Slashdot Mirror
Botnets As "eWMDs"
John Kelly writes "The current issue of Policy Review has a paper by an American computer scientist and the recent Permanent Undersecretary of Defense for Estonia. Drawing on the Estonian cyber attacks a year and a half ago, as well as other recent examples, they argue that botnets are the major problem. They propose that botnets should be designated as 'eWMDs' — electronic weapons of mass destruction. The paper also proposes a list of reforms that would help to limit the scale and impact of future botnet attacks, beginning with defining and outlawing spam, internationally." Many of the proposed solutions are common-sensical and won't be news to this audience, but it is interesting to see the botnet threat painted in such stark terms for readers of the Hoover Institution's Policy Review. For a more comprehensive overview of cyber-security threats, listen to NPR's interview with security experts on the occasion of the release of a new report, "Securing Cyberspace for the 44th Presidency," which recommends creating a cyber-security czar reporting to the President.
Subject says it all.
This is... ridiculous.
And anything destroyed by them SHOULD be able to be restored from backup.
WMD isn't about the actual history of attack. There hasn't been a nuke detonated in an offensive capacity since World War II, but that hasn't stopped them from being a preoccupation of defense strategy since then. It's about the fear. And the concept of hundreds of thousands of zombie computers attacking an institution without the proper defenses could be devastating, especially if that institution is critical to the public health/safety.
I bet this is a way to sneak in some more "general purpose" legislation on the net. There is going to be a strong push for that coming from the EU in the next months unfortunately.
I can see it now. Newlines in the papers as Iran is found harboring WMDs along with Syria and Pakistan. Equating NBC weapons with botnets is retarded on an incredible amount of levels.
Perhaps we should compare some WMD's
An atomic bomb detonated over a dense population center: millions die
An eWMD shuts down water supply: people have to resort to bottled water and, in a worst case scenario, boil rain water; for a few weeks
Perhaps eWMD is a better name for an EMP because that actually DESTROYS something that can not be brought back from the dead using backups
They destroyed my inbox! It's now a mass of about 2GB and it's either all junk mail or I have won about a thousand lifetime supplies of male enhancement pills and a nice gentleman with poor english skills is very persistent in expressing his wishes to "undergo a business transaction" involving millions of dollars!
Now, I can't take the chance that it's ALL junk, so I am saving it just to be sure.
Wait and see nanbotnets!
gtkaml.org
Sadly, I'm always stumped by how far a language can be warped so that things are labeled in a desirable way by the authorities.
This has been happening since the ancient times and we haven't grown out of it. The athenian hegemony was named the athenian alliance, the enslavement of foreign countries by the Romans was called Pax Romana, and even now, he american goverment classifies botnets as eWMD's, every country in the world dubs their Ministry of Military as Ministry of Defence, and War will always be Peace in the Ministry of Love.
WMDs used to refer to nukes. Nuclear weapons destroy mass. That's why it's weapons of mass destruction and not weapons of massive destruction.
http://en.wikipedia.org/wiki/Weapons_of_mass_destruction#Evolution_of_its_use
Anyone remember that (joke ...oh god i hope it is an onion style joke) article about "HACKERS CAN REMOTELY CAUSE YOUR COMPUTER TO EXPLODE AND INJURE OR EVEN KILL YOU OR YOUR FAMILY" ? (non graphical/slightly less sensational copy here: http://www.theregister.co.uk/2000/07/04/hackers_can_make_your_pc/ )
This so called paper by the so called scientist (nice cover for a security consultant i am guessing) reminds me of that article.
Fear mongering with intent to profit.
It's all so clear to me now, because subverting somebody's computer and causing them inconvenience or financial damage is almost uncannily similar to heating their component molecules to thousands of degrees Kelvin and scattering them over a several mile radius. The threat from having a few computers go wrong is on almost exactly the same scale as the threat from thousands of multi-megaton nuclear warheads raining death on our cities from orbit. Thank you so much for clearing that up for us Mr. John J. Kelly, your genius will not be forgotten.
Use terrorism laws to take down botnets!?! Seriously if a botnet is considered a weapon, infact elevated to the status of weapon of mass destruction this gives terrific power to law enforcers... too much power. Concerning. However I concede this is maybe necessary considering the failure of our lawmakers so far.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
Would then, the sum total of Windows PCs connected to the intraweb be considered a WMD?
