January 14, 2008

Ptacek vs. Lawson: 2007 predictions revisited

Filed under: Misc,Security — Nate Lawson @ 8:57 pm

You’ve just finished opening your seventh corporate calendar gift. You’re ten pounds heavier. What better way to celebrate 2008 than revisiting our predictions from last year ?

Nate: Predicted! 99% of spam comes via image attachments

[N] Wrong. I do get lots of image spam and PDF attachment spam was new in 2007, but the lack of “clickability” limits the usefulness of this type. This year, I resolve not to make predictions about spam.
[T] I got more spam from Ron Paul supporters this year than I did from image attachments. I may be 6 months behind the times in calling this an ’07 result, but the bigger news in antispam seems to be the failure of Bayesian antispam filters. Remember when Bruce Schneier wrote that article calling antispam software one of the industry’s success stories? I’d regret that column today if I had written it. And, not that I think this blinding flash of inspiration makes me Kreskin or anything, but the other trend? Email is no longer the frontier of spam; online communities like Facebook are.
[N] Akismet is still a success story.

Thomas: Predicted! A New Mainstream Bug-Class

[N] Right, although a lot of the C++ stuff was already started last year.
[T] I’m giving myself a clean win here: 2007 was the year that C++ fell, in the mainstream, thanks largely to Mark Dowd and John McDonald. The bug class everyone seems to remember here is the delete/delete[] thing: because of C++’s asinine inability to distinguish an array from other complex objects (including vectors), you can lose a program to using the wrong delete operator. But the “rest” of the problems here are far worse. For instance, pretty much nobody has ever written a C++ program without an STL iterator bug. And Alexandrescu-style “modern” C++, which replaces pointers with smart pointer templates, creates memory lifecycle vulnerabilities every time data passes an API boundary. A huge chunk of our infrastructure was written in C++ in the mid-late ’90s, and until recently there was a mass delusion that C++ was safer than C. I don’t want to get into predictions for ’08, but, I just did.

Nate: Predicted! The “Month of X Bugs” meme fades out, finally

[N] Yay, right.
[T] Thank god. Least said, soonest mended.

Thomas: Predicted! A Year Of Cisco Vulnerabilities

[N] Wrong, no one is paying attention to networks right now. As I said, PC/Windows and shiny devices (iPhone) were what attracted researchers this year.
[T] I can’t claim to have nailed this prediction. But I’m not so sure of your policework there, Nate. Nobody is paying attention to IOS vulnerabilities? That’s not what’s holding back the flood: the finger in the dike right now is the fact that few people can find bugs in IOS. How many skilled vulnerability researchers are there in the whole industry? Oh wait: we figured that out two years ago — a good SWAG guess is 1,000. Of 1,000, how many can do low-level C vulnerabilities? A generous half? Of those 500, how many read assembly fluently? Half again? Of those 250, how many have the time and inclination to reverse undocumented embedded operating systems? If there are 100 people in the world who are currently IOS-qualified researchers, I’m shocked.
[N] You mention that skilled researchers are lacking, but I still maintain that is because they’re all focused elsewhere right now. FX, initiator of Cisco buffer overflows, was talking about bar codes this year.

Nate: Predicted! Apple follows OpenBSD, Linux, and Windows, by adding OS hardening features

[N] Right, Leopard did although their ASLR needs some improvement. Also, they threw in a weird userland firewall implementation that no one expected.
[T] Swing and a miss! I grudgingly concede this prediction to you; they did add, uh, “stuff”. But it’s a huge mixed bag, and if you just look at the places where they followed OpenBSD and Windows, they failed decisively. Whatever the Wikipedia editors might want to say, Leopard ASLR is broken and irrelevant; a shellcode tweak speedbump at best. On the other hand, Apple is blazing a new trail in MAC and program sandboxing; the TrustedBSD extensions they’ve provided to lock programs into OS capabilities appear strong, and could finally give OS X a real security advantage over Win32, if Apple handles them well.
[N] You conveniently overlook the fact that I didn’t claim OSX would be more secure than Vista after the changes, only that they would add similar features. The MAC layer is already present in Darwin, just not enabled by default. It will also be interesting to see if they can do it [Allow?] in a less annoying [Allow?] way than Windows [Allow?].
[T] It’s interesting that the most effective Windows security solutions are the behind-the-scenes runtime improvements, and the most effective Apple security solutions are design-level changes. Oh, wait, no, that isn’t interesting.

