Interesting People mailing list archives
re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
From: Dave Farber <dave () farber net>
Date: Thu, 4 Mar 2010 13:04:26 -0500
Begin forwarded message:
From: Rich Kulawiec <rsk () gsp org>
Date: March 4, 2010 11:07:39 AM EST
To: David Farber <dave () farber net>
Cc: Richard Forno <rforno () infowarrior org>
Subject: Re: [IP] Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
This pitch neatly overlooks something very important, I think. We have a plethora of Internet security problems, and any reader of Dave Farber's IP or Richard Forno's Infowarrior list or Bruce Schneier's blog or Marcus Ranum's essays &etc. could enumerate many of them. However, the biggest problem we have, the one that dwarfs all others in terms of scale, scope, difficulty, etc. isn't really an Internet problem per se: it's a Microsoft Windows problem.

The zombie/bot problem has been epidemic for the better part of a decade, and continues to monotonically increase in size. It started with malware like Sobig:

Sobig.a and the Spam You Received Today
http://www.secureworks.com/research/threats/sobig

Sobig.e - Evolution of the Worm
http://www.secureworks.com/research/threats/sobig-e/

Sobig.f Examined
http://www.secureworks.com/research/threats/sobig-f

and then escalated as The Bad Guys developed ever-better code that (a) took over Windows systems and (b) provided the command-and-control necessary to organize them into botnets. They've gotten really good at this.

"How many systems?" remains an open question, but it's clearly somewhere above 100 million. (Which is the consensus estimate that some of us who work in the anti-spam arena came up with several years ago.) Other estimates have been tossed out as well: 250M, 140M, etc. Nobody knows for sure because the answer is unknowable -- a botnet member isn't visible until it does something bot-like to something that's listening for it -- but we can come up with reasonable lower bounds based on years of observations.

"How many botnets, and how large?" is another open question whose best current answers are probably "many" and "millions to tens of millions". For a recent example:

Mariposa Botnet beheaded
http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32

This article says "as many as 12.7 million poisoned PCs" but does not elaborate how that number was arrived at. (But suppose it's a 400% overestimate: that's still a sizable botnet. And suppose it's a 400% underestimate: yipes.)

Before anyone celebrates too much at this news: the takeaway from this article is that the C&C structure has been taken down...which means that there are now putatively 12.7 million pre-compromised systems out there waiting for the first person(s) who can conscript them into *their* botnet. (Any bets on how long that'll take? I've got a dollar that says "it's already history".)

"What are they running?" is one of the few questions that we have a decent answer to, and the answer is "Windows". We can use passive OS fingerprinting and other techniques to identify the likely OS on each zombie/bot that we see, and while we do from time to time see some that classify as "unknown" or "indeterminate" or "something other than Windows", they're quite rare. The numbers I've got from several years of doing this boil down to "a handful per million might not be Windows or might be Windows-behind-something-else".

So here's the executive summary: there are something in excess of 100M systems out there which no longer belong, in any real sense, to the people who think they own them. They are the playthings of the people running botnets, who have full access to every scrap of data on them, every set of credentials stored or used on them, and can do *anything* they want with them. All but a negligible number of them are running Windows. All the band-aids -- patching, AV, etc. -- aren't working. They're ubiquitous: desktops, laptops, cellphones, and servers across commercial, ISP, academic, and government environments. And there are more every day.

All of this has a tremendous ripple effect on everything else we're working on: anti-spam, anti-phishing, DoS attacks, identity theft, anti-forgery, data loss, MitM attacks, DNS forgery, etc. And while we occasionally see Microsoft doing something minor about it, e.g.:

Court order helps Microsoft tear down Waledac botnet
http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html

these actions are clearly calculated to generate positive PR for Microsoft, not to seriously address the problem. (Note that all this did, like the bust above, was attempt to cut out the C&C network. It does nothing to remediate the "hundreds of thousands of infected machines".)

This isn't just a security problem, it's THE security problem. And Microsoft owns it -- lock, stock and barrel.

Now here's an interesting exercise: go try to find a statement made by anyone at Microsoft in which they acknowledge this: that is, in which they provide a realistic assessment of the scale of the problem, take corporate responsibility for it, and explain what they're going to do to clean up their mess. Scott Charney didn't do that, as far as I can tell. He didn't talk about the 100M bots out there or how they're almost all running his company's operating system or how much this is costing us in anti-spam, anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't run Windows in our operations*. He didn't even come anywhere close to this. He just lumped all systems together, as if this was a systemic problem, not one almost entirely confined to Windows. And neither, as far as I can tell, has anyone else at Microsoft.

They don't even want to be in the same room with this issue because even for a company with their enormous financial and personnel resources, it's a staggering task (with an equally-staggering cost) to contemplate. And as long as everyone buys into the Microsoft PR, that we have "a generic Internet security problem" and not "a Microsoft Windows security problem", they won't have to.

---Rsk