[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20090830081920.02F60B8043@smtp.hushmail.com>
Date: Sun, 30 Aug 2009 04:19:19 -0400
From: "Elazar Broad" <elazar@...hmail.com>
To: quanticle@...il.com, stuart@...erdelix.net
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: windows future
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Like them or not, M$ has done quite a bit with its SDL[1], and
though quite late in the game, the memory protection mechanism's in
Vista and Windows 7. As far as anti-virus software goes, it's
mostly useless[2][there was a recent article on signature lead
time, I can't find it for some reason] already.
[1]http://www.pcworld.com/businesscenter/blogs/bizfeed/167111/opinio
n_pigs_fly_microsoft_leads_in_security.html?tk=rss_news
[2]http://pcworld.about.com/od/virusesphishingspam/Botnets-Defeat-
Most-Anti-Virus.htm
On Sat, 29 Aug 2009 20:09:55 -0400 lsi <stuart@...erdelix.net>
wrote:
>I'm saying that the world's malware authors, in their race to stay
>
>ahead of AV, are engaging in an uncoordinated, slow-motion DDOS of
>
>the world's AV systems. They are flooding the blacklists, and
>this
>flooding is accelerating. If it continues, the world's AV systems
>
>will be useless, as will be the machines they are protecting.
>
>Note, I have NOT gone off and compiled some stats, I've just noted
>an
>existing trend, and extrapolated it. Here's an article from 2005,
>
>again, the numbers suggest an exponential curve.
>http://www.theregister.co.uk/2005/01/05/mcafee_avert_report/
>
>The biological metaphor does suggest that Microsoft would take
>some
>kind of evasive action, and I think their only option is to
>license
>unix, just as Apple did (although Apple did it for different
>reasons). Doing this will solve many problems, they can keep
>their
>proprietary interface and their reputation, and possibly even
>their
>licensing and marketing models, while under the hood, unix saves
>the
>day. They will need to eat some very humble pie, a few diehards
>might jump from Redmond's towers, and the clash of cultures will
>toast some excellent marshmellows... but they will save their
>business. Do they have a choice? Malware numbers are suggesting
>they don't.
>
>Licensing the solution suits Microsoft's business model (much
>easier
>for them to buy in a fix than build one, they tried that already),
>
>they did in fact do it many times previously, starting with a
>certain
>product called MS-DOS, and it means they can keep their customer
>base, they just sell them an upgrade which is in fact a completely
>
>new system - again, just as Apple did with OSX.
>
>Actually, I think the simplest thing for them to do would be to
>buy
>Apple, then they can rebadge OSX, instead of reinventing it.
>
>Stu
>
>On 28 Aug 2009 at 10:24, Rohit Patnaik wrote:
>
>Date sent: Fri, 28 Aug 2009 10:24:25 -0500
>From: Rohit Patnaik <quanticle@...il.com>
>To: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] windows future
>
>> I'm not sure I agree with the basic premise of this scenario.
>You're
>> suggesting that getting exposed to malware is some kind of
>> inevitability, and that eventually there will be enough
>different kinds
>> of malware that filtering them all will be impossible. I don't
>think
>> that's valid. Good browsing habits, running a firewall, and
>keeping your
>> machine updated will prevent almost all malware from even
>getting access
>> to your machine. Then all we have to worry about are the few
>bits of
>> code that are capable of getting through our defenses.
>>
>> To reiterate the biological analogy, we don't rely on
>antibiotics to
>> stop infection. We rely on good hygiene. In the same way, just
>as
>> increased biological infection rates led to a push for greater
>public
>> hygiene (e.g. indoor plumbing, closed sewers, etc.) we'll see a
>push for
>> greater computer hygiene as malware infection rates rise.
>Windows
>> already includes a firewall to prevent automated worm
>infections, and
>> Microsoft is working to harden network facing applications, as
>evidenced
>> by their recent decision to have IE run with limited privileges.
>As
>> malware becomes more virulent, the "immunity" of Windows will
>likewise
>> grow, putting a damper on any sort of exponential growth curve.
>>
>> --Rohit Patnaik
>>
>> lsi wrote:
>> > Thanks for the comments, indeed, the exponential issue arises
>due to
>> > use the of blacklisting by current AV technologies, and a
>switch to
>> > whitelisting could theoretically mitigate that, however, I'm
>not sure
>> > that would work in practice, there are so many little bits of
>code
>> > that execute, right down to tiny javascripts that check you've
>filled
>> > in an online form correctly, and the user might be bombarded
>with
>> > prompts. Falling back on tweaks to user privileges and UAC
>prompts
>> > is hardly fixing the problem. The core problem is the
>platform is
>> > inherently insecure, due to its development, licensing and
>marketing
>> > models, and nothing is going to fix that. Even if fixing it
>became
>> > somehow possible, the same effort could be spent improving a
>> > competing system, rather than fixing a broken one.
