re Microsoft exec: Infected PCs should be quarantined (Q&A) (Same Exec)

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: Rob Portil <BobPorter () theideasgroup com>
> Date: March 4, 2010 4:26:26 PM EST
> To: dave () farber net
> Subject: Microsoft exec: Infected PCs should be quarantined (Q&A)  
> (Same Exec)
> Reply-To: Rob () OrbitalWeb com

> Microsoft exec: Infected PCs should be quarantined (Q&A)
>
> Same exec that was pitching the Internet Usage Tax
>
>
>
> http://news.cnet.com/8301-27080_3-10462649-245.html?tag=mncol;posts
>
>
>
> SAN FRANCISCO--In his keynote at the RSA security conference on  
> Tuesday, Scott Charney, Microsoft's corporate vice president of  
> Trustworthy Computing, suggested that the security industry should  
> follow the health care model of quarantining infected PCs to prevent  
> them from being used to send spam and conduct denial-of-service  
> attacks.
>
> In a follow-up interview afterward, Charney elaborated on his vision  
> for reducing the damage from botnets and explains how infected  
> computers should be kept off the Internet just like doctors  
> quarantine sick people and smokers are restricted as to where they  
> can light up in public.
>
> Q: So you teased us with references to a system of quarantining  
> computers during your keynote but didn't provide details. Can you  
> explain what you have in mind?
> Scott Charney: When people get diseases and they run the risk of  
> contaminating other people the medical community has devised  
> mechanisms to help ensure the public's health. It's a combination of  
> inspection, quarantine, and treatment. I remember going to Asia  
> during the SARS epidemic and as soon as I got off the plane they  
> were standing there with these little guns that took your  
> temperature as you got off the plane and if they registered that you  
> had a temperature they would talk to you and if they thought you  
> might have SARS they would quarantine you and treat you. We've done  
> this with other kinds of illnesses over generations actually. In the  
> enterprise in computers we do it today, we have Network Access  
> Protection...The theory is if a machine is known to be infected do  
> you want it to connect to the network and infect everyone else? Or  
> do you want to clean the machine and then let it connect? So, the  
> concept isn't that complicated but the challenge is once you move  
> into the consumer environment you raise a lot of interesting issues 
> ….
>
> Snip from:
>
> http://news.cnet.com/8301-27080_3-10462649-245.html?tag=mncol;posts
>
>
>
> Rob Portil
>
> Orbital Web
>
> 408-256-3630
>
> Rob () OrbitalWeb com
>
>
>
>
>
>
>
>
>
> From: Dave Farber [mailto:dave () farber net]
> Sent: Thursday, March 04, 2010 10:04 AM
> To: ip
> Subject: [IP] re Microsoft exec pitches Internet usage tax to pay  
> for cybersecurity programs - The Hill's Hillicon Valley
>
>
>
>
>
>
>
> Begin forwarded message:
>
> From: Rich Kulawiec <rsk () gsp org>
> Date: March 4, 2010 11:07:39 AM EST
> To: David Farber <dave () farber net>
> Cc: Richard Forno <rforno () infowarrior org>
> Subject: Re: [IP] Microsoft exec pitches Internet usage tax to pay  
> for cybersecurity programs - The Hill's Hillicon Valley
>
>
> This pitch neatly overlooks something very important, I think.
>
> We have a plethora of Internet security problems, and any reader of
> Dave Farber's IP or Richard Forno's Infowarrior list or Bruce  
> Schneier's
> blog or Marcus Ranum's essays &etc. could enumerate many of them.
>
> However, the biggest problem we have, the one that dwarfs all others
> in terms of scale, scope, difficulty, etc. isn't really an Internet
> problem per se: it's a Microsoft Windows problem.
>
> The zombie/bot problem has been epidemic for the better part of a  
> decade,
> and continue to monotonically increase is size.  It started with  
> malware
> like Sobig:
>
>    Sobig.a and the Spam You Received Today
>    http://www.secureworks.com/research/threats/sobig
>
>    Sobig.e - Evolution of the Worm
>    http://www.secureworks.com/research/threats/sobig-e/
>
>    Sobig.f Examined
>    http://www.secureworks.com/research/threats/sobig-f
>
> and then escalated as The Bad Guys developed ever-better code that
> (a) took over Windows systems and (b) provided the command-and-control
> necessary to organize them into botnets.  They've gotten really good
> at this.
>
> "How many systems?" remains an open question, but it's clearly  
> somewhere
> above 100 million.  (Which is the consensus estimate that some of us  
> who
> work in the anti-spam arena came up with several years ago.)  Other  
> estimates
