Seagate: The Hard Drive, Reconsidered
SPECIAL FEATURE

It is a frame of mind that not even the smartest security engineers, working the problem for decades, may have considered: We speak of viruses infecting the operating system. We hold the manufacturers (or, more often, the manufacturer) of the operating system partly responsible, even partly liable, for the damage that malicious programs cause to people's work and livelihood, as if the entire work paradigm for information technology exists in software.
What if we think of the problem from a reverse angle: Aren't hard disk drives the things that get infected? Decades ago, we used to quarantine floppy diskettes that were believed infected, when diskettes were the primary means for viruses to spread, prior to the ubiquity of the Internet.
Today's malicious programs enter systems via this network, exploiting vulnerabilities in operating systems in order to become active, but inevitably, they get stored. For viruses to remain effective, at some point in their life cycle, they must become "data at rest" - files residing undetected amid a forest of millions along the surface of a perpetually spinning ceramic platter.
What if we could attack them there? Moreover, what if the mechanism that puts them there in the first place could prevent them from getting there? Viewed in that light, suppose hard drive manufacturers were to recognize the problem as a threat to their livelihood, and proposed a feasible, workable solution which involved the operating system only to a minimal degree?
This is not only the story of a technology, but also of a company that security engineers would consider a "bit player" on the security stage, yet which considers itself not only a "bit" player but a big player in IT: Seagate Technology. Seagate's proposed solution to the information integrity problem could fundamentally redefine computing in a way Windows Vista could only dream of.
Pursued to its fullest extent (though I grant you, no sweeping concept in the history of IT ever has been pursued to its fullest extent), it could uproot the very business model through which computers are sold. The hard disk drive itself, promoted from a passive storage receptacle to the role of co-provider of the "root of trust," could actually end up costing consumers and businesses less - one critical reason being, they won't be the ones paying for all of it.
Under this model, security software as we have come to know it may be demoted to the third, or perhaps even fourth, "line of defense." So the notion of disengaging antivirus utilities, which has become blasphemy, could metamorphose into feasibility.
Before you think this is just some other pipe dream promulgated by press releases, and predicated on a plethora of "what-ifs," consider the following underappreciated fact: Next week, the hard drive manufacturers of the world, along with that certain operating system manufacturer and other interested parties, will assemble to vote on how they will actually do this. Their milestones include dates as soon as next year. And there may be little, if any, opposition to this plan among them.
If there is any opposition to be had, if there is any dark lining to be detected amid the silver cloud of interoperable solutions, it may yet come from the consumer. For riding piggy-back on this plan, which bears the promise of terminating the current era of malware, is a subsidy which few may instantly embrace: a kind of lease agreement, where quite literally, other companies may reserve segments of the hidden memory inside the hard drive for their own purposes.
Some of these companies could be security providers. Others will likely be content providers. And if this article stopped here, you could still see where it was leading.