Begin forwarded message:

From: Rich Kulawiec <rsk@gsp.org>
Date: February 14, 2010 6:03:09 PM EST
To: synthesis.law.and.technology@gmail.com
Cc: Dave Farber <dave@farber.net>, Lauren Weinstein <lauren@vortex.com>, Valdis.Kletnieks@vt.edu, Paul Ferguson <fergdawgster@gmail.com>
Subject: Re: [IP] re Lauren Weinstein -- Microsoft's Police State Vision? Exec Calls for Internet "Driver's Licenses"

On Tue, Feb 02, 2010 at 04:36:57PM -0500, Dave Farber quoted:
   That flag might work temporarily in the US but I suspect there
   would be considerably more inertia outside your national
   boundaries.  Where it would run into problems would be when
   someone points out that this is creating a huge security problem
   with the potential for forged credentials.

I think the phrase "potential for" should be replaced with "reality of".

We are sitting on an Internet with *at least* a hundred million
fully-compromised, fully-owned systems.  Personally, I suspect
that the number is closer to double that.  Others have postulated
still higher values.  Whatever that number is, though, it's
(a) big and (b) getting bigger.  And there's no reason, at present,
to suspect that the trend will reverse, because nobody's doing anything that
appears -- in any significant way -- to be an effective countermeasure.

The new owners of those systems have unfettered access to ANY credentials
present on or used on those systems.  The overwhelming majority
of them are end-user systems, of course, but how many login or email or
other access credentials does the average user have?  A work email
account?  One for home?  A freemail account?  Some number of social
networking accounts?  How about banks?  Utilities?  Shopping sites?
VPN for a client?

I think very conservative estimates might be "5 email accounts"
and "10 web sites".  (In my own case: more like 40 and 200)

All of those now belong (or will soon belong) to any attacker who
wishes to avail themself of them.  Those attackers *can*, if they
wish, turn all of the putative/former owners of those systems into
three-strikes-and-you're-out pariahs.  They can disable anti-malware
programs.  They can report every incoming mail message as spam,
or they can send spam.  They can upload child pornography to/from
them, and set up unsuspecting users to be the next Julie Amero -- only
much worse.  They can launch DoS attacks.  They can host DNS and HTTP
services for dubious web sites.  They can do anything they want with
their very large, highly distributed, fault tolerant networks.

And they are.

As Valdis Kletnieks observed on the funsec list:

   Real driver's licenses only work because there aren't 140 million
   joy riders on the road every day, driving around with perfectly
   forged licenses.  Of course, [Craig] Mundie would like to gloss over
   his company's role in that little detail.

And that's the real irony of this: passive OS fingerprinting and other
techniques indicate that almost all of those compromised systems are
running Windows.  As in "all but a handful in a million, and maybe
those too".  The zombie problem is awfully close to a Windows-only problem,
it's most of a decade old, and Microsoft has yet to publicly take
responsibility for it or lift a finger to do anything about it.
Nobody there even wants to be in the same *room* with this problem,
because it's not just a failure, it's THE all-time IT failure, they own it,
and the price tag for fixing it is enormous even by their standards. [1]

But once we get past the irony, here's the reality: if we take the
conservative estimates (above) we arrive at a number of credentials
in the neighborhood of 1.5 billion.  If we use what I think are more
realistic numbers: 5 billion.  If we use some of the higher/outlier
numbers: 10-20 billion.

I suggest that it doesn't matter.  All of those numbers are so enormous
that *any* of them are sufficient to put an instant stop to anything
that presumes (a) end-user systems still belong to the people who
think they own them and (b) email/web/etc. credentials still belong
to the people who think they own them.  And I haven't yet tossed in
estimates for how many more fabricated/forged sets of credentials exist:
that is, how many sets have been created on behalf of the former owners
of those compromised systems, either in their names or with fictitious
ones. [2]  There is no practical limit to how high that number could
become -- should The Bad Guys find some reason to make it so.

So I would say to Mundie that *before* we could even consider having
any kind of practical discussion about a "driver's license", before
we even get into the myriad privacy issues and all the reasons why
it might or might not be a good idea, his company needs to fix this
problem.  Because otherwise it's just so much utter nonsense:
the Bad Guys have *already* completely defeated it.

---Rsk

[1] Among many reasons why the price tag is so huge: this problem can't
be fixed remotely, because the fix starts with "boot from known-clean media".

[2] Note that "fictitious ones" can include other owners of compromised
systems or non-owners.