2007-09-09 01:13:23
Re:How do you explain this to the average joe?
(Score:5, Insightful)
by garompeta (1068578) on Saturday September 08, @01:24PM (#20521693)
You are underestimating how valuable and powerful distributed computing is, my
friend.
It has been used for distributed MD5 crackers, collisions in SHA-1, and the
search for extraterrestrial life... (eer... yeah)
Having a gigantic botnet of at least 100,000 computers, up to unimaginable
millions of infected computers that we're probably ignoring or are unable to
detect, gives a tremendous asset to a malicious hacker.
It is a very fat milking cow:
1) Crack passwords that are not considered crackable in a reasonable amount
of time
2) Botnets to attack whoever he wants (at a reasonable price or for a
reasonable cause)
3) Millions of passwords, login accounts, PayPal, Amazon, credit card,
identity, whatever, stolen.
4) Millions of proxies to hop on and chain, hiding the source of a real
meticulous attack.
5) Millions of illegal distributed servers to host illegal materials (e.g.
virii, worms, child pornography)
Etc...
I told my oldest son about this botnet yesterday, mentioning that with between
2 million and 20 million CPUs working at any one time, and even that larger
figure likely representing only a fraction of the botnet's total capacity, it
collectively represented the most powerful supercomputer ever built... and it
was effectively under the control of a small group of people with criminal
intent - the author, or authors, of the worm. My son responded to me with a
great deal of scepticism, first saying that none of these security experts
who have made this analysis have any way to estimate what sort of computing
power military organizations might have, so saying that it represented the most
powerful supercomputer ever was actually a completely meaningless claim, and
also, he proclaimed that the story was most probably just hype and
over-exaggerated. He said that the claim of the most powerful supercomputer ever
being controlled by criminals was simply too much to be believable, like the
headlines one might see on the front page of the Weekly World News tabloid. He
also said that it was ludicrous to see how sending people "penis extension ads"
(which is about all he figures a botnet can do) can actually seriously harm
anything or anyone.
So this got me to wondering... how much of this actually _is_ something that is
of any real concern, and if it really is, how could it be explained to people
in such a way that it's not going to sound like some claim from a conspiracy
theorist?
You could also introduce him to the theory behind BitTorrent [wikipedia.org],
which is a good demonstration of how many computers each doing a small task,
given modest bandwidth, can add up to massive distribution and publication
power in short order.
Now, what if some distributed network decided to siphon a gig of illegal or
embarrassing materials onto a compromised target machine? Perhaps a politician
that is voting the wrong way?
Then ask him, not if the entire banking industry is safe, but if an
individual's information (SHA hash collision or private key, but that's not
"average Joe" speak) could be subject to a distributed brute force attack
[wikipedia.org].
With the growing power of computers making tiny pieces of malware harder and
harder to notice (that 1% of processor time is more and more powerful), and
malware being able to literally hide files from the user until such time that
it chooses to reveal them, it seems like it's only a matter of time before
someone with a large enough botnet, and enough imagination, could start
attacking individuals and/or siphoning off their money. How you do this is not
something I care to discuss, but the black hats (both the actual criminals and
the security experts, as an exercise) already have ideas and are working on it.
That's why you'll see them periodically calling for stronger encryption (more
bits in the keys). If there was no possible threat, they wouldn't be creating
and suggesting longer keys. Rootkits [microsoft.com] would not be a concern, if
files hidden from the user were always benign (most are).
But all it takes is the wrong person to have the right idea, a breakthrough
that changes the assumptions, especially in cryptography. Show him the movie
"Sneakers [imdb.com]" if you want to fuel some imagination regarding that. It's
crap, but it's also fun and sizes the problem for the average Joe. Assuming
that only ethical people work in cryptography is somewhat naive. Assuming that
unethical people are not watching the progress of ethical individuals in the
field is stupid.
There's nothing to say such solutions and attacks haven't occurred already, but
it seems, as your son suggests, unlikely. You can bet if a criminal has figured
it out, a little bit of money siphoned off here and there would be almost
impossible to detect, especially in an environment where people are unwilling
to believe it's even possible. Believe me, if the idea has hit Hollywood
[imdb.com], it's old hat. That's exactly how such a criminal would proceed if
they had found a way to leverage such distributed computing applications. They
would target a distributed network of accounts, one by one, in a way that
looked like banking errors (which are numerous and automatically corrected by
the bank) and slowly siphon money from the banking industry itself, through
compromised individual accounts. No individual would suffer, because of
correction processes in the banks; the world's capital reserves would.
Then ask what that money could buy in terms of influence, weapons, elections?
Any compromised machine is a liability to its user. Botnets are a menace to
society, and we're lucky all they're (hopefully) being used for is "penis
enlargement" ads and DDoS attacks. That's barely scraping the surface of their
potential.
If he wants to go on believing that his safety and security are a given,
without any effort on his own part, there's little you can do, but anyone with
any imagination, who is not in flat out denial, can demonstrate that
distributed computing applications have a great deal of power, and that basic
security is everyone's concern. It is definitely not good that these networks
exist and are in the hands of people bent on harm.