February 22nd, 2006

Brad @ Burning Man

Our Cyberpunk Present: Script-Kiddie Botnets = Gangster Supercomputers (conclusion)

According to the latest statistics I've seen, since the last major revision to the virus construction toolkits, the gangster botnets infect or re-infect a quarter of a million computers per day, and their operators use that computer power to send about two billion spams per month. And that's above and beyond any of the other, more poorly tracked organized criminal activities that a supercomputer that size can be and is being used for. Whatever it is that we're doing, it's obviously not working.

We used to think that we knew what to do about this. Don't open any attachments to emails from people you don't know. Stay away from obviously dangerous web pages. Don't run downloaded or emailed software without running it through a virus checker. And if your computer has an always-on Internet connection, use a firewall. And get the heck off of Internet Explorer, and maybe Windows itself, and get onto Firefox and maybe MacOS or Linux. Well, guess what? Emails don't have to have attachments to connect you to a botnet. Modern botnet AIs are learning to do much better jobs of simulating plausible emails anyway; we're not far from one that can pass the Turing Test for a couple of paragraphs. Parts of the operating system that don't seem to have anything to do with file downloads have turned out to have the same stupid security vulnerability; two have shown up just in the last year in the parts of the Windows operating system that render graphics on the screen. And firewalls and virus scanners are software written by programmers no smarter or more careful than the operating system programmers themselves; adding them to your system is almost as likely to add vulnerabilities to your system as to block them. Besides, by the time your virus checker even has a patch to detect a new incoming botnet attack, the botnet has already infected tens of thousands of computers. Those infected computers will soon, if they don't already, know how to defend themselves by preventing your anti-virus software from operating correctly, thanks in no small part to Sony's accidental publicizing of a way to bypass the virus checker on all current Windows operating systems. (I will point out, in passing, that Sony's hack didn't require the PC user to knowingly run any executable program at all; it installed itself from what were falsely sold as plain old-fashioned audio CDs.)

Firefox, MacOS, and Linux all have just as many instances of the same stupid "buffer overflow attack" software vulnerability; the only reason you don't see as many viruses and trojan horses taking advantage of them is that botnet authors are currently too lazy to target them. And there are so many machines without virus checkers and firewalls that the same laziness provides some temporary security to their users. If you have to use Windows and Internet Explorer, and sooner or later nearly all of us do, you can try to keep them up to date with the latest anti-hacker patches. Good luck downloading those patches, though. Any Windows computer that doesn't have all of the current patches, and I mean all of them through the day they're installed, will not survive uninfected long enough to finish downloading the first patch. Not "might not," any more; the gangster botnets have enough network bandwidth and processor time to throw at the problem that it is now "will not." You can use a currently trusted machine to download those patches, burn them to CD, and install them before plugging the new computer in. If you have a trusted machine. And if the download process isn't currently hosting some known-to-hackers vulnerability. And if you can figure out how to install all of the Windows service packs off-line, which hardly anybody can. None of these solutions will be worth squat for very much longer, though, although in the short run they're better than nothing. Nor will they do anything to actually stop the problem. They might help you, but they won't do anything to stop the gangsters from finding millions of other, less technically savvy people whose computers to attack, including your boss and your parents and your kids.

Trusted Computing, the latest scam from the software companies, is never going to be adopted and wouldn't work even if it were. It'll never be adopted because the companies pushing for it all have a history of acting in bad faith, of using any innovation they promote first and foremost to lock customers into expensive mandatory annual upgrades to software that can only be bought from them as a monopoly provider, and only incidentally, after that constraint is met, to provide any actual benefit to the customer. (Consider, for example, Microsoft's refusal to provide free security updates to pirated copies of their operating system. Or that in Windows Vista, they're only going to "trust" video drivers for cards from the minority of companies that have a business relationship with Microsoft. And, of course, Trusted Computing is technologically and financially incompatible with Open Source software, and isn't that just convenient for Microsoft.) And even if it would work, it depends on your ability to trust the sender of the software to be who they say they are and to be uninfected themselves, which is irrational to believe in a world where software installation CDs have shown up with viruses pre-installed, both accidentally and on purpose, and in a world where US law enforcement lobbies hard to prevent any encryption scheme they can't crack while the gangsters have more powerful encryption-cracking supercomputers than the feds do.

But, look. Phones can be used for many of the same crimes. We don't solve that problem by requiring all telephones to have, oh, I don't know, voice stress recognition software and keyword recognition so they can prevent confidence scammers from talking on the phone. The stock exchanges are used for fraudulent insider trading almost every day. We don't solve this problem by requiring all stock trades to go through a Trusted Authority who digitally signs each trade order after verifying that no insider information or other scams were involved. Organized crime has inserted itself into capitalist markets for as long as there have been capitalist markets. In the earliest days of western industrial capitalism, from around 1880 to 1970, gangster abuse of the markets was almost one of the defining characteristics of western capitalism, just as it is now in Russia at the same stage of economic and political development that we were then. We didn't bring the problem down to the point where ordinary people can feel reasonable confidence in the marketplace by adding layers of technological complication that were, themselves, only going to create less transparency and therefore more opportunities for gangsters to insert themselves into the transaction process. How did we solve it? By going after the money.

