Response to "How Microsoft Appointed Itself Sheriff of the Internet" (Part 1)

This blog post is a response to the Wired article of Oct 14, 2014, "How Microsoft Appointed Itself Sheriff of the Internet." [McM14] I find some problems with this article that raise questions about the depth of research into some elements of the story, and an appearance of bias in how "unintended consequences" are presented.

For example:

  • The URL for the story on the Wired web site contains the term, "microsoft-pinkerton", as if Microsoft is acting like the Pinkerton Agency in the "wild west" days. This analogy is completely inapt. A company who is hired by victims of computer intrusion to go after those intruders and seek some form of extra-judicial retribution would be the analog to the Pinkerton Agency (who was hired by banks and railroad companies to go after train robbers when local law enforcement was incapable of doing so). Nor is the term "Sheriff" appropriate, since a Sheriff is an officer of government enforcing criminal statutes, while Microsoft is exercising their rights under the United States legal system to seek civil remedies by pleading their case in front of a civil court of law. I have addressed this issue of civil vs. criminal legal avenues in the past when the even less appropriate term "vigilante" was used. [Dit12a] Going so far as to say, "acting as a kind of all-powerful internet sheriff," overstates what is happening and does not accurately depict criminal powers and police authorities vs. civil legal remedies adjudicated by courts.
  • The article suggests that use of civil legal process to protect trademarks under the Lanham Act to seize assets is, "a power that typically lies within the purview of law enforcement, not private companies." This is simply not the case. If this was true, why is it easy to find a document on a law firm web site that includes a section entitled, "Seeking and Obtaining an Ex Parte Seizure Order," suggesting that not only is it possible for private sector entities to use this legal mechanism, but essentially encourages it? "Trademark owners face serious risks in failing to aggressively pursue counterfeiters. They can protect their interests by asserting the counterfeiting provisions of the Lanham Act. Owners may seize the offending goods, recover monetary damages, deny defendants their profits, and obtain injunctive relief against future counterfeiting. Obviously, trademark owners must also be aware of the costs involved in seeking relief. By asserting their rights in court, however, trademark owners can create a financially oppressive marketplace for counterfeiters, making their activities unprofitable and unattractive." [Som99] This is exactly why botnet takedowns are done using civil legal process instead of solely using technical means: to "create a financially oppressive marketplace" for cyber crime, a common goal.
  • The article's final point is about "collateral damage," which is reported from the perspective of No-IP. The criticism is about unintended collateral damage, and the charge is leveled at Microsoft for such harm. The representative from No-IP quoted in the article claims to have been involved in the Mariposa takedown and cites that as a success, while that botnet takedown itself involved unintended collateral damage. This raises the issue of a double standard. While not precisely the same situation -- one involves harm resulting from active participation of the malicious actors, while the other did not -- if the primary issue is that unintended harm to innocent third parties occured in relation to a botnet takedown, the involvement of the malicious actor is orthogonal.

I want to dig in on this final point, since it is crucial to understanding why I believe the computer security research and operations community needs to come together to work towards common goals, not engage in internecine fighting through attack pieces in the popular press.

Fighting back

The history of DoS attacks, going back to the mid 1990s, is one of fighting for control. [MDDR04] The very first DDoS attacks [Dit99], [Dit00] were an attempt by a small group to use a new client/server architecture for DoS attacks to overwhelm a larger group using older manual methods. Researchers who studied the Storm botnet without taking precautions found themselves subjected to DDoS retaliation. [Gau07] Anyone who studies DDoS knows that there is a credible risk of retaliation, should the person operating the DDoS network feel threatened. Experts in DDoS and botnets, who have studied the issue deeply and thoroughly, are aware that this is a realistic and credible threat that faces anyone going directly after control of DDoS botnets. Anyone wishing to engage in an aggressive takedown of a DDoS botnet had better not only be an expert, but exhibit that expertise in their actions.

The Mariposa Working Group members either knew, or should have known, that the Mariposa botnet was used for DDoS attacks. The fact that it had been used for DDoS attacks was mentioned in stories about the reason the group was formed in the first place. "The criminals used Mariposa for typical cyberscams: They stole banking credentials and launched distributed denial-of-service (DDoS) attacks." [McM10] That fact should lead those who are knowledgeable about DDoS attacks to conclude that there is a risk of the botnet being turned against anyone known to be "attacking" the botnet's C&C.

It is not a great surprise, then, that when something went wrong during the Mariposa takedown, the botnet was turned against the Mariposa Working Group members who were battling for control of the botnet using only cooperative technical means. [Dit12b], [Dit13] "One of those DDoS attacks was directed at Defense Intelligence's computers in Ottawa. Angered by the company's efforts to defeat them, the hackers sent data to the company's servers at the rate of 900M bits per second after they briefly regained control of the botnet on Jan. 25." [McM10]

Unintended Consequences

What went wrong? The Mariposa Working Group was using solely cooperative technical means to perform the takedown. There was no civil action, filed under seal, where a court has authority to punish anyone who breaches secrecy of the court's seal, or violates an order of the court. "According to Defence Intelligence CEO Christopher Davis, a few days later, the alleged ringleader of the Mariposa botnet gang who goes by the hacker alias 'Netkairo,' bribed an employee at a Spanish domain name registrar that the gang had been using to register Web site names that helped them control the botnet. Armed with those domains, Netkairo was able to rebuild the botnet, as the individual PCs previously enslaved by the Mariposa botnet were still programmed to regularly connect to those sites and download new marching orders." [Kre10] There is no way of predicting that someone will accept a bribe to return assets used by a criminal, but if accepting money from a criminal is not a crime, there is also no disincentives or penalty. Had the MWG used civil legal process, on the other hand, perhaps the person who accepted the bribe would have thought twice about violating a court order or otherwise being legally culpable.

And who suffered? "Davis said that on [Jan. 22, 2010], the hacker launched a distributed denial of service attack against Defense Intelligence's Web site, using more than a million PCs the gang had managed to corral back into the Mariposa botnet. That assault, which forced the infected PCs to flood the company's site with junk Web traffic, not only knocked Defence Intelligence offline, but took out networks of several other organizations that were using the same Internet service provider, including a local university and a few government agencies in Ottawa." [Kre10]

In the next installment, the issues of hypocrisy and taking responsibility are examined.


[Dit99]David Dittrich. The DoS Project's trinoo distributed denial of service attack tool., October 1999.
[Dit00]David Dittrich. The Stacheldraht distributed denial of service attack tool, January 2000. Available at
[Dit12a]David Dittrich. Thoughts on the Microsoft's "Operation b71" (Zeus botnet civil legal action)., March 2012.
[Dit12b]David Dittrich. So You Want to Take Over a Botnet... In LEET'12: Fifth USENIX Workshop on Large-Scale Exploits and Emergent Threats, April 2012.
[Dit13]David Dittrich. So You Want to Take Over a Botnet..., February 2013. Presentation to Microsoft Digital Crimes Consortium 2013 meeting.
[Kre10](1, 2) Brian Krebs. 'Mariposa' Botnet Authors May Avoid Jail Time., March 2010.
[Gau07]Sharon Gaudin. Storm Botnet Puts Up Defenses And Starts Attacking Back., August 2007.
[MDDR04]Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher. Internet Denial of Service: Attack and Defense Mechanisms. Prentice Hall PTR, 2004.
[McM10](1, 2) Robert McMillan. Spanish Police Take Down Massive Mariposa Botnet., March 2010.
[McM14]Robert McMillan. How Microsoft Appointed Itself Sheriff of the Internet., October 2014.
[Som99]Mark Sommers. Taking an Aggressive Stance Against Counterfeiters: An Overview of Trademark Counterfeiting Litigation under the Lanham Act., September 1999.


comments powered by Disqus