Book TV, CSPAN, January 23, 2012, 6:45am-8:00am EST
classified White House briefing yesterday. [laughter] The meeting dissolved into laughter when the staffers realized that they had taken Rodney's briefing and presented it at the White House as their own work. And classified it to boot. [laughter] Rodney later confirmed with his wife -- White House contact. They just gave yours as their own, he said. So much for bonded federal cyber. Thank you. [laughter] [applause]
>> That's actually a terrifying note to start on, when I think about it.
>> Isn't it?
>> There are certain analogies that appear in your book at various times. Early on, I think at a certain point you gave the sense of the internet as the Wild West, stretching out in
cyberspace forever. That analogy, to my mind, sort of brings up the possibility or the definition of the vigilantes. And I was wondering, one, if the vigilante term works, is it correct? And then the follow-on question is, since the feds are not doing very well, are the vigilantes sort of the last best defense for cyberspace?
>> They certainly were in this case, and I think actually TJ, who was one of them, can verify this. They were a little uncomfortable with the designation "cabal" when someone looked it up and realized -- [inaudible] someone realized the actual definition implies an illicit or illegal activity. So they subsequently called themselves the Conficker Working Group. But it's just like if you're the fat kid on the playground and people start calling him Skinny, there's just no way you're ever going to get rid of that. So they continue to be, even
amongst themselves, they call themselves that.
>> Do you take issue with the notion of vigilante?
>> I think vigilante is not the right term, but I think Microsoft has been called vigilante in some of the operations that we've done, despite the fact that we've gone to court and gotten legal authorization to do what we do. I think it is more kind of an awareness for most of us that there's a growing community of professionals around the world that said, we can do something, because at some level the internet is operated by the good guys. The bad guys are dwelling in our domain. So really it was more of an assertion of the right that we have to protect our own systems. I think vigilante is one of those lightning-rod terms that, working in legal and corporate affairs at Microsoft -- why do they call us the vigilantes?
>> But it is true in the sense it was an ad hoc effort, for the most part volunteers who spent a lot of time and energy trying to mount an effort to protect the internet from this
threat. And there was no formal organization. How hard was it for you to break down, when you started your book? Did you get their cooperation easily or with difficulty? Did it depend on --
>> Everyone was fairly eager to help. I think they were appalled at my level of ignorance. But I have to say they were extremely patient, and most of the folks who I worked with went out of their way to help me understand, to read drafts of the story as I was writing it and to correct my mistakes, to help me better understand the story to tell, because I think they felt this is an important history.
>> I wanted to ask both of you early on for your -- I guess, Mark, what have you been saying about the state of security affairs in cyberspace as you go on your book tour? And I want to get your gauge. What was Conficker an indication of,
in terms of where we are, in terms of having cyberspace be secured? Are we entirely out of control? Where are we?
>> TJ can answer probably better than I, but my impression is, and I was really surprised to learn it, how vulnerable the internet itself was to a threat, a botnet of this size. And it seemed to me as though the very nature of the internet, which grew out of sort of the late '60s, early '70s utopian spirit of freely sharing data, at the time primarily by academic researchers and scientists, failed to really adequately consider how the very openness of the internet, which is such a boon to the world, can also be a tremendous vulnerability, in that there were people who would take advantage of it. I think the fact that the federal government in the instance of Conficker was really clueless about what was happening and what to do about it was really shocking to me. My impression is that, in fact,
President Obama in 2009, when he gave his speech about cybersecurity, specifically cited Conficker as a case that demonstrated how ill-prepared the federal government was to protect even its own networks, and I think some things have improved. That's my impression. You've seen a number of formal moves that have been made by the federal government in the last two or three years that have been publicized and read about. So clearly the government is more aware today than they were just two or three years ago. But there remains an enormous problem, because it's a global issue. There is no such thing as a global police force. There is no such thing as international law governing something like this. It poses tremendous challenges.
>> I think the openness is both its greatest strength and its greatest weakness. It's tough to really kind of manage usability and security on the same level. So really the fact that the
internet is open doesn't make it vulnerable to these types of things, but it was invented in a different time, from a different era. I think the Conficker incident was an awakening, and I will speak from Microsoft's perspective, in how we think about how we address these types of issues. But thinking about how is it that all these great technology companies were sitting in -- like, to see the technology right now, how can we not be more aware of what's going on, and how can we play a bigger role as industry to try to tackle some of these problems? And honestly, when Rick called up, with a couple of my colleagues on the phone, and said hey, what is Microsoft doing about this, we were honestly like, well, we have released a patch for that. [laughter] You become so -- we were sitting there looking at it, we're having meetings with the folks that do all the patching for our technologies. We said we can do something more here. We should be able to do
something more here. It was kind of an awakening for Microsoft in particular. You've seen our MARS program explode into all these ways of thinking about cybercrime and the way people are using the internet.
>> Mark, maybe before we go too far, could you give us an epidemiology for people who may not sort of know the blow-by-blow of Conficker? Just the first half, about how you talk about it showing up in a honeypot, I guess you've talked about it, but just sort of describe the beast here.
>> The worm itself popped up in a honeypot -- at SRI, actually -- and it was on his monitor. What happened was, when a new piece of malware drifted into his space, a line would pop up on his monitor, and there are all these readouts sort of defining what this is, one of which is a column which indicates how well recognized this virus is by the major
antivirus industry. This one was recognized by none. That's the first thing that got his attention. The next thing that happened was it was replicating so rapidly that within 24 hours it was shoving every other piece of malware out of this honeypot, so that the only readouts on the screen were conficker, conficker, conficker, conficker. He said, I literally had nothing else to work on at that point. What they discovered at SRI when they began to dissect it was that it was a very, very sophisticated piece of malware. It was highly encrypted. One of the things that it did which is kind of curious is it checked to see if the computer it was about to infect had a Ukrainian keyboard, and it would self-destruct if the computer did. But basically, of course, what a worm like this does is penetrate to the core of your operating system, replicate itself, and send out and infect every other computer on your network. And also begin calling home to a
remote controller. The remote control -- the way you would ordinarily kill a botnet, your best opportunity, is if you could intercept that communication. You can effectively kill the botnet. So to prevent that, the worm had an algorithm that randomly generated 250 new domains every day. The botnet had to be behind only one of those 250 doors on a given day, whereas if you wanted to cut this thing off you would have to shut down all 250 domains every single day, forever. And so that was one example of the cunning nature of the thing. And Rick, who I think may be here tonight, who TJ mentioned a moment ago, began buying up all those and putting them on his credit card, which gives a sense of how ad hoc the effort was to try to stop it.
>> Before we go farther down the
path of the worm's evolution, I just want to get back to that question, what kind of straits we're in. A question for TJ. I have a very old e-mail address, and I have a filter in front of it. And --
>> What's that? [laughter]
>> I think most of the people here know myself. And since most malware, I take it, is distributed by botnet, in the form of -- well, the level of spam is in some rough correlation, in the world, to the level of malware infection. So I remember about a year ago a large botnet was taken down, and for a while spam fell off. But I have to say that if I look at the number of spam messages, it looks like it's probably 10-20% worse than it
was before that happened. Am I a good indicator of the state of --
>> It's a perspective situation. So the operation you're referring to is -- we kind of sat back and looked at some of the reports that were coming in. One of them was zero impact on spam. One of them was 5%. One of them was 10%, and one of them was 30%. So kind of looking at, what's the real number? We kind of determined it was a perspective thing, so we called our friends at Hotmail and said, did we do anything good for you guys? They said we see a drop-off of spam of like .07%. Well, I was hoping for a bigger number. A lot of the webmail providers have systems in place that prevent sending of spam from non-known MTAs. So they had been blocking a lot of the spam that was hitting already, so we had a small impact with Hotmail.
Some other organizations, particularly private companies, saw a huge drop-off, because the big spam writers wouldn't send to Hotmail, because they knew that we were blocking. Same for Yahoo!, similar countermeasure. So we talked to our Hotmail folks and they said they largely manage the spam issue, but the thing that we saw, when we were watching our honeypot attempt to send spam out, it was sending out to a whole bunch of different domains. So we definitely saw Hotmail spam leave, but that never made it into an inbox because of the filtering on our side. I don't know what the real number is. I know when we start to look at these things, going back to the original question, I look at how many millions of my customers are being impacted by this malware. If it's running Rustock on there, or it's running something else, just based on that, we look at it a little differently. Spam gives us cause to sit in a courtroom and say they are harming us. What I look at, I'm also looking at how many of my customers are being impacted. When we start to look at
Rustock, once infected, it was instructed to reach out to the server infrastructure that we could track, so it begins to download a patch or download content in a very specific way. We were able to fingerprint that, so we knew how many machines we were dealing with. One of the things that we look at -- in the Conficker case it was a big botnet, Rustock was a big botnet -- my customers are being negatively impacted by this piece of malware. But I think the state is not great on the internet. But really, the past couple of years have really seen a surge in internet service providers and technology companies taking more of an interest, knowing that private companies can do more to protect folks. So I think the dark days are behind us. [laughter]
>> No, I need some type of wood. I think we're getting that awareness. I think as we start to really understand that there's more things that we can do, we're kind
of coming out of that. So in our last conference that we had about two weeks ago -- we've been doing conferences for like 10 years now -- we are starting to see more people talk about how can we be more operational. How can my company -- how can my company do takedowns? I would love to see spam go away as a distribution mechanism. But from a perspective, there's a certain perspective that shows that that might be the case, that there might not be any change. We are still in infancy, so we don't know.
>> So, this book is a whodunit. Except I still feel that we don't know who done it. And I just want to check in with you guys to see where we are. Your book ended at a certain point. There have been a couple of things that happened, so take me through the law enforcement aspect, where it is, and whether you feel you have a conclusive sense of who the authors were or are.
