Talk:Lecture 12

From CyberSecurity
Revision as of 00:00, 18 November 2005 by Wjasonfisher (talk | contribs) (Lecture 12 Comments & Questions)


Liability in Honeypots

Chris Fleizach - Here's my idea to prevent liability issues in honeypots. What you want is for your infected computer to communicate with the master (and issue IRC commands, for example) so it appears to be an active bot, but you don't want it to participate in infection and DDoS attacks. So when data comes in, it's allowed to infect a computer. Any further data that it produces gets sent to a buddy computer and a gateway. The gateway holds up the data. The buddy computer runs network services in sandboxes that allow it to examine what happens to the system. If surreptitious files are created or modified, sockets opened or memory changed in unpredictable ways, then we assume the data coming from the infected bot is malicious, so we tell the gateway to discard that output. If nothing happens (i.e. an IRC command is sent), then the buddy computer notifies the gateway and allows it to proceed. The same idea applies for a DDoS, but it should be easier to identify since a dramatic increase in bandwidth can be noticed quickly. One issue that this doesn't address immediately is what if an infected bot then sends out exploits that affect other OSes (i.e. Win 2000 or WinXP SP2, and the buddy is running SP1). So the buddy computer won't get infected and will allow it to proceed, possibly causing problems. The immediate solution is to multiplex your buddy to run various OS versions, which shouldn't be that difficult with virtual machine software (VMware, Xen), but could raise complications if you need to model various patch states.
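The hold-and-verdict design in the comment above, modelled in Python as an added example (this is not code from the original page or from the commenter). The gateway buffers each outbound message, a constructed stand-in for the buddy sandbox reports side effects of replaying it, and a sliding-window byte counter supplies the bandwidth-spike DDoS signal. The buddy is multiplexed across several OS/patch profiles and the verdict is the union of their observations, which is what closes the SP1-versus-SP2 gap the comment raises. The profile names, the `EXPLOIT-A/B/C` payload markers, the event names and all of the traffic are constructed for the example; a real buddy would execute the traffic in a VM and instrument it.

```python
"""Model of the 'holding gateway + buddy sandbox' honeypot design.

Outbound traffic from the infected honeypot is held by the gateway until a set of
buddy sandboxes (one per OS/patch profile) has replayed it and reported side effects.
Payloads that trigger suspicious side effects on ANY profile are discarded; a
bandwidth spike is treated as a DDoS and discarded without consulting the sandbox.
Everything here is a constructed stand-in: no real sandbox or network is involved.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Set, Tuple

# Side effects the design treats as evidence that the held output is malicious.
SUSPICIOUS_EVENTS = {"file_created", "file_modified", "socket_opened", "memory_changed"}

# Constructed buddy profiles: which (hypothetical) payload markers "infect" which OS/patch level.
PROFILE_VULNS: Dict[str, Set[bytes]] = {
    "win2k":     {b"EXPLOIT-A"},
    "winxp_sp1": {b"EXPLOIT-A", b"EXPLOIT-B"},
    "winxp_sp2": {b"EXPLOIT-C"},
}


def buddy_sandbox(profile: str, payload: bytes) -> List[str]:
    """Stand-in for one sandboxed buddy host: report side effects of replaying payload."""
    if any(marker in payload for marker in PROFILE_VULNS[profile]):
        return ["file_created", "socket_opened"]   # a successful exploit leaves traces
    return []                                      # e.g. an IRC command: no side effects


def multiplexed_verdict(payload: bytes, profiles=PROFILE_VULNS) -> Set[str]:
    """Union of observations across all buddy profiles, so one unpatched buddy is not the judge."""
    seen: Set[str] = set()
    for profile in profiles:
        seen.update(buddy_sandbox(profile, payload))
    return seen & SUSPICIOUS_EVENTS


@dataclass
class HeldMessage:
    msg_id: int
    t: float        # arrival time in seconds
    dst: str
    payload: bytes


class BandwidthMonitor:
    """Sliding-window byte rate; a rate far above baseline is the DDoS signal."""

    def __init__(self, window_s: float, baseline_bps: float, factor: float = 10.0):
        self.window_s = window_s
        self.threshold = baseline_bps * factor
        self.events: Deque[Tuple[float, int]] = deque()
        self.total = 0

    def rate(self, t: float, nbytes: int) -> float:
        self.events.append((t, nbytes))
        self.total += nbytes
        while self.events and self.events[0][0] <= t - self.window_s:
            self.total -= self.events.popleft()[1]   # drop bytes outside the window
        return self.total / self.window_s


class HoldingGateway:
    """Holds every message the infected host emits until a verdict is reached."""

    def __init__(self, monitor: BandwidthMonitor,
                 verdict: Callable[[bytes], Set[str]] = multiplexed_verdict):
        self.monitor = monitor
        self.verdict = verdict
        self.released: List[HeldMessage] = []
        self.discarded: List[Tuple[HeldMessage, str]] = []
        self._next_id = 0

    def submit(self, t: float, dst: str, payload: bytes) -> str:
        """Hold one outbound message; return 'released' or the discard reason."""
        m = HeldMessage(self._next_id, t, dst, payload)
        self._next_id += 1
        # Volume check first: a flood is decided on rate alone, no sandbox replay needed.
        if self.monitor.rate(t, len(payload)) > self.monitor.threshold:
            self.discarded.append((m, "ddos:bandwidth"))
            return "ddos:bandwidth"
        bad = self.verdict(payload)
        if bad:
            reason = "sandbox:" + ",".join(sorted(bad))
            self.discarded.append((m, reason))
            return reason
        self.released.append(m)
        return "released"


def run_scenario() -> Dict[str, int]:
    """Constructed traffic from the infected honeypot; returns a count per outcome."""
    gw = HoldingGateway(BandwidthMonitor(window_s=1.0, baseline_bps=200.0))
    traffic = [
        (0.0, "irc.example:6667", b"PRIVMSG #c :joined"),   # C&C check-in: released
        (0.2, "10.0.0.7:445",     b"EXPLOIT-C ..."),         # only the SP2 profile is hit, still caught
        (0.4, "10.0.0.8:445",     b"EXPLOIT-A ..."),
        (0.6, "irc.example:6667", b"PONG :srv"),
    ]
    # Flood: 40 packets of 100 bytes inside one window, far above baseline*10 = 2000 B/s.
    traffic += [(0.7 + i * 0.01, "victim.example:80", b"X" * 100) for i in range(40)]
    counts: Dict[str, int] = {}
    for t, dst, payload in traffic:
        outcome = gw.submit(t, dst, payload)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    print(run_scenario())
```

Two properties of the design show up in the scenario. `buddy_sandbox("winxp_sp1", b"EXPLOIT-C")` returns nothing, which is exactly the gap described above; only the multiplexed verdict across profiles catches that payload. And the bandwidth heuristic is lagging by nature: the first nineteen flood packets are below the threshold and are released to the target before the rate crosses it, so in a real deployment the release path for the gateway would also want a per-destination cap rather than a global rate alone.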

Daryl Sterling Jr - What if a bot were created that "phoned home" and downloaded the latest version of Adaware and ran it on the "infected" computer, then deleted itself, and then slowly distributed itself to other machines? And it ONLY did cleaning when the machine was idle and only spread itself when the network had low usage? Also, to get around legalities, before it installed itself, it ASKED the user to click "Yes" or "Ok"... because we all know how well that works for spyware, so why wouldn't it work for good stuff?

Lecture 12 Comments & Questions

Mr. Varian, in the news recently, there has been some discussion of anti-piracy software that Sony included on some of its newer CDs and DVDs that, automatically and unbeknownst to the owner of the PC, uploaded itself when the CDs/DVDs were placed into the PC's drive. It turns out that the software is riddled with exploits that can be and have been utilized by persons to add malware or turn PCs into zombies -- the software is also extremely difficult, impossible for most common users, to remove once it has uploaded itself. Do you have any thoughts on the legal implications for Sony here? Have similar cases been brought, and if so, what have courts determined -- is there a common law standard developing? The series of cases that are being or will likely be brought as a result of the Sony debacle seem to provide a great place for the courts to come in and place liability -- be it least cost avoider or due care. Might you have any thoughts on the matter?

Mr. Varian, it seems to me that the call for a private representative organization or regulatory body to step in and set cyber security standards is a pretty good idea -- which agencies do you envision doing this? Is there one or more with the statutory authority to do so, or would Congress have to pass new legislation authorizing such authority?

Mr. Varian, it also seems, at this point, that cyber crime isn't affecting most consumers/citizens -- we hear about it, but with the exception of those in the field or those that are hit with something particularly damaging, I don't think it comes across to people as pressing; I think many people, so long as being a zombie doesn't disrupt their use of their computer, don't see the connection enough to care -- do you think that is really what is responsible for the lack of this issue being addressed by regulators or private industry? After all, it is going to impose some sort of extra cost on those participants, industry/regulators. Maybe the critical mass of public understanding just isn't there yet. A bit of education and PR then would seem to be in order, some directed at Joe Public.

Mr. Varian, do you think there is any place for introducing strict liability or a product liability type regime into the cyber security world? Should manufacturers of software have to prove they have used the best technology possible to avoid liability?

Mr. Varian, just out of curiosity, what imposes the greatest overall societal cost, apart from distribution, the American or UK model with respect to ATMs?

Mr. Varian, are there any statistics on how many individuals/companies are purchasing cyber attack insurance?

Professor Savage, if 99% of viruses are zoos just put out to prove a point, does that demonstrate that the criminal penalties should be greatly increased? If that's the case and the problem is largely coming from an intellectual exercise, it seems like deterrence here would be fairly easy to impose effectively. Any thoughts?

From a real cynical point of view, it seems almost like you have two groups within an already very small segment of society who understand enough to either attempt to do good or bad within the cyber world -- like the two are just battling each other, and that battle actually provides money, jobs, etc. to the narrow segment -- ensures employment. Should that factor into how we go about fighting the problem or dealing with cyber issues?

Regarding liability concerns brought about by tracking worms, it seems to me that if it was clear that the setup was designed to further security and was diagnostic, regulators would be willing to issue some sort of waiver of liability -- is that where we are heading, or is that not even on the radar yet? I just have trouble believing that liability concerns are really that much of an issue here -- from an equity, legislative, regulation, public good standpoint it seems clear that liability concerns shouldn't stand in the way. Is somebody working on appropriate legislation or regulation here -- specific interest groups and/or politicians?

Professor Paxson, can you provide me with a list of countries/states that either do not allow the recording or monitoring of any personal info (I think those are going to be mostly Euro, right?) and those that don't care what is monitored/recorded at all (I am guessing China and ...)? Thanks.