Interesting People mailing list archives
re Microsoft exec: Infected PCs should be quarantined (Q&A) (Same Exec)
From: Dave Farber <dave () farber net>
Date: Thu, 4 Mar 2010 17:05:24 -0500
Begin forwarded message:
From: Rob Portil <BobPorter () theideasgroup com>
Date: March 4, 2010 4:26:26 PM EST
To: dave () farber net
Subject: Microsoft exec: Infected PCs should be quarantined (Q&A) (Same Exec)
Reply-To: Rob () OrbitalWeb com
Microsoft exec: Infected PCs should be quarantined (Q&A)

Same exec that was pitching the Internet Usage Tax

http://news.cnet.com/8301-27080_3-10462649-245.html?tag=mncol;posts

SAN FRANCISCO--In his keynote at the RSA security conference on Tuesday, Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, suggested that the security industry should follow the health care model of quarantining infected PCs to prevent them from being used to send spam and conduct denial-of-service attacks.

In a follow-up interview afterward, Charney elaborated on his vision for reducing the damage from botnets and explained how infected computers should be kept off the Internet just like doctors quarantine sick people and smokers are restricted as to where they can light up in public.

Q: So you teased us with references to a system of quarantining computers during your keynote but didn't provide details. Can you explain what you have in mind?

Scott Charney: When people get diseases and they run the risk of contaminating other people, the medical community has devised mechanisms to help ensure the public's health. It's a combination of inspection, quarantine, and treatment. I remember going to Asia during the SARS epidemic and as soon as I got off the plane they were standing there with these little guns that took your temperature as you got off the plane and if they registered that you had a temperature they would talk to you and if they thought you might have SARS they would quarantine you and treat you. We've done this with other kinds of illnesses over generations actually. In the enterprise in computers we do it today, we have Network Access Protection...The theory is if a machine is known to be infected do you want it to connect to the network and infect everyone else? Or do you want to clean the machine and then let it connect?

So, the concept isn't that complicated but the challenge is once you move into the consumer environment you raise a lot of interesting issues ….

Snip from: http://news.cnet.com/8301-27080_3-10462649-245.html?tag=mncol;posts

Rob Portil
Orbital Web
408-256-3630
Rob () OrbitalWeb com

From: Dave Farber [mailto:dave () farber net]
Sent: Thursday, March 04, 2010 10:04 AM
To: ip
Subject: [IP] re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley

Begin forwarded message:

From: Rich Kulawiec <rsk () gsp org>
Date: March 4, 2010 11:07:39 AM EST
To: David Farber <dave () farber net>
Cc: Richard Forno <rforno () infowarrior org>
Subject: Re: [IP] Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley

This pitch neatly overlooks something very important, I think. We have a plethora of Internet security problems, and any reader of Dave Farber's IP or Richard Forno's Infowarrior list or Bruce Schneier's blog or Marcus Ranum's essays &etc. could enumerate many of them. However, the biggest problem we have, the one that dwarfs all others in terms of scale, scope, difficulty, etc. isn't really an Internet problem per se: it's a Microsoft Windows problem.

The zombie/bot problem has been epidemic for the better part of a decade, and continues to monotonically increase in size. It started with malware like Sobig:

Sobig.a and the Spam You Received Today
http://www.secureworks.com/research/threats/sobig

Sobig.e - Evolution of the Worm
http://www.secureworks.com/research/threats/sobig-e/

Sobig.f Examined
http://www.secureworks.com/research/threats/sobig-f

and then escalated as The Bad Guys developed ever-better code that (a) took over Windows systems and (b) provided the command-and-control necessary to organize them into botnets. They've gotten really good at this.

"How many systems?" remains an open question, but it's clearly somewhere above 100 million. (Which is the consensus estimate that some of us who work in the anti-spam arena came up with several years ago.) Other estimates have been tossed out as well: 250M, 140M, etc. Nobody knows for sure because the answer is unknowable -- a botnet member isn't visible until it does something bot-like to something that's listening for it -- but we can come up with reasonable lower bounds based on years of observations.

"How many botnets, and how large?" is another open question whose best current answers are probably "many" and "millions to tens of millions". For a recent example:

Mariposa Botnet beheaded
http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32

This article says "as many as 12.7 million poisoned PCs" but does not elaborate how that number was arrived at. (But suppose it's a 400% overestimate: that's still a sizable botnet. And suppose it's a 400% underestimate: yipes.)

Before anyone celebrates too much at this news: the takeaway from this article is that the C&C structure has been taken down...which means that there are now putatively 12.7 million pre-compromised systems out there waiting for the first person(s) who can conscript them into *their* botnet. (Any bets on how long that'll take? I've got a dollar that says "it's already history".)

"What are they running?" is one of the few questions that we have a decent answer to, and the answer is "Windows". We can use passive OS fingerprinting and other techniques to identify the likely OS on each zombie/bot that we see, and while we do from time to time see some that classify as "unknown" or "indeterminate" or "something other than Windows", they're quite rare. The numbers I've got from several years of doing this boil down to "a handful per million might not be Windows or might be Windows-behind-something-else".

So here's the executive summary: there are something in excess of 100M systems out there which no longer belong, in any real sense, to the people who think they own them. They are the playthings of the people running botnets, who have full access to every scrap of data on them, every set of credentials stored or used on them, and can do *anything* they want with them. All but a negligible number of them are running Windows. All the band-aids -- patching, AV, etc. -- aren't working. They're ubiquitous: desktops, laptops, cellphones, and servers across commercial, ISP, academic, and government environments. And there are more every day.

All of this has a tremendous ripple effect on everything else we're working on: anti-spam, anti-phishing, DoS attacks, identity theft, anti-forgery, data loss, MitM attacks, DNS forgery, etc. And while we occasionally see Microsoft doing something minor about it, e.g.:

Court order helps Microsoft tear down Waledac botnet
http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html

these actions are clearly calculated to generate positive PR for Microsoft, not to seriously address the problem. (Note that all this did, like the bust above, was attempt to cut out the C&C network. It does nothing to remediate the "hundreds of thousands of infected machines".)

This isn't just a security problem, it's THE security problem. And Microsoft owns it -- lock, stock and barrel.

Now here's an interesting exercise: go try to find a statement made by anyone at Microsoft in which they acknowledge this: that is, in which they provide a realistic assessment of the scale of the problem, take corporate responsibility for it, and explain what they're going to do to clean up their mess. Scott Charney didn't do that, as far as I can tell. He didn't talk about the 100M bots out there or how they're almost all running his company's operating system or how much this is costing us in anti-spam, anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't run Windows in our operations*. He didn't even come anywhere close to this. He just lumped all systems together, as if this was a systemic problem, not one almost entirely confined to Windows.

And neither, as far as I can tell, has anyone else at Microsoft. They don't even want to be in the same room with this issue because even for a company with their enormous financial and personnel resources, it's a staggering task (with an equally-staggering cost) to contemplate. And as long as everyone buys into the Microsoft PR, that we have "a generic Internet security problem" and not "a Microsoft Windows security problem", they won't have to.

---Rsk