
ExploitHub: NSS Labs' radical way to check for vulnerabilities

Wouldn't using actual exploit code be the best way to determine if your systems are vulnerable? NSS Labs thinks so. Learn how they are making that possible.

--------------------------------------------------------------------------------------

To thoroughly vet an application, which method would you trust? Running tests in the lab or subjecting the product to the foibles of the Internet? Surviving the real deal seems like the better way, wouldn't you agree?

A while back, when doing research for this article, I ran across a company called NSS Labs that strives to do just that. One of their procedures is to install the anti-malware application under test on a computer, then visit actual malicious web sites, recording if and how the anti-malware handles the threat.

To ensure good results, visiting a variety of malicious web sites multiple times is required. So NSS Labs has automated this process, with the test running around the clock for several days. To that point, Rick Moy, president of NSS Labs, mentions:

"If you're not testing like the bad guys, what's the point? We go out to the live Internet and find out what is circulating on malicious campaigns in real time."

ExploitHub, the next step

NSS Labs has taken realistic testing one step further by creating ExploitHub, a system where actual malware is bought from exploit code developers and sold to security professionals to use in their testing. Rick Moy further comments:

"The goal is to close the capabilities gap between the cyber-criminals and white hats, by enabling defenders to perform more comprehensive testing of their defenses."

As I alluded to in the title, ExploitHub seems like a radical idea. Still, qualified experts seem to think it has merit. HD Moore, the creator of Metasploit, has this to say:

"The NSS approach sounds like a great way for exploit developers to profit from their work and an excellent source of useful tools for penetration testers everywhere. Since they are only dealing with exploits for which vulnerability details are already available, it's less about safeguarding sensitive information and more about creating a market for exploit tools."

Rick Moy is quick to reiterate what HD Moore mentioned. Only non-zero-day malware will be part of ExploitHub. Besides, why bother testing a zero-day exploit that does not have a solution?

Benefits of ExploitHub

NSS Labs offers the following arguments on why ExploitHub is a good solution:

  • Improves data security by bolstering testing capabilities.
  • Levels the playing field by giving security professionals more resources.
  • Creates an economically-sustainable ecosystem for ongoing vulnerability testing.
  • Advances security product development, deployment, and testing.

Questions

As a writer about IT security, I had more than a few questions. Rick Moy has graciously answered my questions before. So, I had no doubt that he would once again. So here goes.

TechRepublic: Earlier in this article, I mentioned that you use a unique approach when it comes to testing anti-malware applications. Could you please give us your perspective on why it's different?

Rick Moy: Simply put, our clients want to know where the holes in their defenses are - so they can make informed purchases and address any residual risk. By testing 24x7 using live malware on the Internet we're able to measure the proactive and reactive coverage of security products.

TechRepublic: You seem to be the only company following this path. What advantages does it provide your customers?

Rick Moy: Our customers tend to take data security very seriously and are not just looking to check a box. They are seeking actionable data to reduce their risk of infection. Our information services allow them to identify which products fit their asset profiles the best, determine whether patching is needed, model defense in depth, and ensure they're not overpaying for security, and even justify projects to management.

TechRepublic: ExploitHub is being called the "App Store for Exploits". Is that a fair assessment? Exactly what are you trying to accomplish with ExploitHub?

Rick Moy: We created ExploitHub as a marketplace, and with any marketplace, the goal is to accelerate commerce between many buyers and sellers. We recognized that single-company solutions were not adequately addressing the need. So, we are giving a voice and commercial channel to hundreds of researchers to sell their works. This makes more content available and affordable to users who need it most.

TechRepublic: It seems that ExploitHub is an extension of your philosophy about using real-world malcode to test anti-malware applications. Is that how you see it?

Rick Moy: Yes. Everything we are doing is about evangelizing real-world testing for the purpose of improving security. Whether we test in our lab or provide tools to end-users to test themselves, it must be real. We believe, if you're not testing like the bad guys, with the gloves off, what's the point?

TechRepublic: I don't understand how you will go about buying exploits and selling them. It's almost like you are commercializing malcode.

Rick Moy: We're not the first here. Selling exploits has been a legitimate business for several years now; e.g., companies that make pen testing tools. But, right now, the supply is constricted. We're really just optimizing and legitimizing the commercial process so more content can be delivered to people who need it.

