bot roast

Cyber-crime

A good bot roast
Jun 21st 2007
From The Economist print edition


Lawmen get to grips with audacious computer-rustlers

MOST people would hate it if criminals impersonated them in order to commit crimes. But that is just what happens when the emerging gang of wrongdoers called “bot-herders” hijack other people's computers, stitch them together in a “botnet” and use them to send spam, steal data or disrupt the internet.

Public opinion is untroubled, or sees them as a mere irritant: an obscure, geeky sort of prankster. But law-enforcement officials in many countries view them as a ballooning threat. America's Federal Bureau of Investigation (FBI) calls botnets a danger to national security, the national information infrastructure and the economy. Botnet attacks last month on Estonia, during a row with Russia over a Soviet-era war memorial, attracted close attention from NATO, the Pentagon and other government agencies.

Now the FBI has announced the first successes in what it calls “Operation Bot Roast”.

This investigation, the largest to date, has led to indictments against three men accused of using up to 1m hijacked computers, many of them outside America, for criminal purposes. If convicted, they face long prison terms.

As the criminal-justice system grinds into action against cyber-criminals, civil lawsuits are beginning too. An American pharmaceutical company, Abbott Laboratories, is suing a French group of AIDS campaigners, Act Up-Paris, for allegedly crashing its website in April. The activists complain that Abbott is overcharging people in poor countries for its drugs.

The FBI hopes that the latest operation will not just frighten bot-herders, but also encourage computer-owners to show more public-spiritedness. Shawn Henry, a senior FBI official, thinks that owning a computer should be more like driving a car. “You have to take tests. It's a lot of responsibility being behind the wheel of a 3,000lb piece of machinery.”

But that is not the way the internet works. Most owners of infected computers neither know nor care that their machines may be damaging an unknown person in an unknown way. Initially the FBI said it wanted to track down infected computers in the botnets it had identified and warn their owners. But that is technically difficult, and hugely time-consuming.

Then it advised people worried about their computers' health to call the company that provides their internet service. But the economics of that look flawed. Danny McPherson of Arbor, an internet-security company, points out that most internet providers make only a couple of dollars of profit a month per customer. Having a human being answer a customer's call costs an average of $25. Unsurprisingly, most internet providers strongly prefer their customers not to call, or offer advice only via a premium-rate line.

That reflects a deeper problem: though cyber-hygiene is a public good, it is unclear who should pay for it, or who can be sued for careless behaviour (or worse) that leads to the pollution of the internet. Individual conscientiousness has its limits. Given the hundreds of thousands of new threats recorded each year, a really solid anti-virus protection should update every few minutes, notes Mr McPherson. But that's not practical. Most such software is more lucrative than effective. It works against less than half the extant threats, a level he calls “pathetic”. It can be compared to a car seatbelt—a precaution, but no substitute for safe driving.

A partial answer to botnets lies in better defences and detection. New software tends to be less vulnerable than old versions (though nothing prevents people running old, cheap and dangerous browsers and e-mail programs if they choose). It is becoming easier to identify botnets and to spot the clever and scary ones quickly. As botnets evolve from simple vandalism to sophisticated criminality, people take them more seriously. “If your machine is owned by an outsider it can be used at night to attack someone else. But it can also be used to steal your personal information,” says Martin Lindner of Carnegie Mellon University, who works with the American government on internet security.

A second difficulty is that cyber-crime does not respect national borders. The recent FBI investigation targeted American bot-herders with mainly American victims. But in plenty of countries, running a botnet is either not illegal at all, or can be done with impunity. The American administration may quibble about multilateral law enforcement on some issues. But its cyber-sheriffs want an international posse, as soon as possible.