Microsoft Readying Massive Real Time Threat Intelligence Feed

chicksdaddy wrote in with a link to a story about a Microsoft project that will share security information in real time with customers and law enforcement. The article reads "Microsoft has proven that it can take down huge, global botnets like Kelihos, Rustock and Waldec. Now the company is ready to start making the data it acquires in those busts available to governments, law enforcement and customers as a real time threat intelligence feed. Representatives from the Redmond, Washington software maker told an audience at the International Conference on Cyber Security (ICCS) here that it was testing a new service to distribute threat data from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations."

Re:

[Synerg1y]

They certainly didn't handle their anti-trust case in such a way.

Re:This was suggested on Slashdot

[poetmatt]

wow, you sure posted a positive comment about microsoft as a first post again, huh! We know about you and will call you out every time you shit up a thread. [slashdot.org]

Not to sideline the reality of this being very questionable, or how this has nothing to do with botnet owners right? Please stop the shillposts and work for someone other than MS. even having you on enemy isn't enough.

Re:

[DCTech]

You really cannot see sarcastic comment thrown at you, can you? And how it relates to botnets, well gee, maybe read the summary

Microsoft has proven that it can take down huge, global botnets like Kelihos, Rustock and Waldec.

Re:

[poetmatt]

do you understand the difference between botnets and *botnet owners?* I didn't say botnets.

The one I mention actually matters, the other (having botnet data by itself) doesn't mean much unless you have a script kiddie maintaining the botnet who doesn't know what they're doing.

Re:

[DCTech]

For a long time Slashdotters have suggested cutting off internet for anyone who has botnet or malware on their computer. Why are you resisting?

Re:

[g0bshiTe]

Define cutting off internet.

With multiple devices in ones home connected to the net, be it several home computers, ipods/pads, dvd or blue ray players, game consoles. I think you should define cutting off internet. Are we talking your ISP blocking your connection, or are you talking about the one device infected being killed remotely by some entity other than the owner of the machine.

I'd much rather not see a kill flip for some poor schlup that has botnetware running on their system, I think a better appr

Re:

[AK Marc]

If your connection is the source of "mal" it should be cut off. Whether a home user, business, or small ISP, the upstream ISP should notify you of all the data they have (IP, times, etc) and cut you off. If you have 20 computers/devices at your home and are spreading malware, why should anyone care it's your phone that was rooted and compromised, rather than your Linux server or Windows gaming rig? You got infected, you got cut off.

I think a better approach would be mandatory computer security classes.

They'd work as well as mandatory driver's education classes. People woul

Re:

[EdIII]

I agree with you entirely.

I'll be honest. I don't give a fucking shit about the poor bastard at home with 20 infected computers spitting out malware.

That's life, and life can be hard, not fair, and not forgiving either. There are costs associated with life, and every so often you need to pay out your ass to fix your truck, go to the doctor, or any other disaster you did not prepare for, or could not prepare for.

I already use Spamhaus for their lists, and if MS offers their list service for a decent price,

Re:

[Hamsterdan]

The ISP provides you with an internet connection (thus the SP part). If the ISP doesn't take action, what do you think happens? The *other* costumers might be prevented from using some services (as in unable to send email to @somedomain because my ISP's mail servers are blackholed or throttled).

If you're not able to reach the costumer, you flip the switch to prevent the problem from spreading.

Re:

[forkfail]

Why are you resisting?

After all, Resistance Is Futile (tm).

Re:

[Alien Being]

MS leaves thousands of gates and windows open and then struts around like Barney Fife when it catches a few kids sneaking through. Are you as clueless as you seem or are you just messin' with us?

Bad idea

[Anonymous Coward]

sounds like a violation of the users' privacy

just because my computer is part of a botnet doesn't mean I have agreed to have my IP and other info sent to government agencies, especially foreign governments

Re:Bad idea

[Bananatree3]

Son - you've got other problems if you're on a bot net.

Re:Bad idea

[bstag]

99 problems but a bot net ain't one.

Re:

[Anonymous Coward]

Yeah, and if your car is stolen and used for a bank robbery, that doesn't mean you've agreed to have your plate and description of your car distributed to Government agencies!

Re:

[viperidaenz]

I think you nearly got the car analogy right.
If someone steals your car for a bank robbery, is [americas most wanted/other tv or news show] allowed to say the police are looking for a car with a licence plate xyz1234. I would hope so.
you don't own your ip address, like you don't own your license plate number

Re:

[g0bshiTe]

For the average citizen it's much harder to get my personal info from my license plate number than from my IP address.

You can not continue to probing my house from knowing my plate number, but you can probe my home network with my IP.

Re:

[viperidaenz]

You don't know whos home you're probing with an IP address. You also don't know if the ISP as allocated the IP to another address since it was published. In most cases its not your IP. A few dollars will get any citizen your full name and registered address from a license plate number.

Botnet

[John3]

I do not think it means what you think it means.

Re:Bad idea

[CanHasDIY]

If you've failed to secure your computer then you've waived your right to privacy

Uh, no.

According to your "logic," or in this case lack thereof, if you leave the doors to your home or car unlocked, you've 'waived your right to privacy,' i.e. government agents are free to ransack your belongings, place surveillance devices in and around your home/car, take what they like, et. al. Fortunately for all Americans (even the stupid ones), we have a number of Constitutional rights and amendments that protect us from that sort of mentality.

Not only is that an ignorant way to view the world, it's incredibly dangerous to those of us who actually value our privacy, but don't want to live in a constant state of paranoid escalation, in which the only way to have even a modicum of privacy is to continually waste money on bigger and better locks. That's the sort of shit thought process that results in people getting sued by peeping toms for walking around the privacy of their own homes nude.

Re:

[lennier]

According to your "logic," or in this case lack thereof, if you leave the doors to your home or car unlocked, you've 'waived your right to privacy,' i.e. government agents are free to ransack your belongings, place surveillance devices in and around your home/car, take what they like, et. al.

Replace "house" with "car" and yes, that's pretty much exactly what happen at the moment. If you leave your car doors unlocked and someone steals it and uses it to commit crime, do you really have an expectation of a hard-cre "right to privacy" that would prevent the police from stopping searching that car - even using deadly force against it?

A non-networked computer is like a house, yes. A networked computer is much more like a car, because it "travels" and interacts with other computers and can break into

Re:

[CanHasDIY]

Replace "house" with "car" and yes, that's pretty much exactly what happen at the moment. If you leave your car doors unlocked and someone steals it and uses it to commit crime, do you really have an expectation of a hard-cre "right to privacy" that would prevent the police from stopping searching that car - even using deadly force against it?

Except that doesn't really work as an analogy, as in the case of botnets, no one is physically stealing your computer and using it for crime; they're stealing a portion of your resources. A more accurate analogy (yet still a very poor one) would be if you left your car doors unlocked, and someone used that as an opportunity to steal your tires, then committed a crime using said tires. Does that mean that law enforcement has a right to search your car, because the tires that came off it were used by someone else, who does not own them or the vehicle, in a crime?

Of course, upon reading what I just wrote, even I'm having trouble making heads or tails of it... precisely why I fucking hate car analogies in regards to cybercrime. Until the day comes that we have cars with their own remote repair drones ala The Phantom Menace Pod Racers, They just wont mesh up.

A non-networked computer is like a house, yes. A networked computer is much more like a car, because it "travels" and interacts with other computers and can break into and destroy them. You really need to know what you're doing when you own one.

No; a networked computer would be like a car, if cars had the capability to transport stuff without ever actually moving.

Re:

[AK Marc]

A more accurate analogy (yet still a very poor one) would be if you left your car doors unlocked, and someone used that as an opportunity to steal your tires, then committed a crime using said tires. Does that mean that law enforcement has a right to search your car, because the tires that came off it were used by someone else, who does not own them or the vehicle, in a crime?

You are in possession of the computer and actively using it while the crime is committed. I'd be much more like someone breaking in to your car at home, planting drugs, and then later that day, breaking in to your car again and taking them out, making you an unwitting drug mule. Now, if you were caught driving around with the drugs planted on the outside of your car (under the trunk), what do you think the cops would do? I think they'd search the inside of the car. But your assertion is that since you di

Re:

[AK Marc]

mens rea isn't required for most laws, despite what you learned from watching Legally Blonde. Or, mens rea is required, but statutorily defined (possession of more than XX grams means there was intent to distribute, even if there was no mens rea for the possession in the first place - it's not required).

To many people a computer is a black box that works most of the time and really pisses them off sometimes. They would have no clue, other than that the computer was slow or something was popping up...

I would claim that there was negligence in using an unprotected computer. Much like it's illegal to leave an unattended car running in many places (some claim because of environmental reasons, and others

Re:

[AK Marc]

If you have over 20 years representing yourself in court, then you have serious problems understanding law. Those of us who have even a passing understanding of how things really work manage much less legal experience. Perhaps you have not only a fool for a client, but a fool for a lawyer as well.

Further in your example, one has to establish "possession", i.e. "control over". If one has it kiestered, well obviously one is caught flagrante delicto. But if it sits in the trunk of the car, reasonable doubt is easier to establish.

Guns in glove boxes are "in possession of" the driver. A gun in a trunk is not "in possession" for gun laws. However, there is vast case law establishing that a person is "in possession of" drugs in the trunk.

Re:

[AK Marc]

Guild Member, I get things accomplished in my neck of the woods. Like getting judges corrupt judges removed. Ever hear of Tim Masters in Fort Collins? But it's not about me, it's about those last words of the Pledge: "... and justice for all".

To the reading audience, when somebody uses the words "Perhaps you have not only a fool for a client, but a fool for a lawyer as well.", you're probably talking to a member of the Guild that has made a business of justice in America. Whatever, y'all don't win often with me, LOL!

I have four points for you Guild Member, to correct the perpetrations of the "Guild" in my local community.

What is this guild of which you speak? Sounds like you are talking about the Bar Association. Tim Masters had a lawyer (probably many of them, David Lane probably the last he'll ever use in that matter), and it doesn't appear that there were any judges or police removed, but I didn't follow the case as it happened, and just did a little googling just now to read up on your rant.

Why don't you rant about how you would help people with their legal troubles, but you are banned from it by law by "the Guild".

Re:

[vux984]

Replace "house" with "car" and yes, that's pretty much exactly what happen at the moment. If you leave your car doors unlocked and someone steals it and uses it to commit crime, do you really have an expectation of a hard-cre "right to privacy" that would prevent the police from stopping searching that car - even using deadly force against it?

This is nonsense. What if you DID lock the car? What you took the wheels off too, locked it in a parking garage, and then chained it to a support pillar.

And then someo

Re:

[hedwards]

I value privacy which is why I keep my machines free of malware, tracking cookies and things of that nature. Anybody that genuinely values their privacy has already gone to lengths to ensure that their machines aren't infected with malware.

This is very much like leaving your car unlocked with an envelop marked incredibly important industrial secret and being surprised when somebody steals it. Sure they shouldn't have done it, but it's hardly reasonable to assume that nobody's going to steal something that's

Re:

[CanHasDIY]

I value privacy which is why I keep my machines free of malware, tracking cookies and things of that nature. Anybody that genuinely values their privacy has already gone to lengths to ensure that their machines aren't infected with malware.

Security =/= privacy; I keep my money in a (small, locally-owned) bank, not because I don't want anyone to know how much I have, but because it's a hell of a lot safer there than buried in mason jars in the yard (which, while insecure, would be much more private). Besides, how do you know you're not infected? If the malware producer has done their job right, you won't know until the jack-booted Stasi thugs are kicking in your door and hauling you off to GTMO indefinitely for aiding and abetting known crimin

Re:

[AK Marc]

If the malware producer has done their job right, you won't know until the jack-booted Stasi thugs are kicking in your door and hauling you off to GTMO indefinitely for aiding and abetting known criminals.

Most botnets are run off "known" malware detected by every major detection engine. They don't do their job "right" they do it profitably. There's a difference.

Maybe it's because I'm likely one of a small handful of /.'ers who actually understand how cars work, but damn I hate nonsense car analogies!

This isn't a question of "car" but law. You drive from home to work. Someone knows people generally work in the downtown area, so they attach drugs to the underside of your car, then follow you to work, take them off there. They repeat this, now no longer following you, as they know where you work and where you park there. If you are pulled over

Re:

[hedwards]

It's a fair analogy. You failed to secure your premises and you left something attractive to the would be criminal and ultimately you got burned. It's illegal in both cases and in both cases it would be your own damned fault for not securing your property.

Security isn't privacy, but it is in effect one of the things that you're going to find makes things a lot easier to maintain privacy with. If you don't close your drapes ever you'll find that your next door neighbors can see everything that you're doing.

Re:

[AK Marc]

According to your "logic," or in this case lack thereof, if you leave the doors to your home or car unlocked, you've 'waived your right to privacy,' i.e. government agents are free to ransack your belongings, place surveillance devices in and around your home/car, take what they like, et. al.

No, but when you've left your car unlocked and the keys in it and someone steals your car and uses it in a robbery, you should expect to have your information handed over to the authorities and hear your license number announced on the radio and images of your car shown on TV related to the crime.

If you are in a botnet, you negligently allowed your computer to commit crimes. You didn't waive all rights to privacy, but criminal actions by a possession of yours is sufficient to get you under different scru

Re:

[epyT-R]

who decides what belongs on the shame list? authority uses this game all the time to badger people it considers a threat to its power. if everyone got a chance at that list, we'd have no rights at all.

Re:

[hedwards]

That's not really a complicated matter, just make it a three strikes and you're outed thing and the ISP would be the party that would know about it. The ISPs already have a fair idea as to who is and isn't infected on their network, letting them shame people that repeated refuse to secure their machines would benefit everybody.

Found a direct link

[symbolset]

Internet Storm Center [sans.org]. Apparently it has been up for quite a while. What bright lights of wonder Microsoft hides under their bushel! I wonder what else there is.

Re:

[Larryish]

"Microsoft Readying Massive Real Time Threat Intelligence Feed"

Meh.

In reality MS just sends the .gov a map of Internet-connected Windows installs.

Thin end of the wedge, and all that.

data from captured botnets....

[nurb432]

And of course any files they happen to find along the way. "IP address x.x.x.x has a copy of the Communist Manifesto"

Re:

[The Grim Reefer]

And of course any files they happen to find along the way. "IP address x.x.x.x has a copy of the Communist Manifesto"

Joe McCarthy has been dead for over 50 years. I think you're safe owning the Communist Manifesto. Searches in your browser history for al-Qaeda might be a different matter.

Re:

[nurb432]

He may be long gone, but his legacy of paranoia has not.

Re:

[The Grim Reefer]

He may be long gone, but his legacy of paranoia has not.

Nor his epic stupidity. You need look no further than the TSA to find that.

Sounds kinda like...

[betterunixthanunix]

...the full-disclosure list:

http://seclists.org/fulldisclosure/ [seclists.org]

What would you do?

[Anonymous Coward]

IBM would turn it into a product.

Google would integrate this in Chrome and their DNS.

MS gives it away and wonders why their stockholders are not happy...

Re:

[benedictaddis]

Since Microsoft began their Trustworthy Computing programme, they have had a reasonably healthy attitude to security. To say as you do that they 'probably' use security holes in their own products to take over botnets is plainly silly.

Microsoft have in fact been quite clever in taking down Waledac and other large botnets. The mechanism was not technical but legal: they filed a civil complaint against a number of John Does, which resulted in the judge granting a restraining order. This handed Microsoft co

Re:

[AK Marc]

Would you like there to be a pop up from the OS stating "you may be infected, click here to download a free scanning tool." I've seen those messages before, and I think they are the cause of, not fix for the problem.

Re:

[Dog-Cow]

They know exactly how. Why do you think Windows Phone 7 uses a curated app store, and why do you think they are pushing to do the same for Windows 8? Copying Apple is only part of the story. Ultimately, even a mainframe is vulnerable if the user is allowed to install anything they want.

Re:

[AK Marc]

Depends on "install". A mainframe is not very vulnerable. A program is run in protected space, then all traces are purged before the next program is run. If you sandbox every program and give nothing root access, nothing is vulnerable. Windows requires "root" access to release/renew IPs and so many other common tasks, it's inherently unsafe. Most programs are installed as "root" as well, and some even require "root" to run. Sandbox everything, protect the kernel, and the malware wouldn't be able to bu

good idea?

[viperidaenz]

Just wait till those running the botnets use this real time information as a tool to avoid detection/capture.

wouldn't it be advantageous if they can tell what botnet behaviours are picked up by the detection tools in real time?

Re:

[schlachter]

it will always be a game of cat and mouse....no reason not to keep innovating..

Skynet?

[Joe_Dragon]

Skynet is growing

insert here...

[CohibaVancouver]

[Insert tired "but Windows is the biggest virus there is!" post here.]

What?

[Georules]

MS proved they can take down botnets largely comprised of systems they wrote the software for? Good work.

Re:

[AK Marc]

Didn't you read the EULA?

Cart before the horse

[Detaer]

It would probably be better if the focused their energy on closing security holes and doing their best to stop their consumer operating systems from being the low hanging fruit for botnet makers. I have heard than an ounce of prevention is better than a massive security project to remove the ass of a tick or something to that effect.

So let me get this straight

[giorgist]

1. Some "criminal" bot net grabs my private data.
2. Microsoft infiltrates bot net.
3. Microsoft hands the data to government in real time. They are not responsible on what the data contains.
4. Government has my data legally ?

Does this not sound like the police getting criminals to do their dirty work ?
What would be the intensive to bring down the bot ?
How do I know who set up the original bot ?
Should I trust Microsoft ?
Should I trust the government ?

Re:

[Bacon Bits]

You'd rather trust the bot net operator?

Yes, I understand (and agree with) your reservations and concerns about what the government would do with such data, but it's really not like the alternative is demonstratively better. Yes, the government *could* abuse this type of information, but a bot net operator can abuse his bots, too. What's to stop a bot from installing a key logger and browser history scraper? Or from scanning your personal files? Or from turning on your webcam?

Additionally, owners of sys

Lets make a list!

[haltline]

"Trust us. No one on that list is there because of a mistake or because they are a business competitior or because they have views we don't like or because they have an ugly pet. Once we have enough people using our list we'll establish control over the flow of information and...er... I mean we'll stamp out that pesky varmit infected computers.... yessiree"

To state the obvious, this is the Information Age. Information is of increasing value, therefore, the control to it's access is of great interest

Good move there!

[hesaigo999ca]

I applaud their wit and strategy, although it is THEIR software that is causing all this in the first place....I know they can not go backwards,
or change their OS methodology, so instead they do the next best thing, make all the info available to those law enforcements, to catch the ones that
would use these vulnerabilities to exploit the people using Windows..... great! so today the big evil corp we know as MS, has done a good deed indeed!
First step on the road to redemption....