On Wed, 12 Nov 2008, Kee Hinckley wrote:
After reading this, and the (Washington Post I believe--I'm away from my
laptop right now) article on this, two things are bothering me.
The article expressed a good deal of frustration with the (lack of) speed
with which law enforcement has been tackling these issues. What wasn't clear
was whether any attempt had been made to involve them prior to the shutdown.
At the very least, it seems that this makes any prosecution more difficult.
While it appears that folks did a great job of following the network
connections--to nail the individuals involved you need to follow the money.
Even worse, what if the FBI *was* investigating them already, and now their
target has been shut down? Unless there was behind-the-scenes cooperation
that hasn't been reported, someone (on either the technical or law
enforcement side) was not behaving responsibly. This should have been a
coordinated shutdown--simultaneously involving closing network connections
and arresting individuals.
Secondly, aren't we still playing whack-a-mole here? The network controlled
over a million compromised PCs. Those machines are still compromised. Since
the individuals who controlled them are evidently still at large, I think
it's safe to assume that the keys to those machines are still out there. If
that's the case, then those machines will be up and spamming again inside of
a week. The only thing that might delay that would be if the primary payment
processors really were taken offline as well. I don't want to open the
"counter-virus" can of worms. But how hard would it have been to identify the
control sequences for those PCs and change them to random sequences? Shutting
down a central control center is good news, but taking 1.5 million PCs
permanently (at least until next infection) out of a botnet would be really
impressive.
Maybe more information will prove me wrong, but right now this seems more
like a lost opportunity than a great success. I was quite surprised to hear
that so many operations were centralized in one place. I doubt that
opportunity is going to come again.
All your points sound valid to me, but I am already proved wrong that
while I believed this to be a great precedent and a strategic move... it
wouldn't happen again. It did... twice, since Atrivo, Estdomians (kinda)
and now mccolo.
Kee Hinckley
CEO/CTO Somewhere, Inc.
