Final grumblings from SecurityFocus columnist Jon Lasser, as he bids farewell to the computer security world and moves to Colorado.
No matter how many columns I write suggesting that we do things right the first time, it's unlikely that the message will get though.
The SecurityFocus editorial staff has finally heard the overwhelming reader reaction to my column and fired me.
Just kidding. In fact, I'll be in Boulder, looking for an apartment. In the Fall, I will begin work on a master's degree in creative writing. I'm leaving the computer security field, and Unix consulting in general.
I've traded in my trusty Linux Thinkpad for a 12-inch Powerbook -- what, did you expect me to give up Unix? -- and found other consultants to take on my clients. I've unsubscribed from Bugtraq. I've stopped running the local SAGE meetings.
Every major transition is a time to look back as well as forward. When I look back on my previous thirty-one columns in this space, I recall the principle (variously attributed to Bill Gates, Ian Morrison, Arthur C. Clarke, and Roy Amara, among others) that we overestimate short-term technological change and underestimate long-term change.
Is computer security a special case? Peter Neumann, a computer scientist at SRI International, has convincingly
Of everyone in the computer security world, I admire Dr. Neumann the most. He's the longtime moderator of the
Dr. Neumann displays endless perseverance by continuing to edit the forum, despite the endless stream of fundamentally similar accidents and near-accidents caused by sloppy programming and inadequately consideration of possible failure modes.
That Risks is still going strong demonstrates that little has changed over the years. Certainly nothing has improved in the short time since I started writing my column. Buffer overflows and input validation are still the biggest holes; the spam problem has gone from merely annoying to nearly intolerable; users are still insufficiently trained in proper security procedures; and the widespread acceptance of inappropriate security certifications marches on.
What's more, I don't see the possibility of long-term improvement of computer security.
Backups Aren't Sexy
With rare exception, computer security is not an overriding concern in the initial decision to purchase a particular software package. Other concerns, ranging from ease of use to hardware compatibility to marketing campaigns, have a much greater influence. Until that changes, software makers have no incentive to improve product security, no matter how much bad publicity poor programming may engender.
Open-source software, driven less by the marketing department's feature checklists, certainly has the potential to be better -- but it's not there yet. And, as I've written before, unless coders change their attitudes regarding performance and low-level control, it's unlikely to get better in the near future.
Besides, code quality has little to do with IT departments' failure to train staff adequately, their failure to spend enough time on initial network and system architecture, and their failure to write and adhere to appropriate security policies.
But backups aren't sexy. Basic system hardening isn't sexy, either. Too many shops ignore both. Intrusion detection is interesting -- more interesting than useful, at most smaller sites -- and clients inevitably prefer that sort of work, even when a different approach is more likely to solve practical problems.
This is perfectly understandable: People will always pay more attention to new and exciting toys than to basic, well-understood practices. And they'll pay more attention to fixing problems in released systems than to designing and testing those systems before release. No matter how many columns I write suggesting that we do things right the first time, it's unlikely that the message will get though.
And that's why I admire Peter Neumann: he keeps saying the true, important thing. Even though he must know that he will be ignored, for the most part.
Until people -- not just programmers and system administrators, but managers and lawyers -- begin listening to Dr. Neumann and others, that long-term change in computer security is unlikely. Other than an influx of users, and the spam problem, little has changed since Robert T. Morris released the first Internet worm in 1988.
I suppose that there's always hope that some great and unimaginable solution will sweep down from the sky and fix all of our computer security woes. But I'm certainly not holding my breath.
Change or not, the computer security world will proceed without me much as before. I hope that, in my short time writing this column, I informed, entertained, and provoked you.