A practical resource for managing advanced persistent threats (APTs)
One congressman's opposition to SOPA worth noting

SOPA: a great example of failing to know your enemy...or your friends

Proponents of SOPA want Congress to believe that DNS filtering will strike a death blow to online piracy. They argue that preventing the domain names that criminals use for infringing sites from resolving to Internet addresses will prevent criminals from distributing copyrighted material or selling knockoff versions of "brand" goods.

The premise is false.


Photo by LesHoward

Know Your Enemy

If we have learned nothing else about electronic crime in the past decade, we do know one thing for certain. Online criminals adapt.

When an attack, stealth, or evasion technique ceases to be effective, online criminals try something different. A recent article at Dark Reading reports that security consultants and government agencies are tracking a dozen groups responsible for advanced persistent threats. What these parties have learned about one group in particular provides a wonderful teaching moment for SOPA proponents. 

APT actors identified as the Comment Crew uses HTML comments (information for web developers that is not use by a browser to render a page) to remotely control infected computers that form its botnet. An obvious countermeasure here is to strip comments from web traffic. This will disrupt communications, the botnet will be contained, and additional measures will be taken to dismantle it. 

Blocking HTML comments will be effective against Comment Crew, but for how long? History suggests that the answer is "not long at all". Does anyone seriously believe that the Comment Crew will throw their hands up in dismay and abandon their criminal or state sponsored activities?  The Comment Crew will employ a different means to communicate with its bots; specifically, they'll find a way to bypass or evade the countermeasures deployed against them.  

An important aside here is that stripping HTML comments is a good example of a proportional measure. Organizations or ISPs will voluntarily implement the HTML comment filtering countermeasure at their own site. They will enforce it within the boundaries of their own administrative domain, and will try not to harm or interfere with the daily operations of other networks in the process. Blocking the domain names of every web site that hosts HTML containing comments is not proportional. It overreaches, the results are unpredictable, and there is a high probability of disruption of desired and intended operations or collateral damage.

An unintended consequence of implementing Draconian filters when a more granular solution would suffice is that not only will criminal actors seek a way to evade such measures but legitimate users will do so as well. In Mandates Can't Alter the Facts, Paul Vixie explains that users will evade mandated filtering by using any of "dozens if not thousands of off-shore Domain Name servers they can switch to with the click of a mouse." Paul's claim is corroborated by a recent Cisco 2011 Security Report that 7 of 10 employees admit to violating IT policies in order to access the Internet. We live in a world where the prevailing attitude is that Internet access is a basic human right, US citizens will no doubt scoff the law. 

[ED: With nearly perfect timing for my article, an Addon for Mozilla Firefox - DNS Evasion to Stop Oppressive Policy in America (DeSOPA) - is now available. "When turned on, DeSopa intercepts URLs, sends the base URL to three offshore DNS services via HTTP, makes a best effort to check that two of them are equivalent, caches the IP for the browser session, redirects to the equivalent URL using the IP, and substitutes out the domain name in the source code with the IP address for future requests."]

Comment Crew is one of dozens I could cite to illustrate that SOPA proponents neither understand nor respect their adversaries. SOPA presupposes that criminals, faced with a DNS filtering shock and awe campaign, will fold tents and leave the Internet. Good luck with this.

Friend or Foe?

Sadly, SOPA proponents neither know nor respect their friends nor do they distinguish friend from foe. Individuals who oppose SOPA are portrayed as "pro-piracy", insensitive to the harm and loss musicians suffer, and other equally ludicrous characterizations. 

Does anyone seriously think that the best Internet and security minds in the world have never considered broad brush filtering of domain names as a measure to stop online piracy? We have, and we concluded long ago that this measure will not work, is not scalable or enforceable, and not without consequences. Despite this, SOPA proponents argue something along the lines of "despite the warnings and criticisms you've offered regarding DNS filtering we still want to add the considerable weight of federal legislation and force everyone to use it because doing this is better than doing nothing." In doing so, these proponents dismiss and disrespect the members of the technical community that work daily to defeat all forms of online criminal activity. Ironically, some of these members are employed by the very organizations most vocal in supporting SOPA, and they are probably collaborating with security and law enforcement to takedown a piracy site as you read this article. 


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.