Shall We Play A Game?

Anybody want to toss out their idea about what would happen if bugfinders stopped looking for bugs? What do you think the impact would be?

Update: Thomas was nice enough to give me the benefit of his techno-elite wisdom (which, apparently I don’t have) and lower himself to my level:

Things would revert to the way they were in 1992, when, apparently, you weren’t working in security. 4 "elite" people on a closed security mailing list would know about 5-10 unpublished vulnerabilities, which they’d hold on to for 6-36 months before releasing to CERT. 10-15 very strong black hat attackers — toolsmiths, like the one who wrote Kevin Mitnick’s TCP sequencer — would know about the rest of the vulnerabilities, which they’d hold on to for 6-36 months before releasing to #hack, 6-36 months before CERT would then notice and publish.

The nice thing about — apparently — having so much more experience than you is that I don’t have to guess about this stuff.

Things are becoming clearer to me now: Thomas apparently believes that the entire world has been spinning its wheels for 13 years, with no advances in learning, no building of knowledge, no developing of new models and systems and approaches to security occurring. (Why 1992 is the "Groundhog" year in world history is beyond me, although it does apparently coincide with Thomas’ career.)

Thomas’ response indicating a wheel-spinning world partially clarifies my second question, which is:

What aspects of the scenario you describe are different from what we have today, and why do you believe this to be the case?

I do want to note one other thing: Notice how his comments don’t say anything about attacks or incidents or compromises. It simply reflects some perceived state of fear with no evidence to back it up. That is fine (heck, I believe in God) as long as you realize it is a leap of faith and not science.

2 comments for “Shall We Play A Game?”

  1. November 1, 2005 at 8:17 am

    Things would revert to the way they were in 1992, when, apparently, you weren’t working in security. 4 “elite” people on a closed security mailing list would know about 5-10 unpublished vulnerabilities, which they’d hold on to for 6-36 months before releasing to CERT. 10-15 very strong black hat attackers — toolsmiths, like the one who wrote Kevin Mitnick’s TCP sequencer — would know about the rest of the vulnerabilities, which they’d hold on to for 6-36 months before releasing to #hack, 6-36 months before CERT would then notice and publish.

    The nice thing about — apparently — having so much more experience than you is that I don’t have to guess about this stuff.

  2. November 1, 2005 at 6:15 pm

    >Anybody want to toss out their idea about what
    >would happen if bugfinders stopped looking for
    >bugs? What do you think the impact would be?

    Well, I like SciFi, so I will play. In all likelihood I am wrong, but then again this thing will never happen anyway…

    In general, I think that some version of Thomas’s scenario will get realized (obviously, circa 200X and not 1992). Let’s assume that all white-and-light-shade-of-gray-hat folks just stopped researching and, obviously, publishing vulns. What will happen?

    First, everything of value will get owned (from the pool of whatever is not 0wned now :-) , of course) by a few people. There will be fewer “incidents”, however, as many sites won’t even know that they just got owned. They will be made aware that their IP and money are suddenly in the wrong hands. Malware will likely drop, the only worm/virus incidents (admittedly rare) will be hugely damaging as there will be no protections as reliable as current signature-based ones (anomaly-based stuff at this stage is generally less reliable; not that I am saying that signature-based are better – only that currently they are more reliable). Script kiddies will all but vanish, left to pick up the pieces of whatever trickles from the underground.

    I suspect the list of ‘advanced blackhats’ is now longer than it was in 1992. Thus, they will be able to pretty much do whatever they want (maybe not launch ICBMs, however :-) ). With time, as software security degrades even further, more folks will be able to ‘join the club’ and share the proceeds, first owning whatever the first group did not :-) Vendors will go to less patches (after all, why bother?), making life simpler for some people (admins!), but complicating it for others. Backup solutions will sell like crazy, though…

    Overall risk? To be honest, I dunno (Celebrate, Pete! :-) ). For folks running high-value targets, the risk will likely go up since they will lose all protections that rely on knowing about vulnerabilities e.g. NIDS, NIPS, scanners (and will keep the behavioral/anomaly-based ones). For others, it might decrease, as all the ‘hunters for low hanging fruits’ will go the way of the Dodo…
