Re: Windows' future (reprise)

["lsi" <stuart () cyberdelix net>]

> IOW, you took what Symantec's numbers were for one year, and guessed
> they would be the same for this year, and then posted how you were
> almost right.

You definitely misunderstand.  AFAIK, Symantec do not publish the 
number 243%.  I calculated it myself, using this sum:

(0.92 + 3.67 + 1.64 + 1.24 + 4.44 + 2.65) / 6

I also calculated those numbers, using the general formula y(n+1) / 
y(n).  This is all explained on the link I gave in my original post:

http://www.cyberdelix.net/files/malware_mutation_projection.pdf

Even in the most recent report, Symantec only refer to the growth 
rate by saying it was "more than double" (eg, 200+%) - although I 
haven't read it closely, they may well elaborate on that at some 
point.

> You people really need to get your stories straight.

There is only one of me, I assure you.

> Then you blithe on about how people should "avoid any software that
> locks them into a Microsoft Platform like the plague" and specifically
> note .NET for businesses but of course fail to provide any examples of
> where they should go, or any real advice on your "mitigation
> strategy."  

I agree Windows needs mitigation, that is why I am posting.  I didn't 
mention alternatives as that's not my purpose, to promote a specific 
product, and I wouldn't want my observations to be tainted by it.  
However, now you've asked, I'd recommend FreeBSD, without even seeing 
your spec.  Desktops?  PC-BSD.  As for .NET, off top of head I'd 
suggest a .NET connector for PHP, running on FreeBSD of course.

> What it is about .NET that should be avoided like the plague?  Wait,

Sorry but I already answered that.   It's because it locks the 
customer into a Microsoft platform.

> One must assume that you are an expert .NET developer

You'd assume wrong - it doesn't take an expert to recognise a 
dependency.

> Additionally, you've clearly performed migration engagements for these
> people you "advise."  Please let us know what the actual migration
> plan was, and how you have so brilliantly created a one-off cost
> migration path.  I'm really interested in the details about that.  

I'm sure you are, and I'd be happy to oblige.  My rates for that kind 
of work start at £120/hr.  Please PM me for more info.

> Details on your SDL process would be fantastic as well. 

Continuous incremental improvement (TQM). RERO.  Prototyping.  Agile 
is the word used nowadays I believe... revolution through evolution, 
as I said....

