Interesting People mailing list archives
] re Lauren Weinstein -- Microsoft's Police State Vision? Exec Calls for Internet "Driver's Licenses"
From: Dave Farber <dave () farber net>
Date: Sun, 14 Feb 2010 18:09:29 -0500
Begin forwarded message:
From: Rich Kulawiec <rsk () gsp org> Date: February 14, 2010 6:03:09 PM EST To: synthesis.law.and.technology () gmail comCc: Dave Farber <dave () farber net>, Lauren Weinstein <lauren () vortex com>, Valdis.Kletnieks () vt edu, Paul Ferguson <fergdawgster () gmail com > Subject: Re: [IP] re Lauren Weinstein -- Microsoft's Police State Vision? Exec Calls for Internet "Driver's Licenses"
On Tue, Feb 02, 2010 at 04:36:57PM -0500, Dave Farber quoted:That flag might work temporarily in the US but I suspect there would be considerably more inertia outside your national boundaries. Where it would run into problems would be when someone points out that this is creating a huge security problem with the potential for forged credentials.I think the phrase "potential for" should be replaced with "reality of".We are sitting on an Internet with *at least* a hundred million fully-compromised, fully-owned systems. Personally, I suspect that the number is closer to double that. Others have postulated still higher values. Whatever that number is, though, it's (a) big and (b) getting bigger. And there's no reason, at present,to suspect that the trend will reverse, because nobody's doing anything that appears to -- in any significant way -- to be an effective countermeasure.The new owners of those systems have unfettered access to ANY credentialspresent on or used on those systems. The overwhelming majorityof them are end-user systems, of course, but how many login or email orother access credentials does the average user have? A work email account? One for home? A freemail account? Some number of social networking accounts? How about banks? Utilities? Shopping sites? VPN for a client? I think very conservative estimates might be "5 email accounts" and "10 web sites". (In my own case: more like 40 and 200) All of those now belong (or will soon belong) to any attacker who wishes to avail themself of them. Those attackers *can*, if they wish, turn all of putative/former owners of those systems into three-strikes-and-you're-out pariahs. They can disable anti-malware programs. They can report every incoming mail message as spam, or they can send spam. They can upload child pornography to/from them, and set up unsuspecting users to be the next Julie Amero -- only much worse. They can launch DoS attacks. They can host DNS and HTTP services for dubious web sites. They can do anything they want with their very large, highly distributed, fault tolerant networks. And they are. As Valdis Kletnieks observed on the funsec list: Real driver's licenses only work because there aren't 140 million joy riders on the road every day, driving around with perfectlyforged licenses. Of course, [Craig] Mundie would like to gloss overhis company's role in that little detail. And that's the real irony of this: passive OS fingerprinting and other techniques indicate that almost all of those compromised systems are running Windows. As in "all but a handful in a million, and maybethose too". The zombie problem is awfully close to a Windows-only problem,it's most of a decade old, and Microsoft has yet to publicly take responsibility for it or lift a finger to do anything about it. Nobody there even wants to be in the same *room* with this problem,because it's not just a failure, it's THE all-time IT failure, they own it, and the price tag for fixing it is enormous even by their standards. [1]But once we get past the irony, here's the reality: if we take the conservative estimates (above) we arrive at a number of credentials in the neighborhood of 1.5 billion. If we use what I think are more realistic numbers: 5 billion. If we use some of the higher/outlier numbers: 10-20 billion.I suggest that it doesn't matter. All of those numbers are so enormousthat *any* of them are sufficient to put an instant stop to anything that presumes (a) end-user systems still belong to the people who think they own them and (b) email/web/etc. credentials still belong to the people who think they own them. And I haven't yet tossed in estimates for how more fabricated/forged sets of credentials exist:that is, how many sets have been created on behalf of the former ownersof those compromised systems, either in their names or with fictitious ones. [2] There is no practical limit to high how that number could become -- should The Bad Guys find some reason to make it so. So I would say to Mundie that *before* we could even consider having any kind of practical discussion about a "driver's license", before we even get into the myriad privacy issues and all the reasons why it might or might not be a good idea, his company needs to fix this problem. Because otherwise it's just so much utter nonsense: the Bad Guys have *already* completely defeated it. ---Rsk[1] Among many reasons why the price tag is so huge: this problem can't be fixed remotely, because the fix starts with "boot from known- clean media".[2] Note that "fictitious ones" can include other owners of compromisedof systems or non-owners.
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- ] re Lauren Weinstein -- Microsoft's Police State Vision? Exec Calls for Internet "Driver's Licenses" Dave Farber (Feb 14)