Book TV, C-SPAN, December 18, 2011, 9:30am-10:45am EST
9:30 am
to ten years to get over, and if you have a mortgage component, it tends to push it out towards 10 years. We should be trying to beat that clock. We can't do it -- I'm for the President's jobs plan. I think there's a lot of good ideas in there. But -- and they'll give us 1.5, 2 million according to the economic analyses, but if you want to turn to a full-employment economy and start having 240,000 jobs a month, which I think we averaged, 227,000 a month, for eight years -- if you want that, you've got to this debt and get bank lending going again. And so Kenneth at Harvard recommends that, since some people say, well, but if we lower the mortgage rates, if we bring the mortgage down to the value of the house, then the people who hold the mortgages will lose money -- who's going to compensate them? And what's it going to be?
9:31 am
It was suggested that the banks are the people who ultimately hold the mortgages. Instead of writing them down, just cut them in half by taking an ownership position in the house, so that when the house is ultimately sold, the people who issued the mortgage or own the mortgage will share in the profit, and you get the same practical result. You no longer have a bad debt on the books, and the homeowner's got a mortgage that he or she can pay. And I said in the book, I know this will work because in -- when I was governor in the late '70s and early '80s, and other farmers got in trouble, we had then hundreds of small state-chartered banks who did not want to foreclose on the farmers. They knew they were having a couple bad years and they couldn't pay their farm loans off, and they didn't want these farms, and so we allowed the banks -- we changed the law and
9:32 am
allowed the banks to take an ownership position in the farms and gave the farmer an absolute buyback right to take his farm back at full title once they could pay off the farm loan. >> You can watch this and other books online. And now Mark Bowden talks about Conficker, which affected computers in 2008/2009. This is about an hour and 10 minutes. [applause] >> Thank you, John. >> We're going to do this in several parts. I'm going to do a very brief introduction, and then Mark is going to talk and do a brief reading, and then we're going to have a Q & A, and then I think
9:33 am
cards are going to come up, and we'll try to make this as inclusive as possible. For our discussion tonight, Mark Bowden is a journalist who, of course, you probably all know is also the author of Black Hawk Down, and you also know it was the basis for a 2001 movie directed by Ridley Scott. Mark was a journalist first, from 1979 to 2003. He was at the Philadelphia Inquirer, and for three seasons he covered football; is that right? >> That's correct. >> Over the years he's written for the New Yorker, for Men's Journal, the Atlantic, Sports Illustrated, Rolling Stone, and I have to mention -- Wikileaks -- that he was inspired to embark on a journalistic approach by reading Tom Wolfe's book The Electric Kool-Aid Acid Test. I was inspired by the test as well, but not to become a journalist. [laughter]
9:34 am
>> And in addition to Mark, we have one of the characters from his new book, T.J. Campana, to my mind as close as you can get to a digital Sherlock Holmes. He's a senior officer at Microsoft's crime unit, and he has many tales to tell. Before Mark talks, I want to just talk a little bit about our subject. So the history of the worm -- the term, probably most of you are familiar with, but let me just set it out. It originally came from a really wonderful science fiction novel written by John Brunner in 1975, in which he posited something called the tapeworm. And the wonderful thing about that book, especially in terms of Conficker, is he sketched out an
9:35 am
authoritarian regime that controlled their society through basically an omnipresent network. And the rebels used the tapeworm, and the only way the regime could get rid of the worm was to take down the net, and thus they lost control. So that will bring up Conficker, I'm sure. We also probably all know the first real worm programs were experimented with at Xerox PARC in 1981 by two researchers there. Are either of them here tonight? Is John Shoch here? Ah, yes, good. So I was looking at your paper in preparation for this, and I thought it was -- you know, so what's the difference between a worm and a virus, and we go back and forth all the time because these terms originally both came from science fiction novels, so they're terms of art. But in the original paper, a worm is designed -- a worm is
9:36 am
simply -- is defined as -- a worm is simply a computation that lives on one or more machines. So we can go from there. Maybe get into distributed computing, but also, in addition to the sort of roots of distributed computing being here, I wanted to talk about the roots of computer crime. Donn Parker is not here by any chance, is he? Of course, so if you really want to learn of the roots of computer crime in the 1960s and 1970s -- and I was thinking of the roots of network crime, and to the best of my knowledge, and I certainly am willing to be contradicted or corrected, but someone who was at the Stanford A.I. Lab who has a great deal of authority told me that he believed that the first computer crime was a drug deal done on the ARPANET between MIT students and Stanford sales
9:37 am
students, and I would love that to be true. >> So that's as much as I lay out. >> Thank you, John. >> Yeah. Well, thank you for coming. I'm particularly delighted to be on a stage with two guys who actually know what they're talking about. I'm an old newspaper reporter, as John mentioned. And about 30 years ago, a fellow named Jim Naughton, who was the managing editor of the Philadelphia Inquirer, overnight named me the science writer. And this was a terrific thing for me because I was working in a suburban bureau, and it meant I got to come down and work in the main office, and particularly during the 1970s, the Inquirer was really one of the preeminent newspapers in America. So overnight I was one of the preeminent science writers in America, all of which is completely unmerited.
9:38 am
It turned out that Jim, in looking for a new science writer for the newspaper, was going through the resumes of everyone on the staff, and he noticed that I subscribed to Scientific American. [laughter] >> And that's how I became a science writer. [laughter] >> And the truth of the matter is that I was an English major in college, and I had started subscribing to Scientific American precisely because I knew nothing about science. And I thought, well, hell, so much of the modern world depends on science and technology, I ought to make an effort to understand these things. I think that magazine has gotten a lot better, but 20, 30 years ago I couldn't read any of those articles. They always had like a little italicized intro that I could understand, but as soon as the actual articles started, I was lost. So they had been building up in my closet for about three or four years, and little did I know they would launch me to the heights of American journalism.
