What if they all stop? Musings on vulnerability research

by Anton Chuvakin

Related link: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/11/another_doomsd…



Can one man change the world of security? Pete Lindstrom's quest to "eliminate" vulnerability research seems to suggest 'no' :-)


Here is some of the discussion that took place on his blog after he posted a challenge to describe a fictitious scenario: 'what would happen if all whitehat vulnerability discovery stopped, as if by magic?'



>Anybody want to toss out their idea about what would happen if bugfinders stopped looking for bugs? What do you think the impact would be?


In brief, I said the following:


"Well, I like SciFi, so I will play. In all likelihood I am wrong, but then again this thing will never happen anyway...



In general, I think that some version of Thomas's scenario will get realized (obviously, circa 200X and not 1992). Let's assume that all white-and-light-shade-of-gray-hat folks just stopped researching and, obviously, publishing vulns. What will happen?



First, everything of value will get owned (from the pool of whatever is not 0wned now :-), of course) by a few people. There will be fewer "incidents", however, as many sites won't even know that they just got owned. They will be made aware that their IP and money are suddenly in the wrong hands. Malware will likely drop; the only worm/virus incidents (admittedly rare) will be hugely damaging as there will be no protections as reliable as current signature-based ones (anomaly-based stuff at this stage is generally less reliable; not that I am saying that signature-based are better - only that currently they are more reliable). Script kiddies will all but vanish, left to pick up the pieces of whatever trickles from the underground.



I suspect the list of 'advanced blackhats' is longer now than it was in 1992. Thus, they will be able to pretty much do whatever they want (maybe not launch ICBMs, however :-)). With time, as software security degrades even further, more folks will be able to 'join the club' and share the proceeds, first owning whatever the first group did not :-) Vendors will go to fewer patches (after all, why bother?), making life simpler for some people (admins!), but complicating it for others. Backup solutions will sell like crazy, though...



Overall risk? To be honest, I dunno (Celebrate, Pete! :-)). For folks running high-value targets, the risk will likely go up since they will lose all protections that rely on knowing about vulnerabilities e.g. NIDS, NIPS, scanners (and will keep the behavioral/anomaly-based ones). For others, it might decrease, as all the 'hunters for low hanging fruits' will go the way of the Dodo..."


Discussion still continues...