Book TV, C-SPAN, December 11, 2011, 7:45pm-9:00pm EST
7:45 pm
This is about one hour and ten minutes. [applause] >> We are going to do this in several parts: I'll do a very brief introduction, and then Mark is going to talk and do a brief reading, and then we will have a Q&A, and then I think the cards are going to come out and we will try to make this as inclusive as possible. For the discussion tonight: Mark is a journalist who, of course, you probably all know is also the author of Black Hawk Down, and you probably also know the 2001 movie directed by Ridley Scott was based on it. Mark was a journalist first, from
7:46 pm
1979 to 2003 at the Philadelphia Inquirer, and for three seasons he covered football, is that right? Over the years he's written for The New Yorker and The Atlantic, Sports Illustrated, Rolling Stone, and I have to mention that Wikipedia notes he was inspired to embark on the journalistic career by reading Tom Wolfe's The Electric Kool-Aid. [laughter] In addition to Mark we have one of the characters from his new book, who to my mind is as close as you can get to a digital Sherlock Holmes: he does investigations for Microsoft's Digital Crimes Unit. They just gave me a great sticker, maybe that is an extra one, and he has many things to tell.
7:47 pm
Before Mark talks I just want to talk a little bit about our subject, the subject of the worm. The term probably most of you are familiar with, but just let me put it out: originally it came from a really wonderful science fiction novel written by John in 1975, in which he had something called the tapeworm, and the wonderful thing about that book in particular, with respect to Conficker, is that he sets up an authoritarian regime that controlled their society through basically an omnipresent network, and the rebels' tapeworm took on the net, and the regime lost control. Conficker, I'm sure we also probably all know, that
7:48 pm
the first real worm programs were experimented with in 1981 by the researchers, John Shoch, but are either of them here tonight? I was looking at your paper, and what is the difference between a worm and a virus? We go back and forth on that, because the terms arguably both came from science fiction novels, and so they are terms like that, but in the original Shoch paper the worm is simply defined as a computation that lives on one or more machines. We can go from there, and maybe distributed computing. But also, in addition to the sort of roots of distributed computing, I wanted to talk about computer crime, and Don Parker is not here by any chance, is he? Of course. If we want to know, I'm sure it
7:49 pm
is in the 1950s or 1960s. I was thinking about the roots of network crime. To the best of my knowledge, and I'm willing to be contradicted or corrected, there is someone who was at the Stanford lab, who has a great deal of authority, who believes the first computer crime was a drug deal done on the net in the 1960s between MIT students and Stanford SAIL students. [laughter] I would love that to be true. Why don't you take over? >> Thank you. I'm delighted to be on the stage with the two guys who actually know what they are talking about. I am an old newspaper reporter, as John mentioned, and about 30
7:50 pm
years ago a fellow who was the managing editor of the Philadelphia Inquirer overnight named me the science writer, and this was terrific for me, because I was working in a suburban bureau and then I got to come down and work in the main office, and particularly during the 1970s it was one of the preeminent newspapers in America, so overnight I was one of the preeminent science writers in America, all of which was completely unmerited. It turned out that Jim, looking for the new science writer for the newspaper, was going through the résumé of everyone on the staff, and the Scientific Americans. [laughter] The truth of the matter is I was an English major in college and started subscribing to the
7:51 pm
magazine because I knew nothing about science, and I thought so much of the modern world depends on science and technology that I ought to make an effort to understand these things. That magazine has gotten a lot better, but 20 or 30 years ago I couldn't read any of those articles. They always had a little lead-in, like the first paragraph intro that I could understand, and when the actual article started I was lost. They had been building up in my closet for about three or four years, and little did I know that they would launch me into American journalism. But I discovered in covering science in the years I did for the Inquirer that the ignorance was actually very useful, because I was writing stories for them on experts and was undeterred enough to ask the truly ignorant questions that needed to be asked. So if I was interviewing a physicist at the
7:52 pm
University of Pennsylvania, I would ask, what is an electron, exactly? And it became, effectively for me, a kind of philosophy of journalism, so whether I'm writing about pro football or a battle in Somalia or the Iran hostage crisis or, in this case, a piece of middleware -- malware, I begin at around zero, and if you were to look at the initial interviews that I did in preparation for this book you would laugh, because I had to stop the people I'm talking to literally every sentence to ask what they're talking about. Questions like: what is a router, what is a server, what is a honeypot? It was completely foreign. Over the months that I reported
7:53 pm
Worm, there was an intellectual struggle going on between very high-level computer security experts and some extraordinarily sophisticated authors of malware. Conficker, as John mentioned, popped up in November of 2008 and rapidly began assembling one of the largest botnets in the world, and what was especially fascinating about this is that the ad hoc group of volunteers who started working together to corral Conficker made moves to try to fence this thing in, and the creators of the worm would make countermoves, and this went on over a period of four or five months. So I'm going to read you a little passage and set it up just by the countermoves.
