Five-Year Security Review

By Larry Seltzer  |  Posted 2008-02-24 Print this article Print

Opinion:  Five years after I began writing about security, things aren't as different as you'd think they'd be.

Where does all the time go? It's been five years since I began writing these columns. I thought it would be interesting to look back and see how much things have really changed.

In my inaugural column, I stated my philosophy that it stunk that people had to waste time and money on computer security, and I haven't changed my mind. At least it's clearer now to more people that they do need to pay attention and spend money.

Some of my attitudes have changed. For instance, I used to be bothered a lot more by "researchers" who disclosed vulnerabilities publicly. There definitely still are responsible and irresponsible ways to handle vulnerability data, but the genie's just out of the bottle on this stuff.

But more things are basically the same now as then. One of my very early columns asked why users ignore security updates and then, months later, blame Microsoft when they are attacked through the patched vulnerabilities? This is still a common, dumb attitude: Blame Microsoft vaguely for deficiencies in their patching process, wait, get owned (there's a word I didn't use five years ago). Anyway, it's still the case that the vast majority of compromised systems took inadequate defensive measures.

Today I would argue that companies that take security seriously, put money into protection of their systems and enforce reasonable policies are going to be very hard to compromise - not impossible, mind you, but very hard. Certainly that was less true five years ago, but it was true to a degree.

How much has the spam problem changed? There are good, sophisticated protections from numerous respectable companies that can keep spam out of your mailboxes, even off your network, and they're very good at what they do. On the other hand, the systemic problems are as bad as ever, even somewhat worse: The percentage of e-mail that is spam is more than 90, SMTP authentication has not been widely adopted and botnets still run rampant.

Phishing attacks are really not that different from what they were before; They're still attacking most of the same targets (eBay, Paypal, banks), and their English is still appalling. The major advance now is fast flux networks, which make them much harder to take down.

Early on, I warned users of one of my favorite truisms of computer security, that without physical security, no system is secure. The advances in this are mostly limited to things like disk encryption, which are not nothing, but they're not a complete solution. If someone can get physical access to your computer, there are plenty of ways they can hurt you.

I'll go out on a limb and make another judgment: New computers are much safer than they were five years ago, and users are better-equipped to protect themselves. They have been told to be skeptical of unsolicited communications and they are, but they're unsophisticated about that skepticism.

And even experts are unsophisticated about the protections in Vista, which does a great job of helping users to protect themselves against attack. Five years ago, I was skeptical that education would ever make a real difference in security because of how much ordinary users had to learn. They're not the only ones.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel