Schneier on Security
A blog covering security and security technology.
April 23, 2009
Conficker's April Fool's joke -- the huge, menacing build-up and then nothing -- is a good case study on how we think about risks, one whose lessons are applicable far outside computer security. Generally, our brains aren't very good at probability and risk analysis. We tend to use cognitive shortcuts instead of thoughtful analysis. This worked fine for the simple risks we encountered for most of our species's existence, but it's less effective against the complex risks society forces us to face today.
We tend to judge the probability of something happening on how easily we can bring examples to mind. It's why people tend to buy earthquake insurance after an earthquake, when the risk is lowest. It's why those of us who have been the victims of a crime tend to fear crime more than those who haven't. And it's why we fear a repeat of 9/11 more than other types of terrorism.
We fear being murdered, kidnapped, raped and assaulted by strangers, when friends and relatives are far more likely to do those things to us. We worry about plane crashes instead of car crashes, which are far more common. We tend to exaggerate spectacular, strange, and rare events, and downplay more ordinary, familiar, and common ones.
We also respond more to stories than to data. If I show you statistics on crime in New York, you'll probably shrug and continue your vacation planning. But if a close friend gets mugged there, you're more likely to cancel your trip.
And specific stories are more convincing than general ones. That is why we buy more insurance against plane accidents than against travel accidents, or accidents in general. Or why, when surveyed, we are willing to pay more for air travel insurance covering "terrorist acts" than "all possible causes". That is why, in experiments, people judge specific scenarios more likely than more general ones, even if the general ones include the specific.
Conficker's 1 April deadline was precisely the sort of event humans tend to overreact to. It's a specific threat, which convinces us that it's credible. It's a specific date, which focuses our fear. Our natural tendency to exaggerate makes it more spectacular, which further increases our fear. Its repetition by the media makes it even easier to bring to mind. As the story becomes more vivid, it becomes more convincing.
The New York Times called it an "unthinkable disaster", the television news show 60 Minutes said it could "disrupt the entire internet" and we at the Guardian warned that it might be a "deadly threat". Naysayers were few, and drowned out.
The first of April passed without incident, but Conficker is no less dangerous today. About 2.2m computers worldwide are still infected with Conficker.A and B, and about 1.3m more are infected with the nastier Conficker.C. It's true that on 1 April Conficker.C tried a new trick to update itself, but its authors could have updated the worm using another mechanism any day. In fact, they updated it on 8 April, and can do so again.
And Conficker is just one of many, many dangerous worms being run by criminal organisations. It came with a date and got a lot of press -- that 1 April date was more hype than reality -- but it's not particularly special. In short, there are many criminal organisations on the internet using worms and other forms of malware to infect computers. They then use those computers to send spam, commit fraud, and infect more computers. The risks are real and serious. Luckily, keeping your anti-virus software up-to-date and not clicking on strange attachments can keep you pretty secure. Conficker spreads through a Windows vulnerability that was patched in October. You do have automatic update turned on, right?
But people being people, it takes a specific story for us to protect ourselves.
This essay previously appeared in The Guardian.
Posted on April 23, 2009 at 5:50 AM
• 44 Comments
--You do have automatic update turned on, right?
Either you already did, or you can't turn it on anymore: you have Conficker already :-)
"In fact, they updated it on May 8th, and can do so again."
typo? the update was April 8th,
Is anybody else seeing weird unicode characters on here instead of apostrophes?
People need to realize that the news is covering events that rarely happen or aren't a common occurrence and aren't likely to happen to most people.
and yes, I see the unicode.
Mojibake! Mojibake! Everyone loves Mojibake!
The behaviour described is not a bad heuristic. Especially considering that we have limited RAM.
"We fear being murdered, kidnapped, raped, and assaulted by strangers, when friends and relatives are far more likely to do those things to us."
Excuse me, but that depends on your friends and relatives. None of my friends or relatives are in the least likely to do any of those things to me.
Schneier predicts May 8th because:
a) Bruce controls Conficker (proof on May 8)
b) Bruce has achieved Internet Security Nirvana and can predict its future
c) Typographical error (April 8)
Since the simplest explanation tends to be correct, I'm going with ... (b) because there is no way he could have made a typo.
Quote: The New York Times called it an "unthinkable disaster," the television news show 60 Minutes said the worm could "disrupt the entire Internet," and we at The Guardian warned that it might be a "deadly threat." Naysayers were few, and drowned out. Who wouldn't be scared, after all that?
Are you confusing general risk analysis with sensationalistic journalism intended to get viewers to tune back in after the commercial?
Summation--Ignorance breeds fear, and most people do not understand the world around them enough to sleep well at night.
This is a curious situation. People buy a system knowing that it is inherently insecure, even though security is a major concern. So to them it is broken, but instead of switching to a working system or trying to persuade the manufacturer to fix it, they botch it up with another commercial product, thereby creating a market that relies on the fact that the first product is broken. Even more, the av industry needs people to be scared, because what they sell is basically a feeling of security.
Bottom line is: People are paying a lot of money to firms that have a commercial interest to keep their systems unsafe and them scared. And now I begin to wonder who exactly those criminals are that keep writing virii, worms and trojans.
@ "You do have automatic update turned on, right?"
You do use a non-Windows operating system, right?
Basically all you've really done is demonstrate how the media (enterprises seeking profit) have no problem using fear to promote buying their newspaper or watching their show.
The 60 minutes segment was filled with so many misstatements that it was obvious no attempt was made to conduct journalism. It was merely a way to pounce on a mythical event and sell some ads for it.
That doesn't change how people feel about it.
I work at a software firm. We're people who use computers every day. No one really cared. No one was scared. No one stopped working or succumbed to fear. The IT folks had already taken all the appropriate actions.
It was a non-event.
This is where I disagree with the premise sometimes put forth that people run around scared. I actually think that generally they don't. Generally no one is anywhere as fearful as they were a few days after 9/11. People were on guard, thinking about the safety of going to school or the mall. No one even gives that a second thought anymore.
That's a tangent though. I honestly think the abuse on Conficker by the media was just to make money. No one really cared and no one was scared.
What Patrick said. Part of people understanding their risks is to fully inform them. One of my pet peeves is when the media reports "computer danger" instead of "Windows danger". Even you did it a little more than I'd like in this story, Bruce.
Bruce Schneier doesn't make typos. He makes the future.
Conficker is not the problem. People are the problem...
For Conficker my team goes thru our systems and verifies all is well...we are 100%
For giggles we attempt to log into some systems we depend on, but should not have access to. Lo and behold not only are we Full Admin, but NO patches have been applied to these systems in a year.
Fake virus scares are GOOD. They make people check their processes and go the extra mile to check the guy in the next cube.
""We fear being murdered, kidnapped, raped, and assaulted by strangers, when friends and relatives are far more likely to do those things to us."
Excuse me, but that depends on your friends and relatives. None of my friends or relatives are in the least likely to do any of those things to me."
If you look at the statistics, the numbers show that those doing the type of attacks listed above are usually more familiar with the mark than a random stranger on the street.
Nitpick from a geology minor: If there's only one fault near you capable of causing a major earthquake, and the section nearest you has that earthquake, and then you buy insurance, then yes, you're getting it right at the moment when it's least needed. However, if you live in an area with more than one fault capable of doing serious damage (which most people in California do), a major quake on one may actually *increase* the chances of a quake on one of the others nearby, depending on how the stress is redistributed.
"Excuse me, but that depends on your friends and relatives. None of my friends or relatives are in the least likely to do any of those things to me."
Likely as not that is what most of the victims thought as well! That is why those people are in "positions of trust".
I am not sure I agree with the statements about relatives and airplanes. I am not disagreeing with the statistics, just the reasoning. Isn't the fact that people feel safer around friends and relatives a matter of trust, not the inability to calculate probability of complex situations? Also, isn't the fact that people feel safer in a car rather than an airplane a matter of control, not the inability to calculate probability of complex situations?
