Allegro

Posted on 14 May 2005 to: Information Security

A little over a year ago, there was a brief furor among the internet security community when a company called Symbiot announced plans to develop a “counterstrike” security system which would combine traditional network defense measures — firewalls, intrusion detection systems, patching, and the like — with offensive countermeasures against network attacks. The use of offensive systems is, at the risk of understating matters, highly controversial among the security community. Some harbor ethical objections to the concept of offensive action, some feel that offensive systems represent a potential legal minefield (an accurate assessment), and some have argued that legitimizing offensive systems would lower the threshold between legal and illegal use of the Internet. At the time, my opinion was that offensive systems, love them or loathe them, were here to stay. Nation-states cannot leverage their monopoly on physical force into a monopoly on control of the Internet, necessitating the involvement of private entities in fighting malicious Internet activity.

Over the past few weeks, however, I have become increasingly convinced that this analysis — and every other analysis I have seen — has neglected a critical portion of the problem. The traditional assumption about the use of a counterstrike system is that it will be slow, deliberate, and carefully controlled: purely defensive measures are applied first, followed by blacklisting, finally followed by offensive countermeasures. Furthermore, these offensive countermeasures are always described as being under the control of human operators. To date, discussion of these systems has been implicitly based on the assumption that counterstrike is a last resort and that a human will always be “in the loop.” Unfortunately, I’m not certain that any system which obeys either of these rules will be able to deal effectively with real-world Internet threats. The current state of the Internet may demand software that operates in seconds, not hours, and which may not be able to wait on human approval for its actions.


We Love the Lycos Information Minister

Posted on 7 December 2004 to: Information Security, Intriguing

Lycos "spokesperson" Malte Pollmann is a strong contender for the 2004 Mohammed Saeed al-Sahaf awards with this comment on the "Make Love, Not Spam" screensaver:

Contrary to some reports, the service never launched a ‘distributed denial of service attack’. Rather, a centralized database ensured all known spammers’ sites were left with at least 5% of bandwidth. The idea was simply to slow spammers’ sites and this was achieved by the campaign.

With all due respect, Malte, the use of the screensavers was distributed, and the stated goal was to deny the spammers the ability to effectively offer their services on the web. If this isn’t a Distributed Denial of Service Attack, then what on Earth is?

The possibility of electronic counterstrike systems deserves serious consideration - it may very well be an idea whose time has come. However, it is becoming clear that Lycos failed to give the possible consequences of their DDoS campaign even the most cursory evaluation.

Consider Symbiot, a company that made headlines by launching a counterstrike security system. Symbiot’s page discussing the possible counterstrike options available to customers is filled with cautions on the legal ramifications of deploying such systems. Other links on their website will take you to extensive white papers discussing the subject. The legal and ethical questions accompanying counterstrike systems are unresolved, and Symbiot recognizes this fact. (Although, as a vendor of such systems, they do have a well-established viewpoint.)

Lycos, on the other hand, doesn’t even appear to have prepared a coherent argument to defend their decision to launch a massive, multinational DDoS. Instead, we get this:

The aim of the campaign was to ignite a debate about anti-spam measures. We feel that we have achieved this through our activity and will now continue that debate with others in the email industry. We hope that this will lead to further new and innovative solutions to the problem of spam.

Igniting the debate on solving the problem of spam would involve writing a provocative whitepaper on the possibilities of an anti-spammer DDoS attack. What Lycos actually did is akin to "igniting a debate" on gun control by handing out free revolvers on a city sidewalk.

I previously wondered what case law might emerge from this Lycos campaign, and I hoped that this case law might help better define the legal liabilities of counterstrike systems. At this point, I’m mostly wondering what heads will roll at Lycos for this fiasco.

I now inform you that you are too far from reality. — Mohammed Saeed al-Sahaf, Iraqi Information Minister (Retired)

A Sudden Change of Plans

Posted on 2 December 2004 to: Site News, Information Security

I had planned to spend my free time this upcoming weekend writing follow-ups to several of the posts I had put up recently. Instead, if I’m lucky, I’m going to be moving Port 80 from its current home at NeoPages to a new server.

The reason, ladies and gentlemen, is the work of those fine gentlemen at the “Q8Cracker Crew” (That’s Kuwait Cracker Crew, for those less experienced in deciphering hacker lingo) who, over the past few days, cracked the NeoPages web server and defaced dozens of the sites hosted here. No real damage was done to the server - most of the websites were quickly repaired.

However, the same is not true for our benevolent overlord and system administrator, Roy, who has finally had enough. As a result, the free hosting he has offered here will be ending no later than December 11th. Many thanks to him for all he has provided to date.

The upshot of this is threefold:

  • I am on the hunt for a new host. I’ve got a few possibilities in mind, and I’ll post a URL here when I know where I’m ending up.

  • I have a new personal policy on the philosophy of “hactivism.” Whenever someone attempts to explain to me exactly how web site defacement is a valid act of political speech, I will render him unconscious with a sharp blow to the head, and write a political slogan on his face with a felt-tip marker. When he comes to, I will proceed to explain to him how this temporary, largely harmless, defacement was a valid expression of my political beliefs.

  • My policy towards those I meet who are self-styled “h4x0rs” is much the same as the above, but with less emphasis on felt-tip markers and more emphasis on sharp blows to the head. I’ve always thought crackers were basically a motley collection of antisocial teen vandals and organized crime syndicates, but that was purely an academic evaluation. Now, it’s personal.

    Furthermore, given the nature of their defacements, the fine gentlemen of Q8Crackers appear also to be hard-line Islamists, making them members of another group of people I just adore. (To top it off, these “hackers” write their HTML with FrontPage.)

I’m signing off for now, hopefully to return shortly. Check back before December 11th for a new URL.

Don’t you just hate them? Don’t you just wanna break their ribs, cut their backs open and pull their lungs out from behind? — Ina Faye-Lund, on script kiddies

Made DDoS, Not Spam

Posted on 27 November 2004 to: Information Security, Networks

I’ve previously written at length about the evolution of counterstrike security systems on the Internet. Now, through the Internet Censorship Explorer project of the University of Toronto’s CitizenLab, there’s word of a different form of counterstrike system. (William Gibson fans will appreciate the acronym of the Internet Censorship Explorer project, which I assume was deliberately chosen.)

While my article on counterstrike systems suggested that major corporations might use their bandwidth to attack malicious internet users, Lycos has taken a different approach and constructed a “reverse botnet.” Lycos has begun distributing a screensaver across Europe which uses a home computer’s idle CPU cycles and bandwidth to attack webservers associated with spammers. Although the Lycos website for this campaign uses the tagline “Make Love, not Spam,” what Lycos is actually making is a white-hat DDoS attack.

The legal implications of this system could prove to be interesting: In my previous post, I assumed that major corporations would have the legal clout to survive court challenges to corporate-owned counterstrike systems relatively unscathed. Likewise, Lycos may be too big a target for spammers to sue. However, the individual users who download the Lycos screensaver and participate in this campaign may not be. Furthermore, the disclaimer on the download page makes it very clear that in the event of a lawsuit, users are on their own: “The use of the screensaver and its function is the responsibility of the user. Lycos or the developer shall not be responsible for any loss or damage, of any kind, direct or indirect.”

It is important to note that while most users who participate in DDoS’s are victims of worms and viruses, those who downloaded this screensaver knowingly chose to participate in a DDoS. This distinction will prove critical if any users are taken to court by hosting providers, as court rulings on this system may set a new precedent for establishing the limits and extent of the legal liability of those who participate in a DDoS attack. Are individual members of a DDoS network liable for all of the expenses incurred by the target, or just their portion of it? Do members of a DDoS network have to actively choose to participate in the DDoS in order to be held liable, or is failure to exercise due diligence enough to establish culpability for the consequences of the attack? Since the targets for the DDoS are provided by Lycos, can the users be held responsible for the DDoS of a specific target at all? The possibility of getting legal answers to these questions is reason enough to watch the progress of this experiment closely.

Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions. — Sun Tzu, The Art of War

L’etat, c’est Google

The web is surely a wonderful thing. A simple Google search can bring you information on almost any topic. Such as, oh, nitrogen tire inflation.

If you choose to scroll down the list of Google results for nitrogen tire inflation far enough, you’ll find a link to a previous weblog entry I wrote about the state of science education in the United States. (Nota Bene: This may not be true since the server change in December 2004. My argument still stands.) The gist of my point went something like this: Isn’t it depressing that tire stores run commercials advertising that it’s safe to mix air with nitrogen, given that anyone old enough to drive should know that air is 78% nitrogen?

However, Google doesn’t understand subtlety or the use of examples to make a point. All it understands is that the words “nitrogen tire inflation” had appeared in that post a fair number of times, and therefore that my post should be returned as a result whenever someone searches on those terms. For some combinations of search terms, I have been informed that my post is the first result returned by Google.


Loose Ends

Posted on 27 June 2004 to: Site News, Information Security, GWOT

It’s housekeeping time at Port 80: My last few posts need a few updates, and I’m going to take care of them all at once.

The War on Terrorism: “Surprise, Surprise, Surprise”

In “Surprise, Surprise, Surprise,” I promised to discuss why I felt that Jihadist terrorists could not be appeased or negotiated with. As I worked on this post, it began to evolve into a general discussion of the causes and roots of the War on Terror. However, this is a subject that many others in the blogosphere have already covered excellently. Thus, rather than reinvent the wheel, I’ve chosen to present a small selection of essays which I think best explain the current global situation.

I would start with “Out of Context” by Anticipatory Retaliation, which does a brilliant job of explaining the difference between what has been termed “September 10th thinking” and “September 12th thinking.” If you cannot comprehend the reasoning of those who prattle on and on about the War on Terror (or if you cannot comprehend the reasoning of those who don’t), this post is vital reading.

The quickest summary of the current situation and what must be done to deal with it is provided by Eric S. Raymond in his short “Anti-Idiotarian Manifesto.” On the other end of the brevity spectrum, there is Stephen den Beste’s “Strategic Overview.” While I don’t totally agree with all of den Beste’s arguments (notably as to the exact root cause of the current war), his work makes for a fascinating and thought-provoking read.

Lastly, I would be remiss if I did not mention “Three Conjectures” by Wretchard of the Belmont Club, who explores just how ugly the War on Terrorism could get. den Beste’s follow-up essay is also worth reading. However, don’t start on either of these if you plan on sleeping anytime soon.

Computer Security: “The Future of the Internet”

“The Future of the Internet” is the single post on this website that has gotten the most interesting responses. I’ve gotten e-mails from individuals in the computer security industry about the work, and have seen links to it reposted to other forums on the web. (I’ve also seen one individual try to repost the entire text - but trying to fit a 4000 word essay into a text box on a web page proved to be a bit too much.)

Now, however, the print media have picked up the article. The July 12th issue of New Scientist magazine briefly quoted the post in an article (“Vigilantes on the net,” by Barbara Moran) discussing the impact of counterstrike systems on computer security:

As web pundit Zachary Heaton of Dayton, Ohio, wrote online earlier this month, “Internet users everywhere are in for a wild ride.”

If you’re interested, the full article is available through the New Scientist archives, which you can get a guest pass for from the New Scientist website. (The exact issue is Volume 182, Issue 2451.) The focus of the article is far more on the short-range effects of counterstrike systems than the long-range effects I focused on, but it’s a worthwhile read.

While I don’t know about the claims of some that weblogs are “the new media,” it’s nice to see the “old media” taking notice of them. How else does an unknown self-published essayist get quoted in the same article as the network administrator of MIT, the head of the FBI’s Criminal Computer Intrusion unit, and miscellaneous other notable security experts, computer scientists, and attorneys?

The Future of the Internet

Posted on 26 March 2004 to: Information Security

I don’t frequently refer to documents with terms like “critical” and “must read,” but Symbiot Security’s recent whitepaper (PDF) on the rules of engagement of information warfare is such a document. Symbiot has recently gotten a fair bit of press coverage in the IT world for their decision to release a security system designed to launch counterattacks against crackers targeting corporate networks. (Full disclosure: I previously blogged on the subject.)

However, although this document has so far drawn attention mostly from IT professionals, it should be read by every single Internet user, because it heralds a fundamental change in the way security on the Internet will work. In this case, Symbiot’s marketing slogan that “the rules of engagement for information warfare will change forever” is not so far off the mark. Symbiot is crossing a very large line with their new product: For the first time, home and business computer users may be the targets of major attacks from security professionals. The whitepaper explains how Symbiot plans to implement their technology and some of the justification behind it, but the overall impact of that technology requires a deeper analysis. Internet users everywhere are in for a wild ride, and it’s important that we look at why.


Science-Fiction Becomes Reality

Posted on 10 March 2004 to: Information Security

In Neuromancer, William Gibson wrote about “black ice” - offensive computer security systems. ZDNet is running an article suggesting that this concept is one step closer to becoming reality.

Although the article is filled with misgivings about the system, I think that it’s a concept whose time is rapidly coming. The problem with the Internet at present is that it is an anarchic system, but is not recognized by most of its users as such. As a result, there is a large amount of outright negligence among Internet users with regard to security. Countless help desk technicians and sysadmins have tried to spread the message over the last few years that security is everyone’s responsibility, but this message has been getting lost. Perhaps it’s time to apply some consequences for running an insecure system which is then hijacked and used for DDoS attacks, spamming, or hosting of illegal content.

The article makes much of precisely these hijacked users as a reason why this system is a bad idea, painting a picture of havoc unleashed upon hapless bystanders: “You may be taking out grandma’s computer in Birmingham that has got a 100-year-old cookie recipe that has not been backed up.” However, if Grandma has let her system go unpatched and un-firewalled for the last few months, opened unsolicited attachments, and generally been lax in security, the fact of the matter is that Grandma has been grossly negligent with her system’s security.

The best analogy is one of a car: If Grandma has left her Oldsmobile unlocked on the street with the keys in the ignition for the last three months, and it is taken for a joyride down Main street by a pair of teenagers, Grandma doesn’t have much of a right to complain if the police dent the car in the process of stopping it. By failing to apply basic due diligence, Grandma has left herself open to the risk of incurring damage if others hijack what she has failed to secure.

This particular issue — the ethics of negligence in computer security — is one that I have been mulling over for a few days. I hope to write a longer post, or perhaps a paper, on the subject next week in an attempt to do it justice. As more and more critical infrastructure is connected to the Internet, and as the Internet becomes more and more critical to financial transactions, it’s time to take a long, hard look at the consequences of irresponsibility on the Internet.

There is one major difference between Gibson’s “black ice” and the computer security issues we are faced with today - “black ice” was a lethal defensive system. We haven’t yet seen the first fatality from a computer virus. However, this may just be a matter of time.

Dividing the Base

Posted on 29 October 2003 to: Information Security, China

The last time I blogged (which was entirely too long ago), I wrote about the possibilities of a Chinese-EU partnership in the GALILEO satellite navigation system. None of the possibilities have been good, but with China’s recent demonstration of its space-launch capability, a substantially worse possibility has appeared: The destruction of the GPS system in the event of conflict between the US and the PRC.

The problem with GPS is that, although it’s a wonderful system, there are only 24 satellites in orbit. While this is a relatively large number, it is still a finite number, and vulnerable to ASAT [Anti-satellite weaponry] programs, which China is pursuing. (Astute readers will note that the linked article estimated the earliest Chinese manned spaceflight as occurring in 2005. Adjust your estimates of ASAT availability accordingly.) Furthermore, China (or any other aggressor) would not have to kill every GPS satellite to greatly impede US military operations. A receiver needs signals from at least four satellites at once to compute a three-dimensional position (three for position and a fourth to solve for the receiver’s clock error), and the constellation is sized so that at least that many are above the horizon everywhere at all times. By simply bringing down a sizable portion of the GPS network, China could create “outages” in the GPS system - temporary holes in satellite coverage over particular regions where fewer than four satellites are visible.

While the US could probably fight a war without GPS, it would be a sharply different kind of war than we have become accustomed to over the past several years. The JDAM precision bombs that have seen so much use in Iraq and Afghanistan are guided by GPS signals, and would become unusable during periods of GPS outages. While laser-guided weapons are still an option, they are more limited than the JDAM in that their target must be illuminated by a laser designator - a difficult task through cloud cover or smoke. Weapons aside, the loss of GPS makes navigation - for aircraft, ground units, and naval vessels - a serious issue. It is entirely possible to navigate without GPS (contrary to the beliefs of some outdoorsmen), but the task becomes more difficult and less accurate.

Prior to the advent of GALILEO, the vulnerabilities of GPS were something of a moot point - while China might be able to destroy the GPS system, China would be handicapped by its destruction along with the United States, if not to the same degree. However, if China uses the GALILEO system for satellite navigation, the destruction of GPS would have no impact on Chinese operational capability. This is especially true if the current plans to make GALILEO interoperable with GPS fall through - the result would be a Chinese military using GALILEO-only receivers, and a US military using GPS-only receivers.

Europe’s participation in GALILEO makes an attack on GPS especially tricky, as the United States cannot simply attack the GALILEO network in retaliation. To do so would not only cut off Chinese access to satellite navigation, but also the access of the European Union, some of whom may be our allies in a conflict with China. Even if they are not, the diplomatic ramifications of destroying GALILEO would be exceedingly high, as the European Union will not simply “write off” multiple billions of dollars in satellites and launches.

What’s especially worrying is that this sort of tactic - dividing its technological base from that of the United States - is seeing increasing popularity in China today. In computers, China is sponsoring an Asian form of Linux at the same time that they are gaining access to the source code of Windows. (Bear in mind that Microsoft officials have stated under oath that releasing the source code to Windows could compromise national security.) China has even extended this approach to processors, giving up the x86 base common to Western computer users in favor of a homegrown V-Dragon CPU. Which is, incidentally, designed to run Linux, not Windows.

Taken together, these incidents paint a clear pattern: China is actively working to separate its technological base from that of the US. Whether this policy arises from concerns about economic dependence, or a goal of strategic independence, remains to be seen. Either way, however, this trend bears watching. China is clearly not happy with its current place in the world. Let’s hope it only asserts itself by launching taikonauts into orbit.

The 2.2 Trillion Dollar Question

Posted on 9 May 2003 to: Information Security

And people wonder why I don’t particularly care for Microsoft. I mean, buffer overflows I can understand, but resetting passwords by setting the option “emailpwdreset”? Why not just set it to “hackmeplease” and save everyone a little bit of trouble?

Update: For comparison, 2.2 trillion is about the same as the entire United States budget. Don’t hold your breath waiting for Microsoft to write a check for this one.
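For readers wondering what the right way to do this looks like, here is an added example (my own illustration, not code from the original post and not Microsoft’s Passport implementation) contrasting a reset handler that is authorized by nothing more than a request flag with one that is authorized only by a random, single-use, expiring token delivered out of band. The accounts, request dictionaries and parameter names are constructed stand-ins for illustration.

```python
# Added example: a request-flag "authorized" reset beside a token-authorized one.
# Not the original post's code and not Passport's implementation; accounts,
# requests and parameter names are constructed stand-ins.
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    password: str


@dataclass
class PendingReset:
    email: str          # account the token was issued for
    expires_at: float   # unix time after which the token is rejected
    used: bool = False  # tokens are single-use


class FlagResetService:
    """Anti-pattern: a request field, not proof of identity, authorizes the reset."""

    def __init__(self, accounts):
        self.accounts = accounts

    def handle(self, request):
        # Anyone who learns the parameter name can reset any account they can name.
        if request.get("emailpwdreset") == "1" and request.get("email") in self.accounts:
            self.accounts[request["email"]].password = request["new_password"]
            return True
        return False


class TokenResetService:
    """Reset authorized only by a secret token sent to the account's e-mail address."""

    TOKEN_TTL_SECONDS = 15 * 60

    def __init__(self, accounts, now=time.time):
        self.accounts = accounts
        self.now = now        # injectable clock so expiry can be exercised in a test
        self._pending = {}    # sha256(token) -> PendingReset; the raw token is never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Step 1: mint a token for an existing account. A real service would
        e-mail it and show the same 'check your mail' message whether or not the
        account exists; the token is returned here only so the demo can finish."""
        if email not in self.accounts:
            return None  # no account enumeration: the caller sees nothing different
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingReset(
            email=email, expires_at=self.now() + self.TOKEN_TTL_SECONDS
        )
        return token

    def complete_reset(self, token, new_password):
        """Step 2: the token alone selects the account. The request carries no
        e-mail field, so there is nothing for an attacker to point elsewhere."""
        rec = self._pending.get(self._digest(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        rec.used = True
        self.accounts[rec.email].password = new_password
        return True
```

The difference is in what the handler trusts: the flag-based service takes the client’s word that a reset is authorized, while the token-based service only honors a secret it generated itself, bound to one account, single-use, and short-lived. Storing the token’s hash rather than the token means a database leak does not hand out live reset links.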

That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage! — Dark Helmet, Spaceballs

That’s amazing! I’ve got the same combination on my luggage! — President Skroob, Spaceballs