[Beowulf] [tt] World's most powerful supercomputer goes online

Jim Lux James.P.Lux at jpl.nasa.gov
Sat Sep 1 07:38:51 PDT 2007


At 06:23 AM 9/1/2007, Robert G. Brown wrote:
>On Fri, 31 Aug 2007, Jim Lux wrote:
>
>Similarly lots of other problems become tractable to a brute force
>search algorithm when you can dispose of order of 20 petaclocks worth
>of cycles. (Am I multiplying that out right?  10^7 times 2x10^9 =
>2x10^16, 9 is giga, 12 is tera, 15 is peta.  Yup.  Petacycles.).  Brute
>force searches require minimal IPCs, although I'm sure there are
>interesting problems associated with IPCs and data harvesting when it
>has to be done in "stealth" mode and not lead investigators back to you
>and when you need to make it robust against nodes dropping out (being
>cleaned by their owners) and popping back in (as yet another virus
>propagates).

There is a fair amount of literature on such communications problems. 
For instance, the classic Byzantine Generals problem deals with how 
to reliably communicate through (potentially deliberately) unreliable 
channels.  And if the seamier side of the internet isn't byzantine, what is?



>Then there is denial of service.  Everybody knows that this is an
>attack, but few recognize its potential terror value.  Just remember the
>>>cost<< of some of the countdown viruses of years past.  Some of them
>literally shut down the Internet for close to a day -- clogging all the
>main arteries and switch points until hosts were run down one at a time
>and isolated by their hosting ISPs.  The cost of those incidents in real
>dollars, lost productivity, and human misery was easily a billion
>dollars each (I read estimates that were much higher, but I don't want
>to be hyperbolic so let's stay conservative here).

When speaking or writing of world domination, a bit of hyperbole is 
called for, no?



>  A bot-cloud attack
>could be far more costly and last far, far longer, in part because if it
>were well-designed it could shape-shift every five minutes and vary e.g.
>IP number, signature, target.  It could also turn on and off at random
>times to make it very difficult to track each bot back to its infected
>host.  If it times itself to take advantage of one of those two-month
>long window vulnerabilities (yes, a lot of them last for PLENTY of time
>for this to be feasible) so that it can essentially instantly re-infect
>a wide class of hosts at will as they are cleansed, it could force the
>shutdown of nearly every Windows system in the world until it is
>hand-cleaned and patched -- the Internet itself would be useless in
>fixing the problem.  The cost of such a complete attack would be
>staggering -- banking, commerce, education, defense -- all at a
>standstill.  It would probably trigger a full depression (led of course
>by the complete collapse of Microsoft as the full cost of its appalling
>and perpetual vulnerability is finally laid bare).


I'm sure we'll have plenty of time to discuss this through the 
chainlink walls of our future accommodation at points south.  I hope 
hurricane season is over by then.


>Truthfully, I've been waiting for foreign terror powers to figure this
>one out and attempt such an attack, but so far we've been lucky.  Bot
>driven attacks on individual systems of course happen all the time --
>check out the logs of pretty much any server and count the number of
>times per day some system in Korea or South America or God Knows Where
>tries to probe its way down your ssh ports and standard accounts in
>search of an idiot who left in a default password (or put a stupid
>password on root).  These folks aren't looking for fun, they're looking
>for money.

And that's the problem.  Say you have the ultimate DoS machine. It's 
not feasible to call up, say, Bank of America and tell them: send us 
X million or we shut down your consumer website (or your intranet, or 
whatever).  First, you have the classic ransom pickup problem.  It's 
pretty straightforward to move <$100K without leaving too much of a 
trail, much tougher to do it with $100M, unless the recipient has a 
substantial investment and preparation, which is hard to do on a "low 
budget" sort of scale.  And it's tough to move from the $10K to the 
$10M bracket without travelling through the $100K-$1M zone and 
attracting a lot of attention.  Second, if you ask for huge sums from 
one victim, they're going to have a big incentive to not pay.  So 
you're back to how to extort smallish sums from lots of victims 
and get it collected. That's a bigger administrative headache than 
running the botnet.


<rgb's description of the immense expense and effort dealing with 
this kind of thing>

So, it seems that while the SuperBotNet is amazingly effective as a 
device for forcing millions of dollars of extra sysadmin time in 
terms of keeping up with the continuous and pervasive annoyances, 
it's not particularly profitable for its operator.  In the lingo: 
they haven't figured out how to monetize the botnet.

It's more like one of those James Bond novels where Blofeld creates a 
virus that will decimate the world's population of chickens.  Unlike 
in the novel, though, there's no way to collect the ransom.
