The fear bouillabaisse back on the menu

February 7th, 2008

Crime fears as cheap PCs head for Africa

Initiatives such as the OLPC and Classmate could mean an explosion in botnets in the developing world, warn security experts

Pete Warren
The Guardian


[Image: One Laptop Per Child project, Nigeria. Caption: The OLPC could have the unwanted side effect of fuelling cybercrime in Africa]

What if the plans to spread low-cost One Laptop Per Child (OLPC) and Intel Classmate computers to the developing world work? What if in a few years there are hundreds of millions of them out there? Many might applaud. But among computer security experts, there’s growing concern that those schemes could inadvertently lead to a huge increase in computer crime.

Because of course, only Europeans can maintain and update software, whereas the ‘darkies’ cannot.

Initiatives such as the OLPC and the Classmate are intended to help bridge the digital divide. But security experts warn that there could be an unforeseen negative effect.

“There is the possibility of creating the largest botnet in the world,” says Yuval Ben-Ithak of Finjan, a computer security company. This view is borne out by a recent report by F-Secure identifying Africa as one of the emerging cybercrime threats.

When they say, “this view is borne out”, what it really means is that someone else repeated the same lines. There is no proof, no proof of concept, no study, nothing. Just a bunch of fear mongering twaddle of the type the Guardian loves to peddle.

Phenomenal takeup

“Within the past few years, internet take-up in emerging markets has been phenomenal,” says Mikko Hypponen, chief research officer at F-Secure. “The trend is expected to continue and spread into areas such as Africa, India and central America. People are developing sophisticated computer skills. But,” he adds, “they have limited opportunities to profit from them legally. There will be a delay before legal systems catch up with developments in the IT sector. Computer criminals may also be able to escape the law more easily in countries which are undergoing serious political and security problems.”

The case of Onel de Guzman, the student who wrote the 2000 Love Bug virus and who escaped prosecution because the Philippines, his home, had no offence with which to prosecute him, is a case in point.

No, it is not, because this story WAS about ‘Africans’ fuelling ‘cybercrime’. Filipinos, ‘Africans’, what’s the difference? “They are all foreigners, innit!”

But Ivan Krstic, OLPC’s director of security hardware, points to the choice of Linux as the operating system for the computers. “You cannot have one program loading from the internet that can then go to your [email] address book and then send out a spam message to everyone,” Krstic explains. “The program can only work in its own area and has no functionality beyond that.

“For anything to be able to achieve that overall control, the attack would have to be written to the system kernel, and those are the hardest attacks to launch. Those vulnerabilities do exist, but they are patched very quickly. It would be difficult to get them to run bots.” However, there is an option to run Windows XP on the machine – which means, concedes Krstic, “they can be attacked. All of the connotations of Windows security apply.”

And FINALLY we have some common sense in writing.

OLPC will not be used to create huge botnets because it is running Linux. Botnets normally run on winblows, the OS so beloved by and the meat and potatoes of the computer illiterate fear-monger journalist.

Don’t install winblows, and there is no problem from botnets.

Next?

The Windows-based Intel Classmate also includes a nod at security. Countries buying it can opt for antivirus software, included for a higher price, but must negotiate that with AV companies themselves; and a hardware setting disables the laptop if it is not connected to an antivirus monitoring network for a certain period of time. This is to safeguard the machine from becoming part of a botnet, which can disable antivirus checking.

And there you have the whole security and journalist fear-mongering industry in a nutshell. It is all about selling software, and inducing people to buy it through fear.

In case you did not know, this is the Intel Classmate:

[Image: The Classmate PC powered by Intel for emerging markets worldwide]

The World Ahead Program from Intel Corporation aims to enhance lives by accelerating access to uncompromised technology for everyone, anywhere in the world. Focused on people in the world’s developing communities, it integrates and extends Intel’s efforts to advance progress in four areas: accessibility, connectivity, education, and content.

It runs Winblows (requiring 2gig flash), or Mandriva (requiring 1gig flash [no surprise there ay?]).

The bigger problem in the long term may be the developing world’s choice of operating system. “Most of the machines we are shipping have Windows on them. That’s the operating system most countries want,” says Intel.

