I’m not against using a more restrictive, default-deny technology such as Trustifier; my point is that as these systems start to get deployed on a large scale, the balance is going to shift greatly in favor of security.

I wasn’t arguing that “this is all we need”. I was just saying that as security gets built into more and more deployed technologies, things will change.

I’m not against using a more restrictive, default-deny technology such as Trustifier; my point is that as these systems start to get deployed on a large scale, the balance is going to shift greatly in favor of security.

I wasn’t arguing that “this is all we need”. I was just saying that as security gets built into more and more deployed technologies, things will change.

What is more, they are in the vein of network security which has a fundamental failing; they protect the containers, not the contents of those containers, (that is,the data), on the network.

That is the fundamental difference between network security and information-centric security. Why can’t security people get it through their heads that denying access to the network is not the same thing as allowing access to information?

The best way to do this is a la Ranum, with deny-by-default and enumerating goodness by using white lists etc..

So as an entension of your thoughts, it seems to me that not only is infosec doing the wrong thing, they are also doing it the wrong way as well!

What is more, they are in the vein of network security which has a fundamental failing; they protect the containers, not the contents of those containers, (that is,the data), on the network.

That is the fundamental difference between network security and information-centric security. Why can’t security people get it through their heads that denying access to the network is not the same thing as allowing access to information?

The best way to do this is a la Ranum, with deny-by-default and enumerating goodness by using white lists etc..

So as an entension of your thoughts, it seems to me that not only is infosec doing the wrong thing, they are also doing it the wrong way as well!

In other words, I’m not arguing that there will soon be a lack of problems; I’m arguing that soon (10 years?) the defenses will be mature enough to prohibit all but the most advanced, custom attacks — which I agree, will always find a way. Once the new protection technologies arrive, the primary obstacles to security will be slow adoption of said systems, configuration errors, insider attacks, and social engineering.

Anyway, I am still thinking this through. I’m not completely convinced of my own argument because I seem to have a fundamental flaw in my reasoning — one that fails to take into account certain critical elements that I can’t quite isolate.

For example, if one were to have asked me 50 years ago whether or not there would still be cracks in newly laid sidewalks I would have bet against it. Surely the new cement would last 100 years or so, right? Wrong. Or if I could have bet 100 years ago on whether or not the United States would be highly religious in 2006, I would have bet against that. In fact, I would have bet on us becoming increasingly secular.

In both cases I’m failing to take into account some major variables, and I can’t help but wonder if I could be making the same mistake with this idea. Namely, failing to take into account the exceedingly gradual pace at which progress is made. I feel technology (and market-driven demand for dependable systems) allow this boundary to be crossed, but I am not sure of it.

Anyway, I think that your three points were valid only based on us still using our current, inferior technologies. If you have weaknesses in something, and you reproduce it on a mass scale then you’re obviously going to have continued widespread problems.

I think the key is having all these new systems and technologies rolled out using more secure and stable IDEs, programming languages, platforms, etc. Notice none of that involved human developers doing anything better. They can continue to produce thrown-together garbage, but with increasingly fewer ramifications.

So the real question, in my mind, becomes: “What can stop this from materializing?”

I guess the only answer is the idea I put in my post — the notion that technology is still in its infancy as well, and its growth rate is going to be so fast (and so haphazard) that nobody will take the time to implement any of these superior security technologies.

Thoughts?

In other words, I’m not arguing that there will soon be a lack of problems; I’m arguing that soon (10 years?) the defenses will be mature enough to prohibit all but the most advanced, custom attacks — which I agree, will always find a way. Once the new protection technologies arrive, the primary obstacles to security will be slow adoption of said systems, configuration errors, insider attacks, and social engineering.

Anyway, I am still thinking this through. I’m not completely convinced of my own argument because I seem to have a fundamental flaw in my reasoning — one that fails to take into account certain critical elements that I can’t quite isolate.

For example, if one were to have asked me 50 years ago whether or not there would still be cracks in newly laid sidewalks I would have bet against it. Surely the new cement would last 100 years or so, right? Wrong. Or if I could have bet 100 years ago on whether or not the United States would be highly religious in 2006, I would have bet against that. In fact, I would have bet on us becoming increasingly secular.

In both cases I’m failing to take into account some major variables, and I can’t help but wonder if I could be making the same mistake with this idea. Namely, failing to take into account the exceedingly gradual pace at which progress is made. I feel technology (and market-driven demand for dependable systems) allow this boundary to be crossed, but I am not sure of it.

Anyway, I think that your three points were valid only based on us still using our current, inferior technologies. If you have weaknesses in something, and you reproduce it on a mass scale then you’re obviously going to have continued widespread problems.

I think the key is having all these new systems and technologies rolled out using more secure and stable IDEs, programming languages, platforms, etc. Notice none of that involved human developers doing anything better. They can continue to produce thrown-together garbage, but with increasingly fewer ramifications.

So the real question, in my mind, becomes: “What can stop this from materializing?”

I guess the only answer is the idea I put in my post — the notion that technology is still in its infancy as well, and its growth rate is going to be so fast (and so haphazard) that nobody will take the time to implement any of these superior security technologies.

Thoughts?

The problem is:

1. The threat is always growing in number, becoming smarter, and more creative.

2. The number of assets as targets continues to grow and the type of assets is constantly changing. Think cell phones, Blackberrys, etc.

3. Vulnerabilities are growing with complexity, lines of code, and feature sets.

I agree that those “with average skills and little interest in the field” will lose ground, but not because security will improve overall. Security may improve for specific cases, but overall we are still in trouble. Like a previous comment, I expect to stay busy for the next 50 years.

The problem is:

1. The threat is always growing in number, becoming smarter, and more creative.

2. The number of assets as targets continues to grow and the type of assets is constantly changing. Think cell phones, Blackberrys, etc.

3. Vulnerabilities are growing with complexity, lines of code, and feature sets.

I agree that those “with average skills and little interest in the field” will lose ground, but not because security will improve overall. Security may improve for specific cases, but overall we are still in trouble. Like a previous comment, I expect to stay busy for the next 50 years.