[LUAU] Vista security and botnets

Jim Thompson jim at netgate.com
Wed Feb 14 12:52:08 PST 2007


Warning:  very little Hawaii or Linux content in the enclosed.    
Flame me if you object but I feel a need to share.

I've been thinking some about the botnet problem of late. I've got  
relatives in Las Vegas who ask me to 'fix' their computers whenever  
I'm in town.  Typically this reduces to "reload the OS" because it is  
infested with malware, and invariably, the machine has joined a  
botnet.  Several of my relatives are now on notice that the next  
"reload" is likely to involve an "upgrade" to Ubuntu, though a few of  
the parental units are concerned about preserving their ability to  
install the 'spyware' they feel is necessary to watch their kid's  
online activity.

Anyway, botnets.  One approach is to watch one's outgoing traffic  
carefully.  Most consumer-grade firewalls are much more concerned  
with inbound traffic, and allow all outbound traffic.  The bad news  
is (a) it's far too easy to load software on the box via holes in the  
browser, (b) there are a zillion ways of embedding undetectable  
covert messages inside of perfectly legitimate traffic, and (c) the  
problem is probably worse than I thought.   Gartner, for instance,  
thinks the problem will all but saturate enterprise networks in the  
very near future:

Gartner: 10 Key Predictions for 2007:

#5: By the end of 2007, 75 percent of enterprises will be infected  
with undetected, financially motivated, targeted
malware that evaded their traditional perimeter and host defenses.

Source: eWeek: http://www.careers.eweek.com/article/Gartners+10+Key+Predictions+for+2007/196328_1.aspx

Of course, if enterprise systems are this bad, home and small office  
systems are likely to be worse.  Especially (but not exclusively) the  
ones running Windows XP. The worse news is that Vista is not going to  
fix  
this  --- there are already Vista rootkits in the wild.

There is one piece of good news and one piece of news that I hate to  
mention.   Bad news first.  There is a widget called a Trusted  
Platform Module (TPM) which is essentially firmware that:

	(a) assigns a non-forgeable unique identifier to your computer,
	(b) requires you to prove who you are before the TPM will allow you to use your computer, and
	(c) has the potential to end anonymity on the internet.

TPM hardware has shipped with several PCs and nearly all modern Macs,  
but nobody has activated it, yet.  Stallman makes reference to this  
as "Treacherous Computing".

In some respects, TPM could help control botnets and their  
proliferation IF IT IS IMPLEMENTED PROPERLY.  That's a big IF, which  
shows few signs of happening.  Also, like The Force, TPM has a dark  
side: regardless of how well TPM is implemented, it will further  
restrict customer's use of copyrighted material, and will make  
lock-in an unavoidable, eternal, impossible problem.  "Lock in" means  
those techniques that vendors like Microsoft employ to make it hard  
for you to buy or use anyone else's products.  Many folks use  
Microsoft Word because everyone is more or less locked-in to  
Microsoft Word.  At least now we have an option (maybe our last  
chance) to switch to something else.  When TPM is fully realized,  
that door will slam shut, hard.  From that point forward, any  
document created in Word (for example) will be readable exclusively  
by Microsoft products which you will have to buy whenever Microsoft  
decides it's time for you to do so.   That last statement is somewhat  
oversimplified, but true at its core.

OK, we were talking about botnets.  Quick summary:  TPM in theory  
could reduce the botnet threat, but in practice it is more likely to  
be used to make total lock-in inescapable.

There is one piece of good news, as promised above.  There are some  
smart people working on the botnet problem --- one of the smartest  
and most capable is a surprisingly attractive hacker named Joanna  
Rutkowska (most hackers -- I can say this because I was one in the  
past --- resemble either Don Knotts or Jabba the Hutt).  Ms.  
Rutkowska is pro-Vista, because she thinks that people are going to  
knuckle under and keep buying Microsoft products --- and Vista at  
least has the potential to be more secure than Windows XP (although  
so far that potential has not been well realized).

I hope she's wrong, and that enough people get sick enough of the  
whole Windows mess that they switch to something better.

But we were talking about botnets.  As the attached article shows,  
Ms. Rutkowska agrees that eliminating bots will require the  
introduction of Verifiable Operating Systems.   She has some ideas  
about how that might actually be accomplished --- ideas that don't  
require TPM.   It turns out the Operating System that comes closest  
to realizing Rutkowska's ideas is BSD Unix -- which forms the  
underpinning of MacOS.

Here is an article on the topic  from Ms. Rutkowska's blog:

http://theinvisiblethings.blogspot.com/2007/01/towards-verifiable-operating-systems.html

and one on installing undetectable malware (on the fly!) on XP and  
Vista:

http://theinvisiblethings.blogspot.com/2006/07/blue-pill-hype.html


Jim
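The post above suggests watching one's outgoing traffic as one way to notice a machine that has joined a botnet. The following script is an added example, not part of Jim's message or of any project he mentions: it scans outbound-connection log lines and flags flows where one host contacts the same remote address on a near-constant schedule, which is the "beaconing" pattern a bot's check-in to its controller tends to produce. The log format, the `parse_line`/`group_flows`/`find_beacons` function names, and the sample log lines are all constructed for this example; the addresses are from documentation ranges and the port numbers carry no meaning beyond the sample.

```python
"""
Added example (not from the original post): a small egress-monitoring script
that scans outbound-connection log lines for beacon-like behaviour, i.e. a host
contacting the same remote address on a regular schedule. The log format and
the sample lines below are constructed for this example; adapt parse_line()
to whatever your firewall actually emits.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the form "<ISO timestamp> OUT <src> -> <dst>:<dport>".
# 192.168.1.10 talks to 203.0.113.5:6667 roughly every five minutes (beacon-like);
# the other flows are irregular or too sparse to judge.
SAMPLE_LOG = """\
2007-02-14T12:00:00 OUT 192.168.1.10 -> 203.0.113.5:6667
2007-02-14T12:00:07 OUT 192.168.1.10 -> 198.51.100.20:80
2007-02-14T12:05:00 OUT 192.168.1.10 -> 203.0.113.5:6667
2007-02-14T12:06:31 OUT 192.168.1.11 -> 198.51.100.20:443
2007-02-14T12:10:00 OUT 192.168.1.10 -> 203.0.113.5:6667
2007-02-14T12:11:45 OUT 192.168.1.10 -> 198.51.100.21:443
2007-02-14T12:15:01 OUT 192.168.1.10 -> 203.0.113.5:6667
2007-02-14T12:19:58 OUT 192.168.1.10 -> 203.0.113.5:6667
2007-02-14T12:25:00 OUT 192.168.1.10 -> 203.0.113.5:6667
2007-02-14T12:33:12 OUT 192.168.1.11 -> 198.51.100.20:443
2007-02-14T12:34:02 OUT 192.168.1.11 -> 198.51.100.20:443
2007-02-14T12:51:40 OUT 192.168.1.11 -> 198.51.100.20:443
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "OUT" or parts[3] != "->":
        return None
    ts = datetime.fromisoformat(parts[0])
    dst, _, port = parts[4].rpartition(":")
    if not port.isdigit():
        return None
    return ts, parts[2], dst, int(port)


def group_flows(log_text):
    """Map (src, dst, dport) -> sorted list of connection timestamps."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            flows[(src, dst, dport)].append(ts)
    for stamps in flows.values():
        stamps.sort()
    return flows


def find_beacons(log_text, min_hits=4, max_jitter=0.15):
    """
    Flag flows whose inter-connection intervals are nearly constant.

    max_jitter is the coefficient of variation (stdev / mean) tolerated; 0.15
    allows modest scheduler slop but rejects the bursty gaps of human browsing.
    Returns a list of (src, dst, dport, mean_interval_seconds, hits).
    """
    findings = []
    for (src, dst, dport), stamps in group_flows(log_text).items():
        if len(stamps) < min_hits:
            continue  # too few samples to call the spacing regular
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, dport, round(avg, 1), len(stamps)))
    return findings


if __name__ == "__main__":
    for src, dst, dport, period, hits in find_beacons(SAMPLE_LOG):
        print(f"beacon? {src} -> {dst}:{dport} every ~{period}s ({hits} hits)")
```

Run against the constructed sample it reports only the 192.168.1.10 to 203.0.113.5:6667 flow, at about 300 seconds; the 192.168.1.11 flow has enough hits but its gaps vary far too much to pass the jitter test. Real bots often randomise their check-in interval, so in practice this check is one signal to combine with others (new or rare destinations, odd ports, volume), not a detector on its own.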