Slashdot Mirror


US Shows Interest In Zombie Quarantine Code

bennyboy64 writes "Barack Obama's cyber-security coordinator has shown interest in an e-security code of practice developed in Australia that aims to quarantine Internet users infected by malware, also known as zombie computers. He reportedly said it would be a useful role model for the US to adopt. One suggestion within the code is to put infected users into a 'walled garden,' which limits Internet access to prevent further security problems until quarantined. Another is to throttle the speed of an infected user's Internet connection until their computer is fixed. The code is also being considered by other Asia-Pacific countries, ZDNet reports."

13 of 195 comments

  1. Yet another dream quashed. by retech · · Score: 5, Funny

    This is so NOT the story I was hoping it was going to be.

    Like a baby Harp seal on the open ice, my dream has just been dashed.

    1. Re:Yet another dream quashed. by DeadPixels · · Score: 4, Funny

      Maybe it's the fact that it's 3AM here, or perhaps the fact that I've just finished a long study session for upcoming final exams, but my gullibility is much higher than usual. I actually thought this would be related to zombies. I am massively disappointed.

  2. Seems reasonable by Rijnzael · · Score: 4, Interesting

    In contrasting this with the president's ability to declare a cyber attack and disable internet access in the United States, I'd say this seems like a reasoned approach that would hopefully be considered an alternative to the former where applicable.

    My only real concern is that of privacy. How exactly do they go about telling you're a zombie? Well written malware isn't exactly going to advertise infection, and even hosts which may be participating in a denial of service attack can't definitively be proven to be infected unless they're obvious (like sending a TCP packet with an invalid combination of flags, for instance). Scarier would be using the 'zombie' excuse to monitor net traffic on a connection for 'investigative' purposes. So it may just turn out pointless or it may be a ruse for a different kind of control. Anyone have any articles as to the effects of this or some cases where it was actually used in AU?

    1. Re:Seems reasonable by erroneus · · Score: 5, Insightful

      I think you misunderstand. I have never had a compromised machine. Not once in the 25+ years I've owned machines.

      What I am concerned about is what is required to support such actions. In order to support a law that requires machines get cut off the net, perhaps only an IP address would need to be listed and issued to an ISP. What if that IP address was spoofed? What if something had changed? What if that IP address was hosted by a wireless network that was either compromised or on the network of someone trying to diagnose a problem before it was realized that it was infected? There are too many ways something could be mistaken in that regard. And what of the requirements for "proof"? Does the ISP receive more than the request, or will complete forensic details be presented to the ISP? Will the user(s) ever see the complaint?

      I do have some personal experience with how government actions can be made too easily and in error at the same time. I was once about to have my pay garnished for child support by the State of California while I was living in Texas. There was something wrong with that though... *I* had the children, not the mother! She filed false reports to welfare agencies. So based on those false reports, she collected money and my pay was to be garnished? And what proof was offered? None! Just a letter ordering the State of Texas to do so. And while I insisted that I had the children with me, Texas wouldn't stop the action. I asked them to check the local school where I had them enrolled. They didn't want to bother. I ended up pulling them out of school with a copy of their enrolment and attendance records in hand and brought the children to the office in Texas personally as PROOF that I had the children with me and that the garnishment order was in error. In the end my pay was not garnished, but it did require the loss of a day's pay to prevent it.

      So in summary, this story shows that false reports/data/information can be part of a government order for some action and that report may have little or no proof supporting it. But the victim of such mistakes, the falsely accused, may have to go through ALL MANNER of trouble to prove they were innocent or otherwise not responsible.

      Take for example that in my home, I run mostly Linux with occasional Mac OSX usage and an occasional Windows guest. If something were to happen resulting in my network getting limited in some way, what would be required of me to have it restored? Will the asshats at the government agency be required to inspect my home network and its inventory?! Will they understand that I run Linux or what to do with it?

      I think you are not thinking this through. This is not fear of the unknown. I know quite personally how government can be when it comes to applying process and procedures for laws like these. I used the DMCA example because there is a fairly low cost of starting a claim under the DMCA and little if any evidence is required in making a claim. What's more, there are no punitive actions required in the event of a false claim. Meanwhile, the person who was claimed against suffers down time, emotional stress from dealing with the false claim, and is required to do a lot of work in order to restore things once removed. The burden is too often placed on the victim under laws like the DMCA.

  3. I don't want to give information away by MichaelSmith · · Score: 4, Interesting

    Currently my network looks like a single NetBSD box from the perspective of my ISP. The original Australian proposal could have been interpreted to mean I would have to tell the ISP what OSs I was running and what software they had installed.

    So if I had Windows here they would want to know how it was firewalled, etc. So yeah, I can tell them three Ubuntu laptops, one Mac laptop with Windows running inside VMware, two servers running NetBSD, and the ISP are going to get dollar signs lighting up in their eyes. They will want me to pay for a "business" connection now, because of the nodes I have running. Not good for me.

  4. Principle and practice by mccalli · · Score: 4, Insightful

    I like this idea in principle, but am concerned about the details. The article says it's "formalising an existing code of practice", so perhaps Australians here can let us know how it currently works?

    I'm thinking mostly about false positives - I've had a Mac identified as running some Windows virus, at the time I presumed due to NAT somewhere at the ISP level. Getting that sorted out was a matter of waiting half an hour or so, but I can imagine that becoming a more serious issue if this is 'by law'.

    The other thing worrying would be forced steps to remove things. I could go with an "ensure you're clean" rule, but would be against an "ensure you're running this particular security measure" rule.

    Cheers,
    Ian

    1. Re:Principle and practice by the_raptor · · Score: 5, Interesting

      I am an Australian on Exetel. I have had the quarantine kick in twice due to my house mates getting infected. Both times it was a spam relay, so it was presumably easy to detect the massive jump in port 25 traffic. Once you are quarantined all ports but 80 are blocked and port 80 only serves up a page telling you that you are quarantined, what you need to do to remove the quarantine (clean your system then click a link to tell the automated system to check your outgoing traffic), and links to ISP mirrors of malware removal tools. Both times it took about 15-30 minutes to clean the infections and get the quarantine removed.

      I think schemes like this are best practice and the only way the Internet is going to be usable with the rise in online crime. Even if you have a secure local OS, nothing stops users downloading trojans.

      --
      ========
      CINC, 4th Penguin Legion

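
The mechanism the_raptor describes (flag a host on a sudden jump in outbound port 25 connections, drop everything but port 80, redirect port 80 to a notice page, and lift the block once outgoing traffic looks clean) as a toy model in Python. This is an added example, not Exetel's or any ISP's code; the flow records, the 50-per-window threshold and the window size are constructed assumptions.

```python
"""Toy model of ISP-side spam-relay detection and walled-garden quarantine.
Constructed sample data and thresholds; not any ISP's real implementation."""
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_port).
# 10.0.0.7 behaves like a spam relay (300 SMTP connections in 10 minutes);
# 10.0.0.5 browses normally and sends a couple of legitimate mails.
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", 443) for t in range(0, 600, 30)]
    + [(t, "10.0.0.5", 25) for t in (100, 400)]
    + [(t, "10.0.0.7", 25) for t in range(0, 600, 2)]
)

SMTP_PORT = 25
WINDOW_SECONDS = 600                 # assumed detection window
SMTP_PER_WINDOW_THRESHOLD = 50       # assumed; a real ISP tunes this to its baseline

def smtp_counts(flows, window=WINDOW_SECONDS):
    """Count outbound TCP/25 connections per source IP in each time window."""
    counts = defaultdict(Counter)
    for ts, src, dport in flows:
        if dport == SMTP_PORT:
            counts[ts // window][src] += 1
    return counts

def suspected_relays(flows, threshold=SMTP_PER_WINDOW_THRESHOLD):
    """Source IPs whose SMTP rate in any window exceeds the threshold."""
    flagged = set()
    for per_src in smtp_counts(flows).values():
        flagged.update(src for src, n in per_src.items() if n > threshold)
    return flagged

def walled_garden_verdict(src, dport, quarantined):
    """Per-packet policy: a quarantined host reaches only port 80, which is
    redirected to the quarantine notice; all other ports are dropped.
    Hosts that are not quarantined pass untouched."""
    if src not in quarantined:
        return "allow"
    if dport == 80:
        return "redirect:quarantine-notice"
    return "drop"

def quarantine_lifted(recent_flows, src):
    """The 'check my outgoing traffic' link on the notice page: the block is
    lifted only if the host no longer shows relay behaviour in recent flows."""
    return src not in suspected_relays(recent_flows)
```
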
  5. This is not their job. by elucido · · Score: 4, Insightful

    In contrasting this with the president's ability to declare a cyber attack and disable internet access in the United States, I'd say this seems like a reasoned approach that would hopefully be considered an alternative to the former where applicable.

    My only real concern is that of privacy. How exactly do they go about telling you're a zombie? Well written malware isn't exactly going to advertise infection, and even hosts which may be participating in a denial of service attack can't definitively be proven to be infected unless they're obvious (like sending a TCP packet with an invalid combination of flags, for instance). Scarier would be using the 'zombie' excuse to monitor net traffic on a connection for 'investigative' purposes. So it may just turn out pointless or it may be a ruse for a different kind of control. Anyone have any articles as to the effects of this or some cases where it was actually used in AU?

    It's not reasonable for the government to do anything more than monitor the internet. To start telling people how to run their nodes, what websites they can and can't visit, how they can or can't surf the web and at what speeds, is authoritarianism on the web. The internet was not designed for authoritarianism, it was designed to be an anti-authoritarian technology, it was designed to be decentralized, it was designed in this way because authoritarian centralized systems usually have a single point of failure. These overly centralized systems are more likely to fall or collapse.

    The internet as it is designed now is already more advanced than the design of most other systems. To centralize and control it down to the byte flowing through each wire, inspecting every package, analyzing every bit, and controlling which bits to quarantine and which bits not, is just a stealth mechanism which can be used either to destroy the internet or weaponize it. This along with the new behavioral advertising schemes allows for specific centralized entities to feed specific information to specific computers, and now they want to be able to quarantine specific computers to block them from receiving specific information from other computers.

    How can this be good for the internet as a whole? How can this be good for the flow of information from a mathematics/physics point of view? How can it be ethical if the objective is to reduce ignorance and preserve freedom of speech? It can only be ethical if the objective is to control, weaponize, and win at any cost.

    1. Re:This is not their job. by Hognoxious · · Score: 4, Insightful

      The internet was not designed for authoritarianism, it was designed to be an anti-authoritarian technology,

      It was designed for the military. You don't get much more authoritarian than that.

      it was designed to be decentralized, it was designed in this way because authoritarian centralized systems usually have a single point of failure.

      It was also designed on the assumption that those using it would know what they were doing.

      Why do you keep using a political description as if it were a technical one?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

    2. Re:This is not their job. by TheRaven64 · · Score: 4, Informative

      It was designed for the military. You don't get much more authoritarian than that.

      It may have been designed for the military, but it was designed by a bunch of hippies at Berkeley (and elsewhere)...

      --
      I am TheRaven on Soylent News

  6. Bad editors! by GuruBuckaroo · · Score: 4, Insightful

    This headline wrote a check that the story couldn't cash. Bad editors, no cookie.

    --
    Poor means hoping the toothache goes away.

  7. File sharing programs = Malware. by elucido · · Score: 4, Insightful

    So if you run bit torrent and they decide it's malware, now they can throttle your internet speed and quarantine you. Or if you download legal but tasteless pornography this could be determined to be malware and your speed can be throttled.

    This idea is as bad as the kill switch idea.

  8. knee-jerk reactions without reading by reiisi · · Score: 4, Interesting

    Is it just me, or is the first onslaught of posts unusually full of people who seem to want to judge government first and read/think later? I mean, beyond the usual level here.

    I mean, something has to be done. We are well over 50% of the internet's capacity being used to send people junk mail, most of it both offensive and fraudulent, far too much of it containing executable payloads that harm the internet itself, etc.

    If the ISPs don't take voluntary action at a level of minimum intrusion, some excited parents' group is going to hold a referendum and hand their government the right to intrude in every living room.

    Sure, this proposal goes too far in places, misses the boat technically in others. It's not perfect. But it's better than legalizing deep inspection to be administered and performed by the agency of the UN/international courts.

    If we want better than this, we need to come up with counter-proposals of our own, get out, educate people. (And get ourselves off the OS that is the primary medium of abuse.)

    --
    Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.