We've had a very late night, and I see a lot of people that were going to be here that weren't, because they're completely out of it and we could not wake them up this morning for anything.

I'm Cyrus Peikari. I'm the chief technology officer of VirusMD Corporation. We're in Dallas, Texas, and you may know us for our software. Lately we're doing antivirus applications for the Pocket PC and wireless phones.

And before we get started, I just wanted to, first of all, thank Jennifer Granick for this disclaimer. Is Jennifer here right now? No. She suggested this one, and that's: remember, you need permission to alter someone else's system, even if you're trying to fix it. So basically what that's saying is don't try this at home, because they will get you arrested.

And a public service announcement for those of you that can't wait a whole nother year for DEF CON: there is going to be a security conference, hacking conference, in Dallas, Texas this winter. You can visit it on the web at dallascon.com. So far the sponsors are several different groups, including soldierx.com, hack3r, Check some org, Black code, which is a nice group security news portal, and World of Hell. And lately Security Writer's Guild is going to be sponsoring it also. So if you have a hacking group and you want to sponsor or speak at this conference, you can let me know.

For those of you that want the full version of this talk in detail, you can download it on the web. It's at virusmd.com/defcon.html, and you can grab it as a Word document, or if you want a text file, you can just email me through virusmd.com.

Now, who can recognize this virus? Raise your hand. Melissa? Close. That's right. That's the Anna Kournikova virus.
So as you can see, it's quite a deadly virus. And a lot of people that I talked to said it was worth opening this virus, even though they knew it was a virus, just to see her picture.

Now, just as an overview of our talk: what we're going to present today is that the unchecked proliferation of information networks such as the internet leaves society vulnerable to collapse. And we're going to show how viruses actually counter this vulnerability by stabilizing and strengthening global networks. So in other words, we're going to show how virus writers can save the world.

Now, who here has ever written a virus? Raise your hand. You don't have to admit to it if you don't want to. Who here has ever been infected with a virus? Raise your hand. Probably most of you have.

Well, the problem is that the internet has become a single complex organism, much like the human body, and it's no longer sufficient to immunize individual cells in that body. For example, putting antivirus scanners on individual computers is missing the whole picture. Basically, we need some way to immunize the entire body of the internet at once. And we've seen that current antivirus solutions don't work, because one virus, the I Love You virus, did an estimated 10 to 15 billion dollars of damage. That's just from one piece of code. So our current solutions fail.

Well, what we're going to show today is we're going to use examples from medicine to formulate a computer virus vaccine. We're actually going to write a virus that's going to strengthen the entire internet, and we're going to propose an attenuated computer virus. Attenuated means weakened. So basically you cut off part of the payload or some of the vectors and you have a weakened pathogen. And we're going to draw on examples from both history and medicine to show that good computer viruses are not only possible, but that they're inevitable if we want to prevent the collapse of civilization.

Well, first let's start with some historical examples, and those of
you who are history majors, and actually most of you are probably better than me at this, but looking back in the Middle Ages, we know that the Black Plague set European civilization back the equivalent of a thousand years. And we're going to show that in a second. A more recent virus, smallpox, single-handedly destroyed the Native American civilization. So viruses do cause the collapse of civilization.

Now, this next slide is a graph showing the population of Europe in the Middle Ages. On the vertical axis you can see the units are in millions of persons, and on the horizontal axis is time. If you look here in the center, you can see that right around the 14th century the population of Europe was abruptly nearly cut in half. So essentially one out of every two people dropped dead all throughout Europe, and this was all from a single pathogen. It took several years for the population to recover, but even longer for civilization to recover, because this virus caused famine and unemployment and widespread civil war. What happened is the rich nobles severely suppressed the poor people, and that whole process set civilization back about a thousand years.

There's a more recent biological virus that destroyed a civilization, and that's smallpox. Smallpox was brought over by the Europeans when they invaded, or when they explored, the New World. Now, the problem is that the Native Americans had no immunity to smallpox. The Europeans had been building up immunity for years, but when they brought it over the natives had no resistance, so it basically killed all of them. 95% of the population of Central America and Mexico was wiped out literally in a few years, and that's almost overnight in terms of global timescale, and 50% of North America was wiped out. So the Europeans basically walked into an empty continent.
There were no warriors left to defend this continent, just a handful. That was the end of their civilization.