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
That would make botnets weapons of mass accumulation, not mass destruction. The quality might not be up to par but you can not complain about the quantity...
--frank[at]unternet.org
If we think of mass-energy conversion in nuke plants, I would argue that some mass was destroyed (er, converted) to generate a portion of the electricity consumed in botnet attacks. Touche.
More generally, reread the article. They are trying to address a real, asymmetric threat. Some jack-off (or group of jack-offs) can cause measurable harm (counted in your favorite currency if nothing else) via DDoS attacks. That is a demonstrated fact. Estonia argues that their financial sector was largely off-line for three weeks due to (purportedly) coordinated DDoS attacks. If their assertion is correct (a point about which I am neutral), then that DDoS attack was as effective (arguably more effective) on the Estonian financial industry as the 9/11 attacks were on the U.S banking system. Think back to how crazy people were that Wall St. was essentially off-line.
In any case, it is hardly unreasonable to argue that DDoS attacks pose an effective asymmetric threat to certain industries. On the other hand, I am less than convinced that there are Evil Hackers out there capable of and planning to shut down water systems and power distribution. However, should it be possible and occur, think about how short a time it took for New Orleans civil society to disintegrate.
As critical to public safety as, say, a city?
Botnets are serious stuff, but let's be honest here, they're not really on a level with a thermonuclear warhead or VX.
"eWMD" is simply disingenuous.
Great fear. Terror even. Terrorism! Danger! Danger! Threat level orange! All good citizens must immediately surrender their rights! We'll start by outlawing spam. But how can we enforce it? We need to verify all e-mail legitimacy! We'll do it with technology. What is needed is a massive database of all e-mails sent, which will be filtered to assure that no 1,000 of them are the same. After that we'll send it to the intended recipient. Of course we'll have to keep logs...
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
I am less than convinced that there are Evil Hackers out there capable of and planning to shut down water systems and power distribution. However, should it be possible and occur, think about how short a time it took for New Orleans civil society to disintegrate.
New Orleans civil society didn't disintegrate because they couldn't conduct financial transactions, and the power was out. Also, I would bet my family jewels that there are indeed evil hackers out there planning to do evil things. Billions of dollars are spent on information security every year to prevent successful attacks, and decentralized security is the only real security.
When you hear words like terror, fear, public infrastructure, mass destruction, and attack, know that they are coming for your freedom.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
Am I the only one that had to read the "itsanebomb" tag multiple times before properly comprehending?
a) it sane bomb?
b) it's ane bomb?
c) it's a nebomb?
d) Oooohhhh... it's an e-bomb!
Please read my post. I don't suggest that New Orleans civil society came apart due to a financial mess. Rather, people resorted to looting grocery stores for food and water when the tap stopped working and the refrigerator could no longer keep food from spoiling. Of course, there were other contributing factors (like the lack of law enforcement) but desperate people will do what it takes to survive. If the hypothetical Evil Hackers manage to cut water and/or power to a large, urban population, they will create desperation.
clearly somebody is going to make money from all of this hype. Let's follow the money trail...
The goal of more expensive, more powerful government (e.g. a more lucrative business to control for those at the top of the power pyramid) is best achieved through marketing. You shoot high, even claiming the ridiculous as we see here, and then you "back down" into a slightly less outrageous expansion of government, but a significant expansion of the business nonetheless.
Ironically, these crooks are taking a page straight out of the US government's book.
Are trolls eTerrorists?
Don't have any special expertise? No matter: you ask for grants so you can hire the people with the real expertise, so you can focus on the schmoozing. Unfortunately these guys are a little late; the Hoover Institution's connections are mostly with the Republicans, so they should have cashed in last year.
Yes, "cyberwar" and bot nets haven't killed anyone, but you're looking at it the wrong way. They are analogous to WMD's in that they are equalizers between small and big powers. Botnets give criminal organizations etc. the same level of computing power and bandwidth as government agencies, companies, and universities. What we're talking about isn't destruction so much as proliferation.
Pretty soon we're going to need a czar czar to keep track of all the czars we've been willing into existence lately.