>> My suspicion is, and I can't
say with any certainty, that the authorities do know who was behind it. And I suspect that the difficulty in apprehending them has more to do with diplomacy, dealing with a foreign government, dealing with foreign laws and police agencies, than it does with actually finding them. But what we do know about the authors of the worm, without having caught them yet, is that they are tremendously sophisticated programmers, and the reason I use the plural is it's almost certainly not one person. Because the worm Conficker demonstrates such a high level of proficiency in so many different areas that it's literally impossible to imagine that one person would have that level of ability and that level of knowledge in so many different areas at the same time. So the likely culprit is a group, well-funded, probably funded by an organized crime
syndicate, who set out to create a very large, very stable botnet which could be used as a platform for all manner of mischief. A moneymaking platform.
>> If you look at the early indications of how Conficker would be leveraged, strong ties to fake antivirus, strong ties to some kind of affiliate program, the keyboard check is really interesting, because nobody wants to be arrested by local authorities for compromising machines in their country. Looking towards Eastern Europe to find out what that looks like, but it's one of those really interesting -- I agree, we referred the case to the FBI early on. They've been working the case for quite some time. I know that they are working hard on it, but I don't have any -- I do have a picture of the guy.
>> Could you rule out the possibility of a head fake?
If you want to point to the Ukraine, what better way, and what more obvious, than putting in a keyboard --
>> That's definitely a possibility. I think that it's entirely plausible someone would create something like the Conficker botnet as a moneymaking tool, because it can be used for virtually anything. This group in Europe that was arrested earlier this year used it for a scam to drain $72 million from American bank accounts. They did that just by leasing a portion of this botnet.
>> Was that the one time it was used, or was it used several times?
>> It was driving traffic in the early days, driving traffic, and really that was linked to an affiliate program. So they were definitely monetizing it in the early stages. But then it was used again later on to distribute malware through that channel.
>> It went through stages, five versions?
>> I think, whether some strains
represent an entirely new one or not, but I -- [inaudible] three strains, A, B and C. I mentioned earlier the worm was generating 250 domains every day, randomly. And when Rick Wesson got his arms around grabbing all 250, the C variant generated 50,000 domains every day. So it's almost like, if you're willing to spend this amount of money and time and effort to stop us, we're willing to make an exponential leap.
>> Then they went one more step beyond that. They went to peer-to-peer communication.
>> That's right. In fact, the cabal actually managed to recruit the cooperation of every top-level country domain in the world, all 110 of them, and got their arms around 80,000 a
day, only to have the worm introduce peer-to-peer communications so they didn't even need it.
>> Do you think the authors were doing this on the fly, that they were monitoring the cabal's list and responding?
>> Without a doubt. They would put little clues in that they were monitoring, you know, the traffic on the list that the cabal maintained. They were tapping into SRI's system to check on what they were saying.
>> Without giving away their identity?
>> No, they didn't. One of the interesting things they did: the communication from the worm to the botmaster was encrypted, which is the highest level of public encryption method in the world. And right now there's actually a competition going on to develop SHA-3, which when it's complete will introduce the new highest level of public
encryption. Well, Conficker A has -- Conficker B used the one which came from MIT, from the one who had been the author of the previous, and then there was a minor flaw in his proposal, so he withdrew it and corrected it, and Conficker C had the corrected proposal. So my personal theory -- that might be wrong. [laughter]
>> So when they went to the peer-to-peer mechanism, you say the cabal or anyone else was never able to see into the peer-to-peer communication. Were you able to see the traffic that went between --
>> You can still see into the peer-to-peer network. So one of the big kind of issues that we face is we don't want to make smarter criminals, right? So when we start doing our actions, to make sure we are observing, we're doing what
we're supposed to. We are always putting ourselves at a disadvantage, but the fact they went to a peer-to-peer mechanism didn't make it invisible. We knew there was communication. We could still kind of track, to a limited degree, by putting sensors into the peer-to-peer network, which likely saw a significant portion of it. I know the guys at SRI were working diligently, as others were, to do that. What they were able to do is they were able to sneak a domain in, and that was because we were still trying to figure out, how do we stop 50,500 domains per day? So they snuck a domain in, the update happened, and they updated part of that to the peer-to-peer mechanism. The peer-to-peer mechanism is typically noisy. It's not as alive as the straight command and control. As you saw, there are vulnerabilities in most of the peer-to-peer pieces that are out there, so we are able, oftentimes, to analyze the malware and
the traffic flow enough to be able to impact that.
>> How many infected machines are out there in the world still? I hear 10 million; is that too big of a number?
>> Those were numbers early on, but they were using the cumulative values. What we think is, I think the latest number is about four and a half million Conficker A and B nodes, and I think around 250,000 Conficker C nodes that are out there.
>> And it hasn't done anything of note for how long?
>> A long time.
>> Are they still beating?
