US Shows Interest In Zombie Quarantine Code 195
bennyboy64 writes "Barack Obama's cyber-security coordinator has shown interest in an e-security code of practice developed in Australia that aims to quarantine Internet users infected by malware, also known as zombie computers. He reportedly said it would be a useful role model for the US to adopt. One suggestion within the code is to put infected users into a 'walled garden,' which limits Internet access to prevent further security problems until quarantined. Another is to throttle the speed of an infected users' Internet connection until their computer fixed. The code is also being considered by other Asia-Pacific countries, ZDNet reports."
Principle and practice (Score:5, Insightful)
I'm thinking mostly about false positives - I've had a Mac identified as running some Windows virus, at the time I presumed due to NAT somewhere at the ISP level. Getting that sorted out was a matter of waiting half an hour or so, but I can imagine that becoming a more serious issue if this is 'by law'.
The other thing worrying would be forced steps to remove things. I could go with an "ensure you're clean rule", but would be against a "ensure you're running this particular security measure" rule.
Cheers,
Ian
Monitoring... (Score:3, Insightful)
Some are forgetting the obvious that this would require the monitoring of traffic.
Information control is the goal. (Score:3, Insightful)
I'm guessing that the new paradigm the government is following in regard to the internet is total information control. It started with total information awareness. The original goal was to monitor all the information on the internet to see and prevent terrorism. Most of us agreed with that idea, and now that the internet is fully monitored the next step is to gain complete control over it. This way if a powerful person doesn't like what is being said on a specific website or by a specific computer, they can quarantine it. This word "quarantine" gives an indication about how the government sees unfavorable information. They see it as a "virus", or "mind virus", which is otherwise known as a meme. The only way to stop the spread of a meme is by quarantining it.
Once again this is about information control, not security. If it's about stopping zombie infectious malware as the article claims they could use many technical solutions to do this and put the control in the hands of the user. The user could set up their system to handle it and the government has no reason to get involved. Or the government could promote corporations such as Google to develop an improved version of Linux or the Linux kernel to have a feature to allow this much in the same way the NSA developed SELinux. To make it a political issue and to use Australia of all places as the example is exactly the wrong way to go about it. We all know that Australia has a completely censored internet with a list of sites people cannot go to because the government does not like the information on these sites.
This might fool individuals who don't understand technology. Saying it's to secure the internet while you throttle their broadband speed might make sense to the 16 year old kid downloading mp3s or using bit torrent. It might make sense to the adult who works in an unrelated industry with little to no knowledge about network neutrality or what is at stake when internet speeds and information is regulated in a centralized manner. To individuals who understand the technology and how to use the internet the idea of controlling the information flowing through the pipes defeats the purpose of the internet itself. I cannot imagine any programmer, hacker, script kiddie, gamer, or serious user supporting this idea. Most of us would rather risk being infected by malware than have our broadband speed throttled.
And let's be honest, child pornography is probably the worst kind of virus you can be infected with. And the only reason it's so horrible is because the laws related to possession of it are unreasonable. So before we go and fundamentally try to alter the code of the internet and create millions of unintended consequences we should debate what we want the internet to be and what it's purpose is. Does the internet exist as a weapon of war or is it something more fundamental? Should the government control the internet or should the market control the internet?
If the government wants to have this much control over it, maybe they should make it free. That's my opinion. But to bait and switch like this is unfair to individuals who have paid for internet access for over a decade, who have created most of the content on the WWW, who have made the internet what it is.
This is not their job. (Score:5, Insightful)
In contrasting this with the president's ability to declare a cyber attack and disable internet access in the United States, I'd say this seems like a reasoned approach that would hopefully be considered an alternative to the former where applicable.
My only real concern is that of privacy. How exactly do they go about telling you're a zombie? Well written malware isn't exactly going to advertise infection, and even hosts which may be participating in a denial of service attack can't definitively be proven to be infected unless they're obvious (like sending a TCP packet with an invalid combination of flags, for instance). Scarier would be using the 'zombie' excuse to monitor net traffic on a connection for 'investigative' purposes. So it may just turn out pointless or it may be a ruse for a different kind of control. Anyone have any articles as to the effects of this or some cases where it was actually used in AU?
