Who guards the guards: Security

Who predicted the death of the password -- and spam? Why is PKI not ubiquitous? Who makes these daft predictions anyway? ZDNet.com.au looks at how the security market was supposed to shape up, according to so-called "experts".
Written by David Braue, Contributor

There's always something dangerous about being in the prognostication business, but the Internet poses special challenges for those looking into the future. With global reach and permanent memory, it's hard to escape what may have seemed like a reasonable, albeit optimistic, forecast at the time.

Bill Gates has most notoriously copped the pain of Internet-assisted reminiscing, after his 2004 edict that Microsoft would free the world of spam by 2006. That statement, made during a speech to the World Economic Forum in Switzerland, was an uncharacteristically confident -- even for him -- vote of confidence in the software giant's ability to control something that was seemingly far beyond its control.

One way Gates believed this would happen was for e-mail systems to incorporate a human-based e-mail challenge, with the reasoning that people would be better at spotting and stopping spam than machines would.

Yet most normal, everyday users remain blissfully ignorant of the ways to spot spam, and spammers are continually developing more creative ways around whichever filters users are installing. Spam filtering firm MessageLabs reports that spam accounted for 72.7 percent of all e-mails sent in February, with around one percent of those containing viruses or malware. And, no doubt to Gates' chagrin, MSN and Hotmail combined accounted for 8.8 percent of all spam.

Predictions about security have a remarkable tendency to fall flat on their faces -- largely because any effective security defence not only requires the deployment of new technology but also requires things like user training and, in some cases, the establishment of complex frameworks to confirm security credentials and manage access to secured information.

Difficulties in predicting the future of security, however, haven't stopped people making more predictions -- most of which suffer the same fate.

A history of over-enthusiasm
One of the biggest security turkeys of the past decade has been public key infrastructure (PKI), a complex system of identifying individuals, then encrypting data so only they can see it.

PKI rode the late-1990s wave of paranoia about Internet security to create a solution for which there just wasn't any demand. Forecasts about it go back even further: as early as 1993, speakers at the RSA Conference were predicting the widespread use of digital electronic signatures.

Australia Post, among many others, believed in PKI so much that it started KeyPOST, a retail service selling digital certificates to consumers on floppy disk. It was a colossal flop, with the organisation pulling the service in mid 2000.

That experience contradicts forecasts from firms like IDC, which at the time predicted the PKI market would rise from US$281 million in 1999 to US$3 billion in 2004 -- a heady growth rate that would have required customers to actually purchase the software.

PKI as a concept certainly lives on in things like SSL -- used to secure data moving to and from Web pages -- and for authenticating systems and users in many closed government and business systems. However, as a mass-market concept, it has fallen flat on its face.

Digital rights management (DRM) has proved to be another classic in the technology-nobody-wants arena, if only because of the number of times vendors have tried to make it work over the years through incompatible products that interoperate poorly and invariably cause problems for users who just want to listen to or watch their content.

Frost & Sullivan was among the firms holding out optimistic forecasts for DRM: in 2002, it forecast the DRM market would expand from US$285.6 million in 2001 to be worth US$864 million by 2007. "New solutions and supporting technologies that provide additional security layers to existing DRM systems are generating trust among users," the firm reported.

This laughable conclusion is at odds with the real history of DRM -- one which has at best been tolerated by users (as with Apple's iTunes Music Store that made Apple's FairPlay DRM generally accepted but only because iPods are near ubiquitous in the market) and at worst, channelled untold billions in R&D funding straight into the circular file.

To reach strong market figures, DRM needs to be widely adopted, seamlessly compatible between content providers and devices, and able to operate without users knowing about it. The best DRM may in fact be no DRM at all. The music industry is a great example: after years of consumer frustration with DRM, the strong acceptance of moves by major music labels to release DRM-free music reflects the market's true sentiment about DRM.

Unlike general-use PKI, however, there is still hope for DRM: the rise of mobile content, the spread of digital content on the Internet, and the studios' desire to protect their high-definition content on discs and over the airwaves, have led to continued demand from studios for new DRM technologies.

Putting your finger on it
Maybe it's because so many IT types grew up watching Star Trek, but biometric security has long been one of those great ideas that just won't die -- even though the market has failed to take off.

Voice print identification is the latest biometric system to attract interest, with the Commonwealth Bank apparently investigating the technology's usefulness for verifying the identity of phone banking customers.

Fingerprint scanners have been around for a long time, and their derivatives -- including hand, foot, iris, retina and facial scanners -- have rapidly evolved to the point where many of them actually work.

There's only one small problem: as a rule, people don't like being scanned. They certainly won't go out of their way, despite any perceived benefits: although a number of banks have toyed with fingerprint scanners as an option for securing their Internet banking customers' access, to say the devices are commonplace is to significantly stretch the truth.

Analysts are still expecting big things from the technology, which has seen its biggest uptake in one-off deployments such as securing high-tech datacentres. WinterGreen Research, for example, has forecast the biometric security market will grow from US$142.4 million in 2004 to US$12.6 billion by 2010.

That's a 43.82 percent compound annual growth rate, but hold onto your investment dollars: despite more than a decade of trying, biometrics have yet to take off in any significant deployment that would suggest optimistic forecasts are anything more than pipe dreams.

All the fingerprint scanners in the world won't be able to get rid of one of the most elusive, yet apparently one of the fastest-growing, threats on the Internet today. If anyone needed proof that security baddies are outpacing those charged with catching them, it's in the area of drive-by downloads -- those Net nasties that invite themselves onto the computers of users who click where they're not supposed to.

As footsoldiers in the war to create malicious "botnets", these downloads have forced security firms onto the back foot and caused histrionic predictions: no less than Vint Cerf was last year sounding the alarm.

In a speech at the World Economic Forum, he warned that a quarter of all PCs currently connected to the Internet may already have been hijacked into the botnet community -- and likened the problem to a pandemic.

Cerf's prediction of doom-and-gloom takes an opposite stance to Gates' we-will-eliminate-spam rhetoric, and time will tell whether the situation proves as bad as he has predicted. The thing with any of these predictions is that nobody can reliably quantify their true extent -- and there is no way to follow them up.

Since Cerf seems to have predicted nothing less than the downfall of the Internet, we can only assume he will be proven to have been overstating the case just a little.

Technology nobody wants
IPv6 and IPSec, two improvements to the Internet Protocol stack, have been around for years but -- because they require wholesale changes to the underlying infrastructure of company networks and the Internet at large -- they have had little real-world relevance. Sure, companies are always looking for better ways to confirm users' identities, but things like IPSec don't just get implemented overnight -- and IPv6 requires nothing less than an upgrade to most of the Internet.

It's surprising, then, that Bill Gates would once again take the stand at last year's RSA Conference to predict the rise of IPSec and IPv6 -- two technologies the corporate world seems to have been falling over itself to avoid.

Arguing that their tighter built-in security controls will help improve the Internet's overall security profile, he and Microsoft chief research and strategy officer Craig Mundie used the statements to highlight recent Microsoft advances in the area.

Whether those advances can prove to be any more relevant than the dozens before them remains to be seen. Certainly, the lackadaisical response to those two technologies makes that prediction look a lot like Gates' belief in 2004 that we were seeing the gradual phasing-out of passwords.

Four years on, their possible replacements -- which at various times have included smartcards, two-factor authentication devices, single sign-on (SSO) technology on corporate networks, and automatic sign-on via strict identity management regimes -- have still failed to make a mark. Although some institutions have seen limited success with two-factor devices, the majority of applications are still secured using the old user ID and password combination.

Why? The simple answer is that despite all the hand-wringing and forecasts of doom, few people are actually ready to change their behaviour. So while keynote speakers the world over stand up to highlight the latest technological advances, without real and widespread deployments they're just blowing hot air -- and adding to the already deep well of security predictions that never came true.