Now, none of you have ever seen a case of this in your lives. This is a picture of smallpox, and this is caused by the virus. Now, this has actually been eradicated from the earth, and the reason you haven't seen this is because we came up with a good vaccine to cure it. And we're gonna show why this is important with our computer virus vaccine later on.

Now, when the smallpox vaccine first came out it was extremely dangerous, and a lot of people that took the vaccine died. So people were violently opposed to any concept of a vaccine. But with time the vaccine was improved, and by 1977 the World Health Organization announced that smallpox was cured. There was no more smallpox left in the world. The only sample is in a very tight security government research station, and they keep it there under observation, and probably a few other countries have a sample as well.

So, getting back to our computer virus: why do we need a vaccine? Well, we've seen that any attempts at antivirus programs so far have been limited, and we saw that with the I Love You virus, which failed to prevent a global infection that brought the internet to its knees. There's also been attempts at digital immune systems. For example, IBM Corporation came up with a digital immune system where they were able to pick up samples of viruses in the wild and automatically extract signatures and then send that patch back out to their subscribers. So this is kind of an encapsulated digital immune system, but it's not really a true vaccine for the entire internet body, because they're not really using a virus. They're using just purified code. And so what we've shown is, from history and medicine, that vaccines are very necessary and they're inevitable if we want to prevent global catastrophe.
We need some kind of holistic solution.

Well, unfortunately, there's problems to any kind of idea of a vaccine, and number one among that is the antivirus community. The antivirus, or AV, community hates virus writers. They really, really hate you guys, and you can see that by going on newsgroups such as alt.comp.virus, and you can see the arguments go back and forth. And it's kind of funny to read it sometimes, because you see the two sides arguing, but you realize from an objective point that they're really not that far apart, yet they're so violently opposed to each other.

Now we can kind of the AV corporations' arguments by looking at medicine, and for them to say there's no such thing as a good virus is ridiculous. For example, every day doctors inject kids with deadly viruses when I give vaccines. The polio virus vaccine, for example, is a real virus. It's live. It's just attenuated, so you're getting the real virus. And this falls under a utilitarian model. Utilitarianism says that you should do the greatest good for the greatest number of people, for those of you that study ethics, and this is the model that society allows the government to do this to us under.

Well, who will release this global vaccine? And most importantly, don't try it yourself, because if you do, it's highly illegal right now. Spreading live viruses will land you in jail. Probably, as far as I can see, the government right now would be the only possible solution for that. For one thing, they can do what they want and get away with it. There's not much you can do; you can't really sue the government. Another benefit is they will indemnify you from harm. Remember the polio virus that all of you get when you're young.
That's a real virus. Now, if you, say your brother when you're young gets the polio virus vaccine, and you don't get the vaccine for some reason, you can actually catch live polio from your brother. That's called vaccine-induced polio, and it can kill you or paralyze you. Now, what happens in that case is the government will actually pay damages to your parents for the damage you suffered. That's little consolation, obviously, but that's how the government works. And that falls under a paternalistic model. Paternalism means being fatherly; in other words, society allows the government to do what it wants because we think that it knows best.

And as far as I can see, this virus vaccine we're talking about would probably be released by a global epidemiology body like the World Health Organization. They would have to create a particular branch made up of programmers, because you need somebody that knows how to track vaccines around the world.

Well, finally, talking about the computer virus itself: what characteristics does it need to have?

For one thing, the vaccine should be open source, and the main reason for this is quality control. Because we're releasing this vaccine globally, we know that open source models give a much higher level of quality control and debugging.

And number two, it should be international. We can't have individual governments releasing vaccines, for an obvious reason. For example, suppose China released a vaccine, but they were the only ones who had immunity to that virus. That would be viewed as an act of war by all the other countries. So in order to prevent that situation, it would have to be released internationally.

