<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Andrew Ringler</title>
	<atom:link href="http://www.andrewringler.com/wp/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.andrewringler.com/wp</link>
	<description>me, film, security, technology and more</description>
	<lastBuildDate>Sat, 22 May 2010 16:25:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Everything In Its Place</title>
		<link>http://www.andrewringler.com/wp/2010/05/22/everything-in-its-place/</link>
		<comments>http://www.andrewringler.com/wp/2010/05/22/everything-in-its-place/#comments</comments>
		<pubDate>Sat, 22 May 2010 16:18:14 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Films]]></category>

		<guid isPermaLink="false">http://www.andrewringler.com/wp/?p=136</guid>
		<description><![CDATA[When a new woman comes to live with Wilma Weatherby she is given a new perspective on life. The film was produced for the Boston 48 Hour Film Project in May 2010.  The 48 Hour Film Project comes to many cities; in Boston about 100 directors each produced a 4-7 minute film in 48 hours. [...]]]></description>
			<content:encoded><![CDATA[<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="480" height="270" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.openfilm.com/flvplayer5.swf?link=http://www.openfilm.com/player/video/?&amp;video_id=24050&amp;lang=en_us&amp;sort_id=1&amp;color1=0xa2a2a2&amp;color2=0x3e3e3e" /><embed type="application/x-shockwave-flash" width="480" height="270" src="http://www.openfilm.com/flvplayer5.swf?link=http://www.openfilm.com/player/video/?&amp;video_id=24050&amp;lang=en_us&amp;sort_id=1&amp;color1=0xa2a2a2&amp;color2=0x3e3e3e" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>When a new woman comes to live with Wilma Weatherby she is given a new perspective on life.  The film was produced for the Boston 48 Hour Film Project in May 2010.  The 48 Hour Film Project comes to many cities; in Boston about 100 directors each produced a 4-7 minute film in 48 hours.  We had to randomly pick a genre Friday night and were then given a few required plot elements.  We had to meet the following requirements:</p>
<ul>
<li>The required line of dialog was &#8220;You win some, you lose some&#8221;</li>
<li>The required prop was &#8220;a scale&#8221;</li>
<li>The required character was &#8220;Winston or Wilma Weatherby, Gardener&#8221;</li>
<li>I chose the genre &#8220;Film Noir&#8221; out of a bag of genres</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewringler.com/wp/2010/05/22/everything-in-its-place/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Cares if the BBC Hacks 22,000 Machines?</title>
		<link>http://www.andrewringler.com/wp/2009/03/14/who-cares-if-the-bbc-hacks-22000-machines/</link>
		<comments>http://www.andrewringler.com/wp/2009/03/14/who-cares-if-the-bbc-hacks-22000-machines/#comments</comments>
		<pubDate>Sat, 14 Mar 2009 16:21:22 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.andrewringler.com/wp/?p=119</guid>
		<description><![CDATA[In a recent publicity stunt the BBC program Click used a botnet in coordination with the security firm Prevx to send out spam and perform a DDoS (distributed denial of service) attack. They first obtained two email accounts, one with gmail and one with hotmail. They then commanded each online PC controlled by the botnet [...]]]></description>
			<content:encoded><![CDATA[<p>In a recent publicity stunt the BBC program Click used a botnet, in coordination with the security firm <a href="http://www.prevx.com/">Prevx</a>, to send out spam and perform a DDoS (distributed denial of service) attack.  They first obtained two email accounts, one with Gmail and one with Hotmail.  They then commanded each online PC controlled by the botnet to send 500 spam emails to each of the Gmail and Hotmail accounts.  This news segment is called <a href="http://news.bbc.co.uk/2/hi/programmes/click_online/7932816.stm">&#8220;BBC team exposes cyber crime risk&#8221;</a>.  In the DDoS attack they ordered the botnet to attack a test site that had been set up by Prevx, and stopped the attack once 60 online botnet machines had joined in.  This news segment is called <a href="http://news.bbc.co.uk/2/hi/programmes/click_online/7940485.stm">&#8220;How Cyber criminals attack websites&#8221;</a>.  After the botnet attacks were complete they ordered the botnet to change the desktop wallpaper of the controlled PCs to a warning message from the BBC stating that the PC had been infected.</p>
<p>A bit of background to put this into context.  A <a href="http://en.wikipedia.org/wiki/Botnet">botnet</a> is a collection of compromised computers that are all controlled by a single entity.  Typically a hacker writes a virus that infects hundreds or thousands of machines, anything from home computers to government and military supercomputers.  The virus then notifies its creator of each infection, or the creator actively scans for infected machines.  The virus provides some means for the creator to log onto the infected computers and issue commands.  In the BBC&#8217;s case, they logged onto hacker chat forums and purchased access to a botnet that a hacker was already controlling.  We could certainly speak to the ethical arguments against paying a criminal for unauthorized access to 22,000 computers.</p>
<p>The first attack is against the terms of service of both Gmail and Hotmail.  Bombarding Gmail with spam goes against Gmail&#8217;s <a href="http://www.google.com/accounts/TOS?hl=en">terms of service</a>: &#8220;5.4 You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services).&#8221; as well as <a href="http://help.live.com/help.aspx?project=tou&#038;mkt=en-us">Hotmail&#8217;s</a>: &#8220;damage, disable, overburden, or impair the service (or the network(s) connected to the service) or interfere with anyone&#8217;s use and enjoyment of the service; &#8221;.  It is also most likely against the terms of service of the many ISPs that the individual infected PCs of the botnet were connected to.  And it is of course illegal to gain unauthorized access to 22,000 computers and then order those computers to perform various functions.</p>
<p>Similar arguments apply to the DDoS attack.  The dangers of making use of this botnet should have been obvious to the BBC and certainly to the &#8220;security firm&#8221; Prevx.  Prevx had no proof of the stability of the software that was controlling the botnet.  What if, when they ordered the botnet to attack their test server, a bug in the bot&#8217;s DNS client had caused the PCs to attack CNN.com instead?  What if there was also a bug in the botnet&#8217;s authentication server and, after 1000 machines had been ordered to attack, that server crashed and they were unable to stop the attack?  These are questions that have been thought through many times, and they are precisely the reason why virus research of this type is conducted on isolated test networks.</p>
<p>The last action the BBC took is also quite dangerous.  They crafted an image explaining that the user&#8217;s PC had been infected and giving instructions on how to remove the infection, then ordered the botnet to change the desktop wallpaper of all 22,000 infected machines to that image.  There are several problems with doing this, and they have all been discussed thoroughly before.  The idea that one could use viruses to actually help infected machines is certainly compelling.  Bruce Schneier talks a bit about this in the entry titled <a href="http://www.schneier.com/crypto-gram-0309.html">&#8220;Benevolent Worms&#8221;</a>.  It is an excellent post and certainly worth reading.  He mentions the worm &#8220;called Blast.D or Nachi, it infects computers through the same vulnerability that Blaster did. When it infects a computer, it finds and deletes Blaster, and then applies the Microsoft patch to the computer so that the vulnerability is closed and Blaster cannot reinfect. It then scans the network for other infected machines and repairs them, too.&#8221;  The basic argument against using a worm (or in this case a botnet) to automatically fix a computer is unintended consequences.  Performing updates and upgrades to computers is hard to get right.  When a company like IBM has to upgrade Windows XP on thousands of computers you can be sure they will thoroughly test the upgrade before rolling it out to all the production machines.  It often happens that a well-intended Microsoft update renders a necessary program unable to load.  If you have ever had &#8220;funny&#8221; things happen after a Windows update you will get the idea.  The BBC case of &#8220;merely&#8221; changing the desktop wallpaper on someone&#8217;s machine is no different: there could have been a bug in the wallpaper-changing routine that crashed the computer, or someone could have been using the desktop wallpaper content for a public billboard.</p>
<p>The BBC and Prevx would do well to read up on a bit of history.  On November 2, 1988 Robert Tappan Morris launched the <a href="http://en.wikipedia.org/wiki/Internet_Worm">Morris worm</a> from MIT; it was meant to estimate the size of the internet.  Unfortunately, the worm spread too rapidly, causing a denial of service and an estimated $10M to $100M in damage.  Morris got three years&#8217; probation, 400 hours of community service, and a $10,000 fine.  It has been shown many times that it is not lawful to gain unauthorized access to systems for any purpose (at least in the U.S.).  The high-profile trials of both <a href="http://en.wikipedia.org/wiki/Kevin_mitnick">Kevin Mitnick</a> and <a href="http://en.wikipedia.org/wiki/Kevin_Poulsen">Kevin Poulsen</a> certainly helped establish this.  I hope for our sake that the BBC&#8217;s hacking days are over.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewringler.com/wp/2009/03/14/who-cares-if-the-bbc-hacks-22000-machines/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Top 25 Lists Still Matter</title>
		<link>http://www.andrewringler.com/wp/2009/01/22/why-top-25-lists-still-matter/</link>
		<comments>http://www.andrewringler.com/wp/2009/01/22/why-top-25-lists-still-matter/#comments</comments>
		<pubDate>Thu, 22 Jan 2009 05:50:28 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.andrewringler.com/wp/?p=116</guid>
		<description><![CDATA[MITRE and the SANS Institute, in an international collaboration, have recently published an excellent list of security errors: CWE/SANS TOP 25 Most Dangerous Programming Errors.  They are broken up into three main categories: &#8220;Insecure Interaction Between Components&#8221;, &#8220;Risky Resource Management&#8221; and &#8220;Porous Defenses&#8221;. Most of the entries are very generic and represent [...]]]></description>
			<content:encoded><![CDATA[<p>MITRE and the SANS Institute, in an international collaboration, have recently published an excellent list of security errors: <a href="http://www.sans.org/top25errors/">CWE/SANS TOP 25 Most Dangerous Programming Errors</a>.  They are broken up into three main categories: &#8220;Insecure Interaction Between Components&#8221;, &#8220;Risky Resource Management&#8221; and &#8220;Porous Defenses&#8221;.  Most of the entries are very generic and represent modern embodiments of well-known attack vectors.  Ivan Arce, CTO of Core Security Technologies Inc., provides the most insightful testimonial on the SANS website: &#8220;This is the first serious attempt at building a taxonomy of software security weaknesses and flaws with an emphasis on the practical application of identifying, preventing and fixing or mitigating the issues they pose. It is a necessary and long overdue step towards creating a common language for the software development and security communities &#8230;&#8221;</p>
<p>Gary McGraw summarizes some of his complaints with the list in his post: <a href="http://www.informit.com/articles/article.aspx?p=1322398">Software [In]security: Top 11 Reasons Why Top 10 (or Top 25) Lists Don’t Work</a>.  Gary&#8217;s 2nd item reads: &#8220;&#8230; Top ten lists tend to focus on bugs, to the detriment of any attention for design-level problems.&#8221;</p>
<p>I would disagree with Gary and argue that real-world examples of attacks are what actually drive security design best practice.  Even in principle, an attack must be conceived before a programmer can design defensively against it.  For example the SANS item CWE-426: Untrusted Search Path reads &#8220;If the search path is under attacker control, then the attacker can modify it to point to resources of the attacker&#8217;s choosing.&#8221;  Once a programmer is aware of this type of attack it drives the future design of, and the care taken over, externally configurable application start-up state.  Other items on the SANS list equally drive design choices, such as CWE-602: Client-Side Enforcement of Server-Side Security.</p>
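<p>To make the CWE-426 item concrete, here is an added example (not from the SANS list or from the original post) showing the weakness and the design choice it drives.  It is written in Python so it runs anywhere; the directory tree, the file name <code>tool</code> and the function names <code>find_in_path</code> and <code>find_in_trusted_path</code> are all constructed for the example.  The vulnerable lookup walks a caller-supplied PATH-style string and returns the first hit, so whoever controls that string controls which <code>tool</code> gets run.  The hardened lookup ignores the environment entirely and consults only a program-fixed allowlist of absolute, non-world-writable directories, which is exactly the &#8220;care over externally configurable start-up state&#8221; the paragraph above describes.</p>

```python
"""CWE-426, Untrusted Search Path: a PATH-style lookup that trusts its input,
beside a hardened lookup that consults only an allowlist of safe directories.

Constructed fixture (not a real system layout): a temporary tree with an
attacker-writable directory and a trusted directory, each holding a file
named 'tool'. The attacker puts the writable directory first on the path.
"""
import os
import shutil
import stat
import tempfile
from typing import Dict, Optional, Sequence


def find_in_path(name: str, search_path: str) -> Optional[str]:
    """Vulnerable: returns the first match along a caller-supplied,
    PATH-like string. Whoever controls that string (environment, config
    file, registry key) controls which 'tool' gets run."""
    for entry in search_path.split(os.pathsep):
        directory = entry or "."  # an empty entry means 'current directory'
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def find_in_trusted_path(name: str, trusted_dirs: Sequence[str]) -> Optional[str]:
    """Hardened: the search path is fixed by the program, not the environment.
    Each directory must be absolute, must exist, and must not be writable by
    group or others (POSIX mode bits); the hit must be a regular file, not a
    symlink the attacker could point somewhere else."""
    for directory in trusted_dirs:
        if not os.path.isabs(directory):
            continue
        try:
            mode = os.stat(directory).st_mode
        except OSError:
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and not os.path.islink(candidate):
            return candidate
    return None


def build_fixture() -> Dict[str, str]:
    """Create the constructed directory tree and return its paths."""
    root = tempfile.mkdtemp(prefix="cwe426_")
    trusted = os.path.join(root, "trusted_bin")
    attacker = os.path.join(root, "attacker_dir")
    os.mkdir(trusted)
    os.mkdir(attacker)
    os.chmod(trusted, 0o755)   # owner-writable only
    os.chmod(attacker, 0o777)  # world-writable, like /tmp
    for d in (trusted, attacker):
        with open(os.path.join(d, "tool"), "w") as fh:
            fh.write("#!/bin/sh\necho tool from %s\n" % os.path.basename(d))
    return {"root": root, "trusted": trusted, "attacker": attacker}


def demo() -> Dict[str, bool]:
    """Run both lookups against the same attacker-ordered search path."""
    fx = build_fixture()
    try:
        attacker_path = os.pathsep.join([fx["attacker"], fx["trusted"]])
        vulnerable = find_in_path("tool", attacker_path)
        hardened = find_in_trusted_path("tool", [fx["attacker"], fx["trusted"]])
        rejected = find_in_trusted_path("tool", [".", fx["attacker"]])
        return {
            "vulnerable_ran_attacker_tool":
                vulnerable is not None and os.path.dirname(vulnerable) == fx["attacker"],
            "hardened_ran_trusted_tool":
                hardened is not None and os.path.dirname(hardened) == fx["trusted"],
            "hardened_rejects_relative_and_writable": rejected is None,
        }
    finally:
        shutil.rmtree(fx["root"], ignore_errors=True)


if __name__ == "__main__":
    for check, ok in demo().items():
        print("%-40s %s" % (check, "yes" if ok else "NO"))
```

<p>The same shape of bug appears wherever a program resolves a name through a list it did not fix itself: <code>PATH</code> and <code>LD_LIBRARY_PATH</code> on Unix, the DLL search order on Windows, a Java or Python module path read from a config file.  The fix is the same in each case: pin the directories, reject relative entries, and refuse locations an unprivileged user can write to.</p>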
<p>Gary goes on to state: &#8220;.. Bug lists change with the prevailing technology winds&#8230;&#8221;.  Really?  The SANS top 25 list is actually quite generic, save a few items.  The following items are very general, have been known for decades, and continue to be relevant and problematic security issues: &#8220;External Control of Critical State Data&#8221;, &#8220;Incorrect Calculation&#8221;, &#8220;Improper Input Validation&#8221;, &#8220;Failure to Preserve OS Command Structure&#8221;, &#8220;Cleartext Transmission of Sensitive Information&#8221;, &#8220;Error Message Information Leak&#8221; and &#8220;Improper Encoding or Escaping of Output&#8221;.  All of these items from the top 25 list represent general attack vectors relevant to a wide variety of programming languages and domains.</p>
<p>If you haven&#8217;t already I would highly recommend checking out the <a href="http://www.sans.org/top25errors/">CWE/SANS TOP 25 Most Dangerous Programming Errors</a>.  It represents a great base of common attacks.  Learning these should be a good step towards thinking defensively, designing defensively and coding defensively.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewringler.com/wp/2009/01/22/why-top-25-lists-still-matter/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Urban Jumble (2008)</title>
		<link>http://www.andrewringler.com/wp/2008/11/27/urban-jumble/</link>
		<comments>http://www.andrewringler.com/wp/2008/11/27/urban-jumble/#comments</comments>
		<pubDate>Thu, 27 Nov 2008 16:03:58 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Films]]></category>

		<guid isPermaLink="false">http://www.andrewringler.com/wp/?p=114</guid>
		<description><![CDATA[A short created by a hand-drawn animation class I took with Karen Aqua and Ken Field at Somerville Community Access Television. Each student created drawings that they would animate into another student&#8217;s drawings. Ken and Karen produced the video. I was responsible for the no-parking sign, the mailbox, the barber pole and the compass.]]></description>
			<content:encoded><![CDATA[<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/rCeYA4hQRIM&#038;hl=en&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/rCeYA4hQRIM&#038;hl=en&#038;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>
<p>A short created by a hand-drawn animation class I took with Karen Aqua and Ken Field at Somerville Community Access Television.  Each student created drawings that they would animate into another student&#8217;s drawings.  Ken and Karen produced the video.  I was responsible for the no-parking sign, the mailbox, the barber pole and the compass.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewringler.com/wp/2008/11/27/urban-jumble/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Something About Shoes (2008)</title>
		<link>http://www.andrewringler.com/wp/2008/09/20/something-about-shoes-2008/</link>
		<comments>http://www.andrewringler.com/wp/2008/09/20/something-about-shoes-2008/#comments</comments>
		<pubDate>Sat, 20 Sep 2008 16:14:06 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Films]]></category>

		<guid isPermaLink="false">http://www.andrewringler.com/wp/?p=104</guid>
		<description><![CDATA[Just a little something about shoes. A short documentary exploring the casual shoe owner, the shoe store owner and the connoisseur. How do you feel about your shoes? Shot in HDV, completed in 2008.]]></description>
			<content:encoded><![CDATA[<p><object width="480" height="360"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://openfilm.com/flvplayer5.swf?link=http://openfilm.com/player%2Fvideo%2F%3F%26video%5Fid%3D1428%26lang%3Den%5Fus%26sort%5Fid%3D1&#038;color1=0x555555&#038;color2=0x000000&#038;embed=true&#038;showsettings=false&#038;autostart=false&#038;reload_on_video_click=true&#038;fullscreen=true"/><embed src="http://openfilm.com/flvplayer5.swf?link=http://openfilm.com/player%2Fvideo%2F%3F%26video%5Fid%3D1428%26lang%3Den%5Fus%26sort%5Fid%3D1&#038;color1=0x555555&#038;color2=0x000000&#038;embed=true&#038;showsettings=false&#038;autostart=false&#038;reload_on_video_click=true&#038;fullscreen=true" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480"  height="360"></embed></object></p>
<p>Just a little something about shoes. A short documentary exploring the casual shoe owner, the shoe store owner and the connoisseur. How do you feel about your shoes? Shot in HDV, completed in 2008.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewringler.com/wp/2008/09/20/something-about-shoes-2008/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Happy as an Oyster (2006)</title>
		<link>http://www.andrewringler.com/wp/2008/09/18/happy-as-an-oyster/</link>
		<comments>http://www.andrewringler.com/wp/2008/09/18/happy-as-an-oyster/#comments</comments>
		<pubDate>Fri, 19 Sep 2008 03:18:24 +0000</pubDate>
		<dc:creator>andrew</dc:creator>
				<category><![CDATA[Films]]></category>

		<guid isPermaLink="false">http://www.andrewringler.com/wp/?p=101</guid>
		<description><![CDATA[A short day-in-the-life film that explores the simplicity of everyday life. A young woman rakes for oysters at sunrise and photographs professionally by day. Shot on 16mm B/W reversal in the Fall of 2006.]]></description>
			<content:encoded><![CDATA[<p><object width="480" height="360"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://openfilm.com/flvplayer5.swf?link=http://openfilm.com/player%2Fvideo%2F%3F%26video%5Fid%3D1421%26lang%3Den%5Fus%26sort%5Fid%3D1&#038;color1=0x555555&#038;color2=0x000000&#038;embed=true&#038;showsettings=false&#038;autostart=false&#038;reload_on_video_click=true&#038;fullscreen=true"/><embed src="http://openfilm.com/flvplayer5.swf?link=http://openfilm.com/player%2Fvideo%2F%3F%26video%5Fid%3D1421%26lang%3Den%5Fus%26sort%5Fid%3D1&#038;color1=0x555555&#038;color2=0x000000&#038;embed=true&#038;showsettings=false&#038;autostart=false&#038;reload_on_video_click=true&#038;fullscreen=true" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480"  height="360"></embed></object></p>
<p>A short day-in-the-life film that explores the simplicity of everyday life. A young woman rakes for oysters at sunrise and photographs professionally by day. Shot on 16mm B/W reversal in the Fall of 2006.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.andrewringler.com/wp/2008/09/18/happy-as-an-oyster/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

