Well, I was catching up on my Google Reader and ran into this post by Chris Gates/Carnal Ownage, an acquaintance from security cons: http://carnal0wnage.blogspot.com/2009/11/past-present-and-future-of-security-and.html. I agree with a key tenet shown throughout these clips: security researchers tend to forget the lessons they learned last year and move on to the next fad (i.e. from virtualization to iPhones).
December 8th, 2009
I know it’s not like we can just come up with a security framework, but as Bruce Potter wrote in his article in Security & Privacy this month, “High Times for Trusted Computing”, we need a better understanding of what is allowed to run on our computers. UAC didn’t work. The browser continues to be exploitable, so what will we have to do to really have control over what runs on our systems?
Another excellent point FX makes is that the adults and gurus in the security industry need to take more of an interest in training their successors. I agree with this. I teach at a university, and while the students I see didn’t grow up building computers, they did learn most of what’s important inside one. The difference is that an education in IT is much more easily obtained these days, but there’s no way that can replace the interest of a 15-year-old plugging away in their bedroom, drawn by the appeal of controlling some really powerful computers. (Don’t get me wrong… I do see some of them.) What’s the answer to get the kids thinking more like hackers? Nearly everything that’s a great learning experience into how things work, from a “what a teenager has access to” perspective, is frowned upon these days (modding your iPhone, your XBox — at least Sony encourages some PSP and PS3 modding).
Another point brought up was a perception of the futility of pen testing. I feel pen testing has its place, and you need to be a smart cookie to be effective at it. The problem is you have rules of engagement. You can only attack what they want you to. You don’t have the ability — like the bad guys — to actually attack anything you want or can. Chris Nickerson does a great job of thinking outside the box on this topic.
I see the next generation of hackers coming from a grassroots movement: a combination of the internet, hackerspaces and similar venues, and a willingness of adults to take the time to be role models and transfer some of their knowledge to the next generation of kids getting ready to enter the field. By the time companies realize they need this breed of kid, though, it may already be too late… unless we drastically change our security paradigms and ways of thinking about how we compute (TPM?) and how we approach securing ourselves.