Message-ID: <54B0B7ACDC1422469902A6D39654DEEE016A98709F61@gandalf.optimum.bm>
Date: Fri, 4 Sep 2009 12:52:48 -0300
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Rohit Patnaik <quanticle@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: windows future
Studies show that 78.3% of all statistics are worthless.
t
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-
> disclosure-bounces@...ts.grok.org.uk] On Behalf Of Rohit Patnaik
> Sent: Friday, September 04, 2009 8:04 AM
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] windows future
>
> All this shows is that there's exponential growth in the number of
> *threats*. It doesn't give any data about the number of actual
> *infections*. I mean, it's quite possible that all these bits of malware
> are just targeting the same group of vulnerable Windows boxen, and
> they're just competing to conquer the same fixed base.
>
> After all, if you extrapolated from the exponential growth of maggots on
> a rotting carcass, you'd be predicting that the entire world would be
> covered in maggots not too far from the future.
>
> --Rohit Patnaik
> lsi wrote:
> > Hi All,
> >
> > Sorry for the delay, I had some urgent migration planning to attend
> > to ... ;) Stats below. Short version: evacuate. Long version:
> >
> > - stats are in, exponential curve is real, see it for yourself here:
> >
> > http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
> >
> > (page 10)
> >
> > - I also added up the numbers at
> >
> > http://www.virusbtn.com/resources/malwareDirectory/prevalence/index.xml?year=2009
> > ... exponential curve also visible, though I think their stats are
> > dodgy, their website is already suffering from math limits - it is
> > reporting current yearly stats as NaN% (Not A Number).
> >
> > - average rate of change per year (annual growth rate), calculated
> > from Symantec's chart: 243%
> >
> > - approximate date when number of NEW threats reached 1 Million: 2008
> >
> > - approximate date when number of NEW threats will reach 1 Billion:
> > 2015
> >
> > - approximate date when number of NEW threats will reach 2 Billion:
> > 2016
> >
> > - charts showing this:
> > http://www.cyberdelix.net/files/malware_mutation_projection.pdf
> >
> > - will the AV companies be able to classify 1 billion new threats per
> > year? that is 2.739 MILLION new threats per DAY (over 1900 new
> > threats per minute).
> >
> > - will your computer cope with scanning every EXE, DLL, PIF etc 1
> > billion times, every time you use them?
> >
> > - aside from the theoretical limits imposed by hardware and software,
> > there is one extra limit, imposed by users. Users will not tolerate
> > machines operating slowly, and will seek alternative platforms well
> > before 100% CPU utilisation (either as a direct result of the size of
> > the blacklist, or indirectly caused by swapping due to low RAM).
> > This user limit might be lower than 20% CPU utilisation. If users
> > figure out that 20% of their time is being wasted, and rising fast,
> > they will run for the exit.
> >
> > - will you tolerate your machine constantly processing a list a
> > billion items long?
> >
> > - do you plan to, and can you afford to, upgrade your compute power
> > by 243%, every year?
> >
> > - will you do this, even though you know viable alternative platforms
> > exist, at less total cost to yourself?
> >
> > - if you're already irritated that AV is slowing down your machine,
> > consider that malware levels will be 500 times higher in approx 5
> > years (assuming growth rates continue at 243%). That means your AV
> > will be running 500 times slower. Unless you upgrade your machine by
> > 500 x current (eg. to an effective speed of approx 1000 GHz), your
> > machine is going to slow down even more. Given that chipmakers don't
> > seem to be able to get much past 5GHz, without melting the die, that
> > means you'll need 200 of today's processors, just for malware
> > filtering, by 2015.
> >
> > - Moore's Law says compute power doubles (200%) every 24 months.
> > However, malware is growing at 243% every 12 months. Thus it is
> > already exceeding Moore's Law, by a massive margin. I suspect this
> > means this race is unwinnable, and we should give up now, and devote
> > our resources to something sustainable.
> >
> > - how AV writers will generate 2.7 million new threats/day:
> >
> > "Evolvable Malware":
> > http://www.genetic-programming.org/hc2009/3-Noreen/Noreen-Presentation.ppt
> >
> > "A Field Guide to Genetic Programming":
> > http://www.gp-field-guide.org.uk/
> >
> > Wiki:
> > http://en.wikipedia.org/wiki/Genetic_programming
> >
> > - the insecurity of Windows creates a public space, of sorts, an area
> > of common ground, with shared ownership - and this is thus
> > susceptible to the tragedy of the commons ...
> > http://en.wikipedia.org/wiki/Tragedy_of_the_commons ... so no, I
> > don't think malware authors will slow down the mutation rate, so as
> > to prolong the life of the platform, they do not work together. As
> > Messagelabs puts it, "there's no honour amongst thieves" ...
> > http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf
> >
> > - the greenhouse emissions caused by billions of computers checking
> > billions of items for billions of malware are likely to be
> > measurable, and will increasingly erode the world's ability to meet
> > environmental targets
> >
> > - my own maths might be dodgy, please check it, spreadsheet:
> > http://www.cyberdelix.net/files/malware_mutation_projection.ods
> >
> > Stu
> >
> > On 28 Aug 2009 at 15:32, lsi wrote:
> >
> > From: "lsi" <stuart@...erdelix.net>
> > To: full-disclosure@...ts.grok.org.uk
> > Date sent: Fri, 28 Aug 2009 15:32:45 +0100
> >
> >
> >> Thanks for the comments, indeed, the exponential issue arises due to
> >> the use of blacklisting by current AV technologies, and a switch to
> >> whitelisting could theoretically mitigate that, however, I'm not sure
> >> that would work in practice, there are so many little bits of code
> >> that execute, right down to tiny javascripts that check you've filled
> >> in an online form correctly, and the user might be bombarded with
> >> prompts. Falling back on tweaks to user privileges and UAC prompts
> >> is hardly fixing the problem. The core problem is the platform is
> >> inherently insecure, due to its development, licensing and marketing
> >> models, and nothing is going to fix that. Even if fixing it became
> >> somehow possible, the same effort could be spent improving a
> >> competing system, rather than fixing a broken one.
> >>
> >> Just to complete the extrapolation, the below.
> >>
> >> Assuming that mutation rates continue to increase exponentially,
> >> infection rates will reach a maximum when the average computer
> >> reaches 100% utilisation due to malware filtering. Infection rates
> >> will then decline as vulnerable hosts "die off" due to their
> >> inability to filter. These hosts will either be replaced with new,
> >> more powerful Windows machines (before these themselves succumb to
> >> the exponential curve), OR, they will be re-deployed, running a
> >> different, non-Windows platform.
> >>
> >> Eventually, the majority of computer owners will get the idea that
> >> they don't need to buy ever-more powerful gear, just to do the same
> >> job they did yesterday (there may come a time when the fastest
> >> machine available is unable to cope, there is every possibility that
> >> mutation rates will exceed Moore's Law). The number of vulnerable
> >> hosts will then fall sharply, as the platform is abandoned en masse.
> >>
> >> At this time, crackers who have been depending upon a certain amount
> >> of cracks per week for income, will find themselves short. They will
> >> then, if they have not already, refocus their activities on more
> >> profitable revenue streams.
> >>
> >> If every computer is running a diverse ecosystem, crackers will have
> >> no choice but to resort to small-scale, targeted attacks, and the
> >> days of mass-market malware will be over, just as the days of the
> >> mass-market platform it depends on, will also be over.
> >>
> >> And then, crackers will need to be very good crackers, to generate
> >> enough income from their small-scale attacks. If they aren't very
> >> good, they might find it easier and more profitable to get a 9-to-5
> >> job. The number of malware authors will then fall sharply.
> >>
> >> The world will awaken from the 20+ year nightmare that was Windows,
> >> made possible only by manipulative market practices, driven by greed,
> >> and discover the only reason it was wracked with malware, was because
> >> it had all its eggs in one basket.
> >>
> >> Certainly, vulnerabilities will persist, and skilled cracking groups
> >> may well find new niches from which to operate. But diversifying the
> >> ecosystem raises the barrier to entry, to a level most garden-variety
> >> crackers will find unprofitable, and that will be all that is
> >> required, to encourage most of them to do something else with their
> >> lives, and significantly reduce the incidence of cybercrime.
> >>
> >> (now I phrase it like that, it might be said, that by buying
> >> Microsoft, you are indirectly channelling money to organised crime
> >> gangs, who most likely engage in other kinds of criminal activity, in
> >> addition to cracking, such as identity theft, money laundering, and
> >> smuggling. That is, when you buy Microsoft, you are propping up the
> >> monoculture, and that monoculture feeds criminals, by way of its
> >> inherent flaws. Therefore, if you would like to reduce criminal
> >> activity, don't buy Microsoft.)
> >>
> >> -EOF
> >>
> >> On 27 Aug 2009 at 13:45, lsi wrote:
> >>
> >> From: "lsi" <stuart@...erdelix.net>
> >> To: full-disclosure@...ts.grok.org.uk
> >> Date sent: Thu, 27 Aug 2009 13:45:01 +0100
> >> Priority: normal
> >>
> >> Subject: [Full-disclosure] windows future
> >> Send reply to: stuart@...erdelix.net
> >>
> >>
> >>
> >>> [Some more extrapolations, this time taken from the fact that malware
> >>> mutation rates are increasing exponentially. - Stu]
> >>>
> >>> (actually, this wasn't written for an FD audience, please excuse the
> >>> bit where it urges you to consider your migration strategy, I know
> >>> you're all ultra-l33t and don't have a single M$ box on your LAN)
> >>>
> >>> http://www.theregister.co.uk/2009/08/13/malware_arms_race/
> >>>
> >>> If this trend continues, there will come a time when the amount of
> >>> malware is so large, that anti-malware filters will need more power
> >>> than the systems they are protecting are able to provide.
> >>>
> >>> At this time, those systems will become essentially worthless, and
> >>> unusable.
> >>>
> >>> You can choose to leave now, or later. But you cannot choose to
> >>> stay...
> >>>
> >>> (I mean, that the Windows platform seems destined to fill,
> >>> completely, with malware, such that your computer will spend ALL its
> >>> time on security matters, and will have no CPU, RAM etc left for
> >>> actual work. At the end of the day, the ability of malware to infect
> >>> Windows machines is due to the fact that Windows is a monoculture, a
> >>> monolith, built by a single company, with many interconnections and
> >>> hidden alleyways. It's hard to imagine a platform LESS vulnerable -
> >>> compare with open-source efforts, which are diverse, homogenous and
> >>> connect via open protocols. Malware finds life hard in the sterile,
> >>> purified world of RFCs, where one of many different programs may
> >>> process your malicious payload, all of which have been peer-reviewed.
> >>> In Windows, malware knows that a specific Microsoft EXE will process
> >>> its data, knows that the code has not been thoroughly checked, and
> >>> can make use of undocumented mechanisms.
> >>>
> >>> So basically Microsoft, by hoarding their source, by tightly
> >>> integrating functionality, and by seeking to monopolise the various
> >>> markets created by the platform (browser, media player, office
> >>> software), have doomed Windows, and everything that runs on it. The
> >>> lack of diversity in the Windows ecosystem means that it is highly
> >>> vulnerable to attack by predators. The fact that malware mutation
> >>> rates are accelerating is a clear indicator that the foxes are
> >>> circling. This is the beginning of a death spiral; the malware
> >>> numbers we've seen in the past 20 years were the low end of an
> >>> exponential curve, and we're now getting to the steep part.
> >>>
> >>> The problem is that any given computer is only capable of so much
> >>> processing. It has an upper limit to the amount of malware it can
> >>> filter, those limits being related to CPU speed, RAM, diskspace,
> >>> network bandwidth. This upper limit looks like a horizontal line, on
> >>> the chart that shows the exponential curve mentioned above.
> >>>
> >>> So my point, is that eventually, the exponential curve is going to
> >>> cross that horizontal line, for any given computer, and when that
> >>> happens, that computer will no longer be able to filter malware. It
> >>> will only be able to filter a subset, and thus be vulnerable to the
> >>> rest. Consequently it will not be usable, for instance, on the web,
> >>> and will essentially become a doorstop...
> >>>
> >>> The only escape from this inevitability is to ditch the platform that
> >>> is permitting the malware - that is, the only escape is to ditch
> >>> Windows. It is being eaten alive, by predators that only have a
> >>> foothold because there are weaknesses in the platform.
> >>>
> >>> Given that it can take years to migrate to a new operating system, I
> >>> do recommend, if you have not already done so, that you commence
> >>> planning to ditch Windows. I might be wrong about the exponential
> >>> curve, but if I'm not, then there may not be a lot of time in between
> >>> when malware levels seem manageable, and the time when they are not.
> >>> If your business depends on Windows machines and they all become
> >>> unusable, you will have no business. What you definitely must NOT
> >>> do, is assume that Windows is going to be around for a long time. It
> >>> is a dead man walking.
> >>>
> >>> - Of course, there might be a few years yet. You can spend those
> >>> years running up your IT bill, with lots of new computers that are
> >>> required to filter all that malware while still performing at a
> >>> useful speed. Or, you can ditch Windows, and keep your existing
> >>> hardware - it runs perfectly well, when it's not weighed down
> >>> defending the indefensible.
> >>>
> >>> [If Microsoft dooming Windows isn't ironic enough, consider that
> >>> every time malware authors pump out another set of mutations, they
> >>> are nailing one more nail in the coffin of the platform that they
> >>> depend on to make their living! Ahh, there is justice in the world
> >>> after all.]
> >>>
> >>> [And the end game? Well, M$ could open-source Windows, but frankly,
> >>> why would anyone bother trying to fix it? As the old saying goes,
> >>> don't flog a dead horse...]
> >>>
> >>> ---
> >>>
> >
> >
> > ---
> > Stuart Udall
> > stuart at@...erdelix.dot net - http://www.cyberdelix.net/
> >
> > ---
> > * Origin: lsi: revolution through evolution (192:168/0.2)
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
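Stu's quoted post asks readers to check its projection. The following is a worked model of that arithmetic, added here and not taken from the thread or from the poster's spreadsheet; it assumes "243% annual growth" means each year's count is 2.43 times the previous, that blacklist scanning cost scales linearly with signature count, and it models the post's "horizontal line" (a CPU budget such as the 20% user-tolerance figure) both for a machine kept as-is and for one upgraded along Moore's law.

```python
import math

# Constructed model of the projection in the quoted post (added example,
# not the poster's spreadsheet). Assumptions: "243% annual growth" means
# x2.43 per year, and scanning cost scales linearly with signature count.
BASE_YEAR = 2008               # post: NEW threats reached 1 million in 2008
BASE_THREATS = 1_000_000
ANNUAL_MULTIPLIER = 2.43
MOORE_ANNUAL = 2 ** (12 / 24)  # compute doubles every 24 months: ~1.41x/year


def threats_in(year, mult=ANNUAL_MULTIPLIER):
    """Projected number of new threats in a calendar year."""
    return BASE_THREATS * mult ** (year - BASE_YEAR)


def year_reaching(target, mult=ANNUAL_MULTIPLIER):
    """Calendar year during which continuous growth first crosses `target`."""
    years = math.log(target / BASE_THREATS) / math.log(mult)
    return BASE_YEAR + math.floor(years)


def per_day_and_minute(per_year):
    """Classification workload (per day, per minute) implied by a yearly count."""
    per_day = per_year / 365
    return per_day, per_day / (24 * 60)


def av_cpu_share(year, share_in_base_year, hardware_growth=1.0,
                 mult=ANNUAL_MULTIPLIER):
    """Fraction of CPU spent scanning in `year`. hardware_growth=1.0 keeps the
    same machine; MOORE_ANNUAL models upgrading along Moore's law."""
    growth = (mult / hardware_growth) ** (year - BASE_YEAR)
    return min(1.0, share_in_base_year * growth)


def year_share_reaches(limit, share_in_base_year, hardware_growth=1.0,
                       mult=ANNUAL_MULTIPLIER):
    """First year the scanning share reaches `limit` (the post's horizontal
    line: 0.20 for user tolerance, 1.0 for saturation). Returns None when
    hardware growth keeps pace with or outruns the malware curve."""
    if mult <= hardware_growth or share_in_base_year <= 0:
        return None
    limit = min(limit, 1.0)
    year = BASE_YEAR
    while av_cpu_share(year, share_in_base_year, hardware_growth, mult) < limit:
        year += 1
    return year
```

With these assumptions the 1 billion and 2 billion milestones land in 2015 and 2016 as the post states, and a machine spending 1% of its CPU on scanning in 2008 hits the 20% line in 2012 if kept, or 2014 if upgraded along Moore's law.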