Recently I was asked what keeps me up at night, in view of my work in IT. Here's the reply I penned.
1. Our IT infrastructure rests on a bed of sand. The security model we all use right now is based on the idea of trusting the user, or not trusting them. This is great if you are talking about 1970s-era college campuses prior to the internet, but falls far short of today's security needs. No amount of cybersecurity can fix bad design. It's going to take a series of total system collapses to get people to consider alternatives seriously, because it's a deep problem which very few people understand. If you want to understand it... read on...
When you run a program, you are essentially giving ALL of your rights to the program. It's like going to pay at the store and handing your wallet to the cashier when you need to pay.... and hoping that they don't just take everything from you. Actually... it's worse than that even.... because you can examine the actions of the cashier; computers are a box that just sits there.
When paying at the store, you don't give everything away... you decide what resources you wish to give to the cashier... and they can't get more without coercion. Paying for a gallon of milk with cash can never cause the cashier to be able to drain your bank accounts, because you didn't give them the CAPABILITY to access your bank account.
We don't have operating systems that incorporate the idea of handing a limited set of capabilities to a program, instead of every capability the user possesses.
This means that ANY program running can be subverted to do anything, provided it has a bug.
It means that all computers hooked to the internet are vulnerable to attack; security is mostly a matter of luck.
Because the computers on the net aren't secure, this provides a rich environment for theft and fraud.
The criminal element has found this resource, and is now exploiting it, worldwide.
Most people don't even see the root cause, which I've just explained. Most people believe that firewalls and virus scanners can deliver adequate security. Most people don't even think the problem can be truly solved. If you've read this far, you might be one who thinks otherwise.
THAT is the FIRST thing that keeps me up at night.
2. We're at Peak oil; according to the Department of Energy, world oil production peaked in 2005. This means that the foundation of our industrial infrastructure is going to be harder and harder to maintain at its current level of complexity. This could lead to the end of the progress brought with Moore's law... and even a slide backwards in the future.
3. Computer security is a political issue, and not a technical one. When is the last time political decisions actually made rational sense for the general public?
Thanks for your time and attention...
Sweet Dreams
-
-Mike--
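The wallet-versus-cash point in item 1, as an added sketch that is not part of the original post: the same misbehaving "cashier" is handed the whole wallet in one run and a single limited payment capability in the other. All names here (`Wallet`, `payment`, the two cashier functions) are hypothetical, and Python does not enforce the boundary the way a capability-based operating system would; the code only illustrates the design.

```python
class Wallet:
    """Everything the user owns: cash on hand plus a linked bank account."""

    def __init__(self, cash, bank):
        self.cash = cash
        self.bank = bank

    def payment(self, limit):
        """Mint a one-shot capability that can take at most `limit` from cash.

        The returned function is all the cashier receives; its interface offers
        no way to reach `bank`. (Illustration only: Python closures can be
        introspected, so the language itself does not enforce this.)
        """
        state = {"remaining": limit}

        def take(amount):
            if amount <= 0 or amount > state["remaining"] or amount > self.cash:
                raise PermissionError("outside the authority that was granted")
            state["remaining"] = 0  # one-shot: spent after the first success
            self.cash -= amount
            return amount

        return take


def subverted_cashier(wallet, price):
    """Ambient authority: the program holds every right the user has."""
    taken = wallet.cash + wallet.bank  # a bug lets it take all it can reach
    wallet.cash = wallet.bank = 0
    return taken


def subverted_cashier_with_capability(pay, price):
    """Same misbehaviour, but it was only handed one payment capability."""
    try:
        return pay(10**9)   # tries to take far more than the price
    except PermissionError:
        return pay(price)   # the grant is the most it can ever obtain


def demo():
    w1 = Wallet(cash=20, bank=5000)
    lost_ambient = subverted_cashier(w1, price=4)
    w2 = Wallet(cash=20, bank=5000)
    lost_cap = subverted_cashier_with_capability(w2.payment(limit=4), price=4)
    return lost_ambient, (w1.cash, w1.bank), lost_cap, (w2.cash, w2.bank)


if __name__ == "__main__":
    print(demo())
```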