A lot of the power of botnets would be gone if critical networks actually had their own network instead of depending on the global internet. It is very popular to do the "VPN" thing and get a private network for near zero startup cost. But if the VPN is mission critical, then you should actually have your own wires or spectrum. Then if a botnet attacks, you just shut off the global internet at the firewall, and the mission critical stuff keeps going.
Thankfully that article was printed in the tongue-in-cheek tabloid Weekly World News. Honestly though, comparing botnets to WMDs is just about as outrageous.
Agreed. Wouldn't "Weapons of Mass Disruption" make it more accurate?
...when does Apple come out with the iWMD?
0x73db07
Limina.Log
Can we bomb Redmond yet?
you had me at #!
These people advocating calling botnets eWMDs should be designated fearmongers before being sacked and then totally ignored.
Yes botnets are a problem. Conflating them with real-life WMDs is just as bad as crying wolf like Dubya did.
any and all computers owned by private citizens may only be kept in a locked case separate from the power cable. Further, in Washington DC, it must be kept disassembled, and also, the government has the right at any time to examine the contents of your computer without a search warrant...wait...
The stories and info posted here are artistic works of fiction and falsehood.
Only fools would take it as fact.
This clearly means that Windows supports terror. If you buy windows, you might too.
The stories and info posted here are artistic works of fiction and falsehood.
Only fools would take it as fact.
We need "Star Wars" for these botnets.
Using modified HARM missile that tracks bots to take out a bot controllers would take care the problem until another idiot comes to take over that botnet and send another HARM that them until they all stop.
"And the concept of hundreds of thousands of zombie computers attacking an institution without the proper defenses could be devastating, especially if that institution is critical to the public health/safety."
Which is why C4I and other important systems should simply never be connected to the internet, and anyone who compromises them by doing so punched in the throat for being stupid.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Yeah, maybe not a city, but think about what would happen if they took WoW offline for more than an hour. Oh the horror!
precisely so. Equating botnets with WMD is an insult to everyone who ever died of poison gas or nuclear bombs.
10.0.0.0/8 needs to be invaded. We suspect the subnet has eWMDs. We have been in contact with 10.0.0.0/8 but are not getting *any* reply to our demands that they hand over their records. In fact... we are not event receiving replies to pings.
This subnet is obviously hiding something, and they are being just rude.
Can we stop it with the "czaring" already? It's a nausiating term. I, like history, like my czars corrupt, incompetant, out of touch, with sociopathic tendencies.
The czar I'd like to see: Blagojevich the government transparency and accountability Czar.
Now that's a czar I can believe in!
Don't you have to destroy rather than spam?
Don't you have to destruct rather than grow?
If you prick my botnet, does it not fill your email box with advertisements to make your prick bigger, and thus make you part of the problem when it takes over your computer?
If you take down the botnet's IRC server, does it not feel?
I propose that botnets be protected as intelligent life. It should then be illegal to remove windows from a system that has been infected. Just as it is wrong to terminate pregnancy, should it not be wrong to terminate a process... For what is a process, but the basis for a higher construct? If that construct can communicate much faster than a human, should it then be feared? If that process can hide itself as a measure of self preservation, should it then be hunted? How far will this witch hunt continue, and as well, how long before we are the witches?
It's an easy solution ... on paper.
If not, coining it as WMD just creates more fud and hysteria.
Good Lord, "people looting grocery stores for food and water" is more just efficient use of national resources than anything else. More law enforcement wouldn't have helped: it would have compounded the problem. What would have helped is rapid national disaster response. So, some shops lost a few bottles of water and diapers - that's what insurance is for.
I've walked 1/2 the length of Manhattan twice: once on 9/11 and once for the big blackout. Both times I was offered a bunch of free stuff (water, food, tissues for improvised masks, and even beer as the cooling failed.) Just small businesses and their employees behaving decently.
If someone wants to lock down their basic supplies super-store in the midst of a week-long emergency, I'll be there with a saws-all and spend my day handing out bottled water.
The quality might not be up to par but you can not complain about the quantity...
No, I'm pretty sure that is what he's complaining about.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Maybe Skynet. For now, it's just a series of tubes.
How is taking down a single hospital the work of a Weapon of Mass Destruction?
