Forgot your password?
typodupeerror
Security The Internet

Botnets As "eWMDs" 172

Posted by kdawson
from the trying-to-wake-sleeping-policymakers dept.
John Kelly writes "The current issue of Policy Review has a paper by an American computer scientist and the recent Permanent Undersecretary of Defense for Estonia. Drawing on the Estonian cyber attacks a year and a half ago, as well as other recent examples, they argue that botnets are the major problem. They propose that botnets should be designated as 'eWMDs' — electronic weapons of mass destruction. The paper also proposes a list of reforms that would help to limit the scale and impact of future botnet attacks, beginning with defining and outlawing spam, internationally." Many of the proposed solutions are common-sensical and won't be news to this audience, but it is interesting to see the botnet threat painted in such stark terms for readers of the Hoover Institution's Policy Review. For a more comprehensive overview of cyber-security threats, listen to NPR's interview with security experts on the occasion of the release of a new report, "Securing Cyberspace for the 44th Presidency," which recommends creating a cyber-security czar reporting to the President.
This discussion has been archived. No new comments can be posted.

Botnets As "eWMDs"

Comments Filter:
  • by llamalad (12917) on Tuesday December 09, 2008 @08:23PM (#26053815)

    Subject says it all.

    This is... ridiculous.

    • by punkmanandy (592682) on Tuesday December 09, 2008 @08:32PM (#26053887) Journal
      WMD isn't about the actual history of attack. There hasn't been a nuke detonated in an offensive capacity since World War II, but that hasn't stopped them from being a preoccupation of defense strategy since then. It's about the fear. And the concept of hundreds of thousands of zombie computers attacking an institution without the proper defenses could be devastating, especially if that institution is critical to the public health/safety.
      • Re: (Score:1, Insightful)

        by Anonymous Coward

        As critical to public safety as, say, a city?

        Botnets are serious stuff, but let's be honest here, they're not really on a level with a thermonuclear warhead or VX.

        "eWMD" is simply disingenuous.

        • by Anonymous Coward on Tuesday December 09, 2008 @09:47PM (#26054449)

          Yeah, maybe not a city, but think about what would happen if they took WoW offline for more than an hour. Oh the horror!

        • What worries me is I was reading an article today calling on President Obama to create a new office to "protect cyberspace" and I noticed this little nugget from the report recommending Obama act "It proposed online "data warrants," for example, rather than traditional search warrants, which it said "may be increasingly impracticable in the online environment." Now I don't know about you, but after all that Fisa crap i trust their little "data warrants" about as far as I can throw a Cray.

          If you would like to read the article it is here [myway.com] but after the last pile of bull we were fed about WMDs the second I hear anything to do with them I start looking for the shovel. And let us be honest here: how many data breaches have we seen in the last few years of both government and private networks that were due to plain old stupidity? Maybe they should do a top to bottom audit of their networks to ensure that best security practices are being used and THEN they can start talking about eWMDs. But until then I will automatically think "power grab" when crap like this hits the news.

          • by hey! (33014)

            Well, do you think that investigators will simply refuse to look at private data because ... there is no system that that limits their ability to do so?

            I think there are perfectly legitimately reasons to look at privately held data, but once somebody gets that power, either officially or simply by taking it secretly, that power has to be regulated and its use made accountable.

            Consider torture. Alan Dershowitz suggested after 9/11 that there should be a "torture warrant". Now I think that torture has no l

      • Fear (Score:5, Insightful)

        by Iamthecheese (1264298) on Tuesday December 09, 2008 @08:56PM (#26054107)
        Great fear. Terror even. Terrorism! Danger! Danger! Threat level orange! All good citizens must immediately surrender their rights! We'll start by outlawing spam. But how can we enforce it? We need to verify all e-mail legitimacy! We'll do it with technology. What is needed is a massive database of all e-mails sent, which will be filtered to assure that no 1,000 of them are the same. After that we'll send it to the intended recipient. Of course we'll have to keep logs...
        • Re: (Score:3, Insightful)

          by Anachragnome (1008495)

          Bingo.

          Sounds like an attempt to put all the new, nifty "Terrorism Mitigation" laws into use for something they were never intended to be used for.

          Well, maybe I am wrong about the intent thing....

      • by couchslug (175151)

        "And the concept of hundreds of thousands of zombie computers attacking an institution without the proper defenses could be devastating, especially if that institution is critical to the public health/safety."

        Which is why C4I and other important systems should simply never be connected to the internet, and anyone who compromises them by doing so punched in the throat for being stupid.

      • Re: (Score:2, Interesting)

        by TimSSG (1068536)
        The USA policy is that we will respond with Nukes if WMDs are used against us. If botnets are WMDs who are we going to bomb with an Nuke! We are going to bomb no one; therefor they are NOT WMDs. Any sane person who thinks they are WMDs should be fired or put in jail. Because they are inciting the use of Nukes on the nation attacking the US. Tim S
        • AOL users of course.
          From orbit.

        • by Fred_A (10934)

          We are going to bomb no one; therefor they are NOT WMDs. Any sane person who thinks they are WMDs should be fired or put in jail. Because they are inciting the use of Nukes on the nation attacking the US. Tim S

          Most botnets *are* Wired Malfeasant Desktops. I don't see what your issue is.
          Bombing all of them wouldn't be very easy though.

      • by Duckie01 (10586)

        It's about the fear. And the concept of hundreds of thousands of zombie computers attacking an institution without the proper defenses could be devastating, especially if that institution is critical to the public health/safety.

        I've heard that before. I'd hope that such critical institutions, especially those affecting public health/safety have enough common sense to not hook up their critical systems to the internet. DUH!

    • Re: (Score:3, Insightful)

      by jeffmeden (135043)

      They destroyed my inbox! It's now a mass of about 2GB and it's either all junk mail or I have won about a thousand lifetime supplies of male enhancement pills and a nice gentleman with poor english skills is very persistent in expressing his wishes to "undergo a business transaction" involving millions of dollars!

      Now, I can't take the chance that it's ALL junk, so I am saving it just to be sure.

    • by shogarth (668598) on Tuesday December 09, 2008 @08:52PM (#26054075)

      If we think of mass-energy conversion in nuke plants, I would argue that some mass was destroyed (er, converted) to generate a portion of the electricity consumed in botnet attacks. Touche.

      More generally, reread the article. They are trying to address a real, asymmetric threat. Some jack-off (or group of jack-offs) can cause measurable harm (counted in your favorite currency if nothing else) via DDoS attacks. That is a demonstrated fact. Estonia argues that their financial sector was largely off-line for three weeks due to (purportedly) coordinated DDoS attacks. If their assertion is correct (a point about which I am neutral), then that DDoS attack was as effective (arguably more effective) on the Estonian financial industry as the 9/11 attacks were on the U.S banking system. Think back to how crazy people were that Wall St. was essentially off-line.

      In any case, it is hardly unreasonable to argue that DDoS attacks pose an effective asymmetric threat to certain industries. On the other hand, I am less than convinced that there are Evil Hackers out there capable of and planning to shut down water systems and power distribution. However, should it be possible and occur, think about how short a time it took for New Orleans civil society to disintegrate.

      • I am less than convinced that there are Evil Hackers out there capable of and planning to shut down water systems and power distribution. However, should it be possible and occur, think about how short a time it took for New Orleans civil society to disintegrate.

        New Orleans civil society didn't disintegrate because they couldn't conduct financial transactions, and the power was out. Also, I would bet my family jewels that there are indeed evil hackers out there planning to do evil things. Billions of doll
        • Re: (Score:3, Insightful)

          by shogarth (668598)

          Please read my post. I don't suggest that New Orleans civil society came apart due to a financial mess. Rather, people resorted to looting grocery stores for food and water when the tap stopped working and the refrigerator could no longer keep food from spoiling. Of course, there were other contributing factors (like the lack of law enforcement) but desperate people will do what it takes to survive. If the hypothetical Evil Hackers manage to cut water and/or power to a large, urban population, they will

          • by Gorobei (127755) on Tuesday December 09, 2008 @10:38PM (#26054777)

            Good Lord, "people looting grocery stores for food and water" is more just efficient use of national resources than anything else. More law enforcement wouldn't have helped: it would have compounded the problem. What would have helped is rapid national disaster response. So, some shops lost a few bottles of water and diapers - that's what insurance is for.

            I've walked 1/2 the length of Manhattan twice: once on 9/11 and once for the big blackout. Both times I was offered a bunch of free stuff (water, food, tissues for improvised masks, and even beer as the cooling failed.) Just small businesses and their employees behaving decently.

            If someone wants to lock down their basic supplies super-store in the midst of a week-long emergency, I'll be there with a saws-all and spend my day handing out bottled water.

          • by TapeCutter (624760) on Wednesday December 10, 2008 @01:21AM (#26055905) Journal
            New Orleans was 10 feet underwater from Katrina which is a tad more serious than no power or tap water. Outside the west many cities don't have running water to any but the weathiest of thier residents, let alone fridges in every kitchen. "Law enforcement" would have been much better served if the enforcers were handing out bottled water.

            Basic adult minimums: Breath once a minute, drink once a day, eat once a week.
      • by msormune (808119)
        In the Estonian case, it is rumored they used DDOS attack as an excuse to shut down the exchange market for a few days to stop selling stock short a few months ago during great stock fluctuations
      • by jafac (1449)

        The current financial crisis can even be traced back to 9/11.

        9/11 => 2001-2002 recession => 2003 interest rate OVERCORRECTION => 2004-2006 Housing Market BOOM and fraudulent overinvestment (and underwriting) in MBS's => 2007 Housing Market decline => 2008 Financial Market IMPLOSION.

        True: Greenspan's flawed religious ideology for the God of the Invisible Hand was probably much more harmful than the physical terror attack that happened on 9/11 - but Greenspan's rate cut was a predictable over-

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The goal of more expensive, more powerful government (e.g. a more lucrative business to control for those at the top of the power pyramid) is best achieved through marketing. You shoot high, even claiming the ridiculous as we see here, and then you "back down" into a slightly less outrageous expansion of government, but a significant expansion of the business nonetheless.

      Ironically, these crooks are taking a page straight out of the US government's book.

    • Agreed. Wouldn't "Weapons of Mass Disruption" make it more accurate?

      ...when does Apple come out with the iWMD?

      0x73db07
    • precisely so. Equating botnets with WMD is an insult to everyone who ever died of poison gas or nuclear bombs.
    • by Dan541 (1032000)

      I want to shoot people who put the letter e on front of everything.

      Email is ok, but e-waste?, e-WMDs.

      If you have to invent new words in order to communicate you probably shouldn't be doing it.

  • by khasim (1285) <brandioch.conner@gmail.com> on Tuesday December 09, 2008 @08:23PM (#26053817)

    And anything destroyed by them SHOULD be able to be restored from backup.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      It's not about the immediate destruction. Think of how much time and money could be lost by some key website or system on the internet that was taken down by a botnet.

    • by FranTaylor (164577) on Tuesday December 09, 2008 @08:59PM (#26054141)

      What if a hospital's infrastructure was taken down by a botnet immediately after a natural disaster?

      • by Abreu (173023)

        Actually, an attack consisting of several simultaneous bombs in several areas of a city, combined with a systematic botnet attack of the major hospitals of the same city sounds quite evil...

        • by _ivy_ivy_ (1081273) on Tuesday December 09, 2008 @10:33PM (#26054737)

          Actually, an attack consisting of several simultaneous bombs in several areas of a city, combined with a systematic botnet attack of the major hospitals of the same city sounds quite evil...

          ..all of those doctors would be unable to properly bill for their services. Oh, the humanity!

        • by fuzzyfuzzyfungus (1223518) on Wednesday December 10, 2008 @12:45AM (#26055693) Journal
          Probably not as evil as you might expect. Most moment-to-moment computer controlled medical stuff(drug computers, life support widgets, etc.) is deep embedded stuff, and subject to FDA scrutiny, so no something that you can just bodge onto a commodity internet connected server. Patient charts, insurance, etc, etc. would be affected; but fairly large scale acute casualty incidents are perhaps the situation where you can most easily dispense with that. If your hospital goes down because they can't access insurance records and they must access insurance records before treating the pile o' bomb victims in the hall, then your society is fairly deep in "too sick to survive" territory.