>> Let me go back to something, a question earlier about the head fake with Ukraine. I mean, the most logical explanation for a botnet like this, as I said, is as a platform for criminal activity, but if it's a sophisticated feint, something like a botnet of this size is also very powerful too. And if you want to launch a
cyber attack, it is easily capable of overwhelming the root servers of the internet itself. If a nation state was behind it, you wouldn't necessarily use that weapon right away. You would wait until you wanted to use it. There have been folks who have read this book and are kind of disappointed that the real world sometimes doesn't offer a dramatic ending to a story. So it is true that the authors of the Conficker botnet have not tried to destroy the internet with it. But I don't know about you; the idea that some guy could wake up on the wrong side of the bed in Kiev and wipe out communication in North America, I find a little disturbing.
>> Is your bet that there have been some arrests in Ukraine, but your bet is that they haven't gotten the Conficker authors?
>> Correct.
>> Okay. There's a spectrum of possibilities of motive here. Malware distribution, or selling off.
There's the cyberwar tool, but I discovered in your book something that was fascinating to me, and, I thought, another explanation: in one of the generations of the worm, the nodes reported how connected they were, which meant the authors were thinking about the structure of the social graph. There were some guys, I don't know if you ever ran into these guys at MIT, who were wondering whether Conficker wasn't some gigantic sensor net, that someone was trying to build basically a surveillance tool rather than a theft tool. Did either of you run into that possibility?
>> There was robust discussion within the Conficker Working Group of what the actual cause or use of the botnet was. Everything ranging from a state-sponsored piece of malware that got out of some secret lab somewhere, to the prevailing theory now that it's being used for
monetized scareware. Certainly it's too chatty. If you look at some of the more advanced malware out there now, they're not doing -- generating 250 domains a day.
>> How long have you been in this business? When did you start doing forensics?
>> I went to Florida State University in the better part of the '90s. Mr. Bowden -- a Bowden used to be the coach of the Florida State Seminoles, so it was nice to see that. So ever since I was in grad school, really starting in my undergrad in criminology, I did the master's in information systems, and I was more interested in information security. But to kind of put yourself through college you do many things, right? So really looking at network administration, that's how I put myself through undergrad.
I began to really start looking at those things. In the early to mid '90s, academic institutions -- really, "wild, wild West" was a good description of what those networks were like. Typically fragmented administration. At a public university we couldn't block anything at the edge. I hear that's still the case. So we would see some amazing traffic patterns. And usually, kind of an open honeypot is what the entire network was.
>> So really understanding how machines were getting compromised, that's what really started to pique my interest.
>> Did you have trouble keeping your spirits up? This is like owning a big ball and chain, I feel.
>> I love it. I love it. I love every day. My wife: are you going to come to bed? Hold on, five minutes. And five hours later, the sun is coming up. We were kind of discussing this early on in the green room. I don't think I could wake up every day and do the same thing,
and that's what this type of thing allows us to do.
>> I found that true not just with TJ but all those involved. People asked, if they weren't getting paid to do this -- TJ has a job to do this, but some of these folks are actually doing it out of the goodness of their heart -- why were they doing it? And I think maybe the right answer is, fun. It's fascinating. It's like, these people think they are smarter than we are. I don't think so.
>> They are sometimes.
>> No, never. [laughter] We have seen all the cowboy movies, right? How many members of the cabal are here? Rick is here. Is Paul here? Anybody else? Two of you. Are we a dying breed?
>> So, what's your take on this white hat counterculture? What did you come away with from this group of people who are engaged in this struggle?
>> I think you could make an argument that Conficker is not --
it's tremendously interesting and sophisticated. It might not be the most dangerous worm ever. The botnet might not be the largest one ever. But for my purposes it's a wonderful case study. And it gave me an opportunity to sort of walk around in a subculture, in this case the culture of computer security geeks, uber-geeks I call them, excuse me.
>> Nerds, it's okay.
>> Okay. And I think for me that's the fun of reporting and writing, is learning about aspects of the world and modern life that I otherwise would never encounter. And so for me, I think that this is a unique subculture, because the internet is a relatively new phenomenon. It's grown so rapidly that you find that the folks who were at the sort of vanguard in the field,
there are very few of them. It isn't like you can go -- nowadays you probably could, but I know that when he went to Stanford back in, I guess, the 1980s, I'm probably making him older than he is, maybe 1990s, he had to actually shop around for a college professor to teach him something, because he had grown up playing with computer networking systems, and it was such a new thing that he developed a very high level of proficiency on his own. And it was really difficult to find someone who could tell him or teach him anything. And I think that level of skill has continued. And it has developed in different individuals for different reasons. But that's how I see them. It's interesting to look at that. If you talk to Andre back in Jersey, Andre Ludwig, some of those guys are basically self-taught.
>> Andre, I think he went to community college, and he was running security, he was the
IT security at a very small company in New Jersey, and discovered that somebody over the weekend had broken into his network and used it to stash a lot of pirated music and movies. He was able to clean it out and secure his network, and his boss said okay, end of problem. But Andre thought -- he went back and checked the system, and these other people were rattling his doorknob all the time to do this kind of thing. The idea that someone in Eastern Europe was trying to deposit a lot of illicit material in his little office park in New Jersey intrigued him so much that he set himself on a course where he has become one of the leading authorities on botnets in the world.
>> Did you spend a lot of time with the Shadowserver group? Or just with -- talk a bit about, what is Shadowserver?