9:39 am
[laughter] >> But I discovered, though, that in covering science in the years that I did it for the Inquirer, that my ignorance was actually very useful, because I was writing stories for nonexperts, and I was ignorant enough to ask the truly ignorant questions that needed to be asked. So if I was interviewing a physicist at the University of Pennsylvania, I would ask a question, well, what is an electron exactly? And it became -- it was so effective for me that it became kind of a philosophy of journalism. So whether I'm writing about pro football or a battle in Somalia or the Iran hostage crisis or, in this case, a piece of malware, I really begin at ground zero. And if you were to actually listen to some of the initial interviews that I did in preparation for this book, you
9:40 am
would laugh, because I have to stop the people I'm talking to literally every sentence to ask what they're talking about. Questions like, what's a router? You know, what's a server? What's an ISP? I mean, it was all completely foreign to me. What gripped me about the story, though, was that over the months that I record in Worm, there's this fascinating intellectual struggle going on between very high-level computer security experts and some extraordinarily sophisticated authors of malware. Conficker, as John mentioned, popped up in November of 2008 and rapidly began assembling one of the largest botnets in the world. And what was especially fascinating about this is that this ad hoc group of volunteers who started working together to try to corral Conficker, as they
9:41 am
made moves to try and fence this thing in, the creators of the worm would make counter-moves. And this went on, move, counter-move, over a period of four or five months. So I'm going to read you -- at John's invitation -- a little passage from Worm. And I'll set it up just by explaining that after several of these moves and counter-moves, Rodney Joffe, who's this wonderful burly South African who emigrated to the United States years ago and who has become the head of security for Neustar, which is a big telecommunication and internet-based company in Washington -- he became the sort of de facto head of the cabal, or the Conficker Working Group. And as Conficker continued to grow and those that began to realize that it posed a unique threat to the internet itself, Rodney went to Washington
9:42 am
to try and enlist the support of the federal government in fighting the thing. And so Rodney got invited to give a presentation at the Department of Commerce, because Neustar manages the .us top-level domain for the government, so he was a contractor, and he was invited in and he gave them his PowerPoint presentation, which he had put together in his hotel room the night before, about the Conficker worm. And this alarmed the folks in the room, who, much to Rodney's shock, had for the most part not even heard of Conficker. And he started getting invited over the next couple days to give the same presentation at various other places, so this passage I'm going to read you is like two or three days after Rodney has made his initial presentation at the Department of Commerce. The following day he was asked to brief the staff of the Senate -- excuse me, the Senate
9:43 am
Select Committee on Intelligence. Because the committee's offices were off limits to those without a high security clearance, the staff arranged to meet with Rodney in the visitors center in the Capitol building, in the cafeteria. About a dozen staffers met him there in the middle of the afternoon. The cafeteria was quiet and mostly empty. They cordoned off part of the room and sat around a long table. Before Rodney got started, one of the staffers, a young woman, interrupted him. Just so you know, she said, we probably know a whole lot more about Conficker than you do. We received a classified briefing yesterday afternoon, the woman said. So there's probably not much more you can tell us about it. That's really good news, said Rodney, his voice heavy with sarcasm. By now he knew without a doubt how clueless the establishment
9:44 am
was. Since, he said, it's completely under control, then there's no more reason to be wasting your time. As he stood, there was a chorus of no's. Stay, proposed one of the staffers. No, we want to hear it, said another. So Rodney sat back down. He took out copies of his PowerPoint presentation, which had been printed up on Neustar stationery. He handed them out around the table. The woman who had addressed him flipped through her copy and pronounced, yep, this is the same presentation we saw at the classified White House briefing yesterday. >> The meeting dissolved into laughter when the staffers realized that US-CERT had simply taken Rodney's briefing and presented it as their own work, and classified it to boot. [laughter] >> Rodney later confirmed it with his White House contact, who had attended all three of the sessions. They just gave yours as their
9:45 am
own, he said. So much for cyberdefenses. Thank you. [applause] >> That's actually a terrifying note to start on, now that I think about it. >> Isn't it? Isn't it? >> So there's certain analogies that appear in your book at various times. And early on, I think at a certain point you gave the sense the internet is the Wild West, versus some sense of that territory stretching out in cyberspace forever. And that by analogy, to my mind, sort of brings up the possibility or the sort of definition of the cabal as vigilante. Does it work? Is it correct? It's a question I'm asking of both of you. And then the follow-on question is, you know, since the feds aren't doing very well, is -- are the vigilantes sort of the last best defense in cyberspace?
9:46 am
>> Well, they certainly were in this case. And I think actually the guys -- and T.J. was one of them, he can verify this -- were a little uncomfortable with the designation cabal when someone looked it up -- someone realized that the actual definition implies a kind of illicit or illegal activity, and so they subsequently dubbed themselves the Conficker Working Group. But it's just -- if you're the fat kid on the playground and people start calling you Skinny, there's just no way that you're ever going to get rid of that. And they continue to, amongst themselves, call it the cabal. >> T.J., would you take issue with the notion of vigilante? >> I think vigilante is not the right term. I think -- Microsoft has been called vigilante in some of the operations we've done, despite the fact we've gone to court to get legal authorization to do what we do. I think it was more of kind of an awareness for most of us that there's a growing community of security professionals from around the world that were saying, hey, we can take this
9:47 am
back. And we can do something here, because at some level the internet is operated by the good guys. The bad guys are really dwelling in our domain, but it's an assertion of the right to protect our own systems. And I think vigilante is kind of like a lightning rod term, you know; working in legal and corporate affairs at Microsoft, they are calling us vigilantes. >> But it is true in the sense it was an ad hoc assembly, for the most part volunteers, who spent a lot of time and energy trying to mount an effort to protect the internet from this threat. And, you know, there was no formal organization leading to it. >> How hard was it to break down their -- post this, when you started your book? Did you get their cooperation easily, with difficulty? Did it depend on who? >> Everyone was fairly eager to help. I think they were appalled at my level of ignorance, but I have to say they were extremely patient,
9:48 am
