| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Sep 2009 12:52:48 -0300 From: "Thor (Hammer of God)" <thor@...merofgod.com> To: Rohit Patnaik <quanticle@...il.com> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Re: windows future Studies show that 78.3% of all statistics are worthless. t > -----Original Message----- > From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full- > disclosure-bounces@...ts.grok.org.uk] On Behalf Of Rohit Patnaik > Sent: Friday, September 04, 2009 8:04 AM > Cc: full-disclosure@...ts.grok.org.uk > Subject: Re: [Full-disclosure] windows future > > All this shows is that there's exponential growth in the number of > *threats*. It doesn't give any data about the number of actual > *infections*. I mean, its quite possible that all these bits of malware > are just targeting the same group of vulnerable Windows boxen, and > they're just competing to conquer the same fixed base. > > After all, if you extrapolated from the exponential growth of maggots > on > a rotting carcass, you'd be predicting that the entire world would be > covered in maggots not too far from the future. > > --Rohit Patnaik > lsi wrote: > > Hi All, > > > > Sorry for the delay, I had some urgent migration planning to attend > > to ... ;) Stats below. Short version: evacuate. Long version: > > > > - stats are in, exponential curve is real, see it for yourself here: > > > > http://eval.symantec.com/mktginfo/enterprise/white_papers/b- > whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf > > > > (page 10) > > > > - I also added up the numbers at > > > http://www.virusbtn.com/resources/malwareDirectory/prevalence/index.xml > ?year=2009 > > ... exponential curve also visible, though I think their stats are > > dodgy, their website is already suffering from math limits - it is > > reporting current yearly stats as NaN% (Not A Number). > > > > - average rate of change per year (annual growth rate), calculated > > from Symantec's chart: 243% > > > > - approximate date when number of NEW threats reached 1 Million: 2008 > > > > - approximate date when number of NEW threats will reach 1 Billion: > > 2015 > > > > - approximate date when number of NEW threats will reach 2 Billion: > > 2016 > > > > - charts showing this: > > http://www.cyberdelix.net/files/malware_mutation_projection.pdf > > > > - will the AV companies be able to classify 1 billion new threats per > > year? that is 2.739 MILLION new threats per DAY (over 1900 new > > threats per minute). > > > > - will your computer cope with scanning every EXE, DLL, PIF etc 1 > > billion times, every time you use them? > > > > - aside from the theoretical limits imposed by hardware and software, > > there is one extra limit, imposed by users. Users will not tolerate > > machines operating slowly, and will seek alternative platforms well > > before 100% CPU utilisation (either as a direct result of the size of > > the blacklist, or indirectly caused by swapping due to low RAM). > > This user limit might be lower than 20% CPU utilisation. If users > > figure out that 20% of their time is being wasted, and rising fast, > > they will run for the exit. > > > > - will you tolerate your machine constantly processing a list a > > billion items long? > > > > - do you plan to, and can you afford to, upgrade your compute power > > by 243%, every year? > > > > - will you do this, even though you know viable alternative platforms > > exist, at less total cost to yourself? > > > > - if you're already irritated that AV is slowing down your machine, > > consider that malware levels will be 500 times higher in approx 5 > > years (assuming growth rates continue at 243%). That means your AV > > will be running 500 times slower. Unless you upgrade your machine by > > 500 x current (eg. to an effective speed of approx 1000 GHz), your > > machine is going to slow down even more. Given that chipmakers don't > > seem to be able to get much past 5GHz, without melting the die, that > > means you'll need 200 of today's processors, just for malware > > filtering, by 2015. > > > > - Moore's Law says compute power doubles (200%) every 24 months. > > However, malware is growing at 243% every 12 months. Thus it is > > already exceeding Moore's Law, by a massive margin. I suspect this > > means this race is unwinnable, and we should give up now, and devote > > our resources to something sustainable. > > > > - how AV writers will generate 2.7 million new threats/day: > > > > "Evolvable Malware": > > http://www.genetic-programming.org/hc2009/3-Noreen/Noreen- > Presentation.ppt > > > > "A Field Guide to Genetic Programming": > > http://www.gp-field-guide.org.uk/ > > > > Wiki: > > http://en.wikipedia.org/wiki/Genetic_programming > > > > - the insecurity of Windows creates a public space, of sorts, an area > > of common ground, with shared ownership - and this is thus > > susceptible to the tragedy of the commons ... > > http://en.wikipedia.org/wiki/Tragedy_of_the_commons ... so no, I > > don't think malware authors will slow down the mutation rate, so as > > to prolong the life of the platform, they do not work together. As > > Messagelabs puts it, "there's no honour amongst thieves" ... > > http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf > > > > - the greenhouse emissions caused by billions of computers checking > > billions of items for billions of malware are likely to be > > measurable, and will increasingly erode the world's ability to meet > > environmental targets > > > > - my own maths might be dodgy, please check it, spreadsheet: > > http://www.cyberdelix.net/files/malware_mutation_projection.ods > > > > Stu > > > > On 28 Aug 2009 at 15:32, lsi wrote: > > > > From: "lsi" <stuart@...erdelix.net> > > To: full-disclosure@...ts.grok.org.uk > > Date sent: Fri, 28 Aug 2009 15:32:45 +0100 > > > > > >> Thanks for the comments, indeed, the exponential issue arises due to > >> use the of blacklisting by current AV technologies, and a switch to > >> whitelisting could theoretically mitigate that, however, I'm not > sure > >> that would work in practice, there are so many little bits of code > >> that execute, right down to tiny javascripts that check you've > filled > >> in an online form correctly, and the user might be bombarded with > >> prompts. Falling back on tweaks to user privileges and UAC prompts > >> is hardly fixing the problem. The core problem is the platform is > >> inherently insecure, due to its development, licensing and marketing > >> models, and nothing is going to fix that. Even if fixing it became > >> somehow possible, the same effort could be spent improving a > >> competing system, rather than fixing a broken one. > >> > >> Just to complete the extrapolation, the below. > >> > >> Assuming that mutation rates continue to increase exponentially, > >> infection rates will reach a maximum when the average computer > >> reaches 100% utilisation due to malware filtering. Infection rates > >> will then decline as vulnerable hosts "die off" due to their > >> inability to filter. These hosts will either be replaced with new, > >> more powerful Windows machines (before these themselves surcumb to > >> the exponential curve), OR, they will be re-deployed, running a > >> different, non-Windows platform. > >> > >> Eventually, the majority of computer owners will get the idea that > >> they don't need to buy ever-more powerful gear, just to do the same > >> job they did yesterday (there may come a time when the fastest > >> machine available is unable to cope, there is every possibility that > >> mutation rates will exceed Moore's Law). The number of vulnerable > >> hosts will then fall sharply, as the platform is abandoned en-masse. > >> > >> At this time, crackers who have been depending upon a certain amount > >> of cracks per week for income, will find themselves short. They > will > >> then, if they have not already, refocus their activities on more > >> profitable revenue streams. > >> > >> If every computer is running a diverse ecosystem, crackers will have > >> no choice but to resort to small-scale, targetted attacks, and the > >> days of mass-market malware will be over, just as the days of the > >> mass-market platform it depends on, will also be over. > >> > >> And then, crackers will need to be very good crackers, to generate > >> enough income from their small-scale attacks. If they aren't very > >> good, they might find it easier and more profitable to get a 9-to-5 > >> job. The number of malware authors will then fall sharply. > >> > >> The world will awaken from the 20+ year nightmare that was Windows, > >> made possible only by manipulative market practices, driven by > greed, > >> and discover the only reason it was wracked with malware, was > because > >> it had all its eggs in one basket. > >> > >> Certainly, vulnerabilities will persist, and skilled cracking groups > >> may well find new niches from which to operate. But diversifying > the > >> ecosystem raises the barrier to entry, to a level most garden- > variety > >> crackers will find unprofitable, and that will be all that is > >> required, to encourage most of them to do something else with their > >> lives, and significantly reduce the incidence of cybercrime. > >> > >> (now I phrase it like that, it might be said, that by buying > >> Microsoft, you are indirectly channelling money to organised crime > >> gangs, who most likely engage in other kinds of criminal activity, > in > >> addition to cracking, such as identity theft, money laundering, and > >> smuggling. That is, when you buy Microsoft, you are propping up the > >> monoculture, and that monoculture feeds criminals, by way of its > >> inherent flaws. Therefore, if you would like to reduce criminal > >> activity, don't buy Microsoft.) > >> > >> -EOF > >> > >> On 27 Aug 2009 at 13:45, lsi wrote: > >> > >> From: "lsi" <stuart@...erdelix.net> > >> To: full-disclosure@...ts.grok.org.uk > >> Date sent: Thu, 27 Aug 2009 13:45:01 +0100 > >> Priority: normal > >> > >> Subject: [Full-disclosure] windows future > >> Send reply to: stuart@...erdelix.net > >> <full-disclosure.lists.grok.org.uk> > >> > >> <mailto:full-disclosure- > >> request@...ts.grok.org.uk?subject=unsubscribe> > >> <mailto:full-disclosure- > request@...ts.grok.org.uk?subject=subscribe> > >> > >> > >> > >>> [Some more extrapolations, this time taken from the fact that > malware > >>> mutation rates are increasing exponentially. - Stu] > >>> > >>> (actually, this