll say "hey li'l brutha, don't do that, it's naughty". And we'll all feel so much better.

iLove my iBig iBrother already.

Re:

[dougmc]

What seems more likely would be some sort of technological singularity [wikipedia.org] happening sometime after we start making intelligent machines. Of course, this might turn into this `Skynet' that you're referring to -- but if it does, I don't think there will be much of a chance of humankind prevailing if the machines decide that we should be gotten rid of.

so much DRM, most data will be inaccessible

[petes_PoV]

in 10 years time so much of what we not take for granted will have been patented, copyrighted, DRMd, protected or licenced that the average net user will have much less access to information, and therefore much less reason to "surf".

We will have become used to having a small number of portals that provide the vast majority of the data we will be allowed to access (for a fee, of course) and security will have become the problem of these portals.

Users simply won't have much incentive to surf freely from site to site as there will be so little free data available. Therefore the sort of security issues we have today will have gone away. The problem in the future will be for providers (that's you amd me bloggers and other website owners) to prove to the portals that they are clean and meet the standards of the day.

Two Internets

[mrbluze]

In 10 years there will be two internets. One for educated, free-minded people and one for everyone else. The educated, free-minded ones will have the ability to discuss anything openly and freely, but nothing they do can be seen by the rest of the public. That's because they will all be in special concentration camps in an unknown location, awaiting re-education or enlistment into various secret government jobs.

The rest of the internet will be limited to a relatively small list of 'allowable' applications

Re:

[Culture20]

The other problem that the future will face is that people will turn to other things(TM) when the free nature of the Internet is removed. The portals will lose their revenue, and start charging more per person, driving more people away. There will be an equalibrium at some point, but then the information will be the province of the rich.

Re:so much DRM, most data will be inaccessible

[kebes]

We will have become used to having a small number of portals that provide the vast majority of the data we will be allowed to access (for a fee, of course) ... Users simply won't have much incentive to surf freely from site to site as there will be so little free data available.

While I agree that DRM is a danger we must be wary of, I don't agree with your prediction that we will end up with a small number of "Internet portals," and will lose the "pluralistic" web we currently have.

I had the same worry as you some years ago, but I would guess we are now beyond that particular tipping point. Quite simply, the diversity of the web is now "mainstream." The public at large is now very much used to having billions of web-pages out there, and are also getting used to the idea of self-publishing. The number of blogs and commenting systems is growing by massive amounts. I agree that some of this is hype that will die down, but my point is that now that people are accustomed to such things, they are not going to be willing to give them up. (Put otherwise, there will remain a market for such things.)

I see the worry that people will increasingly get locked into content-portals like Facebook or whatever (where their data is captive)... but there are corresponding efforts to keep content open and free (Wikipedia, Creative Commons, OpenDocument, etc.). These efforts are also growing, and it may very well be that they will cross a tipping point soon enough (maybe they already have?) and they will be too "mainstream" to die.

(Note: My post, of course, is subject to the usual inaccuracy of futurism: I could be totally wrong.)

Re:

[tepples]

The public at large is now very much used to having billions of web-pages out there, and are also getting used to the idea of self-publishing.

Sure, you can self-publish all you want, as long as you do it on a valid subscription to an operating-system-maker-approved web hosting service. And don't try to use a Free operating system; if you do, the dialer will detect that it is running on a configuration that your ISP does not support, and you won't get an IP address [slashdot.org].

Dystopian future

[Spy der Mann]

in 10 years time so much of what we not take for granted will have been patented, copyrighted, DRMd, protected or licenced that the average net user will have much less access to information, and therefore much less reason to "surf".

It's funny, I wrote a journal entry about such a future. I called it "Trapping Mozart in a soundproof cage" [slashdot.org].

Re:

[porpnorber]

More worrisome is not that universal DRM and DMCA-like measures, patent abuse, etc., will restrict us by requiring us to pay money for access to our data, or by narrowing our selection of data sources, but that they will continue to require us to install shoddy and insecure client/plugin software. These legal measures provide a specific incentive for the trusted components of a computing environment to be the least trustworthy; in short, for a security meltdown. We are already seeing the consequences, thoug

Arms race

[ZonkerWilliam]

It's an arm's race, new and better hacks' spur new and better protection which spurs better hack's and so on...Just like today there won't be any one solution to provide security and their won't be anything that's 100% secure. No matter what the speed of the processor.

