Why Adobe promotes cybercrime.
The Last Watchdog recently posted an interesting article:
Adobe surpasses Microsoft as favorite hacker’s target
To quote:
On Dec. 31, 2008, a well-intentioned researcher posted this report on Adobe’s “Bug and Issue Management System” (BIMS) web page. The researcher described how invoking a Flash video clip playback in Flash Player, under certain parameters, caused his Web browser to crash.
In more innocent times, this would’ve been a normal beta testing scenario: user reports glitch in a cool new feature; vendor updates. But in today’s world of teeming cybercrime, one man’s glitch is another man’s exploitable zero-day flaw.
While BIMS helps Adobe keep an open dialogue with users, the web site also “gives cyber criminals a convenient place to look for vulnerabilities they can exploit,” says Purewire researcher Paul Royal. “Here you can find bugs that cause crashes, and any bug that can cause a crash can potentially also be used to execute code arbitrarily.”
This article illustrates Broken Windows in action:
- "one man's glitch is another man's exploitable zero-day flaw."
- "any bug that can cause a crash can potentially also be used to execute code arbitrarily."
Of course, I'm referring to the Theory of Broken Windows, proposed by George Kelling and James Wilson. The Theory states that small elements of disorder (like a broken window), if not addressed, lead to greater elements of disorder, even crime. What Kelling and Wilson observed as a trend towards disorder in the physical space of communities and neighborhoods, I contend also applies to cyberspace, namely:
Seemingly small elements of disorder (like a software glitch) invite greater elements of disorder (like arbitrary code execution), even cybercrime (you are free to cite any news story from years past as an example).
The grand irony in this situation is that hackers do not "break" windows in cyberspace; that is, hackers did not break Adobe's software. Hackers simply discover software defects that software manufacturers failed to detect themselves before shipping their products. In other words, our software products arrive in our computer systems already broken - already loaded with broken windows - thus directly contributing to the sense of disorder in cyberspace and the growing trend in cybercrime. Adobe is but one example highlighted by this article; Apple, Oracle, Microsoft and many other software manufacturers have given us legion more.
Byron Acohido, the author of The Last Watchdog article, implies that in today's world of "teeming cybercrime" these seemingly small bugs now incur large consequences. But I argue otherwise: small bugs are not now more devastating because of teeming cybercrime; cybercrime has become teeming precisely because of small software bugs, these small broken windows of cyberspace that communicate a message of disorder and thus invite greater elements of disorder, even cyber criminals. So to be explicit: Adobe's glitches invite cybercrime, and so do Apple's, Microsoft's, Oracle's and many others'. We collectively scratch our heads wondering how cybercrime got so out of control; the Theory of Broken Windows offers one possible, if not outright compelling, explanation.
Using the Theory of Broken Windows as a solution framework then, small elements of disorder must be reduced as much as possible in cyberspace; that is, the supply of software vulnerabilities must be drastically reduced by software manufacturers in order to combat the more dangerous and insidious elements of cybercrime. The onus is on software manufacturers - all of them - not on security products, not on security practitioners, and certainly not on cybersecurity compliance mandates. Recognizing this as a key leverage point in the battle for a safe cyberspace is critical to our success (and our national interest).
Byron Acohido goes on to state, "Adobe has replaced Microsoft as professional cybercriminals’ favorite target." Unless software development practices dramatically change, they won't be the last.