Slashdot Mirror


User: Gary+W.+Longsine

Gary+W.+Longsine's activity in the archive.

Stories
0
Comments
1,155

Comments · 1,155

  1. The Real Reason for Patch Day on Time to End Microsoft's Patch Tuesday? · · Score: 3, Insightful

    Dennis Fisher fails to grok. Patch Day was created because Microsoft was getting hammered by the poor press which resulted from releasing many patches in one month. Patch Day, as much as it sucks, is probably here to stay.

  2. Multiple Independently Targeted Trolls (MITT) on Sun Debuts Java 'iPhone' · · Score: 1

    A more honest assessment of the state of Java on cell phones would paint a little less rosy a picture than you paint, even as you've tempered it with such earth-tone phrases as "you dumb fuck".

    Nowhere near the sum of the roughly 2 billion cell phones in use today employ Java in the "3rd party apps" sense that people use when attempting to pre-emptively trash the iPhone. In fact, a bunch of them neither support nor use Java at all. We're really talking about higher-end phones when we talk about 3rd party apps, for example.

    Moreover, the vast majority of even the most expensive higher-end phones which do support 3rd party Java apps never see such an app installed in the entire lifetime of the phone.

    I happen to know a few rational and technically savvy people who have experience both using and programming on every major cell phone platform. The fact is all major cell phone platforms available today suck, which leaves a market opportunity for new players. (These people love Java. Love it. Regular Java "boosters" even.) Yes, the described problems occur on some phones -- extremely slow response when Java apps are loaded, phones crashing when running 3rd party apps, various quirks that get resolved when the phone is rebooted, etc. Anybody who claims that these problems have never occurred with 2 billion cell phones running Java, frankly, reveals themselves as someone who hasn't been paying attention, or knows the truth and would prefer to troll than engage in a serious discussion.

    The worst part of the current cell phone marketplace is that most cell phone manufacturers and service providers have decided that they don't want you to have easy access to firmware fixes because they would rather sell you a new handset, with different bugs. This problem will be solved by the iPhone, because Apple has made it clear that they intend to actually support and update the software on the device.

    I for one welcome our new software-feature-adding, interface-usability-hoot-giving, screen-touching, bug-fixing cell phone firmware-updating OSX overlords.

  3. Apple hearts Java on Sun Debuts Java 'iPhone' · · Score: 2, Interesting
    Apple doesn't hate Java. WebObjects, a pure Java development framework made by Apple (fka "NeXT") is the foundation of the iTunes Music Store. Apple loves Java. LOVES IT I SAY!

    As owner of 3 Macs, let me tell you something: Apple HATES Java, has always hated it, and that is why we are stuck on Java 5 while the people using the platform which tried to kill Java are enjoying the Java 6 final release.

  4. hidden taxes, except in Kansas on Sprint Nextel Vs. 41 Schools and Non-Profits · · Score: 1

    Schools are generating revenue through a variety of, uh, clever means. They lease vending machine space to junk food vendors. This amounts to a hidden tax on society because schools are now promoting obesity, which results in taxpayers and parents forking over more money for health care down the line. Similarly, the schools are not exactly going to be market efficient spectrum brokers. Public schools should receive their funding from the same source that they receive their mandate. Except in Kansas, where they probably don't believe in radio waves anyway, and they could use the excuse to interact with science.

  5. bank web security practices annoy on IE Devs Criticize Bank Security Vulnerabilities · · Score: 2, Interesting

    This same annoying tendency of banks has another artifact (it's probably not intentional). It typically prevents the user's password management scheme (like Keychain on Mac OS X and analogous 3rd party password managers for Windows) from working properly. Without a tool like this to support the effort, most people wind up using the same password for all their web logins, which exposes them to dramatically increased risk. (Bad guys can exploit this common human behavior by plucking username / password combinations from any arbitrary p0wn3d web site, and then testing them at all the banks.)
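
The two sides of the reuse problem the comment describes, as an added example (not code from the original comment or from any bank): a defender replays a leaked username/password list against its own verifier to find customers who reused a password, and a detector flags the "many accounts, few successes" pattern that the same replay leaves in login logs. The log line format, the customer list, the breach dump and the log events are all constructed for this example, and the salted-PBKDF2 store is a simplified stand-in for a real password database.

```python
"""Credential reuse: audit against a breach dump, and spot the replay in logs.

Added example; all data below is constructed, and the bank-side store is a
simplified salted PBKDF2-HMAC-SHA256 verifier, not any real bank's scheme.
"""
import hashlib
import hmac
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta


# --- Bank side: a constructed password store -------------------------------
def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_store(creds: dict) -> dict:
    """Build {user: (salt, digest)} from plaintext pairs (test data only)."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user] = (salt, _digest(pw, salt))
    return store


def verify(store: dict, user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(digest, _digest(password, salt))


# --- Check 1: which of our accounts does a leaked (user, password) list open?
def reuse_audit(store: dict, breach_dump: list) -> list:
    """Run the attacker's own step against our verifier so the affected
    accounts can be locked and reset before someone else tries it."""
    return sorted({user for user, pw in breach_dump if verify(store, user, pw)})


# --- Check 2: the same replay as seen from the login log --------------------
# Assumed (hypothetical) log format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "user": m["user"], "ok": m["res"] == "ok"}


def stuffing_sources(lines, window=timedelta(minutes=10), min_users=5, max_success=0.2):
    """IPs that tried >= min_users distinct accounts inside `window` with a
    success rate <= max_success. Many accounts with few wins is the signature
    of a replayed dump, as opposed to one user fumbling their own password."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]].append(ev)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):            # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if len(users) >= min_users and successes / len(win) <= max_success:
                flagged.add(ip)
    return sorted(flagged)


# Constructed data: three customers, a dump from "some other site", eight log events.
BANK_USERS = {"alice": "Summer2007!", "bob": "hunter2", "carol": "correct horse"}
STORE = make_store(BANK_USERS)
BREACH_DUMP = [("alice", "Summer2007!"), ("bob", "letmein"),
               ("carol", "correct horse"), ("mallory", "x")]
LOG_LINES = [
    "2007-05-01T10:00:01 ip=198.51.100.7 user=alice result=fail",
    "2007-05-01T10:00:03 ip=198.51.100.7 user=bob result=fail",
    "2007-05-01T10:00:05 ip=198.51.100.7 user=carol result=ok",
    "2007-05-01T10:00:06 ip=198.51.100.7 user=dave result=fail",
    "2007-05-01T10:00:08 ip=198.51.100.7 user=erin result=fail",
    "2007-05-01T10:00:09 ip=198.51.100.7 user=frank result=fail",
    "2007-05-01T10:05:00 ip=203.0.113.9 user=alice result=fail",
    "2007-05-01T10:05:30 ip=203.0.113.9 user=alice result=ok",
]

if __name__ == "__main__":
    print("reused passwords:", reuse_audit(STORE, BREACH_DUMP))   # ['alice', 'carol']
    print("stuffing sources:", stuffing_sources(LOG_LINES))       # ['198.51.100.7']
```

The thresholds (five accounts in ten minutes, one success in five) are starting points, not tuned values; a shared NAT in front of a large office will produce many distinct users from one address, so in practice the success-rate condition does most of the work.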

  6. If a bear claps with one hand in the forest... on Verizon Claims Free Speech Over NSA Wiretapping · · Score: 4, Funny

    ...to warn the pope about some poop he's about to slip in, and the pope doesn't hear it, because, well, it's only one hand, or paw rather, but then a tree falls on the bear, killing the bear, and startling the pope, who looks up from the path, and slips on the poop, but the bear was well intentioned because the bear only *had* one hand, or rather paw, to begin with anyway, does the bear thusly enter into the kingdom of heaven?

  7. I demand a sum of... TEN MILLION DOLLARS! on A Foolproof Way To End Bank Account Phishing? · · Score: 1

    "I demand a sum of... ONE MILLION DOLLARS!"
    -- Dr. Evil

    "Why must I be surrounded by frickin' idiots?"
    -- Dr. Evil

  8. in all likelihood? on TJX Breach Began With WEP Crack · · Score: 1

    My experience as a consultant delivering the bad news like (and even specifically including): "WEP has been cracked, you need to replace all your wireless access points immediately because they don't support WPA" indicates otherwise. Managers are often given many goals which are difficult to balance. Short term budget constraints are typically the foremost issue for them. Replacing systems that "work just fine" because they are vulnerable to a security defect which they don't understand is seldom high on their "to do" list.

    If I had been providing security consulting to TJX, managers all the way up the chain to the CIO would have been told over and over and over that they must consider WEP networks to be insecure and replace them.

    I don't know what happened at TJX, but your assumption doesn't match my experience with other managers in other organizations. Most IT staff and managers really didn't take the WEP crack seriously for a long, long time. Many security people had to actually demonstrate the WEP crack to their managers or clients before they would take it seriously.

    The only part of this story that surprises me is that we haven't heard a couple dozen identical stories from other organizations. There is no possible way that TJX is the only company to fall victim to a WEP crack.
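
The first step in the conversation the comment describes is an inventory of which access points are still on WEP. As an added example (not from the original comment), here is a small parser for the output of a Linux `iwlist scan`, which reports "Encryption key:on" for any encrypted cell and separate "IE:" lines only when WPA or WPA2/802.11i is offered; a cell with the key on and no such IE is WEP. The scan text below is constructed for the example, and the MAC addresses and ESSIDs are made up.

```python
"""Find WEP-only access points in iwlist-style scan output (added example)."""
import re

# Constructed sample in the shape of `iwlist wlan0 scan` output; not a real scan.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:01
                    ESSID:"store-pos"
                    Encryption key:on
          Cell 02 - Address: 00:11:22:33:44:02
                    ESSID:"corp"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
          Cell 03 - Address: 00:11:22:33:44:03
                    ESSID:"guest"
                    Encryption key:off
          Cell 04 - Address: 00:11:22:33:44:04
                    ESSID:"legacy"
                    Encryption key:on
                    IE: WPA Version 1
                        Group Cipher : TKIP
"""

CELL_RE = re.compile(r"Cell \d+ - Address: (\S+)")


def parse_cells(text: str) -> list:
    """Return one dict per cell: bssid, essid, key (encryption on), wpa, wpa2."""
    cells, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:
            cur = {"bssid": m.group(1), "essid": "", "key": False,
                   "wpa": False, "wpa2": False}
            cells.append(cur)
            continue
        if cur is None:
            continue  # interface banner before the first cell
        if line.startswith("ESSID:"):
            cur["essid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Encryption key:"):
            cur["key"] = line.endswith("on")
        elif line.startswith("IE: IEEE 802.11i/WPA2"):
            cur["wpa2"] = True
        elif line.startswith("IE: WPA Version"):
            cur["wpa"] = True
    return cells


def classify(cell: dict) -> str:
    """open / wpa2 / wpa / wep. Encryption on with no WPA or RSN information
    element leaves WEP as the only possibility in this output format."""
    if not cell["key"]:
        return "open"
    if cell["wpa2"]:
        return "wpa2"
    if cell["wpa"]:
        return "wpa"
    return "wep"


def wep_networks(text: str) -> list:
    """(essid, bssid) pairs that must be replaced or reconfigured."""
    return sorted((c["essid"], c["bssid"])
                  for c in parse_cells(text) if classify(c) == "wep")


if __name__ == "__main__":
    for essid, bssid in wep_networks(SAMPLE_SCAN):
        print(f"WEP still in use: {essid!r} at {bssid}")
```

Note that "wpa" here means WPA1/TKIP, which is a different fix from WEP's but still not where a 2007-era deployment should stop; the report is meant to drive a replacement list, not to certify the remaining networks.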

  9. Re:The Tao of Slashdot on Astronomers Again Baffled by Solar Observations · · Score: 1

    Possibly:

    Tphtroll

  10. are you kidding? on Steve Jobs Personally Resolves Customer Complaint · · Score: 1

    If your theory is correct, I'd say it's more like "until recently part of Apple's PR department because the people who tried this dumb-ass stunt have been quietly sacked" ("quietly" is a registered trademark of the Apple Rumor Mill).

    It's clear to even the most casual observer that Apple strongly prefers to control, very tightly and very carefully, every aspect of their advertising and their corporate image in all contexts. They tend to avoid venues where that isn't possible. There's very little chance (approaching zero arbitrarily close) that anyone from Apple would post a story like this to Slashdot and encourage all the annoying comments about fanboys and the inevitable "it doesn't matter if Apple is green or if Steve will fix a customer support issue because the iPhone is too expensive so nobody will ever buy one and Apple is doomed so sell your stock now" comments (where *is* that one, by the way, anti-Apple-trolls seem to be slacking off here at Slashdot today).

  11. did not harm others on Microsoft CEO Claims iPhone Will Be Bust · · Score: 1

    You definitely missed the point. When you ride your motorcycle without a helmet, you are entertaining what society has deemed to be an unacceptably high risk that you will wind up a vegetable, on life support, sucking down tax dollars for decades. When you drive Windows, perhaps the externalized costs are significant, since you are part of the aggregate problem, whether you get hit by a truck or not.

  12. argumentum ad phantasm on Jobs Responds to Greenpeace FUD · · Score: 1

    Why do you hate America?

  13. anecdotes rule (apologies to Jane's Addiction) on Microsoft CEO Claims iPhone Will Be Bust · · Score: 1

    You are aware, are you not, that there are documented cases within the past 12 months of zero-day exploits which were targeted at *individual* users? It may well be the case that the system that you, likely a trained and skilled system administrator, maintain, hasn't been equipped with a rootkit by a virus or worm. However, the fantastically high infestation rate of Windows, and the remarkably low (nearly zero) infestation rate of Macintosh systems, a condition which has persisted now for seven years, must at some point be accepted as evidence that perhaps something is amiss in Redmond. None of those people need more than a few minutes of training to run their refrigerator, their television, or their car, but 20% of them at any given time have an infested PC 0wn3d bi th3m.

    Although I'm happy that you personally have managed to escape unscathed, your anecdote is revealed to be irrelevant by the basic statistics.

  14. choices on Microsoft CEO Claims iPhone Will Be Bust · · Score: 5, Interesting

    You have a valid point. There's another interesting way to look at this issue, however. People's choices affect other people at times and in ways they don't always anticipate or even care about if informed. The classic example is the protective helmet. If you ride your bicycle or motorcycle without a helmet, you are contributing to a social problem (head injuries) which costs me (the taxpayer) money. Eventually somebody (insurance companies and Medicare) gets tired of paying for stupidity and persuades Congress (or State Legislatures) to change a law to reduce the cost to society as a whole from individual stupidity.

    If you choose to run Windows that's fine on the level of the individual decision. In theory, I don't care what you run on your PC so long as you and I have access to web sites, can exchange email and photographs, etc. We can be friends and share data freely without even knowing what type of system the other person uses.

    However, I care about the fact that email is very nearly useless now. I care about identity theft. I care about industry and government data which is protected in order to reduce the proliferation of nuclear weapons technology.

    How many billions of dollars must be stolen or wasted and how many years must pass before we admit that there are systemic problems with security on Windows which seem to be deeply rooted not solely in hubris as often thought, but also in more subtle philosophy, technology, and methodology choices? These go back decades, and have enabled an enormous industry in identity theft and spamvertising to take root and thrive despite, ahem, entirely new versions of Windows which are, ahem, more secure than ever. Some of these problems can be fixed, and some of them have been substantially mitigated if not outright fixed, for decades, on UNIX. The sad realization that Microsoft apologists refuse to admit is that development methodology and management philosophy affect the security of products produced by the organizations practicing them.

    If software vendors were held liable for the expensive calamities that result from their security defects, would the technology industry collapse? Or would it adjust, and then march steadily on, with a greater emphasis placed on security? I suspect it would not collapse, but I don't have the lobbying dollars to back up my position, and neither does anybody else who shares it (thus far). The recent law suits brought against TJX by banks over stolen credit card data may portend a coming shift in alliances. If the banks turn against the software industry next, we will see a shakeup in political alliances and an eventual fight in Congress over this issue. Until then, the issue will remain the abstract musing of the occasional columnist or security analyst.

    Discussions of botnets in forums like Slashdot often include the idea that individual home users should be held accountable for the security of their home PC. Well, should they really? They didn't sign up for that. Are they held accountable for the global security implications of their refrigerator? No, they are not because there aren't any except for a few highly abstract issues related to the resources it took to build it and the energy it takes to run it. With a home PC the global security implications are complex, but not highly abstract, rather they are quite direct. Your home PC can be used to steal your identity which could be sold to raise funds for terrorism, for example, which is pretty direct. It can be used to attack other hosts or assist with Distributed Denial of Service attacks on hosts or entire networks, which is unambiguously direct: PC -> Shitstorm.

    Quite frankly, the statistics are stark and unforgiving. Windows: roughly 100,000 "known viruses" vs. roughly zero for the Macintosh (margin of error +/- 5 (five)). Twenty percent of home Windows PCs infected vs. roughly zero percent of home Macintosh or Linux systems infected (margin of error +/- 1/100 of 1%). If a relationship bet

  15. Bank of America phishing spam on Exposing Bots In Big Companies · · Score: 1

    I laughed, I cried, I wished I had mod points to shower upon you.

  16. What are you talking about? on U.S. Puts 12 Nations On Watch For Piracy · · Score: 1

    "Blacklisted and ruined their economies" is an interesting perspective. To which nations you refer is not immediately apparent. When offshore banking was perceived to be merely the province of people seeking to reduce their tax load, the industry was largely ignored. It seems some of that activity wasn't even illegal, the industry helped people to exploit loopholes.

    One could say the industry was exploited as an anonymous money laundering service by tax evaders, drug kingpins (not to be confused with the drug czars) and later by terrorists. When this became more commonly known, it found itself facing closed loopholes and reduced taxes on the upper income brackets (both of which had the effect of reducing their legitimate client base and could be more accurately characterized as "changing market conditions" not an attack on the offshore financial industry). Later it faced attempts at increased regulation to help law enforcement trace money flows related to organized crime and terrorism.

    Despite changing market conditions and increased regulation of international money flows to and from the United States (and other democratic nations) the industry seems to be thriving. So far as I can tell, there hasn't been a concerted effort by the United States government to shut down the industry, rather to force the industry to help track activities which are not only illegal in the United States, but illegal in most nations of the world, including the host nations of these banking systems.

    So what are you talking about? Am I missing some key bit of the history of this industry?

    (I Am Not A Tax Attorney so my understanding of this issue may be incomplete, in error, or inane. I further admit to paying scant attention to the particulars of this issue, and you might well know a great deal more about the collapse of national economies due to a black list than I.)

  17. exposing == alienating potential clients? on Exposing Bots In Big Companies · · Score: 4, Interesting

    My company, Intrinsic Security, generates as an artifact of product testing a certain amount of data about botnet and worm infestations on company and government networks. I have always thought that these kinds of public exposures would scare off clients, not only the companies named, but many other companies that would lose respect for a security company publicly shaming potential clients. I definitely understand the frustration mentioned in the summary, as many people in IT consider themselves to be malware experts and they always think they have "solved" the "problem" by applying the latest antivirus definitions or tweaking their IDS rules. Most IT managers don't seem to really quite understand that the typical malware today is a radically different threat than it was five years ago. Keystroke logging is routine now, a drop-in module for malware authors.

    Am I wrong? Should I publish the list of companies that I know had bots on their networks in March?
    • 174 private corporations and government agencies
    • 48 schools & universities
    • 118 telecom companies (these are partly home DSL / cable modem circuits, partly private companies where the ARIN records are not delegated but rather managed by the ISP)

  18. spam vs. drugs on Botnet on Botnet Action · · Score: 1

    Most of the other claims in the original post are not really controversial at all. This particular claim may have been overstated, but perhaps not. I haven't seen figures which total up the economic impact of malicious software, but I wouldn't be at all surprised if it was in excess of $100 billion per year, if you total the damages, profits to the bad guys, cost to the good guys, and money spent on security products and consulting which might otherwise be spent on something more productive. Then decide if one should discount the official UN estimates for the drug trade, which may arguably be considered to be overstated by most governments for political reasons. Those two markets might not be as far apart as your intuition tells you. If you then add all the grey-market activity from advertising which drives spam, you might exceed handily the drug trade. Most likely not, but the botnet market is probably larger than most people would guess.

    In any case, well funded organized crime groups control both markets. Maybe it's really a single market.

  19. defect descriptions on Apple Issues Patches For 25 Security Holes · · Score: 1

    A side effect of code reuse and object orientation is that certain defects may have effects far beyond that originally reported. The full extent of the vulnerability might not be readily apparent to the person fixing the defect or writing the report. With respect to IE on Windows for example, there are many other things that can be affected by these defects, even 3rd party products. Remote / network defects on Windows are even harder to pin down, due to certain common elements in the core Windows services. If anything, Microsoft has historically been guilty of being less than clear when these defects had the potential to affect more than one listener on more than one port, or affect more than one application. It never looked like a coverup to me, though, because it was so inconsistent.

  20. Zero Day misnomer on MacBook Hacked In Contest Via Zero-Day Hole in Safari · · Score: 1

    Smarter botnet herders may protect their zero-day exploits and use them sparingly, as you suggest. Within the past year, more than once, zero day exploits were discovered in the wild by security researchers. In one case the exploit discovered was apparently directed at a single user in a U.S. Federal government agency, suggesting that at least some of them do just that.

    In my experience, managers of large organizations do not take Zero Day risks seriously, and often don't really understand them. The risks appear to be quite real, and growing however. Has this Safari defect been independently discovered by one or more black-hats? How long ago?

    The security industry should start tracking the ship date of the vulnerable software, so that organizations can get a better understanding of their exposure. The risk period wasn't just one day, the "Zero Day" but rather could be as long as "every day since the shipment (or installation) of the version of the product with the defect."

    For every defect it might be interesting to have a small chart showing the versions of the products, the dates they shipped, the date the vulnerability was discovered by the vendor or security industry, the date it was patched, and whether or not there are indications or confirmation that the defect was exploited by or known to the underground prior to the Zero Day. The chart could be color coded.

    • Pink: The vulnerability existed in a shipping product, but was unknown to the vendor, the customers, and security researchers.
    • Red: The vulnerability was exploited by the underground and unknown to the security community.
    • Orange: The vulnerability was known to exist by the vendor and public, but a patch was not yet available.
    • Yellow: A patch is available.
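
The chart the comment proposes is easy to compute once the four dates are known. As an added example (not from the original comment, and with no claim about the actual Safari defect's dates), the code below takes a ship date, an optional earliest-known in-the-wild date, a disclosure date and a patch date, colours every day since shipment using the comment's four categories, and totals the exposure window. The product name and all dates are hypothetical.

```python
"""Per-defect exposure timeline in the four colours proposed above (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    product: str
    version: str
    shipped: date                        # first ship of the vulnerable version
    in_the_wild: Optional[date] = None   # earliest evidence the underground had it
    disclosed: Optional[date] = None     # known to vendor and public
    patched: Optional[date] = None       # fix available


COLOURS = ("pink", "red", "orange", "yellow")


def status_on(t: VulnTimeline, day: date) -> Optional[str]:
    """Colour for `day`. Later stages win: an exploited defect turns orange
    on disclosure and yellow once a patch ships; before ship it has no colour."""
    if day < t.shipped:
        return None
    if t.patched is not None and day >= t.patched:
        return "yellow"   # patch available
    if t.disclosed is not None and day >= t.disclosed:
        return "orange"   # vendor and public know, no patch yet
    if t.in_the_wild is not None and day >= t.in_the_wild:
        return "red"      # exploited, unknown to the security community
    return "pink"         # shipping and unknown to everyone


def window_lengths(t: VulnTimeline, as_of: date) -> dict:
    """Days in each colour from ship date up to (not including) as_of."""
    counts = dict.fromkeys(COLOURS, 0)
    day = t.shipped
    while day < as_of:
        counts[status_on(t, day)] += 1
        day += timedelta(days=1)
    return counts


def exposure_days(t: VulnTimeline, as_of: date) -> int:
    """Every unpatched day since ship, which is the comment's real risk period."""
    c = window_lengths(t, as_of)
    return c["pink"] + c["red"] + c["orange"]


def render(t: VulnTimeline, as_of: date) -> str:
    c = window_lengths(t, as_of)
    cells = " | ".join(f"{k}:{v}d" for k, v in c.items())
    return f"{t.product} {t.version}: {cells} (exposed {exposure_days(t, as_of)}d)"


# Hypothetical timeline, constructed for the example.
EXAMPLE = VulnTimeline(
    product="ExampleBrowser", version="2.0",
    shipped=date(2007, 1, 10),
    in_the_wild=date(2007, 3, 1),
    disclosed=date(2007, 4, 20),
    patched=date(2007, 4, 25),
)
AS_OF = date(2007, 4, 30)

if __name__ == "__main__":
    print(render(EXAMPLE, AS_OF))
    # ExampleBrowser 2.0: pink:50d | red:50d | orange:5d | yellow:5d (exposed 105d)
```

The red segment is necessarily a lower bound: it starts at the earliest evidence anyone found, and a defect with no in-the-wild date simply stays pink until disclosure, which is not the same as never having been exploited.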

  21. market niche still is not security on Botnet on Botnet Action · · Score: 1

    The browser exploits you mention almost invariably rely on
    a) IE and
    b) settings that no sane person would have on his machine.
    Given that surveys last year by Earthlink and others indicate that the typical home user Windows system has a 20% chance of being infested at any given time, the insanity rates must be somewhat higher than generally assumed. (I have suspected roughly a 49% to 51% insanity rate among the general population of the United States since about 2004.)

    Regarding IE, well, yes, it has historically had more holes than any other browser, but a zero day hole in Safari just won a guy a laptop yesterday. The niche status of a platform isn't security.

    And with Vista, I predict more malware that uses clever social engineering to lure the user into granting their application the necessary privileges rather than using escalation exploits. Simply because it is just as efficient and by far less work.
    Actually a programmatic approach will generally be close to 100% efficient for the target population vulnerable, whereas social engineering must be very, very clever to fool more than a few percent of the exposed users, and extremely clever to get into the half-to-all range. Of course, if you SPAM enough people with the attempt, social engineering only needs to work on a small percentage to yield a nice botnet fleet.
  22. 1% on Botnet on Botnet Action · · Score: 1

    I don't know if anybody has done a survey to figure this out for other platforms, but I've seen a couple different sources suggest that as many as 20% of home user systems running Windows are actually infested with malware. I've seen large organizations that have ambient infestation rates as high as 11% to 15%, even running an industry leading antivirus. The pool of potential targets might be larger than you expect. Also, any zero-day (or really any number of days before a patch is available) attacks will have a potential target pool as large as the entire population.

  23. 80 billion dollars buys a lot of wrong decisions on Microsoft Says iPhone Is Irrelevant To Business · · Score: 1

    I recall reading a few years back that if Microsoft revenue stopped cold they could continue operating at their present rate of expenditure for over 20 years, based on their cash reserves. This isn't their final chance to be wrong by any stretch.

  24. Uhm no ^ 2 on Microsoft Says iPhone Is Irrelevant To Business · · Score: 1

    Well, not really. Within a given corporation that's sometimes the case, but the interfaces between companies tend to be... phone messages, plain text emails, increasingly SMS text messages, and PDF documents. The iPhone will probably run my business just fine, and I intend to try it, advice to the contrary from Microsoft notwithstanding.

  25. open source anti-evil botnet on Botnet on Botnet Action · · Score: 1

    Hmm... I suppose that if an open source effort were orchestrated and hosted from a non-extradition country, such a botnet fleet could be designed and maintained without running afoul of this law. The idea still has a number of other problems, not least of which is that it's not clear how R&D would be funded. Botnets are evolving rapidly due to the influx of R&D money. The Anti-botnet won't benefit from revenue generated by stolen credit card numbers, data stolen and then sold to corporations and governments, and SPAM.