7:54 pm
This wonderful South African, who emigrated to the United States years ago and has become the head of security for Neustar, which is a big telecommunications and Internet company in Washington, became the sort of de facto head of the Cabal, as they call themselves, the Conficker Working Group, and as it continued to grow, those who were battling it saw it posed a unique threat to the Internet. Rodney went to Washington to try to enlist the support of the federal government in fighting this thing, and so Rodney got invited to the Department of Commerce, because Neustar manages the .us top-level domain for the government, so he was a contractor and was invited in and gave them his PowerPoint presentation, which he had put
7:55 pm
together in his hotel room the night before, about the Conficker worm, and this was alarming to folks in the room who, much to Rodney's shock, for the most part had not even heard of Conficker, and he started getting invited over the next couple of days to give the same presentation to various other places. So this passage I'm going to read you is like two or three days after he had made his initial presentation. The following day he was asked to brief the staff of the Senate Select Committee on Intelligence. Because the committee offices were off-limits to those without a high security clearance, the staff arranged to meet with Rodney in the visitors' center of the Capitol building, in the cafeteria. They met in the middle of the afternoon. The cafeteria was quiet and mostly empty. In the corner of a portion of the room with portable dividers, they
7:56 pm
sat at a long table. Before he got started, one of the staffers, a young woman, interrupted him. Just so you know, we know a lot more about Conficker than you do, we had a classified briefing, the woman said, so there's probably not much more you can tell us about that. Rodney had a head full of sarcasm and by now knew without a doubt how clueless the establishment was. The woman's tone of arrogance annoyed him, and he started collecting his notes. Since you have matters completely under control, he said, there's no reason for me to be wasting any of your time. As he stood there was a chorus of no, no. One of the protesters said, we want to hear it. Said another. So Rodney sat back down. He took out copies of the PowerPoint presentation, which had been printed up on Neustar stationery.
7:57 pm
He handed them out around the table. The woman who had addressed them flipped through the copy and pronounced, this is the same presentation we saw in the classified White House briefing yesterday. [laughter] The meeting dissolved into laughter when they realized it had simply taken Rodney's briefing and presented it to the White House as their own work, and they classified it to boot. [laughter] Rodney later confirmed it with all three of the sessions; they just gave them their own. So much for the cyber defenses. [laughter] [applause] >> That's a terrible note to start on, now that I think about it. >> Isn't it? >> There are certain analogies that appear in your book at various times.
7:58 pm
Early on, I think at a certain point you get a sense that the Internet is, there is some sense of that territory, indeed, stretching out. That analogy, to my mind, sort of brings up the possibility, through the definition of the vigilantes, and I was wondering if the vigilante term worked. Is it correct? That's the question I'm asking of both of you, and then the follow-on is: are the vigilantes the last best defense in cyberspace? >> T.J. was one of them who can verify this; they were a little uncomfortable with the designation when someone walked up and realized. They subsequently got themselves
7:59 pm
the Conficker Working Group, but if you are the fattest kid on the playground then people start calling you Skinny. There is no way that you are going to get rid of that, so they continue to be, even among themselves, they call themselves the Cabal. >> Would you take issue with "vigilante"? >> It is not the right term. Microsoft has been called this in some of the operations, despite going to the court and getting the legal authorization to do what we do. I think it was more a kind of awareness for most of us that there is a growing community of professionals from around the world that we can respect, and do something here, because at some level the Internet is operated by the good guys. The bad guys are dwelling in our domain so freely; it was more of an assertion of the rights we have to protect our own systems. So "vigilante" is one of those lightning-rod terms. Working in Legal and Corporate Affairs at Microsoft, what do they call them, vigilantes?
8:00 pm
>> They've spent a lot of time and energy trying to protect the Internet from the threat. >> How hard is it for you to break this down? When you started the book, did you get their cooperation easily? Did they depend -- >> Everyone was eager. They were appalled at my level, but I have to say they were extremely patient, and most of the folks I worked with went out of their way to help me understand, to read drafts of the story as I was writing it, to correct my mistakes, to better help me understand the story, because they felt it was an important story.
8:01 pm
>> At that time, primarily, academic researchers and scientists failed to really adequately consider how the very openness of the Internet, such a boon to the world, could also be a tremendous vulnerability, in that there would be people who would take advantage of it. I think the fact that the federal government was really
8:02 pm
clueless about what was happening and what to do about it was really shocking to me. My impression is that, in fact, President Obama in 2009, when he gave his speech about cybersecurity, specifically cited it as a case that demonstrated how ill-prepared the federal government was to protect even its own networks, and I think some things have improved. That's my impression. You've seen a number of formal moves made by the federal government in the last two or three years that have been publicized and written about, so clearly the government is more aware today than they were just two or three years ago, but there remains an enormous problem, because it's a global issue. There is no such thing as a global police force. There really is no such thing as international law governing something like this, so, you know, it poses tremendous challenges. >> I think the openness of the Internet is both its greatest strength and greatest
8:03 pm
weakness. It's tough to manage usability and security at the same level, so really the fact that the Internet is so open doesn't make it vulnerable to these scenarios. It was invented in a different time and era. The incident was an awakening, and I'll speak from Microsoft's perspective, definitely a new way of thinking about how to address these types of issues, but thinking about how is it that all of these great technology companies, sitting in the seat of technology right now, how can we not be more aware of what's going on, and how can we play a bigger role as industry to try to tackle some of these problems? And really, honestly, when Rick Wesson called up my colleagues on the phone saying, hey, what are you doing about this? We were like, well, we released a patch for that -- [laughter] and, you know, so we're looking at it, having meetings with
8:04 pm
Trustworthy Computing and the folks who do the patching for our technologies, and we said, you know, we can do something more here. We should be able to do something more here. It was an awakening for Microsoft in particular, and you saw the MARS program explode into ways of thinking about cybercrime and the way people use the Internet and Microsoft technologies. >> Before we get too far, Mark, could you give us kind of an epidemiology for people who don't know the blow-by-blow? The first half, about how you did talk about it showing up in, I think, I guess it was John talking about it, but just sort of describe the beast here. >> Well, the worm itself popped up on SRI's honeypot, honeynet, actually, on his monitor, and one of the -- what happens is when a new piece of malware drifts into the space, a line pops up on the monitor with readouts defining what this is, one of which is a column that
8:05 pm
indicates how well recognized this virus is by the major anti-virus industry and the vendors, and this was recognized by none. That's the first thing that got his attention. The next thing that happened is it was replicating so rapidly that within 24 hours it was shoving every other piece of malware out of the honeypot. He said, I literally had nothing else to work on at that point. What they discovered at SRI when they began to dissect it was that it was a very, very sophisticated piece of malware, highly encrypted. One of the things it did, kind of curious, was check to see if the machine it was about to infect had a Ukrainian keyboard, and it would self-destruct if the computer did, but what a worm like this does is penetrate to the core of your operating system and
8:06 pm
replicate itself, send out and infect every other computer on your network, and begin calling home to a remote controller. The remote controller -- how you ordinarily kill this is chop off its head: if you intercept the communication, you can kill it, so to prevent that, the worm had an algorithm that randomly generated 250 new domains every day, so that the botmaster was behind just one of the 250 doors on a given day, whereas if you wanted to cut it off, you would have to shut down all 250 domains every single day, forever, and so that was, you know, one example of the cunning nature of the thing, and Rick Wesson, who may be here tonight, T.J. mentioned him a moment ago, bought the domains on his credit card, giving you a sense
8:07 pm
of how ad hoc the effort was to stop it. >> Before we go further down the path of the worm's evolution, I just wanted to get back to the question of, you know, what kind of strains -- a question for T.J. I have a very old e-mail address, and I have a filter in front of it -- >> What? [laughter] I think most of the people here know my e-mail, and since most malware is distributed by botnets, and there's the level of malware infections, and so I remember about a year ago a large botnet was taken down, and for a while spam fell off, but I have to say that if I look historically at the number of
8:08 pm
spam messages every day, it looks like it's probably 10%-20% worse than it was before that happened. Am I a good indicator of the state of -- >> It's a perspective situation, right? You're referring to Rustock, b107, the takedown, so we sit back and laugh at the reports coming in. One was zero impact on spam, one was 5%, another 10%, and 30%. We looked and said, what's the real number? It's a perspective thing. We called the friends at Hotmail and said, well, did we do anything good for you? There was a dropoff of spam by .07%. I was hoping for a bigger number. The problem is that a lot of the web mail providers have systems in place that prevent sending of spam from
8:09 pm
non-known MTAs. They blocked the spam hitting already, so we had a small impact with Hotmail. With other organizations, particularly private companies, they saw a huge dropoff, because the big spammers would not be sending e-mail to Hotmail because they knew we were blocking, and Gmail has similar countermeasures in there, and Hotmail largely managed the spam issue, but the thing we saw when we watched our honeypot send spam out, it sent it out to a whole bunch of different domains, so we saw Hotmail spam leave, but it never made it into the inbox because of the filters on our side. I don't know what the real number is. I know when we start to look at these things, and back to your original question, I look at how many millions of my customers are impacted by the malware. If it's running Rustock on that, it's running something else, based on testing. We look at it differently.
8:10 pm
Spam gives us cause to sit in a courtroom and say they're harming us, but I look at how many of my customers are being impacted. When we looked at this in particular, the analysis showed it reached out to a piece of infrastructure we could track. It attempted to download a patch from our center in a sophisticated way. We could fingerprint that and knew how many machines we were dealing with. It was a big botnet, and how many of my customers are impacted by this? I think it's -- I think the state is not great on the Internet, but I really -- the past couple of years have seen a surge in Internet service providers and technology companies taking an interest, knowing that private companies can do more to protect folks, so I think -- I think the dark days are behind us. [laughter] I need some type of wood.
8:11 pm
I think we're getting there. I think as we start to really understand that there are more things that we can do, we are coming out of that. At the last conference two weeks ago, we have been doing conferences for ten years now, but we're starting to see more people talking about how can we be more operational? How can my company help? I would love to see spam go away as a distribution mechanism, but I think from the perspective, there's a certain view that shows that that might be the case, that there might not be any change, but we're still in the infancy, so we don't know. >> So, this book is a whodunit, except I still feel that we don't know who done it, and I just want to check in with you guys to see, you know, where we are. Your book ended at a certain point. There have been a couple of things that happened, and take me through where the law enforcement aspect of the worm is, and do you guys feel that
8:12 pm
you have a conclusive sense of who the authors were or are? >> My suspicion is, and I have no certainty, that the authorities do know who was behind it, and I suspect that the difficulty in apprehending them has more to do with diplomacy, dealing with a foreign government, dealing with foreign laws and police agencies, than it does with actually finding them. What we do know about the authors of the worm, without having caught them yet, is that they are tremendously sophisticated programmers, and the reason I use the plural is that it's almost certainly not just one person, because the worm demonstrated such a high level of proficiency in so many different areas that it's literally impossible to imagine that one person would have that level of ability and that level of knowledge in so many different areas at the same time, so the likely culprit is a
8:13 pm
