One of the biggest challenges living someplace like Cambodia (which I do) is finding all of the cool tech toys that my geek genes tell me I need. Finding software is similarly difficult, at least when it comes to legal copies of software. I can go down the block to my local market and find almost any software program, music CD, or DVD my little heart could desire, for somewhere around $2 per disc. Finding a legitimate copy of, say, Microsoft Office, is much more of a challenge.
So how does this impact the security scene here? Well, for one thing, those pirated copies at the local markets almost certainly contain what they advertise (whether it be Office, Oracle, or Myst). Many of them also almost certainly contain a little bit more (insert name of your favorite virus/trojan/spambot here). Uh oh.
Now, Cambodia is small, remote, and extremely unconnected. Very few people here can afford a PC, let alone the monthly Internet access. I pay over $100 each month for my 128-kbit/s ADSL link. In a country where $60 a month is a good salary, there are clearly few people even thinking about home network access, let alone spending hundreds of dollars on software, or even $4 on pirated software.
However, this "a little bit more" situation is what's happening in the rest of the developing world, including countries like, say, China, which are much more populous and connected. Think about half a billion people using pirated software, with perhaps 64k connections for each. Add in a few thousand Internet cafes. Even if only 1 percent of the pirated software is infected with some sort of malware (and my hunch is that this is an underestimate), this is clearly a non-trivial problem.
Suddenly all that spam that has been making it through my two layers of filters is not so surprising. All of a sudden we have a large portion of the developing world essentially acting as open relays for spammers. We also have half the world available for a very, very big DDOS attack. This is not good.
So, how do we deal with this problem? That's far less clear to me. There are several problems that need to be addressed to solve it entirely, but it seems relatively intractible on the consumer end. Before you can get consumers to use licensed software, it has to be affordable.
As soon as it is affordable for the local populations, it is going to be purchased locally and resold internationally at deep discounts (already done in the electronics/photo equipment world, where "gray market" equipment is available with no warranty but otherwise in new condition). That makes it unlikely that large (or small) software companies will go for it. The other option would be to solve in a robust way the problem of malware in the operating system. Clearly that's not going to happen any time soon. A third option would be to encourage the use of free (as in beer) equivalent programs.
I'm writing this article using OpenOffice Writer, which is great for me, but I just don't see it taking the world by storm right now. For one thing, knowing OpenOffice doesn't give one much of a leg up in the job market, where knowing Microsoft Office certainly does, and computer skills are one of the few things that show promise at getting people out of poverty around here.
The other thing is a distribution problem. OpenOffice at the local market costs the same as Microsoft Office. If I download OpenOffice it actually costs me more money, since here I pay up to $0.10 per MByte for traffic over my DSL link.
So what's the world to do? I don't see a practical way to eliminate pirated software in the developing world right now. The incentives just aren't there for the local populations. Perhaps if we can develop good filtering, or at least monitoring, at the ISP level we'll be able to reduce the volume of such traffic.
Until then, I guess the best we security professionals can do is keep patching holes on the machines we control and be happy that our own PCs are free of the evil beasties. It seems that escaping being a target is just not likely to happen any time soon.
Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading