Slashdot

" is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

What kind of idiot would have a windows box controlling a heart monitor?

For goodness sakes.

Don't tell anyone!!!

All the lawyers in the world will converge on you if you do.

If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?

Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.

Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so, if there is no method to ensure your product does no harm, do not deploy it. period. unless you would like to spend time in court.

There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.

Safety first. kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.

That's not a small difference! Pushing an update to a known list of hosts is a vastly different thing from starting a self-replicating autonomous agent.

There is still the "messing with other people's computer" issue, of course.

As with many changes in technology the law is far behind. In this case they would foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

Botnets also span more than one country so maybe this needs to be international law.

I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.

Imagine a similar situation among humans. A Virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the watter supply or by pumping it into the air.

I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.

Or lets come to a more reasonable and commonplace situation. A man infected with Rabies is not allowed to chose weather he will be treated. His infection impairs his judgment and makes him a danger to other people, therefore he is a hazard to be cured against his will.

Doesn't the same apply to a botnet member oblivious to it's own condition spewing it's infection, Spam and lord knows what else onto other computers?

Kevin.

I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.

I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).

...and nearly paid for it.

We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.

The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.

I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.

Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.

So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.

My 2 cents anyway.

For those who are advocating that an anti-bot be released (or whatever you want to call it) so as to disable this pest, I have a question for you: how is someone going to be able to tell the difference between these:

1.) A user who creates and releases an anti-bot, but through an error (design, programming, whatever) inadvertently causes "harm" to the system.

2.) A user who creates and releases an anti-bot that appears to try to block the worm, but is in fact designed to cause "harm" to the system.

Recall that the Morris worm [wikipedia.org] was not intended to bring down the internet:

According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. An unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable.

AND

The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether or not to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times [3]. This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Rabin remarked when he heard of the mistake, that he "should have tried it on a simulator first."

See also A Tour of the Worm [std.com] for a more detailed account of how it unfolded.

The intention may have been good, but the implementation had an unintended consequence that led to a major disruption of the internet. I remember full well the confusion at the time as the details unfolded. I was working at a major computer manufacturer that dropped its connection to the net to protect itself. Ultimately, none of our systems were hit (wrong OS), but the sheer volume of packets on the net led, effectively, to a DDOS'ing of the uninfected systems, too.

So, in a nutshell, how can one objectively tell the difference between an attempt to kill the worm that causes problems, and an attempt to cause problems that looks like it is trying to kill the worm? In a non-static environment. With our limited ability to write bullet-proof, error-free code. Besides, someone else could capture and re-purpose the good code to cause more problems.

"Kill them all. God will know His own."

Why?

Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that sometime of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.

There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.

That means if the incredibly rare case that isn't going to happen of the disabling of a heart monitor does occur, the self defensive act is still justified.

Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.

Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?