Happy New Year. It’s now 2007 and what do we have to show for it? Seriously, what substantive progress can we point to in the world of Information Security? A couple of mergers and acquisitions, but how about real progress? Surely our adversaries seem to be making progress by leaps and bounds, but what about us?

So, in keeping with my own tradition, I’m not going to recap 2006 or predict what’s to come in 2007 and beyond (my crystal ball is rebooting). Instead, I’m just going to touch on a few topics here that are—or should be—important to us all. In the aggregate, they speak both to the past and to our future…maybe.


Here’s my 2007 list, in no particular order:

DRM Battles

The DRM war is lost, but the battles rage on. There’s a common denominator in all forms of digital information representation that stops the DRM war dead in its tracks—the analog playback device. As long as we use our eyes and ears to play back digital information, we’re going to fail in protecting digital media. Why? Well, because the adversary can always intercept the plaintext signal in the “final millimeter.” When playing music, for example, the adversary can virtualize a computer and intercept the sound signal as it goes to the virtual speakers. Voila, any and every DRM scheme has just been circumvented.

Same thing goes for movies, digital books, etc. Until and unless the producers of these products come to terms with that, they’re going to continue battling in vain in a war that can’t possibly be won. How about making things so easy that it’s not worth the hassle of copying things, guys?

So what’s the big deal? Well, although the war can’t be won, there are too many losers to mention, starting with you and me. Why can’t I put a USB stick into my TiVo and take a show that I recorded to a friend’s house to watch? Most likely answer: DRM. Why can’t I download a DVD from (say) Netflix, burn it to disk, and watch it on my DVD player? Most likely answer: DRM. You get the picture: we all lose because technological advances are being hampered by DRM paranoia.

Surely the technology for cool features like these has been available for some time—often via “underground” groups and such. Surely the TiVo and Netflix guys and gals thought of these things years ago.

PKI: Where’s the I?

There’s (still) no “I” in PKI (Public Key Infrastructure). I recently did an architectural security review of a major credit card processing application for one of my customers. In it, I applauded their use of an internal PKI to rigorously mutually authenticate all of the system’s components to one another. However, years after PKI started appearing, there’s still no infrastructure in PKI. Those using PKI technologies continue to run in their own islands, with few exceptions. Granted, some of those islands are approaching the size of a small continent, but the best that an end consumer has available today is still pathetically lacking.

About a year ago, I announced here in my column that I was going to start signing all my emails using PGP (Pretty Good Privacy, an encryption program). Well, I’m indeed doing that, but it has generated more confusion than security, quite honestly. Although I haven’t given up on it yet, I’m pretty close to concluding that it was a failed (albeit highly unscientific) experiment. Yes, I know that PGP isn’t really a PKI to begin with, but it presents many of the components of a PKI in an inexpensive or even free manner to the end user—all the more reason for being disappointed by my experiment’s failure.
