The Future of the Internet

Posted on 26 March 2004 to: Information Security

I don’t frequently refer to documents with terms like “critical” and “must read,” but Symbiot Security’s recent whitepaper (PDF) on the rules of engagement of information warfare is such a document. Symbiot has recently gotten a fair bit of press coverage in the IT world for their decision to release a security system designed to launch counterattacks against crackers targeting corporate networks. (Full disclosure: I previously blogged on the subject.)

However, although this document has so far drawn attention mainly from IT professionals, it should be read by every single Internet user, because it heralds a fundamental change in the way security on the Internet will work. In this case, Symbiot’s marketing slogan that “the rules of engagement for information warfare will change forever” is not so far off the mark. Symbiot is crossing a very large line with their new product: For the first time, home and business computer users may be the targets of major attacks from security professionals. The whitepaper explains how Symbiot plans to implement their technology and some of the justification behind it, but the overall impact of that technology requires a deeper analysis. Internet users everywhere are in for a wild ride, and it’s important that we look at why.

Background: Attack of the Zombies

Note: The next few paragraphs will be old news for those who are familiar with the use of worms to create networks of zombie machines.

To understand why Symbiot’s announcement is such a major event for every home computer user, it is necessary to understand the phenomenon of zombie machines, the recent preferred tactic of hackers. The concept behind a zombie machine is simple enough to comprehend: a hacker, by using a virus or worm, can take over a large number of computers and use them to execute any commands he or she wishes. This has been the strategy behind the MyDoom and Sobig worms, which were designed expressly to take over as many computers as possible on the network, especially home computers on broadband connections. These computers are then used as the infrastructure for any of the members of the Internet’s Unholy Trinity: as mail servers for spammers, as hosts for illegal content (such as child pornography), or as attacking computers in denial of service attacks aimed at major websites. In military terms, the ability to control zombie machines is a literal force multiplier: A single hacker with one computer can take control of tens of thousands of computers, and use them without their owner’s knowledge. This makes it possible to carry out massive attacks or spamming schemes at little cost to the hacker or spammer.

The absolute favorite targets of those who wish to create zombie machines are home users of Microsoft Windows on a broadband connection. In fact, if your computer is running Windows on a high-speed connection, and you have not patched it regularly (weekly or more often) or do not run a firewall, it is quite likely that your computer has already been turned into a zombie machine.

The current popularity of this type of attack is explained in a single word: anonymity. The truly nasty effect of a zombie network is that it is almost impossible to find the individual who created it in the first place, since the owners of the zombie machines will frequently have no idea that their computers are being used for ill purposes. Just as cryptography uses Alice and Bob as the archetypal message senders, the security community has started using Grandma as the archetypal owner of a zombie machine. Grandma is a sweet old lady who uses the computer to write e-mails to her grandchildren, store her recipes, and read a knitting website. Unfortunately, Grandma is also “computer illiterate,” and doesn’t know how to patch her machine or run a firewall. Thanks to this, Grandma’s computer has been infected with every worm known to Man, and is busily using Grandma’s cable connection to send out spam for pornographic websites or to attack the Bank of America’s main web server. What’s more, if the Bank of America tries to trace back the source of the attack on their servers, the only culprit they will find is Grandma’s computer. The real hacker is probably hundreds of miles away, and is scrupulously avoiding attacking anyone himself.

This leads to a profound dilemma for security professionals: How do you deal with the constant attacks from Grandma’s computer, when the user of that computer isn’t deliberately attacking you? More to the point, how do you deal with 10,000 Grandmas?
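To make the two sides of that dilemma concrete, here is an added example (not part of the original post, and not Symbiot’s code): a small Python classifier that an ISP could run over egress flow records from a home subnet to spot a machine behaving like Grandma’s, and a second function showing what the attacked server sees. The flow records, the IP addresses (all from the documentation ranges) and the thresholds are constructed for illustration; real NetFlow fields and sensible thresholds vary by network.

```python
from collections import defaultdict


def constructed_flows():
    """Constructed NetFlow-style records (src, dst, dport, tcp_flags, packets).

    Not real traffic. Flags "S" marks a flow that never got past SYN (half-open);
    "SPA" marks an ordinary completed session. 192.0.2.10 plays Grandma's zombie,
    192.0.2.20 a clean neighbour, 203.0.113.5 the bank's web server.
    """
    zombie, clean, bank = "192.0.2.10", "192.0.2.20", "203.0.113.5"
    flows = []
    # Spam relay: one short SMTP session to each of 60 different mail servers.
    for i in range(1, 61):
        flows.append((zombie, f"198.51.100.{i}", 25, "SPA", 12))
    # DDoS participant: 2,000 SYN packets at the bank, no handshake ever completes.
    flows.append((zombie, bank, 80, "S", 2000))
    # Clean host: ordinary browsing plus one mail session with its own provider.
    flows += [
        (clean, bank, 443, "SPA", 40),
        (clean, "198.51.100.1", 25, "SPA", 15),
        (clean, "203.0.113.80", 80, "SPA", 9),
    ]
    return flows


def classify_sources(flows, spam_mx_threshold=20, syn_flood_threshold=500):
    """Return {source_ip: [reasons]} for sources whose egress looks like a zombie's.

    Two signatures from the text: a home machine talking SMTP to many distinct
    mail servers (spam relay), and a pile of half-open connections aimed at one
    destination (denial-of-service source). Thresholds are assumed values.
    """
    mail_servers = defaultdict(set)                     # src -> distinct SMTP peers
    syn_only = defaultdict(lambda: defaultdict(int))    # src -> dst -> SYN-only packets
    for src, dst, dport, flags, packets in flows:
        if dport == 25:
            mail_servers[src].add(dst)
        if flags == "S":
            syn_only[src][dst] += packets

    verdicts = {}
    for src in set(mail_servers) | set(syn_only):
        reasons = []
        n_mx = len(mail_servers[src])
        if n_mx >= spam_mx_threshold:
            reasons.append(f"spam relay: SMTP sessions to {n_mx} distinct mail servers")
        if syn_only[src]:
            dst, count = max(syn_only[src].items(), key=lambda kv: kv[1])
            if count >= syn_flood_threshold:
                reasons.append(f"SYN flood: {count} half-open connections to {dst}")
        if reasons:
            verdicts[src] = reasons
    return verdicts


def attackers_seen_by(flows, target, dport):
    """What the victim's own logs show: the zombies' addresses, never the controller's."""
    return sorted({src for src, dst, port, flags, _ in flows
                   if dst == target and port == dport and flags == "S"})


if __name__ == "__main__":
    flows = constructed_flows()
    for src, reasons in classify_sources(flows).items():
        print(src, "->", "; ".join(reasons))
    print("bank sees:", attackers_seen_by(flows, "203.0.113.5", 80))
```

The ISP-side view flags Grandma’s machine on two independent signals; the bank-side view returns only her address, which is exactly the attribution dead end the text describes. Run it over 10,000 such subnets and the second list grows to 10,000 Grandmas while the first still names no hacker.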

Weapons as Entertainment

The existence of the archetypal Grandma and her worm-ridden computer can be blamed on many things: Microsoft’s insecure design of Windows, the clever antics of hackers, and the minimal computer proficiency of most computer users worldwide. However, the deeper cause of the tens of thousands of Grandmas worldwide is this: Most home computer users treat their computer as an entertainment appliance, not a tool. Accordingly, home users expect their computer to behave like their television: You turn it on when you want to use it; you turn it off when you’re done. There’s no maintenance necessary, and if it breaks, you just buy a new one.

Unfortunately, a computer is not simply an entertainment device. Let’s not forget that the first mechanical and digital computers were used for purposes far removed from entertainment: cracking military codes, determining trajectory tables for artillery shells, and calculating the design of atomic weapons. The ability to crunch large amounts of numbers is a powerful one, made more powerful when computers are hooked up to high-speed networks and given the ability to interact with millions of other computers. The better comparison for a computer, rather than a television set, is a car: It may be useful, but it is an innately powerful tool. It requires maintenance and repair to keep functioning properly. If this maintenance is not provided, it has the potential to do a substantial amount of damage to its users and to those around it.

What we are faced with today is a vast population of computer users who treat cars as television sets: They don’t do maintenance, they don’t worry about repairs, and they frequently drive just to see how fast they can go or how exciting they can make the ride. When they’re done, they park on the street with the windows rolled down and the keys in the ignition, because it never occurs to them that any harm could come from their cars. We don’t have a population of computer users: We have a population of computer joyriders. A potential weapon has become widely viewed as a form of entertainment.

This is the reason that the phrase “computer illiterate” has crept into our culture: Computers are not widely viewed as something a user should attempt to understand or take responsibility for. By contrast, when was the last time that you heard a driver argue they shouldn’t be responsible for an accident because they are “automobile illiterate?” If a driver said to an investigating police officer that they just had a hard time keeping all the technical bits and pieces of their car straight, that they couldn’t be bothered to keep track of all of those “gear and brake and gasoline thingies,” and that they just called the dealer when they had a question about how to work the brakes, they wouldn’t be thought of as “normal.” The police officer in question would start looking for an excuse to impound their car on the spot. While no one cares if an individual doesn’t know how to set the clock on their VCR, everyone cares that a driver knows how to operate their car, because everyone recognizes the danger that cars can present. Why isn’t this danger recognized by computer users and those around them?

Pain is a Good Teacher

This is where the Symbiot white paper enters the picture. Most computer users don’t recognize the danger that computer viruses pose, simply because they are not the main targets of those viruses. Virus writers typically attempt to design worms in such a way as to create a zombie network with the minimum possible disruption for a home user, so that a home user doesn’t even know that their machine has been “0wn3d.” The pinch is felt by corporate security professionals and ISPs, who have to deal with the attacks launched by zombie machines and the crunch on bandwidth created by tens of thousands of zombie machines simultaneously launching a denial of service attack. The loss to system administrators may be time, money, or possibly the functioning of critical infrastructure elements such as the 911 system or instrumentation at nuclear power plants.

This naturally creates a difference in motivation between virus writers and security experts. Virus writers want to do as little damage as possible to home computers to create a zombie network “under the radar.” However, security professionals don’t have the same goal. Their objective will be to shut down a zombie network as rapidly as possible, and ideally to encourage home users to secure their systems to prevent repeat attacks. The only limiting factors for security professionals will be what the law prohibits and what impact their response will have on their company’s image. Thus, security professionals will want to cause as much disruption for home users as they think they can get away with. While a virus writer may just slow down Grandma’s computer a little, a counterstrike from a security firm may crash Grandma’s computer and reboot it with the Internet connection disabled.

As a worst-case response, Symbiot describes the possibility of “destructive, non-recoverable” counterstrikes. While it is unlikely that these strikes would be used against random members of a zombie network, the possibility remains if a computer is a particularly high-value target. During the Sobig virus outbreak, 20 computers worldwide were used to distribute instructions to computers infected with the virus. In most cases, these machines were zombies, themselves on home broadband connections. At the time, security professionals tried to hunt down these machines and bring them offline by contacting ISPs, resulting in a down-to-the-wire search that cut off 19 of the 20 computers. However, if this tactic were used by a virus writer in the era of Symbiot’s counterstrike system, it would be awfully tempting for security professionals to simply destroy those machines that could not be cut off by their ISPs. In the calculus between a possible major cyberattack by tens of thousands of computers and the irrevocable destruction of one or two home systems, security professionals are very likely to decide that taking down the computers in question is worth the possible costs. If Grandma owns one of the lucky computers, she may suddenly find out why everyone emphasizes keeping good backups.

Again, an analogy to cars is appropriate: The deepest reason that people pay attention to how their cars run is that they don’t particularly want to die. Pain, or the possibility of pain, is a good teacher. When Symbiot’s counterstrike system is released, home users may begin to learn the hard way that computer security does matter.

Digital Anarchy by Design

This is about the point in the post that most home computer users should be growing exceedingly indignant, and wondering why security corporations might be allowed to do this to them, and why there isn’t a law preventing this sort of thing. The fact of the matter is that there is. However, the concept of law on the Internet is so thoroughly distorted that, although it may be legally possible to prevent counterstrikes by security professionals, it may not be a good idea. The problem with law on the Internet is that laws require two things to be effective: A police force capable of enforcing them, and a jurisdiction in which they are enforced. Both of these are effectively nonexistent on the Internet.

In the physical world, the question of enforcement by the state is simple. Laws are backed by the threat of violence, and the state has the ability to enforce laws because it outguns every non-state actor in existence. As vicious as they may be, no criminal or gang of criminals has the ability to resist the power of the state. It is for this reason that Mafia leaders are arrested and tried bloodlessly, rather than holding the police at bay with automatic weapons. The firepower of a modern nation-state is so overwhelming that resistance is literally futile.

On the Internet, however, governments have no such overwhelming power. The Internet is a private venture, with the cables and servers that make it possible owned by private companies. The Internet Health Report, which shows response times between major nodes in the Internet, does not list the response times from France to the United States to the People’s Republic of China. Instead, it lists response times between companies, or more specifically the sections of the Internet they own and control. With the exception of states that directly control their telecom industries, the only way that a government can enforce its will on the Internet is either to persuade a corporation to do so, or to launch a direct hack attack itself.

For this reason, jurisdiction has become critical in government intervention in the Internet. Servers hosted in the United States are subject to law in the United States, for the simple reason that within the bounds of the US the government can use its monopoly on real-world law enforcement to coerce the owners and operators of the servers into obeying US law. However, the simple solution to this problem is provided by the global nature of the Internet: If you don’t like the laws in the United States, host your website from Bermuda, or from India. The hosting company HavenCo has already taken the ultimate step in attempting to escape national jurisdiction by locating its servers in the Principality of Sealand, a WWII antiaircraft platform which was turned into a home by a British family and which declared its independence from Britain in 1967. (Sealand was just outside Britain’s territorial waters when it was established, and the nation exists in a sort of legal limbo. Although it is not recognized by any government, the British courts have ruled in favor of the ruling family several times, and by and large British law enforcement does not trouble them.)

Zombie attacks make the problem of jurisdiction even worse. The Symbiot whitepaper offers an excellent demonstration of the problems of legal jurisdiction:

For example, a firm in Europe may operate through a shell corporation located in the Caribbean to fund hostile network operations through an ISP located in Beijing, ultimately targeting a competitor in North America. Even with a complex attack such as this, the response in most cases must be determined and executed within seconds; which begs the question: what legal jurisdictions, if any, apply?

The question is not mere sophistry, but raises a valid point. Under what set of laws can a hacker be prosecuted if he routes his attacks through three different countries? In all likelihood, the country where the hacker lives is not the target of the attack, has weak cyber-crime laws (a major reason for the surge in hacking in Eastern Europe), and has little reason to prosecute him. Internet worms spread in a matter of hours, whereas extradition attempts take months or years to negotiate, assuming that local ISPs cooperate in finding the hacker in question at all. By the time that an investigation starts to descend on a hacker, he may have simply moved to another jurisdiction, or the ISP log files needed to pinpoint his exact identity may have been erased. This issue of jurisdiction compounds the enforcement problem which governments face. In reality, nation-states have a sharply limited power to enforce laws on the Internet. The Internet may be mostly American by usage and language, but it belongs to no nation.

Shiver me Bandwidth

Let us now drop our analogy of cars, which we have surely beaten into the ground, and take up another: The high seas. The Internet in its current state emulates the sea lanes of the era of sail in several important ways. First, it is the route for valuable cargo, although the cargo has changed from silks to financial transactions. Secondly, it is a large region which is controlled by no single entity. Finally, the power of private organizations is comparable to the power of nation-states. For a government with weak naval resources, such as the United States in the War of 1812, the key to maintaining control of the high seas was not formal military action, but the legalization of privateering.

The analogies between the position of privateers and the position of major industries employing a Symbiot-modeled counterstrike security system are remarkable. Both have a substantial financial incentive to use offensive measures. Both have the capability to successfully implement offensive measures. And in both cases, the only thing holding them back is whatever respect they have for a legal order which the government is not capable of enforcing on its own.

The solution, in the era of privateering, was to issue letters of marque and thus transform potential loose cannons into agents of the government. While some privateers overstepped their bounds into the realm of piracy, others did not, and provided valuable service to the government.

It is time to consider issuing letters of marque for computer security organizations to attack, and if necessary destroy, perpetrators of hacking attacks and network disruptions. This action will have advantages for both governments and corporations. The government will gain an ally in fighting issues of cybercrime, and it is an ally they can rein in with the threat of legal action against the corporation’s physical assets should the company overstep its bounds. Likewise, companies concerned with computer security get a legal shield to undertake offensive computer security measures that they were about to adopt irrespective of legal consequences. Since the dawn of offensive corporate cyberwarfare may be a fait accompli in under a week, it appears that companies have already decided that the current legal limits on use of the Internet are more easily circumvented than obeyed. The creation of cyberprivateering would help redefine the government’s role in maintaining the order of cyberspace, even if that role is only an open acknowledgment that the state is not an omnipotent actor in the electronic realm.

This is not to suggest that the creation of cyberprivateering will restore balance and order to the Internet. Far from it: The establishment of cyberprivateering, if it comes, will be an acknowledgment that the fundamental order of the Internet has changed. Cyberprivateering will let corporations better protect critical infrastructure and financial data. (And before anyone begins to criticize the excesses of big business, remember who is responsible for running the phone lines, managing stock exchanges and mutual funds, and protecting your credit card number. There is an amazing amount of critical corporate infrastructure that needs to be protected from electronic attack not only for the corporate good but for the public good.) What cyberprivateering will not do is in any way safeguard the home computer user. In fact, for the reasons discussed earlier, security professionals may be more likely to damage home computers than virus writers. With a legal license to hack, the only limit placed on security professionals will be that of maintaining corporate image. Technologically and legally, they will be given near-total freedom to act against threats to their networks, and home users will have little recourse to stop them.

Grandma Got Run Over By a Rootkit

Grandma’s electronic life is about to get much more complicated. The key to survival in a new age of cyberprivateering and counterstrike security systems will not be relying on the goodwill of virus writers and hoping that one’s system does not get damaged, for whatever goodwill a virus writer has, a sysadmin will surely lack. Instead, the key to survival on the Internet of tomorrow will be staying out of the line of fire by securing one’s system against infection and takeover, and thus keeping it out of the sights of corporate counterstrike systems.

This is complicated by several factors. The recent Witty worm is a particularly troubling indicator of worms to come. Witty exploited a software vulnerability to great effect roughly one day after the vulnerability was announced. Given that few users patch their systems daily, this means that very few of the users who even bothered to apply patches to their software were protected when the worm hit. Furthermore, Witty signals the approach of the first feared “0 Day Exploit,” by which I mean a worm released less than 24 hours after the vulnerability it attacks is announced. (In the stricter sense practitioners use, a zero-day exploit targets a vulnerability for which no patch exists at all, which leaves even the diligent patcher with nothing to apply.) When this information is combined with the lightning spread times of modern Internet worms, it becomes clear that a 0-day worm may achieve worldwide infection before most users are aware that a vulnerability exists, let alone apply a patch.

Grandma’s only solution to this problem is to assume that her computer is under attack constantly, since the difference between a normal day of network traffic and the near-collapse of the Internet under viruses and worms may be measured in hours, faster than any patch can be applied to fix a new problem. Grandma will need to start locking her computer down with a good firewall, ideally using a hardware and software firewall in concert, so that her machine accepts no unsolicited inbound connections at all. Grandma may also want to consider not using high-risk software, such as Outlook, Internet Explorer, or the entire Windows operating system. (However, one of the other lessons of Witty is that a worm can spread rapidly even when only a small number of hosts are vulnerable: Witty’s targets were the installations of a single vendor’s security product, a tiny population next to the Windows installed base, and it still reached most of them within an hour. In short, if a hacker writes a worm for Linux or Macintosh, the smaller number of targets will not by itself keep it from spreading quickly. Moving to Linux doesn’t give anyone a free pass on this issue.) Finally, Grandma will have to learn to think defensively on the Internet: Don’t click on pop-up ads. Don’t respond to e-mails asking for your password or account numbers. Encrypt sensitive information. And never, but never, open an e-mail attachment from someone you don’t trust.
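How fast is “lightning spread,” and how much does the size of the vulnerable population matter? The standard model for a worm that picks random IPv4 addresses to probe answers both questions, and the Python below works it through as an added example (not from the original post, and not based on Witty’s measured data: the population of 12,000 hosts, the scan rate of 1,000 probes per second per infected host, and the hitlist size are assumed parameters you should replace with your own). Each infected host probes `scan_rate` random addresses per second; a probe lands on a still-vulnerable host with probability (N − I)/2³², so dI/dt = scan_rate · I · (N − I)/2³², whose solution is the logistic curve below.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm draws from


def infected_at(t, n_vulnerable, scan_rate, initial=1):
    """Number of infected hosts after t seconds (logistic solution of the model).

    n_vulnerable: N, hosts running the vulnerable software (assumed value).
    scan_rate:    probes per second sent by each infected host (assumed value).
    initial:      hosts infected at t=0, e.g. a pre-computed hitlist.
    """
    growth = scan_rate * n_vulnerable / ADDRESS_SPACE   # 1/seconds
    ratio = (n_vulnerable - initial) / initial
    return n_vulnerable / (1 + ratio * math.exp(-growth * t))


def time_to_fraction(n_vulnerable, scan_rate, fraction, initial=1):
    """Seconds until `fraction` of the vulnerable population is infected."""
    if fraction * n_vulnerable <= initial:
        return 0.0  # already there before the worm sends a single probe
    growth = scan_rate * n_vulnerable / ADDRESS_SPACE
    ratio = (n_vulnerable - initial) / initial
    return math.log(ratio * fraction / (1 - fraction)) / growth


def infected_when_patched(patch_delay_seconds, n_vulnerable, scan_rate, initial=1):
    """Fraction of the vulnerable population already owned when a patch lands."""
    return infected_at(patch_delay_seconds, n_vulnerable, scan_rate, initial) / n_vulnerable


if __name__ == "__main__":
    # Assumed scenario: 12,000 vulnerable hosts, 1,000 probes/s each.
    n, rate = 12_000, 1_000
    for seeds in (1, 100):
        minutes = time_to_fraction(n, rate, 0.9, initial=seeds) / 60
        print(f"{seeds:>4} seed(s): 90% infected after {minutes:6.1f} minutes")
    # Doubling the population roughly halves the time: the growth term is rate*N.
    print(f"24,000 hosts: {time_to_fraction(2 * n, rate, 0.9) / 60:6.1f} minutes")
    for hours in (1, 6, 24):
        share = infected_when_patched(hours * 3600, n, rate)
        print(f"patch {hours:>2}h after release: {share:5.1%} of hosts already infected")
```

Two things fall out of the numbers. The growth term is `scan_rate * N`, so a smaller vulnerable population does slow a pure random scanner, but the dependence is only linear and the worm author can buy it back with a faster scanner or a hitlist of known-vulnerable hosts, which is why the text’s warning about non-Windows worms holds. And under the assumed parameters most of the population is infected in roughly an hour, so a patch applied even six hours after the worm appears protects almost nobody who was not already behind a firewall.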

Fortunately, for all of those out there who are reading the list above and fretting about having to start learning good computer security practices, there is still a little time until this brave new network becomes a reality. After all, the first corporate counterstrike system isn’t being released until Wednesday.

The future is here. It’s just not evenly distributed yet. — William Gibson

4 Comments »

The URI to TrackBack this entry is: http://port80.blogsome.com/2004/03/26/the-future-of-the-internet/trackback/

  1. Made DDoS, Not Spam

    I’ve previously written at length about the evolution of counterstrike security systems on the Internet. Now, through the Internet Censorship Explorer project of the University of Toronto’s CitizenLab, there’s word of a different form of counterstr…

    Trackback by Port 80 — 4 December 2004 @ 22:18

  2. About Me

    Who Is This Guy, Anyway?

    My name is Zachary Heaton, and I am an undergraduate student of Mechanical Engineering and International Studies (Peace and Global Security Studies) at the University of Dayton. To be blunt, I am not formally qualified to h…

    Trackback by Port 80 — 4 December 2004 @ 22:22

  3. First ICE - Counterattack based security

    I came across a blog entry called “The Future of the Internet” by Port 80 recently, which discusses the impact of “counter attack” security systems like that offered by Symbiot security.

    I don’t frequently refer to documents with terms like “c…

    Trackback by Croctech — 20 December 2004 @ 0:39

  4. e’s a few of the better pieces (in my opinion) I’ve written over the years: The Future of the Internet: An essa […]

    Pingback by Port 80 :: Blogsome Site of the Week — 21 February 2005 @ 23:20
