Monday, May 18, 2009


Can zombies live again?

Some UCSB researchers managed to infiltrate the command-and-control system of a botnet, and got lots of information out of it, which they wrote up in a paper.

Their results are interesting to read. But, really, I’m not at all surprised that lots of people continue to get their computers infected, that so many use bad passwords, or that so many use the same password on many web sites. It’s always nice to get specific data on all that, but it’s something we’re well aware of.

What I find especially troubling is this part:

Interestingly, a large number of the financial institutions that had been breached required “monumental effort” in order to notify the victims, according to the report. In fact, financial institutions weren’t the only ones—interacting with registrars, hosting facilities, and law enforcement were all “rather complicated,” indicating that there’s a long way to go in order to make notifying botnet victims easier.
Unfortunately, the reporter got the “monumental” sense completely wrong; they did not say that a large number of the institutions required monumental effort, but that “the large number of institutions that had been breached made notifying all of the interested parties a monumental effort.” That’s not the same thing.

Still, there’s a problem, so let’s say that again, taking it from the paper itself:

Another insight obtained from the experience of taking over the botnet was that interacting with registrars, hosting facilities, victim institutions, and law enforcement is a rather complicated process. In some cases, simply identifying the point of contact for one of the registrars involved required several days of frustrating attempts. We are sure that we have not been the first to experience this type of confusion and lack of coordination among the many pieces of the botnet puzzle.
They suggest that U.S. law could make this significantly better by imposing “simple rules of behavior,” not on the criminals, but on the entities that one has to involve in reining the criminals in.

I’m skeptical of that. Perhaps it’s true in theory, but experience shows that laws help little in this area, and, in fact, a poorly crafted law can actually make things worse, when parties are forced to adhere to the letter, rather than to the spirit.

What would work better, at least on the U.S. side, is the designation of an organization responsible for sorting through the pieces — I suggest the Federal Trade Commission, which is already responsible for dealing with many aspects of the spam problem. I’m not surprised that the researchers had trouble getting through all of this: the organizations involved each had to confirm, to their own satisfaction, that the story they were being given was true, and that they weren’t dealing with yet another set of “bad guys” who were trying to hack the system. And in cases where legal devices (such as search warrants) might be needed, the researchers were likely unfamiliar with the law, and not used to dealing with those requirements. A department in the FTC would be properly equipped to pursue this sort of thing much more efficiently and effectively.

No comments: