
Re: [Full-disclosure] windows future



As for businesses, any business of even medium size is going to have a
backup and recovery plan these days. Businesses will be less affected than
individuals because they'll have backups, and can restore from them if an
infection hits.

In any case, this still doesn't address my contention - that the actual
number of threats doesn't matter, because the vast majority of them are not
viable, in the sense that they attack vulnerabilities that have been
patched.  As long as users keep up with vendor patches (whether they're on
Windows or Linux) the number of threats that will affect them will remain
fairly constant over time.

-- Rohit Patnaik

On Fri, Sep 4, 2009 at 12:44 PM, lsi <stuart@xxxxxxxxxxxxxx> wrote:

> > > - approximate date when number of NEW threats will reach 1 Billion:
> > > 2015
>
> > This is assuming an exponential growth model, when there's no realistic
> > reason to believe it to be so.
>
> The reason to believe the exponential model will remain valid, is
> that it is the model that is currently valid.  A different model will
> need to explain how the existing exponential curve is derailed.
>
> > There are however good reasons to expect
> > that the correct model is the "logistics curve" (slow growth at first,
> > a steep middle section, then flattening out asymptotic to a horizontal
> > line).
>
> > For starters, new threats have to come from *somewhere* [...] From
> > whence will the 1 billion new threats in the 2015-16 span come from?
> > Who will create these,
>
> Did you see the link I posted to the "Evolvable Malware" PPT?
> Mutation will be automated.  Resistance is useless... ;)
>
> > and who will make money from them?
>
> Presumably, the same gangs who do so now.  They won't need to recruit
> billions of new coders to make their billions of new variants.  It'll
> all be generated overnight, by their botnet, which, when it's not
> sending spam, etc, will be "revectoring" itself, using the GP
> algorithms previously noted.
>
> > At what point will some of the marginal players leave
> > the game and find other avenues of making money?
>
> I answered this one already as well... they will leave soon after the
> number of vulnerable hosts starts to fall, which will happen either
> through mass extinction (due to malware overload) or due to
> re-deployment with a Real OS.
>
> > [...]  A bigger danger here is if we start seeing *single* threats
> > that include a really good real-time polymorphism/obfuscator - *that*
> > could really suck.
>
> But Valdis old chap, that is exactly what the GP algorithms do, the
> proof-of-concept is already out there (see the GP PPT).
>
> > Interesting statistic - year before last, around 10% of all new computer
> > purchases were replacements for malware-infested boxes.  Just buying a
> > new one was easier/cheaper than trying to fix the old one for a lot of
> > people.
>
> These numbers are probably skewed by some kind of newbie effect.
> Once you have had your machine for a while, as I'm sure you know,
> simply dumping it is not always an option.  Businesses, for example,
> may simply be unable to dump an old system, as it runs some legacy
> something, which just happens to be mission-critical.
>
> > Second interesting statistic - the vast majority of that 10% ended up
> > using the exact same operating system.
> >
> > So even when it's well past the 20% mark and the box is basically
> > unusable, they *still* don't run for the exit.
>
> They're newbies.  You wait till they've done that 5 times.  Then ask
> them, are you a happy bunny... and how much money have you spent, in
> total...
>
> - I have already decommissioned one server, due to malware growth -
> it was an old 486 machine, whose sole purpose was to serve AV updates
> for a client's LAN.  All went well for a few years, however the hard
> drive started to fill with signature updates.  So, I upgraded the
> drive, however due to a BIOS limitation (or was that NT4? FAT16?),
> the maximum size I could use was 2Gb.  That would have filled as
> well, except I moved the AV server software onto their main server
> (and proceeded to fill its disk instead, but that's another story) -
> and sent the old 486 to recycling...
>
> So this old server, you might think of course, it's a mere 486, to
> which I reply, and a canary is also a weakling.  That is why people
> put them in mines, because they are very sensitive to carbon monoxide
> levels, and drop dead well before humans do.  So when the canary
> dies, the mine is evacuated.
>
> This old server was a canary.  Its tight resource limits meant it was
> very sensitive to malware levels.  It dropped dead several years ago
> now. The NaN% on the Virus Bulletin site is another canary.  Sure,
> this can probably be fixed, weak coding you say - again, I say this
> weakness is merely the low-hanging fruit, the first victims of a
> rising tide, which is not even close to its peak.
>
> Stu
>
> ---
> Stuart Udall
> stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/
>
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>