|The FBI is working with computer industry partners, including the Carnegie Mellon University's Computer Emergency Response Team, to notify botnet victims, but officials stress that they will not be able to contact everyone whose computer was affected. |
Since the zombie PC's can be controlled remotely, I would think it would be fairly easy for authorities to mass-install just one more piece of software with the sole purpose of presenting relevant information to the owners. Naturally this would raise some problems, but it might be the most effective way to notify the vast majority of the owners.
Or, since authorities should now have pretty full knowledge of the exploits used and installed, might it be a good idea to install software to clean up the PC's, then delete itself? (And would that be legal or ethical?)
After all, even with these botnets shut down, these million computers still have all the garbage in place for another one to come along and start using them again. It wouldn't be the first time hackers have used stuff left behind by other infections.
The article seems to imply that these people were not the ones who actually created or directly controlled botnets. If that's the case then I guess that there's someone the authorities have a lot on but can't touch due to his location, so they are left with going after his clients and contacts in the US.
|Since the zombie PC's can be controlled remotely, I would think it would be fairly easy for authorities to mass-install just one more piece of software with the sole purpose of presenting relevant information to the owners. |
It might be technically the best solution, but legally would run into some serious problems. A law enforcement officer (LAO) cannot commit a crime to fix/expose an other crime.
For example, in most cases of child pornography, LAOs do not look at the images, but hash of the images, and compare them to a known hash.
It is interesting how this ties into the substitute teacher Julie Amero's case.
Wonder how many non-federal cases where a botnet victim is prosecuted?
Also, what are the civil suit possibilities? One can argue that a computer owner should take reasonable precautions to protect their systems. By not doing so, are the potentially liable in a civil case?
[edited by: Tapolyai at 1:50 pm (utc) on June 14, 2007]
Slightly OT ...
|For example, in most cases of child pornography, LAOs do not look at the images, but hash of the images, and compare them to a known hash. |
As the IT guy for a large criminal defense firm that handles lots of these cases, I can say that that's only the first winnowing step. Cops absolutely look at the images, and leave it to defense counsel to argue whether an image represents a child and whether there is something 'pornographic' about an image.
As far as the botnet goes, a case might be made that the owned systems are no longer under the control of their owners, and so there is no illegal infringement when/if control of their systems is returned to them by the act of destroying the bot elements.
Kind of along the lines of an idling, unattended car that has slipped out of park and is cruising around a parking lot, smashing into things. A cop is allowed to jump into the car without the owner's permission, and without having done anything illegal, and stop it from doing further damage.
Or perhaps more appropriately (although I like the 'smashing' analogy ;) ), when the cops bust a large car theft ring that had been using the stolen cars to commit other crimes. The cops can do things with the cars, once recovered, that they wouldn't have been able to do had the owners maintained control of them. Once they are finished with their forensics and whatnot, they return the cars to the owners.
[edited by: StupidScript at 6:10 pm (utc) on June 14, 2007]
I stand corrected on generalization of LAOs looking at such material.
Let me rephrase - LAOs I have worked with in the last 5 years, on such topics do not look at the images but only the hashes.
I am not sure your comparison is valid regarding a loose vehicle and a computer zombie.
[edited by: Tapolyai at 3:20 pm (utc) on June 15, 2007]
You have to understand the distinction between a loose car and a zombie machine - the reason that a LAO has the right and authority to stop the car is because it poses a reasonable threat to the lives/welfare of people in the surrounding areas. Regardless of that, it is still an infringement on the rights to both privacy and property for the cop to enter the vehicle.
Under these particular circumstances, it would be a gross violation of the computer owner's right to privacy for the computers to be taken over by LAO's for any reason, unless your computer is out on the street killing people.
In my opinion, the FBI or any other LAO, should not be allowed to 'force' a program onto a computer. It is both unethical and a violation of privacy and property rights.
How about the car theft ring analogy? A personal possession was appropriated for evil purposes by a group of criminals. The cops certainly have the right to retain the vehicles for evidenciary purposes, at least until all evidence can be obtained from them. I argue that the cops have the right to fix the systems of those who are unwilling/unable to do it, themselves.
These computers are not under the control of those who purchased them (as opposed to their "owners", who are actually the botherders) ... they are rogue elements that their purchasers do not know are being used by organized crime. If the purchaser had any idea how to protect the community they are involved with (the Internet), they haven't demonstrated that and have, in fact demonstrated that they are unwilling/unable to protect the community using their own resources.
