Evolution is Punctuated Equilibria

In evolutionary biology, the theory of punctuated equilibria states that evolution is not a gradual process but instead consists of long periods of stasis interrupted by rapid, catastrophic change.  This is supported by fossil evidence that shows little variation within a species and new species that appear to come out of nowhere.  These changes are found to occur in small groups on the periphery of the central population, where selection pressures are higher, and often in response to changes in the external environment.  Eventually those peripheral groups replace the dominant species in an abrupt change.  While this theory has been applied to the social sciences and business, it also applies to Internet security.

In the late 80’s, it was the “summer of love” era on the Internet.  Research institutions and universities were freely connecting to each other in a way that would make anyone of modern Internet sensibilities blush.  Internet sites regularly engaged in risky behavior, including exchanging traffic without a firewall to protect against accidental infections (as such things were rare in those days).  Most users used weak passwords and some (Richard Stallman, notably) used none at all.  And then, just like in the Guns N’ Roses music video, the party was unceremoniously ended in the sudden cold November rain.  The Morris Worm swept through the Internet, taking machines down faster than anyone could imagine.  The era of innocence and non-disclosure of security vulnerabilities on the Internet had come to a close.

After the Internet worm, a variety of organizations were quickly established in order to track and address vulnerabilities in the Internet infrastructure.  The Computer Emergency Response Team (CERT) was established to handle any similar situations, and a variety of mailing lists such as Phage, the Zardoz Security Digest, and the Core Security Mailing List were established to discuss and track security vulnerabilities.  All of these lists and groups, however, were closed communities, and the CERT security advisories were light on details for fear that revealing full details would enable attackers.  Thus began the era of partial disclosure of security vulnerabilities.

A small full-disclosure movement began to grow on the periphery of the Internet.  This community believed that CERT was doing the community a disservice by neither pressuring vendors to address vulnerabilities nor revealing full information: without the details, system administrators could not determine whether they were vulnerable, or whether they should take the potentially disruptive risk of patching.  With full disclosure, all parties are notified of the vulnerability at the same time.  Vendors are pressured to address serious vulnerabilities quickly, and users have enough information to decide whether they should work around the vulnerability and/or apply the patch when it becomes available.  This community was centered around the Bugtraq mailing list.  It grew quickly through the mid 90’s and early 2000’s until full disclosure became the dominant method of vulnerability disclosure on the Internet.

If the late 80’s was the era of free love on the Internet, the late 90’s and early 2000’s was the era of free exploits.  Fully working exploits for serious vulnerabilities were regularly published on Bugtraq, often as part of the disclosure of the vulnerability.  These were often remote privileged code execution exploits in serious Internet infrastructure like BIND, SSH, NCSA HTTPD, Sendmail, and Apache.  These exploits allowed administrators to easily test whether they were vulnerable: if they ran the exploit and got a remote shell, they were definitely vulnerable.  Similarly, if someone wanted to take joyrides on the Internet, all they had to do was subscribe to Bugtraq, wait for an exploit to be posted, and then start scanning for vulnerable machines.  Thus were “script kiddies” born.  This environment continued through the early 2000’s.

The early to mid-2000’s could be considered the hangover from the free love 80’s and free exploit 90’s of the Internet.  Instead of Internet worms being a one-time event, they became an almost regular occurrence with ILOVEYOU (May 4, 2000), Code Red (July 13, 2001), Code Red II (August 4, 2001), Nimda (September 18, 2001), SQL Slammer (January 24, 2003), Blaster (August 12, 2003), and many others in between.  Many of these worms used exploits that had been posted publicly to Bugtraq to spread.  Clearly something was not right.  This onslaught of Internet-crippling worm outbreaks quickly brought about several evolutions in Internet security: “responsible” disclosure, the home router firewall, and Microsoft’s Security Push and Secure Development Lifecycle (SDL).  It was no longer enough to respond to security vulnerabilities and incidents as they happened; Internet security required proactive measures to protect against future disasters.

From 2003 until roughly the present, “responsible” disclosure and the duality of offensive security research and defensive security products have driven the security industry forward.  Security researchers have investigated and discovered volumes of security weaknesses, vulnerabilities, and attacks.  All of these have required security patches, restructuring, and risk mitigating technologies née product opportunities: anti-virus, firewalls, intrusion detection/prevention, patch management, etc.  Hundreds of vulnerabilities have been “responsibly” disclosed and patched.  Patching has become a monthly Shamanistic ritual for most IT departments.  There are now defensive security products to defend against every possible perceived security threat (imagined and real).

With all of this, Internet malware has only become more prevalent on users’ systems.  The United States Departments of Commerce, State, and Defense, have sustained targeted attacks and on multiple occasions detected large amounts of sensitive information being remotely extracted from their networks.  There is a serious DNS cache poisoning vulnerability that currently affects 50% of the nameservers on the Internet, almost a month after the issue has been disclosed throughout the tech and mainstream media and a week after a highly-effective exploit for it has been publicly released.  The Internet security community is holding its breath waiting for (hoping for?) widespread attacks, perhaps to justify their continued existence.

