Predictions 2007: Ptacek vs. Lawson
Thomas Ptacek | January 4th, 2007 | Filed Under: Industry Punditry, Navel Gazing, Uncategorized
This year, a “Hannity and Colmes” prediction face-off between Matasano’s Thomas Ptacek and Cryptography Research’s Nate Lawson. Round 0: Fight!
Nate: Predicted! 99% of spam comes via image attachments
And nearly all are “CAPTCHA-style”. GIFs prove too easy to block so spammers switch to JPEG. Administrators respond by blocking all single image attachments. Complaints from Moms who can’t get photos of kids sent to work email abound. Overall spam volume decreases very slightly over the year as spammers alienate their customers who can’t be troubled to type in a URL.
Thomas: Didn’t Schneier Say Anti-Spam Was a Success Story?
I don’t have a lot to say about spam; I’ve been desensitized. Here are some things I think will happen in 2007: a major enforcement effort against a spam ringleader, which will be cathartic but won’t change the overall volume. A pronounced shift away from handing businesses your email address. A “Web 2.0” style company that does a barium-style trace of “honey addresses” through various businesses and list brokers.
Thomas: Predicted! A New Mainstream Bug-Class
Maybe it’s uninitialized variables, or delete/delete[], or STL iterators, or some deterministic way of grabbing EIP when malloc returns NULL, or a way to corrupt memory reliably when mutexes are misused. There’s too much hushed talking right now for this not to happen. I think it’s a toss-up between Mark Dowd figuring out how to exploit NULL pointer loads and Halvar Flake figuring out how to exploit help file typos. However it happens, by this time next year, there will be at least 40 Bugtraq advisories in a single new bug class that had fewer than 5 Bugtraq posts the years before 2007.
Nate: You wish… XSS 4eva
There are new bug classes (Shatter, blech) and then there are new bug classes (format string). The latter generates a flood of exploits, and the former one mini-paper. In 2007, XSS and related attacks will continue to dominate, and interesting but inconsequential mini-papers will continue to appear at their typical rate.
Nate: Predicted! The “Month of X Bugs” meme fades out, finally
You know it’s run its course when people begin pre-announcing a month of bugs, armed only with a fuzzer and PR template. Didn’t we see this in 1996? Weren’t they supposed to collect 30 bugs before announcing a month of bugs? The declining quality of submissions hits an all-time low, and the stunt loses all publicity value. Perhaps until 2016.
Thomas: Better that it burn out than fade away.
I agree with this prediction completely. The MOXB trend is DOA. The most important problem vulnerability researchers have is being taken seriously by vendors. The story needs to be about how vendors are shipping software that is not safe for deployment. With MOXB games, the story is instead about how we’re not disclosing responsibly. The smart people playing the MOXB game are going to realize they’re handing recalcitrant vendors a win. The dumb ones are going to tar their reputations.
Thomas: Predicted! A Year Of Cisco Vulnerabilities
This sounds like a bit of a lay-up, until you realize that it hasn’t happened yet. Why not? Cisco IOS is a top-tier software platform with a market share that dwarfs Apple’s. It’s a monolithic operating system, written in C. Microsoft hires smart people and spends tens of millions of dollars on securing Windows; there’s no way IOS is more secure now than Windows XP was 2 years ago, and look what’s happened with Win32 in those two years. Too many people are working on IOS reversing tools now for nothing to come of it. I predict a bloodbath.
Nate: Nope, PCs and shiny gadgets only
The security community is splitting into two camps: PC (software) and shiny gadgets (hardware). The PC camp will expand out into OSX more but stays centered on Wintel/BIOS/reversing. The shiny gadget camp will grow rapidly as every new device (i.e. Zune) gets hacked and loaded with Linux. Network security and devices that don’t fit these categories will languish although they are eventually due for a renaissance.
Nate: Predicted! Apple follows OpenBSD, Linux, and Windows, by adding OS hardening features
To back up their claims of being the safe choice, Apple adds features like randomized stack, segment bases, etc. to the default install of OSX. They tone the randomness down a bit to allow for optimizations based on prebinding. (The reason they had not added these capabilities before was concerns about randomization slowing application launch times). This is probably a layup.
Thomas: And they’re still going to lag.
Apple has announced some of these changes already. But, by this time in 2008, the number of OS-native, default-install Apple vulnerabilities will eclipse the number of Vista vulnerabilities. Despite whatever hardening features Darwin and XCode add, there will be more exploitable Apple vulnerabilities announced in 2007 than will be announced for Windows XP SP2.
Thomas: Predicted! Bruce Schneier Will Not Score A New York Times Op-Ed
Dan Bernstein will publish multiple new algorithms that break speed records and, because of the trend towards competitions like NIST ran for AES and ECRYPT is running for stream ciphers, will receive real cryptanalytic attention. He will also replace OpenSSH. But he will not write a book about airport security and will not attempt to get the mainstream media to take him as seriously as Richard Clarke. Schneier will not publish a single technical result this year, but I will read his blog anyways.
Nate: Bruce Schneier will make another career change
Ok, it’s not fair of me to use this space for another prediction, but it also wasn’t fair of you to pick on someone from our advisory board. Just like he moved from crypto to managed intrusion detection, I’m guessing he’ll make a jump into tamper resistance. As for your general prediction, I agree that 2007 will be the year that crypto hits the mainstream with vulnerability researchers actually exploiting problems like lack of domain parameter validation (what’s taking you so long???) Of course, this is very similar to your prediction last year that timing attacks would go mainstream. I guess if you keep making it, it will eventually be true, right?
Nate: Predicted! Zero-day exploits in client apps like Office outnumber researcher advisories
Until a few years ago, legitimate researchers were publishing advisories in common software often, and zero-day bugs were found in the wild occasionally. The trend has been changing as pressure from companies has slowed the disclosure process down significantly (6-9 months for responsive vendors, never for unresponsive ones). This benefits attackers with profit motives, who have longer to exploit bugs they’ve discovered or borrowed from the researcher’s or vendor’s archives. Researchers and end-users lose. In 2007, a common client-side product (possibly Office) will release more patches for holes found in the wild than as a result of legitimate 3rd-party research.
Thomas: Only if the Chinese Mafia dumps their vulnerabilities
I think the reality is, despite the hype about clientsides getting less valuable due to ASLR and NX, too much of the malware market share will be running vulnerable software on vulnerable platforms in 2007 to change the dynamic. A zero-day clientside in an application used by 50 million people will still be worth ten thousand dollars in 2007. The only way your prediction can come true is if criminals actually outpace researchers, which I think is unlikely.
Thomas: Predicted! Drastically Fewer Windows XP/Vista Vulnerabilities
Yes, localhost privilege escalation vulnerabilities in Vista will be found, and will be mercilessly hyped: “hackers break Vista protections!” But in the macro-view, Microsoft’s efforts to secure their platform will be successful. The key moves: company-wide security development lifecycle (SDLC), which triggers formal threat modeling for everything from new sample Word macros to updates to Microsoft Flight Simulator, and pervasive third-party reviews. Not one pre-auth, remote, reliable vulnerability will be found in the default install of Windows Vista Home Edition during 2007. Caveat: I’m going to give myself partial credit if one is found, but it’s some crazy logic flaw.
Nate: Never eat anything bigger than your head
While I applaud their efforts, the “build a higher wall” mentality is missing a lot of necessary supporting concepts like “monitor actual exploitation” and “guarantee the platform can adapt to new attacks”. PatchGuard is a great example. Unsigned driver code won’t run when it’s enabled, but they have to allow signed 3rd-party code that has arbitrary capabilities. The platform is simply too big to have such rigid policies while accommodating all the OEMs and ISVs that have made Windows successful. All or nothing (i.e. brittle) approaches will start to be proven ineffective soon, and I expect them to retreat slightly to adopt a more flexible approach in 2008.
Nate: Predicted! Content producers strike back: broadcast flag legislation passes and allofmp3.com shuts down
The new Democratic majority passes legislation making the FCC responsible for enforcing a broadcast flag. Without any other hurdle, rules are enacted to require broadcast flag capabilities in all new equipment. Watermarks (“copy never”, “copy once”, “no record”, etc.) are used as the flag indicator. Pressure from the US, especially regarding WTO membership for Russia, forces allofmp3.com to shut down, not the trillion-dollar lawsuit. Piracy rages on.
Thomas: And yet not one software-only DRM scheme survives 2007
Zune’s won’t. iTunes’ won’t (and the break won’t be with cheats that re-encode the raw audio). No mainstream DVD release will fail to appear, as a DVD-rip, in its highest available quality, on BitTorrent. We’ve seen what a smart DRM scheme looks like: it’s renewable, and based on more primitives than “a single hidden key”. No mainstream DRM scheme looks like that. The MPAA and RIAA will still be suing people in 2008, but general-purpose computers will still be playing movies. Special bonus prediction: Microsoft will pull Zune off the shelves.
Thomas: Predicted! TSA Starts Checking Software On Laptops
Countering some vague, highly-unlikely “cyber threat” involving wireless and aircraft control systems, all laptops passing TSA checkpoints at LaGuardia must run some TSA-sponsored security scan program that only works on Windows. TSA allows Macs through (their software doesn’t work there, too many people have Macs) but repeatedly denies Linux users. USB devices will need to be gate-checked. Schneier will complain, coherently, and he’ll be right, but nobody will care. Intrusive computer checks will continue into 2009.
Nate: But all the lithium ion batteries are an explosive liquid or gel!
Risky prediction but mostly wrong. They’re still focused on obscure physical threats and defending the previous ones from criticism. (I love this quote, issued after the liquid policy had changed after only a month: “It is unlikely that additional changes in the liquid, aerosol and gel policy will be made in the near future.”) Airlines and airport shops love the rules since they speed up boarding and increase drink purchases, so any future changes will be along those lines (no aerosols? no hamburgers?). Whatever the new rules, they’ll still be so spottily enforced that you can continue leaving your toiletries in your carry-on at a total replacement cost of 25 cents a flight (average).
Matt
January 4th, 2007 4:49 pm
“there will be more exploitable Apple vulnerabilities announced in 2007 than will be announced for Windows XP SP2.”
Not that I particularly disagree with your thesis, but isn’t it a little disingenuous to compare vulns in all OSX versions with just SP2 vulns? Vista is out and Leopard is rumored to ship early this year, and those are going to be the high-profile targets for new vulnerability discovery. So I’m seeing your comparison as “new vuln count in new shiny OS (Leopard) plus already-hammered-on OS (Tiger) versus new vuln count in already-hammered-on OS (XP SP2).” Also, are we counting MOAB vulns against Apple in this one?
Thomas Ptacek
January 4th, 2007 4:51 pm
I agree. The spirit (but not the letter) of my prediction was just that “SP1 and Win2K don’t count”.
Thomas Ptacek
January 4th, 2007 4:51 pm
And when MOAB finds an OSX vuln, we’ll count it.
Dan Ingevaldson
January 5th, 2007 10:41 am
I love the range of these predictions and I was with you up until the TSA one. Tom, this one has got to be tongue in cheek.
TSA checks on individuals will continue to focus on long, sharp and/or pointy things or loaded 45s. The liquid thing is a total debacle and as Nate pointed out, it’s rife with holes. There is no chance that TSA is going to do anything more than power-up tests, which airport security used to do with mobiles and laptops before the TSA was formed and before 9/11.
Here’s my flight security prediction for 2007. There will be another easily preventable attack in 2007 that is somehow associated with transportation somewhere in the world and the US government will start to get serious about profiling passengers just like the Israelis do. This practice will lead to less intrusive individual inspections while focusing technology expenditures where they will actually do some good.
Thomas Ptacek
January 5th, 2007 11:58 am
Two years ago nobody would have predicted that the TSA would try to ban a phase of matter, and compared to that, running a rebranded virus scanner on a USB stick seems pretty tame.
Jeff Jones Security Blog
January 15th, 2007 9:24 pm
(Belated) Security Predictions for 2007
Between region-wide power outages and minor personal emergencies (e.g. basement flooding), I didn’t get
Derek
January 24th, 2008 3:41 pm
I know this is late, but I have to add…
“Two years ago nobody would have predicted that the TSA would try to ban a phase of matter”
I have to say… when I heard the following conversation at a TSA checkpoint during one of my travels last year (in Detroit), I was worried we were going down the slippery slope to ban *all* phases.
TSA Worker: You can’t bring this on.
Traveler: That’s my deodorant.
TSA Worker: Yes, no liquids are allowed through the security checkpoint.
Traveler: That deodorant is not a liquid - it’s a solid.
TSA Worker: It’s a solid form *of* a liquid.
Traveler: (jaw drops)
Yes, I truly heard that. And I thought of all the things around which were solid forms of liquids. I was going to explain that to the TSA worker, but that was a bridge too far…