Evolution is punctuated equilibria

TOPICS: Security, Browser

Guest editorial by Dino Dai Zovi

In evolutionary biology, the theory of punctuated equilibria states that evolution is not a gradual process but instead consists of long periods of stasis interrupted by short bursts of rapid change.  This is supported by fossil evidence that shows little variation within a species and new species that appear to come out of nowhere.  These changes are found to occur in small groups on the periphery of the central population, where selection pressures are higher, and often in response to changes in the external environment.  Eventually those peripheral groups replace the dominant species in an abrupt change.  The theory has been applied to the social sciences and to business; it applies to Internet security as well.

In the late 80’s, it was the “summer of love” era on the Internet.  Research institutions and universities were freely connecting to each other in a way that would make anyone with modern Internet sensibilities blush.  Internet sites regularly engaged in risky behavior, including exchanging traffic without a firewall to protect against accidental infections (as such things were rare in those days).  Most users used weak passwords and some (Richard Stallman, notably) used none at all.  And then, just like in the Guns N’ Roses music video, the party was unceremoniously ended in the sudden cold November rain.  The Morris Worm swept through the Internet, taking machines down faster than anyone could imagine.  The era of innocence and non-disclosure of security vulnerabilities on the Internet had come to a close.

After the Internet worm, a variety of organizations were quickly established to track and address vulnerabilities in the Internet infrastructure.  The Computer Emergency Response Team (CERT) was established to handle any similar situations, and a variety of mailing lists such as Phage, the Zardoz Security Digest, and the Core Security Mailing List were established to discuss and track security vulnerabilities.  All of these lists and groups, however, were closed communities, and the CERT security advisories were light on details for fear that revealing full details would enable attackers.  Thus began the era of partial disclosure of security vulnerabilities.

A small full-disclosure movement began to grow on the periphery of the Internet.  This community believed that CERT was doing the community a disservice by not pressuring vendors to address vulnerabilities and by withholding full information: without the details, system administrators could not determine whether they were vulnerable at all, or whether they should take the potentially disruptive risk of patching.  With full disclosure, all parties are notified of the vulnerability at the same time.  Vendors are pressured to address serious vulnerabilities quickly, and users have enough information to decide whether they should work around the vulnerability and/or apply the patch when it becomes available.  This community was centered around the Bugtraq mailing list.  It grew quickly through the mid 90’s and early 2000’s until full disclosure became the dominant method of vulnerability disclosure on the Internet.

If the late 80’s was the era of free love on the Internet, the late 90’s and early 2000’s was the era of free exploits.  Fully working exploits for serious vulnerabilities were regularly published on Bugtraq, often as part of the disclosure of the vulnerability itself.  These were often remote privileged code execution exploits in serious Internet infrastructure like BIND, SSH, NCSA HTTPD, Sendmail, and Apache.  These exploits allowed administrators to easily test whether they were vulnerable: if they ran the exploit and got a remote shell, they were definitely vulnerable.  Similarly, if someone wanted to take joyrides on the Internet, all they had to do was subscribe to Bugtraq, wait for an exploit to be posted, and then start scanning for vulnerable machines.  Thus were “script kiddies” born.  This environment continued through the early 2000’s.

The early to mid-2000’s could be considered the hangover from the free love 80’s and free exploit 90’s of the Internet.  Instead of Internet worms being a one-time event, they became an almost regular occurrence with ILOVEYOU (May 4, 2000), Code Red (July 13, 2001), Code Red II (August 4, 2001), Nimda (September 18, 2001), SQL Slammer (January 24, 2003), Blaster (August 12, 2003), and many others in between.  Many of these worms spread using exploits that had been posted publicly to Bugtraq.  Clearly something was not right.  This onslaught of Internet-crippling worm outbreaks quickly brought about several evolutions in Internet security: “responsible” disclosure, the home router firewall, and Microsoft’s Security Push and Security Development Lifecycle (SDL).  It was no longer enough to respond to security vulnerabilities and incidents as they happened; Internet security required proactive measures to protect against future disasters.

From 2003 until roughly the present, “responsible” disclosure and the duality of offensive security research and defensive security products have driven the security industry forward.  Security researchers have investigated and discovered volumes of security weaknesses, vulnerabilities, and attacks.  All of these have required security patches, restructuring, and risk-mitigating technologies née product opportunities: anti-virus, firewalls, intrusion detection/prevention, patch management, etc.  Hundreds of vulnerabilities have been “responsibly” disclosed and patched.  Patching has become a monthly shamanistic ritual for most IT departments.  There are now defensive security products to defend against every possible perceived security threat (imagined and real).

