
Re: [Full-disclosure] windows future



I'm saying that the world's malware authors, in their race to stay 
ahead of AV, are engaging in an uncoordinated, slow-motion DDOS of 
the world's AV systems.  They are flooding the blacklists, and this 
flooding is accelerating.  If it continues, the world's AV systems 
will be useless, as will be the machines they are protecting.

Note, I have NOT gone off and compiled some stats, I've just noted an 
existing trend, and extrapolated it.  Here's an article from 2005, 
again, the numbers suggest an exponential curve. 
http://www.theregister.co.uk/2005/01/05/mcafee_avert_report/

The biological metaphor does suggest that Microsoft would take some 
kind of evasive action, and I think their only option is to license 
unix, just as Apple did (although Apple did it for different 
reasons).  Doing this will solve many problems, they can keep their 
proprietary interface and their reputation, and possibly even their 
licensing and marketing models, while under the hood, unix saves the 
day.  They will need to eat some very humble pie, a few diehards 
might jump from Redmond's towers, and the clash of cultures will 
toast some excellent marshmallows... but they will save their 
business.  Do they have a choice?  Malware numbers are suggesting 
they don't.

Licensing the solution suits Microsoft's business model (much easier 
for them to buy in a fix than build one, they tried that already), 
they did in fact do it many times previously, starting with a certain 
product called MS-DOS, and it means they can keep their customer 
base, they just sell them an upgrade which is in fact a completely 
new system - again, just as Apple did with OSX.

Actually, I think the simplest thing for them to do would be to buy 
Apple, then they can rebadge OSX, instead of reinventing it.

Stu

On 28 Aug 2009 at 10:24, Rohit Patnaik wrote:

Date sent:              Fri, 28 Aug 2009 10:24:25 -0500
From:                   Rohit Patnaik <quanticle@xxxxxxxxx>
To:                     full-disclosure@xxxxxxxxxxxxxxxxx
Subject:                Re: [Full-disclosure] windows future

> I'm not sure I agree with the basic premise of this scenario. You're 
> suggesting that getting exposed to malware is some kind of 
> inevitability, and that eventually there will be enough different kinds 
> of malware that filtering them all will be impossible. I don't think 
> that's valid. Good browsing habits, running a firewall, and keeping your 
> machine updated will prevent almost all malware from even getting access 
> to your machine. Then all we have to worry about are the few bits of 
> code that are capable of getting through our defenses.
> 
> To reiterate the biological analogy, we don't rely on antibiotics to 
> stop infection. We rely on good hygiene. In the same way, just as 
> increased biological infection rates led to a push for greater public 
> hygiene (e.g. indoor plumbing, closed sewers, etc.) we'll see a push for 
> greater computer hygiene as malware infection rates rise. Windows 
> already includes a firewall to prevent automated worm infections, and 
> Microsoft is working to harden network facing applications, as evidenced 
> by their recent decision to have IE run with limited privileges. As 
> malware becomes more virulent, the "immunity" of Windows will likewise 
> grow, putting a damper on any sort of exponential growth curve.
> 
> --Rohit Patnaik
> 
> lsi wrote:
> > Thanks for the comments, indeed, the exponential issue arises due to 
> > the use of blacklisting by current AV technologies, and a switch to 
> > whitelisting could theoretically mitigate that, however, I'm not sure 
> > that would work in practice, there are so many little bits of code 
> > that execute, right down to tiny javascripts that check you've filled 
> > in an online form correctly, and the user might be bombarded with 
> > prompts.  Falling back on tweaks to user privileges and UAC prompts 
> > is hardly fixing the problem.  The core problem is the platform is 
> > inherently insecure, due to its development, licensing and marketing 
> > models, and nothing is going to fix that.  Even if fixing it became 
> > somehow possible, the same effort could be spent improving a 
> > competing system, rather than fixing a broken one.
> >
> > Just to complete the extrapolation, the below.
> >
> > Assuming that mutation rates continue to increase exponentially, 
> > infection rates will reach a maximum when the average computer 
> > reaches 100% utilisation due to malware filtering.  Infection rates 
> > will then decline as vulnerable hosts "die off" due to their 
> > inability to filter.  These hosts will either be replaced with new, 
> > more powerful Windows machines (before these themselves succumb to 
> > the exponential curve), OR, they will be re-deployed, running a 
> > different, non-Windows platform.
> >
> > Eventually, the majority of computer owners will get the idea that 
> > they don't need to buy ever-more powerful gear, just to do the same 
> > job they did yesterday (there may come a time when the fastest 
> > machine available is unable to cope, there is every possibility that 
> > mutation rates will exceed Moore's Law).  The number of vulnerable 
> > hosts will then fall sharply, as the platform is abandoned en-masse.
> >
> > At this time, crackers who have been depending upon a certain amount 
> > of cracks per week for income, will find themselves short.  They will 
> > then, if they have not already, refocus their activities on more 
> > profitable revenue streams.
> >
> > If every computer is running a diverse ecosystem, crackers will have 
> > no choice but to resort to small-scale, targeted attacks, and the 
> > days of mass-market malware will be over, just as the days of the 
> > mass-market platform it depends on, will also be over.
> >
> > And then, crackers will need to be very good crackers, to generate 
> > enough income from their small-scale attacks.  If they aren't very 
> > good, they might find it easier and more profitable to get a 9-to-5 
> > job.  The number of malware authors will then fall sharply.
> >
> > The world will awaken from the 20+ year nightmare that was Windows, 
> > made possible only by manipulative market practices, driven by greed, 
> > and discover the only reason it was wracked with malware, was because 
> > it had all its eggs in one basket.
> >
> > Certainly, vulnerabilities will persist, and skilled cracking groups 
> > may well find new niches from which to operate.  But diversifying the 
> > ecosystem raises the barrier to entry, to a level most garden-variety 
> > crackers will find unprofitable, and that will be all that is 
> > required, to encourage most of them to do something else with their 
> > lives, and significantly reduce the incidence of cybercrime.
> >
> > (now I phrase it like that, it might be said, that by buying 
> > Microsoft, you are indirectly channelling money to organised crime 
> > gangs, who most likely engage in other kinds of criminal activity, in 
> > addition to cracking, such as identity theft, money laundering, and 
> > smuggling. That is, when you buy Microsoft, you are propping up the 
> > monoculture, and that monoculture feeds criminals, by way of its 
> > inherent flaws.  Therefore, if you would like to reduce criminal 
> > activity, don't buy Microsoft.)
> >
> > -EOF
> >
> > On 27 Aug 2009 at 13:45, lsi wrote:
> >
> > From:               "lsi" <stuart@xxxxxxxxxxxxxx>
> > To:                 full-disclosure@xxxxxxxxxxxxxxxxx
> > Date sent:          Thu, 27 Aug 2009 13:45:01 +0100
> > Subject:            [Full-disclosure] windows future
> >
> >> [Some more extrapolations, this time taken from the fact that malware 
> >> mutation rates are increasing exponentially. - Stu]
> >>
> >> (actually, this wasn't written for an FD audience, please excuse the 
> >> bit where it urges you to consider your migration strategy, I know 
> >> you're all ultra-l33t and don't have a single M$ box on your LAN)
> >>
> >> http://www.theregister.co.uk/2009/08/13/malware_arms_race/
> >>
> >> If this trend continues, there will come a time when the amount of 
> >> malware is so large, that anti-malware filters will need more power 
> >> than the systems they are protecting are able to provide.
> >>
> >> At this time, those systems will become essentially worthless, and 
> >> unusable.
> >>
> >> You can choose to leave now, or later.  But you cannot choose to 
> >> stay...
> >>
> >> (I mean, that the Windows platform seems destined to fill, 
> >> completely, with malware, such that your computer will spend ALL its 
> >> time on security matters, and will have no CPU, RAM etc left for 
> >> actual work.  At the end of the day, the ability of malware to infect 
> >> Windows machines is due to the fact that Windows is a monoculture, a 
> >> monolith, built by a single company, with many interconnections and 
> >> hidden alleyways.  It's hard to imagine a platform LESS vulnerable - 
> >> compare with open-source efforts, which are diverse, homogenous and 
> >> connect via open protocols.  Malware finds life hard in the sterile, 
> >> purified world of RFCs, where one of many different programs may 
> >> process your malicious payload, all of which have been peer-reviewed. 
> >>  In Windows, malware knows that a specific Microsoft EXE will process 
> >> its data, knows that the code has not been thoroughly checked, and 
> >> can make use of undocumented mechanisms.
> >>
> >> So basically Microsoft, by hoarding their source, by tightly 
> >> integrating functionality, and by seeking to monopolise the various 
> >> markets created by the platform (browser, media player, office 
> >> software), have doomed Windows, and everything that runs on it.  The 
> >> lack of diversity in the Windows ecosystem means that it is highly 
> >> vulnerable to attack by predators.  The fact that malware mutation 
> >> rates are accelerating is a clear indicator that the foxes are 
> >> circling.  This is the beginning of a death spiral; the malware 
> >> numbers we've seen in the past 20 years were the low end of an 
> >> exponential curve, and we're now getting to the steep part.
> >>
> >> The problem is that any given computer is only capable of so much 
> >> processing.  It has an upper limit to the amount of malware it can 
> >> filter, those limits being related to CPU speed, RAM, diskspace, 
> >> network bandwidth.  This upper limit looks like a horizontal line, on 
> >> the chart that shows the exponential curve mentioned above.
> >>
> >> So my point, is that eventually, the exponential curve is going to 
> >> cross that horizontal line, for any given computer, and when that 
> >> happens, that computer will no longer be able to filter malware.  It 
> >> will only be able to filter a subset, and thus be vulnerable to the 
> >> rest. Consequently it will not be usable, for instance, on the web, 
> >> and will essentially become a doorstop...
> >>
> >> The only escape from this inevitability is to ditch the platform that 
> >> is permitting the malware - that is, the only escape is to ditch 
> >> Windows. It is being eaten alive, by predators that only have a 
> >> foothold because there are weaknesses in the platform.
> >>
> >> Given that it can take years to migrate to a new operating system, I 
> >> do recommend, if you have not already done so, that you commence 
> >> planning to ditch Windows.  I might be wrong about the exponential 
> >> curve, but if I'm not, then there may not be a lot of time in between 
> >> when malware levels seem manageable, and the time when they are not.  
> >> If your business depends on Windows machines and they all become 
> >> unusable, you will have no business.  What you definitely must NOT 
> >> do, is assume that Windows is going to be around for a long time.  It 
> >> is a dead man walking.
> >>
> >> - Of course, there might be a few years yet.  You can spend those 
> >> years running up your IT bill, with lots of new computers that are 
> >> required to filter all that malware while still performing at a 
> >> useful speed.  Or, you can ditch Windows, and keep your existing 
> >> hardware - it runs perfectly well, when it's not weighed down 
> >> defending the indefensible.
> >>
> >> [If Microsoft dooming Windows isn't ironic enough, consider that 
> >> every time malware authors pump out another set of mutations, they 
> >> are nailing one more nail in the coffin of the platform that they 
> >> depend on to make their living! Ahh, there is justice in the world 
> >> after all.]
> >>
> >> [And the end game?  Well, M$ could open-source Windows, but frankly, 
> >> why would anyone bother trying to fix it?  As the old saying goes, 
> >> don't flog a dead horse...]
> >>
> >> ---
> >> Stuart Udall
> >> stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/
> >>
> >> --- 
> >>  * Origin: lsi: revolution through evolution (192:168/0.2)
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
> >>     
> >
> >
> >
> 



---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
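An added illustration, not code from any message in this thread, of the blacklist-versus-whitelist trade-off lsi raises in the quoted reply above (a hash blacklist misses every repacked variant, while a hash whitelist catches them but turns every new legitimate script into a prompt). The sample "files", their hashes and the two "dropper" variants are constructed placeholders for this example, not real software or real malware; the `prompt` fallback stands in for the UAC-style interruption lsi describes.

```python
"""Hash-based blacklist vs. whitelist decisions over a constructed set of files.

Assumptions (this example's own, not from the thread): a verdict is taken purely
on the SHA-256 of the file content, and a whitelist that sees an unknown hash
asks the user rather than silently allowing or blocking.
"""
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" (name -> bytes). None of this is real code or malware.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00 placeholder for a known-good binary",
    "calc.exe": b"MZ\x90\x00 placeholder for another known-good binary",
    "form_check.js": b"function ok(f){return f.value!=='';}",
    # A trivial edit to a legitimate script: same purpose, new hash.
    "form_check_v2.js": b"function ok(f){return f.value.length>0;}",
    "dropper_v1.exe": b"MZ\x90\x00 placeholder for malicious variant 1",
    # The same "malware" repacked: same behaviour, new hash, not yet on any list.
    "dropper_v2.exe": b"MZ\x90\x00 placeholder for malicious variant 2",
}

# The blacklist only knows the variant that has already been seen and analysed.
BLACKLIST = {sha256_hex(SAMPLE_FILES["dropper_v1.exe"])}

# The whitelist knows the binaries and the one script the admin approved.
WHITELIST = {
    sha256_hex(SAMPLE_FILES["notepad.exe"]),
    sha256_hex(SAMPLE_FILES["calc.exe"]),
    sha256_hex(SAMPLE_FILES["form_check.js"]),
}


def blacklist_verdict(data: bytes) -> str:
    """Default-allow: block only what the signature list already contains."""
    return "block" if sha256_hex(data) in BLACKLIST else "allow"


def whitelist_verdict(data: bytes, unknown: str = "prompt") -> str:
    """Default-deny: allow only known-good hashes; anything else falls to `unknown`."""
    return "allow" if sha256_hex(data) in WHITELIST else unknown


def evaluate(files: dict, mode: str) -> dict:
    """Return {filename: verdict} for every file under the chosen policy."""
    judge = blacklist_verdict if mode == "blacklist" else whitelist_verdict
    return {name: judge(data) for name, data in files.items()}


def summarize(files: dict, mode: str) -> Counter:
    """Count verdicts, which is the figure a user or admin actually feels."""
    return Counter(evaluate(files, mode).values())


if __name__ == "__main__":
    for mode in ("blacklist", "whitelist"):
        print(mode, dict(summarize(SAMPLE_FILES, mode)))
        for name, verdict in evaluate(SAMPLE_FILES, mode).items():
            print(f"  {name:18s} {verdict}")
```

Running it shows the two failure modes side by side: under the blacklist, `dropper_v2.exe` (the repacked variant) is allowed, so every new mutation costs the vendor a new signature; under the whitelist, both droppers are stopped without any update, but the harmless `form_check_v2.js` is stopped too, which is the prompt fatigue lsi expects in practice.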