I just came across an interesting, if not entirely surprising, article on eWeek, which describes how botnets are getting more sophisticated, with more distributed architectures that are harder to track down. So let's think a bit about where this is all going.
(Grounding for those who haven't been following this particular horror: in a nutshell, botnets are where many of the Internet's serious woes come from nowadays. The bad guys who are sending spam, attacking sites, and other such anti-social behaviour, mostly don't do so from their own computers any more, because it's easy for everyone else to track them down and cut them off. Instead, they find computers of ordinary Internet users who aren't keeping their anti-virus software up to date, and subvert them. They install "botnet" software on those computers, so that they can, at the flick of a switch, get all those innocent computers sending out their spam for them. In general, the ordinary users in question don't even realize they're part of a botnet, but they and tens of thousands of others are the ones doing the damage.)
The botnet controllers are getting smarter, with distributed P2P architectures that aren't as susceptible to simply shutting down a few key nodes. The article talks about the fact that the botnet software isn't too hard to find because it uses poor encryption, but I would say that's just a matter of time: just as their architectures have been getting better, the encryption is bound to do so as well. There are limits to how well you can do (when the keys are installed on the subverted machines, it's always possible to break the encryption eventually), but they can get a lot better than they are now.
So here's a question for speculation: what next? One can handwave that the botnet problem would go away if everyone simply kept their anti-virus software up to date, but that seems unrealistic unless it's actually enforced in some fashion. Are we looking at an environment where it eventually becomes illegal to be a *participant* in a botnet? (That is, those unknowing people wind up getting fined for their carelessness.) That seems hard to credit, but I can imagine it happening if a botnet were found to have caused some serious public harm -- you should never underestimate what kinds of laws can get passed in the name of "national security".
OTOH, that doesn't seem likely to actually solve the problem, precisely because it's so hard to figure out who the participating machines are. So perhaps the likelier outcome is the growth of "antigen nets" -- semi-formal networks designed specifically to figure out which machines are participating in the botnets and shut them down. Say you had hundreds of thousands of computers, working together in a distributed network (it has to be distributed, or the black-hats will take it down), sharing information about which IP addresses are participating in the problem; this could serve as the basis for a distributed blacklist against those machines. If some major sites became consumers of such a blacklist, it could provide the necessary pressure for people to clean up their acts -- if you find that Amazon locks you out, giving you a message that you need to update your anti-virus before you'll be allowed back in, that provides a rather good incentive.
Of course, this glosses over a *host* of problems with building such a system. The blackhats would surely try to subvert it, planting false positives and trying to remove the true positives, so it would have to be large and powerful enough to statistically resist the bad data. It's not clear whether enough major sites could be made to play along, to provide the necessary incentive for people to fix their systems. Heck, it's probably susceptible to a pile of fascinating legal challenges. But all that said, I don't know what other alternatives there are.
So there's one possible future, maybe 5-8 years out, with the Internet in the middle of a very quiet but serious war between armies of cooperating computers trying to shut each other down. What other possibilities are there? Do you think that the botnet problem is overblown, or is going to gradually eat the entire Internet? Ideas and opinions are solicited...
Vulnerabilities are like vampires these days: they have to be invited into the system by some willing action on the user's part.
Many people *don't* have the NAT firewalls, and turn off their firewalls. Some are even using old enough computers that they don't have a firewall installed. And given the willingness of people to open unknown attachments, open and read spam, and install all sorts of strange stuff inadvertently, that's going to be the biggest part of the problem, as it always was. People are the least secure part of any network.
Permitting firewalls
Re: Permitting firewalls
Re: Permitting firewalls
It was common to discourage/forbid home *routers* for a number of years, and that's a bit more understandable -- they wanted to sell you three connections, instead of one connection with a router. But even that's mostly gone by now: the fact is, most homes that are even remotely serious are running internal WiFi routers, and even the Comcasts have largely given up fighting that. Besides, it's for their own good: homes with NATs catch far fewer infections, which means they're less likely to be clogging up the network...
The RIAA theory
* Vendors of Operating Systems that are slow to patch known problems, leave open security holes, and penalise people who publicise vulnerabilities.
* Mono-culture architectures, where 95% of desktop machines run one OS (which is known for problems).
* ISPs who refuse to support end users (Cable, DSL) that use hardware firewalls. Some refuse explicitly; lack of a firewall increases your chances of being cracked to a near-certainty within an hour of being connected to a cable-modem.
* Users who don't take care with their home systems - firewalls, anti-virus protection, and of course clicking on attachments and links that do not come from trusted sources.
* Localities and countries without strong laws against computer-based terrorism encourage crackers, script kiddies and other malefactors to locate within their *virtual* demesne.
Solutions? What is the solution against grass-roots terrorism? Sure, encouraging the fixing of the problems above will help. Education will help. In the end, it *may* avoid the all-out cyber-war that you're predicting. We probably already have some government investment into cracking our enemies' computers; continued investment in how defense may be possible would sure help. I do like the private industry approach you mention, but wonder how it could be implemented without an invasion of the privacy of millions of computer users. Sure, if someone like Amazon does it it may actually have some chance - but what would they do and how?
Unless people have some sort of Amazon single-sign-on on their machines, which would be ripe for the picking on an infected computer, or unless they turned it into a huge publicity "we're supporting responsible computing" initiative, I don't see how it would work.
