Security Quiz: Test Your Security IQ

Posted in Security, Software Security by Dragan Pleskonjic @ Oct 30, 2008

Michael Howard and Bryan Sullivan wrote a couple of articles for this month’s MSDN Magazine. One of them is Test Your Security IQ. It’s a chance for you to take the challenge.


Will machine intelligence be used for attacks as well?

Posted in Security, Security Research, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Oct 26, 2008

I have worked for some time on using artificial intelligence (AI) to protect computer and information systems and networks. My work is primarily in the area of intrusion prevention and detection systems (IDS and IPS). Some of this work and papers in this area have been published in journals and at technical conferences. Also, I believe that there is much more to come in the future.

But there is another angle to AI utilization: an approach that considers using machine intelligence to attack systems’ security. An interesting article in IEEE Security and Privacy Magazine, by Carl E. Landwehr from the University of Maryland, talks about this topic and says:

Ray Kurzweil predicts that by 2040 or 2050, machine intelligence will exceed human intelligence – an event he and others have dubbed the “singularity”. Will such intelligent machines be better able to defend themselves than today’s relatively unsophisticated ones? Will their intelligence be used for attacks as well??

It is possible that, in the future, we will have a chance to see artificial intelligence systems that are able to fight. On one side will be AI systems that attack, and on the other AI-supported systems in a protection role, providing security.

Full citation of the article: Carl E. Landwehr, “Cybersecurity and Artificial Intelligence: From Fixing the Plumbing to Smart Water,” IEEE Security and Privacy, vol. 6, no. 5, pp. 3-4, Sep/Oct, 2008.

Note: The article is available with a subscription or can be bought as a PDF.


Edgios, or will the new Google come from Serbia!?

Posted in General, Internet Security, Privacy, Security, Security Research, Software Security by Dragan Pleskonjic @ Oct 20, 2008

It might happen even in the middle of the world’s financial crisis. We should wait and see. Or not just wait: you can actually contribute to the new search engine. To contribute, you just install the free software and use it. Its name is Edgios, and the software is in the Alpha stage.

Edgios has already got a lot of publicity on Web sites and discussion forums. It is a large-scale distributed search ‘cloud’ that offers higher-quality search results. Users participate in the cloud by downloading the Edgios personal search software, and connecting that software to the net.

A recent discussion on one of the most important developers’ forums in Serbia raised many questions about Edgios. Some participants questioned the idea and the concept, and many raised privacy and security concerns as well. Also, it seems that many people are scared by Google and Yahoo and have no courage to question their solutions and to start something that may compete with the big ones. It can be successful or not, but it is worth a try at least, especially if you have a famous venture capital firm to back your ideas. If it is the one that backed Skype, then it is more serious.

Some of the questions raised in the discussion are: Is it secure? Is it safe? The authors say:

Yes! That’s exactly the point. By having the Edgios personal search client on your computer, you’re in control of what you share and what you keep private. Traditional search engines keep much more information than you might expect, and they hang onto it for a long time. With Edgios, you’re in control.

I would add: do you know what Google or other search engines know about you already? Have you asked yourself that question?

Here are some facts taken from the Edgios Web site about the company:

Edgios is a US company, based in Palo Alto, CA. The company is backed by Draper Fisher Jurvetson (DFJ), a premier Venture Capital firm based in Menlo Park, CA. DFJ shares with Edgios a passion for distributed computing, having backed Skype, the most successful P2P startup to date. Edgios has additional offices in Portland, OR, and in Serbia.

About the founder:

The company has very strong connections with Serbia, having been founded by Dr. Borislav Agapiev, who grew up in Belgrade before moving to the US in 1985. The technology that makes Edgios possible has been developed entirely in Serbia, by a team of extremely talented and bright young developers. The entire team is proud of demonstrating that world-class search technology can be developed in Serbia, relying on the deep talent pool of local developers.

Edgios is Dr. Agapiev’s second search startup. He was also the founder of Vast.com, a San Francisco-based search engine for online classifieds. Vast.com is a leader in the online classifieds market, reaching millions of customers in the US and worldwide, having as partners and customers several large US companies. From its start, Vast.com has also been relying on Serbian engineers for technology development and innovation.

About the search mechanism:

Edgios does not use a centralized search index of the Web, located in a massive data center, fed by an algorithmic ‘crawler’. Instead, it has an index that’s built by users, for users, and it employs a fully distributed index residing in memory and on the disks of computers that are part of the search cloud. The power of a fully decentralized, distributed search system is dependent on the number of its users. We believe that with just a few hundred thousand users that the Edgios search cloud is capable of surpassing conventional search engines, in terms of freshness, depth, and quality of search results.

It will be interesting to watch the progress of this story and, why not, to be part of it.

Will the crisis in the financial sector affect tech and security?

Posted in General, Polls, Security by Dragan Pleskonjic @ Oct 18, 2008

The financial crisis is going to spill over from the financial sector into the real sector. It can result in a slowdown, less spending on technology, a higher unemployment rate, etc. It can also result in growth in the use of open source, cloud computing and virtualization technology as consumers cut back on their “discretionary” purchases while businesses, strapped for credit (because banks won’t have it to lend), decide to make the best of what they’ve got and squeeze the last possible drops of life from the hardware they have, while reducing costs on software as far as possible.

The security business will certainly be affected. Many managers consider this spending as something that does not give a proper ROI (return on investment). The effects of improper security processes, services and products are usually seen only as a negative reference. Management will not prize the people and teams responsible for security based on what could have happened but did not happen because you implemented proper security processes, mechanisms, policies, products and services. But in case of a security incident you will get negative publicity. It is a role similar to that of a goalkeeper in a football team.

Security researchers and developers will certainly face a cut in funds for this purpose at the first sign of the crisis spilling over from the financial sector into the so-called real sector.

Is that good? It definitely is not.

In vulnerable systems, which are more than 90% of the systems in use at present, this will open new holes. The financial sector will be strongly affected. With confidence in that industry already ruined, a lack of proper security in the future will continue the degradation and eventually result in lost confidence in the sector. This is going to lead to new problems.

Some tradeoff should be found: a tradeoff between necessary spending and mechanisms, products and services that can provide better security for less money.

Another view on the effect of the economic crisis on tech sector spending can be seen here. It says:

Meanwhile, for those aiming to start technology businesses, it might – ironically enough – be slightly easier than before to get venture capital cash. That’s because the people who have money need to find somewhere to invest it. Gold? Oil? US Treasury bonds? All are a rollercoaster right now. Finding a company with a really good idea and business plan – preferably not reliant only on advertising – looks, by contrast, like an excellent way to make money. After all, in 1976, when Apple was founded, US unemployment was 8.5% and inflation was 8.9%; at present the comparable numbers are 6.1% and 5.4%. But of course in 1976 the US was coming out of recession. Now? It’s anyone’s guess how bad it will get.

The squeeze will also push companies towards open-source models, since those don’t require expensive licenses or expensive support. That could be a threat to Microsoft and other big ones.

I would say that this is a good chance for clever and bright people with good ideas to create the next big things. Or, said in different words: some will take the crisis as a problem, others as a challenge and an opportunity. It is time to consider the next big move.

As a result of this crisis, we can expect not only problems but also some good outcomes. Every crisis teaches us something and makes us stronger.

So, back to the question in the title of the post. The answer is: yes, it is almost certain now. We still don’t know the level and impact. But the impact doesn’t have to be only negative. It can have positive outcomes as well.

Update on October 19, 2008: I’ve added the question from the title as a poll with three possible answers:

  • Yes
  • No
  • I don’t know

I would like to hear your opinion on this topic.