Tuesday, October 21, 2008

Botnets are still a serious issue for home and small business users; major International Botnet Task Force conference held

The Business Day Section (p B1) of the Oct. 21 New York Times features an alarming report about Internet botnets by John Markoff. The title of the story is “Beware the Digital Zombies: A robot network is seeking to enlist your computer,” link here.

The story relates the reality that botnets are becoming an increasing peril to everyday Internet commerce and perhaps even self-expression. The story gives some general discussion of Microsoft’s plan to fight them, including cooperation with many overseas governments and inserting moles or sensors into “bot-herders” and pretend to do malicious things without actually doing them. It is common for crime rings to expect newcomers to carry out assignments to prove they are not informants.

The story says that now an unprotected early XP computer will get infected within five minutes, sometimes in only thirty seconds, when connected to the Internet by broadband. Presumably service packs 2 and now 3 are supposed to make this much less likely. And Vista is supposed to be safer (that is a controversial topic). Even so, a purchaser of a new Windows computer should probably complete as much anti-virus installation as possible before connecting to the Internet, and then download all the applicable security updates from Microsoft and from the anti-virus company (like McAfee), and run a batch full scan, before using heavily. Since these downloads and installs take time, it’s possible that with such a process a new computer purchaser will detect some problems. The story indicated that the best security software does not discuss all vulnerabilities.

The news story refers to a group called the Shadowserver Foundation. Worldwide, it appears that at least 300000 computers are silently infected by botnets.

An organization called the International Botnet Task Force is supposed to convene today in Arlington VA. I could not find a web url for them, but Microsoft mentions the group in its white paper “Bots, Botnets and Zombies” here. Microsoft says it has deployed Sender-ID as part of the solution for spam since 2003. Would a microcharge for each sent email also be an effective way to fight spam?

The NY Times doesn’t discuss the speculative topic of possible home user liability. There have been a few cases where home users have been disconnected by broadband ISPs for too much activity. ABC News reports at least one case (discussed here Feb 2007) where a teenager faced child pornography charges for material that he claimed could have been placed by a hacker (those charges, in Arizona, would be dropped). There has been loose talk of an “Internet driver’s license” to include demonstration of knowledge of how to use security products, and there is talk that it should be presented in public schools (you have to find the teachers first, however). The concept of conceivable home or small business user liability is a potentially very sensitive one for public policy makers, who would have to remain very wary of unintended consequences and chilling effects.

No comments: