Schneier on Security
A blog covering security and security technology.
November 11, 2010
Bulletproof Service Providers
From Brian Krebs:
Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called "bulletproof hosting" providers, mini-ISPs that specialize in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.
Posted on November 11, 2010 at 12:45 PM
I'm not concerned about spammers and hackers - governments are the biggest problem these days. With sites like WikiLeaks being attacked, we need these supposed bulletproof hosts to become more available and cheap. It wouldn't hurt if they were considered more legitimate too. In fact, the linked article could be seen by conspiracy theorists as an attempt to make these hosting providers look less legitimate.
I see it as simple market economics; that is, where there is a demand there will shortly thereafter be a supply.
The way to deal with spamming, DDoS, phishing and other such sites is not by attacking their sites; it's fairly well doomed to fail for more than a day or so, as just about every study has shown.
Like any other "for profit" crime the way you stop it is to take the profit out of it.
The question is how you go about it.
However there is a hidden problem which is one of the principles of low hanging fruit. That is, you learn to climb the tree when the ripe fruit is just out of reach.
What we are doing with these "tickling the edges" solutions to phishing etc. is evolving the enemy, not starving them to death.
It's a point I've been making for some time now that if we are going to raise the bar we don't do it little by little in a piecemeal fashion. We raise it a lot and we do it as best we can everywhere, otherwise we only get a small temporary relief.
However we might already be too late; the level of crime involved suggests that they may well now have sufficient reserves to sit out a war of attrition.
You're right about the goal of removing profit. How do we get around the problems caused by the incentives of the "good-guys"?
Take the fake anti-virus market. The credit card companies could view the "fake anti-viruses" as fraud and therefore prevent payment. However, the CC companies get paid for these transactions, and too few consumers who realize they've been duped attempt to reverse the charges to make it worth the expense of the CC company trying to block all the fake AVs.
Alternatively, eliminating the need for the "legitimate" anti-virus market would fix the same issue. Of course, the major AV players fight this tooth-and-nail...
In a digital world we need Bulletproof Service Providers; without them freedom of speech would be dead.
@ Nash Equilibrium,
"You're right about the goal of removing profit. How do we get around the problems caused by the incentives of the "good-guys"?"
A good question to which I suspect there is no free market answer.
Even a "by legislation" is not going to work very well either.
The question hinges on "prior knowledge" by the organisation. That is, should the credit card company accept another order by a company it would have reason to believe was less than reputable in its dealings.
Ignoring for the moment the time lag between a user realising they have been had and reporting it to the credit card company.
What if the CC company chose to alert the user; would the CC company then be liable to either party? The way US litigation sometimes appears to work, it might well be both parties.
I can thus see a reason for the CC company to say nothing even if it was aware of problems, not to make a few cents extra profit but to avoid large litigation costs.
I'm still stuck at the start when he says
"the only activities that are prohibited are sending spam and hosting any type of porn"
"For extra coin each month, one can rent a bulletproof server...that automates the registration of new Web forum accounts and the spamming of links on those forums"
So you can send not-spam spam, but not spam?
Why do they prohibit spam anyway if they are bullet*proof*? Could it be a kink in the armor?
I believe what they mean by "sending spam" is that they prohibit the sending of email spam (SMTP, or by exploiting broken remailer web forms). They seem to be okay with "spamming" forums, as this isn't email.
I would venture that they prohibit transmitting email spam because this gets their IP addresses added to distributed blacklists (DNSBL/RBL/etc). Forum spamming is unlikely to result in being added to shared blacklists, just being blocked by individual forums/hosting providers.
Getting the profit out of Spam and Nigerian scams is conceptually easy as there is only a single option:
Penalize those who transfer money to spammers and scammers.
But I think it cannot be done. Not so much for technical reasons. But as the "war on drugs" has shown recently, and the oldest trade has shown throughout history, you cannot destroy demand by law.
"Getting the profit out of Spam and Nigerian scams is conceptually easy as there is only a single option: Penalize those who transfer money to spammers and scammers."
Does the penalty have to be a punishment post transfer?
How about a cooling off period for transactions of certain types.
So if you want to transfer money to an extra jurisdictional entity you have not transferred money to in the past, there is a 14-day cooling off period put in by the transferring organisation and require a secondary authorization possibly in person.
It would make one off emergency money transfers by individuals to places abroad problematical but that is not the main use of funds transfer systems.
Let's look at the "bulletproof" concept itself, in the most literal sense. NOTHING is "bulletproof" IF you use the right bullet.
And, no, I'm NOT referring to higher tech (e.g., teflon-coated "copkillers"), either. Take the same "bulletproof" vest that will stop a .357 or a .44 magnum, and the "obsolete" (and incredibly underpowered) .30 Carbine round will give you a through-and-through every time with virtually no expansion whatsoever.
