Comparing the state of security in 1994 versus 2004, has anything really changed over the course of ten long years?
A co-worker and I were discussing trends the other day, and he was loudly proclaiming (after cursing a hardware failure) that nothing has significantly changed for most people who interact with computers in the last 10 years. The only exception we could agree upon was a major improvement in the quality of graphics. On the surface, I think I would have to agree with him. In 1994, Windows was already heavily adopted in the PC world. WordPerfect 5.1 was still around, but MS-Word and WordPerfect for Windows were in far broader use for the wordsmiths out there. The World Wide Web and e-mail were spreading to a wide audience, and were starting to be seen in many businesses. Back then Unix was only on powerful workstations and back office servers that most people didn't ever see. That doesn't sound a whole lot different from today, other than that we now have much prettier displays, an enormously fat Start menu sits on most people's desktops, and there is far more information available on the Internet.
That discussion of what's changed leads to the obvious question: what about the security world? Have we advanced at all? To find out how much has changed in ten years, I decided to do a non-academically rigorous study of the security culture from way back in September 1994 and then compare it to September 2004 -- as represented by one of the cornerstones of the community, both then and now: the Bugtraq mailing list.
Survey Says
In September of 1994, the Bugtraq mailing list (according to the archive located at http://www.securityfocus.com) received 98 posts. In September 2004, the mailing list received over four times that number, 461 individual messages. A definite increase to be sure, but I wouldn't say it's a surprising increase when we consider the "security visibility" today of the population at large. My impression of the discussion 10 years ago is that the participants then were primarily experienced administrators who REALLY knew their systems. By contrast, among the contributors in 2004 only some posters are incredibly strong in their technical knowledge, and the generalist administrator who truly understands security is a rare bird indeed.
What about the content of those messages? What security issues were most common in 1994, and has the posting demographic changed at all? What about the types of vulnerabilities that were discussed then versus now?
The emergence of the Web and Web programming has accounted for a lot of volume in Bugtraq posts over the last few years. I was expecting to find SQL injection and cross-site scripting (XSS) to be the most significant contributors to vulnerability announcements in 2004. At least, it sure seems that way when I wade through my email on a daily basis. Surprising to me was the reality that only 44 of the posts were regarding these Web programming bugs. Perhaps I simply have a low tolerance for these amazingly monotonous, mind-numbing bugs that can expose tremendous amounts of data on many Web sites. The volume of Web applications that are being developed today, and the widely varied skill levels of these developers means that this class of vulnerability alone will continue to make up a significant part of these posts. This class of vulnerability really crosses platform boundaries and so isn't Unix specific.
Other vulnerability and exploit postings accounted for 101 of the posts in September 2004, almost 1/4 of the mailing list volume for the month. These vulnerabilities and exploits included buffer overflows (both heap and stack), denial of service vulnerabilities and warnings about a series of vulnerabilities in large commercial databases for which full details will come out later. Many of these 101 posts applied to software that is commonly deployed on Unix and Linux systems, although much of that software can also be compiled and deployed on Windows systems.
The remaining volume for the month (almost half of the posts) was made up of follow-up discussions, tool announcements, and discussions about service pack application problems.
Contrasting 2004 and 1994 postings related to exploits and vulnerabilities, I see an entirely different tone of discussion. The tone in 1994 often took on an "I have something weird happening on my server, I did X, Y, Z, and then the service crashed. Is there a security vulnerability that I should be concerned about?" character, with follow-up discussions and the occasional search instruction (no Google back then, but a couple of references to ARCHIE). Broadly discussed in 1994 was a race condition on Solaris with the /bin/mail program and the status of patches from Sun. Mysterious Syslog crashes, and a discussion about SetUID scripts, also on Sun systems, were prevalent as well.
In September 1994, there were no posts of buffer overflow vulnerabilities at all, and no widespread posting of exploit code. Some friendly soul, through an anonymous re-mailer, posted Sun Solaris kernel source code (which has long since been removed from the archive). Many of the more advanced exploitation methods, although understood by a handful of people back then, wouldn't become widely known for a few more years. For example, "Smashing the stack for fun and profit", often cited as the first widespread education about buffer overflows, was not published in Phrack until late 1996.
There has also been a definite shift in the demographics of the posters. Vendor notifications and vendor participation on the list have become a significant contributor to the volume, with vendor communications accounting for 97 of the 461 messages. In September of 1994 there were no official "vendor announcements". Today these vendor announcements are largely about Linux distributions and the vulnerable applications that the distributions ship with. To me, these vendor posts are a reflection of the fact that Bugtraq (and I imagine other security related mailing lists) is an important way to publish information about security fixes and ensure a wide portion of the community receives them.
Judging solely by the posts on Bugtraq, ten years ago Sun dominated the discussions, with people concerned about patches that break applications, other patch issues, and other problems that people now much more widely report about Microsoft products (and not always without justification).
Ten years ago Windows wasn't a blip on the radar of exploitable platforms. It would be the understatement of the year to observe how much things have changed since that point, as Windows now has taken the role of whipping boy to the security industry. To judge by Bugtraq, traditional Unix is going the way of the dinosaur and Linux/BSD has overtaken it. I don't know that this is an accurate assessment, but from my sample set, it certainly seems to be the case. Alternatively, you might want to believe that all the traditional Unix systems may just not have any vulnerabilities left for administrators to worry about (or rather, they're just not heavily in use any longer).
Those who don't learn from history are condemned to repeat it
The programming errors that led to problems 10 years ago would, in many cases, be considered quite simple to avoid today. Since that time, programming methodologies, libraries and testers have all been added to the development arsenal to help prevent some of these problems. The advent of more powerful machines has allowed languages such as Java and Python to be used in more places, removing many of the mistakes that can happen when programming poorly in C.
At that time, a computer connected to the Internet was still an emerging paradigm, just gaining ground, and what was considered safe on the LAN then just isn't in this bold new world. It's taken a number of years to develop strategies to deal with this, and it's happened in many steps. Firewalls, IDSs, personal firewalls and host based IDSs have slowly been trying to establish a perimeter around potentially vulnerable hosts, and an ongoing battle occurs to keep vulnerabilities out of systems connected to the network.
Have the winds of change blown?
I believe the world for security practitioners has changed more than for many other heavy users of computers. The widespread movement towards Microsoft Windows systems in the server room, and the integration of the Windows desktop world with the Internet means the threat landscape has changed. This change is widely reflected in the types of discussions that are occurring on the Bugtraq mailing list. The emergence of Linux has also had a tremendous effect on the content of similar lists.
Other changes I noticed are largely based on changes in the community itself. Reading the old archives, I got the feeling of a small, intimate community, which compares with a very loud and harried community these days. To me, it's the difference between walking down main street in a small farming town versus walking down a busy downtown street in a major metropolitan area.
What about your observations? What changes have you seen that can't be quantified in my limited look at Bugtraq over a period of a month? For those of you who have worked in the field for some time, leave a comment and let us know your thoughts.