Stu

> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
> lsi
> Sent: Saturday, May 15, 2010 1:07 PM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Windows' future (reprise)
>
> Is that you, Bill?
>
> I think you misunderstand.  9 months ago, I measured the growth rate at 243%, using Symantec's stats.  9 months ago I 
> posted that number here, together with a prediction of this year's stats.  Recently, I got this year's stats and 
> compared them with that prediction.  I found that this prediction was 75.4% accurate.  I am now reporting those 
> results back to the group.  And this is trolling how?
>
> My point is that the prediction was not wildly wrong, and so that leads me to wonder if anything else I said, 9 
> months ago, was also not wildly wrong.
>
> My main reason for claiming that Windows is inherently insecure is because it's closed source.  However it's also 
> because of the sloppy, monolithic spaghetti code that Windows is made of.  If you're claiming Windows is in fact 
> inherently secure, I assume this means you don't use AV on any of your Windows machines, and advise everyone you know 
> to uninstall it?
>
> I never said migration would be free or easy.  That is why I am posting this data here, because I see it as a 
> vulnerability, a very big vulnerability that many companies have not woken up to.  The very fact that migration is 
> hard, lengthy, and expensive, means that the vulnerability is larger than ever.
>
> Stu
>
> On 15 May 2010 at 14:40, Thor (Hammer of God) wrote:
>
> From:                 "Thor (Hammer of God)" <Thor () hammerofgod com>
> To:                   "full-disclosure () lists grok org uk" <full-
> disclosure () lists grok org uk>
> Date sent:            Sat, 15 May 2010 14:40:29 +0000
> Subject:              Re: [Full-disclosure] Windows' future (reprise)
>
> > I am constantly amazed at posts like this where you make yourself sound like some sort of statistical genius 
> > because you were "able to predict" that since last year was %243, that this year would be %243.  Wow.  Really?
> >
> > And for the record, these claims of 'inherent insecurity' in Windows are simply ignorant.  If you are still running 
> > Windows 95 that's your problem.  Do a little research before post assertions based on 10 or 20 year old issues.
> >
> > This smacks of the classic troll, where you say things like "nothing that Microsoft makes is secure and it never 
> > will be" and then go on to say how easy it is to migrate, and how it's free, with only a one off cost, and how to 
> > move off of .NET.
> >
> > Obvious "predictions," ignorant assumptions, and a total lack of any true understanding of business computing.  
> > Yep, "troll."
> >
> > t
> >
> > -----Original Message-----
> > From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf 
> > Of lsi
> > Sent: Saturday, May 15, 2010 6:12 AM
> > To: full-disclosure () lists grok org uk
> > Subject: [Full-disclosure] Windows' future (reprise)
> >
> > Hi All!
> >
> > Just a followup from my posting of 9 months ago (which can be found
> > here):
> >
> > http://www.mail-archive.com/full-disclosure () lists grok org uk/msg37173.html
> >
> > Symantec have released "Internet Security Threat Report: Volume XV: 
> > April 2010".  My posting from last year was based on the previous "Internet Security Threat Report: Volume XIV: 
> > April 2009".  So I thought it would be interesting to check my numbers.  The new edition of the Threat Report is 
> > here:
> >
> > http://www4.symantec.com/Vrt/wl?tu_id=SUKX1271711282503126202
> >
> > You may recall that last year, the average annual growth rate of new threats (as defined by Symantec) was 243%.  
> > This enabled me to predict that the number of new threats in this year's Symantec Threat Report would be 243% of 
> > last years; eg. I predicted 9 months ago the number of new threats in this year's Symantec Threat Report would be 
> > 243% * 1656227, or 3840485.87.
> >
> > The actual number of new threats in this year's Symantec Threat Report is 2895802, an error on my part of 24.6%.
> >
> > This is quite a chunk, however it is not that far off.  My excuses:
> >
> > - my number was based on averages, so it will never be exact.  There will be a natural variance in the growth rate, 
> > caused by many factors.
> >
> > - in the new edition, Symantec have altered the raw data a little - the number of new threats for 2009, 2008, 2007 
> > etc is slightly different to those same years, as listed in the previous version of the report.  I have not updated 
> > my projection to allow for this.
> >
> > - Symantec note that "The slight decline in the rate of growth should not discount the significant number of new 
> > signatures created in 2009. Signature-based detection is lagging behind the creation of malicious threats..." (page 
> > 48).
> >
> > Am I retreating from my position?  Absolutely not.  I am now expecting the number of new threats in next years' 
> > report to be 7036798.86. This is 2895802 * 243%.  This includes the error introduced by Symantec's changes to the 
> > raw data.  I don't think it matters much.
> >
> > As this flood of new threats will soon overpower AV companies' 
> > ability to catalogue them (by 2015, at 243% growth, there will be
> > 2.739 MILLION new threats PER DAY (over 1900 new threats per minute)), and as Symantec admits above that 
> > "signature-based detection is lagging", and as Microsoft are not likely to produce a secure version of anything 
> > anytime soon, I am not at all hopeful of a clean resolution to this problem.
> >
> > I continue to advise that users should, where possible, deploy alternatives; that they should, if they have not 
> > already, create and action a migration strategy; and that they should avoid like the plague, any software which 
> > locks them into a Microsoft platform.  
> > Business .NET applications, I'm lookin' at you.
> >
> > Those failing to migrate will discover their hardware runs slower and slower, while doing the same job as it did 
> > previously.  They will need to take this productivity hit, OR buy a new computer, which will also eventually 
> > surcumb to the same increasing slowness.  They will need to buy new machines more and more frequently.  Eventually, 
> > they will run out of money - or, for the especially deep-pocketed, they will find they cannot deploy the new 
> > machines fast enough, before they are already too slow to use.  The only alternative to this treadmill is to dump 
> > Windows.  The sooner it is dumped, the less money is wasted buying new hardware, simply to keep up with security- 
> > induced slowness.
> >
> > Why spend all that time and money on a series of new Windows machines, without fixing the actual problem, which is 
> > the inherent insecurity of Windows?  People can spend the same time and money replacing Windows, and then they 
> > won't need to worry about the problem any more.  The difference is that sticking with Windows incurs ongoing and 
> > increasing costs, while a migration incurs a one- off cost.
> >
> > I don't think it takes a genius to see which approach will cost less.
> >
> > Notes:
> > - see page 10 of the Volume XIV (2009) edition, and page 48 of Volume XV (2010) edition, for the relevant stats
> >
> > - since my post of last year, I have also noticed a similar exponential curve in the number of threats detected by 
> > Spybot Search and Destroy (a popular anti-spyware tool). This curve can be seen
> > here:
> >
> > http://www.safer-networking.org/en/updatehistory/index.html
> >
> >  - my projection of growth rates up to 2016 (written last year) is
> > here:
> >
> > http://www.cyberdelix.net/files/malware_mutation_projection.pdf
> >
> > Comments welcome..
> >
> > Stu
> >
> > ---
> > Stuart Udall
> > stuart at () cyberdelix dot net - http://www.cyberdelix.net/
> >
> > ---
> >  * Origin: lsi: revolution through evolution (192:168/0.2)
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> ---
> Stuart Udall
> stuart at () cyberdelix dot net - http://www.cyberdelix.net/
>
> --- 
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/