Of course it is easier to commit a crime against someone you trust. That's the point of trust - you lower your guard to that person. But it's very hard to have a friendship with someone you don't trust -- not to mention the anxiety that one would have in that scenario.
As far as airplanes versus cars.. I'm more afraid of flying (which I am not "afraid of") not because the news publicizes crashes or because of control -- it's because the odds of surviving a plane crash are a lot lower than a car crash.
It's not just a matter of trust for the strangers vs. friends/family crimes. It's not even just a matter of increased access to the victim. It's a matter of motivation as well. Friends and family are a lot more likely to have personal motivations for the acts they are going to commit. And people who would normally never think of committing crimes will do all sorts of things once personal motivations get involved.
For the most obvious example, by far the most common perpetrator of child abduction is one of the parents, in particular the parent who didn't get the child after a divorce.
The April 1st "let down" was a media event and not based on actual analysis of the malware. Also commonly misreported, the botnet will not shut down on May 3, but rather one component will disable leave the rest behind. But, Bruce correctly points out that the malware can be updated and change any predictions that are made.
To see if you are infected with Conficker, please visit http://www.baylor.edu/its/security/conficker/ .
"You do have automatic update turned on, right?"
No, actually I don't - and for precisely the reasons this article is about.
Windows doing automatic updates sometimes does an equally automatic reboot. And when it does that (in those circumstances), it forces the closure of all open files without saving their content. So the real threat to my data comes most immediately from the supposedly trustworthy OS. That has done me real harm in the past; manually updating the system as updates are available may leave a theoretical window of vulnerability, but not one in practice where the risk is anything like the popularly perceived threat or which has caused me any actual problems.
The analogy with being assaulted by people you know more often than by people you don't seems particularly apt.
Another book for your pile
Dread: How Fear and Fantasy have Fueled Epidemics from the Black Death to the Avian Flu by Philip Alcabes
Ah, I remember that. Got me on my soapbox, preaching the name of Linux to a suddenly interested crowd. There's some small, irredeemably evil part of me that wishes it had gone off so I could've run around saying "ya should've gone Linux, suckas!" Kinda hypocritical, since I have a dual-boot system for gaming...
I do not trust most of my friends. Mostly I am only friends with them because my lifestyle requires that I be around them so it is easier to smile and act friendly than it is to tell them how I really feel. Besides, it is not as though they are bad people, it is just annoying the pressure they put on you to understand subtle hints and pretend to be happy all the time no matter how miserable you really are. Well, maybe some of them are bad people, but who can really tell, with everyone smiling and acting friendly.
As for relatives, I definitely did not pick them.
My best friend is probably my Pentium III computer, which is much more reliable than my newer computer.
"It's why those of us who have been the victims of a crime tend to fear crime more than those who haven't."
On the other hand: People in rural areas with few foreigners tend to be more xenophobic.
@Kaukomieli. Hence Al Qaeda and the Taliban. The "War on Terror" is actually the "War vs xenophobic country folk".
I've been waiting for you to write this.
Bruce, what's up with the softpedalling of the design failures? The statement, "You do have automatic update turned on, right?", is inexcusable given, first your background and, second, that an upgrade to Ubuntu or OS X would stop the worm, and subsequent worms, in their tracks. Granted OS X, Linux and even BSD could do better to implement W^X partitions, but the current state is still light years ahead of that amateur 1980's goo called Windows.
You remember Spaf, right? He pointed out, "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." Every year since then, people get stupider (or more corrupt) in turning a blind eye to the *source* of the problems and pretending selective amnesia.
Basically at this date, any advice other than "stop using MS products" is being an accessory to the damage. And with the involvement of organized crime, it is helping enable the criminals.
Moral and ethical considerations aside, there are pressing economic reasons: Getting rid of MS products, across the board, would save billions per year. The difference could be used to hire any number of programming teams to fill in any software which might be missing or fill out any that could be improved.
