Sometimes writing about security is just too easy. Making predictions about next year is like this in some ways.
Let's pick some of the low-hanging fruit early. Even though most spam-tracking companies show that spam already comprises 75 percent or more of all e-mail, that proportion will go up in 2005. We are approaching the situation in which, I have always assumed, users will begin to withdraw from e-mail because it is so unpleasant.
It seems to me that the consensus number at the end of last year was at or just above 50 percent, so I'll assume it will go up by another 50 percent of the legitimate percentage, to 87.5 percent. Of course, with an overall number like that, there will be many days where 95 percent or more of all e-mail is spam. No matter how good filters are, more and more is going to get through.
Will authentication, the last great hope to save e-mail, make a difference? We can hope that by the end of 2005 it will have taken deep roots, but will we be in a position where domains can really begin blocking and rejecting mail that isn't authenticated? That's the ultimate goal, and I think it will take longer.
Perhaps this is some more low-hanging fruit. You might have noticed that December has so far been a gangbusters month for vulnerability reports. Microsoft is well-represented, not just on its own controversial December patch day, but with a separate report about the Windows Firewall and an independent report about Internet Explorer.
But it's not just Microsoft. We've also had reports this month of vulnerabilities in products from Cisco and Veritas, along with the Samba file-sharing system.
December must have been the most bug-ridden month of 2004, but researchers tell me that inventories of unpublished vulnerabilities are running high. I think that months like December will become more the norm than the exception in 2005.
We'll need some new metric to quantify this, but I think the average number of vulnerabilities reported per month in 2005 will increase substantially over 2004.