>> >
>> > Just to complete the extrapolation, the below.
>> >
>> > Assuming that mutation rates continue to increase
>exponentially,
>> > infection rates will reach a maximum when the average computer
>
>> > reaches 100% utilisation due to malware filtering. Infection
>rates
>> > will then decline as vulnerable hosts "die off" due to their
>> > inability to filter. These hosts will either be replaced with
>new,
>> > more powerful Windows machines (before these themselves
>surcumb to
>> > the exponential curve), OR, they will be re-deployed, running
>a
>> > different, non-Windows platform.
>> >
>> > Eventually, the majority of computer owners will get the idea
>that
>> > they don't need to buy ever-more powerful gear, just to do the
>same
>> > job they did yesterday (there may come a time when the fastest
>
>> > machine available is unable to cope, there is every
>possibility that
>> > mutation rates will exceed Moore's Law). The number of
>vulnerable
>> > hosts will then fall sharply, as the platform is abandoned en-
>masse.
>> >
>> > At this time, crackers who have been depending upon a certain
>amount
>> > of cracks per week for income, will find themselves short.
>They will
>> > then, if they have not already, refocus their activities on
>more
>> > profitable revenue streams.
>> >
>> > If every computer is running a diverse ecosystem, crackers
>will have
>> > no choice but to resort to small-scale, targetted attacks, and
>the
>> > days of mass-market malware will be over, just as the days of
>the
>> > mass-market platform it depends on, will also be over.
>> >
>> > And then, crackers will need to be very good crackers, to
>generate
>> > enough income from their small-scale attacks. If they aren't
>very
>> > good, they might find it easier and more profitable to get a 9-
>to-5
>> > job. The number of malware authors will then fall sharply.
>> >
>> > The world will awaken from the 20+ year nightmare that was
>Windows,
>> > made possible only by manipulative market practices, driven by
>greed,
>> > and discover the only reason it was wracked with malware, was
>because
>> > it had all its eggs in one basket.
>> >
>> > Certainly, vulnerabilities will persist, and skilled cracking
>groups
>> > may well find new niches from which to operate. But
>diversifying the
>> > ecosystem raises the barrier to entry, to a level most garden-
>variety
>> > crackers will find unprofitable, and that will be all that is
>> > required, to encourage most of them to do something else with
>their
>> > lives, and significantly reduce the incidence of cybercrime.
>> >
>> > (now I phrase it like that, it might be said, that by buying
>> > Microsoft, you are indirectly channelling money to organised
>crime
>> > gangs, who most likely engage in other kinds of criminal
>activity, in
>> > addition to cracking, such as identity theft, money
>laundering, and
>> > smuggling. That is, when you buy Microsoft, you are propping
>up the
>> > monoculture, and that monoculture feeds criminals, by way of
>its
>> > inherent flaws. Therefore, if you would like to reduce
>criminal
>> > activity, don't buy Microsoft.)
>> >
>> > -EOF
>> >
>> > On 27 Aug 2009 at 13:45, lsi wrote:
>> >
>> > From: "lsi" <stuart@...erdelix.net>
>> > To: full-disclosure@...ts.grok.org.uk
>> > Date sent: Thu, 27 Aug 2009 13:45:01 +0100
>> > Priority: normal
>
>> >
>> > Subject: [Full-disclosure] windows future
>> > Send reply to: stuart@...erdelix.net
>> > <full-disclosure.lists.grok.org.uk>
>
>> >
>> > <mailto:full-disclosure-
>> > request@...ts.grok.org.uk?subject=unsubscribe>
>> > <mailto:full-disclosure-
>request@...ts.grok.org.uk?subject=subscribe>
>> >
>> >
>> >
>> >> [Some more extrapolations, this time taken from the fact that
>malware
>> >> mutation rates are increasing exponentially. - Stu]
>> >>
>> >> (actually, this wasn't written for an FD audience, please
>excuse the
>> >> bit where it urges you to consider your migration strategy, I
>know
>> >> you're all ultra-l33t and don't have a single M$ box on your
>LAN)
>> >>
>> >> http://www.theregister.co.uk/2009/08/13/malware_arms_race/
>> >>
>> >> If this trend continues, there will come a time when the
>amount of
>> >> malware is so large, that anti-malware filters will need more
>power
>> >> than the systems they are protecting are able to provide.
>> >>
>> >> At this time, those systems will become essentially
>worthless, and
>> >> unusable.
>> >>
>> >> You can choose to leave now, or later. But you cannot choose
>to
>> >> stay...