> have been tossed out as well: 250M, 140M, etc.  Nobody knows for  
> sure because
> the answer is unknowable -- a botnet member isn't visible until it  
> does
> something bot-like to something that's listening for it -- but we can
> come up with reasonable lower bounds based on years of observations.
>
> "How many botnets, and how large?" is another open question whose best
> current answers are probably "many" and "millions to tens of  
> millions".
> For a recent example:
>
>    Mariposa Botnet beheaded
>    
> http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32
>
> This articles says "as many as 12.7 million poisoned PCs" but does not
> elaborate how that number was arrived at.  (But suppose it's a 400%
> overestimate: that's still a sizable botnet.  And suppose it's a 400%
> underestimate: yipes.)
>
> Before anyone celebrates too much at this news: the takeaway from this
> article is that the C&C structure has been taken down...which means  
> that
> there are now putatively 12.7 million pre-compromised systems out  
> there
> waiting for the first person(s) who can conscript them into *their*  
> botnet.
> (Any bets on how long that'll take?  I've got a dollar that says "it's
> already history".)
>
> "What are they running?" is one of the few questions that we have a
> decent answer to, and the answer is "Windows".  We can use passive
> OS fingerprinting and other techniques to identify the likely OS on
> each zombie/bot that we see, and while we do from time to time see
> some that classify as "unknown" or "indeterminate" or "something
> other than Windows", they're quite rare.  The numbers I've got from
> several years of doing this boil down to "a handful per million might
> not be Windows or might be Windows-behind-something-else".
>
> So here's the executive summary: there are something in excess of 100M
> systems out there which no longer belong, in any real sense, to the
> people who think they own them.  They are the playthings of the people
> running botnets, who have full access to every scrap of data on them,
> every set of credentials stored or used on them, and can do *anything*
> they want with them.  All but a negligible number of them are running
> Windows.  All the band-aids -- patching, AV, etc. -- aren't working.
> They're ubiquitous: desktops, laptops, cellphones, and servers across
> commercial, ISP, academic, and government environments.
>
> And there are more every day.
>
> All of this has a tremendous ripple effect on everything else we're
> working on: anti-spam, anti-phishing, DoS attacks, identity theft,
> anti-forgery, data loss, MitM attacks, DNS forgery, etc.
>
> And while we occasionally see Microsoft doing something minor
> about it, e.g.:
>
>    Court order helps Microsoft tear down Waledac botnet
>    http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html
>
> these actions are clearly calculated to generate positive PR for
> Microsoft, not to seriously address the problem.  (Note that all this
> did, like the bust above, was attempt to cut out the C&C network.   
> It does
> nothing to remediate the "hundreds of thousands of infected  
> machines".)
>
> This isn't just a security problem, it's THE security problem.
> And Microsoft owns it -- lock, stock and barrel.
>
> Now here's an interesting exercise: go try to find a statement made by
> anyone at Microsoft in which they acknowledge this: that is, in which
> they provide a realistic assessment of the scale of the problem, take
> corporate responsibility for it, and explain what they're going to do
> to clean up their mess.
>
> Scott Charney didn't do that, as far as I can tell.  He didn't talk
> about the 100M bots out there or how they're almost all running his
> company's operating system or how much this is costing us in anti- 
> spam,
> anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't  
> run
> Windows in our operations*.  He didn't even come anywhere close to  
> this.
> He just lumped all systems together, as if this was a systemic  
> problem,
> not one almost entirely confined to Windows.
>
> And neither, as far as I can tell, has anyone else at Microsoft. They
> don't even want to be in the same room with this issue because even
> for a company with their enormous financial and personnel resources,
> it's a staggering task (with an equally-staggering cost) to  
> contemplate.
>
> And as long as everyone buys into the Microsoft PR, that we have
> "a generic Internet security problem" and not "a Microsoft Windows
> security problem", they won't have to.
>
> ---Rsk
>
>
> Archives



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com