Slashdot Mirror


Killing Others' Malicious Processes

Roland Piquepaille writes "This opinion is not mine, but the one of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."

50 of 415 comments

  1. Legalised hacking.. by Anonymous Coward · · Score: 5, Insightful

    yet again under another pretense.

    This will be abused like all the other technology laws.

    1. Re:Legalised hacking.. by sniggly · · Score: 4, Insightful

      It's not a law. This is an international problem for which a law will most likely never come into being.

      Imagine I am your next door neighbour and I have a dead animal on my porch; the stench and health hazard are more than an annoyance to you. You can take action against that by removing the dead animal from my space, but you would enter my premises doing so. Instead you can call the police or any other agency that might take the trouble to show up and deal with it.

      On the internet there is no 911. There is an uplink admin that might take action, but the uplink might have a legal obligation to keep the link up. If the attacks take up a significant portion of your bandwidth you are seriously compromised; you are probably paying for the bandwidth the attacker is using while trying to compromise your system.

      Taking out the worm on the attacking system is what one could call a "surgical strike", you deal with it.

      It could be illegal to do so and for this you take responsibility.

      But is it immoral? Those here who seem to argue from a moral perspective saying it's wrong to try to stop worm attacks by entering and killing the worm on the attacking machine apparently are not server admins themselves. When you are under attack all you want is for it to stop.

      --
      Of those to whom much is given, much is required.
    2. Re:Legalised hacking.. by GMontag451 · · Score: 5, Insightful

      The way I see this is akin to a self defense plea when you are charged with murder. If someone is coming at you with a gun, you have the right to stop him/her with any available force. However, if you are charged with murder, the burden of proof is on you to show that you were acting in self-defense. The same should go for an attack on the internet. If some computer is attacking you, you should be able to react with reasonable force. But the burden of proof should again be on you to show that you were acting with reasonable force.

  2. Leave them alone !? by mirko · · Score: 3, Insightful

    You should not interact with others' machines:
    Let them fix their worm problems themselves or they may not appreciate it.
    It is normal and nice to tell them they have a problem, but your work stops here!

    --
    Trolling using another account since 2005.
    1. Re:Leave them alone !? by secolactico · · Score: 3, Insightful

      I used to work for an ISP where the policy was to inform the sysadmin, and if the complaints against him/her were too many, disconnect it. However, if the customer was a large one (say... a public entity) and, as usual, had no one clueful enough to fix the problem, the bosses would send someone over from our office to help fix it...

      "But sir... I know nothing of exchange!"

      "No matter, go over there and run some antivirus or something"

      "...sigh..."

      I've since moved on to greener pastures. Still, my belief is that if there's no one at the offending site that can solve the problem, leave them alone unless they ask for help and pay you for your services.

      --
      No sig
    2. Re:Leave them alone !? by walt-sjc · · Score: 4, Insightful

      Um, and what about the guy who has to wait for days, his network being hammered, piling up network usage charges, while you take your sweet time in the disconnect process? Do you cut your customers off if you can't reach them in 10 minutes or do you give them a while?

      Of course then you also have ISPs that are so backlogged that they don't respond to a security issue for days to begin with, or the ISPs in China that can't read English so just ignore you.

      Through rose-colored glasses this is fine. In the real world it fails.

      A good example was Code Red. It wasn't just one server once in a while trying to infect your server, it was HUNDREDS. Simultaneously. How the fuck do you handle that through notification? How long are you willing to let your business be offline?

      Code Red was just another wake-up call. The next worm might be MUCH more malicious and do MUCH more harm to the internet.

    3. Re:Leave them alone !? by crazyphilman · · Score: 2, Insightful

      MrResistor said: "The hole in your argument is self defense. Killing people is illegal, but if I can prove it was self defense I won't be punished for it."

      This is not a hole. While it may be true that IF someone is trying to kill me, and therefore is presenting an immediate threat to my life, THEN I am permitted to use appropriate force and possibly even kill him without getting in trouble, this has nothing whatsoever to do with some hacker kid flooding my network. A DOS attack is simply not a direct threat to your life or limb and so you cannot use self defense as a defense. This is a false analogy.

      A better analogy would be the case where someone was committing libel against you. You are entitled to get a lawyer, seek an injunction against the person, obtain a court order forcing them to stop... But (for example) If they're talking trash about you on a radio station, you're not entitled to break in at 4AM and use a baseball bat on the transmitter, or sneak up on the roof and cut down the antenna with an acetylene torch. Trying a stunt like that goes right over the line into criminal activity. Just as trying to hack a hacker is criminal activity, whether you tell yourself it's self defense or not.

      It sucks, but if your ISP won't help you, find another ISP. Or get a lawyer, and get a court order. Sue the hacker's ISP. Sue the hacker. Basically, DO SOMETHING (LEGAL) ABOUT IT. Running around like a villager with a coil of rope, a torch and a pitchfork isn't going to get you any satisfaction. It might get you put in jail for a while though.

      --
      Farewell! It's been a fine buncha years!
  3. Vigilante justice? by grub · · Score: 5, Insightful


    Exactly who decides what constitutes "relentlessly attacking your network"?
    A simple NMAP scan? What about Netbios scans? @Home scans for open NNTP servers... etc etc..

    --
    Trolling is a art,
  4. loss of business by KDan · · Score: 4, Insightful

    The only problem with this strikeback thing is what if the machine which is infected is business-critical?

    If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there's also varying definitions of what "strikeback" or "fixing" could mean. What if someone decides to "fix" your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?

    There are just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: "I only broke into this machine to fix it, I swear, gov'nor!"

    I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be "fixed", and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way...

    Daniel

    --
    Carpe Diem
    1. Re:loss of business by bpfinn · · Score: 2, Insightful

      The first thing I thought of was if I was "Mr. Evil Hacker", I would attack company A's server with spoofed packets from company B. Then company A strikes back at company B. Company B responds, and there's your loop.

  5. ISP can sorta do this by EvilAlien · · Score: 5, Insightful

    At least they can act to contain the spread of a virus, but not by killing processes on customer PCs. They can, however, disable service, whether it be a cable, *DSL, or dialup modem account. Shutting off service and forcing customers to take measures to clean their infected computers is allowed by the acceptable use, terms of service, and other policies which protect the ISP's rights to take action.

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  6. The rights of the many and the few by katre · · Score: 5, Insightful

    If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.

    This is an interesting point, because it shows the essential flaw in this logic. In all of these examples, who is acting? "The authorities", namely, the government. In this absurd "strikeback" proposal, who is acting? Vigilante sysadmins. If anything, his examples prove that we need a national cybersecurity enforcement agency, which is responsible for taking machines offline when they get virus-infected. Clearly, this is a bad idea, and that's why strikeback will never work.

  7. The money quote by wiredog · · Score: 5, Insightful
    Since the owner of a system has no responsibility for the actions of a worm, or any malicious process, that runs without their knowledge, I submit that they also have no rights to the process. No responsibility means no rights.

    So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.

    That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.

    You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.

    1. Re:The money quote by Anonymous Coward · · Score: 1, Insightful

      Yes, I would. If someone knew that they could get sued for security negligence - they would:

      1. learn enough about security so they could get online safely.

      2. Insist on buying systems from vendors that were made secure - and by extension, get a guarantee from the manufacturer that it was.

      3. Stay off the internet

      4. Buy liability insurance?

      I think what would happen, is many regular people would be scared off the internet. This would drive down computer sales. Not wanting to lose money, hardware and software vendors would be FORCED to make secure products... Fixing our problem. I believe the parent poster is correct.

    2. Re:The money quote by Tall Rob Mc · · Score: 5, Insightful
      I think you make a very good point, but I don't believe it follows the right course. The best way to attack a problem is at its root. As much as we would all like to have 100% of online computers running completely securely, we cannot expect such a large user base to do this.

      If your car is stolen because you left it unlocked in a parking lot and used in a hit-and-run accident, the car owner should not be held responsible. Yes, it is his fault that he didn't lock his car, but it shouldn't be illegal for him to leave his car unlocked. The crime committed here was by the thief.

      Likewise, if your computer is used in a DDoS attack on a commercial website, you should not be held responsible unless you intentionally left it vulnerable specifically for use in an attack. The insecure computer has done nothing wrong, the blame is in the hands of the person who used the computer for a malicious attack.

      Blaming the owner of the insecure computer is simply cutting one head off of a hydra.

    3. Re:The money quote by rnelsonee · · Score: 2, Insightful
      If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.

      I don't usually argue against accountability, but this doesn't make sense. What if I leave my house poorly locked (heck, even unlocked) when I leave for work, and someone breaks into it and then uses my house as a shelter as he starts sniping people in the streets. Should I be held accountable because he used my property to commit a crime? Heck no. The one committing the crime is the one who should be punished. Same thing if someone steals my car and uses it to mow down some pedestrians. Under current law, I could be held accountable if the motorist was drinking, and I was aware of it, and I let him have the car of my own free will. And even then, I don't agree with the law.

      Anywho, I just wanted to throw in my 2 cents. Failure to implement an adequate security system is an option, people. A stupid one 99% of the time, sure. And that's why network admins are (and should be) held accountable by their employers if they lose business due to the admin's negligence. But if another network gets DOS'd from that network, the victim should go after the perp, not the people the perp used along the way...

    4. Re:The money quote by tsg · · Score: 5, Insightful

      If your car is stolen because you left it unlocked in a parking lot and used in a hit-and-run accident, the car owner should not be held responsible. Yes, it is his fault that he didn't lock his car, but it shouldn't be illegal for him to leave his car unlocked. The crime committed here was by the thief.

      Likewise, if your computer is used in a DDoS attack on a commercial website, you should not be held responsible unless you intentionally left it vulnerable specifically for use in an attack. The insecure computer has done nothing wrong, the blame is in the hands of the person who used the computer for a malicious attack.


      Just to pick a nit, the difference is that, in the case of a DDOS attack, once the owner of the system becomes aware of the problem, he has the power, and therefore the responsibility, to correct it. If someone allows his system to continue attacking someone else's, even if he didn't cause the problem, he should be held responsible.

      Once the car is stolen, the car is no longer under the owner's control. Once the system is compromised, the sysadmin can still control it, even if it means pulling the plug.

      That said, I still don't think it gives the victim of an attack the right to go in and muck about in someone else's machine.

      --
      People's desire to believe they are right is much stronger than their desire to be right.
    5. Re:The money quote by Otto · · Score: 3, Insightful

      Uh huh. And yet Nimda continues to spread.

      What about those boxes that are essentially never updated? These are the *vast* majority of machines on the network, causing all the problems and eating all the bandwidth.

      It's fine and great that you keep your box patched and up to date, but at some point, failure to do so should be considered negligent. You put a box on the network, don't keep it up to date, eventually it gets rooted, and starts attacking everyone else. Everyone else is justifiably pissed off at you now for not taking care of your own shit.

      Either they need to have a legal recourse for your negligence, in order to force you to stop being so negligent, or they need to have a legal means of self defense. You won't fix your box, they should be able to.

      The key is not whether this is right or not; it most certainly is right. The key is where the line is drawn. How up to date with patches and fixes should you be required to keep it? Exactly at what point does stupidity become negligence?

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  8. Hell no by Reality Master 101 · · Score: 5, Insightful

    I think this guy lives in the world of theory, where everything works "in theory".

    I don't want some idiot out in the world thinking he knows more about my system than I do going in and thinking he's doing everyone a favor -- when he's actually doing damage to my system. Intentions don't mean a crock of dog doo.

    If my system is spewing garbage, then it should be the right of the ISP to pull the plug until I get it fixed. That's the way these things should work.

    But there's no way I want fools poking into my computer, no matter what.

    --
    Sometimes it's best to just let stupid people be stupid.
  9. Trying to close open windows by EkiM in De · · Score: 5, Insightful

    I read this the other day when it was posted on "The Register" and I didn't like it then and I don't like it now.
    Why?

    Well, it all boils down to an attempt to legitimise hacking. If it was allowed that we could "strikeback" (which is just a cute word for hack) and disable the attacking process, then where do we draw the line? I think we can all agree on the extremes, but let's consider another example.

    What if a website was posted on Slashdot? Would all of the rampaging geeks be classed as attacking processes and therefore be liable to be struck back and eliminated? I am certain that the website administrator would consider the massive increase in traffic to be an "attack" as their poor server disappears in smoke.

    Personally, if you are likely to be attacked, get better security. You can't enter somebody's house just to close an open window.

    --
    Patriotism is the opium of the masses
  10. Two independent issues by vaidhy · · Score: 3, Insightful

    There are two independent issues: one is an ethical issue. Is it morally right to attack (it is attacking, irrespective of defensive or offensive reasons) somebody else's machine?

    The second one is a legal issue. Does the attacked person (both sides) have any legal recourse? Do they have any credible claims for damage?

    Vigilante justice, at best, is stupid and at worst can lead to a more dangerous society than one without.

    1. Re:Two independent issues by Sloppy · · Score: 3, Insightful
      Is it morally right to attack .. somebody else's machine?
      I think this is similar to the question, "Is it morally right to use deadly force against another human being?" At first kneejerk impulse, the obvious answer is "No, of course not!" But then you'll probably realize the real answer is, "It depends." If someone shoots at you, most people think you're justified in shooting back.

      But if we're willing to concede that it depends, when talking about killing people, then why not also concede it in situations where the stakes are much lower? If I can kill a person who is attacking me, why can't I attack a computer that is attacking mine?

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  11. Errant Machines by Anonymous Coward · · Score: 4, Insightful

    What we have here is no accountability and no responsibility. A ship's Master (Captain) is responsible and accountable for the ship in his charge and the actions of his crew. The owners or administrators should also be responsible and accountable for the machines and network in their charge. Hold them to account for their malicious machines - otherwise the problem will just get worse. Who then determines a malicious process on my network? The RIAA and other large political contributors? Remember, in the U.S. at least, money controls everything. Those with it get what they want and those without it suffer.

  12. well... by bonovoxpsu · · Score: 2, Insightful

    if you're that "good" and can kill a process on someone else's network, how about you use that excellent knowledge and contact the owner of the machine?

    hacking (don't paint it any other way, you're breaking into someone's system) someone else's machine is not the answer. the system is not any more secure after you've killed its process, it is still wormed, and the most important thing is that the admin of that machine hasn't learned a thing!

    but then what do i know, i'm not a security expert...

  13. no trespassing! by Anonymous Hack · · Score: 2, Insightful

    I'm sure some people could draw a vague parallel with protecting your home using lethal force here... but i don't buy it. I certainly believe if a hacker is inside your system you have every right to st0mp his ass out of there by whatever means necessary, but if your neighbor is coming round ten times a day knocking on your door you call the cops and get a restraining order taken out - you don't go over there and shoot him.

    I don't think it's ever right to trespass, whether it's for the "common good" or not. If it's not yours, stay clear. If a worm is hammering your system, call the offending ISP. If they don't reply call their upstream provider. If they don't reply call your ISP and tell them to block it before it gets to you. If they don't reply - tough shit, get a new ISP. It's the same thing as the spam blacklists - ISPs will never learn to provide better service if people don't start voting with their wallets.

    --
    I got a sig so you would remember me.
  14. People don't like this by Branc0 · · Score: 5, Insightful
    Having run a small defacement archive for the past year, one thing I learned is that people don't like you messing with their computers. In fact they don't even want to know that you know they have a problem. I once found a Portuguese .gov site that was defaced for over a month in a sub-directory, even though I warned them just a few days after it happened.

    I also found out that what people think is "if you know someone hacked into my server, then it must have been you that hacked my server". And this brings up the next point: if you start hacking people's computers to stop the worms, they are going to think that it was you who unleashed the worm. It is logical; they just don't know better.

    What must happen is not System Administrators "hacking" every computer on the internet infected by Code Red or Nimda. What must happen is legislation that makes every person running a computer personally responsible for the security of that same computer. If people don't secure their server they must be penalized, instead of letting us fix the problem... even if they want us to.

    --

    rm -rf /home/leia

  15. So everybody gets to do this? by telstar · · Score: 5, Insightful

    This guy wants to give the power to kill remote processes to everybody. Everybody includes the people that he's saying can't secure their systems to begin with. Do you want them touching your box? Didn't think so.

  16. Counter attack is dangerous by funkman · · Score: 3, Insightful

    How do you get counter attack software and who's to say that software is safe?

    What if the counterattack software has its own buffer overflow? Then we get a cat and mouse game of one machine simulating an attack and when the counter attack is made the attacker could send a response to force a buffer overflow making the counter attack ... the attack itself.

  17. Whose rights?? by Ratface · · Score: 5, Insightful

    If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.

    In your country perhaps, but where I live not all of those suppositions are true. And here one sees an inherent problem that such a system would create - you may be operating within the legal framework of (for instance) the US, but does that give you the right to close down a process on a machine in Iraq, or North Korea, or any other country for that matter?

    --

    A little planning goes a long way...
  18. Flawed logic by StormReaver · · Score: 5, Insightful

    "Logic dictates that anyone who opposes a bill allowing corporate entities to attack our systems should support a technique to stop worm-ridden systems from doing the same."

    This is flawed logic. The correct logic flows like so: Anyone who opposes a bill allowing corporate entities to attack our systems should oppose any technique that allows any other organization or individual to do the same.

    Mr. Mullen's proposal is almost identical to the proposal made by the RIAA: let someone legally crack into a computer that is being used to do inconvenient things.

    While I sympathize with Mr. Mullen's intent, this approach was wrong when suggested by the RIAA and it is wrong when suggested by Mr. Mullen.

    Unfortunately, the best approach I can suggest that both contains the problem (eventually) and protects everyone's privacy to the largest possible extent is to isolate the offending computer from the rest of the Internet (possibly shutting down the user's outgoing Internet feed) until that user fixes the problematic system.

    Of course, the details are the killer. How is something like this accomplished quickly enough to minimize the damage done to systems receiving the barrage of data? And does a Slashdotting result in Slashdot's Internet feed being cut?

    This type of problem definitely needs a solution, but vigilante attacks are not the solution.

  19. The real problem. by jellomizer · · Score: 3, Insightful

    Besides the blatant privacy issues etc., let's assume computer A is attacking computer B with Worm1, which uses application X as its transport. The person who sees the worm attack his system immediately thinks it is Worm2, which uses application Y as its transport. So he gains access to computer A and kills application Y. So he hasn't killed the worm, and he has also killed an innocent application that may have been doing something very important.
    It is stupid to think a random person will be able to properly fix your system. Even if he is "skilled" enough to break in, he may not understand what the system is for or what it is used for. Just because he thinks he is smart, it doesn't necessarily mean he is.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  20. If you really want to help... by s88 · · Score: 2, Insightful

    First secure your own machine (which seems to be the primary concern for wanting to allow something like this)... Then, send the infected machine a note with instructions on how they can fix the problem.

    Just because my car makes a funny klunking noise, doesn't mean I want Joe Mechanic sticking his head under my hood when I'm in the grocery store.

    Scott

  21. Re:Simple fix by bernywork · · Score: 3, Insightful

    The only problem with this, and it was in the article, is that it wastes bandwidth. For some people with low speed links, virus attacks can take out their whole link. Blocking it at the router is no use, and it still has to get to their router in the first place for it to be dropped. The bandwidth damage is already done.

    --
    Curiosity was framed; ignorance killed the cat. -- Author unknown
  22. Re:Simple fix by Tom · · Score: 4, Insightful

    Seems to solve 99% of my problems

    Yours, yes. Lots of people, and almost all companies, pay for their internet access, often by traffic. Blocking the crap at the firewall doesn't take care of that problem. In many cases, it makes it worse (due to retries).

    --
    Assorted stuff I do sometimes: Lemuria.org
  23. Analogy by nmg196 · · Score: 3, Insightful

    Here's an analogy:

    A guy in the apartment above you has left his door unlocked and then gone away. A malicious child walks in and turns the tap on for a laugh and then leaves. A while later the apartment is flooded and water is pouring through the ceiling into your property. Do you have the right to walk in through his unlocked door and turn off the tap?

    I know what I'd do. It might not be legal, but I don't think anyone would stop me or arrest me and I don't think the owner would mind that much either.

    Nick...

  24. The arguments I see against this... by Anonymous Coward · · Score: 1, Insightful

    I agree that this 'strikeback' capability could be abused. But I've seen a lot of questions people have posed:

    (1) What if the machine you attack back is running some critical process and you disable it?
    (2) What if the machine you attack back is also hosting other, innocent clients?

    and various arguments along the line of 'What if your strikeback also affects X, who doesn't deserve to be affected?'.

    My response to this is: What if? Let them be collateral damage. It wouldn't have happened at all if you'd SECURED YOUR SYSTEM. I saw an analogy about someone stealing your car and trying to run over someone else. What if that someone else shoots out your tires? You left your car unlocked, you pay the price.

    Another common one is 'just block their IP on your firewall'. I find that response so stupid it's bewildering; people who respond with that have never seen a real ATTACK. I (normally) chat on an IRC network named DALNet. For the past few weeks, all 31 servers have been completely offline, because of a few thousand idiots on cable and DSL, infected with a trojan. If you have a 1.54 Mbps pipe and you are being sent 3 megs a second from compromised hosts, a firewall won't do $#!t. Nothing. And do you think the ISPs giving access to those people are going to shut off access? No way! DALNet is a free service, it has no budget to sue anybody, why would an ISP bother cutting off paying customers?

    So many people here talk out their @$$es it's not even funny.

    How do so many people get infected? By running unpatched copies of IE and visiting malicious webpages. Who sets up these webpages? Why, GeoCities! Geocities will NOT shut down any of these malicious sites, since their AUP doesn't say anything about viruses. The only way to get a Geocities page shut down is if it has nude photos on it.

    So -- what to do then?

  25. Computers are not Cars, but even so . . . by MisterSquid · · Score: 3, Insightful

    Treating computer processes and network connections as extensions of human beings ignores the great complexity of computer systems and the irreducible nuances of responsibility, origin, and intent such machines introduce.

    Translating your argument into the world of atoms, that would be like holding someone responsible for a vandal who goes into someone's unlocked car, releases the emergency brake, and lets the car go careering into a crowd of innocent bystanders. Just because computers seem to "act" does not mean that their actions are always the fault of their owners, secure systems or no.

    The key is to hold those who crack systems accountable for their actions and to educate victims about how to better secure their systems. Those users unwilling or unable to secure their systems should pay third parties to secure their systems for them.

    Even the best secured system is not uncrackable. Would you hold the best sysadmin in the world responsible for a script kiddie's lucky guess?

    Your post says you would.

    --
    blog
  26. Re:Simple fix by Arjuna+Theban · · Score: 2, Insightful

    Once you start doing that, eventually you get to a point where you don't block certain IPs but you start only allowing certain ones. And that's where the fun begins. When I'm on a machine not explicitly allowed through my home firewall I sometimes have to hop through 2-3 machines to get to a machine that my home network knows and allows.

    Then there is the fact that most networks don't have the freedom to go from a blacklist to a whitelist.

    *utopian vision* a world without script kiddies *utopian vision*

  27. sounds like using a sledge on a thumbtack by The+Evil+Couch · · Score: 4, Insightful

    his idea is a hell of a lot more invasive and more "wrong" than simply noting an attack, blacklisting the source and sending the ISP an email notifying them of the situation.

    I realize that it's frustrating as a sysadmin to see attacks from the same place, by the same virus/worm all the time, but the answer isn't a counter strike. it's to simply contain the virus and let the people that are infected unfuck themselves and learn from their mistakes.

    besides, even if it weren't morally and ethically wrong, just who would control such a program? would sysadmins have to be federally or state licensed, much like concealed weapons holders? who would be there to ensure that the vigilante sysadmins weren't abusing their abilities and crushing boxes left and right, then claiming that they were being attacked.

    no, a knee jerk reaction of "wtf! this mother fucker's infected and trying spread it on to me! fuck him! I'll fuck his box up for that shit! stupid dumbass n00b!" isn't going to advance the Internet community, sysadmins or users anywhere. just stick to blacklisting IPs and domains. it works.

  28. Re:Vigilantism by PigleT · · Score: 3, Insightful

    Agreed.

    It says two things: first, that you're worried your systems won't withstand an onslaught, and second, that you're immature enough to resort to vigilantism when blocking sources could've been good.

    Quite what a tool to do this sort of thing for you would accomplish is beyond me. The potential for auto-DoS (read: shooting yourself in the head) is quite high. The likelihood of contributing to the problem (increased traffic over an inadequate link, for example) is all the higher for it.

    Read up on iptables -m limit, and see what happens.

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
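
The "iptables -m limit" hint above is a token bucket: the rule starts with --limit-burst tokens, refills at --limit tokens per second, and each packet reaching the rule spends one. The following model, added here as an example and not code from the thread or from netfilter itself, runs a constructed SYN flood through such a bucket. It shows both halves of the comment's point: the limit cuts what reaches the service from 1000 SYNs to 59, yet every one of the 60,000 bytes still crosses the link, and a single bucket shared by everyone starves the legitimate client along with the flood (the per-source form is -m hashlimit --hashlimit-mode srcip). Packet sizes, rates and the 5 ms offset of the legitimate client are assumptions; the kernel keeps its credit counter in jiffies, so this is a simplified model.

```python
"""Token-bucket model of netfilter's `-m limit`, run against a constructed SYN flood.
Added example, not code from the page. Uses Fraction so the counts are exact."""
from fractions import Fraction


class LimitMatch:
    """`-m limit --limit RATE/s --limit-burst BURST` as a token bucket: starts full
    (BURST tokens), refills at RATE tokens per second up to BURST, and each packet
    that reaches the rule spends one token or fails to match. Simplified model;
    the kernel keeps its credit in jiffies."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last = None

    def match(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def accept_rule(rate_per_sec, burst, dport):
    """The iptables rule the model stands for. A later rule must DROP what this one
    does not ACCEPT, or the limit changes nothing."""
    return (f"iptables -A INPUT -p tcp --dport {dport} --syn -m limit "
            f"--limit {rate_per_sec}/s --limit-burst {burst} -j ACCEPT")


def simulate(packets, rate_per_sec, burst):
    """packets: (arrival_time_s, size_bytes, label). Returns per-label counts of what
    passed the limit and what did not, plus the bytes the link carried either way."""
    lm = LimitMatch(rate_per_sec, burst)
    accepted, dropped = {}, {}
    wire_bytes = 0
    for t, size, label in sorted(packets, key=lambda p: p[0]):
        wire_bytes += size  # the uplink carries it whether or not the host accepts it
        bucket = accepted if lm.match(t) else dropped
        bucket[label] = bucket.get(label, 0) + 1
    return {"accepted": accepted, "dropped": dropped, "wire_bytes": wire_bytes}


def syn_flood(pps, seconds, size=60):
    """Constructed flood: `pps` evenly spaced SYNs per second, `size` bytes each (assumed)."""
    return [(Fraction(s) + Fraction(k, pps), size, "flood")
            for s in range(seconds) for k in range(pps)]


def legit_client(seconds, size=60):
    """Constructed legitimate client: one SYN per second, 5 ms after the flood's (assumed)."""
    return [(Fraction(s) + Fraction(1, 200), size, "legit") for s in range(seconds)]


if __name__ == "__main__":
    print(accept_rule(5, 10, 6667))
    print(simulate(syn_flood(100, 10), 5, 10))
    print(simulate(syn_flood(100, 10) + legit_client(10), 5, 10))
```

With --limit 5/s --limit-burst 10 the flood alone yields 59 accepted and 941 dropped out of 1000, but wire_bytes is still 60,000; with the legitimate client mixed in, only its very first SYN (during the initial burst allowance) gets through and the other nine are dropped alongside the flood. Alone, the client's ten SYNs all pass.
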
  29. Re:Killing Others' Malicious Processes by DrDebug · · Score: 2, Insightful

    You hit the nail right on the head.

    Sure, we want to defend ourselves against malicious attacks. But does that mean going out and destroying the attacker? Only in a war!

    So if the RIAA feels it has to 'defend' itself against something like KAZAA (which is NOT attacking RIAA directly, just its mass-manufactured, over-hyped, over-priced monopolist property), then RIAA can come into our machines and wipe out KAZAA.

    And I don't like where that is going....

    Folks, the current state of the Internet and the Web reminds me of the Wild West. Good people and outlaws all over the place. Things got better when the sheriff came to town. Maybe what we need is a sheriff; one that will honor the privacy and uphold the security of each honorable individual; but with the right to gun down the outlaws (or send them to the judge).

    So I think the power to neutralize processes on other people's machines should be entrusted to those individuals that are in a position of authority; using people that we can actually trust. The RIAA and other corporations are NOT the answer. Is the government? That remains to be seen.

    It may come to that. Let's just hope we don't end up with a 'Big Brother' Internet.

  30. what ever happened to: by CakerX · · Score: 2, Insightful

    whatever happened to hosts.allow and hosts.deny on a firewall??? simple answers to simple problems.

    On a legal level this should be peachy. If your server is being attacked, you should be able to respond. On a systems security level, this is NOT OK. Giving access to other companies/entities to shut down processes on machines which they are not entitled to access is more of a security hazard than what it intends to fix.

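Comment 27 describes the non-strikeback procedure (note the attack, blacklist the source, mail the ISP) and comment 30 points at hosts.allow/hosts.deny. The script below, added as an example and not code from the thread, runs that procedure over constructed netfilter LOG lines: it parses the syslog output, counts attempts per source inside a sliding window, emits the iptables DROP and hosts.deny entries for sources over the threshold, and drafts the abuse report. The log lines, addresses (RFC 5737 ranges), threshold, window and the fixed victim address are all assumptions made for the example.

```python
"""Detect repeat attackers in constructed iptables LOG lines and build a blocklist.
Added example; not from the original page."""
import re

# Constructed sample of netfilter LOG output as syslog writes it, trimmed to the
# fields read below. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct  3 10:00:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3001 DPT=80 SYN
Oct  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4412 DPT=80 SYN
Oct  3 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4413 DPT=80 SYN
Oct  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4414 DPT=443 SYN
Oct  3 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4415 DPT=80 SYN
Oct  3 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4416 DPT=80 SYN
Oct  3 10:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4417 DPT=443 SYN
Oct  3 10:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5100 DPT=22 SYN
Oct  3 10:00:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3002 DPT=80 SYN
Oct  3 10:00:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3003 DPT=80 SYN
Oct  3 10:00:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=5101 DPT=22 SYN
Oct  3 10:00:45 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3004 DPT=80 SYN
Oct  3 10:01:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3005 DPT=80 SYN
"""

# syslog timestamp, then whatever precedes SRC=, then the destination port.
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} (\d\d):(\d\d):(\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")


def parse(log_text):
    """Yield (seconds since midnight, source address, destination port) per readable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, src, dport = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), src, int(dport)


def summarize(events):
    """Group events by source: sorted arrival times and the set of ports probed."""
    per_src = {}
    for t, src, dport in events:
        rec = per_src.setdefault(src, {"times": [], "ports": set()})
        rec["times"].append(t)
        rec["ports"].add(dport)
    for rec in per_src.values():
        rec["times"].sort()
    return per_src


def max_in_window(times, window):
    """Largest number of attempts from one source inside any `window`-second span."""
    best = i = 0
    for j, t in enumerate(times):
        while t - times[i] > window:
            i += 1
        best = max(best, j - i + 1)
    return best


def blocklist(per_src, threshold, window):
    """Sources with at least `threshold` attempts inside `window` seconds. This is a
    rate, not a lifetime total: five probes spread over a minute is not a flood."""
    return {src for src, rec in per_src.items()
            if max_in_window(rec["times"], window) >= threshold}


def drop_rules(srcs):
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(srcs)]


def hosts_deny_lines(srcs):
    return [f"ALL: {src}" for src in sorted(srcs)]


def hms(t):
    return f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}"


def abuse_report(src, rec, victim="192.0.2.10"):
    """Body for the abuse@ mailbox of the source's provider: what, when, how often.
    The victim address is assumed fixed here; parse DST= if yours varies."""
    times = rec["times"]
    return (f"Host {src} sent {len(times)} TCP SYNs to {victim} on ports "
            f"{sorted(rec['ports'])} between {hms(times[0])} and {hms(times[-1])} "
            f"(log clock time). Please check it for worm or trojan infection.")


if __name__ == "__main__":
    per_src = summarize(parse(SAMPLE_LOG))
    bad = blocklist(per_src, threshold=5, window=10)
    print("\n".join(drop_rules(bad)))
    print("\n".join(hosts_deny_lines(bad)))
    for src in sorted(bad):
        print(abuse_report(src, per_src[src]))
```

With a threshold of 5 attempts in 10 seconds only 203.0.113.5 is listed; 203.0.113.9 also made five attempts, but spread over a minute, so it is only caught if the window is widened to two minutes. Pick the window from what your service's legitimate clients actually do, or the blacklist ends up full of them.

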
  31. Re:Killing Others' Malicious Processes by j3ss · · Score: 2, Insightful

    what we need is a sheriff; one that will honor the privacy and uphold the security of each honorable individual; but with the right to gun down the outlaws

    I would never support such a thing. An internet "sheriff" would end up under the thumb of people like the RIAA, FBI and MPAA. The internet sheriff would probably more resemble the 1990's era LAPD than the good guy on the white horse.

    We don't need MORE AUTHORITY, what we need is LESS AUTHORITY.

  32. Re:No Duty to Retreat... by shepd · · Score: 2, Insightful

    >There is a concept in law called "No Duty to Retreat," and I see no reason why it cannot be applied in much the same way to cases like this.

    In most countries, it is not allowed to kill someone anywhere (on your property or not) for any reason whatsoever, apart from imminent death or a handful of other reasons (none of which relate to computers, such as "battered wife syndrome").

    Unless that other computer is someone able to pose a real and imminent threat to your life (no, being told "I will kill you" is not a defence to murder in most countries) you have no excuse to attack.

    Just thought I'd mention that, since the internet does expand beyond your country (which, since you didn't mention it, I won't assume which one it is, but your interpretation of the law does narrow it down quite a bit...)

    Yes, this means that unless I want to restrict the exit of a burglar, I'd have to sit there and watch. It's a small price to pay to ensure they can be brought to justice.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  33. Incompetence? by EvilBudMan · · Score: 2, Insightful

    --That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.--

    What about the software companies that make their software so easy to exploit? It doesn't seem fair that the user should have to keep up with this 24/7.

  34. Totally irresponsible by Perianwyr+Stormcrow · · Score: 3, Insightful

    This policy would be irresponsible to both the owner of the system and the vigilante cracker.

    System owners get in trouble because suddenly someone has another reason to mess with their machine. It's not clear-cut even for an expert. You might say that it's criminal negligence to leave a system unsecured. Actually, no. We don't have the legal definition for these things yet. Furthermore, there's already an incentive for system owners to secure their own machines: the integrity of their own services and data.

    Vigilantes are also on thin ice because it's easy to do more than you intended when "defending the law", and even the cops are in danger when they fuck up. What will you do when you accidentally cause collateral damage in the commission of your act of citizen policing? What if you just have the totally wrong machine? You don't have the authority of a uniform and a department to back you up.

    All in all, this is a thoughtless proposal that should never be accepted by any legal authority worthy of the name.

    --

    What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey

  35. Re:No Duty to Retreat... by regen · · Score: 4, Insightful

    But the situation is not exactly analogous. Imagine two neighbors, each armed with guns. A thief breaks into neighbor 1's house, and the thief and neighbor 1 start shooting at each other. The thief shoots a bullet that travels into your house. Thinking that you are under attack in your own house, you start shooting at neighbor 1's house. Maybe you even realise that there is a thief in neighbor 1's house and you are trying to shoot the thief, but instead you shoot neighbor 1, killing neighbor 1. I don't think that you can claim self defense in the murder of neighbor 1.

    This situation is a much closer analogy.

  36. The rights of the music industry and the few by Concerned+Onlooker · · Score: 2, Insightful
    How is going into someone else's PC to kill an offending process substantially different than allowing the record industry to legally crack PCs in order to see if someone is pirating music?

    I'm guessing that one will be allowed and one won't. You can guess which one....

    --
    http://www.rootstrikers.org/
  37. Re:Killing Others' Malicious Processes by karmawarrior · · Score: 5, Insightful
    When I wrote a proposal for keeping system administrators accountable - ensuring that if someone puts a machine on the Internet, they take the necessary steps to secure it - it generated howls of outrage from people who clearly felt that there is no onus on admins to keep their machines secured and that blaming them in any way for the damage they cause is wrong.

    Jokes about the RIAA aside, which has indeed asked for laws to allow it to do exactly what you deem jokeworthy, the fact is that most people consider their PCs their own property but not their own responsibility. The view appears to be that it's ok for someone to leave a machine on the Internet available for anyone to take over, that the person who puts it there has no responsibility, and that anyone who complains, tries to get it fixed, etc, is in the wrong.

    Friends, I know that we all consider those who crack computers to be the ultimate culprits in any situation where a computer is damaged, but that doesn't mean that people shouldn't take responsibility for their own parts in allowing this to happen. Someone who quite blatantly leaves his or her keys in their car and parks outside bars would not be viewed by most people as completely blameless in the event that a drunk staggers out, takes the car, and drives it into a shop window.

    Leaving a machine unsecured and unmonitored on the Internet is a sure-fire way of ensuring it is hacked and used to attack other machines. We know this. Yet people continue to do it. They do not secure their machines once hacked, and they allow their own machines to attack others once hacked. This is negligence, pure and simple.

    This quagmire of negligent sysadmins not securing their machines, not allowing their machines to be shut down by victims yet not willing to consider the consequences of their failure to secure their machines and to turn off machines that attack others will not disappear by itself. Unless people are prepared to actually act, not just talk about it on Slashdot, nothing will ever get done. Apathy is not an option.

    You can help by getting off your rear and writing to your congressman or senator. Tell them that negligent sysadmins who are happy to keep their computers connected to the Internet all of the time but aren't willing to take basic, simple, security precautions to ensure they play with others are a danger to the security of the Internet, a menace to other 'net users, and cause billions of dollars of damage every year. Tell them that you appreciate the work being done by groups like Security Focus, BugTraq, and even the efforts made by Microsoft to secure their systems and provide easy ways of keeping their products secure, but that if those responsible for computers that are on the Internet do not make use of the tools and features made available to them, you will be forced to use less and less secure and intelligently designed alternatives. Let them know that SMP may make or break whether you can efficiently deploy OpenBSD on your workstations and servers. Explain the concerns you have about freedom, openness, and choice, and how incompetent system administration harms all three. Let them know that this is an issue that affects YOU directly, that YOU vote, and that your vote will be influenced, indeed dependent, on whether or not they are willing to propose laws that provide proper deterrents to poor system administratorship and allow those attacked by poorly managed machines to fight back.

    You CAN make a difference. Don't treat voting as a right, treat it as a duty. Keep informed, keep your political representatives informed on how you feel. And, most importantly of all, vote.

    --
    KMSMA (WWBD?)
  38. Re:No Duty to Retreat... by TFloore · · Score: 4, Insightful

    No, I don't really think you want to go out shooting anyone that pings your system. I do think most people that want this law want to have their systems running reliably, and don't really care what damage they have to cause to other people's systems for that to happen.

    Your comparison of Nimda to a brake recall on a car is actually rather interesting. It allows us to consider a lot of things that might actually make sense here, and some that don't make much sense.

    First, your comparison to a brake recall would make more sense if the people driving the vehicle didn't know their vehicle *had* brakes. Many (not most, I believe, but a large minority) of the people that were running non-patched systems when Nimda became a problem didn't know they were running IIS. This is one of the reasons MS switched to services off by default.

    Second, the manufacturer found the problem, but didn't actually send out notices, just put a note on a web site somewhere where most people don't even know to look. Unless you make a specific effort to become aware of security issues, you won't know. You either join a mailing list and wade through way too much traffic for people that have real work to do also, or regularly visit a website and, again, read through too much traffic. Yes, I'm assuming these are not dedicated sysadmins, which is the case for most small and medium-sized businesses and homes.

    Third, for people that get regular service done at a dealer service center, the driver may not know or care about recall work, the dealer does it for them. That's supposed to be one of the reasons you get regular maintenance done by the dealer. Not just because you like paying horrible prices for an oil change. :)

    This is actually worth thinking about from the point of view of computer services companies. If IBM Global Services has a support contract with your company to maintain computers, and doesn't supply a patch, they are probably negligent. If IGS doesn't do it, is the company that owns the computers negligent, if they thought IGS would? (No, I don't work for IBM, they are just a convenient example.)

    Does a home user have a requirement to have their computer serviced regularly by a professional? How about a small business owner?

    If a small business buys a microwave oven for the break room and that microwave is subject to a recall because it causes fires... If the business never hears about this (never sent in their warranty card so they don't get notices, and they don't check an online recall site) and doesn't replace it, if someone dies in a fire caused by that microwave oven, is the business liable for not exercising due diligence?

    Frankly, I don't know. I just know this is more complicated than we'd like to pretend it is. I'm looking for a quote here, something along the lines of "For every complicated problem, there is a solution that is simple, easy, and wrong."

    --
    This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?