In a recent post, I asked for a little indulgence in a game: "Anybody want to toss out their idea about what would happen if bugfinders stopped looking for bugs? What do you think the impact would be?"
Anton was nice enough to provide one in the comments:
"Well, I like SciFi, so I will play. In all likelyhood I am wrong, but then again this thing will never happen anyway…
In general, I think that some version of Thomas’s scenario will get realized (obviously, circa 200X and not 1992). Let’s assume that all white-and-light-shade-of-gray-hat folks just stopped researching and, obviously, publishing vulns. What will happen?
First, everything of value will get owned (from the pool of whatever is not 0wned now
, of course) by a few people. There will be fewer "incidents", however, as many sites won’t even know that they just got owned. They will be made aware that their IP and money are suddenly in the wrong hands. Malware will likely drop, the only worm/virus incidents (admittedly rare) will be hugely damaging as there will be no protections as reliable as current singature-based ones (anomaly-based stuff at this stage is generally less reliable; not that I am not saying that signature-based are better – only that currently they are more reliable). Script kiddies will all but vanish, left to pick up the pieces of whatever trickles from the underground.
I suspect the list of ‘advanced blackhats’ is now longer now than it was in 1992. Thus, they will be able to pretty much do whatever they want (maybe not launch ICBMs, however
Overall risk? To be honest, I dunno (Celebrate, Pete!
I find it truly remarkable that folks place no faith in human ingenuity, except on the "dark side" and actually believe that we would just let something like this happen. But I have some followup questions:
1. What characteristics about our current situation preclude this exact thing from happening today?
2. How come people won’t be able to figure out that they are 0wned (man, using that zero makes me feel so cool!)?
Btw, is there anyone out there (besides me) who disagrees with this "Doomsday Scenario"?
Update: Anton comments below that his scenario isn’t intended to be a Doomsday one. Though he does indicate some question about the change in risk level, I believe that "everything of value" being "0wned" sounds pretty Doomsday-ish to me. You can decide for yourself.
They’ll be about as effective at knowing they’re owned as they are today, which would be the problem. Don’t even need lots of experience to know the answer to that question: it’s why everyone’s so concerned about Windows rootkits, not to mention the reason rootkits were invented (around 1992) in the first place.
Hmm, I never meant to project an impression that it is a ‘doomsday scenario’ – see my comment in the end about the overall risk…
Funny you should ask:
http://www.interesting-people.org/archives/interesting-people/200406/msg00035.html
Fine, I’ll bite! This is fun discussion.
>1. What characteristics about our current
>situation preclude this exact thing from
>happening today?
On the positive side and assuming that vuln research ‘squashes bugs’ that are possessed by blackhats (at least part of the time), there is a chance of fixing the problems before they are exploited
On the negative side, current situation has too much ‘fighting noise’
>2. How come people won’t be able to figure out
>that they are 0wned?
Well, if a novel approach was used to attack you (new vuln or even a new class of vulns), you are left with a heap of evidence and a need for a bunch of skilled forensic investigators. You might be able to figure out that ‘yes, indeed you got owned’ and possibly ‘what they took’ but might be left in the dark about ‘how they did it’. At least, the latter is not a certainty.
@Chris – I do think the Rescorla paper is interesting, though there was an attempt to refute it by Andy Ozment.
@Anton -
re: your assumption that vuln researchers “squash” the bugs of black hats – isn’t that a big assumption? The only related research on software rediscovery that I’ve seen suggests that may 6-8% are rediscovered. Wouldn’t you need to take away all an attacker’s “guns” or “bullets” in order to protect against being shot? (I only need one).
re: being 0wned – I think you indicate that people would be 0wned over and over. Do you really think they would just all accept their fate forever?
All it takes to turn a black hat into a white hat is a big company offering them lots of money. If there are no volunteers looking for holes, corporations will have to buy the services of someone who can keep their site up and running.