and most of the folks who I worked with went out of their way to help me understand, to read drafts of the story as I was writing it to correct my facts, to help me better understand the story to tell, because I felt it was important to the story. >> I wanted to ask you for your, I guess -- Mark, what have you been saying about the state of -- the state of security affairs in cyberspace as you go on your book tour? And I want to get your gauge. What was Conficker an indication of, in terms of where we are in terms of having cyberspace be secured? Are we entirely out of control? Where are we? >> I think T.J. can answer probably better than I. But my impression was, and I was really surprised to learn it, how vulnerable the internet itself was to a threat of a botnet of this size. And it seemed to me that the very nature of the internet, which grew out of sort of the late '60s, early '70s utopian
9:49 am
spirit of freely sharing data, and at the time, you know, primarily by academic researchers and scientists, failed to really adequately consider how the very openness of the internet, which is such a boon to the world, could also be a tremendous vulnerability, and that there would be people who would take advantage of it. I think the fact that the federal government in the instance of Conficker was really clueless was really shocking to me. My impression is -- and, in fact, President Obama in 2009, when he gave his speech on cybersecurity, he specifically cited Conficker as a case that demonstrated how ill-prepared the federal government was to protect even its own networks. And I think -- so things have improved. That's my impression. You've seen a number of -- formal moves that have been made by the government in the last two or three years that have been publicized and written
9:50 am
about, so clearly the government is more aware today than they were just two or three years ago. But there remains an enormous problem because it's a global issue. There's no such thing as a global police force. There really is no such thing as international law governing something like this, and so it poses tremendous challenges. >> I think the openness of the internet is its greatest strength and greatest weakness. It's difficult to maintain both on the same level, and so really the fact that the internet is so open does make it vulnerable to these types of scenarios. It was invented in a different time and era. I think the Conficker incident was really kind of an awakening, and I'll speak from Microsoft's perspective: a definitely new way of thinking about how can we address these types of issues? But thinking around how is it that all of these great technology companies -- we're sitting in the seat of technology right now -- how can we not be more aware of what's
9:51 am
going on, and how can we play a bigger role as industry to try to tackle some of these problems? And honestly, when Rick Wesson called up with a couple of my colleagues on the phone and said, hey, what is Microsoft doing about this? we were honestly like, well, we released a patch for that. [laughter] >> You know, so we're sitting there looking at it, and we were having meetings obviously with Trustworthy Computing and the folks that do all the patching for our technologies, and we said, we can do something more here. We should be able to do something more here, and that was kind of an awakening for Microsoft in particular, and you've seen kind of our MARS program explode in all these different ways of thinking about cybercrime and the way people are using the internet and Microsoft technologies. >> Before we get too far, Mark, could you give us kind of an epidemiology for people who may not sort of know the blow-by-blow of Conficker? You did talk about it showing --
9:52 am
I guess it was John who talked about it showing up, but just sort of describe the beast here? >> Well, the worm itself popped up at SRI's honeypot -- his honeynet, actually -- and it was on his monitor, and one of the -- what happens is, when a new piece of malware drifts into his space, a line will pop up on his monitor, and there's all these readouts sort of defining what this is, one of which is a column which indicates how well recognized this virus is to the major antivirus industry, to the vendors, and this one was recognized by none. That's the first thing that got his attention, and then the -- the next thing that happened was it was replicating so rapidly that within 24 hours it was shoving aside every other piece of malware on his honeypot. The only words on his screen were Conficker, Conficker, Conficker.
9:53 am
He really had nothing else to work on, and what it was was a very sophisticated piece of malware. It was highly encrypted. One of the things it did, which is kind of curious, was to check whether the computer it was about to infect had a Ukrainian keyboard, and it would self-destruct if it did. But what a worm like this does is it penetrates to the core of your operating system and replicates itself and sends out and infects every other computer on your network, and also begins calling home to a remote controller. The remote controller -- the way that you would ordinarily kill a botnet, you would chop off its head. If you can intercept the communication, you can effectively kill the botnet, and the worm had an algorithm that generated 250 new domains every day, so that the botmaster had to be
9:54 am
behind only 1 of 250 doors on a given day. In other words, if you wanted to cut this thing off, you would have to shut down all 250 domains every single day forever. And so that was, you know, one example of the cunning nature of the thing, and Rick Wesson, who may be here tonight -- T.J. mentioned him a moment ago -- he began buying up those domains and putting them on a credit card, which gives you a sense of how ad hoc this thing was, to try to stop it. >> Before we go farther down the path of the worm's evolution, I just wanted to get back to that question of, you know, what kind of straits they were in. A question for T.J.: I have a very old email address, and I have a filter in front of it. >> What's that? >> And since most malware is
9:55 am
distributed by botnets, and in the form of -- well, the level of spam is some rough correlation out there in the world to the level of malware infections. So I remember about a year ago a large botnet was taken down, and for a while spam fell off. But I have to say that if I look historically at the number of spam messages, it looks like 10 or 20% worse than it was before that happened. Am I a good indicator of the state of -- >> It's a perspective situation, right? So the operation you're referring to is Operation b103, the botnet takedown, and we laugh at some of the reports that were coming in. You know, one of them was zero impact on spam. One of them was 5%. One of them was 10%, and one of them was 30%. So we kind of looked, well,
9:56 am
what's the real number? And we kind of determined it was a perspective thing, so we called our friends at Hotmail: well, did we do anything good for you guys? And they said, well, we see a drop-off of spam of .07%. I was hoping for a bigger number. The problem is that a lot of the webmail providers have systems in place that prevent sending of spam from non-known MTAs, so really they had been blocking a lot of the spam that was hitting already, so we had a small impact with Hotmail. With some other organizations, particularly private companies, they saw a huge drop-off, because the big spam runners weren't sending mail to Hotmail because they knew we were blocking, and Yahoo! and Gmail -- and we talked to our Hotmail folks, they largely managed the spam issue -- but the thing we were watching, when we watched our honeypot send spam out, it was sending it out to a whole bunch of
9:57 am
different domains, so we definitely saw Hotmail spam leave, but that spam would never make it into an inbox because of the filtering on our side. I don't know what the real number is. I know when we start to look at these things, and going back to your original question, I look at how many millions of my customers are being impacted by this malware. If it's running Rustock on there, it's running something else, just based on our testing. So we looked at it a little differently. Spam gives us cause to say they are harming us, but how many customers are being impacted? When we started to look at it in particular, the analysis showed that it would actually reach out to a piece of our infrastructure that we could track -- so it downloaded a patch -- so we were able to fingerprint that, so we knew how many of the machines -- how many machines we were dealing with. So one of the criteria in that case and in the Conficker case: how many of my companies are being negatively impacted by this
