NNSquad - Network Neutrality Squad
[ NNSquad ] re Microsoft exec: Infected PCs should be quarantined (Q&A) (Same Exec)
----- Forwarded message from Dave Farber <dave@farber.net> -----

Date: Thu, 4 Mar 2010 17:05:24 -0500
From: Dave Farber <dave@farber.net>
Subject: [IP] re Microsoft exec: Infected PCs should be quarantined (Q&A) (Same Exec)
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>

Begin forwarded message:

> From: Rob Portil <BobPorter@theideasgroup.com>
> Date: March 4, 2010 4:26:26 PM EST
> To: dave@farber.net
> Subject: Microsoft exec: Infected PCs should be quarantined (Q&A) (Same Exec)
> Reply-To: Rob@OrbitalWeb.com
>
> Microsoft exec: Infected PCs should be quarantined (Q&A)
>
> Same exec that was pitching the Internet Usage Tax
>
> http://news.cnet.com/8301-27080_3-10462649-245.html?tag=mncol;posts
>
> SAN FRANCISCO--In his keynote at the RSA security conference on Tuesday, Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, suggested that the security industry should follow the health care model of quarantining infected PCs to prevent them from being used to send spam and conduct denial-of-service attacks.
>
> In a follow-up interview afterward, Charney elaborated on his vision for reducing the damage from botnets and explained how infected computers should be kept off the Internet just like doctors quarantine sick people and smokers are restricted as to where they can light up in public.
>
> Q: So you teased us with references to a system of quarantining computers during your keynote but didn't provide details. Can you explain what you have in mind?
>
> Scott Charney: When people get diseases and they run the risk of contaminating other people, the medical community has devised mechanisms to help ensure the public's health. It's a combination of inspection, quarantine, and treatment. I remember going to Asia during the SARS epidemic and as soon as I got off the plane they were standing there with these little guns that took your temperature as you got off the plane, and if they registered that you had a temperature they would talk to you, and if they thought you might have SARS they would quarantine you and treat you. We've done this with other kinds of illnesses over generations actually. In the enterprise, in computers, we do it today: we have Network Access Protection... The theory is, if a machine is known to be infected, do you want it to connect to the network and infect everyone else? Or do you want to clean the machine and then let it connect? So the concept isn't that complicated, but the challenge is once you move into the consumer environment you raise a lot of interesting issues....
>
> Snip from:
>
> http://news.cnet.com/8301-27080_3-10462649-245.html?tag=mncol;posts
>
> Rob Portil
> Orbital Web
> 408-256-3630
> Rob@OrbitalWeb.com
>
>
> From: Dave Farber [mailto:dave@farber.net]
> Sent: Thursday, March 04, 2010 10:04 AM
> To: ip
> Subject: [IP] re Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
>
> Begin forwarded message:
>
> From: Rich Kulawiec <rsk@gsp.org>
> Date: March 4, 2010 11:07:39 AM EST
> To: David Farber <dave@farber.net>
> Cc: Richard Forno <rforno@infowarrior.org>
> Subject: Re: [IP] Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley
>
> This pitch neatly overlooks something very important, I think.
>
> We have a plethora of Internet security problems, and any reader of Dave Farber's IP or Richard Forno's Infowarrior list or Bruce Schneier's blog or Marcus Ranum's essays &etc. could enumerate many of them.
>
> However, the biggest problem we have, the one that dwarfs all others in terms of scale, scope, difficulty, etc. isn't really an Internet problem per se: it's a Microsoft Windows problem.
>
> The zombie/bot problem has been epidemic for the better part of a decade, and continues to monotonically increase in size. It started with malware like Sobig:
>
> Sobig.a and the Spam You Received Today
> http://www.secureworks.com/research/threats/sobig
>
> Sobig.e - Evolution of the Worm
> http://www.secureworks.com/research/threats/sobig-e/
>
> Sobig.f Examined
> http://www.secureworks.com/research/threats/sobig-f
>
> and then escalated as The Bad Guys developed ever-better code that (a) took over Windows systems and (b) provided the command-and-control necessary to organize them into botnets. They've gotten really good at this.
>
> "How many systems?" remains an open question, but it's clearly somewhere above 100 million. (Which is the consensus estimate that some of us who work in the anti-spam arena came up with several years ago.) Other estimates have been tossed out as well: 250M, 140M, etc. Nobody knows for sure because the answer is unknowable -- a botnet member isn't visible until it does something bot-like to something that's listening for it -- but we can come up with reasonable lower bounds based on years of observations.
>
> "How many botnets, and how large?" is another open question whose best current answers are probably "many" and "millions to tens of millions". For a recent example:
>
> Mariposa Botnet beheaded
> http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32
>
> This article says "as many as 12.7 million poisoned PCs" but does not elaborate how that number was arrived at. (But suppose it's a 400% overestimate: that's still a sizable botnet. And suppose it's a 400% underestimate: yipes.)
>
> Before anyone celebrates too much at this news: the takeaway from this article is that the C&C structure has been taken down...which means that there are now putatively 12.7 million pre-compromised systems out there waiting for the first person(s) who can conscript them into *their* botnet. (Any bets on how long that'll take? I've got a dollar that says "it's already history".)
>
> "What are they running?" is one of the few questions that we have a decent answer to, and the answer is "Windows". We can use passive OS fingerprinting and other techniques to identify the likely OS on each zombie/bot that we see, and while we do from time to time see some that classify as "unknown" or "indeterminate" or "something other than Windows", they're quite rare. The numbers I've got from several years of doing this boil down to "a handful per million might not be Windows or might be Windows-behind-something-else".
>
> So here's the executive summary: there are something in excess of 100M systems out there which no longer belong, in any real sense, to the people who think they own them. They are the playthings of the people running botnets, who have full access to every scrap of data on them, every set of credentials stored or used on them, and can do *anything* they want with them. All but a negligible number of them are running Windows. All the band-aids -- patching, AV, etc. -- aren't working. They're ubiquitous: desktops, laptops, cellphones, and servers across commercial, ISP, academic, and government environments.
>
> And there are more every day.
>
> All of this has a tremendous ripple effect on everything else we're working on: anti-spam, anti-phishing, DoS attacks, identity theft, anti-forgery, data loss, MitM attacks, DNS forgery, etc.
>
> And while we occasionally see Microsoft doing something minor about it, e.g.:
>
> Court order helps Microsoft tear down Waledac botnet
> http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html
>
> these actions are clearly calculated to generate positive PR for Microsoft, not to seriously address the problem. (Note that all this did, like the bust above, was attempt to cut out the C&C network. It does nothing to remediate the "hundreds of thousands of infected machines".)
>
> This isn't just a security problem, it's THE security problem. And Microsoft owns it -- lock, stock and barrel.
>
> Now here's an interesting exercise: go try to find a statement made by anyone at Microsoft in which they acknowledge this: that is, in which they provide a realistic assessment of the scale of the problem, take corporate responsibility for it, and explain what they're going to do to clean up their mess.
>
> Scott Charney didn't do that, as far as I can tell. He didn't talk about the 100M bots out there or how they're almost all running his company's operating system or how much this is costing us in anti-spam, anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't run Windows in our operations*. He didn't even come anywhere close to this. He just lumped all systems together, as if this was a systemic problem, not one almost entirely confined to Windows.
>
> And neither, as far as I can tell, has anyone else at Microsoft. They don't even want to be in the same room with this issue because even for a company with their enormous financial and personnel resources, it's a staggering task (with an equally-staggering cost) to contemplate.
>
> And as long as everyone buys into the Microsoft PR, that we have "a generic Internet security problem" and not "a Microsoft Windows security problem", they won't have to.
>
> ---Rsk

----- End forwarded message -----
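Rich Kulawiec's message mentions using passive OS fingerprinting to classify the OS on each bot observed, with a residue of "unknown" or "indeterminate" hosts. The following is an added example (editor's code, not part of the thread, not p0f or any other real tool): a toy p0f-style classifier that infers a sender's initial TTL from the TTL seen at the sensor, then matches the SYN's window, DF bit and TCP option layout against a small signature table. The signatures are simplified assumptions loosely modelled on p0f's conventions, and the sample SYN records are constructed, not captured traffic. Anything that fails to match lands in "unknown", which is exactly the bucket the message describes.

```python
"""Toy passive TCP/IP OS fingerprinter in the style of p0f.

Added example. SIGNATURES is a simplified, assumed table, not a real
fingerprint database; SAMPLE is constructed, not captured, data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple, Union


@dataclass(frozen=True)
class Syn:
    """What a passive sensor can read from one TCP SYN without touching the host."""
    ttl: int                    # IP TTL as the packet arrived at the sensor
    window: int                 # TCP window advertised in the SYN
    df: bool                    # IP "don't fragment" bit
    mss: int                    # value of the MSS option
    options: Tuple[str, ...]    # TCP option layout, in order (p0f-style names)


@dataclass(frozen=True)
class Signature:
    label: str
    initial_ttl: int
    df: bool
    options: Tuple[str, ...]
    # Either an exact window size, or ("mss", k) meaning window == mss * k
    window: Union[int, Tuple[str, int]]


# Assumed, simplified signatures for illustration only.
SIGNATURES = (
    Signature("Windows", 128, True, ("mss", "nop", "nop", "sok"), 65535),
    Signature("Windows", 128, True, ("mss", "nop", "ws", "nop", "nop", "sok"), 8192),
    Signature("Linux", 64, True, ("mss", "sok", "ts", "nop", "ws"), ("mss", 4)),
    Signature("Linux", 64, True, ("mss", "sok", "ts", "nop", "ws"), ("mss", 10)),
)

# Common initial TTL defaults. Each router hop decrements TTL by one, so the
# smallest default that is >= the observed value is the likely starting point.
_INITIAL_TTLS = (32, 64, 128, 255)
_MAX_PLAUSIBLE_HOPS = 40


def initial_ttl(observed_ttl: int) -> Optional[int]:
    """Infer the sender's initial TTL, e.g. 116 -> 128 (a 128-TTL host 12 hops away)."""
    for candidate in _INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return None  # > 255 cannot occur in a real IPv4 header


def _window_matches(rule: Union[int, Tuple[str, int]], syn: Syn) -> bool:
    if isinstance(rule, tuple):
        return syn.window == syn.mss * rule[1]
    return syn.window == rule


def classify(syn: Syn) -> str:
    """Return the most likely OS family for one SYN, or "unknown" if nothing fits."""
    ittl = initial_ttl(syn.ttl)
    if ittl is None or ittl - syn.ttl > _MAX_PLAUSIBLE_HOPS:
        return "unknown"  # implausible hop count: likely a mangled or odd stack
    for sig in SIGNATURES:
        if (sig.initial_ttl == ittl and sig.df == syn.df
                and sig.options == syn.options and _window_matches(sig.window, syn)):
            return sig.label
    return "unknown"


def tally(syns: Iterable[Syn]) -> Counter:
    """Count OS families across a batch of observed SYNs, as a bot census would."""
    return Counter(classify(s) for s in syns)


# Constructed sample observations (not real capture data).
SAMPLE = [
    Syn(ttl=116, window=65535, df=True, mss=1460, options=("mss", "nop", "nop", "sok")),
    Syn(ttl=121, window=8192, df=True, mss=1460, options=("mss", "nop", "ws", "nop", "nop", "sok")),
    Syn(ttl=52, window=5840, df=True, mss=1460, options=("mss", "sok", "ts", "nop", "ws")),
    Syn(ttl=240, window=65535, df=False, mss=1460, options=("mss", "nop", "ws")),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"ttl={s.ttl:3d} win={s.window:5d} opts={','.join(s.options):24s} -> {classify(s)}")
    print(dict(tally(SAMPLE)))
```

The design point is that nothing here requires contacting the host: every field comes from a SYN the bot itself sent, which is why this works on traffic that is merely observed (spam deliveries, scans, C&C beacons). The unknown bucket deliberately catches both unrecognised stacks and hosts whose packets were rewritten in transit, and should be reported as a count rather than forced into a guess.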