Firewall Wizards mailing list archives

Re: Personal Firewall Day?


From: Gary Flynn <flynngn () jmu edu>
Date: Mon, 06 Oct 2003 21:41:24 -0400

Marcus J. Ranum wrote:

> But we're
> addicted to general purpose computing because we (mistakenly)
> perceive a need to upgrade system components in order to save costs
> over time. We also are addicted to general purpose computing because
> our software base is so buggy that we need to upgrade software
> components constantly in hopes of finding something that doesn't
> crash.

I think we're addicted to general purpose computing because of its versatility,
freedom, and associated potential to innovate. Indeed, GP computing itself,
rather than some specific implementation of it, may be our monoculture.

We've forever been able to download some "neat new tool or app". Therein
lies the problem. Today, there are a lot more malicious "neat new tools and
apps". Today there are a lot more tools to exploit the increasing complexity
and defects found on today's desktops and infrastructure.

Who would have thought ten or fifteen years ago that today's common
consumer desktop would have dozens of background services running,
including several that open listening ports on the network?

But the problem isn't entirely with the platform. There are a lot more naive,
overwhelmed, paranoid, exploitative, and uncooperative individuals connected
to our world wide network. A network that not too long ago was nowhere
near as accessible or commonplace. And with that increasing population and
associated increase in usage, has come motivation for evil doers - money,
fame, and worse.

> General purpose computing also brings gigantic hidden
> costs in terms of system administration and GP systems vulnerability
> to trojans and viruses. Reverting to a monoculture would actually help
> us address a lot of these issues.

I'd have to agree with that but the nature of the machine would have to
change drastically. I pondered this in the first wave of DDOS attacks in 2000:

http://falcon.jmu.edu/~flynngn/whatnext.htm (currently down but it's cached
through the magic of Google)

I'd even go so far as to say that such a machine would be adequate for the
vast majority of consumers. However, those machines would be significant
impediments to innovation and growth. While we might consider HTTP and
IMAP base functionality today, they weren't around a decade ago. I have
to wonder whether we would have had the explosion in growth and
functionality we've experienced if the installed base had to have ROM
upgrades or complete replacement to support new standards - HTTP,
IMAP, SSH, SSL, IPSEC, multicast, IM, etc. Shoot, it wasn't too long
ago that TCP/IP stacks were add-on software. Growth, fluidity, and
change have always brought some growing pains. Unfortunately, I don't
think we've seen the worst of what is to come.

Certainly, the platform has to change to improve today's situation. But I
don't think we'll see universal, GP platform improvements that will solve
the problems. The nature of a GP computer is inherently insecure in the
hands of untrained individuals in a hostile environment. And the Internet will
need to be considered hostile as long as it's world-wide, unauthenticated,
and freely accessible. Perhaps what we need instead is a range of devices
with a range of functionality to be used in appropriate situations. Maybe that
is what we're beginning to see with handhelds, phones, and home
entertainment systems increasingly taking on data communications and
applet capabilities. But, of course, the closer they get in functionality to
a GP computer....



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards