

I’ve been saying for years that the time of the mediocre security
professional is nearly up. We in information security are a bunch of maggots
playing in an open wound if you ask me. That’s what Information Technology
is today — a gaping wound. Once that’s not the case anymore, i.e. once the
industry matures a bit, many in the field are going to need to find new
careers.
To put some numbers on overall IT maturity (which is inherently stupid,
btw), I’d say that we have a scale from 0 to 99 — with 0 being the bottom,
where most everything is exploitable and nothing is safe once on a network.
99 would represent a time when we can deploy any IT solution and have it be
uncrackable (not going to happen). A score of roughly 80 yields systems that
can be put on the Internet and not be cracked for years at a time, with no
updates whatsoever.
Well, friends and neighbors, we’re in our infancy. We’re hovering around a
10 or so on this scale of mine, and it’s highly foolish to think that we are
at a 10 because the problems are unsolvable.
They only linger because our entire infrastructure is based on the very
first attempts at computer technology — and those
attempts were put together with no consideration for security
whatsoever.
As a result, it’s quite foolish to just throw up our hands (like the media
tend to do) and say that the bad guys are just too smart, and there’s
nothing we can do to keep our infrastructure from being potentially rooted
every few weeks.
We’re using technology that was never built to be audited, probed, or
otherwise tested for quality. Hell, no one even planned on it becoming
popular. You can’t take that paradigm, stack a billion users on it (many of
whom are now malicious), watch it buckle, and say, “we tried our best, we
can’t secure it”.
Consider what’ll happen when new technologies are released that don’t allow
arbitrary code to be executed. What happens when only “known good” content
can be run? What about when the languages used are so safe that it’s nearly
impossible to write dangerous code? And what about the compilers? It won’t
be long before compilers are able to audit your code, see you’re getting
sloppy, refuse to compile it, and then send an email to your manager.
Once these types of approaches are put into place at all levels (processors,
memory management, languages, IDEs, compilers, etc.) we’re going to jump
from like a 10 to a 60 in roughly 10 years (I’m guessing).
To be blunt, the IT tools in use today (our operating systems, etc) are
giant stacks of Legos surrounded by piecemeal bits of cardboard
“protection”. Attackers merely stand back, choose their opening, and tear
things up at will. Another (also quite imperfect) analogy I like is that of
current computers being idiot robots that will run *anything* once their
simple filters are passed.
Someone wants to hide shellcode in an email address entry? Sure, sounds good
— I’ll run that rm -rf command for you. It’s almost like every computer is
offering users *all* of its functionality, and all you have to do is confuse
it in order to get to the “extended” features.
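The “shellcode in an email address” case above is ordinary command injection, and it is worth seeing the idiot-robot version next to one that treats the field as data. What follows is an added example written for this post, not code from the original; the `subscribe` functions, the sample addresses and the injected payload are all constructed for illustration, and the payload is a harmless `echo` standing in for the `rm -rf` the post describes.

```python
import re
import subprocess

# Constructed sample inputs (not from the post): a legitimate address and one
# that smuggles a shell command into the address field.
BENIGN_EMAIL = "alice@example.com"
HOSTILE_EMAIL = "alice@example.com; echo INJECTED"

# Strict allowlist for what this field may contain. Anything else is rejected
# before it reaches any code that could act on it.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def vulnerable_subscribe(email: str) -> str:
    """The idiot robot: the address is spliced into a command line and handed
    to a shell, so any text that survives the (nonexistent) filter runs as
    code. Returns whatever the shell printed."""
    cmd = f"echo Subscribed {email}"
    completed = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return completed.stdout


def hardened_subscribe(email: str) -> str:
    """Same feature, two changes: the field is validated against an allowlist
    first, and the value is passed as a single argv element with no shell in
    the loop. The address is now data, never a command."""
    if not EMAIL_RE.fullmatch(email):
        raise ValueError(f"rejected: {email!r} is not an email address")
    completed = subprocess.run(["echo", "Subscribed", email],
                               capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    # The shell obligingly runs the second command hidden in the "address".
    print(vulnerable_subscribe(HOSTILE_EMAIL).rstrip())
    # The hardened path refuses it before anything executes.
    try:
        hardened_subscribe(HOSTILE_EMAIL)
    except ValueError as exc:
        print(exc)
    print(hardened_subscribe(BENIGN_EMAIL).rstrip())
```

Note that the two fixes are independent and both matter: the allowlist keeps the “extended features” out of reach of confused input, and dropping the shell means that even a field the allowlist mishandles is only ever an argument to `echo`, not a second command.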
Take Microsoft’s SMB services, for example. The computer is
claiming to offer a file/print sharing service (and ONLY a file/print
sharing service) but using recent vulnerabilities you can add users via the
very same service. How in the hell can you add
administrator-level users through a file sharing interface?
Idiot robots guarding their powers — that’s how.
The fact of the matter is that file sharing interfaces shouldn’t have access
to *any* “powers” other than file sharing — not adding users, not binding
shells — nothing.
These issues are transient, however. Changes will come, and when they do
we’re going to start seeing highly resilient systems that stand up to most
anything for very long periods of time. Will this “fix” technology?
Will it make things “secure”? Of course not. You can never solve idiocy, and
idiocy is what will keep many of us in business long after the technology
gets cleaned up.
But the days of anyone with “security” in their title getting paid stupid
amounts of money are coming to an end. As the wound closes, there will be
less room for semi-enthused opportunists who feed off the misfortune spawned
from IT’s youth. Our industry is filled with these types right now, and
they’d be wise to start looking for the next big thing.