Analytics // Security Monitoring
12/18/2013
10:06 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

My 5 Wishes For Security In 2014

Security skeptic Dave Piscitello tells why his end-of-year InfoSec predictions are like a fine wine.

Year-end security predictions are really hard for InfoSec practitioners, in no small part because so many security matters linger for years without improvement or resolution. I've chosen five issues that have long legs (think "wine"). Here’s my wish list for how these might play out in 2014:

  • All governments will concede that IP addresses are not personally identifiable information. Sorry, IP addresses are different from telephone numbers. In the majority of use cases, they are ephemeral, assigned behind NAT boxes. They change as often in mobile societies as the chairs citizens occupy while mainlining espresso. They’ll become even less unique if Carrier-Grade NAT adoption trumps native deployment of IPv6. And speaking of CGN…
  • Opposition to Carrier-Grade NAT (CGN) will consolidate. If NATs opened Pandora’s box, CGN unleashes the dogs of hell. More worrisome than the technical issues CGN raises is how badly CGN breaks openness and interferes with popular applications. Fundamentally, ISPs use CGN as a tradeoff between IPv4 addresses that are scarce and ports that are not only plentiful but fully controlled by the carrier. The effect on net neutrality is potentially chilling. NLnet Labs director Olaf Kolkman explains in a presentation on IPv4 as a Strategy that "the CGN-based architecture cannot be neutral any longer because the address-scarcity cannot be fixed by investments or market competition."
  • National and global wailing over surveillance programs will give way to informed debate over how best to achieve balance, transparency, and accountability. While I don’t want to diminish the importance of revelations of collection or misuse, we seriously need to let go of the outrage and indignation, acknowledge that "none or all" are not practical solutions, and define acceptable parameters of behavior. This thoughtful analysis of surveillance is a good example of what I mean.
  • Legislators will heed educators and skeptics of STEM and embrace liberal arts as worthy and necessary elements of balanced education. I work in InfoSec alongside respected colleagues who earned philosophy, physics, psychology, and political science degrees. I recently met former concert and improv flautists who are rock-solid privacy experts. STEM-centric education won’t fill the short-horizon shortfall of cybersecurity talent -- and my head spins when I imagine the unintended consequences over the long term. For example, consider how critical trust and ethics are in cooperative society in general and InfoSec in particular. If you set yourselves on a course where only science matters, when and how do you teach ethics? If you must evangelize STEM, at the very least change the "T" to trust and "E" to ethics.
  • All invested communities will resist the temptation to solve the privacy/surveillance problem using technology (encryption) alone. To do so would avert an arms race or a proliferation of poorly conceived, possibly proprietary encryption-based solutions that offer rights or intellectual property protection, personal data protection, or protection against tracking and warrantless information collection.

I hope you’re able to enjoy time away from InfoSec this holiday season. Consider this wish list when you return in 2014, and let’s start the informed debate right here and now.

Dave Piscitello has been involved with Internet technologies (broadband access, routing, network management, and security) for over 35 years.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
12/20/2013 | 1:28:11 PM
Re: STEM & liberal arts
I think the obsession with STEM is more common among policy makers and parties with commercial or defense interests than among educators. Whenever there is a perceived shortage of a profession - law, medicine, teaching - there always seem be calls for "solutions" like STEM that promise to quickly fill the perceived shortage. 

People outside information security imagine that if we had several hundred thousand more InfoSec professionals then the Internet would "be secure". I don't think it's this simple. I do think that we need to raise awareness  and set expectations about privacy in education if we want a society that makes intelligent or informed choices about how technology and information is used.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/20/2013 | 7:44:53 AM
Re: STEM & liberal arts
What about the computer science and engineering schools? Do you think there is enogh emphasis on the liberal arts in the standard curriculum to provide context to the ambigious technical issues we're grappling with ( like security and privay) today? On the other hands liberal arts could do also a better job teaching people that technology is more than just sending snapchats or email from a smartphone. 
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
12/18/2013 | 2:15:43 PM
Re: STEM & liberal arts
Thanks Marilyn,

I think the narrow focus that STEM suggests is not as universally shared among InfoSec practitioners as we're led to believe. Many of my colleagues have excellent programming skills, but programming isn't the only basis from which we can develop amazing forensic or investigatory skills. I'll speculate that many successful InfoSec companies or departments are diverse background and multi-disciplinary.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/18/2013 | 10:22:23 AM
STEM & liberal arts
Dave -- There are so many thoughtful and provactive wishes on your list that I don't know where to begin to comment.  Given that I come from a liberal arts and not a STEM, background I'll jump in there. I can't say how gratifying it is to hear a technologist make the case for a balanced education. Yes, science matters but most of today's most vexing issues surrounding technology (think NSA & privacy) are not going to be revolved by a technology solution. We definitely need to change the "T" and "E" in STEM to trust and ethics. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?