456 - Security-Is-Currently-Insanity

At work last Wednesday we had a talk from Eugene Spafford, a professor of Information Security at Purdue University. It was about the current state of security in computer applications, systems and networks at the current time. Essentially, he made the point that it is pretty woeful at the moment: all of us are besieged by viruses, malware, spam and phishing attacks. Following are my thoughts on his talk; I’m doing this from memory so hopefully I haven’t made errors.

The fact that our approach to securing computer systems hasn’t really changed over the years was mentioned; advances in security research are not really making it into mainstream operating systems. Radical and innovative solutions are not being pursued, but rather ways to patch up existing operating systems — focusing narrowly on Windows and Linux — seem to be the preferred approach by those (often corporations) funding research (i.e., taking an “if it doesn’t work on our current infrastructure, we’re not looking at it” approach). Especially if note is that we are still looking at detecting and defeating attacks-in-progress, rather than ways to prevent attacks.

Additionally, we are still doing much work in languages that do not provide many safeguards against common attacks. For example, we are still doing a lot of work in C, a language prone to buffer overrun errors and other memory bugs that are the stock in trade of exploit writers everywhere. I would think that as software gets more complicated, we should be moving towards languages which help us to avoid common errors; having to maintain both a high level view of the complex interactions between large scale components whilst still also focusing on the low-level minutiae of memory management and so on isn’t something that is likely to lead to robust software.

The talk went on to say that the reasons behind this are tied to economics. For someone to go forward and produce a secure operating system requires a lot of time and money, and the markets are not pushing for such an operating system currently. For all that people bemoan the viruses and other security issues that plague our current computing environment, most would not accept paying more for an operating system for which the necessary time had been spent crafting it well. This is evident in many other facets of computing; the endless treadmill of new features. Why not produce fewer features but in a program that is far more robust? The answer being that people would probably not buy it because at the time of purchase they are interested in features rather than robustness (robustness being hard to quantify when purchasing vs ease of feature comparisons at the same time probably contribute here). At work, Word drives us nuts with its oddities and pure brain-deadness at times [1] but we still use it because it’s always had the most features and so has become a de facto standard. The market has demanded features over robustness and security, so this is where we find ourselves today.

How to progress from this? Eugene didn’t seem particularly confident that it would happen any time soon; that things will have to get worse before security is taken seriously enough by the market place to mean that radical solutions would be tried out and some ease of use will be a trade off for a more robust and secure system. Still, he was confident that is is possible to fix the problems that plague us, at least — but as to when it will happen, that is un-guessable.

¹ On one occasion trying to create a numbered list by pushing the “numbered list” button on the toolbar instead resulted in all the items in the list becoming “Heading 2” and having page breaks inserted in front of each. No-one can tell me that is sane.