Using MS products is harming the US worse economically than even smoking ever could. In context, if any other group, militia, party, organization or country decided to do or enable $10 billion of damage to the US economy, you can bet that SF would be sent in to scope out the ring leaders and "deal with" some of the henchmen. And once it was determined when and where the ringleaders could be found at the same time and same place, the air strikes and naval bombardment would begin until ground zero was a smoking pile of slag. At that point, the Marines would be sent in to destroy any pockets of resistance while the Army came in to establish holding and interrogation centers.
On the business side, that would be concurrent with freezing and confiscating assets.
Since I don't have any computers that run Windows, I'm immune.
The only operating system that is vulnerable in this way is Windows. Microsoft should be forced to pay for the damage that their bad programming practices cause.
Of course with the number of lobbyists they employ, this is really unlikely. Still I can dream...
If you think that the conficker was another malicious program designed to exploit your computer then you are wrong and you have been a victim of the planned and manipulated media content.
conficker was basically a program designed by the underground hackers to expose the fact that there are many loopholes which are intelligently [may intentionally] placed in the operating systems so that when THEY want they can take control of the entire world since the world only depends on the information technology and most of the IT is based on the windows operating systems.
It is a program which can be used to take control of all the computers that it has infected using the loopholes that are built in or hidden in by the microsoft into their operating systems so that they can do their dirty job whenever they want.
when they realised that someone already knows about this, the next thing was the cure, yes all 3 major security service providers, symantec, kaspersky and mcafee came up with a cure. how amazing and surprising. It was almost like some one gave them the cure so that they can use it in their operating systems.
No child is going to believe that microsoft was not aware of such loopholes in their operating systems.
i hope there are at least some people who knows what i am saying.
Nitpick #2: Two severe earthquakes in a row is quite possible, and no less likely than independent-events probability would suggest. This is one case in which it actually does make sense to buy insurance.
Why this is true: faults don't release all of their energy. It could release a small part of it, almost all, or half, unpredictably. It was previously believed (probably including when the geology minor went to school) that most or all of the energy was released during a quake, but this was recently (less than 5 years) found to be false.
"We fear being murdered, kidnapped, raped and assaulted by strangers,
when friends and relatives are far more likely to do those things to us."
There is something *so* wrong about this statement. If a man rapes his daughter, does that make every man "more likely" to rape his own daughter?
"If a man rapes his daughter, does that make every man "more likely" to rape his own daughter?"
The set of men that have daughters can be divided into two mutually exclusive sub sets of those that have and those that have not raped their daughter.
By the process of performing the act of rape for the first time the man moves from one set to the other therefore the ratio between the two sets has changed.
On the human side of it then yes I would side with your feelings that the behaviour of one aberrant person does not of necessity reflect on all the other people in society.
@ Clive Robinson
I appreciate your response. But if I may paraphrase your answer to my question, it would be: "No." And that was exactly my point. Translating a statistical calculation into a meaningful interpretation is perilous work. It may be perfectly rational to fear strangers more than your own family -- or maybe not -- but depends on who your family is, not on a statistical treatment of everyone else's.
To turn this same fallacy on our good host, a man who certainly has the capability to create and distribute all sorts of nasty viruses: as the incidence of viruses increases it becomes ever more likely that our computers will be attacked by one of his.
Yes I tend to agree with your point.
The problem is a mathematical model is just that, a model, it is not reality and unless quite sophisticated has no way to take "means / motive / opportunity" into account.
Also there is the predeterminism aspect of it. The Free will to do or not do an action means that in general we are like the molecules in a hot cup of tea. We move around frantically on individually random paths, it is only en masse that it can be seen that the most frenetic movement is at the top of the tea in the center.
At some point all macro models will cease to have meaning on a smaller scale the question is when and in what way.
Sometimes we have to stand back from our models and sanity check them, else we err and build unfounded hypothesis on unfounded hypothesis. And due to our own limitations take it as a predictor of "fact" not "probability".
There's no mention of -->MICROSOFT
Why bother doing anything? There will just be some other problem come up, so let’s just get it over with. Ruin everyone’s computers, just like they did our 401ks and our home values. Let’s forget the internet and concentrate on nukes in suitcases or super resistant bugs.