Botnets As "eWMDs"
John Kelly writes "The current issue of Policy Review has a paper by an American computer scientist and the recent Permanent Undersecretary of Defense for Estonia. Drawing on the Estonian cyber attacks a year and a half ago, as well as other recent examples, they argue that botnets are the major problem. They propose that botnets should be designated as 'eWMDs' — electronic weapons of mass destruction. The paper also proposes a list of reforms that would help to limit the scale and impact of future botnet attacks, beginning with defining and outlawing spam, internationally." Many of the proposed solutions are common-sensical and won't be news to this audience, but it is interesting to see the botnet threat painted in such stark terms for readers of the Hoover Institution's Policy Review. For a more comprehensive overview of cyber-security threats, listen to NPR's interview with security experts on the occasion of the release of a new report, "Securing Cyberspace for the 44th Presidency," which recommends creating a cyber-security czar reporting to the President.
What masses, specifically, have botnets destroyed? (Score:5, Insightful)
Subject says it all.
This is... ridiculous.
Even though no one dies from them. (Score:4, Insightful)
And anything destroyed by them SHOULD be able to be restored from backup.
Re:What masses, specifically, have botnets destroy (Score:5, Insightful)
Sneaky (Score:5, Insightful)
I bet this is a way to sneak in some more "general purpose" legislation on the net. There is going to be a strong push for that coming from the EU in the next months unfortunately.
I can see it now. Newlines in the papers as Iran is found harboring WMDs along with Syria and Pakistan. Equating NBC weapons with botnets is retarded on an incredible amount of levels.
Re:What masses, specifically, have botnets destroy (Score:3, Insightful)
They destroyed my inbox! It's now a mass of about 2GB and it's either all junk mail or I have won about a thousand lifetime supplies of male enhancement pills and a nice gentleman with poor English skills is very persistent in expressing his wishes to "undergo a business transaction" involving millions of dollars!
Now, I can't take the chance that it's ALL junk, so I am saving it just to be sure.
eWMDs? (Score:3, Insightful)
Creative use of language for propaganda (Score:5, Insightful)
This has been happening since the ancient times and we haven't grown out of it. The Athenian hegemony was named the Athenian alliance, the enslavement of foreign countries by the Romans was called Pax Romana, and even now, the American government classifies botnets as eWMD's, every country in the world dubs their Ministry of Military as Ministry of Defence, and War will always be Peace in the Ministry of Love.
Re:What masses, specifically, have botnets destroy (Score:5, Insightful)
If we think of mass-energy conversion in nuke plants, I would argue that some mass was destroyed (er, converted) to generate a portion of the electricity consumed in botnet attacks. Touche.
More generally, reread the article. They are trying to address a real, asymmetric threat. Some jack-off (or group of jack-offs) can cause measurable harm (counted in your favorite currency if nothing else) via DDoS attacks. That is a demonstrated fact. Estonia argues that their financial sector was largely off-line for three weeks due to (purportedly) coordinated DDoS attacks. If their assertion is correct (a point about which I am neutral), then that DDoS attack was as effective (arguably more effective) on the Estonian financial industry as the 9/11 attacks were on the U.S. banking system. Think back to how crazy people were that Wall St. was essentially off-line.
In any case, it is hardly unreasonable to argue that DDoS attacks pose an effective asymmetric threat to certain industries. On the other hand, I am less than convinced that there are Evil Hackers out there capable of and planning to shut down water systems and power distribution. However, should it be possible and occur, think about how short a time it took for New Orleans civil society to disintegrate.
Re:What masses, specifically, have botnets destroy (Score:1, Insightful)
As critical to public safety as, say, a city?
Botnets are serious stuff, but let's be honest here, they're not really on a level with a thermonuclear warhead or VX.
"eWMD" is simply disingenuous.
Fear (Score:5, Insightful)
Re:Even though no one dies from them. (Score:1, Insightful)
It's not about the immediate destruction. Think of how much time and money could be lost by some key website or system on the internet that was taken down by a botnet.
Re:What masses, specifically, have botnets destroy (Score:3, Insightful)
Please read my post. I don't suggest that New Orleans civil society came apart due to a financial mess. Rather, people resorted to looting grocery stores for food and water when the tap stopped working and the refrigerator could no longer keep food from spoiling. Of course, there were other contributing factors (like the lack of law enforcement) but desperate people will do what it takes to survive. If the hypothetical Evil Hackers manage to cut water and/or power to a large, urban population, they will create desperation.
Re:Creative use of language for propaganda (Score:2, Insightful)
Re:What masses, specifically, have botnets destroy (Score:3, Insightful)
0x73db07
Re:wmd comparison (Score:3, Insightful)
It does a disservice to lump together the weapons that have cruelly and inhumanely killed millions of people to something like a botnet which has no physically destructive potential.
Re:Fear (Score:3, Insightful)
Bingo.
Sounds like an attempt to put all the new, nifty "Terrorism Mitigation" laws into use for something they were never intended to be used for.
Well, maybe I am wrong about the intent thing....
Re:What masses, specifically, have botnets destroy (Score:4, Insightful)
Good Lord, "people looting grocery stores for food and water" is more just efficient use of national resources than anything else. More law enforcement wouldn't have helped: it would have compounded the problem. What would have helped is rapid national disaster response. So, some shops lost a few bottles of water and diapers - that's what insurance is for.
I've walked 1/2 the length of Manhattan twice: once on 9/11 and once for the big blackout. Both times I was offered a bunch of free stuff (water, food, tissues for improvised masks, and even beer as the cooling failed.) Just small businesses and their employees behaving decently.
If someone wants to lock down their basic supplies super-store in the midst of a week-long emergency, I'll be there with a saws-all and spend my day handing out bottled water.
A just a hospital? (Score:3, Insightful)
How is taking down a single hospital the work of a Weapon of Mass Destruction?
Taking down a single hospital is nothing that you can't do with a simple truck bomb or even a smaller bomb on the backup generator's fuel supply. People need to remember that not EVERYTHING a terrorist can use to screw someone over is a WMD. Otherwise, most major cities have a WMD depot more commonly called an "airport."
The WMD thing is just buzzword use to try to trigger a hysterical over-response. I mean, when has a botnet done *mass* damage instead of just taking down a few servers belonging to an individual business or organization? It's not like it isn't a threat at all, but it isn't like botnets are something that can cause more than localized damage either.
Microsoft desktop == Abetting Terrorists? (Score:3, Insightful)
Microsoft's most widely deployed platform and applications have not been secured.
The XP platform still has 32 unpatched vulnerabilities [secunia.com],
The latest version of Internet Explorer still has 9 unpatched vulnerabilities,
and Outlook 2003 ( the most widely deployed business version of Outlook ) still has one outstanding unpatched vulnerability [secunia.com] ( known since 2004-07-12 ).
Microsoft Office 2003, still the most widely deployed version of Office, has four outstanding vulnerabilities [secunia.com] which put the desktop at high risk of being infected.
Even Microsoft's flagship product Vista has Six unpatched vulnerabilities. [secunia.com]
These are all unpatched widely known vulnerabilities, and are only the ones in Microsoft's own product. Consider all the third party vulnerabilities, in downloadable codecs for example, that the design of Microsoft's platforms makes it so easy for crackers to exploit.
In comparison, all of the major Linux based distros have an excellent record of closing known vulnerabilities within days if not hours, before the holes get a chance to be exploited. Also SELinux is becoming more widely deployed to secure applications against such threats [livejournal.com]. At least with Linux there are existing concrete mechanisms in place ( Vulnerability and threat mitigation features in Red Hat Enterprise Linux and Fedora [awe.com] ), and currently deployable ( Writing policy for confined SELinux users [redhatmagazine.com] ) to provide a locked down secured environment for Linux desktop users inside an organization.
Also from a more abstract point of view, read Increased security through open source [arxiv.org].
If you're using the Microsoft platform, then you're abetting the people deploying botnets.
Re:Fear (Score:5, Insightful)
Re:Even though no one dies from them. (Score:5, Insightful)
The stuff that would be more likely to be problematic are some of the emerging remote medicine toys. If the MRI is here but the radiologist is over at Bangalore Radiology Inc, then you aren't going to be getting any results back during a DDOS.
Re:What masses, specifically, have botnets destroy (Score:4, Insightful)
Basic adult minimums: Breathe once a minute, drink once a day, eat once a week.