The FTC, ISPs, and zombies

The FTC has launched Operation Spam Zombie in an attempt to control spam. Here are the five recommendations they sent in their letter to 3000 ISPs:
  • block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.
  • apply rate-limiting controls for email relays
  • identify computers that are sending atypical amounts of email, and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed.
  • give your customers plain-language advice on how to prevent their computers from being infected by worms, trojans, or other malware that turn PCs into spam zombies, and provide the appropriate tools and assistance.
  • provide, or point your customers to, easy-to-use tools to remove zombie code if their computers have been infected, and provide the appropriate assistance.

These actually seem like fairly sensible recommendations, with the possible exception of the first point. A lot of ISPs already implement port 25 blocking, but I'm not sure it really makes that much sense. After all, it's not really that hard for a zombie program to connect to the ISP's SMTP server (it can get that information from the user's legitimate mail program), and I understand that some malware already does this. The chief benefit of blocking is that it provides a central control point, which makes rate limiting easier. But you could do much the same thing with either passive monitoring or transparent interception and gatewaying. (Phil Karn raises the same point here.)
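One way the passive-monitoring alternative could look, as an added example that is not from the FTC letter or any ISP's tooling: it scans flow records for customers whose port 25 traffic is atypical, whether they deliver directly to many remote mail servers or push a burst through the ISP's own relay. The record layout, the thresholds and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

SMTP_PORT = 25
WINDOW_SECONDS = 600     # assumed sliding window
MAX_CONNECTIONS = 20     # assumed limit: port-25 connections per window
MAX_DISTINCT_DESTS = 10  # assumed limit: distinct non-relay destinations per window
RELAY = "192.0.2.25"     # constructed address standing in for the ISP's mail relay


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since start of capture
    src: str     # customer address
    dst: str     # destination address
    dport: int   # destination TCP port


def find_suspected_zombies(flows, isp_relays=frozenset(), window=WINDOW_SECONDS,
                           max_conns=MAX_CONNECTIONS, max_dests=MAX_DISTINCT_DESTS):
    """Return {customer: details} for sources with atypical SMTP behaviour.

    Two signals are checked over a sliding window:
      fan-out: many distinct destinations reached directly on port 25
      volume:  many port-25 connections in total, including those to the
               ISP relay (covers malware that reuses the user's mail settings)
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    flagged = {}
    for flow in sorted(flows, key=lambda f: f.ts):
        if flow.dport != SMTP_PORT:
            continue
        in_window = recent[flow.src]
        in_window.append((flow.ts, flow.dst))
        # Drop records that have aged out; the record just added always stays.
        while in_window[0][0] <= flow.ts - window:
            in_window.popleft()
        if flow.src in flagged:
            continue
        direct = {dst for _, dst in in_window if dst not in isp_relays}
        if len(direct) > max_dests:
            reason = "fan-out"
        elif len(in_window) > max_conns:
            reason = "volume"
        else:
            continue
        flagged[flow.src] = {
            "first_flagged": flow.ts,
            "reason": reason,
            "connections": len(in_window),
            "distinct_destinations": len(direct),
        }
    return flagged


def sample_flows():
    """Constructed flow records using documentation address ranges."""
    flows = []
    # Ordinary client: a few submissions through the ISP relay.
    for ts in (100, 1900, 3500):
        flows.append(Flow(ts, "198.51.100.10", RELAY, SMTP_PORT))
    # Direct-to-MX burst: 40 different mail servers in 200 seconds.
    for i in range(40):
        flows.append(Flow(1000 + 5 * i, "198.51.100.23", f"203.0.113.{i + 1}", SMTP_PORT))
    # Burst through the relay: 30 connections in 300 seconds.
    for i in range(30):
        flows.append(Flow(2000 + 10 * i, "198.51.100.77", RELAY, SMTP_PORT))
    # Small self-hosted server: one delivery every ten minutes.
    for i in range(12):
        flows.append(Flow(600 * i, "198.51.100.90", f"203.0.113.{100 + i}", SMTP_PORT))
    # Non-SMTP traffic is ignored.
    flows.append(Flow(1200, "198.51.100.10", "203.0.113.200", 443))
    return flows


if __name__ == "__main__":
    for src, info in find_suspected_zombies(sample_flows(), isp_relays={RELAY}).items():
        print(src, info)
```

A flagged address is a candidate for investigation and possible quarantine, not proof of infection: a legitimate mailing-list host would trip the same thresholds.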

Most of the public attention has focused on the fourth point: that ISPs should actively shut off people's zombied PCs. Response has generally been fairly positive (see the NANOG thread here) and my intuition is that this is a good idea. To a great extent, spam is enabled by poor end-user system security, and since the cost to the end-user of being a spam zombie is comparatively low, we have a classic public good situation: the public good, in this case systems security, is underproduced. Giving users a reason to keep their systems secure (in order to keep being able to send mail) helps give them the proper incentives.


30 Comments

It seems like you are using a neoclassical economic model for this assessment, and that the model assumes you have a competitive market for consumer & business solutions for security.

I am curious why you think providing incentives will help consumers. Since the consumer operating system market is a monopoly, neoclassical theory tells us that consumers will bear the brunt of the increase in cost while not necessarily causing a shift in supplier behavior.

If it were a competitive market then consumers would shift to lower cost solutions. But the switching costs in the computing world are still high, the number of options are extremely limited, and a single supplier has monopoly control of the supply chain. Or do you believe the market will right itself out of the monopoly situation over the next 50 or 100 years?

Cutting off consumer zombie PCs is going to be a bloody mess. With the vast majority of computer users having no idea what to do when their system is removed from the network. When they are removed from the network, they will probably endure predatory sales practices when attempting to get themselves reconnected.

In this case, the public good might be better served by thinking about what people want to accomplish instead of attempting to force every person to police computer crime. The public wants to have unencumbered Internet access yet very few people want to troubleshoot it on a daily basis. If you told most consumers that they had to troubleshoot their water supply or telephone connection on a daily basis, they would laugh at you.

Steve, your reasoning is totally flawed because you've somehow intertwined security and the desktop OS markets.

As far as I know, there's quite a competitive market for desktop _security_ solutions like McAfee, Pc-Cillin, etc. If you buy one of these and turn on your OS's automatic updates, your zombie risk is very low.

That's still not good enough? Great. Sign up with AOL and they'll sell you a complete solution and take over the whole security problem for you.

Seems like the market's working here.

The main reason why blocking 25/TCP makes sense is that the local ISP mail servers have a natural rate limit which is difficult (and expensive) to increase past a certain point. However, I'm not sure how many people who deploy the filters realize this. 8-)

Unfortunately, most local ISPs have absolutely abysmal mail servers. After several years of delayed and lost mail through @Home, AT&T, and Cox, I eventually gave up on the concept entirely. There isn't enough competition in the high speed connection market to endorse giving ISPs a blanket monopoly on all e-mail services to their area.

I don't see this as giving local ISPs a monopoly. I have DSL and I use a small independent ISP with great service. Presumably he would be subject to the same cut-off obligations as a larger ISP.

Kevin, for you to be correct, the entire premise of Eric's post must be wrong.

Operation Spam Zombie (cited in the original post) is based on a report which states (in the executive summary), "Spammers use home computers to send bulk emails by the millions. They take advantage of security weaknesses to install hidden software that turns consumer computers into mail or proxy servers."

Desktop security is a vendor problem. And despite the market for desktop security solutions, the problem is still rampant. If the market was working then we wouldn't need Operation Spam Zombie to correct the problem with desktop zombies.

Rate-limiting the connections is mostly pointless. The primary way that these spam zombies will be detected is that someone will finally track down some of the spam back to them. So typically they get discovered after perhaps 10000 messages (if you believe Goodman & Rounthwaite, EC-04). If you rate-limit the connection, the zombie software will just send at the lower rate, get discovered later, and send the same total number of messages.

So rate-limiting doesn't do anything to solve this problem.

Steve, I think you've mixed up the markets we're talking about.

(1) Eric says the market for securing network nodes is failing because of mismatched incentives

(2) You say that fixing the incentives won't work because the market for desktop security solutions is a monopoly (through some tying with the OS market that I don't understand)

(3) I claim the market for desktop security solutions isn't a monopoly and gave evidence to that effect

Surely you're merely confused over antecedents here and don't really mean to say that a working market for desktop security solutions logically implies a working market for secure network nodes?

Kevin,

In your haste, you are losing sight of what logically follows from your argument. Let me start by re-stating what's been said, because I think you're mis-stating it again.

1) Eric says that the market for securing desktop computers is failing because of mismatched incentives. This follows from his cite and discussion of the Operation Spam Zombie project.

2) You claim the market for desktop security solutions isn't a monopoly, because you only consider a subset of the market. Microsoft is by far the largest vendor of desktop security software because they include desktop security software in every copy of the Windows OS, which is installed on 98%+ of the Zombie machines cited in the reports associated with Operation Spam Zombie.

3) You also claim that installing McAfee or PcIllin nearly eliminates the Zombie problem.

So, (according to your logic) if Microsoft included the functionality associated with McAfee or PcIllin in every copy of Windows then there would be no need for Operation Spam Zombie. Security would no longer be underprovided by the market.

Before I go into the other conclusions, I'll stop there to see if you continue to disagree.

Steve, you're missing a key point--the use of large numbers of users' personal computers for the sending of spam (or for DDoS attacks, for that matter) does not depend on the insecurity of those personal computers.

Suppose there were a perfect security solution available for every one of those computers. One element of that solution, of course, would be VM technology that allowed users to run any downloaded code (SETI@home, for instance) completely safely, regardless of its provenance, without any risk of its altering, harming, obtaining or in any way interfering with the other information and code on the computer.

The day after that solution became available, the spammers would release Spam@home, a program which rewards the user in some way (showing pleasing images of some sort, for instance), in return for its use of the host computer's spare cycles and bandwidth to send spam. The result: the user is happy, the spammer is happy, the spam problem is as bad as it ever was, and the only change is that obsessive fanatics like you can no longer rant about how the security properties of a particular software company's product are the source of all evil in the world.

The same argument applies to DDoS attacks, by the way. The underlying problem that makes these nuisances possible is that the Internet, and the email network built on top of it, fail to provide accountability for the traffic sent on them. (I've written a position paper on this subject, which I hope some day to get accepted at a conference open-minded enough to consider this kind of networking heresy.)

Wow. Dan Simon coming to my defense. I'd better check for a swarm of locusts ;-)

My response is pretty much what Dan said, with some preface and relying on incentives rather than accountability. If Microsoft suddenly offered free virus protection for every extant version of Windows, then there is the _potential_ for drastically reducing the zombie problem. Just as there is the _potential_ for doing it now.

The problem is that you have to get people to download it and turn it on, which costs them time and effort. Just like you have to get people to buy it now.

But, you've got to overcome that cost. OR as Dan so nicely illustrated, overcome the ability of your opponent to make a better offer.

I'm not missing this point. The proposed solution of cutting off computer ISP access is unworkable. ISP customer support doesn't have the ability to explain anything this detailed to my mother and they never will.

Further, if it is believed that some type of zombie removal software can be installed to solve the problem then my line of reasoning still holds. There is no reason that Microsoft can't be asked to do it on Microsoft desktop computers that constitute 98%+ of the spamming machines.

Which leads to the bigger issue of incentives. If Microsoft were charged "pollution fees" for every copy of Windows that emitted spam then I think we would see a solution to the spam problem occur in rapid order.

Giving incentives to customers that they can not possibly understand is a brain dead idea. However, from a political perspective, I will not openly fight the FTC action. Because when it fails to address the problem while causing pain (which can be identified directly with institutions) for many people, it will leave the door open for more substantial change.

I don't think the incentives are that hard to understand here: "Buy some security software and turn automatic updates on or we'll cut you off." My mother would certainly understand that.

I would also note that most large cable and Baby Bells are exercising an increasingly greater degree of control over the internet connections they provide to the average consumer. Including remotely configuring your modem. Won't be that long until the majority of them will include the option of remotely managed desktop security software.

So I think the incentives will become even easier: "Check this box on your service agreement or we may have to cut you off."

Kevin,

Both you and Dan just said that desktop security software doesn't solve the problem. And now you're stating that it is the solution again. I wish you would make up your mind.

Since you're claiming that adding desktop security software to the desktop operating system is the solution again, then by allowing MSFT to fail to provide it, you are transferring the cost from Microsoft (the monopoly provider) to both the consumer and the ISP. If the market for desktop computer software were competitive then the consumer would pay regardless of the solution to eliminate externalities. But since the market for desktop software is a monopoly, the overall welfare of the entire system can be improved by asking Microsoft to bear the cost. The deadweight loss associated with the monopoly market for desktop software decreases if Microsoft's marginal cost more closely approaches its marginal revenue. And, in this case, there is no worry that providing security software would cause Microsoft's marginal cost to exceed marginal revenue.

Now, it's not that the solution that you're defending is bad for all situations. Some aspects of it are a good idea to address problems in a market where the externality isn't overwhelmingly caused by a lack of security software on Microsoft desktop computers. The net effect of the incentives will be to strengthen the competitive fringe (Apple, Linux), which could reduce the deadweight loss and losses to total welfare associated with the Microsoft monopoly in desktop operating systems. But the proposed system has complexity greater than zero. The net costs to total welfare are going to overwhelm its potential benefits. This is an easy calculation because the net cost to a consumer when Microsoft provides the solution approximates zero and when anyone else provides a solution the net cost is always greater than zero.

So, under the Operation Spam Zombie plan, Microsoft's shareholders should rejoice that they will not be held responsible for the externality their product creates. As a Microsoft employee, I would expect Dan Simon to be 'for' this solution. But, in terms of total welfare for the US and its citizens, this looks like a raw deal.

Note: there are a few mistyped sections of the above, but kevin's an economist and should be able to substitute 'price' in the right place.

Steve, you've once again completely misrepresented the problem. Have you ever heard of a program called Kazaa? It comes loaded with spyware. Yet millions of users download and install Kazaa, because it does something that they want. Do you really think that if Kazaa came with spam@home instead of spyware, users would suddenly stop using Kazaa? (Well, Eric might, but I don't, and you probably don't, either.)

Users do not let their machines send spam because they're helpless to stop their machines from doing so. There are in fact many ways that they could stop their machines from sending spam--we all know what they are, because we all use these methods ourselves, and that's why our machines don't send spam. Users let their machines send spam because there's no reason not to--period. (Indeed, there's a perfectly good reason to let their machines send spam--not worrying about spambot software makes it easy and fun to try all the wacky offers that come one's way via email and the Web.)

Now, you're proposing that a particular company be punished every time someone's machine is used to send spam. The incentives here are, as Kevin points out, not really too hard to understand--unless you're bound and determined, as you seem to be, not to understand them. Users have no reason not to let their machines send spam, and spammers have every reason to entice users into sending spam. Thus the spammers will use every feature available to applications on users' machines to send spam, and users will--for the right enticement--assist the spammers in doing so. The only option left for the company in question is to shut down as much functionality as possible on users' machines, making them completely useless for any Internet communication--not just spam. This may be ideal for you, since you hate this particular company with a completely irrational passion, and therefore want to prevent them from selling any products. But it's certainly not ideal for the consumer--or for anyone else, for that matter, that doesn't share your rabid animus.

On the other hand, making users accountable for the spam they send using their ISPs' service is exactly the right way to incentivize users to stop their machines from sending spam. Products would show up on the market immediately--many of them already exist, in fact--to help users prevent their machines from sending spam, and instead of ignoring these products, users would see these products as useful to them, and therefore use them. It would then be harder for spammers to get users' machines to send spam, and overall spam volume might even decline.

But as your previous comment shows, you don't really care about reducing spam. You simply think that the company you hate has too much money, and any excuse to confiscate it, however lame, is just fine with you. You're entitled to your obsession, of course--but please don't dress it up as a claim about computer security.

Dan,

Despite your uninformed and unwarranted ad hominem attack, I'll reply to the substance of your message. Although I was a recognized high performance employee at Microsoft, my former employment has no bearing on my customer-centric economic analysis. Please keep in mind that your statements are a reflection of Microsoft's position and I will treat them as such.

Computer users in the U.S. already have an incentive not to send spam. Sending spam is a federal crime. So no smart user will readily admit to knowingly doing it. Any software company that produces a spambot is also committing a federal crime.

Since a user must be tricked into sending spam by an entity attempting to avoid responsibility for its actions, installation of any spambot is a security problem associated with the operating system's allowance for installation of rogue software. My Blackberry, XBox, cell phones, and Sony Playstation can't easily install these spambots -- the problem is nearly entirely caused by Microsoft Windows Desktop PCs, as has been outlined in the government reports justifying the Operation Spam Zombie project.

Helping the user prevent the installation of illegal and malicious software should be in the OS. Producing incentives to require the use of a third party product (at a cost to the consumer) is simply unbundling a piece of what should be in the operating system to charge higher monopoly rents for the use of Windows.

I can understand why Microsoft might wish to create an environment that provides incentives to users of computer desktops such that a marginal user will value spam removal software (usually called desktop security software) at a value greater than $0. Creating this incentive creates a market for Microsoft and other companies to provide such a product. However, in the current case where Microsoft owns 98% of the market, instead of providing an incentive for Microsoft to build a better operating system which comes bundled with software to eliminate the installation or removal of spambots, we are creating an environment which rewards them with more revenue per Windows desktop. In other words, the FTC is providing an environment to reward Microsoft with an increase in monopoly rents.

In the long term, providing incentives for ISPs to have user machines behave correctly does make sense. But the short term market problem is much more readily associated with Microsoft's monopoly desktop position. If we see an increase in the average revenue per desktop to Microsoft (and income from desktop security products) then we will know that Microsoft has successfully unbundled the desktop operating system in order to extract higher rents.

Do I think Microsoft extracting higher monopoly rents is good for total welfare? No, I don't because economic theory tells us that the deadweight loss associated with such an improving monopoly position is bad for total welfare.

Steve, thanks for allowing me the opportunity to clarify: My statements are most decidedly not in any way statements on behalf of Microsoft. I make all my comments to blogs as a private individual, I made no reference to Microsoft myself in my comments, and the opinions I express are my own, and my own only.

Moreover, my opinions reflect my status as a member of the computer security research community, who has published papers on computer security and cryptography, and participated in numerous community activities, including program committees for established computer security research conferences.

And speaking in that capacity, I can say that I sincerely believe your analysis of the technical security problems associated with spambots (putting aside, for the moment, your opinions on commercial matters) to be completely, utterly wrongheaded. I'm all for better end host security, and am actively pursuing research that I hope will further this goal. But the problems of spam and DDoS simply will not be solved by solving the problem of end host security. And your endless harping on business issues that have absolutely nothing to do with computer security does not change that simple fact.

By the way, Steve, I hope it's clear from the previous comment that my (possibly quite fallible) personal impression of your motivation is not the relevant issue. I apologize for introducing it--I should have stuck to the purely technical issues in the discussion.

I also hope you'll do the same regarding your equally irrelevant, and quite incorrect, impression of my motivation, based--as far as I can tell--only on the identity of my employer.

Let me begin by apologizing for the introduction of your affiliation with Microsoft as relevant to your position. I'm sure that, any hint of influence to the side, you honestly believe in your position.

It also appears that we are talking past each other in the discussion. I am not talking about DDoS. I am talking solely about a specific policy proposal by the FTC to stop spam originating nearly entirely from desktop PCs running the Microsoft Windows operating system.

You also seem to get caught up when I say, "solution". You seem to assume that I mean solution for an entire range of problem sets. Instead, I mean a solution presented to a customer for solving a problem presented to them: suddenly they've been disconnected from the network with only the promise of dealing with ISP technical support to figure out why. To reconnect to the network, the ISP will invariably give a very constrained set of options to the customer, like running approved desktop security software. If this "approved software" doesn't work, the customer will be stuck in an infinite loop of ISP tech support hell, a situation common under the best of situations today.

Forcing a customer into this situation, as a matter of policy, in the current environment is an extremely bad policy decision, for many of the reasons that I've outlined previously. And, yes, like several prominent former Microsoft executives, I think Microsoft should share in that cost of enhancing desktop security cleanup.

If it is wrongheaded to believe spambot malware is removed from PCs by desktop security software, then I am guilty.

At the risk of stepping into the crossfire, I have a purely technical opinion question for Dan and Steve.

Assume I'm running Windows XP. I have Microsoft's Automatic Updates turned on. I've installed the full spectrum versions of PC-cillin, McAfee, or Norton, set its update frequency at maximum, and set it to perform real time scans of email and Web.

Do you think there's any significant chance of somebody turning my machine into a zombie?

First of all, upon further consideration, I'd like to retract all the portions of my comments dealing with Steve's personal opinions of Microsoft. In retrospect, they were inappropriate, and I shouldn't have made them.

Second, in reply to Kevin (and partially to Steve), it's very difficult to evaluate the "chance" of somebody obtaining control of a fully updated, properly firewalled machine. First of all, there's always the possibility of a "zero-day" exploit that attacks necessary or intentional holes in the firewall. Second, there's the possibility that some random application you installed contains a vulnerability sufficient to allow a machine to be taken over--at least to the extent of becoming a spam zombie. (The Witty worm, for example, if I recall correctly, attacked a particular brand of third-party security software.) And finally, there's the possibility I alluded to before--that you might deliberately install spam zombie software, for reasons of your own, whether or not you know that's what you're doing.

I trust we can all agree that the latter two problems can't possibly be the responsibility of the host OS to prevent.

Dan,

I'm not sure I agree with your last statement here. I've certainly seen suggestions that host os restrict access to the network to authorized programs, precisely to prevent applications acting as spam zombies, ddos, etc. I'm not sure I'd characterize it as their responsibility, but certainly they *could* do so, no? (I'm ignoring the case where you explicitly authorize access to those ports as opposed to just loading some piece of software that happens to access them...)

I definitely wasn't including the "deliberate" case in my question. If you intentionally install some questionable software, you deserve what you get. If you were tricked into such an installation, well, it's a good thing your ISP will be able to detect that you've been compromised.

As for the second case, the security packages I mentioned attempt to protect you from malware targeted at common third party programs. So to a first order, I think we can reduce this to the zero-day exploit case.

So I think the real question is, "What is the chance of a broad and effective zero-day exploit?" Moreover, will things be so bad that an individual shutoff won't actually have any impact because much of the Internet will be down anyway?

My intuition is that taking the measures I specified will protect you from shutoff in all cases but those when your service would be badly compromised anyway.

Eric: Yes, of course--I meant "can't possibly be the responsibility of the host OS" in the sense of "no reasonable person would assign responsibility to the host OS for this". Certainly a tightly restrictive host OS could exert various policies limiting network access to a short list of supposedly "safe" applications. (Then again, one of those applications would presumably have been the security application targeted by the Witty worm....) Or, for that matter, the host OS could simply not offer network services to applications at all--or not allow non-authorized applications to run. But I doubt many people are willing to pay such a price in the flexibility and utility of PCs that they'd actually advocate an effectively "closed" host OS as the norm.

Kevin: I actually think the model for zero-day exploits more closely resembles the "tricked" scenario than the classic Internet-busting superworm. If I had a zero-day exploit and a desire to make money sending spam, I'd much rather stealthily infect hosts until I had control over a very large botnet, than try to blast my way across the Internet, effectively announcing to the world that I needed to be purged from everybody's machine right away. The first you'd notice of me, in fact--if you noticed me at all--would be the moment I started sending spam from your compromised host. (Notice the remarkable lack of scanning worm incidents recently, despite the ubiquity of unpatched hosts with known wormable vulnerabilities. I conclude that worm writers, who have become more professional of late, agree with me.) ISP notification of compromise might therefore be useful in the case of zero-day exploits as well as zombifications-by-deception.

Dan,

I agree with you, though I would observe that you actually see this suggestion reasonably often made by "trusted computing" type people....

Ahh. Given your model of zero-day exploits, it seems like detecting and shutting off zombies is helpful. It provides a first line of defense when "typical" desktop security features fail.

Seems like the ISPs should then offer "Zombie Insurance", wherein they would do whatever it takes to remove the offending software from your machine up to and including sending a tech out.

Of course, they'd offer a discount to people who enrolled in their "certified" program wherein they can check to make sure you've got Automatic Updates turned on and proper desktop security software installed.

Before I re-engage, I will preface my comment with a statement that I don't believe Microsoft influences Dan's position on our current discussion line in any way.

But I'll take issue with Dan's characterization that "no reasonable person would assign responsibility to the host OS to restrict access to the network to authorized programs".

First, Microsoft has included increasing levels of this capability in every version of Windows that I can recall since Windows 98 EE. If these are unnecessary features that cannot reasonably be expected of an OS vendor, then why is Microsoft spending tens to hundreds of millions of dollars implementing them? In my mind, the debate may be with "how much" not "if" a reasonable person can expect them to be included.

Second, given Kevin's scenario (Assume I'm running Windows XP. I have Microsoft's Automatic Updates turned on. I've installed the full spectrum versions of PC-cillin, McAfee, or Norton, set its update frequency at maximum, and set it to perform real time scans of email and Web.) ... the configuration options in Windows versions are so complex, they can easily lead a consumer to configure their machine in such a way that their machine is updated, McAfeed, and still vulnerable to infection. A simple example is misconfiguring Internet connection sharing.

Third, "who pays" for the desktop security software and for the other costs associated with zombie defense is an issue of total welfare. And given that this is a FTC regulatory action, any consideration of policy should be accompanied by an economic analysis of total welfare. If the economic model points to Microsoft sharing the cost for zombie defense then a reasonable person would conclude that this could be expected from the company.

i am an idiot and i am lead by richard simmons
