Monoculture Reloaded

I used to think I had a handle on the state of spam and malware. I chuckled at the obfuscated spam content, marvelled at the botnets, and secretly admired the general ingenuity of those skript kidz and their r00tkits.

But I didn’t know the half of it until I read this (670K PDF – thanks to Francois for sending it to me).

“Professional Paranoid” Peter Gutmann, of the Department of Computer Science in Auckland, lists a deluge of flat-out evil business models and techniques in use by spammers and online criminals. This assessment of the current (but fast-moving) state of the industry fairly leaves me quaking.

The fact that I run Linux makes me feel hardly any better when I read things like “Stolen personal information is so easily available that the best protection is that crooks simply can’t use it all”.

Some of what you read in the summary is devilish in its obscurity, yet some of it is head-slappingly obvious. For example, the practice of hoovering up legitimate mail accounts and other logins simply by dropping spam lists on the password-retrieval pages of Gmail, Yahoo, Facebook, etc. Add to that things that I’ve always suspected, like worms using 10-15 stage attacks to deliver their payload, and I’m starting to feel distinctly ill.

This makes the loss of the Revenue’s Child Benefit data look irrelevant (hey – I’m “happier” now!). The Microsoft monopoly has a lot to answer for, and the message in the end is the only defence we really have – “monoculture reloaded: use unpopular software.”

  • Assume MSIE has 80% market share, Firefox has 20% market share
  • Assume successful exploit probability in MSIE is 3 out of 4 (75%), in Firefox is one in ten (10%)
  • Do you want a 75% chance at 80% of the market (60% return) or a 10% chance at 20% of the market (2% return)?

Commercial attackers will expend effort to get the biggest market share, not short-lived bragging rights.