Third, the virus should be attenuated, which basically means castrated. You should take off part of its payload or reduce its number of vectors. The goal, what you're trying to do, is create a virus that will confer immunity without severe damage.

And finally, the vaccine should be live.
In other words, you need real replicating code. Just to extract a virus signature like virus scanners do right now, we know that's not as good. Think back to the polio virus vaccine. That's why doctors use the real live virus in our bodies.

Okay. Now, here's your test for the day. You guys go to school, so you thought you were gonna be free of tests this summer, but you're not. Who can tell me who said this quote? If you can guess it, raise your hand. Who's that? Fred Cohen. Okay, we have a guess for Fred Cohen. Who agrees with that? Actually, that's incorrect. Anyone else? Pardon? McAfee? Good guess. You guys are going to be surprised when you hear the answer. That's not correct.

Let me read it. It says that beneficial viruses are a simplest solution that's always wrong. The virus is not bad or good based on its payload. Viral propagation methods are inherently bad, and giving them beneficial payloads doesn't help.

Is that Bill Gates? Close, you're very close. This was Bruce Schneier, actually. He said this in a talk in September 2000. He said that viral propagation methods are inherently bad. So we all know Bruce and we love him. He's a regular here at DEF CON. But you may want to ask him about this one.

Now, who knows which virus this is? You guys got to know this. Very good, the Jennifer Lopez virus. Once again, using the power of just her behind, this virus infected millions of computers. People were tempted to open the, uh, I Love You virus to get a glimpse of this. Sorry, the Jennifer Lopez virus.

So just winding down here: in 1997 Vesselin Bontchev wrote a famous paper about the 12 reasons why there can never be a good virus. And has anyone read that paper? Raise your hand. A couple of you. Okay.
I see there's some hardcore virus people out here.

Now, this was a very famous paper, and for a couple years this was the gold standard. But then in April 1999 a member of the Ultimate Chaos virus group came along and utterly destroyed these arguments. That author was Midnight, and if you read his paper, it's quite eloquent. I'm not going to go into all his arguments right now, but what we're going to do is present arguments from a different angle, saying why you can have a good virus. And I just want to go through these 12 points very quickly.

Well, number one, the antivirus companies argue that you can't have a good virus because it takes away your control, and you just feel helpless. But actually we know that that's a good thing sometimes. For example, there's certain vaccines doctors give where it confers what's called herd immunity, like a herd of sheep. They know if they could only immunize 50 percent of kids in a class, those 50 percent will infect their classmates, either by sneezing on them, or by smearing snot all over them, or by not washing their hands after they wipe themselves. And this actually is a good thing, because they pass the immunity on to their friends. That's called herd immunity. So that lack of control can be good.

Number two is recognition difficulty, and this argument is that, well, our scanners won't be able to tell your good virus from a bad one. But that's what we want. We want an immune response from the world antivirus software. That's how it's going to work.

Number three is resource wasting, and this argument says that computer viruses waste CPU and memory. They're just a waste of time and money. But actually that can be a good thing. For example, how many of you have had a flu shot? I'm sure most of you have had a flu shot at some point. What happens after you get a flu shot? How do you feel the next day?
You feel sick. A lot of times you'll get a sore throat or a fever. And the reason is, when you fight this weakened, attenuated flu vaccine, your body shuts down critical pathways and strengthens others. And so basically it's wasting your resources. But in the end you end up being immune to influenza, which is a good thing. So that takes care of that argument.

Next, number four is bug containment. The AVs argue that badly written viruses spread software bugs. But we know that software bugs are ubiquitous. They're everywhere anyway. That's not really a big issue, and this is just one more argument for an open source model.

Next is compatibility problems. The AVs argue that, well, your virus vaccine will set off all our checks on monitors and integrity checkers. But again, we want that. We want to do that in an attenuated fashion before it becomes a real problem.

Next is effectiveness. The argument here is that you should use some kind of emulator or simulator. You shouldn't infect the total system. You should stop it at a firewall or a sandbox. But again, we know from examples from medicine, like the polio vaccine, really getting the full replicating code in your system is the best way to really test it and strengthen it.