For more details on how the marketing process works, please refer to this page on ExploitHub.com.

TechRepublic: What do other security researchers think about ExploitHub? I've read there is some apprehension about exploits getting into the wrong hands.

Rick Moy: These exploits are already in the wrong hands and actively circulating on the net. And the good guys who are trying to defend their networks have but a fraction of them. This is typical of the asymmetrical war we're fighting. We need to level the playing field. That said, we are striving to limit access to legitimate and identifiable security professionals.

TechRepublic: I have read that your products will integrate with the Metasploit Framework. How does that work?

Rick Moy: The objective is to make the user experience easy, automatic, and trustworthy. Exploits will be submitted to the marketplace coded to run on the Metasploit framework. Users will also be able to easily shop in the marketplace using the results of their scans, and content will be downloaded directly into MSF.

TechRepublic: ExploitHub seems like a unique way to test vulnerabilities. Do you have any concerns about the approach due to it being somewhat unorthodox?

Rick Moy: When something isn't working, you need to find another way. Today, practitioners are not able to find all the known holes in their network, so we must innovate a new way. The app-store model has several successful examples of applying market dynamics to solve a seemingly large, intractable problem. Ebay, Craigslist, the iPod App Store, Android Market, etc.

Final thoughts

I find ExploitHub an interesting concept and it seems to be a win-win situation. Both exploit developers and security researchers stand to gain by using ExploitHub. Do you agree?

54 comments
bboyd

Is the exploit presented in an active framework it can attack from? How is the purchaser expected to present the machine for exploit testing? Guess I'm confused, we aren't talking sale of Malware source code but just Applications that use the same exploit methods used by existing software.

Neon Samurai

That's Trojan's testing method. (Just don't ask how they get them re-rolled and packaged. ;) )

Michael Kassner

I am curious as to what the members think. Edit: Spelling

sabiodun

This is an interesting article and the approach by NSS is a refreshing one. I have concerns though.

1. How do they intend to source exploits?
2. Who will determine the cost/price of particular exploit?
3. Does this have any bearing/relationship with the MITRE maintained CVE database? Is there a problem with this list?
4. Is this not tacitly legitimizing the work of exploit code writers, permit my naivety!

Regards

seanferd

Typhoid Mary, if the Salmonella typhi were altered to remain infectious, but not pathogenic.

Neon Samurai

I'd love to see a huge list of Add lines in my next svn update. But, I do realize that these are "value add" products sold for use with MSF rather than intended to contribute to the MSF base project. Still.. a geek can dream..

seanferd

No, in fact this violates their intellectual property rights, LOL.

Neon Samurai

Exploit writers are already legitimized by black and white markets. Bad guys buy them, good guys buy them; I'd much rather the code in the hands of the good guys than limited to the bad guys. Really, it's not the writing of an exploit but the use of it after production. Pentesting skills are the same; being able to work your way into a protected system is not legitimate or illegitimate. What makes it one or the other is if you're doing it with criminal intent or by the desire and approval of the target. I give myself permission to break into my own machines; no problem. You give me permission to break into your machines; no problem. I decide to break into your machines without your consent; problem. A guess for 1; they are researching and developing exploits in house and potentially buying exploits from others; two sources is better than one. A guess for 2; In the open market, exploits are bid on if I understand correctly. There are also bounty programs with set prices. One may also be able to price an exploit based on research time devoted to it. Consider the research times reported for last year's Pwn2Own contest; six months of work in some cases.

Michael Kassner

I will do my best to answer them. I also have passed them along to Rick Moy.

1. How do they intend to source exploits? The code developers will sell it to NSS Labs, who then will vet the code to see if it is correct.

2. Who will determine the cost/price of particular exploit? NSS Labs will determine both.

3. Does this have any bearing/relationship with the MITRE maintained CVE database? Is there a problem with this list? To the best of my knowledge, that is not the actual code. Knowing what is vulnerable and proving it are two different things.

4. Is this not tacitly legitimizing the work of exploit code writers, permit my naivety! To some it might be, but the malcode is being sold already. Why not give the good guys a fair shake so they can keep up.

JCitizen

that are on business AT&T, as they force that crappy firewall modem on them, and it continually presents holes to the web, and is about as good as tissue paper. Norton is partially to blame, but my clients won't dump it. Comodo would probably close all ports to the hardware firewall. It works swimmingly, that way, with Skype and my perimeter gateway. I've rarely had any functionality problems, and if I do, Comodo resolves it automatically within a few days. They have an excellent software reporting system for compatibility.

Neon Samurai

For me, the biggest grief was Bell placing the onus on the end user where Rogers placed the onus on its own hardware. Rogers simply put authentication in the hardware and whatever plugged into the NIC port on the modem got an IP issued to it; no software, no odd networking setups. Bell chose the method that meant adding software to my machine with complicated network setup; bad software nonetheless. For an old school BBS type modem setup, sure; it's a one host to many client relationship. You need to authenticate that with your trusty terminal app and user/pass. For Bell's setup at the time; it was a paired dsl modem on both ends of a dedicated wire. It was a one to one relationship; no reason not to simply have the paired modem at the client end simply bridge dhcp into the modem's network port. Granted, this is long ago.. Bell seems to have changed their setup to a client side dsl with router/wifi included (but WEP-128 with easily guessed passwords.. WTF is that?). Even if it's still PPPoE, the modem has the client in it instead of forcing additional software onto the customer's machine. It appears to be more of a bridge between phone and cat5 wire sides.

JCitizen

Fortunately I don't use AT&T anymore. We have modern hardware here, and this protocol switch was a real speed gainer for us, out here in the desert. Sorry to hear this didn't work out for you and santee. :( We are supposed to be on 1Gbs fiber by the end of the year.

Neon Samurai

One of the reasons I dropped Bell and flipped to Rogers at the time; PPPoE.. why the F am I running a client app for authentication that should be done within the hardware modem. Bell put the grief on the customer.. Rogers put the grief on the hardware and their side of the connection.. Don't get me started on the bloated crap Bell provided for PPPoE, the third party client was miles better though still bloaty extra software where none should have been needed.

santeewelding

Switched both internet DSL and telephone to cable as a business overhead cut, from ~ $165 to $108 a month. The guy from the flyover zone and I were in communication when things got flaky. Just a quick note to him that I was still alive.

JCitizen

with PPPoE... maybe that will work better!?

santeewelding

Flaky again. No telephone. Eking this message out before I lose the connection...

Neon Samurai

Better than what my twisted mind was thinking up.

bboyd

Reduce, don't use it. Re-use, shake the @#$% out of it. Recycle, melt it down and remake it. What grace?

Michael Kassner

I appreciate your input and comments at all times. Tongue in cheek

Neon Samurai

I really want to make a joke about Reduce, Reuse, Recycle.. I'll let this tangent die gracefully though

santeewelding

Sent you to Google, did I? There is method to my madness.

Neon Samurai

I'm not familiar with the group you mention (more reading for me to do). Your area should have local professional groups with meetings once a month or some such thing. Here, TASK is a free to join infosec group meeting at the end of each month. The meeting itself will have speakers covering relevant topics; after the annual conferences one or two meetings seem to be devoted to review and summary of those conf talks. The real value is getting to know other infosec professionals in your area in addition to the content of the meeting.

Neon Samurai

My guess would be that vetting is up to the buyer in the development and pre-development stages. If you're obtaining exploits by bidding or bounty then you have to validate what you receive. US CERT has its own researchers for vetting reports and researching them further. In terms of things like Metasploit and OpenVAS, you're leveraging the FOSS model of peer review. Like the folks that work on the core of OpenSSH/OpenSSL, you're dealing with high skill and knowledge levels in their fields. Nessus and similar proprietary product; you're limited to trusting the company's staff and reputation (Nessus having a very strong reputation in the industry). Infosec is also a very small community by comparison to other areas of focus. If you're in Infosec, you probably know everyone else in your city working Infosec. In the Toronto area, we have TASK where you'll get to know most of the local Infosec and similar organizations exist in other areas. I think more collaboration by the infosec folks on centralized vuln/exploit data stores could only help things though. Everyone contributes modules to Metasploit and everyone can vet those through peer review. You'll find out pretty quickly if you're duplicating an existing module where you should instead be enhancing that existing module. If you submit a payload clearly designed to be malicious then that's going to get spotted by the svn maintainers and peer review also. With US gov, I think it's NSA that runs the tigerteams and nerds. They are probably the biggest buyer of exploit code because of it. That was actually from an interview with a gov tigerteamer. From the interview; it's not if they can get into a system but how much effort is required to do so. Any system they've gone after, they've gotten into. He was an operative versus a developer. He'd say "we need to get into this" and the nerds would whip up tools based on developed/bought exploits. That particular article is on paper so hopefully I still have it floating around in one of my packrat piles. Since I'm working with whatever published material I can get hands on, you're probably in a better position to investigate further through contacts you've made at NSS Labs and similar. (years in the city and I'm still stuck in small-town mode thinking geeks like me are far more obscure than they are here in the big city. I really need to get myself out to the local TASK and 2600 meetings.)

