Way back in March 2013 the first bounty based security competition was run in Goa at nullcon. I had blogged about this and was happy with the development.
http://infosecgallery.blogspot.in/2013/03/about-bounties-government-ethics-and.html
A recent media report about FB paying about $ 1 m in bug bounty reopened an old discussion about botnets, bounties, ethics and skills available in India. Of course this is an emotional issue and bound to raise passions - some overt and some covert.
I must say that I am a supporter of the actions taken that day in March and the bounty payout. It was all done responsibly and the people who think otherwise have no clue about the event and the actions of the day.
What is surprising is the amount of animosity towards the action taken by the Indian Government organization in carrying out the malware analysis.
This was reported in the media as a botnet takedown as it sounds more exotic and exciting. And this seems to have become the unbecoming of the issue and the bone of contention between the naysayers and the yaysayers.
The argumentative and critical discussions were catalyzed by an academic in that far away land of the pure - the US of A - virtuous, land of liberty and free speech, invader keeper of the world's freedom. All this sounds so funny in the face of the prism and wikileak disclosures.
Well this academic Mr DD, saw the news article (apparently on the newswire) and read the words Botnet Takedown. He got angry at India's action calling it irresponsible and wrote a blog. Apparently his blog is more widely followed than mine and he has more admirers - so this also got carried on the newswire and many forums. All started name calling and criticizing the Indian action.
I went into a meeting with Mr DD and a number of foreign "concerned" netizens to discuss Indian action. In the meeting Mr DD acknowledged that the ONLY source he depended on was the news article and said thanks for clearing the air and was sorry about the misunderstanding.
I have clarified this in Indian Information Security forums but, today, months after the event I find that the thinking of a few of my fellow countrymen is still clouded and biased. Unfortunately this foggy thinking leads to statements which are personal and, at times, sound racist.
Yes maybe India is not ready but then who is ! The US establishment begs China to go easy and China take umbrage on their spy program. On the one hand USA talks about the threat from every country which does not align to their line of thought and on the other hand it unleashed the worlds biggest spy system and digital WMD (stuxnet) when no one knew the spelling of cyberwar.
Well to come back to the criticism of the Indian government malware analysis - the so called botnet takedown - can anyone tell me why so much noise was made about the Indian action ? Why can't the Indian state take offensive action on anything or anyone that is carrying out an attack on the nation. India and any country is very well within their rights to take defensive action and in a cyber attack scenario a defensive action may well be an offensive one.
The BIG question is why are the same Indian and foreign players (Mr DD et al) did not making the same loud noises when Microsoft did a real botnet takedown! This has "ruffled the feathers of the security community" and seems to have "exposed sensitive information that was shared among a handful of researchers"
http://www.eweek.com/security/microsofts-botnet-takedown-campaign-10-reasons-it-keeps-doing-it/http://www.csoonline.com/article/734812/microsoft-criticized-for-botnet-takedown-tacticshttp://krebsonsecurity.com/2012/04/microsoft-responds-to-critics-over-botnet-bruhaha/
Why is there noise only when the Indian establishment did some reverse engineering in public. The same people who throw crap at journalists believed the two words these guys wrote and it seems that they plan to carry it for a lifetime.
That's their choice but then there is more to that particular malware than just this brouhaha about Indian capability, kiddies etc. What was behind this malware was an unpleasant surprise for the establishment.
In conclusion all I can say is that we should start having greater confidence in the capabilities of the establishment. There may be a few good men, but they are trying their best and they all have few good men working with them. Every action may not be best-in-class but then where can one find this level?
The community should work to contribute and has to accept and live with the fact that the government (or establishment) is not agile and works in it's own slow and steady way.
On the other hand the government must realize that it cannot tame this animal alone as it just does not have the capability, capacity, ability or agility to counter cyber threats. The professional community must be brought in to contribute to policy and technology and with open arms and an open mind.
Until then.... que sera sera...
Labels: botnet takedown, botnets, bounty program, india, nullcon