BlueSecurity Fall-Out Reveals Larger Problem 366
mdrebelx writes "For anyone following the BlueSecurity story, sadly the anti-spam crusader has raised the white flag. Brian Krebs with the Washington Post is reporting that after BlueSecurity's announcement, Prolexic and UltraDNS, which were both linked with BlueSecurity through business relations, came under a DNS amplification attack that brought down thousands of sites.
While much of the focus about the BlueSecurity story has been centered on the question of what can be done about spam, I think a bigger question has been raised - is the Internet really that fragile? What has been going on is essentially cyber-terrorism, and from what has been reported so far the terrorists clearly have the upper hand."
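As an added example (not part of the submission or of any comment on this page), here is a small detector run over constructed resolver log lines in an assumed format. It flags the pattern a DNS amplification attack leaves at an open resolver: many tiny queries apparently from one address, each answered with a very large response; that address is the spoofed victim, not the attacker.

```python
"""Spot DNS amplification abuse in resolver logs.

Assumed (constructed) log format, one query per line:
    <client_ip> <qtype> <qname> <request_bytes> <response_bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample, not real traffic. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 ANY example.org. 64 3300
203.0.113.7 ANY example.org. 64 3300
203.0.113.7 ANY example.org. 64 3300
203.0.113.7 TXT example.org. 60 2900
198.51.100.20 A www.example.com. 58 120
198.51.100.20 AAAA www.example.com. 58 140
192.0.2.55 MX example.net. 59 210
"""


@dataclass
class ClientStats:
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    any_queries: int = 0

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received; >1 means we amplify for this client."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_log(text: str) -> dict:
    """Aggregate per-client traffic volume from the log text."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, _qname, req, resp = line.split()
        s = stats[client]
        s.queries += 1
        s.req_bytes += int(req)
        s.resp_bytes += int(resp)
        if qtype == "ANY":
            s.any_queries += 1
    return dict(stats)


def suspected_reflection_victims(stats: dict, min_ratio: float = 20.0,
                                 min_queries: int = 3) -> list:
    """Clients that receive far more than they send, repeatedly.

    In a reflection attack the client address in the log is forged, so the
    address returned here is the victim being flooded, not the attacker.
    The useful response is to rate-limit answers to it (or answer truncated
    to force TCP) and to stop serving recursive queries to the open Internet.
    """
    return sorted(ip for ip, s in stats.items()
                  if s.queries >= min_queries and s.amplification >= min_ratio)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)
    for ip in suspected_reflection_victims(stats):
        s = stats[ip]
        print(f"{ip}: {s.queries} queries, x{s.amplification:.0f} amplification, "
              f"{s.any_queries} ANY")
```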
interesting question about fragile (Score:5, Insightful)
There have been other major outages which have had significant impact. It's a good question: is the internet that fragile?
In many ways it probably is. At the same time, the infrastructure seems resilient enough. The world so far hasn't laced up life-and-death critical systems to the internet such that a failure could cause loss of life. Well, that is, if you don't include:
Oh, wait, I guess people have started doing that.
What mechanisms exist for more than resiliency, i.e., instant self-healing? Could terrorists with a little knowledge and a few well-placed EMP generators disable major segments of the internet?
Unlike phones and the phone networks, which were built with lots of oversight and regulation (Universal Service was a big driver for this (aside: now that everything is profit driven, don't expect phone service at that farm house at the end of that long country road anymore... no one HAS to provide it)), I'm not aware of what safeguards back up the internet. In my entire lifetime, I've not one time experienced a phone outage, not once! Power outages, etc., the phone companies have backups to backups to ensure service (though there is the occasional and hard to manage for ditch digging incident).
While large pieces of the internet are built upon the phone companies' infrastructure, other pieces aren't, and there are significant additional layers of complexity not in the phone companies' purview (switches, routers, coax cable from cable companies).
That question, "is the internet that fragile?", is probably the biggest reason I've never opted to switch my phone service to VOIP yet. I'd hate to be the one (tiny chance, I know) who needs to make that one 911 call and not be able to do so because the internet is unavailable (which happens occasionally here, which is also too often).
motivation (Score:2, Insightful)
Of Course (Score:3, Insightful)
Terrorism too strong a word (Score:3, Insightful)
weakest link (Score:5, Insightful)
None of those attacks (DOS) could have been done without the use of thousands of zombie machines.
I guess the only way of stopping the attackers is by taking their weapons (zombies) from them, and that's left as an exercise for the survivors.
Re:interesting question about fragile (Score:3, Insightful)
The only kind of people a terrorist would terrorize by taking down the internet temporarily are people on slashdot.
Terrorists are interested in killing people to get their message across, not inconveniencing them.
Re:Terrorism too strong a word (Score:5, Insightful)
The use of force (taking down servers) by a group (spammers) against people/property (blue & others) with the intention of intimidating societies (blue's users) for ideological (financial too) reasons.
To get in front.. (Score:3, Insightful)
#1. Don't blame Windows. Most botnets spread through software downloaded installs. 99.999% of computer installs today are vulnerable. The exception, of course, is the LiveCD type OS run directly from a CD in a read-only format. Your choice of OS is no protection. If you run malicious software, your computer is a zombie. Period.
#2. The problem is E-mail. Don't want spam? Don't use e-mail. That seems harsh, but it's true. E-mail is an open protocol, and as such, is ripe for such abuses. It's about time to come up with a new type of server based messaging. I'm not saying let the spammers win. What I'm saying is remove their audience.
Be wary with the label "terrorism" (Score:4, Insightful)
While I do agree that this definitely shows the threat spammers really pose to the internet, I fear at least as much handing government the carte blanche to monitor all and any internet traffic for the sake of "saving us from spam".
No, I'm aware that this won't help a single bit in an attempt to quench spam. But did any anti-terror activity actually work against the alleged threat?
So bring this problem to the attention of your senators, your governors, your congressmen or whoever has some power in your country. This is a very, very serious problem, the criminals are getting the upper hand in this turf, and the internet is a resource I don't want to see depending on the goodwill of the spam mafia.
But for all that we hold dear, avoid the word terrorism. Legislators have been using that word before as the excuse for every kind of restrictive laws that did JACK to solve the problem and only created more. Try to find a word that makes them actually realize the problem and realize that this problem is serious. Not only to the worthless humans using it, but also to precious commerce.
Not fragile, just vulnerable (Score:5, Insightful)
No, the Internet isn't that fragile. It's surprisingly robust, in fact. About the only thing that can really do any significant damage is sheer volume, enough traffic from enough distinct sources to overwhelm the target server or swamp its network connections. No matter what, anything is always going to be vulnerable to that. You can only have finite bandwidth and server horsepower, and if an opponent's willing and able to throw enough resources at you he can simply overwhelm you. It's often referred to as "the Slashdot effect".
The only thing that's happened is that, because of the inherent insecurity of Windows machines and the increasing number of them with broadband connections, the bad guys now have access to orders of magnitude more bandwidth and horsepower than any single server can have. In military terms it's like facing an enemy who outnumbers you by ten thousand to one. Distributing your DNS won't help, redundant pipes won't help, distributing your servers won't help, if you can deal with 99% of his assault he's still got a hundred times what you can absorb left.
The only thing that can help is cutting off the supply of ownable machines the bad guys can take over and use in their attacks. If they're limited to their own machines they can't do much harm.
Meh ... (Score:4, Insightful)
Re:interesting question about fragile (Score:3, Insightful)
Re:To get in front.. (Score:4, Insightful)
1) It's free - you only pay for bandwidth
2) It's universal, anyone can get an account
3) It's open, no company can block a user from email
4) It's possible to send email to anyone, even someone you don't know, if you have their email address.
All of these are extremely important and make email the useful tool it is today. Take any away, and the usefulness plummets. Spam is annoying, but the benefits of the four above points far outweigh it.
Re:To get in front.. (Score:1, Insightful)
1) The incredibly nondiverse OS environment at the moment means that only Windows executables are distributed, by and large, and affect something like 95% of computers. If the OS market were split evenly between, let's say, OSX, Linux, Windows, and, um, BeOS, any given executable would only run on one platform, so people would be vulnerable to only 1/4 as many attacks (assuming that 1/4 of attacks are targeted at Windows, 1/4 at OSX, etc). The lack of diversity is Microsoft's fault to a degree - although they aren't to blame for being dominant per se, their unethical techniques with regard to OEMs and leveraging their monopoly to make it as hard as possible to switch away from Windows (not to mention the whole stabbing-IBM-in-the-back thing) have contributed greatly to the current state of affairs.
2) Windows' security, as of right now, works under the "the user wouldn't run anything they didn't want to have full admin privileges" model, as opposed to the far more secure "make sure the user wants to install a rootkit and delete all their files" model that other OSes do. Under Vista, it seems that it will be replaced by a "pester them with popups often enough that they are ignored and it ends up the same as doing anything the executable wants" model.
Terrurizem (Score:4, Insightful)
Haxors commanding botnets to DDOS servers : Cyber-terrorists.
Big corporations doing aggressive take-overs : Corporate terrorists.
Mass producers dumping products below cost overseas : Market terrorists.
Politicians sketching doom scenarios during campaigns to woo scared voters over to their party : Political (party) terrorists.
C'mon cut it out will ya, soon they will brand humans multiplying without limits sucking up resources and scaring other animals away and out of existence : Biosphere terrorists?
You know, according to some theory, black holes will eventually suck up most of the available matter in the universe, leaving it a dark cold desolate place with only some Hawking radiation to warm your soul. Should we call those : Universal Terrorists then?
Re:Terrorism too strong a word (Score:4, Insightful)
Gotcha - of course by that definition:
al-Qaeda = terrorists
pro-life protestors = terrorists
school bullies = terrorists
NSA = terrorists
George W. Bush = terrorist
FBI = terrorists
PETA = terrorists
Greenpeace = terrorists
Patent trolls = terrorists
China = terrorists
Microsoft = terrorists
UN = terrorists
MPAA/RIAA = terrorists
Re:What isn't prohibited, is required. (Score:1, Insightful)
According to the Wired article you linked, Eran Reshef is Blue Security's CEO. I guess you could argue he was spamming PharmaMaster.
Is the nonstop 24/7 Internet fragile? (Score:3, Insightful)
Re:interesting question about fragile (Score:5, Insightful)
Re:motivation (Score:5, Insightful)
I don't know where you got the idea that NSA's activities have done anything to "impose structure and law" on the Internet.
If anything, the NSA has been actively participating in the chaos by going ahead and doing their own thing with no regard to the law.
Phone outages (Score:3, Insightful)
You are lucky! I've had several phone outages. I had a few outages caused by water in the cable ducts in my street after heavy rains. I had one in the old days (~25 years ago) of analog hardware that took them several days to fix. I've had an outage caused by a truck hitting a utility pole, in a neighborhood where the cables were overhead.
Although telephone stations are more robust than the internet, because they are very specialized and have lots of redundancy, the last mile is susceptible to outages. Of course, internet connections use the same last mile, so they are also vulnerable. I agree, the phone service is more reliable than the internet, but this does not mean it cannot fail.
Re:Terrorism too strong a word (Score:4, Insightful)
Re:To get in front.. (Score:3, Insightful)
As the parent poster stated "if you run malicious software, then your computer is a zombie." I won't hazard to state the proportions but last I checked the number of Apache servers hacked in a given year outnumber IIS hacks. Of course there are far more Apache servers out there so that's really not saying that much.
As for email, I don't think it is near as broken as people seem to think. It's amazing how people just want to throw the whole thing out when something as simple as DKIM and SPF can stop it all pretty much cold. Of course both depend on DNS, so that will need to be secured before the email issue can be put to rest. A further move towards secure updates needs to be pushed for DNS, and amplification attacks need to be stopped. It seems as though we need a DNS server registration process much like that of domain names, with the exception that you actually do need to verify your identity before your server is declared a valid DNS server. That seems a lot more likely than replacing DNS with something completely new.
Re:interesting question about fragile (Score:4, Insightful)
Re:Fragile Internet? No... (Score:2, Insightful)
You're right on the first part, wrong on the second.
It's true that if there weren't zombie machines out there to take part in botnets, that DDoSing would be much less of an issue, if one at all.
However, suggesting that Microsoft could be legally liable is right out. Just because I leave all of my car doors open and the keys in the ignition doesn't mean someone has the right to steal my car. I may be stupid, yes, but I am not legally liable for the crime, and I'd be able to make the insurance claim, too (unless there's a clause in my policy that says I need to adhere to certain standards of vigilance in order to qualify for reimbursement).
Suggesting that Microsoft is at fault for the botnets is the same as suggesting that BlueSecurity is at fault for the 'collateral damage' outages.
The people responsible for the mayhem - at least in a legal sense - are those who have perpetrated it.
(Oh yeah, IANAL, but I watch Cops on TV all the time. Cops set out 'bait' to catch thieves all the time. Expensive mountain bike unguarded and unlocked; someone walks off with it, cops swoop in and make the arrest. Same concept here.)
Re:weakest link (Score:4, Insightful)
Re:Fragile Internet? No... (Score:2, Insightful)
But spammers don't want to take it down (Score:2, Insightful)
Re:Fragile Internet? No... (Score:2, Insightful)
That way if a home user is compromised, there's no guesswork to track them down.
Why is everyone overlooking the obvious solution ? (Score:3, Insightful)
Isn't it in the TOS of the ISPs to require the end user to keep his/her computer safe from viruses and malware crippling the provider's network? If so, why don't the ISPs shut those zombie machines' network connectivity down? Yeah, there will be a few bystanders who may get nabbed, but most of these bystanders will be the geeks who are pushing their broadband connections to the limit, and they will contact the ISP and get their connections reinstated. The clueless users, who have been own3d by the hacker, will have to find someone to clean up their PCs, coughing up some dough, which will make them a little more careful about listening to people when they were told not to open attachments to see the cute dog pictures or accept free product offers from unscrupulous websites.
If you do not hold the ignorant users' feet to the fire, this zombie issue will not come to an end. Yes, we all know that Redmond's finest operating system is no more than a joke when it comes to security, but if one is buying this crap, they should be ready to keep it safe and secure or find some other platform, let it be mac or linux or what have you.
I for one am sick and tired of seeing the spammers go unnoticed while the solution, regardless how brutal it is to the end user, goes unnoticed. Enough is enough!
Re:Terrorism too strong a word (Score:2, Insightful)
Terrorism, however, is when you commit apparently random illegal acts against 'supporters' of something, in hopes they will influence it to stop. The key is that you cannot possibly harm everyone, or even enough people to change anything...instead, you are hoping they will become so afraid of you that they will demand the changes you request are made, or at the very least stop supporting the entities you dislike.
Attacking a single antispammer can't and won't do anything. However, it will make people hesitant to support them, it will make hosting companies hesitant to host them, and it has the undertones 'And maybe if you oppose us, we'll come after you next'.
This is the definition of terrorism. This is the lynching of one black man who voted, this is the beating of one man who didn't pay off his bookie, this is trashing one store that refused to pay protection money, this is the blowing up of one building, this is the sniper picking off one collaborator. The act alone is almost completely negligible, but the intent is to scare people into not doing or supporting what that entity did. Terrorism.
Re:Terrorism too strong a word (Score:4, Insightful)
Terrorism's gotten a rather bad rap these days. It's just a tactic. It's used 'legitimately' against occupying armies, for example. (1) Don't try to wipe them out...just scare people into not supporting them by killing a few people who do. And don't go after the soldiers...go after the policy makers and leaders. They can always get more soldiers, but if you kill every single person who occupies a certain position, soon no one will want to do that.
1) Depending, of course, on whether or not you think the occupying is legitimate or not.
Re:motivation (Score:5, Insightful)
I would further submit that America was far less chaotic in the good old days when big government wasn't so big, wasn't so invasive and tended to leave its citizens alone. It isn't necessary to have a government that restricts and monitors its citizens to the degree that ours is doing for the purpose of achieving a stable society. In fact, the imposition of excessive control, coupled with erratic enforcement, creates instability! This is variously called "political unrest" or "social protest" or, when carried to the logical extreme, "rebellion". Furthermore, it is the kind of thing Americans do when they're pushed too far. At least, I hope it's still the kind of thing we do. It's about the only hope we have left. The way things are in D.C. nowadays, it's pretty obvious that while the lights are still on there's nobody home.
The Wild West aspect of the Internet, which seems to disturb you to some degree, is precisely what makes the Internet the greatest advance since the invention of fire, the wheel and air conditioning! The economic, scientific and cultural benefits of the Internet, as it is today, far far outweigh the dark side. Reducing the Internet experienced by ordinary people to a bland, "civilized" mix of email and heavily-filtered browsing would take away the power, freedom and utility so many people have come to expect and enjoy. It would also largely eliminate innovation and the development of new technologies, as no-one would be allowed to do anything not approved by the powers-that-be. Huh
Yes, but it's more than that. (Score:3, Insightful)
The backbone providers are unlikely to care that much - it impacts a little business, but most make money off their inter-corporate and inter-Governmental lines. The more the Internet degrades, the more high-priced services the major vendors can sell and the more copper/fiber the telecos can charge for. I don't see much of a motive to fix things here.
The vendors further up the chain don't need to care much, either. The companies on the Internet can't gain by switching ISP, because it's the backbone that's broken and they'll have to go through it to reach the peasants - err, home users anyway. The corporations that sell over the Internet don't lose any sales, as a person who is going to buy from an online store is likely to be doing other stuff and won't go out to the stores, so they'll be back. Home users, for the most part, are ignorant enough to think AOL and MSN are really neat ideas, have no clue what the Internet involves, what needs fixing or why, and are likely to pass it off as someone else's problem anyway. And those who ARE smart enough are Libertarian enough that they won't Unionize and DEMAND the fixes that damn well should be made.
(IT users and IT professionals should stop with the "unions are evil" crap - no organization is any more evil than the people in it - and collectively insist that the defects be fixed. No ifs, no buts, no maybes, no excuses, no delays - these kinds of attacks SHOULD be impossible and COULD - very cheaply - be made impossible. But nobody is going to even take the cheap option without a fight, if there's an even cheaper option of apathy open to them.)
Re:interesting question about fragile (Score:2, Insightful)
But that "definition" is useless. If you use that then pretty much all violent crime is "terrorism". If I threaten to hit you on the nose unless you hand over your wallet, I'm clearly trying to coerce you by threatening use of unlawful force.
That's not congruent with the common use of the word. That definition of "terrorism" might be convenient to the dept of defence, because it means that they can label pretty much anyone who opposes them a "terrorist".
I would argue that a necessary condition for labeling something terrorism is that the action is intended to and suitable for inducing terror in groups of people. Dumping plutonium in the water-supply qualifies. Crashing a jet into a skyscraper qualifies. Smuggling a nuke into the superbowl qualifies.
Threatening to hit you on the nose, however, does qualify as a mugging. But not as terrorism.
Unique IP != Unique PC (Score:2, Insightful)
Re:interesting question about fragile (Score:1, Insightful)
Re:interesting question about fragile (Score:3, Insightful)
DNS is only fragile if the people running the authoritative servers are lacking in the clue department.
There are a lot of root nameservers and many of them are anycast addresses (so there are actually a lot more than there appear to be at first glance) - so the root nameservers are pretty robust, you'd struggle to take all of them out.
So then we come down to the TLD nameservers (e.g. the ones authoritative for
The bigger problem is the people running the nameservers for the individual domains - too many people only have the mandatory minimum number of nameservers (2), and in many cases both of these servers are connected to the same piece of ethernet cable, so it's not a great stretch of the imagination to imagine them both becoming unreachable. This problem is solvable - simply put in more, geographically spaced name servers. DNS was designed to allow this. Of course it costs a bit more money, but resilience always does.
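One way to check a delegation for the problems this comment describes (added example, not code from any poster; the records are constructed with documentation addresses and ASNs, and the ASN and site labels stand in for "different network" and "geographically spaced"):

```python
"""Check a zone's delegation for nameserver redundancy.

Added example; the NameServer records below are constructed (documentation
addresses, RFC 5398 documentation ASNs), not a real delegation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NameServer:
    name: str
    ip: str
    asn: int    # origin AS of the address; proxy for "different upstream network"
    site: str   # physical location label; proxy for "geographically spaced"


def check_delegation(servers, min_servers=3):
    """Return a list of problems; an empty list means the delegation is diverse."""
    problems = []
    if len(servers) < min_servers:
        problems.append(f"only {len(servers)} nameserver(s), want at least {min_servers}")
    # Two addresses in one /24 (or /48) almost always sit behind one router.
    subnets = set()
    for ns in servers:
        ip = ipaddress.ip_address(ns.ip)
        prefix = 24 if ip.version == 4 else 48
        subnets.add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
    if len(subnets) < 2:
        problems.append("all nameservers share one subnet (one cable, switch or router)")
    if len({ns.asn for ns in servers}) < 2:
        problems.append("all nameservers announced by one AS (one upstream to lose)")
    if len({ns.site for ns in servers}) < 2:
        problems.append("all nameservers at one site (one power feed or fibre cut)")
    return problems


# The "mandatory minimum": two servers on the same Ethernet segment.
MINIMAL = [
    NameServer("ns1.example.net.", "192.0.2.10", 64496, "rack-a"),
    NameServer("ns2.example.net.", "192.0.2.11", 64496, "rack-a"),
]

# Three servers, three subnets, three ASes, three cities.
DIVERSE = [
    NameServer("ns1.example.net.", "192.0.2.10", 64496, "amsterdam"),
    NameServer("ns2.example.net.", "198.51.100.20", 64497, "new-york"),
    NameServer("ns3.example.net.", "2001:db8:53::1", 64498, "tokyo"),
]

if __name__ == "__main__":
    for label, servers in (("minimal", MINIMAL), ("diverse", DIVERSE)):
        print(label, check_delegation(servers) or ["ok"])
```

Feeding it a real zone is a matter of resolving its NS records and looking up each address's origin AS; the checks themselves do not change.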
Re:motivation (Score:3, Insightful)
Not entirely. Back in the "lawlessness of the wild west" anyone caught doing anything like this would be strung up by the neck. Now when someone tries to do something about these sorts of attacks (like Lycos's screensaver) there is an uproar about stooping to the same low and "maybe" breaking some laws while doing so.
If years and years and years of war have taught us nothing, it is that nothing is free and fire must be fought with fire. Unless we go after those attacking us with the same tactics, we're powerless against them and BlueSecurity like closings will continue as cyber-terrorism continues unabated.
The fact that these guys won this battle will only embolden them to continue along the same path, and we all suffer.
It's analogous to if we had sat on our hands and not declared war on Japan after Pearl Harbor. Stop bowing down and declare war already. They have, why won't we?
How to solve the problem? (Score:2, Insightful)
If someone abuses the telephone service, it's not real difficult to have the phone company take action (and depending upon the abuse, have the offender arrested). ISPs must be forced to take the same responsibility.
The only way to stem the tide of cyber-terrorism (or whatever you'd like to call it), is to make ISPs take the responsibility to mitigate it.
PGA
ISPs should do egress filtering (Score:2, Insightful)