>> Primarily at the time with Andre, but I also talked to Richard, who I think was one of the originators of it. Essentially they, again, the essence of a volunteer organization, they began
monitoring botnets, dissecting the malware that creates the botnet, and killing it. They consider themselves to be botnet killers. And they would inform networks. They would, just out of the blue, call a network security guy and say, we are calling from Bergen County, New Jersey, to let you know that your network has been hijacked by somebody, and they would routinely be dismissed as someone pranking them or someone showing off, but in time people realized that they were right. And they were offering this information for free. So Andre, his philosophy is, it's kind of like if you see someone's house on fire, do you charge them to inform them that the house is on fire? He thinks not. So he knocks on the door and he says hey, your house is on fire. So he does this out of the goodness of his heart.
Andre and I and Richard talk a lot about that, kind of that model of saying hey, what's the right thing to do. They're strong, Shadowserver -- at the end of the day we do these takedowns. The goal is to reach out to that end customer and try to clean them up and let them know hey, there's some things you need to be doing in order to be a good citizen.
>> A couple of times you've talked about the takedowns, but is your group engaged in sort of wide-scale disinfection? You mentioned some things that suggest you've written code that goes out and removes infections. Is that routinely done?
>> I will be clear.
>> On what scale have you done that?
>> The removal tool that comes as part of the Windows Update package runs on about 700 million computers each month. So that's one of the tools that we use as part of the automatic update process. But that only gets the machines that have the box
checked.
>> Yes. We also developed tools: the enhanced -- a disc called System Sweeper that boots to a PE image that has a full signature set. We engage around the world on all of our operations to get information from our sinkhole so they can go out and carry that message into their countries. So, well, that was the first time we had that remediation piece in place, and it's slow going. It was rough, it was ugly: who didn't want the data, who wanted the data, were they able to actually use the data? We learned a lot of lessons, and it took us about a year to get about 90% cleaned. When we did the Rustock operation we actually had a 50% reduction in the first, like, 45 days or something like that. So we are getting better. Is that a long-term solution? No. We need to figure out what is the longer-term solution where we can really have more impact, but we kind of come up against: we are the good guys, we can't push to the machine like the bad
guys. What other mechanisms are available? So we have a robust debate.
>> One of the things, Mark, that was so good, at least compelling to me, is in describing your patching process and when that patch went out, sort of you being prepared, realizing there was an instruction manual you'd given to the black hats out there, and you alerted them to a vulnerability. To me, how do you get around that as a structural problem that you are facing?
>> The guys in Trustworthy Computing, they weigh on that heavily. So the understanding is, if there's a vulnerability in the OS or any of our components that is being actively exploited, we weigh that. There's a lot of people that are dedicated to that. We know as soon as we do, a whole bunch of people are going to say okay, what did they change? They would put it in the editors and see what changed in these bits. They can very quickly start to look at what vulnerability was patched.
So that's something that does go into the equation. At the International Botnet Task Force meeting in Virginia in 2008, when we announced the patch, we said hey, let's start looking at this. We had the advantage of having security researchers from 45 countries in the room. And we spent about an hour and a half with everybody; we had folks in there with us. We started to get, shift it around. We knew it was a wormable vulnerability; we needed to get the patch out there. There were people in the room patching their machines live over the Wi-Fi at the coordination center. Should've probably planned ahead for that. But it was one of those things that you can't avoid. You're going to fix something, people will look at what the update did. I know I have friends that -- what was it, six weeks later Conficker appeared?
>> It was a really short amount of time. The first thing they do is they take a snapshot of the OS that is running, like you take the car to the dealership. They get the update, they bring it back, and what did they tweak? It's curiosity. These guys use that curiosity for nefarious activity, though.
>> You paint a really good picture, a compelling picture of the white hat culture. Did you look at all at the black hat culture? Did you spend any time on the other side of the fence?
>> No, I honestly -- I did look at, there are websites where some of these purveyors are openly celebrating their success. I watched online a company party that one of these groups was having, with them raffling off cars to people. And there was a rock band and everything else. This was in Russia. It was very funny.
>> Yeah, it was funny.
>> But it showed the level of
involvement and openness with which people are engaged in this in certain parts of the world. The scope of this book I deliberately chose to narrow to the struggle against Conficker, and since I didn't know, I was hopeful, to be honest, that they would catch these guys before I finished writing this book. If they had, I would've tried to go wherever it is they are from, the Ukraine, and tried to add that piece to the story, but, unfortunately, that didn't happen in time.
>> And there's $50,000 out right now for anyone leading to the successful arrest and conviction, and if anyone knows anything, I think Mark would want to know about that.
>> Do rewards work for you?
>> We have gotten some tips.
>> We issued, I think, four rewards at this point. The first one not so much, the second one yes, we found some good tips in the Conficker case, and most recently we issued the reward for Rustock. We can't talk too many details about that.
7:38 am
It's ongoing but it has been referred to the FBI. $250,000, I would love $250,000. Well, they're taking millions. There's an additional $250,000. We will see.
