Sometimes there are discussions that take too much effort, space and time and serve no purpose other than to derail discussion and attention. The same kind of discussion as the one about the first of April non-outbreak is now taking place between researchers who all claim to have an idea of how many computers and networks are infected by the Conficker worm.
First of all, it is not important whether it is 1 million, 2 million or even 100 thousand. None of this makes the worm more or less worrying. Is the net a safer place if only 30,000 computers are infected? No, because if each of them hits a website every second to DDoS it, the website will go down, period. It is not the number of infected computers that is important; it is the use and the future possibilities of the worm that matter.
We know that the new versions will be more difficult to find for vulnerability checkers (a false lookalike patch) and for network traffic analyzers (P2P segmented traffic), and that analyzing the code of the worm itself becomes harder each time. These are the things we should research and think about. How do we make sure that vulnerability checkers can still make the right decision about the patch in a matter of seconds (or should we ask ourselves whether we should let the audit take longer)? How can we make sure that the traffic analyzers in our networks can still track and locate this traffic, and which tools have to be upgraded to be able to do so? How do we make sure that analysts can still decode and analyse the code of the worm, even if it means that over time the best in the world will have to work together to find every piece of information one may need?
We know a new version will be launched after the third of May. And we have no clue what to expect.
There are other, more important questions to ask ourselves and the IT security community with regard to Conficker, which seems to be backed by a very powerful team to be up against.
* Who are those guys, why can't we locate them, and why can't the law enforcement agencies of the world, which are able to arrest hundreds of pedophiles worldwide, invest the same resources in catching or stopping these guys?
* The basic problem is that in some countries there are more pirated Windows versions than legal ones, and those pirated ones aren't patched. The consequence is that millions of such computers can easily be hacked and connected to a botnet. This makes the internet far less secure for any (legal) user of a Windows package. The question for Microsoft (I am sure they are not going to like this one :)) is basically this:
Do I let everybody have access to the security patches and make sure that everybody can use them, so that the internet is a safer place (because you can then install a Network Access Policy saying that you need to have patches and antivirus installed), and do I look for other ways to encourage people to use legal versions of my OS (through service packs that have nothing to do with security)? Or do I let this situation continue?
* Another question is what the roles of the ISPs and network administrators are. Shouldn't they help with the distribution and promotion of the patches? Shouldn't they distribute free antivirus and security packages to their users (just as your car comes with brakes and all kinds of included safety equipment)? It is a good thing to read that Mdm Dyson (one of the leading ladies of the internet) and the readers of the Clickx computer magazine think so. All we need is the political will or the strategic commercial choice. As an ISP offering free security packages to your clients, you will have fewer problems on your networks, fewer helpdesk calls, and you can offer a more secure hosting and transaction environment based upon network access policies.
These are the things one should talk about, not the numbers. Whatever the numbers, they will always be too big for such a powerful and ever-improving malware and botnet network not to worry about the eventual consequences if someone uses that power.