Interesting People mailing list archives
re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
From: Dave Farber <dave () farber net>
Date: Thu, 4 Mar 2010 13:43:46 -0500
Begin forwarded message:
From: "David P. Reed" <dpreed () reed com>
Date: March 4, 2010 1:32:14 PM EST
To: dave () farber net
Cc: ip <ip () v2 listbox com>
Subject: Re: [IP] re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
Let's agree: botnets are big and scary. Let's also agree - MSFT dominates the end user operating system market.

Given this, why would any botnet builder expend effort to build a "multiplatform" botnet? The dominance of the market by Microsoft *ensures* that any serious botnet builder will target Microsoft's bugs and not Apple's bugs. Any serious phisher will target Internet Explorer users, and not Safari users, to the extent that Safari requires different code.

Trying to blame Microsoft for the problem is the kind of knee-jerk thinking that I predicted in my previous email. Worse, trying to pillory Scott Charney, who is hardly an apologist for the weaknesses in Microsoft's design, is counterproductive.

I have not been a great fan of Microsoft (that's understatement, if you know anything about how I spent about 10% of my time in the years from 1992 to about 2001, but I can't discuss it further).

But being a grownup about computing security, it is shocking to me that so many are blind to the *fact* that the same class of vulnerabilities exist far outside the Microsoft realm, in Linux, OSX, embedded operating systems, etc. The relative lack of comparative levels of exploitation in those environments proves nothing about their "strength". It is mostly evidence of a well-known phenomenon: attack the place with the most return for the least effort. And "most return" is at least as important as "least effort".

On 03/04/2010 01:04 PM, Dave Farber wrote:

Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: March 4, 2010 11:07:39 AM EST
To: David Farber <dave () farber net>
Cc: Richard Forno <rforno () infowarrior org>
Subject: Re: [IP] Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley

This pitch neatly overlooks something very important, I think.
We have a plethora of Internet security problems, and any reader of Dave Farber's IP or Richard Forno's Infowarrior list or Bruce Schneier's blog or Marcus Ranum's essays &etc. could enumerate many of them. However, the biggest problem we have, the one that dwarfs all others in terms of scale, scope, difficulty, etc. isn't really an Internet problem per se: it's a Microsoft Windows problem.

The zombie/bot problem has been epidemic for the better part of a decade, and continues to monotonically increase in size. It started with malware like Sobig:

Sobig.a and the Spam You Received Today
http://www.secureworks.com/research/threats/sobig

Sobig.e - Evolution of the Worm
http://www.secureworks.com/research/threats/sobig-e/

Sobig.f Examined
http://www.secureworks.com/research/threats/sobig-f

and then escalated as The Bad Guys developed ever-better code that (a) took over Windows systems and (b) provided the command-and-control necessary to organize them into botnets. They've gotten really good at this.

"How many systems?" remains an open question, but it's clearly somewhere above 100 million. (Which is the consensus estimate that some of us who work in the anti-spam arena came up with several years ago.) Other estimates have been tossed out as well: 250M, 140M, etc. Nobody knows for sure because the answer is unknowable -- a botnet member isn't visible until it does something bot-like to something that's listening for it -- but we can come up with reasonable lower bounds based on years of observations.

"How many botnets, and how large?" is another open question whose best current answers are probably "many" and "millions to tens of millions". For a recent example:

Mariposa Botnet beheaded
http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32

This article says "as many as 12.7 million poisoned PCs" but does not elaborate how that number was arrived at. (But suppose it's a 400% overestimate: that's still a sizable botnet. And suppose it's a 400% underestimate: yipes.)

Before anyone celebrates too much at this news: the takeaway from this article is that the C&C structure has been taken down...which means that there are now putatively 12.7 million pre-compromised systems out there waiting for the first person(s) who can conscript them into *their* botnet. (Any bets on how long that'll take? I've got a dollar that says "it's already history".)

"What are they running?" is one of the few questions that we have a decent answer to, and the answer is "Windows". We can use passive OS fingerprinting and other techniques to identify the likely OS on each zombie/bot that we see, and while we do from time to time see some that classify as "unknown" or "indeterminate" or "something other than Windows", they're quite rare. The numbers I've got from several years of doing this boil down to "a handful per million might not be Windows or might be Windows-behind-something-else".

So here's the executive summary: there are something in excess of 100M systems out there which no longer belong, in any real sense, to the people who think they own them. They are the playthings of the people running botnets, who have full access to every scrap of data on them, every set of credentials stored or used on them, and can do *anything* they want with them. All but a negligible number of them are running Windows. All the band-aids -- patching, AV, etc. -- aren't working. They're ubiquitous: desktops, laptops, cellphones, and servers across commercial, ISP, academic, and government environments. And there are more every day. All of this has a tremendous ripple effect on everything else we're working on: anti-spam, anti-phishing, DoS attacks, identity theft, anti-forgery, data loss, MitM attacks, DNS forgery, etc.

And while we occasionally see Microsoft doing something minor about it, e.g.:

Court order helps Microsoft tear down Waledac botnet
http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html

these actions are clearly calculated to generate positive PR for Microsoft, not to seriously address the problem. (Note that all this did, like the bust above, was attempt to cut out the C&C network. It does nothing to remediate the "hundreds of thousands of infected machines".)

This isn't just a security problem, it's THE security problem. And Microsoft owns it -- lock, stock and barrel.

Now here's an interesting exercise: go try to find a statement made by anyone at Microsoft in which they acknowledge this: that is, in which they provide a realistic assessment of the scale of the problem, take corporate responsibility for it, and explain what they're going to do to clean up their mess.

Scott Charney didn't do that, as far as I can tell. He didn't talk about the 100M bots out there or how they're almost all running his company's operating system or how much this is costing us in anti-spam, anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't run Windows in our operations*. He didn't even come anywhere close to this. He just lumped all systems together, as if this was a systemic problem, not one almost entirely confined to Windows.

And neither, as far as I can tell, has anyone else at Microsoft. They don't even want to be in the same room with this issue because even for a company with their enormous financial and personnel resources, it's a staggering task (with an equally-staggering cost) to contemplate. And as long as everyone buys into the Microsoft PR, that we have "a generic Internet security problem" and not "a Microsoft Windows security problem", they won't have to.

---Rsk
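Rich Kulawiec's message above rests on passive OS fingerprinting to decide what each observed bot is running, and notes that some sources come out "unknown", "indeterminate" or "Windows-behind-something-else". The following is an added example, not code from the list or from any poster, showing the core of that technique in the style of p0f: round an observed TTL up to a plausible initial TTL, compare the SYN's TCP option order against a signature table, and refuse to guess when the two disagree. The sample SYN records, the two-entry signature table and the `classify`/`summarize` helpers are all constructed for illustration; a real fingerprint database carries many more fields (window size, MSS, window scale, quirks) and entries.

```python
"""Passive OS fingerprinting of SYN observations, p0f-style (added example)."""
from collections import Counter

# Constructed sample SYN observations, not real telemetry:
# (source IP, observed IP TTL, TCP option order on the SYN).
# Option letters follow the p0f convention: M = MSS, N = NOP, W = window scale,
# S = SACK-permitted, T = timestamps.
SAMPLE_SYNS = [
    ("198.51.100.7",  115, "M,N,W,N,N,S"),  # Windows-style options, TTL base 128
    ("198.51.100.22", 120, "M,N,W,N,N,S"),
    ("203.0.113.5",   52,  "M,S,T,N,W"),    # Linux-style options, TTL base 64
    ("203.0.113.90",  241, "M,N,W,N,N,S"),  # TTL base 255 but Windows-style options
    ("192.0.2.33",    128, ""),             # TTL base 128, no options to confirm it
    ("192.0.2.77",    29,  "M,W"),          # matches nothing in the table
]

# Common initial TTL values; a host N routers away shows initial_ttl - N.
INITIAL_TTLS = (32, 64, 128, 255)

# Simplified signature table: (label, initial TTL, SYN option order).
# Assumption: an illustrative subset only; real tools match far more fields.
SIGNATURES = (
    ("Windows", 128, "M,N,W,N,N,S"),
    ("Linux",   64,  "M,S,T,N,W"),
)


def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for base in INITIAL_TTLS:
        if observed_ttl <= base:
            return base
    return 255


def hop_distance(observed_ttl):
    """Estimated number of routers between the sensor and the sender."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


def classify(observed_ttl, options):
    """Return "Windows", "Linux", "indeterminate" (partial match) or "unknown"."""
    base = guess_initial_ttl(observed_ttl)
    ttl_hits = {label for label, sig_ttl, _ in SIGNATURES if base == sig_ttl}
    opt_hits = {label for label, _, sig_opts in SIGNATURES if options == sig_opts}
    both = ttl_hits & opt_hits
    if len(both) == 1:
        return both.pop()
    if ttl_hits or opt_hits:
        # One field points at an OS but the other disagrees or is missing.
        # This is where NAT, TTL-rewriting middleboxes and stripped options
        # land, so refuse to guess rather than inflate one bucket.
        return "indeterminate"
    return "unknown"


def summarize(records):
    """Count classifications; also return Windows' share of confident labels."""
    counts = Counter(classify(ttl, opts) for _, ttl, opts in records)
    confident = counts["Windows"] + counts["Linux"]
    share = counts["Windows"] / confident if confident else 0.0
    return counts, share


if __name__ == "__main__":
    for src, ttl, opts in SAMPLE_SYNS:
        print(f"{src:15} ttl={ttl:3} hops~{hop_distance(ttl):2} -> {classify(ttl, opts)}")
    counts, share = summarize(SAMPLE_SYNS)
    print(dict(counts), f"Windows share of confident labels: {share:.0%}")
```

The point of keeping "indeterminate" separate from "unknown" is the one the message makes: a source whose TTL says one thing and whose options say another is not evidence for either OS, and folding it into the Windows bucket would overstate the count the estimate is built on.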