I spent much of last week at the InfoSec World conference. (Here’s a tip: Never go to Orlando during school spring break…)
InfoSec is for security professionals. Most of the attendees work for large organizations and are responsible for protecting digital assets for their companies. They have a tough, tough job.
When I first got into computing in the late 1960s, digital information security mostly meant keeping unauthorized people out of the glass-walled computer room. The mainframe computers sat in air-conditioned comfort, and the main threat was someone could steal a reel of tape with customer lists, or whatever.
The “terminals” were nothing but screens and a keyboard, and were hardwired directly to the computer over leased phone lines.
Think of what these people are up against now. Any Army Private can (allegedly) download half our country’s secrets and walk out with them on a Lady Gaga CD. A retail chain can get hacked via wifi from the parking lot and lose 45 million credit card numbers. Laptops with huge amounts of confidential information are forever getting lost or stolen.
And then we have the Internet. That wondrous facility that cross-connects practically every person and every computer on the planet, offering endless opportunities for subterfuge.
How do you know who, or what, is at the other end? How do you prevent the theft of information or corruption of your operations (think Stuxnet and Iran)? Or even someone bringing down the entire Internet?
Amidst all this, the most entertaining speaker was Marcus Ranum. Besides having a delicious sense of humor, he also has been around long enough to have an interesting perspective and draw illuminating parallels.
Marcus started off making this point: “We are still suffering from two decisions made in the 1980s.” One was to distribute processing off the mainframes, which have very robust security, onto remote servers (called minicomputers at the time), which were, and still are, far less secure. The other was to rely on Windows for “personal computing,” which had no security whatsoever at the time. Microsoft has been scrambling ever sense to retrofit security, but we are all still suffering from the original weakness.
However, that is just a metaphor for the much more serious problems which we will experience in the next ten to fifteen years, when we will have to deal with our current practices and decisions, such as:
- Outsourcing: Critical data is in far away, poorly paid hands.
- Having so much critical information on highly insecure mobile devices.
- Less-vigorous software development and testing methodologies.
- Decentralized databases, which are inherently less secure than the old glass-walled computer center.
And here are two quotes — one scary, one funny — from Marcus’ presentation:
- Scary quote: “As systems become more complex, our ability to understand what will happen if something goes wrong approaches zero.”
- Funny quote: “Evolution is a ridiculously inefficient mechanism for progress. In order for it to work, billions have to die.”
The Dark Side of HTML5
Ming Chow, Lecturer in the Department of Computer Science, Tufts University, gave a very interesting presentation on HTML5. HTML is the primary language for developing websites, and Version 5 will be released shortly. He demonstrated some of the cool things that can be done in HTML5, but then started on the dark side.
HTML5 changes the game. It is now a full-fledged programming language, with incredible power. It takes HTML way beyond making websites look pretty.
For example, with HTML5, a website can now store large amounts of data on your device, including as SQL databases.
Most of us are just understanding what simple cookies can to do us in terms of being tracked, and we ain’t seen nothin’ yet…
Challenging Web Browser Security
HTML scripts run in browsers, just like programs run in operating systems. One of the functions of an operating system is to make sure that programs can’t do anything they are not supposed to do, either intentionally or unintentionally.
Well, what is happening now is that HTML5 has changed the role of browser from a simple web navigation tool into an operating system. But browsers were never intended to have the security protections that an operating system needs. And it is very hard to retrofit security as an afterthought — just ask Microsoft, which has spent hundreds of billions trying to shore up security on Windows.
With HTML5, do you realize that every time you visit a website, you are potentially ceding control of your laptop, tablet, or phone to someone else? Frankly, I think no one knows what that will mean and where it will lead.
Correction to this article: I didn’t present the HTML5 session at InfoSec World. I was orginally supposed to present but was required to cancel.
Apologies to James Tait. I took the presenter’s name from the conference program, and did not catch the change in presenters, because I arrived at the session a few minutes after it started.