Another Doomsday Scenario

In a recent post, I asked for a little indulgence in a game: "Anybody want to toss out their idea about what would happen if bugfinders stopped looking for bugs? What do you think the impact would be?"

Anton was nice enough to provide one in the comments:

"Well, I like SciFi, so I will play. In all likelihood I am wrong, but then again this thing will never happen anyway…

In general, I think that some version of Thomas’s scenario will get realized (obviously, circa 200X and not 1992). Let’s assume that all white-and-light-shade-of-gray-hat folks just stopped researching and, obviously, publishing vulns. What will happen?

First, everything of value will get owned (from the pool of whatever is not 0wned now :-) , of course) by a few people. There will be fewer "incidents", however, as many sites won’t even know that they just got owned. They will be made aware that their IP and money are suddenly in the wrong hands. Malware will likely drop, the only worm/virus incidents (admittedly rare) will be hugely damaging as there will be no protections as reliable as current signature-based ones (anomaly-based stuff at this stage is generally less reliable; note that I am not saying that signature-based are better – only that currently they are more reliable). Script kiddies will all but vanish, left to pick up the pieces of whatever trickles from the underground.

I suspect the list of ‘advanced blackhats’ is longer now than it was in 1992. Thus, they will be able to pretty much do whatever they want (maybe not launch ICBMs, however :-) ). With time, as software security degrades even further, more folks will be able to ‘join the club’ and share the proceeds, first owning whatever the first group did not :-) Vendors will go to fewer patches (after all, why bother?), making life simpler for some people (admins!), but complicating it for others. Backup solutions will sell like crazy, though…

Overall risk? To be honest, I dunno (Celebrate, Pete! :-) ). For folks running high-value targets, the risk will likely go up since they will lose all protections that rely on knowing about vulnerabilities e.g. NIDS, NIPS, scanners (and will keep the behavioral/anomaly-based ones). For others, it might decrease, as all the ‘hunters for low hanging fruits’ will go the way of the Dodo…"

I find it truly remarkable that folks place no faith in human ingenuity, except on the "dark side" and actually believe that we would just let something like this happen. But I have some followup questions:

1. What characteristics about our current situation preclude this exact thing from happening today?

2. How come people won’t be able to figure out that they are 0wned (man, using that zero makes me feel so cool!)?

Btw, is there anyone out there (besides me) who disagrees with this "Doomsday Scenario"?

Update: Anton comments below that his scenario isn’t intended to be a Doomsday one. Though he does indicate some question about the change in risk level, I believe that "everything of value" being "0wned" sounds pretty Doomsday-ish to me. You can decide for yourself.

6 comments for “Another Doomsday Scenario”

  1. November 2, 2005 at 8:25 am

    They’ll be about as effective at knowing they’re owned as they are today, which would be the problem. Don’t even need lots of experience to know the answer to that question: it’s why everyone’s so concerned about Windows rootkits, not to mention the reason rootkits were invented (around 1992) in the first place.

  2. November 2, 2005 at 10:23 am

    Hmm, I never meant to project an impression that it is a ‘doomsday scenario’ – see my comment in the end about the overall risk…

  3. November 2, 2005 at 12:39 pm

    Fine, I’ll bite! This is a fun discussion.

    >1. What characteristics about our current
    >situation preclude this exact thing from
    >happening today?

    On the positive side and assuming that vuln research ‘squashes bugs’ that are possessed by blackhats (at least part of the time), there is a chance of fixing the problems before they are exploited.

    On the negative side, the current situation has too much ‘fighting noise’.

    >2. How come people won’t be able to figure out
    >that they are 0wned?

    Well, if a novel approach was used to attack you (new vuln or even a new class of vulns), you are left with a heap of evidence and a need for a bunch of skilled forensic investigators. You might be able to figure out that ‘yes, indeed you got owned’ and possibly ‘what they took’ but might be left in the dark about ‘how they did it’. At least, the latter is not a certainty.

  4. Pete
    November 2, 2005 at 2:58 pm

    @Chris – I do think the Rescorla paper is interesting, though there was an attempt to refute it by Andy Ozment.

    @Anton -

    re: your assumption that vuln researchers “squash” the bugs of black hats – isn’t that a big assumption? The only related research on software rediscovery that I’ve seen suggests that maybe 6-8% are rediscovered. Wouldn’t you need to take away all an attacker’s “guns” or “bullets” in order to protect against being shot? (I only need one).

    re: being 0wned – I think you indicate that people would be 0wned over and over. Do you really think they would just all accept their fate forever?

  5. Chris Q
    November 2, 2005 at 11:42 pm

    All it takes to turn a black hat into a white hat is a big company offering them lots of money. If there are no volunteers looking for holes, corporations will have to buy the services of someone who can keep their site up and running.