9:58 am
malware? I think the state is not great on the internet. But I really -- the past couple of years have really seen a surge in internet service providers, technology companies taking more of an interest, knowing that private companies can do more to protect folks. So I think -- I think the dark days are behind us -- [laughter] >> I need some type of wood. [laughter] >> I think we're getting that awareness. So I think as we start to really understand that there's more things that we can do, we're kind of coming out of that. So at our last conference we had about two weeks ago -- we've been doing conferences for like 10 years now. >> This is your Digital Crimes Consortium. >> On the heels of the Internet Botnet Task Force, we're starting to see more people talk about, how can we be more operational? How can my company help and take down somebody else? I would love to see email spam go away as a distribution mechanism, but I think from a perspective -- there's a certain perspective that shows that that might be the case,
9:59 am
that this might not be any change. But we're still in the infancy. So we don't know. >> So this book is a whodunit, except I still feel that we don't know who done it. I just want to check in with you guys to see, you know, where we are. The book ended at a certain point. There's been a couple things that happened, and sort of take me through where the law enforcement aspect of the worm is, and do you guys feel that you have a conclusive sense of who the authors were or are? >> My suspicion is -- and I can't say with any certainty -- that the authorities do know who was behind it. And I expect -- I suspect that the difficulty in apprehending them has more to do with diplomacy, dealing with a foreign government, dealing with foreign laws and police agencies, than it does with actually finding them. But what we do know about the authors of the worm, without having caught them yet, is that they are
10:00 am
tremendously sophisticated programmers. And the reason I use the plural is that it's almost certainly not one person, because the worm Conficker demonstrated such a high level of proficiency in so many different areas that it's literally impossible to imagine that one person would have that level of ability and that level of knowledge in so many different areas at the same time. So the likely culprit is a group, well funded, probably funded by an organized crime syndicate, who set out to set up a very large, very stable botnet which could be used as a platform for all manner of mischief, a money-making platform. >> And if you look -- if you look at the early indications of how Conficker -- the infection was being leveraged, strong ties to fake antivirus, strong ties to some affiliate programs, the
10:01 am
keyboard -- the keyboard check is really interesting, because nobody wants to be arrested by local authorities for compromising machines in their country. You know, really looking towards Eastern Europe to find out what that looks like, but it's one of those really interesting -- I agree, we referred the case to the FBI early on. They've been working on the case for quite some time. I know that they're working hard on it, but I don't have any -- I can't -- a lot of a picture of the guy. >> Maybe I'm enjoying the mystery too much, but can you rule out the possibility of a head fake? If you wanted to point to the Ukraine, what better and obvious way than to put in a keyboard check? >> That's definitely a possibility. It's entirely plausible that somebody would create something like the Conficker botnet as a money-making tool, because it can be used for anything. This group who was arrested earlier this year used it for a scam to drain $72 million from
10:02 am
American bank accounts. They did that by leasing a portion of this botnet. >> Was that the one time it was used? >> T.J., you know the answer. In the early days it was driving traffic from traffic dot net bis; they were definitely monetizing on the earlier stages, but then it was used again later on to establish Waledac malware, which was distributed through the channel. >> So they went through these stages. Was it five versions? >> I think there was some quarrel over whether some strains represent an entirely new one or not. >> You did read all those emails. >> Three strains, A, B, and C, C being the most sophisticated. I mentioned earlier the worm was generating 250 domains every day randomly, and when Rick Wesson and the cabal got their arms around corralling all 250, the C
10:03 am
variant generated 50,000 domains every day. So it's almost like, well, you know, you're willing to spend this amount of money and time and effort to stop us. Are you willing to make a leap? >> And then they went one more step beyond that. They went to peer-to-peer communication. >> That's right. That's right. You know, the cabal actually managed to recruit the cooperation of every top-level country domain in the world, all 110 of them, and got their arms around 50,000 a day, only to have the worm introduce peer-to-peer communication so they didn't even need it. >> And so do you think the authors were doing this on the fly? That they were seeing what the cabal was doing and they were responding and saying -- >> Without a doubt, you know, and they would put little clues in that they were monitoring the traffic on the listserv that the cabal maintained. They were tapping into SRI's
10:04 am
system to check on, you know, what others were doing. >> Without giving away their identity. >> You know, one of the interesting things they did: the communication from the worm to the botmaster was encrypted with SHA-2 initially, which is the highest level of public encryption method in the world, and right now there's actually a competition going on to develop SHA-3, which when it's complete will introduce the new highest level of public encryption. Well, Conficker A had SHA-2 as its method of encryption. Conficker B used a proposal for SHA-3 which came from Ron at MIT, who has been the author of the previous two SHAs, and then he had a minor flaw in his proposal, so he withdrew it and corrected it, and Conficker C had
10:05 am
the corrected proposal from Ron, so my personal theory is it might be Ron. [laughter] >> So when they went to the peer-to-peer system, the cabal was never able to see the peer-to-peer Conficker mechanism? >> You can still see into the peer-to-peer network, so one of the big kind of issues that we face is that, you know, we don't want to make smarter criminals, right? So when we start doing our actions, we want to make sure we're doing what we're supposed to be doing, and we're always putting the enemy at the disadvantage, and the fact they didn't know it would make them visible. We could kind of track to a limited degree; if we had enough sensors out there in the peer-to-peer network, we could likely map a significant portion of it. I know the guys at SRI were working diligently, as well as others, to do that. What they were able to do -- they were actually able to sneak a domain in that we had missed,
10:06 am
because we were trying to figure out how do we -- how do we stop 50,500 domains per day, so they snuck a domain in. They only updated a bot to that peer-to-peer mechanism, which is traditionally noisy and it's not as reliable as the straight command and control. It's more resilient to attack, but as you saw in Operation 79 and Waledac 9, there are flaws in the peer-to-peer, so we were able oftentimes to analyze the malware and the traffic flow enough to be able to impact that. >> Somebody -- how many infected machines are there -- are out there? 10 million? >> No. And they were using the Q value, the unique strain that was seen in the update pieces of the code. What we think is, I think, the latest numbers from Shadowserver, about 4.5 million Conficker A/B nodes and around