I don't think you're quite getting the idea. I'm not suggesting the idea of going and infecting lots of people with this "antigen virus" -- as is mentioned later in the thread, that's already been found to be illegal, and I think it's clearly unethical.
But it ought to be possible to get a large enough critical mass of people *voluntarily* doing this. It requires giving folks an appropriate incentive, but in a world where Bittorrent accounts for most of the traffic on the Net, it's clear that people can voluntarily play together for a good cause.
Basically, the notion is somewhat similar to the one that Blue Frog tried, but fully decentralized so that it can't be brought down the way Blue Frog was -- P2P in structure, and spread all over. A small number of people doing it don't have a chance, but with tens of thousands of machines involved (a number that is entirely plausible), it might be able to collectively start puzzling out the topology of the botnets.
(And yes, the above is full of handwaves. This is a high concept, not a design.)
Sure, if someone like Amazon does it it may actually have some chance - but what would they do and how?
Companies like Amazon might be participants in the antigen net, but more importantly they would be *consumers* of it. The point of the antigen net is to figure out which IP addresses have been tainted. Given that information, it then falls to the sites that people *want* to go to to tell them to clean up their act.
This is, without a doubt, the hardest part of the whole thing: convincing the big players to forego a small amount of short-term revenue (by turning away some customers) in the interest of the long-term benefit of the Net. I'm sure many wouldn't play along. But I'd bet that you could get enough of them to do it to make a big difference. Hell, getting Google alone on board would be huge, and I can see them doing it...
If I understand the Blue Frog concept correctly, you're looking for a distributed database. In this case, you'd list infected computers? I'd be interested in hearing more about such a proposal before I tried to comment; I can see a number of problems with it but don't want to ask about them until I know what you're thinking. I know it's not a design, but I'd like to see the shape your hands are making, regardless.
Ah -- not really what I was thinking of. I had more in mind paying collective attention to the IP addresses that are doing malicious outbound attacks and probing, and recording them. That's far from a complete solution -- it only works for attacks and probes that require giving away your real IP address (which I believe is true in most but not all cases), and has problems with the impermanent IP addresses of many big ISPs. But it seems like a useful piece of the puzzle, especially if you could get those ISPs involved in the project.
If I understand the Blue Frog concept correctly, you're looking for a distributed database. In this case, you'd list infected computers?
Correct and correct. The problem with Blue Frog was that it wasn't sufficiently distributed -- there was still a central node that could be shut down to take the whole plan out, and the way they were attacked indicates that the spammers *will* get very aggressive if they can find such a central node. But there are architectures (eg, Freenet) that are truly distributed, and extremely difficult to track and attack by design. Indeed, that's exactly what the black-hats are themselves starting to do, for much the same reason.
So the high concept here is having large numbers of machines, working together to build up a distributed DB that creates a statistical picture of which IP addresses are infected. It has to be highly distributed and highly redundant, because the black-hats will definitely try to inject bad data into the mix. And yes, there are *lots* of practical problems with this -- there isn't much beyond high concept here. But in principle, it seems plausible that, if one had many more machines than the bad guys do, one should be able to build up a profile of which ones are causing the problem...
What I find interesting is that a number of large cable ISPs block traffic on specific ports (for example, port 80) ostensibly to block the virus traffic. Realistically, they don't want you to have a server on your machine for fear of actually using your allotted bandwidth, but that's another rant. They don't, though, seem to block much of the *real* problem traffic. Some of this can be dealt with by traffic analysis and management, but they don't want to do that. It may also jeopardise their common carrier status.
This is true. Another possibility I've been thinking about is that, instead of blocking the infected addresses, you just *tell* them. My guess is that the vast majority of botnet machines have no idea they are infected.
So one option, with low negative consequences but possibly a reasonably strong upside, is to simply get some major sites giving warnings. If you go to Amazon, Google and eBay, and they all tell you that their records indicate that your machine is virus-infected, that will probably shock a lot of people out of their complacency. Not everyone, but a lot. And if someone remains on the list for a *long* time, they might ratchet up the response gradually.
There are lots of possible options here. I'm under no illusion that any of this is simple or straightforward -- I'm just playing around with this germ of an idea...
Realistically, they don't want you to have a server on your machine for fear of actually using your allotted bandwidth, but that's another rant.
Oh, I'm *well* familiar with this one. Comcast shut down my server ostensibly due to Red Alert, but it's pretty clear that they just don't want me running one. Damned annoying -- I'd far rather run my own system than have to deal with ISPs, at least for my experimental work...
Vernor Vinge's latest novel _Rainbows End_ (highly recommended, by the by) posits a future where Trusted Computing Platforms are mandated by law, and old-fashioned universal Turing machines are considered dangerous contraband by Homeland Security. It's not the main focus of the novel, but it is an important plot element.
Also in Drakon
That said, has there been any case where the introduction/evolution of technology has not led to some prognostication of an anarchic wasteland of some sort, be it real, social, or virtual? I don't see the Internet being consumed. I might see the rise of more parallel private networks (à la Internet2) for safety and/or ensured bandwidth reasons.
So think of this posting as precisely that: a suggestion of one possible coping mechanism. Might work, might not, but the pressure to find a solution of some kind is only going to grow...
A Practical Question
Re: A Practical Question
There are various ways that one discovers that one *is* infected, often having to do with strange processes running, or unexpected network connections happening frequently. But the problem of finding infections is complex, which is why anti-virus software is having to constantly update itself...