Vxers are more innovative than big software firms

Complexity kills innovation

Comment: There's more innovation coming from today's virus writers than from the big software companies whose core goals are to progress and innovate, says SecurityFocus columnist Kelly Martin.

Viruses grew by over 25 per cent in 2004. We're at about 115,000 viruses today, and the virus variants and mutations continue to grow in record numbers. One might venture to forecast, using current trends, that we'll have 150,000 Windows viruses by the end of 2005, although it's anyone's guess. Look for anti-virus vendors starting to deliver definition updates every day, or even twice a day. Are we ever going to find a solution to the virus problem?

The problem is complex. The solutions are even more complex. Security leaders and visionaries, who disagree over many things, all agree that the growing virus, spyware and security threats are a large and difficult problem. There's no easy solution. Even Bill Gates has been humbled by the sheer magnitude of the problem, as evidenced by his unusually modest speech at the RSA Conference this week. Yes, it's complicated, and many smart people, including Bill Gates, are not sure what to do. One thing is clear, however - we're headed down the wrong path, yet our big engines are set to full steam ahead.

Software complexity is killing innovation because of security flaws. I don't mean complexity such as complex algorithms, which are always a welcome sight. I'm referring to bloatware: complexity in operating systems and large applications, now developed in record time, that in an unpatched state can be taken down in minutes due to design flaws and vulnerabilities. I'm also referring to the bloated nature of unaudited software projects from companies who can clearly afford to do better. Until security becomes part of every aspect of the software design and implementation lifecycles, we'll continue to take one step forward, and then one step back.

Byte for byte, there's far more innovation coming out of the dark basement of a few clever virus writers than from the big software companies who are trying to advance technology and truly innovate. On one side we have smart programmers who are trying to pack more and more functionality into a smaller and smaller size. On the other side, we have smart programmers at large companies building applications faster than ever before, bigger than ever before, using rapid development tools that allow human beings to design software with more holes and flaws than ever before. Do you see a pattern here?

I've heard all the arguments on how these new applications are by their very nature a sign of innovation, but when David the virus writer can continually and repeatedly take down any Goliath software company's product time and again, despite the latest security tools and technologies, have we really innovated at all? Viruses are costing us billions of dollars in lost productivity and actual damages - numbers which easily offset the slow and steady gains we get from upgrading to the latest version of product XYZ.

We all love to pick apart analogies, so here's your opportunity. The calculator application in Windows XP is 112kbytes. This wonderful, exciting and full-featured application, picked from my System32 directory at random, tells us little about complexity or programming prowess, I'll admit - until you consider that there are, oh, several thousand nasty, feature-rich Trojans with full backdoor and remote access capabilities that easily fit within 112kbytes. They call home, they report on their progress, they slice and dice and make chopped liver of your operating system.

Is this an unfair comparison? Of course it is. If Microsoft, or anyone else, wanted to create an even better calculator than this in one-tenth the size, it wouldn't take one good programmer even one day to do it. The point is, they clearly have no intention, need or desire to do so, just as every software company believes the fallacy that there is no need to prevent bloatware. After all, hardware gets faster, storage gets bigger, and profits soar higher. If your computer didn't start running more slowly over time due to increasingly bloated applications and a plethora of security packs, why would you ever need to upgrade? Ah, yes. Innovation. Better productivity. New features. Right.

Perhaps the calculator app in Windows 2015 will approach a megabyte in size. And that's just plain silly. But with the hardware that will be available in 2015, will you care?

Then there's the story of a famous storage area networking company, which shall remain nameless, whose innovations turned the storage world upside down because of a core piece of software small enough to fit on a floppy disk. Before the concepts of dynamic disk partitioning, partition resizing and multiple OS support were commonplace in the SAN arena, some very smart people figured out that the key to success in managing these large, fridge-sized storage arrays would be with efficient software that was very small - tight code that ran very quickly and was relatively bug-free. That floppy disk, with the time value of money, would be worth several hundred million dollars today. Not bad for a few months of late-night programming. Sound like it happened twenty years ago? No, you're mistaken. Let's put it in context. At the same time, a typical Windows installation fit nicely in about four or five gigabytes.

I don't believe we'll ever see a reversal of the trend towards bloatware in software. But with security now a major threat to every single software company in the world, the security issues that stem from increasing software complexity must be addressed. The solution to all this complexity cannot be more complexity; we must find a more elegant and simple solution. Security must become ingrained into everything we do.

Copyright © 2005, SecurityFocus