I say to the cops, "Just do it!" Protect the community from hapless network node operators. Protect individuals and businesses around the world by reigning in these rogue machines. Let the lawsuits happen, and use any number of precedents set in pre-Internet times to justify your actions.
This isn't about property rights ... it's about policing the community and doing what is necessary to protect the public at large from a known threat. The cops certainly do not need to collect any information from any system, except perhaps a boolean return indicating a successful/failed cleanup. They have the bots addresses ... send out a highly-targeted worm to kill the bugs and move on.
If any of the zombie systems are adversely affected, too damn bad. And shame on the computer purchaser for not caring enough about the community to take the necessary steps to protect us. And count yourself lucky we're not suing you for being part of the criminal enterprise through your inaction. If a murder occurs during a robbery, even the getaway driver gets charged with the killing, even if they had no idea their compatriots were armed.
I ran this post by a couple of the defense attorneys, here in the office, and they agree that the above action would be entirely defensible. But one never knows until you're standing in front of a judge ...
[edited by: StupidScript at 5:45 pm (utc) on June 15, 2007]
Your ideas of 'policing the community' and giving LAO's the authority to take private property from it's owner against the will of the owner for a non-lethal crime is reminiscent of a police state and would be a complete violation of privacy rights. If I have my own computer, anything I put on that machine is on it with a reasonable expectation of privacy. If the police seize that machine my confidential information is no longer private, something that normally is only allowed to happen in the presence of a warrant or subpoena. In this case, you give the LAO's the authority to claim that a machine is a 'zombie' machine in order to seize it for other evidenciary purposes.
And as far as the owner being unwilling to take action, that is almost never the case. Owners simply don't know that their machine is infected. If they were told, and were given instructions on how to rectify the problem, I'm sure all of them would be more than happy to do so themselves. Law enforcement action is simply unnecessary. All that is needed is the spread of information.
And regarding your getaway driver analogy - the getaway driver participates in the crime willingly and knowingly, whereas the owner of a zombie system has no idea that his/her system is being remotely controlled. Any pursuit of legal action wouldn't even make it through the courtroom door.
Interesting. I guess we'll see, what with all of the wiretapping, email interception and finance freezing in under the "Homeland Security", who knows what might constitute an invasion of privacy in the cause of protecting the community at large.
And please keep in mind that I am NOT advocating any type of seizures or invasion of personal privacy. The worm suggestion can be accomplished without any intervention on the part of the ignorant computer purchaser, just like the botnet invasion was. The tools for allowing deep access are already on their system. In fact, given the clueless nature of the purchasers, they probably would never know that their system had been part of an international crime ring and had just been silently, unobtrusively repaired for them ... ready for them to get infected again (because they wouldn't have learned anything.)
Re: The getaway driver ... anyone and everyone who purchases a Windows machine is fully aware that that particular operating system is both a huge target and has been historically inept at keeping the barbarians from the gate. If they are not aware of that, then they have been living under a rock. The least we can do is protect ourselves by doing for them what responsible computer users do: Protect their system so it doesn't become a threat to the entire network through their ignorance.
How about we just kill their network connection? Comparable to the gas company shutting off service in an empty house where a gas leak has been detected.
At least the cops could post the list of zombie IPs, maybe in the form of a blacklist, so those of us who give a darn can protect ourselves from these corrupted machines.
>At least the cops could post the list of zombie IPs, maybe
>in the form of a blacklist, so those of us who give a darn
>can protect ourselves from these corrupted machines.
Huh? There are way too many false positive here. One 0wned machine in a class C dynamic IP network can poison the reputation of over 250 other non-corrupted machines.
I agree that posting is appropriate if there is sufficient information to allow precise targeting of exactly which machines have been taken over.
An ISP could use an IP list augmented with timestamp to identify specific customers.
|I would think it would be fairly easy for authorities to mass-install just one more piece of software with the sole purpose of presenting relevant information to the owners. |
That would be an excellent idea. It could also include a notice pointing out that, if they did not fix their machine, they would then become liable for knowingly allowing their machine to attack other systems. What excellent education for the individuals involved.
|might it be a good idea to install software to clean up the PC's, then delete itself? |
I recall a chap some time ago that wrote software to do that exact act. He was arrested and jailed (sorry, cannot give details).