Internet vigilantism tech

The latest issue of Bruce Schneier's Crypto-gram has an interesting section entitled "Counterattack", in which he enumerates many reasons why automatic responses to attacks on information systems are a bad idea. He specifically calls out the MPAA's and RIAA's desire for legislation that would give them the legal right to hack into computers that they accuse of violating copyright law (without a trial or even a burden of proof, naturally). So, if someone has digital security implemented on their computer to protect their own copyrighted material and they are suspected of sharing songs on a p2p network, the RIAA gets to combat a possible DMCA violation by... committing a definite DMCA violation? Hmmm - that hardly seems equitable.

I am not a lawyer, but it seems to me that any law that would give law enforcement powers to a private individual or group without a trial is somewhat akin to anarchy. What's next - does Disney get an army to invade countries that pirate its intellectual property?

While Bruce focuses on the moral and legal reasons why he believes counterattacks are wrong, there are also some very solid technical reasons not to have autonomic security responses. He touches on this danger by succinctly stating, "Vigilantism is wrong because the vigilante could be wrong."

Spoofing prevents accurate identification of one-way attacks. Anything from a distributed denial-of-service (DDoS) attack to a spam e-mail message could be considered a "violation" of my system (depending on my conditions of use and security policies), but if that DDoS packet is crafted to look like it comes from one of AOL's proxy servers or that unsolicited e-mail is forged to look like it was sent by root@nsa.gov, I'm pretty sure that an automated counterattack is not in my best interest.

In fact, autonomic responses to threats are themselves fantastic weapons - imagine if Microsoft automatically collapsed routes (i.e. simply stopped routing traffic) or even severely rate-limited traffic to/from IP addresses that it felt were attacking it. Maliciously spoofing IP header information to make it look like attack traffic was being generated by a targeted IP address or address range and subsequently directing it at Microsoft would be disastrous for the target. Assuming the target was a Microsoft shop, it would seriously hinder that target's ability to get technical support (or, more deviously, to acquire patches for security holes that the spoofer plans to exploit). What about tricking two systems into counterattacking each other? Or what if a compromised system is used to launch an attack, thereby receiving the brunt of a counterattack without knowingly doing anything wrong? The possibilities for abuse are endless.
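As an added illustration (my own example, not code from the original post), here is a small Python simulation of the spoofing problem described above: a responder that acts on whatever source address exceeds a threshold can be pointed at a bystander by anyone who can forge packet headers, whereas one that counts only peers that completed a handshake cannot be steered by one-way spoofed traffic. All addresses, thresholds and packets are constructed sample data.

```python
"""Why an automatic response keyed on packet source addresses is steerable.

Every packet below is constructed for the simulation; nothing is captured traffic.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str         # claimed source address; unauthenticated in a one-way flood
    handshake: bool  # True only if this peer completed a TCP handshake, which
                     # proves it can actually receive replies sent to `src`


THRESHOLD = 100  # packets per window before the responder acts (constructed)


def naive_blocklist(packets):
    """Block any source address over the threshold, trusting the IP header."""
    counts = Counter(p.src for p in packets)
    return {src for src, n in counts.items() if n > THRESHOLD}


def handshake_blocklist(packets):
    """Count only peers that proved reachability; spoofed one-way packets are ignored."""
    counts = Counter(p.src for p in packets if p.handshake)
    return {src for src, n in counts.items() if n > THRESHOLD}


def spoofed_flood(victim, n):
    """n one-way packets carrying the victim's address in the header (constructed)."""
    return [Packet(src=victim, handshake=False) for _ in range(n)]


def handshaken_traffic(addr, n):
    """n packets from a peer that really did complete a handshake (constructed)."""
    return [Packet(src=addr, handshake=True) for _ in range(n)]


# RFC 5737 documentation addresses, used here purely as constructed sample values.
VICTIM = "192.0.2.10"        # innocent bystander whose address is forged
CUSTOMER = "198.51.100.7"    # ordinary client with modest traffic
ABUSER = "203.0.113.99"      # genuinely noisy peer that did complete a handshake


def demo():
    """Return (naive verdict, handshake-aware verdict) for one traffic window."""
    window = (spoofed_flood(VICTIM, 500)
              + handshaken_traffic(CUSTOMER, 20)
              + handshaken_traffic(ABUSER, 300))
    return naive_blocklist(window), handshake_blocklist(window)
```

Note that the handshake check only narrows misidentification: the compromised-host case from the paragraph above still passes it, which is why the safe response to a proven source is local rate limiting rather than anything aimed back at the address.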

There are also real costs in addition to the indirect costs of attacking your users (and perhaps breaking the law in the process). Bandwidth, storage, processing power, and all of the other fixed computing resources that get consumed have to come from somewhere - either you've borne the up-front capital and ongoing labor costs to have devices dedicated to counterattacking, or you're relying on your existing infrastructure to perform this counterattack, which in turn is diminishing your infrastructure's ability to do its "normal" work. It's a "pay me now or pay me later" scenario.

Autonomic computing is in its infancy, and it requires a great deal of trust and control over what is essentially a closed system to work properly. Emulating the human body's auto-immune system to fight off attacks - particularly in an open system like the Internet - is an autonomic computing challenge that will take more time, technology, and thoughtfulness (not to mention a sense of fairness akin to what Bruce suggests) to achieve.

Posted by Dan on January 06, 2003 at 04:05 PM
