• Our WGA Outage

    There was a lot of press coverage and many blog posts about our recent WGA outage. If you are interested in the root cause and what actually happened, read "So what happened?"

    Roger

  • The Economy of Cyber-Crime

    For quite some time now, as Chief Security Advisor, I have been working to support Law Enforcement. We supply training, give technical support as needed and stay in close contact, especially once we decide to file a criminal complaint. This happens in particular when we are phished (we being Hotmail) or when some other criminal activity is directed at Microsoft or our customers.

    This led me to ask whether the work I am doing in this area is actually targeted enough (meaning: do we actually make the Internet a safer place?) or whether it is just "operational hectic": am I just helping whoever shouts the loudest?

    Let's take a moment and think about it:

    There is an old model of 10:80:10 (no, not the 80:20 rule :-)):

    • 10% of the population would never commit a crime, no matter what.
    • 80% of the population is opportunistic, meaning that if the value behind the crime is high enough and the risk of being caught low, they would commit a crime. That said, value and risk are subjective and differ from person to person.
    • 10% of the population would always commit crime, no matter what.

    I leave it up to you to decide which group you belong to, but based on the statistics I would assume that most of us are in the middle tier, depending on the stakes at risk.

    Now, I said that the middle group would weigh value against risk, so let's look at this a little more closely. I recently discovered a formula on this subject:

    Mb + Pb > Ocp + Ocm · Pa · Pc

    Where:

    • Mb: Monetary benefit for the attacker
    • Pb: Psychological benefit for the attacker
    • Ocp: Cost of committing the crime
    • Ocm: Monetary cost of conviction for the attacker
    • Pa: Probability of being apprehended and arrested
    • Pc: Probability of conviction for the attacker

    This formula was published in 1995 by Clark and Davies and, in my opinion, has not lost its significance in the age of the Internet.

    Thinking about this probably helps us understand how we can work with the middle 80% to keep them away from crime, and additionally how to make it harder for the final 10% to commit crime. This leads back to my question above: am I doing the right thing? Or better, what can I actually do efficiently? To answer these questions, let's have a look at the different parameters in the equation:

    • Mb: From a Microsoft perspective, I probably cannot change the monetary benefit for the attacker. Can you (depending on which segment you work in)? I doubt it. Today's systems store business-critical data and have to store business-critical data. This will not change.
    • Pb: Do we have an influence on the psychological benefit for the attacker? I doubt it, as this is a personal feeling, and the feeling of being "the one who hacked company A" will never go away. However, we could work on the right-hand side of the equation to make it harder to brag about a success and thereby lower the psychological benefit as well. Remember the guy who wrote Sasser: he went to school bragging that he had written Sasser, and a "colleague" of his then blew the whistle on him.
    • Ocp: The cost of committing the crime is probably the area where we can have the single biggest direct impact, though not by working with Law Enforcement. It can be influenced by different activities that make products harder to attack, such as the Security Development Lifecycle, Defense in Depth and many others. Additionally we can work with you, our customers, to further improve architecture and processes so that networks become more resilient against attacks.
    • Ocm, Pa, Pc: The final part is all about Law Enforcement: how probable is it that I get caught, and what are the consequences? It drives me crazy to see that people who commit crimes on the Internet sometimes even get well-paid jobs in the security industry after being convicted. So we all fight against the criminals, and in the end they even get rewarded. That is one side. On the other side, working with Law Enforcement to increase their ability to get the bad guys is probably what we have to do. Do not get me wrong: there are a lot of excellent people working for Law Enforcement. But helping all the officers to understand the latest technology, and thereby increasing the probability of catching the bad guys, is what we should do. Finally, I think we all have to work with the policy makers to help drive laws, where needed, that make activities that are illegal in the real world illegal in the cyberworld as well. The Council of Europe made a first significant step toward laying a framework for such laws, but it has to be implemented across the globe. That is where you can help drive Pa and Pc.
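    Putting the parameter walk-through above into one expression makes the levers explicit. This is an added worked derivation, not part of the original post; the symbols are the post's own, and E is just the difference between the two sides of the inequality:

```latex
% Attacker's expected net benefit; the opportunistic 80% act when E > 0
E = M_b + P_b - O_{cp} - O_{cm}\,P_a\,P_c

% Sensitivity of E to each lever a defender can move
\frac{\partial E}{\partial O_{cp}} = -1, \qquad
\frac{\partial E}{\partial P_a} = -\,O_{cm}\,P_c, \qquad
\frac{\partial E}{\partial P_c} = -\,O_{cm}\,P_a
```

    Raising the cost of the attack (Ocp) lowers E one for one, which is why product and network hardening has the most direct effect. Apprehension and conviction enter only as the product Pa · Pc: a higher arrest rate is worth little while the conviction rate stays near zero, and vice versa. So Law Enforcement capability (Pa) and a workable legal framework (Pc) have to improve together for the deterrence term to grow.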

    This is the first time ever that I have a call to action for you:

    Whenever you are attacked, involve Law Enforcement and make sure that they start an investigation. This is the only way to make it riskier for the criminals to commit crime. If we just fight off the attackers and close vulnerabilities, what is the risk for the middle 80% in relation to the value? We have to change this equation, and we have to do it together.

    As my conclusion: I will continue my work with Law Enforcement to support their fight against the criminals. I hope you join in.

    Roger

  • Not About Security but Cool – Search based on Silverlight

    This has definitely nothing to do with security. But anyway, I thought it worthwhile to write a blog post about it. I found it today: an absolutely cool new search engine based on our latest development, called Silverlight.

    Simply have a look at it and give it a try. It is definitely worth it: http://www.tafiti.com

    The only "drawback" is that you have to install the beta version of Silverlight.

    Roger

  • The Effect of Rebooting after an Update

    This is interesting: imagine the scenario where a huge number of Windows computers all boot at the same time. What would happen? Well, quite a few online services would probably get into trouble with the load they suddenly receive, as the rebooted machines would all want to log on at more or less the same time. Fortunately this scenario is not too likely, or am I wrong? What happens after a Security Update release on the second Tuesday of a month? The machines with Automatic Update switched on will install the updates at some point and then, if the user agrees, reboot. Fortunately we have a lot of different time zones across the globe, the computers are sometimes switched off, and often the user does not want to reboot now but in a few hours. So the reboots will be distributed over time, won't they?

    Hmm, you probably already know where I am heading: the recent discussions around the Skype outage. It is very interesting to see how the story spins. If a service like Skype goes down, even for a short period of time, and even worse for two days, rumors start to spread, from technical problems to hacking attacks to terrorists to worms to Microsoft to whatever (I have not seen the aliens this time :-)).

    Skype posted a blog entry, What happened on August 16th, to explain. What is interesting is the statement "The high number of restarts [because of customers having patched Windows and booted] affected Skype's network resources", which I can technically understand, but in the meantime we know that there was nothing different compared to any other Update Tuesday. Skype admitted that the outage was ultimately caused by a bug in their software.

    However, ABC published an article with the title Skype Outage Caused by Microsoft Update :-) Interesting, isn't it?

    Just to let you know, Microsoft Security Response Center posted as well: Questions about last Tuesday's Release and Skype
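    To make the load question above concrete, here is a small simulation of the logon spike that synchronized reboots produce, and of the two things that flatten it: spreading the reboots themselves over time (time zones, users postponing) and having the client add a random delay before it reconnects. This is an added example, not code from the post, from Skype or from Microsoft; the client count, boot delay and service capacity are constructed numbers, and the backoff helper is the standard exponential-backoff-with-jitter pattern, not a description of what Skype's client did.

```python
"""Added example (not from the post): how synchronized reboots become a logon
spike, and how spreading restarts or jittering the reconnect flattens it.
All numbers are constructed for illustration."""
import random
from collections import Counter


def logon_times(n_clients, restart_spread_s=0.0, reconnect_jitter_s=0.0,
                boot_delay_s=90.0, seed=1):
    """Return one logon timestamp (seconds) per client.

    restart_spread_s:   window over which the reboots are spread
                        (0 = every machine reboots at the same instant).
    reconnect_jitter_s: random delay the client adds before contacting the
                        service after boot (0 = no client-side jitter).
    boot_delay_s:       assumed time from reboot to first logon attempt.
    """
    rng = random.Random(seed)  # seeded so runs are reproducible
    times = []
    for _ in range(n_clients):
        reboot = rng.uniform(0, restart_spread_s) if restart_spread_s else 0.0
        jitter = rng.uniform(0, reconnect_jitter_s) if reconnect_jitter_s else 0.0
        times.append(reboot + boot_delay_s + jitter)
    return times


def peak_logons_per_second(times):
    """Bucket logon attempts into one-second slots; return (peak, second)."""
    buckets = Counter(int(t) for t in times)
    second, peak = max(buckets.items(), key=lambda kv: kv[1])
    return peak, second


def overloaded(times, capacity_per_second):
    """True if any one-second bucket exceeds the service's logon capacity."""
    peak, _ = peak_logons_per_second(times)
    return peak > capacity_per_second


def reconnect_delay(attempt, rng=None, base_s=1.0, cap_s=300.0):
    """Exponential backoff with full jitter for a client whose logon failed:
    wait a random time in [0, min(cap, base * 2**attempt)] before retrying,
    so clients that failed together do not all retry together."""
    rng = rng or random.Random()
    return rng.uniform(0, min(cap_s, base_s * 2 ** attempt))


if __name__ == "__main__":
    N, CAPACITY = 10_000, 500  # constructed: 10k clients, 500 logons/s capacity
    for label, spread, jitter in [("all at once", 0, 0),
                                  ("reboots spread over 4h", 4 * 3600, 0),
                                  ("10 min client jitter", 0, 600)]:
        peak, sec = peak_logons_per_second(logon_times(N, spread, jitter))
        print(f"{label:24s} peak {peak:5d}/s at t={sec:.0f}s "
              f"overloaded={peak > CAPACITY}")
```

    With every client rebooting at the same instant, all 10,000 logons land in the same second and the constructed 500/s capacity is exceeded twenty times over; spreading the reboots over four hours or adding ten minutes of client-side jitter brings the peak down to a few dozen per second. The point for a service operator is that the same reconnect logic that is harmless on a normal day becomes a self-inflicted flood whenever something makes a large population of clients restart together, and the client side, not only the server side, has to be designed for that.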

    Roger

  • Governments and e-Crime

    I just read an interesting article on BBC News. There seems to be a study by the UK government about e-crime and the fears of citizens. The report cited a government survey suggesting that more Britons feared internet crime than burglary.

    Times have changed. Five years ago, being helpless and not really understanding the problem, everybody blamed everybody else. And to be fair, five years ago we were fighting vandalism. Today the economy of crime has changed, and organized crime is making a huge amount of money on the internet through fraud. What I do not get in this kind of article: they always leave me with the feeling that everybody is arguing that the others have to act upon e-crime: there are calls for new legislation, for more responsibility on the user, for liability, for better law enforcement, for …, for …, for …

    I have stated it several times: in my opinion, the only way to have a significant impact on e-crime is to work closely together in completely new ways. We have to share information where we never did before, between consumers, enterprises, vendors, providers, law enforcement and policy makers. There have to be new coalitions that trust each other, use the legal framework we have in place and build upon it. There are excellent approaches like the Council of Europe, where steps are being taken to harmonize legislation, but we have to act much faster and we have to act together, without looking at how to move responsibility over to other parties, as the only winner of that is organized crime.

    If you want to read the article above: Government 'must act on e-crime'

    Roger