The security industry has undergone massive changes in the last 15 years, and in some cases it’s hard to imagine what things would be like had these events not taken place. Think of a world in which Google focuses on security and privacy and Microsoft never started Trustworthy Computing, and you get the idea.
So, having spent an inordinate amount of time thinking about these kinds of scenarios for no good reason, here are five completely random what-ifs from the last few years of the security industry. Have a better alternate scenario? Leave it in the comments.
What if George Bush had implemented the National Strategy?
What happened: In the months after the 9/11 attacks, Bush ordered Richard Clarke and the rest of his President’s Critical Infrastructure Protection Board to develop a comprehensive plan for shoring up the security of the country’s networks. It took more than a year and a lot of public and private screaming matches, but the report finally appeared on Valentine’s Day 2003. It was immediately criticized for being overly broad and lacking specific guidance for addressing existing problems. But all of that was soon forgotten, as the U.S. invaded Iraq five weeks later. The intelligence and security agencies turned all of their attention to the new war and the National Strategy to Secure Cyberspace was put on a shelf, where it has sat, virtually untouched ever since. Even after the wars in Iraq and Afghanistan had settled down, relatively speaking, Bush paid virtually no attention to the problem of information security, relegating it to a DHS backwater instead of keeping it in the White House, where it had been previously.
What might have been: Had Bush taken the National Strategy seriously and used it as the foundation for a comprehensive overhaul and upgrade of the country’s critical infrastructure systems, we might be in a drastically different situation than we are now. The government moves slowly, but seven years is more than enough time to make some serious progress, even in Washington. The strategy was by no means perfect, but imagine if the Bush administration had focused on just one of the five priorities: establishing a national cyber security cooperation system to help prevent national-level attacks. How much progress could they have made on that since 2003? If such a system had been in place, it would have been easier for Google, or for the companies hit by the recent targeted attacks tied to a massive botnet, to share intelligence with each other and with the appropriate government and law enforcement agencies. Instead, little progress was made on any of the priorities and the Obama administration has essentially started over. The U.S. could have been a model for other countries on how law enforcement, government agencies, security vendors and the private sector can work together on intelligence-sharing, cross-referencing threats and building effective defenses. We could have had one, or maybe two, long-serving cybersecurity advisers empowered with the authority, budget and personnel needed to truly effect change. Had Bush made cybersecurity a priority, the adviser would have been a major player in the administration, and Congress would have paid far more attention to the issue than it has, perhaps leading to a national data-breach notification law.
What if Symantec hadn’t bought @stake?
What happened: When news hit in fall 2004 that @stake had been acquired, it was no surprise. The pioneering security consulting and research firm had been hemorrhaging talent for more than a year and its financial backers were growing impatient, looking for some sort of return on their investment. The only surprise was that Symantec was the buyer. It was widely rumored at the time that one of the major consulting firms was going to buy @stake. But instead, John Thompson swooped in, seeing the acquisition as a quick and easy way to build a powerhouse security services business. That never happened. Many of the well-known @stake consultants and researchers left as soon as they could and Symantec was left with little to show for its (undisclosed) investment.
What might have been: If @stake’s management hadn’t found a buyer soon, the company might have had a tough road ahead of it. A good amount of the big-name talent had already left by the time of the acquisition: Mudge, Dave Aitel, David Litchfield, Joe Grand, not to mention CTO Dan Geer, who was famously fired for publicly criticizing Microsoft. The collection of application security talent that @stake had assembled was, and probably still is, unprecedented. But that worked against them by the end, because there was almost no one left for them to hire and their consultants were already rapidly reaching burnout. So without the Symantec acquisition, it might have been a slow, painful deterioration for @stake. Several of its former employees had started their own firms and were competing for the same clients. For Symantec, the acquisition made almost no difference. Within three months of buying @stake, the company paid $13.5 billion for Veritas, which took up virtually all of the company’s focus for more than a year.
The view of someone who was there: Chris Wysopal, Veracode, and former director of R&D at @stake
“If Symantec hadn’t bought @stake and the company was able to survive as an independent entity the @stake team would be much more intact. Some employees leave over time as their careers progress beyond consulting but other talented security people join to fill their spots. Many individuals that make up the @stake alumni list at other security companies such as Veracode, iSec Partners, Matasano, and Leviathan stay at @stake. It is still a high end security consulting powerhouse. The technology and founding team behind Veracode which enables SaaS application security review service stays part of @stake. With the huge growth in demand over 2010-11 for application security services, both automated and manual, @stake goes public in 2012.”
What if Google focused on security and privacy?
What happened: Google owns the Internet. This is not literally true, but it is true for practical purposes. If you want to use the Internet, you have to make a concerted, sustained effort not to use any of Google’s products or services. The company’s business is built on gathering as much data about its users as possible, and it is frighteningly good at this process. Google reads your Gmail messages looking for keywords it can use to serve you ads. Google records your search activity to more efficiently serve you ads. Google auto-enrolled every Gmail user in its Buzz service without consent. And those are the things we know about. Some people have the impression that Google is a benevolent ruler, giving us all free services such as Gmail, YouTube and Google Apps out of the goodness of its heart. No. Google is a business, and a very efficient one at that. It is essentially the world’s largest ad agency and its customers pay good money for access to Google’s users.
What might have been: If Google had designed its products and services with privacy and security in mind from the beginning, it would be a far less powerful and successful company. Gmail has succeeded in large part because it is simple, intuitive and, most importantly, free. If Google removed the ads, Gmail either would be a paid service or it wouldn’t exist. It’s that simple. The same is true of Google search. No ads and no data mining means no free search. In this alternate universe, Microsoft likely would have the upper hand in search, webmail and other online services. Because it has so many other revenue streams, Microsoft can afford to provide these services for free without selling ads against them. And because Microsoft took its hits on security and privacy years ago and has learned many of its lessons since then, users might be better off. This is not to say that Microsoft doesn’t collect data on its users and analyze it every which way from Sunday, because it does. But security and privacy matter at Microsoft in a way that it isn’t clear they do at Google. (For the record, yes, I understand that Google and Microsoft are being held to different standards here. That’s the point.) My colleague Ryan Naraine contends that Google could make a huge difference in desktop security simply by pushing patches for Flash to YouTube users. This needs to happen. Who’s against this?
What if Aleph1 hadn’t written “Smashing the Stack for Fun and Profit”?
What happened: In 1996 Elias Levy, a security researcher better known as Aleph1, published a paper called “Smashing the Stack for Fun and Profit” in issue 49 of Phrack magazine. At the time, Levy was the moderator of Bugtraq, and his paper caused a huge stir in the security community. It was essentially the first paper to provide a detailed, step-by-step explanation of how to exploit a stack buffer overflow: overrun a fixed-size local buffer, overwrite the saved return address above it, and redirect execution into attacker-supplied code. Buffer overflows were a very common programming error that would later become the bane of every Microsoft developer. Levy’s paper didn’t introduce the concept of memory corruption attacks; they had been known publicly since at least 1988, when the Morris worm exploited one in fingerd. (Think of Levy’s paper as the “Fear of a Black Planet” to the Morris worm’s “The Message.”) And there had been a series of buffer overflow flaws in Unix applications in the mid-1990s that had brought the problem into the spotlight. But Levy’s paper is considered by many researchers to be the seminal work of its kind, and it’s possible to draw a direct line from “Smashing the Stack” through the work done by the L0pht, Litchfield, Tom Ptacek, Dave Goldsmith, Aitel, Mark Dowd, Dino Dai Zovi, Alex Sotirov and dozens of other current researchers.
What might have been: This one is virtually impossible to predict because of the broad influence that the paper has had on security research, software development, exploitation techniques and defenses. Entire companies were started expressly to defend against buffer overflows. But if Levy hadn’t written the paper when he did, someone else would have done it sooner or later. Buffer overflows had been a problem for years before Levy’s paper hit, but no one had really articulated exactly what a devious mind could do with them until then. So without Levy’s paper, exploitation of buffer overflows might have remained an ad hoc, underground practice. Understanding of the technique might not have become as widespread as it did after Levy’s paper was published, and so attacks such as Code Red, which exploited a buffer overflow in IIS, and Nimda, which spread partly through the backdoors Code Red II had left behind, might not have happened, or at least might not have been as effective as they were. Those huge, news-making attacks were also a big part of the back story of what prompted Bill Gates to write his famous Trustworthy Computing memo (see below), the Magna Carta of Microsoft’s huge company-wide effort to improve the security of its products. Pressure from huge enterprise customers who had been affected by these worms and other attacks exploiting serious flaws in Windows, IIS, IE and Outlook was a major factor in this chain of events. So, without Levy’s paper and the subsequent flood of buffer overflow exploitation, perhaps that pressure doesn’t build as quickly and Microsoft doesn’t make its huge TC push, or, at a minimum, it’s delayed for several years until things inevitably pile up on them.
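As an added illustration, not code from the original post or from Levy’s paper, here is a small C model of the mechanism the paper describes. Rather than smash a real stack (which a modern compiler’s stack protector would abort and which is undefined behaviour anyway), it lays out one 32-bit frame as a byte array: a 16-byte local buffer, then the saved frame pointer, then the saved return address. The offsets, the two “original” saved values and the 0xDEADBEEF target address are assumptions chosen for illustration. An unbounded, strcpy-style copy walks straight through the buffer into the saved return address; a copy bounded by the destination size does not.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one 32-bit frame, laid out the way the paper draws it: the local
 * buffer sits at the lowest address, then the saved frame pointer, then the
 * saved return address. The stack grows down, so a copy that runs past the
 * end of the buffer walks upward into the two saved words. Offsets and the
 * "original" values below are assumptions chosen for illustration. */
enum { BUF_SIZE = 16, FP_OFF = BUF_SIZE, RET_OFF = BUF_SIZE + 4, FRAME_SIZE = BUF_SIZE + 8 };

#define ORIG_FP  0xBFFFF8F0u   /* assumed saved frame pointer */
#define ORIG_RET 0x08048400u   /* assumed saved return address */

static void write_u32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (unsigned char)(v >> (8 * i));   /* little-endian */
}

static uint32_t read_u32(const unsigned char *p)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* Reset the model frame to its pristine state. */
void init_frame(unsigned char *frame)
{
    memset(frame, 0, FRAME_SIZE);
    write_u32(frame + FP_OFF, ORIG_FP);
    write_u32(frame + RET_OFF, ORIG_RET);
}

/* The bug: a strcpy-style copy that stops at the terminating NUL rather than
 * at the end of the destination. Returns the saved return address as it
 * stands after the copy, i.e. where the function would "return" to. The
 * clamp to FRAME_SIZE only keeps this model inside its array; on a real
 * stack nothing stops the copy. */
uint32_t vulnerable_copy(const char *input, unsigned char *frame)
{
    size_t n = strlen(input);
    if (n > FRAME_SIZE)
        n = FRAME_SIZE;
    memcpy(frame, input, n);
    return read_u32(frame + RET_OFF);
}

/* The fix: bound the copy by the destination size (strlcpy semantics) and
 * always NUL-terminate. Whatever the input length, the copy never reaches
 * the saved words. */
uint32_t hardened_copy(const char *input, unsigned char *frame)
{
    size_t n = strlen(input);
    if (n > BUF_SIZE - 1)
        n = BUF_SIZE - 1;
    memcpy(frame, input, n);
    frame[n] = '\0';
    return read_u32(frame + RET_OFF);
}

/* Constructed attacker input: filler to the end of the buffer, a throwaway
 * frame pointer, then the new return address in little-endian order. The
 * payload must contain no NUL byte, or the copy stops early; that is the
 * classic constraint on the address chosen. Callers pass a buffer of at
 * least FRAME_SIZE + 1 bytes. */
void build_payload(char *out, uint32_t new_ret)
{
    memset(out, 'A', BUF_SIZE);
    memset(out + FP_OFF, 'B', 4);
    write_u32((unsigned char *)(out + RET_OFF), new_ret);
    out[FRAME_SIZE] = '\0';
}

int main(void)
{
    unsigned char frame[FRAME_SIZE];
    char payload[FRAME_SIZE + 1];

    build_payload(payload, 0xDEADBEEFu);  /* assumed address of injected code */

    init_frame(frame);
    printf("vulnerable copy returns to 0x%08x\n", vulnerable_copy(payload, frame));
    init_frame(frame);
    printf("hardened copy returns to   0x%08x\n", hardened_copy(payload, frame));
    return 0;
}
```

On the model, the vulnerable copy leaves the saved return address reading 0xDEADBEEF while the bounded copy leaves it at its original value; on a real 1990s stack the first case is exactly the control-flow hijack the paper walks through, and the same shape of fix (bound every copy by the destination, never the source) is what the later audits and the Trustworthy Computing push spent years applying.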
The view of someone who was there: Tom Ptacek, Matasano Security
“If you want to be pedantic about it, you’d probably say Thomas Lopatic got the ball rolling when, in 1995, he posted an HP-UX web server stack overflow, the first modern buffer overflow. That post was a big deal on Bugtraq, but didn’t get much notice off the list. It didn’t start a gold rush for stack overflow bugs. What it did do was inspire a group of grey hat security researchers in England called the 8lgm to post a taunt that did shake things up. Back in the ’90s, the gold standard for vulnerabilities was Sendmail exploits. We had all just come off a really horrific run of Sendmail 8.6.9 exploits (this is a big enough deal that I vividly remember the version numbers, by the way), and had settled in at Sendmail 8.6.12. Then 8lgm posts that they have a working 8.6.12 remote, that it’s a buffer overflow in syslog and that they aren’t going to post the exploit. Everyone immediately started trying to figure out how to write stack overflow exploits.
I remember sitting in an apartment in DC with Mudge while we all figured out how to get these things working. Dave [Goldsmith], Matasano’s fearless leader, published the first x86 stack overflow exploit a couple weeks later. So, in 1995, within a relatively short period of time, you have Lopatic’s web server bug, then 8lgm’s hugely more important Sendmail 8.6.12 bug, then Dave and Vic’s Linux splitvt bug that demonstrated how to do overflows on PC hardware.
By the time Smashing the Stack is published in ’96, overflows were pretty well known. For example, the famous systemwide audit of OpenBSD was already underway. Elias’ paper is still the best intro to the topic, but I think you could debate whether it really started the frenzy. I think 8lgm did that, by holding back a coveted vulnerability (8.6.12 would have gotten you access to a WHOLE LOT of computers back then).
The real question is this: The first stack overflow exploit wasn’t published in 1995. It was in 1986. It’s one of the most studied exploits of all time: the Morris Worm (in ’95, when we were figuring out how 8lgm did it, we all cribbed off that paper Gene Spafford wrote about the Morris Worm). So what the hell happened between ’86 and ’95? That’s almost 10 years! And not just any 10 years. Those 10 years were like the renaissance of computer hacking. That’s the LoD vs. MoD years, the Sun Devil raids, and Kevin Mitnick. And we’re talking about a class of bugs that would have gotten you into *any computer hooked up to a network*. And not one published exploit!”
What if Bill Gates never wrote the Trustworthy Computing memo?
What happened: This is the white whale of all what-ifs. In 2000 and 2001, Microsoft was getting hammered on security from every angle. Researchers were finding bugs in Windows, IIS, Word and Internet Explorer and posting exploit code on a daily basis. Mass-mailing email viruses such as Melissa (1999), ILOVEYOU (2000) and their many imitators seemed to arrive weekly. And some of the world’s larger companies were making it very clear to Microsoft executives that they needed to get their act together on security, and fast. So on Jan. 15, 2002, Gates sent out a company-wide email elevating security to a top priority within Microsoft for all employees. Much of the memo focuses on .NET and its need to be a secure platform, but the part that most people remember and focus on is about the need for the company to write more secure software from the start. “Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it,” Gates wrote. This eventually resulted in the creation of a big internal group focused on secure software development, the famous “security push” in which all of Microsoft’s developers went through security training, and the decision to delay some major products to fix security problems. It also led directly to the release of Windows XP Service Pack 2, a huge security upgrade.
What might have been: It’s almost impossible to overstate the effect of Gates’s memo, so unwinding all of the repercussions and ripples it caused is just as difficult. But there was a tremendous amount of public and private pressure on Microsoft at the time, so it’s a virtual certainty that something would have happened. If Gates had decided that security was the problem of the security vendors and his company should continue to focus on features and functionality, it’s entirely possible that Microsoft’s enterprise business would have begun a long decline, resulting in a serious weakening of the company as a whole. In 2002 enterprises didn’t have a lot of other options if they decided Windows was too risky. While Linux and Unix servers were common, Linux on the desktop essentially didn’t exist, so there was basically no alternative.
But within a few years the drop in hardware prices, the rise of Web-based applications such as Salesforce.com, Google Apps and others, and the debut of user-friendly desktop Linux distributions combined to make ditching desktop Windows a much more viable option. Plenty of small and medium businesses now give their employees netbooks running Linux, and had the demand for higher end Linux-based laptops and desktops developed, someone (or several someones) would have filled it.
From a security perspective, Gates’s memo had the effect of focusing not just Microsoft’s developers, but ISVs, in-house developers and others on the problem of software security and on addressing flaws at the source. Microsoft, and Gates, have gotten an extraordinary amount of credit for what eventually became the Trustworthy Computing effort. But they didn’t invent this idea out of whole cloth. Experts such as Gary McGraw and John Viega had been talking about this problem for years. But the TC memo and Microsoft’s subsequent development of the SDL, threat modeling tools and other paraphernalia raised the profile of software security to a much higher level. Desktop and server security is much better now than it was eight years ago, but it’s still not great. Without all of the attention created by Gates’s memo? Things are much worse for all of us.
The view of someone who was there: The first rule of Microsoft is you don’t talk about Microsoft. Next question.