It's not reasonable for the government to do anything more than monitor the internet. To start telling people how to run their nodes, what websites they can and can't visit, how they can or can't surf the web and at what speeds, is authoritarianism on the web. The internet was not designed for authoritarianism, it was designed to be an anti-authoritarian technology, it was designed to be decentralized, it was designed in this way because authoritarian centralized systems usually have a single point of failure. These overly centralized systems are more likely to fall or collapse.
The internet as it is designed now is already more advanced than the design of most other systems. To centralize and control it down to the byte flowing through each wire, inspecting every package, analyzing every bit, and controlling which bits to quarantine and which bits not, is just a stealth mechanism which can be used either to destroy the internet or weaponize it. This along with the new behavioral advertising schemes allows for specific centralized entities to feed specific information to specific computers, and now they want to be able to quarantine specific computers to block them from receiving specific information from other computers.
How can this be good for the internet as a whole? How can this be good for the flow of information from a mathematics/physics point of view? How can it be ethical if the objective is to reduce ignorance and preserve freedom of speech? It can only be ethical if the objective is to control, weaponize, and win at any cost.
Bad editors! (Score:5, Insightful)
File sharing programs = Malware. (Score:5, Insightful)
So if you run bit torrent and they decide it's malware, now they can throttle your internet speed and quarantine you. Or if you download legal but tasteless pornography this could be determined to be malware and your speed can be throttled.
This idea is as bad as the kill switch idea.
Re:File sharing programs = Malware. (Score:3, Insightful)
Then your ISP is given the 'option' to inspect packets to cut down on false positives.
Next they have to report anything suspicious in plain text that they might notice - just the really bad stuff.
Then its all p2p use of interest under Anti-Counterfeiting Trade Agreement (ACTA) and the "voluntary" for ISPs to adopt is dropped.
Re:Principle and practice (Score:1, Insightful)
I like this idea in principle, but concerned about the details.
I DON'T like this idea in principle, AND I am concerned about the details. Like any other POLITICAL legislation to control people (and their machines), their is a lot of leeway into the POLITICAL process of defining what "malware" is. I'm sure for example, that the RIAA would define most P2P programs like bittorrent as malware, and would lobby for having user's computers disconnected from the Internet because P2P programs can spread viruses.
I can also see almost ANY program that is a "bot" (i.e. does things automatically on the Internet) as being defined as "malware" by the ignorant and politically sensational. For example, a program that searches for open proxies is (or has been) used by viruses, but this negates the legitimate uses for average citizens and businesses to search for open proxies to use as privacy tools.
Programs that act as servers can also be considered malware. In fact many ISPs don't even want you to run a Web server, because (I would presume) it can increase bandwidth for their "unlimited" accounts and nullify their own Web hosting businesses. On the FUD-based side, IRC servers could easily be defined by lobbyists and political advocates as malware. For example, many IRC bots are used (OK, this was more fashionable a few years ago) as command and control centres for bot-nets, as well as such "malware" distribution centres like child pornography, RIAA music sharing, MPAA movie sharing, etc and so on.
There is also the nanny-state mentality that is inherent in any such rules, however "voluntary" these rules may be. Any measure to "protect" the public will ultimately be abused (as it was in the past, as it is in the present, and as it shall be in the future. Amen). It is known that the crime rate in Russia was at its lowest during the period of martial law of the attempted coup d'état during Boris Yeltsin's reign. It's nice for some people to live without crime (prostitution, sharing videos, smoking marijuana, watering a lawn during a rain storm, home schooling [illegal in Germany], etc), but I would rather be a deviant living in freedom and at risk for a computer virus attack; than being controlled, monitored and (potentially) punished because of some political ideology.
