Response to "How Microsoft Appointed Itself Sheriff of the Internet" (Part 2)

In the first part of this two part blog post, the issue of anticipating retaliation during an aggressive battle to wrest control of a DDoS botnet was examined. In this part, the issues of dual standards, taking responsibility, and learning lessons to make positive change over time are examined.

Irony

Recall that these blog posts concern an article from Wired [McM14] that ends with a paragraph about irony, in which a member of the Mariposa Working Group is portrayed as an example of being the victim of "collateral damage" from actions taken by Microsoft. I found that paragraph to itself be ironic, given that the Mariposa Working Group's own actions resulted in unintended collateral damage to innocent third parties. The Mariposa Working Group has been repeatedly brought up as an example of a successful botnet takedown in articles critical of Microsoft for failing to fully take down botnets or causing collateral damage. Very few people know what really happened in the Mariposa case, because those involved don't want to (or some have argued privately that due to secrecy requirements can't) mention the collateral damage in public statements. Yet they do want to publicly and privately brag about the arrest of Netkairo that lead to the arrest, and years later the conviction, of a Slovenian co-conspirator as if the ends justify the means. It should be noted that the author of this Wired article also wrote one of the articles on Mariposa that mentions the DDoS attack. [McM10]

One academic paper that holds up Mariposa as an example of a successful takedown, while at the same time criticizing Microsoft for an "incomplete" takedown and "stepping on other researchers' toes", [NAP+14] has two fundamental problems that I can see, both resulting from an apparent dual standard. (I don't see any problems with the science, but science is not everything when you are talking about engaging in activities like botnet takedowns, and the conference peer review process does not always address issues beyond the science, such as ethics. [DBD11])

First, [NAP+14] completely glosses over the collateral damage in this opaque statement: "Interestingly, Mariposa's botmasters were able to evade a full takedown by bribing a registrar to return domain control to the malicious operators [10], underscoring the fact that barriers to successful takedowns are not only technical ones." You have to go to the effort of looking up and reading the referenced article [reference 10 in [NAP+14] is the same article cited above, [Kre10]] to learn the facts laid out above. Calling it "interesting" and putting one level of indirection between the reader and the facts may be necessary to fit into tight page limits in a complex academic paper submission, but is this transparency and honesty regarding the unintended consequences that resulted in harm to innocent third parties, or does it in any way help future takedown actors know how to avoid the same fate? I do not believe so.

Second, the paper and a blog post by their company in promoting the paper, criticizes Microsoft's actions for being "ad-hoc", "haphazard," and incomplete. I will address this latter point in a moment.

Why am I raising this issue of collateral damage? The point of this response to the Wired article is not to claim (as some have suggested to me) that I believe the Mariposa Working Group's takedown effort was a complete failure. I never said that. To suggest that is a straw-man logical fallacy, intended to dismiss my criticism as being overblown, rather than address the actual point I am raising, which has to do with hypocrisy. If, as the Wired article suggests, the fact of collateral damage is the basis for attacking Microsoft, then those who join this attack (and who themselves have been involved in takedown actions that resulted in collateral damage) must either admit their own responsibility for similar past collateral damage, or accept that they can be shown to be employing a dual standard in their biased argument.

Instead, let's take a fair and balanced look at the situation and acknowledge that taking greater and greater risks in countering computer crime brings with it a concomitant increased potential for harm to innocent third parties, or "collateral damage," as the article puts it. We can then examine any botnet takedown to learn lessons of what to do (and what not to do) in future actions, and help promote these lessons being learned and heeded. The result can be a set of "best current practices" to minimize any potential collateral damage, and maximize the ability to see justice served for computer crimes within the constructs of legal systems around the globe.

The second problem shows up in marketing materials that attack Microsoft as part of a sales pitch, rather than with the goal of improving the global response to cybercrime. We can see this by closely examining two blog posts from the same entity. Here is an excerpt from the blog post that came out in the wake of [NAP+14]:

https://blog.damballa.com/archives/2195

"There's been a lot of press coverage lately about botnet takedowns, especially those by Microsoft and Symantec. While we at Damballa are all for reducing the risk of infection on the Web, the fact of the matter is, these takedowns don't often achieve that goal. It makes me wonder if these efforts are for the sole purpose of garnering press, because they certainly don't have any lasting impact on end user safety. Here are three reasons why recent botnet takedowns have been largely ineffective.

The organizations performing botnet takedowns do so in a haphazard manner. To start, they grab only a small percentage of command-and-control domains that make up the botnet's critical infrastructure. Taking down 24% of the botnet still leaves 76% of it active. The attacker still has a strong foothold and can easily recover."

The link to "Microsoft" in this blog post is for their takedown of Citadel, a descendant of Zeus. Less than a year earlier, however, the same corporate blog said this:

https://blog.damballa.com/archives/290

"You'll note that I started this blog with the term botnet malware, rather than botnets. There's a reason for that -- and it's explained in the whitepaper I published recently concerning the many-to-many botnet relationship. The stats posted by NetworkWorld group multiple botnets together under each major bot agent type (and ideally their most common malware name) -- but do not necessarily represent a single botnet or even a single malware version. For example, sitting in first place is Zeus. Zeus variants are more than plentiful -- being custom created using the popular Zeus [do it yourself (DIY)] creator kit and the 3.6 million hosts infected with it are distributed amongst multiple independent botnets (i.e. operated by different bot masters)."

This is a marketing blog post, so technical accuracy may be missing. Even the 2014 Verizon Data Breach Investigation Report makes a similar error when describing Zeus [Ver14]:

"Zeus (sometimes called 'Zbot') is sort of the cockroach of malware. It has managed to survive and even thrive despite many attempts to eradicate it. [...] Despite the efforts of many, it has continued to elude the good guys that are trying to shut it down."

So either Damballa's argument is weakened because it is based on a technically inaccurate understanding of how Zeus/Citadel work, or a dual standard is being applied (i.e., when advantageous for marketing purposes, point out that it is impossible to take down "Zeus" because there is no single "Zeus botnet," but when it is advantageous for marketing purposes to do otherwise and criticize Microsoft for a "haphazard" result and for not fully taking down a botnet like Zeus and Citadel). Since Verizon made the same mistake, it seems more likely that the Damballa blog is just wrong on this point.

The word "haphazard" has another definition, though, which raises another more important dual standard: "by mere chance" or "by accident." This blog post cites [NAP+14], highlighting the Mariposa Working Group as a counter-example to Microsoft's takedown of Citadel. As we have already seen above, the arrests and conviction in the Mariposa case resulted by the accidental operational security lapse by Netkairo, after he took back control of the Mariposa botnet and used it to attack Mariposa Working Group members, resulting in the collateral damage. It was this mistake by Netkairo during the fight for control of the botnet that resulted in his arrest, which lead to the arrest of his Slovenian co-conspirator, whose punishment was set based in part of the harm caused by the DDoS attack. That chain of events was a complete accident, unplanned, and by mere chance. In other words, this was by definition a haphazard result. How is it fair or honest to be part of a haphazard response that involves collateral damage, then attack someone else for the exact same thing?

Admitting Responsibility and Changing for the Better

David Finn, the Executive Director of Microsoft's Digital Crimes Unit (DCU), has publicly admitted the problem with the No-IP takedown and apologized. [Kir14] Beyond the statement of Chris Davis quoted above, I have not seen anything similar from those in the Mariposa Working Group who have been bashing Microsoft. I would be happy to learn of such a statement, if anyone can point one out to me. Unless and until I am aware of such a statement, I find it hard to accept the criticism of anyone involved with Mariposa as anything other than biased attacks for personal gain, and view the Wired article as a biased attack piece, not a very well-researched piece of journalism.

What happened in the Mariposa takedown was a pretty big OPSEC failure, yet almost nobody is learning from that failure. Those who did the Kelihos.B sinkhole, on the other hand, used an isolated network block that was on a high-bandwidth, lightly used network segment, which could be null-routed on a moment's notice if there was a DDoS counterstrike and nobody else would be affected. They didn't make this public, so no lessons from Mariposa about what NOT TO DO, and no lessons from the Kelihos sinkholing about what TO DO. This is why outside review, transparency, and accountability matter.

Damballa deserves credit for developing capabilities that can monitor DNS activity in a way that can provide useful metrics in a botnet takedown operation. But they don't have standing in a court, which is necessary to seek civil legal remedies the way Microsoft does. So they (and other similar companies who are not the victims themselves, or have the same contractual relationships that Microsoft has with its customers) want to suggest that takedowns using only technical means are the way to go, while trying to stop Microsoft from using a mechanism they cannot themselves use. Microsoft has a track record of successfully using civil legal process in conjunction with technical means. Many, including those in the Wired article, suggest that the technical aspects need improvement. If we accept that critique, it seems to me that there is no single working group, or any single company, who has the perfect solution and can successfully handle any botnet takedown (with criminal or civil penalties for the botmasters) by themselves. Everyone has something to learn and something to contribute at the same time. The best results will come from combining strengths and advancing the collective capacity for effective actions, while avoiding doing things that have been found to risk potential collateral damage. And from avoiding splitting the community for what looks like nothing more than wanting to selfishly score points.

In Summary

Making a detailed critique as I have here risks those who are mentioned feeling attacked and causing hard feelings and division of this community. Some believe that directly calling people out for harms resulting from errors of commission or omission in activities they have been involved in is not productive. On the other hand, those who are being called out here are themselves calling others out and attacking them, similarly resulting in hard feelings and division of this community. Why should part of the community unilaterally abstain from confronting those who chose to confront others? Why don't more of us in the computer security community voice criticism (in private, if not in public) for acts that violate trust, or appear to be self-serving and divisive of this community? Why should we continue to accept violations of trust, hypocritical attacks, or actions that benefit the actor far more than they benefit society at large or advance the cause of bringing computer criminals to justice?

As someone at M3AAWG recently asked in a town hall meeting on botnet takedowns, "Do we need to 'blow up the old system' in which we have been operating and replace it with something new?" Perhaps a system that that is more just, more fair, more professional, and more responsible to not only this community, but also to the internet user population that we all claim are the ones we are trying to serve by doing what we do? If so, what is that we should do next?

I think that we either develop standards that apply equally to everyone, hold everyone to account for harms for which they bear some responsibility and encourage them to own up and apologize when that happens, or we risk being seen by the public as hypocritical or reckless. I don't like hypocrisy and I rarely hesitate pointing it out when I see it. The definition of "integrity" that I like to use is that of Stephen Carter, [Car96] which is knowing right from wrong, acting on your understanding of right and wrong, even at personal cost, and being able to clearly articulate how you came to decide on your actions. Sometimes people don't like to hear what I have to say, which I understand (and do my best to remain civil and professional in my critical analysis). I also acknowledge that we are all humans, and humans make mistakes and oversights, so I'm even open to allowing people to use that an excuse (when applied equally and fairly, not just when it serves as a convenient way to attack someone else). Chris Davis has publicly acknowledged there was a problem with Mariposa and that he wouldn't do things the same way again. So has David Finn. This is one of the reasons that I believe an unbiased group who can evaluate and guide those wishing to do aggressive botnet takedowns needs to exist. Nobody else should duplicate mistakes of the past, so if Mariposa is going to be held up as the ideal case study, I think honesty, transparency, accountability, and integrity call for telling the whole story.

Katherine Carpenter and I recently presented at CyCon in Estonia. [DC14] In the conclusion of the talk, we laid out the elements of an ethical framework for aggressive responses to cybercrime. This framework:

  • Should handle deconfliction, or impacting other crime-fighting actions in what is sometimes called "blue on blue" effects.
  • Should provide before- and after-action review, to learn lessons of works and what causes negative consequences.
  • Should favor government over private sector action at the extreme end of the Active Response Continuum. [DH05]
  • Should favor civil/criminal process over extra-judicial private sector action.
  • Should follow virtue ethics (Integrity + "Right Action" justification) for aggressive actions against systems outside of the actor's zone of authority and without the owners' knowledge or cooperation.

And what if we don't have a trusted group for guiding computer crime response, or use an ethical framework like the one just mentioned? There are growing calls for the right to "hack back" (euphemistically called "active defense" to conceal the full range of risky and potentially illegal actions that may be taken). What if everyone continues planning more and more aggressive actions in secrecy, in isolation, and without any external review before taking action? What if we accept that competition is the norm, and dual-standard based on narrow self-interest are a given? To that end, this quote comes to mind:

"No set of social norms, however desirable, will succeed if its substantive commands are widely and systematically disregarded, which will happen unless they are accepted as legitimate (even if not ideal) by large segments of the population. Even if most individuals are what we should self-consciously call law-abiding, any large population is sure to contain a few outliers who are eager to take advantage of any perceived gaps within the social or legal system. Their unilateral decisions will in turn embolden others to follow the same course. At some point, even those individuals who prefer to respect the rights of others will have no choice but to fend for themselves as the entire system unravels. The outliers will, if left unchecked, dictate the social agenda as others follow suit." [Eps05]

The good news is that in the near future we are likely to see a group of experts along the lines mentioned above who share in the belief that common goals, "best practice" guidance, and collaborative outreach efforts can improve the global capacity to effectively and safely respond to cybercrime.

References

[Car96]Stephen L. Carter. Integrity. BasicBooks - A division of Harper Collins Publishers, 1996. ISBN 0-465-03466-7, http://www.stephencarterbooks.com/books/nonfiction/integrity.
[DBD11]David Dittrich, Michael Bailey, and Sven Dietrich. Building An Active Computer Security Ethics Community. Security Privacy, IEEE, 9(4):32--40, July/August 2011. https://staff.washington.edu/dittrich/papers/ieee-snp-ethics-2011.pdf.
[DC14]David Dittrich and Katherine Carpenter. Protecting Property in Cyberspace using "Force": Legal and Ethical Justifications. http://staff.washington.edu/dittrich/talks/CyCon-2014-DittrichCarpenter.pdf, June 2014. Presentation to the NATO CCDCOE Cyber Conflict 2014 conference, Strategy and Law track. http://www.ccdcoe.org/cycon/2014/app.html
[DH05]David Dittrich and Kenneth E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://ssrn.com/abstract=790585.
[Eps05]Richard Epstein. The Theory and Practice of Self-Help. 1 J.L. Econ. & Pol'y, pages 1-31, December 2005.
[Kir14]Jeremy Kirk. Microsoft admits technical error in IP takeover, but No-IP still down. http://www.computerworld.com/s/article/9249509/Microsoft_admits_technical_error_in_IP_takeover_but_No_IP_still_down, July 2014.
[Kre10]Brian Krebs. 'Mariposa' Botnet Authors May Avoid Jail Time. http://krebsonsecurity.com/2010/03/mariposa-botnet-authors-may-avoid-jail-time/, March 2010.
[McM10]Robert McMillan. Spanish Police Take Down Massive Mariposa Botnet. http://www.pcworld.com/businesscenter/article/190634/spanish_police_take_down_massive_mariposa_botnet.html, March 2010.
[McM14]Robert McMillan. How Microsoft Appointed Itself Sheriff of the Internet. http://www.wired.com/2014/10/microsoft-pinkerton/, October 2014.
[NAP+14](1, 2, 3, 4, 5) Yacin Nadji, Manos Antonakakis, Roberto Perdisci, David Dagon, and Wenke Lee. Beheading Hydras: Performing Effective Botnet Takedowns. 2014.
[Ver14]Verizon. 2014 Data Breach Investigations Report. http://www.verizonenterprise.com/DBIR/2014/reports/rp_Verizon-DBIR-2014_en_xg.pdf, April 2014.

Comments

comments powered by Disqus