windows virus bad

2007-09-09 01:13:23

Re:How do you explain this to the average joe?

(Score:5, Insightful)

by garompeta (1068578) on Saturday September 08, @01:24PM (#20521693)

You are underestimating how valuable and powerful distributed computing is, my friend.

It has been used for distributed MD5 crackers, collisions in SHA-1, and the search for extraterrestrial life... (eer... yeah)

Having a gigantic botnet of at least 100,000 computers to unimaginable millions of infected computers that we're probably ignoring or are unable to detect gives a tremendous asset to a malicious hacker.

It is a very fat milking cow:

1) Crack passwords that are not considered crackable in a reasonable amount of time
2) Botnets to attack whoever he wants (at a reasonable price or for a reasonable cause)
3) Millions of passwords, login accounts, PayPal, Amazon, credit card, identity, whatever, stolen.
4) Millions of proxies to hop on and chain, hiding the source of a real meticulous attack.
5) Millions of illegal distributed servers to host illegal materials (e.g.: virii, worms, child pornography)

Etc...

I told my oldest son about this botnet yesterday, mentioning that with between 2 million and 20 million CPUs working at any one time, and even that larger figure likely representing only a fraction of the botnet's total capacity, it collectively represented the most powerful supercomputer ever built... and it was effectively under the control of a small group of people with criminal intent - the author, or authors, of the worm. My son responded to me with a great deal of scepticism, first saying that none of these security experts who have made this analysis have any way to estimate what sort of computing power military organizations might have, so saying that it represented the most powerful supercomputer ever was actually a completely meaningless claim, and also, he proclaimed that the story was most probably just hype and over-exaggerated. He said that the claim of the most powerful supercomputer ever being controlled by criminals was simply too much to be believable, like the headlines one might see on the front page of the Weekly World News tabloid. He also said that it was ludicrous to see how sending people "penis extension ads" (which is about all he figures a botnet can do) can actually seriously harm anything or anyone.

So this got me to wondering... how much of this actually _is_ something that is of any real concern, and if it really is, how could it be explained to people in such a way that it's not going to sound like some claim from a conspiracy theorist?

You could also introduce him to the theory behind Bittorrent [wikipedia.org], which is a good demonstration of how many computers each doing a small task, given modest bandwidth, can add up to massive distribution and publication power in short order.

Now, what if some distributed network decided to siphon a gig of illegal or embarrassing materials onto a compromised target machine. Perhaps a politician that is voting the wrong way?

Then ask him, not if the entire banking industry is safe, but if an individual's information (SHA hash collision or private key, but that's not "average Joe" speak) could be subject to a distributed brute force attack [wikipedia.org].

With the growing power of computers making tiny pieces of malware harder and harder to notice (that 1% of processor time is more and more powerful), and malware being able to literally hide files from the user until such time that it chooses to reveal them, it seems like it's only a matter of time before someone with a large enough botnet, and enough imagination, could start attacking individuals and/or siphoning off their money. How you do this is not something I care to discuss, but the black hats (both the actual criminals and the security experts, as an exercise) already have ideas and are working on it. That's why you'll see them periodically calling for stronger encryption (more bits in the keys). If there was no possible threat, they wouldn't be creating and suggesting longer keys. Rootkits [microsoft.com] would not be a concern, if files hidden from the user were always benign (most are).

But all it takes is the wrong person to have the right idea, a breakthrough that changes the assumptions, especially in cryptography. Show him the movie "Sneakers [imdb.com]" if you want to fuel some imagination regarding that. It's crap, but it's also fun and sizes the problem for the average Joe. Assuming that only ethical people work in cryptography is somewhat naive. Assuming that unethical people are not watching the progress of ethical individuals in the field is stupid.

There's nothing to say such solutions and attacks haven't occurred already, but it seems, as your son suggests, unlikely. You can bet if a criminal has figured it out, a little bit of money siphoned off here and there would be almost impossible to detect, especially in an environment where people are unwilling to believe it's even possible. Believe me, if the idea has hit Hollywood [imdb.com], it's old hat. That's exactly how such a criminal would proceed if they had found a way to leverage such distributed computing applications. They would target a distributed network of accounts, one by one, in a way that looked like banking errors (which are numerous and automatically corrected by the bank) and slowly siphon money from the banking industry itself, through compromised individual accounts. No individual would suffer, because of correction processes in the banks; the world's capital reserves would.

Then ask what that money could buy in terms of influence, weapons, elections? Any compromised machine is a liability to its user. Botnets are a menace to society, and we're lucky all they're (hopefully) being used for is "penis enlargement" ads and DDoS attacks. That's barely scraping the surface of their potential.

If he wants to go on believing that his safety and security are a given, without any effort on his own part, there's little you can do, but anyone with any imagination, who is not in flat out denial, can demonstrate that distributed computing applications have a great deal of power, and that basic security is everyone's concern. It is definitely not good that these networks exist and are in the hands of people bent on harm.