For example, every day statistical analysts at the US Securities and Exchange Commission use their secretive methods (and I'd bet money that not all of them are 100% legal) to spot illegal insider trading and other abuses of the market that previously were the province of the Mafia. They then take a couple of weeks to build 100% rock-solid guaranteed-win cases against as many of them as they can. Fortunately, that's enough that they can let the others slide without attracting much attention to the fact that they do so. They then confront the criminals with the evidence, and offer a plea deal. They hardly ever bother to put them in jail, because the terms of the plea deal are sufficient to discourage the crime. What's more important to them than putting felons in jail? Guaranteeing that it appears that no felon ever gets to keep the money. They calculate exactly how much money you earned from the crime, and they demand that you pay back every penny of it, or at the very least every penny you have that they can find. If they can figure out who the victims were, they return the money; if they can't or if the victimization was too widespread and diffuse to refund the money, they funnel the money back into their own pockets to fund further enforcement. It's a model that works.

So I take heart in the fact that we have a few examples that this technique can be used against cyberpunks in the organized crime world, now. Just last month, one of the botnet managers was sentenced to cough up the estimated $58,000 that he earned. Unfortunately, the track record is mixed, so far. When they caught practically the only higher-level gangster they've convicted so far, to my vast disgust they let him keep at least 80% of his criminal earnings. What's more, none of the governmental agencies, either here in the USA or in the rest of the world, are making sufficient use of the resources available to them. It has apparently not yet penetrated their consciousness, their consensus, that they're no longer up against individual mal-adjusted teenagers, that the individual mal-adjusted teenagers are now subcontractors in vast networks run by international mafiosi.

If they made it a priority, they'd find that tracking the individual mafiosi and their earnings is easier than you might expect. With other mobster crime waves, the tips that broke the mobs' backs came from neighbors, from ex-members, from bankers and accountants, and, even more importantly for our current example, from angry victims and relatives or friends of victims who refused to lie down and shut up. The classic gumshoe of 1940s and 1950s hard-boiled fiction and film noir is a stock character specifically because when the mafiosi weren't being sufficiently fought by the government, private citizens put up their own money, collectively through their insurance companies, collectively through citizens' groups, and individually from well-off people who'd had enough of that garbage, to hire non-governmental, civilian investigators to build the cases and drop them in ready-to-prosecute bundles into the cops' and the district attorneys' laps, and then into the reporters' hands where the government was too corrupt or too weak or too inept to do the job.

In the cyberpunk present, that niche is currently being filled best by The Spamhaus Project. Yes, the mobsters are wealthy. Yes, that wealth enables them to hire some pretty competent hackers, and a huge network of script kiddie foot soldiers to do the boring, easy parts for them and to take the fall as necessary. But there are more honest, angry citizens than there are gangsters, and may the Gods so grant that it always remain so (as, it must be said, it nearly always has been). And some of those honest, angry citizens have just as many technical skills as the mercenaries that work for the gangsters, and put in more hours with more determination than any paid sociopath ever will. Consequently, they've found out that it's actually not very hard to follow the money trail all the way to Mister Big in each of these operations. They've pooled their volunteer efforts and maintain a two-level Register Of Known Spam Operations (ROKSO). The full ROKSO list of roughly 200 operations gives the actual, real names of the gangster bosses of the operations responsible, by Spamhaus's estimate, for 80% of the spam on the Internet. And on the off chance that the police lack the resources, skill, determination, or honesty to track them down even given their real names, like back in the bad old days of gangster capitalism, they maintain a subset of that list. The ROKSO Top Ten gangster bosses are singled out for the most determined tracking. For nearly all of them, The Spamhaus Project has put together a dossier that's already good enough to go straight to indictment. Some of them are so thoroughly counter-hacked that the volunteers have put together prosecution-ready cases, with photographs, known aliases, Internet packet traces, financial accounting information, and home and work and hideout addresses.
Unsurprisingly, mobster bosses want to live in places where their ill-gotten wealth lets them live comfortably; nearly all of them live in countries where the laws are in place to let those cases go to grand juries or the local equivalent this month, if the governmental willpower existed. If it doesn't, well, that's what we're supposed to have a free press for. Keep rolling them up, and prioritize sucking the money out of them, 10 at a time, and in less time than it took to break the mafia's back we could have our Internet back.

(P.S. If you want to keep track of this, the best coverage right now is coming out of SpamDailyNews.com, which I have just set up so that you can also add it to your LiveJournal friends page by subscribing to spamdailynews.)