I'm deeply suspicious of anyone who claims to have created a new paradigm in security. In fact, I usually hit the delete button faster than you can say "snake oil." But this week, allow me to entertain one such vendor claim that relates to how the entire security community approaches insecurity.
It involves a man named John Munson, who has spent the last 30 years thinking about software reliability — and we're talking about serious software like the stuff that powers the Space Shuttle and the Cassini spacecraft that's currently hurtling toward Saturn. Dr. Munson, a University of Idaho professor and NASA contractor turned entrepreneur, is not a man you want to find out is a kook. Yet he's skittering on the edge of a conspiracy theory that, if it turns out to be true, could turn the security community on its head and empty out its pockets.
His premise? That the security community doesn't want to solve security problems once and for all, because the whole business relies on the very existence of computer crime and malicious code.
The technical details of the research that led Munson to this conclusion are far beyond the scope of this column, but here's the 250-word version. Munson's life work involves researching and monitoring how software responds, and sometimes breaks, because of what a user does to the software. Software doesn't wear out like hardware; it crashes because of user input. Astronauts can only hit so many buttons in the Space Shuttle, and Munson used to make sure that none of those combinations would cause the systems to break.
Then, about three years ago, he decided that this research could be applied to computer security. By monitoring the kernel of an operating system, he set out to find nuances of behaviour change when a system was under attack from a hacker or computer virus. "It turns out there were no such nuances," explains Munson, at work at Software Systems International, the second obscure company (the first one went bankrupt) attempting to profit from these principles. "Assaults were astonishingly obvious. In fact, we have yet to observe a malicious activity that is not wearing a Day-Glo orange shirt."
If an attack on a computer system were so easy to identify, he asked himself, then why not build in controls that identify and allow normal behaviour and stop abnormal behaviour? There'd be no need for patches to fix specific vulnerabilities, and no need for antivirus software to fight malicious code.
Munson says he has a few Linux servers up and running that are protected by an early version of these operating system controls, which are calibrated based on how the server normally operates. He says the controls could eventually be built into a computer's hardware.
Needless to say, his work has been met with considerable scepticism. "The reaction is, we don't believe you," Munson says. "But this is not an act of faith. All the research I have done is reproducible to scientific standards."
Munson suspects more than scepticism. "They (security vendors) thrive on your misery. It's a conspiracy of inertia. I don't think there's collusion. I don't think McAfee is sitting there kicking viruses out the back door. I do believe that they're making money at it and would like to keep making money at it. But they're working on the wrong problem."
Whether Munson (or anyone) can actually deliver a product that avoids security problems altogether — and whether hackers and coders couldn't then launch attacks designed to look "normal" — I cannot say. But his logic is tempting. The way things are done today is terribly inefficient and ineffective, and a lot of people are profiting from it.
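As an added illustration (not Munson's system or anything from Software Systems International), the following Python sketch shows the shape of the idea the column describes: calibrate a model from a monitored process's normal kernel activity, then flag intervals that drift from it. The system-call traces are constructed, and the last case shows the caveat raised above: a model that looks only at call frequencies can miss an intrusion that is padded to look "normal".

```python
from collections import Counter

def window(**counts):
    """Build a constructed syscall trace from per-call counts (order is irrelevant here)."""
    return [name for name, n in counts.items() for _ in range(n)]

# Constructed traces of a server process during normal operation: each is the
# list of system calls seen in one monitoring interval of 20 calls.
BASELINE = [
    window(read=8, write=6, open=2, close=2, stat=2),
    window(read=9, write=5, open=2, close=2, stat=2),
    window(read=7, write=7, open=2, close=2, stat=2),
    window(read=8, write=6, open=3, close=2, stat=1),
]

def profile(trace):
    """Relative frequency of each syscall in one interval."""
    counts = Counter(trace)
    return {name: n / len(trace) for name, n in counts.items()}

def distance(p, q):
    """L1 distance between two profiles: 0 means identical, 2 means no call in common."""
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def calibrate(windows, margin=1.5):
    """Average the normal profiles into a model; the alert threshold is the worst
    deviation any normal interval showed, widened by a safety margin."""
    profiles = [profile(w) for w in windows]
    names = set().union(*profiles)
    model = {k: sum(p.get(k, 0.0) for p in profiles) / len(profiles) for k in names}
    threshold = margin * max(distance(model, p) for p in profiles)
    return model, threshold

def is_abnormal(model, threshold, trace):
    """True when the interval's syscall mix drifts further from normal than calibration allows."""
    return distance(model, profile(trace)) > threshold

MODEL, THRESHOLD = calibrate(BASELINE)

# A routine interval: stays inside the calibrated envelope.
NORMAL = window(read=8, write=7, open=2, close=2, stat=1)
# A noisy intrusion-like interval: calls never seen in the baseline dominate it.
LOUD = window(execve=4, socket=4, connect=4, read=4, write=4)
# The column's caveat: one stray execve inside an otherwise ordinary mix stays
# under a frequency-only threshold, so what the model measures matters.
QUIET = window(execve=1, read=8, write=6, open=2, close=2, stat=1)

if __name__ == "__main__":
    for label, trace in [("normal", NORMAL), ("loud", LOUD), ("quiet", QUIET)]:
        print(label, round(distance(MODEL, profile(trace)), 4), is_abnormal(MODEL, THRESHOLD, trace))
```

A sequence- or argument-aware model (which calls follow which, and on what objects) is the usual answer to the quiet case; the frequency model here is deliberately the simplest instance of the approach.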
Suppose, just for a moment, that there is a solution to the security woes plaguing corporate America — the endless cycle of installing patches against new vulnerabilities, of stopping viruses and security breaches, of fixing damage done. I'm not talking about a magical elixir but a so-called disruptive technology that comes from an outsider whose ideas could make columns like this obsolete. CIOs would be ready to hear it. But what about the rest of us?