And, no doubt, politically dubious speech will ultimately come under this banner of "malware". Just like messages that instruct users to delete important system files from their computers is considered part of the malware process, so too will many security sites and legitimate security software be considered malware if used by non-police or military forces. The U.S. government even considered encryption technology to be malware [wikipedia.org].
It's just another excuse to control people for the excuse of helping people. The nanny state is here, and it is getting more patriarchal.
Re:This is not their job. (Score:5, Insightful)
It was designed for the military. You don't get much more authoritarian than that.
It was also designed on the assumption that those using it would know what they were doing.
Why do you keep using a political description as if it were a technical one?
it is partly their job (Score:4, Insightful)
It's not reasonable for the government to do anything more than monitor the internet. To start telling people how to run their nodes
In a competitive world, businesses WILL NOT prepare for disaster unless the executives see that it affects the stock price. Preparing for disaster is expensive, and it seldom pays off. (see also: car industry, banking industry, airlines, BP, failure to protect against natural disasters...)
If we want the internet to keep running, without collapsing during a cyberwar, then we do need to insist on some things. It's like requiring that banks keep some reserve, requiring that oil companies have a means to stop a leak, or requiring that an airline not skimp on maintenance when the competition gets fierce.
Re:Seems reasonable (Score:4, Insightful)
"I would like to see compromised PCs neutered or otherwise stopped. I would like my rights and freedoms not to be tampered with"
You do not have the right to shit in my yard.
And that's what the botnets do. They shit in *everyone's* yard.
--
BMO
Re:This is not their job. (Score:4, Insightful)
It was designed for the military. You don't get much more authoritarian than that.
http://en.wikipedia.org/wiki/ARPANET [wikipedia.org] Arpanet was designed for the military. The Internet/World Wide Web was designed for civilians. The Arpanet even though it was designed for the military it was not designed to be an authoritarian tool or an information weapon. I also disagree with your opinion of the military being authoritarian. The military is only as authoritarian as the Constitution says it is. If the military fights to defend the Constitution, even if the ends justify the means the ends (the Constitution) are still just. We only have a problem when we have civilian leadership that subjectively interprets the Constitution so that free speech doesn't really mean completely free and that there are exceptions here and there. This muddles the waters and authoritarianism can rise up during the confusion but the Constitution itself is not an authoritarian document.
It was also designed on the assumption that those using it would know what they were doing.
The military's role is to protect and defend the Constitution with their lives if necessary. They all swear to protect that. So the soldiers actually use authoritarian means to protect the anti authoritarian interpretation of the Constitution. The problems arise when the Constitution is interpreted as authoritarian. Now gun control is acceptable, and now the Constitution can even be suspended. This is the source of the confusion, individuals no longer have a clear answer as to what they are fighting for or what the laws are, only the lawyers and judges know, only the President knows.
I'd like it to be a technical situation but it's as political as it is technical. When you have one group who says gun control is Constitutional and another group saying they can spy on everybody, and another group saying gay marriage should be banned as a Constitutional amendment, and another group saying free speech isn't free, you have a fundamental disconnect between factions.
You have the faction that believes the way to win the war is to control and micromanage every living thing on the planet. They believe that power is the most important principle because absolute power wins all wars. This point of view makes perfect sense when fighting for your existence such as during World War 3 or something like that. The enemy is going to exterminate you if you lose so you fight to win, I get it.
I also understand that if we have to give up all liberty to win the war then after the war is won it's very unlikely that we'd ever get liberty back. Quality of life will be diminished and most people aren't living to protect the Constitution or living to defeat an enemy, most people are living to achieve quality of life/the American dream/pursuit of happiness. So this basically is a situation where the American populace has to sacrifice happiness for security. After a certain point it becomes a prison without walls, what is the point?
So you have the consequentalist warrior argument from the far right military industrial complex. They want to win the war even if they have to sacrifice themselves to do it. Then you have the majority of civilians (especially the young) who haven't lived life yet and don't like the idea of sacrificing happiness and the American dream to achieve victory in a war they have nothing to do with.
