Predictions for information security in 2002

Kurt Seifried, [email protected]


 

The following are my predictions for information security in 2002:

Technical:

Wireless networks will remain insecure. WEP is totally insecure, and the replacements proposed for it have been found flawed even before they are deployed. What is needed is good old-fashioned IPSec between clients, and between clients and the gateway. This of course requires a lot of effort and is simply not possible on many wireless devices. Even if these problems were solved tomorrow, there would still be thousands upon thousands of insecure wireless networks for attackers to exploit.

MS's security effort will not accomplish much, other than patching a few more holes. The code has been written, in huge volumes, and fixing it is a Herculean task. Their claims that buffer overflows had been eradicated from XP are patently absurd; as we all know, holes like the UPnP bug were found quite quickly, and there are more where that came from.

Linux security is getting better; with the addition of LSM the kernel will provide a robust security facility, at least for those who use it, configure their policies correctly, and maintain them (in other words, not too many people). Add-on software will continue to have holes, especially the plethora of small projects hosted at SourceForge and run by people with no idea of programming securely, let alone designing secure software.

FreeBSD and NetBSD will lurch along similarly to Linux; there will be bugs found, exploited and patched.

OpenBSD will continue to proactively audit; we'll see 20 or so security fixes announced, mostly in the "probably not exploitable but just in case" and "not by default" categories.

OpenSSH will continue to pummel commercial ssh (which has moved onwards to VPNs in any event) in the Unix market; all that's really missing is an easy chroot widget for sftp.

Apache will hopefully release 2.0 this year. I suspect there is a nasty security bug lurking in the code, but hopefully I'm wrong. People will do incredibly strange things with the framework provided, like building telnet servers and ftp servers, and someone will build an ssh server. Ultimately you will be able to run all your services via Apache, just like Emacs allows you to edit and manage files, read mail and make cheese soufflé.

Software in general will still be a security disaster. No amount of C#, .NET or tools will change the basic fact that almost all programmers have no software security education or expertise.

The volume of attacks, incidents, port scans and so on will continue to rise. More and more people are getting high-speed Internet access, more servers are going online, and access costs are getting cheaper. If you think it's bad now, wait till all the male teenagers in China and India have Internet access.

 

Economic

Companies will spend more money on security for a number of reasons:

Companies will spend more money on security incidents; cleanup costs will rise for the simple fact that companies will actually be cleaning things up rather than ignoring them.

 

Policy

More security laws will be proposed and passed; things like the DMCA are just too nice for most companies to pass up (they get a lot without giving much of anything up).

People will cotton on to the fact that terrorists don't need fancy peer-to-peer encrypted hidden networks. SSL web mail is all you need to communicate relatively securely (hint: HotMail). People will undoubtedly propose tough monitoring and restrictions on public Internet access points such as web cafes and libraries.

 



Last updated 2/23/2002

Copyright Kurt Seifried 2002