12/18/2013
10:06 AM
Dave Piscitello
Commentary

My 5 Wishes For Security In 2014

Security skeptic Dave Piscitello tells why his end-of-year InfoSec predictions are like a fine wine.

Year-end security predictions are really hard for InfoSec practitioners, in no small part because so many security matters linger for years without improvement or resolution. I've chosen five issues that have long legs (think "wine"). Here’s my wish list for how these might play out in 2014:

  • All governments will concede that IP addresses are not personally identifiable information. Sorry, IP addresses are different from telephone numbers. In the majority of use cases, they are ephemeral, assigned behind NAT boxes. They change as often in mobile societies as the chairs citizens occupy while mainlining espresso. They’ll become even less unique if Carrier-Grade NAT adoption trumps native deployment of IPv6. And speaking of CGN…
  • Opposition to Carrier-Grade NAT (CGN) will consolidate. If NATs opened Pandora’s box, CGN unleashes the dogs of hell. More worrisome than the technical issues CGN raises is how badly CGN breaks openness and interferes with popular applications. Fundamentally, ISPs use CGN as a tradeoff between IPv4 addresses that are scarce and ports that are not only plentiful but fully controlled by the carrier. The effect on net neutrality is potentially chilling. NLnet Labs director Olaf Kolkman explains in a presentation on IPv4 as a Strategy that "the CGN-based architecture cannot be neutral any longer because the address-scarcity cannot be fixed by investments or market competition."
  • National and global wailing over surveillance programs will give way to informed debate over how best to achieve balance, transparency, and accountability. While I don’t want to diminish the importance of revelations of collection or misuse, we seriously need to let go of the outrage and indignation, acknowledge that "none or all" are not practical solutions, and define acceptable parameters of behavior. This thoughtful analysis of surveillance is a good example of what I mean.
  • Legislators will heed educators and skeptics of STEM and embrace liberal arts as worthy and necessary elements of balanced education. I work in InfoSec alongside respected colleagues who earned philosophy, physics, psychology, and political science degrees. I recently met former concert and improv flautists who are rock-solid privacy experts. STEM-centric education won’t fill the short-horizon shortfall of cybersecurity talent -- and my head spins when I imagine the unintended consequences over the long term. For example, consider how critical trust and ethics are in cooperative society in general and InfoSec in particular. If you set yourselves on a course where only science matters, when and how do you teach ethics? If you must evangelize STEM, at the very least change the "T" to trust and "E" to ethics.
  • All invested communities will resist the temptation to solve the privacy/surveillance problem using technology (encryption) alone. Resisting it would avert an arms race, or a proliferation of poorly conceived, possibly proprietary encryption-based solutions that offer rights or intellectual property protection, personal data protection, or protection against tracking and warrantless information collection.

I hope you’re able to enjoy time away from InfoSec this holiday season. Consider this wish list when you return in 2014, and let’s start the informed debate right here and now.

Dave Piscitello has been involved with Internet technologies (broadband access, routing, network management, and security) for over 35 years.

Comments
davepiscitello
User Rank: Apprentice
12/20/2013 | 1:28:11 PM
Re: STEM & liberal arts
I think the obsession with STEM is more common among policy makers and parties with commercial or defense interests than among educators. Whenever there is a perceived shortage of a profession - law, medicine, teaching - there always seem to be calls for "solutions" like STEM that promise to quickly fill the perceived shortage.

People outside information security imagine that if we had several hundred thousand more InfoSec professionals then the Internet would "be secure". I don't think it's this simple. I do think that we need to raise awareness and set expectations about privacy in education if we want a society that makes intelligent or informed choices about how technology and information is used.
Marilyn Cohodas
User Rank: Strategist
12/20/2013 | 7:44:53 AM
Re: STEM & liberal arts
What about the computer science and engineering schools? Do you think there is enough emphasis on the liberal arts in the standard curriculum to provide context to the ambiguous technical issues we're grappling with (like security and privacy) today? On the other hand, liberal arts could also do a better job teaching people that technology is more than just sending snapchats or email from a smartphone.
davepiscitello
User Rank: Apprentice
12/18/2013 | 2:15:43 PM
Re: STEM & liberal arts
Thanks Marilyn,

I think the narrow focus that STEM suggests is not as universally shared among InfoSec practitioners as we're led to believe. Many of my colleagues have excellent programming skills, but programming isn't the only basis from which we can develop amazing forensic or investigatory skills. I'll speculate that many successful InfoSec companies or departments have diverse backgrounds and are multi-disciplinary.
Marilyn Cohodas
User Rank: Strategist
12/18/2013 | 10:22:23 AM
STEM & liberal arts
Dave -- There are so many thoughtful and provocative wishes on your list that I don't know where to begin to comment. Given that I come from a liberal arts, and not a STEM, background, I'll jump in there. I can't say how gratifying it is to hear a technologist make the case for a balanced education. Yes, science matters, but most of today's most vexing issues surrounding technology (think NSA & privacy) are not going to be resolved by a technology solution. We definitely need to change the "T" and "E" in STEM to trust and ethics.