And do you wonder why? All these people, these government ministers are more computer illiterate than Guardian journalists, and they read the Guardian and take their lead from them and the other newspapers. They are also under massive bribery pressure to accept winblows:

Dear Steve,

Hi, this is François, from Mandriva.

I’m sure we are way too small for you to have heard of us. You know, we are one of these Linux companies that is working hard to make its place in the market. We publish a Linux distro, called Mandriva Linux. Mandriva Linux 2008, our last edition, has pretty good reviews and we’re proud of it. You should try it, I’m sure you’d like it. We also happen to be one of the Linux companies that did not sign an agreement with your company (nobody’s perfect).

We recently closed a deal with the Nigerian Government. Maybe you heard about it, Steve. They were looking for an affordable hardware+software solution for their schools. The initial batch was 17,000 machines. We had a good deal to respond to their need: the Classmate PC from Intel, with a customized Mandriva Linux solution. We presented the solution to the local government, they liked the machine, they liked our system, they liked what we offered them, especially the fact that it was open, and that we could customize it for their country and so on.

Then, your people got in the game and the deal got more competitive. I would not say it got dirty, but someone could have said that. Your team fought the deal again and again, but still the customer was happy with the CMPC and Mandriva.

We actually closed the deal, we took the order, we qualified the software, we got the machines shipped. To conclude, we did our job. And the machines are being delivered right now.

Now, we hear a different story from the customer: “we shall pay for the Mandriva software as agreed, but we shall replace it by Windows afterward.”

Wow! I’m impressed, Steve! What have you done to these guys to make them change their mind like this? It’s quite clear to me, and it will be to everyone. What do you call what you just did, Steve? There are various names for it, I’m sure you know them. […]

http://blog.mandriva.com/2007/10/31/an-open-letter-to-steve-ballmer/

So to claim that, “That’s the operating system most countries want” is just disingenuous. These government people do not know anything about operating systems; they just want the best possible deal, whatever it is, and if you offer them a PC running Linux, and explain why it is so good, they will accept it, just like the Nigerian government did.

These excuses are echoes of the ones we used to hear not so long ago, “Linux is not ready for the desktop” is the one that you have to strain to hear the most, as it has faded to almost nothing.

It adds that teachers will receive training from Intel to monitor the network and will be able to see if changes have been made to the machines: “Some schools using the computers will have a teacher who is responsible for security on their networks, others will have an IT person.” As a last resort the Classmate, like the OLPC XO, can be wiped clean and restored to its factory settings.

So in fact, there is no problem at all.

But while Windows has its problems, Linux may not offer much better protection, says Guillaume Lovet, a botnet expert for Fortinet. “The first botnets were Stacheldraht, Trinoo and TFN, and were built in Linux,” says Lovet. He also dismisses claims that the low bandwidth and internet use in parts of the developing world – the World Economic Forum’s 2007 Africa Competitiveness Report estimated that African internet use was just 3.4% of the world total – would act as a brake on the development of botnets.

Whoa!

What these journalists never do is challenge assertions made in their pieces. Let’s find out EXACTLY what that last blockquoted text really means:

============================

The “stacheldraht” distributed denial of service attack tool

============================

David Dittrich
University of Washington
Copyright 1999. All rights reserved.
December 31, 1999

Introduction
————

The following is an analysis of “stacheldraht”, a distributed denial of service attack tool, based on source code from the “Tribe Flood Network” distributed denial of service attack tool. [Note that throughout this analysis, actual nicks, site names, and IP addresses have been sanitized.]

Stacheldraht (German for “barbed wire”) combines features of the “trinoo” distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents.

For more information on trinoo and TFN, see:

http://staff.washington.edu/dittrich/misc/trinoo.analysis
http://staff.washington.edu/dittrich/misc/tfn.analysis

In late June and early July of 1999, one or more groups were installing and testing trinoo networks and waging medium to large scale denial of service attacks employing networks of over 2000 compromised systems. These attacks involved, and were aimed at, systems around the globe.

