Business - Written by Jeff DeChambeau on Monday, September 8, 2008 10:58 - 3 Comments
Facebook: the silent botnet
Wired’s Threat Level has a story up about how researchers have created a Facebook application that’s capable of delivering Distributed Denial of Service (DDoS) attacks using nothing more than a Facebook application and its users. The application, Photo of the Day, is installed by users who want a daily photograph. When users load up the page/photo of the day, the application sends a request to a third-party server (the one being attacked) for a large file, usually a high-resolution image. This high-resolution image is silently downloaded to the user’s computer and not displayed. The effect is that by simply using the application, users are draining bandwidth from some targeted server. If enough users use the application in this way, the server could get overloaded with requests and rendered inaccessible to the people who are actually trying to visit it.
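As an added defender-side example (not from the post, Wired, or the researchers), here is a small log check for the pattern described above: many distinct clients fetching the same large file while the Referer points at a page on some third-party site. The combined log format, the host names, the sample log lines and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Regex for the Apache/nginx "combined" log format (assumed; the post shows no logs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: three distinct clients pull the same large image with a Referer
# from a third-party app host; one legitimate embed from our own site; one small page.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Sep/2008:10:00:01 +0000] "GET /images/hires.jpg HTTP/1.1" 200 2400000 "http://apps.social.example/photooftheday/" "Mozilla/5.0"
203.0.113.11 - - [08/Sep/2008:10:00:03 +0000] "GET /images/hires.jpg HTTP/1.1" 200 2400000 "http://apps.social.example/photooftheday/" "Mozilla/5.0"
203.0.113.12 - - [08/Sep/2008:10:00:04 +0000] "GET /images/hires.jpg HTTP/1.1" 200 2400000 "http://apps.social.example/photooftheday/" "Mozilla/5.0"
198.51.100.7 - - [08/Sep/2008:10:00:05 +0000] "GET /images/hires.jpg HTTP/1.1" 200 2400000 "http://example.org/gallery" "Mozilla/5.0"
198.51.100.8 - - [08/Sep/2008:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_hotlink_floods(lines, own_host="example.org", min_bytes=500_000, min_clients=3):
    """Group large-file requests by (path, Referer host) and report groups where at least
    min_clients distinct IPs fetched the same file embedded by a site other than our own.
    A production check would also bucket by time window; that is omitted here."""
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["bytes"] < min_bytes:
            continue
        ref_host = urlparse(rec["referer"]).hostname or ""
        if ref_host and not ref_host.endswith(own_host):
            clients[(rec["path"], ref_host)].add(rec["ip"])
    return {key: len(ips) for key, ips in clients.items() if len(ips) >= min_clients}

if __name__ == "__main__":
    for (path, host), n in find_hotlink_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{n} distinct clients fetched {path} via pages on {host}")
```

A hit on such a group is a cue to rate-limit or deny the offending Referer host for that resource, which is the usual hotlink defence and costs the legitimate site nothing.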
The researchers chose to point the hidden attack at their own server, of course — but were surprised that more than 1,000 Facebook users installed the application, even though they only mentioned it to friends.
That led to a peak of 300 requests per hour and on its peak day, the traffic went above 6 Mbits per second.
It’s a pretty clever attack. But 6 Mbit/s isn’t really that much; it’s roughly equivalent to the maximum speed of a typical DSL connection (or double the speed of a typical DSL connection if your building, like mine, has old copper wiring). Given enough users and sufficiently large target files, this attack could be pretty potent.
Distributed attacks like these are not new, but using a social networking platform in this way, instead of unguarded IIS installs, is new. Arguably this is the next step from MySpace/MSN virus spam, where an account is breached and it messages all of its contacts, requesting that they “install a picture” — which is actually the attack software. But this is the first time that I’ve seen an attack like this that actually delivers value to the nodes (in this case, the application users).
Nefarious hackers have already had users willingly (albeit unknowingly) participate in illegal online activities. In another very clever move, spammers were able to get users to solve CAPTCHAs in exchange for free porn (the link is clean). They used these results to sign up for online email accounts, likely to be used to sell pharmaceuticals back to those same users.
All of this seems to bring about, once again, the conclusion that technology is not inherently good or evil, but a) people will use it to do bad things (or to expose them, like the Facebook researchers), and b) users need to be protected, most often from themselves and their unsafe computing habits.
I think that the problem with b) is that computer security education, while quickly growing in importance, simply isn’t sexy. So instead of safe habits, annoying security applications are phoned in. As computing power moves from the desktop to the cloud, people are going to have to port (or learn) their safe computing habits in a new venue; otherwise it’s going to really be the wild west, where no server or account is safe from harm. Facebook is just the latest example.
Also, and this isn’t exactly Wikinomics related, but the BBC has a great piece on the history of the construction of the Large Hadron Collider. Check it out.