Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-21 Paul Hoffman
At 6:34 PM + 5/20/07, John Levine wrote: I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're talking workstations on non-classified nets, are in fact 0wn3d at this point. Well, here's an anecdote: at last year's CEAS conference,

Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-21 dan
A while ago, I did a rough calculation that made me state that 15-30% of all machines are no longer under the sole control of their owner. In the intervening months, I got some hate mail on this, but in those same intervening months Vint Cerf said 40%, Microsoft said 2/3rds, and IDC said

Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-20 Anne Lynn Wheeler
Ivan Krstić wrote: I think it's anything but surprising. There's only so much you can do to significantly improve systems security if you're unwilling to break backwards compatibility -- many of the fundamental premises of desktop security are fatally flawed, chief among them the idea that all

Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-20 John Levine
I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're talking workstations on non-classified nets, are in fact 0wn3d at this point. Well, here's an anecdote: at last year's CEAS conference, Rob Thomas of Team Cymru gave the keynote on the

0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-19 Perry E. Metzger
Trei, Peter [EMAIL PROTECTED] writes: 1. Do you have any particular evidence that any significant number of US .gov machines are bots? They may well be, just I haven't heard this. I've heard nothing formal, but my strong understanding is a lot of US government machines, at least if we're

Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-19 Adam Shostack
On Sat, May 19, 2007 at 05:01:03PM -0400, Perry E. Metzger wrote: | | Trei, Peter [EMAIL PROTECTED] writes: | 1. Do you have any particular evidence that any significant | number of US .gov machines are bots? They may well be, just | I haven't heard this. | | I've heard nothing formal, but

Re: 0wned .gov machines (was Re: Russian cyberwar against Estonia?)

2007-05-19 Ivan Krstić
Perry E. Metzger wrote: What is interesting to me is that, even though things have nearly gotten as bad as they could possibly get, we still have seen very little real effort made to improve systems security (at least in comparison with what is necessary to make a big dent). I think it's

Re: 0wned .gov machines

2007-05-19 Perry E. Metzger
Adam Shostack [EMAIL PROTECTED] writes: On Sat, May 19, 2007 at 05:01:03PM -0400, Perry E. Metzger wrote: | | Trei, Peter [EMAIL PROTECTED] writes: | 1. Do you have any particular evidence that any significant | number of US .gov machines are bots? They may well be, just | I haven't