David Dittrich

P2P as botnet command and control: A deeper insight

The research community is now focusing on the integration of peer-to-peer (P2P) concepts as incremental improvements to distributed malicious software networks (now generically referred to as botnets). While much research exists in the field of P2P in terms of protocols, scalability, and availability of content in P2P file sharing networks, less exists (until this last year) in terms of the shift in C&C from central C&C using clear-text protocols, such as IRC and HTTP, to distributed mechanisms for C&C where the botnet becomes the C&C, and is resilient to attempts to mitigate it. In this paper we review some of the recent work in understanding the newest botnets that employ P2P technology to increase their survivability, and to conceal the identities of their operators. We extend work done to date in explaining some of the features of the Nugache P2P botnet, and compare how current proposals for dealing with P2P botnets would or would not affect a pure-P2P botnet like Nugache. Our findings are based on a comprehensive 2-year study of this botnet.

Computer Science Security Research and Human Subjects: Emerging Considerations for Research Ethics Boards

This paper explores the growing concerns with computer science research, and in particular, computer security research and its relationship with the committees that review human subjects research. It offers cases that review boards are likely to confront, and provides a context for appropriate consideration of such research, as issues of bots, clouds, and worms enter the discourse of human subjects review.

Building an Active Computer Security Ethics Community

In spite of significant ethical challenges faced by researchers evaluating modern threats, the computer security field has yet to grow its own active ethics community to describe and evaluate the ethical implications of its work. Modern threats such as denial-of-service (DoS) attacks, worms, viruses, phishing, and botnets underscore the need for Internet security research in an increasingly networked and computationally reliant society. This research involves not only appropriate responses but also difficult issues of privacy and responsible disclosure of vulnerability information.

A case study in ethical decision making regarding remote mitigation of botnets

It is becoming more common for researchers to find themselves in a position of being able to take over control of a malicious botnet. If this happens, should they use this knowledge to clean up all the infected hosts? How would this affect not only the owners and operators of the zombie computers, but also other researchers, law enforcement agents serving justice, or even the criminals themselves? What dire circumstances would change the calculus about what is or is not appropriate action to take? We review two case studies of long-lived malicious bot-nets that present serious challenges to researchers and responders and use them to illuminate many ethical issues regarding aggressive mitigation. We make no judgments about the questions raised, instead laying out the pros and cons of possible choices and allowing workshop attendees to consider how and where they would draw lines. By this, we hope to expose where there is clear community consensus as well as where controversy or uncertainty exists.

It's not stealing if you need it: a panel on the ethics of performing research using public data of illicit origin

In a world where sensitive data can be published to a worldwide audience with the press of a button, researchers are increasingly making use of datasets that were publicized under questionable circumstances. In many cases, such research would otherwise not be possible. For instance, Weir et al. examined over thirty million user-generated passwords in order to observe the effects of entropy on password cracking [10].

The ethics of social honeypots

This paper considers some of the ethical issues surrounding the study of malicious activity in social networks, specifically using a technique known as social honeypots combined with the use of deception. This is a potentially touchy area of study that is common to social and behavioral research that is well understood to fall within the boundaries of human subjects research that is regulated in the United States and reviewed by institutional review boards, but is not well understood by computer security researchers or those in the private sector. The firestorm of controversy over the 2014 “emotional contagion” study of Facebook users shows that learning about being deceived may itself be the harm, to both those users involved and their trust in researchers and research in general. Should researchers have an obligation to try to find research methods that do not involve deception to achieve the same research results?

An ethical examination of the internet census 2012 dataset: a menlo report case study

In 2012, an anonymous individual used basic techniques such as default or no passwords on Internet access equipment to get unauthorized access and install a scanning botnet on hundreds of thousands of commodity network devices around the world. Making efforts to minimize potential harm, this individual still took actions that would never be sanctioned by an academic ethics review board (and violated computer trespass statutes around the globe), to perform an unprecedented internet-wide scan at a scale and speed never seen before. Then, some results and the raw data were published for anyone to access, raising a host of ethical and legal questions. One central question is whether researchers who, but for the illegally obtained data, could not ethically or legally perform the same experiment or produce the same data themselves should use that data. Might the lack of community condemnation for performing such potentially illegal and unethical experiments create a situation where researchers are effectively encouraging law breaking by those willing to risk getting caught to create data that is otherwise not justifiable to create, simply to allow researchers to get around ethical restrictions? In this paper we examine this event in the context of the guiding principles outlined in the Menlo Report in an attempt to better understand the ethical implications of such actions.

A refined ethical impact assessment tool and a case study of its application

Research of or involving Information and Communications Technology (ICT) presents a wide variety of ethical challenges and the relative immaturity of ethical decision making in the ICT research community has prompted calls for additional research and guidance. The Menlo report, a revisiting of the seminal Belmont report, seeks to bring clarity to this arena by articulating a basic set of ethical principles for ICT research. However the gap between such principles and actionable guidance for the ethical conduct of ICT research is large. In previous work we sought to bridge this gap through the construction of an ethical impact assessment (EIA) tool that provided a set of guiding questions to help researchers understand how to apply the Menlo principles. While a useful tool, experiences in the intervening years have caused us to rethink and expand the EIA. In this paper we: (i) discuss the various challenges encountered in applying the original EIA, (ii) present a new EIA framework that represents our evolved understanding, and (iii) retrospectively apply this EIA to an ethically challenging, original study in ICTR.