[Infowarrior] - more on...Microsoft exec pitches Internet usage tax to pay for cybersecurity programs - The Hill's Hillicon Valley

Richard Forno rforno at infowarrior.org
Thu Mar 4 18:13:53 UTC 2010


Begin forwarded message:

> From: Rich Kulawiec <rsk at gsp.org>
> Date: March 4, 2010 11:07:39 AM EST
> To: David Farber <dave at farber.net>
> Cc: Richard Forno <rforno at infowarrior.org>
>
>
> This pitch neatly overlooks something very important, I think.
>
> We have a plethora of Internet security problems, and any reader of
> Dave Farber's IP or Richard Forno's Infowarrior list or Bruce Schneier's
> blog or Marcus Ranum's essays &etc. could enumerate many of them.
>
> However, the biggest problem we have, the one that dwarfs all others
> in terms of scale, scope, difficulty, etc. isn't really an Internet
> problem per se: it's a Microsoft Windows problem.
>
> The zombie/bot problem has been epidemic for the better part of a decade,
> and continues to monotonically increase in size.  It started with malware
> like Sobig:
> 	
> 	Sobig.a and the Spam You Received Today
> 	http://www.secureworks.com/research/threats/sobig
> 	
> 	Sobig.e - Evolution of the Worm
> 	http://www.secureworks.com/research/threats/sobig-e/
>
> 	Sobig.f Examined
> 	http://www.secureworks.com/research/threats/sobig-f
>
> and then escalated as The Bad Guys developed ever-better code that
> (a) took over Windows systems and (b) provided the command-and-control
> necessary to organize them into botnets.  They've gotten really good
> at this.
>
> "How many systems?" remains an open question, but it's clearly somewhere
> above 100 million.  (Which is the consensus estimate that some of us who
> work in the anti-spam arena came up with several years ago.)  Other estimates
> have been tossed out as well: 250M, 140M, etc.  Nobody knows for sure because
> the answer is unknowable -- a botnet member isn't visible until it does
> something bot-like to something that's listening for it -- but we can
> come up with reasonable lower bounds based on years of observations.
>
> "How many botnets, and how large?" is another open question whose best
> current answers are probably "many" and "millions to tens of millions".
> For a recent example:
>
> 	Mariposa Botnet beheaded
> 	http://hosted.ap.org/dynamic/stories/U/US_TEC_BOTNET_BUSTED?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2010-03-02-14-26-32
>
> This article says "as many as 12.7 million poisoned PCs" but does not
> elaborate how that number was arrived at.  (But suppose it's a 400%
> overestimate: that's still a sizable botnet.  And suppose it's a 400%
> underestimate: yipes.)
>
> Before anyone celebrates too much at this news: the takeaway from this
> article is that the C&C structure has been taken down...which means that
> there are now putatively 12.7 million pre-compromised systems out there
> waiting for the first person(s) who can conscript them into *their* botnet.
> (Any bets on how long that'll take?  I've got a dollar that says "it's
> already history".)
>
> "What are they running?" is one of the few questions that we have a
> decent answer to, and the answer is "Windows".  We can use passive
> OS fingerprinting and other techniques to identify the likely OS on
> each zombie/bot that we see, and while we do from time to time see
> some that classify as "unknown" or "indeterminate" or "something
> other than Windows", they're quite rare.  The numbers I've got from
> several years of doing this boil down to "a handful per million might
> not be Windows or might be Windows-behind-something-else".
>
> So here's the executive summary: there are something in excess of 100M
> systems out there which no longer belong, in any real sense, to the
> people who think they own them.  They are the playthings of the people
> running botnets, who have full access to every scrap of data on them,
> every set of credentials stored or used on them, and can do *anything*
> they want with them.  All but a negligible number of them are running
> Windows.  All the band-aids -- patching, AV, etc. -- aren't working.
> They're ubiquitous: desktops, laptops, cellphones, and servers across
> commercial, ISP, academic, and government environments.
>
> And there are more every day.
>
> All of this has a tremendous ripple effect on everything else we're
> working on: anti-spam, anti-phishing, DoS attacks, identity theft,
> anti-forgery, data loss, MitM attacks, DNS forgery, etc.
>
> And while we occasionally see Microsoft doing something minor
> about it, e.g.:
>
> 	Court order helps Microsoft tear down Waledac botnet
> 	http://www.networkworld.com/news/2010/022510-court-order-helps-microsoft-tear.html
>
> these actions are clearly calculated to generate positive PR for
> Microsoft, not to seriously address the problem.  (Note that all this
> did, like the bust above, was attempt to cut out the C&C network.  It does
> nothing to remediate the "hundreds of thousands of infected machines".)
>
> This isn't just a security problem, it's THE security problem.
> And Microsoft owns it -- lock, stock and barrel.
>
> Now here's an interesting exercise: go try to find a statement made by
> anyone at Microsoft in which they acknowledge this: that is, in which
> they provide a realistic assessment of the scale of the problem, take
> corporate responsibility for it, and explain what they're going to do
> to clean up their mess.
>
> Scott Charney didn't do that, as far as I can tell.  He didn't talk
> about the 100M bots out there or how they're almost all running his
> company's operating system or how much this is costing us in anti-spam,
> anti-bruteforce, anti-DDoS, anti-whatever measures *even if we don't run
> Windows in our operations*.  He didn't even come anywhere close to this.
> He just lumped all systems together, as if this was a systemic problem,
> not one almost entirely confined to Windows.
>
> And neither, as far as I can tell, has anyone else at Microsoft. They
> don't even want to be in the same room with this issue because even
> for a company with their enormous financial and personnel resources,
> it's a staggering task (with an equally-staggering cost) to contemplate.
>
> And as long as everyone buys into the Microsoft PR, that we have
> "a generic Internet security problem" and not "a Microsoft Windows
> security problem", they won't have to.
>
> ---Rsk
>
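The passive OS-fingerprinting tally that the forwarded message describes (classify each source that does something bot-like, count how many look like Windows versus "unknown", "indeterminate" or something else) can be sketched in a few lines. The block below is an added illustration and is not code from Rich Kulawiec, the Infowarrior list, or any fingerprinting tool; the signature table is a deliberately tiny, simplified p0f-style set of typical TTL/window defaults (real tools match far more fields, such as TCP option order and MSS), the log format and the sample lines are constructed, and every function name is hypothetical.

```python
"""Toy passive OS fingerprinting tally over observed TCP SYNs.

Added illustration, not from the original post.  Signatures are simplified
guesses at common stack defaults; a real tool uses a large database and
more fields (TCP options order, MSS, window scaling, etc.).
"""
from collections import Counter
from dataclasses import dataclass

# Initial TTLs used by common OS families.  The TTL seen on the wire is the
# initial value minus the hop count, so we round up to the nearest default.
INITIAL_TTLS = (64, 128, 255)

# (initial_ttl, window_size, df_bit) -> OS family.  Constructed, simplified
# defaults for illustration only (Windows XP/7 and Linux 2.6-era values).
SIGNATURES = {
    (128, 65535, True): "windows",
    (128, 8192, True): "windows",
    (128, 64240, True): "windows",
    (64, 5840, True): "linux",
    (64, 29200, True): "linux",
    (64, 65535, True): "bsd/macos",
}


@dataclass
class SynObservation:
    src: str
    ttl: int
    window: int
    df: bool


def infer_initial_ttl(ttl):
    """Return the smallest common initial TTL >= observed TTL, or None."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    return None


def estimate_hops(obs):
    """Hop count implied by the observed TTL (None if TTL is out of range)."""
    ittl = infer_initial_ttl(obs.ttl)
    return None if ittl is None else ittl - obs.ttl


def classify(obs):
    """Map one SYN to an OS family, 'unknown' or 'indeterminate'.

    Note the caveat from the post: a Windows host behind a proxy or NAT that
    terminates TCP itself shows the *middlebox's* stack here, so a
    non-Windows verdict may really be "Windows-behind-something-else".
    """
    ittl = infer_initial_ttl(obs.ttl)
    if ittl is None:
        return "unknown"
    return SIGNATURES.get((ittl, obs.window, obs.df), "indeterminate")


def parse_line(line):
    """Constructed log format: '<src-ip> <ttl> <window> <df 0|1>'."""
    src, ttl, window, df = line.split()
    return SynObservation(src, int(ttl), int(window), df == "1")


def tally(lines):
    """Count OS-family verdicts over a batch of log lines."""
    return Counter(classify(parse_line(l)) for l in lines if l.strip())


def non_windows_fraction(counts):
    """Share of sources that did not classify as Windows."""
    total = sum(counts.values())
    return (total - counts["windows"]) / total if total else 0.0


# Constructed sample: TEST-NET addresses, TTLs a plausible few hops below
# the stack defaults.  The last line has an unusual window and no DF bit.
SAMPLE = """\
198.51.100.10 116 65535 1
198.51.100.11 121 8192 1
203.0.113.7 52 5840 1
203.0.113.9 118 64240 1
192.0.2.33 57 65535 1
192.0.2.34 240 4128 0
"""

if __name__ == "__main__":
    counts = tally(SAMPLE.splitlines())
    for family, n in counts.most_common():
        print(f"{family:14s} {n}")
    print(f"non-Windows fraction: {non_windows_fraction(counts):.2f}")
```

On the constructed sample the tally comes out as three Windows, one Linux, one BSD/macOS and one indeterminate source. The ratio the post quotes ("a handful per million") only emerges over large observation sets, and the classifier is only as good as its signature table; the practical lesson is that verdicts other than "windows" deserve a second look for the NAT/proxy case before being counted as genuinely non-Windows.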