Just continuing, the last six. Unauthorized data modification states that it's illegal to modify someone else's, attack someone else's system. But again, this just argues that it needs to be done probably by a central agency. We all let doctors inject us with deadly vaccines when we get vaccinations anyway. We permit that; in fact, we embrace it. So society will embrace this with time.

Next is copyright and ownership problems. And this is not a big argument.
It says that basically viruses can void copyright contracts. But again, the government could indemnify you from this and say that if you're infected with our vaccine, then that's not going to affect your copyright at all.

Next is possible misuse, and this argument says that, it argues that, well, virus writers will use our good vaccine to spread viruses. But this is kind of silly, because a virus writer could write a much better virus himself or herself. He doesn't want to use a weakened or attenuated vector.

Next is responsibility. This states that we should not give any excuse to these, quote, juvenile virus writers. We don't want them to, you know, if we do this, they're going to say, well, I was just writing a virus to save the world, I was just trying to help people. But those of you who heard Sarah Gordon talk at DEF CON here last year, she spoke on the ethics of virus writers, and she talked about a cycle where virus writers start out at a low ethical cycle sometimes and progress through to higher levels of ethics, but that there's always a continuing cycle. There will always be people releasing viruses without the need for an excuse. So I think this whole argument is kind of irrelevant.

The last two are closely related, and they talk about negative common meaning and trust problems. What this says is that people will never trust the idea of a virus. The word virus is just too nasty. It's too evil. We're never going to accept it in society. But I think if we, uh, look back to, uh, our medical vaccines.
We see that in time people will embrace it.

Now, one of my colleagues who heard me practicing this talk suggested that, well, why don't you just change your virus, learn from the FBI and change the name of your virus to DCS1000 or something, like they did with Carnivore? And, uh, you guys watched the whole FBI Carnivore issue. They've changed the name to DCS1000, as far as I know, in a public relations move. But that didn't help them too much.

In conclusion, we've shown that viruses are needed to stabilize global networks and to prevent the collapse of civilization. And we proposed an open source, international, attenuated computer virus vaccine. And we've shown that it's not only possible, but that it's inevitable if we want to prevent the collapse of society.

And for those of you that are new to DEF CON, or who are new to hacking or security, uh, let me make a shameless plug for my book. It's called Windows Internet Security: Protecting Your Critical Data, and it's going to be published by Prentice Hall this fall. It's basically a very gentle introduction to hacking, and if you've never done a buffer overflow or you don't understand what such things are, I recommend you get this book before jumping into Hacking Exposed or something more advanced.

And, uh, I was asked to announce that coming up after this talk we have a talk by little elam.
I hope I'm pronouncing that right, on renegade wireless networks. And then after that, in this room, there's going to be a talk by the famous Robert Graham, the chief technology officer of, uh, Network ICE. He was scheduled to speak yesterday, so if anyone missed, came to that talk and was disappointed, stick around for the talk in an hour, and that's going to be really good.

And what I'm going to do now is open the floor up to questions. Yes, we have a question back here.

You said, okay, we have a question saying how do we attenuate the virus, you know, lowering the number of vectors and things like that. And, uh, basically, this is going to be up to a lot smarter people such as yourselves. For example, think back to the Melissa virus. Those of you who studied Melissa know that it had a certain number of vectors, like it infected the first 50 people on your Outlook contact list. But once you got it, you're immune to it. It conferred immunity. It doesn't reinfect you. So in a way it had kind of a vaccinating, immunizing property to it. If you wanted to create a vaccine you might try reducing the number of vectors, making it two or three, for example. In that way it's, or even give a time delay, saying that it couldn't spread that fast, maybe one email every hour, every six hours. That way you wouldn't shut down the whole internet within a couple days. You'd still get the immunity, but nobody would notice. It would just be a minor infection. Did that answer your question? Okay. Yes, question here.

