Slashdot Mirror


Researchers Infiltrate and 'Pollute' Storm Botnet

ancientribe writes "Dark Reading reports that a group of European researchers has found a way to disrupt the massive Storm botnet by infiltrating it and injecting "polluted" content into it to disrupt communication among the bots and their controlling hosts. Other researchers have historically shied away from this controversial method because they don't "want to mess with other people's PCs by injecting commands," said one botnet expert quoted in the article."

261 comments

  1. It's not Really... by cromar · · Score: 5, Insightful

    It's not really messing with other people so much as preventing them from messing with tons of other infected hosts. Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

    1. Re:It's not Really... by Charred+Shaman · · Score: 2, Insightful

      Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

    2. Re:It's not Really... by moderatorrater · · Score: 5, Insightful

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
    3. Re:It's not Really... by InlawBiker · · Score: 1

      I agree. If they're unaware the bot is running they'll also be unaware of the anti-bot.

    4. Re:It's not Really... by wizardforce · · Score: 5, Insightful

      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.

      An OS shouldn't allow that, then again it shouldn't allow you to get pwned by visiting malicious web pages or opening emails either. The problem is that you're talking about a hypothetical problem that may or may not exist. Storm is real and doing real damage to the world. Sitting back and watching the fireworks just because you're afraid to break something is in my opinion irresponsible.
      --
      Sigs are too short to say anything truly profound so read the above post instead.
    5. Re:It's not Really... by Oligonicella · · Score: 1

      From your point of view, it's more moral. Others might think that allowing known destruction to continue is not. Add to that just how "effective" monitoring, locating computers and helping the owners clean them has been to date and their disagreement isn't baseless.

    6. Re:It's not Really... by ChoppedBroccoli · · Score: 4, Insightful

      You are right, it isn't necessarily a moral question. Obviously, the researchers are trying to do a good thing, and their good intentions are good and correct.

      It is more of a legal/technical question. Are you legally allowed to do this? And the major problem for researchers is that they have no cloak of anonymity like the bad guys do: they are easily linked/traced to all their actions by the mere fact that they publish their work and share their results. If anything goes wrong, or even if an overzealous user just wants to sue/go to court for the sake of suing, then the researchers are SOL.

      It IS a gray area, even if you are morally correct.

    7. Re:It's not Really... by peachstealingmonkeys · · Score: 2, Informative

      Even though I agree with you on the second half of the comment I still think you are spreading FUD with the first part. 1) "Researchers" don't "just" send the polluted hashes to the bots in hopes of it to disrupt communications. 2) They aren't "fuzzing" the bots looking for a vulnerability, that will disrupt a command channel and possibly crash a bot completely. That would be extremely irresponsible. 3) "Researchers" analyze the bot software locally in order to determine the correct hash strings to figure out the way to disrupt communication 4) obviously the 'attackers' can introduce a back process into their bot software that would destroy the bot image and OS completely if such control channel disruption is detected, however it's pointless since the bot is out of the commission anyway.

    8. Re:It's not Really... by cromar · · Score: 5, Informative
      Sure, in general that is a valid concern. However,

      The pollution attack... "overwrites" the P2P botnet's key, an identifier that's used to get command information to the bots. Storm generates keys to find other bots, the researchers noted.

      So there really isn't a risk, in this case, of executing maleficent code or overwriting large portions of anything. The Storm operators might modify the peers to self-destruct the host or something, though I doubt they will given that Storm needs the host to be at all useful.
    9. Re:It's not Really... by kaiser423 · · Score: 5, Informative

      If you RTFA, they are not sending any commands to the end computer. They are just disrupting communications between the nodes.

      Effectively, fracturing the net into multiple pieces; not taking control of the computers and doing something.

      This is not a counter-attack to the infection or anything like that. They're just jamming the comm system that the bots use. They're not actively doing anything to the bot or computer.

    10. Re:It's not Really... by el_flynn · · Score: 4, Interesting

      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.

      True, but who's to say the resident malware isn't already doing that? Although I'm sure the bot manufacturer will take quite strong measures to stop this from happening, as it would really result in a non-productive bot. So the anti-bot programmer would just have to take similar steps I suppose.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection.

      TFA says the researchers "saw between 5,000 and 40,000 machines online at a time."
      Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines? All you IT admins and helpdesk staff are already cringing at the thought of handling tens or hundreds of users -- can you even begin to imagine trying to explain to thousands of clueless users what's happened to their PC, and what steps to take to clean it?
      --
      The Wknd Sessions - Malaysian and South East Asia independent music
    11. Re:It's not Really... by msimm · · Score: 3, Insightful

      Running an infected bot is inherently risky, just like the virus or worm that caused it. Moral concerns should be moderated appropriately.

      --
      Quack, quack.
    12. Re:It's not Really... by Anonymous Coward · · Score: 0

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.

      The article explains disrupting the communication of the bots, which seems like a good direction toward preventing what these botnets can do destructively, DoS wise.

      "Finding and helping" would not only force you to identify and communicate with infected users / computers, but is in no way practical.
    13. Re:It's not Really... by Anonymous Coward · · Score: 0

      "It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run."

      Of course, everyone's assuming this story is legit. Sounds like a dummy story.

      If I were a security consultant seriously interested in messing up Storm, I'd find a friendly lab willing to propagate a FALSE story like this, which will induce the STORM controllers to do something to recheck their communication links to their zombies. Traffic analysis on such a burst of activity would be very useful for analyzing the size of the botnet, or identifying cell controllers, etc.

    14. Re:It's not Really... by hilather · · Score: 2, Interesting

      You know, wiping out a bot infected computer of any personal information or even all information might actually be doing that person a favour. It is better than having that information falling into the wrong hands. I could go either way on this, it's the computer equivalent of vigilantes. But what happens when bot net controllers start to realize identity theft is a pretty lucrative business too?

    15. Re:It's not Really... by 0100010001010011 · · Score: 1

      Maybe then the end user would be more careful in the future and it would take them off of the bot net.

      I guess I've got my Evil bit set because if I had the know how I would send a low level format command out. The bot net would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.

      Sure it's not nice, but if it gets people to actually take action then I'm all for it. There will always be more companies trying to profit, new botnets, etc, but if you can actually stop the botnet from starting by educating people, then you win.

    16. Re:It's not Really... by Anonymous Coward · · Score: 0

      Well, as far as I can gather from TFA, they're only messing up the keys sent around Storm to prevent infected computers from identifying each other. If I understand correctly, this disrupts communication, because the bots stop talking to each other. I can't see how this can do any harm to the victims' computers.

    17. Re:It's not Really... by EncryptedSoldier · · Score: 2, Insightful

      LAWL! Yeah, that's a great idea. Let's go ringing doorbells! "Hi! Are you Mrs. Smith?" "Yes, I am. And who might you be?" "I'm John, and your computer is infected with a bot-net called Storm. You and millions of other users are infected and are constantly infecting other computers without your knowledge. I can fix your computer for $200, what do you say?" And even if that worked, it won't work for everyone. Too much time needed to fix it, too much money for it to be possible. Poisoning the botnet is the way to go.

    18. Re:It's not Really... by shawn(at)fsu · · Score: 1

      I was going to add that once your pc is part of a bot net it's not really your machine anymore anyway. It's someone else's machine that you pay the electricity for and occasionally it will allow you to use it, albeit at degraded performance.

      --
      500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
    19. Re:It's not Really... by Solandri · · Score: 5, Insightful

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.
      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user. Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.
      You're comparing a concentrated loss to a distributed loss. The correct assessment in that case is to sum up the losses on both sides. Say "poisoning" Storm results in 1000 users with wiped hard drives losing $10,000 worth of data and productivity (being very generous here). OTOH say letting Storm continue to operate results in 100 million users losing $1 each worth of productivity (spam) and data (compromised systems). That's a $10 million to $100 million balance in favor of poisoning Storm. Obviously the numbers here are made up and I honestly don't know if poisoning Storm is a good idea. But the point is that you just can't look at the losses on one side and say a course of action is unacceptable due to those losses. You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.
      Do you maintain any computers for friends or family? No it won't be more effective in the long run. You help them clean their system, and they'll go right back to using it as always. In 6-12 months they'll call you back to help them clean it again. It's just an individual equivalent of a cost of doing business for them. Why should they bother to change their habits when they can pay you a hundred bucks or so every year to clean their system?

      In that light, losing all their data might be just what's needed to get them to take computer security seriously. However, I'd consider it a last resort since it's a punitive action rather than a preventative action. The long-term solution is to accept that casual users are going to run their computers like this, and to come up with mechanisms which blunt or dilute the impact of compromised systems. We're already doing this with anti-virus and anti-spyware software, as well as flaming Microsoft so they fix all the security holes in Windows. But it may or may not also involve poisoning botnets.

      Off the top of my head, I don't think you need to remove the botnet software. It's probably already secured the box against further infection. So all you need to do is scramble its communication and/or encryption so it doesn't/can't contact the bot master again. It could be as simple as changing one bit in an otherwise unused registry key. So "poisoning" a botnet may be much more benign than your worst case scenario.

    20. Re:It's not Really... by AlecLyons · · Score: 1

      it's more moral and more effective in the long run.

      And it's legal. Let's not forget that.

    21. Re:It's not Really... by Anonymous Coward · · Score: 2, Funny

      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.

      And if I were a botnet author, I'd make absolutely sure that signs of such tampering would result in this (the DISABLE_ZOMBIE command in version 1.00 effects the WIPE_WHOLE_DRIVE command in update 1.01). Watch as the self-appointed saviour destroys the data (bla bla backups) on half a million computers world wide.

      The road to Hell...
    22. Re:It's not Really... by guruevi · · Score: 4, Funny

      Actually, it would be better to wipe their hard drive clean since then they would be directly impacted and see the loss caused by their stupidity. I already heard from users: yeah, I know I have a virus/trojan but it doesn't really do anything bad to my computer and that virus scanner makes my computer slower so I'll leave it there.

      Also, it would give us geeks some extra income and we would have the opportunity to load Ubuntu on their machines.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    23. Re:It's not Really... by MagdJTK · · Score: 2, Insightful

      I would argue that it is a computer owner's moral responsibility to make sure it's not doing any harm to others.

      If someone leaves their bag unattended at a train station, they should expect it to be destroyed in order to protect the public. If someone doesn't secure their PC and it becomes a hazard to others, shouldn't it be taken out too, by any means?

    24. Re:It's not Really... by Toandeaf · · Score: 2, Informative

      Mod points are not supposed to be used as "I agree".

    25. Re:It's not Really... by ohtani · · Score: 2, Insightful

      Since when would saying something along the lines of "del infectedprogram.exe" be the same as "format c:"?

      --
      Pancakes. Oh I blew it.
    26. Re:It's not Really... by veganboyjosh · · Score: 1

      The bot net would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.

      One problem I see with this is that the proverbial grandmother, whose infected machine has slowed or stopped working altogether, then associates Apple, Ubuntu, and FreeBSD with the reason why her computer stopped working. To her, and thousands like her, their machine stopped working, and now the people (behind the curtain...) want her to stop using MS? They must be evil, if they'll shut down her computer to get her to use "their" products.

    27. Re:It's not Really... by Anonymous Coward · · Score: 0

      If this is the same method as the one that was discussed on here a couple of weeks ago, then the researchers aren't sending commands at all.

      Storm works on P2P systems, and as such nodes in Storm request work by issuing searches on the P2P network just like you would search for a file name. When another node has a command it replies back to the search with a specific file name, then the requesting node retrieves the file name (command) just like you would retrieve a file on P2P.

      The researchers "poison" storm by making lots of nodes that reply back to the search request but don't actually have anything. So the requesting nodes are less able to get a command because they get overloaded with bogus search returns.

      In short, the poisoners aren't sending any command, they are preventing others from sending commands.

    28. Re:It's not Really... by Anonymous Coward · · Score: 5, Insightful

      Is it wrong to do something to an out of control car rolling down a hill on fire towards a school full of people? This is a lot like a computer being part of a botnet. It is possible you could cause some damage to the car which is not yours by directing it out of the way, but if you don't something bad will certainly happen.

    29. Re:It's not Really... by bryce4president · · Score: 1

      So you have a botnet, it's running amok causing unknown amounts of damage to people's property and putting even more people in harm's way. And you really think it's a bad idea for a few experts to scramble a hash on their computer "because it might wipe out their HDD". You have to have a better argument than that! I want to see an example of how you can scramble the hash and cause this. Has anyone proved that it can even be done? Until I see proof that there is a high risk that these guys could accidentally erase someone's HDD I say go get the bastards. That's like saying we shouldn't have attacked Germany in WWII because someone innocent might die. Yeah, it's war, innocent people die in war. The goal, however, is to keep that number as small as possible. The proportion of people saved in WWII heavily outnumbered the possible innocent lives that would be lost, and maybe I'm stretching the analogy a bit here, but I think that the number of HDDs that would be negatively affected is far lower than the amount of good that would come out of this. my $.02

    30. Re:It's not Really... by Anonymous Coward · · Score: 0

      Nah, I'd just automate the process. Send some sort of message to each person who is infected, letting them know that you will fix their computer for $200. Of course, to figure out who is infected, maybe you could put a program of some kind on an infected person's computer, which then puts this program onto the computer of everyone near them, etc. Then we can just send a message to all these people, letting them know that they're infected and asking for money!

      We'll call the program the Storm Penetrating Automated Messenger, or SPAM for short.

    31. Re:It's not Really... by 0100010001010011 · · Score: 4, Funny

      "Your version of Microsoft XP has expired. Please buy a version of Microsoft Vista at your nearest authorized Microsoft dealer. If your computer does not support Vista you will be required to upgrade your computer.

      Thank you for supporting Microsoft".

      How's that?

    32. Re:It's not Really... by graphicsguy · · Score: 3, Interesting

      Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines?

      If it's easy to detect the traffic to/from a botnet computer, they should be cut off by their ISP. The ISP can then offer them both instructions and to sell them PC cleaning as a service before allowing them to re-activate their connection.
    33. Re:It's not Really... by rocketPack · · Score: 2, Insightful

      Should I not be held (somewhat) responsible if my unprotected gun is used in a crime? A computer with an internet connection has inherent risks, it's the user's responsibility to secure and protect their own goods against damage, as well as malicious uses.

      If your computer is damaged in an effort to mitigate a large-scale botnet causing massive infrastructure problems and costing people money, then perhaps you could at least learn something from the process.

      I don't feel sympathy for their (speculated, potential) loss/damage, I feel pity for their ignorance. My dad always told me not to use tools without understanding how to use them properly and safely, there's no reason this logic can't apply to computers.

    34. Re:It's not Really... by geekoid · · Score: 1

      Well, maybe your family are a bunch of idiots, but my family, and others I have dealt with have learned and developed better computer habits.

      I hate that excuse so much. It's no different than any excuse a fascist uses to 'fix' a problem.

      This is an OS problem, and should be fixed as such.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    35. Re:It's not Really... by idontgno · · Score: 5, Insightful

      Yeah, It's the botnet equivalent of counter-espionage. Really one for the good guys here.

      Well, possibly, but I think the moral conundrum isn't about attacking the botnet itself, but about the owners of the computers the botnet is unwittingly hosted on. All this "poisoning" activity affects the zombied PCs, after all.

      To use a (non-car) analogy: Germany invaded Belgium in WWII. That was morally bad. Later, the allies counter-invaded Belgium. That was morally good. But the battles involved in both invasions weren't particularly great for Belgians.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    36. Re:It's not Really... by street+struttin' · · Score: 0, Redundant

      Wait, if you what? What does RTFA mean?

    37. Re:It's not Really... by sabt-pestnu · · Score: 1

      if I had the know how I would send a low level format command out.

      Leaving aside the issue of "they'll just do it again", your strategy fails in that by doing this, you take out one node at a time. Much like a virus that is "too successful" and kills its host before it reproduces.

      I think you would get better results by passing your 'counterinfection' on for a bit before de-botting completely.
    38. Re:It's not Really... by Moridineas · · Score: 1, Interesting

      Well, if you agree, you probably feel that point is "+1 Insightful" or "+1 Interesting" whatever.

      I do agree that the system of moderating on slashdot is HIGHLY overused by those who use them for their opinions. I've been guilty of this at times too, though I try not to.

      Maybe we do need a "+1 I agree, good thinking!" and a "-1 I disagree, that's stupid!" that count as a different class of points. Dunno.

    39. Re:It's not Really... by Cro+Magnon · · Score: 3, Funny

      And, can you picture the reaction of a Christian grandmother when her computer flashes the BSD devil at her?

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    40. Re:It's not Really... by Anonymous Coward · · Score: 0

      And common sense is not supposed to be used at "slashdot".

    41. Re:It's not Really... by Anonymous Coward · · Score: 0

      If someone's pet dog is rabid do you not have the right to shoot it?

    42. Re:It's not Really... by Esc7 · · Score: 2, Insightful

      I think the wording here should be that poisoning the botnet would be the MORAL thing to do (Stopping the botnet is a good thing for all!) But it would not be the ETHICAL thing to do (Respecting people's privacy is the rule that we hold to).

      And in all dilemmas between morals and ethics the "right" thing to do must be weighed very carefully, there are no hard and fast rules that can be applied carte-blanche.

    43. Re:It's not Really... by hostyle · · Score: 1

      your sig sucks.~

      --
      Caesar si viveret, ad remum dareris.
    44. Re:It's not Really... by SanityInAnarchy · · Score: 1

      Seriously, this is no moral question. "Poisoning" Storm is nothing but a good idea.

      Unless there's a problem with the command you send out and it completely wipes the end user's hard drive and all their personal data or does something else destructive to the infected user.

      Which the original bot might easily have done.

      By the time a user is participating in a botnet, they are a lost cause. If you want to help them, fine, but do it before they get infected.

      And anyone who doesn't do backups WILL lose data, it's only a question of when.
      --
      Don't thank God, thank a doctor!
    45. Re:It's not Really... by Anonymous Coward · · Score: 0

      I don't know, a friend of the family recently opted to handle a severe malware infection by calling Dell support. Dell support directed her to use the hidden recovery partition, which promptly fdisked, formatted, and reinstalled Windows. Either way stupidity gets its proper reward.

    46. Re:It's not Really... by flibuste · · Score: 1, Informative

      Since your ./ ID is over the million, you must be new here and, in a grand welcoming gesture of mine, I will share this Slashdot secret with you. RTFA=Read The Fucking Article.

    47. Re:It's not Really... by bigstrat2003 · · Score: 4, Insightful
      It's not particularly illegitimate to use them in that fashion, though. It's a matter of allocating limited resources, really. While I'll mod up posts I disagree with, but are insightful, if there are no posts I agree with available... I'd rather spend those mod points giving karma to people I agree with. Is it fair? Not entirely, but with only 5 or 10 points, there's only so much good you can do.


      The real moderation bias which is a cause for concern is modding with negative mods as a substitute for "disagree". That's bullshit, and there's no excuse for it.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    48. Re:It's not Really... by ultranova · · Score: 1

      And anyone who doesn't do backups WILL lose data, it's only a question of when.

      Just out of curiosity: how the heck do you backup a 500 GB hard disk ?

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    49. Re:It's not Really... by Anonymous Coward · · Score: 2, Insightful

      Due to technical realities actively commanding a person's PC without permission may be the only way to counter these bot nets. If you fail to secure your system properly and ISPs are unwilling to block these compromised systems then the law should allow it. If you suffer data loss then that was no different than damage caused by fire fighters trying to stop a fire from spreading.

    50. Re:It's not Really... by Mister+Whirly · · Score: 1

      What is the difference between you remotely controlling someone's PC in an unauthorized manner, and the people running the botnets doing the same? Intent? That is a really lousy ruler in which to measure actions, and is opening a large can of worms....

      --
      "But this one goes to 11!"
    51. Re:It's not Really... by Hadlock · · Score: 2, Informative

      In many states you can be sued for improperly providing CPR. In fact, it happens quite a lot.

      --
      moox. for a new generation.
    52. Re:It's not Really... by whitehatlurker · · Score: 1
      this is no moral question

      Think of the other Stormbot researchers they've potentially messed up ... this could be an ethical problem if they're preventing other people from working on the worm. ;-)

      --
      .. paranoid crackpot leftover from the days of Amiga.
    53. Re:It's not Really... by couchslug · · Score: 4, Insightful

      "It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run."

      It would also be prohibitively complex and expensive. The idea that morality obligates us to do things that are wildly unlikely to work is questionable.

      Consider "help them clean their computer and prevent another infection" for what it REALLY means. That can be anything from a complete reinstall of the OS and all apps to replacing the computer with a more secure (and securED) OS because the original machine isn't suitable. There is no reasonable guarantee afterwards that the machine won't get 0wn3 again by the same or a new threat.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    54. Re:It's not Really... by smellsofbikes · · Score: 1

      >You have to compare the losses that might happen if you take action, to what losses will happen if you don't take action.

      I like your argument, but I think it's based on a flawed premise. If I know my neighbor's going to take a gun and go shoot a bunch of people, so instead I shoot him first, I have done exactly what you're advising -- but I still will get charged with murder.
      If they're doing things to a botnet that can modify infected computers, that's illegal, even if their intentions are good. You can't do something illegal to stop illegal behavior.
      If all they're doing is disrupting comm, then I don't know whether that's legal or not. But if they're doing things that could result in injury to users' computers, they're in the wrong, whatever their motivations.

      --
      Nostalgia's not what it used to be.
    55. Re:It's not Really... by hesaigo999ca · · Score: 1

      The problem is when they don't pay for you to repair their computers,
      but expect you to, because you are family

    56. Re:It's not Really... by Mister+Whirly · · Score: 3, Insightful

      "So there really isn't a risk, in this case, of executing maleficent code or overwriting large portions of anything."

      That was also the line of thinking by Robert Morris when he released "the great worm" back in 1988. We know how that turned out. There is ALWAYS some risk.

      --
      "But this one goes to 11!"
    57. Re:It's not Really... by PRMan · · Score: 4, Informative

      Actually, the paper presented at the conference

      http://www.usenix.org/event/leet08/tech/full_papers/holz/holz_html/

      mentions that the fracturing attack does not work. The Storm botnet currently only does 2 things.

      1. It sends spam e-mails if it receives a file in a spam template format with another file containing a list of addresses.

      2. It commits a denial-of-service attack against a host if it receives a different templated file.

      What the researchers are proposing is to become a sender and to send out floods of blank files faster than the actual operators can send out their real files. As a result, the hosts are too busy downloading the 2200 phony files to get around to the 1 real one.

      The time it takes for all the network nodes to get around to the real file eliminates the power of the botnet, reducing its effectiveness to that of a few machines even if it contains tens of thousands.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
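
Added example, not part of PRMan's comment or the cited paper: a small model of why a 2200:1 decoy ratio leaves only a handful of bots acting on a command in time. The random download order, the 40,000-bot fleet and the 10-download window are assumptions made here for illustration.

```python
"""Added illustration: dilution model of the decoy flooding described above.

Assumptions (constructed, not from the comment or the paper): a bot works
through its search results in uniformly random order, one download per time
step, and acts as soon as it hits a real command file.
"""
import random
from fractions import Fraction


def p_reached(decoys: int, real: int, fetches: int) -> Fraction:
    """P(bot has downloaded at least one real file within `fetches` steps).

    Drawing without replacement, so P(miss) = C(decoys, k) / C(decoys + real, k).
    """
    total = decoys + real
    k = min(fetches, total)
    miss = Fraction(1)
    for i in range(k):
        miss *= Fraction(max(decoys - i, 0), total - i)
    return 1 - miss


def expected_fetches(decoys: int, real: int) -> Fraction:
    """Mean downloads until the first real file: (N + 1) / (real + 1)."""
    return Fraction(decoys + real + 1, real + 1)


def effective_bots(bots: int, decoys: int, real: int, fetches: int) -> float:
    """Expected number of bots holding the real command after `fetches` steps."""
    return float(bots * p_reached(decoys, real, fetches))


def simulate(bots: int, decoys: int, real: int, fetches: int, seed: int = 1) -> int:
    """Monte Carlo check of effective_bots() with a fixed seed."""
    if real < 1:
        return 0  # nothing real to find
    rng = random.Random(seed)
    total = decoys + real
    active = 0
    for _ in range(bots):
        # 0-based position of the earliest real file in this bot's random ordering
        first_real = min(rng.sample(range(total), real))
        if first_real < fetches:
            active += 1
    return active


if __name__ == "__main__":
    BOTS = 40_000   # constructed fleet size ("tens of thousands")
    DECOYS = 2200   # decoy-to-real ratio quoted in the comment
    WINDOW = 10     # constructed: downloads a bot completes while the command is still useful
    print("mean downloads to reach the real file:", float(expected_fetches(DECOYS, 1)))
    print("bots acting in window, no decoys:", effective_bots(BOTS, 0, 1, WINDOW))
    print("bots acting in window, polluted:", round(effective_bots(BOTS, DECOYS, 1, WINDOW), 1))
    print("simulated:", simulate(BOTS, DECOYS, 1, WINDOW))
```

Under these assumptions the fleet still holds every infected machine, but the share that reaches the real file inside the window is only `WINDOW / (DECOYS + 1)`.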
    58. Re:It's not Really... by bigstrat2003 · · Score: 1

      >Maybe even install a bootloader to display Apple, Ubuntu, & FreeBSD's websites.

      It's been said before, but apparently needs to be repeated: users are a bigger security risk than the OS could ever aspire to be. To quote the wikipedia entry on Storm:

      >When an attachment is opened, the malware installs the wincom32 service, and injects a payload...

      How do you propose to stop stupid users from manually opening malware, just by giving them a new OS?
      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    59. Re:It's not Really... by ruin20 · · Score: 2, Informative

      No, they're changing the key. Essentially you're decoupling the node. Everything is there, it's just the password for that particular node of the botnet is reset. That doesn't change the fact that the ability to execute malicious code is still there and if anyone tracked the keys that were used to overwrite that of the botnet's, they could set up their own network.

      --
      Oh honey look... How cute... an angry slashdotter!
    60. Re:It's not Really... by apoc.famine · · Score: 1

      Onto another 500gb disk. Or two 250gb disks.

      I do both, albeit with 320gb drives. My main system has mirrored 320s, and once a month or so when I think of it, I back those up to two 160gb drives on another system.

      In another few years when my storage needs expand, the 320s will go in the backup computer, and I'll mirror a couple of 600gb drives in the main computer, and off-line backup onto the 320s.

      --
      Velociraptor = Distiraptor / Timeraptor
    61. Re:It's not Really... by British · · Score: 1

      "It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection."

      While your hippie-friendly Midwestern almost passive-aggressive method might be nice, it won't work. I'm betting 99% of these botnet computers are just average joes who wouldn't understand what a botnet is. If their computer gets trashed, blame it on the malicious bot. If their computer gets trashed, hey, one less botnet on the network! They should have backed up their system botnet or no botnet.

      Let the real-life game of Darwinia continue.

    62. Re:It's not Really... by ruin20 · · Score: 2, Interesting

      We typically consider distributed loss less harmful than concentrated loss. We call means for turning concentrated loss into distributed loss insurance. You run the same calculation on that and I'm pretty sure you'll find that it favors scrapping insurance rather than keeping it. Oh and you could say the same with crime and taxes for law enforcement. Or social security. There's a price paid in human or emotional capital associated with concentrated loss. People usually are willing to pay to prevent that.

      --
      Oh honey look... How cute... an angry slashdotter!
    63. Re:It's not Really... by Ethanol-fueled · · Score: 4, Funny

      Since your /. ID is under the millions, and you aren't new here, then you should know that nobody on /. Reads The Fucking Articles.

    64. Re:It's not Really... by Artuir · · Score: 1

      Eh, it's just the ol' Slashdot Linux-user elitism rearing its ugly head again.

    65. Re:It's not Really... by geekboy642 · · Score: 5, Informative

      You can be sued for anything. Being sued for something doesn't mean that act is: illegal, immoral, unethical, or mean.

      That said, many many jurisdictions in the United States have a so-called "Good Samaritan" law. This is a law that protects you from criminal charges and--depending on the state--lawsuits. For instance, the law in Texas is quite broad and protects anyone who acts in good faith from any civil damages. On the other hand, California's law is much more strict, and protects only licensed EMTs, Doctors, Nurses, etc. at the actual scene of an emergency.

      Know the law in your state! http://www.cprinstructor.com/legal.htm

      --
      Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
    66. Re:It's not Really... by IKILLEDTROTSKY · · Score: 1

      Am I the only one who secretly hopes storm is a living entity that may try to destroy mankind?

    67. Re:It's not Really... by Ethanol-fueled · · Score: 2, Interesting

      Note that you said unprotected gun. I'll assume that you meant to imply that if you give your gun to some schmo and he uses it for evil then you should be responsible.

      What the bad guys are doing (to use your gun analogy) is breaking into your house, finding your firearm and picking its trigger lock, then loading it with their own magazine and ammo and then using it for evil. Would that be your fault? No. Now envision the same scenario except that you left your door open and the perp walked right through it. It still wouldn't be your fault, and you wouldn't be criminally charged as long as you had no idea that the perp was going to use your gun. You may, however, be sued for negligence.

    68. Re:It's not Really... by Anonymous Coward · · Score: 0

      When the name of infectedprogram is "/F /S /Q C:\* foo" :P

      del /F /S /Q C:\* foo.exe is no fun

    69. Re:It's not Really... by moxley · · Score: 4, Insightful

      I understand what you're saying, but I am not sure I agree in full.

      There is no question that biased moderations occur - this is a large part of why meta-moderation is important - it is a way to "moderate the moderations."

      Certainly I am sure that even when people are being responsible that personal opinions can come into play. I am sure we all may have made blunders in this way before.

      "INSIGHTFUL" is supposed to mean exactly that, that the comment is insightful, interesting is supposed to mean interesting, etc.

      If people are truly abusive as a pattern, the meta moderation system should catch them. Labelling comments as "Agree" or "Disagree" has no relative value because such comments are so subjective and (other than turning an issue into a popularity contest) doesn't serve the community by providing useful feedback that can be used to determine who is eligible to moderate, etc.

    70. Re:It's not Really... by Subbynet · · Score: 1

      I think you stopped early in that analogy.

      Do you think Belgium would have been better liberated, or under the control of Nazi Germany? That's the point.

      --
      Mega Mobiles www.megamobiles.co.uk
    71. Re:It's not Really... by Dan+Ost · · Score: 1

      I would be shocked to find out that not all 50 states have "good samaritan" laws enacted that protect individuals who are attempting to help without hope of personal gain or reward.

      --

      *sigh* back to work...
    72. Re:It's not Really... by Anonymous Coward · · Score: 0

      Ah, like the "Watch Out For Pickpockets" signs at the entrance to old-time Circus shows-- that caused people to reflexively check to make sure that their wallets were still there, thus obligingly telegraphing the location of said wallet to whoever got the job of trying to retrieve it...

    73. Re:It's not Really... by sexconker · · Score: 1

      Bad Car Analogy.

      More like:

      Is it wrong to inject a cancer patient with a treatment drug without them knowing?

      Yes - it is wrong. Maybe I want to be part of the botnet. Maybe I don't trust your new drug. Maybe your new drug gives me MORE cancer. Maybe your new drug heals me, and then I find out what you did, and am still angry.

      You have to get the word out to people who are infected, and then let them know what can be done about it.

    74. Re:It's not Really... by sexconker · · Score: 1

      *Woosh!*

    75. Re:It's not Really... by TheSkyIsPurple · · Score: 1

      No, it's really not the same.

      In one case, lives are obviously at risk.
      In the other, it'd be a real stretch to say lives would be at risk, and would be less at risk based on what you'd be doing to the machine.

      Just because a burglar broke into my house doesn't give you permission to go gallivanting through.

    76. Re:It's not Really... by Anonymous Coward · · Score: 0

      >The real moderation bias which is a cause for concern is modding with negative mods as a substitute for "disagree". That's bullshit, and there's no excuse for it.

      Eh, "overrated" is a pretty good substitute for "wrong." Especially if someone has already posted stating how they are wrong. Mod one up, one down. Overrated doesn't harm karma. It makes sense NOT to have wrong stuff at +5, Insightful.
    77. Re:It's not Really... by sexconker · · Score: 1

      When I signed up for internet access, I don't recall a clause saying that if I'm infected with a virus, I'll be cut off.

    78. Re:It's not Really... by Sancho · · Score: 2, Insightful

      I don't think that it's feasible to identify people who are infected and help them clean their computers--at least, not for these researchers. Also, there's no patch for human gullibility--so what's to say that the person won't get infected all over again?

      While I think that poisoning Storm is a gray area, I don't think that these researchers are going to be able to lead the charge to clean up end users' PCs.

    79. Re:It's not Really... by khallow · · Score: 3, Interesting

      You're comparing a concentrated loss to a distributed loss.

      One ugly thing malicious software can do is a "retaliation" strategy (a cooler name is welcome). If you try to destroy or render it ineffective, then it attempts to do the same to the computer that it's on. If I can't have your computer, then you can't have it either. Maybe tit for tat. So if the user stops trying to fix things, then the bot stops retaliating. This would be interesting on a collective level since the bot network might start destroying data, if it detects poisoning attempts.

    80. Re:It's not Really... by Maxo-Texas · · Score: 1

      Is it wrong to shoot someone who is high on drugs, has a history of violence while intoxicated, and has a gun in their hand?

      If it's okay to put them down, it certainly seems okay to me to put down their computer.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    81. Re:It's not Really... by Ihmhi · · Score: 1

      What kind of command could accidentally wipe out a person's hard drive? They're probably changing some communications settings in the Storm software and not messing with the host computer itself so much.

      RESEARCHER 1: "So what's the command to mess up a storm zombie?"
      RESEARCHER 2: "distree /y c:"
      RESEARCHER 1: "I thought you said DELtree /y c:"
      RESEARCHER 2: "My god..."

    82. Re:It's not Really... by Anonymous Coward · · Score: 0

      >There is no question that biased moderations occur - this is a large part of why meta-moderation is important - it is a way to "moderate the moderations."

      That's why I always abuse the meta moderation system with my own opinionated biased meta-moderation. :)

    83. Re:It's not Really... by Sancho · · Score: 1

      I don't understand how they would do this without either being in the middle of the bot communication (being in-line between many infected hosts.) Otherwise, they must be interacting with the bots, which is where the danger lies. Suppose that the bot is configured to self-destruct if it receives a bad communication hash?

    84. Re:It's not Really... by Sancho · · Score: 1

      Wait, what? What do you want Microsoft to do about people opening a postcard that ends in .exe?

      The exploits that Storm tries to use to automatically infect people don't work on patched versions of the browser. People who don't update their computers aren't Microsoft's fault. People who click on unsafe downloads aren't Microsoft's fault. So what is it that you want them to do, exactly?

    85. Re:It's not Really... by Actually,+I+do+RTFA · · Score: 2, Informative

      How do you propose to stop stupid users from manually opening malware, just by giving them a new OS?

      By making data clearly different from executables? I mean, how about "The attachment you are trying to open is NOT a movie/picture/sound/etc. It is a program that has unlimited access to your machine."

      --
      Your ad here. Ask me how!
    86. Re:It's not Really... by sexconker · · Score: 1

      "You're comparing a concentrated loss to a distributed loss."

      You're comparing someone's private property to the entire botnet, without regards to a person's rights.

      I don't care if the botnet turned into Skynet and launched all the nukes in the world. You don't invite yourself onto someone else's property to fix things. Maybe they like the botnet.

    87. Re:It's not Really... by Moridineas · · Score: 1

      I like the fact that my first post got a "-1 Offtopic" and yours gets a "+3 Insightful" ;-)

      What the AC said--The meta-moderators are the same people who are moderating. If moderators are biased and using mod points to forward their opinions, it stands to reason that metamoderators will do the same thing.

      Agree/Disagree points--I think you're right, and it's probably not a good idea. On the other hand, it could act as an indicator of what people are interested in. That is, even if one post has 400 agree/400 disagree (balance out) -- it still shows that 800 people care about it somehow. Kinda like digging a post? I don't know, this is all just off the top of my head.

      Really the one reliable thing on slashdot does seem to be if you start off a post with "I've got karma to burn..." or "I'm going to get modded down for saying this..." the reverse is going to happen!

    88. Re:It's not Really... by Bryansix · · Score: 2, Insightful

      I'm sorry but while this idea looks good on paper it is bullshit in real life. Most people with home Internet service have more than one computer on their network. Then you have business customers who have 5-100 computers on their network. They can't just walk up to the infected computer and take it offline because they don't know which one it is. Most Anti-Virus programs can't fully detect things like the storm worm and some even get eaten alive by it. A much better thing would be an automated service that just emails the customer to notify them of the problem so they can take action.

      I say all this because I'm tracking a botnet right now and it's a pain in the ass. The last thing I need is for my Internet to go off. This would take down our phones as well since we have hosted VOIP and would bankrupt our company. I don't think an ISP wants that lawsuit on its hands. I already have Trend Micro's Client/Server security agent installed on all of the computers here. Still the problem persists.

    89. Re:It's not Really... by Sancho · · Score: 2, Interesting

      If you think about the terms used:
      Informative means providing information. In the context of Slashdot, it should be information pertaining to the topic. This is not highly subjective, until you start talking about tangents.

      Interesting is highly subjective. What's interesting to one person may be flat out boring to another. It's probably a bad moderation, but it's always going to be biased.

      Insightful is somewhere between the two. Realistically, it ought to be reserved for times when a poster comes up with new and unique information--an insight, if you will--into the current thread.

      I don't think there's really a place for "I agree" or "I disagree" moderation. If you disagree, rebut the post. If you agree, post an agreement that adds to the discussion or just keep on reading. Leave agreement and disagreement to the slums of Digg.

    90. Re:It's not Really... by SanityInAnarchy · · Score: 1

      Onto DVDs, onto large web services (Amazon AWS), or onto other hard drives.

      Or you back up what you care about. Out of that 500 gig disk, is there actually 500 gigs you care about losing? 250 gigs? 100 gigs?

      I'll bet you can find 10 gigs or so that you actually need -- figure another 10 gigs for the OS if you're on Vista, and 20 gigs is pretty easy to back up these days.

      --
      Don't thank God, thank a doctor!
    91. Re:It's not Really... by Hadlock · · Score: 1

      You, sir, have seen too many Seinfeld episodes.

      --
      moox. for a new generation.
    92. Re:It's not Really... by Sancho · · Score: 1

      So they're suggesting DOSing the zombie computers? That sounds like a great idea without any repercussions.

    93. Re:It's not Really... by Sancho · · Score: 1

      It's not particularly easy.

      One of the problems is that the Storm network uses the Overnet protocol to communicate with its peers. That's the only real way to identify Storm from network traffic, but there can be false positives.

      What you can detect is someone sending spam or (apparently) involved in a DOS. And if ISPs detect this, they should notify the user and/or shut them down.

    94. Re:It's not Really... by Drgnkght · · Score: 1

      I'm stunned you actually believe that.

      There's a reason why no one wants to volunteer when the phrases "Is there a Doctor in the house/plane/etc?" or "Does anyone know CPR?" are uttered in movies and real life. It's a phenomenally good way to get sued.

      PS: Be Shocked.

    95. Re:It's not Really... by Sancho · · Score: 2, Funny

      And years of training will cause the users to just click "Yes" so that they can see their naked picture of Natalie Portman petrified in hot grits.

      The damage has already been done.

    96. Re:It's not Really... by Sancho · · Score: 1

      No, what they're doing is tricking you into giving them your gun. It's a much stickier and gray situation.

    97. Re:It's not Really... by Sancho · · Score: 1

      >And anyone who doesn't do backups WILL lose data, it's only a question of when.

      My grandfather never backed up his data, and he never lost it. He died before he could.

      People who make absolute statements tend to be wrong eventually.
    98. Re:It's not Really... by Hotawa+Hawk-eye · · Score: 1

      Who, other than a NATO-type international task force, would have the resources to reach out to those 40k users and help them clean their machines?
      Microsoft? After all, we have ample evidence that if a user's machine pops up a dialog, they'll click OK. Just get Microsoft to send out an automatic, urgent, must-be-installed update that clears out Storm (call it "Microsoft Performance Enhancement Update" or something else sufficiently nice) and people will install it.
    99. Re:It's not Really... by Anonymous Coward · · Score: 0

      All this "poisoning" activity affects the zombied PCs, after all.

      God forbid they affect zombied PCs

    100. Re:It's not Really... by overkill1024 · · Score: 2, Funny

      I think 2^20 or 1,048,576 is a much better cutoff. One million is just an arbitrary number gained from the use of base 10.

    101. Re:It's not Really... by russotto · · Score: 1

      Just because their computer's being ordered around without their permission doesn't mean that it's right for you to start ordering it around without their permission too. Then there's the issue of liability if something goes wrong, etc.


      If their computer is being ordered to beat up my computer, or some other innocent computer, I have every reason and moral right to use my computer to order it to cease and desist.

      It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection.


      Yeah, that's worked so well so far. Direct action to stop the botnets is dangerous in many ways (not least in that the authorities object to anyone usurping their role especially when they aren't willing to do anything themselves), but there's nothing _wrong_ with it.
    102. Re:It's not Really... by russotto · · Score: 1

      And if I were a botnet author, I'd make absolutely sure that signs of such tampering would result in this (the DISABLE_ZOMBIE command in version 1.00 effects the WIPE_WHOLE_DRIVE command in update 1.01). Watch as the self-appointed saviour destroys the data (bla bla backups) on half a million computers world wide.


      Acceptable loss. The botnet is STILL dead.
    103. Re:It's not Really... by m.precursor · · Score: 1

      I still firmly believe that the use of deadly force against anyone intoxicated, mentally disturbed, etc, is murder. Therefore I believe that it is not okay to "put them down". Regarding the computer, kill it, put it down. Computers aren't humans. Computers can be fixed, humans can't once they are dead. That is the difference. If we don't use deadly force on humans we can fix them, take out a leg and an arm. Shoot the gun out of their hand with a .50 cal. The real problem is money. We don't shoot limbs off of humans when they are being stupid because they will sue the living crap out of whatever agency took their hand. That along with the fact that the medical expenses are going to be through the roof.

    104. Re:It's not Really... by menace3society · · Score: 1

      Personally, I'd be fine with the poisoning software trashing the disk, as long as it left an easy-to-find message saying, "Get some better security for your system! You got hacked!" If it got even 10% of the people so affected informed about the issue, it would be a major victory.

    105. Re:It's not Really... by Anonymous Coward · · Score: 0

      Oh man, that's how Shinku defeated Kanaria in rozen maiden~ desu.

    106. Re:It's not Really... by Eighty7 · · Score: 2, Insightful

      You can be sued for anything. Being sued for something doesn't mean that act is: illegal, immoral, unethical, or mean.

      I think his point was that they can sue you and they can win. Are there any good samaritan laws for hacking into someone's computer? Rather the opposite, I think.
    107. Re:It's not Really... by Eighty7 · · Score: 1

      when the bot writer says it is.

    108. Re:It's not Really... by ScentCone · · Score: 2, Insightful

      I like dogs, and would never hurt one for no reason. But I'd still kill a rabid one, especially if I thought it was about to hurt someone else. Finding its owner, and thoughtfully explaining the history and mitigation strategies related to rabies - as the dog is chewing some kid's arm off, or killing someone else's pet - might feel more politically correct, but it's absurd, too. Poisoning the botnet is a good thing.

      --
      Don't disappoint your bird dog. Go to the range.
    109. Re:It's not Really... by logicpaw · · Score: 2, Interesting

      Do you think the Confederate states would have been better liberated, or under control of the U.S.? That's the point.

    110. Re:It's not Really... by CRC'99 · · Score: 1

      >Is it wrong to do something to an out of control car rolling down a hill on fire towards a school full of people? This is a lot like a computer being part of a botnet.

      >It is possible you could cause some damage to the car which is not yours by directing it out of the way, but if you don't something bad will certainly happen.

      As usual on slashdot, the severity of your example is way out of proportion with what is actually happening... How many people has a botnet killed? How many will it kill? Injured? None? Righto - Move along.

      While an issue, these things won't endanger life or safety - don't try to justify things by comparing them to things that will.
      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
    111. Re:It's not Really... by Anonymous Coward · · Score: 0

      If moderators are biased and using mod points to forward their opinions, it stands to reason that metamoderators will do the same thing.

      Some but not all. I metamoderate all negatives except the most obvious (e.g. obvious spam, etc.) as unfair and all positives except obvious mistakes (e.g. positive for spam) as fair. This is to metagrief karma griefers. [Chaotic-good laughing aloud here.]

    112. Re:It's not Really... by LaskoVortex · · Score: 1

      in a grand welcoming gesture of mine, I will share this Slashdot secret with you. RTFA=Read The Fucking Article.

      A more /. style grand welcoming gesture would be to introduce them to the acronym GIYF and let them figure it all out for themselves.

      --
      Just callin' it like I see it.
    113. Re:It's not Really... by rocketPack · · Score: 1

      finding your firearm and picking its trigger lock, then loading it with their own magazine and ammo and then using it for evil

      What part of 'unprotected gun' suggests a trigger lock and a properly stored ammo and magazine? When I said unprotected gun, I mean, for example, a gun sitting in an unlocked drawer, loaded and without a lock.

    114. Re:It's not Really... by killerkalamari · · Score: 1

      If you format then they'll just reinstall. Better to wipe out the BIOS if you can. The result will probably be them buying a new computer. But soon that will get too expensive. Money seems to speak to even the dumbest of people in a way more powerful than a well reasoned argument.

    115. Re:It's not Really... by Anonymous Coward · · Score: 0

      >It would be far better to monitor the botnet, find the computers involved and then help them clean their computer and prevent another infection. It's not as simple or efficient in the short term, but it's more moral and more effective in the long run.

      Obviously you're a Democrat...
    116. Re:It's not Really... by killerkalamari · · Score: 1

      Sorry, I don't know Windows anymore... I haven't used it in years. Would you like me to set up Linux for you? No? Oh, well, let me know if you change your mind. *Click*

      vs

      Sure, let me ssh in and check that out. Okay fixed, yeah no problem. Love you too, bye.

    117. Re:It's not Really... by KGIII · · Score: 1

      Allow me to extend that, if I may... If the data destroyed is in some way controlling a life function (envision a hospital or the data that holds something like a patient's allergies) and the result is the loss of a human life, is it still an acceptable loss?

      --
      "So long and thanks for all the fish."
    118. Re:It's not Really... by mechapants · · Score: 1

      Rogers in Canada does this already.

    119. Re:It's not Really... by irving47 · · Score: 1

      It's a good bet you're subject to your ISP's AUP or TOS, like it or not, know it or not. Many many pages of fine print that usually raise the blood pressure of a customer doing anything other than plain vanilla email or web surfing. Chances are, your router running NAT violates their rules, somehow! After all, you should be paying them an extra $20/month for your TiVo or Vonage line...

      --
      I had a sucky sig.
    120. Re:It's not Really... by monsted · · Score: 1

      If they were configured to self-destruct, this would be much easier. Just send junk to all of them and watch them disappear :)

      I know this has been done with some other bots that hung out on IRC channels. An oper would lurk in the channel and wait to see the password being used, then when he got it would use it to make all of the bots uninstall themselves, then brace himself for the incoming DDoS his server would receive shortly after that from the pissed off script kiddie who saw what happened :)

    121. Re:It's not Really... by Anonymous Coward · · Score: 0

      'the use of deadly force against anyone intoxicated, mentally disturbed, etc, is murder'
      He made the choice (or not, but then he should not be wandering in the street either) to render himself dangerous.
      You cannot predict someone else's reaction.
      The only way you can call it murder is if you actually have a way to prevent him doing damage without putting yourself in danger.
      Thing is, most people (including me) have actually no skills to take someone off for sure without putting themselves in danger in case it fails.
      And the only way you can be sure someone cannot counterattack is if he is dead or unconscious.
      Period.
      I am no karateka, nor a highly trained shooter that can actually shoot a hand when the whole body is a way easier target....

    122. Re:It's not Really... by dw604 · · Score: 1

      I don't think they even RTFS - it's clearly stated they are interrupting communications ;)

    123. Re:It's not Really... by oliderid · · Score: 1

      I really don't know about your confederate states but as a Belgian I would like to point out that we are truly grateful, especially those of the previous generation who still remember those brave Brits/Commonwealth soldiers and GIs who distributed chocolates to kids on their way to the front. My mother (4 years old in 1944) still remembered it.

    124. Re:It's not Really... by hesaigo999ca · · Score: 1

      LOLOL... I hadn't thought of that one, I have so many *nix boxes myself,
      I guess I could throw out my copies of Windows and say I don't have it anymore...
      But if they end up buying a copy, I would still be stuck in that situation.

    125. Re:It's not Really... by Killjoy_NL · · Score: 1

      Then that computer should not have been connected to the internet.

      --
      This is the sig that says NI (again)
    126. Re:It's not Really... by TyIzaeL · · Score: 1

      >I know I have a virus/trojan but it doesn't really do anything bad to my computer and that virus scanner makes my computer slower so I'll leave it there.

      It's disgusting how often I hear this argument.
    127. Re:It's not Really... by Dan+Ost · · Score: 1

      If I provide CPR to someone who needs it, at least here in Tennessee I'm shielded.

      Take a look at http://www.cprinstructor.com/legal.htm

      Almost all the states are listed there.

      --

      *sigh* back to work...
    128. Re:It's not Really... by somersault · · Score: 1

      So.. you're saying that we should have left Belgium alone?

      --
      which is totally what she said
    129. Re:It's not Really... by Mister+Whirly · · Score: 1

      Unless they were directly threatening your life at the time, it would be illegal. Right and wrong are irrelevant when it comes to the legal system.

      --
      "But this one goes to 11!"
    130. Re:It's not Really... by sexconker · · Score: 1

      Actually, no. I have no such restrictions.

    131. Re:It's not Really... by bigstrat2003 · · Score: 1
      Data already is clearly different from executables, though. You don't have to have much expertise to differentiate *.exe from *.mpg, *.jpg, *.wav, etc. As far as I've ever seen, users just aren't interested in learning this stuff. They're content to just have the computer be a magic black box that they always say yes to, cause it has their best interests at heart. That's the real problem.


      At this point, I've given up on the current generation of users. My hope now is that people in their 20s and younger, as they get older, will be less afraid of the damn machines, and be willing to learn, because they're used to computers.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    132. Re:It's not Really... by russotto · · Score: 1

      If the data destroyed is in some way controlling a life function (envision a hospital or the data that holds something like a patient's allergies) and the result is the loss of a human life, is it still an acceptable loss?
      In the same sense that the death of a hostage is an acceptable loss when capturing or killing the hostage-takers, yes.
    133. Re:It's not Really... by KGIII · · Score: 1

      No mod points and though I don't agree with you I'd say that that was a very interesting/thought provoking response.

      --
      "So long and thanks for all the fish."
    134. Re:It's not Really... by SanityInAnarchy · · Score: 1

      That is also nitpicking. How old was your grandfather when he created said data? ...Fine, I'll use semantics. Your grandfather did lose all his data, by dying. He no longer has access to any of it. Not that making backups would've helped...

      --
      Don't thank God, thank a doctor!
    135. Re:It's not Really... by Vlad_the_Inhaler · · Score: 1

      I assume the Belgians were not quite as grateful after WW1, which was largely fought on Belgian territory.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    136. Re:It's not Really... by KGIII · · Score: 1

      Shouldn't but could be and probably is, unfortunately. There aren't too many terminals in hospitals or any other business that I can't go to and use shortcut keys to run anything I'd like and, from there, get to the 'net. If I can get out someone smarter can get in. But no, it shouldn't be connected. PCs shouldn't be infected either.

      --
      "So long and thanks for all the fish."
    137. Re:It's not Really... by Actually,+I+do+RTFA · · Score: 1

      You don't have to have much expertise to differentiate *.exe from *.mpg, *.jpg, *.wav, etc

      Yeah, but .mpg.exe can be confusing, especially if you don't know the machine you are on (not your usual one), has extensions off.

      --
      Your ad here. Ask me how!
    138. Re:It's not Really... by oliderid · · Score: 1

      As far as I know Germany invaded Belgium and broke its neutrality status in WWI. Albert I (king at that time) kept the British expeditionary force and the French army out of the Belgian territory until the very last moment (even if the French wanted to settle their defence on Belgian soil). They were allowed to enter into Belgium after the Kaiser invaded it.

      After the Antwerp fiasco, a big share of the Belgian army had to take refuge in the Netherlands (neutral in WWI) and they were forced to stay in prisoner camps until the armistice afaik. The remaining Belgian army took position on the French/British line and they were cut off from their family for 4 years.

      I saw reports dating from that period where Belgian cities were forced to deliver food stocks to the occupying army, steel and countless other goods. It dramatically destabilised the economy of the occupying country. Some regions were on the verge of a serious famine during the first year of occupation.

      It looks to me that the joy of the liberation would have been quite similar. The Kaiser's army was far more civilised than the Hitler one, nevertheless they acted like invaders and the country suffered greatly. War is always a misery and those who bring it are cursed by the local population.

    139. Re:It's not Really... by Rich0 · · Score: 1

      Yes, but most Good Samaritan laws don't protect medical professionals.

      So, when you shout "is there a doctor in the house" most likely 3-4 volunteers who took a community CPR class might stand up, but any doctors would hide under their seats. Gotta love politicians...

  2. Botnet wars by Anonymous Coward · · Score: 0

    ... at 11! Place your bets!

  3. Hmm... by Anonymous Coward · · Score: 0

    Perhaps I am a bit naive, but if they are able to successfully "pollute" the botnet, why not simply send out code that instruct the bots to destruct (uninstall) themselves? As a former programmer, I certainly understand the difficulty in the protocol implementation, but if they've already gained enough insight to disrupt communication protocols, surely they can send out a termination signal. After instructing the bot to pass on the termination signal to the other bots, of course :-)

    1. Re:Hmm... by kirbysuperstar · · Score: 1

      Probably a silly question, but what if there is no stop/terminate command? I mean, I guess there would be, but it's not completely far-fetched to think there might not be one.

    2. Re:Hmm... by Kiralan · · Score: 1

      Not naive at all, and potentially a valid attack. This assumes the bot has that command in its design. Otherwise, it would be necessary to overwrite the bot with a different program, which makes just about any form of counter-attack possible, as you are now the bot-master for that bot and its subordinates.

      --
      V for Vendetta: People should not be afraid of their governments. Governments should be afraid of their people.
    3. Re:Hmm... by sjs132 · · Score: 1

      I vote to inject a "sleep" command into the hive collective. If we could get close enough, we could bring down the whole cube. Oh, What were we talking about again?

      --
      --- Relax, that mass muderer is just trying to reduce our carbon footprint, one fetus at a time...
  4. Botnet or Skynet? by mathimus1863 · · Score: 1

    Is anyone else bothered by the fact the summary might as well say "skynet" instead of "botnet" and it would make just as much sense.

    I think the future has arrived.

    1. Re:Botnet or Skynet? by sjs132 · · Score: 1

      I am here to protect you, John Conner.

      --
      --- Relax, that mass muderer is just trying to reduce our carbon footprint, one fetus at a time...
  5. Fair Play by FurtiveGlancer · · Score: 4, Interesting

    I submit that it's inherently fair and perfectly ethical to disrupt those who invade and steal from others. Even if the theft is one of compute cycles. Usually, we call those who disrupt invaders and thieves "heroes."

    --
    Invenio via vel creo
    1. Re:Fair Play by CRC'99 · · Score: 1

      I submit that it's inherently fair and perfectly ethical to disrupt those who invade and steal from others. Even if the theft is one of compute cycles. Usually, we call those who disrupt invaders and thieves "heroes."

      I agree. Let's invade Iraq.
      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  6. Great Idea!?... by doc_doofus · · Score: 1

    Because "What could possibly go wrong?"

    --
    Disclaimer:IANAL/MD/PhD-Just the local yokel PC "doc" ~If you're not having fun, then you are probably doing it wrong.
  7. Add free article. by AltGrendel · · Score: 2, Informative
    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:Add free article. by amplt1337 · · Score: 1

      Wait... I'm confused. How do I add a free article? And why am I supposed to be adding content?

      --
      Freedom isn't free; its price is the well-being of others.
  8. Re:Lesbian Strapon Porno update. by Anonymous Coward · · Score: 0

    Can someone please let me know if they thought this was useful?

    No, it wasn't. ;)

  9. Re:too much time on their hands? by Anonymous Coward · · Score: 1, Insightful

    ...like maybe perhaps research methods of disrupting botnets and see what results that type of research produces?

  10. Who is liable in the event of retaliation? by Tanman · · Score: 3, Interesting

    Ok, so here's a fun question: Let's say the botnet creators get pissed off and send out a code change that makes one of the standard commands change to be something like, oh, "wipe hard drive." The botnet creators then use different commands, but the researchers come along and issue the old command, thus wiping the users' hard drives.

    Are the researchers liable since they technically issued the offending command while logged in as a remote user without the owner's permission?

    1. Re:Who is liable in the event of retaliation? by drrck · · Score: 5, Informative

      TFA states that they are changing the hash values that the bots use to talk to one another. They aren't issuing commands, they're interrupting the communication of the bots.

    2. Re:Who is liable in the event of retaliation? by WK2 · · Score: 2, Insightful

      I thought of that too. It might be a good way for the botnet operators to keep security researchers off their backs. Fortunately, the botnet operators don't want to damage the computers any more than the security researchers do. Less, in fact, because the botnet operators think they "own" said computer.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    3. Re:Who is liable in the event of retaliation? by Anonymous Coward · · Score: 0

      Bluntly? Good. All those machines drop off of Storm, they lose their entire channel to send out SPAM, and the retards who didn't take the time to secure their machines get a memorable lesson in what happens when you slack on security.

    4. Re:Who is liable in the event of retaliation? by Tanman · · Score: 1

      So, the botnet people can issue out a new version that states that if the bots connect to the net but do not receive appropriate commands, then they wipe the machine. Different approach, same deal -- the machines get wiped, for better or worse, because the security researchers muck up the works.

      If there is important enough data on one of those machines, or even if not and enough lawyers get involved, they'll be looking to make someone pay.

    5. Re:Who is liable in the event of retaliation? by saskboy · · Score: 1

      At least the Borg analogy holds, because cutting off communication to a drone, tended to kill it in some episodes. Died of loneliness, essentially.

      --
      Saskboy's blog is good. 9 out of 10 dentists agree.
    6. Re:Who is liable in the event of retaliation? by Placido · · Score: 1

      Maybe but it would cut the publication of the counter attack.

      --

      Pinky: "What are we going to do tomorrow night Brain?"
      Brain: "I would tell you Pinky but this 120 char limi
  11. Inject a vaccine? by Ritz_Just_Ritz · · Score: 1

    It would be nice if the researchers could find a way to inject a "cure" and disable the malware on the target computer. I wouldn't have any moral/ethical problem with that. Of course, I guess it all depends on who is defining "malware." The RIAA might convince a judge that it is "OK" to inoculate PCs against P2P (pick your favorite client).

    Cheers,

    1. Re:Inject a vaccine? by txoof · · Score: 1

      It would be nice if the researchers could find a way to inject a "cure" and disable the malware on the target computer.

      Once an infected host is identified, that data should be sent off to the ISP and the host should be blacklisted until the owner can be contacted and the computer cleaned. A simple method would be for bot-tracking squads to send authenticated lists of infected hosts to ISPs. The ISP would then block any and all outgoing requests on that host until the owner cleans up their computers. The ISP could then direct any web queries to a page informing them of the problem.
      It's not perfect, but it could definitely ameliorate a good chunk of the problem. I'm sure some clever bot-herder would then try to take advantage of the reporting and blacklisting system and cause blackouts, but that's a problem for someone else.

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    2. Re:Inject a vaccine? by Aram+Fingal · · Score: 1

      You would have to be careful not to repeat the mistakes of the Welchia worm. This is a worm destroying worm which attempts to remove the MS Blaster worm and download and install the patch for the vulnerability which MS Blaster (and Welchia itself) uses to infect computers. The problem is that Welchia disrupted network activity and caused PCs to reboot at unexpected times to complete installation of the security patch. It is, therefore, considered to be malware and is removed by all the major antivirus products.

  12. I blame the ISP's by Anonymous Coward · · Score: 0

    ISP's can shut your service off if they detect you are spamming.. I've had clients with infected machines get shut off by their ISP (their entire Internet connection), so I know they can do it.

    ISP's should stop investing in killing legitimate traffic (Torrents) and put that focus on keeping the Internet clean by disconnecting infected machines until they are fixed. Most ISP's offer free AV too, and I'm sure there are still some nubs out there who have no clue. Shut them off and they'll get a clue real quick.

    1. Re:I blame the ISP's by drrck · · Score: 3, Insightful

      ISPs aren't going to turn people off as Joe Sixpack has no idea what a bot is or where spam comes from. They would probably switch providers, as it's a lot easier than cleaning your computer.

    2. Re:I blame the ISP's by psydeshow · · Score: 1

      ... I know there must be some people who enjoy speaking to ISP customer service reps, but most of the Sixpacks I know would rather get their computer cleaned, or just not use it at all.

  13. Unlogical by Anonymous Coward · · Score: 0

    You're basically the Dr. McCoy to the original poster's Spock. If Mr. Spock was here, I'm sure he would disagree with an argument based on the need of the many.

  14. Actually Reading the Article by Kiralan · · Score: 4, Informative

    To the ones worried about the ethics, at least in this case: What the researchers did, in a sense, is change the 'name' and/or 'password' the bot uses to call the bot master and authenticate itself. In short, they removed the ability of the 'bot to get more commands.

    --
    V for Vendetta: People should not be afraid of their governments. Governments should be afraid of their people.
    1. Re:Actually Reading the Article by geekoid · · Score: 1

      Yes, but did they need to access a computer they weren't authorized to access in order to do it.
      That's the question.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  15. Armageddon by spleen_blender · · Score: 2, Insightful

    The war. IT BEGINS.


    Seriously I'm personally excited by the fact that this essentially seems to offer a great draw to people with security skills to try being offensive where most of their efforts would be used defensively before.

    1. Re:Armageddon by Anonymous Coward · · Score: 0

      Security professionals going on the offensive may result in a slightly reduced number of DDoS attacks/spam as well since the botnet owners will have to spend some of their time being on the defensive for a change.

  16. Public Key Cryptography and Message Signing. by CodeBuster · · Score: 5, Insightful

    I predict that the botnet authors will respond with the following counter-measures:

    1) Command messages sent to the botnet by the operator will employ public key cryptography and message signing so that bots can determine real commands from headquarters (i.e. the bot net operator) from fake ones.

    2) The bots themselves will use encryption to communicate amongst themselves and employ secret handshakes once the encrypted channel has been established to detect imposters. It would not be difficult to arrange for the botnet to automatically coordinate and begin punitive attacks against hosts which attempt to inject false commands into the botnet.

    1. Re:Public Key Cryptography and Message Signing. by Uncle+Focker · · Score: 3, Informative

      2) The bots themselves will use encryption to communicate amongst themselves

      They already do that now. That's one of the major issues with tracking down the whole extent of the botnet.
    2. Re:Public Key Cryptography and Message Signing. by el_flynn · · Score: 2, Funny

      And I would like to add my prediction: the botnet will implement captchas or kittens to detect the fake bots.

      --
      The Wknd Sessions - Malaysian and South East Asia independent music
    3. Re:Public Key Cryptography and Message Signing. by Captain+Spam · · Score: 2, Informative

      Actually, if I'm not mistaken, TFA claims that the researchers are using those exact vectors to do their counterattacks. As in, they mess with the encryption key so that any data that comes in from the controllers or other bots will be reported as bogus due to the controller/bot keys not matching. This, in a large way, renders the bot harmless, as it will now ignore all orders, expecting something signed by a key that will never arrive.

      It's honestly a clever way to pull it off, though it does open the door to a malicious someone planting a legitimate key to someone else's commands, assuming it's as easy as the researchers seem to indicate to plant a bogus one. Or re-attacking the machine to put a Storm key back in.

      --
      Demanding constant attention will only lead to attention.
    4. Re:Public Key Cryptography and Message Signing. by jandrese · · Score: 1

      The good news is that it's so damn hard to implement a crypto system properly that the botnet authors have probably screwed something up, especially since they can't just rely on a single host (or pool of hosts) to store the crypto keys (those would be an easy target for the anti-botnet folks). Key management is the #1 area where people screw up their crypto systems.

      --

      I read the internet for the articles.
    5. Re:Public Key Cryptography and Message Signing. by Anonymous Coward · · Score: 0

      Putting on his cynical hat....

      Wow!! What incredible insight you have.

      Removing cynical hat...

      These things you call for have already happened, and on top of these is the addition of root-kits to several of the smaller malware applications.

    6. Re:Public Key Cryptography and Message Signing. by CodeBuster · · Score: 1

      As in, they mess with the encryption key so that any data that comes in from the controllers or other bots will be reported as bogus due to the controller/bot keys not matching.

      This is probably due to a flaw in the bot implementation which allows input data to smash the stack and overwrite the stored public keys which are being used for cryptography operations (the session keys are presumably negotiated online with Diffie-Hellman exchange). If the bot authors patch this vulnerability allowing key overwrites then the cryptography approach would still be sound.
    7. Re:Public Key Cryptography and Message Signing. by querist · · Score: 2, Interesting

      For your first point (1), there are some issues:

      The encryption itself will only be partly effective, since the bot needs to have the decryption key available, it would simply be a matter of analysis to locate the key. This would allow researchers to intercept messages headed to the bots.

      Messages to the Command and Control will still be protected if public-key crypto is used.

      The signatures will not be able to be faked, so your approach is correct in that it would prevent the researchers from injecting commands.

      And for point (2):

      The bots can use PKI to talk among themselves, but because each bot will have its own keys (and how will they negotiate keys to encrypt?) the process should be at least observable at a much deeper level unless the programmers are very careful to have considered a man-in-the-middle attack and, for example, used signed keys. This would prevent forgery of signatures, but would still allow the researchers to intercept any communications for a bot which the researchers can control. A small percentage, but in a lab this could allow the researchers to decode at least some of the "Secret Handshakes" used, those being the ones for bot to bot communication.

      Communication TO the Command and Control, however, would remain inaccessible.

      However, public key encryption is notoriously hard on the CPU, requiring many more cycles when compared to a similar (equal protection from brute force attack) symmetric algorithm.

      I guess your approach will work partially, but enough to make life difficult for "the good guys".

    8. Re:Public Key Cryptography and Message Signing. by CodeBuster · · Score: 2, Interesting

      it would simply be a matter of analysis to locate the key.

      Allow me to be more clear: the key stored in the bot code would be the public key of the botnet operator so even if the researchers found it, it would not help them to sign false messages. For that they would need the private key which, of course, would be retained by the botnet operator and never distributed. If the correct signature cannot be forged without the private key then the command messages would be safe, even if analysis recovered the public key from the bot binary.

      Messages to the Command and Control will still be protected if public-key crypto is used...The signatures will not be able to be faked, so your approach is correct in that it would prevent the researchers from injecting commands.

      Right and right again. I should have been more clear about the public key issue in the message signing part of the original post.

      The bots can use PKI to talk among themselves, but because each bot will have its own keys (and how will they negotiate keys to encrypt?)

      The Diffie-Hellman key exchange algorithm does not require PKI to work, although the addition of PKI can make it more secure. If PKI is not employed as part of the key exchange then it is vulnerable to man-in-the-middle (MITM is usually difficult to do in practice over TCP/IP due to timing and network latency issues among other difficulties).

      the process should be at least observable at a much deeper level unless the programmers are very careful to have considered a man-in-the-middle attack and, for example, used signed keys

      PKI between bot instances is impractical. There are too many instances (on the order of hundreds of thousands at least) and how would they securely store their individual private keys and distribute and forward all of their public keys? They could use naive Diffie-Hellman, but not PKI for inter bot communications. I agree that this would be vulnerable to analysis in a controlled environment.

      This would prevent forgery of signatures, but would still allow the researchers to intercept any communications for a bot which the researchers can control. A small percentage, but in a lab this could allow the researchers to decode at least some of the "Secret Handshakes" used, those being the ones for bot to bot communication.

      Right, I agree. Although it might be somewhat cumbersome to set up the controlled environment. You would need at least two (2) bots in the sandbox network that can be induced to communicate with each other with a third host performing the MITM and analyzing the secret handshakes (which occur after the secure connection is established via Diffie-Hellman).

      Communication TO the Command and Control, however, would remain inaccessible.

      Right, and this is probably how the really important operations are executed anyway, under the command and control of the botnet operator.

      However, public key encryption is notoriously hard on the CPU, requiring many more cycles when compared to a similar (equal protection from brute force attack) symmetric algorithm.

      Right and the PKI for the command and control protocol would have to use big keys because if they are cracked then the entire command and control network is cracked (probably 2048 bit RSA would be used). The private key for message signing on the command and control protocol would be an attractive target to say the least. As for slowing down the machine that probably wouldn't tip off the naive user/owner since they will probably chalk it up to "their computer is old" or "well, that is Windows for you".

      I guess your approach will work partially, but enough to make life difficult for "the good guys".

      That is all that the botnet author really needs to do, make it hard enough so that people don't want to bother with attempting to disrupt the bot network.
    9. Re:Public Key Cryptography and Message Signing. by Anonymous Coward · · Score: 0

      Uhm, if it's running in my virtual machine, how will it hide itself any better than commercial DRM?

    10. Re:Public Key Cryptography and Message Signing. by Sancho · · Score: 1

      It's hard to screw up asymmetric encryption. The hard part would be managing a key store for the PUBLIC keys (that's the only key you need to keep, and it would not be useful for botnet researchers.) The private key would be kept on the individual zombie and used to sign encrypted messages to the peers, and decrypt messages destined for it.

      A researcher couldn't send a command to the botnet from the botnet controller--it wouldn't have the botnet controller's private key. It could act as a peer (with its own private key and public key in the keystore), but presumably the power one peer has over another is fairly limited.

    11. Re:Public Key Cryptography and Message Signing. by umbl3r · · Score: 1

      they used to do that, until we started spoofing IPs and just sat back and watched the bots destroy themselves. lol

    12. Re:Public Key Cryptography and Message Signing. by ymgve · · Score: 2, Insightful

      It's a good thing the storm "encryption" is just plain XOR with a 40-bit string that hasn't changed in half a year, then.

    13. Re:Public Key Cryptography and Message Signing. by jandrese · · Score: 1

      That's exactly my point. Real encryption is hard and it's not likely that even a well organized bot author is going to get it right.

      --

      I read the internet for the articles.
    14. Re:Public Key Cryptography and Message Signing. by ymgve · · Score: 1

      Correcting myself, I meant 40-byte, not bit. Still just as weak, though.
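
The weakness discussed in this sub-thread (a fixed, repeating XOR key, analysed with the help of a node the researchers control), shown as an added example that is not part of the original thread or of any researcher's tooling. The key, the messages and every function name are constructed for illustration; nothing here is Storm's real key, traffic or message format.

```python
# Added illustration. The key and all messages are constructed for this
# example; none of it is Storm's real key, traffic or message format.
from typing import List, Optional, Sequence, Tuple

KEY_LEN = 40  # key length quoted in the thread above

# Constructed stand-in for the secret: 40 distinct bytes.
SECRET_KEY = bytes((7 * i + 13) % 256 for i in range(KEY_LEN))

# Constructed plaintexts. MSG_LAB is sent by a node the analyst controls,
# so its plaintext is known in full; the other two are "captured" traffic.
MSG_LAB = b"PEER-HELLO id=0001 role=node seq=0001 note=constructed-sample-a"
MSG_PEER = b"PEER-HELLO id=0002 role=node seq=0417 note=constructed-sample-b"
MSG_OTHER = b"STATUS ok; queue=12; note=constructed-sample-c, unknown to the analyst"
HEADER = b"PEER-HELLO id="  # assumed fixed prefix shared by every hello message


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same call obfuscates and restores)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_pair(a: bytes, b: bytes) -> bytes:
    """XOR two ciphertexts made with the same key; the key cancels out,
    leaving plaintext XOR plaintext without any key knowledge."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_key(samples: Sequence[Tuple[bytes, int, bytes]],
                key_len: int) -> List[Optional[int]]:
    """Merge known-plaintext fragments into a (possibly partial) key.

    Each sample is (ciphertext, offset, known_plaintext). Every known byte
    gives one key byte, k = c XOR p. Conflicting fragments raise ValueError,
    which is how a wrong guess about the plaintext shows up.
    """
    key: List[Optional[int]] = [None] * key_len
    for ciphertext, offset, known in samples:
        for i, p in enumerate(known):
            slot = (offset + i) % key_len
            k = ciphertext[offset + i] ^ p
            if key[slot] is not None and key[slot] != k:
                raise ValueError(f"known plaintext conflicts at key byte {slot}")
            key[slot] = k
    return key


def decrypt_partial(ciphertext: bytes, key: Sequence[Optional[int]]) -> str:
    """Decode with whatever key bytes are known; unknown positions show '?'."""
    out = []
    for i, c in enumerate(ciphertext):
        k = key[i % len(key)]
        out.append("?" if k is None else chr(c ^ k))
    return "".join(out)


if __name__ == "__main__":
    ct_lab = xor_repeating(MSG_LAB, SECRET_KEY)
    ct_peer = xor_repeating(MSG_PEER, SECRET_KEY)
    ct_other = xor_repeating(MSG_OTHER, SECRET_KEY)

    # 1. Key reuse alone leaks structure: identical prefixes XOR to zero.
    print("ct_lab ^ ct_peer:", xor_pair(ct_lab, ct_peer)[:20].hex())

    # 2. A 14-byte known header exposes 14 of the 40 key bytes.
    partial = recover_key([(ct_peer, 0, HEADER)], KEY_LEN)
    print("header only     :", decrypt_partial(ct_peer, partial))

    # 3. One fully known message of 40+ bytes exposes the whole key,
    #    after which unrelated traffic decodes completely.
    full = recover_key([(ct_lab, 0, MSG_LAB)], KEY_LEN)
    print("full key        :", decrypt_partial(ct_other, full))
```

A signature checked against an embedded public key, as proposed earlier in the thread, does not fail this way: recovering every byte the node stores still yields no signing key.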

  17. We must destroy the net by wiredog · · Score: 1

    in order to save it.

  18. Sadly by Anonymous Coward · · Score: 0

    Sometimes the disease kills the host.

  19. when you are fighting people by circletimessquare · · Score: 4, Insightful

    who have no regard for morals or ethics, scrupulously conforming to morals and ethics hampers your ability to fight

    the danger of course, is not to become what you fight by doing that

    so you slightly bend the rules, all the time, without making the sort of flat out transgression of major moral issues that constitutes what criminals do

    but you will still get flak from people who expect moral certitude from those who fight criminals, and criticize you like no tomorrow, all the while completely ignoring and not criticizing the criminals themselves

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:when you are fighting people by geekoid · · Score: 1

      The criminals aren't criticized because we know they are wrong, they're criminals.

      "scrupulously conforming to morals and ethics hampers your ability to fight"

      Yes, like needing warrants, or seeing that the innocent people you arrest have an 'accident'.
      Innocent until proven guilty, and all that pesky stuff, really who needs it~

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:when you are fighting people by EvolutionsPeak · · Score: 1

      I think people just expect other people (maybe not often enough) to not be hypocritical. It is not a matter of them thinking the people who fight criminals are worse than the criminals or ignoring the criminals. It is just a matter of maintaining fairness.

    3. Re:when you are fighting people by dave562 · · Score: 1

      To find fault with the sin and not the sinner...

    4. Re:when you are fighting people by Anonymous Coward · · Score: 0

      in this case, if we stopped using a really dumb/simple email protocol, the criminals would have a much tougher time of it.

  20. Reaction to this paper? by el_flynn · · Score: 2, Insightful

    Since the researchers have already published their work on the infiltration process, I'm sure by the time you read this piece of news the botnet owners and/or authors have already put an action plan in place to mitigate, or at least lessen, the effect.

    Plus, if you read their published work, they readily admit that they are always one step behind the worm, and have to react whenever the attacker changes his tactics. The work mentions that "the attacker can easily change [a function of the Stormnet communication technique]... and then we need to analyze [our] binary again."

    Criminals usually work faster than the good guys because they have more to lose.

    --
    The Wknd Sessions - Malaysian and South East Asia independent music
  21. The terminology is confused by Yurka · · Score: 5, Insightful

    Computers in a botnet are not "peoples' PCs" anymore. They are not under control of the owner. This needs to be clarified again and again. When you see a Borg drone, you (try to) kill it. And Picard was right - you'll be doing it a favor.

    --
    I can assure you, the best way to get rid of dragons is to have one of your own.
    1. Re:The terminology is confused by Anonymous Coward · · Score: 0

      +1 insightful comment
      -1 not a car analogy

    2. Re:The terminology is confused by geekoid · · Score: 2, Funny

      Of course they are, don't be stupid.
      There is a program running on their computer.
        You also assume they don't want it there.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:The terminology is confused by hacker · · Score: 1

      Actually, that's not a bad idea. Well, killing them is a bit harsh, but stopping them from procreating has a lot of advantages.

      We're actually polluting our own evolution, by letting people with genetic predispositions to incurable disease continue to breed and have children, thus passing on those genes.

      What happens in 300 years, when EVERYONE on the planet has a dominant or recessive gene for say... diabetes? cancer? liver failure? alzheimers? What then?

    4. Re:The terminology is confused by mrv20 · · Score: 1

      Guess what? It's already too late. We are ALL born with genes that guarantee our bodies and minds will give out, just like every human who ever lived.

      By attempting your plan to breed out genes predisposing someone to a certain group of diseases you run straight into the next set of natural weaknesses, at best gaining a minor increase in life expectancy that can easily be negated by smoking, drinking, eating red meat or simply a driver looking the wrong way at an intersection (and any number of other activities that people engage in on a daily basis - would you ban these too?)

      What if a particular race was less genetically disposed to the diseases you list - does this mean every other ethnic group is unfit to procreate? It's entirely possible you have genes that would predispose your children to certain diseases - would you stand behind your idea and keep it in your pants for the good of future generations?

      This is all before addressing the moral repugnance of forcing your eugenic standards on the rest of the population. If you want to choose your partner based on the results of genetic screening, have at it - I hope you and your master race of offspring are very happy. However, who are you to choose whether I or anyone else are permitted to procreate based on ANY criterion, let alone something as nebulous as having a gene that may increase the chance of possibly contracting a particular disease one day, assuming that all the research is infallible?

      --
      "Algebraical symbols are used when you don't know what you are talking about" - BCS
  22. How active is storm currently? by damn_registrars · · Score: 2, Interesting

    I've seen previous allegations that Leo Kuvayev has ties to the storm botnet. It of course is known that Mr. Kuvayev is a prolific spammer.

    However, there hasn't been as much spam from Mr. Kuvayev - either in my own boxes, or mentioned recently on line. This leaves me to wonder if perhaps he isn't utilizing it as much as he used to?

    While certainly the botnet has been used for more than just spam propagation, and Kuvayev has sent spam to a lot more people than just me, I still can't help but wonder if it either isn't as large or as active as it once was.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:How active is storm currently? by ahabswhale · · Score: 2, Interesting

      It's a shadow of its former self. Microsoft actually took them out, believe it or not. The Msft malicious software removal tool has taken care of it and the maintainers of the storm botnet got tired of dealing with it and let it go. See here for more info: http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx

      So it's great that they came up with this but too bad it's pointless, at least for Storm. However, I'm sure they'll continue patting themselves on the back for fixing something that was already fixed.

      --
      Are agnostics skeptical of unicorns too?
  23. SPY v. (nothing) by xkr · · Score: 1
    Suppose it is the 1920's. Some cars have locks on the doors, some don't. There are no license plates. Organized crime is stealing cars, using them to commit bank robberies, then abandoning the cars. This is a huge problem, with hundreds of robberies per day.

    Might it be appropriate to pass a law requiring all cars to have locks on the doors?

    IMHO, technology people are so averse to gov't regulation (OK, with good reason) that they are not willing to recognize that SOME regulation can be a good thing in an economic community.

    If all PCs were required to have anti-virus software, and all ISPs were required to verify this, or to disconnect the customer, I suggest that the number of bots out there might drop 90%.

    Yes, I realize that neither of these requirements are perfect, and there will always be SPY v. SPY competition. But right now we have SPY v. (nothing). No competition for the bad guys at all, and so we have 100 billion spams a day.

    --
    I will create a sig when innovation restarts in the U.S.
    1. Re:SPY v. (nothing) by witherstaff · · Score: 3, Insightful

      bad bad idea

      I'd love to be required to have antivirus software on my linux/FreeBSD/Solaris machines. If you don't have a locked down box those systems can be just as bad as a botnet windows machine.

      Or requiring comcast to have a rootkit on every machine you have to ensure that it's not infected. Sony computers would love that!

    2. Re:SPY v. (nothing) by Anonymous Coward · · Score: 0

      >If all PCs were required to have anti-virus software, and all ISPs were required to verify this, or to disconnect the customer, I suggest that the number of bots out there might drop 90%.

      And this is why gov't regulation sucks. What about OSes that either don't need, or can't have anti-virus? Imagine a phone with all functions in ROM, that offers internet access. Now we need to include AV software that monitors... ???

      Same thing with locks on cars. Imagine a car that uses an RF transmission from a key to start. You could have no locks on this car, the only problem left would be that the owner might find bums sleeping in it, but it resolves the major issue (crime).

      Instead, you should put the problem on the owner of the item. Computers that infect other people should have owners that are fined. Cars that commit crimes should have owners that are fined. Judges would sort out the fringe cases (cars with locks that are defeated, AV software that is bypassed).

    3. Re:SPY v. (nothing) by HikingStick · · Score: 2, Insightful

      Just because they put locks on car doors doesn't mean everyone uses them. Then there's the issue of those little magnetic key holders in the driver's side wheel well...

      --
      I use irony whenever I can, but my shirts are still wrinkled...
    4. Re:SPY v. (nothing) by Anonymous Coward · · Score: 0

      > Suppose it is the 1920's. Some cars have locks on the doors, some don't. There are no license plates. Organized crime is stealing cars, using them to commit bank robberies, then abandoning the cars. This is a huge problem, with hundreds of robberies per day.

      Great, so let's pass legislation for all cars to have locks on the doors. So how do you prevent anyone from stealing my 1927 Ford Model T? That's right, the one without the windows.
  24. Fools! by Kingrames · · Score: 3, Funny

    Nuke the sites from orbit, it's the only way to be sure!

    --
    If you can read this, I forgot to post anonymously.
    1. Re:Fools! by overkill1024 · · Score: 1

      Skynet tried that on itself, didn't work.

      Seriously though, they played the 'skynet has no central core' monologue over the image of skynet nuking everything.

  25. This was already covered, and more... by bugnuts · · Score: 1

    ... at the Usenix leet conference covered by slashdot.

    Go look through the articles... some of them rock. The technical knowledge of these guys, how they dismantled storm, etc is amazing.

  26. "help them clean" by unity100 · · Score: 1

    it's a pain to provide technical support for even uninfected computers, and you are telling us to help people clean their infected computers.

  27. It's a Trap... er, Dupe! by sabt-pestnu · · Score: 1

    This story merely repackages this one.

  28. Wow, Godwin in 2 posts... by PRMan · · Score: 5, Funny

    That's got to be some sort of record...

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
    1. Re:Wow, Godwin in 2 posts... by Daimanta · · Score: 2, Funny

      Scrap an I in WWII and you are all set for a non Godwin post ;)

      --
      Knowledge is power. Knowledge shared is power lost.
    2. Re:Wow, Godwin in 2 posts... by bornyesterday · · Score: 1

      > That's got to be some sort of record...

      To be fair, he didn't actually mention either Hitler or Nazis, though it was an obvious implication.
    3. Re:Wow, Godwin in 2 posts... by Anonymous Coward · · Score: 0

      My client pleads "not guilty", as his post was not a violation of the Godwin Act. The Act only covers analogies that specifically mention Hitler and/or Nazis.

      Analogies that refer to the actions of a country (even if the government consists of Hitler and Nazis), are not subject to the Godwin Act unless Hitler and the Nazis are specifically mentioned. There is no such thing as "conspiracy to Godwinate", "indirect Godwinization", etc.

      Along the same lines, this post is Godwin-exempt because the only direct reference to Hitler and/or alleged Nazis is in the context of discussing the Godwin Act itself.

  29. It was morally "good" -- from our perspective... by CFD339 · · Score: 4, Insightful

    ..because we won. History is written by the victors of course. Don't misunderstand me -- nothing could make me defend the German army's actions (or those of many of its citizens at the time). I'm only saying that had we lost that war, a different history might look upon the "re-invasion" of Belgium as a war crime.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  30. Ain't their job. by Zadaz · · Score: 1

    And by "other peoples' PCs" they of course mean the people who control Storm. The physical possessors of the computers have already given up ownership.

    It's a real shame that this is being done by researchers and not security forces. The researchers are correct, it ain't their job. It should be done by people who we have already given the authority to trespass with cause.

    Not going to happen. Sadly. I live in a place where violent crime is incredibly rare, but property crime is common. The most valuable things I own are the information on my computers, and yet there is no one that I can call if I'm attacked there.* Law enforcement has the technology of Wyatt Earp while the criminals have F22 with laser guided bombs and depleted uranium ammo.

    I hope the researchers don't get brought up on charges, it would set a bad precedent. Since law enforcement will never get caught up, I'd like to see a law passed that gives immunity to this kind of action. If The Law is unwilling or unable to deal with a threat, they have to deputize citizens. Too bad The Law is unwilling to admit weakness or failure.

    * Even if they steal my physical laptop there's only a minuscule chance that the police will do anything but take a report and notify me "if it turns up". Insurance will cover the physical loss, but not the potential repercussions of the loss (ID theft, proprietary business info, down time, etc.**)

    ** Yes, I encrypt but security is not an absolute.

    1. Re:Ain't their job. by ZenDragon · · Score: 1

      Who would bring charges against them? The botnet operators?? We could only hope. Even if their methods were illegal, I'm not sure anybody would or could press charges for illegally interfering with an already illegal activity.

      After reading the article I don't think they did anything illegal. Some might consider it unethical, but certainly not illegal. From the looks of it, all they are doing is poisoning BotNet traffic, even if one of the "bots" is a bank computer or something, their methods are in no way compromising that machine any further than it already is.

  31. Wouldn't surprise me. by SanityInAnarchy · · Score: 1

    How much money do you really need?

    If I was doing illegal botnets, I'd make a cool billion dollars or so, then retire to a tropical island.

    --
    Don't thank God, thank a doctor!
    1. Re:Wouldn't surprise me. by damn_registrars · · Score: 1

      If I was doing illegal botnets, I'd make a cool billion dollars or so, then retire to a tropical island.
      Interesting idea, with an interesting correlation to Kuvayev. I've seen him alternate between claiming his residence to be in either Finland or Tahiti. Perhaps he's entered a state of semi-retirement?
      --
      Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  32. Re:Welchia was poorly designed by Anonymous Coward · · Score: 0

    The problem with the Welchia worm is that it actively scanned for vulnerable systems and fixed them, rather than waiting for a probe and responding to the attack. It was the proactive scanning that caused all the problems, a purely reactive system would be much better.

  33. Polluting? by gmuslera · · Score: 1

    Can't the botnet itself be used to do something more useful, like self destruct, uninstall itself or display a warning to the zombie PC user?

    Maybe that borg^H^Htnet has some sort of "sleep" command to make it inactive in most part.

  34. Fire that shotgun by parvin · · Score: 1

    That's not your neighbor anymore. Just another stinkin' zombie.

  35. Why on earth garbage? Why not... by hAckz0r · · Score: 1
    Just have it do:


    > net send <logged in username> "your machine is infected with the Storm rootkit, go here for the fix URL:..."

    and scare them into fixing it! Just a little tough love and education is what is needed, not hosing up their machine. Anything that has the potential to damage the machine is a very bad idea, but the owner really needs to know it's hacked, and then how to fix it.

  36. no, you got it wrong by circletimessquare · · Score: 1

    those are examples of breaking the rules, of becoming what you are fighting

    those are not examples of bending the rules, such as with these botnet infiltrators

    so you are not correctly identifying what i am talking about

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  37. Easy fix? by daveywest · · Score: 1

    Why don't they order the infected machines to pop up with a window that says, "This computer is infected by the Stormbot. Please report this message to your IT administrator." and include a url to a webpage with some cleaning instructions.

    1. Re:Easy fix? by Anonymous Coward · · Score: 0

      Because every website seeking to infect you with malware, already does generate that same popup

    2. Re:Easy fix? by Phroggy · · Score: 1

      > Please report this message to your IT administrator.

      Who are you expecting that to be, exactly? If they had an IT administrator, chances are they wouldn't be infected to begin with. They don't.

      And, like the other poster said, malware already pops up exactly that message; it's a scam to get you to buy malware-removal software that doesn't actually work. Fortunately, few people are gullible enough to fall for such messages.
      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    3. Re:Easy fix? by daveywest · · Score: 1
      1. Everyone has someone they can ask for help -- maybe it's even just their teenage neighbor.

      2. Malware asks you to install something for a fee from a commercial website, but it never hurts to ask them to check out a website for more info. The entire advertising industry (along with every spammer in the world) uses this strategy pretty effectively.

      3. If so few people were gullible, we wouldn't have the problem in the first place.

  38. Mod parent down!! by Anonymous Coward · · Score: 1, Funny

    It's not particularly illegitimate to use them in that fashion, though. It's a matter of allocating limited resources, really. While I'll mod up posts I disagree with, but are insightful, if there are no posts I agree with available... I'd rather spend those mod points giving karma to people I agree with. Is it fair? Not entirely, but with only 5 or 10 points, there's only so much good you can do.


    The real moderation bias which is a cause for concern is modding with negative mods as a substitute for "disagree". That's bullshit, and there's no excuse for it.

    I couldn't agree with you more. Well said!! Mod parent down!!
  39. Did you know... by chriscoolc · · Score: 1

    Thanks to Godwin's Law, Nazi Germany never fielded a successful internet discussion board.

  40. no, its lack of perspective by circletimessquare · · Score: 1

    if your neighbor is making a lot of noise attempting to repair a leaking dam, and you stick your head out the window and tell him to keep the noise down, you aren't keeping your mind trained on the larger picture

    same with those who criticize the cops and have nothing to say about criminals

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:no, its lack of perspective by freedom_india · · Score: 1

      > making a lot of noise attempting to repair a leaking dam,

      I would send a SWAT team to his house by "mistake" and enjoy the sweet cries of pain he makes...
      --
      "Doing what i can, with what i have." ~ Burt Gummer
  41. Illegal is Illegal by Anonymous Coward · · Score: 0

    Unauthorized use of another's computer is illegal. The law applies equally to "hackers" and "researchers". Oh, and "Two Wrongs don't make a right".

    It's pretty simple really, we don't even need a car analogy. Oh, what the heck.... just because the "hackers" like to take your car out for a joyride in the middle of the night doesn't mean that the "researchers" get to do the same thing. Heck, the "researchers" are even using the slimjim that the "hackers" left behind.

    P.S. We lost the hacker vs. cracker debate over a decade ago, get over it.

  42. The war will continue by fluxburn · · Score: 1

    The best part about spam, malware and viruses, exploits and the so called, "criminal activity" of these users, is they present a challenge to protect against them. This creates a competitive environment which benefits society, creating more diverse technology. These activities need to continue, if the world ever becomes so secure we lose our freedom, technologies like those employed by storm and others would allow us protection. Likewise, without criminal activity in cyberspace, half of us would lose our jobs.

  43. legal angle by habusnake · · Score: 2, Interesting

    http://www.yjolt.org/7/ A little old, but this is an article I wrote on related legal issues-- legality of striking back including at zombies.

  44. The key is in the last sentence... by Presence1 · · Score: 1

    "In future work, we plan to analyze in detail the second-tier computers and try to find ways to identify the operators of the Storm Worm"

    Don't kill the PCs like the Borg drones, and don't kill the botnet.

    Instead, let it run, infected and reporting back, so as to track down the operators. At that point, they can be killed, arrested, or whatever consequence requires the least paperwork (depending on the country from which the scum are operating).

  45. Re:Welchia was poorly designed by Sancho · · Score: 1

    The problem with this is that malware sometimes patches the flaw in order to prevent competing malware from getting onto the machine. Welchia's approach was to pro-actively patch vulnerable machines and delete Blaster if it found it.

  46. Nice sig by eimsand · · Score: 1

    Having just completed a PhD, I have to say that your signature is the most accurate assessment of higher education that I've ever seen. Cheers!

  47. Bad analogy guy by Anonymous Coward · · Score: 0

    riiiight... So what you're saying is:

          Spam KILLS! Think of the children!

    Just a wee-bit dramatic, innit? A flaming, out-of-control car, rushing down-hill to crush a bunch of innocent kids, or a bunch of unsolicited email for herbal v14gr4...

  48. Why is this marked funny? MOD PARENT INSIGHTFUL by Anonymous Coward · · Score: 0

    And bonus points for being a car analogy.

  49. Researchers' university to be DDoS-ed surely by Anonymous Coward · · Score: 0

    > The researchers, from the University of Mannheim and the Institut Eurecom

    The problem is, you can do it only once. Next time, the botmasters will retaliate with a DDoS so huge, the university IT infrastructure will melt like scrap iron in a blast furnace.

    When servers are unaccessible for three days in a row and university students are unable to sign up for exams, professors cannot publish online, the deacon will surely those pesky researchers to find a new campus for their little cat-and-mouse game.

    Otherwise, most bot people are Russians, mostly from Saint-Petersburg and the American Secure Computing Corp. plainly said they have proof those online ruffians are protected by Putin's inner circle (the judo dwarf was top honcho in Leningrad back in those good ol' KGB days).

    Question: Dear researcher, do you want to receive Polonium-210 in mail? On-line crime is a huge business and the mafia will not lose some 150 million dollars a year just because of two silly scientists. They will suffer a regrettable accident, if history is any indication of what follows next.

  50. What about the EULA? by ehaggis · · Score: 1

    Doesn't this violate the EULA and copyright protection of the Botnet software? How do you know I don't want to be part of a Botnet? Who are you to tell me I can't participate in large scale attacks on other networks or send out massive amounts of email that has not been requested?!?!

    Now please, let me decide what software I want to unwittingly run on my computer!

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
  51. How about this by Anonymous Coward · · Score: 0

    Isn't that the same idea as "Google Turns Over Data on Suspected Pedophiles In Brazil"? http://tech.slashdot.org/tech/08/04/24/138227.shtml

    Breaking rights for a good cause? Damn sure you are right!

  52. All critical functions are protected . . . by pugugly · · Score: 1

    Oh Oh - I seen this one - the command was simply "Sleep"!

    Then the borg cube blew up!

    Pug

    --
    An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
  53. 6 degrees of Godwin by HappyEngineer · · Score: 1

    So now mentioning WWII is Godwinning? Is there a website somewhere that tells me what I'm allowed to talk about without being subject to a Godwinattack?

    Seriously though, I've actually modified the way I talk as a result. If I feel like referring to Hitler, I substitute Bush or Saddam or Mussolini to avoid a Godwinattack (although Mussolini is a little risky). If I want to refer to concentration camps I instead refer to Gitmo.

    I can't tell whether that makes Godwinazis happy or not.

    1. Re:6 degrees of Godwin by darkpixel2k · · Score: 1

      If I feel like referring to Hitler, I substitute Bush or Saddam or Mussolini to avoid a Godwinattack (although Mussolini is a little risky)

      WTF? Ok--Saddam because he brutally killed and tortured his own people, he gassed the Kurds, etc... Mussolini I'm only familiar with in passing--so I can't comment there...but Bush? Really?

      How can you compare Hitler murdering an estimated 6 million people to Bush?

      I don't like some of the stuff Bush has done--but get real. When was the last time Bush ordered his "men in black" to drag you and your family out of your home into the dark of night to put a bullet in your head, rape your wife, torture your daughter, and force your son to throw your body into a pit of other bodies--then shoot him in the head? Are you insane?

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    2. Re:6 degrees of Godwin by HappyEngineer · · Score: 1

      See, this is why the concept of Godwinning was invented in the first place. People just go nuts with it.

      But, since I brought it up I guess I'll continue it by saying that the comparison to Hitler is not meant to be literal. It's not a one-for-one comparison. It's a statement of hatred. Hitler is dead. There is no point in hating him to a great degree. I hate Bush more than I hate Hitler. Hitler is just a placeholder for [insert someone that deserves to be hated].

      Anyway, my original comment did not compare Bush to Hitler. I simply referred to Bush as one of the people that I use instead of Hitler when I need to compare someone to a detestable person.

      If it makes you feel better, if Hitler was still alive today and he was the US president then I'd hate him more than Bush. Does that help? *smile*

    3. Re:6 degrees of Godwin by darkpixel2k · · Score: 1

      But, since I brought it up I guess I'll continue it by saying that the comparison to Hitler is not meant to be literal. It's not a one-for-one comparison. It's a statement of hatred. Hitler is dead. There is no point in hating him to a great degree. I hate Bush more than I hate Hitler. Hitler is just a placeholder for [insert someone that deserves to be hated].

      My jokeometer is busted--I can't tell if you are trying to make a joke or not.

      I consider myself a conservative--but I'm no fan of Bush either. I think he's made some boneheaded decisions, but I'm still hung up on the 'hate Bush' statement. I dislike some of the things he's done--but how can you possibly put him on the level of Hitler, Mussolini, Saddam, etc... The thing in common with the three bad guys being that they murdered innocent people (Hitler tops the list).

      How is our president in any way like them? Bush is weak on the border. That doesn't compare to genocide. He's passing some odd environmental laws. Doesn't compare to gassing entire villages of Kurds.

      You either have a very broad range of 'hate' or I missed the news story where Bush dropped the nuke on California.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    4. Re:6 degrees of Godwin by Anonymous Coward · · Score: 0

      When was the last time Bush ordered his "men in black" to drag you and your family out of your home into the dark of night to put a bullet in your head, rape your wife, torture your daughter, and force your son to throw your body into a pit of other bodies--then shoot him in the head?

      Hitler never ordered anyone's wife to be raped. It may have happened (probably happened), but he didn't order it. Let's not exaggerate here. Also, I think that it was Himmler, not Hitler, who signed off on the "bodies in a pit" thing (at least, until he came up with the "burn them in ovens" thing).

  54. "sleep...." by RJBeery · · Score: 1

    Troi: OH MY GOD, HE'S EXHAUSTED!

    Data: That may be true, counselor, but I think he's suggesting a command to inject into the hive mind...



    Yes I botched the hell out of the quote. I'm too lazy to go look it up.

  55. tit for tat by AgentPhunk · · Score: 2, Funny

    What is this 'tat' that you refer to, and where can I exchange it for this first thing?

    1. Re:tit for tat by khallow · · Score: 2, Funny

      If you don't know, then you're too young to find out. ;-)

  56. Kill the Zombies!!! by Anonymous Coward · · Score: 0

    Hell, I look at it like the real world. Would I not fight back against a zombie trying to eat me simply because "he doesn't know what he's doing"? Hell no! I would fill his zombie ass fulla lead! The same thinking applies here. Sorry buddy but your zombie ass is toast!

  57. thank you thank you thank you by Anonymous Coward · · Score: 0

    i guess this will never be seen by the world, since it will probably get a score of 0 (uninformative, pandering) but just wanted to say thank you to the people who are doing this.

    i am not a techie type at all, but my brother plays one on tv (oops, i mean he is a software engineer) and i asked him if there was something "wrong" with my computer, because my spam had dropped off from several hundred messages a day, to a half dozen or so.

    he told me the white hat(?) hackers were fed up and staging an attack on the worst of the spammers.

    i love it.

    thank you, and keep up the great and necessary and good work