[Beowulf] [tt] World's most powerful supercomputer goes online

andrew holway andrew at moonet.co.uk
Sat Sep 1 09:03:11 PDT 2007

Does the mass replication of an exploit really constitute a
supercomputer? Has it reached the point where a computing environment
capable of supporting programs is created or is it simply a mechanism
of attack controlled by a human operator?


On 01/09/07, Jim Lux <James.P.Lux at jpl.nasa.gov> wrote:
> At 06:23 AM 9/1/2007, Robert G. Brown wrote:
> >On Fri, 31 Aug 2007, Jim Lux wrote:
> >
> >Similarly lots of other problems become tractible to a brute force
> >search algorithm when you can displose of order of 20 petaclocks worth
> >of cycles. (Am I multiplying that out right?  10^7 times 2x10^9 =
> >2x10^16, 9 is giga, 12 is tera, 15 is peta.  Yup.  Petacycles.).  Brute
> >force searches require minimal IPCs, although I'm sure there are
> >interesting problems associated with IPCs and data harvesting when it
> >has to be done in "stealth" mode and not lead investigators back to you
> >and when you need to make it robust against nodes dropping out (being
> >cleaned by their owners) and popping back in (as yet another virus
> >propagates).
> There is a fair amount of literature on such communications problems.
> For instance, the classic Byzantine Generals problem deals with how
> to reliably communicate through (potentially deliberately) unreliable
> channels.  And if the seamier side of the internet isn't byzantine, what is?
> >Then there is denial of service.  Everybody knows that this is an
> >attack, but few recognize its potential terror value.  Just remember the
> >>>cost<< of some of the countdown viruses of years past.  Some of them
> >literally shut down the Internet for close to a day -- clogging all the
> >main arteries and switch points until hosts were run down one at a time
> >and isolated by their hosting ISPs.  The cost of those incidents in real
> >dollars, lost productivity, and human misery was easily a billion
> >dollars each (I read estimates that were much higher, but I don't want
> >to be hyperbolic so let's stay conservative here).
> When speaking or writing of world domination, a bit of hyperbole is
> called for, no?
> >  A bot-cloud attack
> >could be far more costly and last far, far longer, in part because if it
> >were well-designed it could shape-shift every five minutes and vary e.g.
> >IP number, signature, target.  It could also turn on and off at random
> >times to make it very difficult to track each bot back to its infected
> >host.  If it times itself to take advantage of one of those two-month
> >long window vulnerabilities (yes, a lot of them last for PLENTY of time
> >for this to be feasible) so that it can essentially instantly re-infect
> >a wide class of hosts at will as they are cleansed, it could force the
> >shutdown of nearly every Windows system in the world until it is
> >hand-cleaned and patched -- the Internet itself would be useless in
> >fixing the problem.  The cost of such a complete attack would be
> >staggering -- banking, commerce, education, defense -- all at a
> >standstill.  It would probably trigger a full depression (led of course
> >by the complete collapse of Microsoft as the full cost of its appalling
> >and perpetual vulnerability is finally laid bare).
> I'm sure we'll have plenty of time to discuss this through the
> chainlink walls of our future accommodation at points south.  I hope
> hurricane season is over by then.
> >Truthfully, I've been waiting for foreign terror powers to figure this
> >one out and attempt such an attack, but so far we've been lucky.  Bot
> >driven attacks on individual systems of course happen all the time --
> >check out the logs of pretty much any server and count the number of
> >times per day some system in Korea or South America or God Knows Where
> >tries to probe its way down your ssh ports and standard accounts in
> >search of an idiot who left in a default password (or put a stupid
> >password or root).  These folks aren't looking for fun, they're looking
> >for money.
> And that's the problem.  Say you have the ultimate DoS machine. It's
> not feasible to call up, say, Bank of America and tell them: send us
> X million or we shut down your consumer website (or your intranet, or
> whatever).  First, you have the classic ransom pickup problem.  It's
> pretty straightforward to move <$100K without leaving too much of a
> trail, much tougher to do it with $100M, unless the recipient has a
> substantial investment and preparation, which is hard to do on a "low
> budget" sort of scale.  And it's tough to move from the $10K to the
> $10M bracket without travelling through the $100K-$1M zone without
> attracting a lot of attention.  Second, if you ask for huge sums from
> one victim, they're going to have a big incentive to not pay.  So
> you're back to the how to extort smallish sums from lots of victims
> and get it collected. That's a bigger administrative headache than
> running the botnet.
> their own.
> <rgb's description of the immense expense and effort dealing with
> this kind of thing>
> So, it seems that while the SuperBotNet is amazingly effective as a
> device for forcing millions of dollars of extra sysadmin time in
> terms of keeping up with the continuous and pervasive annoyances,
> it's not particularly profitable for its operator.  In the lingo:
> they haven't figured out how to monetize the botnet.
> It's more like one of those James Bond novels where Blofeld creates a
> virus that will decimate the world's population of chickens.  Unlike
> in the novel, though, there's no way to collect the ransom.
> _______________________________________________
> Beowulf mailing list, Beowulf at beowulf.org
> To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf

More information about the Beowulf mailing list