Kuro5hin.org: technology and culture, from the trenches


Strike-back
By wiredog in Internet
Wed Jan 15, 2003 at 10:00:58 PM EST
Tags: Security (all tags)

The overall problem is not that worms, trojans, and other automated attacks keep occurring; the problem is that known attacks against known vulnerabilities keep occurring months and years after both the vulnerability and its fix have become public. These continuing attacks consume limited time and money: sysadmins cost money to employ, bandwidth costs money, and every attack burns the administrator's time and the bandwidth of the system being attacked. The current remedies are to try to contact the administrator of the compromised system and get them to fix it, to block the attack at the router or firewall, and to go after the attacker through the law. But those solutions don't work.

Attempts to contact the administrator of a compromised system often fail, and when the administrator is reached, they often take no corrective action. Simply blocking incoming packets from the compromised system at your router or firewall keeps them off your hosts, but the packets have already crossed your link by the time they are dropped, so it does nothing to reduce the bandwidth load. There is often no reasonable legal recourse against the attacker, who may be in another jurisdiction, assuming the attacker can even be found.

Strike-back is a proposal from security researcher Timothy M. Mullen that system administrators counterattack, in self-defense, when their systems are attacked by known worms such as Code Red and Nimda. The counterattack would be directed at the attacking process rather than the whole server, and would be intended to stop only that process. The proposed system would require a database of known attacks and counterattacks, and a standards body to determine:

  • What is an attack?
  • What sort of attack would justify, or be vulnerable to, a counterattack?
  • How do you identify and neutralize an attacking process?
  • Who maintains the database of attacks and counterattacks?
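Identifying a known worm's probe is the tractable part of that list. As an added example that is not part of the original article or of Mr. Mullen's proposal, the following Python script scans web-server access-log lines for the well-known request strings that Code Red (the /default.ida overflow request) and Nimda (root.exe, cmd.exe and Unicode-traversal requests) sent, and reports the offending source addresses. The log lines are constructed for illustration, the addresses come from documentation ranges, and the function and variable names are my own. It only identifies the attacking hosts; what to do with that list (a drop rule, an abuse report to the upstream provider, or the counterattack under debate) is the question the article is about.

```python
"""Flag Code Red / Nimda style probes in web-server access logs.

Added example, not code from the original article. The request patterns
below are the well-known probe strings those worms sent; the sample log is
constructed and the helper names are the example's own.
"""
import re
from collections import defaultdict

# Signatures keyed by worm family. Each one matches the worm's HTTP request
# URI; they identify the attack, not the host sending it.
SIGNATURES = {
    "CodeRed": [re.compile(r"/default\.ida\?[NX]{20,}", re.I)],
    "Nimda": [
        re.compile(r"/scripts/root\.exe", re.I),
        re.compile(r"/MSADC/root\.exe", re.I),
        re.compile(r"/c/winnt/system32/cmd\.exe", re.I),
        re.compile(r"/d/winnt/system32/cmd\.exe", re.I),
        # Unicode / double-encoded traversal used to reach cmd.exe
        re.compile(r"(%c1%1c|%c0%af|%255c|%%35c)", re.I),
    ],
}

# Tolerant Combined Log Format parser: only the client IP and request URI matter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(uri):
    """Return the worm family whose signature matches the URI, else None."""
    for family, patterns in SIGNATURES.items():
        if any(p.search(uri) for p in patterns):
            return family
    return None


def scan(lines):
    """Return {source_ip: {family: hit_count}} for lines matching a known probe.

    Lines that do not parse are skipped rather than raising: worm requests
    are frequently malformed, so the parser must not be the weak point.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m.group("uri"))
        if family:
            hits[m.group("ip")][family] += 1
    return {ip: dict(fams) for ip, fams in hits.items()}


def offenders(lines, threshold=1):
    """Sorted source IPs with at least `threshold` matched probes.

    This is the list you would hand to the upstream provider's abuse desk
    or feed into a firewall drop rule.
    """
    return sorted(
        ip for ip, fams in scan(lines).items() if sum(fams.values()) >= threshold
    )


# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jan/2003:10:00:01 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 287
203.0.113.9 - - [15/Jan/2003:10:00:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
203.0.113.9 - - [15/Jan/2003:10:00:02 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 279
203.0.113.9 - - [15/Jan/2003:10:00:03 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
192.0.2.44 - - [15/Jan/2003:10:00:05 -0500] "GET /index.html HTTP/1.1" 200 1842
192.0.2.44 - - [15/Jan/2003:10:00:06 -0500] "GET /images/logo.gif HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, fams in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, fams)
    print("offenders:", offenders(SAMPLE_LOG.splitlines()))
```

Run against the constructed log it reports 198.51.100.7 as a Code Red source and 203.0.113.9 as a Nimda source, while the ordinary requests from 192.0.2.44 are ignored. The threshold argument exists because a single matching request can be a scanner or a curious human; a worm sends the same probes over and over, which is what makes it worth acting on.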

Bruce Schneier describes this as a form of vigilantism and argues that using the law against the originator of the attack is the proper solution. However, several of his readers, Mr. Mullen among them, point out problems both with the assumption that this is vigilantism and with the proposed legal solution.

The primary problem with calling this sort of counterattack vigilantism rather than self-defense is the timing: vigilantism is hunting somebody down after the fact, whereas self-defense is stopping somebody during the act.

The problem with assuming that the law can be used to stop attacks is that there is no effective law. If you're being attacked, who do you call? The local police? The FBI? MI5? Can they respond while the attack is underway? Can they find, arrest, and prosecute the attacker? Legal systems are limited by borders. IP packets are not.

But is Mr. Schneier talking purely about criminal law, or can there be a solution in civil law?

Civil law. Which is to say, lawsuits, against two targets. The first target would be the people who negligently fail to apply available patches against known vulnerabilities. Keep in mind that in this first case we are talking about available patches. What would be the effect? If the sysadmin of SmallCorp fails to keep her system up to date, her employer gets sued the first time it gets 0wn3d and used in a DDoS attack. When they are found negligent, what will they do? They will call their insurance company. The insurance company will want to reduce its exposure, so it will mandate some sort of "best practices": not just applying patches, but running the most secure software. "Most secure software" would probably be a published list, and rates would vary depending on which software is used. This gives software manufacturers an incentive to produce the most secure software they can.

The second target, and a further incentive for software manufacturers, is the manufacturers themselves: they could be hit with product liability lawsuits for producing insecure software. Since the insurance companies would be paying the claims resulting from those suits, they would structure their rates to reflect the security of the products being produced.

But what about the independent developer? Well, you don't see many independent producers of automobiles these days. On the other hand, there are many independent engineers. An engineer is required to be licensed, after passing a test, and is usually required to be bonded or insured. Since writing software is closer to engineering than to building an automobile, you would probably see the same thing in the software field. Yes, this would mean that the 16 Year Old Self-taught Programmer who Writes an App that Changes the World would become a thing of the past. But this isn't 1981 anymore.




Best solution
o Self-defense 36%
o Vigilantism 9%
o Lawsuits and Insurance 10%
o Set Rusty and his Legions of Doom upon them! 12%
o It's Not a Problem 10%
o Intarweb? Is that, like, AOL? 20%

Votes: 74


Strike-back | 61 comments (61 topical, 0 hidden)
Solution in search of a problem (4.11 / 9) (#1)
by lorcha on Wed Jan 15, 2003 at 02:59:09 PM EST

If some machine on the network out there is spewing garbage at one of my hosts, I can easily perform two actions:
  1. Drop all packets from the infected machine
  2. Inform the infected machine's network pipe that they have a customer whose machine is spewing garbage, and could they please cut the thing off until the customer fixes the machine?
Legalized counterattacks are unnecessary and just asking for trouble for all of the reasons that you mentioned. We currently have all the necessary tools to deal with this type of situation.

Justice -- no Arabs, no terror attacks

Congratulations (2.75 / 4) (#4)
by jayhawk88 on Wed Jan 15, 2003 at 03:35:49 PM EST

On being the first to comment on this story without reading past the introduction.

Hell, come to think of it you didn't even read the introduction did you? wiredog clearly states that dropping packets does not solve the overall problem of bandwidth drain; he also goes on to mention that contacting the system admin is often difficult, as well as unproductive, as the admins often do not take steps to correct the problem.

Why, then, should we grant government the Orwellian capability to listen at will and in real time to our communications across the Web? -- John Ashcroft
[ Parent ]
Congrats back at'cha! (3.71 / 7) (#5)
by lorcha on Wed Jan 15, 2003 at 03:53:20 PM EST

For not reading point 2. Or at least not very well. I didn't say to contact the admin of the box that is DDoSing you. Of course that's futile. If he cared, he would have secured his box to begin with. I said to contact whomever is providing the offending machine with bandwidth (the ISP, colo facility, telco, or whatever) to report the problem. These folks tend to have competent staff who can pull the plug on the offending customer machine until the customer can fix the issue.

I think this "solves overall problem of bandwidth drain", don't you?

Justice -- no Arabs, no terror attacks
[ Parent ]

Yeah, that'll do it (2.75 / 4) (#6)
by jayhawk88 on Wed Jan 15, 2003 at 04:09:40 PM EST

I'll just ring up the sys admin over at Cox.net and tell him one of his users in Illinois has gone and got himself infected with a zombie. I'm sure he'll be all over that; at least when he gets the work order for it three weeks later.

If ISP's cared that much about how their bandwidth was being put to use, we wouldn't have these problems in the first place.

Why, then, should we grant government the Orwellian capability to listen at will and in real time to our communications across the Web? -- John Ashcroft
[ Parent ]
Bad example, my friend (4.28 / 7) (#7)
by lorcha on Wed Jan 15, 2003 at 04:21:25 PM EST

I'll just ring up the sys admin over at Cox.net and tell him one of his users in Illinois has gone and got himself infected with a zombie
I'm a Cox subscriber and Cox was one of the first to put the kibosh on all Code Red-related traffic at the switch level. They may take way more subscribers than they have capacity for, but their network team does pretty well for being so big and having to deal with so many clueless residential customers.

Anyhow, I see your point, but I don't think I agree with it. I'm willing to bet that if I called up Rackspace or whatever colo provider and told them that they have a customer whose box is r00t3|) and disrupting not only my network, but probably other networks all over the world, they'd pull the plug on that box right quick.

Justice -- no Arabs, no terror attacks
[ Parent ]

Then step it up (4.50 / 2) (#19)
by CaptainSuperBoy on Wed Jan 15, 2003 at 08:52:12 PM EST

As lorcha said, domestic cable ISPs are a bad example, they are pretty quick about cutting off malicious users. That's beside the point though. Take an ISP who doesn't care about their network. This deserves the same approach as a spam blackhole list. First, try to educate them. Then try to warn them. Then cut them off from a large part of the Internet. You'll get their attention pretty quickly after that.

jimmysquid.com - I take pictures.
[ Parent ]
Yea, maybe (4.00 / 3) (#2)
by imrdkl on Wed Jan 15, 2003 at 03:14:00 PM EST

But I'm not sure that the military-minded approach is the best way to go about it. Neither a virus nor a worm is a direct form of "attack". It's perhaps an "affront", and occasionally might even be a "slur", and possibly even an "insult". Viruses and worms (so far anyways) haven't been much more than that.

Coordinated DDOS otoh, kind of irks me. But it's completely unclear at this point whether DDOS can be defended, once it's clear that something is amiss. The concise timing of the DNS attack awhile back is sobering, for example.

The DDOS's and coordinated attacks of the future wouldn't necessarily be stopped by applying countermeasures to the act of spreading the virus, either. Only by cleaning it, or being immune. This is the nature of all disease, is it not?

The independent programmer is desperately needed (5.00 / 9) (#3)
by kphrak on Wed Jan 15, 2003 at 03:22:44 PM EST

What I read from the last paragraph sounds like this: "Cars are produced by large companies, not by individuals, because they require a lot of testing, permits, etc. Software is potentially life-threatening. It needs to be regulated too, and when it does, only large groups and major corporations will be able to produce it. The age of a hobbyist who writes a good program is over."

I hope you weren't trying to say that, because comparing cars with software is not the best comparison you could make. If somebody roots my Apache server because I was stupid and didn't patch, I would be upset, but believe me, I would be much more upset if I was cruising at 60 mph and my left front wheel came off. Software is non-life-threatening in almost all cases, with a few exceptions. Usually, it's just irritating and/or costs a company using it money. In addition, cars have never been made by an independent producer. Ever tried to build a go-cart? That's moderately difficult, and you haven't even built the engine. It's just too difficult and costly for an individual to build a car (now watch, right after I say this, news will come out about some crazy geek who built his own car from scrap metal, chewing gum, rubber bands, and a 386 running RedHat). Software, by contrast, needs only a computer. If you were oldschool, you wouldn't even need a compiler and assembler; just a hex editor. Comparing computer software with automobiles is a mistake.

Most of the good open-source projects begin with a single hobbyist. More people may end up contributing to the code, but often any changes need to go through the founder, who may alter contributed code to his liking. The loss of the independent hobbyist, frightened away from coding for others by the chilling effect of lawsuits (and a good lawyer would probably be able to invalidate any IN CAPS disclaimers one put in his documentation), would be a terrible blow to the world of computer software, and a big victory for <fill in favorite closed source software megacorps here> who can afford the threat of a class action suit and can drag it on for years, eventually settling it to about $2.00 per injured party.

Describe yourself in your sig!
American computer programmer, living in Portland, OR.

flawed analogy? don't think so (none / 0) (#39)
by richteas on Thu Jan 16, 2003 at 12:06:04 PM EST

Check out what the Internet Public Library has to say about the consolidation of the early car manufacturers:

Most of the small car making companies couldn't survive very well. It was not efficient to make cars one at a time. Before long, the designs and working parts of the car became more complicated. Car manufacturing required a lot of costly machinery and highly skilled workers to run the machines. Mr. Billy Durant had run a successful carriage making factory in Flint and then began making cars. He thought that some of the small companies should combine forces to make the manufacturing process more efficient and to compete with Henry Ford, who had developed an assembly line for manufacturing Ford automobiles. In 1908, the same year Henry Ford started making the famous Model T Ford, Billy Durant established the General Motors Corporation (GM) in Flint. Within two years, GM had bought 30 smaller car companies, including Buick Motor Co., Cadillac Motor Co., Olds Motor Works, Champion Ignition Company. You can recognize the names of some of the cars still made by GM today -- Cadillac, Buick and Oldsmobile.

It seems to me that it was sheer market force that brought smaller garage style companies to merge. One of the forces was the need for skilled workers.

Consider that a car design today requires a lot of knowledge that is usually gained in two ways: education and experience. Still, there is not a single person alive who would be able to create a car design up to par with today's standards all by himself - it is much too complex.

Consider further that car design has come a long way since 1908 and that computer/software design is still at an early stage compared to that time frame. Given the complexity of some of modern software concepts, isn't it likely that there is/will be a moment when the lone programmer or the small independent team will no longer be capable of creating something that complex based on self-taught knowledge and garage tinkering?

It's not just the legal situation. It's what engineering is about - standing on the shoulders of giants.

I am afraid that there will be a need for some "software regulation" - be it just higher standards, which most likely will be more complex than the current state. And we need higher standards, otherwise we wouldn't be talking about security flaws and how to handle them...

[ Parent ]

Why software won't be complex (5.00 / 1) (#43)
by kphrak on Thu Jan 16, 2003 at 01:48:18 PM EST

Given the complexity of some of modern software concepts, isn't it likely that there is/will be a moment when the lone programmer or the small independent team will no longer be capable of creating something that complex based on self-taught knowledge and garage tinkering?

I doubt it. At the base of it all, software is still going to follow Turing's model of computer operations. Algorithms are hard to come up with (well, good ones are), but simple for the developer to follow. Components can be reused -- indeed, it's considered efficient to do so. And more free software/components appear every day.

All the programs we use today are built off the Turing model. Unless a computer changes into something that I cannot envision, I predict that the amateur, who understands that a program is a list of things to do, will always have the chance to properly construct a program. Indeed, you are right that programmers will stand on the shoulders of giants, but as things stand right now, I envision that process as programmers using published algorithms or downloading free/paid-for libraries -- not as groups coming together to make a process more efficient. Cars are physical items that require material things, things that must be moved and produced -- data can be copied infinitely and immediately upon creation.

Programs are getting more complex, but that just makes it easier for newbies to program than ever. People who were forced to remember garbage collection in C/C++ can now happily ignore that in Java. Sandboxes and virtual machines are making programming environments safer. I think we'll always have to be careful when writing programs (something's got to talk to the bare system, after all), but my point is that small-time programming is getting easier and more secure than ever for the novice, not harder.

Higher standards are necessary, but consider that so far, almost every computer-related law put into effect by the government has been useless, dangerous to free speech or privacy, flawed, out of date, based on media-fomented hysteria, based on misunderstandings about computers, and the like. Do we really want the government to put in a "building code" (permits, regulations, bureaus, inspectors, etc) for software?

The claims that it's for our protection, for our own safety, should make us examine the possible pros and cons of licensing/quality control laws even more closely. That's what they said when they asked for anti-terrorism measures, which so many people have complained about. If there are to be measures, they should be decided by common consensus among the programming community, not put into place by people who were elected on the basis of what they said they'd do about the economy.

Describe yourself in your sig!
American computer programmer, living in Portland, OR.

[ Parent ]
Software is easily mass-produced. (4.00 / 1) (#55)
by nstenz on Sat Jan 18, 2003 at 05:01:22 PM EST

It was not efficient to make cars one at a time.
No, it wasn't. However, you only make software once, and then you can copy it as many times as necessary. You're using a flawed analogy.

The only argument you could make about selling software being difficult is packaging and distribution costs money. With most computer users having Internet access these days, distribution is no longer a huge concern, and you only need to make a web page once. After that, you just need bandwidth. If you're selling a product, you should be able to spend some money on bandwidth.

If Internet distribution is not your thing, you can always do it by hand and burn it to CD for pennies on the dollar. Take your pick.

[ Parent ]

Good-bye free software (5.00 / 6) (#8)
by phliar on Wed Jan 15, 2003 at 04:46:03 PM EST

What are the odds that insurance companies will approve "hobbyist" and "amateur" systems like the free unixes? Without anyone to pay for "certification" of *BSD/Linux no one will approve it. Hell, it's hard enough to convince companies to use free software when there's no downside to doing it. And I don't want my ISP to tell me that I must run some Micros**t OS on my machines at home.

Very little free software is written by the "16 Year Old Self-taught Programmer" (I'm "38 Year Old With PhD in CS" and I write a lot of free software). Also, I'm much happier with the state of the software I use than with automobiles.

Faster, faster, until the thrill of...

what are the alternatives? (none / 0) (#48)
by Bnonn on Thu Jan 16, 2003 at 08:36:36 PM EST

If a company claims insurance after getting sued because of security breaches, the insurance company is going to evaluate which software it is which is consistently causing them to have to fork out money. No guesses as to which software that's going to be. They will then commission investigations to find secure alternatives. The fact that Linux is free, or that Apache is non-profit, has nothing to do with it. If Microsoft software is costing them money, and *n?x software isn't, then *n?x software is going to go onto their "most trusted" list.

Think about it. I mean, am I missing something here? It seems pretty clear to me. Incidentally, it's a bit unfair to characterise Linux as "hobbyist" any more; it's widely used in many businesses, and is marketed well by several companies (SuSE, Redhat, Mandrake). Simply because amateur hackers can play with its source doesn't make it amateurish. To be honest, I think you're being overly cynical.

[ Parent ]

oh i dont know... (3.00 / 3) (#9)
by Work on Wed Jan 15, 2003 at 05:22:56 PM EST

I think licensed software developers is coming, and its a good thing.

But I don't see the death of the independent programmer. People still build their own storage sheds. They tinker in their garage. They work on their cars.

Now if they suddenly find themselves in a position of success, and start a business around it, then yes, they usually get a licensed engineer to check things out.

I don't see software going any differently. And I disagree with the whole '16 year old changes the world days end'. First of all, no program a 16 year old has written changed the world. You cannot simply write something, and expect it to go out there and people to say 'hoo hah this is great i'll use it'.

I'm assuming you're likely referring to napster. Shawn Fanning had a clever relative who knew how to start a business and hired people. Shawn may have written the original version of napster, but it was professionals who wrote the version everyone came to use. That kind of exposure requires a business, a marketing department, and a large team of people - including professional engineers.

Man (4.00 / 1) (#18)
by CaptainSuperBoy on Wed Jan 15, 2003 at 08:47:21 PM EST

You cannot simply write something, and expect it to go out there and people to say 'hoo hah this is great i'll use it'.

Due to its absolute nature, this argument only requires one counter-example, Bill Gates and Paul Allen. No doubt you're thinking of saying something like "they muscled their way into IBM" - but that's not what I'm talking about. They wrote BASIC for the MITS Altair after dropping out of Harvard. An old example, sure, but it's far from unique.

Licensing software developers is simply an awful idea, based on a flawed analogy between software development and 'hard' engineering.

jimmysquid.com - I take pictures.
[ Parent ]

And a port of BASIC changed the world???? (none / 0) (#41)
by ceallach on Thu Jan 16, 2003 at 01:20:44 PM EST

BASIC was originally written by John G. Kemeny, who was the chairman of the Department of Mathematics at Dartmouth, and Professor Thomas Kurtz ... http://www.digitalcentury.com/encyclo/update/BASIC.html

More smoke! The mirrors aren't working!!!
[ Parent ]

Well yeah, it did. (none / 0) (#44)
by CaptainSuperBoy on Thu Jan 16, 2003 at 03:08:41 PM EST

By your logic, programming languages were originally invented by Ada Lovelace, so those jokers didn't change the world either.

Shoulders of giants, buddy.

jimmysquid.com - I take pictures.
[ Parent ]

professional engineer != engineer with degree (none / 0) (#54)
by subversion on Fri Jan 17, 2003 at 01:38:07 PM EST

Don't confuse an engineer with a degree with a professional engineer - the latter is a very specific certification, somewhat like getting an MCSE (but quite a bit more difficult), requiring about 5 years of work past school.

It's also something most engineers don't get, as they don't need it.

If you disagree, reply, don't moderate.
[ Parent ]

What about liability for the "vigilante" (5.00 / 1) (#10)
by Ken Arromdee on Wed Jan 15, 2003 at 05:57:50 PM EST

It seems to me that one of the differences (though not the only difference) between a vigilante and someone acting in self-defense in a situation like this is the question of who is responsible if the actor makes a mistake or hurts an innocent bystander.

"I was acting in self-defense" isn't an excuse if I attack the wrong person, or if I kill someone for 'defense' against a much lesser crime (shoot them for trespassing on my lawn, for instance).

What happens if the counterattacker in this scenario makes a mistake? Are there procedures that ensure that if he gets the wrong person, or if he does more damage than he's supposed to, he'll have to pay for it--whether in money or in some other form of punishment that gives counterattackers an incentive to not do it?

(In most cases, you probably couldn't even prove that the counterattacker did any collateral damage, let alone punish him for it.)

What about kit car manufacturers? (and "Guild (5.00 / 1) (#11)
by idiot boy on Wed Jan 15, 2003 at 05:59:27 PM EST

Certainly in the UK there are plenty of kit car manufacturers (Caterham etc.). I imagine that similar numbers exist in the US. It's up to the person who puts the car together to get it checked for road worthiness.

The same goes (I believe) for home built kit aeroplanes. You build it yourself and the FAA approves it (did no one see Scrapheap Challenge with the planes - wow! - Go Brits - hehe.).

The point of this is that the people designing the things don't necessarily have to be accredited anything.

There is nothing therefore about accreditation and licensing that necessarily stops the indie from producing product. What it does do though, is marginalise the indie and tend to "ghettoise" them to some extent. On the other hand, they help to deal with the market failure which is the "cowboy" (UK colloquialism meaning a crap tradesperson) by enforcing common and minimum standards.

One way or another, "guilds", for that is the root of the "Chartered Accountant", the "Lawyer-Barrister-Solicitor", the "Chartered Electronic Engineer" or whatever, serve as a "barrier to entry". They stop some people from working in those professions and help to perpetuate elitism.

I actually don't know what I think about all this at the moment. I'm honestly not sure if "Licensed Software Developers" are a good idea or not, just as I'm not sure whether knocking out processes is vigilantism or self defence. I've been thinking about these subjects for a while now but remain unsure. Hopefully, a debate here will crystallise things a little.


Science is a way of trying not to fool yourself

It would be rather interesting (5.00 / 1) (#14)
by Galion on Wed Jan 15, 2003 at 07:51:10 PM EST

if the same case-by-case basis was used for judging OSS for its security.

As others have pointed out, if you needed to pay to get your software given the seal of approval, who would pay for BSD/Linux? This might be a solution, where insurance companies or whoever send someone round to test your installation, to see if it had been done by competent people (of course using a certified engineer would be necessary, but an extra test just in case).

Any thoughts?

[ Parent ]

Accreditation doesn't work & who'd check OSS.. (5.00 / 1) (#31)
by idiot boy on Thu Jan 16, 2003 at 06:15:30 AM EST

The problem with accreditation (be it by an insurance company or a licensed whatever) is that it is a point in time proof.

As someone very interesting said, "Security is a journey, not a destination". The point here being that your insurance company actually requires proof of process rather than a known configuration at a given point in time.

That's why the security biz puts so much emphasis on writing procedures etc.

As for who'd check OSS for "compliance". Try IBM, RedHat, Caldera-SCO, Oracle and anyone else who's got a hard on for knocking MS.

Science is a way of trying not to fool yourself
[ Parent ]

Home-built airplanes (3.00 / 2) (#25)
by phliar on Thu Jan 16, 2003 at 12:58:52 AM EST

As far as homebuilt (amateur-built) airplanes are concerned, there are rules: if you perform over 51% of the work, you can go into the "Experimental - Homebuilt" category. This requires the design and each step of construction to be approved by the FAA. If you buy a kit, then there are arrangements that organizations like the EAA - Experimental Aircraft Association have for their members: basically, they will assign you an expert, and the FAA will take this expert's word on most of the approval process.

The "from scratch" design and construction of a homebuilt is anything but simple where the FAA is concerned. (In Europe, substitute "JAA" for "FAA" everywhere.)

Faster, faster, until the thrill of...
[ Parent ]

Already done (4.50 / 2) (#12)
by salimma on Wed Jan 15, 2003 at 07:11:59 PM EST

AFAIK insurers already charge different rates depending on the OS running (higher on NT than on Linux too), but this is for the cost of patching up the system, not yet the cost of lawsuits...
- Michel
Orthodoxy means not thinking--not needing to think. Orthodoxy is unconsciousness.
Eric Blair

DDOS? BFD. (3.50 / 2) (#13)
by opendna on Wed Jan 15, 2003 at 07:27:49 PM EST

Some server gets knocked off the web for a couple hours. So what? The loss of revenue often reported is entirely hypothetical and no real damage is done. A DDOS on the net certainly isn't a life-threatening situation.

It's more like your toilet overflowed than the local river washed away your home: it'll take some time to clean up but it's not a big deal.

Or am I completely wrong? It's entirely possible I don't know what I'm talking about here. "...open to corrections..."

So what? (4.00 / 1) (#20)
by Kal on Wed Jan 15, 2003 at 09:16:59 PM EST

Does it matter when a server gets knocked off the net? That depends entirely on the server in question. Wasn't there a story on here, or perhaps slashdot or newsforge where an inadvertent DOS knocked out a hospital network? That would seem to be fairly important.

[ Parent ]
What if it's the root servers? (none / 0) (#33)
by wiredog on Thu Jan 16, 2003 at 07:34:27 AM EST

All of them? Came close to happening a few weeks ago.

The greatest contribution of the internet to society is that it makes it possible for anyone of any age to become a grumpy old fart.
[ Parent ]
Oh, please... (4.57 / 7) (#15)
by trhurler on Wed Jan 15, 2003 at 07:55:01 PM EST

First of all, the law in most US states today makes "striking back" illegal, and has no provision for "self defense." That's enough to shut down that idea without further consideration, but there's more.

Second, any attempt to create a law allowing this sort of behavior necessarily will either not be used by anyone or else will put the burden of proof on the accused initiator. I can easily fake up logs that will make it look like you attacked me, and now you have to go hunting around to find proof that you didn't. Until you do, my attack on you will go unprosecuted, and you will be prosecuted! Even if you're found innocent, that won't mean I get prosecuted for my actions. I don't think you really want that.

Third, if you make software makers liable legally for security, then either Windows will cost $50,000 a license or else you won't even be able to buy it anymore. Linux will be an ex-product. Is this what you want?

Legally mandating patches is not viable either. Often, patches introduce new problems. There are good reasons why responsible companies often wait a few months before applying any patch that isn't considered absolutely vital, and there's no way that anyone can say what is "vital" in your environment without considering the environment itself as part of the decision.

As for licensing software developers, have you ever written any real code? Professionals make mistakes too. Even a moderately complex program is far more complicated than any mechanical device ever built or even dreamed up. Nobody would insure anyone against mistakes in real programs, because it'd be a one way ticket to bankruptcy.

Finally, the idea of lawsuits against anyone due to computer intrusion is pretty bad. Juries don't understand the issues, and judges don't either. This would literally be a case of "whoever can pay the best lawyer wins." Do you really want the results of that?

The truth is, most people should not be using computers. Most people are not competent to use computers. The ability to operate a GUI does not mean you are competent to use a computer. If you don't understand the machine and its interactions with the world around it, you should be using appliances - not computers. Why? Because you're a danger to yourself and everyone else who uses a computer!

But of course, that view is not ever going to take root because it screws over most people in a way they don't want. So, nothing will be done, or else whatever is done will merely make a bad situation worse. Sometimes life is like that.

'God dammit, your posts make me hard.' --LilDebbie

self defense (4.00 / 1) (#35)
by wiredog on Thu Jan 16, 2003 at 07:47:45 AM EST

Self defense is acceptable in every state in the US. It's part of the Common Law. A question to ask is, can it be extended to cyberspace?

Nothing will be done? No. Something Bad will happen, like the root servers going down for a week or so, and then people will decide that the net is Too Important to be unregulated.

We need to discuss this before Something Bad happens.

And, yes, all those in the article are non-optimal solutions. But maybe there isn't an optimal solution.

The greatest contribution of the internet to society is that it makes it possible for anyone of any age to become a grumpy old fart.
[ Parent ]

No... (none / 0) (#45)
by trhurler on Thu Jan 16, 2003 at 04:06:39 PM EST

There are explicit laws in most states regarding unlawful access to a computer, and they do not allow "self defense." Statutes override common law, regardless of the creativity of application of the latter. If you do this, and you do it to someone with any substantial legal resources, then "self defense" will be no argument as your ass ends up in the slammer.

'God dammit, your posts make me hard.' --LilDebbie

[ Parent ]
mechanical devices (none / 0) (#51)
by Polverone on Fri Jan 17, 2003 at 05:14:17 AM EST

Even a moderately complex program is far more complicated than any mechanical device ever built or even dreamed up.

Can we determine complexity by the amount of information needed to reconstruct something? Are the complete CAD files for a Boeing 767 more compact (even after compression) than the iMovie source code (again, after compression)? I'm not sure.

I'm pretty sure that one misplaced rivet can't sink a ship, though, unlike one misplaced bracket in a program. That's the real trouble with making software as durable as purely mechanical creations.
It's not a just, good idea; it's the law.
[ Parent ]

Licensing programmers (4.20 / 5) (#16)
by ucblockhead on Wed Jan 15, 2003 at 08:15:44 PM EST

One of the chief reasons why licensing software engineers will not work is that the technology changes so fast as to make worthwhile testing nearly impossible. It takes five years to create the tests used to license mechanical engineers.
This is k5. We're all tools - duxup
"Software Engineer" is like "Enviro (none / 0) (#50)
by drsmithy on Thu Jan 16, 2003 at 10:39:42 PM EST

The field isn't mature enough yet to be deemed a form of "engineering". It's still very much black magic and counter-productive IP wrangling. IMHO, programmers shouldn't really call themselves "engineers".

[ Parent ]
Everything is a bad idea (4.75 / 8) (#17)
by CaptainSuperBoy on Wed Jan 15, 2003 at 08:30:10 PM EST

My solution: Deal with it at the ISP level, first with education, then with threats, and finally with blacklisting.

The problem here is that all the proposed solutions have major drawbacks. I have to say that I think civil litigation and the concept of software liability are about the worst things that could happen to the industry. Think about it, it's the whole tools vs. acts debate. Do we restrict tools, or restrict the actions that people can take using these tools? The door to banning software that does certain things has been opened a little bit by the DMCA. Open it much more and it has the potential to strangle innovation in the software industry. Just look at all the unintended ways the DMCA has been used to stifle software and research. Add to this the high costs of liability insurance, and the fear of getting sued. So who gets rich from this? The lawyers. It's always the lawyers.

Now imagine a law being crafted where all the special interests get a crack at defining the word 'insecure.' Am I taking this too far? I don't think I am. I think any legislation that defines standards for secure software is bound to look a lot like the CBDTPA.

Software developer certification is also a perennial idea that is often brought up by those with a weak grasp of analogy. There are three flaws in the argument that software should be like other products that are engineered. One, the blame is being misplaced. The problem isn't the people who make the software, it's the people who implement the system. Software is sold strictly on an as-is, caveat emptor basis. This is necessary in order to keep up with the pace of advancement of computer science and hardware. It is up to the consumer to implement reasonably secure systems, not up to the supplier to craft perfect tools. Two, safety isn't the issue. We already have regulation of mission-critical software, e.g. medical, nuclear, and air traffic control. Anything else is taken care of by the market, as it should be. Safety isn't the issue, lost revenue is the issue. When safety ceases to be the issue, the law should cease to be involved. Is Microsoft's release of buggy software an argument for certification? No, the market has shown that it will tolerate a small amount of security issues in return for a whole lot of interoperable software. Three, software engineering is only remotely related to engineering in other fields. Clearly rigorous specification, proof, and testing are essential to constructing a building, but these processes have specific advantages and drawbacks when it comes to constructing software. Are we willing to give up low cost and fast-paced development for software that is moderately more secure?

And yes, this WOULD get rid of the 16 year old genius creating revolutionary software. I don't see how you can say this, without realizing it would be a terrible idea to certify software developers! Sure it's not 1981, but it's downright naive to think that all of the 'eureka' software inventions have already been made. I don't see one decent reason for certification, and this repercussion alone makes it a colossally bad idea.

Well I said, everything is a bad idea. Strike-back is also a bad idea, but not for the reasons Schneier mentions. As was pointed out, it has elements of self-defense as well as revenge. I also think Schneier was focusing more on DOS attacks and virus attacks that can be traced to a specific, malicious source. These should of course be harshly punished by the law, but I think a bigger problem is insecure systems passing worms such as code red and nimda. The solution, folks, is the same as spam. Deal with it at the ISP level, first with education, then with threats, and finally with blacklisting. Even with the fact that blocking doesn't reduce the bandwidth load, it would be hypocritical to condone some forms of retaliation while rejecting others. Sure, you can demonstrate damages in the form of lost bandwidth. Well the movie industry can demonstrate damages in the form of lost sales, let's not use this logic to justify them breaking into PCs. Schneier is right on that point.

Unlike spam, cutting off the perpetrator is not going to stop the worm from propagating. Once it's already in the wild, there's not much you can do to contain it. Because of this, as well as for the sake of research, there is no reason to ban the creation of worms, virii, and other malware. There's definitely unethical software, but there should be no such thing as illegal software.

jimmysquid.com - I take pictures.

tools vs. acts (none / 0) (#34)
by wiredog on Thu Jan 16, 2003 at 07:44:02 AM EST

Yes. That's why we have to be licensed in order to drive a car. User licenses? Have to be 16 to get behind the keyboard? Not going to happen.

I think a bigger problem is insecure systems passing worms such as code red and nimda.
Code Red and Nimda are the specific examples that the author of the strike-back piece used.

The greatest contribution of the internet to society is that it makes it possible for anyone of any age to become a grumpy old fart.
[ Parent ]

Code red (none / 0) (#37)
by CaptainSuperBoy on Thu Jan 16, 2003 at 09:02:08 AM EST

I was referring more to Schneier's article, which seemed to be referring more to single attacks than worms. Worms are much more of a threat, though. And the response to a system that has a worm due to negligence should be different than the response to a system that is maliciously attacking you.

jimmysquid.com - I take pictures.
[ Parent ]
I for one would applaud this if they got my server (4.00 / 2) (#21)
by StephenThompson on Wed Jan 15, 2003 at 09:38:32 PM EST

If my server got Nimda, I would be THANKFUL somebody shut it down. Preferably with a big message telling me I had a worm. Heck, it can even call me names if it wants to.

Hmm (4.00 / 1) (#22)
by zealtrix on Wed Jan 15, 2003 at 10:26:53 PM EST

If somebody with a cold is walking around, sneezing on everybody, and you can't talk to them for a day or more, what should you do? Stuff tissue paper up their nose? Inject a vaccine into their arm? Manually remove them from the room? Wait to tell them? Kill them?

If legal, you bet. (none / 0) (#24)
by pla on Thu Jan 16, 2003 at 12:51:53 AM EST

Humans have rights. Computers do not.

If I had the right to, I'd carry around inflatable plastic bubbles to put over every sick person I encounter (and yes, I would gladly accept my week in a bubble when I got sick myself).

Sound stupid? Guess what - With computers, we CAN do that, quite easily. Personally, I don't see the need for a database, or centralized "permission", or any such crap. Just DDOS the offending machines until the administrator does something about it. This wouldn't even take any user intervention on the part of the participants to start or stop - whenever a machine sends a virally-produced packet, respond with a thousand. Any worm that hopes to spread would very quickly auto-DDOS itself.

[ Parent ]
Yup (4.50 / 2) (#32)
by cyberdruid on Thu Jan 16, 2003 at 07:06:25 AM EST

And then the worm knows that your machine is on auto-DDOS and starts sending you spoofed packets from another machine that is on auto-DDOS and suddenly the two stalwart vigilante machines try to kill each other, leaving the worm-infected computer to happily seek out other victims. You must never forget about spoofing.

[ Parent ]
You can't kill them! (3.00 / 2) (#26)
by phliar on Thu Jan 16, 2003 at 01:04:23 AM EST

No, you just put a plastic bag over their heads and cinch it around their neck. You don't want to kill them, just stop the virus from escaping. If they happen to die... too bad.

Faster, faster, until the thrill of...
[ Parent ]

Is it a cold? (none / 0) (#36)
by wiredog on Thu Jan 16, 2003 at 07:50:10 AM EST

Or tuberculosis? Forcible treatment has long been done, legally, in the US for TB.

The greatest contribution of the internet to society is that it makes it possible for anyone of any age to become a grumpy old fart.
[ Parent ]
hahaha (4.00 / 1) (#42)
by mattw on Thu Jan 16, 2003 at 01:23:47 PM EST

Are they sneezing on a hundred people a second, just trying to get someone sick? If they sneeze on someone and get them sick, will that person subsequently automatically start sneezing on a hundred people a second, trying to get them sick, until everyone who hasn't gotten a special vaccine that most people don't know about is sick?

The whole analogy is just absurd.

[Scrapbooking Supplies]
[ Parent ]
Hammer of God ... (none / 0) (#23)
by ukryule on Thu Jan 16, 2003 at 12:49:11 AM EST

Is anyone else worried about someone advocating attacking other people's computers (for their own good of course) who has published his article on a website called 'Hammer of God'?

Is this someone who's carefully thought through all the implications of his actions, or just someone who's itching to use his 'big hammer' on a bunch of annoying little mortals?

Ok. I'm not totally serious, but if my options are either letting some Norse god hack into my machine, letting some faceless 'standards' body hack into my machine, or putting up with the minor annoyance of the odd virus every now and then, I know which one I'd take ...

A (semi-legal) solution already exists... (4.62 / 8) (#27)
by pla on Thu Jan 16, 2003 at 01:13:44 AM EST

A perfectly viable (and legal) way of dealing with traffic due to worms already exists.

Check out LaBrea, which the authors call a "sticky" honeypot.

It basically accepts connections to nonexistent IPs, then just sits on them, forcing the remote end to tie up a socket until it times out. This effectively drops a worm's scan rate from a few dozen tries per second per socket, to a few dozen tries per hour per socket. Even if a next-gen worm had the intelligence not to wait on a connection for the full default timeout, they need to wait at least 5 seconds or so to give the other side a fair chance to respond. That would still drop the scan rate by a factor of 10 or more.

And, since this ONLY happens when the remote end INITIATES the connection, any lawsuit-happy moron with an infected machine would have one hell of a time trying to prove *you* attacked *him*.

As a bonus, this even provides an easy way of logging and recognizing attempted port-scans... Though an expert would know the difference, some legit traffic looks a lot like a random-order port scan. If you see more than one or two attempts to connect to a nonexistent machine, it leaves even an utter newbie very little doubt about the intent of the remote machine.

Put simply, *everyone* should run this (or something similar). If even a *tenth* of broadband-connected users ran such a program, you'd see congestion from worms grind to a dead halt.
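The two mechanisms described in the comment above, as an added illustration (this is not LaBrea's code, and the addresses, log format and the "more than one or two" rule of thumb are constructed assumptions): a minimal loopback tarpit that completes the TCP handshake and then never answers, so a scanner that waits for a reply is stuck until its own timeout fires, and a detector that counts per-source connection attempts to addresses nothing lives on.

```python
"""Two pieces of the 'sticky honeypot' idea from the comment above, added here
as an illustration. This is not LaBrea's code: it is a minimal loopback tarpit
to show why a probe gets stuck, plus a detector over constructed log lines
(addresses, log format and the rule of thumb are all constructed assumptions).
"""
import re
import socket
import threading
import time


def measure_stickiness(client_timeout: float) -> float:
    """Run a listener that completes the TCP handshake and then never answers,
    connect to it the way a scanner would, and return how long the scanner
    stayed stuck waiting for a reply (at least client_timeout seconds)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # loopback only, ephemeral port
    listener.listen(8)
    listener.settimeout(0.1)
    held = []                             # accepted connections we simply sit on
    stop = threading.Event()

    def tarpit():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            held.append(conn)             # handshake done; send nothing, ever

    worker = threading.Thread(target=tarpit, daemon=True)
    worker.start()

    scanner = socket.create_connection(listener.getsockname(), timeout=client_timeout)
    started = time.monotonic()
    try:
        scanner.sendall(b"GET / HTTP/1.0\r\n\r\n")   # a probe that expects a banner
        scanner.recv(1024)                           # blocks until the client gives up
    except socket.timeout:
        pass
    stuck_for = time.monotonic() - started
    scanner.close()
    stop.set()
    worker.join()
    for conn in held:
        conn.close()
    listener.close()
    return stuck_for


# Constructed log format: "<date> <time> src=<ip> dst=<ip>:<port>"
LOG_LINE = re.compile(r"^\S+ \S+ src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):\d+$")


def flag_scanners(log_lines, live_hosts, threshold: int = 2) -> dict:
    """Count, per source, connection attempts to addresses with no host behind
    them. The comment's rule of thumb is 'more than one or two', so a source
    is flagged once its count exceeds `threshold`. Returns {src: count}."""
    hits = {}
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue                      # unparseable line: skip, don't guess
        if m["dst"] in live_hosts:
            continue                      # a real host: could be legitimate traffic
        hits[m["src"]] = hits.get(m["src"], 0) + 1
    return {src: n for src, n in hits.items() if n > threshold}


LIVE_HOSTS = {"192.0.2.1", "192.0.2.2"}   # the only addresses with machines behind them

SAMPLE_LOG = [   # constructed sample lines
    "2003-01-16 01:13:44 src=198.51.100.7 dst=192.0.2.21:80",
    "2003-01-16 01:13:44 src=198.51.100.7 dst=192.0.2.22:80",
    "2003-01-16 01:13:45 src=203.0.113.5 dst=192.0.2.1:80",     # normal visit to a live host
    "2003-01-16 01:13:45 src=198.51.100.7 dst=192.0.2.23:80",
    "2003-01-16 01:13:46 src=203.0.113.5 dst=192.0.2.30:80",    # one stray attempt: not enough
    "this line is garbage",
    "2003-01-16 01:13:46 src=198.51.100.7 dst=192.0.2.24:80",
]


if __name__ == "__main__":
    print("scanner stuck for %.2fs" % measure_stickiness(0.5))
    print(flag_scanners(SAMPLE_LOG, LIVE_HOSTS))
```

The tarpit half only shows the per-connection delay; the scan-rate reduction the comment describes follows from a worm having a fixed number of sockets each stuck for the timeout instead of for one round trip. The detector deliberately ignores traffic to live hosts, which is the caveat in the comment: a handful of connections to real machines can look like a scan, whereas repeated connections to addresses that have never had a host behind them have no innocent explanation.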

Um. (4.00 / 1) (#28)
by Verinos on Thu Jan 16, 2003 at 01:28:58 AM EST

No. Legal liability for software is a bad idea. Why? Simplest reason: you can't prove a program to be secure, because you'd basically have to prove it's correct. Since you can't do that, forcing people to write secure programs or go to jail (or pay lots of money) probably isn't such a great idea.

In theory i agree (none / 0) (#29)
by CaptainZapp on Thu Jan 16, 2003 at 03:34:21 AM EST

No. Legal liability for software is a bad idea.

But that shouldn't be an easy way out for software manufacturers' gross negligence or ignorance.

You can't expect certain software manufacturers (to be fair, there are others) to have a patch ready within minutes after getting notified about a severe security hole. But you can expect (and should hold them liable) that they don't treat a security hole as a public relations problem instead of a severe bug, which they did excessively often until full disclosure caught on.

On the other hand: If an administrator is too dumb to read the installation manual and doesn't change the administrator's default password for an enterprise database engine, then it's certainly not the manufacturer's fault. Even though the readership in another fine forum seems to think so, provided that said database has originated from Redmond.

[ Parent ]

Legal system accepts ambiguities (5.00 / 3) (#46)
by tudlio on Thu Jan 16, 2003 at 06:12:18 PM EST

The U.S. legal system is quite familiar with the concept of "reasonable" precautions. Courts are capable of setting precedents for deciding what's reasonable to expect by way of security from manufacturers. Companies putting out software can then benchmark their own precautions against the legal precedent.

Happens all the time in other industries.

insert self-deprecatory humor here
[ Parent ]
Ha ha (5.00 / 2) (#30)
by DJBongHit on Thu Jan 16, 2003 at 04:20:12 AM EST

Legal or no, I took this approach 2 summers back when that big worm was going around which basically put a copy of cmd.exe where the web server could run it as a CGI (the name escapes me at the moment). I was sick of all my bandwidth being wasted by that fucking worm (I was on dialup, but had a static IP and was running a private web server off it), so I wrote a Perl script which basically sat there waiting for an attack. Upon noticing one, it used the worm's "exploit" to throw up an alert dialog on the machine telling whoever may be looking that they're an idiot, and then shut down the IIS service. I experimented with several variations on this theme, like rebooting the offending box, but this particular one seemed to work the best for stopping the onslaught.

Worked pretty well... once I started using the script, I rarely got multiple attacks from the same host anymore. I'm surprised more people didn't take this approach - that particular worm made it SO EASY to exploit an infected box (all you had to do was pretty much shoe-horn commands to cmd.exe into CGI parameters).


GNU GPL: Free as in herpes.

Code Red (none / 0) (#47)
by CaptainSuperBoy on Thu Jan 16, 2003 at 06:54:57 PM EST

I believe this was Code Red and you can't place all the blame on the admins of compromised servers. To this day, if you install IIS off the Windows 2000 CD, and your machine has an unfirewalled connection to the net, you may get Code Red or Nimda before you can patch your machine. In an ideal world all admins would patch their IIS before ever connecting their machine to the net, but in an ideal world we wouldn't have the URL buffer overflow in the first place.

jimmysquid.com - I take pictures.
[ Parent ]
Do you still have it ? (none / 0) (#49)
by drsmithy on Thu Jan 16, 2003 at 10:36:09 PM EST

I'd be interested in that script if you still have it. Due to various political wranglings where I work we are unable to implement any workable policies wrt getting infected machines taken off the air, so they just sit there pumping out more infection, usually without the end user even knowing.

[ Parent ]
Quis custodiet and all that jazz (4.50 / 2) (#38)
by El Volio on Thu Jan 16, 2003 at 10:04:49 AM EST

A fundamental problem here would be trustworthiness. Who will trust this agent on their systems? Further, what assurances do I have that it will be used properly? That's partly due to wondering about this "independent body", and partly concerns over whether the agents themselves are vulnerable. This is a blackhat's wet dream. In the organization where I work, such an effort would raise so many red flags that it simply wouldn't be workable.

Certificate is not everything (5.00 / 4) (#40)
by marckris on Thu Jan 16, 2003 at 01:17:17 PM EST

It just might be that the "16 Year Old Self-taught Programmer who Writes an App that Changes the World" is more qualified than those glory graduates in giant corporations who keep flooding the web with their idiocracies. Preventing people from educating themselves and exercising what they have learned is plain dumb.

We do it with engineers (none / 0) (#52)
by wiredog on Fri Jan 17, 2003 at 07:27:59 AM EST

It's quite possible to be self taught in engineering, but it still requires licensing.

Wilford Brimley scares my chickens.
Phil the Canuck

[ Parent ]
Only for civil engineers, and a few others. (4.00 / 1) (#53)
by subversion on Fri Jan 17, 2003 at 01:34:33 PM EST

Only for very, very limited subsets of engineering.

You only need a PE certification in the US if you have to sign off on documents; most engineers will never need one (civil engineers being the massive exception to this rule, as almost all of their work requires a PE).

If you're speaking of getting a degree in it, well, you can work as an engineer without a degree, it's just much harder to find a job.

If you disagree, reply, don't moderate.
[ Parent ]

Exactly what we don't need (4.00 / 3) (#56)
by pyro9 on Sun Jan 19, 2003 at 06:17:33 PM EST

More certification is EXACTLY what we don't need. PEs and aircraft manufacturers etc are certified because failure is likely to cost human life.

As soon as we start treating the net as a life critical service, we will see both hardware and software costs skyrocket until they are in line with the hospital's $8.00 aspirin tablets.

The lawyers will love it, the rest of us will suffer, and the attacks will continue to rain down from other countries.

Holding someone liable for what happens when their server gets hijacked is exactly like holding a person responsible if their car is stolen and then used in a crime.

Active self defense has more merit, but protocols will need to be carefully crafted to avoid collateral damage and prevent both 'excessively proactive' self defense and meritless claims of self defense.

What would be useful would be an authenticated way to propagate filters upstream from your router much like bgp routes do.

So, DOS comes in from x. I tell my router I want the packets throttled, it tells the upstream router the same (perhaps aggregating the destination addresses of anyone else being attacked). Eventually, it'll propagate back to the source's router and the flood bothers nobody but the source of the attack.

Ideally, a net admin seeing all of the throttle demands would realise the problem and terminate the attack. I think throttling would be preferable to a total block so that the various net admins can realise when the attack is terminated. The catch is current hardware is more likely to be able to implement a total block. A reasonable compromise would be limited time blocks (which can be re-applied as needed).

Note that rogue networks that don't honor the throttle request are irrelevant, the throttle would be enforced upstream.

The future isn't what it used to be
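The upstream-propagation proposal in the comment above, as an added toy simulation (this is not any real router protocol or BGP extension; the chain topology, the per-hop shared HMAC keys, the request expiry and the behaviour of a hop that ignores requests are all constructed assumptions). It shows the four properties the comment asks for: requests are authenticated hop by hop, each hop aggregates the victims it has heard about before forwarding, blocks are time-limited and can be re-applied, and a hop that drops the request does not undo the filters already installed at the hops below it.

```python
"""Toy simulation of authenticated throttle requests propagating upstream.

Added illustration of the proposal above; not a real router protocol.
Constructed assumptions: each hop shares an HMAC key with the neighbour that
sends requests to it, every request carries an expiry so blocks are
time-limited, and a hop that does not honour requests simply drops them.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ThrottleRequest:
    attacker: str          # source address of the flood
    victims: frozenset     # destinations asking for relief (aggregated hop by hop)
    expires_at: float      # absolute time after which the block lapses

    def signature(self, key: bytes) -> str:
        msg = f"{self.attacker}|{','.join(sorted(self.victims))}|{self.expires_at:.3f}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Router:
    name: str
    upstream: Optional["Router"] = None
    key: bytes = b""             # key shared with the downstream hop that sends to us
    honors_requests: bool = True
    filters: dict = field(default_factory=dict)   # attacker -> (victims, expires_at)

    def receive(self, req: ThrottleRequest, sig: str, now: float) -> list:
        """Verify, apply and forward a request; returns names of hops that applied it."""
        if not hmac.compare_digest(sig, req.signature(self.key)):
            return []      # forged or tampered: ignored, nothing propagates
        if req.expires_at <= now:
            return []      # stale request
        if not self.honors_requests:
            return []      # rogue hop drops it; the hops below have already applied it
        victims, expiry = self.filters.get(req.attacker, (frozenset(), 0.0))
        merged = ThrottleRequest(req.attacker, victims | req.victims, max(expiry, req.expires_at))
        self.filters[req.attacker] = (merged.victims, merged.expires_at)
        applied = [self.name]
        if self.upstream is not None:
            # forward the aggregated request, re-signed with the key shared with upstream
            applied += self.upstream.receive(merged, merged.signature(self.upstream.key), now)
        return applied

    def forwards(self, src: str, dst: str, now: float) -> bool:
        """Would this hop pass a packet src -> dst at time `now`?"""
        entry = self.filters.get(src)
        if entry is None:
            return True
        victims, expiry = entry
        if now >= expiry:
            del self.filters[src]      # block lapsed; a fresh request can re-apply it
            return True
        return dst not in victims


def build_chain(rogue: str = "") -> dict:
    """Reverse path from the victim's edge toward the attacker's edge (constructed)."""
    attacker_edge = Router("attacker-edge", None, b"k4", rogue != "attacker-edge")
    attacker_isp = Router("attacker-isp", attacker_edge, b"k3", rogue != "attacker-isp")
    core = Router("core", attacker_isp, b"k2", rogue != "core")
    victim_isp = Router("victim-isp", core, b"k1", rogue != "victim-isp")
    victim_edge = Router("victim-edge", victim_isp, b"k0", rogue != "victim-edge")
    return {r.name: r for r in (victim_edge, victim_isp, core, attacker_isp, attacker_edge)}


def request_throttle(chain: dict, attacker: str, victim: str, now: float, ttl: float = 600.0) -> list:
    """The victim's edge router signs and sends a time-limited throttle request."""
    edge = chain["victim-edge"]
    req = ThrottleRequest(attacker, frozenset({victim}), now + ttl)
    return edge.receive(req, req.signature(edge.key), now)


if __name__ == "__main__":
    chain = build_chain(rogue="attacker-isp")
    print(request_throttle(chain, "198.51.100.9", "192.0.2.10", now=1000.0))
    print(chain["core"].forwards("198.51.100.9", "192.0.2.10", 1000.0))
```

The model filters on the (source, destination) pair rather than on the source alone, which keeps the block narrow enough that an attacker cannot use a forged request to cut a third party off; the signature check at every hop is what stops that forgery in the first place, and it is the piece the comment's word "authenticated" is doing the work for.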
Bad analogy (3.00 / 1) (#57)
by wiredog on Mon Jan 20, 2003 at 12:07:03 PM EST

Holding someone liable for what happens when their server gets hijacked is exactly like holding a person responsible if their car is stolen and then used in a crime.
Except that if your server gets hijacked it is still in your possession. Or is there some hack out there that disables pulling the power plug?

Wilford Brimley scares my chickens.
Phil the Canuck

[ Parent ]
Carjacked (none / 0) (#58)
by pyro9 on Mon Jan 20, 2003 at 10:02:31 PM EST

Perhaps carjacking would be a better analogy. You're still in the car, but you're not driving.

I think negligence and liability starts when you are notified of the problem and still do nothing about it. It's important to keep in mind that many DDOS zombies are people on DSL connections who aren't even aware that they have a server (IIS running by default for example)

The future isn't what it used to be
[ Parent ]
IIS (none / 0) (#59)
by wiredog on Tue Jan 21, 2003 at 07:37:46 AM EST

Well, that would be cause for action against the producer of the software. You have two cases, a fault of the software producer, who makes insecure software, and a fault of the end user, who is negligent in securing their end.

Wilford Brimley scares my chickens.
Phil the Canuck

[ Parent ]
A better analogy (none / 0) (#60)
by Zer0 on Tue Jan 21, 2003 at 03:37:46 PM EST

If you owned a pool with no fence and a child drowns in it.

Doh, delete this or something :P (none / 0) (#61)
by Zer0 on Tue Jan 21, 2003 at 03:39:42 PM EST

should be attached as a reply to: Exactly what we don't need

[ Parent ]
Strike-back | 61 comments (61 topical, 0 editorial, 0 hidden)