10:07 am
250,000 Conficker C nodes that are out there. >> It hasn't done anything of note for how long? >> A long time. >> It's just out there beating -- >> But let me go back to your question earlier, John, about the head fake with the Ukraine. I mean, the most logical explanation for a botnet like this, as it says, is a platform for criminal activity, but if it is sophisticated and a feint, you know, something like a botnet of this size is also a very powerful tool, and if you wanted to launch a cyberattack, it's certainly capable of overwhelming the root servers of the internet itself. Now, if a nation state was behind it, you wouldn't necessarily use that weapon right away. You would wait until you wanted to use it. So there have been folks who read this book and they're kind of disappointed that the real world doesn't offer a clean dramatic ending to a story. So it is true that the authors of the Conficker botnet
10:08 am
have not tried to destroy the internet with it, but I don't know about you, the idea that some guy could wake up on the wrong side of the bed in Kiev and wipe out telephones in North America I find kind of disturbing. [laughter] >> There's been some arrests in the Ukraine, but your bet is that they haven't gotten the Conficker authors? >> Correct. >> Okay. Okay. So, you know, there's a spectrum of possibilities and motive here. One, the most obvious, is just malware distribution or selling off lease time. But I discovered in your book what I thought was just fascinating, and you found an explanation, which might line up with another explanation, that in one of the generations of the worm, the nodes reported how connected they were. >> Right. >> The authors were thinking of the social graph, and there were some guys -- I don't know if you ever ran into these guys at MIT
10:09 am
were wondering whether Conficker wasn't some gigantic sensor net that somebody was building, basically a surveillance tool rather than a theft tool, or -- did either of you run into that possibility? That somebody instrumented the net -- >> There's robust discussion within the Conficker Working Group of what the actual cause or use of the botnet was. You know, everything ranging from, you know, a state-sponsored piece of malware that got out of some secret lab somewhere to, you know, the prevailing theory right now that it's being used for -- was being used to monetize scareware. You know, certainly it could be. It's just too chatty. So if you look at the malware threat out there, they are not generating 250 domains and being that chatty. This was not designed to be a stealth piece of malware. >> So how long have you been in this business? When did you start sort of
10:10 am
forensics and -- >> I went to Florida State University in the better part of the '90s. Mr. Bowden is the uncle -- well, used to be the coach of the Florida State Seminoles, so it was really nice to see that. Ever since I was in grad school, really starting -- my undergrad is criminology and I have a master of science, and when you go through college you do a lot of stuff really looking at network administration. That's how I put myself through undergrad, and I had an acumen for it, so I began to really start looking at those things, you know, in the early to mid-'90s at academic institutions. Really, the wild wild west was a good description of what those networks were like. Typically fragmented administration. Public university couldn't block anything at the edge. I hear that's still the case. So we would see some amazing, you know, traffic patterns, and
10:11 am
it was really kind of an open -- an open honeypot the entire network was, so really understanding how machines were getting compromised, that's when it really started to pique my interest. >> Do you have trouble keeping your spirits up? This is kind of like rolling a big ball uphill, I feel. >> I love it. I love it. My wife: are you going to come to bed, come on. You experience that; the five minutes turns into the five hours and the sun is coming up. I don't think -- and we were discussing this earlier on in the green room -- I don't think I could wake up every day and do the same thing, and that's what kind of this thing allows us to do. >> And I found that true of not just TJ but all those involved with the cabal. Well, if they weren't getting paid to do this -- and TJ has a job, and some were doing it out of the goodness of their hearts -- why were they doing it? And maybe the right answer is it's fun. It's fascinating. It's, you know, like these people think they're smarter than we are. I don't think so. >> They are sometimes.
10:12 am
>> Sometimes they are. And sometimes never. >> No, they're never smart. The good guys will always win. You've seen all the cowboy movies. >> How many of the cabal are here? Is it Rick and Paul? Anybody else? Just two of you. >> We are also a dying breed. Nobody can make it out. >> So what's your take on this white hat culture? What did you come away with, meeting this group of people who are engaged in this struggle? >> Well, I think you could make an argument that Conficker is not -- it's tremendously interesting and sophisticated. It might not be the most dangerous worm ever. The botnet might not be the largest one ever, but for my purposes it's a wonderful case study, and it gave me an opportunity to sort of walk around in a subculture, in this case the culture of computer security geeks, uber geeks I
10:13 am
call them. >> We're just nerds. That's okay. >> And I think for me that's the fun of reporting and writing, is learning about aspects of the world and modern life that I otherwise would never encounter. So for me, I think that this is a unique subculture because the internet is a relatively new phenomenon. It's grown so rapidly that you find that the folks who are at the sort of vanguard in the field are -- there are very few of them. It isn't like you can go to -- well, nowadays you probably could, but when Phil Porras went to Stanford in the 1980s, I'm probably making him older than he is, maybe 1990s, he actually had to shop around for a college professor who could teach him something, because he had grown up playing with computer networks and systems, and it was such a new thing that he had developed a very high level of proficiency
10:14 am
on his own, and it was really difficult to find someone who could tell him or teach him anything, and I think that level of skill has continued. And it's developed in different individuals for different reasons. But that's how I see it. >> It's interesting to kind of see that when you talk to Andre DiMino, Andre Ludwig, some of those guys who are basically, you know, self-taught. >> Yeah, Andre, yeah, I think he went to a community college and he was, you know, running a security -- he was the IT security guy for a small company in New Jersey, and he discovered that somebody over the weekend had broken into his network and used it to stash a lot of pirated music and movies, and he was able to clean it out and, you know, secure his network, and his bosses said, okay, end of problem. But Andre thought, wow, and he went back and checked the system, and people were rattling his doorknob all the time to do this
10:15 am
kind of thing, and that someone in Eastern Europe is trying to deposit a lot of illicit material in his office in New Jersey intrigued him so much that he set himself on a course where he's become one of the leading authorities on botnets in the world. >> Did you spend a lot of time with the Shadowserver group -- talk a little bit -- what is Shadowserver? >> Primarily I spent time with Andre, and I also talked to Richard, who is one of the originators of it. Essentially, they again are the essence of a volunteer organization; they began monitoring botnets, dissecting the malware that creates botnets, and killing them. They consider themselves to be botnet killers. ..
