Comments on: Links for August 24 http://rc3.org/2009/08/24/links-for-august-24/ Rafe Colburn on software development (and other topics) Wed, 23 May 2012 22:44:11 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Rafe http://rc3.org/2009/08/24/links-for-august-24/comment-page-1/#comment-6415 Rafe Tue, 25 Aug 2009 19:58:45 +0000 http://rc3.org/?p=9942#comment-6415 <p>Yesterday I started writing up how I'd communicate with a botnet if it were up to me, but then I realized that only bad could come from posting it. Still, it's an interesting problem to think about as a design exercise.</p> Yesterday I started writing up how I’d communicate with a botnet if it were up to me, but then I realized that only bad could come from posting it. Still, it’s an interesting problem to think about as a design exercise.

]]> By: Jacob Davies http://rc3.org/2009/08/24/links-for-august-24/comment-page-1/#comment-6414 Jacob Davies Tue, 25 Aug 2009 19:55:14 +0000 http://rc3.org/?p=9942#comment-6414 <p>I'm reluctant to give anyone any ideas, but there are ways to ensure that only messages from the original source are accepted as valid, which would help prevent hijacking. The major problem would seem to be the ability of administrators to block the addresses that the botnet attempts to connect to.</p> <p>The use of Google prevents blocking any single source of the control messages, since nobody wants to block Google. You're essentially using Google as a name resolver, where the resolution to a particular site is not under anyone's control at Google. Definitely a problem when dealing with low-pagerank results (e.g. based on spurious combinations of words) where it's easy to get into the index.</p> I’m reluctant to give anyone any ideas, but there are ways to ensure that only messages from the original source are accepted as valid, which would help prevent hijacking. The major problem would seem to be the ability of administrators to block the addresses that the botnet attempts to connect to.

The use of Google prevents blocking any single source of the control messages, since nobody wants to block Google. You’re essentially using Google as a name resolver, where the resolution to a particular site is not under anyone’s control at Google. Definitely a problem when dealing with low-pagerank results (e.g. based on spurious combinations of words) where it’s easy to get into the index.

]]> By: John http://rc3.org/2009/08/24/links-for-august-24/comment-page-1/#comment-6412 John Tue, 25 Aug 2009 06:39:32 +0000 http://rc3.org/?p=9942#comment-6412 <p>An RSS feed is only one way. Using Twitter it can be many to many, allowing the botnet to avoid being disabled via a single point of failure.</p> An RSS feed is only one way. Using Twitter it can be many to many, allowing the botnet to avoid being disabled via a single point of failure.

]]> By: Rafe http://rc3.org/2009/08/24/links-for-august-24/comment-page-1/#comment-6410 Rafe Tue, 25 Aug 2009 02:16:51 +0000 http://rc3.org/?p=9942#comment-6410 <p>I can think of some ways to make the RSS feed approach more secure and robust, for sure.</p> I can think of some ways to make the RSS feed approach more secure and robust, for sure.

]]> By: Dan Lyke http://rc3.org/2009/08/24/links-for-august-24/comment-page-1/#comment-6408 Dan Lyke Tue, 25 Aug 2009 02:00:02 +0000 http://rc3.org/?p=9942#comment-6408 <p>Re the Botnets: except that you want to keep the botnet control mechanism non-obvious and distributed so it can't merely be overridden by, say, Blogspot taking control of that account. Avoid single points of failure.</p> <p>As a simple first pass, having the botnet do a search for some cryptographically difficult to anticipate string that appears only on web pages that exist on free hosting sites, that may actually be interspersed with legitimate content, and use control codes then embedded in those pages, means both that Google has to anticipate those strings (or shut down non-dictionary words, which is fraught with problems, and the bot makers can then escalate to non-dictionary phrases), and that all the pages on which those strings appear have to be controlled.</p> <p>The war has escalated far beyond "subscribe to an RSS feed and wait for commands".</p> Re the Botnets: except that you want to keep the botnet control mechanism non-obvious and distributed so it can’t merely be overridden by, say, Blogspot taking control of that account. Avoid single points of failure.

As a simple first pass, having the botnet do a search for some cryptographically difficult to anticipate string that appears only on web pages that exist on free hosting sites, that may actually be interspersed with legitimate content, and use control codes then embedded in those pages, means both that Google has to anticipate those strings (or shut down non-dictionary words, which is fraught with problems, and the bot makers can then escalate to non-dictionary phrases), and that all the pages on which those strings appear have to be controlled.

The war has escalated far beyond “subscribe to an RSS feed and wait for commands”.

]]>