Educause Security Discussion mailing list archives
Re: Future Impact of Viruses on Internet
From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 29 Jan 2004 00:01:15 -0500
Tim Lane wrote:
Hi All, just as a topic of interest for academic discussion, does anyone have a viewpoint on the potential likely future of the impacts of worms and viruses etc on the future of the Internet and its use? As an example, I consider future scenarios could potentially be: 1) A continual and escalating situation of attack and defend (as is the case now); 2) An future implementation of technology that largely mitigates the seriousness of attacks rendering them of little concern; 3) A substantial and slow degradation of the Internet such that it becomes largely unusable; 4) A sudden enormous impact on the Internet that forces an almost total rebuild/re architecturing. If anyone has any thoughts I would be interested. I am sure someone out there is involved in the development of a more robust Internet and is aware of likely future scenarios.
Worms and viruses get the press and make life uncomfortable. The same exploits, targeted quietly at individuals, institutions, or infrastructures may be of much greater consequence. We're at #4. The "sudden enormous impact" has already happened. It was the period of commercial and governmental adoption (take-over?) of the Internet. #1 and #3 are ongoing and will be for the next several years. To start off with, there is a big installed base out there. And I believe the changes that would be needed to reign in anarchy would be so radical that a lot of inertia would have to be overcome. Even if the Internet melted tomorrow, nothing could be done overnight. #2 Not likely. Our situation isn't a technical problem. Its an architectural/philosophical one - open network, open computers, open access. An acceptance of anarchy and the rapid innovation and exploitation that accompanies it. After increasing strife, loss of trust, public outcry, governmental confusion, much money, failure of incremental solutions or their mass market implementations (firewalls, Trusted Computing Platform, IPSEC) , failure of vendors to take responsibility for their products and buyers to discriminate accordingly (they tell you in their licenses when you buy them they don't claim them to be suitable for any purpose!!!), and repeated studies with the same general security recommendations decade after decade, something core will have to change if we want the results of the environment to change: 1) The openness of the network 2) The computing platform 3) The operators So: http://falcon.jmu.edu/~flynngn/whatnext.htm More than likely, it will be incremental approaches towards those major architectural/philosophical changes. Accelerated by incidents. Decelerated by awareness of what is being lost and more responsible behavior on the part of everyone (vendors, buyers, operators, implementers). Depending upon TCPA implementation and legislation, parts of this may be closer than I think My very limited reading tends to make me think it depends on who is allowed to be the TPM Owner. The individual? The organization? The ISP? Software agents? Maybe only TCPA machines with delegated Ownership will be allowed on the "secure" network. Similarly, access control and policy enforcement (av software checks) are being pushed into the heretofore dumb network. 802.1x. Cisco's Network Admission Control. The price we'll pay is in speed of innovation, lowest common denominator functionality and access, loss of choice, and loss (ha) of privacy. On the other hand, or perhaps in the short term to stave off more radical measures: 1) Maybe vendors will finally figure out that shipping computers with open ports is socially irresponsible and act accordingly. 2) Maybe governments (or contracts) will force recalls of products with defects that result in a system compromise without user interaction with mandatory shipments of CD fixes to all registered users and 60 minutes of free telephone support. Might motivate #1 and put increased emphasis on software testing and better cost/benefit decision making about including questionable functionality. If somebody could open and start our cars without a key, would we stand for this? Not sure how this would work with free software though. 3) Maybe users will accept running day to day activities using an unprivileged account. 4) Maybe users will become discriminating about what software authors they allow to control their machine no matter the gee-whiz functionality they're offered. (Or maybe the ISPs will demand to hold the TCPA Ownership rights on their customer's computers.) 5) Maybe ISPs will be required to offer some standardized training and testing to prospective network node operators. 6) Maybe an Internet connection will be a privilege, not a right and behavior will change accordingly. Then again, maybe not. :) Until a major change happens, we'll have to sleep in the bed we've made. Attack and defend. Innovate and exploit. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Future Impact of Viruses on Internet Tim Lane (Jan 28)
- <Possible follow-ups>
- Re: Future Impact of Viruses on Internet Daniel Medina (Jan 28)
- Re: Future Impact of Viruses on Internet Herrera Reyna Omar (Jan 28)
- Re: Future Impact of Viruses on Internet Gene Spafford (Jan 28)
- Re: Future Impact of Viruses on Internet Gary Flynn (Jan 28)
- Re: Future Impact of Viruses on Internet Gary Dobbins (Jan 29)
- Re: Future Impact of Viruses on Internet Marty Hoag (Jan 29)
- Re: Future Impact of Viruses on Internet Gordon D. Wishon (Jan 29)
- Re: Future Impact of Viruses on Internet Cal Frye (Jan 29)
- Re: Future Impact of Viruses on Internet Gary Dobbins (Jan 29)
- Re: Future Impact of Viruses on Internet Cal Frye (Jan 29)
- Re: Future Impact of Viruses on Internet Gene Spafford (Jan 29)
- Re: Future Impact of Viruses on Internet Jim Moore (Feb 03)
- Re: Future Impact of Viruses on Internet Scott Weeks (Feb 03)
- Re: Future Impact of Viruses on Internet Jim Moore (Feb 03)
(Thread continues...)