>> Do you have a favorite success? Either because, you know --
>> I don't use success, as I have favorite things that happened. Not necessarily all successful. I think I have learned more from failing than from successes. So I would think early on, when we started to kind of contemplate the Microsoft active response strategy, looking at Srizbi with the guys from FireEye, kind of realized what the challenge is. I was considering, going, I have budget, why can't I just buy all these on my corporate card? And my manager isn't going to charge $35,000 worth of domains on a corporate card? That's not going to work. Just figuring out those things we can do. Obviously buying the domains is not a long-term solution, but
7:39 am
as a stopgap it would've worked. I think Srizbi is one of those things that I think motivated me and a lot of the guys I work with, that we're not going to let that happen again.
>> A couple more questions for Mark and then I will turn over to some good questions. Can you contrast reporting this world with reporting in the "Black Hawk Down" world?
>> Not that different, to be honest. I made a joke, and it's true, how I had to literally stop every sentence to ask what it is they were talking about. And it was also true when I started working on "Black Hawk Down." Soldiers spoke in the jargon, referring to weapons systems. You know, they speak their own language, and I was, in the beginning, really stopping people all the time, saying, well... I remember you are often mistaken as an expert in the field you've just written about, and I was talking
7:40 am
about "Black Hawk Down" and a colonel in the back of the room raised his hand and he asked me if I thought a Bradley armored vehicle should've been part of the force protection package in Mogadishu. And I said, well, I think before you can have an opinion about a Bradley armored vehicle you need to know what one is. [laughter] Reporting is reporting. Back when I used to cover football, sportswriters would ask, how can you go from covering science, or covering politics, or covering transportation, to writing about sports? And I would tell them it's a transportable skill. The whole idea is that you go into a world you don't understand, you find the people who can educate you, you ask questions until you arrive at your own level of understanding, and write the story. That in a nutshell is what I do and why I like doing it.
>> One last question. I think you would have been deeply engaged in Conficker when it came on the scene?
7:41 am
How did you, as you were writing your story, and there's this other story, that is sort of -- the great thing about Conficker is it was one story and you had a grasp of it -- did you feel conflicted because there's another big --
>> Not much, to be honest. I have kind of a disinclination to try, to be running the same story that everyone else is writing. And I've no doubt that Stuxnet would have attracted a lot of attention. Maybe you're writing one, John.
>> I am not. I have no desire to compete with those folks. I would rather find a story that no one else is telling. And to me, I recall when I wrote a book about the Eagles in the 1990s, all of the sportswriters saying to me, why are you writing about this season? They didn't win the Super Bowl. Well, it didn't make any difference to me that they didn't win the Super Bowl. It was an opportunity to write about that world and those people. So to me that's what this story is. The fact that there might be a
7:42 am
sexier story that comes down the line is almost guaranteed, but it doesn't really influence me.
>> Let me get the audience involved by way of cards, because there's some interesting questions. This is a two-part. One is a question and one is a comment for Mark. The question is, what is the Conficker for a Unix environment? That's probably not a question for me. What Unix? [laughter]
>> Let me ask this question. There's this operating system, a lot like a Unix environment.
>> Very much.
>> Why do you think you have such a larger problem than the Macintosh world has, aside from the fact that they have 10% or 7% market share? Is there anything else different?
>> I think we can hang that on a number of things. Market share being kind of one that has been beaten to death. Also the fact that there's not that much money in it. If you think about what the
7:43 am
problem is, it's a cybercrime problem. They don't do this for giggles, like we probably did back in college, right? I can make people's computers do funny things. They are about money. They can cast a really big net on Windows. I think the Apple users are going to see a little bit more of it. I think there's going to be their turn to kind of have their Windows XP Service Pack 2 moment, but right now it's one of those things, it hasn't hit yet.
>> I remember this paper, so if you go make your argument, it's the question of scale. You make that argument and then you estimate what the percentage of market share is they would have to reach to be at that point, and I think it's like 19.7% market share. But it's also, criminals are smart. They are lazy, that's why they are criminals, but they are smart, too. They realize an Apple computer costs this much more than a normal PC. Does that have something to say
7:44 am
about the socioeconomic status of the people that are doing it? They might write banking trojans for Macs and then write a different spam trojan for Windows machines. We will start to see more of that happening. But at the end of the day it's cybercrime. If I need a car and I'm a car thief, I don't care what kind of car you drive. I need a car. I'm going to go steal a car. So bringing it back, there's security ramifications; Windows 7 is more secure than Vista, which is more secure than Windows XP, Microsoft learned that as we go. But there's also that other element of cybercrime. Criminals are going to go where the money is.
>> Just a comment to Mark. Some of us who have been involved since the 1980s have always been scared by, quote, Conficker instances and how to attack them without killing the network. Another question, do you think
7:45 am
the worm creation might have been funded by a terrorist group like al Qaeda?
