Re: [Full-disclosure] Windows' future (reprise)

2010-05-25 Thread Christian Sciberras
Oh my G!


I'm going to quote that site next time I get to help a *nix newbie figure
out permissions without sudo.

Seriously, by that reasoning I could accuse Linux users of exerting too much
freedom, giving the illusion of godly control - which as you might have
guessed is a "sin".


...unless you redefined "sin" as "using MS windows"?




On Tue, May 25, 2010 at 6:13 PM, M.B.Jr.  wrote:

> Hey kids, whazup?
>
>
> On Sat, May 15, 2010 at 11:40 AM, Thor (Hammer of God)
>  wrote:
> > If you are still running Windows 95 that's your problem.
>
>
> Nevertheless, if one runs Windows 7, here is the problem:
>
> http://en.windows7sins.org/
>
>
> Regards,
>
>
>
> Marcio Barbado, Jr.
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows' future (reprise)

2010-05-25 Thread M.B.Jr.
Hey kids, whazup?


On Sat, May 15, 2010 at 11:40 AM, Thor (Hammer of God)
 wrote:
> If you are still running Windows 95 that's your problem.


Nevertheless, if one runs Windows 7, here is the problem:

http://en.windows7sins.org/


Regards,



Marcio Barbado, Jr.



Re: [Full-disclosure] Windows' future (reprise)

2010-05-21 Thread Georgi Guninski
On Tue, May 18, 2010 at 11:27:22AM -0400, valdis.kletni...@vt.edu wrote:
>
> (Note that the esteemed Mr Rumsfeld overlooked "unknown knowns" - that class
> of stuff we don't realize or refuse to admit we actually *do* know:
>
ok, i know i am a writer not a reader (like a narcissist chukcha is ;) )

can you recommend reading about malware that belongs to a class of malware "the 
existence of which provably cannot be proved within  ... if 
one assumes  itself is consistent> [1]"

the disclosed idea of backdooring the compiler doesn't count, because currently 
people are *examining* compilers (well, assuming they can do it).

did some {\TeX , .pdf } producer manage to represent in text some 
_abstract??_ backdooring that is undetectable with current plausible budgets 
(as in "god can backdoor all of your bases" or "it may be possible to screw the 
electric field in an exploitable way in any circumstances" ) ?


[1] 
http://en.wikipedia.org/w/index.php?title=Large_cardinal_property&oldid=18071390



Re: [Full-disclosure] Windows' future (reprise)

2010-05-19 Thread Thor (Hammer of God)
LOL.  Actually, I *did* get a new version of Dreamweaver!  But I think I'll 
stick with Expression - I like it... but, I'll still have to see what DW will 
do for me.

It's great that we can make fun of each other without the other taking it too 
personally.  Good stuff.  

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
Sent: Wednesday, May 19, 2010 1:08 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows' future (reprise)

On 18 May 2010 at 14:40, Thor (Hammer of God) wrote:

> In fact, this thread has inspired me to add a new section to the 
> Hammer of God website (currently undergoing major renovation)

Uh-huh... get a new version of Dreamweaver did we? :)

> I just want to make sure you understand that *I* didn't have anything to
> do with any ludicrous comments

Sure, we understand that completely. we really do :)

Just teasing, tx for the chats, lookin forward to next time...

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] Windows' future (reprise)

2010-05-19 Thread lsi
On 18 May 2010 at 14:40, Thor (Hammer of God) wrote:

> In fact, this thread has inspired me to add a new section to the
> Hammer of God website (currently undergoing major renovation)

Uh-huh... get a new version of Dreamweaver did we? :)

> I just want to make sure you understand that *I* didn't have anything to
> do with any ludicrous comments

Sure, we understand that completely. we really do :)

Just teasing, tx for the chats, lookin forward to next time...

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Paul Schmehl
--On Tuesday, May 18, 2010 14:40:45 + "Thor (Hammer of God)" 
 wrote:

>
>
> What messages warning you from using Windows?  I certainly hope you do not
> have me confused with the OP – I already used the term “hysteria” to
> describe his ideas and subsequent recommendations.  The entire premise is
> fatally flawed, and the subsequent replies show a level of ignorance that I
> have not seen in a “professional” security person in some time.   It’s
> not surprising to see that the background of his site “remains blackened in
> protest against the many illegal and unethical activities of the USA.”
> Hysterical indeed.
>
>
>
> In fact, this thread has inspired me to add a new section to the Hammer of
> God website (currently undergoing major renovation) called “Tard of the
> Month”  where I’ll take claims like the one submitted by the OP and
> basically… well, you know what I’ll do.
>
>
>
> I just want to make sure you understand that *I* didn’t have anything to do
> with any ludicrous comments about abandoning the Windows platform because all
> the oxygen in my computer was being consumed by what Symantec notes as “new
> threats.”
>

OK.  What about the CO2 in your computer?  :-)


-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson


Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Thor (Hammer Of God)
All I saw was "sent from my HTC" from him.  Maybe I'm glad I missed  
it ;)




On May 18, 2010, at 8:15 AM, Christian Sciberras   
wrote:



Thor,

Sorry, I didn't make my points clear enough. I was replying  
sarcastically to Cassidy's remarks and asking him to prove his claims.


Regards.


On Tue, May 18, 2010 at 4:40 PM, Thor (Hammer of God) wrote:
What messages warning you from using Windows?  I certainly hope you
do not have me confused with the OP – I already used the term
“hysteria” to describe his ideas and subsequent recommendations.
The entire premise is fatally flawed, and the subsequent replies show
a level of ignorance that I have not seen in a “professional”
security person in some time.   It’s not surprising to see that the
background of his site “remains blackened in protest against the many
illegal and unethical activities of the USA.”  Hysterical indeed.

In fact, this thread has inspired me to add a new section to the
Hammer of God website (currently undergoing major renovation) called
“Tard of the Month”  where I’ll take claims like the one
submitted by the OP and basically… well, you know what I’ll do.

I just want to make sure you understand that *I* didn’t have anything
to do with any ludicrous comments about abandoning the Windows platform
because all the oxygen in my computer was being consumed by what
Symantec notes as “new threats.”




t



From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Tuesday, May 18, 2010 3:40 AM
To: Cassidy MacFarlane
Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk


Subject: Re: [Full-disclosure] Windows' future (reprise)


Happens they are completely unrelated stories. Also happens that I  
won't fall for someone's hysteria from using windows.


By the way, I don't know you, but I would depend on the _fact_ that
I've been using a product without a hitch rather than someone's
claims that the said product will fall in a year's time.


By the way, I think it would do you a lot of good if you quote  
Thor's messages warning us from using Windows etc.


If you only have a troll's remarks to add, then leave the discussion.

As of this time, there is only one huge security risk all  
researchers agree on; human error aka people's stupidity






On Tue, May 18, 2010 at 11:01 AM, Cassidy MacFarlane wrote:


Sent from my HTC


-Original Message-
From: Thor (Hammer of God) 

Sent: 15 May 2010 21:59
To: full-disclosure@lists.grok.org.uk

Subject: Re: [Full-disclosure] Windows' future (reprise)

No, It's Tim Mullen.  No "Bill" here.

No, I don't misunderstand:  You said "You may recall that last year,  
the average annual growth rate of new threats (as defined by  
Symantec) was 243%.  This enabled me to predict that the number of  
new threats in this year's Symantec Threat Report would be 243% of  
last years."  IOW, you took what Symantec's numbers were for one  
year, and guessed they would be the same for this year, and then  
posted how you were almost right.  Congratulations, you can make
statements of the obvious.


You people really need to get your stories straight.  Isn't there  
some club or something you guys can join to at least sync up your  
talking points?   First we hear about how AV is stupid, unneeded,  
useless, a waste of money, and if you install it then you are  
ignorant.  Then we hear about how some people can "bypass AV" using  
kernel hooks on windows XP and call it an "8.0 Earthquake."  Now you  
come out and say that you predict that AV will not be able to keep  
up with these new "threats" and that people must stop using Windows  
as a result since Windows "is not likely of producing any secure  
version of anything anytime soon."



Then you blithe on about how people should "avoid any software that  
locks them into a Microsoft Platform like the plague" and  
specifically note .NET for businesses but of course fail to provide  
any examples of where they should go, or any real advice on your  
"mitigation strategy."


What is it about .NET that should be avoided like the plague?  Wait,
before you answer that, let's make sure you are qualified to  
answer.  One must assume that you are an expert .NET developer and  
that you have keen insight into the very foundation of the platform  
in order to know unequivocally that it should not be used under any  
circumstances.   Please give us some code examples of your .NET  
projects where it failed so miserably, even given your expertise,  
and then provide the "proper" secure solution in your magic TardWare  
solution.  Certainly someone speaking with such authority on the  
matter can come up with examples in no time.


Additionally, you've clearly performed migration engagements for  
thes

Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Valdis . Kletnieks
On Tue, 18 May 2010 18:00:52 +0300, Georgi Guninski said:

> why flame about constants about detectable malware when the world missed
> 100% of the undetectable malware? :)

"There are known knowns. These are things we know that we know. There are known
unknowns. That is to say, there are things that we now know we don't know.
But there are also unknown unknowns. These are things we do not know we
don't know." -- United States Secretary of Defense Donald Rumsfeld

(Note that the esteemed Mr Rumsfeld overlooked "unknown knowns" - that class
of stuff we don't realize or refuse to admit we actually *do* know:

"If Rumsfeld thinks that the main dangers in the confrontation with Iraq were
the "unknown unknowns," that is, the threats from Saddam whose nature we cannot
even suspect, then the Abu Ghraib scandal shows that the main dangers lie in
the "unknown knowns" - the disavowed beliefs, suppositions and obscene
practices we pretend not to know about, even though they form the background of
our public values." -- Slavoj Zizek

The computer industry is full of its own "unknown knowns"...



Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Christian Sciberras
Thor,

Sorry, I didn't make my points clear enough. I was replying sarcastically to
Cassidy's remarks and asking him to prove his claims.

Regards.


On Tue, May 18, 2010 at 4:40 PM, Thor (Hammer of God)
wrote:

> What messages warning you from using Windows?  I certainly hope you do not
> have me confused with the OP – I already used the term “hysteria” to
> describe his ideas and subsequent recommendations.  The entire premise is
> fatally flawed, and the subsequent replies show a level of ignorance that I
> have not seen in a “professional” security person in some time.   It’s not
> surprising to see that the background of his site “remains blackened in
> protest against the many illegal and unethical activities of the USA.”
> Hysterical indeed.
>
>
>
> In fact, this thread has inspired me to add a new section to the Hammer of
> God website (currently undergoing major renovation) called “Tard of the
> Month”  where I’ll take claims like the one submitted by the OP and
> basically… well, you know what I’ll do.
>
>
>
> I just want to make sure you understand that **I** didn’t have anything to do
> with any ludicrous comments about abandoning the Windows platform because
> all the oxygen in my computer was being consumed by what Symantec notes as
> “new threats.”
>
>
>
> t
>
>
>
> *From:* Christian Sciberras [mailto:uuf6...@gmail.com]
> *Sent:* Tuesday, May 18, 2010 3:40 AM
> *To:* Cassidy MacFarlane
> *Cc:* Thor (Hammer of God); full-disclosure@lists.grok.org.uk
>
> *Subject:* Re: [Full-disclosure] Windows' future (reprise)
>
>
>
> Happens they are completely unrelated stories. Also happens that I won't
> fall for someone's hysteria from using windows.
>
> By the way, I don't know you, but I would depend on the _fact_ that I've
> been using a product without a hitch rather than someone's claims that the
> said product will fall in a year's time.
>
> By the way, I think it would do you a lot of good if you quote Thor's
> messages warning us from using Windows etc.
>
> If you only have a troll's remarks to add, then leave the discussion.
>
> As of this time, there is only one huge security risk all researchers agree
> on; human error aka people's stupidity
>
>
>
>
> On Tue, May 18, 2010 at 11:01 AM, Cassidy MacFarlane <
> cassidy.macfarl...@grantmanagement.co.uk> wrote:
>
> Sent from my HTC
>
>
> -Original Message-
> From: Thor (Hammer of God) 
>
> Sent: 15 May 2010 21:59
> To: full-disclosure@lists.grok.org.uk 
> Subject: Re: [Full-disclosure] Windows' future (reprise)
>
> No, It's Tim Mullen.  No "Bill" here.
>
> No, I don't misunderstand:  You said "You may recall that last year, the
> average annual growth rate of new threats (as defined by Symantec) was 243%.
>  This enabled me to predict that the number of new threats in this year's
> Symantec Threat Report would be 243% of last years."  IOW, you took what
> Symantec's numbers were for one year, and guessed they would be the same for
> this year, and then posted how you were almost right.  Congratulations, you
> can make statements of the obvious.
>
> You people really need to get your stories straight.  Isn't there some club
> or something you guys can join to at least sync up your talking points?
> First we hear about how AV is stupid, unneeded, useless, a waste of money,
> and if you install it then you are ignorant.  Then we hear about how some
> people can "bypass AV" using kernel hooks on windows XP and call it an "8.0
> Earthquake."  Now you come out and say that you predict that AV will not be
> able to keep up with these new "threats" and that people must stop using
> Windows as a result since Windows "is not likely of producing any secure
> version of anything anytime soon."
>
>
> Then you blithe on about how people should "avoid any software that locks
> them into a Microsoft Platform like the plague" and specifically note .NET
> for businesses but of course fail to provide any examples of where they
> should go, or any real advice on your "mitigation strategy."
>
> What is it about .NET that should be avoided like the plague?  Wait, before
> you answer that, let's make sure you are qualified to answer.  One must
> assume that you are an expert .NET developer and that you have keen insight
> into the very foundation of the platform in order to know unequivocally that
> it should not be used under any circumstances.   Please give us some code
> examples of your .NET projects where it failed so miserably, even given your
> expertise, and then provide

Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Georgi Guninski
On Sun, May 16, 2010 at 08:49:29PM -0400, valdis.kletni...@vt.edu wrote:
> On Sun, 16 May 2010 23:49:00 BST, lsi said:
> > Malware is flooding at 243% (+/- error).  This is consuming the
> > oxygen in your machine.
> 
> The basic error in your analysis is that although there may in fact be


why flame about constants about detectable malware when the world missed
100% of the undetectable malware? :)



Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Thor (Hammer of God)
What messages warning you from using Windows?  I certainly hope you do not have 
me confused with the OP - I already used the term "hysteria" to describe his 
ideas and subsequent recommendations.  The entire premise is fatally flawed, 
and the subsequent replies show a level of ignorance that I have not seen in a 
"professional" security person in some time.   It's not surprising to see that 
the background of his site "remains blackened in protest against the many 
illegal and unethical activities of the USA."  Hysterical indeed.

In fact, this thread has inspired me to add a new section to the Hammer of God 
website (currently undergoing major renovation) called "Tard of the Month"  
where I'll take claims like the one submitted by the OP and basically... well, 
you know what I'll do.

I just want to make sure you understand that *I* didn't have anything to do with 
any ludicrous comments about abandoning the Windows platform because all the 
oxygen in my computer was being consumed by what Symantec notes as "new 
threats."

t

From: Christian Sciberras [mailto:uuf6...@gmail.com]
Sent: Tuesday, May 18, 2010 3:40 AM
To: Cassidy MacFarlane
Cc: Thor (Hammer of God); full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows' future (reprise)

Happens they are completely unrelated stories. Also happens that I won't fall 
for someone's hysteria from using windows.

By the way, I don't know you, but I would depend on the _fact_ that I've been 
using a product without a hitch rather than someone's claims that the said 
product will fall in a year's time.

By the way, I think it would do you a lot of good if you quote Thor's messages 
warning us from using Windows etc.

If you only have a troll's remarks to add, then leave the discussion.

As of this time, there is only one huge security risk all researchers agree on; 
human error aka people's stupidity




On Tue, May 18, 2010 at 11:01 AM, Cassidy MacFarlane
<cassidy.macfarl...@grantmanagement.co.uk> wrote:
Sent from my HTC

-Original Message-
From: Thor (Hammer of God) <t...@hammerofgod.com>
Sent: 15 May 2010 21:59
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows' future (reprise)

No, It's Tim Mullen.  No "Bill" here.

No, I don't misunderstand:  You said "You may recall that last year, the 
average annual growth rate of new threats (as defined by Symantec) was 243%.  
This enabled me to predict that the number of new threats in this year's 
Symantec Threat Report would be 243% of last years."  IOW, you took what 
Symantec's numbers were for one year, and guessed they would be the same for 
this year, and then posted how you were almost right.  Congratulations, you can 
make statements of the obvious.
You people really need to get your stories straight.  Isn't there some club or 
something you guys can join to at least sync up your talking points?   First we 
hear about how AV is stupid, unneeded, useless, a waste of money, and if you 
install it then you are ignorant.  Then we hear about how some people can 
"bypass AV" using kernel hooks on windows XP and call it an "8.0 Earthquake."  
Now you come out and say that you predict that AV will not be able to keep up 
with these new "threats" and that people must stop using Windows as a result 
since Windows "is not likely of producing any secure version of anything 
anytime soon."

Then you blithe on about how people should "avoid any software that locks them 
into a Microsoft Platform like the plague" and specifically note .NET for 
businesses but of course fail to provide any examples of where they should go, 
or any real advice on your "mitigation strategy."
What is it about .NET that should be avoided like the plague?  Wait, before you 
answer that, let's make sure you are qualified to answer.  One must assume that 
you are an expert .NET developer and that you have keen insight into the very 
foundation of the platform in order to know unequivocally that it should not be 
used under any circumstances.   Please give us some code examples of your .NET 
projects where it failed so miserably, even given your expertise, and then 
provide the "proper" secure solution in your magic TardWare solution.  
Certainly someone speaking with such authority on the matter can come up with 
examples in no time.

Additionally, you've clearly performed migration engagements for these people 
you "advise."  Please let us know what the actual migration plan was, and how 
you have so brilliantly created a one-off cost migration path.  I'm really 
interested in the details about that.  I would pa

Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Christian Sciberras
Happens they are completely unrelated stories. Also happens that I won't
fall for someone's hysteria from using windows.

By the way, I don't know you, but I would depend on the _fact_ that I've
been using a product without a hitch rather than someone's claims that the
said product will fall in a year's time.

By the way, I think it would do you a lot of good if you quote Thor's
messages warning us from using Windows etc.

If you only have a troll's remarks to add, then leave the discussion.

As of this time, there is only one huge security risk all researchers agree
on; human error aka people's stupidity





On Tue, May 18, 2010 at 11:01 AM, Cassidy MacFarlane <
cassidy.macfarl...@grantmanagement.co.uk> wrote:

> Sent from my HTC
>
> -Original Message-
> From: Thor (Hammer of God) 
> Sent: 15 May 2010 21:59
> To: full-disclosure@lists.grok.org.uk 
> Subject: Re: [Full-disclosure] Windows' future (reprise)
>
> No, It's Tim Mullen.  No "Bill" here.
>
> No, I don't misunderstand:  You said "You may recall that last year, the
> average annual growth rate of new threats (as defined by Symantec) was 243%.
>  This enabled me to predict that the number of new threats in this year's
> Symantec Threat Report would be 243% of last years."  IOW, you took what
> Symantec's numbers were for one year, and guessed they would be the same for
> this year, and then posted how you were almost right.  Congratulations, you
> can make statements of the obvious.
>
> You people really need to get your stories straight.  Isn't there some club
> or something you guys can join to at least sync up your talking points?
> First we hear about how AV is stupid, unneeded, useless, a waste of money,
> and if you install it then you are ignorant.  Then we hear about how some
> people can "bypass AV" using kernel hooks on windows XP and call it an "8.0
> Earthquake."  Now you come out and say that you predict that AV will not be
> able to keep up with these new "threats" and that people must stop using
> Windows as a result since Windows "is not likely of producing any secure
> version of anything anytime soon."
>
> Then you blithe on about how people should "avoid any software that locks
> them into a Microsoft Platform like the plague" and specifically note .NET
> for businesses but of course fail to provide any examples of where they
> should go, or any real advice on your "mitigation strategy."
>
> What is it about .NET that should be avoided like the plague?  Wait, before
> you answer that, let's make sure you are qualified to answer.  One must
> assume that you are an expert .NET developer and that you have keen insight
> into the very foundation of the platform in order to know unequivocally that
> it should not be used under any circumstances.   Please give us some code
> examples of your .NET projects where it failed so miserably, even given your
> expertise, and then provide the "proper" secure solution in your magic
> TardWare solution.  Certainly someone speaking with such authority on the
> matter can come up with examples in no time.
>
> Additionally, you've clearly performed migration engagements for these
> people you "advise."  Please let us know what the actual migration plan was,
> and how you have so brilliantly created a one-off cost migration path.  I'm
> really interested in the details about that.  I would particularly like to
> know what authentication infrastructure you would build to support secure
> enterprise-based services, your solution for client access and
> administration, and your overall network concepts.  Also, what is your
> preferred replacement for .NET again?  Details on your SDL process would be
> fantastic as well.
>
> You've got a great opportunity to really contribute to the industry by
> providing us with your qualifications and subsequent solutions to these
> problems, so I'm really looking forward to seeing what you have to say on
> the matter beyond "Symantec said we'd have this amount of growth, so I said
> that too, and I was almost right.  And since I was almost right, it is
> imperative to drop all Windows products and re-write all of your .NET code
> immediately because AV won't be able to keep up with it."
>
> t
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:
> full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
> Sent: Saturday, May 15, 2010 1:07 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Windows' future (reprise)
>
> Is that you, Bill?
>
> I think

Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Michael Simpson
On 17 May 2010 21:49, lsi  wrote:
> My interpretation of risk assessment tells me that if the chances of
> denial-of-service due to malware flooding is small, but the potential
> damage is substantial, despite the improbability, then that risk must
> be mitigated.
>

Then your interpretation / risk assessment may be wrong.
The risk of being hit on the head by a meteorite may be small but the
potential damage is substantial, despite the improbability, so that
risk must be mitigated - live in a bunker.
The risk of dying by slipping down the stairs in the morning (~1200
people per year in UK) is small but the potential damage is
substantial - outlaw stairs.
The risk of dying putting on your slippers is small (~75 people each
year in UK) but the potential damage is substantial - outlaw slippers.

I run Windows and I run *nix. IMHO you can mitigate the risks
associated with either to an acceptable level.

mike



Re: [Full-disclosure] Windows' future (reprise)

2010-05-18 Thread Cassidy MacFarlane
Sent from my HTC

-Original Message-
From: Thor (Hammer of God) 
Sent: 15 May 2010 21:59
To: full-disclosure@lists.grok.org.uk 
Subject: Re: [Full-disclosure] Windows' future (reprise)

No, It's Tim Mullen.  No "Bill" here.  

No, I don't misunderstand:  You said "You may recall that last year, the 
average annual growth rate of new threats (as defined by Symantec) was 243%.  
This enabled me to predict that the number of new threats in this year's 
Symantec Threat Report would be 243% of last years."  IOW, you took what 
Symantec's numbers were for one year, and guessed they would be the same for 
this year, and then posted how you were almost right.  Congratulations, you can 
make statements of the obvious.

You people really need to get your stories straight.  Isn't there some club or 
something you guys can join to at least sync up your talking points?   First we 
hear about how AV is stupid, unneeded, useless, a waste of money, and if you 
install it then you are ignorant.  Then we hear about how some people can 
"bypass AV" using kernel hooks on windows XP and call it an "8.0 Earthquake."  
Now you come out and say that you predict that AV will not be able to keep up 
with these new "threats" and that people must stop using Windows as a result 
since Windows "is not likely of producing any secure version of anything 
anytime soon."  

Then you blithe on about how people should "avoid any software that locks them 
into a Microsoft Platform like the plague" and specifically note .NET for 
businesses but of course fail to provide any examples of where they should go, 
or any real advice on your "mitigation strategy."  

What is it about .NET that should be avoided like the plague?  Wait, before you 
answer that, let's make sure you are qualified to answer.  One must assume that 
you are an expert .NET developer and that you have keen insight into the very 
foundation of the platform in order to know unequivocally that it should not be 
used under any circumstances.   Please give us some code examples of your .NET 
projects where it failed so miserably, even given your expertise, and then 
provide the "proper" secure solution in your magic TardWare solution.  
Certainly someone speaking with such authority on the matter can come up with 
examples in no time.  

Additionally, you've clearly performed migration engagements for these people 
you "advise."  Please let us know what the actual migration plan was, and how 
you have so brilliantly created a one-off cost migration path.  I'm really 
interested in the details about that.  I would particularly like to know what 
authentication infrastructure you would build to support secure 
enterprise-based services, your solution for client access and administration, 
and your overall network concepts.  Also, what is your preferred replacement 
for .NET again?  Details on your SDL process would be fantastic as well. 

You've got a great opportunity to really contribute to the industry by 
providing us with your qualifications and subsequent solutions to these 
problems, so I'm really looking forward to seeing what you have to say on the 
matter beyond "Symantec said we'd have this amount of growth, so I said that 
too, and I was almost right.  And since I was almost right, it is imperative to 
drop all Windows products and re-write all of your .NET code immediately 
because AV won't be able to keep up with it."

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
Sent: Saturday, May 15, 2010 1:07 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows' future (reprise)

Is that you, Bill?

I think you misunderstand.  9 months ago, I measured the growth rate at 243%, 
using Symantec's stats.  9 months ago I posted that number here, together with 
a prediction of this year's stats.  Recently, I got this year's stats and 
compared them with that prediction.  I found that this prediction was 75.4% 
accurate.  I am now reporting those results back to the group.  And this is 
trolling how?

My point is that the prediction was not wildly wrong, and so that leads me to 
wonder if anything else I said, 9 months ago, was also not wildly wrong.

My main reason for claiming that Windows is inherently insecure is because it's 
closed source.  However it's also because of the sloppy, monolithic spaghetti 
code that Windows is made of.  If you're claiming Windows is in fact inherently 
secure, I assume this means you don't use AV on any of your Windows machines, 
and advise everyone you know to uninstall it?

I never said migration would be free or easy.  That is why I am posting this 
data here, because I see it as a vulnerability, a 

Re: [Full-disclosure] Windows' future (reprise)

2010-05-17 Thread lsi
On 17 May 2010 at 0:18, valdis.kletni...@vt.edu wrote:

> On Mon, 17 May 2010 03:48:36 BST, lsi said:
> 
> > It is mutating at approx 243% per annum, a rate which is more than
> > twice as fast as Moore's Law (200% every 24 months).  I do find this
> > alarming, because I want my CPU back.  So does everyone else I know.
> 
> Unfortunately, you haven't shown that the CPU actually consumed is going up by
> 243% or any significant fraction thereof.  Admittedly, A/V products are slowly
> taking more and more resources, but nowhere near a Moore's Law rate.
> 
> Do some benchmarking.  Time how long it takes to scan a collection of 500 or so
> random files using a 2007 version of your favorite A/V software and signatures,
> and time how long this week's version takes. The difference between the two
> numbers is the CPU you can "get back". I guarantee it has no relationship
> to the 243% you're complaining about (for starters, even if it *was* gaining
> 243% a year, that's a 243% growth rate of the 5% or so your anti-virus uses,
> not of your entire CPU capacity).

Indeed.

Although 243% of 5% will get quite large quite soon too.  I think it 
might be less than that right now - 2% maybe.  The problem is really 
that even 0.5% will turn into 42.36% after 5 years, at 243% growth.  
(I have triple checked that, I'm certain it's right, that's 
outrageous, it's because it's an exponential curve, gets steep 
quickly).

(It will be 243% of 5%, divided by the efficiency ratio you mentioned 
earlier.  That ratio is critical.  The smaller it is, the less it 
holds back the 243%.)

> > I'm not analysing infections, I'm analysing "new threats" (as defined
> > by Symantec).
> 
> Read Thor's description of the difference between threats and risks.
> 
> Defending against threats doesn't consume additional CPU.
> Defending against risks *may* consume additional CPU.

My interpretation of risk assessment tells me that if the chances of 
denial-of-service due to malware flooding is small, but the potential 
damage is substantial, despite the improbability, then that risk must 
be mitigated.

I do understand that additional "new threats" (as defined by 
Symantec) may, or may not, impact on CPU due to the efficiency ratio 
you explained earlier.

It's not possible to accurately quantify the risk until key numbers, 
such as the average CPU usage per detection rule, and the average 
efficiency ratio, are known.  What we can say right now is that there 
is a risk, of size unknown, that malware flooding will result in DOS 
conditions.

We cannot say how big the risk is yet.  But also, we cannot say that 
it does not exist.

As numbers such as average CPU usage per detection rule, and the 
average efficiency ratio, are likely to be commercial secrets, that 
will mean we will be forced to navigate blind.  This heightens the 
risk and thus the level of mitigation that is required.  That is why 
my advice remains to evacuate the platform.

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows' future (reprise)

2010-05-17 Thread lsi
On 17 May 2010 at 18:08, Thor (Hammer of God) wrote:

> >Is my business at risk, if I
> >say the wrong thing, and my customers go out of business because
> >their hardware/software combination is no longer viable?

> In business, you are always exposed to some level of risk when you
> charge for professional services.  That's why you carry various
> business insurance

No, I'm not worried about being sued, I'm worried about my revenue 
streams disappearing.

> However, when you make public posts to a mailing list that is
> replicated worldwide about how you are consulting for a business that
> purchased a $24,000 .net application (or whatever it was) but then go
> on to say how you know absolutely nothing about .net, I do think you
> are opening yourself up for legal action

Not at all - my customer is fully aware that I know nothing about 
their software.  They got sick of me giving them my disclaimer.  They 
are happy for me to work on it because otherwise, they need to pay a 
large amount in annual support fees, to the company who wrote the 
software.

> However, I don't trust myself to set up a secure unix installation;
> certainly not to a point that I would provide professional services
> and bill clients for.  If I were to do that, I would (and should) be
> held liable for damages arising out of errors I am responsible for. 

Small print is always good.  Also, some systems need to be more 
secure than others.  For public servers, I outsource to another 
outsourcer.

> The "right" thing to do here, from a business and ethics standpoint,
> is to subcontract a .net professional who can represent you properly. 

I am pushing my customer to re-sign the service contract with the 
developers of the product.  They don't want to spend the money.  
There's politics too - the guy who made the purchasing decision 
doesn't want to admit it was a mistake, so he is pretending there are 
no problems with the software, and therefore there is no need to pay 
for the service contract (or so goes his logic).

It'd make an excellent case study for someone...

> The job will get done properly, you will make money, and your customer
> will be happy.   You're in London, right?  Call up some guys at NGS
> and see if they can help you.  There are some really good people
> there. 

Thanks.  I don't have access to the source, however, so I doubt 
there's anything that can be done.  This app, even the error messages 
are encrypted!  (is that some .NET wheeze? lovely)  So it can be 
quite touch and go. But it still costs them less than their annual 
support contract would.

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] Windows' future (reprise)

2010-05-17 Thread lsi
On 16 May 2010 at 20:49, valdis.kletni...@vt.edu wrote:

To: stu...@cyberdelix.net
Copies to:  full-disclosure@lists.grok.org.uk
Subject:Re: [Full-disclosure] Windows' future (reprise)
From:   valdis.kletni...@vt.edu
Date sent:  Sun, 16 May 2010 20:49:29 -0400

> On Sun, 16 May 2010 23:49:00 BST, lsi said:
> > Malware is flooding at 243% (+/- error).  This is consuming the
> > oxygen in your machine.
> 
> The basic error in your analysis is that although there may in fact be
> 243% more malware samples, that doesn't translate into 243% more oxygen
> consumption.

Yes, I agree that the oxygen is not being used at 243%.  

Last year, I did get a bit excited and said some things like that, 
("you'll need 200 of today's processors, just for malware filtering, 
by 2015."), I do think that was wrong.  So this year, I took pains 
not to say that, you'll note I only said the oxygen was being 
consumed, I didn't say at what rate.  

To go with your pizza example, say the CPU is the pizza, back in the 
80's I had the whole pizza to myself (no AV).  Then I installed AV 
and I had slightly less pizza; the AV takes a small slice of pizza 
for itself.  

As the years have passed the AV is doing more and more work.  That 
means its slice of pizza is growing, and the remainder, which is what 
I get, is shrinking.  

This is to ignore all the other junk that modern systems run, which 
also have their bit of pizza too.  

What I don't know is *how much* extra pizza is being consumed.  As 
you say, 243% extra samples does not correspond to 243% less pizza 
for me.  I am not familiar with the innards of an AV scan engine, so 
this might be naive - but surely there will be more CPU used by the 
AV as the number of signatures increases.

Therefore, there must come a time, assuming malware continues to 
increase in number, when eventually, my PC will use all of its CPU on 
malware filtering.  

Yes - maybe that is 20 years away, and I will have upgraded by then.  
But is it 20 years away?  And what if I can't upgrade?  What about in 
the meantime - am I going to tolerate my slow machine?  How slow is 
too slow?  Time is money.  Why would anyone willingly allow their 
machine to run slowly, and thus cost themselves money?  

As I said last year - as soon as Joe Average Business User figures 
out he can do stuff 25% faster, just by dumping his OS*, he will want 
to dump his OS.  

Note, 25% faster was a guess, that would be easy enough to measure, 
will need some old AV software and signature sets, to clock how fast 
they run while a set of tests are run, then install new AV and new 
signature sets and rerun the tests.  Then run the tests with the AV 
switched off.  

* he doesn't realise what a pain it is, but it's not his problem... 
it's mine!  And everyone else who is paid to keep stuff running.  
Although I see it as an opportunity rather than a problem.  Even Thor 
has his chance, he should get coding on that connector, then sell it 
to all his former competitors  

> Consider a pizza cut into 8 pieces and somebody comes along and eats 6 of
> them.  Now consider an identical pizza cut 16 ways and somebody eats 12 slices.
> The rate of slice consumption has doubled, but the actual amount of pizza
> consumed hasn't changed.

> Similarly, the fact there's (say) 5 million new malware samples doesn't mean
> there's 5 million new holes in Windows this year.  What you have is 5 million
> new ways of poking the same 20 or 30 new holes.  This makes it a lot easier for
> the A/V companies. Although they may have 37 different samples, there's a very
> good chance they were produced using a Metasploit-like mindset - "pick an
> exploit, add a payload, launch".  And 37 samples that use the same exploit but
> have 37 different payloads need one detection rule (for the exploit), not 37.

Thank you for explaining this.  So what it will come down to is how 
efficient the AV is at reducing that big number (total threats) to a 
smaller number (total detection rules).  37:1 is a big ratio, is that 
likely, however?  Would you know the ratio as currently enjoyed by 
current AV software, by any chance?

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)


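Putting numbers on the exchange above, as an added example that is not part of any post in the thread: this Python snippet models Stu's compounding (he reads "243% per annum" as a x2.43 multiplier each year, which is the convention used here too) together with Valdis's point that many samples map onto one detection rule, so the rule count is what actually costs CPU. The `ratio_growth` parameter is an assumption of this example, not a figure from the thread: it is how much the samples-per-rule ratio grows each year, so 1.0 reproduces Stu's 0.5% to 42.36% figure and a value equal to the sample growth is the case where the rule count stays flat.

```python
import math
from typing import List, Optional, Tuple

# Added example, not from the thread. Models the thread's own numbers:
# sample_growth is the yearly multiplier on malware samples (2.43 for "243%"),
# ratio_growth (this example's assumption) is the yearly multiplier on the
# samples-per-detection-rule ratio, and base_share is today's AV CPU share.


def projected_share(base_share: float, sample_growth: float, years: int,
                    ratio_growth: float = 1.0) -> float:
    """CPU share (percent) the AV engine uses after `years`, capped at 100.

    Rule count grows at sample_growth / ratio_growth per year: if the AV
    vendor compresses samples into rules faster, the rule count grows slower.
    """
    if base_share <= 0 or sample_growth <= 0 or ratio_growth <= 0:
        raise ValueError("share and growth factors must be positive")
    rule_growth = sample_growth / ratio_growth
    return min(100.0, base_share * rule_growth ** years)


def years_to_threshold(base_share: float, sample_growth: float,
                       threshold: float = 100.0,
                       ratio_growth: float = 1.0) -> Optional[int]:
    """Whole years until the AV share reaches `threshold`; None if it never does."""
    if base_share >= threshold:
        return 0
    rule_growth = sample_growth / ratio_growth
    if rule_growth <= 1.0:
        # rules are not growing (or are shrinking): no exhaustion point exists
        return None
    return math.ceil(math.log(threshold / base_share) / math.log(rule_growth))


def projection_table(base_share: float, sample_growth: float, years: int,
                     ratio_growth: float = 1.0) -> List[Tuple[int, float]]:
    """Year-by-year AV CPU share, rounded to two decimals."""
    return [(y, round(projected_share(base_share, sample_growth, y, ratio_growth), 2))
            for y in range(years + 1)]


if __name__ == "__main__":
    # Stu's case: 0.5% today, samples x2.43 per year, rules track samples.
    for year, share in projection_table(0.5, 2.43, 6):
        print(f"year {year}: {share:6.2f}% of CPU")
    print("years until 100%:", years_to_threshold(0.5, 2.43))
    # Valdis's case: the ratio of samples per rule grows as fast as samples do.
    print("rules flat, years until 100%:",
          years_to_threshold(0.5, 2.43, ratio_growth=2.43))
```

The point the model makes visible is that the outcome hinges entirely on `ratio_growth`, which is exactly the number neither side of the thread has; with it at 1.0 the share crosses 100% in the sixth year, and with it equal to the sample growth the share never moves.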

Re: [Full-disclosure] Windows' future (reprise)

2010-05-17 Thread Thor (Hammer of God)
>Is my business at risk, if I
>say the wrong thing, and my customers go out of business because
>their hardware/software combination is no longer viable?  I imagine
>these questions are on the minds of many IT managers, and with a
>chart on the wall showing 243% mutation, it is only reasonable that
>they be asked.
>
>Stu
>
>---
>Stuart Udall
>stuart at () cyberdelix dot net - http://www.cyberdelix.net/

In business, you are always exposed to some level of risk when you charge for 
professional services.  That's why you carry various business insurance 
policies should you engage in a project in which you are responsible for some 
level of loss on behalf of your client.  $5 million in E&O is typical, though 
I've seen as little as $1 million as a requirement.

Given that malware and virus mitigation is a systemic issue, I doubt you could 
be held responsible for a company "going out of business" because an AV program 
made their hardware and software unviable.  However, when you make public posts 
to a mailing list that is replicated worldwide about how you are consulting for 
a business that purchased a $24,000 .net application (or whatever it was) but 
then go on to say how you know absolutely nothing about .net, I do think you 
are opening yourself up for legal action should the company have issues (which, 
they probably will) and there is basically "proof" in your own words that you 
are unqualified to do the work.

I know my way around different .nix installations a bit.  I can make stuff run, 
and I am actually quite good at screwing up a kernel rebuild.  However, I don't 
trust myself to set up a secure unix installation; certainly not to a point 
that I would provide professional services and bill clients for.  If I were to 
do that, I would (and should) be held liable for damages arising out of errors I 
am responsible for.

The "right" thing to do here, from a business and ethics standpoint, is to 
subcontract a .net professional who can represent you properly.  The job will 
get done properly, you will make money, and your customer will be happy.   
You're in London, right?  Call up some guys at NGS and see if they can help 
you.  There are some really good people there.

t


Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread Valdis . Kletnieks
On Mon, 17 May 2010 03:48:36 BST, lsi said:

> It is mutating at approx 243% per annum, a rate which is more than
> twice as fast as Moore's Law (200% every 24 months).  I do find this
> alarming, because I want my CPU back.  So does everyone else I know.

Unfortunately, you haven't shown that the CPU actually consumed is going up by
243% or any significant fraction thereof.  Admittedly, A/V products are slowly
taking more and more resources, but nowhere near a Moore's Law rate.

Do some benchmarking.  Time how long it takes to scan a collection of 500 or so
random files using a 2007 version of your favorite A/V software and signatures,
and time how long this week's version takes. The difference between the two
numbers is the CPU you can "get back". I guarantee it has no relationship
to the 243% you're complaining about (for starters, even if it *was* gaining
243% a year, that's a 243% growth rate of the 5% or so your anti-virus uses,
not of your entire CPU capacity).

> I'm not analysing infections, I'm analysing "new threats" (as defined
> by Symantec).

Read Thor's description of the difference between threats and risks.

Defending against threats doesn't consume additional CPU.
Defending against risks *may* consume additional CPU.





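The benchmark Valdis describes (and the one Stu sketches earlier in the thread: old AV and signatures versus new, then AV switched off), as an added example rather than anything either of them posted: a small Python harness that builds a corpus of random files, times a scanner command over it, and reports the change. The scanner command is the reader's choice (for instance `clamscan -r`), the corpus files are constructed data rather than samples of anything, and the wall-clock plus child-CPU accounting via `os.times()` is this example's design, not a method from the thread.

```python
import os
import random
import statistics
import subprocess
import sys
import tempfile
import time
from typing import Dict, List, Sequence

# Added example (not from the thread): a harness for the benchmark Valdis
# suggests. Scan one fixed corpus with an old and a new scanner build and
# compare. The corpus is constructed pseudo-random data, not malware.


def build_corpus(directory: str, count: int = 500, size: int = 64 * 1024,
                 seed: int = 1) -> List[str]:
    """Write `count` deterministic pseudo-random files of `size` bytes each."""
    rng = random.Random(seed)  # seeded so every run scans identical bytes
    os.makedirs(directory, exist_ok=True)
    paths = []
    for i in range(count):
        path = os.path.join(directory, f"sample_{i:04d}.bin")
        with open(path, "wb") as fh:
            fh.write(rng.getrandbits(size * 8).to_bytes(size, "little"))
        paths.append(path)
    return paths


def time_scan(argv: Sequence[str], corpus_dir: str, runs: int = 3) -> Dict[str, float]:
    """Run `argv + [corpus_dir]` `runs` times; median wall and child-CPU seconds.

    Child CPU time comes from os.times() (user + system of waited-for
    children), which is what "CPU you can get back" actually measures; wall
    time is kept as well because scan latency matters to the user even when
    the CPU is idle waiting on disk. The exit status is ignored on purpose:
    AV scanners use non-zero codes to report detections, not failures.
    """
    wall, cpu = [], []
    for _ in range(runs):
        before = os.times()
        start = time.perf_counter()
        subprocess.run(list(argv) + [corpus_dir],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        wall.append(time.perf_counter() - start)
        after = os.times()
        cpu.append((after.children_user - before.children_user)
                   + (after.children_system - before.children_system))
    return {"wall": statistics.median(wall), "cpu": statistics.median(cpu)}


def extra_cost_percent(old_seconds: float, new_seconds: float) -> float:
    """Percent slower (positive) or faster (negative) the new scan is."""
    if old_seconds <= 0:
        raise ValueError("baseline must be positive")
    return (new_seconds - old_seconds) / old_seconds * 100.0


def compare_scanners(old_argv: Sequence[str], new_argv: Sequence[str],
                     corpus_dir: str, runs: int = 3) -> Dict[str, float]:
    """Time both scanners on the same corpus and report the percentage change."""
    old = time_scan(old_argv, corpus_dir, runs)
    new = time_scan(new_argv, corpus_dir, runs)
    return {"old_wall": old["wall"], "new_wall": new["wall"],
            "wall_change_pct": extra_cost_percent(old["wall"], new["wall"]),
            "old_cpu": old["cpu"], "new_cpu": new["cpu"]}


if __name__ == "__main__":
    # Usage: python av_bench.py <old scanner cmd...> -- <new scanner cmd...>
    # e.g.   python av_bench.py /opt/av2007/scan -r -- clamscan -r
    args = sys.argv[1:]
    sep = args.index("--")
    with tempfile.TemporaryDirectory() as corpus:
        build_corpus(corpus)
        print(compare_scanners(args[:sep], args[sep + 1:], corpus))
```

Run the comparison several times on an otherwise idle machine, because a single run is dominated by whichever scanner happened to get the cold disk cache; the median over `runs` is the number worth quoting, and the child-CPU figure is the one that answers the "how much CPU does AV take" question independently of I/O.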
Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread lsi
On 17 May 2010 at 1:06, Christian Sciberras wrote:

> Malware is not "flooding". It only so much as "changes" and not at an
> alarming rate either.

It is mutating at approx 243% per annum, a rate which is more than 
twice as fast as Moore's Law (200% every 24 months).  I do find this 
alarming, because I want my CPU back.  So does everyone else I know.

> Happens that any piece of [individual] malware is smaller than 5Mb (as in my
> example) therefore what you call a flood is nothing more than a couple of
> droplets of water in a lake.

Did you ever try and use your computer when it was doing a virus 
scan?  That's much more than a droplet of CPU that you are missing.

> Besides, competent anti-viruses automatically clean their own signature base
> from systems immune to certain malware (eg patched).

Nice.  That would improve things I think (assuming the patch does in 
fact make the machine invulnerable to the malware that it can no 
longer detect).

> Also, thankfully, I don't get infected with new malware X times per day, in
> fact, I don't recall ever being infected in the last 6/7 years I've run
> Windows (your point of focus).
> I'm sure I'm not alone, so where do you put us in your equation? Surely you
> can't infect non-existent workstations?

I'm not analysing infections, I'm analysing "new threats" (as defined 
by Symantec).  

However if I was analysing infections, I'd call you an outlier 
(anomaly), and exclude you from my computation.  You would be one of 
the few.  Impressive though.

Stu

> On Mon, May 17, 2010 at 12:49 AM, lsi  wrote:
> 
> > Imagine you are in an enclosed space.  It starts to flood.  As the
> > water level rises, the amount of oxygen you have available falls.
> > Unless it stops flooding, eventually you will have no oxygen at all.
> >
> > So, the CPU, RAM, diskspace, and network bandwidth of your machine,
> > as well as limits imposed by integer math, are the enclosed space.
> > Those specify the finite processing limits of your machine.  Malware
> > is the flood.  Oxygen is what's left in your enclosed space/machine,
> > once your malware defences have run.
> >
> > Malware is flooding at 243% (+/- error).  This is consuming the
> > oxygen in your machine.  You can enlarge your enclosed space, with
> > hardware upgrades, but that's not stopping the flooding.
> >
> > Eventually you will find it's not possible to upgrade the machine
> > (usually a software dependency of some kind).  At this point the
> > machine will run slower and slower.  Your alternatives will be to
> > disconnect the machine from the internet, and partially/completely
> > disable malware filters; or to replace the machine.
> >
> > As you can see you're spending money on upgrades and replacements,
> > and losing productivity and/or capabilities (eg. internet access).
> >
> > Meanwhile, the malware is still flooding into your enclosed space.
> > Every second that goes by, the rate of flooding increases.  Your boss
> > is screaming at you for spending a zillion on hardware.  Your users
> > are whinging because everything is running like a dog.  Your support
> > staff are running around constantly fixing machines on which the AV
> > has failed (yet again) to stop the latest 0-day variant.  Your
> > company's customers are livid because you had to tell them you had a
> > trojan on an accounts machine and their credit card data is now on
> > the web.  Your wife has the hump because you're never home, except in
> > a bad mood, your kids think you are a boarder, and the dog hates you
> > because you never take it for walks anymore.
> >
> > And you now need to go to your boss and ask for more money for more
> > upgrades.
> >
> > What are you gonna do?  Are you going to let your IT run like this
> > forever?  Do you think your boss will like it when you ask him for
> > more budget?
> >
> > What is your long-term strategy for fixing this problem?
> >
> > Stu
> >
> > On 16 May 2010 at 19:08, Thor (Hammer of God) wrote:
> >
> > From:   "Thor (Hammer of God)" 
> > To: "full-disclosure@lists.grok.org.uk" <
> > full-disclosure@lists.grok.org.uk>
> > Date sent:  Sun, 16 May 2010 19:08:26 +
> > Subject:Re: [Full-disclosure] Windows' future (reprise)
> >
> > > The error in your overall thesis is your failure to identify the
> > difference between threat and risk.  You are interacting with Symantec's
> > report of "x new threats" as if it actually means something, or

Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread lsi
On 16 May 2010 at 12:22, Christian Sciberras wrote:

>> An interesting point - Unicode?
>> 
>> I don't think 5Mb files are infeasible, especially as time passes,
>> that'll be just a blip before long.

> You call it a "blip" yet you are counting in infections for *everywhere* and
> *anyone* so, what makes you think service providers (which have been comfy
> in the last 6 years with a dialup-grade connection) to abruptly switch to
> high-speed fiber-optic?

Well, just because network capacity is also growing at an exponential 
rate.  I take your point, some people don't have high-speed 
connections.  This will slow things down a bit, but that's all..

> I'm just saying that your statistics are based on too few variables

What else could I use?  x=time, y=amount.  I'm not sure how I could 
use more than two variables.  Those are the only numbers I get from 
Symantec's data.

> You yourself mentioned an error margin of ~24%. This will only *grow* by
> next year.

It's an average, so I thought it might auto-correct.  There was a 
similar dip in 2006.

> Lastly, I stand my point: Malware cannot be taken as a combination (as you
> and other certain "specialists" think of it). Reason number one being that a
> software combination (hash) can vary between "malware", "useful" or
> "utterly useless"; ie, the combination of having only malware is so
> undefinable that you can't put it in any equation.

I think I understand, you're saying a virus can't be a random string, 
and I agree.  That is the job of the obfuscator, to make the virus as 
random as possible, while retaining the integrity of the logic.

I thought you were saying that the ASCII character set has 
insufficient characters to permit x billion combinations, so I 
wondered whether Unicode would.

The problem of defining malware is not mine.  All I'm doing is 
analysing Symantec's stats.  Symantec have already examined the 
sample and classified it as malware, before it gets included in the 
stats.  Symantec's stats might be dodgy, but I doubt it, surely they 
wouldn't waste their time?

> Symantec's results are not wrong, it is how you/people use them that may be
> wrong, such as attempting to predict anything out of them.

The time-series analysis I did is commonly used to make forecasts.  
It is an accepted practice to take time-series data and extrapolate 
from it.  Of course, there is an element of uncertainty, especially 
if the data is weak (small sample size, bias in the data etc).  I was 
disappointed I only got 75.4%.

What I will concede is that the conclusions I have drawn from the 
results of the analysis may well be wrong.  I don't work in an AV 
company and can only report what I see in the field.  I can see those 
numbers going up, and up, and up, and it's only natural to wonder 
where it will end.  I can also see my customers' computers running 
slower and slower, and I know what sort of performance kick is 
possible if AV is disabled, and I know that virus scans take longer 
and longer to complete.

So I do think it's a fair question to ask - will my computer handle 
billions of threats?  Does it make sense to be relying on AV to 
protect my customer's computers?  Is this house really on fire, or is 
that completely normal?  What answer should I give, when my customers 
ask me, how can I stop this from happening again?  When my customer 
is about to make an expensive strategic purchase, what points should 
I make, concerning long-term planning?  Is my business at risk, if I 
say the wrong thing, and my customers go out of business because 
their hardware/software combination is no longer viable?  I imagine 
these questions are on the minds of many IT managers, and with a 
chart on the wall showing 243% mutation, it is only reasonable that 
they be asked.

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread Valdis . Kletnieks
On Sun, 16 May 2010 23:49:00 BST, lsi said:
> Malware is flooding at 243% (+/- error).  This is consuming the
> oxygen in your machine.

The basic error in your analysis is that although there may in fact be
243% more malware samples, that doesn't translate into 243% more oxygen
consumption.

Consider a pizza cut into 8 pieces and somebody comes along and eats 6 of
them.  Now consider an identical pizza cut 16 ways and somebody eats 12 slices.
The rate of slice consumption has doubled, but the actual amount of pizza
consumed hasn't changed.

Similarly, the fact there's (say) 5 million new malware samples doesn't mean
there's 5 million new holes in Windows this year.  What you have is 5 million
new ways of poking the same 20 or 30 new holes.  This makes it a lot easier for
the A/V companies. Although they may have 37 different samples, there's a very
good chance they were produced using a Metasploit-like mindset - "pick an
exploit, add a payload, launch".  And 37 samples that use the same exploit but
have 37 different payloads need one detection rule (for the exploit), not 37.




Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread Christian Sciberras
Malware is not "flooding". It only so much as "changes" and not at an
alarming rate either.
Happens that any piece of [individual] malware is smaller than 5Mb (as in my
example) therefore what you call a flood is nothing more than a couple of
droplets of water in a lake.
Sometimes I do wonder whether some people actually know what a virus is. I
mean, this isn't eg, milk which you can market X times with different brand
names.
Besides, competent anti-viruses automatically clean their own signature base
from systems immune to certain malware (eg patched).

Also, thankfully, I don't get infected with new malware X times per day, in
fact, I don't recall ever being infected in the last 6/7 years I've run
Windows (your point of focus).
I'm sure I'm not alone, so where do you put us in your equation? Surely you
can't infect non-existent workstations?

Cheers.



On Mon, May 17, 2010 at 12:49 AM, lsi  wrote:

> Imagine you are in an enclosed space.  It starts to flood.  As the
> water level rises, the amount of oxygen you have available falls.
> Unless it stops flooding, eventually you will have no oxygen at all.
>
> So, the CPU, RAM, diskspace, and network bandwidth of your machine,
> as well as limits imposed by integer math, are the enclosed space.
> Those specify the finite processing limits of your machine.  Malware
> is the flood.  Oxygen is what's left in your enclosed space/machine,
> once your malware defences have run.
>
> Malware is flooding at 243% (+/- error).  This is consuming the
> oxygen in your machine.  You can enlarge your enclosed space, with
> hardware upgrades, but that's not stopping the flooding.
>
> Eventually you will find it's not possible to upgrade the machine
> (usually a software dependency of some kind).  At this point the
> machine will run slower and slower.  Your alternatives will be to
> disconnect the machine from the internet, and partially/completely
> disable malware filters; or to replace the machine.
>
> As you can see you're spending money on upgrades and replacements,
> and losing productivity and/or capabilities (eg. internet access).
>
> Meanwhile, the malware is still flooding into your enclosed space.
> Every second that goes by, the rate of flooding increases.  Your boss
> is screaming at you for spending a zillion on hardware.  Your users
> are whinging because everything is running like a dog.  Your support
> staff are running around constantly fixing machines on which the AV
> has failed (yet again) to stop the latest 0-day variant.  Your
> company's customers are livid because you had to tell them you had a
> trojan on an accounts machine and their credit card data is now on
> the web.  Your wife has the hump because you're never home, except in
> a bad mood, your kids think you are a boarder, and the dog hates you
> because you never take it for walks anymore.
>
> And you now need to go to your boss and ask for more money for more
> upgrades.
>
> What are you gonna do?  Are you going to let your IT run like this
> forever?  Do you think your boss will like it when you ask him for
> more budget?
>
> What is your long-term strategy for fixing this problem?
>
> Stu
>
> On 16 May 2010 at 19:08, Thor (Hammer of God) wrote:
>
> From:   "Thor (Hammer of God)" 
> To: "full-disclosure@lists.grok.org.uk" <
> full-disclosure@lists.grok.org.uk>
> Date sent:  Sun, 16 May 2010 19:08:26 +
> Subject:Re: [Full-disclosure] Windows' future (reprise)
>
> > The error in your overall thesis is your failure to identify the
> difference between threat and risk.  You are interacting with Symantec's
> report of "x new threats" as if it actually means something, or more
> specifically, that these new threats somehow translate into some new level
> of risk.  They don't.
> >
> > According to Stephen Hawking, there are new threats emerging based on the
> statistical probability of the existence of aliens.  Therefore, a "threat"
> exists where I may be struck in the head by a falling block of green alien
> poo, frozen in the atmosphere after being flushed out by a passing
> pan-galactic alien survey ship.  However, the actual *risk* of me being hit
> in the head while walking to a matinée of The Rocky Horror Picture Show
> doesn't dictate that I apply a small mixture of Purell and Teflon to my
> umbrella and fill my squirt gun with alien repellent.
> >
> > The risk of me personally being struck by falling alien poo is *far*
> lower than the risk of any one of the almost 7 billion people on the planet
> being struck by falling alien poo.  You may be able to calculate the risk of
> my being poo

Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread lsi
Imagine you are in an enclosed space.  It starts to flood.  As the 
water level rises, the amount of oxygen you have available falls.  
Unless it stops flooding, eventually you will have no oxygen at all.

So, the CPU, RAM, diskspace, and network bandwidth of your machine, 
as well as limits imposed by integer math, are the enclosed space. 
Those specify the finite processing limits of your machine.  Malware 
is the flood.  Oxygen is what's left in your enclosed space/machine, 
once your malware defences have run.

Malware is flooding at 243% (+/- error).  This is consuming the 
oxygen in your machine.  You can enlarge your enclosed space, with 
hardware upgrades, but that's not stopping the flooding.

Eventually you will find it's not possible to upgrade the machine 
(usually a software dependency of some kind).  At this point the 
machine will run slower and slower.  Your alternatives will be to 
disconnect the machine from the internet, and partially/completely 
disable malware filters; or to replace the machine.

As you can see you're spending money on upgrades and replacements, 
and losing productivity and/or capabilities (eg. internet access).

Meanwhile, the malware is still flooding into your enclosed space.  
Every second that goes by, the rate of flooding increases.  Your boss 
is screaming at you for spending a zillion on hardware.  Your users 
are whinging because everything is running like a dog.  Your support 
staff are running around constantly fixing machines on which the AV 
has failed (yet again) to stop the latest 0-day variant.  Your 
company's customers are livid because you had to tell them you had a 
trojan on an accounts machine and their credit card data is now on 
the web.  Your wife has the hump because you're never home, except in 
a bad mood, your kids think you are a boarder, and the dog hates you 
because you never take it for walks anymore.

And you now need to go to your boss and ask for more money for more 
upgrades.

What are you gonna do?  Are you going to let your IT run like this 
forever?  Do you think your boss will like it when you ask him for 
more budget?

What is your long-term strategy for fixing this problem?

Stu

On 16 May 2010 at 19:08, Thor (Hammer of God) wrote:

From:   "Thor (Hammer of God)" 
To: "full-disclosure@lists.grok.org.uk" 
Date sent:  Sun, 16 May 2010 19:08:26 +0000
Subject:Re: [Full-disclosure] Windows' future (reprise)

> The error in your overall thesis is your failure to identify the difference 
> between threat and risk.  You are interacting with Symantec's report of "x 
> new threats" as if it actually means something, or more specifically, that 
> these new threats somehow translate into some new level of risk.  They don't.
> 
> According to Stephen Hawking, there are new threats emerging based on the 
> statistical probability of the existence of aliens.  Therefore, a "threat" 
> exists where I may be struck in the head by a falling block of green alien 
> poo, frozen in the atmosphere after being flushed out by a passing 
> pan-galactic alien survey ship.  However, the actual *risk* of me being hit 
> in the head while walking to a matinée of The Rocky Horror Picture Show 
> doesn't dictate that I apply a small mixture of Purell and Teflon to my 
> umbrella and fill my squirt gun with alien repellent.
> 
> The risk of me personally being struck by falling alien poo is *far* lower 
> than the risk of any one of the almost 7 billion people on the planet being 
> struck by falling alien poo.  You may be able to calculate the risk of my 
> being poo'd in relation to any given human being poo'd, but no level of math 
> will allow you to determine what my or any other person's individual chance 
> of being poo'd is.
> 
> Your argument would call everyone to change the way they protect themselves 
> from falling alien poo out of the mere existence of a threat without really 
> qualifying the associated risk.  That does nothing for anyone, and would only 
> cause a rise in the cost of umbrellas and squirt guns and would probably 
> result in the theater putting the kibosh on Rocky Horror completely and 
> charging people to watch Born Free.  (Insert clever association of "Born 
> Free" with "free" open source products here.  See what I did there?)
> 
> Further, the basis of this "threat" is that you would actually have to trust 
> what Stephen Hawking is saying in the first place.  In his case, there really 
> isn't any way to know that he's the one saying it, is there?  For all we 
> know, the ghost of Carl Sagan could have hacked into his computer and has 
> made Mr. Hawking's requests to have his Depends changed translated into "run 
> for your lives, the aliens a

Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread Thor (Hammer of God)
The error in your overall thesis is your failure to identify the difference 
between threat and risk.  You are interacting with Symantec's report of "x new 
threats" as if it actually means something, or more specifically, that these 
new threats somehow translate into some new level of risk.  They don't.

According to Stephen Hawking, there are new threats emerging based on the 
statistical probability of the existence of aliens.  Therefore, a "threat" 
exists where I may be struck in the head by a falling block of green alien poo, 
frozen in the atmosphere after being flushed out by a passing pan-galactic 
alien survey ship.  However, the actual *risk* of me being hit in the head 
while walking to a matinée of The Rocky Horror Picture Show doesn't dictate 
that I apply a small mixture of Purell and Teflon to my umbrella and fill my 
squirt gun with alien repellent.

The risk of me personally being struck by falling alien poo is *far* lower than 
the risk of any one of the almost 7 billion people on the planet being struck 
by falling alien poo.  You may be able to calculate the risk of my being poo'd 
in relation to any given human being poo'd, but no level of math will allow you 
to determine what my or any other person's individual chance of being poo'd is.

Your argument would call everyone to change the way they protect themselves 
from falling alien poo out of the mere existence of a threat without really 
qualifying the associated risk.  That does nothing for anyone, and would only 
cause a rise in the cost of umbrellas and squirt guns and would probably result 
in the theater putting the kibosh on Rocky Horror completely and charging people 
to watch Born Free.  (Insert clever association of "Born Free" with "free" open 
source products here.  See what I did there?)

Further, the basis of this "threat" is that you would actually have to trust 
what Stephen Hawking is saying in the first place.  In his case, there really 
isn't any way to know that he's the one saying it, is there?  For all we know, 
the ghost of Carl Sagan could have hacked into his computer and has made Mr. 
Hawking's requests to have his Depends changed translated into "run for your 
lives, the aliens are coming, the aliens are coming"  when his computer talks.

My point is that you are taking threat statistics from Symantec that don't mean 
anything on their own, as there is no definition of how those threats would 
apply to any given system, and directly converting them into some global level 
of risk - and you are doing so to such extremes that you actually conclude that 
the solution is to do away with Microsoft products based on some unproven and 
imagined postulate that closed source is somehow at the core of the issue while 
at the same time admitting you don't know anything about the platform.   The 
fact that you are actually using Windows and programs written with Visual 
Studio out of convenience to you critically damages your argument.  If you as 
the author of this idea refuse to migrate from Windows or applications written 
with Windows development products and frameworks just because it is *not 
convenient* for you, how could you possibly expect anyone supporting any 
infrastructure of consequence to take your advice or even consider your ideas 
as anything other than hysteria when they would have to engage in unfathomable 
expense, effort and time to create a total and complete paradigm change in 
their business simply to try to defend against being hit by falling alien poo?

t


>An interesting point - Unicode?
>
>I don't think 5Mb files are infeasible, especially as time passes,
>that'll be just a blip before long.
>
>Stu
>
>On 15 May 2010 at 14:59, Christian Sciberras wrote:
>
>Date sent:  Sat, 15 May 2010 14:59:46 +0100
>Subject:Re: [Full-disclosure] Windows' future (reprise)
>From:   Christian Sciberras 
>To: stuart () cyberdelix net


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows' future (reprise)

2010-05-16 Thread Christian Sciberras
> An interesting point - Unicode?
> 
> I don't think 5Mb files are infeasible, especially as time passes,
> that'll be just a blip before long.
> 
> Stu


You call it a "blip", yet you are counting infections for *everywhere* and
*anyone*, so what makes you think service providers (which have been comfy
in the last 6 years with a dialup-grade connection) will abruptly switch to
high-speed fiber-optic?

I'm just saying that your statistics are based on too few variables - it
would be like saying Earth will die of hunger just because a product is out
of stock at a local supermarket.

You yourself mentioned an error margin of ~24%. This will only *grow* by
next year.
Lastly, I stand by my point: malware cannot be taken as a combination (as you
and certain other "specialists" think of it). Reason number one being that a
software combination (hash) can vary between "malware", "useful" and
"utterly useless"; i.e., the combination of having only malware is so
undefinable that you can't put it in any equation.

Symantec's results are not wrong, it is how you/people use them that may be
wrong, such as attempting to predict anything out of them.

On Sun, May 16, 2010 at 6:32 AM, lsi  wrote:

> Hi Bill!
>
> Thanks for the tip on the DIR command, I did in fact notice that,
> however it doesn't give percentages (or total space), AFAIK, and my
> monitoring bot wants percentages.  My df also reports the computer
> name (so I can make sense of the output when the space on multiple
> machines is listed one after the other in a report, and if an alert
> is generated by the monitoring bot).
>
> The new version of my df util is 1951 bytes, the version on my site
> is old.
>
> I'm sorry I upset you because I mentioned .NET, is it because you
> make a living off it?  Sorry to be the bearer of bad tidings.  .NET
> is merely one case of many, I picked it as an example because I am
> currently supporting a customer with a £23,000 .NET application that
> has them utterly locked to Microsoft, and I have no hope at all of
> selling them unix anything.  Which is a shame for them (I just made a
> packet cleaning a nasty virus infection from one of their XP PCs).
>
> As for the .NET connector for PHP, yes, I made that up, and the
> problem is where?  You wanted a migration strategy, I gave you one! I
> did say off top of head.  You want me to research it?  That's
> £120/hr.
>
> I also don't see a problem posting my mail from a Windows PC.  Why do
> I need to be running unix before I can report that malware is
> mutating at 243%?  I don't, is the short answer.
>
> Why don't you criticise my arguments, instead of myself, or my job,
> or my computer, or my email program, or my personal migration
> strategy, or my software?  Is it because you can't?  I think so.
>
> Stu
>
> On 16 May 2010 at 3:06, Thor (Hammer of God) wrote:
>
> From:       "Thor (Hammer of God)" 
> To: "full-disclosure@lists.grok.org.uk"  disclos...@lists.grok.org.uk>
> Date sent:  Sun, 16 May 2010 03:06:18 +
> Subject:Re: [Full-disclosure] Windows' future (reprise)
>
> > This just gets better all the time.  I have to admit, it was fun at
> first, but now I grow weary, mostly because this is just sad.
> >
> > For you to actually think that one can't find out how much free drive
> space in Windows would be funny if it were not so ridiculous.  And it's been
> built into DIR forever.  Oh, and your .bas file is 60,000 some odd bytes,
> not 1951.  I think you are confusing the size with the last time you
> actually did research into what you are talking about.
> >
> > The main point here is for people to see how easy it is for someone who
> admits that they know nothing about .NET, nor care to learn anything about
> .NET, to honestly and publicly say that people must uninstall it as if it
> were the plague.  You actually get paid to tell people to uninstall it and
> use "a .NET connector to PHP" - whatever the hell that is.  Simply amazing
> to me.
> >
> > And yet, it's fine for YOU to continue to use a "closed source" operating
> system to run your "dear Peg" closed source email program because you don't
> feel like practicing what you preach.   To think that you consider insight
> into moving a couple of computers over to *nix as the basis to make sweeping
> generalized statements of how migrating is a one-off cost staggers the
> imagination.  But, everyone is entitled to their opinion, so good luck with
> yours dude.   But what you are doing to the poor people who not only trust
> you but also pay you seems to be q

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread lsi
Hi Bill!

Thanks for the tip on the DIR command, I did in fact notice that, 
however it doesn't give percentages (or total space), AFAIK, and my 
monitoring bot wants percentages.  My df also reports the computer 
name (so I can make sense of the output when the space on multiple 
machines is listed one after the other in a report, and if an alert 
is generated by the monitoring bot).

The new version of my df util is 1951 bytes, the version on my site 
is old.

I'm sorry I upset you because I mentioned .NET, is it because you 
make a living off it?  Sorry to be the bearer of bad tidings.  .NET 
is merely one case of many, I picked it as an example because I am 
currently supporting a customer with a £23,000 .NET application that 
has them utterly locked to Microsoft, and I have no hope at all of 
selling them unix anything.  Which is a shame for them (I just made a 
packet cleaning a nasty virus infection from one of their XP PCs).

As for the .NET connector for PHP, yes, I made that up, and the 
problem is where?  You wanted a migration strategy, I gave you one! I 
did say off top of head.  You want me to research it?  That's 
£120/hr.

I also don't see a problem posting my mail from a Windows PC.  Why do 
I need to be running unix before I can report that malware is 
mutating at 243%?  I don't, is the short answer.

Why don't you criticise my arguments, instead of myself, or my job, 
or my computer, or my email program, or my personal migration 
strategy, or my software?  Is it because you can't?  I think so.

Stu

On 16 May 2010 at 3:06, Thor (Hammer of God) wrote:

From:   "Thor (Hammer of God)" 
To: "full-disclosure@lists.grok.org.uk" 
Date sent:  Sun, 16 May 2010 03:06:18 +0000
Subject:Re: [Full-disclosure] Windows' future (reprise)

> This just gets better all the time.  I have to admit, it was fun at first, 
> but now's I grow weary, mostly because this is just sad.
> 
> For you to actually think that one can't find out how much free drive space 
> in Windows would be funny it were not so ridiculous.  And it's been built 
> into DIR forever.  Oh, and your .bas file is 60,000 some odd bytes, not 1951. 
>  I think you are confusing the size with the last time you actually did 
> research into what you are talking about.
> 
> The main point here is for people to see how easy it is for someone who 
> admits that they know nothing about .NET, nor care to learn anything about 
> .NET, to honestly and publically say that people must uninstall it as if it 
> were the plague.  You actually get paid to tell people to uninstall it and 
> use "a .NET connector to PHP" - whatever the hell that is.  Simply amazing to 
> me.
> 
> And yet, it's fine for YOU to continue to use a "closed source" operating 
> system to run your "dear Peg" closed source email program because you don't 
> feel like practicing what you preach.   To think that you consider insight 
> into moving a couple of computers over to *nix as the basis to make sweeping 
> generalized statements of how migrating is a one-off cost staggers the 
> imagination.  But, everyone is entitled to their opinion, so good luck with 
> yours dude.   But what you are doing to the poor people who not only trust 
> you but also pay you seems to be quite a disservice indeed.  But that's 
> between you and whatever your ethic is.
> 
> So in a nutshell (and I'll drop off after this as I think this has played 
> itself out) you hate closed source and .NET and get paid to tell other people 
> to migrate to non-existent ".NET connector's to PHP" after switching from 
> Windows to BSD, but compose the very email that you so vehemently condemn 
> them on a closed source operating system with a closed source program because 
> you don't have "time to figure out how to use your computer at the same 
> time." (direct quote).  I think I got it.  Thanks for sharing.
> 
> Oh, one last thing - your "dear Pegasus" 4.51 Windows-based program that you 
> hypocritically hold on to while demonizing Windows and .NET was...   wait for 
> it   wait for it   written with Visual Studio 2008 C++  - a proud 
> Microsoft .NET Framework development platform!
> 
> Ladies and Gentlemen, Goodnight!
> 
> t
> 
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
> Sent: Saturday, May 15, 2010 7:15 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Windows' future (reprise)
> 
> On 16 May 2010 at 0:09, Thor (Hammer of God) wrote:
> 
> > Just as I expected.   A wishy washy respo

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Sabahattin Gucukoglu
On 16 May 2010, at 04:06, Thor (Hammer of God) wrote:
> Oh, one last thing - your "dear Pegasus" 4.51 Windows-based program that you 
> hypocritically hold on to while demonizing Windows and .NET was...   wait for 
> it   wait for it   written with Visual Studio 2008 C++  - a proud 
> Microsoft .NET Framework development platform!

Sadly, a bad example: it was ported from Borland, an increasingly fragile and 
unsupported compiler.  It's also not a .net app, which IMNSHO makes a world of 
difference to the point being made, but never mind that, you've had your last 
word.

FTR: David did say some supportive things about RAD and .net.  It's all there 
in his blog, and I can't be bothered looking for it.  I also note that Pegasus 
wines reasonably well, so using the header to identify the platform of the 
sender may mislead you.  It is, alas, a well-rounded GUI mailer that Unix 
people such as myself rather like compared to the mint-flavoured-wire GUI 
alternatives.

Cheers,
Sabahattin



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Thor (Hammer of God)
This just gets better all the time.  I have to admit, it was fun at first, but 
now I grow weary, mostly because this is just sad.

For you to actually think that one can't find out how much free drive space in 
Windows would be funny if it were not so ridiculous.  And it's been built into DIR 
forever.  Oh, and your .bas file is 60,000 some odd bytes, not 1951.  I think 
you are confusing the size with the last time you actually did research into 
what you are talking about.

The main point here is for people to see how easy it is for someone who admits 
that they know nothing about .NET, nor care to learn anything about .NET, to 
honestly and publicly say that people must uninstall it as if it were the 
plague.  You actually get paid to tell people to uninstall it and use "a .NET 
connector to PHP" - whatever the hell that is.  Simply amazing to me.

And yet, it's fine for YOU to continue to use a "closed source" operating 
system to run your "dear Peg" closed source email program because you don't 
feel like practicing what you preach.   To think that you consider insight into 
moving a couple of computers over to *nix as the basis to make sweeping 
generalized statements of how migrating is a one-off cost staggers the 
imagination.  But, everyone is entitled to their opinion, so good luck with 
yours dude.   But what you are doing to the poor people who not only trust you 
but also pay you seems to be quite a disservice indeed.  But that's between you 
and whatever your ethic is.

So in a nutshell (and I'll drop off after this as I think this has played 
itself out) you hate closed source and .NET and get paid to tell other people 
to migrate to non-existent ".NET connector's to PHP" after switching from 
Windows to BSD, but compose the very email that you so vehemently condemn them 
on a closed source operating system with a closed source program because you 
don't have "time to figure out how to use your computer at the same time." 
(direct quote).  I think I got it.  Thanks for sharing.

Oh, one last thing - your "dear Pegasus" 4.51 Windows-based program that you 
hypocritically hold on to while demonizing Windows and .NET was...   wait for 
it   wait for it   written with Visual Studio 2008 C++  - a proud 
Microsoft .NET Framework development platform!

Ladies and Gentlemen, Goodnight!

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
Sent: Saturday, May 15, 2010 7:15 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows' future (reprise)

On 16 May 2010 at 0:09, Thor (Hammer of God) wrote:

> Just as I expected.   A wishy washy response, nothing concrete or even
> vaguely resembling substantive material, backtracking on an exact
> quote, the obligatory reference to your formula ala Craig Wright, with
> the final "oh, I'm sure you would like to know, but I'll have to
> charge you in order to tell you."

Well spotted, I am a consultant... I get paid to behave that way!

It was your misquote I corrected, if you call that a backtrack, suit yourself!  
I was giving you my working so you could reproduce my numbers... never mind.

> I was wrong to assume that you would try to educate yourself about
> .NET

Other than how to uninstall it, I have no desire to know anything about it.

> The "amount of free disk space on a drive" utility you wrote

Yeah, how crap, it's called df in unix, everyone hates it enormously!
A truly useless tool.  That must be why a df command appeared in Version 1 of 
AT&T UNIX.  Windows doesn't have something like that, so I made one myself.  
You should see the new version, writes to STDOUT, supports multiple drives on 
one commandline, 1951 bytes of source, 154k uncompressed EXE, beat it if you 
can

> P.S.  The headers on your email show that you are using Pegasus Mail
> for Windows (4.51).  I know a guy who can help you switch to Linux if
> you want.  I think he charges about £120/hr.

Amusing, however Pegasus is a perfect example of the difficulty users face when 
migrating.  As my dear Peg isn't open source, it's one of the reasons this 
machine still runs Windows (along with Quake, and the tools I have created over 
years to help me work, and their PowerBasic compiler).  I don't want to be on 
the phone to a customer and trying to figure out how to use my computer at the 
same time, so I decided to go slow for now.  I think this is a fair decision.  
My servers run unix, it's just this desktop that is left.  I'm not in a big 
hurry, this machine is nicely optimised.  I'm not looking forward to the day 
that I have to rewrite all my tools.  I know it will be a total PITA, take 
ages, introduce bugs and generally cost me a pack

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread lsi
On 16 May 2010 at 3:15, lsi wrote:

> > The "amount of free disk space on a drive" utility you wrote
> 
> supports multiple drives on one commandline

Sorry, correction, it doesn't do that.

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread lsi
On 16 May 2010 at 0:09, Thor (Hammer of God) wrote:

> Just as I expected.   A wishy washy response, nothing concrete or even
> vaguely resembling substantive material, backtracking on an exact
> quote, the obligatory reference to your formula ala Craig Wright, with
> the final "oh, I'm sure you would like to know, but I'll have to
> charge you in order to tell you." 

Well spotted, I am a consultant... I get paid to behave that way!

It was your misquote I corrected, if you call that a backtrack, suit 
yourself!  I was giving you my working so you could reproduce my 
numbers... never mind.

> I was wrong to assume that you would try to educate yourself about .NET

Other than how to uninstall it, I have no desire to know anything 
about it.

> The "amount of free disk space on a drive" utility you wrote

Yeah, how crap, it's called df in unix, everyone hates it enormously! 
A truly useless tool.  That must be why a df command appeared in 
Version 1 of AT&T UNIX.  Windows doesn't have something like that, so 
I made one myself.  You should see the new version, writes to STDOUT, 
supports multiple drives on one commandline, 1951 bytes of source, 
154k uncompressed EXE, beat it if you can

> P.S.  The headers on your email show that you are using Pegasus Mail
> for Windows (4.51).  I know a guy who can help you switch to Linux if
> you want.  I think he charges about £120/hr. 

Amusing, however Pegasus is a perfect example of the difficulty users 
face when migrating.  As my dear Peg isn't open source, it's one of 
the reasons this machine still runs Windows (along with Quake, and 
the tools I have created over years to help me work, and their 
PowerBasic compiler).  I don't want to be on the phone to a customer 
and trying to figure out how to use my computer at the same time, so 
I decided to go slow for now.  I think this is a fair decision.  My 
servers run unix, it's just this desktop that is left.  I'm not in a 
big hurry, this machine is nicely optimised.  I'm not looking forward 
to the day that I have to rewrite all my tools.  I know it will be a 
total PITA, take ages, introduce bugs and generally cost me a packet. 
Unfortunately, long-term, the alternative is even worse.  I am very 
familiar with the issues faced when migrating, as I have those 
issues.  Does this surprise you?

Stu

> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
> Sent: Saturday, May 15, 2010 4:15 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Windows' future (reprise)
> 
> > IOW, you took what Symantec's numbers were for one year, and guessed 
> > they would be the same for this year, and then posted how you were 
> > almost right.
> 
> You definitely misunderstand.  AFAIK, Symantec do not publish the number 
> 243%.  I calculated it myself, using this sum:
> 
> (0.92 + 3.67 + 1.64 + 1.24 + 4.44 + 2.65) / 6
> 
> I also calculated those numbers, using the general formula y(n+1) / y(n).  
> This is all explained on the link I gave in my original post:
> 
> http://www.cyberdelix.net/files/malware_mutation_projection.pdf
> 
> Even in the most recent report, Symantec only refer to the growth rate by 
> saying it was "more than double" (eg, 200+%) - although I haven't read it 
> closely, they may well elaborate on that at some point.
> 
> > You people really need to get your stories straight.
> 
> There is only one of me, I assure you.
> 
> > Then you blithe on about how people should "avoid any software that 
> > locks them into a Microsoft Platform like the plague" and specifically 
> > note .NET for businesses but of course fail to provide any examples of 
> > where they should go, or any real advice on your "mitigation 
> > strategy."
> 
> I agree Windows needs mitigation, that is why I am posting.  I didn't mention 
> alternatives as that's not my purpose, to promote a specific product, and I 
> wouldn't want my observations to be tainted by it.  
> However, now you've asked, I'd recommend FreeBSD, without even seeing your 
> spec.  Desktops?  PC-BSD.  As for .NET, off top of head I'd suggest a .NET 
> connector for PHP, running on FreeBSD of course.
> 
> > What it is about .NET that should be avoided like the plague?  Wait,
> 
> Sorry but I already answered that.   It's because it locks the 
> customer into a Microsoft platform.
> 
> > One must assume that you are an expert .NET developer
> 
> You'd assume wrong - it doesn't take an expert to recognise a dependency.
> 
> > Additionally, you've cle

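The "df for Windows" argued over above (in this post and in Stu's earlier "Hi Bill!" reply) has to emit three things a plain DIR listing does not: the computer name, the total size alongside the free space, and a percentage the monitoring bot can threshold on. The script below is an added illustration of that, not Stu's PowerBasic tool and not code from the list: it uses Python's shutil.disk_usage, which accepts both Windows drive letters and Unix mount points, writes one tab-separated line per drive to STDOUT, and reports an unreadable drive as ERR rather than silently skipping it (a bot that cannot tell "missing" from "full" will miss the alert). The 90% alert threshold, the output layout and the drive list are assumptions for the example.

```python
"""Hostname-tagged disk usage report for a monitoring bot.

Added example, not the PowerBasic tool discussed on the list. shutil.disk_usage
works on Windows drive letters (C:\\) and on Unix mount points (/). The 90%
threshold and the column layout are assumptions for this example.
"""
import shutil
import socket
import sys

# Assumed threshold: the bot raises an alert when used% exceeds this.
ALERT_PERCENT = 90.0


def percent_used(total: int, free: int) -> float:
    """Percentage of the volume in use, rounded to one decimal.

    A volume that reports 0 bytes total (an empty card reader, an unmounted
    share) must not divide by zero; it is reported as 0% used.
    """
    if total <= 0:
        return 0.0
    return round(100.0 * (total - free) / total, 1)


def format_line(host: str, drive: str, total: int, free: int) -> str:
    """One tab-separated line: host, drive, total MiB, free MiB, used%."""
    mib = 1024 * 1024
    return "\t".join([host, drive, str(total // mib), str(free // mib),
                      f"{percent_used(total, free):.1f}%"])


def report(host: str, drives: list[str]) -> list[str]:
    """Report lines for each drive, in order.

    A drive that cannot be read is reported as ERR with the OS message, so
    the bot can distinguish 'not there' from 'full' and from '0% used'.
    """
    lines = []
    for d in drives:
        try:
            u = shutil.disk_usage(d)
        except OSError as e:
            lines.append(f"{host}\t{d}\tERR\t{e.strerror}")
            continue
        lines.append(format_line(host, d, u.total, u.free))
    return lines


def over_threshold(total: int, free: int, limit: float = ALERT_PERCENT) -> bool:
    """True when the volume is fuller than the (assumed) alert threshold."""
    return percent_used(total, free) > limit


if __name__ == "__main__":
    # Usage:  python df.py C:\ D:\      or      python df.py / /home
    # With no arguments it reports the root of the current drive.
    targets = sys.argv[1:] or ["/"]
    for line in report(socket.gethostname(), targets):
        print(line)
```

Because each line starts with the hostname, the output of several machines can be concatenated into one report and still be attributed, which is the point Stu makes about his own tool; the ERR row is the addition a practitioner would want so that an unmounted volume is not mistaken for a healthy one.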
Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Thor (Hammer of God)
Just as I expected.   A wishy washy response, nothing concrete or even vaguely 
resembling substantive material, backtracking on an exact quote, the obligatory 
reference to your formula ala Craig Wright, with the final "oh, I'm sure you 
would like to know, but I'll have to charge you in order to tell you."

And you are right; I was wrong to assume that you would try to educate yourself 
about .NET before recommending to the people you advise (as well as to everyone 
on this list) to avoid it like the plague.  Seeing the code samples on your 
website have actually set me straight, and I apologize.

The "amount of free disk space on a drive" utility you wrote and your other 
QBASIC references truly illustrate your Mad Skilz as a developer.  I guess we 
should all dump all Windows machines and switch to FreeBSD as you have 
illustrated.  Thanks for the advice.

T

P.S.  The headers on your email show that you are using Pegasus Mail for 
Windows (4.51).  I know a guy who can help you switch to Linux if you want.  I 
think he charges about £120/hr.



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
Sent: Saturday, May 15, 2010 4:15 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows' future (reprise)

> IOW, you took what Symantec's numbers were for one year, and guessed 
> they would be the same for this year, and then posted how you were 
> almost right.

You definitely misunderstand.  AFAIK, Symantec do not publish the number 243%.  
I calculated it myself, using this sum:

(0.92 + 3.67 + 1.64 + 1.24 + 4.44 + 2.65) / 6

I also calculated those numbers, using the general formula y(n+1) / y(n).  This 
is all explained on the link I gave in my original post:

http://www.cyberdelix.net/files/malware_mutation_projection.pdf

Even in the most recent report, Symantec only refer to the growth rate by 
saying it was "more than double" (eg, 200+%) - although I haven't read it 
closely, they may well elaborate on that at some point.

> You people really need to get your stories straight.

There is only one of me, I assure you.

> Then you blithe on about how people should "avoid any software that 
> locks them into a Microsoft Platform like the plague" and specifically 
> note .NET for businesses but of course fail to provide any examples of 
> where they should go, or any real advice on your "mitigation 
> strategy."

I agree Windows needs mitigation, that is why I am posting.  I didn't mention 
alternatives as that's not my purpose, to promote a specific product, and I 
wouldn't want my observations to be tainted by it.  
However, now you've asked, I'd recommend FreeBSD, without even seeing your 
spec.  Desktops?  PC-BSD.  As for .NET, off top of head I'd suggest a .NET 
connector for PHP, running on FreeBSD of course.

> What it is about .NET that should be avoided like the plague?  Wait,

Sorry but I already answered that.   It's because it locks the 
customer into a Microsoft platform.

> One must assume that you are an expert .NET developer

You'd assume wrong - it doesn't take an expert to recognise a dependency.

> Additionally, you've clearly performed migration engagements for these 
> people you "advise."  Please let us know what the actual migration 
> plan was, and how you have so brilliantly created a one-off cost 
> migration path.  I'm really interested in the details about that.

I'm sure you are, and I'd be happy to oblige.  My rates for that kind of work 
start at £120/hr.  Please PM me for more info.

> Details on your SDL process would be fantastic as well. 

Continuous incremental improvement (TQM). RERO.  Prototyping.  Agile is the 
word used nowadays I believe... revolution through evolution, as I said

Stu

> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
> Sent: Saturday, May 15, 2010 1:07 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Windows' future (reprise)
> 
> Is that you, Bill?
> 
> I think you misunderstand.  9 months ago, I measured the growth rate at 243%, 
> using Symantec's stats.  9 months ago I posted that number here, together 
> with a prediction of this year's stats.  Recently, I got this year's stats 
> and compared them with that prediction.  I found that this prediction was 
> 75.4% accurate.  I am now reporting those results back to the group.  And 
> this is trolling how?
> 
> My point is that the prediction was not wildly wrong, and so that leads me to 
> wonder if anything else I said, 9 months ago, was also not wildly wrong.
> 
> My mai

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread lsi
> IOW, you took what Symantec's numbers were for one year, and guessed
> they would be the same for this year, and then posted how you were
> almost right.

You definitely misunderstand.  AFAIK, Symantec do not publish the 
number 243%.  I calculated it myself, using this sum:

(0.92 + 3.67 + 1.64 + 1.24 + 4.44 + 2.65) / 6

I also calculated those numbers, using the general formula y(n+1) / 
y(n).  This is all explained on the link I gave in my original post:

http://www.cyberdelix.net/files/malware_mutation_projection.pdf

Even in the most recent report, Symantec only refer to the growth 
rate by saying it was "more than double" (e.g., 200+%) - although I 
haven't read it closely, they may well elaborate on that at some 
point.

> You people really need to get your stories straight.

There is only one of me, I assure you.

> Then you blithe on about how people should "avoid any software that
> locks them into a Microsoft Platform like the plague" and specifically
> note .NET for businesses but of course fail to provide any examples of
> where they should go, or any real advice on your "mitigation
> strategy."  

I agree Windows needs mitigation, that is why I am posting.  I didn't 
mention alternatives as that's not my purpose, to promote a specific 
product, and I wouldn't want my observations to be tainted by it.  
However, now you've asked, I'd recommend FreeBSD, without even seeing 
your spec.  Desktops?  PC-BSD.  As for .NET, off top of head I'd 
suggest a .NET connector for PHP, running on FreeBSD of course.

> What is it about .NET that should be avoided like the plague?  Wait,

Sorry but I already answered that.   It's because it locks the 
customer into a Microsoft platform.

> One must assume that you are an expert .NET developer

You'd assume wrong - it doesn't take an expert to recognise a 
dependency.

> Additionally, you've clearly performed migration engagements for these
> people you "advise."  Please let us know what the actual migration
> plan was, and how you have so brilliantly created a one-off cost
> migration path.  I'm really interested in the details about that.  

I'm sure you are, and I'd be happy to oblige.  My rates for that kind 
of work start at £120/hr.  Please PM me for more info.

> Details on your SDL process would be fantastic as well. 

Continuous incremental improvement (TQM). RERO.  Prototyping.  Agile 
is the word used nowadays I believe... revolution through evolution, 
as I said

Stu

> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
> Sent: Saturday, May 15, 2010 1:07 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Windows' future (reprise)
> 
> Is that you, Bill?
> 
> I think you misunderstand.  9 months ago, I measured the growth rate at 243%, 
> using Symantec's stats.  9 months ago I posted that number here, together 
> with a prediction of this year's stats.  Recently, I got this year's stats 
> and compared them with that prediction.  I found that this prediction was 
> 75.4% accurate.  I am now reporting those results back to the group.  And 
> this is trolling how?
> 
> My point is that the prediction was not wildly wrong, and so that leads me to 
> wonder if anything else I said, 9 months ago, was also not wildly wrong.
> 
> My main reason for claiming that Windows is inherently insecure is because 
> it's closed source.  However it's also because of the sloppy, monolithic 
> spaghetti code that Windows is made of.  If you're claiming Windows is in 
> fact inherently secure, I assume this means you don't use AV on any of your 
> Windows machines, and advise everyone you know to uninstall it?
> 
> I never said migration would be free or easy.  That is why I am posting this 
> data here, because I see it as a vulnerability, a very big vulnerability that 
> many companies have not woken up to.  The very fact that migration is hard, 
> lengthy, and expensive, means that the vulnerability is larger than ever.
> 
> Stu
> 
> On 15 May 2010 at 14:40, Thor (Hammer of God) wrote:
> 
> From: "Thor (Hammer of God)" 
> To:   "full-disclosure@lists.grok.org.uk" 
> Date sent:    Sat, 15 May 2010 14:40:29 +0000
> Subject:  Re: [Full-disclosure] Windows' future (reprise)
> 
> > I am constantly amazed at posts like this where you make yourself sound 
> > like some sort of statistical genius because you were "able to predict" 
> > that since last year was %243, that this year would be %243.  Wow

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Peter Besenbruch
On Sat, 15 May 2010 16:22:26 -0400
Jeffrey Walton  wrote:

> This is
> along the lines of, 'Linux does not get viruses' argument. Give me a
> break...

I set up a dual boot arrangement on a friend's machine. The Windows
side promptly got infected. The guy was furious and blamed his son.
Fortunately, it was a relatively easy infection to clean. The tip off
that all was not as the man claimed, was when I found several copies of
the virus saved to his home directory in the Linux side. It seems he
hadn't been able to get the attachment to run under Linux, and had
switched to Windows.

Now, I am NOT arguing about Linux being safe because no-one writes
malware for it. I am arguing that the guy was safe running
Linux because:

a) He could only save the attachment to disk.
b) Had it been Linux malware, he would have had to make it executable.

The guy wasn't knowledgeable enough to do all that. He also didn't know
that much about how malware gets delivered. I suspect that there is a
broad correlation between computer knowledge and safe on-line behavior.
The irony is that the less a person, or employee, knows about computers,
the better off everyone would be if that person ran Linux.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread shawn Davison


Sent from my HTC Touch Pro2 on the Now Network from Sprint®.

-Original Message-
From: BMF 
Sent: Saturday, May 15, 2010 4:54 PM
To: full-disclosure@lists.grok.org.uk 
Subject: Re: [Full-disclosure] Windows' future (reprise)

On Sat, May 15, 2010 at 7:40 AM, Thor (Hammer of God)
 wrote:
> I am constantly amazed at posts like this where you make yourself sound like 
> some sort of statistical genius because you were "able to predict" that since 
> last year was %243, that this year would be %243.  Wow.  Really?

I agree that the post is a bit pompous...however:

> And for the record, these claims of 'inherent insecurity' in Windows are 
> simply ignorant.  If you are still running Windows 95 that's your problem.  
> Do a little research before posting assertions based on 10 or 20 year old issues.


> This smacks of the classic troll, where you say things like "nothing that 
> Microsoft makes is secure and it never will be"

But...it is true that nothing Microsoft (or anyone, perhaps) makes is
secure. And given that Microsoft has a decades long history of far
worse than industry average security I think it is pretty reasonable
to surmise that Windows will never be secure.

> and then go on to say how easy it is to migrate, and how it's free, with only 
> a one off cost, and how to move off of .NET.

We migrated. With only a one off cost. Been a few years now. Business
is looking good.

> Obvious "predictions," ignorant assumptions, and a total lack of any true 
> understanding of business computing.  Yep, "troll."

Trollish but not entirely wrong.

BMF





Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread rdsears
And what of the pass-the-hash group of attacks, not to mention the  
insecure hashing to begin with? Combine that with token manipulation  
and process migration and you have a very deadly combination to almost  
any Windows network that you don't see anywhere else. Exploiting  
Windows networks in this way is trivial at best, and is built into  
the operating system as a set of 'features'.

That's not to say the *nix platform doesn't have its own security  
problems, but at least they're a.) dealt with in a more timely manner,  
and b.) easily analyzed by anyone. Even if 99/100 people that look at  
it are 'uneducated' as you put it, I'd rather have the one set of eyes  
on it going 'hey this needs to be fixed' and educating everyone else on  
how to manage it, a la the Debian PRNG SSH bug a couple years ago.  
Imagine how that would've gone if Microsoft had dealt with a similar  
issue.

Having said that I have to say even though some people may not find  
Stuart's research interesting, he's simply trying to report his  
findings. He's doing this to help paint a picture of security in the  
state it's ACTUALLY in, and try to predict where it's progressing to.

Everything in nature can be modeled with mathematics; why not threat  
trends?

On May 15, 2010, at 4:22 PM, Jeffrey Walton  wrote:

>> My main reason for claiming that Windows is inherently insecure is
>> because it's closed source.
> As opposed to crowd sourcing, which some claim is inherently more
> secure because more [uneducated] eyes review the source code? This is
> along the lines of, 'Linux does not get viruses' argument. Give me a
> break...
>
> On Sat, May 15, 2010 at 4:06 PM, lsi  wrote:
>> Is that you, Bill?
>>
>> I think you misunderstand.  9 months ago, I measured the growth rate
>> at 243%, using Symantec's stats.  9 months ago I posted that number
>> here, together with a prediction of this year's stats.  Recently, I
>> got this year's stats and compared them with that prediction.  I
>> found that this prediction was 75.4% accurate.  I am now reporting
>> those results back to the group.  And this is trolling how?
>>
>> My point is that the prediction was not wildly wrong, and so that
>> leads me to wonder if anything else I said, 9 months ago, was also
>> not wildly wrong.
>>
>> My main reason for claiming that Windows is inherently insecure is
>> because it's closed source.  However it's also because of the sloppy,
>> monolithic spaghetti code that Windows is made of.  If you're
>> claiming Windows is in fact inherently secure, I assume this means
>> you don't use AV on any of your Windows machines, and advise everyone
>> you know to uninstall it?
>>
>> I never said migration would be free or easy.  That is why I am
>> posting this data here, because I see it as a vulnerability, a very
>> big vulnerability that many companies have not woken up to.  The very
>> fact that migration is hard, lengthy, and expensive, means that the
>> vulnerability is larger than ever.
>>
>> Stu
>>
>> On 15 May 2010 at 14:40, Thor (Hammer of God) wrote:
>>
>> From:   "Thor (Hammer of God)" 
>> To: "full-disclosure@lists.grok.org.uk" 
>> Date sent:  Sat, 15 May 2010 14:40:29 +0000
>> Subject:Re: [Full-disclosure] Windows' future  
>> (reprise)
>>
>>> I am constantly amazed at posts like this where you make yourself  
>>> sound like some sort of statistical genius because you were "able  
>>> to predict" that since last year was %243, that this year would be  
>>> %243.  Wow.  Really?
>>>
>>> And for the record, these claims of 'inherent insecurity' in  
>>> Windows are simply ignorant.  If you are still running Windows 95  
>>> that's your problem.  Do a little research before posting assertions  
>>> based on 10 or 20 year old issues.
>>>
>>> This smacks of the classic troll, where you say things like  
>>> "nothing that Microsoft makes is secure and it never will be" and  
>>> then go on to say how easy it is to migrate, and how it's free,  
>>> with only a one off cost, and how to move off of .NET.
>>>
>>> Obvious "predictions," ignorant assumptions, and a total lack of  
>>> any true understanding of business computing.  Yep, "troll."
>>>
>>> t
>>>
>>> [SNIP]
>



Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread BMF
On Sat, May 15, 2010 at 1:22 PM, Jeffrey Walton  wrote:
> As opposed to crowd sourcing, which some claim is inherently more
> secure because more [uneducated] eyes review the source code?

There are far more educated eyes able to review the Linux source code
than the Windows source code. The uneducated people reviewing it don't
seem to be hurting anything while the educated people reviewing it are
helping a lot if all of the patches I see coming in every day are any
measure.

> This is along the lines of, 'Linux does not get viruses' argument.

Well...has it ever? I've been running it on a day to day basis on my
desktop since 1994 and have never once gotten a virus. I have been
active in the community since then and I have never met anyone who got
one. So...

BMF



Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Thor (Hammer of God)
No, it's Tim Mullen.  No "Bill" here.  

No, I don't misunderstand:  You said "You may recall that last year, the 
average annual growth rate of new threats (as defined by Symantec) was 243%.  
This enabled me to predict that the number of new threats in this year's 
Symantec Threat Report would be 243% of last years."  IOW, you took what 
Symantec's numbers were for one year, and guessed they would be the same for 
this year, and then posted how you were almost right.  Congratulations, you can 
make statements of the obvious.

You people really need to get your stories straight.  Isn't there some club or 
something you guys can join to at least sync up your talking points?   First we 
hear about how AV is stupid, unneeded, useless, a waste of money, and if you 
install it then you are ignorant.  Then we hear about how some people can 
"bypass AV" using kernel hooks on windows XP and call it an "8.0 Earthquake."  
Now you come out and say that you predict that AV will not be able to keep up 
with these new "threats" and that people must stop using Windows as a result 
since Windows "is not likely of producing any secure version of anything 
anytime soon."  

Then you blithe on about how people should "avoid any software that locks them 
into a Microsoft Platform like the plague" and specifically note .NET for 
businesses but of course fail to provide any examples of where they should go, 
or any real advice on your "mitigation strategy."  

What is it about .NET that should be avoided like the plague?  Wait, before you 
answer that, let's make sure you are qualified to answer.  One must assume that 
you are an expert .NET developer and that you have keen insight into the very 
foundation of the platform in order to know unequivocally that it should not be 
used under any circumstances.   Please give us some code examples of your .NET 
projects where it failed so miserably, even given your expertise, and then 
provide the "proper" secure solution in your magic TardWare solution.  
Certainly someone speaking with such authority on the matter can come up with 
examples in no time.  

Additionally, you've clearly performed migration engagements for these people 
you "advise."  Please let us know what the actual migration plan was, and how 
you have so brilliantly created a one-off cost migration path.  I'm really 
interested in the details about that.  I would particularly like to know what 
authentication infrastructure you would build to support secure 
enterprise-based services, your solution for client access and administration, 
and your overall network concepts.  Also, what is your preferred replacement 
for .NET again?  Details on your SDL process would be fantastic as well. 

You've got a great opportunity to really contribute to the industry by 
providing us with your qualifications and subsequent solutions to these 
problems, so I'm really looking forward to seeing what you have to say on the 
matter beyond "Symantec said we'd have this amount of growth, so I said that 
too, and I was almost right.  And since I was almost right, it is imperative to 
drop all Windows products and re-write all of your .NET code immediately 
because AV won't be able to keep up with it."

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
Sent: Saturday, May 15, 2010 1:07 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Windows' future (reprise)

Is that you, Bill?

I think you misunderstand.  9 months ago, I measured the growth rate at 243%, 
using Symantec's stats.  9 months ago I posted that number here, together with 
a prediction of this year's stats.  Recently, I got this year's stats and 
compared them with that prediction.  I found that this prediction was 75.4% 
accurate.  I am now reporting those results back to the group.  And this is 
trolling how?

My point is that the prediction was not wildly wrong, and so that leads me to 
wonder if anything else I said, 9 months ago, was also not wildly wrong.

My main reason for claiming that Windows is inherently insecure is because it's 
closed source.  However it's also because of the sloppy, monolithic spaghetti 
code that Windows is made of.  If you're claiming Windows is in fact inherently 
secure, I assume this means you don't use AV on any of your Windows machines, 
and advise everyone you know to uninstall it?

I never said migration would be free or easy.  That is why I am posting this 
data here, because I see it as a vulnerability, a very big vulnerability that 
many companies have not woken up to.  The very fact that migration is hard, 
lengthy, and expensive, means that the vulnerability is larger than ever.

Stu

On 15 May 2010 a

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread BMF
On Sat, May 15, 2010 at 7:40 AM, Thor (Hammer of God)
 wrote:
> I am constantly amazed at posts like this where you make yourself sound like 
> some sort of statistical genius because you were "able to predict" that since 
> last year was %243, that this year would be %243.  Wow.  Really?

I agree that the post is a bit pompous...however:

> And for the record, these claims of 'inherent insecurity' in Windows are 
> simply ignorant.  If you are still running Windows 95 that's your problem.  
> Do a little research before posting assertions based on 10 or 20 year old issues.


> This smacks of the classic troll, where you say things like "nothing that 
> Microsoft makes is secure and it never will be"

But...it is true that nothing Microsoft (or anyone, perhaps) makes is
secure. And given that Microsoft has a decades long history of far
worse than industry average security I think it is pretty reasonable
to surmise that Windows will never be secure.

> and then go on to say how easy it is to migrate, and how it's free, with only 
> a one off cost, and how to move off of .NET.

We migrated. With only a one off cost. Been a few years now. Business
is looking good.

> Obvious "predictions," ignorant assumptions, and a total lack of any true 
> understanding of business computing.  Yep, "troll."

Trollish but not entirely wrong.

BMF



Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Jeffrey Walton
> My main reason for claiming that Windows is inherently insecure is
> because it's closed source.
As opposed to crowd sourcing, which some claim is inherently more
secure because more [uneducated] eyes review the source code? This is
along the lines of, 'Linux does not get viruses' argument. Give me a
break...

On Sat, May 15, 2010 at 4:06 PM, lsi  wrote:
> Is that you, Bill?
>
> I think you misunderstand.  9 months ago, I measured the growth rate
> at 243%, using Symantec's stats.  9 months ago I posted that number
> here, together with a prediction of this year's stats.  Recently, I
> got this year's stats and compared them with that prediction.  I
> found that this prediction was 75.4% accurate.  I am now reporting
> those results back to the group.  And this is trolling how?
>
> My point is that the prediction was not wildly wrong, and so that
> leads me to wonder if anything else I said, 9 months ago, was also
> not wildly wrong.
>
> My main reason for claiming that Windows is inherently insecure is
> because it's closed source.  However it's also because of the sloppy,
> monolithic spaghetti code that Windows is made of.  If you're
> claiming Windows is in fact inherently secure, I assume this means
> you don't use AV on any of your Windows machines, and advise everyone
> you know to uninstall it?
>
> I never said migration would be free or easy.  That is why I am
> posting this data here, because I see it as a vulnerability, a very
> big vulnerability that many companies have not woken up to.  The very
> fact that migration is hard, lengthy, and expensive, means that the
> vulnerability is larger than ever.
>
> Stu
>
> On 15 May 2010 at 14:40, Thor (Hammer of God) wrote:
>
> From:                   "Thor (Hammer of God)" 
> To:                     "full-disclosure@lists.grok.org.uk" 
> Date sent:              Sat, 15 May 2010 14:40:29 +0000
> Subject:                Re: [Full-disclosure] Windows' future (reprise)
>
>> I am constantly amazed at posts like this where you make yourself sound like 
>> some sort of statistical genius because you were "able to predict" that 
>> since last year was %243, that this year would be %243.  Wow.  Really?
>>
>> And for the record, these claims of 'inherent insecurity' in Windows are 
>> simply ignorant.  If you are still running Windows 95 that's your problem.  
>> Do a little research before posting assertions based on 10 or 20 year old 
>> issues.
>>
>> This smacks of the classic troll, where you say things like "nothing that 
>> Microsoft makes is secure and it never will be" and then go on to say how 
>> easy it is to migrate, and how it's free, with only a one off cost, and how 
>> to move off of .NET.
>>
>> Obvious "predictions," ignorant assumptions, and a total lack of any true 
>> understanding of business computing.  Yep, "troll."
>>
>> t
>>
>> [SNIP]



Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread lsi
An interesting point - Unicode?  

I don't think 5Mb files are infeasible, especially as time passes, 
that'll be just a blip before long.

Stu

On 15 May 2010 at 14:59, Christian Sciberras wrote:

Date sent:  Sat, 15 May 2010 14:59:46 +0100
Subject:    Re: [Full-disclosure] Windows' future (reprise)
From:   Christian Sciberras 
To: stu...@cyberdelix.net

> In a nutshell, I disagree. For one thing, that many variants would exhaust
> the number of combinations per malware, unless we are talking about malware
> in excess of 5 Mb.
> I'm not disagreeing with the prediction of an increase, nor for a
> possibility of a grim future for windows. I'm just saying that at those
> numbers, there is more probability of a (very) wrong prediction.
> 
> Cheers.
> 
> 
> 
> 
> 
> 
> On Sat, May 15, 2010 at 2:11 PM, lsi  wrote:
> 
> > Hi All!
> >
> > Just a followup from my posting of 9 months ago (which can be found
> > here):
> >
> > http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg37173.html
> >
> > Symantec have released "Internet Security Threat Report: Volume XV:
> > April 2010".  My posting from last year was based on the previous
> > "Internet Security Threat Report: Volume XIV: April 2009".  So I
> > thought it would be interesting to check my numbers.  The new edition
> > of the Threat Report is here:
> >
> > http://www4.symantec.com/Vrt/wl?tu_id=SUKX1271711282503126202
> >
> > You may recall that last year, the average annual growth rate of new
> > threats (as defined by Symantec) was 243%.  This enabled me to
> > predict that the number of new threats in this year's Symantec Threat
> > Report would be 243% of last year's; e.g. I predicted 9 months ago the
> > number of new threats in this year's Symantec Threat Report would be
> > 243% * 1656227, or 3840485.87.
> >
> > The actual number of new threats in this year's Symantec Threat
> > Report is 2895802, an error on my part of 24.6%.
> >
> > This is quite a chunk, however it is not that far off.  My excuses:
> >
> > - my number was based on averages, so it will never be exact.  There
> > will be a natural variance in the growth rate, caused by many
> > factors.
> >
> > - in the new edition, Symantec have altered the raw data a little -
> > the number of new threats for 2009, 2008, 2007 etc is slightly
> > different to those same years, as listed in the previous version of
> > the report.  I have not updated my projection to allow for this.
> >
> > - Symantec note that "The slight decline in the rate of growth should
> > not discount the significant number of new signatures created in
> > 2009. Signature-based detection is lagging behind the creation of
> > malicious threats..." (page 48).
> >
> > Am I retreating from my position?  Absolutely not.  I am now
> > expecting the number of new threats in next years' report to be
> > 7036798.86. This is 2895802 * 243%.  This includes the error
> > introduced by Symantec's changes to the raw data.  I don't think it
> > matters much.
> >
> > As this flood of new threats will soon overpower AV companies'
> > ability to catalogue them (by 2015, at 243% growth, there will be
> > 2.739 MILLION new threats PER DAY (over 1900 new threats per
> > minute)), and as Symantec admits above that "signature-based
> > detection is lagging", and as Microsoft are not likely to produce a
> > secure version of anything anytime soon, I am not at all hopeful of a
> > clean resolution to this problem.
> >
> > I continue to advise that users should, where possible, deploy
> > alternatives; that they should, if they have not already, create and
> > action a migration strategy; and that they should avoid like the
> > plague, any software which locks them into a Microsoft platform.
> > Business .NET applications, I'm lookin' at you.
> >
> > Those failing to migrate will discover their hardware runs slower and
> > slower, while doing the same job as it did previously.  They will
> > need to take this productivity hit, OR buy a new computer, which will
> > also eventually succumb to the same increasing slowness.  They will
> > need to buy new machines more and more frequently.  Eventually, they
> > will run out of money - or, for the especially deep-pocketed, they
> > will find they cannot deploy the new machines fast enough, before
> > they are already too slow to use.  The only alternative to this
> > treadmill is to dump Windows.  The sooner it i
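
The growth-rate arithmetic from Stu's posts (the 243% average of the y(n+1)/y(n) ratios, the 24.6% error against the reported count, and "next year = this year * 243%"), written out as an added example that is not part of any message in this thread. The constructed count series and the geometric-mean comparison are additions that go beyond the posts: they show why an arithmetic average of yearly ratios overstates compound growth, which matters when such a number is used to size detection capacity years ahead.

```python
"""Growth-rate projection of the kind described in the thread.

Added example, not the poster's own code or spreadsheet.  It implements
the method the post describes: year-over-year ratios y(n+1)/y(n), their
arithmetic mean (the quoted 243%), and "next year = this year * mean".
The geometric-mean comparison and the per-day figures go beyond the post.
"""
from math import prod

# The six year-over-year ratios the post averages: (0.92 + ... + 2.65) / 6.
POSTED_RATIOS = [0.92, 3.67, 1.64, 1.24, 4.44, 2.65]

# Figures quoted from the post: the prediction made for this year's report
# and the count of new threats the report actually gave.
PREDICTED_2009 = 3840485.87
ACTUAL_2009 = 2895802


def yoy_ratios(counts):
    """Return y(n+1) / y(n) for each consecutive pair of annual counts."""
    if len(counts) < 2:
        raise ValueError("need at least two annual counts")
    if any(c <= 0 for c in counts):
        raise ValueError("counts must be positive to form ratios")
    return [later / earlier for earlier, later in zip(counts, counts[1:])]


def arithmetic_mean_ratio(ratios):
    """The post's growth rate: a plain average of the yearly ratios."""
    return sum(ratios) / len(ratios)


def geometric_mean_ratio(ratios):
    """Compound rate: the single yearly factor that reproduces the total
    growth over the period.  It is never larger than the arithmetic mean,
    so multi-year projections built on the arithmetic mean run hot."""
    return prod(ratios) ** (1.0 / len(ratios))


def project(latest, rate, years=1):
    """Apply a yearly growth factor for the given number of years."""
    if years < 0:
        raise ValueError("cannot project into the past")
    return latest * rate ** years


def relative_error(predicted, actual):
    """Error as a fraction of the prediction, the way the post reports
    24.6% ('75.4% accurate' is one minus this value)."""
    return abs(predicted - actual) / predicted


def projection_summary(latest, ratios, years):
    """Project `years` ahead under both averaging rules and report the
    resulting annual and per-day counts side by side."""
    summary = {}
    for name, rate in (("arithmetic", arithmetic_mean_ratio(ratios)),
                       ("geometric", geometric_mean_ratio(ratios))):
        annual = project(latest, rate, years)
        summary[name] = {"rate": rate, "annual": annual,
                         "per_day": annual / 365}
    return summary


if __name__ == "__main__":
    rate = arithmetic_mean_ratio(POSTED_RATIOS)
    print(f"mean ratio   : {rate:.4f}  (~{rate * 100:.0f}%)")
    print(f"2009 error   : {relative_error(PREDICTED_2009, ACTUAL_2009):.1%}")
    print(f"next year    : {project(ACTUAL_2009, 2.43):,.2f}")
    # Constructed annual series (not Symantec's data) whose ratios come
    # out close to the six posted ones, to show the ratio step itself.
    series = [100, 92, 338, 554, 687, 3050, 8082]
    print("ratios       :", [round(r, 2) for r in yoy_ratios(series)])
    for name, row in projection_summary(ACTUAL_2009, POSTED_RATIOS, 6).items():
        print(f"{name:12}: x{row['rate']:.2f}/yr -> "
              f"{row['annual']:,.0f}/yr, {row['per_day']:,.0f}/day six years on")
```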

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread lsi
Is that you, Bill?

I think you misunderstand.  9 months ago, I measured the growth rate 
at 243%, using Symantec's stats.  9 months ago I posted that number 
here, together with a prediction of this year's stats.  Recently, I 
got this year's stats and compared them with that prediction.  I 
found that this prediction was 75.4% accurate.  I am now reporting 
those results back to the group.  And this is trolling how?

My point is that the prediction was not wildly wrong, and so that 
leads me to wonder if anything else I said, 9 months ago, was also 
not wildly wrong.

My main reason for claiming that Windows is inherently insecure is 
because it's closed source.  However it's also because of the sloppy, 
monolithic spaghetti code that Windows is made of.  If you're 
claiming Windows is in fact inherently secure, I assume this means 
you don't use AV on any of your Windows machines, and advise everyone 
you know to uninstall it?

I never said migration would be free or easy.  That is why I am 
posting this data here, because I see it as a vulnerability, a very 
big vulnerability that many companies have not woken up to.  The very 
fact that migration is hard, lengthy, and expensive, means that the 
vulnerability is larger than ever.

Stu

On 15 May 2010 at 14:40, Thor (Hammer of God) wrote:

From:       "Thor (Hammer of God)" 
To:         "full-disclosure@lists.grok.org.uk" 
Date sent:  Sat, 15 May 2010 14:40:29 +0000
Subject:    Re: [Full-disclosure] Windows' future (reprise)

> I am constantly amazed at posts like this where you make yourself sound like 
> some sort of statistical genius because you were "able to predict" that since 
> last year was %243, that this year would be %243.  Wow.  Really?
> 
> And for the record, these claims of 'inherent insecurity' in Windows are 
> simply ignorant.  If you are still running Windows 95 that's your problem.  
> Do a little research before posting assertions based on 10 or 20 year old issues.
> 
> This smacks of the classic troll, where you say things like "nothing that 
> Microsoft makes is secure and it never will be" and then go on to say how 
> easy it is to migrate, and how it's free, with only a one off cost, and how 
> to move off of .NET.
> 
> Obvious "predictions," ignorant assumptions, and a total lack of any true 
> understanding of business computing.  Yep, "troll."
> 
> t
> 
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
> Sent: Saturday, May 15, 2010 6:12 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Windows' future (reprise)
> 
> Hi All!
> 
> Just a followup from my posting of 9 months ago (which can be found
> here):
> 
> http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg37173.html
> 
> Symantec have released "Internet Security Threat Report: Volume XV: 
> April 2010".  My posting from last year was based on the previous "Internet 
> Security Threat Report: Volume XIV: April 2009".  So I thought it would be 
> interesting to check my numbers.  The new edition of the Threat Report is 
> here:
> 
> http://www4.symantec.com/Vrt/wl?tu_id=SUKX1271711282503126202
> 
> You may recall that last year, the average annual growth rate of new threats 
> (as defined by Symantec) was 243%.  This enabled me to predict that the 
> number of new threats in this year's Symantec Threat Report would be 243% of 
> last year's; e.g. I predicted 9 months ago the number of new threats in this 
> year's Symantec Threat Report would be 243% * 1656227, or 3840485.87.
> 
> The actual number of new threats in this year's Symantec Threat Report is 
> 2895802, an error on my part of 24.6%.
> 
> This is quite a chunk, however it is not that far off.  My excuses:
> 
> - my number was based on averages, so it will never be exact.  There will be 
> a natural variance in the growth rate, caused by many factors.
> 
> - in the new edition, Symantec have altered the raw data a little - the 
> number of new threats for 2009, 2008, 2007 etc is slightly different to those 
> same years, as listed in the previous version of the report.  I have not 
> updated my projection to allow for this.
> 
> - Symantec note that "The slight decline in the rate of growth should not 
> discount the significant number of new signatures created in 2009. 
> Signature-based detection is lagging behind the creation of malicious 
> threats..." (page 48).
> 
> Am I retreating from my position?  Absolutely not.  I am now expecting the 
> number of new threats in n

Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Thor (Hammer Of God)
That kind of goes for everything, doesn't it?

T



On May 15, 2010, at 10:32 AM, Peter Besenbruch  wrote:

> On Sat, 15 May 2010 14:40:29 +
> "Thor (Hammer of God)"  wrote:
>
>> And for the record, these claims of 'inherent insecurity' in Windows
>> are simply ignorant.  If you are still running Windows 95 that's your
>> problem.  Do a little research before posting assertions based on 10 or
>> 20 year old issues.
>
> To be fair to the original poster, there are activities that I  
> wouldn't
> want to do on a Windows machine, and if you read Brian Krebs' blog,  
> the
> same goes double for small businesses: Online banking comes to mind.
>
> -- 
> Hawaiian Astronomical Society: http://www.hawastsoc.org
> HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Peter Besenbruch
On Sat, 15 May 2010 14:40:29 +
"Thor (Hammer of God)"  wrote:

> And for the record, these claims of 'inherent insecurity' in Windows
> are simply ignorant.  If you are still running Windows 95 that's your
> problem.  Do a little research before posting assertions based on 10 or
> 20 year old issues.

To be fair to the original poster, there are activities that I wouldn't
want to do on a Windows machine, and if you read Brian Krebs' blog, the
same goes double for small businesses: Online banking comes to mind.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky



Re: [Full-disclosure] Windows' future (reprise)

2010-05-15 Thread Thor (Hammer of God)
I am constantly amazed at posts like this where you make yourself sound like 
some sort of statistical genius because you were "able to predict" that since 
last year was %243, that this year would be %243.  Wow.  Really?

And for the record, these claims of 'inherent insecurity' in Windows are simply 
ignorant.  If you are still running Windows 95 that's your problem.  Do a 
little research before posting assertions based on 10 or 20 year old issues.

This smacks of the classic troll, where you say things like "nothing that 
Microsoft makes is secure and it never will be" and then go on to say how easy 
it is to migrate, and how it's free, with only a one off cost, and how to move 
off of .NET.

Obvious "predictions," ignorant assumptions, and a total lack of any true 
understanding of business computing.  Yep, "troll."

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of lsi
Sent: Saturday, May 15, 2010 6:12 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Windows' future (reprise)

Hi All!

Just a followup from my posting of 9 months ago (which can be found
here):

http://www.mail-archive.com/full-disclosure@lists.grok.org.uk/msg37173.html

Symantec have released "Internet Security Threat Report: Volume XV: 
April 2010".  My posting from last year was based on the previous "Internet 
Security Threat Report: Volume XIV: April 2009".  So I thought it would be 
interesting to check my numbers.  The new edition of the Threat Report is here:

http://www4.symantec.com/Vrt/wl?tu_id=SUKX1271711282503126202

You may recall that last year, the average annual growth rate of new threats 
(as defined by Symantec) was 243%.  This enabled me to predict that the number 
of new threats in this year's Symantec Threat Report would be 243% of last 
year's; e.g. I predicted 9 months ago the number of new threats in this year's 
Symantec Threat Report would be 243% * 1656227, or 3840485.87.

The actual number of new threats in this year's Symantec Threat Report is 
2895802, an error on my part of 24.6%.

This is quite a chunk, however it is not that far off.  My excuses:

- my number was based on averages, so it will never be exact.  There will be a 
natural variance in the growth rate, caused by many factors.

- in the new edition, Symantec have altered the raw data a little - the number 
of new threats for 2009, 2008, 2007 etc is slightly different to those same 
years, as listed in the previous version of the report.  I have not updated my 
projection to allow for this.

- Symantec note that "The slight decline in the rate of growth should not 
discount the significant number of new signatures created in 2009. 
Signature-based detection is lagging behind the creation of malicious 
threats..." (page 48).

Am I retreating from my position?  Absolutely not.  I am now expecting the 
number of new threats in next year's report to be 7036798.86. This is 2895802 * 
243%.  This includes the error introduced by Symantec's changes to the raw 
data.  I don't think it matters much.

As this flood of new threats will soon overpower AV companies' 
ability to catalogue them (by 2015, at 243% growth, there will be
2.739 MILLION new threats PER DAY (over 1900 new threats per minute)), and as 
Symantec admits above that "signature-based detection is lagging", and as 
Microsoft are not likely to produce a secure version of anything anytime soon, 
I am not at all hopeful of a clean resolution to this problem.

I continue to advise that users should, where possible, deploy alternatives; 
that they should, if they have not already, create and action a migration 
strategy; and that they should avoid like the plague, any software which locks 
them into a Microsoft platform.  
Business .NET applications, I'm lookin' at you.

Those failing to migrate will discover their hardware runs slower and slower, 
while doing the same job as it did previously.  They will need to take this 
productivity hit, OR buy a new computer, which will also eventually succumb to 
the same increasing slowness.  They will need to buy new machines more and more 
frequently.  Eventually, they will run out of money - or, for the especially 
deep-pocketed, they will find they cannot deploy the new machines fast enough, 
before they are already too slow to use.  The only alternative to this 
treadmill is to dump Windows.  The sooner it is dumped, the less money is 
wasted buying new hardware, simply to keep up with security-induced slowness.

Why spend all that time and money on a series of new Windows machines, without 
fixing the actual problem, which is the inherent insecurity of Windows?  People 
can spend the same time and money replacing Windows, and then they won't need 
to worry about the problem any more.  The difference is that sticking with 
Windows incurs ongoing and increasing costs, while a migration incurs a one-off 
cost.

I don't think it takes a genius t

Re: [Full-disclosure] windows future

2009-09-04 Thread Rohit Patnaik
As for businesses, any business of even medium size is going to have a
backup and recovery plan these days. Businesses will be less affected than
individuals because they'll have backups, and can restore from them if an
infection hits.

In any case, this still doesn't address my contention - that the actual
number of threats doesn't matter, because the vast majority of them are not
viable, in the sense that they attack vulnerabilities that have been
patched.  As long as users keep up with vendor patches (whether they're on
Windows or Linux) the number of threats that will affect them will remain
fairly constant over time.

-- Rohit Patnaik

On Fri, Sep 4, 2009 at 12:44 PM, lsi  wrote:

> > > - approximate date when number of NEW threats will reach 1 Billion:
> 2015
>
> > This is assuming an exponential growth model, when there's no realistic
> > reason to believe it to be so.
>
> The reason to believe the exponential model will remain valid, is
> that it is the model that is currently valid.  A different model will
> need to explain how the existing exponential curve is derailed.
>
> > There are however good reasons to expect
> > that the correct model is the "logistics curve" (slow growth at first,
> > a steep middle section, then flattening out asymptotic to a horizontal
> line).
>
> > For starters, new threats have to come from *somewhere* [...] From
> > whence will the 1 billion new threats in the 2015-16 span come from?
> > Who will create these,
>
> Did you see the link I posted to the "Evolvable Malware" PPT?
> Mutation will be automated.  Resistance is useless... ;)
>
> > and who will make money from them?
>
> Presumably, the same gangs who do so now.  They won't need to recruit
> billions of new coders to make their billions of new variants.  It'll
> all be generated overnight, by their botnet, which, when it's not
> sending spam, etc, will be "revectoring" itself, using the GP
> algorithms previously noted.
>
> > At what point will some of the marginal players leave
> > the game and find other avenues of making money?
>
> I answered this one already as well... they will leave soon after the
> number of vulnerable hosts starts to fall, which will happen either
> through mass extinction (due to malware overload) or due to redeployment
> with a Real OS.
>
> > [...]  A bigger danger here is if we start seeing *single* threats
> > that include a really good real-time polymorphism/obfuscator - *that*
> > could really suck.
>
> But Valdis old chap, that is exactly what the GP algorithms do, the
> proof-of-concept is already out there (see the GP PPT).
>
> > Interesting statistic - year before last, around 10% of all new computer
> > purchases were replacements for malware-infested boxes.  Just buying a
> new
> > one was easier/cheaper than trying to fix the old one for a lot of
> people.
>
> These numbers are probably skewed by some kind of newbie effect.
> Once you have had your machine for a while, as I'm sure you know,
> simply dumping it is not always an option.  Businesses, for example,
> may simply be unable to dump an old system, as it runs some legacy
> something, which just happens to be mission-critical.
>
> > Second interesting statistic - the vast majority of that 10% ended up
> using
> > the exact same operating system.
> >
> > So even when it's well past the 20% mark and the box is basically
> unusable,
> > they *still* don't run for the exit.
>
> They're newbies.  You wait till they've done that 5 times.  Then ask
> them, are you a happy bunny... and how much money have you spent, in
> total...
>
> - I have already decommissioned one server, due to malware growth -
> it was an old 486 machine, whose sole purpose was to serve AV updates
> for a client's LAN.  All went well for a few years, however the hard
> drive started to fill with signature updates.  So, I upgraded the
> drive, however due to a BIOS limitation (or was that NT4? FAT16?),
> the maximum size I could use was 2Gb.  That would have filled as
> well, except I moved the AV server software onto their main server
> (and proceeded to fill its disk instead, but that's another story) -
> and sent the old 486 to recycling...
>
> So this old server, you might think of course, it's a mere 486, to
> which I reply, and a canary is also a weakling.  That is why people
> put them in mines, because they are very sensitive to carbon monoxide
> levels, and drop dead well before humans do.  So when the canary
> dies, the mine is evacuated.
>
> This old server was a canary.  Its tight resource limits meant it was
> very sensitive to malware levels.  It dropped dead several years ago
> now. The NaN% on the Virus Bulletin site is another canary.  Sure,
> this can probably be fixed, weak coding you say - again, I say this
> weakness is merely the low-hanging fruit, the first victims of a
> rising tide, which is not even close to its peak.
>
> Stu
>
> ---
> Stuart Udall
> stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/
>
> ---
>  * Or

Re: [Full-disclosure] windows future

2009-09-04 Thread lsi
> > - approximate date when number of NEW threats will reach 1 Billion: 2015

> This is assuming an exponential growth model, when there's no realistic
> reason to believe it to be so.  

The reason to believe the exponential model will remain valid, is 
that it is the model that is currently valid.  A different model will 
need to explain how the existing exponential curve is derailed.

> There are however good reasons to expect
> that the correct model is the "logistics curve" (slow growth at first,
> a steep middle section, then flattening out asymptotic to a horizontal line).

> For starters, new threats have to come from *somewhere* [...] From
> whence will the 1 billion new threats in the 2015-16 span come from?
> Who will create these, 

Did you see the link I posted to the "Evolvable Malware" PPT?  
Mutation will be automated.  Resistance is useless... ;)

> and who will make money from them?

Presumably, the same gangs who do so now.  They won't need to recruit 
billions of new coders to make their billions of new variants.  It'll 
all be generated overnight, by their botnet, which, when it's not 
sending spam, etc, will be "revectoring" itself, using the GP 
algorithms previously noted.

> At what point will some of the marginal players leave
> the game and find other avenues of making money?

I answered this one already as well... they will leave soon after the 
number of vulnerable hosts starts to fall, which will happen either 
through mass extinction (due to malware overload) or due to redeployment 
with a Real OS.

> [...]  A bigger danger here is if we start seeing *single* threats
> that include a really good real-time polymorphism/obfuscator - *that*
> could really suck. 

But Valdis old chap, that is exactly what the GP algorithms do, the 
proof-of-concept is already out there (see the GP PPT).

> Interesting statistic - year before last, around 10% of all new computer
> purchases were replacements for malware-infested boxes.  Just buying a new
> one was easier/cheaper than trying to fix the old one for a lot of people.

These numbers are probably skewed by some kind of newbie effect.  
Once you have had your machine for a while, as I'm sure you know, 
simply dumping it is not always an option.  Businesses, for example,
may simply be unable to dump an old system, as it runs some legacy 
something, which just happens to be mission-critical.

> Second interesting statistic - the vast majority of that 10% ended up using
> the exact same operating system.
> 
> So even when it's well past the 20% mark and the box is basically unusable,
> they *still* don't run for the exit.

They're newbies.  You wait till they've done that 5 times.  Then ask 
them, are you a happy bunny... and how much money have you spent, in 
total...

- I have already decommissioned one server, due to malware growth - 
it was an old 486 machine, whose sole purpose was to serve AV updates 
for a client's LAN.  All went well for a few years, however the hard 
drive started to fill with signature updates.  So, I upgraded the 
drive, however due to a BIOS limitation (or was that NT4? FAT16?), 
the maximum size I could use was 2Gb.  That would have filled as 
well, except I moved the AV server software onto their main server 
(and proceeded to fill its disk instead, but that's another story) - 
and sent the old 486 to recycling...

So this old server, you might think of course, it's a mere 486, to 
which I reply, and a canary is also a weakling.  That is why people 
put them in mines, because they are very sensitive to carbon monoxide 
levels, and drop dead well before humans do.  So when the canary 
dies, the mine is evacuated.  

This old server was a canary.  Its tight resource limits meant it was 
very sensitive to malware levels.  It dropped dead several years ago 
now. The NaN% on the Virus Bulletin site is another canary.  Sure, 
this can probably be fixed, weak coding you say - again, I say this 
weakness is merely the low-hanging fruit, the first victims of a 
rising tide, which is not even close to its peak.  

Stu

---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)



Re: [Full-disclosure] windows future

2009-09-04 Thread Rohit Patnaik
And that's also ignoring the fact that you don't have to scan for things 
that you know you're not exposed/vulnerable to. For example, I don't 
take precautions against Feline Immunodeficiency Virus, because I know 
it can't infect humans. I also don't take precautions against Ebola or 
Smallpox because the chance I'd be exposed to them is vanishingly small.

In the same way, I don't worry about IIS threats - I'm not running an 
IIS server. I'm not worried about threats to Outlook - it's not my mail 
client.  I don't worry about boot sector virii from the late 80s/early 
90s - they're far too rare to spend time on.  Likewise, I don't care 
about threats against which I've already applied vendor patches or 
service packs.  The total number of threats may be growing 
exponentially, but once you factor in the growing immunity of my 
computer system to said threats, the number of outstanding threats 
(things for which I don't have immunity, and are capable of infecting my 
machine) drops to a much more manageable level.

--Rohit Patnaik

valdis.kletni...@vt.edu wrote:
> On Fri, 04 Sep 2009 15:46:19 BST, lsi said:
>
>   
>> - approximate date when number of NEW threats reached 1 Million: 2008
>>
>> - approximate date when number of NEW threats will reach 1 Billion: 2015
>>
>> - approximate date when number of NEW threats will reach 2 Billion: 2016
>> 
>
> This is assuming an exponential growth model, when there's no realistic
> reason to believe it to be so.  There are however good reasons to expect
> that the correct model is the "logistics curve" (slow growth at first,
> a steep middle section, then flattening out asymptotic to a horizontal line).
>
> For starters, new threats have to come from *somewhere*, and there's only
> a limited supply of dark-side code hackers, and a limited supply of people
> worth fleecing (sure, OLPC may distribute 100M laptops - but those are going 
> to
> people who can't be monetized easily).  From whence will the 1 billion
> new threats in the 2015-16 span come from? Who will create these, and who will
> make money from them?  At what point will some of the marginal players leave
> the game and find other avenues of making money?  Remember - if the threat
> pool is 100,000, and you have 1,000 threats, you have 1% of the market, and
> can probably live well off that 1% if monetized.  But if you have 1,000 
> threats
> in a pool of a billion, you're a marginal player and not likely to get rich
> fast doing that.
>
>   
>> - charts showing this: 
>> http://www.cyberdelix.net/files/malware_mutation_projection.pdf
>>
>> - will the AV companies be able to classify 1 billion new threats per 
>> year? that is 2.739 MILLION new threats per DAY (over 1900 new 
>> threats per minute).
>>
>> - will your computer cope with scanning every EXE, DLL, PIF etc 1 
>> billion times, every time you use them?
>> 
>
> You don't have to scan it a billion times. You need to scan it *once* for
> one billion attacks.  And proper pattern-matching should help a lot here - 
> quite
> often, you'll have 2,934 exploit codes in the wild, all using the same attack
> code lifted from Metasploit or milw0rm or whatever.  So only one check is
> needed.  A bigger danger here is if we start seeing *single* threats that
> include a really good real-time polymorphism/obfuscator - *that* could really
> suck.
>
>   
>> - aside from the theoretical limits imposed by hardware and software, 
>> there is one extra limit, imposed by users.  Users will not tolerate 
>> machines operating slowly, and will seek alternative platforms well 
>> before 100% CPU utilisation (either as a direct result of the size of 
>> the blacklist, or indirectly caused by swapping due to low RAM).  
>> This user limit might be lower than 20% CPU utilisation.  If users 
>> figure out that 20% of their time is being wasted, and rising fast, 
>> they will run for the exit.
>> 
>
> Interesting statistic - year before last, around 10% of all new computer
> purchases were replacements for malware-infested boxes.  Just buying a new
> one was easier/cheaper than trying to fix the old one for a lot of people.
>
> Second interesting statistic - the vast majority of that 10% ended up using
> the exact same operating system.
>
> So even when it's well past the 20% mark and the box is basically unusable,
> they *still* don't run for the exit.
>   
> 
>



Re: [Full-disclosure] windows future

2009-09-04 Thread Valdis . Kletnieks
On Fri, 04 Sep 2009 15:46:19 BST, lsi said:

> - approximate date when number of NEW threats reached 1 Million: 2008
> 
> - approximate date when number of NEW threats will reach 1 Billion: 2015
> 
> - approximate date when number of NEW threats will reach 2 Billion: 2016

This is assuming an exponential growth model, when there's no realistic
reason to believe it to be so.  There are however good reasons to expect
that the correct model is the "logistics curve" (slow growth at first,
a steep middle section, then flattening out asymptotic to a horizontal line).

For starters, new threats have to come from *somewhere*, and there's only
a limited supply of dark-side code hackers, and a limited supply of people
worth fleecing (sure, OLPC may distribute 100M laptops - but those are going to
people who can't be monetized easily).  From whence will the 1 billion
new threats in the 2015-16 span come from? Who will create these, and who will
make money from them?  At what point will some of the marginal players leave
the game and find other avenues of making money?  Remember - if the threat
pool is 100,000, and you have 1,000 threats, you have 1% of the market, and
can probably live well off that 1% if monetized.  But if you have 1,000 threats
in a pool of a billion, you're a marginal player and not likely to get rich
fast doing that.

> - charts showing this: 
> http://www.cyberdelix.net/files/malware_mutation_projection.pdf
> 
> - will the AV companies be able to classify 1 billion new threats per 
> year? that is 2.739 MILLION new threats per DAY (over 1900 new 
> threats per minute).
> 
> - will your computer cope with scanning every EXE, DLL, PIF etc 1 
> billion times, every time you use them?

You don't have to scan it a billion times. You need to scan it *once* for
one billion attacks.  And proper pattern-matching should help a lot here - quite
often, you'll have 2,934 exploit codes in the wild, all using the same attack
code lifted from Metasploit or milw0rm or whatever.  So only one check is
needed.  A bigger danger here is if we start seeing *single* threats that
include a really good real-time polymorphism/obfuscator - *that* could really
suck.

> - aside from the theoretical limits imposed by hardware and software, 
> there is one extra limit, imposed by users.  Users will not tolerate 
> machines operating slowly, and will seek alternative platforms well 
> before 100% CPU utilisation (either as a direct result of the size of 
> the blacklist, or indirectly caused by swapping due to low RAM).  
> This user limit might be lower than 20% CPU utilisation.  If users 
> figure out that 20% of their time is being wasted, and rising fast, 
> they will run for the exit.

Interesting statistic - year before last, around 10% of all new computer
purchases were replacements for malware-infested boxes.  Just buying a new
one was easier/cheaper than trying to fix the old one for a lot of people.

Second interesting statistic - the vast majority of that 10% ended up using
the exact same operating system.

So even when it's well past the 20% mark and the box is basically unusable,
they *still* don't run for the exit.


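The one-pass scan Valdis describes above (scan the file *once* against the whole signature set and let the pattern matcher do the work), as an added example. This is constructed illustration code, not anything from the thread or from any AV product: it builds an Aho-Corasick automaton over a handful of made-up signature strings, scans a made-up sample buffer, and counts the automaton's steps so you can see that the work per input byte stays bounded (at most one transition plus one failure-link hop per byte, so never more than twice the input length) however many signatures are loaded. The signature names, the junk-signature generator and the sample text are all constructed for the demonstration; a naive per-signature `find` loop is included only to confirm both approaches report the same hits.

```python
from collections import deque

# Constructed signatures for the demonstration (not real malware signatures).
# Three of them overlap so that the failure links actually matter.
SIGNATURES = {
    "SIG.A": b"drop_and_run",
    "SIG.B": b"and_run_fast",
    "SIG.C": b"run",
}
# Constructed sample "file" contents.
SAMPLE = b"hello drop_and_run_fast world"


class SignatureScanner:
    """Aho-Corasick automaton over a set of byte-string signatures."""

    def __init__(self, signatures):
        self.goto = [{}]      # per state: next byte -> state
        self.fail = [0]       # per state: longest proper suffix that is also a prefix
        self.out = [set()]    # per state: names of signatures that end here
        self.length = {name: len(p) for name, p in signatures.items()}
        for name, pattern in signatures.items():
            self._add(name, pattern)
        self._link()

    def _add(self, name, pattern):
        # Insert one signature into the trie.
        state = 0
        for b in pattern:
            if b not in self.goto[state]:
                self.goto[state][b] = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
            state = self.goto[state][b]
        self.out[state].add(name)

    def _link(self):
        # Breadth-first pass computing failure links; depth-1 states fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A signature that is a suffix of this state's string also matches here.
                self.out[s] |= self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data):
        """One pass over data; returns (sorted (offset, name) hits, steps taken)."""
        state, hits, steps = 0, [], 0
        for i, b in enumerate(data):
            steps += 1
            while state and b not in self.goto[state]:
                state = self.fail[state]
                steps += 1
            state = self.goto[state].get(b, 0)
            for name in self.out[state]:
                hits.append((i - self.length[name] + 1, name))
        return sorted(hits), steps


def naive_scan(signatures, data):
    """The per-signature approach: one full pass over data for every signature."""
    hits = []
    for name, pattern in signatures.items():
        start = data.find(pattern)
        while start != -1:
            hits.append((start, name))
            start = data.find(pattern, start + 1)
    return sorted(hits)


def run_demo(extra_signatures=0):
    """Scan SAMPLE with the three signatures plus `extra_signatures` constructed
    non-matching ones; returns the hits and the automaton's step count."""
    sigs = dict(SIGNATURES)
    for k in range(extra_signatures):       # constructed filler signatures
        sigs[f"JUNK.{k}"] = f"junk-pattern-{k}".encode()
    hits, steps = SignatureScanner(sigs).scan(SAMPLE)
    assert hits == naive_scan(sigs, SAMPLE)  # same verdict, one pass instead of many
    return hits, steps


if __name__ == "__main__":
    for n in (0, 2000):
        hits, steps = run_demo(n)
        print(f"{3 + n} signatures: {len(hits)} hits, {steps} automaton steps "
              f"for {len(SAMPLE)} input bytes")
```

The step count answers the "scan it a billion times" worry: the input is walked once and the number of signatures only affects the size of the automaton, not the number of passes. It does nothing for the other point in the same paragraph, a signature set cannot keep up with code that rewrites itself on every copy, which is why the real-time polymorphism case is flagged there as the bigger danger.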

Re: [Full-disclosure] windows future

2009-09-04 Thread Thor (Hammer of God)
Studies show that 78.3% of all statistics are worthless.

t

> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-
> disclosure-boun...@lists.grok.org.uk] On Behalf Of Rohit Patnaik
> Sent: Friday, September 04, 2009 8:04 AM
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] windows future
>
> All this shows is that there's exponential growth in the number of
> *threats*. It doesn't give any data about the number of actual
> *infections*. I mean, it's quite possible that all these bits of malware
> are just targeting the same group of vulnerable Windows boxen, and
> they're just competing to conquer the same fixed base.
>
> After all, if you extrapolated from the exponential growth of maggots
> on
> a rotting carcass, you'd be predicting that the entire world would be
> covered in maggots not too far from the future.
>
> --Rohit Patnaik
> lsi wrote:
> > Hi All,
> >
> > Sorry for the delay, I had some urgent migration planning to attend
> > to ... ;)  Stats below.  Short version: evacuate.  Long version:
> >
> > - stats are in, exponential curve is real, see it for yourself here:
> >
> > http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
> >
> > (page 10)
> >
> > - I also added up the numbers at
> > http://www.virusbtn.com/resources/malwareDirectory/prevalence/index.xml?year=2009
> > ... exponential curve also visible, though I think their stats are
> > dodgy, their website is already suffering from math limits - it is
> > reporting current yearly stats as NaN% (Not A Number).
> >
> > - average rate of change per year (annual growth rate), calculated
> > from Symantec's chart: 243%
> >
> > - approximate date when number of NEW threats reached 1 Million: 2008
> >
> > - approximate date when number of NEW threats will reach 1 Billion:
> > 2015
> >
> > - approximate date when number of NEW threats will reach 2 Billion:
> > 2016
> >
> > - charts showing this:
> > http://www.cyberdelix.net/files/malware_mutation_projection.pdf
> >
> > - will the AV companies be able to classify 1 billion new threats per
> > year? that is 2.739 MILLION new threats per DAY (over 1900 new
> > threats per minute).
> >
> > - will your computer cope with scanning every EXE, DLL, PIF etc 1
> > billion times, every time you use them?
> >
> > - aside from the theoretical limits imposed by hardware and software,
> > there is one extra limit, imposed by users.  Users will not tolerate
> > machines operating slowly, and will seek alternative platforms well
> > before 100% CPU utilisation (either as a direct result of the size of
> > the blacklist, or indirectly caused by swapping due to low RAM).
> > This user limit might be lower than 20% CPU utilisation.  If users
> > figure out that 20% of their time is being wasted, and rising fast,
> > they will run for the exit.
> >
> > - will you tolerate your machine constantly processing a list a
> > billion items long?
> >
> > - do you plan to, and can you afford to, upgrade your compute power
> > by 243%, every year?
> >
> > - will you do this, even though you know viable alternative platforms
> > exist, at less total cost to yourself?
> >
> > - if you're already irritated that AV is slowing down your machine,
> > consider that malware levels will be 500 times higher in approx 5
> > years (assuming growth rates continue at 243%). That means your AV
> > will be running 500 times slower.  Unless you upgrade your machine by
> > 500 x current (eg. to an effective speed of approx 1000 GHz), your
> > machine is going to slow down even more.  Given that chipmakers don't
> > seem to be able to get much past 5GHz, without melting the die, that
> > means you'll need 200 of today's processors, just for malware
> > filtering, by 2015.
> >
> > - Moore's Law says compute power doubles (200%) every 24 months.
> > However, malware is growing at 243% every 12 months.  Thus it is
> > already exceeding Moore's Law, by a massive margin.  I suspect this
> > means this race is unwinnable, and we should give up now, and devote
> > our resources to something sustainable.
> >
> > - how AV writers will generate 2.7 million new threats/day:
> >
> > "Evolvable Malware":
> > http://www.genetic-programming.org/hc2009/3-Noreen/Noreen-Presentation.ppt
> >
> > "A Field Gui

Re: [Full-disclosure] windows future

2009-09-04 Thread Rohit Patnaik
All this shows is that there's exponential growth in the number of 
*threats*. It doesn't give any data about the number of actual 
*infections*. I mean, it's quite possible that all these bits of malware 
are just targeting the same group of vulnerable Windows boxen, and 
they're just competing to conquer the same fixed base.

After all, if you extrapolated from the exponential growth of maggots on 
a rotting carcass, you'd be predicting that the entire world would be 
covered in maggots not too far from the future.

--Rohit Patnaik
lsi wrote:
> Hi All,
>
> Sorry for the delay, I had some urgent migration planning to attend 
> to ... ;)  Stats below.  Short version: evacuate.  Long version:
>
> - stats are in, exponential curve is real, see it for yourself here:
>
> http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf
>
> (page 10)
>
> - I also added up the numbers at 
> http://www.virusbtn.com/resources/malwareDirectory/prevalence/index.xml?year=2009
> ... exponential curve also visible, though I think their stats are 
> dodgy, their website is already suffering from math limits - it is 
> reporting current yearly stats as NaN% (Not A Number).
>
> - average rate of change per year (annual growth rate), calculated 
> from Symantec's chart: 243%
>
> - approximate date when number of NEW threats reached 1 Million: 2008
>
> - approximate date when number of NEW threats will reach 1 Billion: 
> 2015
>
> - approximate date when number of NEW threats will reach 2 Billion: 
> 2016
>
> - charts showing this: 
> http://www.cyberdelix.net/files/malware_mutation_projection.pdf
>
> - will the AV companies be able to classify 1 billion new threats per 
> year? that is 2.739 MILLION new threats per DAY (over 1900 new 
> threats per minute).
>
> - will your computer cope with scanning every EXE, DLL, PIF etc 1 
> billion times, every time you use them?
>
> - aside from the theoretical limits imposed by hardware and software, 
> there is one extra limit, imposed by users.  Users will not tolerate 
> machines operating slowly, and will seek alternative platforms well 
> before 100% CPU utilisation (either as a direct result of the size of 
> the blacklist, or indirectly caused by swapping due to low RAM).  
> This user limit might be lower than 20% CPU utilisation.  If users 
> figure out that 20% of their time is being wasted, and rising fast, 
> they will run for the exit.
>
> - will you tolerate your machine constantly processing a list a 
> billion items long?
>
> - do you plan to, and can you afford to, upgrade your compute power 
> by 243%, every year?
>
> - will you do this, even though you know viable alternative platforms 
> exist, at less total cost to yourself?
>
> - if you're already irritated that AV is slowing down your machine, 
> consider that malware levels will be 500 times higher in approx 5 
> years (assuming growth rates continue at 243%). That means your AV 
> will be running 500 times slower.  Unless you upgrade your machine by 
> 500 x current (eg. to an effective speed of approx 1000 GHz), your 
> machine is going to slow down even more.  Given that chipmakers don't 
> seem to be able to get much past 5GHz, without melting the die, that 
> means you'll need 200 of today's processors, just for malware 
> filtering, by 2015.
>
> - Moore's Law says compute power doubles (200%) every 24 months.  
> However, malware is growing at 243% every 12 months.  Thus it is 
> already exceeding Moore's Law, by a massive margin.  I suspect this 
> means this race is unwinnable, and we should give up now, and devote 
> our resources to something sustainable.
>
> - how AV writers will generate 2.7 million new threats/day: 
>
> "Evolvable Malware":
> http://www.genetic-programming.org/hc2009/3-Noreen/Noreen-Presentation.ppt
>
> "A Field Guide to Genetic Programming":
> http://www.gp-field-guide.org.uk/
>
> Wiki:
> http://en.wikipedia.org/wiki/Genetic_programming
>
> - the insecurity of Windows creates a public space, of sorts, an area 
> of common ground, with shared ownership - and this is thus 
> susceptible to the tragedy of the commons ... 
> http://en.wikipedia.org/wiki/Tragedy_of_the_commons ... so no, I 
> don't think malware authors will slow down the mutation rate, so as 
> to prolong the life of the platform, they do not work together.  As 
> Messagelabs puts it, "there's no honour amongst thieves" ... 
> http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf
>
> - the greenhouse emissions caused by billions of computers checking 
> billions of items for billions of malware are likely to be 
> measurable, and will increasingly erode the world's ability to meet 
> environmental targets
>
> - my own maths might be dodgy, please check it, spreadsheet: 
> http://www.cyberdelix.net/files/malware_mutation_projection.ods
>
> Stu
>
> On 28 Aug 2009 at 15:32, lsi wrote:
>
> From: "lsi" 
> To:   full-d

Re: [Full-disclosure] windows future

2009-09-04 Thread lsi
Hi All,

Sorry for the delay, I had some urgent migration planning to attend 
to ... ;)  Stats below.  Short version: evacuate.  Long version:

- stats are in, exponential curve is real, see it for yourself here:

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf

(page 10)

- I also added up the numbers at 
http://www.virusbtn.com/resources/malwareDirectory/prevalence/index.xml?year=2009
... exponential curve also visible, though I think their stats are 
dodgy, their website is already suffering from math limits - it is 
reporting current yearly stats as NaN% (Not A Number).

- average rate of change per year (annual growth rate), calculated 
from Symantec's chart: 243%

- approximate date when number of NEW threats reached 1 Million: 2008

- approximate date when number of NEW threats will reach 1 Billion: 
2015

- approximate date when number of NEW threats will reach 2 Billion: 
2016

- charts showing this: 
http://www.cyberdelix.net/files/malware_mutation_projection.pdf

- will the AV companies be able to classify 1 billion new threats per 
year? that is 2.739 MILLION new threats per DAY (over 1900 new 
threats per minute).

- will your computer cope with scanning every EXE, DLL, PIF etc 1 
billion times, every time you use them?

- aside from the theoretical limits imposed by hardware and software, 
there is one extra limit, imposed by users.  Users will not tolerate 
machines operating slowly, and will seek alternative platforms well 
before 100% CPU utilisation (either as a direct result of the size of 
the blacklist, or indirectly caused by swapping due to low RAM).  
This user limit might be lower than 20% CPU utilisation.  If users 
figure out that 20% of their time is being wasted, and rising fast, 
they will run for the exit.

- will you tolerate your machine constantly processing a list a 
billion items long?

- do you plan to, and can you afford to, upgrade your compute power 
by 243%, every year?

- will you do this, even though you know viable alternative platforms 
exist, at less total cost to yourself?

- if you're already irritated that AV is slowing down your machine, 
consider that malware levels will be 500 times higher in approx 5 
years (assuming growth rates continue at 243%). That means your AV 
will be running 500 times slower.  Unless you upgrade your machine by 
500 x current (eg. to an effective speed of approx 1000 GHz), your 
machine is going to slow down even more.  Given that chipmakers don't 
seem to be able to get much past 5GHz, without melting the die, that 
means you'll need 200 of today's processors, just for malware 
filtering, by 2015.

- Moore's Law says compute power doubles (200%) every 24 months.  
However, malware is growing at 243% every 12 months.  Thus it is 
already exceeding Moore's Law, by a massive margin.  I suspect this 
means this race is unwinnable, and we should give up now, and devote 
our resources to something sustainable.

- how AV writers will generate 2.7 million new threats/day: 

"Evolvable Malware":
http://www.genetic-programming.org/hc2009/3-Noreen/Noreen-Presentation.ppt

"A Field Guide to Genetic Programming":
http://www.gp-field-guide.org.uk/

Wiki:
http://en.wikipedia.org/wiki/Genetic_programming

- the insecurity of Windows creates a public space, of sorts, an area 
of common ground, with shared ownership - and this is thus 
susceptible to the tragedy of the commons ... 
http://en.wikipedia.org/wiki/Tragedy_of_the_commons ... so no, I 
don't think malware authors will slow down the mutation rate, so as 
to prolong the life of the platform, they do not work together.  As 
Messagelabs puts it, "there's no honour amongst thieves" ... 
http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf

- the greenhouse emissions caused by billions of computers checking 
billions of items for billions of malware are likely to be 
measurable, and will increasingly erode the world's ability to meet 
environmental targets

- my own maths might be dodgy, please check it, spreadsheet: 
http://www.cyberdelix.net/files/malware_mutation_projection.ods

Stu

On 28 Aug 2009 at 15:32, lsi wrote:

From:   "lsi" 
To: full-disclosure@lists.grok.org.uk
Date sent:  Fri, 28 Aug 2009 15:32:45 +0100 

> Thanks for the comments, indeed, the exponential issue arises due to 
> the use of blacklisting by current AV technologies, and a switch to 
> whitelisting could theoretically mitigate that, however, I'm not sure 
> that would work in practice, there are so many little bits of code 
> that execute, right down to tiny javascripts that check you've filled 
> in an online form correctly, and the user might be bombarded with 
> prompts.  Falling back on tweaks to user privileges and UAC prompts 
> is hardly fixing the problem.  The core problem is the platform is 
> inherently insecure, due to its development, licensing and marketing 
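The projection the figures in this post rest on, as an added example (not the author's spreadsheet or any code from the thread): it takes the post's stated inputs, roughly 1 million new threats in 2008, a 2.43x annual factor (the post's "243%", read with the same convention as its "200%" for doubling) and Moore's law doubling compute every 24 months, and computes the threshold years and how fast per-signature scanning load outgrows compute, assuming scanning work is proportional to the number of signatures.

```python
"""Projection of the thread's 'malware count vs. compute' argument.

Added example, not code from the original post.  Every figure below is the
result of this arithmetic on the post's approximate inputs, not a measurement.
"""
import math

# Inputs as stated in the post (approximate, read off the author's own chart).
BASE_YEAR = 2008
BASE_COUNT = 1_000_000          # new threats per year in BASE_YEAR
MALWARE_ANNUAL_FACTOR = 2.43    # "243%" per year, i.e. x2.43
MOORE_DOUBLING_MONTHS = 24      # "compute power doubles every 24 months"


def projected_count(year, base_count=BASE_COUNT, factor=MALWARE_ANNUAL_FACTOR,
                    base_year=BASE_YEAR):
    """New threats per year in `year` under constant exponential growth."""
    return base_count * factor ** (year - base_year)


def year_reaching(threshold, base_count=BASE_COUNT, factor=MALWARE_ANNUAL_FACTOR,
                  base_year=BASE_YEAR):
    """First calendar year in which the projected yearly count is >= threshold."""
    if factor <= 1.0:
        raise ValueError("growth factor must exceed 1 for the threshold to be reached")
    if base_count >= threshold:
        return base_year
    # n = log(threshold / base) / log(factor), rounded up to whole years.
    years = math.ceil(math.log(threshold / base_count) / math.log(factor))
    # Guard against floating-point rounding landing one year early.
    while projected_count(base_year + years, base_count, factor, base_year) < threshold:
        years += 1
    return base_year + years


def moore_annual_factor(doubling_months=MOORE_DOUBLING_MONTHS):
    """Annual compute growth implied by a doubling every `doubling_months`."""
    return 2.0 ** (12.0 / doubling_months)


def load_growth(years, malware_factor=MALWARE_ANNUAL_FACTOR, compute_factor=None):
    """Factor by which signature-scanning work per unit of compute grows over
    `years`, assuming work is proportional to the number of signatures."""
    if compute_factor is None:
        compute_factor = moore_annual_factor()
    return (malware_factor / compute_factor) ** years


def per_day_per_minute(per_year):
    """Spread a yearly count evenly over a 365-day year."""
    per_day = per_year / 365
    return per_day, per_day / (24 * 60)


if __name__ == "__main__":
    for threshold in (1_000_000_000, 2_000_000_000):
        print(f"{threshold:>13,} new threats/year reached in {year_reaching(threshold)}")
    day, minute = per_day_per_minute(1_000_000_000)
    print(f"1 billion/year is {day:,.0f}/day, {minute:,.0f}/minute")
    print(f"Moore's law annualised: x{moore_annual_factor():.3f} per year")
    for n in (1, 5, 7):
        print(f"scan load per unit of compute after {n} years: x{load_growth(n):.1f}")
```

Under these inputs the 1-billion and 2-billion marks fall in 2016 and 2017, a year later than the post's rounded dates, because the 2008 starting point is itself approximate.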

Re: [Full-disclosure] windows future

2009-08-31 Thread Valdis . Kletnieks
On Sun, 30 Aug 2009 01:09:55 BST, lsi said:

> The biological metaphor does suggest that Microsoft would take some 
> kind of evasive action, and I think their only option is to license 
> unix, just as Apple did (although Apple did it for different 
> reasons).  Doing this will solve many problems, they can keep their 
> proprietary interface and their reputation, and possibly even their 
> licensing and marketing models, while under the hood, unix saves the 
> day.

Unlikely to work - there's just Too Damned Many legacy binaries that have all
sorts of dependencies on undocumented quirks of the Windows APIs.  So you end
up needing to use a Wine-like shim to provide the API the binaries need - and
if the shim is good enough for the backward-combatable binaries, it's *also*
good enough for the malware to attack.  If IE9 has a bug and some Javascript
scribbles something into the 'Documents' folder, that Javascript really doesn't
care if it's a Documents folder on a real Windows box, or one that's in a
directory being managed by a shim on a Unix/Linux box.  All it cares about is
that it *behaves* like a Documents folder.

Hint:  If a Windows user's home directory is on a remote file share, it
really doesn't care if it's a Genuine Windows(TM) or a Samba share, does it?
Heck, it doesn't even know/care if its domain controller is Windows or Samba.
All it cares is that the file share and the DC *act* like Windows.

And unfortunately, that's true for both legitimate binaries and malware.



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] windows future

2009-08-30 Thread Elazar Broad

Like them or not, M$ has done quite a bit with its SDL[1], and,
though quite late in the game, the memory protection mechanisms in
Vista and Windows 7. As far as anti-virus software goes, it's
mostly useless[2][there was a recent article on signature lead
time, I can't find it for some reason] already.

[1] http://www.pcworld.com/businesscenter/blogs/bizfeed/167111/opinion_pigs_fly_microsoft_leads_in_security.html?tk=rss_news
[2] http://pcworld.about.com/od/virusesphishingspam/Botnets-Defeat-Most-Anti-Virus.htm

On Sat, 29 Aug 2009 20:09:55 -0400 lsi 
wrote:
> I'm saying that the world's malware authors, in their race to stay
> ahead of AV, are engaging in an uncoordinated, slow-motion DDOS of
> the world's AV systems.  They are flooding the blacklists, and this
> flooding is accelerating.  If it continues, the world's AV systems
> will be useless, as will be the machines they are protecting.
>
> Note, I have NOT gone off and compiled some stats, I've just noted an
> existing trend, and extrapolated it.  Here's an article from 2005,
> again, the numbers suggest an exponential curve.
> http://www.theregister.co.uk/2005/01/05/mcafee_avert_report/
>
> The biological metaphor does suggest that Microsoft would take some
> kind of evasive action, and I think their only option is to license
> unix, just as Apple did (although Apple did it for different
> reasons).  Doing this will solve many problems, they can keep their
> proprietary interface and their reputation, and possibly even their
> licensing and marketing models, while under the hood, unix saves the
> day.  They will need to eat some very humble pie, a few diehards
> might jump from Redmond's towers, and the clash of cultures will
> toast some excellent marshmallows... but they will save their
> business.  Do they have a choice?  Malware numbers are suggesting
> they don't.
>
> Licensing the solution suits Microsoft's business model (much easier
> for them to buy in a fix than build one, they tried that already),
> they did in fact do it many times previously, starting with a certain
> product called MS-DOS, and it means they can keep their customer
> base, they just sell them an upgrade which is in fact a completely
> new system - again, just as Apple did with OSX.
>
> Actually, I think the simplest thing for them to do would be to buy
> Apple, then they can rebadge OSX, instead of reinventing it.
>
> Stu
>
> On 28 Aug 2009 at 10:24, Rohit Patnaik wrote:
>
> Date sent: Fri, 28 Aug 2009 10:24:25 -0500
> From:      Rohit Patnaik 
> To:        full-disclosure@lists.grok.org.uk
> Subject:   Re: [Full-disclosure] windows future
>
> > I'm not sure I agree with the basic premise of this scenario. You're
> > suggesting that getting exposed to malware is some kind of
> > inevitability, and that eventually there will be enough different kinds
> > of malware that filtering them all will be impossible. I don't think
> > that's valid. Good browsing habits, running a firewall, and keeping your
> > machine updated will prevent almost all malware from even getting access
> > to your machine. Then all we have to worry about are the few bits of
> > code that are capable of getting through our defenses.
> >
> > To reiterate the biological analogy, we don't rely on antibiotics to
> > stop infection. We rely on good hygiene. In the same way, just as
> > increased biological infection rates led to a push for greater public
> > hygiene (e.g. indoor plumbing, closed sewers, etc.) we'll see a push for
> > greater computer hygiene as malware infection rates rise. Windows
> > already includes a firewall to prevent automated worm infections, and
> > Microsoft is working to harden network facing applications, as evidenced
> > by their recent decision to have IE run with limited privileges. As
> > malware becomes more virulent, the "immunity" of Windows will likewise
> > grow, putting a damper on any sort of exponential growth curve.
> >
> > --Rohit Patnaik
> >
> > lsi wrote:
> > > Thanks for the comments, indeed, the exponential issue arises due to
> > > the use of blacklisting by current AV technologies, and a switch to
> > > whitelisting could theoretically mitigate that, however, I'm not sure
> > > that would work in practice, there are so many little bits of code
> > > that execute, right down to tiny javascripts that check you've filled
> > > in an online form correctly, 

Re: [Full-disclosure] windows future

2009-08-30 Thread Elazar Broad

On Fri, 28 Aug 2009 16:34:27 -0400 Paul Schmehl
 wrote:
> --On Friday, August 28, 2009 13:40:28 -0500 Rohit Patnaik
> wrote:
>
> >
> > To be fair, Linux has come a very long way in that regard. I purchased
> > an Asus Eee 900 with Linux preinstalled, and everything worked right out
> > of the box. Flash, Java, OpenOffice, the works. It was a vindication of
> > my view that the real obstacle to Linux on the desktop isn't the user,
> > but rather the OEM.
> >
> > With low-cost, low-power netbooks becoming more prevalent, OEMs are
> > finding that the cost of the Windows license begins to take up a rather
> > high percentage of the overall cost.  Therefore, many are preinstalling
> > and preconfiguring Linux. At the same time, consumers are finding that
> > application incompatibilities don't really matter for them, since the
> > Linux equivalents are able to handle data coming from a Windows box with
> > a minimum of fuss.
>
> That's good news.  Once updating issues are resolved and Xorg becomes as good
> as Mac and Windows graphics (it's almost there now - it just doesn't quite have
> the "pop" or "wow factor" of Macs), the obstacles to migration (for the
> consumer) will be availability and the knowledge that an alternative exists.
> At that point I think we'll see Microsoft's market share begin eroding badly.

KDE4 is quite close, but it definitely requires a bit of
tweaking (or that might just be Slackware)...



Re: [Full-disclosure] windows future

2009-08-29 Thread Peter Ferrie
> I'm saying that the world's malware authors, in their race to stay
> ahead of AV, are engaging in an uncoordinated, slow-motion DDOS of
> the world's AV systems.  They are flooding the blacklists, and this
> flooding is accelerating.  If it continues, the world's AV systems
> will be useless, as will be the machines they are protecting.

You are extrapolating, based on an incorrect assumption - that
blacklists will exist forever.
When the number of bad files exceeds the number of good files, then
whitelists will reign instead.



Re: [Full-disclosure] windows future

2009-08-29 Thread lsi
I'm not saying malware will frighten users away, I am saying that 
malware will leave them no choice but to leave.  This is not a 
decision users make, they will not be able to buy a Windows computer, 
as they will no longer work.  Sure you can turn them on, but that's 
all.  Once you load up your AV, you'll have no RAM left to load 
Notepad.  Your CPU will be constantly processing AV updates and your 
disk will fill with AV sigs.  The machine will be unusable.

Also, there are software-imposed limits to malware filtering, as well 
as the hardware limits I mentioned earlier.  I can only think of one 
right now, and that is 32-bit integer math: I'm pretty sure once the 
number of mutations gets a bit past 2 billion, there will be problems 
with this, possibly mitigated, at a significant cost to performance, 
by using double integers, or by using 64-bit integers and dropping 
support for 32-bit machines (again, long term these approaches will 
also be exhausted).

Whitelisting ... my guess is that there will be trillions of 
legitimate pieces of code, and this list will also grow too large for 
the average computer to handle.

However, as noted in my other mail to Rohit, I think that before 
these limits are reached, Microsoft will bite the bullet and drop in 
a unix core.

Social engineering: yes, point taken, although, someone is still 
cranking out binaries, as per the original link I posted: 
http://www.theregister.co.uk/2009/08/13/malware_arms_race/ ... and to 
be honest, it doesn't matter if it's only one guy who pumps out 
trillions of mutations, it's still gonna DOS the AV.

I'm not commenting on Windows vs unix vs Mac, I didn't mean to start 
that thread, I'm just commenting on Windows, and how it appears to be 
holding a one-way ticket to oblivion.  Is that an iceberg, dead 
ahead?  The numbers are telling us that it is.

PS. Have you seen PC-BSD? :) http://www.pcbsd.org/ ... it's FreeBSD + 
KDE + sexy installer ... 

On 28 Aug 2009 at 16:45, Paul Schmehl wrote:

Date sent:  Fri, 28 Aug 2009 16:45:39 +
From:   Paul Schmehl 
To: full-disclosure@lists.grok.org.uk
Subject:Re: [Full-disclosure] windows future
Send reply to:  Paul Schmehl 

> --On Friday, August 28, 2009 09:32:45 -0500 lsi  wrote:
> >
> > The world will awaken from the 20+ year nightmare that was Windows,
> > made possible only by manipulative market practices, driven by greed,
> > and discover the only reason it was wracked with malware, was because
> > it had all its eggs in one basket.
> >
> 
> That's crazy talk.  I hate Windows as much as the next guy, but there's a
> reason they have such a large market share and it's not *just* manipulative
> market practices.  Most people outside the insular geek world use computers to
> perform tasks for them.  They think of the computer as a tool, and they expect
> it to do the job they want without getting in the way or requiring them to
> learn to count in hex.
>
> When someone else comes up with a system that has excellent graphics, runs
> Flash and other things without complaint, and "just works" without expecting
> them to lift the hood and diagnose problems, doesn't require them to install
> all sorts of "extras" to have a working system *and* is priced competitively
> with Windows, they will buy it.
>
> Macs are competitive with Windows in every category except one; price.  And by
> price I mean the cost of walking into a store and walking out with a working
> system.  Apple's biggest mistake has always been trying to "hoard" the hardware
> market for their OS - the same mistake Sun makes - which drives up the price
> and makes them less competitive.  Unix (really Linux mostly) is getting there
> but still has a ways to go.
>
> I say these things as a hard core Unix user who loves FreeBSD.  There are many
> reasons that I love FreeBSD and use it exclusively when I can, but things like
> making Flash work are not for the faint of heart.
>
> It won't be the malware that will drive people *away* from Windows (if it was
> they would have been driven away long ago), it will be the (dare I say it?)
> user friendliness of a system *and* price competitiveness that will *attract*
> buyers to it.
>
> BTW, your comments about crackers and ecosystems are several years behind.  The
> current "technology" crackers are using to great success is social
> engineering

Re: [Full-disclosure] windows future

2009-08-29 Thread lsi
I'm saying that the world's malware authors, in their race to stay 
ahead of AV, are engaging in an uncoordinated, slow-motion DDOS of 
the world's AV systems.  They are flooding the blacklists, and this 
flooding is accelerating.  If it continues, the world's AV systems 
will be useless, as will be the machines they are protecting.

Note, I have NOT gone off and compiled some stats, I've just noted an 
existing trend, and extrapolated it.  Here's an article from 2005, 
again, the numbers suggest an exponential curve. 
http://www.theregister.co.uk/2005/01/05/mcafee_avert_report/

The biological metaphor does suggest that Microsoft would take some 
kind of evasive action, and I think their only option is to license 
unix, just as Apple did (although Apple did it for different 
reasons).  Doing this will solve many problems, they can keep their 
proprietary interface and their reputation, and possibly even their 
licensing and marketing models, while under the hood, unix saves the 
day.  They will need to eat some very humble pie, a few diehards 
might jump from Redmond's towers, and the clash of cultures will 
toast some excellent marshmallows... but they will save their 
business.  Do they have a choice?  Malware numbers are suggesting 
they don't.

Licensing the solution suits Microsoft's business model (much easier 
for them to buy in a fix than build one, they tried that already), 
they did in fact do it many times previously, starting with a certain 
product called MS-DOS, and it means they can keep their customer 
base, they just sell them an upgrade which is in fact a completely 
new system - again, just as Apple did with OSX.

Actually, I think the simplest thing for them to do would be to buy 
Apple, then they can rebadge OSX, instead of reinventing it.

Stu

On 28 Aug 2009 at 10:24, Rohit Patnaik wrote:

Date sent:  Fri, 28 Aug 2009 10:24:25 -0500
From:   Rohit Patnaik 
To: full-disclosure@lists.grok.org.uk
Subject:    Re: [Full-disclosure] windows future

> I'm not sure I agree with the basic premise of this scenario. You're 
> suggesting that getting exposed to malware is some kind of 
> inevitability, and that eventually there will be enough different kinds 
> of malware that filtering them all will be impossible. I don't think 
> that's valid. Good browsing habits, running a firewall, and keeping your 
> machine updated will prevent almost all malware from even getting access 
> to your machine. Then all we have to worry about are the few bits of 
> code that are capable of getting through our defenses.
> 
> To reiterate the biological analogy, we don't rely on antibiotics to 
> stop infection. We rely on good hygiene. In the same way, just as 
> increased biological infection rates led to a push for greater public 
> hygiene (e.g. indoor plumbing, closed sewers, etc.) we'll see a push for 
> greater computer hygiene as malware infection rates rise. Windows 
> already includes a firewall to prevent automated worm infections, and 
> Microsoft is working to harden network facing applications, as evidenced 
> by their recent decision to have IE run with limited privileges. As 
> malware becomes more virulent, the "immunity" of Windows will likewise 
> grow, putting a damper on any sort of exponential growth curve.
> 
> --Rohit Patnaik
> 
> lsi wrote:
> > Thanks for the comments, indeed, the exponential issue arises due to 
> > the use of blacklisting by current AV technologies, and a switch to 
> > whitelisting could theoretically mitigate that, however, I'm not sure 
> > that would work in practice, there are so many little bits of code 
> > that execute, right down to tiny javascripts that check you've filled 
> > in an online form correctly, and the user might be bombarded with 
> > prompts.  Falling back on tweaks to user privileges and UAC prompts 
> > is hardly fixing the problem.  The core problem is the platform is 
> > inherently insecure, due to its development, licensing and marketing 
> > models, and nothing is going to fix that.  Even if fixing it became 
> > somehow possible, the same effort could be spent improving a 
> > competing system, rather than fixing a broken one.
> >
> > Just to complete the extrapolation, the below.
> >
> > Assuming that mutation rates continue to increase exponentially, 
> > infection rates will reach a maximum when the average computer 
> > reaches 100% utilisation due to malware filtering.  Infection rates 
> > will then decline as vulnerable hosts "die off" due to their 
> > inability to filter.  These hosts will either be replaced with new, 
> > more powerful Windows machines (before these them

Re: [Full-disclosure] windows future

2009-08-29 Thread Robinson DELAUGERRE
> Then all we have to worry about are the few bits of 
> code that are capable of getting through our defenses.

Problem is, to go forth with the bio analogy, while our antibodies "forget" 
with time how to deal with aggressive agents we are not exposed to, antiviruses 
cannot. This would imply running a full system check, to see what the host is 
vulnerable to. How can you know? Are you packed with a vulnerability tester? Do 
you trust the updates installed on the system? If so, what with a malware that 
makes the system think it's patched?
So to me an antivirus still has to check files for "system-irrelevant" malware 
(even if it was to prevent the user from being a sane carrier). As an antivirus 
manufacturer I can't make assumptions about users' hygiene.

IMO, this "malware threshold" will be reached, where signature-based 
antiviruses will consume a hell of a lot of machine resource to check a given 
file against all possible signatures (even with optim in the checking process). 
This will force the manufacturers to move to another paradigm, perhaps 
behaviour based, checking what the file does to the system rather than what it 
contains.

My 2 cents on the matter..

BTW, I'm all for good hygiene, I'm just not confident the average user is ready 
for it yet. User education FTW

-rd*

- Original Message -
From: "Rohit Patnaik" 
To: full-disclosure@lists.grok.org.uk
Sent: Friday 28 August 2009 17:24:25 GMT +01:00 Amsterdam / Berlin / Bern / 
Rome / Stockholm / Vienna
Subject: Re: [Full-disclosure] windows future

I'm not sure I agree with the basic premise of this scenario. You're 
suggesting that getting exposed to malware is some kind of 
inevitability, and that eventually there will be enough different kinds 
of malware that filtering them all will be impossible. I don't think 
that's valid. Good browsing habits, running a firewall, and keeping your 
machine updated will prevent almost all malware from even getting access 
to your machine. Then all we have to worry about are the few bits of 
code that are capable of getting through our defenses.

To reiterate the biological analogy, we don't rely on antibiotics to 
stop infection. We rely on good hygiene. In the same way, just as 
increased biological infection rates led to a push for greater public 
hygiene (e.g. indoor plumbing, closed sewers, etc.) we'll see a push for 
greater computer hygiene as malware infection rates rise. Windows 
already includes a firewall to prevent automated worm infections, and 
Microsoft is working to harden network facing applications, as evidenced 
by their recent decision to have IE run with limited privileges. As 
malware becomes more virulent, the "immunity" of Windows will likewise 
grow, putting a damper on any sort of exponential growth curve.

--Rohit Patnaik

lsi wrote:
> Thanks for the comments, indeed, the exponential issue arises due to 
> the use of blacklisting by current AV technologies, and a switch to 
> whitelisting could theoretically mitigate that, however, I'm not sure 
> that would work in practice, there are so many little bits of code 
> that execute, right down to tiny javascripts that check you've filled 
> in an online form correctly, and the user might be bombarded with 
> prompts.  Falling back on tweaks to user privileges and UAC prompts 
> is hardly fixing the problem.  The core problem is the platform is 
> inherently insecure, due to its development, licensing and marketing 
> models, and nothing is going to fix that.  Even if fixing it became 
> somehow possible, the same effort could be spent improving a 
> competing system, rather than fixing a broken one.
>
> Just to complete the extrapolation, the below.
>
> Assuming that mutation rates continue to increase exponentially, 
> infection rates will reach a maximum when the average computer 
> reaches 100% utilisation due to malware filtering.  Infection rates 
> will then decline as vulnerable hosts "die off" due to their 
> inability to filter.  These hosts will either be replaced with new, 
> more powerful Windows machines (before these themselves succumb to 
> the exponential curve), OR, they will be re-deployed, running a 
> different, non-Windows platform.
>
> Eventually, the majority of computer owners will get the idea that 
> they don't need to buy ever-more powerful gear, just to do the same 
> job they did yesterday (there may come a time when the fastest 
> machine available is unable to cope, there is every possibility that 
> mutation rates will exceed Moore's Law).  The number of vulnerable 
> hosts will then fall sharply, as the platform is abandoned en masse.
>
> At this time, crackers who have been depending upon a certain amount 
> of cracks per week for income, will find thems

Re: [Full-disclosure] windows future

2009-08-28 Thread Rob Thompson
First off, I want to second what Rohit said below.  I have a 901 and it
came that way as well.  Granted I've hacked the shit out of it and now
it's running something else and very well at that, but by default they
are super easy machines to run.  And everything just works.


Paul Schmehl wrote:
> --On Friday, August 28, 2009 13:40:28 -0500 Rohit Patnaik wrote:
> 
>> To be fair, Linux has come a very long way in that regard. I purchased
>> an Asus Eee 900 with Linux preinstalled, and everything worked right out
>> of the box. Flash, Java, OpenOffice, the works. It was a vindication of
>> my view that the real obstacle to Linux on the desktop isn't the user,
>> but rather the OEM.
>>
>> With low-cost, low-power netbooks becoming more prevalent, OEMs are
>> finding that the cost of the Windows license begins to take up a rather
>> high percentage of the overall cost.  Therefore, many are preinstalling
>> and preconfiguring Linux. At the same time, consumers are finding that
>> application incompatibilities don't really matter for them, since the
>> Linux equivalents are able to handle data coming from a Windows box with
>> a minimum of fuss.
> 
> That's good news.  Once updating issues are resolved and Xorg becomes as good
> as Mac and Windows graphics (it's almost there now - it just doesn't quite
> have the "pop" or "wow factor" of Macs), the obstacles to migration (for the
> consumer) will be availability and the knowledge that an alternative exists.
> At that point I think we'll see Microsoft's market share begin eroding badly.
> 

IMO - the Linux graphics are equivalent to Windows'.  Mac though,
that's another thing.  Ubuntu did well to try to add a lot more "pretty"
into their desktop with the last release, to specifically compete with
Mac, but Mac still owns that beast.

Macs really are something else to look at.  But I'd never own one.  ;p
I like Apple as much as I like Microsoft.

Y'all have a great weekend.  :)

-- 
Rob  (I am a PC and I run Linux.)

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+



Re: [Full-disclosure] windows future

2009-08-28 Thread Paul Schmehl
--On Friday, August 28, 2009 13:40:28 -0500 Rohit Patnaik wrote:

>
> To be fair, Linux has come a very long way in that regard. I purchased
> an Asus Eee 900 with Linux preinstalled, and everything worked right out
> of the box. Flash, Java, OpenOffice, the works. It was a vindication of
> my view that the real obstacle to Linux on the desktop isn't the user,
> but rather the OEM.
>
> With low-cost, low-power netbooks becoming more prevalent, OEMs are
> finding that the cost of the Windows license begins to take up a rather
> high percentage of the overall cost.  Therefore, many are preinstalling
> and preconfiguring Linux. At the same time, consumers are finding that
> application incompatibilities don't really matter for them, since the
> Linux equivalents are able to handle data coming from a Windows box with
> a minimum of fuss.

That's good news.  Once updating issues are resolved and Xorg becomes as good 
as Mac and Windows graphics (it's almost there now - it just doesn't quite have 
the "pop" or "wow factor" of Macs), the obstacles to migration (for the 
consumer) will be availability and the knowledge that an alternative exists. 
At that point I think we'll see Microsoft's market share begin eroding badly.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



Re: [Full-disclosure] windows future

2009-08-28 Thread Rohit Patnaik
To be fair, Linux has come a very long way in that regard. I purchased 
an Asus Eee 900 with Linux preinstalled, and everything worked right out 
of the box. Flash, Java, OpenOffice, the works. It was a vindication of 
my view that the real obstacle to Linux on the desktop isn't the user, 
but rather the OEM.

With low-cost, low-power netbooks becoming more prevalent, OEMs are 
finding that the cost of the Windows license begins to take up a rather 
high percentage of the overall cost.  Therefore, many are preinstalling 
and preconfiguring Linux. At the same time, consumers are finding that 
application incompatibilities don't really matter for them, since the 
Linux equivalents are able to handle data coming from a Windows box with 
a minimum of fuss.

--Rohit Patnaik

Paul Schmehl wrote:
> --On Friday, August 28, 2009 09:32:45 -0500 lsi  wrote:
>   
>> The world will awaken from the 20+ year nightmare that was Windows,
>> made possible only by manipulative market practices, driven by greed,
>> and discover the only reason it was wracked with malware, was because
>> it had all its eggs in one basket.
>>
>> 
>
> That's crazy talk.  I hate Windows as much as the next guy, but there's a
> reason they have such a large market share and it's not *just* manipulative
> market practices.  Most people outside the insular geek world use computers
> to perform tasks for them.  They think of the computer as a tool, and they
> expect it to do the job they want without getting in the way or requiring
> them to learn to count in hex.
>
> When someone else comes up with a system that has excellent graphics, runs
> Flash and other things without complaint, and "just works" without expecting
> them to lift the hood and diagnose problems, doesn't require them to install
> all sorts of "extras" to have a working system *and* is priced competitively
> with Windows, they will buy it.
>
> Macs are competitive with Windows in every category except one: price.  And
> by price I mean the cost of walking into a store and walking out with a
> working system.  Apple's biggest mistake has always been trying to "hoard"
> the hardware market for their OS - the same mistake Sun makes - which drives
> up the price and makes them less competitive.  Unix (really Linux mostly) is
> getting there but still has a ways to go.
>
> I say these things as a hard core Unix user who loves FreeBSD.  There are
> many reasons that I love FreeBSD and use it exclusively when I can, but
> things like making Flash work are not for the faint of heart.
>
> It won't be the malware that will drive people *away* from Windows (if it was
> they would have been driven away long ago), it will be the (dare I say it?)
> user friendliness of a system *and* price competitiveness that will *attract*
> buyers to it.
>
> BTW, your comments about crackers and ecosystems are several years behind.
> The current "technology" crackers are using to great success is social
> engineering.  Actually breaking into systems is almost passé these days.
>
>   



Re: [Full-disclosure] windows future

2009-08-28 Thread Paul Schmehl
--On Friday, August 28, 2009 09:32:45 -0500 lsi  wrote:
>
> The world will awaken from the 20+ year nightmare that was Windows,
> made possible only by manipulative market practices, driven by greed,
> and discover the only reason it was wracked with malware, was because
> it had all its eggs in one basket.
>

That's crazy talk.  I hate Windows as much as the next guy, but there's a 
reason they have such a large market share and it's not *just* manipulative 
market practices.  Most people outside the insular geek world use computers to 
perform tasks for them.  They think of the computer as a tool, and they expect 
it to do the job they want without getting in the way or requiring them to 
learn to count in hex.

When someone else comes up with a system that has excellent graphics, runs 
Flash and other things without complaint, and "just works" without expecting 
them to lift the hood and diagnose problems, doesn't require them to install 
all sorts of "extras" to have a working system *and* is priced competitively 
with Windows, they will buy it.

Macs are competitive with Windows in every category except one: price.  And by 
price I mean the cost of walking into a store and walking out with a working 
system.  Apple's biggest mistake has always been trying to "hoard" the hardware 
market for their OS - the same mistake Sun makes - which drives up the price 
and makes them less competitive.  Unix (really Linux mostly) is getting there 
but still has a ways to go.

I say these things as a hard core Unix user who loves FreeBSD.  There are many 
reasons that I love FreeBSD and use it exclusively when I can, but things like 
making Flash work are not for the faint of heart.

It won't be the malware that will drive people *away* from Windows (if it was 
they would have been driven away long ago), it will be the (dare I say it?) 
user friendliness of a system *and* price competitiveness that will *attract* 
buyers to it.

BTW, your comments about crackers and ecosystems are several years behind.  The 
current "technology" crackers are using to great success is social engineering. 
Actually breaking into systems is almost passé these days.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



Re: [Full-disclosure] windows future

2009-08-28 Thread Rohit Patnaik
I'm not sure I agree with the basic premise of this scenario. You're 
suggesting that getting exposed to malware is some kind of 
inevitability, and that eventually there will be enough different kinds 
of malware that filtering them all will be impossible. I don't think 
that's valid. Good browsing habits, running a firewall, and keeping your 
machine updated will prevent almost all malware from even getting access 
to your machine. Then all we have to worry about are the few bits of 
code that are capable of getting through our defenses.

To reiterate the biological analogy, we don't rely on antibiotics to 
stop infection. We rely on good hygiene. In the same way, just as 
increased biological infection rates led to a push for greater public 
hygiene (e.g. indoor plumbing, closed sewers, etc.) we'll see a push for 
greater computer hygiene as malware infection rates rise. Windows 
already includes a firewall to prevent automated worm infections, and 
Microsoft is working to harden network facing applications, as evidenced 
by their recent decision to have IE run with limited privileges. As 
malware becomes more virulent, the "immunity" of Windows will likewise 
grow, putting a damper on any sort of exponential growth curve.

--Rohit Patnaik

lsi wrote:
> Thanks for the comments, indeed, the exponential issue arises due to 
> the use of blacklisting by current AV technologies, and a switch to 
> whitelisting could theoretically mitigate that, however, I'm not sure 
> that would work in practice, there are so many little bits of code 
> that execute, right down to tiny javascripts that check you've filled 
> in an online form correctly, and the user might be bombarded with 
> prompts.  Falling back on tweaks to user privileges and UAC prompts 
> is hardly fixing the problem.  The core problem is the platform is 
> inherently insecure, due to its development, licensing and marketing 
> models, and nothing is going to fix that.  Even if fixing it became 
> somehow possible, the same effort could be spent improving a 
> competing system, rather than fixing a broken one.
>
> Just to complete the extrapolation, the below.
>
> Assuming that mutation rates continue to increase exponentially, 
> infection rates will reach a maximum when the average computer 
> reaches 100% utilisation due to malware filtering.  Infection rates 
> will then decline as vulnerable hosts "die off" due to their 
> inability to filter.  These hosts will either be replaced with new, 
> more powerful Windows machines (before these themselves succumb to 
> the exponential curve), OR, they will be re-deployed, running a 
> different, non-Windows platform.
>
> Eventually, the majority of computer owners will get the idea that 
> they don't need to buy ever-more powerful gear, just to do the same 
> job they did yesterday (there may come a time when the fastest 
> machine available is unable to cope, there is every possibility that 
> mutation rates will exceed Moore's Law).  The number of vulnerable 
> hosts will then fall sharply, as the platform is abandoned en masse.
>
> At this time, crackers who have been depending upon a certain amount 
> of cracks per week for income, will find themselves short.  They will 
> then, if they have not already, refocus their activities on more 
> profitable revenue streams.
>
> If every computer is running a diverse ecosystem, crackers will have 
> no choice but to resort to small-scale, targeted attacks, and the 
> days of mass-market malware will be over, just as the days of the 
> mass-market platform it depends on, will also be over.
>
> And then, crackers will need to be very good crackers, to generate 
> enough income from their small-scale attacks.  If they aren't very 
> good, they might find it easier and more profitable to get a 9-to-5 
> job.  The number of malware authors will then fall sharply.
>
> The world will awaken from the 20+ year nightmare that was Windows, 
> made possible only by manipulative market practices, driven by greed, 
> and discover the only reason it was wracked with malware, was because 
> it had all its eggs in one basket.
>
> Certainly, vulnerabilities will persist, and skilled cracking groups 
> may well find new niches from which to operate.  But diversifying the 
> ecosystem raises the barrier to entry, to a level most garden-variety 
> crackers will find unprofitable, and that will be all that is 
> required, to encourage most of them to do something else with their 
> lives, and significantly reduce the incidence of cybercrime.
>
> (now I phrase it like that, it might be said, that by buying 
> Microsoft, you are indirectly channelling money to organised crime 
> gangs, who most likely engage in other kinds of criminal activity, in 
> addition to cracking, such as identity theft, money laundering, and 
> smuggling. That is, when you buy Microsoft, you are propping up the 
> monoculture, and that monoculture feeds criminals, by way of its 
> inherent flaws.  There

Re: [Full-disclosure] windows future

2009-08-28 Thread lsi
Thanks for the comments, indeed, the exponential issue arises due to 
the use of blacklisting by current AV technologies, and a switch to 
whitelisting could theoretically mitigate that, however, I'm not sure 
that would work in practice, there are so many little bits of code 
that execute, right down to tiny javascripts that check you've filled 
in an online form correctly, and the user might be bombarded with 
prompts.  Falling back on tweaks to user privileges and UAC prompts 
is hardly fixing the problem.  The core problem is the platform is 
inherently insecure, due to its development, licensing and marketing 
models, and nothing is going to fix that.  Even if fixing it became 
somehow possible, the same effort could be spent improving a 
competing system, rather than fixing a broken one.

Just to complete the extrapolation, the below.

Assuming that mutation rates continue to increase exponentially, 
infection rates will reach a maximum when the average computer 
reaches 100% utilisation due to malware filtering.  Infection rates 
will then decline as vulnerable hosts "die off" due to their 
inability to filter.  These hosts will either be replaced with new, 
more powerful Windows machines (before these themselves succumb to 
the exponential curve), OR, they will be re-deployed, running a 
different, non-Windows platform.

Eventually, the majority of computer owners will get the idea that 
they don't need to buy ever-more powerful gear, just to do the same 
job they did yesterday (there may come a time when the fastest 
machine available is unable to cope, there is every possibility that 
mutation rates will exceed Moore's Law).  The number of vulnerable 
hosts will then fall sharply, as the platform is abandoned en masse.

At this time, crackers who have been depending upon a certain amount 
of cracks per week for income, will find themselves short.  They will 
then, if they have not already, refocus their activities on more 
profitable revenue streams.

If every computer is running a diverse ecosystem, crackers will have 
no choice but to resort to small-scale, targeted attacks, and the 
days of mass-market malware will be over, just as the days of the 
mass-market platform it depends on, will also be over.

And then, crackers will need to be very good crackers, to generate 
enough income from their small-scale attacks.  If they aren't very 
good, they might find it easier and more profitable to get a 9-to-5 
job.  The number of malware authors will then fall sharply.

The world will awaken from the 20+ year nightmare that was Windows, 
made possible only by manipulative market practices, driven by greed, 
and discover the only reason it was wracked with malware, was because 
it had all its eggs in one basket.

Certainly, vulnerabilities will persist, and skilled cracking groups 
may well find new niches from which to operate.  But diversifying the 
ecosystem raises the barrier to entry, to a level most garden-variety 
crackers will find unprofitable, and that will be all that is 
required, to encourage most of them to do something else with their 
lives, and significantly reduce the incidence of cybercrime.

(now I phrase it like that, it might be said, that by buying 
Microsoft, you are indirectly channelling money to organised crime 
gangs, who most likely engage in other kinds of criminal activity, in 
addition to cracking, such as identity theft, money laundering, and 
smuggling. That is, when you buy Microsoft, you are propping up the 
monoculture, and that monoculture feeds criminals, by way of its 
inherent flaws.  Therefore, if you would like to reduce criminal 
activity, don't buy Microsoft.)

-EOF

On 27 Aug 2009 at 13:45, lsi wrote:

From:   "lsi" 
To: full-disclosure@lists.grok.org.uk
Date sent:  Thu, 27 Aug 2009 13:45:01 +0100
Priority:   normal   

Subject:[Full-disclosure] windows future
Send reply to:  stu...@cyberdelix.net

> [Some more extrapolations, this time taken from the fact that malware 
> mutation rates are increasing exponentially. - Stu]
> 
> (actually, this wasn't written for an FD audience, please excuse the 
> bit where it urges you to consider your migration strategy, I know 
> you're all ultra-l33t and don't have a single M$ box on your LAN)
> 
> http://www.theregister.co.uk/2009/08/13/malware_arms_race/
> 
> If this trend continues, there will come a time when the amount of 
> malware is so large, that anti-malware filters will need more power 
> than the systems they are protecting are able to provide.
> 
> At this time, those systems will become essentially worthless, and 
> unusable.
> 
> You can choose to
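The blacklist-versus-allowlist point argued back and forth in this thread (lsi: signature blacklisting makes filtering cost track the size of the malware corpus, while allowlisting would trade that for a prompt on every unlisted script; Rohit: hygiene rather than ever-larger filters), as an added example that is not code from any post above. It is a toy Python model of the two strategies: a signature blacklist that must test every known pattern against a file, beside an execution allowlist keyed by the SHA-256 of the file. Everything in it is constructed for illustration: the eight-byte "signatures" are hash prefixes, not real indicators, the sample files are not real software, and the names `BlacklistScanner`, `Allowlist`, `fake_signature`, `simulate` and `classify` are chosen here.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class BlacklistScanner:
    """Signature blacklist: one byte pattern per known malware family."""
    signatures: list = field(default_factory=list)
    comparisons: int = 0  # work counter: one unit per (file, signature) test

    def add_family(self, signature: bytes) -> None:
        self.signatures.append(signature)

    def scan(self, data: bytes) -> bool:
        """True if any known signature occurs in data.

        Every signature is tested, so a clean file (the common case)
        always costs the full size of the corpus.
        """
        hit = False
        for sig in self.signatures:
            self.comparisons += 1
            if sig in data:
                hit = True  # keep going: a real engine reports every family matched
        return hit


@dataclass
class Allowlist:
    """Execution allowlist keyed by SHA-256 of the file contents."""
    approved: set = field(default_factory=set)
    lookups: int = 0

    def approve(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.approved.add(digest)
        return digest

    def verdict(self, data: bytes) -> str:
        """'allow' for enumerated code, 'unknown' for everything else.

        One hash plus one set lookup, whatever the malware count; the price
        is that unenumerated code (a new script, a fresh build) is 'unknown'
        and somebody has to be asked about it.
        """
        self.lookups += 1
        return "allow" if hashlib.sha256(data).hexdigest() in self.approved else "unknown"


def fake_signature(generation: int, index: int) -> bytes:
    """Constructed 8-byte pattern standing in for a family signature (not a real IOC)."""
    return hashlib.sha256(f"family-{generation}-{index}".encode()).digest()[:8]


def simulate(generations: int, clean_files: list) -> list:
    """Double the malware corpus each generation and record per-file work.

    Returns one dict per generation: corpus size and the work each strategy
    spends to clear one clean file.
    """
    blacklist = BlacklistScanner()
    allowlist = Allowlist()
    for f in clean_files:
        allowlist.approve(f)

    rows = []
    for g in range(generations):
        target = 2 ** g  # corpus size this generation: 1, 2, 4, 8, ...
        while len(blacklist.signatures) < target:
            blacklist.add_family(fake_signature(g, len(blacklist.signatures)))

        before_bl, before_al = blacklist.comparisons, allowlist.lookups
        for f in clean_files:
            blacklist.scan(f)
            allowlist.verdict(f)
        rows.append({
            "generation": g,
            "families": len(blacklist.signatures),
            "blacklist_work_per_file": (blacklist.comparisons - before_bl) // len(clean_files),
            "allowlist_work_per_file": (allowlist.lookups - before_al) // len(clean_files),
        })
    return rows


def classify(data: bytes, blacklist: BlacklistScanner, allowlist: Allowlist) -> tuple:
    """Both verdicts side by side, to show where the strategies disagree."""
    bl = "malicious" if blacklist.scan(data) else "clean"
    return bl, allowlist.verdict(data)


# Constructed sample files (not real software): a "binary" and a form-check script.
CLEAN_FILES = [
    b"MZ\x90\x00" + b"installed-application-" * 8,
    b"function checkForm(f){return f.email.value.includes('@');}",
]


if __name__ == "__main__":
    for row in simulate(6, CLEAN_FILES):
        print(row)

    blacklist = BlacklistScanner()
    blacklist.add_family(fake_signature(0, 0))
    allowlist = Allowlist()
    for f in CLEAN_FILES:
        allowlist.approve(f)

    # A script the user just wrote: the blacklist waves it through, the
    # allowlist stops and asks, which is the prompt lsi is worried about.
    new_script = b"function checkAge(f){return +f.age.value >= 18;}"
    print(classify(new_script, blacklist, allowlist))  # ('clean', 'unknown')

    # A file carrying a known pattern: caught by the signature, and also
    # refused by the allowlist without anyone having written a signature.
    infected = CLEAN_FILES[0] + fake_signature(0, 0)
    print(classify(infected, blacklist, allowlist))  # ('malicious', 'unknown')
```

Running it shows the blacklist's work per clean file doubling with each generation while the allowlist stays at one lookup, and `classify` shows the trade-off in the other direction: a script the user just wrote is "clean" to the blacklist and "unknown" to the allowlist, while a file carrying a known pattern is refused by the allowlist without any signature having been written for it. A real engine uses multi-pattern matching rather than one substring test per signature, so its growth is gentler than this model, but the cost still tracks the corpus; the allowlist's cost tracks the amount of legitimate code that has to be enumerated, which is where the prompt problem comes from.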