Slashdot Mirror
Killing Others' Malicious Processes
Roland Piquepaille writes "This opinion is not mine, but the one of Tim Mullen, from SecurityFocus Online. In this story, he expresses some strong ideas regarding systems infected by worms. "I believe you should have the right to neutralize a worm process running on someone else's infected system, if it's relentlessly attacking your network. I've even written code to demonstrate the process. Though the initial news coverage of the concept was grossly inaccurate in conveying my ideas, it has stirred up a constructive dialog. I knew my idea was controversial, but I was wrong about something -- I figured everyone in the security biz would "get it" and that the hard part would be convincing everyone else that if they can't or won't secure their machines, we as the defenders would have the right to terminate the process attacking us. It has turned out to be the opposite." The author then looks at the criticisms about this strikeback idea raised by some security experts -- to dismiss them of course. Check this column for a summary or read the original story for more details."
RIAA : Great. Now, who's running Kazaa ?
yet again under another pretense.
This will be abused like all the other technology laws.
You should not interact with other's machines :
Let them fix their worm problems themselves or they may not appreciate it.
It is normal and nice to tell them they have a problem but your work stops here !
Trolling using another account since 2005.
Exactly who decides what constitutes "relentlessly attacking your network"?
A simple NMAP scan? What about Netbios scans? @Home scans for open NNTP servers... etc etc..
Trolling is a art,
There is a good justification in Mullen's letter as to why this proposal is different from the RIAA's proposed attacks on computers that they suspect of hosting unauthorised copyrighted material.
I seem to remember such a thing for unix/linux systems a while back, a search on google would probably find it.
I'm pretty sure no one liked it.(I think the creator got bashed for it actually.) Mainly for the reason that changing something to fix a worm might break another process running on your machine if not done the correct way.
If you are so worried about another machine trying to break into your own, I'd be securing yours better so you wouldn't have to worry...
The only problem with this strikeback thing is what if the machine which is infected is business-critical?
If you're going to take it on yourself to fix other people's machines, what if this causes them loss of business? And there's also varying definitions of what "strikeback" or "fixing" could mean. What if someone decides to "fix" your database server by shutting it down? Shouldn't they be held liable for the damages caused, just as someone who does that maliciously can be held liable?
There's just too many holes in this strikeback philosophy. It opens the door to tons of abuse too: "I only broke into this machine to fix it, I swear, gov'nor!"
I think it would also result in pretty dire situations when a machine equipped for strikeback mistakenly decides another machine (also strike-back-enabled) needs to be "fixed", and starts attempting to hack into it - and then the other one detects it as well, and they start concurrently trying to hack into each other... probably saturating the network with crap on the way...
Daniel
Carpe Diem
At least they can act to contain the spread of a virus, but not by killing processes on customer PCs. they can, however, disable service, whether it be a cable, *dsl, or dialup modem account. Shutting off service and forcing customers to take measures to clean their infected computers is allows by the acceptable use, terms of service, and other policies which protect the ISPs rights to take action.
perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.
This is an interesting point, because it shows the essential flaw in this logic. In all of these examples, who is acting? "The authorities", namely, the government. In this absurb "strikeback" proposal, who is acting? Vigilante sysadmins. If anything, his examples prove that we need a national cybersecurity enforcement agency, which is responsible for taking machines offline when they get virus-infected. Clearly, this is a bad idea, and that's why strikeback will never work.
Next you will be telling us that it's ok for government A to overthrow government B if it thinks B is destabilizing to it.
HHOS
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
So, if they have no rights to the process, there is no infringement against them when we neutralize it. If someone wants to claim that their rights were violated by our taking out the attacking process, then they should be held accountable for the actions of the process from its inception. They can't have it both ways.
That, I think, is a good point. The solution, however, is not to make the counterattack legal, thus continuing to absolve people of responsibility, but to make the owners of the systems legally responsible for their failure to secure their systems. If your system is 0wn3d and used to launch a DDoS attack on AOL (or Slashdot, Kuro5hin, whoever), then AOL should have the right to sue you for damages. Your incompetence caused their loss.
You say you can't afford to pay? Tough. Should have thought of that before you put your insecure system online. You say it's the fault of the manufacturer for selling the insecure system in the first place? Take them to court. Too expensive? Well, if their system is too expensive to use, then people won't use it.
Best Slashdot Co
In his Dec 15th Cryptogram Bruce Schneier provides his argument against counter-attack, and there are some interesting reader responses to this in today's issue.
Can't you see that everyone is buying station wagons?
I think this guy lives in the world of theory, where everything works "in theory".
