Like them or not, M$ has done quite a bit with its SDL[1], and, though quite late in the game, the memory protection mechanisms in Vista and Windows 7. As far as anti-virus software goes, it's mostly useless[2] [there was a recent article on signature lead time, I can't find it for some reason] already.

[1] http://www.pcworld.com/businesscenter/blogs/bizfeed/167111/opinion_pigs_fly_microsoft_leads_in_security.html?tk=rss_news
[2] http://pcworld.about.com/od/virusesphishingspam/Botnets-Defeat-Most-Anti-Virus.htm

On Sat, 29 Aug 2009 20:09:55 -0400 lsi <stu...@cyberdelix.net> wrote:

> I'm saying that the world's malware authors, in their race to stay ahead of AV, are engaging in an uncoordinated, slow-motion DDOS of the world's AV systems. They are flooding the blacklists, and this flooding is accelerating. If it continues, the world's AV systems will be useless, as will be the machines they are protecting.
>
> Note, I have NOT gone off and compiled some stats, I've just noted an existing trend, and extrapolated it. Here's an article from 2005, again, the numbers suggest an exponential curve.
> http://www.theregister.co.uk/2005/01/05/mcafee_avert_report/
>
> The biological metaphor does suggest that Microsoft would take some kind of evasive action, and I think their only option is to license unix, just as Apple did (although Apple did it for different reasons). Doing this will solve many problems, they can keep their proprietary interface and their reputation, and possibly even their licensing and marketing models, while under the hood, unix saves the day. They will need to eat some very humble pie, a few diehards might jump from Redmond's towers, and the clash of cultures will toast some excellent marshmallows... but they will save their business. Do they have a choice? Malware numbers are suggesting they don't.
>
> Licensing the solution suits Microsoft's business model (much easier for them to buy in a fix than build one, they tried that already), they did in fact do it many times previously, starting with a certain product called MS-DOS, and it means they can keep their customer base, they just sell them an upgrade which is in fact a completely new system - again, just as Apple did with OSX.
>
> Actually, I think the simplest thing for them to do would be to buy Apple, then they can rebadge OSX, instead of reinventing it.
>
> Stu
>
> On 28 Aug 2009 at 10:24, Rohit Patnaik wrote:
>
> Date sent: Fri, 28 Aug 2009 10:24:25 -0500
> From: Rohit Patnaik <quanti...@gmail.com>
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] windows future
>
>> I'm not sure I agree with the basic premise of this scenario. You're suggesting that getting exposed to malware is some kind of inevitability, and that eventually there will be enough different kinds of malware that filtering them all will be impossible. I don't think that's valid. Good browsing habits, running a firewall, and keeping your machine updated will prevent almost all malware from even getting access to your machine. Then all we have to worry about are the few bits of code that are capable of getting through our defenses.
>>
>> To reiterate the biological analogy, we don't rely on antibiotics to stop infection. We rely on good hygiene. In the same way, just as increased biological infection rates led to a push for greater public hygiene (e.g. indoor plumbing, closed sewers, etc.) we'll see a push for greater computer hygiene as malware infection rates rise. Windows already includes a firewall to prevent automated worm infections, and Microsoft is working to harden network facing applications, as evidenced by their recent decision to have IE run with limited privileges. As malware becomes more virulent, the "immunity" of Windows will likewise grow, putting a damper on any sort of exponential growth curve.
>>
>> --Rohit Patnaik
>>
>> lsi wrote:
>> > Thanks for the comments, indeed, the exponential issue arises due to the use of blacklisting by current AV technologies, and a switch to whitelisting could theoretically mitigate that, however, I'm not sure that would work in practice, there are so many little bits of code that execute, right down to tiny javascripts that check you've filled in an online form correctly, and the user might be bombarded with prompts. Falling back on tweaks to user privileges and UAC prompts is hardly fixing the problem. The core problem is the platform is inherently insecure, due to its development, licensing and marketing models, and nothing is going to fix that. Even if fixing it became somehow possible, the same effort could be spent improving a competing system, rather than fixing a broken one.
>> >
>> > Just to complete the extrapolation, the below.
>> >
>> > Assuming that mutation rates continue to increase exponentially, infection rates will reach a maximum when the average computer reaches 100% utilisation due to malware filtering. Infection rates will then decline as vulnerable hosts "die off" due to their inability to filter. These hosts will either be replaced with new, more powerful Windows machines (before these themselves succumb to the exponential curve), OR, they will be re-deployed, running a different, non-Windows platform.
>> >
>> > Eventually, the majority of computer owners will get the idea that they don't need to buy ever-more powerful gear, just to do the same job they did yesterday (there may come a time when the fastest machine available is unable to cope, there is every possibility that mutation rates will exceed Moore's Law). The number of vulnerable hosts will then fall sharply, as the platform is abandoned en masse.
>> >
>> > At this time, crackers who have been depending upon a certain amount of cracks per week for income, will find themselves short. They will then, if they have not already, refocus their activities on more profitable revenue streams.
>> >
>> > If every computer is running a diverse ecosystem, crackers will have no choice but to resort to small-scale, targeted attacks, and the days of mass-market malware will be over, just as the days of the mass-market platform it depends on, will also be over.
>> >
>> > And then, crackers will need to be very good crackers, to generate enough income from their small-scale attacks. If they aren't very good, they might find it easier and more profitable to get a 9-to-5 job. The number of malware authors will then fall sharply.
>> >
