Jan 17 2008

In the last year or two, I’ve become very interested in cyberflexing. Because I’m a member of a National Academy of Sciences study (in progress) on the subject of “Ethical and Political Implications of Offensive Information Operations,” I must mention that what I’m saying here are personal opinions on many of the issues and not conclusions of the study group.

Some of the bigger unsolved issues in these areas include:

  • The botnet problem

Why can botnets be so easily assembled? Mainly because there are bazillions of unpatched Windows machines on always-on connections, and everyone with a clue disclaims responsibility for them. “Unpatched” means they have known, exploitable security vulnerabilities and can be abused by kiddies running scripts prepared by their more intelligent peers.

Many of those machines can never be patched because Microsoft has walked away from fixing flaws in old versions of Windows and has not opened up this unwanted business opportunity to others (say, allowing partners to produce patches). Microsoft has also so far managed to dodge the product liability issue. Microsoft’s purported solution to this problem is the product Windows Vista Starter, which is sold only in emerging markets. (In their defense, many of these machines are running bootleg copies of Windows.) Those attractive nuisances will be with us until their hard drives fail (the first time I can recall bemoaning the high reliability of disks).

The ISPs, who are in the best position to find and contain the problem, have neither a business model nor legal responsibility to contain these nuisance machines, even when they are made aware of a problem. Mostly, they hunker down into self-serving “carrier mentality,” pretending to allow all machines to send any packets to all machines on the Internet when it’s in their business interest to do so. (They have mandatory responsibilities only after becoming aware of child pornography and intellectual property infringement.) In some cases, they do worse than turn a blind eye: they create the problem by putting equipment at each customer site with weak security, such as routers with default passwords; this allows the routers to be reconfigured so evil (or unwanted) traffic can be directed through the routers to targets and will thus be more difficult for the target to filter out.

When we were in junior high school, and our Bart Simpson-esque friends thought making prank phone calls was hilariously funny, their parents would eventually get a call from the Nuisance Call Bureau at the Phone Company, threatening to turn off their service if it didn’t stop. If only there were such a thing for Internet nuisances. It’s like the automotive age before emission controls, when machines could spew black smoke in unlimited quantities and there was no framework to address the issue: Nobody to complain to, nobody who can issue a “fix-it” ticket ordering the machine “off the road” until it’s fixed. No registration of the machines (except the Windows Genuine Advantage stickers, which do not generally benefit society; in some repressive regimes, communications devices are registered). No licensing for drivers; they don’t need to know anything about safety and responsibility to operate these nuisances. No insurance to repair the damage the machines cause to others.

And then there’s:

  • The attribution problem: just because a denial-of-service attack is coming from Chinese IP addresses doesn’t mean it’s the Chinese government attacking.

It might be “patriotic hackers,” who are tolerated or supported in many countries. But it might be two teenagers in Romania, who have assembled a giant botnet out of weak machines, many of which happen to be in Chinese IP space, using easily available kits. Maybe striking back won’t hit your true attacker, but some other victim, maybe a university or a hospital.

It’s the Wild West, but there’s not even a sheriff who’s going to clean up the town. Law enforcement is (overall) technologically challenged and points to jurisdictional problems (many of the attackers are in those emerging markets). Pick up the phone, dial 911, and say, “Man with a gun at location X,” and the SWAT team shows up in 10 minutes. But if you say, “Million site botnet at <list of IP addresses>,” you get a much different response.

So when are we (personally; on the enterprise level) permitted to strike back when hit? Unfortunately, the answer seems to be somewhere between “it depends” and “unclear.” There’s nobody of whom to ask permission, so you may be relying on prosecutorial discretion.

Much of the relevant self-defense case law involves situations where women are threatened by abusive partners and defend themselves. Some of the traditions in computer abuse law treat offenses as “trespass” rather than “nuisance.” When you ask a lawyer for advice (and you should), they are very likely to advise you (if they even understand the question) that taking many actions might be risky.

In conclusion, I’ll just say it would be safe to predict that the coming year will be some combination of “The Year of Living Dangerously” and “The Year of Being Pecked to Death by Ducks.”


Mark Seiden

Mark Seiden is a Senior Consultant with Cutter's Business Technology Strategies practice. He consults in the areas of security, network, and software engineering to companies and nonprofits worldwide.