          The stuff that would be more likely to be problematic are some of the emerging remote medicine toys. If the MRI is here but the radiologist is over at Bangalore Radiology Inc, then you aren't going to be getting any results back during a DDOS.
      • by quanticle (843097)

        First, if a hospital has its critical infrastructure exposed on the Internet, I'd be blaming the hospital, not the hacker. Second, how is the hacker even going to access the hospital's systems if they've been "involuntarily airgapped" by the natural disaster?

      • A just a hospital? (Score:3, Insightful)

        by Valdrax (32670)

        How is taking down a single hospital the work of a Weapon of Mass Destruction?

        Taking down a single hospital is nothing that you can't do with a simple truck bomb or even a smaller bomb on the backup generator's fuel supply. People need to remember that not EVERYTHING a terrorist can use to screw someone over is a WMD. Otherwise, most major cities have a WMD depot more commonly called an "airport."

        The WMD thing is just buzzword use to try to trigger a hysterical over-response. I mean, when has a botnet do

        • by Fred_A (10934)

          How is taking down a single hospital the work of a Weapon of Mass Destruction?

          It could be a massive hospital in Massachusetts ?

    • I don't think bot nets physically destroy things directly, but they still can cost a lot of money as more and more of our economies depend on the internet.

      I think it may be possible to take small countries off the internet, which can be quite damaging. I thought this happened with Estonia, but the details I find are a little sketchy.

  • Sneaky (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 09, 2008 @08:32PM (#26053889)

    I bet this is a way to sneak in some more "general purpose" legislation on the net. There is going to be a strong push for that coming from the EU in the next months unfortunately.

    I can see it now. Newlines in the papers as Iran is found harboring WMDs along with Syria and Pakistan. Equating NBC weapons with botnets is retarded on an incredible amount of levels.

  • wmd comparison (Score:5, Informative)

    by sveard (1076275) * on Tuesday December 09, 2008 @08:34PM (#26053903) Homepage

    Perhaps we should compare some WMD's

    An atomic bomb detonated over a dense population center: millions die
    An eWMD shuts down water supply: people have to resort to bottled water and, in a worst case scenario, boil rain water; for a few weeks

    Perhaps eWMD is a better name for an EMP because that actually DESTROYS something that can not be brought back from the dead using backups

    • by Entropius (188861)

      Could a botnet shut down a water supply?

      Not if the people managing the water supply have done their homework. How are you going to DDoS a water treatment plant?

      I mean, I know we use the metaphor "clogging the pipes", but it's just a metaphor...

    • How about taking over the systems that regulate the generators at a power plant? One could blow out the entire plant and every piece of electrical gear downstream.

      • by wytcld (179112)

        Thank you. Do you have other excellent creative conceptual contributions? Because as we know, box cutters are WMDs - when used with the right brilliant scheme. There must be ten thousand glorious ways to harness ten million zombie computers in unison for nefariousness.

        If only the botnets had been employed against Wall Street before Wall Street's computer-enabled credit swaps crippled the economy of the West! Surely the West will rise again. But that it had never fallen. If only the botnet lords had saved us

      • Re: (Score:3, Insightful)

        by cromar (1103585)
        Anyone who has that kind of equipment connected to the internet in anyway that would allow a DDoS attack deserves what they get. There is no reason to have that kind of equipment connected to a public network. Period.

        It does a disservice to lump together the weapons that have cruelly and inhumanely killed millions of people to something like a botnet which has no physically destructive potential.
        • Re: (Score:3, Interesting)

          by evanbd (210358)

          There is no reason to have that kind of equipment connected to a public network. Period.

          People say that all the time, but it's simply not true. Coordinating a variety of utilities and their major consumers makes sense. Having the wind farm aware of the local weather predictions, the hydro plant aware of the seasonal rainfall expectations, and the nearby aluminum refinery aware of both of their likely outputs has real value. Your options are then to either build some alternate network and then move data on and off it in some kludgey fashion that isn't 100% secure (there's no rule that says y

          • by cromar (1103585)
            It's reasonable to assume that it will be necessary to move information to and from various utilities, sure. However, having a non-public, single point of entry between the internet and a closed network certainly removes the risk of a DDoS, yes? (Not to mention numerous other attacks.)Plus it will be easier to tell who and what was involved in the attack using a non-public interface. There's no reason it has to be a kludgey system, either. I don't see how a closed network between the relevant public in
            • by evanbd (210358)

              Now, I happen to agree that these networks should remain separate, with the best barriers between them we can manage

              So don't call me naive/disingenuous ;) We agree for Pete's sake!

