Slashdot Mirror


Kraken Infiltration Revives "Friendly Worm" Debate

Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

25 of 240 comments

  1. Had me up until the sensationalism by dreamchaser · · Score: 4, Insightful

    "is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

    I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

    1. Re:Had me up until the sensationalism by somersault · · Score: 4, Funny

      Clearly you have never been to Singapore.

      Oh wait, wrong movie

      --
      which is totally what she said
    2. Re:Had me up until the sensationalism by morgan_greywolf · · Score: 4, Funny

      I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection.
      Would that be a 'heartworm'?
    3. Re:Had me up until the sensationalism by mlwmohawk · · Score: 2, Insightful

      I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

      Well, maybe not the primary machine, that may be true, but there are monitor "stations" on the patient floor at the nurses desk area that run networked windows using monitor applications to display heart data.

    4. Re:Had me up until the sensationalism by pipatron · · Score: 3, Insightful

      And what happens to the patient if one of these goes down because of a virus?

      Nothing. Absolutely nothing.

      --
      c++; /* this makes c bigger but returns the old value */
    5. Re:Had me up until the sensationalism by seramar · · Score: 2, Interesting

      I have two things to add, one in response to your comment about the monitoring stations and the other just in general on this topic, but they tie together:

      1.) If a hospital is running a machine that is vulnerable to any worm, including a friendly worm, then I question their entire network/security structure in the first place, and it is only a matter of time until the monitoring station goes down anyway.

      2.) Friendly worms? Definitely. I am a technician/manager of a small shop and see people whose machines are constantly bombarded with malware of all kinds. While it would hurt our bottom line to see friendly worms in the wild dismantling these botnets, it would no doubt save a lot of people a lot of trouble. These folks who are infected generally don't know what they're doing and don't care to learn - they're worried about using their computer to perform a certain task - not understanding the ins and outs of how it functions. If a few people are affected by some "friendly fire" so be it - they would have gotten infected in the first place.

      --
      australian project gutenberg is better than the original.
  2. What kind of idiot... by llamalad · · Score: 2, Insightful

    What kind of idiot would have a windows box controlling a heart monitor?

    1. Re:What kind of idiot... by rtb61 · · Score: 2, Interesting
      These people really are crazy, especially when you consider the warranty/EULA that accompanies the windows OS. A warranty that basically stipulates that it is wildly unsafe for that kind of use.

      Hence if there is a software failure that results in a death the full liability falls back on the hospital and the staff responsible for that software purchase and their criminally negligent willingness to use software that is clearly unfit for the purpose based upon the warranty/EULA supplied with the software.

      It is only a matter of time before some hospital CIO finds themselves facing a possible prison sentence for criminally negligent manslaughter.

      --
      Chaos - everything, everywhere, everywhen
  3. Well, if you ARE going to do something like that. by AltGrendel · · Score: 3, Insightful
    For goodness' sake.

    Don't tell anyone!!!

    All the lawyers in the world will converge on you if you do.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

  4. DUH! by zappepcs · · Score: 2, Insightful

    If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?

    Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.

    Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so: if there is no method to ensure your product does no harm, do not deploy it. Period. Unless you would like to spend time in court.

    There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.

    Safety first. Kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

    If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.

  5. important difference by Tom · · Score: 4, Insightful

    "(except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released)"

    That's not a small difference! Pushing an update to a known list of hosts is a vastly different thing from starting a self-replicating autonomous agent.

    There is still the "messing with other people's computer" issue, of course.
    --
    Assorted stuff I do sometimes: Lemuria.org
  6. The law needs to catch up by Ice+Tiger · · Score: 3, Insightful

    As with many changes in technology the law is far behind. In this case they would fall foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

    Botnets also span more than one country so maybe this needs to be international law.

    --
    "Because we are not employing at entry level, offshoring will kill our industry stone dead."
  7. Barn door closed, horse left six months ago by glindsey · · Score: 3, Insightful

    "is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

    I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.
  8. Re:Yes, they should do it. by jimbolauski · · Score: 2, Funny

    There's an easy workaround to this, just add a popup window saying "YOUR COMPUTER HAS WORMS PRESS OK TO FIX!" The majority of the people with worms on their computers would not think twice about pressing it.

    --
    Knowledge = Power
    P= W/t
    t=Money
    Money = Work/Knowledge so the less you know the more you make
  9. Non Assistance to person in danger should apply by mrboyd · · Score: 2, Insightful

    We have this law in my country where if you can help someone who is in danger without risking harm to yourself and don't, you may get into legal trouble.

    I am pretty sure that a good lawyer could twist it enough to sue those researchers because they DID not kill the botnet while they could. Instead they published a report explaining to the botnet creator how to plug the hole. Next time they should just ask for a Subversion committer account and fix it themselves.

    I can almost see how the patriot act could apply here. I think those guys could be arrested for helping the terrorist(tm) by the friendly bunch at homeland security.

    If you can kill the botnet please do it. Me and a million others will drop a donation in your paypal account to cover your legal fees.

  10. Cleansing a Botnet is Murder. by Lassiethebrave · · Score: 2, Funny

    I do not eat meat, nor do I clean infected boxes; all life is holy...

  11. No Moral crisis here. by Forge · · Score: 3, Insightful

    A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.

    Imagine a similar situation among humans. A Virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the water supply or by pumping it into the air.

    I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.

    Or let's come to a more reasonable and commonplace situation. A man infected with Rabies is not allowed to choose whether he will be treated. His infection impairs his judgment and makes him a danger to other people, therefore he is a hazard to be cured against his will.

    Doesn't the same apply to a botnet member oblivious to its own condition spewing its infection, Spam and lord knows what else onto other computers?

    Kevin.

    --
    --= Isn't it surprising how badly I spell ?
  12. Sabotage the botnet by CvD · · Score: 4, Insightful

    I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.

    I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).

  13. I did this once... by el_flynn · · Score: 2, Interesting

    ...and nearly paid for it.

    We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.

    The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.

    I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.

    Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.

    So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.

    My 2 cents anyway.

    --
    The Wknd Sessions - Malaysian and South East Asia independent music
  14. Re:Simple Answers for Complex Problems by MMC+Monster · · Score: 2, Insightful

    If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.

    There is no way I would think it was legit.

    --
    Help! I'm a slashdot refugee.
  15. By analogy, it should be done by azgard · · Score: 2, Insightful

    I would argue, by analogy, that it should be done, i.e. the computer participating in a botnet should be patched.

    Consider this example: You find that someone robbed your neighbor's apartment (who is on vacation), and left the door open and broken. Should you fix the neighbor's door, or leave it open for anyone to enter?

    The correct answer is: You should fix the door, but with the permission of the police. Therefore, I think, the computers should be patched, but with the approval of legal enforcement (if it's in your country; patching a computer in another country should be supervised by their legal enforcement).

  16. Vulnerable Monitoring Systems by AioKits · · Score: 2, Informative

    I used to work in a hospital on the IT side and the only 'monitoring' systems I can think of where this would be a problem aren't so much the ones that keep track of vitals but the ones used as the primary method of observation (think cath labs). Even then the vulnerable workstations/machines are used more for archiving and cataloging of imagery and procedure. Any real work is done on an embedded system with that particular piece of equipment. So if you have to get your heart cathed, don't worry as that machine probably isn't exposed to the internet. Those machines do not and should never be exposed to an open network. Some embedded systems ran a version of Linux, others were embedded NT and a couple were actually DOS (This varied by maker and age of equipment).

    Someone pointed out fetal monitoring systems. I installed one last year at the hospital I worked at, and the setup was as follows:
    Server - (1x) Win2k3
    Polling - (2x) DOS 6.22 (these boxes only relayed mesgs)
    Monitoring Stations - (24x) WinXP Pro
    The server itself was in a datacenter and the two polling machines were in a networking closet (easier to run lines from the actual monitoring hardware this way). The Workstations were XP and had internet access. They were locked down enough such that net access was allowed for research. Every so often one got infected (research apparently means games too I guess). It was pulled and one of the already staged spares was put into its place until the infected machine had a chance to go through restaging. Through all this time, the nurses had MULTIPLE workstations, including two huge ass monitors (nice Dell 24inch flat screens with an 89' view angle) at the nurse's desk from which to view the babies. And they had manual procedures if the system went down. Which it was for two days during the initial move from testing into production. If there are no 'manual procedures' in place for when a system goes down the hospital is just ASKING for trouble. Granted in this case manual involved getting more nurses on the floor in that section, but they had it covered in case of a catastrophic event with that system.

    While the monitoring systems may be vulnerable, any decent hospital will have it set up so the actual workhorses doing the procedures are not exposed, and will have manual procedures in place should the machines go down.

    --
    "Quote me as saying I was mis-quoted." -Groucho Marx
  17. Plausible deniability? by martyb · · Score: 2, Interesting

    For those who are advocating that an anti-bot be released (or whatever you want to call it) so as to disable this pest, I have a question for you: how is someone going to be able to tell the difference between these:

    1.) A user who creates and releases an anti-bot, but through an error (design, programming, whatever) inadvertently causes "harm" to the system.

    2.) A user who creates and releases an anti-bot that appears to try to block the worm, but is in fact designed to cause "harm" to the system.

    Recall that the Morris worm was not intended to bring down the internet:

    According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. An unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable.
    AND

    The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether or not to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times [3]. This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Rabin remarked when he heard of the mistake, that he "should have tried it on a simulator first."

    See also A Tour of the Worm for a more detailed account of how it unfolded.

    The intention may have been good, but the implementation had an unintended consequence that led to a major disruption of the internet. I remember full well the confusion at the time as the details unfolded. I was working at a major computer manufacturer that dropped its connection to the net to protect itself. Ultimately, none of our systems were hit (wrong OS), but the sheer volume of packets on the net led, effectively, to a DDOS'ing of the uninfected systems, too.

    So, in a nutshell, how can one objectively tell the difference between an attempt to kill the worm that causes problems, and an attempt to cause problems that looks like it is trying to kill the worm? In a non-static environment. With our limited ability to write bullet-proof, error-free code. Besides, someone else could capture and re-purpose the good code to cause more problems.

  18. KILL THEM ALL by brassman · · Score: 3, Funny

    "Kill them all. God will know His own."

    --
    "Ain't no right way to do a wrong thing."
  19. Yes, it is justifiable in this case by irenaeous · · Score: 2, Insightful

    Why?

    Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that some form of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.

    There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.

    That means that if the incredibly rare case that isn't going to happen, the disabling of a heart monitor, does occur, the self-defensive act is still justified.

    Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.

    Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?