>> > The world will awaken from the 20+ year nightmare that was Windows, made possible only by manipulative market practices, driven by greed, and discover the only reason it was wracked with malware, was because it had all its eggs in one basket.
>> >
>> > Certainly, vulnerabilities will persist, and skilled cracking groups may well find new niches from which to operate. But diversifying the ecosystem raises the barrier to entry, to a level most garden-variety crackers will find unprofitable, and that will be all that is required, to encourage most of them to do something else with their lives, and significantly reduce the incidence of cybercrime.
>> >
>> > (now I phrase it like that, it might be said, that by buying Microsoft, you are indirectly channelling money to organised crime gangs, who most likely engage in other kinds of criminal activity, in addition to cracking, such as identity theft, money laundering, and smuggling.
>> > That is, when you buy Microsoft, you are propping up the monoculture, and that monoculture feeds criminals, by way of its inherent flaws. Therefore, if you would like to reduce criminal activity, don't buy Microsoft.)
>> >
>> > -EOF
>> >
>> > On 27 Aug 2009 at 13:45, lsi wrote:
>> >
>> > From: "lsi" <stu...@cyberdelix.net>
>> > To: full-disclosure@lists.grok.org.uk
>> > Date sent: Thu, 27 Aug 2009 13:45:01 +0100
>> > Priority: normal
>> > Subject: [Full-disclosure] windows future
>> > Send reply to: stu...@cyberdelix.net <full-disclosure.lists.grok.org.uk>
>> >
>> >> [Some more extrapolations, this time taken from the fact that malware mutation rates are increasing exponentially. - Stu]
>> >>
>> >> (actually, this wasn't written for an FD audience, please excuse the bit where it urges you to consider your migration strategy, I know you're all ultra-l33t and don't have a single M$ box on your LAN)
>> >>
>> >> http://www.theregister.co.uk/2009/08/13/malware_arms_race/
>> >>
>> >> If this trend continues, there will come a time when the amount of malware is so large, that anti-malware filters will need more power than the systems they are protecting are able to provide.
>> >>
>> >> At this time, those systems will become essentially worthless, and unusable.
>> >>
>> >> You can choose to leave now, or later. But you cannot choose to stay...
>> >>
>> >> (I mean, that the Windows platform seems destined to fill, completely, with malware, such that your computer will spend ALL its time on security matters, and will have no CPU, RAM etc left for actual work.
>> >> At the end of the day, the ability of malware to infect Windows machines is due to the fact that Windows is a monoculture, a monolith, built by a single company, with many interconnections and hidden alleyways. It's hard to imagine a platform LESS vulnerable - compare with open-source efforts, which are diverse, homogenous and connect via open protocols. Malware finds life hard in the sterile, purified world of RFCs, where one of many different programs may process your malicious payload, all of which have been peer-reviewed. In Windows, malware knows that a specific Microsoft EXE will process its data, knows that the code has not been thoroughly checked, and can make use of undocumented mechanisms.
>> >>
>> >> So basically Microsoft, by hoarding their source, by tightly integrating functionality, and by seeking to monopolise the various markets created by the platform (browser, media player, office software), have doomed Windows, and everything that runs on it. The lack of diversity in the Windows ecosystem means that it is highly vulnerable to attack by predators. The fact that malware mutation rates are accelerating is a clear indicator that the foxes are circling. This is the beginning of a death spiral; the malware numbers we've seen in the past 20 years were the low end of an exponential curve, and we're now getting to the steep part.
>> >>
>> >> The problem is that any given computer is only capable of so much processing. It has an upper limit to the amount of malware it can filter, those limits being related to CPU speed, RAM, disk space, network bandwidth. This upper limit looks like a horizontal line, on the chart that shows the exponential curve mentioned above.
>> >>
>> >> So my point, is that eventually, the exponential curve is going to cross that horizontal line, for any given computer, and when that happens, that computer will no longer be able to filter malware. It will only be able to filter a subset, and thus be vulnerable to the rest. Consequently it will not be usable, for instance, on the web, and will essentially become a doorstop...
>> >>
>> >> The only escape from this inevitability is to ditch the platform that is permitting the malware - that is, the only escape is to ditch Windows. It is being eaten alive, by predators that only have a foothold because there are weaknesses in the platform.
>> >>
>> >> Given that it can take years to migrate to a new operating system, I do recommend, if you have not already done so, that you commence planning to ditch Windows. I might be wrong about the exponential curve, but if I'm not, then there may not be a lot of time in between when malware levels seem manageable, and the time when they are not. If your business depends on Windows machines and they all become unusable, you will have no business. What you definitely must NOT do, is assume that Windows is going to be around for a long time. It is a dead man walking.
>> >>
>> >> - Of course, there might be a few years yet. You can spend those years running up your IT bill, with lots of new computers that are required to filter all that malware while still performing at a useful speed. Or, you can ditch Windows, and keep your existing hardware - it runs perfectly well, when it's not weighed down defending the indefensible.
>> >>
>> >> [If Microsoft dooming Windows isn't ironic enough, consider that every time malware authors pump out another set of mutations, they are nailing one more nail in the coffin of the platform that they depend on to make their living! Ahh, there is justice in the world after all.]
>> >>
>> >> [And the end game? Well, M$ could open-source Windows, but frankly, why would anyone bother trying to fix it? As the old saying goes, don't flog a dead horse...]
>> >>
>> >> ---
>> >> Stuart Udall
>> >> stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/
>> >>
>> >> ---
>> >> * Origin: lsi: revolution through evolution (192:168/0.2)
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/