10:16 am
10:17 am
suggestion of written code that goes out and takes infections off machines. Is that routinely done? >> I'll be clear. >> On what scale have you done that? >> It runs on about 700 million computers each month. That's one of the tools we use as part of the automatic update process. >> That only hits the machines -- >> Yes. Then we also developed tools called the enhanced MRT. We have a disc called System Sweeper that boots to a Windows environment. So they can go and carry that message into their countries. So while the first time we had the remediation piece in place it was slow going, it was rough, it was ugly. Who wanted the data, who didn't want the data.
10:18 am
Were they able to use the data? We learned a lot of lessons. It took us about a year to get about 90% clean. When we did the other operation we had a 50% reduction in the first 45 days or something like that. We are getting better. >> Is that a long-term solution? >> No. We need to figure out what the longer-term solution is where we can have more impact. Will we come up against -- we're the good guys. We can't push code through to that machine like the bad guys. What other mechanisms are available? We have robust debate. >> One of the things, Mark, that was so good, compelling to me, in describing your patching process, and when that patch went out, sort of you being prepared, realizing there was an instruction manual you'd given the black hats out there and you had alluded to a vulnerability. To me, how do you get around that, a structural problem you're facing?
10:19 am
>> The Microsoft Security Response Center, that weighs on the table. Understanding if there's a vulnerability in the OS or any of our components that is being exploited, we weigh that. There's a lot of people that are dedicated to that. We know as soon as we issue a patch a bunch of people are going to say okay, what did they change? They put it in the pits. A pits. They start to look at what vulnerability was patched. That's something that does go into the equation. At the International Botnet Task Force meeting in Virginia in 2008 when we announced the patch, I can't remember the number, we said hey, let's start looking at this. We had the advantage of having security researchers from 45 countries in the room. So we got rid of the last session; we spent about an hour and a half with everybody, the folks in the room with us, with samples of malware and some of the exploit code.
10:20 am
We started shifting it around. But we knew it was a wormable vulnerability. We needed to get the patch out there. There were people in the room patching their machines, like over the wi-fi at the coordination center. Should've probably planned ahead for that. But it was one of those things. You can't avoid it: you're going to fix something, and people that are curious are going to look at what the update did. >> It was six weeks later? >> Yeah, it's a really short amount of time. I have friends that mod their cars; the first thing they do is they take a snapshot of the OS that is running in the car, they take it to the dealership, they get the update, bring it back, what did they tweak? It's curiosity. These guys are using that curiosity for nefarious activities though. >> You paint a really good picture, a compelling picture. Did you look at all at the black hat culture? Have you been at any time on the other side of the fence?
10:21 am
>> No. Obviously I did look at -- there are websites where some of these purveyors are openly celebrating their success. I watched online a company party that one of these groups was having where they were raffling off cars to people. And there was a rock band and everything else. This was in Russia. >> Very funny. >> Yeah, it was fun. But it showed the level of involvement and openness with which people are engaged in this in certain parts of the world. The scope of this book, I deliberately chose to narrow it to the struggle against Conficker. And since I didn't know, I was hopeful, to be honest, that they would catch these guys before I finished writing this book. If they had, I would've tried to go wherever it is they're from, from the Ukraine, and would've tried to add that piece to the story, but, unfortunately, it didn't happen
10:22 am
in time. >> We have $250,000 out right now for anyone who leads to the successful arrest and conviction. If anyone knows anything, I think Mark would want to know about that. >> Did the reward work for you? >> We've issued I think four rewards at this point. The first were not so much, the second one yes. We have some good tips, the Conficker one, and most recently issued the reward for the Rustock one. I can't talk to the details about that. It's ongoing but it has been referred to the FBI. $250,000. I would love to pay $250,000. >> Do you have a favorite success, either because -- >> I don't have successes as much as I have favorite things that happened. Not necessarily all successful. More from failing than successes. So I would think early on when we started to kind of come
10:23 am
up with the Microsoft active response strategy, and kind of realized what the challenges were, saying I have budget, why can't I just buy all these domains on my corporate Amex. My mentor said, you want to charge $35,000? That's not going to work. Just figuring out that there's things we can do; buying the domains is not a long-term solution, but as a stopgap it would have worked. I think this is one of those things, I think it motivated me and a lot of guys I work with on it to say okay, when am I going to let that happen again? >> A couple more questions for Mark and I will turn to you for your questions. >> Could you contrast reporting in this world with reporting of the "Black Hawk Down" world? >> Not that different, to be honest. You know, I made a joke about, and it's true, how I had to literally stop folks every
10:24 am
sentence to ask what it is they were talking about. That was also true when I was working on "Black Hawk Down." Soldiers speak in a jargon for their weapons systems; it's almost as if they speak their own language. I was in the beginning really stopping people all the time, saying -- I remember -- you are often mistaken as an expert in the field you have just written about. And I was talking about "Black Hawk Down" at the Army War College in Carlisle, and a colonel in the back of the room raises his hand and asked me if I thought a Bradley armored vehicle should have been part of the protection package in Mogadishu. I said before you can have an opinion about a Bradley armored vehicle you need to know what one is. [laughter] Still, reporting is reporting. Back when I used to cover football, the sports writers were, how can you go from covering science, you're covering politics, or covering
10:25 am
transportation, and writing about sports. And I would tell them it's a transportable skill. The whole idea is that you go into a world you don't understand, you find people who can educate you, you ask questions until you arrive at your own level of understanding, and you write the story. That in a nutshell is what I do. >> One last question. I think, were you deeply engaged in Conficker when it came on the scene? As a writer, can you tell, is one story one star and there is another story that sort of comes -- the great thing about Conficker is it was one story. Did you feel conflicted because there's another big -- >> Not much, to be honest. I have kind of this disinclination to be writing the same story that everybody else is writing. I have no doubt that Stuxnet would attract a lot of attention. I'm sure there'll be a book or two, maybe you're writing one. >> I am not.
