brain - a first in so many ways

i've seen a couple of articles now about this being the 25th anniversary of the computer virus known as brain.

brain was the first PC virus in the wild. it was the first bootsector infector. it was the first stealth virus.

supposedly it was created in the (somewhat hypocritical) hopes of attacking software piracy, so the history of intellectual property maximalism has a particularly odious chapter to add.

the thought occurred to me, however (and i'm probably not the first but i haven't seen this said anywhere that i can remember), that if the stated motivation behind the virus is correct then brain is, on top of everything else, the first commercially motivated malware. before zeus, before gpcode, before adware, before the porn dialers there was the brain virus intended to get people to contact the virus' manufacturer for support.

how do you get to the top?

so how do you get to the top? well, if you're an anti-virus company it stands to reason you get there through technical excellence (yes, i can hear you snickering from here). of course if you have technical excellence then it also stands to reason that your people know what it is they're talking about when they go and say something about malware in public.

specifically, what i and many other people expect is that people working for the #1 anti-virus company will, at the very least, know the difference between viral and non-viral malware. those kinds of basics seem like they should be prerequisites for achieving technical excellence in the anti-virus industry.

apparently that is expecting too much, since some people (in the industry, no less) are still using the term 'virus' as the umbrella term instead of the more accurate term 'malware'. i'm not sure exactly when it happened, but at some point i started hearing more terminology misuse from media sources within the industry than i hear from general media sources in the world at large.

to say that cancels out any willingness i might have had to suspend disbelief about the question of technical excellence is an understatement.

now one explanation i could entertain is that this is actually part of a very clever plot to keep the public confused and disoriented. governments long ago figured out that it was easier to control their subjects if they kept them stupid and uneducated. it doesn't seem unreasonable to suppose that corporations might make use of similar tactics. the foundation upon which greater understanding and ultimately greater self-reliance are built is an accurate and consistent body of knowledge about the topic at hand. authoritatively using terms where they don't belong unquestionably undermines the process of developing that body of knowledge. it is precisely the type of tactic i would expect if corporations were trying to keep the masses easily manipulated.

that being said, i'm still prone to give the benefit of the doubt. never attribute to malice that which can easily be explained by incompetence. of course, since that reflects poorly on the possibility of technical excellence, that still leaves open the question of how one can get to the top and stay there.

without technical excellence being the driving force to keep the top players on top, we eliminate the possibility that the system is a meritocracy - or at least if there is a meritocracy, it's not the merits of the technology that are important but rather the merits of the efforts to manipulate people into thinking their technology has the most merit. that's called marketing. in essence, it's the best manipulator, not the best technology, that wins.

(though a system that rewards manipulation seems like it should eventually evolve into one that actively tries to keep people stupid in order to manipulate them more easily)

revisiting the 3 preventative paradigms

i've been thinking about the 3 preventative paradigms lately [actually i found this languishing in my drafts pile since jan '09].

framing the 3 preventative paradigms

in the ideal case:
  1. a blacklist blocks access to a protected resource for things/actions that are bad
  2. a whitelist blocks access to a protected resource for those things/actions that are not good
  3. a sandbox blocks access to a protected resource unconditionally, offering a comparable low-value alternative resource as a surrogate
as you can see, this covers all conceivable options except the degenerate case of no prevention where access to the protected resource is not blocked under any circumstance (though realistically we can ignore this case when we're talking about prevention).

balancing the 3 preventative paradigms

the world is not an ideal place, however, and those cases cannot be implemented perfectly:
  1. the halting problem prevents us from implementing a perfect blacklist and limits us to only blocking things/actions that are known to be bad, thus leading to the so-called reactive nature of blacklists
  2. while the halting problem does affect whitelists in the same way, whitelists actually benefit in a way from being limited to only known things/actions. however the generality of interpretation prevents us from implementing perfect whitelists (as the security world is bound to discover when whitelisting finally crosses the chasm) because we will only ever be able to apply application whitelisting to known program types and thus will have to react whenever we discover a new program type being abused.
  3. while the generality of interpretation may make it difficult to know when a sandbox needs to be used, what prevents sandboxes from being perfect when they are used (barring implementation failures that lead to unaided sandbox escape) is the need to share data (across the barrier erected by the sandbox) that is inherent to the division of labour, not to mention a variety of other useful and interesting things we do with computers.
thus with blacklists handling everything known to be bad, whitelists handling everything known to be good, and sandboxes handling everything in between, one might naively consider prevention to be a done deal; but with each one having problems that the others can't fully compensate for there will always be those edge cases that slip through and demonstrate that prevention is only the beginning of what a defender must consider.
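the layered decision described above, written out as a small python model (an added example, not code from the original post); the names, file types and the "program type" list are constructed placeholders, and the model only shows how the three paradigms divide up known bad, known good and unknown, plus the gap that opens when something the system files as data turns out to be interpreted as a program:

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Verdict(Enum):
    ALLOW = "allow"          # access to the real protected resource
    BLOCK = "block"          # no access at all
    SURROGATE = "surrogate"  # sandbox: a low-value stand-in for the real resource


@dataclass(frozen=True)
class Request:
    name: str  # the thing/action asking for access (constructed sample value)
    kind: str  # the type the system perceives it as, e.g. "exe" or "doc"


# constructed sample knowledge base; hypothetical names, not real samples
KNOWN_BAD = frozenset({"dropper.exe"})
KNOWN_GOOD = frozenset({"editor.exe", "compiler.exe"})
# the whitelist can only be applied to types the system knows are programs;
# anything else is treated as data, so neither whitelist nor sandbox is consulted
PROGRAM_TYPES = frozenset({"exe", "dll", "script"})


def decide(req: Request, program_types: FrozenSet[str] = PROGRAM_TYPES) -> Verdict:
    """known bad -> blacklist blocks; known good -> whitelist allows;
    everything in between -> sandbox; unrecognised types fall through."""
    if req.name in KNOWN_BAD:            # blacklist: reactive, only known bad
        return Verdict.BLOCK
    if req.kind not in program_types:    # generality of interpretation: the gap
        return Verdict.ALLOW
    if req.name in KNOWN_GOOD:           # whitelist: only known good gets the real thing
        return Verdict.ALLOW
    return Verdict.SURROGATE             # sandbox handles the unknown


def react_to_new_program_type(kind: str) -> FrozenSet[str]:
    """the reactive step the post predicts: once a data type is found to be
    interpreted as a program, it is added to the program-type list."""
    return PROGRAM_TYPES | {kind}


if __name__ == "__main__":
    for r in (Request("dropper.exe", "exe"), Request("editor.exe", "exe"),
              Request("newtool.exe", "exe"), Request("macro.doc", "doc")):
        print(r.name, decide(r).value)
    print("macro.doc after reaction:",
          decide(Request("macro.doc", "doc"), react_to_new_program_type("doc")).value)
```

the "doc" request is the edge case the post talks about: until the system learns that the type can carry a program, the request is treated as data and never reaches the whitelist or the sandbox.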