Love those futurists

[Cathoderoytube]

It's always interesting to read the tripe these people spout when attempting to predict the future
'In the year 2020 man will be as one with the four legged zebra, and so shall our notions of internet security!'
'Could you elaborate please?'
'We suspect hackers will become more sophisticated in their methods'
'So where does that lead internet security?'
'We suspect new security issues will be addressed as they become apparent'
'So in ten years say, where will internet security be?'
'I believe I addressed that ques

Re:

[Cryacin]

It's always interesting to read the tripe these people spout when attempting to predict the future 'In the year 2020 man will be as one with the four legged zebra, and so shall our notions of internet security!' 'Could you elaborate please?' 'We suspect hackers will become more sophisticated in their methods' 'So where does that lead internet security?' 'We suspect new security issues will be addressed as they become apparent' 'So in ten years say, where will internet security be?' 'I believe I addressed that question previously with my statement of man becoming as one with the four legged zebra'

I see it more as an angry mutant sea bass with a frikkin la-ser on its head.

And if you disagree with me sir, I shall slap you with it!

Re:

[OriginalArlen]

Er, this is Marcus Ranum you're talking about. Not a "futurist". He wrote this thing called fwtk...

I agree

[gweihir]

Without a change in attitude, both on the developer side and on the customer side, the problems will remain the same. I do not see that attitude change happening.

Well worth the read.

Windows UAP is a bolted on afterward system.......

[Joe The Dragon]

Windows and many windows apps are still coded with a bolted on afterward Security design.

Mac os X is set up to make it a lot harder to get carpware running on it.

Re:Windows UAP is a bolted on afterward system....

[Blakey Rat]

That's called "backwards compatibility." Unfortunately, there's not a lot Microsoft can do as long as so much "professionally-developed" software writes directly to the /Program Files folder, doesn't work correctly with limited permissions, opens ports for no reason, etc.

Re:Windows UAP is a bolted on afterward system....

[triffid_98]

Regardless of how secure you make your OS, the weak link will always be the chair to keyboard interface. You may be able to stop overflow exploits, but what about trojans? These are regular apps, you installed them, and the OS has no idea that you are a moron. The more resident services and apps you have running, the easier it is for these applications to hide. Since OS bloat basically guarantees that to be the case, things are looking more bleak than ever moving forward.

Windows and many windows ap

making stupidity _less_ painful

[rbanffy]

Just a thought that crossed my mind the other day (actually after watching "Idiocracy" on TV).

By making our products ad foolproof as we can aren't we inviting fools to use them? And, by doing so, aren't we removing an evolutionary pressure that prevented really dumb people from being socially functional?

Are we making stupidity _less_ painful?

Re:

[jdigriz]

Yes, for the stupid person. We're making it more painful for everyone else.

here is the problem...

[mseidl]

Technology in 10 years will be much more ubiquitous. While attacks will go more "high tech," end users intelligence will drop. Take for instance right now, "net savvy" users of Myspace? "Net savvy" enough to use google, but that's really about all they can do. People don't care about security, they just take it for granted. When I worked in IT, I was shocked at how many people had their passwords on post it notes on the monitors, or the number of VPs that wrote their password down and just handed it to

umm ineffective?

[holophrastic]

I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.

That's not to say that security is perfect. But in the balance of security versus convenience, privacy, and general humanism, I think we're resting in a perfectly reasonable situation.

You know, I'm pretty sick of people calling for more security in everything. A few weeks ago, someone stole an infant out of a hospital nursery -- walked right out the front door. Millions of people yelled that hospitals need more security -- even though it hadn't happened in this city for decades.

I spent two weeks in the middle-east many years ago. When you see armed security guards outside every pizza parlour, it's not a warm and fuzzy feeling.

And that's not even raising the issue of false positives.

Re:

[Anonymous Coward]

I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago.

This is a very good point. Let's consider security in 1997. Sending passwords over telnet and FTP were common. HTTPS wasn't nearly as common. Avoiding buffer overflows wasn't nearly as emphasized. The most common desktop operating systems didn't protect the address spaces of other processes. ActiveX, which amounts to running native code f

Re:

[ppanon]

I have a hard time with the concept of today's security responses being described as ineffective. I don't think that we're any worse-off today than we were years ago. That alone leaves me with the conclusion that things aren't bad.

Compared to ten years ago, instead of botnets of thousands of machines being used to perform denial of service attacks by prankers, you've now got botnets of tens of thousands of machines being used to deliver spam and to search for people's financial information for use in identi

Re:

[ppanon]

I'm living on my planet, in my life, and I've never wound up anywhere near any such security issues. And neither have you.
Well, in my case, I'm borderline paranoid when it comes to computer security, to the point of running a custom OpenBSD-based firewall at home. I've also seen enough poor application and network security from other companies during my work as a consultant that I'm not willing to do a lot of e-commerce except with a few very select sites.

I didn't fall for the propaganda in 2003 from the Bu

Re:

[holophrastic]

All true. And I'm glad. Just please remember that whatever you've seen over 15 years has been over a 15 year period, and not a 15 day period.

Incidentally, I've gotten into many a fight with my bank to avoid giving anyone with my stationary the right to fax banking instructions to my financial advisors. For that, I've lost the ability to talk to them over the phone -- same form, stupid legal department. So I know where from you speak.

Hey, I just swore at a TigerDirect cashier. First they wanted my telep

Re:

[holophrastic]

Heh, just watched a TNG episode. Enterprise got infected by an ancient virus when viewing a personal log. Sounds like oh so many a buffer overflow when reading what should be a straight data file.

You just gotta love the way old science fiction predicts old problems. For all the creativity, it's still difficult for creators to create (or perhaps sell) futuristic problems.

Oh yeah, and your transmission is cutting out -- with static and negative colour shifts reminiscent of UHF. I guess the deflector dish

My prediction...

[Spy der Mann]

In 10 years Windows will be over. There will be native Linux versions (still proprietary binaries) of Photoshop and productivity software, but a few people will see the newborn open source alternatives and try them out. Perhaps there will be price-fixing lawsuits against free software by proprietary software makers, and, in the worst case, patent lawsuits (depending on whether software patents are abolished by then or not).

Most people will run old versions of Windows (probably XP SP3, maybe SP4 - or perhaps Windows 7, but Vista will be another WinME) or ReactOS 1.x (it'll be too early for 2.x) in a virtualized PC running Linux. Unixphobes will run ReactOS (around 60 to 70%) or Windows (the rest) natively. Probably Microsoft will retreat from the OS business and stick with consoles or Office software, and Google will absorb the MSN messenger network.

I really hope that the Windows^H^H^H^H^H^H^H^HReactOS and similar OSs' security model will be revamped, with sandboxed registries and directories. Passwords will be asked for installations, unless software is ran by only one user.
Botnets will be rarer (and therefore much more expensive to rent than they are now), but they'll still exist due to user stupidity ("this game needs to run with root privileges"). They'll run in Anonymous P2P nets.

About Anonymous P2P, they'll be the norm for file sharing, but they'll be definitely banned by draconian governments - whether or not the US goes that way, is up to your imagination. Perhaps we'll see a struggle between anonymous P2P and content providers/law enforcement agencies, similar to what happened with Napster a few years ago.

However, website security will face more or less the same problems we're facing now, due to negligence to patch existing webservers. Botnets and phishers will use infected servers to keep stealing identities, and let's not forget about inside jobs and "user account info gone missing". These will go on. Hackers will be government sponsored - to hack into other countries' machines. Buffer overflows will be the favorite vulnerability, while hacker websites will run in anonymous P2P networks.

Let's put this post in a time capsule and see how well it fares in 2018.

Re:

[cerberusss]

I noticed your sig, calling for donation to Wine. Have you thought about just buying the Codeweavers [codeweavers.com] products? Of course it's not the same, but it's a nice alternative that gets you a solidly-working MS Office under Linux.

Why I think Codeweavers suck (OT)

[Spy der Mann]

Have you thought about just buying the Codeweavers products?

It's very different. Buying the Codeweavers products will just provide money to the Crossover developers, and will not help the community. Sponsoring Codeweavers and the Crossover products is making Linux NON-FREE (oh, if you want to use Office, you have to PURCHASE crossover), which is very different than having a free implementation of the Win32 API (Linux supports MS Office FOR FREE! Just install Wine!).

One of the reasons for not using Linux is

Re:

[cerberusss]

Are you sure you've got your facts right? As far as I can tell, all changes that Codeweavers makes, are rolled back into Wine. What they do is wrap it packaged friendly and the like. One of the big people behind the Wine project, Alexandre, is actually CTO at Codeweavers.

Re:

[Aram Fingal]

Along the lines of what you're saying, I wonder if Windows will go the way of terminals like the VT-100 and such where emulators running on PCs gradually replaced the genuine terminal machines. Increasingly, Windows will be used in virtual machines running on other OSes. VMWare is one example, but noting your mention of WINE in your sig, I suppose WINE is a sort of minimal VM... in a sense.

I said it before...

[MichaelCrawford]

From I Don't Know What This New Internet Will Look Like [goingware.com], which began life as a Slashdot comment:

... but I am as confident as I am that the Sun will rise tomorrow that it will be safe from terrorists. After all, we have the children to think about.

July 12, 2005

Copyright © 2005 Michael David Crawford.

This work is licensed under a [creativecommons.org] Creative Commons Attribution-NoDerivs 2.5 License [creativecommons.org].

It seems that David Clark, who led the development of the Internet way back in the '70's - did you know there even was a '70's? - wants to create a whole new Internet [wired.com] that will fix many of the problems the current Internet is plagued with. The New Internet's engineers will be much more careful this time around to make sure it works better than the first one did.

I'm afraid, though, that the engineers are not the only ones who will be deciding how our New Internet will work.

If one is able to find any privacy [gnupg.org] or anonymity in this New Internet, it will be because of some undiscovered security hole [microsoft.com], which will be quickly repaired, rather than any kind of conscious design decision. Probably one reason they are accepting proposals before rolling it out is to avoid the sort of accidental security holes that enable pr0n, peer-to-peer filesharing and left-wing political activism [stallman.org].

Microsoft [sergey.com], a leading contributor both to this nation's technology base [wikipedia.org] and to the campaign coffers [goingware.com] of its leaders, will embrace this new technology and extend it in such a way that the development and dissemination of Open Source [opensource.org] software will be, if not mathematically and physically impossible, at least as intractible as factoring a 2048-bit public key.

Imagine, if you will, Trusted Computing [cam.ac.uk] implemented at the router level, in such a way that any packets that go farther than one hop are certified not only to support protocols [ietf.org] whose patent [mit.edu] licenses are fully paid-up and on file with the legal department in Redmond [state.or.us], but whose content is compliant with the Windows [linspire.com] standard. The faintest whisp of a Public License [fsf.org], GNU [gnu.org] or otherwise [apple.com], will result in the dropping not only of the individual packet, not only in the cancellation of the entire file transmission, but, within microseconds, the reporting of the physical location of the offending server to responsible law enforcement personnel. The identities of its rogue administrators [wikipedia.org] will be fetched instantly from the database maintained by the Department of Homeland Security [dhs.gov]. (You will have to submit fingerprints and DNA samples to obtain a Windows [x.org] server license, as after all, Internet servers [linux.org] can be used to disseminate explosives [mtech.edu] r [koeln.ccc.de]

Wait...

[dunezone]

Your telling me that Windows Firewall wont cut it anymore? Well...touche internet.

Security

[KinakeM]

I admire Schneier for his work over all these years. I think everyone should... it's required reading for some of us ;-P

I think what I most agree with is Schneier's contention that security is really about people or services. And therefore, the consequences of having poorly trained and educated people is in kind; regardless of how sophisticated or brilliant the math is. (SIDE: I cant stand the mathematicians. I am a physicist. We score more e.g. Schrodinger, Einstein, Feynman... were all pimps. Newton died a virgin. Turing was gay. Godel was emaciated and his wife just had to be cheating on him.)

What bothers me most about a security craze is the trade-offs one has to accept. Kind of like laws in physics i.e. momentum and position or energy and time. In my opinion, it looks like functionality and security are the two factors we need to juggle. But with the service-side being pushed, it's apparent how much functionality is really strained with more than just security but also competence. You all know this anytime you try to get support.

Anyhow, just putting in my two cents. Cheap as it is. I understand that the mark of our civilization as commonly encountered is all this technology, but I am starting to get the feeling that maybe all the technological progress is so short-sighted because we just are not capable of being civilized. Therefore... we get these half-measures, "band-aids" and "patches."

Re:

[owlstead]

... (SIDE: I cant stand the mathematicians. I am a physicist. We score more e.g. Schrodinger, Einstein, Feynman... were all pimps. Newton died a virgin. Turing was gay. Godel was emaciated and his wife just had to be cheating on him.) ... maybe all the technological progress is so short-sighted because we just are not capable of being civilized.

And I agree, at least for physicists :)

Razor and Blade said it best

[Master of Transhuman]

"Hacking - it's not just a crime - it's a survival trait!"

Other resource costs in 10 years...

[my_left_nut]

may make this issue moot.

Or perhaps least turn some of us now law-abiding citizens into "criminals" (and some to "cyber-criminals") as things get more desperate and people can't make ends meet. Or, more often, see whatever dreams they may have entertained vanish in a puff of greasy black smoke.

