- Security 1.0
- Web 2.0
- Attacker 3.0
To that might I add the following:
- Government -1.0
- User 0.5
- Application Developer 2.5
What do I mean by all of this?
- Government -1.0: in general, hopelessly clueless legislation leads to worse security than without such legislation -- often due to unintended consequences
- User 0.5: users are largely unaware and essentially helpless, but I wouldn't expect them to improve -- I'm not an automobile designer or electrical engineer, yet I can drive my car and watch TV
- Security 1.0: security tools and techniques are just about good enough to address yesterday's attacks
- Web 2.0: this is what is here, with more on the way -- essentially indefensible applications all running over port 80 TCP (or at least HTTP) that no developer really understands and for which no one takes responsibility
- Application Developer 2.5: by this I do not mean developers are ahead of anyone with respect to security; rather, they are introducing new features and capabilities without regard to security, thereby exposing vulnerabilities no one (except intruders and some security researchers) really understand
- Attacker 3.0: in Tao I said because some intruders are smarter than us and unpredictable, prevention eventually fails -- it's more true now than ever
The only way I know to deal with this problem is to stay aware of it through monitoring and to deter, prosecute, and incarcerate threats. Without Attacker 3.0 free to exploit at will without fear of attribution and retribution, I care less about these problems.