Michael Kassner

That was what I was trying to get at. If a responsible source is doing just that, I would feel better.

Neon Samurai

"why not leverage the bad guys" I'm missing the connection. How would we leverage the bad guys or how are we not doing so now. Also, what point am I kind of making for you? From my perspective, I'm thinking that more vuln and exploit code included in tools like Metasploit improves its use for proactive security testing. The malicious tools already include the exploits so we're left to play catchup with our defensive tools. I hadn't actually looked at the number side by side before but Metasploit's library is less than half the next smallest number; it can only benefit from additions to the list of modules. AV software is the same way; more signatures in Avira's data files means more effective detection of live malware by Avira. Currently, AV/AM companies compete through the scanning engines and signature counts. The same signature regularly has different names from AV producer to AV producer. Effort is duplicated and wasted where competition does not improve the product. Competition doesn't change the malware signature but it can drive improvement in the scanning engine that uses those signatures. Ideally, AV/AM would compete through the scanning engines and collaborate on the signature database. All AV users would benefit because all AV gains a massive signature database which reacts faster to new discoveries. The competition would push scanning engines to improve rather than putting energy into several separate signature databases.

Michael Kassner

Why not leverage the bad guys. I hear all the time we should legalize certain things, it would be less of a concern. Thoughts?

Neon Samurai

My brain is not working today so I'm sure I wasn't as clear as I could have been in the beginning. I've also wondered how MSF coverage was for vulnerabilities. When I svn update "U" is great but "A" is better to see at the start of the line. Additions did increase briefly when Rapid7 first took over ownership but seem to have averaged out again. If I check as of 2010.09.28:

00,592 exploits MSF
00,302 auxiliary MSF
00,225 payloads MSF
18,900 plugins OpenVAS
12,751 exploits over at Offensive Security's archive
39,163 plugins Nessus4 (And a free for personal use debian package.. yoink!!)
- personal use; $free
- business use; $1,200 (annually?)

I can't quickly spot if Rapid7 has all the available exploits in the free Metasploit or if they save some for the premium products. Mostly, they seem to provide a more automated front end with the retail ExpressMetasploit product. Of course, these are only a few sources of exploit counts versus a complete list of vulns in existence.

Michael Kassner

Sorry, I did not understand your previous comments. What percentage of exploits do you think Metasploit covers? I have been told it does not have a majority of them.

Neon Samurai

"You block the pen, you win. Besides, your assumption that all security types are aware of every exploit is not a good one." I assume the opposite; that all security types are not aware of all exploits and do not have maximum access to defensive tools. They do not remotely have time to understand and run each possible attack against their own systems manually but the idea is not to wait until some criminal comes along and does it for you.

"It's like everything else, the bad guy only needs to focus on one pen exploit at a time, the good guy has to block all of them. That is what is being gained by ExploitHub. The security experts can shop around and get what will help them the most for a particular network." Absolutely, the defensive professional is on the losing end of a many to one relationship. An attacker need only find one success out of many potentials. I also agree that ExploitHub is a fantastic appliance for automating the process and providing the knowledge that the defensive professional does not have. Given available budget, one can shop around and the appliance increases the options available during that shopping.

My understanding is that we have the hardware appliance. Within the appliance, we have Metasploit plus the exploit modules it includes. We also have the additional proprietary exploit modules that NSS Labs produces and adds in. A module being a software plugin (though I don't think the confusion is software plugin versus hardware "module"). Metasploit is freely available as are the exploit modules it includes. The NSS Labs additional exploit modules and rest of the appliance hardware and functions are not.

