Spammers? Kill em all

johnseq on 2003-11-12T05:34:38

I attended the New Scientist salon on spam last night (also attended by Gregor). It was actually hosted by Simson Garfinkel and Paul Graham. Simson claimed that only about 200 people accounted for the world's supply of spam. His (yes, facetious) theory was that only extrajudicial means would solve the spam problem -- meaning hunting down and killing a number of spammers sufficient to deter the remainder, like John Travolta at the end of Operation Swordfish. Since spammers have both teamed up with and provided a profit motive for previously harmless crackers, we now have armies of compromised machines which will make future attempts at micro-payments and digital signatures (and other end-user dependent schemes) pointless.

I do not think they're pointless, but they probably won't fly on their own. I remember reading about a simulation of an internet super-worm -- a virus that spreads via several vectors at once and aggressively scans for and propagates itself to other machines. The authors of the study determined that it could spread to all vulnerable net-connected hosts in 15 minutes BUT if machines had an extremely simple limit on outbound IP connections it could not even spread fast enough to be a threat.

Generalizing this super-simple virus-fighting behavior a bit, I think our machines should establish baselines for things like outbound IP connections and the amount of email we send out. For the average user on a machine with a consistent usage profile, it should require some sort of user intervention to perform network scans outside the baseline. This is the equivalent of the credit card fraud division calling you up when they notice your recent purchases of Snoop Dogg in a Tijuana record store. Is this fantasy technology that we're years away from having available? Well, I talked to a company named Okena that was writing this software for Windows and Linux a couple years ago. They instrumented and rolled up the behavior of desktop applications to a central server, so that they could define deviant behavior by comparing a machine with its peers. They could then stop behavior as it emerged, instead of retroactively looking for infected file signatures.

Microsoft recently floated a trial balloon about enabling firewalls by default and implementing some sort of behavior profiling in the OS. While I'm realistic that this is more about escalation than an end-game, it will be interesting to see what kind of traction it gets with MS's money (and, at this point, desperation) behind it.


Happy Fun Big Brother!

schwern on 2003-11-12T06:55:49

The problem with this approach seems to be one of having a central, trusted authority looking at your computer use trends. For credit cards this is your credit card company examining your credit transactions for strange usage trends. This is ok since, in the end, all your transactions have to go through the credit card company anyway. They're the obvious authority to be keeping an eye on your money. They're the ones lending you the money. They already have your transaction data. They have clear incentive to stop credit card fraud: it costs them lots of money. It's cheaper to monitor your transactions for discrepancies than to pay for fraudulent charges.

But desktop applications don't have to dial home to work. No record of their use is necessary to operate. Any authority watching your usage trends has no other reason to be collecting this data.
So now you have usage data for your computer going off to a 3rd party. Abuse of power? You bet! And this information is sent over the Internet. Security holes? You bet!

Furthermore, from an economic standpoint, they have no direct incentive to stop fraud. Especially if it's a 3rd party (i.e. not your OS vendor, who might have some incentive in stopping large viruses). An artificial one must be created. Subscription fees are one. But just how tempted would a company be to start making a little money on the side? Here's aaaaalll this usage data pouring in. Information about what applications they use, what web sites they visit, what machines they make network connections to, how much data they transmit. A marketing gold mine.

The idea that the solution to the virus problem is to monitor usage and limit connections goes directly against the grain of computing. We don't want more monitoring, and we certainly don't want performance limits.

Finally, and here's the defeat of any anti-virus scheme that requires user action, unless this service ships with the OS and is on by default it's not going to make a difference. The machines that are spreading the viruses are the ones that aren't well maintained. Patches aren't applied, software isn't upgraded, dangerous services not turned off. The owners of these machines aren't suddenly going to install an anti-virus monitoring service. They probably don't even realize they're infected.

Re:Happy Fun Big Brother!

johnseq on 2003-11-12T16:49:35

I don't think the data comprising a valid behavior baseline needs to be rolled up to a central internet presence to be useful. I happily use MyNetWatchman on my gateway, a Perl IDS which does just that, but I don't have real privacy problems sending Windows virus attack data to someone who might help do something about it. My desktop behavior is different.

Let's look at the home user's desktop system. Emily checks email, sends a few a day, sometimes with photos, and surfs a bit. Emily does not run apps that scan for nearby IP addresses at a rate of hundreds of connections per second. Nor does she run outbound SMTP services, send lots of Windows Messaging messages, host FTP servers or run P2P apps. All these behaviors could be historically distinguished from normal ones without comparing them to a central source. No AI or big brother needed.

One way to think of it is greylisting at the OS behavior level. This type of system will work differently for the lone user than it will in a huge company LAN (Okena's market), where rolling behavior up and doing metrics on aggregate behavior is no worse from a big brother perspective than what they're already doing for IDS and virus and spam fighting.

As far as the legacy problem -- yep, that's a problem I don't know the answer to. I suspect liability issues or simple cost issues prevent ISPs from detecting and unplugging infected computers. But the cost of dealing with that problem is fixed, while the cost of inaction continues to grow.
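The host-local baseline johnseq sketches above (Emily's normal day versus a machine suddenly scanning hundreds of addresses or sending bulk SMTP), together with the simple limit on outbound connections credited in the first post with slowing a fast worm, can be shown in a few dozen lines without any central server. The Python below is an added example, not code from this thread or from Okena or MyNetWatchman; the connection records, the 3x-over-baseline alert threshold and the five-new-destinations-per-minute cap are constructed assumptions chosen for illustration.

```python
"""Host-local behaviour baseline for outbound traffic (added example, constructed data).

Learns what a desktop's normal outbound activity looks like from its own
history (no central server), then flags minutes whose number of distinct
destinations or outbound SMTP connections is far above that baseline.
A per-minute cap on connections to previously unseen hosts, the simple
throttle the thread credits with slowing a fast worm, is shown alongside.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    minute: int      # minutes since an arbitrary epoch (constructed timeline)
    dst_ip: str
    dst_port: int


def per_minute_features(conns):
    """Map each minute -> (distinct destination IPs, outbound SMTP connections)."""
    dests = defaultdict(set)
    smtp = defaultdict(int)
    for c in conns:
        dests[c.minute].add(c.dst_ip)
        if c.dst_port == 25:
            smtp[c.minute] += 1
    return {m: (len(dests[m]), smtp[m]) for m in dests}


def build_baseline(history):
    """Baseline = the busiest minute seen for each feature during a normal period."""
    feats = per_minute_features(history)
    return {
        "max_dests": max(d for d, _ in feats.values()),
        "max_smtp": max(s for _, s in feats.values()),
    }


def score_window(baseline, conns, factor=3):
    """Return (minute, dests, smtp) for every minute exceeding factor x the baseline."""
    alerts = []
    for minute, (d, s) in sorted(per_minute_features(conns).items()):
        if d > factor * baseline["max_dests"] or s > factor * max(baseline["max_smtp"], 1):
            alerts.append((minute, d, s))
    return alerts


def throttle_new_destinations(conns, limit_per_minute=5, known=()):
    """Allow at most limit_per_minute connections to never-before-seen hosts per
    minute; connections to already-known hosts pass, the rest are deferred."""
    seen = set(known)
    budget = defaultdict(lambda: limit_per_minute)
    allowed, deferred = [], []
    for c in sorted(conns, key=lambda c: c.minute):
        if c.dst_ip in seen:
            allowed.append(c)
        elif budget[c.minute] > 0:
            budget[c.minute] -= 1
            seen.add(c.dst_ip)
            allowed.append(c)
        else:
            deferred.append(c)
    return allowed, deferred


# Constructed ten-hour "normal day" for a home desktop (minutes 0..599).
HISTORY = [Conn(m, "203.0.113.10", 443) for m in range(0, 600, 10)]        # webmail polls
HISTORY += [Conn(m, "203.0.113.25", 25) for m in (60, 240, 420)]          # three outbound mails
HISTORY += [Conn(m, f"198.51.100.{i}", 80) for m in range(30, 600, 60) for i in range(4)]  # surfing
BASELINE = build_baseline(HISTORY)

# Constructed compromised-host activity: a port scan, then bulk mailing.
SUSPECT = [Conn(700, f"192.0.2.{i}", 445) for i in range(200)]
SUSPECT += [Conn(701, f"192.0.2.{100 + i}", 25) for i in range(40)]
SUSPECT += [Conn(702, "203.0.113.10", 443)]   # Emily still checks her mail


if __name__ == "__main__":
    print("baseline:", BASELINE)
    for minute, d, s in score_window(BASELINE, SUSPECT):
        print(f"minute {minute}: {d} destinations, {s} SMTP connections (over baseline)")
    ok, held = throttle_new_destinations(SUSPECT, known={c.dst_ip for c in HISTORY})
    print(f"throttle let {len(ok)} connections through, deferred {len(held)}")
```

On the constructed day the baseline tops out at five distinct destinations and one outbound SMTP connection in any minute, so the scan and the mailing run are flagged while Emily's own traffic is not, and the throttle defers nothing from her history but holds back all but a handful of the scan's connections per minute. The deferred list is where a real implementation would prompt the user or raise an alert, which is the "user intervention outside the baseline" the first post asks for.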


a better solution

drhyde on 2003-11-12T13:21:28

A better solution would be to imprison those people who allow their computers to be compromised by crackers and spammers. If your computer sends a virus or a spam email, you become Bubba's Fucktoy in prison. Taking reasonable precautions such as using a basic firewall and anti-virus software, and not using Lookout, would be an acceptable defence. Ignorance, however, would not be.