U.S./Russia Cyber Arms Control Talks

Now this is interesting:

The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace.

[...]

The Russians have held that the increasing challenges posed by military activities to civilian computer networks can be best dealt with by an international treaty, similar to treaties that have limited the spread of nuclear, chemical and biological weapons. The United States had resisted, arguing that it was impossible to draw a line between the commercial and military uses of software and hardware.

[...]

A State Department official, who was not authorized to speak about the talks and requested anonymity, disputed the Russian characterization of the American position. While the Russians have continued to focus on treaties that may restrict weapons development, the United States is hoping to use the talks to increase international cooperation in opposing Internet crime. Strengthening defenses against Internet criminals would also strengthen defenses against any military-directed cyberattacks, the United States maintains.

[...]

The American interest in reopening discussions shows that the Obama administration, even in absence of a designated Internet security chief, is breaking with the Bush administration, which declined to talk with Russia about issues related to military attacks using the Internet.

I'm not sure what can be achieved here, but talking is always good.

I just posted about cyberwar policy.

Posted on December 14, 2009 at 6:46 AM • 33 Comments

Comments

Brandioch Conner • December 14, 2009 7:28 AM

"Officials familiar with the talks said the Obama administration realized that more nations were developing cyberweapons and that a new approach was needed to blunt an international arms race."

And what would those "cyberweapons" be?

"They include “logic bombs” that can be hidden in computers to halt them at crucial times or damage circuitry; “botnets” that can disable or spy on Web sites and networks; or microwave radiation devices that can burn out computer circuits miles away."

?

To me, that reads like someone threw in all the terms they could find in the hope that SOMETHING would sound scary.

Identifying botnets is simple. Yet our government won't do anything about them here.

BF Skinner • December 14, 2009 7:39 AM

@Brandioch "Identifying botnets is simple. Yet our government won't do anything about them here."

No, it's not, and fast-flux networks are even tougher. It takes time, skill and luck for the breaks we've gotten.

And in the anarchic international world we live in, just what would you have our government do? Direct action? Kinetic kills against another country's hardware and buildings? Extraordinary rendition of the suspected operators? Cyber attacks against routers and DNS?

Without the cooperation of other countries we can't take the fight into their domain space. Under the current lack of law and treaty, it could easily be interpreted by hostile nations as espionage or a provocative act of war.

Brandioch Conner • December 14, 2009 8:05 AM

@BF Skinner
"No it's not and fast flux networks are even tougher. It takes time, skill and luck for the breaks we've gotten."

And yet it is done, repeatedly, by people researching those botnets.

It's also done every single day by email admins trying to cut down on spam.

SpamAssassin even has a plug-in for it.

"And in the anarchic international world we live in just what would you have our government do?"

How about the "clean up your own house first" method?

Who cares about a botnet in another country when it is possible to filter all of the traffic from that country?

Clive Robinson • December 14, 2009 9:02 AM

@ BF Skinner,

"No it's not and fast flux networks are even tougher. It takes time, skill and luck for the breaks we've gotten."

Yup, and as far as I'm aware the only "botnets" that are "simple to detect" are those that advertise their presence one way or another.

And that appears to boil down to detecting very overt "unexpected output" or attempts to connect to a "control host".

For a "cyber weapon" it's likely that the "botnet" will be very covert, not blatantly overt, and it will try to hide talking to a control host that can be identified and taken down.

And yes I know how to quite easily do the covert control with little difficulty.

I've had this discussion over on Lightbluetouchpaper already if people want the gory details.

HJohn • December 14, 2009 9:38 AM

@: "talking is always good."
_________

If both sides are willing to play by the rules, yes. If one side isn't, then they gain an advantage by putting the other in a box (with an awareness of the constraints of that box) while not constraining themselves.

jgreco • December 14, 2009 10:06 AM

@Brandioch Conner

What I believe BF Skinner means, and what I agree with, is that actually researching and infiltrating botnets is very hard work. Identifying emails as spam from a botnet is a relatively trivial task, but that is completely beside the point.

To actually shut down botnets you need to identify the points of control, and find a weakness in its design. (or alternatively find the people running it in the real world and physically arrest them). Neither of these are easy to begin with, and actual prosecution of botnet controllers is certainly hampered by the lack of international cooperation.

Modern botnets are nothing to sneeze at, generally distributed to obscure command servers, and often employing public key cryptography to verify the authenticity of commands.

I can't find a link to it right now, but there was an article around I think a year ago that detailed a botnet that would, upon detecting researchers probing it, launch DDoS attacks to defend itself.

jgreco • December 14, 2009 10:15 AM

@Brandioch Conner

"Who cares about a botnet in another country when it is possible to filter all of the traffic from that country?"

I think that is a very naive position to take. A botnet may be owned by the Russian mafia, rented by American spammers, and consist of mainly unpatched pirated Windows installations in China. There is very little concept of borders when it comes to the internet and you can't just "filter all traffic coming from other countries"*.

*Well, as the Chinese have proven, you certainly can, but you would never be able to effectively choke out botnets without seriously damaging your network in general.

Brandioch Conner • December 14, 2009 10:19 AM

@jgreco
"What I believe BF Skinner means, and what I agree with, is that actually researching and infiltrating botnets is very hard work."

And yet it is done many times by many different people. As evidenced in the article I posted and the article that it references.

"To actually shut down botnets you need to identify the points of control, and find a weakness in its design."

No. If you control the wire, you can see everything that crosses that wire. So all you need is an infected box.

That will give you the ip addresses of the control servers.

Again, as shown in the article I posted.

The only problem has been getting any legal action taken against the company hosting the control servers.

Again, as shown in the article I posted.

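An added example, not from the thread, of what "controlling the wire" yields in practice. It parses a constructed connection log (documentation-range addresses, hypothetical timestamps, one assumed infected host) from a monitored segment and reports every source, destination and port that is contacted on a near-fixed schedule, which is how an overt call-home to a control server shows up in traffic. The thresholds are assumptions; a bot that jitters its timing or rotates destinations does not trip this check.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log for this example (not real traffic): one line per
# outbound TCP connection seen on the monitored segment. Addresses are from the
# documentation ranges; 10.0.0.5 is the assumed infected host.
LOG = """\
2009-12-14T06:00:00 src=10.0.0.5 dst=198.51.100.20 dport=80
2009-12-14T06:00:07 src=10.0.0.5 dst=203.0.113.7 dport=6667
2009-12-14T06:01:31 src=10.0.0.5 dst=198.51.100.21 dport=80
2009-12-14T06:05:07 src=10.0.0.5 dst=203.0.113.7 dport=6667
2009-12-14T06:06:12 src=10.0.0.5 dst=198.51.100.20 dport=443
2009-12-14T06:10:08 src=10.0.0.5 dst=203.0.113.7 dport=6667
2009-12-14T06:13:45 src=10.0.0.5 dst=198.51.100.22 dport=80
2009-12-14T06:15:07 src=10.0.0.5 dst=203.0.113.7 dport=6667
2009-12-14T06:20:07 src=10.0.0.5 dst=203.0.113.7 dport=6667
2009-12-14T06:24:59 src=10.0.0.5 dst=198.51.100.20 dport=80
2009-12-14T06:25:06 src=10.0.0.5 dst=203.0.113.7 dport=6667
2009-12-14T06:00:03 src=10.0.0.9 dst=198.51.100.20 dport=80
2009-12-14T06:09:40 src=10.0.0.9 dst=198.51.100.23 dport=443
2009-12-14T06:21:12 src=10.0.0.9 dst=198.51.100.20 dport=80
garbage line that a real collector might emit
"""

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_flows(log: str) -> dict:
    """Group connection timestamps by (src, dst, dport); skip malformed lines."""
    flows = defaultdict(list)
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(log: str, min_connections: int = 4, max_cv: float = 0.1) -> list:
    """Return (src, dst, dport, period_seconds) for flows whose inter-connection
    gaps are nearly constant: coefficient of variation at or below max_cv.
    Thresholds are assumptions for the example, not tuned values."""
    found = []
    for (src, dst, dport), times in parse_flows(log).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append((src, dst, dport, round(mean)))
    return found


if __name__ == "__main__":
    for src, dst, dport, period in find_beacons(LOG):
        print(f"{src} calls {dst}:{dport} every ~{period}s")
```

On the constructed log the only flagged flow is 10.0.0.5 to 203.0.113.7:6667 with a period of about 300 seconds; the ordinary web connections from both hosts are too few and too irregular to qualify. Lowering `max_cv` far enough discards even that beacon, which is the trade-off a controller exploits by adding jitter.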
jgreco • December 14, 2009 11:07 AM

@Brandioch Conner

I'm quite familiar with the article which you linked and what you need to understand is that it is _not_ a typical case. Do yourself a favor and look up the technical details of more advanced botnets such as Conficker.

Identifying control servers is not a trivial task when any infected machine can be used to control any other infected machine. They need not be heavy-duty rack machines with professional hosting; they can be that old Windows 98 machine that one of your relatives has sitting, half forgotten, in their living room.

Furthermore, even if the botnet _does_ happen to be controlled by a central server with professional hosting, knocking it offline and going after the owners will by no means guarantee a kill. A few days ago there was a Slashdot article about a botnet being controlled from rented-out Amazon servers. Of course the botnet controller was not stupid enough to rent the servers himself; he compromised someone else's.

Even simply knocking controlling servers offline often won't get you far. Conficker, for example, had a relatively complex system in place for backup servers.

Mark R • December 14, 2009 11:16 AM

@Brandioch:

I'm sure there are still botnets that work that way (all the endpoints contact central C&C servers), but the smart ones have switched to a peer-to-peer model. Storm worm is a widespread example.

http://honeyblog.org/junkyard/paper/...

This makes it much less simple to find the root control points by observing the infected machines.

Clive Robinson • December 14, 2009 11:25 AM

@ jgreco,

"To actually shut down botnets you need to identify the points of control, and find a weakness in its design."

Unfortunately there is a fairly simple way around identifying the control points, using people's blogs and a search engine like Google.

All you do is work out a fairly simplistic system whereby you, as the controller, make a post to a popular blog like this one.

You encode the binary control string in to the message using say spaces before and after punctuation marks.

Thus the blog posting is actually directly relevant to the blog page you post to (people will ignore the punctuation stego).

At some point a search engine bot will copy it into the search engine cache.

The botnet machines make appropriate searches on one or more search engines and pull the page from the cache not the blog page.

The blog operator sees nothing untoward, and the search from a botnet member is not likely to raise an alarm either on its local network or at the search engine.

And the controller can use a different blog for each and every control message.

It's not impossible to spot or stop, but for a covert botnet used for cyberwarfare it would be virtually impossible to deal with...

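The scheme in the comment above, as an added example rather than anything posted in the thread: the controller embeds one bit per punctuation mark in an ordinary-looking comment (a space before the mark means 1, none means 0), and a bot that fetches a cached copy of the page recovers the bits. The cover text, the two-byte payload and the defender's ratio check are constructed for the example. A single space before a comma survives HTML whitespace collapsing, which is why the channel works on a cached rendering as well as on the raw post.

```python
import re

# Cover text constructed for this example: the sort of on-topic comment a
# controller would post. It contains no spaces before punctuation, so its
# "natural" bit string is all zeros.
COVER = (
    "Talking is fine, but a treaty needs verification, and verification "
    "needs definitions: what is a weapon, what is a network, what is an "
    "attack? Nobody agrees, and nobody will, so expect years of drafts, "
    "counter-drafts, and footnotes. Still, talking beats the alternative; "
    "silence helps nobody, least of all the defenders, who need rules, "
    "budgets, and time."
)

# Carrier: an optional single space followed by one punctuation mark.
MARK = re.compile(r" ?([,.;:!?])")


def capacity_bits(cover: str) -> int:
    """One bit per punctuation mark."""
    return len(MARK.findall(cover))


def embed(cover: str, payload: bytes) -> str:
    """Controller side. Encode payload MSB-first: mark i gets a leading space
    iff bit i is 1. Marks beyond the payload keep their normal (bit 0) form."""
    bits = [(byte >> k) & 1 for byte in payload for k in range(7, -1, -1)]
    if len(bits) > capacity_bits(cover):
        raise ValueError("cover has too few punctuation marks for this payload")
    remaining = iter(bits)

    def rewrite(m):
        return (" " if next(remaining, 0) else "") + m.group(1)

    return MARK.sub(rewrite, cover)


def extract(text: str, nbytes: int) -> bytes:
    """Bot side. Recover nbytes from text produced by embed()."""
    bits = [1 if m.group(0).startswith(" ") else 0 for m in MARK.finditer(text)]
    out = bytearray()
    for i in range(nbytes):
        chunk = bits[i * 8:(i + 1) * 8]
        if len(chunk) < 8:
            break
        value = 0
        for bit in chunk:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def spaced_mark_ratio(text: str) -> float:
    """Defender's statistic: share of marks preceded by a space. Edited English
    sits near 0; a carrier loaded with a random payload sits near 0.5."""
    marks = list(MARK.finditer(text))
    if not marks:
        return 0.0
    return sum(1 for m in marks if m.group(0).startswith(" ")) / len(marks)


if __name__ == "__main__":
    command = b"\xa5\x3c"  # hypothetical two-byte control message
    posted = embed(COVER, command)
    print(posted)
    print("bot recovers:", extract(posted, len(command)).hex())
    print("ratio clean vs loaded:", spaced_mark_ratio(COVER), spaced_mark_ratio(posted))
```

The capacity is small (18 bits in this cover), which is why the comment above talks about a different blog per control message. The ratio check is the simplest form of "not impossible to spot": clean prose scores 0.0, the loaded comment scores about 0.44, so a per-comment statistic over a blog's archive separates the two even without knowing the encoding.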
BF Skinner • December 14, 2009 11:35 AM

@jgreco
Has my meaning rightly sussed.

@Brandioch Conner
I'm not saying it can't be done. That it has been is evidence of the hard work, skill and luck of the researchers. But you do need more than a single endpoint.

Clive's, as usual disconcerting, point that the bot networks taken down were noisy is spot on. Spam and DDoS networks.
Hierarchy has been top-down command and control and that's changing to peer to peer.

That's what's been taken down. The intent of the network designer is what makes it perceivable let alone attackable.
I can think of a couple reasons to set up quiet networks (quite apart from state sponsored espionage).

Your point "getting any legal action taken" is well made. The international "system" is anarchic. There are few, if any (opinions vary), superior governing authorities that can compel sovereign nation-states.

Cooperation all depends on bilateral and multilateral agreements made between nation-states. Leave aside enforceability for the time being; getting that agreement isn't easy. Witness the Copenhagen climate talks or any given day at the UN.

And getting that agreement is the point of the article isn't it? It's also the likely response to your observation "our government won't do anything." If they can establish rules (like the ITU does for the frequency spectrum) then they'll have done a lot.

Regarding your proposal to "filter all of the traffic from that country"

Are you advocating (as jgreco notes) a series of Chinese Great Firewalls at each national border?

Or a reverse firewall, like a series of pens staked around rogue countries?

Or the US intercepting all the world's internet traffic and dropping sessions it doesn't like? It would likely take something like this, and even if it's doable, is it advisable?

I don't believe unilateral filtering (for so I understand your point) is an action the US could technically even take. Again, it would take nations agreeing to enforce the filters on all access points, to ensure no one allowed the traffic to route through their physical and network space.

Even if it could, it could be difficult to enforce. I once saw a traceroute from Dubai to Hong Kong skip over the Pacific to the US and skip back before it reached its target host in China.

Clive Robinson • December 14, 2009 12:04 PM

A couple of links people might want to have a look at,

http://searchsecurity.techtarget.com/tip/...

http://www.csoonline.com/article/print/509739

The first is a fairly up-to-date overview of concerns about botnets.

The second is a view about problems with the PCI issues. However, towards the end the author raises the point about "trust" and PCs on the Internet.

Although I don't agree with the "death of the Internet", I do agree with the National Security issues.

BF Skinner • December 14, 2009 12:30 PM

"No system that seeks to blame victims for unprovoked attacks can long survive"

Not sure about this. I hear "She was askin' for it" in too many assault cases.

"now draining hundreds of millions from corporate accounts"
One excuse banks have given for not providing token solutions for their online banking was the device cost (and end user training and help desk support I know, I know bundle it in one cost).

Do banks think at this point it is or isn't worth the expense?

Les • December 14, 2009 12:45 PM

"Who cares about a botnet in another country when it is possible to filter all of the traffic from that country?"

I love this idea, it's the ultimate denial of service attack.
If this type of thing were actually implemented, I could kick an entire country off of the internet simply by spoofing a botnet! It's easier than a real botnet, because you only need to keep it alive long enough to get noticed.

The real consequence, of course, is that the US would lock-out every other country within seconds of implementing this rule, thereby ironically cutting only itself off. That'll show 'em!

Brandioch Conner • December 14, 2009 12:53 PM

@BF Skinner
"I'm not saying it can't be done."

So we are in agreement at that point.

"That it has been is evidence of the hard work, skill and luck of the researchers."

Luck has nothing to do with it. Which is why so many people can duplicate that work. Like I said, SpamAssassin even has a plug-in for it.

"The international "system" is anarchic."

And totally irrelevant to this discussion. The two examples I referenced were 100% USofA.

100%

jgreco • December 14, 2009 2:18 PM

@Brandioch Conner

"SpamAssassin even has a plug-in for it."

I think you are completely misunderstanding what this conversation is about. Seeing as you are completely avoiding the other points we've made, I'd suspect this is even a case of willful ignorance.

"Luck has nothing to do with it. Which is why so many people can duplicate that work."

Discoveries can initially rely heavily on luck, but once made, be easily reproducible. This is how a great deal of science works. What you seem to be suggesting is there is some sort of standard procedure that you can follow to discover, examine and categorize, then take down, any botnet.

This of course is patently absurd, for reasons already pointed out.

"And totally irrelevent to this discussion."

'This discussion' is about "U.S./Russia Cyber Arms Control Talks". Mentioning that the current international system is anarchic is _anything_ but irrelevant.

Moderator • December 14, 2009 2:23 PM

Brandioch, I notice some improvement in your tone and I appreciate that, but you are still arguing by endlessly repeating the same few points while simply ignoring most of the counterarguments. If you want to continue commenting here, you need to start paying attention to what others are saying and participating in a real dialogue, with some actual give and take.

Brandioch Conner • December 14, 2009 2:35 PM

@jgreco
"What you seem to be suggesting is there is some sort of standard procedure that you can follow to discover, examine and catagorize, then take down, any botnet."

Yes, it is called "Computer Science". Zombies are all about software being installed on machines.

"This of course is patently absurd, for reasons already pointed out."

And yet I have posted a reference article that shows just that. And that article even references a second article that shows just that.

Do you want a third article?
http://mtc.sri.com/Conficker/

As I've stated before, this has been done so many times that SpamAssassin even has a plug-in for it.

jgreco • December 14, 2009 2:45 PM

@Brandioch Conner

There are two issues here. The first is discovering infections of known botnets. This is generally very easy. The second is discovering and analyzing previously unknown botnets. This is generally very challenging.

You seem unable or unwilling to understand the difference between these two concepts, for whatever reason. I don't know how to explain it any more clearly than this.

"As I've stated before, this has been done so many times that SpamAssassin even has a plug-in for it."

Yes, I think we are obviously done here...

Brandioch Conner • December 14, 2009 2:56 PM

@jgreco
"You seem unable or unwilling to understand the difference between these two concept, for whatever reason."

The only difference is whether research has been started on them.

All of the "known botnets" at one time were "unknown botnets".

Once they are discovered (through whatever means) researchers apply the principles of Computer Science to dissect the software.

There is no security without physical security. And the researchers have physical access to infected machines.

jgreco • December 14, 2009 3:05 PM

"The only difference is whether research has been started on them."

Exactly. The point we are trying to make is that research tends to be very hard, and is potentially almost impossible for practical purposes.

Furthermore, even once you understand how a botnet operates, you have no guarantee that you can effectively counter it. Clive Robinson's comment at December 14, 2009 11:25 AM goes more into this; I won't rehash it.

Think of it this way: The way RSA works is well understood, but that doesn't make it easy to break.

Brandioch Conner • December 14, 2009 3:16 PM

@jgreco
"Exactly. The point we are trying to make is that research tends to be very hard, and is potentially almost impossible for practical purposes."

And I have presented 3 articles that contradict that.

One of them had very exacting details.

"Furthermore, even once you understand how a botnet operates, you have no garentee that you can effectively counter it."

Seeing as how it is software, how would it be impossible to remove it?

The only limitation being what is legally allowable on machines that you do not own.

Which I covered in my first post:
"Identifying botnets is simple. Yet our government won't do anything about them here."

Then I provided two examples showing what the government could do in such cases.

jgreco • December 14, 2009 4:11 PM

@Brandioch Conner

I believe that most security researchers would quickly disagree with your assertion that their work is easy. The fact that it can and has been done is no indication that it is, or always is, easy.

"Seeing as how it is software, how would it be impossible to remove it?"

I'm glad you bring this up. Remember that this conversation is in the context of botnets being used in so-called "cyberwars". There is no reason to believe that any particular government would have access to the bulk of the machines that are part of a botnet. Furthermore, ideally it should be impossible to remotely uninstall software from a computer (and don't count on the machine being compromised the first time to make this task easier; worms/botnets have long been in the habit of closing the door after themselves).

Really, the assumption that the botnet in question is formed of unknowing infected computers is a bad one too. It is quite possible that the attacking botnet is formed of nodes willingly signed up by their owners, out of some sort of sense of patriotic duty. (this has been documented as happening before, during the Russia/Georgia event).

Ignoring the entire cyberwar pretext, botnets are not limited to geographic areas, and, barring international reform, there is often nothing individual governments can do to combat them. Incredibly primitive botnets are of course a possible exception, that is an exception, not a rule.

It should also be noted that explaining to a willing public how to remove malware is, in practice, an incredibly difficult task. Ask anyone who has ever worked in tech support. Alternative ways of neutralizing a botnet (such as using the botnet's existing communication mechanisms to disable it) can be both illegal (which you mention), and in some cases practically impossible (if, for example, the botnet uses public key encryption to verify the authenticity of the commands it receives).

If you are trying to allude to the physical seizure of infected machines by the government, I would counter by pointing out that such an act would likely be on very shaky legal grounds. If you want to define "unwilling to break the law" as "won't" then go ahead, but personally I categorize that as "cannot".


"Identifying botnets is simple. Yet our government won't do anything about them here."

I believe a more accurate statement would be something such as: "Identifying botnets is often challenging, and our government is unable to do anything about them."

Seth Breidbart • December 14, 2009 4:30 PM

Brandon, where is the SpamAssassin plugin that takes down botnets?

Determining from external behavior whether a computer is part of a botnet is Turing-complete.

Removing software is easy, if you have physical access to the computer and know what you're doing and all about the software you want to remove. There are individual infections for which good removal tools take months to appear (and the malware is evolved to beat them).

Brandioch Conner • December 14, 2009 5:20 PM

@jgreco
"I believe that most security researchers would quickly disagree with your assertion that their work is easy."

What I said was:
"Identifying botnets is simple."
That is what I said.

"Furthermore, ideally it should be impossible to remotely uninstall software from a computer (and don't count on the machine being comprimised the first time to make this task easier, worms/botnets have long been in the habit of closing the door after themselves)."

Why "ideally"? I'm talking about real-world zombie machines.

"Really, the assumption that the botnet in question is formed of unknowing infected computers is a bad one too."

http://en.wikipedia.org/wiki/Botnet
"While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed via drive-by downloads exploiting Web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure."

"Ignoring the entire cyberwar pretext, botnets are not limited to geographic areas, and, barring international reform, there is often nothing individual governments can do to combat them."

Nor have I made any of those claims, EXCEPT that it is possible for a government to be more proactive in addressing the zombie issue on networks that are under their jurisdiction.

"It should also be noted that explaining to a willing public how to remove malware is, in practice, and incredibly difficult task."

Nor have I said that.

"Alternative ways of neutralizing a botnet (such as using the botnet's existing communication mechanisms to disable it) can be both illegal (which you mention), and in some cases practically impossible (if for example, the botnet uses public key encryption to verify the authenticity of the commands it receives)."

Yes, that is what I have said. And the government (which I referenced earlier) is what passes the laws determining what is legal.

"If you are trying to allude to the physical seizure of infected machines by the government, I would counter by pointing out that such an act would likely be on very shaky legal grounds."

No, I have not alluded to that.
And, again, the government is what determines what is legal. So even if I had alluded to that, all the government would have to do would be to pass a law saying that it was legal to do so.

"I believe a more accurate statement would be something such as: "Identifying botnets is often challenging, and our government is unable to do anything about them.""

And we disagree on both portions of that statement and I have provided 3 articles illustrating exactly why.

Moderator • December 14, 2009 8:00 PM

Brandioch, that's enough. Do not comment on this thread again.

I would be sorry to ban you from the blog completely, because you do sometimes make good points, but you have got to break this habit of argument by endless repetition. If you can't do it any other way, then I suggest you limit yourself to one or two comments per thread in the future. You seem to think that your initial comments on any given thread say everything necessary to win the argument, anyway.

Ctrl-Alt-Del • December 14, 2009 8:10 PM

@Brandioch Conner:

"the government is what determines what is legal. So even if I had alluded to that, all the government would have to do would be to pass a law saying that it was legal to do so."

Define "the government". Are you pointing at the executive, the bureaucracy, the legislature, the courts? The whole thing? Some parts of "the government" are deliberately designed to be antagonistic to each other. Each part is denied powers intended to be wielded by only other parts.

The executive can make decrees, but these can be voted down by the legislature. Legislative assemblies can pass laws, but these can be struck down by the courts or vetoed by the executive. Courts can decide what is and is not legal, but the executive and legislature can simply make new decrees or pass new laws.

Some governments do have the powers you would apparently like "the government" to possess. But you probably wouldn't want to live in those countries.

Hugh • December 15, 2009 12:02 AM

Is it not the job of the cyber chief to make recommendations on policies to Congress and the current administration, which will ultimately determine what is legal based on the current situation, if those recommendations are taken seriously?
It's pretty hard to be a leader in cyberspace without a cyber chief.

Adam • December 15, 2009 10:29 AM

When talking about cyberwar, be sure to mention Ossetia and the Georgia conflict, as it has been the only hot cyberwar to date. It would seem for now that defacements and DDoS attacks are the only weapons that can be mustered on short notice.

boxley • February 16, 2010 8:42 PM

Moderator, I apologize for breaking in. Brandioch is correct in this thread from my perspective as a fellow who spends his working day at a largish ISP directly addressing this particular issue. As for his posting style, he sticks to his points, expands and defends them in a coherent manner, which may be annoying, but unless you can prove his points wrong a lot of twaddling around them will not change his position, which he will defend. In fact, since posting online since the CompuServe era I have only ever admitted an error once, in an epic thread with Brandioch that went over several hundred posts. Let him run, it's always amusing.
thanx,
Bill