I don't want some idiot out in the world thinking he knows more about my system than I do going in and thinking he's doing everyone a favor -- when he's actually doing damage to my system. Intentions don't mean a crock of dog doo.
If my system is spewing garbage, then it should be the right of the ISP to pull the plug until I get it fixed. That's the way these things should work.
But there's no way I want fools poking into my computer, no matter what.
Sometimes it's best to just let stupid people be stupid.
I read this the other day when it was posted on "The Register" and I didn't like it then and I don't like it now.
Why?
Well it all boils down to an attempt to legitimise hacking. If it was allowed that we could "strikeback" ( which is just a cute word for hack ) and disable the attacking process, then where do we draw the line. I think we can all agree on the extremes, but lets consider another example.
What if a website was posted on slashdot, would all of the rampaging geeks be classed as attacking processes and therefore be liable to be struckback and eliminated. I am certain that the website administrator would consider the massive increase in traffic to be an "attack" as their poor server disappears in smoke.
Personally if you are likely to be attacked get better security. You can't enter somebody's house just to close an open window.
Patriotism is the opium of the masses
Read about it here, including a nice set of pros and cons here
There are two independent issues:One is a ethical issue. Is it morally right to attack (it is attacking, irrespective of defensive or offensive reasons) somebody else's machine?
The second one is a legal issue. Does the attacked person(both sides) has any legal recourse? Do they have any credible claims for damage?
Vigilante justice, at best is stupid and at worst, can lead to a more dangerous society than one without.
What we have here is no accountability and no responsibility. A ship's Master (Captian) is responsible and accountable for the ship in his charge and the actions of his crew. The owners, or administrators should also be responsible and accountable for the machines network in their charge. Hold them to account for their malicous machines - otherwise the problem will just get worse. Who then determines a malicious process on my network? The RIAA and other large political contributors? Remember, in the U.S. at least, money controls everything. Those with it get what they want and those without it suffer.
I had a botnet using my irc server as their jumping off point. I wasn't too happy with it cause I saw an attack happen. So I went through and removed them all. I wrote up the story here if anyone wants to know how to take down a subseven network.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
I also find out that what people think is "if you know someone hacked into my server, then it must have been you that hacked my server". And this brings up the next point, if you start hacking people's computers to stop the worms, they are going to think that it was you who unleashed the worm, it is logical, they just don't know better.
What must happen is not System Administrators "hacking" every computer in the internet infected by code red or nimbda. What must happen is legislation that makes every person running a computer personably responsible for the security of that same computer. If people don't secure their server they must be penalized, instead of letting us fix the problem... even if they want us to.
rm -rf /home/leia
This guy wants to give the power to kill remote processes to everybody. Everybody includes the people that he's saying can't secure their systems to begin with. Do you want them touching your box? Didn't think so.
How do you get counter attack software and whose to say that software is safe?
... the attack itself.
What if the counterattack software has its own buffer overflow? Then we get a cat and mouse game of one machine simulating an attack and when the counter attack is made the attacker could send a response to force a buffer overflow making the counter attack
If parents don't vaccinate their children, the state takes them out of school. If a dog consistently attacks people, the authorities put it down. If someone commits three felonies, they are put away for life. This is because the rights of the many outweigh the rights of the one.
In your country perhaps, but where I live not all of those suppositions are true. And here one sees an inherent problem that such a system would create - you may be operating within the legal framework of (for instance) the US, but does that give you the rights to close down a process on a machine in Iraq, or North Korea, or any other country for that mattter?
A little planning goes a long way...
"Logic dictates that anyone who opposes a bill allowing corporate entities to attack our systems should support a technique to stop worm-ridden systems from doing the same."
This is flawed logic. The correct logic flows like so: Anyone who opposes a bill allowing corporate entities to attack our systems should oppose any technique that allows any other organization or individual to do the same.
Mr. Mullen's proposal is almost identical to the proposal made by the RIAA: let someone legally crack into a computer that is being used to do inconvenient things.
While I sympathize with Mr. Mullen's intent, this approach was wrong when suggested by the RIAA and it is wrong when suggested by Mr. Mullen.
Unfortunately, the best approach I can suggest that both contains the problem (eventually) and protects everyone's privacy to the largest possible extent is to isolate the offending computer from the rest of the Internet (possibly shutting down the user's outgoing Internet feed) until that user fixes the problematic system.
Of course, the details are the killer. How is something like this accomplished quickly enough to minimize the damage done to systems receiving the barrage of data? And does a Slashdotting result in Slashdot's Internet feed being cut?
This type of problem definitely needs a solution, but vigilante attacks are not the solution.
Becideds the blaten privicy issues etc. Lets assume computer A is attacking computer B with Worm1 which uses uses application X as its transport. The person who sees the worm attack his system he imeadeatly thinks it is work2 which uses application Y as its transport. So he gaines access of computer A and kills application Y. So he hasent killed the worm and he also killed an inocent application that may have been dooing something very important.
It is stupid to think a random person will be able to properly fix your system. Even if he is "Skilled" enough to break in he may not undertand what the system is for or what it is used for. Just because he thinks he is smart it dosent nessarly mean he is.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
who's competence is at stake did you say?
:
I'm sorry but my brain comes with a EULA
This brain is supplied "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose and the accuracy of the information contained within it
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
This is just a guy out looking for kicks and fun. If someone is "probing/attacking" your network thanks to a worm and you can't contact them, the solution is simple:
You simply block off their traffic.
Close your blinds, your door, or whatever real world analogy you would like to try and apply. You have the right to send the same traffic back to them, monkeyseemonkeydo, but in no way is it possible to justify altering the running of their machine. Doing so, is no better than the malicious process already causing the damage.
--- I do not moderate.
The only problem with this, and it was in the article, is that it wastes bandwidth. For some people with low speed links, virus attacks can take out their whole link. Blocking it at the router is no use, and it still has to get to their router in the first place for it to be dropped. The bandwidth damage is already done.
Curiosity was framed; ignorance killed the cat. -- Author unknown
I can't remember the name of the company, but last year I had just installed IIS, then ran to the store. By the time I got back, around 45min later, I had already been hit by CodeRed. There was a message on my screen saying 'You have been infected by CodeRed. We did not infect you. Your server is trying to infect us. Please look on your hard drive to prove how open your system is. You can click here for more help. Again, we did not infect you.' (something like that anyway.) They left a small folder in my WINNT/system folder that had a link to them. Once I clicked their link they had other links on how to remove it, you could download the script they wrote so you to could load it and detect other people infecting you. And they had stats on how many servers had tried to infect them already (around 2000), and they explained more how they were only trying inform those that were attempting to infect them to be more aware about codered. I have the link and script at home, not with me here. Sorry.
Yes, and.. one point I haven't seen made yet: The government can't vaccinate your children without your permission. They can kick them out of school, isolate them and make your life pretty miserable, but they can't invade their bodies without due process of law, which is missing in this equation.
And now DUCK, because here comes the straw man:
I think the main reason for the knee-jerk criticism from the likes of Schultz is that they work largely in a theoretical rose-colored world of security, where all problems are solved after a cup of coffee and a bit of pontification
While it's valid to argue that Shultz is responding knee-jerkedly (somebody have a better adverb?) It's not valid to attack him by virtue of the fact that he's an academic and to denigrate him with the cheap-shot coffee comment.
Academics study things like unintended consequences, the big picture, etc.. These are things most geeks can't be bothered to consider. While stupid academics tend to rise to the top in the media, very few are actually addle-headed theoretical bloviators. These smart people can contribute a lot to our discussions.
As for the actual argument about killing others' rogue processes, I don't have anything original to say, but in the "real world" it would be called vigilantism and trespassing.
Yes, it's a blog. Sorry if that offends you.
This concept relates to self-defense, and deadly force. Follow along with me...
If a person is in public, and is threatened, that person must make every reasonable effort to avoid the use of deadly force as a means of self defense, prior to useing such force. He must attempt to leave the scene, etc. In short, there is a Duty to Retreat.
If, however, that person is in his home, his own property, that person may use deadly force as a means of self defense without having to exhaust every means of escape or avoidance. On his own property, a person has No Duty to Retreat.
How is the scenario for Cyber-attack any different? Unlike most of the people commenting on this article, I believe you do have the right to take active measures in protecting your property.
Obviously, we're not talking about deadly force... We're simply talking about electronic countermeasures.
If an unsecured system on the Internet has been infected by a malicious program, and is now launching it's own attack against your system, your property, denying you the use of bandwidth or resources that you are paying for, I think you're perfectly within your rights to put the attack down, and if necessary, the offending system.
A person utilizing the Internet has a certain responsibility not to cause harm, either through action, or inaction. Most people on the Internet today seem tragically unaware of this. Without this, the Internet is ripe for a tragedy of the commons situation.
Is it wrong to still believe that with Rights come Responsibilities, or that with Priviledge comes Obligation?
Your rights to swing your arms around recklessly ends at the tip of your fingers, and at the beginning of my nose.
I think Tim Mullen is 100% correct, and I'm surprised there aren't more people that agree with him.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Seems to solve 99% of my problems
Yours, yes. Lots of people, and almost all companies, pay for their internet access, often by traffic. Blocking the crap at the firewall doesn't take care of that problem. In many cases, it makes it worse (due to retries).
Assorted stuff I do sometimes: Lemuria.org
Here's an analogy:
A guy in the apartment above you has left his door unlocked and then gone away. A malicous child walks in and turns the tap on for a laugh and then leaves. A while later the apartment is flooded and water is pouring though the ceiling into your property. Do you have the right to walk in though his unlocked door and turn off the tap?
I know what I'd do. It might not be legal, but I don't think anyone would stop me or arrest me and I don't think the owner would mind that much either.
Nick...
The idea of writing "strikeback" scripts, as you describe, has been tossed around before. I recall reading a quick-and-dirty script for Apache posted on slashdot some time ago that would detect attacks from machines infected with Code Red, and would then exploit the security holes Code Red had opened on those machines to clean them. I used to support this idea, but I'm afraid after some thought, I've changed my mind.
I'd agree that if a worm is running on someone's machine without their knowledge, then the owner of that machine has no rights to that process (the obvious exception being the person who is spreading the worm, who runs it intentionally on his or her own machine, but we'll ignore him or her for now). In order for you to terminate that process, however, you have to break into their machine, and run your own process. You are, in effect, creating your own worm. Your worm may only run for a short while, and may be "for the greater good", but that doesn't change the fact that you are running code on other poeple's machines without their consent.
Even if we opt to ignore the ethics and look at this from a more practical angle, can you guarantee that your strikeback process is not going to adversely affect the machines it cleanses? What if your strikeback process causes a machine gathering scientific data to reboot, or kills the wrong task? This has the potential to set someone back by several days in their work. What if it reboots a machine monitoring medical equipment? You could end up killing more than just a process, if you catch my meaning, however unlikely that may be.
Since you are intentionally running a process on someone else's machine, you are accountable for it's results. If you cause damage to a machine, or cause data to be lost, even if it is inadvertant, you open yourself up to litigation from the owners of those machines.
Treating computer processes and network connections as extensions of human being ignores the great complexity of computer systems and the irreducible nuances to responsibility, origin, and intent such machines introduce.
Translating your argument into the world of atoms, that would be like holding someone responsible for a vandal who goes into someone's unlocked car, releases the emergency brake, and lets the car go careering into a crowd of innocent bystanders. Just because computers seem to "act" does not mean that their actions are always the fault of their owners, secure systems or no.
The key is to hold those who crack systems accountable for their actions and to educate victims about how to better secure their systems. Those users unwilling or unable to secure their systems should pay third parties to secure their systems for them.
Even the best secured system is not uncrackable. Would you hold the best sysadmin in the world responsible for a script kiddie's lucky guess?
Your post says you would.
blog
Code that will neutralize South Korea!?
Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
Stealing someone else's insightful post.
Best Slashdot Co
Computers don't have rights or responsibilities. Processes don't have rights or responsibilities. If computer A attacks computer B (via a worm or whatever else.) and computer B "strikes back", self-defense is a fair metaphor, but it isn't a relevant legal or ethical argument, because the computer don't have rights.
Computers are property. More specifically, my computer is my property. I have a right to keep my property, and you have a responsibility to keep your hands off my property, and if you don't keep your end of that agreement, you've broken the law and I can bring the government into it.
Yes, your property rights are violated if my computer has a worm that attacks yours. Maybe the government will acknowledge that and step in, and maybe it won't. If you don't like the way the government handles this, elect somebody who will change it, write a letter to your legislators. But the government's refusal to step in doesn't mean, as Mullen asserts, that the owner of the attacking computer has no responsibility. It just means that the government has opted not to hold him responsible. The only way to fix that is democratically.
But suppose Mullen is right about that, and this person has no responsibility. He says "no responsibility means no rights". Wrong. The constitution says that no person shall be deprived of life, liberty or property without due process of law. In practice, that limits the action of government, not offended sysadmins. But the principle here is that my rights are my rights, and nothing I do, however, bad, foreits them automatically. Maybe, after a fair legal process, society (i.e. government) may decide to take away some of my rights (i.e. lock me up, fine me, whatever). But not before. That's a fundamental part of the social contract which makes us civilized.
Then Mullen makes a different argument: the rights of the many outweight the rights of the few. (Thank you, Spock.) Maybe. But the same principle applies. My rights are my rights. Maybe you can get a court order to require me to donate blood, if it will save 100 lives. But if you take my blood without getting the court order, you have still violated my rights and broken the law.
Now, if the guy who took my blood is a real hero, and believes what he did was right and necessary, then he'll say that going to jail is a small price to pay for saving 100 lives. Good for him. If Mullen really believes this is a case where the law runs contrary to ethics and morality, he can wear a grey hat and illegally hack systems for the greater good. But unless he's willing to wear a black hat, he'd better admit what he's doing it illegal, and a violation of rights, and be prepared to take the punishment when he does it.
IANAL, yadda.
his idea is a hell of a lot more invasive and more "wrong" than simply noting an attack, blacklisting the source and sending the ISP an email notifying them of the situation.
I realize that it's frustrating as a sysadmin to see attacks from the same place, by the same virus/worm all the time, but the answer isn't a counter strike. it's to simply contain the virus and let the people that are infected unfuck themselves and learn from their mistakes.
besides, even if it weren't morally and ethically wrong, just who would control such a program? would sysadmins have to be federally or state liscensed, much like concealed weapons holders? who would be there to ensure that the vigilante sysadmins weren't abusing their abilities and crushing boxes left and right, then claiming that they were being attacked.
no, a knee jerk reaction of "wtf! this mother fucker's infected and trying spread it on to me! fuck him! I'll fuck his box up for that shit! stupid dumbass n00b!" isn't going to advance the Internet community, sysadmins or users anywhere. just stick to blacklisting IPs and domains. it works.
The World's Worst Webcomic!
Agreed.
It says two things: first, that you're worried your systems won't withstand an onslaught, and second, that you're immature enough to resort to vigilanteism when blocking sources could've been good.
Quite what a tool to do this sort of thing for you would accomplish is beyond me. The potential for auto-DoS (read: shooting yourself in the head) is quite high. The likelihood of contributing to the problem (increased traffic over an inadequate link, for example) is all the higher for it.
Read up on iptables -m limit, and see what happens.
~Tim
--
Rushing on down to the circle of the turn
This policy would be irresponsible to both the owner of the system and the vigilante cracker.
System owners get in trouble because suddenly someone has another reason to mess with their machine. It's not clear-cut for even an expert- You might say that it's criminal negligence to leave a system unsecured. Actually, no. We don't have the legal definition for these things yet. Furthermore, there's already an incentive for system owners to secure their own machines- the integrity of their own services and data.
Vigilantes are also on thin ice because it's easy to do more than you intended when "defending the law", and even the cops are in danger when they fuck up. What will you do when you accidentally cause collateral damage in the commission of your act of citizen policing? What if you just have the totally wrong machine? You don't have the authority of a uniform and a department to back you up.
All in all, this is a thoughtless proposal that should never be accepted by any legal authority worthy of the name.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
with Mr. Mullen's proposal, is this.
He sees the world this way: 1. People are negligent, and allow machines to become compromised, which allows harm to come your way. 2. Therefore, if people will not defend their own machines, you should be able to defend yours by disabling theirs.
This is a little like the following: 1. People are negligent, and allow their cars to get stolen, which allows hit-and-run drivers to take you out with them. 2. Therefore, if people will not defend their own cars, you should be able to defend yours by being given a rocket launcher to disable theirs.
The second example sounds kinda weird, doesn't it?
I've watched "World's Scariest Police Chases" and suchwhat. If a driver's acting like a maniac, the police bust out these cars with large ramming devices on them, and beat the crap out of the offending vehicle. If someone is driving recklessly on the highway, I can't just take my SUV and ram them off the road myself.
While I may have justification for doing so -- after all, that driver is endangering me and those around me -- I do not have authority. There is a reason that only police are given the power of arrest and other various things they have. (Just try walking around with a pistol in broad daylight in Philadelphia, for example.)
Mullen would have us all issued shotguns, to defend ourselves from any would-be vandals and thieves who enter our homes. While it is justifiable for us to use these weapons against those who would cause us harm, is it really wise to give everyone a shotgun? There are most certainly those who would use them improperly. The obvious solution, of course, is to give everyone some sort of shield, that prevents them from being hit by a shotgun shell, to protect us from bad users of shotguns. But, uhm, then shotguns don't work against the vandals, because they have shields too. So a perpetual arms race against ourselves would develop.
There's a reason weapons aren't issued to us for our own defense -- collectively, we are not responsible enough to operate that way. Only special agencies are given the Authority to administer Justice; justice itself does not belong to the rest of us. Unfortunately, we don't have an "internet police force", nor would one even be desirable.
But ISPs can still pull the plug on users who aren't operating "correctly," and University and other networks can block down a MAC address if it's causing trouble. And that's about as close as we really should want.