
I don't really agree with most of the ideas presented here. Setting your corporate firewall to "default deny" is just security theater, not real security. If a black hat installs malware somewhere, it can just as easily phone home via HTTP as on some random port. Arguably, the security theater of forcing everything on to HTTP actually makes it harder to spot anomalous traffic patterns. Earlier someone might have seen a lot of traffic on port 1234 and said "hmm, that's funny..." but with default deny it's impossible to see anything weird except by doing deep packet inspection.

As another poster here pointed out, hacking has gone pro. Clearly governments and organized crime have gotten into the business. The idea that people are going into hacking because "the media lionizes hackers" (like this blog post suggests) just seems kind of silly now. I think if anything, the media tends to exaggerate how scary most hackers are in order to sell more product.

I agree with the author that we are on a treadmill of patching vulnerabilities while creating new vulnerabilities. We'll never really get anywhere as long as we are on the treadmill. But this post doesn't point out any of the things that would actually help. For example, I think better sandboxing techniques in operating systems would help reduce the number of vulnerabilities. Unmanaged programming languages such as C/C++ are a perennial source of vulnerabilities, as everyone seems to know by now. Although most people don't seem to comment on this, languages with eval() such as Python, Perl, Lisp, SQL and Javascript have their own set of vulnerabilities that come from this construct. If we wanted to, we could get rid of these constructs.

Dijkstra famously argued that computer science was not about computers. You could make a pretty good case that computer security is not (primarily) about computers, either. A lot of great hackers like Kevin Mitnick were able to penetrate systems just by calling up a technician and pretending to be someone they were not. Computers have given more power to individuals, but the problem of finding trustworthy individuals for your organization is no different than it was before computers came on the scene. A lot of hacks are really just cases where too much information was shared with too many people who didn't need to have it, or systems were run with inadequate oversight... neither of which are technical problems.
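The first paragraph of this comment makes a detection argument: once egress is forced onto HTTP(S), the "hmm, lots of traffic on port 1234" signal disappears. The following is an added example (not from the thread or any poster) that runs two defender-side heuristics over a constructed egress flow log: a port-based check that goes blind under default-deny, and a port-agnostic beaconing check that keeps working because it looks at timing and payload size rather than the port. Host names, IP addresses, timestamps and thresholds are all constructed sample values.

```python
"""Added example: what a default-deny egress policy does to two anomaly heuristics.
All flow records are constructed sample data, not real traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed egress flow log: (epoch_seconds, src_host, dst_ip, dst_port, bytes_out)
FLOWS_OPEN_EGRESS = [
    (1000, "ws-01", "93.184.216.34", 443, 5200),
    (1030, "ws-02", "93.184.216.34", 443, 4100),
    (1060, "ws-01", "203.0.113.7", 1234, 180),   # small, regular check-ins on an odd port
    (1120, "ws-01", "203.0.113.7", 1234, 190),
    (1180, "ws-01", "203.0.113.7", 1234, 175),
    (1240, "ws-01", "203.0.113.7", 1234, 185),
    (1260, "ws-03", "198.51.100.9", 443, 9000),
]

# The same activity after a default-deny policy: the odd-port traffic simply moves to 443.
FLOWS_DEFAULT_DENY = [
    (t, s, d, 443 if p == 1234 else p, b) for (t, s, d, p, b) in FLOWS_OPEN_EGRESS
]

BASELINE_PORTS = {80, 443, 53}


def unusual_ports(flows, baseline=BASELINE_PORTS):
    """Port-based heuristic: destinations and ports outside the expected set.

    This is the 'that's funny, why port 1234?' signal the comment describes.
    """
    return sorted({(d, p) for (_, _, d, p, _) in flows if p not in baseline})


def beaconing_destinations(flows, min_count=4, max_jitter=0.2, max_bytes=1024):
    """Port-agnostic heuristic: a (src, dst) pair contacted repeatedly at a near-constant
    interval with small payloads. The port is ignored entirely, so the result is the same
    whether the check-ins ride on 1234 or on 443.
    """
    by_pair = defaultdict(list)
    for t, s, d, _, b in flows:
        by_pair[(s, d)].append((t, b))

    hits = []
    for (s, d), recs in by_pair.items():
        if len(recs) < min_count:
            continue
        recs.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(recs, recs[1:])]
        sizes = [b for _, b in recs]
        regular = pstdev(gaps) <= max_jitter * mean(gaps)
        if regular and max(sizes) <= max_bytes:
            hits.append((s, d))
    return sorted(hits)


if __name__ == "__main__":
    print("open egress, port check:   ", unusual_ports(FLOWS_OPEN_EGRESS))
    print("default deny, port check:  ", unusual_ports(FLOWS_DEFAULT_DENY))
    print("open egress, beacon check: ", beaconing_destinations(FLOWS_OPEN_EGRESS))
    print("default deny, beacon check:", beaconing_destinations(FLOWS_DEFAULT_DENY))
```

The point is not that default-deny is useless, but that it changes where the signal lives: the port column stops carrying information, so detection has to move to per-destination baselines, timing and volume, or to inspecting the HTTP(S) sessions themselves.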
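The comment also names eval()-style constructs as a vulnerability class of their own. As an added example (not from the thread or any poster), here is the hazard in Python: a small settings parser that uses eval() on values, beside a hardened version that uses ast.literal_eval, which only builds Python literals and rejects calls, names and attribute access. The settings lines and the function-call value are constructed inputs; the call used to show the rejection is a harmless len() so the example stays on the defensive point.

```python
"""Added example: eval() on configuration values versus ast.literal_eval.
All input lines are constructed sample data."""
import ast

# Constructed settings file content, one "key = value" per line.
SAMPLE_SETTINGS = [
    "retries = 3",
    "hosts = ['db-1', 'db-2']",
    "verbose = True",
]

# Constructed value that is a function call rather than a literal. eval() executes it;
# literal_eval refuses it. A harmless len() is used so the point is the rejection itself.
NON_LITERAL_SETTING = "retries = len('abc')"


def _split(line):
    """Split 'key = value' into (key, value); raise if there is no '='."""
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError(f"missing '=' in {line!r}")
    return key.strip(), value.strip()


def load_settings_unsafe(lines):
    """Vulnerable on purpose: eval() hands control of the process to whoever
    controls the settings file. Kept here only to show the defect."""
    return {k: eval(v) for k, v in map(_split, lines)}


def load_settings_safe(lines):
    """Hardened: ast.literal_eval accepts only literals (str, bytes, int, float,
    complex, bool, None, tuple, list, dict, set) and raises ValueError for
    any call, name or attribute access, so a settings value can never run code."""
    out = {}
    for k, v in map(_split, lines):
        try:
            out[k] = ast.literal_eval(v)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"setting {k!r} is not a literal: {v!r}") from exc
    return out


def is_safe_literal(text):
    """True if text parses as a Python literal, False for anything executable."""
    try:
        ast.literal_eval(text)
        return True
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return False


if __name__ == "__main__":
    print(load_settings_safe(SAMPLE_SETTINGS))
    print("unsafe parser ran the call:", load_settings_unsafe([NON_LITERAL_SETTING]))
    print("safe parser accepts it?   ", is_safe_literal("len('abc')"))
```

For ordinary literals both parsers return the same dict; the difference only shows on the non-literal value, which is exactly the input an attacker would supply. The general fix the comment alludes to is to parse data with a parser that can only produce data, never with the language's own evaluator.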



Many in IT then and now think security was the domain of people who managed routers and proxies (also responsible for preventing non-approved use, like too much downloading or reading bad things) and IT minions who install an anti-virus. From the network perspective, they block 'malicious' javascript (impossible!) and bad websites (outsourced of course) and they block all ports and websites they can in a constant struggle against actual business needs.

These people are doing what they can, but it mostly involves buying snake oil because they don't understand software.

The idea of running someone else's code (javascript, flash, macros) on the same box as the confidential data, i.e. the end user box, is completely mad when sandboxing technology is still in its infancy. Letting unverified parsers touch untrusted data is mad too, but confining everything (SELinux style) is too hard for most. But why do we let these parsers talk to the network? Why can't I prevent my android/iOS apps from talking to any site on the internet?

We need a sea change in expectation from users (corporate and individual) that their data won't leave their box without them knowing about it, that it will be authenticated and encrypted in transit, who will demand operating systems support for enforcing this, and demand that their applications are written to expect only limited and mediated access to the network, file system and kernel.