Take one crucial resource, gasoline, for example:

http://www.oregon.gov/ODOT/CS/FS/gas_prices.shtml [oregon.gov]

Taking the average of the 1997, and the average of the 2007 values Jan-Aug of both years, at least in Oregon:

Cheap gas

Obvious isn't it?

[Anonymous Coward]

As a security professional, I've noticed this for a long time. I've worked on IDS, vulnerabilty scanning and NAC products as a software engineer. There are a couple truths that still permiate the industry. 1) Engineering at large doesn't want to change, we have as rich a development ecosystem as ever and it seems that just about everybody is aware that security is a problem but there are still a lot of really buggy C programs being written. There is also a somewhat macho attitude in some circles of geekdom that if you cannot write safe code and manage your own memory and pointers then you're a shitty engineer which in turn reinforces the idea in some minds that they should continue to use C for problems which are just as solvable in something else, nobody wants to think of themselves as shitty engineers... Simple fact is, some platforms like Java make entire classes of exploits go away, they require more resources but the performance is very compelling and are vulnerable to design flaws, architecture flaws and very seldomly they will still have buffer overflows and stack smashes but it is multiple orders of magnitude less frequently that typical C and C++ applications. This isn't simply a C problem, it's just a very easy target.

2) Businesses by and large don't want to change or don't know how to change. Security isn't a title or job or position, or even a department, it's a matter of policy and every member of the enterprise takes part in some way. If you don't solve that problem, you'll never solve the larger problem, certainly not with point solutions that scan email or network traffice or logs looking for "insecurity" and vulnerability and attacks. The single biggest step any organization can take to improving security is to write a concise policy and educate every single employee and maintain some accountabilty. You can't simply buy something and get "security." It requires changes in habbits, changes in attitudes, and education. I think this is very hard, so many businesses have become so lazy that their work forces kind of look at policies and scoff, it takes a lot of strong leadership to change that kind of culture. It also crosses technological lines as well as physical, you lock your car doors right? You lock your house when you leave right? Do you lock your desk or office door at work when you leave? Places are willing to pay cintas to shred documents and iron mountain to store documents but they don't take that policy to their working rank and file. Developing a culture of security will do far more than any product you can buy on the market. Do employees know what to do with intellectual property? Do they even know what the company's intellectual property is?

3) The "security industry" has largely been a money grab. After 9/11, the US Federal governement published some figures about federal security spending and basically it was going to grow exponentially over the first 10 to 15 years of this century. Hundreds or maybe even thousands of companies were formed to try and exploit that. What is totally amazing to me is how few of them are actually about really increasing security, these are all for profit businesses. What's more amazing, is how stupid the consumers are that bandwagon them and go along with the feature plays. Take NAC for example, basically the idea to to authenticate devices or users as they enter a network and possibly restrict their access based upon some policy. The policy can be anything, it could be permissions set in a RADIUS or LDAP database, it could be based upon the results of some sort of scanning system, it could be based upon time of day. Rather than pushing the auth component or the policy aspect all these jackasses are concerned with scanning the end point device for anti-virus software or whatever. It strikes a chord with certain IT types, they think "oh yes, I need to scan the devices on my network before they enter the network, that will make everything better" but there isn't a correllation between that and

Predictions

[Vexorian]

This reminds me of some "The Daily Show global edition" episode.

Ranum's philosophy

[bluefoxlucid]

"at a meta-level, the problems are going to stay the same. What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective."

Yeah I met Ranum, he made a snide comment about me and girls. The guy is pretty much a bitter old man with wild views on security; pretty much his idea is "if it doesn't work don't do it." He believes patching systems and software is the wrong way to do it; google and find his site and he's

Fun but useless

[pokerdad]

Trying to guess where security will be in 10 years may be fun, but useless.

Just think back to 1997 and imgine how impossible it would have been to predict where things would be today. In 1997 state of the art was windows 95. In 1997 people were more worried about getting a virus from a floppy than over their network. In 1997 the word phishing didn't exist. In 1997, there had never been a virus that had been the top news story of the day. In 1997 most homes didn't have an internet connection, most businesses didn't have an internet connection, and the businesses that did rarely would have every desktop in the company able to go online. In 1997 many forms of active content that are now part of darn near every web page didn't exist. (I could go on, but you get the point)

The OLPC may show us the way out

[Animats]

The OLPC effort may show us the way out. The great hope with the OLPC is that it doesn't have any legacy applications that rely on security holes. It might actually work, and they have a chance of fixing it if it doesn't.

