Plus ça change, plus c'est la même chose (the more things change, the more they stay the same).
I just jumped off the last train from Paris. I enjoyed myself for a full week in one of Europe's most beautiful cities. What can I say, it was a nice journey in a city that really sparked my imagination and provoked a lot of thoughts. One thought was about change: how things can change but remain the same. I guess that is how things work, especially in hacking, because it is clear to me that we are undergoing a big change in security and hacking and in how the two interact. If you witnessed the early days of hacking, you would notice a clear pattern. This pattern is repeating itself, but instead of network security and hacking, the pattern has shifted into the application layer.
Many old school hackers thought that hacking died when network security came. And a lot of those old school hackers made the change from network hacking to network security. Little did they know about the present day. Today, the web application layer shows the same kind of curve, and it's easy to tell what is going to happen in the coming years. It dawned upon me that we are now in the phase where everyone is becoming aware of what is possible in the application layer. We now know that even more is possible than ever before. Granted, it has also become harder to hack a server in some ways. But the shift from complete network security to complete web application security still has to come. So I ask you, what will be next? What does your imagination tell you? I presumed long ago that the interconnectivity of the Internet would be its biggest blessing and its biggest curse. We traded security for luxury and usability. You can secure something, but it will limit you a great deal. Since progress demands that things become more complex, some say that security will be thrown off like tight shackles and risks will be taken, or that we will move along the lines of the so-called trade-off. But it is a huge misconception to evaluate this trade-off by comparing the Internet to the real world.
Some time ago I read "Secrets and Lies" by Bruce Schneier, in which he compares the real world with the Internet. I think that he is mistaken. You cannot compare the Internet to the real world, because I cannot automate safe-cracking, whereas I can on the Internet. I cannot automate stealing everyone's personal files from his or her desk; I can do this on the Internet. I cannot automate the shutdown of many social meeting places in the real world; I can do this on the Internet due to its massive interconnectivity. It's easier, and it can be automated, on the Internet. Your safety is in the hands of individuals who can obtain absolute power on the Internet.
My guess is that in the next 2 to 5 years people will master application security just like we did with network security. This means that fewer servers or services can be hacked in the future, thanks to current research and the massive attacks that are being performed. This seems a comfortable idea, but sadly it will be momentary. When we solve application security, another group will stand up and overthrow the secure mindset we've obtained. We simply cannot let that happen. But how do you foretell the future? Well, you can foretell future problems when you envisage a certain risk. Application hacking could have been foretold in the past if the hackers back then hadn't dismissed it. The difference between hacking a box with telnet and the sheer massive application hacks of today is bounded only by the limited imagination of people back then.
My guess is that if we want to stop criminal hacking, we have to change our complete perception of the Internet. We have to limit ourselves in our luxurious Internet lifestyle. The only way to resolve it is to create an environment that doesn't interest criminal hackers, instead of merely making things more difficult for them, because they will succeed if they want to. That means you have to use some common sense and not store personal or sensitive data that can be stolen in an automated, massive fashion. Take away the prize and there is nothing to gain. Is there really a need to store your whole life online? If so, be prepared to treat it as public information.
Envisage about 10 years from now, when every single bit of your life could be publicly available, correlated, and maybe used against you. Tell me, is that freedom?