[LUAU] Vista security and botnets
Jim Thompson
jim at netgate.com
Wed Feb 14 12:52:08 PST 2007
Warning: very little Hawaii or Linux content in the enclosed.
Flame me if you object but I feel a need to share.
I've been thinking some about the botnet problem of late. I've got
relatives in Las Vegas who ask me to 'fix' their computers whenever
I'm in town. Typically this reduces to "reload the OS" because it is
infested with malware, and invariably, the machine has joined a
botnet. Several of my relatives are now on notice that the next
"reload" is likely to involve an "upgrade" to Ubuntu, though a few of
the parental units are concerned about preserving their ability to
install the 'spyware' they feel is necessary to watch their kid's
online activity.
Anyway, botnets. One approach is to watch one's outgoing traffic
carefully. Most consumer-grade firewalls are much more concerned
with inbound traffic, and allow all outbound traffic. The bad news
is (a) it's far too easy to load software on the box via holes in the
browser, (b) there are a zillion ways of embedding undetectable
covert messages inside of perfectly legitimate traffic, and (c) the
problem is probably worse than I thought. Gartner, for instance,
thinks the problem will all but saturate enterprise networks in the
very near future:
Gartner: 10 Key Predictions for 2007:
#5: By the end of 2007, 75 percent of enterprises will be infected
with undetected, financially motivated, targeted
malware that evaded their traditional perimeter and host defenses.
Source: eWeek: http://www.careers.eweek.com/article/Gartners+10+Key+Predictions+for+2007/196328_1.aspx
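The "watch your outgoing traffic" approach above is easy to describe and rarely done, so here is an added example (mine, not from the original post or from any product named in it) of what an egress monitor actually looks for. It reads outbound connection records in a simple constructed format ("timestamp src dst dport proto"; the field layout and all sample lines are made up for this example) and flags two things a home router could just as well flag: connections to destination ports a home machine has no business reaching, and destinations contacted at a suspiciously regular interval, the heartbeat a bot sends to its controller. The port allowlist is an assumption for a typical home host, not a recommendation for any particular network.

```python
"""Toy egress monitor (added example; format, sample data and allowlist are constructed)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Note it is deliberately NOT in time order,
# as records collected from several sources often are not.
SAMPLE_LOG = """\
2007-02-14T12:00:00 192.168.1.10 198.51.100.7 80 tcp
2007-02-14T12:00:05 192.168.1.10 198.51.100.7 80 tcp
2007-02-14T12:00:40 192.168.1.10 203.0.113.5 6667 tcp
2007-02-14T12:01:40 192.168.1.10 203.0.113.5 6667 tcp
2007-02-14T12:02:40 192.168.1.10 203.0.113.5 6667 tcp
2007-02-14T12:03:40 192.168.1.10 203.0.113.5 6667 tcp
2007-02-14T12:02:13 192.168.1.10 198.51.100.9 443 tcp
2007-02-14T12:09:13 192.168.1.10 198.51.100.9 443 tcp
2007-02-14T12:04:00 192.168.1.11 198.51.100.22 25 tcp
"""

# Assumed allowlist: DNS, web, and NTP are all a typical home host needs outbound.
# Outbound SMTP (25) from a desktop usually means a spam relay, and 6667 (IRC)
# was the classic bot command channel of the period.
ALLOWED_PORTS = {53, 80, 123, 443}


def parse_log(text):
    """Turn the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
        })
    return records


def find_port_violations(records, allowed=ALLOWED_PORTS):
    """Unique (src, dst, dport) triples whose destination port is not allowlisted."""
    hits = {(r["src"], r["dst"], r["dport"]) for r in records if r["dport"] not in allowed}
    return sorted(hits)


def find_beacons(records, min_hits=4, max_jitter=5.0):
    """(src, dst) pairs contacted at a near-constant interval.

    A legitimate browsing session is bursty; a bot checking in with its
    controller tends to connect on a timer. We require at least `min_hits`
    connections and a population standard deviation of the gaps between
    them of at most `max_jitter` seconds.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # the log is not guaranteed to be in order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter:
            beacons.append(pair)
    return sorted(beacons)


def report(text):
    """Convenience wrapper: parse and return both findings together."""
    recs = parse_log(text)
    return {"port_violations": find_port_violations(recs), "beacons": find_beacons(recs)}


if __name__ == "__main__":
    for kind, findings in report(SAMPLE_LOG).items():
        print(kind)
        for f in findings:
            print("  ", f)
```

On the sample data the monitor flags the IRC connections from 192.168.1.10 both as a port violation and as a beacon (four connections exactly 60 seconds apart), and the outbound SMTP from 192.168.1.11 as a port violation; the two HTTPS connections to 198.51.100.9 are left alone because two hits are not enough to call anything periodic. In real life the allowlist and the jitter threshold are the knobs you tune, and point (b) in the post still applies: a bot that randomizes its check-in interval or hides inside normal web traffic will not trip a detector this simple.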
Of course, if enterprise systems are this bad, home and small office
systems are likely to be worse. Especially (but not exclusively) the
ones running Windows XP. The worse news is that Vista is not going to fix
this --- there are already Vista rootkits in the wild.
There is one piece of good news and one piece of news that I hate to
mention. Bad news first. There is a widget called a Trusted
Platform Module (TPM) which is essentially firmware that:
(a) assigns a non-forgeable unique identifier to your computer,
(b) requires you to prove who you are before the TPM will allow you
to use your computer, and
(c) has the potential to end anonymity on the internet.
TPM hardware has shipped with several PCs and nearly all modern Macs,
but nobody has activated it, yet. Stallman makes reference to this
as "Treacherous Computing".
In some respects, TPM could help control botnets and their
proliferation IF IT IS IMPLEMENTED PROPERLY. That's a big IF, which
shows few signs of happening. Also, like The Force, TPM has a dark
side: regardless of how well TPM is implemented, it will further
restrict customers' use of copyrighted material, and will make
lock-in an unavoidable, eternal, impossible problem. "Lock in" means
those techniques that vendors like Microsoft employ to make it hard
for you to buy or use anyone else's products. Many folks use
Microsoft Word because everyone is more or less locked-in to
Microsoft Word. At least now we have an option (maybe our last
chance) to switch to something else. When TPM is fully realized,
that door will slam shut, hard. From that point forward, any
document created in Word (for example) will be readable exclusively
by Microsoft products which you will have to buy whenever Microsoft
decides it's time for you to do so. That last statement is somewhat
oversimplified, but true at its core.
OK, we were talking about botnets. Quick summary: TPM in theory
could reduce the botnet threat, but in practice it is more likely to
be used to make total lock-in inescapable.
There is one piece of good news, as promised above. There are some
smart people working on the botnet problem --- one of the smartest
and most capable is a surprisingly attractive hacker named Joanna
Rutkowska (most hackers -- I can say this because I was one in the
past --- resemble either Don Knotts or Jabba the Hutt). Ms.
Rutkowska is pro-Vista, because she thinks that people are going to
knuckle under and keep buying Microsoft products --- and Vista at
least has the potential to be more secure than Windows XP (although
so far that potential has not been well realized).
I hope she's wrong, and that enough people get sick enough of the
whole Windows mess that they switch to something better.
But we were talking about botnets. As the attached article shows,
Ms. Rutkowska agrees that eliminating bots will require the
introduction of Verifiable Operating Systems. She has some ideas
about how that might actually be accomplished --- ideas that don't
require TPM. It turns out the Operating System that comes closest
to realizing Rutkowska's ideas is BSD Unix -- which forms the
underpinning of MacOS.
Here is an article on the topic from Ms. Rutkowska's blog:
http://theinvisiblethings.blogspot.com/2007/01/towards-verifiable-operating-systems.html
and one on installing undetectable malware (on the fly!) on XP and
Vista:
http://theinvisiblethings.blogspot.com/2006/07/blue-pill-hype.html
Jim