2008: The security wishlist



There's no sense in making predictions in the security space. There will be more creative attacks and vulnerabilities will multiply at a rapid clip. Meanwhile, unsuspecting (or just plain stupid) users will enable hackers. All of those items are a given. But we can outline a few items that sure would be nice to have.

Here's my wish list for 2008:

A new QuickTime. Let's face it, QuickTime is a sieve when it comes to security. Meanwhile, QuickTime is everywhere. Add it up and Apple has two choices: Keep patching QuickTime in an effort to keep up with flaws. Or rebuild QuickTime. Instead of patching QuickTime repeatedly, Apple should launch a do-over. New features? Who cares? Just make QuickTime secure.

Take Web 2.0 security seriously. Shared APIs are great. Social networking features are wonderful. There's a lot to like about Web 2.0. But as these technologies make their way to the enterprise, these composite Web apps will have to become more secure. IBM is pondering the policy implications for so-called Enterprise 2.0. You should too.

End the monoculture. Every IT shop out there should incorporate one word into its strategy: Diversify. In an effort to cut costs, find one throat to choke and simplify infrastructure, technology managers are using fewer vendors (Microsoft, Oracle, SAP). What happens if this core software is hacked? The problem with monoculture is most evident with Windows. Diversify your operating systems. Sprinkle in Linux and Apple OS X along with Windows. Are the maintenance requirements more complicated? Possibly. But there are security benefits to be had.

Real penalties for data breaches. 2007 was the year of the data breach and TJX was among the headliners. TJX took a nice-sized financial hit, but Wall Street largely gave the company a pass. Same-store sales also held up, so it's not like customers fled the retailer. This scenario plays out repeatedly. The current state of affairs has to change. I hate to say it, but regulation may be the answer because executives just don't take protecting consumer data seriously--unless there's a breach, of course. The costs associated with data breaches are on the rise, but not by enough to change behavior.

PC makers focus on security vulnerabilities in software updates and crapware. HP has been taking its lumps over flaws in its Software Update feature embedded on laptops. Memo to Dell: Get ready, you're next. Hackers will increasingly target hardware makers, which bundle in more and more software to automate customer support and gain slotting fees from software companies.

  • Don't write QuickTime from scratch


    Joel Spolsky, in the article "Netscape Goes Bonkers", explains why you should never rewrite your application from scratch.

    It's a worthwhile read if you don't understand the implications of writing from scratch.
    • Thanks for the link

      I wasn't suggesting a complete scrapping of the code, but some sort of do-over would be warranted just for security's sake. What do you suggest? I'd be curious to get feedback.
      Larry Dignan
      • Apple could publish code audit results

        I find that the Coverity scans of open source projects give a relatively objective assessment of the quality of open source code. I find it quite impressive that KDE is having 4.5 million lines of code scanned. The number of closed defects is over 1,500. But even more impressive, the number of remaining defects is under 100 and dropping.

        If Apple would publish the results of a similar scan, we could watch the quality of the code improve as Apple addresses the bugs found by this sort of automated tool. This isn't likely to happen, but it would certainly be a bold move by Apple.
      • Sure, a do-over could be good but...

        First we need to discover what is affected in each report.

        Since Apple is probably using code licensed from 3rd parties, it can't simply rewrite it; Apple needs to work with the company that is supplying the code.
  • Hope something mitigates the greatest vulnerability

    The user. And I think the media have an important role to play in this. Rather than focus on vulnerability count comparison, and blasting software companies for bug fixes, I do hope more attention will be given to educating the user.
    • the user, the loser

      i have vista. i want security. there are enough bells and whistles and productivity enhancements already. point out to me ONE user who knows how to really use all the stuff Word or Excel can do, or all the other gizmos you get for your money. just give me a machine that's reasonably easy to configure so i know it can't be hacked. yes, it's security. don't need anything more these days
      • You're a winner

        Actually, Vista is great on security. It's all over the Web that Vista is more secure than OS-X, and a few even say it's more secure than Linux. I've only been using Linux for a matter of months, which is about as long as I've messed around with Vista, so I can't say much about that. What I will say is, as tentative as I was about surfing without security software installed in Vista, I never caught anything.

        Windows Vista limits creator/owner privileges by default, just like Linux. It pre-defines driver functions, so even if one successfully injects code into one of them, they won't have much control over the computer. And if the program doesn't already exist in Microsoft's whitelist database, it's blocked from starting with Windows. And finally, IE7 runs with limited privileges in Vista. Combine all this with SDL (Security Development Lifecycle), and you've got some TIGHT security.

        There are vulnerabilities in Vista, but much fewer than for practically any other OS (OpenBSD would be an exception). And those that do exist require user intervention to install, from what I understand. I have one recommendation for you, which will boost your security even further: open up an e-mail account with AOL, and install the free McAfee SecurityCenter. It's a complete package of antivirus, antispyware, and firewall, and also adds IDS and script blocking. It's one of the lightest all-in-one suites I've found, as well as one of the least problematic and lightest on resources.

        If you manage to get infected with SecurityCenter running on Windows Vista, then you'll need to examine a LOT more discretion in what you do online. For average users, this will be quite enough. Get it here: http://safety.aol.com/isc/index.adp?
        • typo

          Sorry, I said twice that SecurityCenter was one of the "lightest." What I meant to say was: 'It's one of the best-rounded all-in-one suites I've found, as well as one of the least problematic and lightest on resources.'
  • Monoculture has security benefits

    I've heard the "diversify" mantra before, and it overlooks the fact that the more platforms you have, the *larger* your attack surface.

    Diversification goes against the doctrine of "minimal services". Let's take the Army as an example. Now they're incorporating Mac servers to "diversify".

    Anyone willing to bet their life on Mac server *not* having vulnerabilities? So now, instead of one set of vulnerabilities, you have two. And worse, Mac's vulnerabilities aren't known yet. We know Quicktime's a sieve, what about other services running on Mac servers?

    Diversification isn't a silver bullet; it has its own security downsides. It's time people remembered that.
    • diversity can be used to minimize attack surface

      I may be able to justify Windows for desktops. But when it comes to servers, I may well be able to minimize my attack surface by using a diversity of operating systems. I like to think of the APIs as the surface of software and the lines of code as a measure of the volume of the underlying software. Defects per KLOC is a reasonable measure of the quality of the underlying software.

      If I run Unix-like servers, I can vastly reduce the surface and volume. A minimal Linux (or BSD or Solaris or ...) is much smaller than a Window system (Windows, X-Window + KDE/Gnome, etc). This allows me to run a system that is customized to a role. OpenBSD/pf is a great firewall and quite small. A GUI-less *nix running PostgreSQL or MySQL is a simple database platform. Solaris & JRE 6 (in server mode) is a great platform for web services. By removing the GUI, there are entire APIs that I can remove as well as literally millions of lines of code. Heck, by removing a web browser, I can remove millions of lines of code. AND, the code that I am left with is likely to be over a decade old and carefully tested. Why should a server include software, especially new software, not related to its service?

      I can actually reduce the amount of source code needed for a system by diversifying my choices of operating systems - the code for the OS is usually much smaller than the code for complex software services ( e.g. .Net 2.0 's redistributable files are a 22.4 MB download, a minimal Linux can be 4 MB.) I would not advocate needless diversity (e.g. running multiple distros of Linux in one organization). But diversity can be used carefully.

      Besides, many of the *nix distributions use the same source. For example, OpenSSH is used in almost all of these OSes. So having multiple OSes running OpenSSL doesn't really add new attack vectors or add to the attack surface.

      The other big issue with diversity is that you need an admin that is competent in each OS that you deploy. If you don't have that, you simply shouldn't be running that OS. So, if you only have admins that are competent in one OS, that is the only OS you should be running.
  • Real penalties for breaches?

    Riiight! Corps don't get fined for a lot of breaches and law breaking sufficiently enough. Take corporate pollution such as oil spills, they get fined a pittance of what it would cost to put better safeguards in. And this is over violations that cause death, harm to health and environment! And you expect stiffer fines for a security breach? Uh huh! Like that's gonna happen!
    Linux User 147560
    • Ha, perhaps a better title

      For this article would have been "Wishful thinking list"
      Larry Dignan
  • no stupid users

    It's pointless to call the users stupid. They are the customer and the customer is always right. It's bad design that's the problem. Any system that allows the bad guys (or the users) to overwrite code that shouldn't be overwritten is simply poor design. Put the static stuff in ROM or its hardware equivalent. You can't modify ROM from across the internet, no matter how smart or financially motivated the hacker is.

    Diversify? I disagree. At my company we simply don't have the staff to support multiple platforms. So our diversification is in the backup process.

    • And I disagree

      Users ARE stupid. Customers are not always right. That is a stupid phrase I have rallied against for ages. It should be customers always THINK they are right, but that is like a CEO thinking he knows how to run a network.

      Users just want it to WORK. They have an uncanny knack for installing stuff they shouldn't (read: Spyware and crap like that). And I hear more users complaining about the UAC in Vista, and they will just click it without reading it now. THIS IS STUPIDITY. And they wonder why they get viruses and spyware.

      Yes, better coding is part, but NO amount of coding, ROMchips (which is kind of pointless for most computers nowadays for anything that is dynamic at all (read: the entire OS anymore)) Security software, Access Controls, ETC, will prevent human stupidity.
      • RE: And I disagree

        It's actually a very wise adage and you're simply missing the point. Between you and me, of course the users are generally stupid. But these stupid people are ALSO the consumers and THAT'S what makes them "always right". If they don't purchase your product, calling them stupid won't save your business from bankruptcy.

        Computers are simply immature products, not yet appliances. Automobiles are extremely complex, even encompassing computers, yet anyone can drive to the supermarket. So it is possible to make even highly complex systems usable by stupid people.

        And for the record, I didn't make up the saying. It's older than you.

        • older doesn't make it right...

          Marketing class, you learn that the customer is most certainly NOT always right. If they buy a product because they think one thing, you can EDUCATE THEM about why your product is better... it's how companies compete. Don't assume they're right, but the main idea that one should learn from "the customer is always right" is that you can't be condescending or hostile to them.
          • older doesn't make it right...

            Good points! Perhaps the better saying is "The customer is king".

            With regards to computers, the customer really IS right. As a product they're crap. Far too fragile and difficult to maintain. We really do need serious breakthroughs with respect to computer security. My own feeling is that MOST of those bits do NOT need to change every time MS releases a patch. Most people would be perfectly content with a ten year old version of Office, specifically a version stored in the hardware equivalent of ROM.

      • Have you ever seen the IT Guy skit on SNL ?

        It is easy to assume that "Users" are stupid. But then you may as well live up to the SNL skit. If we all take a step back for one second and think about products and solutions around the CUSTOMER, we might do things correctly.

        We serve customers that fund our budgets. The reason customers/users have unreasonable expectations is because we sell it to them. Maybe not directly, but you must educate the customer as opposed to asking if they want fries with their order. If you don't believe that the customer is always right, you are in the wrong business.
        • but...

          I generally agree with you, but not all solutions can be thrown back to user education. We can't require everyone who writes a letter to be an IT professional. That would be a very inefficient system. In the case of computers, we have a very immature product.

          • Agreed

            I agree with you. My stance was that it is wrong to state that users are stupid and it is up to us to minimize unreasonable expectations.

            Because I know how to build a road I don't state that drivers are stupid...Oh wait a minute, I do that all the time....lol