group, well-funded, probably funded by an organized crime syndicate, who used it as a platform for all manner of mischief, a money-making platform. >> If you look at the early indications of how the infection was leveraged, strong ties to fake anti-virus, strong ties to some type of affiliate program, and it -- the keyboard, the keyboard check is really interesting, because nobody wants to be arrested by local authorities for compromising machines in their country. We, you know, are really looking toward Eastern Europe to find out what that looks like, but it's a really interesting -- I'd agree -- we referred the case to the FBI early on. They've been working the case for quite some time. I know they are working hard on it, but I don't -- I
8:14 pm
can't -- I don't have a picture of the guy. >> Maybe I enjoy the mystery too much. Can you rule out the possibility of a head fake? If you wanted to point to Ukraine, what more obvious way than putting in a keyboard -- >> Oh, that's definitely a possibility. You know, I think it's entirely plausible someone would create something like the botnet as a money-making tool, because it can be used for virtually anything. The group in Europe arrested this year used it for a scam to drain $72 million from American bank accounts just by leasing a portion of this botnet. >> Was that the one time it was used, or was it used several times? >> T.J., you know the answer. >> It was driving traffic in the early days to trafficconverter.biz, linked to an affiliate program. They were monetizing on it in the early stages, but it was used again later on to distribute malware through the channel. >> They went through the stages,
8:15 pm
five versions, up through -- >> I think there were, some argue whether some strains represent an entirely new one or not -- >> Read all the e-mails, didn't you? >> Three strains, A, B, and C, C being the most sophisticated. I mentioned earlier the worm generated 250 domains every day, randomly, and when Rick Wesson got his arms around corralling all 250, the C variant generated 50,000 domains every day. It's almost like, well, you know, you're willing to spend this amount of money, time, and effort to stop us, but are you willing to make an exponential leap? There's another step beyond that. >> That's right. >> In fact, you know, they actually managed to recruit the
8:16 pm
cooperation of every top-level country domain in the world, all 110 of them, and got their arms around 50,000 a day, only to have the worm introduce peer-to-peer communication, so they didn't even need it. >> Do you think they were doing it on the fly? Seeing and responding? >> Without a doubt. And they put little clues in that they were monitoring, you know, the traffic on the listserv that they maintained, and they were tapping into SRI's system just to check on, you know, how porous and what others -- >> Without giving away identity? >> No, they didn't. One of the interesting things they did is the communication from the worm to the master was encrypted with what is the highest level of public encryption method in the world, and right now there's actually a competition going on to develop
8:17 pm
SHA-3, which when it's complete will introduce the new highest level of public encryption. Well, A had SHA-2 as the method of encryption, and B used a proposal for SHA-3 which came from Ron at MIT, the author of the previous two SHAs, and then there was a minor flaw in the proposal, so he withdrew it, and he corrected it, and C had the corrected proposal, so my personal theory is it might be Ron. [laughter] When they went to the peer-to-peer mechanism, they were never able to see into the peer-to-peer mechanism. Were you able to see the traffic that went between -- >> You can still see the peer-to-peer network. One of the issues we face is we
8:18 pm
don't want to make smarter criminals, right? When we start actions, we have to observe it, do what we're supposed to be doing, and put the enemy at a disadvantage. The fact they went to a peer-to-peer mechanism did not make them invisible. We knew they were communicating. We could track it to a limited degree with sensors out there and map a significant portion of it. The guys are working diligently, as others, to do that, but what they were able to do is they were able to sneak a domain in that we missed, because we were still trying to figure out how do we stop 50,000 domains per day? They snuck a domain in. The update, then: just the peer-to-peer mechanism, which is traditionally noisy, not as reliable, resilient to attack, but as you saw in Operation 79 and b49, there are
8:19 pm
vulnerabilities in most of the peer-to-peer pieces out there, and we are oftentimes able to monitor the traffic flow and track that. >> How many infected machines are there out in the world still? >> I hear 10 million. Too big a number? >> That was the initial number early on, using the Q value. What we think is the latest number from Shadowserver is 4.5 million A and B nodes and around 250,000 C nodes that are out there. >> It has not done anything of note for how long? >> A long time, yeah. >> Still beating? >> You know -- >> Let me go back to the question earlier, John, about the head fake with Ukraine. The most logical explanation for this is a platform for criminal activity, but if it is a
8:20 pm
sophisticated state, you know, something like a botnet of this size is also a very powerful tool, and if you want to launch a cyberattack, it's capable of going into the root system of the Internet itself. If a nation state is behind it, you wouldn't use that weapon right away, but wait until you wanted to use it, so, I mean, there are folks who read the book disappointed that the real world doesn't always offer a clean dramatic ending to a story, so it is true that the authors of the botnet have not destroyed the Internet with it, but, like you, I don't know if a guy could just wipe out telecommunications in North America; I find that a little bit disturbing. [laughter] >> Is your bet that there have been arrests in Ukraine, but your bet is they have not gotten the authors? >> Correct. >> Okay. Okay. So, you know, there's a spectrum of possibilities, and motive is
8:21 pm
one. The most obvious is just malware distribution or selling off lease time. There's, you know, the cyberwar tool, but what I discovered in your book that's fascinating, and you had an explanation, is that in one of the generations of the worm, the nodes reported how connected they were. >> Right. >> The method that the authors were thinking about, the structure of the social graph, and there were guys, I don't know if you ran into them at MIT, wondering if it was not some huge sensor net, building a surveillance tool rather than a theft tool. Did either of you run into that possibility? That somebody instrumented the net -- >> So there's robust discussion within the network about what the actual cause or use of the botnet was. You know, everything ranging from, you know, a state-sponsored
8:22 pm
piece of malware that got out of a secret lab somewhere, to, you know, the per -- prevailing theory now of monetizing malware. It's just too chatty. If you look at the modern advanced persistent threat malware out there now, they are not generating 250,000 a day and being chatty. This was not designed to be a stealth piece of malware. >> How long have you been in this business? When did you start sort of doing this? >> I went to Florida State University in the better part of the 1990s, so I got, you know -- his uncle used to be the coach of the Florida State Seminoles, so nice to see that. So, ever since I was in grad school. My undergrad's in criminology, and I was interested in information security, but, you know, to put yourself through college, you do many things, right?
8:23 pm
Really looking at network administration. That's how I put myself through undergrad, and I had an acumen for it, and I looked at those things, and in the early to mid-90s, institutions, really "the wild, wild west" was a good description of what the networks were like: typically fragmented administration, public university, couldn't block anything at the edge. I hear that's still the case, so we saw some amazing traffic patterns, and it was really kind of an open -- an open, you know, honeypot, the entire network was, so really understanding how machines were getting compromised, that's when it piqued my interest. >> Do you have trouble keeping spirits up? It's like rolling a ball uphill. >> I love it. I love it. I love it every day. My wife is like, are you coming to bed? I'm like, hold on. Five minutes turn into five
8:24 pm
hours, and the sun's coming up. No, we discussed this earlier on in the green room: I couldn't wake up every day and do the same thing, and this type of thing allows us to do -- >> People ask me, if they're not getting paid to do this, some of these folks doing it out of the goodness of their heart, why were they doing it? I think, you know, maybe the right answer is it's fun, fascinating. Do these people think they are smarter than we are? I don't think so. >> They are sometimes -- >> Sometimes they are, sometimes they are not. >> No, never. You've seen the cowboy movies, right? They always win. >> Is Paul here? Anybody else? Just two of you. >> [inaudible] >> So what's your take on this white hat culture? What did you come away with from meeting this group of people
8:25 pm
engaged in this struggle? >> Well, you know, I think you could make an argument that, you know, that it is not -- it's tremendously interesting and sophisticated. It might not be the most dangerous worm ever, the botnet might not be the largest ever, but for my purposes it's a wonderful case study, and it gave me an opportunity to sort of walk around in a subculture, in this case a culture of cybergeeks -- >> Use nerds, that's okay. >> Okay. I think for me, that's the fun of reporting and writing, is learning about aspects of the world and modern life that I otherwise would never encounter, and so for me, you know, I think that this is a unique subculture, because the Internet is a
8:26 pm
relatively new phenomenon. It's grown so rapidly that you find the folks at the sort of van jr. -- vanguard of the few, there are so few of them. It's not like -- well, nowadays you probably could, but when Phil went to Stanford back in, I guess, the 1980s, maybe the 1990s, he had to shop around for a college professor to teach him something. He grew up playing with computer networking systems, and it was such a new thing, he had a high level of proficiency on his own, and it was difficult to find someone to teach him anything, and I think that level of skill has continued, and it's developed in different individuals for different reasons, but that is how I see them. >> Interesting to look at that, too, if you talk to Andre, you know, back in Jersey, Andre Ludwig, some of those guys are
8:27 pm
self-taught. >> Andre went to a community college, was running security -- an I.T. security guy for a small company in New Jersey, and he discovered that somebody over the weekend had broken into his network and used it to stash a lot of pirated music and muse -- movies, and he was able to clean it out and secure the network, and his boss said, okay, end of problem, but an [audience boos] Andre and the idea of the office park in New Jersey, you know, this intrigued him, so that he set himself on a course where he's become one of the leading authorities on botnets in the world. >> Did you spend a lot of time with the Shadowserver group, or -- what is that? >> Primarily I spent time with Andre and talked with Richard, one of the originators of it,
8:28 pm
and essentially, they, again, the essence of a volunteer organization, they began monitoring botnets, dissecting the malware that creates botnets, and killing them. they consider themselves to be botnet killers, and they would inform networks, just out of the blue call a network, security guy, and they'd say, oh, we're calling, you know, from bergen county new jersey to inform you your network has been hijacked by someone. they were routinely dismissed as someone pranking on them or someone showing off, but in time, people realized they were right, and they were offering this information for free, so andre's philosophy is it's kind of like if you see someone's house is on fire, do you charge them to inform them that their house is on fire? he thinks not, so he knocks on
8:29 pm
the door saying, hey, your house is on fire, and he does this from the goodness of his heart. >> andre and i and richard talk a lot about that model saying, hey, what's the right thing to do, and they strongly, shadowserver aligns with the dcu and at the end of the day, we do take downs, and the goal is to reach out to the end customer and clean them up saying there's things you have to do to be a good internet citizen. >> a couple times you talked about the take downs, but is your group engaged in wide scale disinfection? you suggest you wrote code that goes out and takes infections off machines. is that routinely done? >> i'll be clear, yeah. on what -- >> on what scale have you done that? >> the removal tool runs on 700 million computers each month, so that's one of the tools we use as part of the automatic update
8:30 pm
process. that only gets the machines that have the box checked, yes, so we also develop tools called the enhanced mrt, and we have a disk called system sweeper that boots to a windows pe image with the full signature set. we engage with isps around the world and all operations to get them information from our sinkholes so they can go out and carry the message into their countries, so that was the first time we had the remediation in place. it's slow going, rough, ugly, who wanted the data, who did not, were they able to use it? we learned lessons from that and took a year to get 90% clean. when we did operation b107, we had a 50% reduction in the first 45 days, so we are getting better. is that a long term solution? no. we need to figure out what is the longer term solution that we can really have more impact, but
8:31 pm
we kind of come up against the -- we're the good guys, we can't push code to that machine like the bad guys. what other mechanisms are available? we have robust debates. >> one of the things mark did that was so good and compelling to me in describing your patching process, and when that patch went out, you being prepared realizing there was an instruction manual given to the black hats out there and you alerted them to a vulnerability. to me, how do you get around that as a structural problem? >> the guys at microsoft, they weigh on that heavily, so understanding if there's a vulnerability in the os or any of the components actively exploited, we weigh that. there's a lot of people dedicated at that. we know as soon as we issue the patch, a bunch of people say, okay, what did they change. here's the dlls, and there's the hex editors and changed bits.
8:32 pm
they can look at what vulnerability was patched. that's something that goes into the equation. at the international botnet task force meeting in virginia in 2008 when we announced the patch ms08-067, i still remember the number, we said, hey, guys, let's look at this. we had security researchers from 45 countries in the room. we got rid in the last session, spent an hour natch with everybody. folks from the msrc in the room with us. we had samples of malware and the exploit codes, and we started to shift it around, but we knew, you know, it was definitely a wormable vulnerability, need the patch out there, and there were people in the room patching their machines over the wifi at the coordination center. we probably should have planned ahead for that, but, i mean, it was one of those things you can't avoid. people who are curious look at,
8:33 pm
you know, what did they update? i have friends that do that. >> six weeks later? >> it was a really short amount of time, but i have friends that do -- mod their cars, and first thing they do is take a picture of the os in the car, take it to the dealership, get the update, and tweak, you know, it's curiosity. these guys use that curiosity for nefarious activity, though. >> you paint a really good picture -- i mean, a compelling picture of the white hat culture. did you look at all of the black hat culture? did you spend any time on the other side of the fence? >> no, i honestly -- i did look at -- there are websites where some of these purveyors are openly celebrating their success. i watched online a company party that one of these groups was having raffling off cars to people, and there was a rock
8:34 pm
band and everything else. this was in russia. >> it was very funny. >> yeah, it was funny, but it showed the level of involvement and openness with which people are engaged in this in certain parts of the world. the scope of this book i deliberately chose to narrow it to the struggles, and i was hopeful, to be honest, they would catch the guys before i finished writing the book. if they had, it would have -- i would have tried to go to wherever it is they are from to add that piece to the story, but unfortunately, that didn't happen in time. >> $250,000 out to anyone leading to the successful arrest and conviction, if anyone knows anything, i think mark would want to know about that too. >> yeah, absolutely. >> do rewards work for you? get tips? >> yes. we issued, i think, four rewards at this point, the first one, not so much, the second one, yes. we got good tips on the case, and then most recently, we
8:35 pm
issued the reward for the rustock case, and so we can't talk too many details about that because it's ongoing, but it's been referred to the fbi, and $250,000 -- i'd love to have $250,000. well, they are making millions, and well, there's an additional $250,000. we'll see. >> do you have a favorite success that either because, you know -- >> i don't mean to use success as -- i have favorite things that happened, not necessarily all successful. i think i learned more from failing than successes, so i think early on when we started to kind of contemplate dns and the microsoft active response strategy and looking at the guys from fireeye, you know, i kind of realize what the challenge is going, oh, i have budget, why can't i just buy all the domains on the corporate, and my manager's going, you're going to charge $35,000?
8:36 pm
that's not going to work. figuring out there's things we can do. buying the domains is not the long term solution, but as a stopgap, it would have worked. i think it's one of those things that it motivated me and the guys i worked on it with to not let that happen again. >> a couple more questions from mark, and then other good questions here. can you track reporting in this world to reporting in the black hawk down world? >> not that different to be honest. i made a joke about it, and it's true. i had to literally stop folks every sentence to ask what it is they were talking about, and that's true of black hawk down. soldiers talked in a jargon, referring to weapon systems, speaking their own language, and i was, in the beginning, really stopping people all the time saying, well, i remember once you're often mistaken as an
8:37 pm
expert in the field you've just written about, and i was talking about black hawk down at the army war college, and a colonel in the back of the room raised his hand saying ask me if i've fought? a bradley vehicle should have been part of the package. i said, before you have an opinion about a bradley armored vehicle, you need to know what one was. [laughter] at the very least, drive one. reporting is reporting. back when i covered football, the sports writers said how can you go from covering science and covering politics or covering transportation to writing about sports? i'd tell them, it's a transportable skill. the whole idea is you go into a world you don't understand, find the people to educate you, ask questions until you arrive at your own level of understanding, and you write the story. that's in a nutshell what i do and why i like doing it. >> so, one last question. you know, i think -- were you
8:38 pm
deeply engaged in this when stuxnet came on to the scene? did -- how, as a writer, telling a story, and there's another story that -- the great thing is it's one story, and you had a cast. that's sort of -- did you feel, like, conflicted because there was another big -- >> not much to be honest. i have a disinclination to be writing the same story that everybody else is writing, and i had no doubt that stuxnet would attract a lot of attention, and there will be a book or two before -- maybe you're writing one, i don't know, but i have no desire to compete with those folks. i want a story no one else is telling, and to me, i mean, when i wrote about -- i wrote a book about the philadelphia eagles 1992 season and remember the sports writers saying they didn't win the super bowl. well, didn't make a difference to me. it was an opportunity to write about that world and those people, and so to me, that's
8:39 pm
what this story is, and the fact that there might be a sexier story that comes down the line is almost guaranteed, but it doesn't really influence me. >> let me get the audience involved and do it by way of cards because there's interesting questions. this is two-part. one is a question and one's a comment for mark. the question is what is the units environment? >> what's units? [laughter] >> well, let me ask this question. so, you know, there's an operating system called mac os, like that environment, and why do you think you have such a larger problem than the macintosh world appears to aside from the fact that they have 10% or 7% market share? anything else that's different? >> i think we can hang that on a number of things.
8:40 pm
market share being one that's been beaten to death; right? also the fact that there's not that much money in it. if you think about what the problem is, it's a cybercrime problem. they don't do this for giggles like we did back in college; right? i can make people's computers do funny things. they are about money, so what's the biggest net that they can cast? a really big net on windows. i think the apple guys are seeing more of it. i think they are, you know, it's going to be their turn to have their windows xp service pack 2 moment, but right now, it's one of those things that has not hit yet. >> i remember a usenet paper years ago making the argument, the question of scale. make the argument, and then estimate what the percentage of market share is they would have to reach to get to that point. it's also, you know, smart -- criminals are smart, they are
8:41 pm
lazy, which is why they are criminals and smart, too. does that have something to say about the social economic status of the people doing it? they might write banking trojans for mac os and another spam program for windows machines. we'll see more of that happening, but at the end of the day, it's cybercrime. i don't care if i need a car, and i'm a car thief, i don't care what car you drive. i need a car. i'm going to steal a car. really bring it back, you know, there's not security ramifications, you know, windows 7 more secure than vista, more secure than xp, and microsoft learning that as we go, but there's also that other element of cybercrime. you know, the criminals go where the money is. >> just a comment to mark. some of us have been involved in networks, etc., since the 1980s, always scared by "conficker
8:42 pm
instances" and how to attack them without killing the networks. >> okay. >> do you think the worm foundation was funded by a terrorist group like al-qaeda? >> no. i think because we've never seen that level of sophistication from terrorist organizations, and also the way that it's been used. there's nothing to stop the authors of the botnet from launching a massive cyberattack on april 1, 2009, other than i think they don't want to take down the internet. they probably want to use that to make money. if it was a terrorist organization, you would probably know by now. >> it was a terrorist organization, it would be quieter; right? it comes back to how noisy the threat is. >> to t.j., what is microsoft doing to prevent worms and viruses in the improvements?
8:43 pm
os operations and like unix. >> there's a lot of developments, the security life cycle, trying to get folks to code in a manner making it more difficult to attack. windows 7, you know, having things like address randomization, things like that, and we obviously have the trustworthy computing contingent, arms of individuals from across the company working to triage vulnerabilities and have timely patches, automatic updates, a division of the company called the microsoft malware protection offering free anti-virus. at the end of the day, there's a shift from attacks on windows to attacks on third party add-ins and social engineering. we're making huge strides on the security front as far as os vulnerabilities and working hard
8:44 pm
with partners to secure applications. one of the tools i regularly deploy on our systems in our fusion center is the enhanced mitigation tool kit allowing us -- it's a free download, allows you to put controls around specific applications within the windows environment so you can have application layer aslr, and application layer dep on the machine. we're learning by being forged in the fire; right? for the past ten years, we've really been under the scrutiny of the security community, and i think we've stepped up to the challenge. at the end of the day if granny wants to install the dancing pigs screen saver that she just has to have and it's trojanized, we try to make it so folks have an informed decision of what they are installing on windows, and then there's teams like the digital crimes unit, and if it's out of control, we bring it to bear on the problem and protect the customers in a new and, quite frankly, a unique way for
8:45 pm
the industry. >> if you go all the way back to the worm, it was a buffer overflow vulnerability used in part as the infection mechanism, and that was true here too. what is it about buffer overflows that's so hard to find? >> there's lots of buffers. [laughter] >> you got automated stuff. >> yeah, so we put a lot of our -- we put a lot of our code through the sdl, so really that's one of the attempts to try to attack that. then there's dep and aslr. it's making it difficult to guess and hop to different parts of the os. they are sharp. we'll close it, and they come up with something else. >> it's a classic arms race. >> yeah. >> every time in history, they defend the castle, the attackers breach the defense, and this is just happening in an intellectual realm.
8:46 pm
>> yeah. does this estimate include pirated software? what do you estimate the actual worldwide number infections to be? >> so the infection estimate numbers are based on sinkhole data not distinguished between pirated copy or legitimate copy. it's a true number, and it's flawed in all of its ways. we just -- we took the kind of the academic argument out of it saying, all right, how many unique ip addresses do we see a day? there's dhcp, address renewals, all stuff that will muddy the numbers, but if you take into account people behind corporate and dhcp, we think there's a 20% reduction in the number, so i think 4.5 million is the most accurate number knowing all the flaws, so that's, you know, that's the best number we have. to speak to, i think, one of the other sub questions that was going to be asked, and i'll take the time to answer it.
8:47 pm
microsoft does issue patches to pirated versions of windows. if it's a critical patch, we issue that. you have to be at the right level in order to receive that patch, but we absolutely issue it. if it's a critical nature, and you have a pirated version and you connect to the windows site, you can install that automatically. >> how hard would it be for a nation state to create a botnet bigger and more stable than this one? >> not hard at all i wouldn't think. >> depends on the nation state. >> it does. [laughter] >> i mean, if you are -- if you're aware of a vulnerability and you can exploit it, something like that can spread very, very rapidly. >> i think it's simpler than that. some of the new technologies now, now attack vectors through the ad exchange, for example,
8:48 pm
and browsing espn.com and hit, those are some of the things that we're looking at is ways to do mass compromise and get -- >> the term appears to be away from that, doesn't it? for a long time it was creating massive botnets, and now the trend is these advanced threats where you have a very carefully sculpted exploit for specific reasons. >> yeah, that's what you see as the purpose. so if i want to make a lot of money quick, i'll compromise a lot of machines knowing that i have like a six day window for the anti-virus to update and go. if i want to be on the machine for a long time, i use a persistent threat. you are seeing a fourth type of approach, an advanced malware in the space, and new innovative techniques to get in the box for the criminal enterprise. you're absolutely right.
8:49 pm
>> i think a couple years ago the fbi stated something like 100 countries had offensive cyber warfare programs. is that a plausible number to you? any way to -- >> yes. [laughter] i don't know where they came up with the number. >> i would think that there's probably most -- >> yeah, i mean, in the modern world, so much of -- we increasingly lean on the internet for so much that anyone who is thinking about going to war who has a military would incorporate cyber warfare into their package. we saw it when russia invaded georgia. we saw it in the invasion of estonia, and any country with a major military or defense department is developing capabilities, not only to defend themselves, but to attack their enemies. >> are we going to -- or have we already entered a stage like the period of nuclear testing where, you know, countries developing
8:50 pm
nuclear weapons were testing them in the atmosphere. are we at the cyber equivalent stage where -- do you think we've seen tests? >> you see it in espionage. you know, there's mounting numbers of instances where a lot of it is traced back to china, whether correctly or not, you know, where -- so supposedly they are secure, american networks are being scanned for data and uploaded, and data uploaded from them and spyware and keystroke logging, and, you know, this kind of stuff has just become fairly commonplace. >> yep. >> with the ever-growing residency of mobile platforms on the internet, are there any botnets targeting mobile devices specifically? >> so, we definitely see an
8:51 pm
increase in the amount of malware impacting the mobile platform as our devices get smarter and more -- always on, always connected to the internet, that's a logical place. i think most of what we've seen on the windows phone side have been exploits in the handset hardware itself or through the marketplace. i can't speak of other companies in the valley that might be experiencing other things, but you're going to see it. you're going to see it on the tablets that are out. you know, people walk around with tablets and a mobile device. it's just clear that the bad guys go where the money is. >> yeah. in terms of the new mobile platforms, the various new windows mobile platforms, are the interfaces common in any way they are common vulnerabilities? so you have a windows phone there. how much does it look to an attacker like a windows pc? >> so it doesn't look like it. it's a fourth part of the code. it's partially based on the
8:52 pm
windows mobile operating system, but it's almost a complete rewrite. going from windows phone 7 to 8, it's going to be a little bit different. >> and in terms of -- is microsoft said in your, in the application to a run on, how similar or different would your strategy be to apple's in terms of curating? closer to android or closer to apple? >> i don't know the answer to that question, but i'll say windows 8 has an app store, windows mobile has an app store, and we see the benefits of having that in the cloud, so if you think how microsoft positions our technology, it's the three screens vision where my experience in windows 8 should be the same on any device i log into and get applications i want on demand. the way we look at it is how do we get them in the marketplace before they make it down to the device? >> yeah, okay. >> this will take a little bit
8:53 pm
of explanation. is the tor project with untraceable routing a sensible idea or tin hat paranoid lunacy? >> there's a new set of vulnerabilities. i mean, do you think -- i mean, how, you know, how much can you trust your anonymity? do you have any sense? >> i think it's coming back to the same question. software's written by humans, and humans are fallible. no one will write the perfect code. maybe we don't know about it. i have business cards if you have one, and i have a job for you. [laughter] it's one of those things if you poke and prod at, any piece of software, you find new and interesting ways, and what's interesting is you talked about it earlier in the conversation is most of the vulnerabilities are buffer overruns, memory type modifications. well, what's next?
8:54 pm
that's what i'm thinking about is, okay, we're trying to figure this out, but what is my kid going to use to compromise my refrigerator to let the beer out? you know, when we live in the year of the flying cars, so i think you have -- if you're going to go on the internet, you use the resources, you use the tools, you have to understand that what software you're using. i think most people don't get that. i get that from my sister-in-law buying something on amazon. if you get compromised, whose fault is it? she points at me. [laughter] i had nothing to do with this transaction, but, you know, that's the impression. i think everybody in the room feels a certain part of that. it's our fault. if they get owned, it's our fault. figuring out how to manage that as well is kind of a difficult, heated debate in my house. [laughter] >> are efforts still being made to block communications between
8:55 pm
botnet and its creators, and if so, how long will that be sustainable? >> now we're in year two and a half or three. i think if rick's in the room, we just had the latest 2012 list come out, so we're working on that with the high level tlds to block those. on the country side, it's more difficult. some of those folks have fallen off, wanting to block it for much longer. i know that the big tlds are still doing a couple, and they represent the bulk of the infection, really the a and b infection. it's in a smaller grip. they have been amazingly open to continuing the effort as long as we produce the list, they are able to go there, and they have the process kind of automated. >> the individual nodes themselves produce a signature, don't they? what are the intricacies of taking it off of a machine
8:56 pm
running an old version of windows without the protection at all? is that a workable strategy? >> absolutely, absolutely. >> you've done some of that? >> yes, yes. shadowserver does a great job of producing reports from around the world, and there's a number of companies to make it pretty easy to get it off your machine. if everybody in the world checks the box of automatic updates they'd be clean, but working through the mechanisms there, and the people infected are people that don't have the minimum protections. they are not running updated anti-virus, and this code is detectable for the better part of three years. the vulnerability's been patched for three years, and these are folks in limbo not doing what they need to be doing. >> we are through all of the -- do you have one or two more questions? >> no, we're done. all right. that's great. please join me in thanking the panel today, ladies and gentlemen.
8:57 pm
[applause] >> on your screen at the national press club, and here's ann coulter, and for the first time ever, you're wearing a white dress. >> yeah, we wanted to shake things up a bit. i used the black dress, and we take photos, and sometimes the dress i was wearing in the photo was green, but it just -- the design people, the art people back at the publishing house, just looked better to have me in black because i look like i'm a letter. anyway, they often recolored the dress i was wearing black, and i was always in favor of it
8:58 pm
because me on the cover of me in a black cocktail dress drove liberals mad, and i enjoy doing this. >> this is the most recent, demonic, out for six or seven months now? >> not that long. >> are you working on another book at this point? >> oh no, no, no, no. this was a lot of work this book. it took a lot of research. i mean, the whole -- i knew about the french revolution, but like most americans, i didn't know a lot about it, and it was just so much research and so little talking to other humans, that, no, i think it's going to be about a year now. i mean, these are not fun to think about what the next theme of the book is, but also i'm just tired. >> long book tour? >> yes. the book tour ended up being fun. i usually hate the first two weeks because i'm forced to get
8:59 pm
up early. that's all i hate about it, but then i outsmart her by going to california, and he's not going to get me up at four in the morning, and i stay on east coast time so it's like i'm sleeping in. >> in two sentences, what is "demonic" about? >> "demonic" is about the mob mentality, and how it's a part of the liberalism and i explain 200 years of the history of liberalism basically, how they rely on mobs, use mobs, and what you see at occupy wall street. it's stunningly consistent with what i talk about in this book. >> your boy, chris christie endorsed mitt romney? >> yes, and i hold on to everything christie says, so i'm a romney girl. i am. i think it's going to be romney. i'll write about this week in the column. he's not roomed