Why am I still typing?’s Weblog

Warning, may or may not contain nuts….

Archive for May 12th, 2008

The 2k bug

Posted by whyamistilltyping on May 12, 2008

Whilst it seems the Internet enjoys a good Microsoft Vista bashing (see previous post on the topic), research came out today suggesting that Windows 2000, an eight-year-old operating system now in Microsoft's extended support phase, is more 'secure' than Windows Vista. (Cue fanboy and antiboy posts.)

But this is rather misleading. Let us not forget that Windows 2000 was released in February 2000, a dark era when firewalls, security software and Windows Update were treated with the suspicion previously reserved for black magic. Ok, so maybe I am exaggerating slightly, but back then the average PC had a Pentium II or III running at 600 MHz to 1.2 GHz, 32 to 128 MB of RAM and a 20 GB hard disk, and Windows 2000 was aimed at the business market, not at consumers, who had the privilege of running Windows ME (let the justified ME bashing commence). But we are still missing the point: today the only users running Windows 2000 (which accounted for about 2% of all Internet traffic in March 2008) are comfortable power users (like Steve Gibson) or those stuck with old hardware (e.g. in the developing world). As such, it is not worth the malware authors' time to target such a small slice of the user base when they are far more likely to snare vulnerable XP or Vista users.

Worse still, serious doubts have been raised over the validity of this study, given that PC Tools did not scientifically determine the state of key security features within the operating system (such as Windows Vista's UAC) or even which service packs were installed on the computers. As noted by Ars Technica, the first action of typical malware, once a usually small initial exploit has compromised a system, is to download the real payload package(s) onto it. This could mean that their numbers are greatly misleading, since three or four 'infections' could actually be a single instance of malware.

The only way to conduct such a test scientifically would be with three virtual machines, one running Windows 2000, one Windows XP and one Vista, each with a comparable set of security tools and the latest patches. That way, after each exposure, the virtual machine could be examined to determine whether the exploit succeeded and, if so, the degree to which the target machine was compromised. At the end of each run, the virtual machine is 'switched off' without writing the changes to its virtual disk and restarted to test the next exploit. Using this methodology, all exploits can be tested equally and methodically, and various configuration permutations can also be tried (e.g. operating systems with only their default security measures).

Let us also not forget that there is no way to tell whether these threats were serious silent drive-by download exploits (which would constitute a real threat) or the result of user ignorance, which even the most secure operating systems and security applications cannot guard against. Playing devil's advocate, I can see a case that unscientific tests like these better represent real-world conditions; however, they cannot be used to judge the reliability or security of operating systems, nor of the users using them, as no conditions or variables have been held constant. As such, unfortunately, these results have no validity as far as I am concerned.

Posted in Microsoft, News, PC, Rant, Windows | 1 Comment »

Deep Packet Inspection - Hide your shame!

Posted by whyamistilltyping on May 12, 2008

A company called Procera today announced the availability of a 12U rack system that can perform deep packet inspection on 80 Gbps of data in real time with 96% accuracy. In a world where Internet bandwidth demand increases daily, ISPs are embracing technologies such as DPI because they potentially offer an answer to this and to other challenges ISPs face, such as copyright and intellectual property enforcement.

But what is deep packet inspection? It is a process that identifies and characterises packets (Internet traffic) by their content and purpose, rather than by port numbers and headers alone. It can distinguish between innocuous HTTP, FTP and VoIP and the slightly less liked high-bandwidth traffic such as BitTorrent (and other P2P protocols) and streaming, even when that traffic hides on a well-known port. Armed with this information, ISPs or Internet backbones could then opt to throttle bandwidth to services or users in real time based on the time of day, the services they are using or simply how much they are paying.

Whilst throttling high-bandwidth services such as file sharing and movie streaming might seem like a good idea, this brings us to the idea of net neutrality. Net neutrality is the principle that ISPs and top-tier providers should carry all traffic on equal terms, rather than slowing or blocking specific services or websites based on their bandwidth usage or any other criterion of their choosing. Take Skype, for example: if an ISP decided Skype was taking up too much bandwidth or, worse, that its VoIP service was competing with the ISP's own telephony services, it could opt to slow the traffic between an end user (you or I) and Skype's service. This could restrict the usability of Skype to the point where it might no longer be functionally or financially viable. The ISP or provider could then ask Skype to pay a premium for its bandwidth to be restored.

It works the other way as well. Let's say another VoIP company decided it wanted the fastest bandwidth and lowest latency (compared with other VoIP providers) to an ISP's users; it could pay the ISP to prioritise its packets over everyone else's. As you can see, the scales of services and content on the Internet, once promoted as a source of free and equal speech and services, become tipped in favour of corporations, stifling both creativity and innovation.

Throttling is not the answer to the long-term (or even short-term) bandwidth explosion the Internet has seen in recent years (thank you, YouTube :P ), and at $800,000 per machine I can't help wondering whether the money would be better spent upgrading existing capacity.

UPDATE: I just read another related article which touched on something I had not considered: privacy. Whilst most information about a packet can be gleaned from its routing headers, there is nothing to stop this technology literally parsing gigabits per second of traffic for any (and all) information, which could then be stored for later examination. The only limitation would be storage: 80 Gbps is 10 GB of data every second, which would fill a petabyte (PB) of storage every 28 hours. The only real limit is the computational power and storage available to the ISP or backbone operator.
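As an added example that is not part of the original post and has nothing to do with Procera's product, the Python below shows the two ideas above in miniature: a 'shallow' classifier that trusts the port number, a 'deep' one that matches protocol signatures inside the payload (the BitTorrent peer-wire handshake, HTTP and SIP request lines, the FTP greeting), and the same parser reused to harvest identifiers such as the HTTP Host header or SIP From/To addresses. The packets are constructed by hand, the signature set is deliberately tiny, and the opaque sample stands in for encrypted traffic, which is one reason a real appliance quotes an accuracy figure below 100%.

```python
# Added example (not Procera's code): a toy DPI classifier over constructed packets.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    payload: bytes  # transport payload only; IP/TCP headers assumed already parsed


# Shallow inspection: guess the application from the well-known port alone.
PORT_TABLE = {80: "HTTP", 21: "FTP", 5060: "SIP", 6881: "BitTorrent"}


def classify_by_port(pkt: Packet) -> str:
    return PORT_TABLE.get(pkt.dst_port) or PORT_TABLE.get(pkt.src_port, "unknown")


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
SIP_METHODS = (b"INVITE ", b"REGISTER ", b"ACK ", b"BYE ", b"OPTIONS ")


def classify_by_payload(pkt: Packet) -> str:
    """Deep inspection: match protocol signatures inside the payload, ignoring ports."""
    p = pkt.payload
    # BitTorrent peer-wire handshake: one length byte (19) then the literal protocol name.
    if len(p) >= 20 and p[0] == 19 and p[1:20] == b"BitTorrent protocol":
        return "BitTorrent"
    request_line = p.split(b"\r\n", 1)[0]
    # SIP and HTTP share method names (OPTIONS), so the version token decides.
    if p.startswith(b"SIP/2.0 ") or (
        request_line.startswith(SIP_METHODS) and request_line.endswith(b"SIP/2.0")
    ):
        return "SIP"
    if p.startswith(b"HTTP/1.") or (
        request_line.startswith(HTTP_METHODS) and b" HTTP/1." in request_line
    ):
        return "HTTP"
    # FTP control channel: server greeting or client login commands.
    if p.startswith((b"220 ", b"USER ", b"PASS ")):
        return "FTP"
    return "unknown"  # encrypted or unrecognised: signature DPI has nothing to match


def classify(pkt: Packet) -> str:
    """Payload signature wins; the port guess is only a fallback and is marked as such."""
    deep = classify_by_payload(pkt)
    return deep if deep != "unknown" else classify_by_port(pkt) + "?"


def extract_identifiers(pkt: Packet) -> dict:
    """The privacy angle: the parser that classifies traffic can just as easily keep content."""
    found = {}
    for line in pkt.payload.split(b"\r\n"):
        for header in (b"Host:", b"From:", b"To:", b"USER "):
            if line.startswith(header):
                key = header.strip(b": ").decode()
                found[key] = line[len(header):].strip().decode(errors="replace")
    return found


# Hand-constructed sample packets (not captured traffic).
BT_HANDSHAKE = (bytes([19]) + b"BitTorrent protocol" + bytes(8)   # pstrlen, pstr, reserved
                + b"\x01" * 20 + b"-AZ2504-" + bytes(12))          # info_hash, peer_id
SAMPLES = {
    "http_on_80": Packet(51000, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "bt_on_80": Packet(51001, 80, BT_HANDSHAKE),  # P2P hiding on the web port
    "sip_invite": Packet(5060, 5060, b"INVITE sip:bob@example.org SIP/2.0\r\n"
                         b"From: <sip:alice@example.org>\r\nTo: <sip:bob@example.org>\r\n\r\n"),
    "ftp_banner": Packet(21, 51002, b"220 ftp.example.com FTP server ready\r\n"),
    "opaque_on_6881": Packet(51003, 6881, bytes.fromhex("9f3a7c0155e2d8b4c3a1f0e7")),  # encrypted
}


def run_demo() -> dict:
    """Return name -> (port verdict, payload verdict, final verdict, harvested identifiers)."""
    return {name: (classify_by_port(p), classify_by_payload(p), classify(p), extract_identifiers(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_port, by_payload, final, ids) in run_demo().items():
        print(f"{name:15} port={by_port:10} payload={by_payload:10} final={final:11} {ids}")
```

The interesting rows are the BitTorrent handshake on port 80, which the port table calls HTTP and the payload match calls BitTorrent, and the opaque bytes on 6881, where the payload match gives up and only a hedged port guess remains. The `extract_identifiers` pass is the same loop over the same bytes; nothing architectural separates "classify for throttling" from "record who talked to whom".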

Posted in Hardware, News | 1 Comment »