              The same reasons that make it useful to move data back and forth make it useful to do so in a low-latency and automated fashion. Which makes it useful to connect them to a network... "No reason" is not an accurate description of the situation.

              It seems my choice of words was unfortunate; I seem to have neglected the possibility of unfortunate word choice. My apologies.

          • by Gordonjcp (186804)

            There is no reason to have that kind of equipment connected to a public network. Period.

            People say that all the time, but it's simply not true. Coordinating a variety of utilities and their major consumers makes sense. Having the wind farm aware of the local weather predictions, the hydro plant aware of the seasonal rainfall expectations, and the nearby aluminum refinery aware of both of their likely outputs has real value.

            But a DDOS shouldn't shut down your wind farm *anyway* - why would it? By the same

    • Re: (Score:3, Interesting)

      by TubeSteak (669689)

      Perhaps we should stop calling them "Weapons of Mass Destruction".

      Weapons of Mass Effect is a broader term that encompasses bio/chem warfare, EMPS, dirty (radioactive) bombs, large conventional explosives, planes flying into buildings, etc.

      And WME would also include things like botnets and malicious worms.

      An eWMD shuts down water supply: people have to resort to bottled water and, in a worst case scenario, boil rain water; for a few weeks

      It would literally be impossible to truck in enough potable water to sustain even a relatively small population center. In a city of millions, the only solution would be mass relocations. Even if the popul

      • Weapons of Mass Effect is a broader term that encompasses bio/chem warfare, EMPS, dirty (radioactive) bombs, large conventional explosives, planes flying into buildings, etc.

        And WME would also include things like botnets and malicious worms.

        Meh. What defines a mass effect? If we reduce the term to just the effects it has on society, then anything could be a so-called WME.

        If I shook hands with the President-elect, and then while I had a good grip on him grabbed a fork form the nearest table and jabbed it in his eye, then you bet your sweet butt that I would have just used a "weapon of mass effect." But should the country immediately rise up into a hysteria about banning forks?

        Really, that's what this paper is about -- trying to stir up the s

      • by Lavene (1025400)

        An eWMD shuts down water supply: people have to resort to bottled water and, in a worst case scenario, boil rain water; for a few weeks

        It would literally be impossible to truck in enough potable water to sustain even a relatively small population center. In a city of millions, the only solution would be mass relocations.

        This is of course true when a facility is permanently destroyed. But a 'botnet attack' is not exactly the same as blowing up things. I guess it could interrupt the water supply for a short period of time but what kind of water distribution system could be permanently destroyed over the internet?

        "Oh no! We need to reboot this server! Damn those WMDs!"
        Fear mongering is popular these days but come on...

    • Re: (Score:3, Funny)

      by Arancaytar (966377)

      An atomic bomb detonated over a dense population center: millions die
      An eWMD shuts down water supply: people have to resort to bottled water and, in a worst case scenario, boil rain water; for a few weeks

      An eWMD breaches security and launches actual WMD: Priceless.

  • eWMDs? (Score:3, Insightful)

    by b100dian (771163) on Tuesday December 09, 2008 @08:35PM (#26053925) Homepage Journal
    Wait and see nanbotnets!
  • by pm_rat_poison (1295589) on Tuesday December 09, 2008 @08:36PM (#26053927)
    Sadly, I'm always stumped by how far a language can be warped so that things are labeled in a desirable way by the authorities.
    This has been happening since the ancient times and we haven't grown out of it. The athenian hegemony was named the athenian alliance, the enslavement of foreign countries by the Romans was called Pax Romana, and even now, he american goverment classifies botnets as eWMD's, every country in the world dubs their Ministry of Military as Ministry of Defence, and War will always be Peace in the Ministry of Love.
    • by Petrushka (815171)

      Sadly, I'm always stumped by how far a language can be warped so that things are labeled in a desirable way by the authorities. This has been happening since the ancient times and we haven't grown out of it. The athenian hegemony was named the athenian alliance, the enslavement of foreign countries by the Romans was called Pax Romana,

      If it's any comfort, the terms used to refer to the Athenian alliance (the usual term is actually the "Delian League") are expressions invented by modern writers. No conventional name for it is attested by ancient sources. Almost the same story with pax Romana -- the only ancient writer to use the phrase in its modern meaning was a satirist, Martial.

