NNSquad - Network Neutrality Squad
[ NNSquad ] re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
----- Forwarded message from Dave Farber <dave@farber.net> -----
Date: Thu, 4 Mar 2010 13:43:46 -0500
From: Dave Farber <dave@farber.net>
Subject: [IP] re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>

Begin forwarded message:

> From: "David P. Reed" <dpreed@reed.com>
> Date: March 4, 2010 1:32:14 PM EST
> To: dave@farber.net
> Cc: ip <ip@v2.listbox.com>
> Subject: Re: [IP] re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
>
> Let's agree: botnets are big and scary.
>
> Let's also agree - MSFT dominates the end user operating system market.
>
> Given this, why would any botnet builder expend effort to build a "multiplatform" botnet? The dominance of the market by Microsoft *ensures* that any serious botnet builder will target Microsoft's bugs and not Apple's bugs. Any serious phisher will target Internet Explorer users, and not Safari users, to the extent that Safari requires different code.
>
> Trying to blame Microsoft for the problem is the kind of knee-jerk thinking that I predicted in my previous email. Worse, trying to pillory Scott Charney, who is hardly an apologist for the weaknesses in Microsoft's design, is counterproductive.
>
> I have not been a great fan of Microsoft (that's an understatement, if you know anything about how I spent about 10% of my time in the years from 1992 to about 2001, but I can't discuss it further).
>
> But being a grownup about computing security, it is shocking to me that so many are blind to the *fact* that the same class of vulnerabilities exists far outside the Microsoft realm, in Linux, OS X, embedded operating systems, etc. The relative lack of comparative levels of exploitation in those environments proves nothing about their "strength". It is mostly evidence of a well-known phenomenon: attack the place with the most return for the least effort. And "most return" is at least as important as "least effort".
>
> On 03/04/2010 01:04 PM, Dave Farber wrote:
>>
>> Begin forwarded message:
>>
>>> From: Rich Kulawiec <rsk@gsp.org>
>>> Date: March 4, 2010 11:07:39 AM EST
>>> To: David Farber <dave@farber.net>
>>> Cc: Richard Forno <rforno@infowarrior.org>
>>> Subject: Re: [IP] Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
>>>
>>> This pitch neatly overlooks something very important, I think.
>>>
>>> We have a plethora of Internet security problems, and any reader of Dave Farber's IP or Richard Forno's Infowarrior list or Bruce Schneier's blog or Marcus Ranum's essays etc. could enumerate many of them.
>>>
>>> However, the biggest problem we have, the one that dwarfs all others in terms of scale, scope, difficulty, etc. isn't really an Internet problem per se: it's a Microsoft Windows problem.
>>>
>>> The zombie/bot problem has been epidemic for the better part of a decade, and continues to monotonically increase in size. It started with malware like Sobig:
>>>
>>> Sobig.a and the Spam You Received Today
>>> http://www.secureworks.com/research/threats/sobig
>>>
>>> Sobig.e - Evolution of the Worm
>>> http://www.secureworks.com/research/threats/sobig-e/
>>>
>>> Sobig.f Examined
>>> http://www.secureworks.com/research/threats/sobig-f
>>>
>>> and then escalated as The Bad Guys developed ever-better code that (a) took over Windows systems and (b) provided the command-and-control necessary to organize them into botnets. They've gotten really good at this.
>>>
>>> "How many systems?" remains an open question, but it's clearly somewhere above 100 million. (Which is the consensus estimate that some of us who work in the anti-spam arena came up with several years ago.) Other estimates have been tossed out as well: 250M, 140M, etc. Nobody knows for sure because the answer is unknowable -- a botnet member isn't visible until it does something bot-like to something that's listening for it -- but we can come up with reasonable lower bounds based on years of observations.
>>>
>>> "How many botnets, and how large?" is another open question whose best current answers are probably "many" and "millions to tens of millions". For a recent example:
>>>
>>> Mariposa Botnet beheaded
>>> http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32
>>>
>>> This article says "as many as 12.7 million poisoned PCs" but does not elaborate how that number was arrived at. (But suppose it's a 400% overestimate: that's still a sizable botnet. And suppose it's a 400% underestimate: yipes.)
>>>
>>> Before anyone celebrates too much at this news: the takeaway from this article is that the C&C structure has been taken down...which means that there are now putatively 12.7 million pre-compromised systems out there waiting for the first person(s) who can conscript them into *their* botnet. (Any bets on how long that'll take? I've got a dollar that says "it's already history".)
>>>
>>> "What are they running?" is one of the few questions that we have a decent answer to, and the answer is "Windows". We can use passive OS fingerprinting and other techniques to identify the likely OS on each zombie/bot that we see, and while we do from time to time see some that classify as "unknown" or "indeterminate" or "something other than Windows", they're quite rare. The numbers I've got from several years of doing this boil down to "a handful per million might not be Windows or might be Windows-behind-something-else".
>>>
>>> So here's the executive summary: there are something in excess of 100M systems out there which no longer belong, in any real sense, to the people who think they own them. They are the playthings of the people running botnets, who have full access to every scrap of data on them, every set of credentials stored or used on them, and can do *anything* they want with them. All but a negligible number of them are running Windows. All the band-aids -- patching, AV, etc. -- aren't working. They're ubiquitous: desktops, laptops, cellphones, and servers across commercial, ISP, academic, and government environments.
>>>
>>> And there are more every day.
>>>
>>> All of this has a tremendous ripple effect on everything else we're working on: anti-spam, anti-phishing, DoS attacks, identity theft, anti-forgery, data loss, MitM attacks, DNS forgery, etc.
>>>
>>> And while we occasionally see Microsoft doing something minor about it, e.g.:
>>>
>>> Court order helps Microsoft tear down Waledac botnet
>>> http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html
>>>
>>> these actions are clearly calculated to generate positive PR for Microsoft, not to seriously address the problem. (Note that all this did, like the bust above, was attempt to cut out the C&C network. It does nothing to remediate the "hundreds of thousands of infected machines".)
>>>
>>> This isn't just a security problem, it's THE security problem. And Microsoft owns it -- lock, stock and barrel.
>>>
>>> Now here's an interesting exercise: go try to find a statement made by anyone at Microsoft in which they acknowledge this: that is, in which they provide a realistic assessment of the scale of the problem, take corporate responsibility for it, and explain what they're going to do to clean up their mess.
>>>
>>> Scott Charney didn't do that, as far as I can tell. He didn't talk about the 100M bots out there or how they're almost all running his company's operating system or how much this is costing us in anti-spam, anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't run Windows in our operations*. He didn't even come anywhere close to this. He just lumped all systems together, as if this was a systemic problem, not one almost entirely confined to Windows.
>>>
>>> And neither, as far as I can tell, has anyone else at Microsoft. They don't even want to be in the same room with this issue because even for a company with their enormous financial and personnel resources, it's a staggering task (with an equally-staggering cost) to contemplate.
>>>
>>> And as long as everyone buys into the Microsoft PR, that we have "a generic Internet security problem" and not "a Microsoft Windows security problem", they won't have to.
>>>
>>> ---Rsk

----- End forwarded message -----
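Rich Kulawiec's "What are they running?" paragraph rests on passive OS fingerprinting of the bots that hit spam traps and sinkholes. The block below is an added example, not code from either post or from any fingerprinting tool they might have used: it applies the basic p0f-style heuristic (round the observed TTL up to a common initial TTL, then match initial TTL, SYN window size and DF bit against a signature table) over a constructed set of SYN observations, and tallies how many come out as Windows, "indeterminate" or "unknown". The signature table is an assumed, deliberately small subset; real classification also needs the TCP option layout, MSS and window-scale values, and the sample addresses and TTLs are made up.

```python
"""Passive OS fingerprinting over a constructed sample of bot SYNs.

Added example, not the original posts' code nor p0f's database. The
signature table is an assumed, simplified subset of the kind of TCP SYN
heuristics passive fingerprinting tools use; it is illustrative only.
"""
from collections import Counter
from dataclasses import dataclass

# Initial TTLs that common IP stacks start from. The observed TTL has been
# decremented once per hop, so we round it up to the next value in this list.
INITIAL_TTLS = (32, 64, 128, 255)

# Assumed signatures: (initial TTL, SYN window size, DF bit set) -> label.
SIGNATURES = [
    (128, 65535, True, "Windows XP/2003"),
    (128, 64240, True, "Windows XP/2003"),
    (128, 8192, True, "Windows Vista/7"),
    (64, 5840, True, "Linux 2.4/2.6"),
    (64, 65535, True, "FreeBSD/OS X"),
]


@dataclass(frozen=True)
class SynObservation:
    src: str        # source address as logged by the sinkhole
    ttl: int        # IP TTL as seen at the observer
    window: int     # TCP window size advertised in the SYN
    df: bool        # IP "don't fragment" flag


def guess_initial_ttl(observed_ttl):
    """Smallest common initial TTL >= observed TTL, or None if out of range."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return None


def hop_distance(observed_ttl):
    """Estimated hop count between sender and observer, or None."""
    init = guess_initial_ttl(observed_ttl)
    return None if init is None else init - observed_ttl


def classify(obs):
    """Return an OS family label, 'indeterminate', or 'unknown'."""
    init = guess_initial_ttl(obs.ttl)
    if init is None or obs.ttl <= 0:
        return "unknown"            # malformed or out-of-range TTL
    matches = {label for ttl, win, df, label in SIGNATURES
               if ttl == init and win == obs.window and df == obs.df}
    if len(matches) != 1:
        # No signature, or several: report rather than guess. This is the
        # bucket the "handful per million" non-Windows hosts fall into.
        return "indeterminate"
    return matches.pop()


def windows_share(observations):
    """Tally labels; return (Counter, fraction classified as Windows)."""
    counts = Counter(classify(o) for o in observations)
    total = sum(counts.values())
    windows = sum(n for label, n in counts.items() if label.startswith("Windows"))
    return counts, (windows / total if total else 0.0)


# Constructed sample (documentation-range addresses, invented TTLs/windows).
SAMPLE = [
    SynObservation("198.51.100.10", 116, 65535, True),   # XP, 12 hops away
    SynObservation("198.51.100.11", 121, 64240, True),   # XP, 7 hops away
    SynObservation("198.51.100.12", 119, 8192, True),    # Vista/7
    SynObservation("198.51.100.13", 115, 65535, True),   # XP
    SynObservation("198.51.100.14", 52, 5840, True),     # Linux
    SynObservation("198.51.100.15", 110, 4096, False),   # no match: indeterminate
    SynObservation("198.51.100.16", 0, 65535, True),     # bad TTL: unknown
]

if __name__ == "__main__":
    counts, share = windows_share(SAMPLE)
    for label, n in sorted(counts.items()):
        print(f"{label:18s} {n}")
    print(f"Windows share: {share:.1%}")
```

On this sample four of seven hosts classify as Windows, one as Linux, and two land in the indeterminate/unknown buckets; on real traffic the TTL heuristic alone is easily fooled by NAT or proxies, which is why the post hedges with "Windows-behind-something-else".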