Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

12/18/2013
10:06 AM
Dave Piscitello
Dave Piscitello
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

My 5 Wishes For Security In 2014

Security skeptic Dave Piscitello tells why his end-of-year InfoSec predictions are like a fine wine.

Year-end security predictions are really hard for InfoSec practitioners, in no small part because so many security matters linger for years without improvement or resolution. I've chosen five issues that have long legs (think "wine"). Here’s my wish list for how these might play out in 2014:

  • All governments will concede that IP addresses are not personally identifiable information. Sorry, IP addresses are different from telephone numbers. In the majority of use cases, they are ephemeral, assigned behind NAT boxes. They change as often in mobile societies as the chairs citizens occupy while mainlining espresso. They’ll become even less unique if Carrier-Grade NAT adoption trumps native deployment of IPv6. And speaking of CGN…
  • Opposition to Carrier-Grade NAT (CGN) will consolidate. If NATs opened Pandora’s box, CGN unleashes the dogs of hell. More worrisome than the technical issues CGN raises is how badly CGN breaks openness and interferes with popular applications. Fundamentally, ISPs use CGN as a tradeoff between IPv4 addresses that are scarce and ports that are not only plentiful but fully controlled by the carrier. The effect on net neutrality is potentially chilling. NLnet Labs director Olaf Kolkman explains in a presentation on IPv4 as a Strategy that "the CGN-based architecture cannot be neutral any longer because the address-scarcity cannot be fixed by investments or market competition."
  • National and global wailing over surveillance programs will give way to informed debate over how best to achieve balance, transparency, and accountability. While I don’t want to diminish the importance of revelations of collection or misuse, we seriously need to let go of the outrage and indignation, acknowledge that "none or all" are not practical solutions, and define acceptable parameters of behavior. This thoughtful analysis of surveillance is a good example of what I mean.
  • Legislators will heed educators and skeptics of STEM and embrace liberal arts as worthy and necessary elements of balanced education. I work in InfoSec alongside respected colleagues who earned philosophy, physics, psychology, and political science degrees. I recently met former concert and improv flautists who are rock-solid privacy experts. STEM-centric education won’t fill the short-horizon shortfall of cybersecurity talent -- and my head spins when I imagine the unintended consequences over the long term. For example, consider how critical trust and ethics are in cooperative society in general and InfoSec in particular. If you set yourselves on a course where only science matters, when and how do you teach ethics? If you must evangelize STEM, at the very least change the "T" to trust and "E" to ethics.
  • All invested communities will resist the temptation to solve the privacy/surveillance problem using technology (encryption) alone. To do so would avert an arms race or a proliferation of poorly conceived, possibly proprietary encryption-based solutions that offer rights or intellectual property protection, personal data protection, or protection against tracking and warrantless information collection.

I hope you’re able to enjoy time away from InfoSec this holiday season. Consider this wish list when you return in 2014, and let’s start the informed debate right here and now.

Dave Piscitello has been involved with Internet technologies (broadband access, routing, network management, and security) for over 35 years.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
12/20/2013 | 1:28:11 PM
Re: STEM & liberal arts
I think the obsession with STEM is more common among policy makers and parties with commercial or defense interests than among educators. Whenever there is a perceived shortage of a profession - law, medicine, teaching - there always seem be calls for "solutions" like STEM that promise to quickly fill the perceived shortage. 

People outside information security imagine that if we had several hundred thousand more InfoSec professionals then the Internet would "be secure". I don't think it's this simple. I do think that we need to raise awareness  and set expectations about privacy in education if we want a society that makes intelligent or informed choices about how technology and information is used.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/20/2013 | 7:44:53 AM
Re: STEM & liberal arts
What about the computer science and engineering schools? Do you think there is enogh emphasis on the liberal arts in the standard curriculum to provide context to the ambigious technical issues we're grappling with ( like security and privay) today? On the other hands liberal arts could do also a better job teaching people that technology is more than just sending snapchats or email from a smartphone. 
davepiscitello
50%
50%
davepiscitello,
User Rank: Apprentice
12/18/2013 | 2:15:43 PM
Re: STEM & liberal arts
Thanks Marilyn,

I think the narrow focus that STEM suggests is not as universally shared among InfoSec practitioners as we're led to believe. Many of my colleagues have excellent programming skills, but programming isn't the only basis from which we can develop amazing forensic or investigatory skills. I'll speculate that many successful InfoSec companies or departments are diverse background and multi-disciplinary.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/18/2013 | 10:22:23 AM
STEM & liberal arts
Dave -- There are so many thoughtful and provactive wishes on your list that I don't know where to begin to comment.  Given that I come from a liberal arts and not a STEM, background I'll jump in there. I can't say how gratifying it is to hear a technologist make the case for a balanced education. Yes, science matters but most of today's most vexing issues surrounding technology (think NSA & privacy) are not going to be revolved by a technology solution. We definitely need to change the "T" and "E" in STEM to trust and ethics. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26120
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
CVE-2020-26121
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
CVE-2020-25812
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25814
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...