When Alan Turing was thinking about computer programs there were very few programs. Today, with billions of processors connected via the internet protocol, we have more programs than people. Yep, just on this webpage there are numerous programs that were executed when you clicked on it.
That the programs executed without your knowledge makes the internet and its connected world seem like magic — things just happen to work. Good job, engineers! One of the downsides of billions of processors is the “bad guys.” Yes, there are folks that don’t understand how to secure networks or their information, and the “evildoers” can get ahold of some relevant and at times kinetic stuff, all via a keyboard.
I keep rethinking this idea of how we should be allowing our programs to run in the face of “Fake News.” For humans, fake news is about changing hearts and minds, whereas malware is a similar threat vector for your computer. Humans don’t like it when they are convinced to vote for something that is untrue, and computers shouldn’t run code that would be harmful to them.
I don’t [yet] have an algorithm to understand when a piece of news is fake; however, I have stumbled upon a method for deciding if a computer should allow some code to run. I call this area of research the Starting Problem. It is a form of data racism which works just like you might think. If you could look at a program and you knew it was bad, could you assume that another program that looks like it is also bad? If a program lived in a neighborhood of other known bad software would it be ok to prevent all the programs in the neighborhood from execution?
The blue dot is where our software lives in the land of Turingville. It has many neighbors, and I can tell you after allowing a few of the programs to run in this neighborhood — they all appear to be evil, though in many different ways. For an interactive map of this image see Icewater.
Two programs from the cluster above can be imaged to better understand what I mean when asking about how a program looks.
The VirusTotal reports for the above are at 59c4d05e59a38a02083e8f87de012196 and 54935db39d5385d9668d6f762988259c. Both have detections from 36 out of 62 engines in VT, which say that these samples are a form of malware called Symmi.
The Starting Problem works like this: if we get another program that looks like these two, should we allow it to run? In meat space we call it racial profiling — if something looks like something we assume is bad, can we assume that all of it and its neighbors are bad? When it comes to programs we are allowed to discriminate in this way.
The above is another sample from this same cluster; would you let it run? See for yourself what the AV industry thinks of the program. This kind of profiling gets humans in trouble, such as when a Florida state attorney is pulled over in a traffic stop that goes nowhere fast. Humans are fantastic pattern matchers, which is often exploited, misunderstood and rarely discussed.
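The Starting Problem decision rule described above, as an added example that is not the author's or Icewater's code: deny execution when a candidate sits close to enough known-bad samples. The post does not say how "looks like" is measured, so the byte-histogram feature, the cosine distance, and the `radius` and `min_neighbors` thresholds are all assumptions, and the sample bytes are constructed.

```python
import math
from collections import Counter

def byte_histogram(data):
    """256-bin byte-frequency vector: an assumed stand-in for 'how a program looks'."""
    counts = Counter(data)
    total = len(data) or 1
    return [counts.get(b, 0) / total for b in range(256)]

def cosine_distance(a, b):
    """0.0 for identical direction, 1.0 when the vectors share no bytes (or one is empty)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    if norm_a == 0 or norm_b == 0:
        return 1.0
    return 1.0 - dot / (norm_a * norm_b)

def starting_decision(candidate, known_bad, radius=0.05, min_neighbors=2):
    """Return ('deny' | 'allow', count of known-bad samples within radius).

    Requiring more than one close neighbour is the guard against blocking a
    benign program that happens to resemble a single bad sample.
    """
    vec = byte_histogram(candidate)
    near = sum(
        1 for sample in known_bad
        if cosine_distance(vec, byte_histogram(sample)) <= radius
    )
    return ("deny" if near >= min_neighbors else "allow", near)

# Constructed sample bytes (not real malware): two "known-bad" cluster members,
# one candidate that differs slightly, and one that looks nothing like them.
BAD_A = b"MZ" + bytes(range(64)) * 16 + b"\x00" * 128
BAD_B = b"MZ" + bytes(range(64)) * 16 + b"\x00" * 160
KNOWN_BAD = [BAD_A, BAD_B]
CANDIDATE_NEAR = b"MZ" + bytes(range(64)) * 16 + b"\x00" * 144 + b"\x90" * 8
CANDIDATE_FAR = b"The quick brown fox jumps over the lazy dog. " * 30

if __name__ == "__main__":
    for name, blob in [("near", CANDIDATE_NEAR), ("far", CANDIDATE_FAR)]:
        print(name, starting_decision(blob, KNOWN_BAD))
```

The two thresholds set the trade-off: a wider `radius` or a lower `min_neighbors` blocks more of the neighborhood at the cost of more benign programs denied.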
In another post I’ll walk around the neighborhood of n3e9.6114ea48c0000b12 and look at other samples in the fascinating land of Turingville.