Thomas: Predicted! Bruce Schneier Will Not Score A New York Times Op-Ed

[N] I’m wrong also. Schneier did not make the move to tamper resistance, but attackers did enter crypto in a big way. Xbox hackers used timing attacks against the 360, and the Mifare stream cipher was reversed with hardware techniques.
[T] This prediction was wrong just days after I made it; Schneier got an op-ed on the airport security CLEAR program on January 21. Schneier gets steadily less relevant to hard skills security every year, but I’ll make a 2009 prediction: he’s going to be angling for a role in politics.

Nate: Predicted! Zero-day exploits in client apps like Office outnumber researcher advisories

[N] Wrong. It looks like Microsoft themselves are finding the most bugs, as should any company that cares about security.
[T] Zero day clientsides increased in ’07, but organically, not exponentially. I call this a miss.

Thomas: Predicted! Drastically Fewer Windows XP/Vista Vulnerabilities

[N] Easy gimme for you. But I was also right in that 3rd-party signing would prove ineffective (example: Joanna’s ioctl flaws found in common signed drivers).
[T] I give myself no credit for predicting this. You only have to make one assumption to figure this out: money buys improved security. Nobody in the industry spends as much as Microsoft on software security. Nobody spends more directly, on third-party software security testing. Nobody spends more internally, on full-time security practitioners, researchers, engineers and trainers. And nobody spends more indirectly, bearing the cost of improved security in every stage of their release cycle. My company probably does less Microsoft work than any other top-tier independent consultancy, but you can call me out for a conflict of interest here. I repeat and amplify this prediction for 2008.

Nate: Predicted! Content producers strike back: broadcast flag legislation passes and allofmp3.com shuts down

[N] Wrong, but Germany did outlaw “hacker tools”.
[T] Here’s what I think: either Macrovision is going to step up and make Blu-Ray’s BD+ scheme a success, and we’re going to have hundreds more crappy DRM schemes, or the critical mass of studios backing off on DRM is going to result in the end of software protection. In a way, it’s too bad: software protection is a fun problem, and one of the few (maybe spam is the only other) where each side of the fight is so evenly matched. I’m watching BD+ in 2008, and I’m not telling you who I’m rooting for.
[N] The big news for 2007 is that the battle for music DRM is over. MP3 (FLAC actually) wins. I’ve refused to buy music online until I can get it in a non-lossy format. It’s too early to predict an outcome for high-def movies, but it seems already obvious that revocation alone is a bad strategy. I’m shying away from making a prediction here due to conflict of interest (I’m a co-designer of BD+) but I will say that in 2008 studios will see the value in a system that requires continual effort by hackers to break each disc versus one that doesn’t.
[T] My siblings don’t share your hatred of DRM; I don’t think Steve has ever asked himself, “what would Nate do?” (people at Matasano do all the time, though).

Thomas: Predicted! TSA Starts Checking Software On Laptops

[N] Wrong, but they did start checking lithium batteries as I hinted.
[T] I retain this prediction for ’08. If you had asked me last year, “which is more likely: a TSA malware screening of laptops due to a scare about wifi and software radios interfering with avionics, or a blanket ban on a phase of matter”, I would not have predicted the ban on the phase of matter.

[N] In summary, both of us got two right. None of our far-reaching predictions came true.
[T] I was right about the bug class. We’ll be dealing with that one for the next 5 years.
[N] We also did something different in terms of giving counter-predictions in response.
[T] I got four counter-predictions right (anti-spam — though I did not anticipate the Paulbots, Month-of-X-Bugs, Apple, and Office zero-days).
[N] I got two right (no IOS hacks, crypto attacks mainstream).
[T] I’m apparently the better predictor, but only when I’m disagreeing with someone else.
[N] I disagree?


  1. I do not share Tom’s enthusiasm for C++ bugs.
    “A huge chunk of our infrastructure was written in C++ in the mid-late ’90s, and until recently there was a mass delusion that C++ was safer than C.” The mass delusion remains, largely, fact. C++ code is mostly still safer than C code. The C++ bugs are real, but the C bugs are realerer.

    Comment by newsham — January 19, 2008 @ 2:30 pm

  2. Actually, you guys were half right on the TSA prediction. One woman (UK nationality, flying UK/US) had her laptop seized by US customs and they demanded the passwords for it so they could access the info on it. Scary times….

    Comment by Andreas — February 27, 2008 @ 4:26 pm

  3. Yeah, Tom’s been gloating about that although I like to focus on the other half (that it didn’t involve malware or an actual threat to that particular flight). :)

    Comment by Nate Lawson — February 28, 2008 @ 1:03 am

RSS feed for comments on this post.

Blog at WordPress.com.