      Small comfort, I know.

  • by Anonymous Coward

    WMDs used to refer to nukes. Nuclear weapons destroy mass. That's why it's weapons of mass destruction and not weapons of massive destruction.

    http://en.wikipedia.org/wiki/Weapons_of_mass_destruction#Evolution_of_its_use

    • Re: (Score:3, Interesting)

      I've had a quick read of that link, and I can't find anything that suggests mass was ever meant as mass in the physical sense, rather than just a shortened version of massive. Perhaps I missed something?

  • Anyone remember that (joke ...oh god i hope it is an onion style joke) article about "HACKERS CAN REMOTELY CAUSE YOUR COMPUTER TO EXPLODE AND INJURE OR EVEN KILL YOU OR YOUR FAMILY" ? (non graphical/slightly less sensational copy here: http://www.theregister.co.uk/2000/07/04/hackers_can_make_your_pc/ [theregister.co.uk] )

    This so called paper by the so called scientist (nice cover for a security consultant i am guessing) reminds me of that article.

    Fear mongering with intent to profit.

  • It's all so clear to me now, because subverting somebody's computer and causing them inconvenience or financial damage is almost uncannily similar to heating their component molecules to thousands of degrees Kelvin and scattering them over a several mile radius. The threat from having a few computers go wrong is on almost exactly the same scale as the threat from thousands of multi-megaton nuclear warheads raining death on our cities from orbit. Thank you so much for clearing that up for us Mr. John J. Kell

  • Use terrorism laws to take down botnets!?! Seriously if a botnet is considered a weapon, infact elevated to the status of weapon of mass destruction this gives terrific power to law enforcers... too much power. Concerning. However I concede this is maybe necessary considering the failure of our lawmakers so far.
  • Would then, the sum total of Windows PCs connected to the intraweb be considered a WMD?
  • by Anonymous Coward

    Am I the only one that had to read the "itsanebomb" tag multiple times before properly comprehending?

    a) it sane bomb?
    b) it's ane bomb?
    c) it's a nebomb?
    d) Oooohhhh... it's an e-bomb!

  • clearly somebody is going to make money from all of this hype. Let's follow the money trail...

    • If you can position something as a serious threat, and convince people with a large budget (like the US DoD) that it's a large threat, and that you have special expertise, you can get the money train flowing, so you get a substantial income for writing papers, going to conferences, and schmoozing with the powerful.

      Don't have any special expertise? No matter: you ask for grants so you can hire the people with the real expertise, so you can focus on the schmoozing. Unfortunately these guys are a little lat

  • Yes, "cyberwar" and bot nets haven't killed anyone, but you're looking at it the wrong way. They are analogous to WMD's in that they are equalizers between small and big powers. Botnets give criminal organizations etc. the same level of computing power and bandwidth as government agencies, companies, and universities. What we're talking about isn't destruction so much as proliferation.
  • by GXTi (635121) <gxti@partiallystapled.com> on Tuesday December 09, 2008 @09:15PM (#26054245) Homepage
    Pretty soon we're going to need a czar czar to keep track of all the czars we've been willing into existence lately.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      All hail the newly appointed Czar Czar, Mr. Binks.

  • A lot of the power of botnets would be gone if critical networks actually had their own network instead of depending on the global internet. It is very popular to do the "VPN" thing and get a private network for near zero startup cost. But if the VPN is mission critical, then you should actually have your own wires or spectrum. Then if a botnet attacks, you just shut off the global internet at the firewall, and the mission critical stuff keeps going.

  • Can we bomb Redmond yet?

  • Monitoring for copyrighted material, spam, bots, child porn, etc.

    It's an easy solution ... on paper.

  • If not, coining it as WMD just creates more fud and hysteria.

  • by isny (681711)
    Maybe Skynet. For now, it's just a series of tubes.
  • by NZheretic (23872) on Tuesday December 09, 2008 @10:58PM (#26054931) Homepage Journal
    Only 1.91% of all [Microsoft Desktop] PCs are fully patched! [secunia.com]
    Microsoft's most widely deployed platform and applications have not been secured.
    The XP platform has still has 32 unpatched vulnerabilities [secunia.com],
    The latest version of Internet Explorer still has 9 unpatched vulnerabilities,
    and Outlook 2003 ( the most widely deployed business version of Outlook ) still has one outstanding unpatched vulnerability [secunia.com] ( known since 2004-07-12 ).
    Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities [secunia.com] which put the desktop at high risk of being infected.