>> No. And I think because we have never seen that level of sophistication from terrorist organizations, and also the way that it's been used, there's nothing to stop the authors of the Conficker botnet from launching a massive cyber attack on April 1 of 2009, other than, I think, you probably don't want to take down the internet. They probably want to use the internet to make money. So if it was a terrorist organization we would probably know by now.
7:46 am
>> Things like that, we obviously have the Trustworthy Computing contingent, an arm of individuals from across the country that work to triage vulnerabilities and have timely patches. We have automatic updates, we have a division called the Microsoft Malware Protection Center, so we offer free antivirus. We've seen a shift from attacks against Windows to a shift in attacks against third-party add-ins and social engineering. So at the end of the day we're really, I think we're making huge strides on the security front as far as OS vulnerabilities; now we're working really hard with partners to secure those applications. In our fusion center we have EMET, the Enhanced Mitigation
7:47 am
Experience Toolkit. It allows you to put some controls around specific applications within the Windows environment so you can actually have application-layer ASLR, application-layer DEP on the machines. So that's, again, you know, we're learning by being forged in the fire, right? So for the past ten years we've really been under the scrutiny of the security community, and I think we've stepped up to that challenge. At the end of the day, if Granny wants to install the dancing pigs screen saver and that's been trojanized, we try to make it so that folks have an informed decision of what they're installing on Windows, but then we have teams that, if something does get out of control, we take that legal and technical acumen, and we try to protect our customers in a new and, quite frankly, unique way for all of industry.
>> Wasn't there, I mean, if you go all the way back to the Morris worm, it was a
7:48 am
vulnerability used in part as its infection mechanism. What is it about buffer overflows that are so hard to find?
>> There's lots of buffers. [laughter]
>> You've got automated stuff.
>> Yeah. So we put a lot of our code through the SDL. That's one of the attempts to try to attack that. Then there's DEP and ASLR, so really making it more difficult for the hacker to guess, to be able to hack parts. But they're sharp. We'll close buffer overflows, and they'll come up with something else.
>> It's a classic arms race.
>> Yeah.
>> Every time in history someone has come up with a way of defending the castle, the attackers find a way to breach the defenses, and this is just happening in an intellectual realm.
>> So a question here. You gave statistics on the number of infections. Does this estimate include pirated software? If not, what do you estimate the actual worldwide number of
7:49 am
Conficker infections to be?
>> So the infection number estimates are based on sinkhole data, so we don't distinguish between pirated copy or legitimate copy. So that's a true number, and it's flawed in all of its ways, you know? We just, we took kind of the academic argument out of it, and we said, how many unique IP addresses do we see per day? You know, there's address renewals, DHCP, there's all kinds of stuff that will muddy those numbers, but if you take into effect people that are behind DHCP, we think there's a 20% reduction in the number. 4.5 million is the most accurate number we can come to, knowing all the flaws, so that's the best number we have. To speak to one of the other subquestions that was going to be asked, and I'll take the time to answer it, Microsoft does issue patches to pirated versions of Windows. If you, if it's a critical patch, we issue that. You have to be at the right
7:50 am
patch level in order to receive that patch, but absolutely we issue it. If it's of a critical nature to the OS and you connect to the Windows Update site, you'll be able to install that automatically.
>> How hard would it be to create a persistent botnet bigger and more stable than Conficker?
>> Not hard at all, I wouldn't think.
>> Depends on the nation state.
>> It does. [laughter] I mean, if you're aware of a vulnerability and you can exploit it, um, you know, something like that can spread very, very rapidly.
>> I would think it's also even subtler than that. Some of the new technologies we're seeing now, new attack vectors through, like, the ad exchange, for example, browsing espn.com and getting hit through a third-party plug-in on your
7:51 am
Windows box, those are things we're looking at to do mass compromise --
>> The trend appears to be away from that, though, doesn't it? For a long time it was creating massive botnets, and now the trend seems to be more these advanced persistent threats where you have a very carefully sculpted exploit for a specific reason.
>> Yeah. That's what you see is kind of the purpose. So if I want to make a lot of money really quick, I'm going to compromise a lot of machines knowing I have a six-day window for the antivirus to update and go. If I want to be on the screen for a long time, what you're seeing is a fourth type of approach. You're seeing really advanced malware and new innovative techniques to get up to the box for more of the criminal enterprise, so you're absolutely right.
>> A couple of years ago the FBI stated that something like 100 countries had offensive cyber warfare programs. You're out there in the real
7:52 am
world. Does that seem like a plausible number to you? Any way to --
>> Yes. [laughter]
>> I don't know where they came up with the number. I would think that there's probably most --
>> Yeah. In the modern world, I mean, so much -- we increasingly lean on the internet for so much that anyone who is thinking about going to war who has a military would incorporate cyber warfare into their package. We saw it when Russia invaded Georgia, we saw it in the invasion of Estonia, you saw it with Stuxnet. Certainly any country with a major military or defense department is developing capabilities not only to defend themselves, but to attack their enemies.
>> So are we going to run into, or have we already entered, a stage like the period of nuclear testing, with, you know, countries that were developing nuclear weapons were testing them in the atmosphere? Are we at the cyber equivalent stage where you're, I mean, Stuxnet certainly wasn't a test,
7:53 am
Stuxnet was an act of cyber war, but do you think we've seen tests of --
>> Well, you certainly see it in espionage, you know? There are mounting numbers of instances, where a lot of it is traced back to China, whether correctly or not, you know, where supposedly secure American networks are being scanned for data and uploaded, data's being uploaded from them and spyware's being installed, keystroke logging, and, you know, this kind of stuff has just become fairly commonplace.
>> Yeah.
>> With the ever-growing presence of mobile platforms on the internet, are there any botnets targeting mobile devices specifically?
>> So we definitely see an increase in the amount of malware kind of impacting the mobile platform. As our devices get smarter and more -- always on, always
7:54 am
connected to the internet, um, that's a logical place. I think most of what we've seen on the Windows Phone side have been exploited either in the handset hardware itself or through the marketplace. I can't speak to other companies in the Valley that might be experiencing different things, but you're going to see it. You're going to see it on the tablets that are out. People are walking around with tablets and a mobile device. It's just clear, the bad guys are going to go where the money is.
>> Yeah. In terms of your new mobile platforms, the various new Windows-based mobile platforms, are the interfaces common in any way that there'll be common vulnerabilities?
>> I didn't --
>> So you have a Windows phone there. How much does it look to an attacker like a Windows PC?
>> So it doesn't look like it. It's a fourth part of our code. It's partially based on the Windows Mobile operating system, but it's almost a complete rewrite. So as we kind of go from Windows Phone 7 to Windows Phone 8, it's going to be a little bit
7:55 am
different.
>> And in terms of -- has Microsoft said, in your, in the applications that run on your mobile platforms, how similar or different will your strategy be to Apple's in terms of curating and trying to keep the universe closed? Will you be closer to Android, or will you be closer to Apple?
>> I don't know the answer to that question, but I'll say Windows 8 is going to have an app store, so we have a lot of benefit of having some of that in the cloud. If you think about how Microsoft's positioning our technologies, my experience in Windows 8 should be the same on any device that I log into; I should be able to get those applications that I want on demand. So the way we're looking at it is, how do we vet those applications in the marketplace before they ever make it down to the device?
>> Okay. This'll take a little bit of explanation. Is the project with untraceable routing a sensible idea or
7:56 am
paranoid lunacy?
>> I like Tor.
>> I didn't read it carefully, but there was a paper on Tor that suggested a new set of vulnerabilities. Do you think, I mean, how, you know, how much can you trust your anonymity with Tor? Do you have any sense of --
>> I think it comes back to that same question. Software's written by humans, humans are inherently fallible. Nobody's going to write the perfect code. Maybe it's been written in here by someone we don't know about; if you are, I'd like to hook you up with a job. [laughter] If you poke and prod at any piece of software, you're going to find new and interesting ways, and you alluded to it earlier in the conversation, most of the vulnerabilities we're looking at are memory-type modifications. What's next? That's what I'm thinking about. We're trying to figure this out, but what's my kid going to use to compromise my refrigerator
7:57 am
and let the beer out, you know? When we live in the year of the flying cars. So, yeah, I think you have -- if you're going to go out on the internet and use internet resources, use these tools, you have to understand what software you're using. I think most people don't get that. I get that from my sister-in-law. She's buying something on am, if you get exposed to something, whose fault? She points at me. [laughter] If they get owned, it's our fault. So figuring out a way to manage that as well is kind of a difficult, sometimes heated debate in my house. [laughter]
>> Are efforts still being made to block communications between the botnet and its creators? If so, how long will it be possible to sustain this effort?
>> Right now we're in year two
7:58 am
and a half or three. If Rick is in the room, we just had the latest 2012 list come out, so we're working with the high-level TLDs to block those. On the country side, it's a little bit more difficult. Some of those folks have fallen off wanting to block it for much longer. So I know that the big TLDs are still doing a couple, ccTLDs are participating, and they represent the bulk of the infection; really the A and B infection is a smaller group. So they've been amazingly open to continuing the effort as long as we produce a list, they're able to go in, they have the process kind of automated.
>> And the individual nodes themselves present a signature, don't they? Could you use that to -- what are the intricacies of actually taking it off of a machine that is running an old version of Windows and may not have any protection at all? Is that a workable strategy?
>> Absolutely.
>> Because you've done some of
7:59 am
it?
>> Yes.
>> Does a great job of producing parts around the world, Microsoft has developed a number of tools to make it pretty easy to get it off of the machine. If everybody in the world would just go to automatic updates, they'd be clean. The people that are infected are, basically, people that don't have the minimum protections. They're not running updated antivirus, the guys have stopped developing code. This code's been detectable for the better part of three years, the vulnerability's been patched, so these are just folks kind of in limbo not doing what they need to be doing.
>> I think we're getting the cane. [laughter]
>> Do you have one or two more questions?
>> No, we're done, okay?
>> All right.
>> That's great. Please, join me in thanking the panel tonight, ladies and gentlemen. [applause]
>> You can watch this and other programs online at booktv.org.