The Good, the Bad and the Truth…
I feel I should put a bit of a disclaimer on this... I started out knowing exactly what I wanted to say... about 3/4 of the way through I was distracted. I'm also battling a nasty cold, so I'm not sure if, between the distraction and the cold, I made sense but hopefully you all understand what I want to say.
We wouldn't improve the "good things" in life if it wasn't for the "bad things"...
A lot of people would say that statement is true. They could probably pull up plenty of evidence to prove their point as well.
- People fought with wood (clubs) and rocks, until they learned they could combine the two and sharpen the rock to make spears. To counter this, people made smaller spears and attached rope to pliable wood and created the bow and arrow. To counter the club and spear in close combat as metal working was learned they created the sword... In long range fights they went from the catapult to the cannon. Then the single shot gun was introduced, then guns where you didn't have to reload, you just kept pulling the trigger. This wasn't fast enough so guns were developed that fired repeatedly just by holding the trigger down. I know.. this is a pretty crude history of weapons... but it's fairly accurate and most of the time these improvements were due to war (A "bad thing").
- Food storage is another great example... Originally you'd eat what you killed... Then as civilization set in farming began, food had to be stored... Meat was cured or salted, vegetables stored underground.. Iceboxes made it possible to store meat that wasn't cured or salted so you could have "fresh" meat for longer periods of time and then the fridge was introduced which allowed you to store all types of food... These improvements were to prevent the spoiling of food (A "bad thing").
Many people seem to think the same is true regarding computers. New versions of software are generally released for one of two reasons:
a) To introduce new functionality.
b) To fix flaws in a previous version.
I don't think anyone could argue that (a) is not driven by "bad things". It's driven by a human need to constantly improve, to increase productivity. It is (b) that introduces this belief that the bad drives the good. I disagree with this belief. I don't believe that malicious persons or actions drive the movement forward in security, I believe it's a need to explore... a curiosity.
I've heard the argument that people in IT have jobs because of viruses. I don't have my job because of a virus and I'm pretty sure the majority of you feel the same way. Generally it's people at places like Geek Squad and Nerds on Site that have jobs because of viruses, and in reality even saying their jobs exist because of viruses is incorrect... it would be more correct to say their jobs exist because of user stupidity. When I was working in System Support and System Administration, viruses weren't our focal point, viruses added to our daily tasks... they increased our workload and forced us to put in overtime. We didn't have people on staff specifically to deal with viruses.
I've also heard the argument that viruses drive vendors to release patches. I don't agree with this... but to better prove my point I decided to head over to Symantec and take a look at their "latest viruses" list.
- VirusBurst - Accompanies other Trojans.
- Trojan.Schoeberl.D - Appears as .pdf.exe (takes advantage of user stupidity).
- Downloader.Dowdec - No mention of how it "appears" on your machine.
- W32.Mobler.A - A worm that copies itself to all writeable media on the computer (including USB drives, etc.).
- W32.Bacalid - A polymorphic PE file infector that can download and execute remote files.
- Trojan.Mdropper.Q - Exploits a vulnerability in Word 2000.
- W32.Bacalid!inf - Detection for files infected with W32.Bacalid.
- W97M.Blackurs - A simple macro virus.
- W32.Bustoy - A worm that copies itself to removable storage.
That's 9 virus threats... the most recent ones according to Symantec and only one of them is going to drive a patch release.. 1/9, not the greatest odds. That means more often than not patch releases are driven by something other than viruses.
My belief is that patches and updates are driven by a need to explore. Just like man explores space and the dark abyss of the ocean, we explore the lines of code and disassembly information. Take a look at the Microsoft advisories, most of the time the information is disclosed to them by researchers, not by malicious persons. You'll see H.D. Moore, TippingPoint, eEye, David Litchfield, etc. These people are not virus authors, they aren't malicious people... they are well respected in the security community and research because of an interest, a need to explore.
I think people that say IT Professionals only exist because of viruses are naive, they don't see what goes on in the background to keep them up and running, to ensure that an organization runs smoothly. It frustrates me even more to hear a person in IT proclaim this. It's an insult to themselves and to the rest of the IT community.
Do software vendors release patches only because of pressure from businesses to protect them from malicious individuals? Highly doubtful. Is it part of the reason? Most likely. However the majority of these malicious individuals are using exploits and would fall into what the media would dub "hackers" and "crackers". I think there's more to it than that though, there's pressure to patch from a productivity standpoint. I don't want my Exchange server to crash because some misdirected traffic happened to provoke an unexpected action. That same human need to improve and increase productivity... to ensure we stay productive. Software is improved upon and bugs are fixed. Everything around us is improved upon over time, improved due to flaws or a need for a better system.
The automobile has seen a huge improvement in the last century or so. Mechanical and Structural flaws were fixed, improvements were made. We made it more convenient, more dependable, more affordable. Think of the movie October Sky, Homer Hickam and the Rocket Boys... they were kids playing with model rockets. Time and time again they fixed design flaws and made improvements until they did some pretty amazing things. It's human nature and human need.
Take the two examples I gave you at the start of this article. Weapons and Food Storage. Perhaps the arguments above would be given by the pessimists that believe human developments are driven by the "bad things"... I don't even believe that. Weapons were improved upon for hunting (a "good thing" as it provides a food source) and protection (another "good thing"). Food storage... well this was to prevent spoilage (which is a "bad thing") but for many, many years people got along just fine without a fridge (which hasn't even been around for 100 years yet)... The fridge, I believe, was just the next step in the constant need for human improvement.
Sure "bad things" can speed up research and development... that's been evident many times in history... but it can also slow down research and development... I'm pretty sure that during the world wars, when research made leaps and bounds in certain fields, environmental friendliness wasn't a large concern.
I don't think that malicious persons, or virus releases drive patch development and release processes. Sure a specific flaw (WMF for example) may cause the cycle to speed up, but even without 0-day releases and viruses... I don't believe that patch releases would slow and halt.
It's an insult to vendors to say that they only release patches because of the malicious people and it's an insult to IT professionals to say they only have jobs because of malicious people. Sure some fields wouldn't be as prevalent but that would focus more on the security community than IT as a whole. It's like saying the military wouldn't exist if not for war, and the police wouldn't exist if not for criminals... Every field is driven by a need, otherwise the job would not exist. However that need doesn't always have to be the "bad thing". The military exists for our safety as do the police (a "good thing").
Believing in the "good thing" or the "bad thing" all depends on the spin you put on it. I believe vulnerabilities and flaws are found by security researchers because they have an interest in exploring and software is their "uncharted waters". I believe that Vulnerability and Risk Management solutions exist because companies want to ensure that private data is safe, whether or not someone is looking for it. This may be a naivete on my part but I believe it's closer to the truth than a belief in all things being driven by the bad.
Good and bad will both always exist... Malicious people will always exist. Pirates... Slave Traders... War Lords... Organized Crime... Criminals... Hackers, Crackers and Virus Authors... Malicious individuals have lasted throughout time... I don't think that the bad drives the good any more than the good drives the bad... It's a competition of sorts, a constant struggle. I don't feel I'd be without a job if we suddenly eliminated all the hackers, crackers and virus authors and I'm sure there are plenty of police officers that feel they wouldn't be without a job if we suddenly eliminated all the criminals. This will never happen, so it's not something we have to worry about... but bad things don't drive good things and we'd still have improvement and "betterment" without the bad things happening.
Peace,
HT
