Just as depressing is the fact that our security software continues to get buffer-overflowed on a regular basis. Hey security vendors: Stop adding new features and review your frigging code! Send your programmers to secure programming classes, have independent reviews, offer incentives for bug free code, and give cash awards for any employee who finds a bug.
I do have a list of questions for 2006, ones that I hope we'll finally get an answer for. For example, will the Code Red and Slammer worms ever die? They are still among the most common worms on the Internet. Can there possibly be people who haven’t patched their servers for more than two years? (Apparently, yes.)
Will Microsoft ever speed up Internet Explorer patching? Averaging more than a dozen unpatched vulnerabilities at any one time isn’t a track record to be proud of. What’s the holdup, Microsoft? Not enough hands to patch faster, or just inconvenient priorities? IE 7 looks like the most secure browser I’ve seen to date, but why leave the IE 6 people hanging in the wind for so long and so often? The IE team should talk to the Windows Server 2003 and IIS teams more regularly.
Will trusted computing actually improve security? The Sony DRM debacle showed that our trusted vendors can’t be trusted; is there any hope that other companies will learn from that lesson?
Will vendors stop writing insane EULA clauses that can’t possibly be enforced in court?
Will PKI and digital certificates actually help security when widely deployed?
Will two-factor authentication improve banking security, or will the hackers and malware just move to other vectors, as I think they will?
What am I doing in 2006, you ask? First, I’m going to start playing more with my Ubuntu Linux install. Ubuntu is a user-friendly Linux distro based on Debian, and comes with a superb GUI, Firefox, and OpenOffice preloaded. It’s often described as the Linux for the Windows crowd. Now comes the tough decision: Do I blow away my Knoppix, FreeBSD, or Fedora partition to make room?