[luau] A more fundamental issue..

Michael_Bishop/FARRINCS/HIDOE at notes.k12.hi.us
Thu Nov 6 11:15:01 PST 2003


Got this from a mailing list I subscribe to, Security Programming.
Interesting view that I thought some may be interested in...

Michael

---------------------- Forwarded by Michael Bishop/FARRINCS/HIDOE on
11/06/2003 11:14 AM ---------------------------


Jeroen van Drie <jeroen at 3va.net> on 11/05/2003 01:20:33 PM

To:    <secprog at securityfocus.com>
cc:

Subject:    A more fundamental issue..



A more fundamental issue...

As computing becomes ever more powerful and OOP scripting languages ever
more prevalent and simple, more and more programmers will know less about
OS & library component fundamentals. As computing becomes ever more
pervasive, the security of code in the OS & library components will over
the years only become more important while becoming the domain of an ever
more exclusive club (because their members are mainly highly experienced
C/C++ programmers).

While it seems that we'll be stuck with fairly primitive interfaces
(keyboard, mouse and two dimensional screen) for at least another decade,
more intimate interfacing such as 3d displays and tactile feedback are on
the horizon; the sensors and feedback devices some scientists have
implanted into living tissue are on the radar. These new interfaces have
the potential of revolutionizing our computing experience. If at this
point we were to add the convergence of the computing and bio/genetic
sciences that seems imminent over the next few decades to the mix, the
result will most likely be a computing experience that is almost as if not
more intimate as any level of human social intercourse. This century will
most likely see advanced, intimate human interface technologies
introduced, and once they are available their benefits will most likely
mandate their use. These technologies will most likely aim to wire us
directly into the computer.

And so we program in ever higher scripting abstractions, we interface ever
closer to and into our skins and minds, we integrate systems ever closer to
rely on and reuse of each other. All this is built on increasingly complex
layers in the OS and in library toolkits.

As computing becomes ever more pervasive, even intimate, exploits can lead
to increasing disaster.

Our mode of thinking about security may have kept up to date with the
requirements but isn't yet really taking the foreseeable evolution and
convergence of computing and other sciences into account. Computing
security is becoming a political concern but that concern is still too
shallow and mainly has to do with issues such as 'bundling', 'sharing' and
'digital rights'. The OS and library components are becoming open, public
infrastructure but the trend is at risk from the current political focus on
private instead of public ownership protection.

Security socially is about accountability and transparency. Programmers and
the politicians now are setting the mold for other sciences to follow.
Especially the science of genetic and bioengineering requires a much more
accountable mold before its products can become as ubiquitous as our
handiwork. If we are to see the same lack of security professionalism and a
similar level of expediency in bioindustries as we see in the software
industry we have a lot more to fear from vulnerabilities and exploits and
lack of patches there. Hopefully in the nearby future we have enough OS &
library knowhow of our own internals so that we can patch something like
SARS quickly. The need for that knowhow to be "open source" is evident
otherwise we as a species could be ransom to profiteering.

ps: I've gone through a couple of drafts, don't mean to cry wolf, but we
are on the eve of our development model spilling over into other sciences
that increasingly use computing in development and manufacturing. It's a
fairly alarming trend considering that we as a society seem to spend more
media time on security issues within our computers than in our biosphere.
It's also alarming that after so much public scrutiny and debate we are
still on the religious discourse of good and evil.
