[ISN] Professor 'horrified' by poor security

InfoSec News isn at c4i.org
Thu Oct 28 04:31:23 EDT 2004

Forwarded from: William Knowles <wk at c4i.org>


By Edmund Tadros
October 26, 2004

Western computer systems are becoming more vulnerable to 
cyber-attacks, according to an information technology expert.

Most commercial software makers have "abrogated" their responsibility 
to create truly secure software, says Professor William Caelli, head 
of the school of software engineering and data communications at the 
Queensland University of Technology. Caelli told last week's 
Australian Institute of Professional Intelligence Officers conference 
that he was "horrified" at the thought that intelligence-related 
systems might be developed on unprotected off-the-shelf platforms.

"Under no conditions should anyone in their sane mind run intelligence 
analytical systems on a Microsoft platform," he says. He recommends 
"Solaris version eight or better" as a secure platform for 
intelligence systems and says the only way to secure a Microsoft-based 
system would be by "air gapping", or disconnecting the computer system 
completely from the internet.

"I'm talking about the problem of putting highly security-relevant 
systems on a totally insecure base," Caelli says.

He believes there is no commercial motivation for the information 
technology industry to develop truly secure systems. "The problem is, 
essentially, the (information technology) industry itself abrogated 
its responsibility relating to security some 20 years ago. Today's 
servers and client systems are less secure than (the) mainframes I 
used in the 1970s."

He says manufacturers are unlikely to improve their standards unless 
there is "some sort of legislation" to mandate security levels.

Outsourcing and moving systems offshore also increase the risk of 
cyber-attack because it is a "delegation of information security to a 
third party".

Caelli is also critical of the lack of deep technology skills being 
produced by universities, singling out the US, Japan and Australia as 
being too focused on producing "business ready" IT graduates.

"There are many cases now where (the universities) are training IT 
personnel and IT professionals who really have no idea how the 
underlying structure of their systems work."

Caelli contrasts this with the deep technology skills coming out of 
countries such as Russia, Estonia and Hungary.

"I've seen code coming out from these guys written in assembler 
language. We don't do that any more. They do. They have (the) 

He says similar skills will emerge from countries such as India, China 
and Indonesia, and warns that automated spyware will become a "major 
threat over the next five years".

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

More information about the ISN mailing list