10:26 am
>> I would rather find a story that no one else is telling. And to me, I knew what I wrote -- I wrote a book about the Philadelphia Eagles' 1992 season, and all the sports writers were saying to me, why are you writing about that season? They didn't win the Super Bowl. It didn't make any difference to me that they didn't win the Super Bowl. It was an opportunity to write about that world and those people, and so to me that's what the story is. And the fact that there might be a sexier story that comes down the line is almost guaranteed, but it doesn't really influence me. >> Let me get the audience involved, and do it by way of cards because there's some interesting questions. Two parts. One is a question and one is a comment for Mark. The question is, what is the Conficker -- we're not -- a question for any of you guys -- [inaudible] [laughter] Let me ask this question. There's this operating system, a lot like a Unix environment.
10:27 am
Why do you think you have such a larger problem than the Macintosh appears to, aside from the fact that they have 10% or 7% market share? Anything else that is different? >> I think we can hang that on a number of things. Market share being kind of one that has been beaten to death. Also the fact that there's not that much money in it. If you think about what the problem is, it's a cybercrime product; they don't do this for giggles, like what I did back in college, right? I can make people's computers do funny things. They are about money. So what's the biggest net they can cast? They can cast a really big net on Windows. I think the Apple guys are starting to see a little bit more of it. I think it's going to be their turn to kind of have their Windows XP Service Pack 2 moment, but, I mean, as I said, it's one of those things, it hasn't hit yet. >> I remember this paper some
10:28 am
years ago basically making your argument, that the question is, if you want to make that argument, you can try to estimate what percentage of market share you have to reach to be at that point. And I think it was like 19.7% market share. >> But it's also, you know, criminals are smart. They are lazy. That's why they're criminals, but they are smart. They realize that an Apple computer costs this much more than a normal PC; does that have something to say about the socioeconomic status of the people that are using it? They might write banking trojans of a different type than for Windows. We're going to start seeing more of that happening. But at the end of the day it's cybercrime. I don't care: if I need a car and I'm a car thief, I don't care what kind of car you drive. I need a car. I'm going to go steal a car. So bringing it back, there's security ramifications. Windows 7 being more secure than
10:29 am
Vista being more secure than Windows XP, Microsoft sort of learning as we go. But there's also the other element of cybercrime. Criminals are going to go where the money is. >> Just a comment to Mark. Some of us who have been involved in this fashion since the 1980s have always been scared by, quote, Conficker instances and how to attack them without killing the network. Another question. Do you think the worm creation might have been funded by a terrorist group like al Qaeda? >> No. And I think because we've never seen that level of sophistication from terrorist organizations, and also the way that it has been used, there's nothing to stop the authors of the Conficker botnet from launching a massive cyber attack on April 1, 2009. Other than, you know, they probably don't want to take down the internet.
10:30 am
They probably want to use the internet to make money. So if it was a terrorist organization we would probably know by now. >> And if it was a terrorist organization it would probably be quieter. It comes back to how noisy the threat is. >> This is to TJ: what is Microsoft doing to prevent worms slash viruses in the first place? Like Unix. [laughter] >> So we have a number of programs, the Security Development Lifecycle, trying to get folks to code in a manner that makes it more difficult to attack. Windows 7 having things like address space layout randomization, things like that. We have the Trustworthy Computing contingent, an arm of individuals from across the company that work to triage vulnerabilities and have time to patch them, and automatic updates. We have a division of our company called the Malware Protection
10:31 am
Center, so we offer free antivirus. We have seen a shift from attacks against Windows to a shift in attacks against third party add-ins and social engineering tricks. At the end of the day I think we're making huge strides on the security front as far as OS vulnerability. We are working really hard with partners to find out ways in which we can use some of those applications. One of the tools I put on all of our systems in our fusion centers is the Enhanced Mitigation Experience Toolkit. What it allows us to do -- it's a free download -- it allows you to put some of those controls on specific applications within the Windows environment, so you can have application-layer defense on the machines. So we are learning by being forced to. Over the past 10 years we have really been under the scrutiny of the security community. I think we stepped up to that challenge, but at the end of the
10:32 am
day, if granny wants to install the dancing pig screensaver that she just has to have, that has been trojanized, we try to make it so that folks have an informed decision of what they are installing on Windows. But we do have teams like the Digital Crimes Unit, that if something does get out of control, we take our legal and bring it to bear on the problem, and we try to protect our customers in a new and, quite frankly, a neat way for all industry. >> All the way back, it was a buffer overflow vulnerability. That was true here. So what is it about overflows that are so hard to find? >> There's lots of buffers. [laughter] But we've automated stuff. We put a lot of our code through it. So really that's what the attempt is to try to attack that. Then there's DEP and ASLR. So make it more difficult for the attacker to get to the top, to different parts of the OS. But for sure, we will close buffer overflows
10:33 am
and all that stuff and they'll come up with something else. >> It's a classic arms race. Every time in history someone has come up with a way of defending the capital, the attackers find a way to breach the defense. This is just happening in the intellectual realm. >> A question here. You have statistics on the number of infections, but does this include pirated software? If not, what do you estimate the actual worldwide number of infected machines to be? >> The infection number estimates are based on a single day. We don't distinguish between pirated copy or legitimate copy. So that's it, it's a sheer number. And it's in all of its ways. Accounting -- so we just took the kind of academic argument out of it and we said how many unique IP addresses do we see a day? There's all kinds of stuff that will muddy those numbers, but if you take into account people that are kind of corporate, we think
10:34 am
there's a 20% reduction in the number, so I think 4.5 million is, I suppose, the number that we can come to knowing all the flaws. So that's the best number that we have. >> I think one of the other sub-questions that was going to be asked, I'll take the time to answer it: Microsoft does issue patches to pirated Windows. If it's a critical patch we'd issue the patch; you'd need to be at the right patch level in order to receive that patch, but we actually do issue it. If it's of a critical nature for the OS and you're running a pirated version of Windows and you connect to the update site, you can install it automatically. >> How hard would it be for a nation state to build a persistent botnet bigger and more stable than Conficker? >> Not hard at all, I wouldn't think. Depends on the nation state. >> I mean, if you are, if you're
10:35 am
aware of the vulnerability and you can exploit it, you know, something like that can spread very, very rapidly. >> I think it's also even simpler than that. Some of the technology that we are seeing now, new attack vectors like the ad exchange, for example, browsing espn.com and getting advertising from a third party advertiser. Those are some of the things we're looking at as ways to do mass compromise. >> The trend appears to be away from that though, doesn't it? For a long time it was creating massive botnets, and now the trend seems to be more these -- we have a very carefully sculpted exploit for a specific reason. >> That's what you see. It's kind of the first. If I want to make a lot of money really quick, I'm going to compromise a lot of machines
10:36 am
knowing I have like a six-day window with antivirus to update and go. If I want to be on a machine for a long time, then that means what you're seeing is a more focused type of approach, new innovative techniques, for more of a criminal enterprise. >> A couple of years ago the FBI stated something like 100 countries had offensive cyberwarfare programs. You're out there in the real world. Does that seem like a possible number to you? >> Yes. [laughter] >> I don't know where they came up with that number. I would think that there's probably more -- >> In the modern world, so much -- we increasingly lean on the internet for so much that anyone who's thinking about going to war who has a military would incorporate cyber warfare into the package. We saw it when Russia invaded Georgia.
