Date: Fri, 04 Sep 2009 18:44:59 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Cc: Valdis.Kletnieks@...edu
Subject: Re: windows future

> > - approximate date when number of NEW threats will reach 1 Billion: 2015

> This is assuming an exponential growth model, when there's no realistic
> reason to believe it to be so.  

The reason to believe the exponential model will remain valid, is 
that it is the model that is currently valid.  A different model will 
need to explain how the existing exponential curve is derailed.

> There are however good reasons to expect
> that the correct model is the "logistics curve" (slow growth at first,
> a steep middle section, then flattening out asymptotic to a horizontal line).

> For starters, new threats have to come from *somewhere* [...] From
> whence will the 1 billion new threats in the 2015-16 span come from?
> Who will create these, 

Did you see the link I posted to the "Evolvable Malware" PPT?  
Mutation will be automated.  Resistance is useless... ;)

> and who will make money from them?

Presumably, the same gangs who do so now.  They won't need to recruit 
billions of new coders to make their billions of new variants.  It'll 
all be generated overnight, by their botnet, which, when it's not 
sending spam, etc, will be "revectoring" itself, using the GP 
algorithms previously noted.

> At what point will some of the marginal players leave
> the game and find other avenues of making money?

I answered this one already as well... they will leave soon after the 
number of vulnerable hosts starts to fall, which will happen either 
through mass extinction (due to malware overload) or due to 
redeployment with a Real OS.

> [...]  A bigger danger here is if we start seeing *single* threats
> that include a really good real-time polymorphism/obfuscator - *that*
> could really suck. 

But Valdis old chap, that is exactly what the GP algorithms do, the 
proof-of-concept is already out there (see the GP PPT).

> Interesting statistic - year before last, around 10% of all new computer
> purchases were replacements for malware-infested boxes.  Just buying a new
> one was easier/cheaper than trying to fix the old one for a lot of people.

These numbers are probably skewed by some kind of newbie effect.  
Once you have had your machine for a while, as I'm sure you know, 
simply dumping it is not always an option.  Businesses, for example,
may simply be unable to dump an old system, as it runs some legacy 
something, which just happens to be mission-critical.

> Second interesting statistic - the vast majority of that 10% ended up using
> the exact same operating system.
> 
> So even when it's well past the 20% mark and the box is basically unusable,
> they *still* don't run for the exit.

They're newbies.  You wait till they've done that 5 times.  Then ask 
them, are you a happy bunny... and how much money have you spent, in 
total...

- I have already decommissioned one server, due to malware growth - 
it was an old 486 machine, whose sole purpose was to serve AV updates 
for a client's LAN.  All went well for a few years, however the hard 
drive started to fill with signature updates.  So, I upgraded the 
drive, however due to a BIOS limitation (or was that NT4? FAT16?), 
the maximum size I could use was 2Gb.  That would have filled as 
well, except I moved the AV server software onto their main server 
(and proceeded to fill its disk instead, but that's another story) - 
and sent the old 486 to recycling...

So this old server, you might think of course, it's a mere 486, to 
which I reply, and a canary is also a weakling.  That is why people 
put them in mines, because they are very sensitive to carbon monoxide 
levels, and drop dead well before humans do.  So when the canary 
dies, the mine is evacuated.  

This old server was a canary.  Its tight resource limits meant it was 
very sensitive to malware levels.  It dropped dead several years ago 
now. The NaN% on the Virus Bulletin site is another canary.  Sure, 
this can probably be fixed, weak coding you say - again, I say this 
weakness is merely the low-hanging fruit, the first victims of a 
rising tide, which is not even close to its peak.  

Stu

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
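The model question in the exchange above (exponential versus logistic extrapolation of yearly new-threat counts), as an added example that is not part of the original post: it fits both models to a constructed, noiseless series drawn from a logistic curve whose bend is still years away, and compares the 2015 projections. The series and the values K, r and t0 are assumptions for illustration, not figures from any vendor.

```python
"""Fit exponential and logistic models to the same early-phase count series."""
import math

# Constructed ground truth (assumed values): a logistic curve that still looks
# exponential over the observed years because saturation is years away.
TRUE_K, TRUE_R, TRUE_T0 = 5e8, math.log(2), 2013.0

def logistic(t, k, r, t0):
    return k / (1.0 + math.exp(-r * (t - t0)))

def linear_fit(xs, ys):
    """Ordinary least squares y = a + b*x; returns (a, b)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    return my - b * mx, b

def fit_exponential(years, counts):
    """count = A*exp(r*year): regress log(count) on year; returns (log A, r)."""
    return linear_fit(years, [math.log(c) for c in counts])

def fit_logistic(years, counts, k_grid):
    """Grid-search K; for a fixed K the model is linear: log(K/y - 1) = r*t0 - r*t."""
    best = None
    for k in k_grid:
        if k <= max(counts):
            continue                      # linearisation needs K above every count
        a, b = linear_fit(years, [math.log(k / c - 1.0) for c in counts])
        if b >= 0:
            continue                      # slope must be negative for growth
        r, t0 = -b, a / -b
        sse = sum((math.log(logistic(t, k, r, t0)) - math.log(c)) ** 2
                  for t, c in zip(years, counts))
        if best is None or sse < best[0]:
            best = (sse, k, r, t0)
    return best[1:]                       # (K, r, t0)

def project(years, counts, target_year):
    """Return (exponential projection, logistic projection) for target_year."""
    la, r = fit_exponential(years, counts)
    k, rl, t0 = fit_logistic(years, counts, [n * 1e8 for n in range(1, 21)])
    return math.exp(la + r * target_year), logistic(target_year, k, rl, t0)

YEARS = list(range(2003, 2010))
COUNTS = [logistic(t, TRUE_K, TRUE_R, TRUE_T0) for t in YEARS]   # constructed series

if __name__ == "__main__":
    exp_2015, log_2015 = project(YEARS, COUNTS, 2015)
    print(f"exponential fit: {exp_2015:.2e} new threats in 2015")
    print(f"logistic fit:    {log_2015:.2e} new threats in 2015")
```

Both fits reproduce the observed years to within about two percent, yet the exponential fit extrapolates to roughly 1.8 billion for 2015 while the logistic fit gives 0.4 billion, which is the crux of the disagreement: the early part of the curve does not decide which model is right.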
