For years I've been railing about the lack of real joint industry progress on Spam control and saying we're "fiddling while Rome burns." I'm starting to wonder if that was an understatement. It's been an interesting month or so for security. First, a San Jose (CA) hoster was shut down because of investigative reporting by the Washington Post, and the result was a dramatic drop in Spam (more than 50%), apparently because this site hosted much of the payment system used by the bad guys (the infrastructure behind renting a bot net, for example). The good news was the unexpected magnitude of the impact; the bad news was the fact that a newspaper was the driver. Then, a couple of weeks later, John Markoff wrote a pessimistic piece in the NYT suggesting that the economics of malware were now so robust that the bad guys were outspending the good guys (follow the money!). And then this week Microsoft went to heroic overtime after an attack was found in the wild that was used for "drive by" infection (just visit a bad site) and that was able to do anything the unfortunate browser user could do (ANYTHING). Within just a couple of days Microsoft had patched the problem. Before you start dumping on Microsoft, read the Secure Development Lifecycle (SDL) blog entry Michael Howard just posted. SDL is generally accepted by experts as the state-of-the-art in trying to develop secure software; Michael's entry explains why it wasn't enough in this case. It sure feels like we're fiddling while Rome burns (we never really do much to mitigate bot attacks because that requires complex industry technical and financial cooperation). This is all very scary!
