

November 2002

Brave New World, or Business as Usual?

5 infosecurity trends promise a more secure future--one of these days.

BY Marcus J. Ranum

This month, I'm switching gears, putting my Cool Tools away to talk about nothing less than "The Future of Information Security." Well, maybe not life, the universe and everything, but five key trends that could have a real impact in the coming years.

The past doesn't give us a warm and fuzzy feeling about infosecurity--problems like insecure code, lean security budgets and failure to apply patches or enforce even minimal security practices persist. But what about the future? Are we going to learn from the mistakes of the past, or are we doomed to repeat them? Will infosecurity get the upper hand over the bad guys and ease the burden of overwrought and understaffed sysadmins?

Well, maybe.

There are so many factors affecting computer security, and the technology it depends on, that it's very hard to identify even the broad trends. But I'll try. Here are five future trends that could have huge ramifications.

  1. Autopatching will become predominant. Today, we're stuck in the trench warfare of vulnerabilities and patches. Increasingly, a number of operating systems and applications patch themselves automatically, reducing the number of users who are running old, insecure code. Unfortunately, there are hundreds of different autopatching systems, some of which are insecure themselves. Look for a deep sigh of relief if we ever see a unified, tamper-resistant, digitally signed, patch-downloading archive. But don't hold your breath.

  2. System administration absorbs all life on Earth. The tragedy of modern computing is that we've turned nearly every man, woman and child in the plugged-in world into a Windows sysadmin. When people talk about "ubiquitous computing," be afraid, unless we can take a bite out of system administration in the near future. The fact that our operating system environments expect end users to do system administration is scandalous. From a security standpoint, it's terrifying.

  3. Software by subscription. Our current model of buying software is all backwards. Instead of buying software, we should be subscribing to it. There are huge benefits to both end users and vendors in this type of scenario, but, because of how we do system administration today, it's just not practical. The implications are too huge for most people to accept the paradigm shift. Will it happen? Not for 20 to 30 years, is my guess.

  4. Windows/Intel versus PlayStation. Was Microsoft's Xbox entry into the gaming console market a silly attempt to grab a chunk of a huge industry, or was it a fear-inspired move to head off the next colossus competitor? We'll know in 10 years. Sony's PlayStation 2 is already the most popular DVD player in Japan. Inside that little black box is a supercomputer with an ultra-reliable microkernel operating system that requires no system administration. This year, Sony added a hard disk to cache applications and a network interface. It already had a USB and FireWire interface. Want to terrify Redmond? Write a reliable office-automation and e-mail package for PlayStation 2.

  5. Linux is toast. Linux, the great hope of the anti-Microsoft backlash, is becoming a fragmented effort, just like all the Unix OSes that have gone before it. "Divide and conquer" will work against Linux just as it did against Apollo Computer, Digital Equipment Corp., Gould, Hewlett-Packard and the other Unix vendors of old. On the other hand, security may improve as a result of many divergent evolutionary branches dying out. Maybe we'd be better off if there was only one operating system. We'd have a prayer of fixing it, that way.

So, is there reason for optimism? In the long run, I think everything will be OK. But it will get a whole lot worse before it gets better. Humans are slow to apply safety techniques to new technologies. Look how long it took before seat belts were required in cars. If computer security follows the same time scale as other safety-critical systems, we'll have ubiquitous firewalls and AV in another 10 years, but won't mandate that our users turn them on for another 30. I won't hold my breath that long, and neither should you.


Columnist MARCUS J. RANUM is an independent security consultant and author. He is the founder of NFR Security and built the first commercial firewall product, DEC SEAL.





Copyright 2002 TechTarget