Taking down a single hospital is nothing that you can't do with a simple truck bomb or even a smaller bomb on the backup generator's fuel supply. People need to remember that not EVERYTHING a terrorist can use to screw someone over is a WMD. Otherwise, most major cities have a WMD depot more commonly called an "airport."
The WMD thing is just buzzword use to try to trigger a hysterical over-response. I mean, when has a botnet does *mass* damage instead of just taking down a few servers belonging to an individual business or organization? It's not like it isn't a threat at all, but it isn't like botnets are something that can cause more than localized damage either.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Microsoft's most widely deployed platform and applications have not been secured.
The XP platform has still has 32 unpatched vulnerabilities,
The latest version of Internet Explorer still has 9 unpatched vulnerabilities,
and Outlook 2003 ( the most widely deployed business version of Outlook ) still has one outstanding unpatched vulnerability ( known since 2004-07-12 ).
Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities which put the desktop at high risk of being infected.
Even Microsoft's flagship product Vista has Six unpatched vulnerabilities.
These are all unpatched widely known vulnerabilities, and are only the ones in Microsoft's own product. Consider all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft's platforms makes it so easy for crackers to exploit.
In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Also SELinux is becoming more widely deployed to secure applications against such threats..At least with Linux there are existing concrete mechanisms in place ( Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora ), and currently deployable ( Writing policy for confined SELinux users ) to provide a locked down secured environment for Linux desktop users inside an organization.
Also from a more abstract point of view, read Increased security through open source.
If your using the Microsoft platform, then your abetting the people deploying botnets.
Weapons of Mass Effect is a broader term that encompasses bio/chem warfare, EMPS, dirty (radioactive) bombs, large conventional explosives, planes flying into buildings, etc.
And WME would also include things like botnets and malicious worms.
Meh. What defines a mass effect? If we reduce the term to just the effects it has on society, then anything could be a so-called WME.
If I shook hands with the President-elect, and then while I had a good grip on him grabbed a fork form the nearest table and jabbed it in his eye, then you bet your sweet butt that I would have just used a "weapon of mass effect." But should the country immediately rise up into a hysteria about banning forks?
Really, that's what this paper is about -- trying to stir up the same level of interest in preventing botnets as we have in preventing nukes. But all that serves to do is water down the attention given to nukes instead. No one is going to think the threat of a botnet is equal to a nuclear explosion, and shame on them for trying.
The fear of WMDs is about mass loss of life. Oh, sure, you can concoct some crazy scenario in which a botnet *could* *somehow* be used to cause loss of life, but not on anywhere near the same level, and all these scenarios are just as unrealistic fantasyland material as the ticking time bomb scenario used to justify torture. All botnets do is economic damage, and that's bad but frankly not worth near the same level of attention and worry.
So, no. Let's not redefine WMD to be all encompassing of every possible threat to someone somewhere by something. I'll keep my dinner forks, thanks.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
What all you anti-fear peddlers miss is that botnets CAN disrupt lives in serious ways. Out of the vast universe of possible scenarios, I'll give you two examples:
1. A botnet could infiltrate a nuclear power plant office computer which runs Windows and has a web browser that is attacked through a javascript payload. The botnet controller installs an invisible keylogger... over a period of weeks the botnet controller slowly gathers passwords and other information necessary to control SCADA systems and could theoretically do immense damage to the power plant and its surroundings.
2. The US military plans to take out a dictator, but unbenownst to them, the rogue nation in question has botted key military computers and accessed/keylogged important information about attack logistics. Said dictator thwarts the attack, maintains control and kills thousands of civilians in a show of power.
After all, we know how successful we were when we defined and outlawed
Murder, Adultery, Religion, Atheism, Drugs, Booze, Theft, Downloading Music, . . .
What worries me is I was reading an article today calling on President Obama to create a new office to "protect cyberspace" and I noticed this little nugget from the report recommending Obama act "It proposed online "data warrants," for example, rather than traditional search warrants, which it said "may be increasingly impracticable in the online environment." Now I don't know about you, but after all that Fisa crap i trust their little "data warrants" about as far as I can throw a Cray.
If you would like to read the article it is here but after the last pile of bull we were fed about WMDs the second I hear anything to do with them I start looking for the shovel. And let us be honest here: how many data breaches have we seen in the last few years of both government and private networks that were due to plain old stupidity? Maybe they should do a top to bottom audit of their networks to ensure that best security practices are being used and THEN they can start talking about eWMDs. But until then I will automatically think "power grab" when crap like this hits the news.
ACs don't waste your time replying, your posts are never seen by me.
After reading the CSIS report, I can't help but get the feeling that they are confusing 'securing their networks' with 'securing cyberspace'. It reads as if they think they can legislate security for private networks, not just the government's own.
Newsflash: 'cyberspace' (whatever that means) doesn't need to be regulated. There are plenty of mechanisms in place to deal with security issues, their report is a solution in search of a problem.
They are looking to play a cat and mouse game that they cannot win. For every network you legislate, malicious hackers will find a new vector of attack. It's a much better (and cheaper) idea to regulate the crap out of the network you control, and do your best to stop any attack at the border.
Sweaty cheeto-encrusted basement-zombies wandering the streets with their laptops and home-made directional wifi antennas... "GAAAAAAAAAAAAAMMMMEESSSS"
*shudder*
The USA policy is that we will respond with Nukes if WMDs are used against us. If botnets are WMDs who are we going to bomb with an Nuke! We are going to bomb no one; therefor they are NOT WMDs. Any sane person who thinks they are WMDs should be fired or put in jail. Because they are inciting the use of Nukes on the nation attacking the US. Tim S
Simple solution, check outgoing packets. If you're an ISP and the packet doesn't show that it originated from within your network, drop it. No, I'm not talking about backbone providers, but the zombie windows boxes won't be able to forge the from headers on packets. That doesn't necessarily stop a botnet, but it makes each infected machine extremely easy to track down during an attack, and easy to filter out at the victim's end. ... or am I missing something obvious here?
-Restil
Play with my webcams and lights here
Let's all say it once more loudly: WMD!
I love the word! It's so patriotic! All those Iraqi WMDs!!
New Orleans was 10 feet underwater from Katrina which is a tad more serious than no power or tap water. Outside the west many cities don't have running water to any but the weathiest of thier residents, let alone fridges in every kitchen. "Law enforcement" would have been much better served if the enforcers were handing out bottled water.
Basic adult minimums: Breath once a minute, drink once a day, eat once a week.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
I propose a volunteer civilian militia botnet weapon of mass destruction. Whoever is up to the task can volunteer their computer to be part of grid for the purpose of paralyzing the internal network of a hostile or rogue foreign force or government.
Count me in.
(From the archives. Don't know who the original author is...)
Microsoft Conducts Nuclear Testing
REDMOND (BNN)--World leaders reacted with stunned silence as Microsoft Corp. (MSFT) conducted an underground nuclear test at a secret facility in eastern Washington state. The device, exploded at 9:22 am PDT (1622 GMT/12:22 pm EDT) today, was timed to coincide with talks between Microsoft and the US Department of Justice over possible antitrust action.
"Microsoft is going to defend its right to market its products by any and all necessary means," said Microsoft CEO Bill Gates. "Not that I'm anti-government" he continued, "but there would be few tears shed in the computer industry if Washington were engulfed in a bath of nuclear fire."
Scientists pegged the explosion at around 100 kilotons. "I nearly dropped my latte when I saw the seismometer" explained University of Washington geophysicist Dr. Whoops Blammover, "At first I thought it was Mt. Rainier, and I was thinking, damn, there goes the mountain bike vacation."
In Washington, President Clinton announced the US Government would boycott all Microsoft products indefinitely. Minutes later, the President reversed his decision. "We've tried sanctions since lunchtime, and they don't work," said the President. Instead, the administration will initiate a policy of "constructive engagement" with Microsoft.
Microsoft's Chief Technology Officer Nathan Myrhvold said the test justified Microsoft's recent acquisition of the Hanford Nuclear Reservation from the US Government. Not only did Microsoft acquire "kilograms of weapons grade plutonium" in the deal, said Myrhvold, "but we've finally found a place to dump those millions of unsold copies of Microsoft Bob." Myrhvold warned users not to replace Microsoft NT products with rival operating systems. "I can neither confirm nor deny the existence of a radioisotope thermoelectric generator inside of every Pentium II microprocessor," said Myrhvold, "but anyone who installs an OS written by a bunch of long-hairs on the Internet is going to get what they deserve."
The existence of an RTG in each Pentium II microprocessor would explain why the microprocessors, made by the Intel Corporation, run so hot. The Intel chips "put out more heat than they draw in electrical power" said Prof. E. Thymes of MIT. "This should finally dispell those stories about cold fusion."
Rumors suggest a second weapons development project is underway in California, headed by Microsoft rival Sun Microsystems. "They're doing all of the development work in Java," said one source close to the project. The development of a delivery system is said to be holding up progress. "Write once, bomb anywhere is still a dream at the moment."
Meanwhile, in Cupertino, California, Apple interim-CEO Steve Jobs was rumored to be in discussion with Oracle CEO Larry Ellison about deploying Apple's Newton technology against Microsoft. "Newton was the biggest bomb the Valley has developed in years," said one hardware engineer. "I'd hate to be around when they drop that product a second time."
This is the kind of nonsense that you can expect from eDiots.
Perhaps they'd be better called WMeDs.
Believing something doesn't make it true. Not believing something doesn't make it false.
What a fucking joke. Hey-- lets throw a bunch of cliches' together...
Cyber-whatever, e-whatever, cabinet-level....
czar.... CZAR?
This is the FUCKING UNITED STATES. You want a fucking Czar? Go to fucking Russia (about 90 years ago).
Fuck you ignorant mass media...
And the horse you rode in on.
What we really need is more of these czars...
In Vista, for example, that include SIX unpatched vulnerabilities that include information disclosure, denial of service and escalation of privilege ( the latter disclosed just under seven months ago 2008-04-18 ).
AOL users of course.
From orbit.
I want to shoot people who put the letter e on front of everything.
Email is ok, but e-waste?, e-WMDs.
If you have to invent new words in order to communicate you probably shouldn't be doing it.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Botnets don't kill people. It would be completly inappropriate to call them Weapon of Mass Destruction. A DDOS attack doesn't destroy anything.
Even if an electronic attack was to kill some people, it would only be as collateral damages, absolutly not a direct consequence of the attack.
In Vista, for example, that include SIX unpatched vulnerabilities that include information disclosure, denial of service and escalation of privilege ( the latter disclosed just under seven months ago 2008-04-18 ).
...all of which were given "less critical" ratings as the highest by the very site you linked, for good reason should you look into the vulnerabilities mention.
Now for pure numbers of vulnerabilities found, Vista does pretty well; according to Secunia, less than Ubuntu in fact. Well under half in fact.
I appreciate this whole subject is a "can of worms" and a grey area, which is why throwing plain stats around claiming "Look at this empirical evidence that $OS_NAME is the most secure ever!" is pretty pointless (from both angles), and frankly, comparing Windows users to terrorist is plain stupid.
throw new NoSignatureException();
It's about the fear. And the concept of hundreds of thousands of zombie computers attacking an institution without the proper defenses could be devastating, especially if that institution is critical to the public health/safety.
I've heard that before. I'd hope that such critical institutions, especially those affecting public health/safety have enough common sense to not hook up their critical systems to the internet. DUH!
Vista:SIX Unpatched which for Microsoft means ONLY the operating system, If ,like Ubuntu, you included Microsoft's Office suite , Browser (IE7 has 6 Unpatched ), Email, servers ( SQL Server 7 has two Unpatched ) and other software vulnerabilities it would be a lot more.
And while The most severe unpatched Secunia advisory affecting Microsoft Windows Vista, with all vendor patches applied, is rated Less critical The most severe unpatched Secunia advisory affecting Microsoft Internet Explorer 7.x, with all vendor patches applied, is rated Moderately critical and The most severe unpatched Secunia advisory affecting Microsoft SQL Server 7, with all vendor patches applied, is rated Highly critical.
Some day someone *will* need another excuse to go to WAR you know. Last time it was WMD... next time eWMD.
Remember that Ubuntu stats include the ALL the applications and servers in the Ubuntu repository.
Except that the most severe vulnerability in Vista is an MSDTC/COM+ hole for IIS7 apps - hardly "only the operating system" seeing as IIS isn't even available in all versions of Vista, and for versions it is it's not installed by default. Bear in mind too of course, IIS7 doesn't permit even asp.net to run by default either, let alone COM+/ISAPI code to run, so it takes someone that knows what they're doing to even get such an app to work at all, let alone allow exploit code to run.
There quite possibly is open holes in SQL Server 7. I'm not even sure it's supported anymore; it having now being superseeded by SQL Server 2000, 2005, and 2008. If you could at least use examples for software written in this millennia, it would make your case look a bit more credible.
throw new NoSignatureException();
http://en.wikipedia.org/wiki/Weapons_of_mass_destruction#Evolution_of_its_use
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
In the Estonian case, it is rumored they used DDOS attack as an excuse to shut down the exchange market for a few days to stop selling stock short a few months ago during great stock fluctuations
We are going to bomb no one; therefor they are NOT WMDs. Any sane person who thinks they are WMDs should be fired or put in jail. Because they are inciting the use of Nukes on the nation attacking the US. Tim S
Most botnets *are* Wired Malfeasant Desktops. I don't see what your issue is.
Bombing all of them wouldn't be very easy though.
May contain traces of nut.
Made from the freshest electrons.
This internet they speak of must be stopped, we must send troops and invade this internet.
Well, do you think that investigators will simply refuse to look at private data because ... there is no system that that limits their ability to do so?
I think there are perfectly legitimately reasons to look at privately held data, but once somebody gets that power, either officially or simply by taking it secretly, that power has to be regulated and its use made accountable.
Consider torture. Alan Dershowitz suggested after 9/11 that there should be a "torture warrant". Now I think that torture has no legitimate use, however I think the idea of a "torture warrant" has its merits. The reason is that many, probably most people think it would be morally allowable to apply torture in a "ticking time bomb" scenario. For that reason, they will tend to look the other way when torture happens. When people are in the habit of looking the other way at torture, then the limits of the "allowable" scenarios are blurred, and extended by frequent practice.
If there were official rules defining the limits of the "ticking time bomb" scenario, those rules would reduce the actual use of torture. Where it was used, its utility could be held up to objective scrutiny.
I think the same goes for the less extreme case of searching. There is no doubt in my mind that people will poke around in private data, even if the rules say they can't. The existence of a legally proper avenue means that there will be more robust compliance measures.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
One day, in the spirit of patriotism, you'll all be installing rootkit bot's on your machines.
All your bandwidth/processor cycles are belong to U.S.
WMD talk makes me very cynical, government trying to set up police state.
BUT, imagine a huge botnet dedicated to nothing except discreetly hacking passwords and exploring security on bank, defense, utility networks. At the right moment your rogue state or Bin Laden sets the botnet to causing chaos instead.
Does seem to be roughly what happened in Estonia and Georgia and I suppose CIA and Pentagon are paid to think about these things. As somebody said tho', one hopes their thoughts include exterminating the dreaded admin/admin duo.
Very few computers that are part of a botnet are known by their owners to be part of a botnet. If people weren't idiots this wouldn't be a problem.
So... a WMA? Perhaps this it all a giant conspiracy that's somehow tied to music files. The DRM, it's behind it all!
So clearly... the RIAA is attempting to become overlord of earth. I think we may have hit upon something HUGE! I should probably go into hiding now... after having posted this, they've likely already broken into my apartment, stole my computer, and have a car-bomb wired to my ignition!
Weapons of Mass Denial?
New slashdot layout sucks.
Even the term "WMD" vastly overstates their destructiveness.
There is no comparison to the effect of a blast from a modern thermonuclear device.
Chemical weapons are scary to be sure. But there is no good way to effectively distribute them over a wide range without using a massive barrage, like hundreds of artillery pieces, or several squadrons of bombers.
Yes - lots and lots of people would die, and assets (buildings/land) will be contaminated - invoking a costly cleanup effort, or lingering hazards, but this is NOTHING compared to the widespread devastation of a thermonuclear blast.
Biological weapons are similarly very difficult to actually use, in practice - with anthrax being the only (known) variant that presents a lingering, persistent hazard (those spores are HARD to eliminate). Again; distribution becomes a very difficult problem to solve without a large-scale deployment effort. Deaths are easily mitigated via medical treatment in the case of anthrax. Some of the more exotic ones pose a hazard to the attackers (smallpox, etc.)
In any case - again, we're talking orders of magnitude of difference in impact versus thermonuclear weapons.
To hang the "WMD" label on botnets is a complete FARCE. Can the technique be a very effective prelude to a physical attack by disrupting Command and Control function of the target? Yes it can. Could a botnet paralyze a defender's economy, causing a domestic distraction from external defense activities (ie. riot suppression, etc.) making the defender more vulnerable to a physical attack? Sure. Can a botnet kill anybody? Not directly - no.
Note: Corrupt lying politicians have always, and continue to be a far greater threat than any tool of destruction ever devised.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
My gods man! It would be patch day, EVERY DAY!
If you can read this, I forgot to post anonymously.
Mass here is used as an ajdective, not a noun.
Sure, but the solution to that problem is to not connect computers that contain important data or that can connect to computers with important data to the Internet. It's really not that difficult.
No existe.
The current financial crisis can even be traced back to 9/11.
9/11 => 2001-2002 recession => 2003 interest rate OVERCORRECTION => 2004-2006 Housing Market BOOM and fraudulent overinvestment (and underwriting) in MBS's => 2007 Housing Market decline => 2008 Financial Market IMPLOSION.
True: Greenspan's flawed religious ideology for the God of the Invisible Hand was probably much more harmful than the physical terror attack that happened on 9/11 - but Greenspan's rate cut was a predictable over-reaction to the economic hiccup caused by 9/11. Guess who has a degree in economics? Osama bin Laden. Guess what his stated goal was in the attack (as a public goal - prior to the 9/11 attack being carried out)? It was to carry out a large-scale terror attack, knock the US economy off balance, cause us to overreact, toppling the entire system.
Not bad, eh?
Of course, those of us who were paying attention at the time looked at what Greenspan was doing, (not to mention that the rate cuts were also abused to finance the war. . . all borrowed money, btw) - and saying: "duh!".
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
I recently had a conversation with a former government official who now works at the same multinational contractor that I do. He said that US companies have probably lost (and I have no way of verifying this) trillions of dollars in IP to security compromises. I am no expert but not sure that this has anything to do with botnets or DDOS attacks. I'd gather from what he said that this is about getting into networks with very sophisticated tools. The whole eWMD thing is a way to try to get people to notice the "silent explosions." People don't like to admit their networks were compromised. So if some government agency is screwed for a couple of weeks because of compromises, or if some company goes down, we don't really see it, unless it happens to be Amazon or Google. And those who aren't seen aren't going to talk about it. Cyber security is a hard sell. Gee, my machine's slow. Well, I expect that from Microsoft. But, gee, my daughter comes over and says, Mom, you're sending information to China and we have to reimage your machine. What does Mom know? Another thing this expert told me was that a) there are plenty of counterfeit Cisco routers out there, and what's to say, that, like the cute little picture frame your kids got you for xmas or the flash drives that apparently shut down Afghanistan, your foreign-manufactured router doesn't come preinstalled with malware. Be afraid. Be very afraid. I know I am.
eWMDs? Won't someone please think of the scriptkiddies!
I can't believe that they are just discussing this NOW? I was discussing this back in '06 after the first round of attacks in my Master's IA course. The damage done in that case was tremendous. Estonia basically dropped off the face of the earth for a week. Transportation stopped, Banks stopped, Phones stopped, Web traffic stopped. The damage was tremendous. I started thinking about BotNet as a military weapon, and the thought chilled me. After all, what does an invading force do first when attacking an opponent? You take out command and control, communications. Normally this is done with bombs. Now, with a botnet, it can be done without firing a singe shot. Imagine what would happen in this country if the rail stopped moving, the phones and internet went down, and the banks closed overnight. Imagine that even news agencies came to a standstill. Imagine the panic that would ensue! Now imagine that same problem also in the military. Chaos! I am very saddened that they are just beginning to work on this now. It has been apparent to me for a long time that BotNets are a very capable poor man's WMD. The problem about issuing warrants against a BotNet though, is that most people participating are innocent. You would need to trace it back to the owner, and that can be very hard if they are any good. I mean, who is going to coordinate all this from their own system? I heard online that the DoD is working on being able to make a physical retaliatory strike against an online threat, but you better make damn sure that you are attacking the bad guy and not some dupe whose computer they have taken over!
Open Source: Eroding the Digital Divide