Monday, May 22, 2006

Don Spamleone

Fact: the company called "Blue Security" gave in to spammers and hackers and shut down its anti-spam service. I think this is the first time spammers have achieved a victory of this kind.

Story (as far as I got it from various sources): Blue Security came up with a controversial method of fighting spam. Basically, its software, called "Blue Frog", was installed on users' computers and flooded spammers' websites with opt-out messages, thus performing a typical DDoS attack. Then some (allegedly Russian) spammer/hacker known as PharmaMaster declared war on Blue Security and staged a real DDoS attack on their servers, disabling their site completely. Blue Security attempted to evade the attack by redirecting users to its TypePad-hosted blog, but then PharmaMaster struck Six Apart (the company which hosts TypePad), causing a lot of additional damage along the way. As a result, the company's co-founder Eran Reshef stated (according to "Washington Times") that "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start..." and the service was shut down.

This story is a sorry and disturbing one. Speaking frankly, I don't feel any real sympathy towards Blue Security: fighting crime with criminal methods is not such a great idea. Besides that, their flooding caused unnecessary load on servers and communication channels, and thus was not much better than the spam itself. There is a Russian proverb which seems to describe this conflict perfectly: "A thug stole a club from another thug" (my translation is not perfect, but it conveys the idea). By the way, there are some attempts to recreate Blue Frog in a P2P way - and I think these attempts are extremely foolish and dangerous, because they will definitely lead to a full-scale cyberwar.

I am also worried by the fact that, as I discovered from some articles, Blue Security got several million dollars from its investors - which means that, besides some hard-core anti-spam extremists, there are some people with money who support the idea of fighting criminals with their own methods. Basically, this is equivalent to investing money in weapons for guerrillas and rebels. We all know too well where this policy leads.

And I am disturbed - and enraged - by the fact that one outlaw hacker was able to declare war on a legitimate company residing in a civilized country, and won that war without anybody being able to protect the victim. This is really scary, because it means that a person with some knowledge of the cyber underground and some money is able to bring down any legitimate company. Some measures definitely should be taken to protect people and companies from such a fate - but, I am afraid, those measures will most probably turn out to be more harmful to the Internet than spammers and hackers together.

Dmitriy Kropivnitskiy said...

Well, generally, even though a particular hacker declares an attack, it is not carried out by him and him alone. Generally there is an underground group or even an alliance of multiple underground groups. Theoretically (and this has been done in practice on a few occasions, but this is not a common occurrence) it is possible to orchestrate something like this alone, but this takes a lot of preparation. In any case, DDOS is a real problem and there is not much one can do to defend oneself if it is executed correctly. As to fighting cybercrime with cybercriminal methods, there is another issue besides the moral aspect. All the plans of "fighting back" I have seen rely on some sort of automatic response scripts or programs. This approach lacks the dedication of the attacker. I mean even though the modern attacker uses zombie networks to orchestrate an attack, he still takes care to program the zombies, monitor targets etc. A proper retaliation is actually more difficult than the attack, since in case of attack you already know your target, whereas in case of retaliation you have to investigate to get to the attacker. Otherwise you are just attacking some shmuck's zombified PC or an innocent 0wnzored server. A dedicated attacker will monitor his zombie net and his target and will acquire new zombies and adapt to the target's defences, whereas a half-ass automated retaliation script will most probably just create a lot of traffic and raw nerves without actually harming the attacker.

Aleksey Linetskiy said...

I agree - automated "fight-back" plans cause more trouble to the network in general than to the "target". Actually, I think that in cases like this the only right way to harm the attacker is to jail him (or her).

And as for DDoS - I think there are two problems with these attacks. First - the Internet architecture was created without much thought of security. I do not want to blame the creators, but it seems like it's time to do some architectural changes.

And the second problem is, as usual, users. People keep their computers undefended, with no antivirus/firewall, and with no knowledge about security. Sometimes I think - though I know that it's not the right solution - that users should be made responsible for hackers using their machines and connections. Something like "If a hacker used your machine to cause harm, you will be held responsible unless you can prove that the computer was adequately protected". Yes, yes, it sounds bad...