Right as I am about to wind down for the night, ISN rolls in, filling the inbox of most people before they wake. One of the last articles caught my attention and I read the first few paragraphs.
This article (full GCN article) was disturbing to say the least. A couple of academia researchers, cut-off from the real world, out of touch with reality and how the 'world' works, decide they need to control a bot net. Not a 10k node botnet, not a 100k node botnet.. but a 1 million node botnet. In case you haven't read lately, the threat of a botnet is serious. Some men are charged in botnet related crimes, and the threat of a million-pc botnet is a threat to consumers. (Still don't believe? Google 'botnet threat').
From the article:
Starting in October, a huge botnet will be run not by nefarious underground figures but by the Energy Department's Sandia National Laboratories.
"If you want to take a look at what is really threatening the Internet, we have to talk about the scale of the network we are working with," Rudish said. "One million gets us pretty close to understanding these botnets."
If someone takes over or controls 1,000,000 machines, they are a threat or at least a concern to the U.S. As said in the article, "Anything that scales to a million, it is impossible to watch any single thing," Minnich said.. The FBI has aggressively pursued and prosecuted people in control of a 1 million node botnet. When the people in control admit "it is impossible to watch any single thing", and cannot fully control it, they should be worried. You should be more worried.
I replied to the ISN post challenging the researchers, questioning if they don't understand the power after controlling 10,000 or 100,000 nodes, how will they really learn anything by controlling 1,000,000 nodes? This kind of power with any type of net connectivity is dangerous. What if a bad guy gets ahold of THEIR botnet? They already admittedly don't understand the power of a 1 million node botnet. Anyone that cannot learn from 10k or 100k machines, cannot learn from 1 million machines. If they can learn, they can also be tempted by the criminal nature of what they're doing. The line between 100k and 1 million is amazingly blurry.
The Sandia researchers go on to talk about 'study in the wild' and imply that studying in the lab doesn't suffice. If you can't replicate this environment in the lab, then you fail as junior 101 collegiate researchers. If you argue, then see above, you are criminals waiting to happen and we'll see you on ISN in a year or two. In the rare case we don't, we'll see your limp research paper buried in academia, as 'academics' that couldn't figure out "real life 101".
While ranting about this to ISN, it occurred to me that this 'test' screams of 'threat to national security'. Anyone who runs a million node botnet that couldn't learn from 100k nodes should not be running it. Worse, the last twelve months of threats to the U.S. centered around 'distributed denial of service' attacks and botnets are exactly what we're seeing here. As a responsible U.S. citizen, how do I report this crime-waiting-to-happen?
A quick search took me to https://tips.fbi.gov/ where they ask me:
Please use this website to report suspected terrorism or criminal activity. Your information will be reviewed promptly by an FBI special agent or a professional staff member. Due to the high volume of information that we receive, we are unable to reply to every submission; however, we appreciate the information that you have provided.
Your First Name
Your Middle Name
Your Last Name
Your Phone
Your Email
Your Street 1
Your Street 2
Your Suite/Apt/Mail Stop
Your City
Your State
Your Country
Your Zip Code / Route
Please enter your information:
In order to complete your tip submission, please enter the 5 digits listed below.
[Clear] [Submit]
Really? To 'tip' the government off on a threat to national security, you want that information with an open text box where I describe the crime, using no mandatory fields on 'who', 'where' or 'when'? But hey, at least you have a CAPTCHA in place to stop spam.
Not wanting to go through that.. as a responsible citizen, reading about "a huge botnet" being controlled by Ron Minnich and Don Rudish, I have to be very concerned.
Per my searches, I need to contact my local FBI office at (303) 629-7171 and warn them.
"If you want to take a look at what is really threatening the Internet, we have to talk about the scale of the network we are working with," Rudish said. "One million gets us pretty close to understanding these botnets."
"Anything that scales to a million, it is impossible to watch any single thing," Minnich said. "So you need to have this be a highly automated self-maintaining system."
I called my local FBI office, told them I wanted to report a 'botnet' capable of DDOS attacks. The nice agent told me that I should report all tips through ic3.gov, which I typed into my browser:
http://www.ic3.gov/default.aspx
Welcome to IC3
The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI), the National White Collar Crime Center (NW3C), and the Bureau of Justice Assistance (BJA).
[..]
Filing a Complaint with IC3
IC3 accepts online Internet crime complaints from either the person who believes they were defrauded or from a third party to the complainant. We can best process your complaint if we receive accurate and complete information from you. Therefore, we request that you provide the following information when filing a complaint:
* Your name
* Your mailing address
* Your telephone number
* The name, address, telephone number, and Web address, if available, of the individual or organization you believe defrauded you.
* Specific details on how, why, and when you believe you were defrauded.
* Any other relevant information you believe is necessary to support your complaint.
File a Complaint >>
Hrm. So I click on 'File a Complaint':
http://www.ic3.gov/complaint/default.aspx
If you think your life is in danger, please contact your local and/or state police immediately!
File a Complaint
Prior to filing a complaint with the Internet Crime Complaint Center (IC3), please read the following information regarding terms and conditions. Should you have additional questions prior to filing your complaint, view FAQ for more information on inquiries such as:
* What details will I be asked to include in my complaint?
* What happens after I file a complaint?
* How are complaints resolved?
* Should I retain evidence related to my complaint?
The information I've provided on this form is correct to the best of my knowledge. I understand that providing false information could make me subject to fine, imprisonment, or both. (Title 18, U.S. Code, Section 1001)
The IC3 is co-sponsored by the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Complaints filed via this website are processed and may be referred to federal, state, local or international law enforcement or regulatory agencies for possible investigation. I understand any investigation opened on any complaint I file on this website is initiated at the discretion of the law enforcement and/or regulatory agency receiving the complaint information.
Filing a complaint with IC3 in no way serves as notification to my credit card company that I am disputing unauthorized charges placed on my card or that my credit card number may have been compromised. I should contact my credit card company directly to notify them of my specific concerns.
Advisory:
You are about to file a complaint with the Internet Crime Complaint Center. The confidentiality of the information you provide may be affected by differing state law. As such, we cannot guarantee that your complaint will remain confidential. The complaint information you submit to this site is encrypted via secure socket layer (SSL) encryption. Please see the Privacy Policy for further information.
We thank you for your cooperation.
[I accept]
Uh, really? "Terms and conditions"? I actually have to agree to all of this about "notification to my credit card company" and any complaint is "initiated at the discretion of the law enforcement and/or regulatory agency receiving the complaint information"? In short, there is a "click-wrap" license invoked on reporting a threat to national security that may relate to my credit, and that law enforcement MAY initiate an investigation. If I call 911, they initiate an investigation even if it's a hangup. Yet telling the FBI about a threat to national security MAY initiate an investigation?
I told the kind agent "I really don't want to agree to those terms." She told me I could come down to the local office at:
1961 Stout Street
Denver, CO 80294
Or I could fax in a complaint to: 303-629-7171
Which is the same number I called, but 'would recognize faxes'.
Not even two minutes later, it sticks in my head. Wait.. I call back to confirm, talk to the same nice agent who confirms I must make a complaint during business hours.
Again, really?! You have a click-wrap license for reporting potential TERRORISM to the FBI, or you make them fax something to the same glorified receptionist who told you that you must show up in person during business hours to report a threat to national security should you not trust the IC3 web site. You wonder why people are numb to any threats around them?
Before you write this off, remember; the FBI goes after criminals based on intent, not necessarily action.
Jesus H. Christ on a pogo-stick, we're doomed.
- security curmudgeon
p.s. select * from database where job like "FBI agent" and fbi_office like "denver" and orientation like "bi" and gun_status like "CCW" and relationship_status like "single" and first_name not like "dieter";
p.p.s cute sounding FBI agent answering the phone at 3:45a MST. i can offer you guinea pigs, kinky sex and more money than the FBI will offer you. call me, i know you have my number!