] re Lauren Weinstein -- Microsoft's Police State Vision? Exec Calls for Internet "Driver's Licenses"

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Rich Kulawiec <rsk () gsp org>
> Date: February 14, 2010 6:03:09 PM EST
> To: synthesis.law.and.technology () gmail com
> Cc: Dave Farber <dave () farber net>, Lauren Weinstein  
> <lauren () vortex com>, Valdis.Kletnieks () vt edu, Paul Ferguson <fergdawgster () gmail com 
> >
> Subject: Re: [IP] re Lauren Weinstein -- Microsoft's Police State  
> Vision? Exec Calls for Internet "Driver's Licenses"

> On Tue, Feb 02, 2010 at 04:36:57PM -0500, Dave Farber quoted:
> > That flag might work temporarily in the US but I suspect there
> > would be considerably more inertia outside your national
> > boundaries.  Where it would run into problems would be when
> > someone points out that this is creating a huge security problem
> > with the potential for forged credentials.
>
> I think the phrase "potential for" should be replaced with "reality  
> of".
>
> We are sitting on an Internet with *at least* a hundred million
> fully-compromised, fully-owned systems.  Personally, I suspect
> that the number is closer to double that.  Others have postulated
> still higher values.  Whatever that number is, though, it's
> (a) big and (b) getting bigger.  And there's no reason, at present,
> to suspect that the trend will reverse, because nobody's doing  
> anything that
> appears to -- in any significant way -- to be an effective  
> countermeasure.
>
> The new owners of those systems have unfettered access to ANY  
> credentials
> present on or used on those systems.  The overwhelming majority
> of them are end-user systems, of course, but how many login or email  
> or
> other access credentials does the average user have?  A work email
> account?  One for home?  A freemail account?  Some number of social
> networking accounts?  How about banks?  Utilities?  Shopping sites?
> VPN for a client?
>
> I think very conservative estimates might be "5 email accounts"
> and "10 web sites".  (In my own case: more like 40 and 200)
>
> All of those now belong (or will soon belong) to any attacker who
> wishes to avail themself of them.  Those attackers *can*, if they
> wish, turn all of putative/former owners of those systems into
> three-strikes-and-you're-out pariahs.  They can disable anti-malware
> programs.  They can report every incoming mail message as spam,
> or they can send spam.  They can upload child pornography to/from
> them, and set up unsuspecting users to be the next Julie Amero -- only
> much worse.  They can launch DoS attacks.  They can host DNS and HTTP
> services for dubious web sites.  They can do anything they want with
> their very large, highly distributed, fault tolerant networks.
>
> And they are.
>
> As Valdis Kletnieks observed on the funsec list:
>
>    Real driver's licenses only work because there aren't 140 million
>    joy riders on the road every day, driving around with perfectly
>    forged licenses.  Of course, [Craig] Mundie would like to gloss  
> over
>    his company's role in that little detail.
>
> And that's the real irony of this: passive OS fingerprinting and other
> techniques indicate that almost all of those compromised systems are
> running Windows.  As in "all but a handful in a million, and maybe
> those too".  The zombie problem is awfully close to a Windows-only  
> problem,
> it's most of a decade old, and Microsoft has yet to publicly take
> responsibility for it or lift a finger to do anything about it.
> Nobody there even wants to be in the same *room* with this problem,
> because it's not just a failure, it's THE all-time IT failure, they  
> own it,
> and the price tag for fixing it is enormous even by their standards.  
> [1]
>
> But once we get past the irony, here's the reality: if we take the
> conservative estimates (above) we arrive at a number of credentials
> in the neighborhood of 1.5 billion.  If we use what I think are more
> realistic numbers: 5 billion.  If we use some of the higher/outlier
> numbers: 10-20 billion.
>
> I suggest that it doesn't matter.  All of those numbers are so  
> enormous
> that *any* of them are sufficient to put an instant stop to anything
> that presumes (a) end-user systems still belong to the people who
> think they own them and (b) email/web/etc. credentials still belong
> to the people who think they own them.  And I haven't yet tossed in
> estimates for how more fabricated/forged sets of credentials exist:
> that is, how many sets have been created on behalf of the former  
> owners
> of those compromised systems, either in their names or with fictitious
> ones. [2]  There is no practical limit to high how that number could
> become -- should The Bad Guys find some reason to make it so.
>
> So I would say to Mundie that *before* we could even consider having
> any kind of practical discussion about a "driver's license", before
> we even get into the myriad privacy issues and all the reasons why
> it might or might not be a good idea, his company needs to fix this
> problem.  Because otherwise it's just so much utter nonsense:
> the Bad Guys have *already* completely defeated it.
>
> ---Rsk
>
> [1] Among many reasons why the price tag is so huge: this problem  
> can't
> be fixed remotely, because the fix starts with "boot from known- 
> clean media".
>
> [2] Note that "fictitious ones" can include other owners of  
> compromised
> of systems or non-owners.



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com