Could you? So what's the good virus going to do? Is it going to provide some immunity, or is it going to just induce people to upgrade their antivirus software? Well, thanks. I think you've answered my question for me.
It's, uh, probably the most important effect I can see right off the bat is it'll raise awareness. And that in itself confers a lot of immunity, because, I mean, if you ask somebody off the street, they probably have never updated their antivirus software, ever, you know, since they put their computer up, and that may be three, four years out of date. We're talking about normal people off the street, and most of us, I mean, probably a lot of us don't even update it every two weeks or every month or so. So in one way it can raise awareness, but we're hoping it'll have a lot more impact that we can't even foresee.

So how's that going to stop another global killer like I Love You? That's another excellent question. And, uh, the only thing I can foresee is examples from medicine. What the doctors do in medicine is they research what viruses are coming from Asia or Taiwan in the summer months. They create a vaccine. They quickly synthesize big vatfuls of it and they distribute that. By the time the virus makes it over from Asia, they've already got these samples ready. Everyone's already immunized in the United States. Now, we'd have to work much faster, obviously, in computers, and maybe a system like IBM's would help in that situation, where it could be done automatically in the wild. But I feel personally that it's going to be done by people who actually are fanatics about viruses. They scour the newsgroups and they know what's up and coming. There's always going to be some that slip through the cracks, just as in medicine.

Okay. Question right here. Oh, I'm sorry. You were first. Okay.

Okay, the question is, uh, we proposed that the virus be released by the government. Um, I don't know that that's the best answer, but I think that's probably the only answer. That's the paternalistic model. Pardon? Will we trust the government? Okay.
So there's two questions. One is why would we think the government would help us, because they're spending money building up their military and things like that. Uh, to be honest, I don't know that the government in its present state would be able to do that, and again, I think it would have to be a world body. I think we're talking about the future, when, uh, we'll have a more world-encompassing government. And that's one of the things I really believe in, is that in the future we'll have a more world-embracing government. We won't have these petty, uh, power-hungry individual governments that don't really care as much. And your question again was?

Okay, the question is how can we trust the government to do the right thing, how to do it quickly enough. The reason that's a good question is because, if any of you work for the government or have dealt with the government, it's a huge bureaucracy, and basically we're talking about years and decades before things, I'll get your question next, before things, uh, get done. And I don't have a good answer to that, but I can say that with groups like the World Health Organization, those groups are actually much better if they had the money and resources. For the resources they have, they do a really good job, for example, eradicating smallpox. Now, that's a government organization, but that's a really good example of one. So it may be possible, but like you said, it's hard to trust the government, and I think open source will help a lot. I mean, that's one thing we can lobby for, is for open source. You, and then a question over here.

Okay, the question is can I explain why replication, or the actual viral lifecycle, the thing that Bruce Schneier said is always bad, how can that possibly be good?
As opposed to just a controlled environment where, for example, administrators update their scanning software. Okay, it kind of happens automatically, and, uh, I'm not sure I can justify that except through the analogy again. I don't have a working model. That's what we're going to be working on in the next year. Hopefully we'll have something by next year. And if anyone here is a really good coder, please talk to me, because we're going to need a lot of help building this. I think we had a question. Yes.

As a vector. Excellent. I hadn't even thought of that. And the statement was that you can look at it from a genetic engineering perspective, and in genetic engineering you often use viruses as vectors. Uh, I can tell you're a molecular biologist. Is that? Physicist? Okay, close enough. But, uh, that's a good way to put it. I'm just teasing you. Uh, but you're probably in a better industry than the molecular biologists right now, because those guys are having trouble getting jobs. We'll do one back here and then we'll come up to you.

I'm not worthy. We have Sarah Gordon here in the audience. Okay, well, the correction was from the legendary Sarah Gordon, who I'm actually quite humbled is actually here, uh, in this talk, and the correction she made was that the AV community doesn't, uh, necessarily hate virus writers, and for me to make that statement was a stereotype, and I apologize. Uh, so is that acceptable? Thank you. Thank you. I'm sorry. Uh, we have one here and then, sorry, I'm missing you.
Let's do yours and then. Is. And you know who wrote that? Okay, most of you probably do.