10:37 am
We saw it in the nation of Estonia. We saw it with Stuxnet. Certainly any country with a major military or defense department is developing capability, not only to defend themselves but to attack their enemies. >> Are we going to run into, or have we already entered, a stage like a period of nuclear testing where, you know, countries that were developing nuclear weapons were testing in the atmosphere? Are we at the cyber equivalent stage? Stuxnet wasn't a test. Stuxnet was an actual attack. But do we think we've seen tests? >> We are certainly seeing it in espionage. There are mounting numbers of instances where a lot of it is -- China, whether correctly or not, you know -- where supposedly secure American networks are being scanned for data and uploaded, data is being uploaded from them, spyware is being
10:38 am
installed, keystroke logging. This kind of stuff has just become fairly common. >> With the ever-growing presence of mobile platforms on the internet, are there any botnets targeting mobile devices currently? >> So, we do see an increasing amount of malware impacting the mobile platform as our devices get smarter and more always-on, always connected to the internet; that's a logical place to attack. Most of what we've seen on the Windows Phone side is exposing of the handset hardware support to the marketplace. I can't speak for other companies in the valley that might be experiencing different things, but you're going to see it. You're going to see it on the tablets that are out there; people are walking around with tablets and a mobile device. It's just clear the bad guys are going to go where the money is. >> In terms of your new mobile platforms, new
10:39 am
Windows-based mobile platforms, are the interfaces in any way common vulnerabilities? And if so, if you have a Windows Phone, how much does it look to an attacker like a Windows PC? >> It doesn't look like it. It's part of our code, so it's partially based on the Windows Mobile operating system, but it's almost a complete rewrite. As we go from Windows 7 to Windows 8 it's going to be a little bit different. >> And in terms, Microsoft says, of any applications that run on your mobile platforms, how will they be similar or different in terms of trying to keep the universe closed? Will it be closed, and are we closer to Apple? >> I don't know the answer to that question, but I'll say that Windows is going to have an app store. Windows Mobile has an app store. We see a lot of the benefits of
10:40 am
having some of that in a cloud. If you think about how Microsoft is positioning our technologies, it's kind of that three screens vision, where my experience with Windows 8 should be the same on any device I log into, but I should be able to get those applications that I want on demand. So the way we are looking at it is, how do we vet those applications in the marketplace before they ever make it down to the device. >> This will take a little bit of explanation. Is the project with untraceable routing a sensible idea, or lunacy? >> I like it. I didn't read it completely, but there was a paper on Tor that suggested a new set of vulnerabilities. Do you think, I mean, how much can you trust your anonymity with Tor? >> I think it comes back to that same question. Software is written by humans. Humans are fallible. Nobody will write the perfect code. Maybe it's been written by someone in this room and we don't know
10:41 am
that. It's one of those things that if you poke and prod enough at any piece of software, you're going to find new interesting ways. What's interesting is, as you alluded to earlier, most of the vulnerabilities that we're looking at are overruns, memory type modifications. What's next? That's what I'm thinking about. So we're trying to figure this out, but what is my kid going to use to compromise the refrigerator and let the beer out? The flying cars. So yeah, I think if you're going to use these, you have to commit to understanding what software you're using. I think most people don't get that. I get that from my sister-in-law. She's buying something on Amazon, like if it can't complete right now, whose fault is it? She points at me. [laughter] >> I had nothing to do with this
10:42 am
transaction. But that's the impression that I think anybody in the room kind of feels a certain part of. It's our fault. To figure out a way in which we can manage that as well is kind of a difficult, sometimes heated debate in my house. >> Are efforts being made to block communications between the botnet community? If so, how long will it be possible? >> So, right now we are in year two and a half or three. I think if Rick is in the room, we just had the latest 2012 lists come out, so we're working at a high level to block those. On the country side, it's a little more difficult. Some of those folks have fallen off, not wanting to block it for much longer. So I know that the big ones are still participating. They represent the bulk of the infection. Really the A and B infection, a
10:43 am
smaller group, so they have been amazingly open to continue the effort as long as we produce the list and are able to go in there and have the process kind of automated. >> The individual nodes themselves present a signature, don't they? Could you use that -- what are the intricacies of taking it off a machine that is running an old version of Windows that may not have any protection at all? Is that a workable strategy? >> Absolutely. >> You've done some of that? >> Microsoft has developed a number of tools, as have a number of antivirus companies, to make it pretty easy to get it off a machine. If everybody in the world would pick it up, update the box, go to automatic updates, they would be clean. But kind of working through some of the mechanisms there, the people that are infected are basically people that don't have the minimum protections; they're not running updated antivirus. The bad guys have stopped developing code. The vulnerabilities -- the better
10:44 am
part of the users of these are folks who are kind of in limbo, not doing what they need to be doing. >> We are through -- one or two other questions because we are done. >> That's great. Please join me in thanking the panel tonight, ladies and gentlemen. [applause] >> You're watching Book TV on C-SPAN2, 48 hours of nonfiction authors and books every weekend. >> Visit booktv.org to watch any of the programs you see here online. Type the author or book title in the search bar on the upper left side of the page and click search. You can also share anything you see on booktv.org easily by clicking share on the upper left side of the page and selecting the format. Book TV streams live online