If you want to through-and-through a "bullet-proof" HOST, there's probably an incredibly simple solution that is quite similar.
@ Clive, you say where there is demand a supply will be produced, but I have a challenge for you,
There is a demand for a solution to the telephone "hold" button so that the hapless victim does not have to wait listening to muzak while the person with the hold button takes a break, holds a conversation and just expects the victim to hold a muzak thing to their ear.
A way to get them to call back when they are ready to talk or a buzzer that calls you to the phone when the wait is over.
Demand, demand, demand, OK now supply me.
@ im you,
Yes there is a demand and in some places there is a solution called "call back".
What you do is hit the break key, redial and when you get the engaged tone hit the break key again and select the callback option from the voice menu. When the called party hangs up the central office switch calls you and the called party back and reconnects you both (and you end up paying for two calls).
Unfortunately this appears to only work with single numbers from a central office, not with PABXs even with direct dial lines.
Now I know that when it's done from the central office you end up paying for two calls so the telco has an incentive to offer the service. And it is the telco that the customer has a relationship with.
However if implemented from a PABX the company would end up paying for the call which might well be a disincentive for the company.
So the question then arises: is there any demand from companies to the organisations who supply the PABX to the buying/leasing company for this cost incurring service? (and I could understand if there was not).
Thus where there is demand (from customers) in some places a solution has been offered by the telco. However where there is not demand (from the company) the PABX manufacturers have either not supplied it or if they have (the company has) not enabled it.
Sometimes you have to work out where relationships don't exist to understand why a demand is not satisfied with a supply.
@Winter: There is a penalty for those who give money to Nigerian and fake anti-virus scams: they lose money, and get nothing in return. This isn't like the War on Drugs: the transaction between dealer and user is a win-win transaction from the economics point of view, as each gets something they consider more valuable than what they give.
@Clive: Many of the victims in these scams are insistent on sending the money, and don't listen to good advice, so requiring an in-person visit would be only marginally effective. Moreover, a fourteen-day waiting period would affect any small shop trying to sell outside their national borders, and impede global markets for specialty items, as well as making it impossible to send emergency money to family or friends. If there was a way around those restrictions, the scammers would ask their victims to use it, coming up with plausible-sounding reasons why entangling regulations require it.
Moreover, while this might hinder anti-virus scammers, it won't stop Nigerians. The idea behind the usual Nigerian scam is to get hooks into the individual victim, and if money is in transit an extra two weeks they'll use that to string the victim along another two weeks. The scams that involve clearing out the victim's bank account will be handled by transferring the money to a local bank account set up, and laundering from there.
This is going to be a tough problem to solve.
@ auntie pode
That I'm aware of, the only bulletproof hosts are applications running on large botnets backed by reputable people. Freenet is pretty good for certain services, with I2P hoping to prove itself over time.
I'm actually concerned about the attention that malware authors, spammers and especially child pornographers bring to bulletproof hosting. I've recommended these hosts to many people over the years to protect them from unjustified legal assault. These criminals' activity usually results in legal interventions that undermine any laws protecting liberty. Any mention of child pornography almost always overturns protections, so that group concerns me especially.
I fear if the crooks use these services enough we will lose them as a means to protect against government retaliation.
Minor off topic correction, the "cop killer" term for teflon coated bullets was an interesting lie. The teflon was to reduce barrel wear on the gun. The armor piercing part of the bullet was a steel or tungsten core.
@Clive: this is a war that cannot be won. As long as people are allowed to communicate at all, criminals, pedophiles and megalomaniacs in government shoes will be prepared to do evil.
I'm not saying that you don't fight - you just have to accept that you're not ever going to win. So in light of that, how do you combat it without destroying privacy and rights of the rest of us?
@ Anti-Spam Cadre #1
Thanks, I see what you mean. I think I'd call them slimy or gooey providers, not bulletproof -- they slither and slide around whatever you throw at them.
Spam should be treated as spam. That's what troubles me. There is a forum spam list. Take an obvious example:
You can see the abuse pattern is clear as they rotate email addresses, usernames, etc. while they try to fill logs using this attack:
Here is the same but easier to read:
A lack of automation with blacklists leaves the slimy providers a way to escape take-down; manual take-down notices will be ignored but automated ones must have some effect on them. I assume that is why they say "no spam allowed" -- the slime can't get out through the email "hole" as much anymore. But email spam has not exactly stopped either.
You're absolutely correct. I elected not to elucidate further in the interest of brevity, as the simplicity of the .30 Carbine was the main point.