Of Guns and Malware

I came across this video the other day:

It's a really entertaining TED Talk about the world of computer security from the perspective of malware, presented by Mikko Hypponen of F-Secure. I encourage you to watch it.

He closes with the following:

I've spent my life defending the Net, and I do feel that if we don't fight online crime, we are running a risk of losing it all. We have to do this globally, and we have to do it right now. What we need is more global, international law enforcement work to find online criminal gangs -- these organized gangs that are making millions out of their attacks. That's much more important than running anti-viruses or running firewalls. What actually matters is actually finding the people behind these attacks, and even more importantly, we have to find the people who are about to become part of this online world of crime, but haven't yet done it. We have to find the people with the skills, but without the opportunities and give them the opportunities to use their skills for good.

In other words, anti-virus and firewalls aren't the solution to our problem. Stopping the people who create and produce malware is.

At the same time, we have this sentiment that bubbled up in the news recently:

Is antivirus software a waste of money?

As it turns out, many of his security-minded peers don't use [antivirus software] either. The reason: If someone is going to try and attack them, they're likely to use a new technique, one that most antivirus products will miss. "If you asked the average security expert whether they use antivirus or not," Grossman says, "a significant proportion of them do not."

That's a pretty clear indictment of the status quo. What we are doing is not working.

Guns don't kill people, people kill people

What I believe is happening here is a growing realization of what I've talked about before. The current security situation is a never-ending battle of measure and counter-measure with ever-increasing casualties. What is needed is a dramatic change in the way we approach this battle.

Mikko points to one way to change this. Stop trying to stop the "guns" in this battle from being manufactured and distributed; instead go after the people who are using them to commit crimes.

However, the same Wired article from above goes on to cite another approach:

Patterson said his company, Patco, had “good AV” at the time of the attack, but nevertheless it missed the password-stealing Trojan. Now, two years later, he’s taken an inexpensive step that every small business should take to prevent his company from becoming victim to this type of fraud: He’s told his bank to give him a call before it authorizes any big money transfers.

This to me is the real game changer. And I hope to make Trust Inn the catalyst for that change.