With all of this, Internet malware has only become more prevalent on users’ systems.  The United States Departments of Commerce, State, and Defense have sustained targeted attacks and on multiple occasions detected large amounts of sensitive information being remotely extracted from their networks.  There is a serious DNS cache poisoning vulnerability that currently affects 50% of the nameservers on the Internet, almost a month after the issue was disclosed throughout the tech and mainstream media and a week after a highly effective exploit for it was publicly released.  The Internet security community is holding its breath waiting for (hoping for?) widespread attacks, perhaps to justify its continued existence.

Clearly, we are not any closer to securing the Internet, if that is even possible.  If anything, the dangers on the Internet have gotten worse as the malicious actors have changed from joyriding teenagers to Internet worms to espionage and organized crime.

Right now, Internet security is due for another period of rapid change.

* Dino Dai Zovi is an information security professional, researcher, and author.  He is perhaps best known in the security and Mac communities for discovering the vulnerability and writing the exploit to win the first PWN2OWN contest at CanSecWest 2007.  He publishes the Trail of Bits blog and can also be found on Twitter.

  • Funny thing...

    ...how the definition and *theory* of Evolution (note the capital) continues to morph. It's utter scientific fraud and debauchery!
    • wow

      I didn't realize those who don't believe in evolution even used computers. Learn something every day...

      • Yeah, well...

        It's true...learning is what happens (ahem...intelligence), not evolution (macro-evolution, that is...micro-evolution certainly does). If you're really struggling with the concept that Big-E Evolution is a very flawed theory, read up on the Piltdown man, the coelacanth, the fact that Charles Darwin himself later recanted much of what he had written.
        • 2+2

          So let me get this straight. You believe in "micro" evolution, just not "macro" evolution? So what happens if you string multiple "micro" evolutionary changes together? Doesn't that ultimately add up to a "macro"?

          Honestly, arguing evolution for me is so utterly pointless. For me evolution is as plain as the air I breathe. For me personally it's a fact, not even a theory. You and I will have to agree to disagree on this one. I'm counting on evolution to take care of all the non-believers.

        • Wait, so what is your point?

          You do realize that the Piltdown Man was a hoax, actually one of the largest hoaxes in evolutionary biology, and one of the longest running. The coelacanth is an example of a species that evolved to a stable point and has not needed to change since; see nautili and sharks for more examples of fairly unchanged animals. Darwin was an actual genius, one of the few that modern times have seen. And he is not a genius for his theory but for how well he placed patterns together and how far ahead he was. He spoke, always with reverence to religion, because to do otherwise was stupid in his time. I'm actually interested in your arguments against macro evolution, as your attacks thus far include evidence for (coelacanth), evidence of scientific processes (Piltdown man) and evidence that the writer of this article, who is an evolutionary biologist, subscribes to a theory of natural selection. Please email me at "lung dot mau at gmail dot com".

          As for the article, very interesting, have you any idea of where or what that shift might be?
    • Scientific Theory of Evolution

      "It's utter scientific fraud and debauchery!"

      I didn't realize that.

      Debauchery. Wow.


      • !

        Hold the fraud.
        To go, please.

        Darwin Bacchanalian.
  • RE: Evolution is punctuated equilibria

    > Clearly, we are not any closer to securing the Internet, if that is even possible.

    I don't think it's possible, but it IS possible to secure a computer. Put the code you don't want to change into ROM or the functional equivalent. Then you're no further from recovering from a crash than a reboot. And installs / uninstalls consist of inserting or removing a chip, respectively. I 100% agree with your conclusion...we're in for rapid change. And it's about time...

  • RE: Evolution is punctuated equilibria

    The Internet is a great source of information, but it just might be a big downfall when and if we lose all the satellites that are controlling them. I can do without a computer and do without cell phones; they both have advantages but also disadvantages, as with cell phones linked to cancer and PCs linked to crime. My son went to sell his dirtbike to a person from the Internet on CL and was robbed.

    What I'm getting at is all this was created by man and it is only doing harm to everyone including our children. Let's go back to them good ole days where you had to visit a library and type from a typewriter, and send a letter to a good friend we haven't spoken with, or meet someone by running into them and not online thinking we've found true love.

    Big D
  • Next step?

    Any ideas about what the next evolutionary leap will look like? If we've gone from no disclosure (no security) to partial disclosure to full disclosure to responsible disclosure, what's next? And if we've gone from no attacks to isolated attacks to unsophisticated scripted attacks to sophisticated, fully automated attacks, what's next? Attackers are already making use of multiple vulnerabilities to launch multipronged attacks. As security on individual computers improves, attackers will need ways to identify the most vulnerable users (not computers), then they can target attacks based on social engineering vectors.
  • RE: Evolution is punctuated equilibria

    And yet companies are pushing to hang their corporate data and applications on the "cloud" with the Internet as its backbone...man, this is going to be fun!