Clearly, we are not any closer to securing the Internet, if that is even possible.  If anything, the dangers on the Internet have gotten worse as the malicious actors have changed from joyriding teenagers to Internet worms to espionage and organized crime.  Right now, Internet security is due for another period of rapid change.

UPDATE @ 20080729: As pointed out in the comments below, the “cybercrime is bigger than drugs” figure is bogus.  I have removed it and instead used a reference to Microsoft’s latest Security Intelligence Report showing a general growth in malware.


  1. Utility / Cloud will not take over but drive price comparison in internal IT shops. Atomic metrics must have abstract units or dollar costs associated.

    It is nuts. It is scary. Breeding out the ‘old guard’ will happen also, as it’s a social and geo-political problem. Incentives and penalties will need to be introduced per country. Once RIRs get auth and sBGP, DNSSEC happens we may look at penalising entities. Virtual hosts, servers, networks and storage will also drive fluidity yet static nature of ‘virtual nodes’ transacting with each other.

    Just a thought…

  2. Kinda updated this here, mebad http://bsdosx.blogspot.com/2008/07/future-shock-security-20.html .. anyway, fun and games.

  3. I found this quote from the Stallman talk pretty funny:

    “But for us, when an outsider started to change the system programs, that meant he was showing a real interest in becoming a contributing member of the community.”

    I think he’d find things have changed slightly these days. Then again, I guess it depends on his definition of ‘community’ and ‘contributing.’

    +5 points for including Lopatic’s NCSA exploit. He’ll find this in two months when ego-surfing and smile to himself. Hey Thomas! :>

  4. Good post. Concise history, and well told.

    Two small quibbles: you might’ve included Marcus Ranum’s 2000 Black Hat talk as the clarion blast that foreshadowed the “responsible disclosure” movement — it pre-dated the OIS by two years, and Microsoft’s SDL by about a year-and-a-half.

    Also, the “global cybercrime is more profitable than the illicit drug trade” meme is without basis in fact. Ryan Paul debunks that notion here: http://arstechnica.com/news.ars/post/20051129-5648.html (That said, cybercrime is indeed a good business to be in, even if it doesn’t generate as much revenue as drugs. It is almost certainly more profitable.)

  5. @AndrewJaquith
    Thanks for the comments. You are totally right about the cybercrime/drug meme and I have removed that reference from the post.

    As for Ranum’s talk, I didn’t agree with him when I saw it at BH 2000, nor do I agree with it now. He had been saying the same thing about full disclosure since 1998 or so. Script kiddies suck, but they were nothing compared to today’s malware/cybercrime threat. Did the IIS WebDAV, WMF, ANI, or the Microsoft Word doc exploits that popped the State Department come from Bugtraq? No. These attackers are finding their own vulnerabilities and writing their own exploits and tools. And they aren’t so kind as to share them on a public mailing list, let alone inform the vendor and responsibly disclose.

    Pre-cybercrime hacking by skilled underground groups, full-disclosure, and script kiddies were all part of the wake-up call that the Internet slept through. Why did no one think that something was seriously wrong when teenagers were breaking into government agencies? Were those specific teenagers the problem? Or the fact that teenagers could break into the DoD over the Internet? I think the latter.

    That is part of the reason why the current state of Internet security can best be described as damage control. More on this in a future blog rant.

  6. First of all re: MS, it’s properly spelled “Security Putsch”. =)

    I like Marcus as a human being, if for nothing else, for his awesome side work as a fetish photog, but I’ve watched and read several of the anti-disclosure rants as well, and they just don’t compute.

    If nothing else, the history above shows that both approaches have been tried, and neither have made much of difference. Looking to the next evolutionary leap forward out there somewhere.

  7. @dino
    Great article! Minor comments: skript kiddies pre-date Bugtraq (or at least they can be traced to independent sources of “skripts”). They used to get their warez by trading with others that in turn obtained them from leaks or break-ins to systems of those subscribed to the closed-group mailing lists like Zardoz and Core. This was described in Suelette Dreyfus and Julian Assange’s book “Underground” (http://reactor-core.org/underground.html).
    BTW as the original post indicated the SSH exploit posted to the Bugtraq mailing list was “skript-kiddie proof”, it did not work out-of-the-box unless you knew what you were doing.

  8. @Ivan

    Oh man, I totally remember trying to find the magic bit that was broken in exploits on Bugtraq back then. It at least motivated me to learn enough C to get things to compile, so I suppose it was a good public service. =)

  9. Wow, Dino, my first reading from your blog (referred by Google Reader) and I must wonder, are you an old geezer like me that remembers the history of malware on the Internet from personal experience or do you, unlike everyone else, actually learn from history?

    What a terrific post to read first from your blog.

  10. @Kent

    Thanks. I am not yet an old geezer, just a curmudgeonly late 20-something who wasted too much of his youth on the Internet. I’ve been on the Internet since ’93, so I did get to see some of the fun. But now the Internet is SERIOUS BUSINESS.
