Storm Worm botnet cracked wide open (heise-online.co.uk)
26 points by nice1 on Jan 10, 2009 | hide | past | favorite | 14 comments



This is excellent news indeed. I wonder if there can be a claim of eminent domain (or similar http://en.wikipedia.org/wiki/Eminent_domain ) that would allow a government to protect a group deploying this defense from legal claims. It's interesting to me if the concept can be applied to a distributed network.


The use of eminent domain in the realm of the digital space is interesting to be sure. My first thought about killing the botnet is to do it asap. But we easily start slipping into grey areas. If individuals do it, they are potentially breaking laws that otherwise normally provide protections to us against intrusion by corporate and government entities. If governments authorize it under the idea of public safety or eminent domain, that provides another legal gateway for governments to intrude on the privacy of your own data. For example, India has laws that give their police the power to "police" personal computers for pornography. We don't have that problem here in the US, but imagine that at some point in the future a conservative Congress allows the FCC to scan your computers and websites for porn like they regulate curse words and imagery on TV. It's all for the public good, is the argument. While most of us agree that botnets being run by criminals is bad, the traditional methods of police protecting us from gangs don't easily map to the internet and our personal data. We also run into problems because these botnets are worldwide. If the US government authorizes an entity to break up botnets, what about when some of the drone computers are property of foreign governments? If France decided to "fix" computers run by the DoD because the dumb desk jockey installed spyware on his work computer, there are a lot of people that would consider that a foreign attack on US government computers. I think the best way to handle this problem is via the OS vendors themselves. Because Microsoft/Apple make their operating systems, all users worldwide are basically agreeing to their EULAs when we turn the machines on. If the companies team up with these researchers, then I believe they are perfectly within their rights to initiate this kind of operation. They are choosing to do security updates to their products.
This then can work worldwide and not put us in danger of having government interference in our personal digital spaces and data.


They are choosing to do security updates to their products.

The article notes that since the virus was added to the list of malware removed by Microsoft's Malicious Software Removal Tool, the number of computers infected by it has shrunk significantly. This suggests that the computers which are still infected are those which are not choosing to apply security updates.

Regardless of whether Microsoft would be "within its rights" to start something like this, it would still be liable for any damage caused to computers which became broken by the cleaning (see the next to last paragraph of the article).


Your point about the government taking advantage of a slippery slope is excellent. The OS vendors may be too powerful of a group (investor pressure can make them do things that wouldn't be considered benevolent). Perhaps third-party providers would be a better solution. At least then there would be a chance of responding to market pressure to be good.

We would need some way to verify that our computers were "clean." Without this certificate (or whatever), we wouldn't be allowed access to web pages or http ports. But we would be free to get the cert from any vendor we could.

Even with this method, there is a vulnerability to spoofing the certificate.


The key question here is: why don't they release the code under open source, or public domain, and let the internet take care of itself?

The only threat from this situation would be the botnet evolving in unforeseen ways, thus rendering the code useless. However, the vulnerability described in the article seems not a coded one, but rather a conceptual one: even if Storm starts to use a new protocol, they (or somebody else using the insights in the source) could repeat the disassembly process and re-run the cleaning method.


The need to break the law to stop a criminal is interesting. It seems like that is well established in physical confrontations. The police can shoot people threatening others, and you can kill someone in self defense.

Surely researchers fighting a botnet should be covered under the same logic. The patch they force on 3rd parties should remove windows or force the use of Firefox.


In a jurisdiction with Anglo-American legal principles, prosecutorial discretion could let someone do the cleanup, but it's hard to know in advance if prosecutorial discretion would be exercised that way. The continental legal tradition in Germany makes a cleanup from Germany more risky.


This is interesting. They claim they cannot unleash their cleaning program at large, because it would change the infected machines in an unsolicited way. The infected machines are used as a tool for criminal actions; isn't it an obligation of anyone capable of doing that to stop them? Maybe they could gather evidence from spam blockers and only clean the computers that were reported as spam tools?


That's what I was thinking when I made my "eminent domain" comment. At what point can the government legally step in and say, "in the interest of the public welfare, we're going to let this happen?"


The government (most of them anyway) can do this almost immediately, as nearly all of them have some clause allowing action in the event of known criminal activity (whether they will after this goes through all the bureaucracy is a different matter). The question with the parent is whether private citizens would be within their rights to do something like that. To that, the answer is, for the most part, no. I do not know of any countries (except Palestine) which condone vigilante justice.


Not quite. What you are referring to is vigilante justice and most countries are not very fond of it (for good reason).


Not sure why this article was published. Won't the botnet developers just update their software now?


This is such a simple idea that it's hard to imagine it staying concealed for very long...


Surely the botnet operators and the authors of the original infection program knew about the risks of not using any authentication for communication between clients and servers? If anything, they are probably surprised they got away with that flaw for so long.

Maybe the people writing botnet apps have the same pressures as legitimate companies, where the "bizdev" guys tell the techies to ship unfinished garbage just to have the next version out the door, and the bugs and security holes be damned. :)