Security 2007: Issues to Be Aware Of
Some thoughts on this year's security trends: Mac/Linux vs. Windows, DRM, e-mail snafus, and more.
So, in keeping with my own tradition, I'm not going to recap 2006 or predict what's to come in 2007 and beyond (my crystal ball is rebooting). Instead, I'm just going to touch on a few topics here that are, or should be, important to us all. In the aggregate, they speak to both the past and, maybe, to our future.
Here's my 2007 list, in no particular order:
The DRM war is lost, but the battles rage on. There's a common denominator in all forms of digital information representation that stops the DRM war dead in its tracks: the analog playback device. As long as we use our eyes and ears to play back digital information, we're going to fail in protecting digital media. Why? Well, because the adversary can always intercept the plaintext signal in the final millimeter. When playing music, for example, the adversary can virtualize a computer and intercept the sound signal as it goes to the virtual speakers. Voila, any and every DRM scheme has just been circumvented.
Same thing goes for movies, digital books, etc. Until and unless the producers of these products come to terms with that, they're going to continue battling in vain in a war that can't possibly be won. How about making things so easy that it's not worth the hassle of copying things, guys?
So what's the big deal? Well, although the war can't be won, there are losers, too many to mention, starting with you and me. Why can't I put a USB stick into my TiVo and take a show that I recorded to a friend's house to watch? Most likely answer: DRM. Why can't I download a DVD from (say) Netflix, burn it to disk, and watch it on my DVD player? Most likely answer: DRM. You get the picture: we all lose because technology advances are being hampered by DRM paranoia.
Surely the technology for cool features like these has been available for some time, often via underground groups and such. Surely the TiVo and Netflix guys and gals thought of these things years ago.
PKI: Where's the I?
There's (still) no I in PKI (Public Key Infrastructure). I recently did an architectural security review of a major credit card processing application for one of my customers. In it, I applauded their use of an internal PKI to rigorously mutually authenticate all of the system's components to one another. However, years after PKI started appearing, there's still no infrastructure in PKI. Those that are using PKI technologies continue to run in their own islands, with few exceptions. Granted, some of those islands are approaching the size of a small continent, but the best that an end consumer has available today is still pathetically lacking.
About a year ago, I announced here in my column that I was going to start signing all my emails using PGP (Pretty Good Privacy, an encryption program). Well, I'm indeed doing that, but it has generated more confusion than security, quite honestly. Although I haven't given up on it yet, I'm pretty close to concluding that it was a failed (albeit highly unscientific) experiment. Yes, I know that PGP isn't really a PKI to begin with, but it presents many of the components of a PKI in an inexpensive or even free manner to the end user, all the more reason for being disappointed by my experiment's failure.
January 05, 2007