>> >>
>> >> (I mean, that the Windows platform seems destined to fill,
>> >> completely, with malware, such that your computer will spend
>ALL its
>> >> time on security matters, and will have no CPU, RAM etc left
>for
>> >> actual work. At the end of the day, the ability of malware
>to infect
>> >> Windows machines is due to the fact that Windows is a
>monoculture, a
>> >> monolith, built by a single company, with many
>interconnections and
>> >> hidden alleyways. It's hard to imagine a platform LESS
>vulnerable -
>> >> compare with open-source efforts, which are diverse,
>homogenous and
>> >> connect via open protocols. Malware finds life hard in the
>sterile,
>> >> purified world of RFCs, where one of many different programs
>may
>> >> process your malicious payload, all of which have been peer-
>reviewed.
>> >> In Windows, malware knows that a specific Microsoft EXE will
>process
>> >> its data, knows that the code has not been thoroughly
>checked, and
>> >> can make use of undocumented mechanisms.
>> >>
>> >> So basically Microsoft, by hoarding their source, by tightly
>> >> integrating functionality, and by seeking to monopolise the
>various
>> >> markets created by the platform (browser, media player,
>office
>> >> software), have doomed Windows, and everything that runs on
>it. The
>> >> lack of diversity in the Windows ecosystem means that it is
>highly
>> >> vulnerable to attack by predators. The fact that malware
>mutation
>> >> rates are accelerating is a clear indicator that the foxes
>are
>> >> circling. This is the beginning of a death spiral; the
>malware
>> >> numbers we've seen in the past 20 years were the low end of
>an
>> >> exponential curve, and we're now getting to the steep part.
>> >>
>> >> The problem is that any given computer is only capable of so
>much
>> >> processing. It has an upper limit to the amount of malware
>it can
>> >> filter, those limits being related to CPU speed, RAM,
>diskspace,
>> >> network bandwidth. This upper limit looks like a horizontal
>line, on
>> >> the chart that shows the exponential curve mentioned above.
>> >>
>> >> So my point, is that eventually, the exponential curve is
>going to
>> >> cross that horizontal line, for any given computer, and when
>that
>> >> happens, that computer will no longer be able to filter
>malware. It
>> >> will only be able to filter a subset, and thus be vulnerable
>to the
>> >> rest. Consequently it will not be usable, for instance, on
>the web,
>> >> and will essentially become a doorstop...
>> >>
>> >> The only escape from this inevitability is to ditch the
>platform that
>> >> is permitting the malware - that is, the only escape is to
>ditch
>> >> Windows. It is being eaten alive, by predators that only have
>a
>> >> foothold because there are weaknesses in the platform.
>> >>
>> >> Given that it can take years to migrate to a new operating
>system, I
>> >> do recommend, if you have not already done so, that you
>commence
>> >> planning to ditch Windows. I might be wrong about the
>exponential
>> >> curve, but if I'm not, then there may not be a lot of time in
>between
>> >> when malware levels seem managable, and the time when they
>are not.
>> >> If your business depends on Windows machines and they all
>become
>> >> unusable, you will have no business. What you definitely
>must NOT
>> >> do, is assume that Windows is going to be around for a long
>time. It
>> >> is a dead man walking.
>> >>
>> >> - Of course, there might be a few years yet. You can spend
>those
>> >> years running up your IT bill, with lots of new computers
>that are
>> >> required to filter all that malware while still performing at
>a
>> >> useful speed. Or, you can ditch Windows, and keep your
>existing
>> >> hardware - it runs perfectly well, when it's not weighed down
>
>> >> defending the indefensible.
>> >>
>> >> [If Microsoft dooming Windows isn't ironic enough, consider
>that
>> >> every time malware authors pump out another set of mutations,
>they
>> >> are nailing one more nail in the coffin of the platform that
>they
>> >> depend on to make their living! Ahh, there is justice in the
>world
>> >> after all.]
>> >>
>> >> [And the end game? Well, M$ could open-source Windows, but
>frankly,
>> >> why would anyone bother trying to fix it? As the old saying
>goes,
>> >> don't flog a dead horse...]
>> >>
>> >> ---
>> >> Stuart Udall
>> >> stuart at@...erdelix.dot net - http://www.cyberdelix.net/
>> >>
>> >> ---
>> >> * Origin: lsi: revolution through evolution (192:168/0.2)
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-
>charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> >
>> >
>> >
>> > ---
>> > Stuart Udall
>> > stuart at@...erdelix.dot net - http://www.cyberdelix.net/
>> >
>> > ---
>> > * Origin: lsi: revolution through evolution (192:168/0.2)
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
>---
>Stuart Udall
>stuart at@...erdelix.dot net - http://www.cyberdelix.net/
>
>---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0
wpwEAQECAAYFAkqaNgcACgkQi04xwClgpZizFAP9EtndE4QUApbFpOoasdJW0Ymc1BF3
uMLNlwe5Fud8hDNAaArsdHgN8wj3hXtWeJkg3O/cuG9IImaYrRb9R9rE5R+sYs/wQNjI
yueqWcidj4v0UY1F/GmhKj9U5JiPZw2yHrCo1Y+ePddNhxefZgHlop3NUOpfUWmL1fgO
q3vE3OE=
=GPMR
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists