Peter Tippett on Biomedicine and Security

gManZboy writes "IT security borrows some of its most basic terminology (e.g., virus) from biomedicine. It's therefore no surprise then that some of the top minds in the field have backgrounds in biomedicine. Two such figure are Peter Tippett, CTO of Cybertrust, who earned a medical degree and went on to develop what later became Norton Antivirus; and Steve Hofmeyr, who studied the marriage of biology and computation at MIT and later founded Sana Security. In this roundtable discussion, the two discuss how biomedicine informs their thinking about security and when and when not to apply the metaphor. Of particular note is their discussion of the pros and cons of using both signature and non signature-based methods of intrusion detection."

After reading the interview...

[steelfood]

...has anyone else felt that the interview ended rather abruptly? I mean, just as they were starting to debate over the issues of technological improvement versus stability, there was nothing left. Was the ensuing conversation too embarassing to be recorded, or did the interviewer get too engrossed in listening to the arguments to write the rest of the interview down? Usually, the interviewer gets the last word (whether it's a brief "thank you for your time" or a quick summary/conclusion). What happened this time?

Otherwise, I found this a very interesting read. I've always wondered why people prefer signature-based active detection over the passive method of hashing (and checksumming) all the critical system files. I use the freeware Tiny Personal Firewall 2 (subsequent versions suck), which happens to include a feature that informs me if an application trying to connect out or listen for connections has had its MD5 changed. While it is particularly painful when a system file gets tampered with (a message pops up every time the modified executable tries to interface with the network and the messages won't stop appearing until the change is accepted), it was crucial in my finding that my Firefox executable had been modified without my knowledge.

The other thing I found interesting is the remark that the internet has lost its innocence. Back even ten years ago, so-called hackers were either kids too smart for their own good, or script kiddies wanting to impress their friends by opening CD trays. Those who exploited security holes for money were a minority. These figures have flipped over the past seven or eight years; today's equivalents are largely in it for the financial gains, with the ones feeling adventurous being in the minority now. When they were talking about worms being less prevelant these days and how it's possible we've seen the end of virii like Sasser and Code Red, I find myself wondering if the internet has left (or is in the process of leaving) its adolescence phase and has fully matured.

A biological analogy that occurred to me...

[Dr.+Manhattan]

Ecology has a concept called the "keystone predator". Predators often have a major influence on the ecology they hunt in. For example, sea otters that eat sea urchins. The sea urchins in turn eat kelp beds. If the sea otter population declines, the sea urchin population increases, and the kelp beds start getting overgrazed. When that happens, lots of other organisms that live in and on the kelp beds suffer.

Introducing new predators into an existing ecosystem can increase the overall diversity as they become keystone predators. This effect is seen even if the predator doesn't preferentially hunt the former dominant species, though it can be amplified in that case. In extreme cases, the former dominant species is replaced by other species, though the former dominant species doesn't necessarily go extinct.

What does this have to do with computers? The Internet has changed significantly in the last few years. Broadband connections are fundamentally different from dialup connections. First, obviously, they are much faster. Second, they are 'always on'. As broadband has spread, a new ecological niche has opened up - that of spyware/adware.

Even if it were just malicious teenagers writing these things, they'd be a significant problem. But there's a business model now - (unethical) people can make money with this stuff. Ads, selling demographic info, redirecting referral clicks, spam, protection rackets, fraud and identity theft. Of course, these guys are preferentially hunting Windows boxes right now. They're the current dominant species, and tend to be easy to subvert.

I think spyware is going to be the keystone predator of the operating system ecology. And I think we're going to see a lot more diversity in that area in the future.