For Alice who has budget available to buy the automating appliance, this is fantastic. Bob does not have that kind of budget. He must rely on a more manual process. He can't humanly understand and perform all possible exploits to test his systems by hand but he can afford to go download Metasploit. This increases the scope of testing to its limitations rather than his own. Bob can run OpenVAS and get a vulnerability report. He can import that report into Metasploit and get a list of exploits from its library. He can fire those exploits at his own systems to verify if they are effectively mitigated or not. He is basically manually replicating the functions of the appliance that Alice has on her network but without the larger library of exploits that the appliance includes. The artificial scarcity is limiting those additional MSF plugin modules to just the people who purchase the full appliance since they could easily be included into the MSF project benefiting all.

Mallory is pounding out attacks from her library of live malware. The safe assumption is that the Mallorys of the world have all possible attacks available since we don't want to assume they don't and ignore the one she managed to get in using. The Alices of the world that can afford the appliance get automated testing and the greater exploit library. At a minimum, they are better off by the margin of MSF exploits NSS produces and ships in the appliance. The Bobs of the world are hindered. They don't have Alice's budget and resulting larger tool set but must still protect from Mallory's onslaught. The Mallorys of the world benefit because the defensive tools are not maximized among Alice&Bob as a total of the defensive side. Mallory needs one exploitable vulnerability on one machine for a win. She has Bob's limited toolset to target.

NSS Labs could benefit the defensive side more by providing the MSF modules they develop for inclusion into MSF and use by any Bob lacking Alice's budget. Understandably, this reduces their retail proposition to the automation and hardware packaging of the appliance and would be counter productive to the profit motive. It would support the "think of the children" motive of giving the defensive professional a more even playing field. That they provide the appliance is fantastic. That they provide the proprietary MSF exploit modules only with the appliance rather than to the MSF project for all to benefit from is the point I'm focusing on. (I'm working on too little sleep so I'm not sure if I'm clarifying the point here but hopefully it does)

Michael Kassner

You block the pen, you win. Besides, your assumption that all security types are aware of every exploit is not a good one. It's like everything else, the bad guy only needs to focus on one pen exploit at a time, the good guy has to block all of them. That is what is being gained by ExploitHub. The security experts can shop around and get what will help them the most for a particular network.

Neon Samurai

"I just think it limits pro-active pentesting more than it inhibits malicious use of the real thing." I don't think withholding the modules hinders criminals as much as it hinders those defending against criminals. NSS Labs may intend to even the playing field by producing the modules but the result is an imbalanced playing field by limiting distribution among defensive players. We know all the bad guys have baseball bats so we developed baseball bats the defensive players can test their helmets with; we just didn't allow all defensive players to have one of our baseball bats to test their helmet with. Criminals already have the live malware and are interested in what it does after the penetration rather than the penetration itself. Duplicating the penetration does not benefit them. They have a full toolbox already. On the other hand, not all systems being attacked by that live malware are protected by someone who has access to the modules. They do not have a full toolbox to defend against attacks. The defensive side can not test their systems as thoroughly as the offensive side can attack them due to artificial scarcity of the testing tools. That's why I fully understand the profit motive. They provide a product which adds value to MSF in exchange for money. If "think of the children" was the primary motive then they would be contributing modules to MSF so all security professionals benefit. I think they would level the playing field more with a business model closer to Rapid7; the base product accessible by all with value added retail product stacked on top. Give anyone who uses Metasploit the modules through the MSF project while providing the prepackaged appliance as the retail product on top.

Michael Kassner

By this: "I just think it limits pro-active pentesting more than it inhibits malicious use of the real thing."

Neon Samurai

I do respect the choice to vet customers and profit from the code they produce. I just think it limits pro-active pentesting more than it inhibits malicious use of the real thing. Heck, malicious use of their own product obtained through questionable means. Granted, these days malware is as much a retail commodity as software designed for defensive use. For the really malicious stuff, you're either writing it yourself or paying a noticeable fee (given the last report on costing of pre-packaged malware I saw). I'm just not sure how one evens the playing field by charging a premium for defensive tools when the offensive tools they are based on are readily available. At the same time, I'd love to have my professional focus afford the budget of such tools as Nessus and such. Until then, I'm limited to defensive work based on the tools I can obtain legally.