wasn't written for an FD audience, please excuse > the > >>> bit where it urges you to consider your migration strategy, I know > >>> you're all ultra-l33t and don't have a single M$ box on your LAN) > >>> > >>> http://www.theregister.co.uk/2009/08/13/malware_arms_race/ > >>> > >>> If this trend continues, there will come a time when the amount of > >>> malware is so large, that anti-malware filters will need more power > >>> than the systems they are protecting are able to provide. > >>> > >>> At this time, those systems will become essentially worthless, and > >>> unusable. > >>> > >>> You can choose to leave now, or later. But you cannot choose to > >>> stay... > >>> > >>> (I mean, that the Windows platform seems destined to fill, > >>> completely, with malware, such that your computer will spend ALL > its > >>> time on security matters, and will have no CPU, RAM etc left for > >>> actual work. At the end of the day, the ability of malware to > infect > >>> Windows machines is due to the fact that Windows is a monoculture, > a > >>> monolith, built by a single company, with many interconnections and > >>> hidden alleyways. It's hard to imagine a platform LESS vulnerable > - > >>> compare with open-source efforts, which are diverse, homogenous and > >>> connect via open protocols. Malware finds life hard in the > sterile, > >>> purified world of RFCs, where one of many different programs may > >>> process your malicious payload, all of which have been peer- > reviewed. > >>> In Windows, malware knows that a specific Microsoft EXE will > process > >>> its data, knows that the code has not been thoroughly checked, and > >>> can make use of undocumented mechanisms. > >>> > >>> So basically Microsoft, by hoarding their source, by tightly > >>> integrating functionality, and by seeking to monopolise the various > >>> markets created by the platform (browser, media player, office > >>> software), have doomed Windows, and everything that runs on it. > The > >>> lack of diversity in the Windows ecosystem means that it is highly > >>> vulnerable to attack by predators. The fact that malware mutation > >>> rates are accelerating is a clear indicator that the foxes are > >>> circling. This is the beginning of a death spiral; the malware > >>> numbers we've seen in the past 20 years were the low end of an > >>> exponential curve, and we're now getting to the steep part. > >>> > >>> The problem is that any given computer is only capable of so much > >>> processing. It has an upper limit to the amount of malware it can > >>> filter, those limits being related to CPU speed, RAM, diskspace, > >>> network bandwidth. This upper limit looks like a horizontal line, > on > >>> the chart that shows the exponential curve mentioned above. > >>> > >>> So my point, is that eventually, the exponential curve is going to > >>> cross that horizontal line, for any given computer, and when that > >>> happens, that computer will no longer be able to filter malware. > It > >>> will only be able to filter a subset, and thus be vulnerable to the > >>> rest. Consequently it will not be usable, for instance, on the web, > >>> and will essentially become a doorstop... > >>> > >>> The only escape from this inevitability is to ditch the platform > that > >>> is permitting the malware - that is, the only escape is to ditch > >>> Windows. It is being eaten alive, by predators that only have a > >>> foothold because there are weaknesses in the platform. > >>> > >>> Given that it can take years to migrate to a new operating system, > I > >>> do recommend, if you have not already done so, that you commence > >>> planning to ditch Windows. I might be wrong about the exponential > >>> curve, but if I'm not, then there may not be a lot of time in > between > >>> when malware levels seem managable, and the time when they are not. > >>> If your business depends on Windows machines and they all become > >>> unusable, you will have no business. What you definitely must NOT > >>> do, is assume that Windows is going to be around for a long time. > It > >>> is a dead man walking. > >>> > >>> - Of course, there might be a few years yet. You can spend those > >>> years running up your IT bill, with lots of new computers that are > >>> required to filter all that malware while still performing at a > >>> useful speed. Or, you can ditch Windows, and keep your existing > >>> hardware - it runs perfectly well, when it's not weighed down > >>> defending the indefensible. > >>> > >>> [If Microsoft dooming Windows isn't ironic enough, consider that > >>> every time malware authors pump out another set of mutations, they > >>> are nailing one more nail in the coffin of the platform that they > >>> depend on to make their living! Ahh, there is justice in the world > >>> after all.] > >>> > >>> [And the end game? Well, M$ could open-source Windows, but > frankly, > >>> why would anyone bother trying to fix it? As the old saying goes, > >>> don't flog a dead horse...] > >>> > >>> --- > >>> > > > > > > --- > > Stuart Udall > > stuart at@...erdelix.dot net - http://www.cyberdelix.net/ > > > > --- > > * Origin: lsi: revolution through evolution (192:168/0.2) > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists