
Comment A better way to shut down botnets... (Score 1) 129

Shutting down, isolating, or disabling Command and Control (C&C) servers is an ineffective approach. Others have pointed out that shutting down a part of the C&C server network will likely only result in the next update push including a new C&C server list. Even if you succeed in shutting down the entire C&C server network, the botnet operator can simply point one of the C&C server hostnames to a new server, on a new provider, and push a new server list. You can jail the perpetrator, and the network continues to operate - probably under the control of one of the previous botnet operator's associates. You can pull all of his domain names, and he will still probably have a few C&C servers that are addressed by IP address. You can completely stop all traffic to these servers, yank his domain names, and throw him in jail - and what you now have is a "sleeper" botnet, that comes to life as soon as someone figures out that it's there, registers one of the domain names, and sets up a C&C server on the appropriate hostname - and don't think for a second that someone won't try it.

The news story serves as an advertisement for a free, in-place botnet, looking for an operator. Being the suspicious sort, I'd expect some shadowy governmental entity from some shadowy nation, to absorb such a resource, perhaps for later use in some sort of cyberwarfare. Or maybe one of these shadowy "security intelligence firms" that someone mentioned... :)

The only effective way to make a real dent in a botnet, is to shut down, disable, or isolate the bots themselves. And the solution requires some permanence. I like the cluster-bomb idea, but I suspect that the collateral damage might serve as a deterrent to that sort of action. Perhaps a better approach would have been to take control of the botnet, and then instruct it to remove itself. If not that, then perhaps a C&C server list update, containing no servers? A directive to stop trying to contact servers, or to make a contact attempt only once every hundred years?

Law enforcement would probably be prohibited from such action, on the premise that it is invasive in the same manner as the original intrusion, and might therefore constitute a violation of law. But a nice shadowy "security intelligence firm" is probably under no such constraints... :)

Comment Re:Question (Score 1) 124

Interesting factoid... NSA Wally and I recently visited an FAA remote air traffic monitoring location which was secured by an ancient cylinder lock and alarm system with a poorly hidden override switch.

Once inside the facility, network access was frame-relay, and traffic interception appeared trivial. Authentication controls were antiquated and simplistic, and firewall/IDS countermeasures were useless when physical security was that lax, and most facilities were unmanned.

One hopes that the systems involved are non-essential - and not connected to essential systems or accessed using the same authentication credentials. It is disturbing enough to know that many facilities use the same physical keys and hidden alarm override mechanisms, for the convenience of the maintenance and repair staff.

Seriously - if I were a terrorist looking to disable FAA air traffic control or communications systems, it would be much too easy to collect intelligence from these facilities, and then use that intelligence to disable them at key locations and times. So easy, in fact, as to appear almost intentionally so.

Comment Credit checks! (Score 1) 418

I think that true.com ought to have to run credit checks. I don't want some asshole telling my daughter he's a millionaire, and have her falling for him, only to find out that he's penniless.

And this woman I'm dating; I can't tell whether or not she's a gold-digger. She rides the bus to her job as a cashier, but she only dates guys who drive $30,000+ cars. And she is always putting her hands in my pants, but instead of pulling out my penis, she keeps going for my wallet...

Honestly. Sure, there are lots of things we'd like to know about a dating partner before we get involved - and lots of things we'd rather not reveal, until after our dating partner is involved enough that we won't lose them over it. Worse, there are dozens of self-perceptions that would be horribly thrown awry, if we had to face the truth of our own dating scorecards. You ain't all that. You can't get all that, based upon thinking that you're all that. Get over it, and try learning to love someone for who they are - good and bad - and not who you want them to be. Because you can bet that even if you genuinely believe that you're who they want you to be - you ain't. The things you think make you a stud are entirely likely to mean nothing at all, to your dating partner - and the things that they love you for, you are equally likely to be completely oblivious to, about yourself.

The Wiley CyberKitty
