Sex, Drugs & Unix



02/14/2007: "Vista security and botnets"



I've been thinking some about the botnet problem of late.

I've got relatives in Las Vegas who ask me to 'fix' their computers whenever I'm in town. Typically this reduces to "reload the OS" because it is infested with malware, and invariably, the machine has joined a botnet. Several of my relatives are now on notice that the next "reload" is likely to involve an "upgrade" to Ubuntu, though a few of the parental units are concerned about preserving their ability to install the 'spyware' they feel is necessary to watch their kids' online activity.

Anyway, botnets. One approach is to watch one's outgoing traffic carefully. Most consumer-grade firewalls are much more concerned with inbound traffic, and allow all outbound traffic. The bad news is (a) it's far too easy to load software on the box via holes in the browser, (b) there are a zillion ways of embedding undetectable covert messages inside of perfectly legitimate traffic, and (c) the problem is probably worse than I thought. Gartner, for instance, thinks the problem will all but saturate enterprise networks in the very near future:

Gartner: 10 Key Predictions for 2007:

#5: By the end of 2007, 75 percent of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses.

Source: eWeek

Of course, if enterprise systems are this bad, home and small office systems are likely to be worse. Especially (but not exclusively) the ones running Windows XP. The worse news is that Vista is not going to fix this --- there are already Vista rootkits in the wild.
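Coming back to the outbound-traffic approach: the following is an added example, not code from the original post, showing what "watching one's outgoing traffic" looks like in practice. It runs a default-deny egress policy and a simple beaconing heuristic over a constructed firewall-style connection log. The log format, the addresses, the resolver and the allowed-port list are all assumptions made for the illustration. The point it makes is the one in the post: the port policy catches the obvious stuff, while a bot that checks in over an allowed port is only visible through its machine-like timing, and a bot that randomises its timing slips past both.

```python
"""Egress (outbound-traffic) monitoring over a constructed connection log.

Added example, not from the original post. The log format below
(timestamp src dst dport proto) is invented for illustration; real
firewall or flow logs (iptables, pf, NetFlow) need their own parser.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Outbound services a typical home/SOHO host is expected to use (assumption).
ALLOWED_PORTS = {80, 443, 123}
# The only resolver this network should be talking to (constructed value).
DNS_RESOLVER = "192.0.2.53"

# Constructed sample log: one home PC, a few minutes of outbound connections.
SAMPLE_LOG = """\
2007-02-14T09:00:00 192.168.1.10 192.0.2.53 53 udp
2007-02-14T09:00:01 192.168.1.10 198.51.100.7 443 tcp
2007-02-14T09:00:05 192.168.1.10 198.51.100.7 80 tcp
2007-02-14T09:00:30 192.168.1.10 203.0.113.9 443 tcp
2007-02-14T09:01:00 192.168.1.10 203.0.113.9 443 tcp
2007-02-14T09:01:30 192.168.1.10 203.0.113.9 443 tcp
2007-02-14T09:02:00 192.168.1.10 203.0.113.9 443 tcp
2007-02-14T09:02:30 192.168.1.10 203.0.113.9 443 tcp
2007-02-14T09:02:45 192.168.1.10 198.51.100.200 6667 tcp
2007-02-14T09:03:00 192.168.1.10 203.0.113.9 443 tcp
2007-02-14T09:03:10 192.168.1.10 198.51.100.44 53 udp
"""


def parse_log(text):
    """Parse the constructed log into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto,
        })
    return records


def port_policy_findings(records):
    """Default-deny egress policy: flag anything outside the expected set."""
    findings = []
    for r in records:
        if r["dport"] == 53:
            if r["dst"] != DNS_RESOLVER:
                findings.append(("dns-to-foreign-resolver", r["dst"], r["dport"]))
        elif r["dport"] not in ALLOWED_PORTS:
            findings.append(("unexpected-port", r["dst"], r["dport"]))
    return findings


def beacon_findings(records, min_count=5, max_cv=0.1):
    """Flag (dst, port) pairs contacted repeatedly at near-constant intervals.

    A coefficient of variation (stdev / mean) of the inter-arrival times near
    zero means machine-like regularity, which human browsing rarely produces.
    This sees check-ins hidden on an allowed port, which the port policy
    cannot; it does not see a bot that randomises its timing.
    """
    by_dest = defaultdict(list)
    for r in records:
        by_dest[(r["dst"], r["dport"])].append(r["ts"])
    findings = []
    for dest, stamps in by_dest.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append(dest)
    return findings


def analyze(text):
    """Run both checks over a log and return the findings keyed by check."""
    records = parse_log(text)
    return {"policy": port_policy_findings(records),
            "beacons": beacon_findings(records)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

On the sample log the port policy flags the connection to port 6667 and the DNS query sent to a resolver other than the configured one, while the host at 203.0.113.9 is contacted on 443 every 30 seconds and is only surfaced by the beacon check. Thresholds (`min_count`, `max_cv`) are starting points to tune against a network's own baseline, not universal constants.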

There is one piece of good news and one piece of news that I hate to mention.
Let's do the bad news first.

There is a widget called a Trusted Platform Module (TPM) which is essentially firmware that:

(a) assigns a non-forgeable unique identifier to your computer,
(b) requires you to prove who you are before the TPM will allow you to use your computer, and
(c) has the potential to end anonymity on the internet.

TPM hardware has shipped with several PCs and nearly all modern Macs, but nobody has activated it, yet. Stallman makes reference to this as "Treacherous Computing".

In some respects, TPM could help control botnets and their proliferation IF IT IS IMPLEMENTED PROPERLY. That's a big IF, which shows few signs of happening.

Like The Force, TPM has a dark side: regardless of how well TPM is implemented, it will further restrict customers' use of copyrighted material, and will make lock-in an unavoidable, eternal, impossible problem. "Lock in" means those techniques that vendors like Microsoft employ to make it hard for you to buy or use anyone else's products. Many folks use Microsoft Word because everyone is more or less locked-in to Microsoft Word. At least now we have an option (maybe our last chance) to switch to something else. When TPM is fully realized, that door will slam shut, hard. From that point forward, any document created in Word (for example) will be readable exclusively by Microsoft products which you will have to buy whenever Microsoft decides it's time for you to do so. That last statement is somewhat oversimplified, but true at its core.

OK, we were talking about botnets. Quick summary: TPM in theory could reduce the botnet threat, but in practice it is more likely to be used to make total lock-in inescapable.

There is one piece of good news, as promised above. There are some smart people working on the botnet problem --- one of the smartest and most capable is a surprisingly attractive hacker named Joanna Rutkowska (most hackers -- I can say this because I was one in the past --- resemble either Don Knotts or Jabba the Hutt). Ms. Rutkowska is pro-Vista, because she thinks that people are going to knuckle under and keep buying Microsoft products --- and Vista at least has the potential to be more secure than Windows XP (although so far that potential has not been well realized).

I hope she's wrong, and that enough people get sick enough of the whole Windows mess that they switch to something better.

But we were talking about botnets. As the attached article shows, Ms. Rutkowska agrees that eliminating bots will require the introduction of Verifiable Operating Systems. She has some ideas about how that might actually be accomplished --- ideas that don't require TPM. It turns out the Operating System that comes closest to realizing Rutkowska's ideas is BSD Unix -- which forms the underpinning of MacOS.

Here is an article on the topic from Ms. Rutkowska's blog, and one on installing undetectable malware (on the fly!) on XP and Vista.

