The only surprise is that nobody thought of this sooner



  • Create a 'legal' botnet using free cloud services.

    Last week at the RSA Conference, a pair of researchers demonstrated how
    it was possible to legally create a botnet for free by abusing trial
    accounts made available by high-powered platform-as-a-service (PaaS) and
    infrastructure-as-a-service (IaaS) offerings.

    The question they asked themselves was how hard would it be to automate the process of signing up for an unlimited number of free accounts from these sites and then developing a central control system from which an attacker could potentially launch malicious activities. The answer: not hard at all.

    "We were really easily able to get hundreds of boxes on certain providers and have a central way to launch things like massive port scans," Ragan says. "We also did a proof-of-concept on cryptocurrency or Bitcoin mining. If you're getting this free computing power and don't have the power bill from it, why not use that to generate mining? That would be a huge motivation for malicious threat actors using these platforms."

    The process of developing the botnet came with the usual kinks. For example, the researchers told an amusing story about scrambling in the middle of the night to code a "stop" mechanism to their automated system once they turned it on and saw it worked.

    "We had basically just coded the start button, and then we thought, 'Uh, oh! How do we stop it?'" Salazar said. "We had to quickly figure out how to stop our botnet from getting away from us."

     



  • Windows needs a stop button. I pushed the start button but now I can't stop it.


  • Discourse touched me in a no-no place

    @Link said:

    For
    example, the researchers told an amusing story about scrambling in the
    middle of the night to code a "stop" mechanism to their automated system
    once they turned it on and saw it worked.
    And you didn't post this on the Bad Ideas thread, why, exactly...?



  •  This is how Skynet arises.


  • Discourse touched me in a no-no place

    Oh, “security researchers”. Or even security “researchers”. (“Security” “researchers”? ‘Security “researchers”’? Whatever.) Idiots who cause damage to all sorts of systems and think that they're entitled to do so. Treat as full black-hats if they're not writing up in proper conferences and journals.



  • Let me introduce: [link=http://www.youtube.com/watch?v=pOHDRC88jyk]Nobody[/link].


  • SockDev

    @Ben L. said:

    Windows needs a stop button. I pushed the start button but now I can't stop it.
     

    The KTM X-Bow goes one better - to start it, you need to press 'Stop'.



  • Really, nobody thought of this sooner? Literally the first thing I thought when I saw that Amazon gives free computing hours was "I wonder if you could just keep making new accounts to get more whenever you run out". Granted I didn't actually try it, because I don't like getting into messy stuff, but if you give something away for free people will always look for ways to abuse it (and usually succeed).



  •  What did you think NSA used for DoSing ICR servers?

    There were ever only two options, really. And now that the clouds are here, they no longer need to fear any leaks about their usage of illegal traditional botnets.

    Of course, in the true American fashion, they used to buy botnet execution time from the open market. Using off-the-shelf solutions is very much encouraged in the government.

     ...And now the parallels of U.S. Army bribing the Taleban, to not attack supply convoys, comes to mind. Do they still do that, or did they get over that phase already?



  • @PJH said:

    @Link said:
    For
    example, the researchers told an amusing story about scrambling in the
    middle of the night to code a "stop" mechanism to their automated system
    once they turned it on and saw it worked.
    And you didn't post this on the Bad Ideas thread, why, exactly...?
    I'm stupid.

    Next question.



  • @anonymous234 said:

    Really, nobody thought of this sooner? Literally the first thing I thought when I saw that Amazon gives free computing hours was "I wonder if you could just keep making new accounts to get more whenever you run out". Granted I didn't actually try it, because I don't like getting into messy stuff, but if you give something away for free people will always look for ways to abuse it (and usually succeed).

    Google gives you (or, at least, used to) $1000 in VPS credits. All you need to do is outsource filling a quick name/surname/reason form to some seventh-world country and you can basically run a crapload of machines either until you run out of free hours, or the big G catches up to you.

    Still, I do wonder if it isn't way easier to hack up a site of free $currentlyhotchick nudes and steal a mailing list. Never underestimate the stupidity of general public.



  • @Maciejasjmj said:

    Never underestimate the stupidity of general public.
    Indeed. That is the only truly infinite resource in the universe.



  • The president of agalmic.holdings.root.184.97.AB5 is agalmic.holdings.root.184.97.201. The secretary is agalmic.holdings.root.184.D5, and the chair is agalmic.holdings.root.184.E8.FF. All the shares are owned by those companies in equal measure, and I can tell you that their regulations are written in Python.

     



  • Amazon requires you to enter a phone number and then calls it (yes, actual voice call, not SMS) to validate that it's really yours.

    Although nowadays virtual phone numbers are a thing...


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.