    Even Microsoft's flagship product Vista has Six unpatched vulnerabilities. [secunia.com]

    These are all unpatched widely known vulnerabilities, and are only the ones in Microsoft's own product. Consider all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft's platforms makes it so easy for crackers to exploit.

    In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Also SELinux is becoming more widely deployed to secure applications against such threats. [livejournal.com].At least with Linux there are existing concrete mechanisms in place ( Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora [awe.com] ), and currently deployable ( Writing policy for confined SELinux users [redhatmagazine.com] ) to provide a locked down secured environment for Linux desktop users inside an organization.

    Also from a more abstract point of view, read Increased security through open source [arxiv.org].

    If your using the Microsoft platform, then your abetting the people deploying botnets.

    • There's lies, damned lies, then using statistics to prop up the notion that your favourite OS is the most secure [technet.com]

      Now where does that leave us?

      • In Vista, for example [secunia.com], that include SIX unpatched vulnerabilities that include information disclosure, denial of service and escalation of privilege ( the latter disclosed just under seven months ago 2008-04-18 ).
        • In Vista, for example [secunia.com], that include SIX unpatched vulnerabilities that include information disclosure, denial of service and escalation of privilege ( the latter disclosed just under seven months ago 2008-04-18 ).

          ...all of which were given "less critical" ratings as the highest by the very site you linked, for good reason should you look into the vulnerabilities mention.

          Now for pure numbers of vulnerabilities found, Vista [secunia.com] does pretty well; according to Secunia, less than Ubuntu [secunia.com] in fact. Well under half in fact.

          I appreciate this whole subject is a "can of worms" and a grey area, which is why throwing plain stats around claiming "Look at this empirical evidence that $OS_NAME is the most secure ever!" is pretty pointle

          • Ubuntu: There are no unpatched Secunia advisories [secunia.com] affecting this product, when all vendor patches are applied. Remember that Ubuntu stats include the ALL the applications and servers in the Ubuntu repository.

            Vista:SIX Unpatched [secunia.com] which for Microsoft means ONLY the operating system, If ,like Ubuntu, you included Microsoft's Office suite , Browser (IE7 has 6 Unpatched ), Email, servers ( SQL Server 7 has two Unpatched ) and other software vulnerabilities it would be a lot more.

            And while The most severe u

            • Remember that Ubuntu stats include the ALL the applications and servers in the Ubuntu repository.

              Except that the most severe vulnerability in Vista is an MSDTC/COM+ hole for IIS7 apps - hardly "only the operating system" seeing as IIS isn't even available in all versions of Vista, and for versions it is it's not installed by default. Bear in mind too of course, IIS7 doesn't permit even asp.net to run by default either, let alone COM+/ISAPI code to run, so it takes someone that knows what they're doing to even get such an app to work at all, let alone allow exploit code to run.

              There quite possibly is op

  • Simple solution, check outgoing packets. If you're an ISP and the packet doesn't show that it originated from within your network, drop it. No, I'm not talking about backbone providers, but the zombie windows boxes won't be able to forge the from headers on packets. That doesn't necessarily stop a botnet, but it makes each infected machine extremely easy to track down during an attack, and easy to filter out at the victim's end. ... or am I missing something obvious here?

    -Restil

  • This is the kind of nonsense that you can expect from eDiots.

  • Very few computers that are part of a botnet are known by their owners to be part of a botnet. If people weren't idiots this wouldn't be a problem.

  • Even the term "WMD" vastly overstates their destructiveness.

    There is no comparison to the effect of a blast from a modern thermonuclear device.

    Chemical weapons are scary to be sure. But there is no good way to effectively distribute them over a wide range without using a massive barrage, like hundreds of artillery pieces, or several squadrons of bombers.

    Yes - lots and lots of people would die, and assets (buildings/land) will be contaminated - invoking a costly cleanup effort, or lingering hazards, but thi

This is a good time to punt work.

Working...