To the youth having liberty/happiness is more important than anything else. The reason is the youth will have to live in this miserable society for the next 40-50 years with no rights and no liberty, living in a prison without walls to fight wars to maintain US superpower status.
I understand both sides. It requires sacrifice to maintain US national security and US superpower status. What I don't like is the misinformation about the US fighting to spread freedom and democracy, or pretending to care about human rights. The youth don't know an
Re:Seems reasonable (Score:4, Insightful)
Take off the tinfoil.
This should have been done years ago when the botnets really started going full bore.
You think you're the sole victim if you're running an infected machine? You're not. I have no sympathy at all. Getting ISPs to boot compromised machines has been impossible when done from the private sector. I know. I've tried. You know how many machines I know that I've gotten shut down?
One. That's right, one machine, and that took writing email personally to someone higher in the chain of command than the help desk.
ISPs don't want to quarantine customers. Customers give them money. Whether they are good neighbors or not doesn't matter. What it says in the TOS doesn't matter. All that does is simply cover the ISP's butt legally if the ISP has a case of elbow syndrome.
This is not installing secret software on your computer to send out to the Three Letter Agencies to spy on you and take away your rights. This is so people can be stopped from being bad neitzens. Your computer is part of a botnet that is blackmailing a .com or attacking a .gov site like the IRS? Sorry, but you're disconnected until it's cleaned up.
So don't give me your "help help I'm being repressed" BS.
If you're going to shit on my lawn, I'm going to call a cop.
--
BMO
Re:knee-jerk reactions without reading (Score:1, Insightful)
Is it just me, or is the first onslaught of posts unusually full of people who seem to want to judge government first and read/think later? I mean, beyond the usual level here.
The problem occurs when it becomes a government mandate.
Like most things, education is often better than propaganda or legislation. Let's face it, spam email is (primarily) a nuisance, and not much more, and it primarily affects people who have done something to initiate spam email (like sign up to a Yahoo or Google email account). It is better for most people to receive a half hour of education, telling them not to open email attachments from unknown people and to turn off Web-browser abilities, including scripting functions in their email clients than to control them.
You said,
...read/think later? I mean, beyond the usual level here.
Many people have called me stupid. Mostly Right-Wing people, religious people, and people who believe in "UFOs". I guess I can't change my genetics.
We are well over 50% of the internet's capacity being used to send people junk mail, most of it both offensive and fraudulent, far too much of it containing executable payloads that harm the internet itself, etc.
Guess what? I WILL EDUCATE YOU! ISPs do block known spam outlets. ISPs do already cut off Internet users who are known (or highly suspected) of having viruses. Again, this is about government mandates and not about ISPs being responsible or irresponsible.
If the ISPs don't take voluntary action at a level of minimum intrusion, some excited parents' group is going to hold a referendum and hand their government the right to intrude in every living room.
Here's where you sound like a shill for the Internet control lobbyists. ISPs need to have a ZERO level of INTRUSION to run an ISP responsibly. If they get complaints or see HUGE amounts of data going through their servers on email ports (of their non-business customer accounts) then they will investigate or be black-holed from the Internet (just like at one time China was once blacklisted because it had so many malicious things coming out of the country). I've even heard that some ISPs banned Yahoo email, because ANYBODY could sign up for a free email account, and they often did, to abuse the system. Nothing new needs to be done here.
Sure, this proposal goes too far in places, misses the boat technically in others. It's not perfect. But it's better than legalizing deep inspection to be adminitered and performed by the agency of the UN/international courts.
What do you think this whole business is about? This whole security FUD business is about legitimated (the arguments) of deep-packet-inspection, among other things.
If we want better than this, we need to come up with counter-proposals of our own, get out, educate people. (And get ourselves off the OS that is the primary medium of abuse.)
I sense a Flamebait here. You should take your own advice and think before posting.
Well, for me, since...