Neither the Windows nor the Linux world really support untrusted applications, ones with fewer privileges than their user. That's the fundamental problem. But OLPC does. They've thought about the problem correctly, and have something implemented that's reasonable. Now we'll have to

Software Stalinism!

[MCTFB]

Those two words, jumped right out at me from the page. Seriously, I don't think there I have seen a more succinct and accurate way to describe Microsoft's "Trustworthy Computing Initiative", than "Software Stalinism".

The ironic thing is that by centralizing all of your data and services, you make your network more vulnerable to denial of service attacks and more vulnerable to sabotage because all of the data is managed by one entity. Even if you have a very sophisticated backup system, those backup systems are vulnerable as well to sabotage.

ARPANet was designed in such a way that if a bunch of nodes were taken down through sabotage, accident, military strike or whatever, the network as a whole would still be functional. Unfortunately, the trends are toward turning the brilliant P2P design of the internet into a giganto sized version of a corporate network where everything is centralized and controlled.

Client/Server networks are great for a lot of things, but they are inherently vulnerable to all the pitfalls of centralized command and control systems as they scale. Just like communism works fine and dandy for very small groups of people (like primitive hunter/gatherer tribes), communism starts to have big problems once it tries to scale to larger and larger sizes. Capitalism does not work at all on a very small scale because you need a critical mass of people to establish a fair market value for goods and services, however, capitalism does shine as the size of the markets increase in size.

In other words, you can compare Client/Server networks to Communism and P2P networks to Capitalism if you think of people as nodes on a network whose value on that network is determined dynamically and democratically just as money is a democratic tool to vote for the value of a good or service as opposed to having their value on the network determined statically and autocratically in the way command and control economies impose price controls and central planning with regard to goods and services.

The direction Microsoft and unfortunately much of the software world seems to be going with this "software as a service" and the centralized authentication schemes that support "software as a service" I feel is a huge disaster waiting to happen. If I was a terrorist or an agent of a foreign nation and I wanted to take down the economy of the United States overnight, I would prefer to be be dealing with a command and control computing monoculture than one that is fragmented, redundant, and diverse.

It is both sad and alarming that many Americans reflexively feel that the way to have better security is to centralize computing operations rather than spread computing operations to as many interconnected nodes as possible.

If by 'we' you mean 'Microsoft'

[raddan]

then I would be inclined to agree with Mr. Ranum's points. But the fact is that there are lots of people out there working on Real Security. Let's see, there's OpenBSD's work to integrate cryptography as a system service [acm.org], there's Neils Provos' work on systrace [umich.edu], there's GCC's ProPolice stack-smashing protection [ibm.com], there's OpenBSD's write XOR execute [wikipedia.org] protection (which, BTW, Windows now has to some small extent), there are phishing mitigation features [mozilla.com] in Firefox, there are Free implementations of good authenti

"We" includes open source folks too...

[argent]

The only difference I see between XPI and ActiveX, from the point of view of security, is that XPI makes you jump through an extra dialog for trusting sites, and wait an extra 10 seconds (oh, no, it's 3 seconds) before presenting you with the "yes, I want to spread my legs" dialog.

It's harder to accidentally click OK with XPI. But it's still possible. It still puts J Random User in the position of deciding "do I want to install this program" right then and there. And it still means that there's a code path

Re:

[raddan]

I never said anything about open source. That was your inference-- go back and read my post. Now, it turns out that my personal opinion is that the good open source tends to do better on security-- in general-- than even the good proprietary stuff. There are some exceptions. Both Sun and IBM have invested some real brainpower thinking about how to do security right, and you can't get much more proprietary than Sun and IBM (or at least Sun and IBM of yore-- they're changing now). There are probably many

"We" includes "most people".

[argent]

I never said anything about open source.

Beg pardon, the products you listed were primarily open source, so I jumped to that conclusion.

My point is that deep security problems are not limited to Windows. I will happily agree that they are one of the worst examples, and I will happily agree that there are alternatives to Windows. The implication I read in your message was that as long as you avoid Microsoft you're home free. If you didn't intend to imply that, I apologize for overreacting, but the fact that t

Re:

[hedwards]

Perhaps I'm a bit of an optimist, but I hardly believe that we will be in a similar situation 10 years from now in terms of security.

I don't think that its necessarily going to be good, but I hardly think that it is a lost cause at this point.

What a lot of people seem to forget is that during the 80s and a ways into the 90s, the primary means of compromising a computer was to type commands directly into it. Sure there were networks, but they were a minority of the total computers, and they were costly enoug