Re: [Full-disclosure] windows future

Studies show that 78.3% of all statistics are worthless.

t

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Rohit Patnaik
Sent: Friday, September 04, 2009 8:04 AM
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] windows future

All this shows is that there's exponential growth in the number of *threats*. It doesn't give any data about the number of actual *infections*. I mean, it's quite possible that all these bits of malware are just targeting the same group of vulnerable Windows boxen, and they're just competing to conquer the same fixed base.

After all, if you extrapolated from the exponential growth of maggots on a rotting carcass, you'd be predicting that the entire world would be covered in maggots not too far in the future.

--Rohit Patnaik
lsi wrote:
Hi All,

Sorry for the delay, I had some urgent migration planning to attend
to ... ;) Stats below. Short version: evacuate. Long version:

- stats are in, exponential curve is real, see it for yourself here:

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf

(page 10)

- I also added up the numbers at

http://www.virusbtn.com/resources/malwareDirectory/prevalence/index.xml?year=2009
... exponential curve also visible, though I think their stats are
dodgy, their website is already suffering from math limits - it is
reporting current yearly stats as NaN% (Not A Number).

- average rate of change per year (annual growth rate), calculated
from Symantec's chart: 243%

- approximate date when number of NEW threats reached 1 Million: 2008

- approximate date when number of NEW threats will reach 1 Billion: 2015

- approximate date when number of NEW threats will reach 2 Billion: 2016

- charts showing this:
http://www.cyberdelix.net/files/malware_mutation_projection.pdf

- will the AV companies be able to classify 1 billion new threats per
year? that is 2.739 MILLION new threats per DAY (over 1900 new
threats per minute).

- will your computer cope with scanning every EXE, DLL, PIF etc 1
billion times, every time you use them?

- aside from the theoretical limits imposed by hardware and software,
there is one extra limit, imposed by users. Users will not tolerate
machines operating slowly, and will seek alternative platforms well
before 100% CPU utilisation (either as a direct result of the size of
the blacklist, or indirectly caused by swapping due to low RAM).
This user limit might be lower than 20% CPU utilisation. If users
figure out that 20% of their time is being wasted, and rising fast,
they will run for the exit.

- will you tolerate your machine constantly processing a list a
billion items long?

- do you plan to, and can you afford to, upgrade your compute power
by 243%, every year?

- will you do this, even though you know viable alternative platforms
exist, at less total cost to yourself?

- if you're already irritated that AV is slowing down your machine,
consider that malware levels will be 500 times higher in approx 5
years (assuming growth rates continue at 243%). That means your AV
will be running 500 times slower. Unless you upgrade your machine by
500 x current (eg. to an effective speed of approx 1000 GHz), your
machine is going to slow down even more. Given that chipmakers don't
seem to be able to get much past 5GHz, without melting the die, that
means you'll need 200 of today's processors, just for malware
filtering, by 2015.

- Moore's Law says compute power doubles (200%) every 24 months.
However, malware is growing at 243% every 12 months. Thus it is
already exceeding Moore's Law, by a massive margin. I suspect this
means this race is unwinnable, and we should give up now, and devote
our resources to something sustainable.

- how AV writers will generate 2.7 million new threats/day:

"Evolvable Malware":
http://www.genetic-programming.org/hc2009/3-Noreen/Noreen-Presentation.ppt

"A Field Guide to Genetic Programming":
http://www.gp-field-guide.org.uk/

Wiki:
http://en.wikipedia.org/wiki/Genetic_programming

- the insecurity of Windows creates a public space, of sorts, an area
of common ground, with shared ownership - and this is thus
susceptible to the tragedy of the commons ...
http://en.wikipedia.org/wiki/Tragedy_of_the_commons ... so no, I
don't think malware authors will slow down the mutation rate, so as
to prolong the life of the platform, they do not work together. As
Messagelabs puts it, "there's no honour amongst thieves" ...
http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf

- the greenhouse emissions caused by billions of computers checking
billions of items for billions of malware are likely to be
measurable, and will increasingly erode the world's ability to meet
environmental targets

- my own maths might be dodgy, please check it, spreadsheet:
http://www.cyberdelix.net/files/malware_mutation_projection.ods

Stu

On 28 Aug 2009 at 15:32, lsi wrote:

From: "lsi" <stuart@xxxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx
Date sent: Fri, 28 Aug 2009 15:32:45 +0100


Thanks for the comments, indeed, the exponential issue arises due to the use of blacklisting by current AV technologies, and a switch to whitelisting could theoretically mitigate that, however, I'm not sure that would work in practice, there are so many little bits of code that execute, right down to tiny javascripts that check you've filled in an online form correctly, and the user might be bombarded with prompts. Falling back on tweaks to user privileges and UAC prompts is hardly fixing the problem. The core problem is the platform is inherently insecure, due to its development, licensing and marketing models, and nothing is going to fix that. Even if fixing it became somehow possible, the same effort could be spent improving a competing system, rather than fixing a broken one.

Just to complete the extrapolation, the below.

Assuming that mutation rates continue to increase exponentially, infection rates will reach a maximum when the average computer reaches 100% utilisation due to malware filtering. Infection rates will then decline as vulnerable hosts "die off" due to their inability to filter. These hosts will either be replaced with new, more powerful Windows machines (before these themselves succumb to the exponential curve), OR, they will be re-deployed, running a different, non-Windows platform.

Eventually, the majority of computer owners will get the idea that they don't need to buy ever-more powerful gear, just to do the same job they did yesterday (there may come a time when the fastest machine available is unable to cope, there is every possibility that mutation rates will exceed Moore's Law). The number of vulnerable hosts will then fall sharply, as the platform is abandoned en-masse.

At this time, crackers who have been depending upon a certain number of cracks per week for income, will find themselves short. They will then, if they have not already, refocus their activities on more profitable revenue streams.

If every computer is running a diverse ecosystem, crackers will have no choice but to resort to small-scale, targeted attacks, and the days of mass-market malware will be over, just as the days of the mass-market platform it depends on, will also be over.

And then, crackers will need to be very good crackers, to generate enough income from their small-scale attacks. If they aren't very good, they might find it easier and more profitable to get a 9-to-5 job. The number of malware authors will then fall sharply.

The world will awaken from the 20+ year nightmare that was Windows, made possible only by manipulative market practices, driven by greed, and discover the only reason it was wracked with malware, was because it had all its eggs in one basket.

Certainly, vulnerabilities will persist, and skilled cracking groups may well find new niches from which to operate. But diversifying the ecosystem raises the barrier to entry, to a level most garden-variety crackers will find unprofitable, and that will be all that is required, to encourage most of them to do something else with their lives, and significantly reduce the incidence of cybercrime.

(now I phrase it like that, it might be said, that by buying Microsoft, you are indirectly channelling money to organised crime gangs, who most likely engage in other kinds of criminal activity, in addition to cracking, such as identity theft, money laundering, and smuggling. That is, when you buy Microsoft, you are propping up the monoculture, and that monoculture feeds criminals, by way of its inherent flaws. Therefore, if you would like to reduce criminal activity, don't buy Microsoft.)

-EOF

On 27 Aug 2009 at 13:45, lsi wrote:

From: "lsi" <stuart@xxxxxxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxxx
Date sent: Thu, 27 Aug 2009 13:45:01 +0100
Priority: normal

Subject: [Full-disclosure] windows future
Send reply to: stuart@xxxxxxxxxxxxxx



[Some more extrapolations, this time taken from the fact that malware mutation rates are increasing exponentially. - Stu]

(actually, this wasn't written for an FD audience, please excuse the bit where it urges you to consider your migration strategy, I know you're all ultra-l33t and don't have a single M$ box on your LAN)

http://www.theregister.co.uk/2009/08/13/malware_arms_race/

If this trend continues, there will come a time when the amount of malware is so large, that anti-malware filters will need more power than the systems they are protecting are able to provide.

At this time, those systems will become essentially worthless, and unusable.

You can choose to leave now, or later. But you cannot choose to stay...

(I mean, that the Windows platform seems destined to fill, completely, with malware, such that your computer will spend ALL its time on security matters, and will have no CPU, RAM etc left for actual work. At the end of the day, the ability of malware to infect Windows machines is due to the fact that Windows is a monoculture, a monolith, built by a single company, with many interconnections and hidden alleyways. It's hard to imagine a platform LESS vulnerable - compare with open-source efforts, which are diverse, homogenous and connect via open protocols. Malware finds life hard in the sterile, purified world of RFCs, where one of many different programs may process your malicious payload, all of which have been peer-reviewed. In Windows, malware knows that a specific Microsoft EXE will process its data, knows that the code has not been thoroughly checked, and can make use of undocumented mechanisms.

So basically Microsoft, by hoarding their source, by tightly integrating functionality, and by seeking to monopolise the various markets created by the platform (browser, media player, office software), have doomed Windows, and everything that runs on it. The lack of diversity in the Windows ecosystem means that it is highly vulnerable to attack by predators. The fact that malware mutation rates are accelerating is a clear indicator that the foxes are circling. This is the beginning of a death spiral; the malware numbers we've seen in the past 20 years were the low end of an exponential curve, and we're now getting to the steep part.

The problem is that any given computer is only capable of so much processing. It has an upper limit to the amount of malware it can filter, those limits being related to CPU speed, RAM, diskspace, network bandwidth. This upper limit looks like a horizontal line, on the chart that shows the exponential curve mentioned above.

So my point, is that eventually, the exponential curve is going to cross that horizontal line, for any given computer, and when that happens, that computer will no longer be able to filter malware. It will only be able to filter a subset, and thus be vulnerable to the rest. Consequently it will not be usable, for instance, on the web, and will essentially become a doorstop...

The only escape from this inevitability is to ditch the platform that is permitting the malware - that is, the only escape is to ditch Windows. It is being eaten alive, by predators that only have a foothold because there are weaknesses in the platform.

Given that it can take years to migrate to a new operating system, I do recommend, if you have not already done so, that you commence planning to ditch Windows. I might be wrong about the exponential curve, but if I'm not, then there may not be a lot of time in between when malware levels seem manageable, and the time when they are not. If your business depends on Windows machines and they all become unusable, you will have no business. What you definitely must NOT do, is assume that Windows is going to be around for a long time. It is a dead man walking.

- Of course, there might be a few years yet. You can spend those years running up your IT bill, with lots of new computers that are required to filter all that malware while still performing at a useful speed. Or, you can ditch Windows, and keep your existing hardware - it runs perfectly well, when it's not weighed down defending the indefensible.

[If Microsoft dooming Windows isn't ironic enough, consider that every time malware authors pump out another set of mutations, they are nailing one more nail in the coffin of the platform that they depend on to make their living! Ahh, there is justice in the world after all.]

[And the end game? Well, M$ could open-source Windows, but frankly, why would anyone bother trying to fix it? As the old saying goes, don't flog a dead horse...]

---
Stuart Udall
stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)
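The posts above ask readers to check the projection maths (1 million new threats in 2008, "243%" annual growth, 1 billion per year at some point in 2015/2016, 2.7 million per day, and growth outpacing Moore's Law). The script below is an added example, not part of any message in the thread, that recomputes those figures from the stated inputs. One assumption is made explicit: "243% annual growth" is read as the yearly count multiplying by 2.43; reading it as +243% (a multiplier of 3.43) moves the crossing date earlier, and both readings are just parameters, so either can be tried. The Moore's Law comparison uses the doubling-every-24-months figure the post itself states.

```python
"""Recompute the thread's malware-growth extrapolation from its stated inputs.

Added example, not code from the original posts. Inputs are taken from the
thread (1e6 new threats in 2008, "243%" annual growth, Moore's Law doubling
every 24 months); the interpretation of 243% as a yearly multiplier of 2.43
is an assumption and is passed in explicitly so the +243% reading (3.43)
can be compared.
"""
import math

DAYS_PER_YEAR = 365
MINUTES_PER_DAY = 24 * 60

# Figures as stated in the thread.
START_COUNT = 1_000_000      # new threats per year ...
START_YEAR = 2008            # ... in this year (approximate, per the post)
MULTIPLIER_READING_A = 2.43  # "243% annual growth" read as x2.43 per year (assumption)
MULTIPLIER_READING_B = 3.43  # same figure read as +243% per year (alternative)


def project(start_count, multiplier, years):
    """Yearly count `years` after the start under a constant yearly multiplier."""
    return start_count * multiplier ** years


def years_to_reach(start_count, target_count, multiplier):
    """Fractional years until the yearly count first equals target_count."""
    if start_count <= 0 or target_count <= 0 or multiplier <= 1:
        raise ValueError("counts must be positive and growth must exceed 1x")
    return math.log(target_count / start_count) / math.log(multiplier)


def year_of(start_count, start_year, target_count, multiplier):
    """First whole calendar year whose projected yearly count is >= target."""
    return start_year + math.ceil(years_to_reach(start_count, target_count, multiplier))


def per_day(per_year):
    """Yearly count spread evenly over a 365-day year."""
    return per_year / DAYS_PER_YEAR


def per_minute(per_year):
    return per_year / (DAYS_PER_YEAR * MINUTES_PER_DAY)


def moore_multiplier(years, doubling_months=24):
    """Compute-power multiplier under Moore's Law as the post states it."""
    return 2.0 ** (years * 12 / doubling_months)


def growth_vs_moore(multiplier, years):
    """How far malware growth outruns compute growth over `years`."""
    return project(1.0, multiplier, years) / moore_multiplier(years)


def projection_table(start_count, start_year, multiplier, years):
    """(year, projected yearly count) pairs, one per year, including year 0."""
    return [(start_year + y, project(start_count, multiplier, y)) for y in range(years + 1)]


if __name__ == "__main__":
    for label, m in (("x2.43 reading", MULTIPLIER_READING_A), ("x3.43 reading", MULTIPLIER_READING_B)):
        print(f"{label}: 1 billion/year reached in {year_of(START_COUNT, START_YEAR, 1e9, m)}, "
              f"2 billion/year in {year_of(START_COUNT, START_YEAR, 2e9, m)}")
    print(f"1 billion/year = {per_day(1e9):,.0f} per day, {per_minute(1e9):,.0f} per minute")
    print(f"malware growth vs Moore's Law over 1 year (x2.43): {growth_vs_moore(2.43, 1):.2f}x")
    for year, count in projection_table(START_COUNT, START_YEAR, MULTIPLIER_READING_A, 8):
        print(f"  {year}: {count:,.0f}")
```

Running it shows why the two readings of "243%" matter: at x2.43 per year the 1-billion line is crossed in 2016 and the 500x rise takes about seven years, whereas at x3.43 it is crossed in 2014 and 500x takes about five, so the per-day and Moore's Law comparisons in the thread are sensitive to which reading the spreadsheet used.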

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/