surrounded by reality
the things I saw along the way - Rick Keir

Friday, August 2, 2002

Goin' mobile

Amy Ray of the Indigo Girls sings "I'm in love with my mobility"* on my earphones, and it's true. It's Friday afternoon and I'm sitting on the Union Terrace, watching sailboarders and sailboats as they travel Lake Mendota in the gentle breeze. I've had two t-shirt induced conversations (I'm wearing the "The Day Microsoft Builds A Product That Doesn't Suck Is The Day They Build A Vacuum Cleaner" t-shirt), one conversation started because I'm using a wireless connection, and one conversation from someone who's just bought a Titanium iBook like mine.

I talked with some people who were here for a molecular biology conference. Several of them had wireless equipped laptops with them. None of them knew they could get access at the conference. I knew they could, because we'd gotten a request to set it up from a researcher who was bringing a demo of his latest software. But it wasn't mentioned in the conference program, nor did anyone make signs to publicize the additional access, so it remained underused. We need to get to a point where people expect wireless access in the same way they expect a working telephone.

* this is a quote from "Starkville", on the album "Become You"; of late it's been one of my favorite songs

she said, the future has just happened, and the worst is yet to come

When I did my talk at Lockdown this year, I mentioned the declining gap between publication of a vulnerability and the sighting of an exploit in the wild. This has dropped down to ten days in the case of an exploit of an Apache vulnerability on the FreeBSD operating system (a year ago I switched my test web server from Microsoft IIS to Apache, just because it was less likely to be the target of exploits).

We can expect this time to reduce to nearly 0 in the future, as worm authors prepare worms in advance, or borrow existing worm code, and simply drop in exploits as they are published. As we have already seen mail worm toolkits, we can expect similar active scanning worm toolkits. This means that the window of vulnerability between when an exploit or flaw is published, and when it is actively exploited, will quickly reduce to zero.
See Risks Digest Volume 22, Issue 15 and look for the article by Nicholas Weaver.