It's been 1 hour, 33 minutes since you last successfully posted a comment
I've noticed that your thoughtless and uneducated comments have been up-moderated to +5 Insightful. YOU are obviously a part of the status quo and have nothing to worry about. So there is no need to preach, because normal people think the exact same way as YOU. You can be happy in the knowledge that most people believe in your idea that ISPs should have "a level of minimum intrusion" to violate their customers privacy.
MODERATORS:
Feel free to moderate me Flamebait, because I would never have the arrogance to say something as popular and status quo as the parent:
Is it just me, or is the first onslaught of posts unusually full of people who seem to want to judge government first and read/think late
The answer is not that difficult. (Score:2, Insightful)
I don't mind... (Score:2, Insightful)
Scary...would be abused... (Score:3, Insightful)
The bottom line is that these oligarchs want total control over information, they're threatened by the openness of the internet, the ability for people to bypass mainstream media outlets, the ability for people to share news and information worldwide without censorship or government/corporations (almost the same thing now in the US) putting everything into their own context, the dislike the ability for people to organize.....One way or they other they are going to try to destroy all that is good about the internet.
Malware is a problem, and people who don't patch or have proper security are stupid, but he model we have, where everyone takes responsibility for their own systems works fine, despite the rhetoric, and giving the corporate/government empire more control for any reason is a bad, bad idea.
Re:Seems reasonable (Score:5, Insightful)
I think you misunderstand. I have never had a compromised machine. Not once in the 25+ years I've owned machines.
What I am concerned about is what is required to support such actions. In order to support a law that requires machines get cut off the net perhaps only an IP address would need to be listed and issue to an ISP. What if that IP address was spoofed? What if something had changed? What if that IP address was hosted by a wireless network that was either compromised or on the network of someone trying to diagnose a problem before it was realized that it was infected? There are too many ways something could be mistaken in that regard. And what of the requirements for "proof"? Does the ISP receive more than the request or will complete forensic details be presented to the ISP? Will the user(s) ever see the complaint?
I do have some personal experience with how government actions can be made too easily and in error at the same time. I was once about to have my pay garnished for child support by the State of California while I was living in Texas. There was something wrong with that though... *I* had the children, not the mother! She filed false reports to welfare agencies. So based on those false reports, she collected money and my pay was to have my pay garnished? And what proof was offered? None! Just a letter ordering the State of Texas to do so. And while I insisted that I had the children with me, Texas wouldn't stop the action. I asked them to check the local school where I had them enrolled. They didn't want to bother. I ended up pulling them out of school with a copy of their enrolment and attendance records in hand and brought the children to the office in Texas personally as PROOF that I have the children with me and that the garnishment order was in error. In the end my pay was not garnished but it did require the loss of a day's pay to prevent it.
So in summary, this story shows that false reports/data/information can be part of a government order for some action and that report may have little or no proof supporting it. But the victim of such mistakes, the falsely accused, may have to go through ALL MANNER of trouble to prove they were innocent or otherwise not responsible.
Take for example that in my home, I run mostly Linux with occasional Mac OSX usage and an occasional Windows guest. If something were to happen resulting in my network getting limited in some way, what would be required of me to have it restored? Will the asshats at the government agency be required to inspect my home network and its inventory?! Will they understand that I run Linux or what to do with it?
I think you are not thinking this through. This is not fear of the unknown. I know quite personally how government can be when it comes to applying process and procedures for laws like these. I used the DMCA example because there is a fairly low cost of starting a claim under the DMCA and little if no evidence it required in making a claim. What's more, there are no punitive actions required in the event of a false claim. Meanwhile, the person who was claimed against suffers down time, emotional stress from dealing with the false claim and required to do a lot of work in order to restore things once removed. The burden is too often placed on the victim under laws like the DMCA.
Re:This is not their job. (Score:3, Insightful)
If the government doesn't, who will? The only other group I can think of is the ISPs, and I trust them significantly less than I trust the government. Personally, my preference would either be throttling or putting some sort of a letter of some sort on them. Perhaps a shade of red, that way people will know to stay away.
Re:File sharing programs = Malware. (Score:3, Insightful)