It’s all just a matter of time and accessibility and everything today is breakable in the short term future…

June 26th, 2008 Drazen Drazic Posted in Bad Developers, Bad Stuff, Dumb Security, Industry Specialists Talk, Research, WTF, cyber crime

By YanaBanana and Drazen Drazic

Not talking about a new theory here but maybe some points worth discussion. Starting ramble:

With the increase in technology becoming more accessible and affordable to the masses, we face a good deal of unseen or unintended consequences on security in general.

E.g., insurgencies in countries such as Iraq, where homemade rockets are used, are getting more sophisticated. If you have ever tried to build a rocket (not the WMD type), as I have, you will find that it is surprisingly hard to get it to fly straight. With processors/microcontrollers getting cheaper and more accessible, it’s relatively easy to make extremely good guidance systems now to attach to your homemade rocket - ready to fire at any target you wish.

Now apply this kind of thinking to something less bodily-harm-inducing, such as GSM cracking. Not long ago, it was extremely expensive to get any sort of decent RF equipment to sniff GSM traffic, and then the computing power to actually break the poorly designed encryption (A5/1 and A5/2).

Present day, what you need is a relatively inexpensive FPGA and the help of rainbow tables (http://www.hackaday.com/2007/08/11/cccamp-2007-gsm-a5-cracking). Now all you need to do is sit outside any business and listen to their conversations in real time (or any business competitors).

This applies to any technology that has previously been unable to be examined by the public. We’re seeing the same scrutiny applied to a lot of wireless devices in the past couple of years as the price of the technology has dramatically dropped. I’m picking on wireless examples here because they’re easy. The point I’m making here isn’t that the GSM encryption is crap, but rather that making technology more accessible has a lot of unintended consequences.

The Internet started out like that, under the assumption that only a few people could get online and get connected to each other. All technological advancements have started with functionality and features as drivers. Recent ones have been introduced well after security was considered a major issue (and we should have known better), and we knew that we were developing everything on the Internet - on a system and protocols that are inherently insecure.

We’re not changing. We are not learning from the lessons of the past. More short and long term pain to come - no doubt about that, regardless of what the major security vendors feed us. Name a few new technologies today that we have faith and trust in that are secure now, and we believe will continue to be. Any in the former category at all before the latter is even questioned?

So they [vendors] talk about “clouds”, hitting the bad guys “at the source”, and a plethora of other BS plans that have no substance to them whatsoever.

Any solutions to even basic security issues need a starting point and a significant change to current thinking, and even then, it will take years to see the impacts of this. (I don’t want to say paradigm shift :-)).

But, we’re not seeing anything changing right now. We’re hearing talk and that’s about all! We’re not seeing new thinking and radically new implementation of security into technologies being released! So how can we honestly expect anything is going down a path of effective and significant change? There is nothing in the near future but more pain, but most of us know that already.

</rambling>

3 Responses to “It’s all just a matter of time and accessibility and everything today is breakable in the short term future…”

  1. IPv6? Some good points listed. It will be interesting to review a list. I’m not aware of anything right now I have confidence in that would translate into future confidence.

    List the Web 2.0 popular applications and their issues now are the tip of the iceberg.

    As you mention, the cloud will save us all. If we lump all the security problems into it, we only have one problem to fix. Yes, laugh now because it sounds like a stupid statement, but let’s see in a few months if someone doesn’t take that stance. :-)

  2. Draz, simply (not-so-simply) put,

    a) time + b) resources = c) cost

    Put them together and what do you have…. a barrier to entry. Things are speeding up and ubiquity of interfaces and access to massively parallel systems is coming.

    Basically we have known about this in computer science for quite some time, however most ‘cryptography’ and a lot of defenses are based upon a simple (but-not-so-simple) premise of sorts:

    http://en.wikipedia.org/wiki/NP-complete

    Essentially, time is of the essence (literally) and as we compress time via parallelism in cyberspace, lots of ‘barriers’ go away.

    As per the Microsoft Penny Black project, we need to use time against the miscreants. Tarpits a la LaBrea.

    So I dunno if you remember but one of my zanier ideas (or not) was cycling nodes like mayflies, which is more plausible in this ‘virtualisation 2.0’ era.

    Also D-Wave could be FUD, but who knows? Quantum anyone, deeper, harder, faster?

  3. @D2, my brain hurts so I give you benefit of the doubt.

    Good points raised in the posting. We hear talk and more talk but see little action. It is important that we in our profession continue to be loud. Funny how 2.0, as much as it is adding to the problems, is also the voice for change around the world through the various blogs and other channels that have been created.

    Will change for the better evolve on its own, or be driven slowly by the voices in 2.0 around the world, or will it be forced upon us? Bet is that it will be a combination of the 3, but we’re a long way off as suggested in the posting.
