In a recent post, I asked for a little indulgence in a game: "Anybody want to toss out their idea about what would happen if bugfinders stopped looking for bugs? What do you think the impact would be?"
Anton was nice enough to provide one in the comments:
"Well, I like SciFi, so I will play. In all likelihood I am wrong, but then again this thing will never happen anyway...
In general, I think that some version of Thomas's scenario will get realized (obviously, circa 200X and not 1992). Let's assume that all white-and-light-shade-of-gray-hat folks just stopped researching and, obviously, publishing vulns. What will happen?
First, everything of value will get owned (from the pool of whatever is not 0wned now :-), of course) by a few people. There will be fewer "incidents", however, as many sites won't even know that they just got owned. They will be made aware that their IP and money are suddenly in the wrong hands. Malware will likely drop, the only worm/virus incidents (admittedly rare) will be hugely damaging as there will be no protections as reliable as current signature-based ones (anomaly-based stuff at this stage is generally less reliable; note that I am not saying that signature-based are better - only that currently they are more reliable). Script kiddies will all but vanish, left to pick up the pieces of whatever trickles from the underground.
I suspect the list of 'advanced blackhats' is now longer than it was in 1992. Thus, they will be able to pretty much do whatever they want (maybe not launch ICBMs, however :-)). With time, as software security degrades even further, more folks will be able to 'join the club' and share the proceeds, first owning whatever the first group did not :-) Vendors will go to fewer patches (after all, why bother?), making life simpler for some people (admins!), but complicating it for others. Backup solutions will sell like crazy, though...
Overall risk? To be honest, I dunno (Celebrate, Pete! :-)). For folks running high-value targets, the risk will likely go up since they will lose all protections that rely on knowing about vulnerabilities e.g. NIDS, NIPS, scanners (and will keep the behavioral/anomaly-based ones). For others, it might decrease, as all the 'hunters for low hanging fruits' will go the way of the Dodo..."
I find it truly remarkable that folks place no faith in human ingenuity, except on the "dark side", and actually believe that we would just let something like this happen. But I have some follow-up questions:
1. What characteristics about our current situation preclude this exact thing from happening today?
2. How come people won't be able to figure out that they are 0wned (man, using that zero makes me feel so cool!)?
Btw, is there anyone out there (besides me) who disagrees with this "Doomsday Scenario"?
Update: Anton comments below that his scenario isn't intended to be a Doomsday one. Though he does indicate some question about the change in risk level, I believe that "everything of value" being "0wned" sounds pretty Doomsday-ish to me. You can decide for yourself.