Uh, the question was that there was recently a virus that went through and fixed the BIND vulnerability. Basically, it was a worm that did kind of exactly what we're talking about here. The only flaw with that is that it left a back door in all the systems that it infected, and it was released in the Department of Defense. And I believe the person who wrote that has just started their jail term, unfortunately. I believe that was written by Max Vision, who is quite famous in this circle. The irony of that is in the future the government will probably be coming to him for help on how to write this vaccine, uh, because he actually did it. He wrote a worm that went through and immediately patched this vulnerability, which was a huge vulnerability for the Department of Defense. The only problem is he did it without permission, and, what the heck, by the way, he put in a back door on every system of the Department of Defense. So he had the right idea, but I hope you all go about it in a way that doesn't get you arrested. We had a question here and back.

Okay, the, uh, the question is if this is going to be open source, so what's going to stop someone from taking what we've got and putting in a, uh, nasty payload? And again, um, excellent question. I may be wrong here, but from the virus writers that I know, to me a lot of them are real geniuses, and they can often go beyond what society even, or even the best programmers that I know, can write. So I think they can personally do even better.

Okay, uh, the question is, uh, what's to keep, uh, script kiddies from downloading this code, compiling it, and then releasing it, uh, before it's available? And I don't have an answer to that yet, but hopefully by next year I will. Question here, and then we're about to wrap up.
So let's take a question here.

Okay, and I'll get his question and yours. The question is, what's the logic of having a virus that just confers immunity to one organism when antivirus, uh, you can do it automatically and much more efficiently? Is that your question? And you may be right. There's no guarantee that this would ever work. It's all hypothetical. But perhaps a combination of two, and the thing I'm trying to present that I think will be the most important is the actual power of replication. From what we've seen in medicine it can be very powerful and useful. But it may be that we have to really harness it into an antivirus system such as one that IBM or other companies have developed. So you may be totally right. I may be totally wrong. We'll see.

I'm sorry. Can you speak up just a little bit? Okay. 90% are already. Pardon? They won't want that. Okay, that's a very good point, and what he mentioned, that first of all, after there's a big infection like I Love You, you said statistically there's a dip in the number of viruses for the next few weeks or months after that. And so that may kind of be supportive of this whole theory, but at the same time you said people don't want that I Love You virus in the first place. They're never going to accept the idea of a computer virus in the first place. They don't want the infection even if it gives them that dip. Is that? Most corporations don't want to stop getting viruses by getting viruses. And again, you may be perfectly correct. This is just a theory that is coming from medicine, which is my background.

Yeah, yeah. Are you, uh, in medicine then? Okay, so this is a genetic engineer. We have a physicist. I'm actually a medical doctor myself.
That's my background, so that's kind of how I'm coming from it, uh, bringing that. Now there's a last question, I guess.

So the comment was, wouldn't you say that viruses are already doing what I have proposed up here? In the last decade, uh, viruses have caused a resultant upsurge in antivirus technology, which has effectively gotten rid of most viruses and given us a great degree of protection. Is that? Corporations. Okay.

Okay, and so he pointed out, first, the VBS script virus already did this. It caused corporations to block VBS or to, uh, update their systems in a way to protect from it. So you're perfectly correct. This is already happening, and I think if it weren't for the viruses that have already been written and the resultant antivirus community, society would be geared up for a big collapse, just like the Native Americans and smallpox. They were wiped out overnight. So I think the viruses we've had that have infected us have actually been really good for us. They've given us an innate, built-in immunity. And the last question is right here.

We better have better security. Okay, then probably the best point of the day is that, uh, the gentleman suggested that the proposal here is kind of like bringing a bomb to an airport and blowing it up and saying, well, that's going to improve airport security. Why don't we go, you know, blow up some airports? That's going to increase their defenses. Point taken. And again, like you say, this is probably an extremely radical idea, and I think AV will be violently opposed to it, may never accept it. What I've tried to do is kind of bring what I've learned from medicine to this technology. And remember, back in the early smallpox vaccine days, people, you know, if they told you they were going to immunize you, you'd either kill them or run away. You didn't want that vaccine. I think that's probably where we're going to be at the beginning. So, very good point, and you really got to the heart of the matter.

Well, thank you all for coming.
I'll be around if any of you have any questions or comments.