Bit9

Looking for a good book to read at the beach? I highly recommend the techno-thriller Daemon (and its sequel Freedom™) by Daniel Suarez. The story follows the fallout when a fictional game designer writes a powerful Internet daemon that activates after his death. I find the world Daniel Suarez created for his Daemon novels compelling. A voice-activated heads-up display integrated with glasses seems like a cool way to process and interact with information. Automated cars would have a huge effect on commuting, energy usage and safety. I enjoy gamification, and find it works well at getting me to do things I might not otherwise accomplish. Finally, the American dream idealizes our society into a meritocracy, but we are often reminded how far we actually have to go to achieve that. Along with the positives I wish we had, Suarez also highlights many negatives that exist today, many of which have security implications.

The story’s cataclysmic daemon consists of a narrow-AI construct rather than a sentient ghost in the machine. The daemon’s creator, Matthew A. Sobol, leveraged his video game AI experience to predict human behavior and make a glorified decision tree act and look like Skynet. Now picture an automated decision tree of cyber attacks where the last node is leaving a little video on your screen that says “U R pwned.”

Sobol’s daemon uses a number of methods to recruit human operatives, with the most prolific being one of his massively multiplayer online role-playing games (MMORPGs). The stereotypical players of this game consist of the disenfranchised with lots of time on their hands, exactly the types who would help the daemon.

Suarez repeatedly uses the failure of a supposed solution as a plot device. It works nearly every time to create thrills, but it also illustrates another concept: “the death of ‘clever.’” Qui-Gon Jinn’s statement “There’s always a bigger fish” addresses this, as complacency due to assumed safety usually leads to disaster.

The study of security should include steganography. The daemon uses it to pass messages to its human operatives, sometimes hiding things in plain sight but not through methods easily detected via computer algorithms. Whether hiding outgoing data or incoming attacks, advanced malware will exercise stealth.

Our rush toward efficiency often sacrifices flexibility. We build larger and more complex software systems that end up more brittle and susceptible to attack. Although autonomy makes things more convenient, it also increases the cascading of failures. Think about that as you pull back funding on your IT helpdesk.

Most successful malware acts as a parasite, trying to achieve its goal without unduly affecting the host. Aberrant host behavior would draw attention to the parasite, or possibly reduce host (and therefore parasite) functionality.

For a business, the IT costs of security do not exist in a vacuum. It does no good to have an over-the-top security system but then underfund R&D so it produces no intellectual property worth protecting. With that said, it’s important to revisit earlier decisions and continually sharpen the saw. Too often an initial security solution is deployed to pass some legal or societal requirement and once that task is checked off, it’s never thought of again – until there’s a breach. “Good-enough” computing and security never work in the long run.

We often like to compartmentalize responsibility, both to focus our efforts and limit our blame. Individuals who do that with security do so at their company’s peril. The CSO and his or her team may focus more than others on security, but all employees are responsible for it. Take ownership of your personal and professional security before some new piece of malware takes ownership of it for you.

Many different vulnerabilities and exploits get used throughout the story, by both protagonists and antagonists. This includes phishing, brute-force password attacks, Wi-Fi spoofing, image corruption, impersonation, SQL buffer overflows, format string vulnerabilities, and many others. I mention this just to highlight that the list of attack vectors grows longer by the day.

The story of Daemon touches on all these and many other issues relevant to us today. Suarez’s faithfulness to the technology allows for interpolation and pontification. We may not be all the way there yet, but we’re certainly on our way. Are you prepared to accept the daemon?