Computer Experts Unite to Hunt Worm - pierrealexandre
http://www.nytimes.com/2009/03/19/technology/19worm.html

======
tptacek
Let's take some of the piss out of this story.

The "computer experts" who have "united" to take on Conficker:

* Rick Wesson, a DARPA malware researcher affiliated with ICANN. Due respect, but I've never heard of him, nor can I find advisories by him; he's a "researcher", but the #1 Scholar hit for him is a Markoff NYT story.

* Phil Porras, who I have heard of, because I worked with him on an academic intrusion detection project in the late '90s. You may not have heard of him, because he's an academic security person parked at SRI.

* Jose Nazario, who I know well, and who is the official Arbor Networks designated talking head on malware and worms; without making any comments about Jose, we can safely assume someone at Arbor made their quarterly MBO by getting him placed in the NYT.

The article's money quote:

 _“I walked up to a three-star general on Wednesday and asked him if he could
help me deal with a million-node botnet,” said Rick Wesson, a computer
security researcher involved in combating Conficker. “I didn’t get an
answer.”_

How you know a NYT story is unhinged from the reality of computer security: it
makes a money quote out of the reaction of a "three-star general".

Here's another choice quote:

 _The researchers, noting that the Conficker authors were using the most
advanced computer security techniques, said the original version of the
program contained a recent security feature developed by an M.I.T. computer
scientist, Ron Rivest, that had been made public only weeks before. And when a
revision was issued by Dr. Rivest’s group to correct a flaw, the Conficker
authors revised their program to add the correction._

Presumably this translates to: the Conficker authors, being total fucking
amateurs, chose to use the NIST competition MD6 sample code instead of SHA-1,
which sounds less cool. The MD6 sample code had an overflow, because it is
sample code, not production crypto code. When Fortify's PR story about the MD6
overflow was plastered all over Slashdot, the Conficker authors noticed.

And yet you should care about this story. Here is why:

 _The inability of the world’s best computer security technologists to gain
the upper hand against anonymous but determined cybercriminals is viewed by a
growing number of those involved in the fight as evidence of a fundamental
security weakness in the global network._

First: No it isn't.

Second: The expert opinion this graf is based on appears to consist of third-
stringers affiliated with research organizations.

Third: If there really was a growing movement to address the "fundamental
weaknesses" of the end-to-end principle, Markoff wouldn't have to weasel-word
this graf with "a growing number of" unnamed experts.

You can safely assume that any "redesign" of the fundamental protocols of the
Internet will _not work in your favor_, and you should be hostile to any
story that attempts to build an argument about the necessity of considering
those kinds of changes. Unless you want to "start up" a business unit at a
telco instead of your own company.

~~~
biohacker42
Sir, I would pay good money to have you kick the piss out of articles like
this.

Now all we need is a tptacek equivalent for all other topics journalists fudge
up. (That's the vast majority of topics they cover.)

------
lssndrdn
"I walked up to a neurosurgeon and asked him about a million-node botnet, and
never got an answer".

I guess the NYT has to water stuff down for the masses to an extent when they
treat technical matters, but I never suspected that they could be so far
off...

------
dextrocardia
See, this is why we can't have nice things. Some jackass has to go and build
the excuse that government will use in the future to erase the freedom of the
net.

Also, WTF is this supposed to mean: "'I walked up to a three-star general on
Wednesday and asked him if he could help me deal with a million-node botnet,'
said Rick Wesson, a computer security researcher involved in combating
Conficker. 'I didn’t get an answer.'"

~~~
pierrealexandre
Yes, I don't get this quote either. I honestly am not sure how to interpret
it. Does his lack of an answer show that he has no clue about this million-node
botnet thing? Or that he does not want to talk about such a sensitive matter?

Moreover, is any 3-star general supposed to know what this is all about? Are we
talking about a specific general well versed in these matters?

I submitted this story, though, because I had not heard about this worm before
and I found the speculation about the final goal of this attack rather
surprising.

~~~
tptacek
At Arbor, the people that were involved in FedGov sales heard a little
anecdote about John Casciano, a retired Air Force Major General who advised
the company. What we were told is, despite the fact that he retired in 1999,
and despite the fact that he walked into the building in plainclothes looking
like any business guy off the street, _every uniformed person he passed
saluted him_. That's a 2-star, retired.

The idea that anyone in the military would have up-to-the-minute intel about
malware doesn't ring true to me. My sense of it is, from talking to people
who've worked there, the NSA deserves the reputation it has. The rest of the
government is a backwater.

The idea that a Lt. General --- in command of 50,000+ uniforms, roughly the
equivalent of a Fortune 200 company _plus rifles and tanks_ --- would have an
opinion about Conficker seems even less likely.

(I never met Casciano, but I did get to go to the Pentagon a couple times ---
it feels like the largest public high school you've ever been in, except that
people brandishing automatic weapons stare at you when you come through the
door. Apparently unless you're a ret. 2-star, in which case they salute.)

------
mynameishere
_Spam in turn is the basis for shady commercial promotions including schemes
that frequently involve directing unwary users to Web sites..._

Does anyone here know why investigators don't just follow the money trail? I
mean, at some point money is being moved into and out of CC or bank accounts
that can be traced to a person.

~~~
wmf
That's easier said than done:
<http://cs.auckland.ac.nz/~pgut001/pubs/malware_biz.pdf>