The week before last the FBI announced that they had taken down the Coreflood bot-net of perhaps 2 million systems by taking over the command-and-control system.
This was a major event. It demonstrated that we do not simply have to tolerate the existence of hostile networks of compromised systems. It also demonstrated that law enforcement can be effective in the Internet.
Shawn Henry, Executive Assistant Director of the FBI's Criminal, Cyber, Response and Services Branch, said, "These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure."
Although most people were happy to see the Coreflood bot-net go, some have expressed concern about the tactics used in its take-down. They are concerned that these may be seen to legitimize behavior that, after decades of debate, has finally come to be seen as illegitimate.
Federal prosecutors obtained a temporary restraining order allowing them to replace several identified Coreflood command-and-control (C&C) servers with their own servers, which were then used to send shutdown commands to the Coreflood malware.
One colleague responded by saying "Remote administration without permission is 'hacking.'" I will grant him his semantics without granting him his point.
The first time I said that, and I may well have been the first to do so, I said it in response to the clever child who had created an "anti-virus virus." Of course, the same things are wrong with the idea of an anti-virus virus as with any other virus. First, like any virus, the anti-virus would not have the permission or knowledge of the target system owner.
The real problem is that, independent of the intent or motive of the author, he cannot know enough about the network to predict how his virus will behave. It is difficult enough for him to predict the behavior of his program in a single system that he controls. It is almost impossible to predict its behavior in a population of hundreds of thousands of systems connected in an arbitrary network.
The Electronic Frontier Foundation technology director, Chris Palmer, said the method "is not a safe way to go about [disabling malware] and it's divergent with standard practice."
The "standard practice" that he defends is simply to take down the command-and-control servers while leaving the bots active. The FBI's non-standard practice may not meet Mr. Palmer's test for "safe," but it meets mine for "effective."
We rightly fear the awesome power of government. The preservation of Liberty requires constant vigilance against the abuse of that power. Our colleagues who have questioned this action are right to do so. However, the existence of the question does not imply, nor should we infer, the obvious answer.
Note that in this case, the FBI did not initiate communication with arbitrary systems. It waited until the compromised systems came to it. It did not send a program. It simply sent a command in response to a request, and it sent the most conservative command available: "shut down," that is, do nothing.
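The distinction drawn above, between pushing code at arbitrary hosts and merely answering hosts that call in, is what a C&C sinkhole implements. The following is an added example (not code from the original post and not Coreflood's actual protocol): the beacon format, the `STOP` reply, and the `simulated_bot` stand-in for an infected host are all assumptions made for illustration. The sinkhole listens, accepts whatever connects, records the peer for later victim notification, and answers a recognized beacon with a single stop command. It never opens a connection outward and never transmits a program.

```python
"""
Sinkhole that only answers inbound beacons with a stop command.

Hypothetical beacon protocol (an assumption for illustration, not
Coreflood's real protocol): a bot connects over TCP and sends one
line such as  "BEACON id=<bot-id> ver=<n>\n".  The sinkhole logs the
peer, replies with "STOP\n" (the most conservative command), and
closes the connection.  It never initiates connections and never
sends code to the bot.
"""
import re
import socket
import socketserver
import threading

BEACON_RE = re.compile(rb"^BEACON id=([A-Za-z0-9-]{1,64}) ver=(\d+)$")
STOP_COMMAND = b"STOP\n"

# Constructed in-memory record of which bots checked in and from where;
# a real sinkhole would hand this to ISPs for victim notification.
victims = {}
victims_lock = threading.Lock()


def handle_beacon(line: bytes, peer: str = "unknown"):
    """Return the reply for one beacon line, or None when the line is
    not a recognised beacon (in which case nothing is sent back)."""
    m = BEACON_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    bot_id = m.group(1).decode()
    with victims_lock:
        victims[bot_id] = peer
    return STOP_COMMAND


class SinkholeHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Read at most one line; the sinkhole never asks the bot for more.
        line = self.rfile.readline(256)
        reply = handle_beacon(line, self.client_address[0])
        if reply is not None:
            self.wfile.write(reply)
        # Returning closes the connection: no follow-up traffic to the bot.


class Sinkhole(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_sinkhole(host="127.0.0.1", port=0):
    """Bind the sinkhole (port 0 picks a free port) and serve in the
    background; the caller stops it with srv.shutdown()."""
    srv = Sinkhole((host, port), SinkholeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def simulated_bot(host, port, bot_id, version=3, timeout=2.0):
    """Constructed stand-in for an infected host: it connects to the C&C
    address it was configured with, sends its beacon, and acts on the
    one-line reply.  The sinkhole did nothing to make it connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"BEACON id=%s ver=%d\n" % (bot_id.encode(), version))
        reply = s.makefile("rb").readline()
    return "shutdown" if reply == STOP_COMMAND else "keep running"


if __name__ == "__main__":
    srv = start_sinkhole()
    host, port = srv.server_address
    print(simulated_bot(host, port, "bot-0001"))
    print(sorted(victims))
    srv.shutdown()
```

Two design points follow directly from the argument above: the handler only ever writes in response to a line that already arrived, so a scan of the sinkhole's outbound traffic shows nothing unsolicited, and `handle_beacon` returns `None` for anything that is not a beacon, so a stray browser or scanner hitting the port gets no command at all.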
It is this act which offends my friends, the purists. They are offended, in part, because the executive branch has not been explicitly authorized by the legislature to so act. However, one suspects that if the executive had asked the legislature for this authority, the same, or other, "purists" would have opposed it.
Public Safety, like information security, often involves difficult ethical choices, the lesser of evils. Sometimes it even involves the use of coercion or force. Note that government is the only institution in our society that is empowered to use force.
In this instance the executive did not act unilaterally; the FBI did get a court order. These are not vigilantes. Moreover, if they can be entrusted to use force, they can be entrusted to act in the Internet in ways that are forbidden to the ordinary citizen. That the police do something does not give the citizen license to do the same thing.
I invite my anxious colleagues to rest easy. The Internet is safer and the FBI has not gone rogue.
A final word of caution. One should not infer that all bot-nets can be brought down by the same method. Those networks that use the same peer-to-peer protocols used by file-sharing programs (e.g., BitTorrent) and do not rely on a central command-and-control server have no server to seize and replace, and will not yield to this method.
Those charged with protecting public safety and those protecting the information infrastructure will continue to be confronted with difficult ethical choices. That is why we are both called professionals and are paid the big bucks.