Michael Kassner

You are making my point for me. Rick Moy realizes that the bad guys already have the exploit code. What he and NSS Labs are trying to do is even the playing field. Not all security researchers are well-versed in obtaining malcode or have impediments in the way preventing them from getting what is more or less illegal. Edit: Spelling

Neon Samurai

I do understand the desire to only release one's tools to the vetted "good guys" but I don't think he's achieving that through obscurity.

- if one with malicious intent wants the plugins, they are going to get them; a legitimate looking front isn't hard to pull off.
- since the tools replicate malicious software, those with malicious intent already have the originals.
- those with malicious intent also have the existing Metasploit library to draw on yet we don't have an overwhelming onslaught of MSF criminal use.
- as such, the obscurity only serves to limit those with honorable intent and lack of budget/access to the value-add plugins.

I could see them contributing to the metasploit project while moving the value-add proposition to their own appliance; "you can use the plugins by hand yourself or buy our nifty box that does its thing for you and comes with our support." But, I fully admit that I'm selfish on this one by wanting OpenVAS and Metasploit to get as many plugins as possible for my playing with and learning from. I feel similar about Nessus; shame it's fully proprietary with that lovely library of plugins that came after they stopped maintaining Nessus2. In neither case, I'm not suggesting raging a campaign against them.. just expressing interest in what's outside my current reach. (and, with that much business speak, I have to go rinse my mouth out.)

Michael Kassner

Rick Moy was adamant about making sure people who want to purchase the exploits are not going to misuse them. So a general update would/could be devastating.

Michael Kassner

That researchers have found copyright types of verbiage in some malcode.

Neon Samurai

The connection is questionable regarding Stuxnet being that researchers are still figuring out where it comes from and what it does. I skimmed it more for the mention of exploit/malware markets. It'd have been better if they focused on the market and compared it to the licit markets between honorable researchers and buyers.

Michael Kassner

I agree with the intent, but the piece goes over the top. Stuxnet was being alluded to that it could be bought. They don't even really know what it's all about yet, let alone on the market.

Neon Samurai

The competitors mention the licit exploit market in interviews. In passing, I've seen it from other researchers separate from the Pwn2Own competitions. I'll see if I can track down specific articles on the topic.

(edit): Inside NSA Red Team Secret Ops With Government's Top Hackers, By Glenn Derene, Published on: June 30, 2008

"And like any good geek at a desk talking to a guy with a really cool job, I wondered just where the NSA finds the members of its superhacker squad. "The bulk is military personnel, civilian government employees and a small cadre of contractors," OWNSAVAOG says. The military guys mainly conduct the ops (the actual breaking and entering stuff), while the civilians and contractors mainly write code to support their endeavors."

From memory, interviews after this and last year's Pwn2Own are worth skimming. I know they are in my library but can't spot them in five minutes or less here.

Michael Kassner

I just don't see that many operations selling exploits to legitimate sources. Do you have any references?

Neon Samurai

The key point was that developing and selling exploits is already legitimized. In the illicit markets, they are commodity goods legitimized by buyers with malicious intent. In the licit markets, they are commodity goods legitimized by AV companies and similar buyers. (One can choose for themselves which category government buyers fall into but .gov/.mil are big buyers in the exploit market). I'd personally prefer the licit buyers get access to the exploits so defensive systems can be improved. With my terminology, I was thinking in terms of supply chain. A manufacturer has a production process which starts with raw materials and such at one end and finished products at the other. Metal, plastic and schematics go in one end and cars come out the other. Those cars are "in production" for the duration of time that the factory produces them. The Pinto would now be "out of production" (I'm guessing, I'm not really of a gearhead (car hacker)). Similarly, things like Zeus and Stuxnet are under constant development, they are still being produced; they are "in production". They are not being written by amateurs tossing them together ad hoc. Today, these are sophisticated pieces of software being developed by skilled programmers and researchers. They are the realm of organized crime and nation states. They continually go through a development cycle improving them with each generation. They are commodity retail products sold through illicit markets. A more accurate term may have been "in development" since we more often refer to software being developed rather than produced. So I understand both sides of this though, what in my use of "in production" caused the question? What was your interpretation when you read it initially? (I may be off my rocker here so I'm interested in what alternative interpretation it caused.)

Michael Kassner

I guess that is a new expression. Is that what you really think?
