Slashdot Mirror
Microsoft's Vigilante Investigation of Zombies
Morgalyn writes "According to an article at Information Week, Microsoft has decided to fight zombie-launched spam in their own way. In conjunction with the FTC and consumer rights groups, Microsoft set up a clean computer and then infected it. They monitored the 'zombie' over the course of 20 days - 'In those 20 days, this one computer received 5 million connection requests from spammers, and sent 18 million spam messages'. This whole operation has led to the (partial) identification of 13 different spamming groups, some of which reside in the US and may be prosecuted under the CAN-SPAM act."
Since when is setting up a honeypot considered "Vigilante"?
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
If they are working with the FCC, why would it be considered 'vigilante'?
That's like a considering a car company working with a police forensics department to determine why a car did what it did 'vigilante'.
It takes 20 days to collect data which may be used to convict the scumbags, but it takes years for Microsoft to realize there was a problem and do something about it. To be fair, this should be law enforcement, but someone has to file those John Does in a complaint.
"At the same press conference, Dan Salsburg, the assistant director of the FTC's Bureau of Consumer Protection, urged all computer users to do their part to stymie zombies. "The FTC is taking aggressive steps to stop zombies and protect consumers, but consumers also need to insure that zombies aren't on their computers," Salsburg said."
I'm sure they're shuffling paper like they've never quite shuffled before.
I just don't want to see, a couple years from now, Microsoft being awarded patents on the invention of the Honeypot.
A feeling of having made the same mistake before: Deja Foobar
>let the 18 million spams get sent!
So can't they be fined for knowingly allowing this machine to send spam?
---- There are 10 types of people in the world. Those that understand binary and those that don't
So MS sends 18 million spam messages (presumably to you and I) and that is called research?
Something that intrigues me is: Why hasn't anyone in law enforcement done this? If they already have, why is anyone listening to MS? Why is this news?
If law enforcement agencies are not doing this, I want them fired... well, that might be a knee-jerk reaction, but hellsbells, this is just plain common sense?
Support NYCountryLawyer RIAA vs People
some of which reside in the US and may be prosecuted under the CAN-SPAM act.
I'd think there were more serious charges. Did the e-mail have forged headers? Does that make it wire fraud? Is unauthorized use of one's computers not a major crime?
Zombies are entirely different from a company putting you on its mailing list without your consent. These people aren't annoying marketers, they're criminals.
________________________________________________
suwain_2
... rather than the honeynet project who have better tools, and far more experience at this sort of thing?
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
I haven't seen anywhere in the anti-spam laws that says you have a positive duty to stop spam. There doesn't seem to be any criminal culpability for getting a system hacked. The person doing the hacking and spamming is in trouble, but not the person that it happened to.
If I'm incorrect on this, please point out the relivant part of the law.
So I would presume that they had all this ok'ed ahead of time and will not be fined.
"In the game of life, someone always has to lose. To me, if life were fair, that someone would always be Oklahoma." -DKR
Or we could, I suppose, get mad at the people who developed SMTP, a system so insecure in and as of itself that anyone can pretend to be anyone else and get away with it.
Of course, that was done in a kinder, gentler time when "spam" was unknown, so I guess they can be forgiven. Then again, much of the Windows code was created long before the terms "DoS" or "buffer overflow attack" came into existence.
Naw. Much easier to hate MS. Somehow, they should have known better...
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
let's try a working analogy:
If there were people roaming the streets by the millions carrying around grenade launchers, would you sue ford if someone hit you with it and the car stopped functioning? Sure, there's a few companies out there who will sell you a car/tank that will take a hit from a grenade launcher, but it's not really feasible for 99% of the market.
BTW, those IDC's were taking an unpatched base install of the first iteration of XP. Not exactly a fair comparison considering all the patches since it was released... That's like ford offering free armor plating, and you not installing it and whining that it's not as good as one with armor plating.
Microsoft is going through the courts and the criminal justice system. In neither case is there vigilantism involved, just vigilance.
Time is Nature's way of keeping everything from happening at once... the bitch.
This will happen with nearly any O/S. I've heard the same story about any unpatched O/S whether it be RH, SUSE, OS/2 yadda yadda.
Putting any unpatched system on the net is dumb. This is not unique to MS software
I've seen some other posters mention car analogies. I think a good analogy for my point is: Would you drive a car that has had 26 factory recalls on it ?
I know for a fact that SQL Server can handle 18 million records easily, it's the transactions per a day that kills a server.
That amount of data was impossible to analyze, so Microsoft focused on the three most-active spamming days, when 470,00 connection requests were made of the PC, and about 1.8 million messages were sent through it.
How nice: they allowed 18M junk messages to go through, but could be bothered to look at only 10% of the data. Unbelievable.
Do you want the job of analyzing all 18 million messages? If they are only analyzing 10% its probably because they figure that the other 90% probably have the same source. Even if the other 90% don't, sure you would want them to start somewhere, than put off affirmative action for a few years? One way of confirming whether the 90% do come from the same source is prosecuting the spammers responsible for the 10% and then dealing with the reduced amount of spam in the next cycle.
Jumpstart the tartan drive.
I'd be amazed if it lasted 30 seconds.
:P.
When you get right down to it, cars are shitty in reliability compared to software. Off the top of my head, here are some major problems my car has, at least when looked at from a software standpoint:
1) My car is very venurable to break ins. You can smash a window, jimmy the locks and so on. It's easy, requries no knowledge to do.
2) My car doesn't deal with faulty input. If I set it in neutral and floor it, the engine will overheat and seize up. There's no system to deal with faulty operation like that.
3) My car has problems with user error. If I drive it in to a wall on accident, it'll stop functioning. Same if a user of another car makes a mistake and hits it.
Worse yet, the manufacturer will not fix ANY of these faults, even for a price. Even worse they KNEW about ALL of them when they sold the car.
Now compare that to software where we expect that it be essentially faultless and when a fault is found, that it be fixed quickly and for free.
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
Only on Slashdot
Oh. They setup a computer and watched how it could be exploited and went after the people doing the exploiting. Now that seems like a smart way to handle the problem. If it was my product then I would consider actually closing the holes that allow spammers to exploit Windows to be the best solution. But hell, what do I know?
9/11: Never forget it was a false-flag operation
Do you want the job of analyzing all 18 million messages? If they are only analyzing 10% its probably because they figure that the other 90% probably have the same source.
Fair enough, but if they are doing the analysis manually then they have already lost.
I want to drag this out as long as possible. Bring me my protractor.
I love this... I've read through the first few pages of comments and this is my observation:
Microsoft takes a pro-active step toward curbing spam, something that we universally hate, and for some reason MS is taking insult left and right.
If you're going to deride them at least do it when it's appropriate... not when they're taking a legit step toward finding a solution.
Yeah, but that's not the kicker, the kicker is that these asswipes let the 18 million spams get sent! Totally irresponsible!
Yes but sent to where? Maybe all outgoing emails from this machine were re-directed to a local dummy mail server configured to just blindly accept these mails as a function of both evidence collection and prevention of actually sending SPAM to the intended recipients.
These stories are usually light on those sorts of details.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
I am somewhat antimicrosoft, but I fail to see why this is called "vigilante". Microsoft is working openly with the FTC. They set up their own computer, it got infected and they are investigating unauthorized connections to it. As a security professional I applaud their efforts. This is no different than anyone of you making a honeypot and checking the damage.
Yay MS! Now, make Stevie B kill them (as other posters suggested:-)
Most drivers are required to take a test to determine their competency. Drivers Ed is available across the US and required for minors in most if not all states.
It would be interesting to see the same for computers. Everyone seems to know that a car needs an oil change every x miles but too few seem to know that you need anti-virus and anti-spyware installed on your computer for safe operation. Perhaps seatbelts would be a better analogy.
While I think it's generally agreed that software could be safer, I think it goes just as well to say that users could be generally more educated. The problem is that software venders advertise their products as being safe all in-one products and come decorated with a "no experience necessary" sticker on the box. I think software venders could do more to educate the masses. Cars come with an owner's manual; computers come with a user agreement.
I want this account deleted.
Something tells me that if someone put a brick through your window, it would be them that you wanted busted, not the maker of your car. Yet if someone hacks your OS, you are mad at the OS maker, not that hacker.
A delightful analogy but totally and absolutely bogus.
Just activate your cerebrum for a few minutes.
Is it reasonable to expect a car to be resistant to efforts to break into it with a brick? Clearly not, for your typical family vehicle. No reasonable person would think so.
Is it reasonable to expect a computer to be connected to the Internet, and for its user to perform simple tasks such as surfing the net, without being infected? Clearly it is, and any reasonable person who is not an apologist for the patheticly lacking security of MS (and quite a few other) products would think so.
It is just stupid to lay all the blame on the people who do the hacking. Sure they're bozos and criminals. But how in god's name does the world's largest software company, with virtually unlimited resources, get away for so long with producing software so flakey that infection is just a matter of time if you dare to connect your machine to the Internet?
Anyone with knowledge of computer systems outside the MS world should be aware that it is possible to create software that is highly resistant to attack via the network. Its hard - very hard - to make it 100% follproof, but its easy - very easy - to do one hell of a lot better than MS has done.
The people at MS are as smart as anyone but the total focus on making things easy over making them safe ties their hands. As a result millions of people have become trained to think that it is actually reasonable to pay hundreds of dollars out on anti-virus and other "security" software
[x] auto-moderate all posts by this user as insightful
It's like having a major car manufacturer build cars without locks on the doors, or with locks on the doors that don't "really lock it".
And putting the windows computer on the internet is like bringing said car to New York city, where everyone knows that this particular manufacturer doesn't put real locks on its cars.
The Internet is like Baghdad for computers but 10000 times more intense.
that analogy is in poor taste. i am in baghdad right now. people are dying here every day. your computer getting pwn3d is in no way similar; although i do understand you were merely trying to give an idea of the likelihood for danger. no harm, no foul. please be more considerate in the future.
I agree that microsoft it partially responsible (does rpc really need to be accessible by default?) - but on the other hand, until very recently your average linux install didn't take long to get 0wn3d either.
partially responsible? not a chance. they are 100% responsible until they "allow" us to control our own computers. i can not turn off several services nor can i make them listen only on the loopback. why are these services necessary for HOME users? why can't enterprise admins turn them off if they are not needed/wanted?
i do not think microsoft is wholly responsible for the drive-by IE hijackings; although even there, the fact that the same libraries and processes are used by the local filesystem indicates that they should hold the majority of the blame. let there be no doubt that they are to be held completely responsible for the remote attacks though.
strike
"Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen