There are many ways to remove a rogue server from the Internet, and a lot of them are quite legal. The key issue is to bring together those who can (almost literally) pull the plug and those who have the evidence that such drastic action is indeed necessary, and help them to establish something like trust.
The problem today is that there are so many tens of thousands of systems being used for scanning, automated attacks, DDoS, and whatnot. This approach is only practical for certain occasional centralized services, like phishing web servers or IRC servers controlling botnets. Even those are on the verge of being widely distributed over botnets, using P2P and other techniques. Once these techniques are available in the bot development kits, it will become impractical to hunt even phishing servers down in this way, and botnets won't have vulnerable centralized control points.
Oh, and for reference? The "Extreme Hacker" your link's about was a 37 year-old script kiddie who Haxx0red US government machines direct from his own home connection.
Was his home connection a satellite link to a raft floating on a pond with ill-tempered Sea Bass at least?
Well, there are major sub-versions, too, like IE5.5SP2, etc.
Several times over the years I've discovered multiple code paths in Windows which apparently perform the same function. I discover them because performing what is ostensibly the same act via more than one of the typically myriad interface controls to initiate the given desired action sometimes differ ever so slightly (note the sarcasm in my voice) in result. I've seen these sorts of artifacts all the way up through Windows 2000. This problem exists without looking at multiple languages and how functions may vary on that axis -- who knows.
It's clear that the design of Windows contributes to the difficulty of patching and testing it. Given that, it's impressive that they can deliver interim security patches at all. The track record of not breaking random other stuff when they fix a buffer overflow vulnerability has been pretty good lately.
The Microsoft Tax has already exceeded the value of the hardware on the server side (for 1U dual processor systems at least). Your theory might be tested first by the XServe, once it's on the Intel architecture.
Agreed. I still wonder about the Cell as the basis of a killer real-time video processing system. The G5 with AltiVec does a pretty decent job of this stuff now, and it seems like the Cell would be dramatically better. Parts of Tiger even seem to be built in a way that could take advantage of the Cell for such tasks (Core Image / Core Video and the GPU offloading stuff).
Apple is clearly king of PC based video processing, and it seems like they would need something along the lines of the Cell in order to keep up. Of course, Apple doesn't need to completely discontinue Power based systems. They will retain the option of making a Cell based workstation if it were to make sense.
Otherwise, nothing stops Intel from coming up with a slightly more abstract version of SIMD that acts more like AltiVec, and adding something like the Cell streams processor to the mix.
The WWII Generation, lately called "The Greatest Generation" protected us in the U.S. from this slippery slope by remembering what happened. They are nearly all gone now and those who remain are elderly. They maintained a certain brand of idealism even as they aged which, for example, prevented a national ID card system in this country because it reminded them too much of the Fascistic blanket of bureaucratic control that nearly smothered the world when they were young, and the heavy price they paid to liberate the world from that grip. They created the United Nations and the Geneva Convention partly out of concern for the rest of the world -- but partly to prevent the need for sacrifice on the scale of WWII and to protect American soldiers when sacrifice couldn't be avoided.
Their children and grandchildren haven't learned these lessons of history as well as some of our contemporaries in Germany, Russia and other parts of Europe. As the leading example, no pun intended, we have today a child of a Veteran of World War II in the White House, leading the charge to trade a reduction in civil rights in this country for promised increases in security. On the bright side, there is a debate going on here, a public debate. Consider Bruce Schneier's recent book Beyond Fear, which seeks to help us learn how to consider the trade-offs that security decisions require at all levels, personal and societal.
The terrorists who struck The World Trade Center want a world run by an archaic, theocratic totalitarianism with eye-for-an-eye style justice meted out by them and their hand-picked like-minded sociopaths. When we give up civil rights to fight terrorism, the terrorists gain ground. However, we have many checks and balances here and we are a very long way from sliding into totalitarianism of any sort here in the U.S. Unfortunately there are many people who don't see the slippery slope when they step out upon it.
Back on the bright side, today we have more interaction between the people of different countries than ever before. The internet provides opportunity for dialog between the citizens of different countries which is historically unprecedented. German students come to the U.S. and talk to their friends about history, Russian emigrants in the U.S. talk to their friends about what's happening now in Russia, and how strange it is to see things like secret subpoenas and detention without charges and trials in the U.S. I've heard examples of both groups express surprise in conversations with young Americans ignorant of history, "Don't you realize this is how Fascism starts?" With fear. Yoda got that right, for sure.
Fear is the path to the dark side. Fear leads to anger. Anger leads to hate. Hate leads to suffering. --Yoda
As a citizen of the United States I would like to thank you for remembering and reminding us. There are many of us here who appreciate your patience. We are a young country, but an old Democracy. With your help, we will make it through this without sliding into an Orwellian 1984, nor a Fascistic 1934.
This is possibly cause for concern. Open Firmware is considerably more robust and extensible than the traditional PC BIOS stuff. Network boot stuff, for example, Still Doesn't Work Right on the PC.
I sure hope Apple has a plan for firmware that works better than what IBM, Dell, and other PC vendors tolerate for firmware enabled functions like network booting and re-imaging. This stuff Just Works on the Mac today, thanks to Open Firmware.
"What you don't know about testing, would float a battleship."
That might be true. I'm not sure the density of unthunk thoughts, though. Are they even liquid at room temperature?
Automated testing cannot prevent defects from recurring in subsequent builds as a pedantic interpretation of my passing observation might imply to a novice. I was sloppy with my terminology, yes.
However, automated testing can and does allow development teams to identify and correct defects which are accidentally re-introduced before they ship a new version with, say, seven year old security defects.
In the Java world automated unit tests are quite common, thanks to the ease with which they can be constructed with JUnit, and similarly with Python, Objective C and probably other Object Oriented languages and their respective unit testing frameworks. It seems to be less commonly practiced in the C/C++ world (although other types of automated testing are fairly well established in the commercial software industry and are largely language independent with respect to the product being tested).
With a feedback loop in the development/testing process one often sees Automated Unit Tests performing double-duty as a subset of what's normally called automated regression testing. Other types of defects might be caught with an external testing harness (e.g. WinRunner or MaxQ) typically employed in support of regression testing.
Heck, automated regression testing is even practiced by at least some folk in the visual basic world these days. (This commercial site has a nice summary of the practice.)
The point is, there are many types of automated testing, and many tools and techniques which support the concept. It seems from the perspective of a casually interested outside observer such as myself that some basic automated testing practices could be employed to help the Firefox team in their quest to create a secure, feature rich, standards compliant, and well performing web browser. I think most software developers, testers, and even development team managers would agree.
You'll be happy to learn that terminology in the testing world isn't as well established as it might seem at first blush. There are literally hundreds of different "types of testing" and you can find dozens of different and even conflicting definitions for many common types if you look a bit. So, if you seek to pick apart this post line by line I've given you enough material to do so. Just Google around a bit until you find a definition that doesn't fit those I've used and go to town.
Consider the Acid2 test. This is a functional test, perhaps. It might also be a regression test. It worked on the last build, and we didn't try to break it. Does it still work? Hooray! Acid2
"For a spoofing attempt to work, a surfer would need to have both the attacker's Web site and a trusted Web site open in different windows. A click on a link on the malicious site would then display the attacker's content in a frame on the trusted Web site, Secunia said. The company advised people not to visit trusted and untrusted Web sites at the same time."
The whole notion of a trusted web site is bogus. Many large and popular web sites are not maintained well enough to prevent them from getting defaced now and then.
The whole terminology used for web sites belies the myth of a trusted web site.
Web sites are placed on "sacrificial hosts" in a "DMZ". Web sites are not trusted by the people who build them and never have been. If the owner of a web site doesn't trust it, why should you?
A victim would never need to visit an "untrusted" web site, because this defect could be coupled with others (exploit chaining). It's even been done before with other defects, notably Download.ject.
This is interesting, though. Too bad meta moderators can't re-assign mod points to a follow-up.
Apple adopts this same style with bug reports, which can be quite frustrating. Submit a bug, hear back nothing, most times, until one day you install a patch and the bug is fixed. There should be a better way.
You may simply argue that although RISC and AltiVec were superior architectures, they simply can't compete with the overwhelming R&D investment poured into making slightly inferior architectures run faster and faster every year. Don't feel too bad. All the other RISC architectures folded their hands over the last decade, and Power isn't dead. You'll be able to game on it, and run AIX!
It seems likely that this frenzy of speculation will affect the stock price in the short term. It seems like no matter what Apple announces at WWDC today, the headline will be related to this speculation. The folks who drive the stock price probably don't read Slashdot, and the headline "Apple did or did not switch to Intel" may drive some pretty big buy/sell movement as soon as the keynote is over.
Which direction will it move? If it moves down, how long will it take to recover?
There is enough uncertainty in such a move that it sure seems to me -- a slashdot reader who doesn't affect stock prices -- that it could only move down if such a switch is announced. However, when I think about it from the perspective of a trader who probably doesn't know all that much beyond the headline that shows up on his pager at say 11:01 PST today, I wonder if a switch would be considered good, and a series of PowerPC related announcements would be considered as a sell indicator.
16% probably is too high, but the data you present probably doesn't provide a useful counter example. Stats on my own web site thus far in June with a similar (low) sample size are heavily skewed another way, with 39% Safari users (I don't know why). I'm pretty certain that this is an artifact of the small sample size and some other quirks (e.g. a Macintosh oriented site may have linked to Intrinsic Security or something).
In any case, I wouldn't leap to the conclusion that 39% of web surfers are using Safari. Stats from a high traffic site of general interest (say, CNN.com) might be more likely to reflect the general user base.
MSBlaster was actually a worm. It infected the system without the knowledge or assistance of an end user. The inherent vulnerability of the Windows platform to countless buffer overflow exploits enabled the massive large scale malware outbreaks that people think of by name - Code Red, MS Blaster, SQL Slammer, etc.
There exist however, countless email borne viruses, and for any one of them your point remains valid. A particularly clever email virus can trick an end user into clicking, "Yes", to the question, "Would you like your computer to be 0wn3d?" regardless of platform.
Although CA has identified an interesting bot, it's not really using new techniques, merely combining some. Adware and spyware have been downloading buddies for a few years now as a common technique, and many other worms have done similar things.
Exploit chaining is a more serious and under-reported threat. (Download.ject I think was the tip of a coming iceberg.)
Further hybrids of adware and spyware techniques with botnets are likely. A mini payload may ride in through a browser exploit, like adware and spyware, then start downloading buddies, emailing itself out, and using IRC to fetch instructions and other modules. All of that has been done by separate worms, and the total combination is due any moment, I suspect.
By the way, IRC is pretty easy to block. The coming use of P2P based techniques for inter-bot communications will be more adaptive and thus harder to combat.
Migrating your desktops to Macintosh or Linux is a sweet deal if you can get it. Most of my clients are strapped to Windows for the foreseeable future. It's surprising how many IT professionals in big enterprises are talking about Linux and Mac OS X these days, though. As recently as a few years ago, all they talked about was Windows. Now many of them seem to be considering and exploring alternatives. Hosting Windows as a virtual machine on top of Linux is an idea they seem to be exploring more and more.
It turns out that calls per week to the Help Desk isn't a very good measure of malware infestation rates. End users often don't realize when a system is infected, and other times they fear the consequences (IT staff re-images the PC).
Last year, at a client with about 50,000 devices on the TCP/IP network, I observed an accidental measurement of the ambient infestation rates by upgrading the PC clients to Symantec AntiVirus 9. (SAV 9 detects, but does not prevent, many additional types of malware over and above those detected by previous versions, so the first scan after the upgrade detected the adware and spyware previously ignored.) The PC network had an 11% infestation rate, which was observed to be pretty consistent from office to office. This was mostly adware and associated spyware.
Although I thought this was a shockingly high rate of infestation, it turns out that it's quite a bit lower than other reported infestation rates:
"A recent poll by Harris Survey did ask, and 92 percent of polled IT managers said their organizations had been infected with spyware -- with an average of 29 percent of their corporate PCs infected."
Prior to the upgrade, only a dozen or two calls per week to the helpdesk were observed.
There are other efforts (in addition to RBL style lists) to fix some of the problems which derive from the assumed trust that's built into the SMTP protocol. For a brief shining moment last year, I thought that we might all hold hands and sing together on this one, but Microsoft managed to drive off their early Sender ID adopters and alienate potential allies in the battle against spam by making vague patent claims and apparently refusing to even clarify.
Adoption of the Sender Policy Framework seems to have slowed, probably caught up in the confusion around Sender ID and the Microsoft patent claims. The linked site claims that SPF is unencumbered.
Well, it seems there is more than one problem. You're right about the platform-independent nature of getting users to install trojan horse software. UNIX based systems can't help that problem much, although they can limit the resulting damage in some cases.
The plague of adware and spyware infecting some significant percentage of pc systems is a separate issue that pretty clearly affects Windows, but not Mac OS X or Linux. FireFox users on Windows seem to receive some protection from this plague, too, so perhaps this issue is also platform independent, but vendor dependent.
After reading the article, I've just adjusted my registration page... to not give the "pick another account name" if a user tries to register an existing email address. Both success and failure now go to the "Your password has been mailed to." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertently spamming.
Hmm... if this policy were implemented by one or more widely used webware packages (forum / discussion site software for example) it would become possible to perform a distributed denial of service attack on any arbitrary inbox.
- search google to find the URL of the registration page for, say, a zillion deployed instances of the software system (a zillion should be enough)
- employ a script to visit the zillion sites and attempt to register a few times, using the target's email address
Each site becomes an unwitting stooge which now sends, first an email to the target saying they have registered a new account, and then two more emails that say that the account has already been registered -- on the first day of the attack. On the second day, they each send three notices of the latter type. Target receives 3 zillion emails each day.
On the bright side, perhaps those emails would be similar enough that the target could filter most of them out automatically.
And of course there are plenty of other opportunities to perform DDoS on an inbox which are simpler and more effective, so it's unlikely anyone would exploit this. The simplest technique is placing the target's email address on a web page and letting spambots trawl it, resulting in zillions and zillions of unwanted emails which are all very different, effectively making email unusable for the victim... oh, wait a second... this describes the current situation of most of the inboxes on the planet today.
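The registration policy from the quoted post, and the mail volume the reply works out from it, as an added example (not code from either poster). The class, function and address names are hypothetical, and the in-memory outbox stands in for a real mailer.

```python
from collections import defaultdict

# Cap taken from the quoted post: 3 registration attempts per day per address.
MAX_MAILS_PER_ADDRESS_PER_DAY = 3
# One response for every outcome, so the page cannot be used to test
# whether an address already has an account.
UNIFORM_RESPONSE = "Your password has been mailed to the address you gave."


class RegistrationService:
    """In-memory stand-in for one site's registration back end (hypothetical)."""

    def __init__(self):
        self.accounts = set()              # normalized registered addresses
        self.outbox = []                   # (address, kind, day) tuples "sent"
        self._counted = defaultdict(int)   # (address, day) -> attempts counted

    @staticmethod
    def _normalize(address):
        # Trim and case-fold so "A@x " and "a@x" share one counter.
        return address.strip().lower()

    def register(self, address, day):
        """Handle one attempt; the returned web response never varies."""
        addr = self._normalize(address)
        key = (addr, day)
        if self._counted[key] < MAX_MAILS_PER_ADDRESS_PER_DAY:
            self._counted[key] += 1
            if addr in self.accounts:
                self.outbox.append((addr, "already-in-use", day))
            else:
                self.accounts.add(addr)
                self.outbox.append((addr, "welcome", day))
        # Over the cap: nothing is sent and no account is created,
        # but the caller sees exactly the same page.
        return UNIFORM_RESPONSE

    def mails_to(self, address, day):
        """Kinds of mail this site sent to `address` on `day`, in order."""
        addr = self._normalize(address)
        return [k for a, k, d in self.outbox if a == addr and d == day]


def mail_volume_across_sites(n_sites, attempts_per_site, days, address):
    """Total mails per day reaching `address` when `n_sites` independent
    sites each apply the cap on their own. The cap is local to a site, so
    the total grows linearly with the number of sites."""
    sites = [RegistrationService() for _ in range(n_sites)]
    totals = []
    for day in range(days):
        for site in sites:
            for _ in range(attempts_per_site):
                site.register(address, day)
        totals.append(sum(len(s.mails_to(address, day)) for s in sites))
    return totals


if __name__ == "__main__":
    site = RegistrationService()
    target = "victim@example.test"         # constructed sample address
    for _ in range(5):
        site.register(target, day=0)
    print(site.mails_to(target, 0))        # one site, first day
    print(mail_volume_across_sites(1000, 5, 2, target))
```

The per-site cap bounds what one site sends, not what the mailbox receives; a confirmation step that sends a single message per address until the recipient responds, or shared abuse reporting between sites, addresses the aggregate that the cap cannot.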
This whole dance has been strange. There is still this thread dangling from Steve Jobs telling Fortune Magazine that PC vendors want Mac OS X, which led to speculation that PC makers might ship PowerPC systems.
What was the point of dropping that hint, at that time, in that way, if Apple really doesn't plan to license Mac OS X to other PC vendors?
Some folks claim that application design can influence the ease and robustness of automated testing, and suggest design patterns to "Pattern your way to automated regression testing."
Does the Firefox team use any automated testing on the project? Seems like these sort of errors could stay dead, if so.
Software testing automation tools
even the BBC
The Register weighs in with two articles this morning.
Apple shifts to Intel: What is all the fuss about
Apple to announce Intel 'Switch' - WSJ