In late August/early September of 1999, focus began to shift from trinoo to TFN, presumed to be the original code by Mixter. Then in late September/early October, a program that looked a lot like the TFN agent, known as “stacheldraht”, began to show up on systems in Europe and the United States.

These attacks prompted CERT to release Incident Note 99-04:

http://www.cert.org/incident_notes/IN-99-04.html

Like trinoo, stacheldraht is made up of master (handler) and daemon, or “bcast” (agent) programs. The handler/agent terminology was developed at the CERT Distributed System Intruder Tools workshop held in November 1999, and will be used in this analysis instead of the stacheldraht specific terms. It is highly recommended that the CERT workshop report be read as well. See:

http://www.cert.org/reports/dsit_workshop.pdf

There is some competition to stacheldraht in the form of Mixter’s new version of TFN — Tribe Flood Network 2000, or TFN2K — released on December 21, 1999. For more on TFN2K, See:

http://packetstorm.securify.com/distributed/
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

Along with trinoo’s handler/agent features, stacheldraht also shares TFN’s features of distributed network denial of service by way of ICMP flood, SYN flood, UDP flood, and “Smurf” style attacks. Unlike the original TFN and TFN2K, the analyzed stacheldraht code does not contain the “on demand” root shell bound to a TCP port (it may be based on earlier TFN code than was made public by Mixter in mid-1999).

One of the weaknesses of TFN was that the attacker’s connection to the master(s) that control the network was in clear-text form, and was subject to standard TCP attacks (session hijacking, RST sniping, etc.) Stacheldraht deals with this by adding an encrypting “telnet alike” (stacheldraht term) client.

Stacheldraht agents were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services “statd”, “cmsd” and “ttdbserverd”. They have been witnessed “in the wild” as late as the writing of this analysis.

After publishing analyses of trinoo and Tribe Flood Network on Bugtraq in December 1999, an incident investigator at another institution provided stacheldraht source code that was obtained from a file cache in a stolen account. (I would like to thank this investigator, and also thank the folks at SecurityFocus for providing the open forum that allowed this to occur.) This analysis was done using this captured source code (labelled version 1.1, with source file modification dates ranging from 8/15/1999 to 10/17/1999).

The Makefiles contain rules for Linux and Solaris, with the default being Linux (even though it appears that the code does not work very reliably on Linux). For the purposes of this analysis, all programs were compiled and run on Red Hat Linux 6.0 systems. As far as I am aware, the agent has been witnessed “in the wild” only on Solaris 2.x systems.

[…]

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

Stacheldraht was only seen in the wild on Solaris 2.x systems, so saying, “The first botnets were Stacheldraht, Trinoo and TFN, and were built in Linux,” doesn’t really apply to OLPC, and furthermore, all of the above happened in 1999. The question to ask here is, “have there been any botnets running on Linux since 1999?”. Journalists would no doubt add that seven years in internet time is an eternity, but we won’t sink that low here.

“It doesn’t take any bandwidth to control or make a botnet,” Lovet says. “Aggregated bandwidth is what is important, and that would still be massive. You could still build a huge cyber-weapon with only a thousand of these machines.”

‘Huge cyber-weapon’… this is the language of fear-mongering. It’s good in science fiction, but inappropriate in a newspaper, in an article about OLPC, an entirely noble and beneficial effort, which will transform the lives and brains of millions of people.

Of course, there are those in the west whose worst nightmare is a third world population weaned on logic, able to programme and organize, immune to stupidity and because of all that, free. No more Kwashiorkor bellied pickininnies to plaster in their papers and opine about. A REAL tragedy.

That leads us to the subtext of this article. OLPC will breed the next generation of 419 scammers, all fluent in Python and UNIX, which is the very backbone of the internets. It would sound like this coming out of their mouths:

“We are breeding a whole new generation of internet cybercriminals by providing OLPC to so many people” an expert from G-Secure said, “this army of highly skilled black hats will dominate any future internet if we do not take preventative measures now.”

Heh…’Black Hats’!!!!

For the botnet herders – the people who create and control botnets – there would also be kudos in staking a claim in a new area. “We have seen botnets involved in landgrab exercises in the past,” says Greg Day, a security analyst for McAfee.

McAfee, another anti-virus vendor. You have heard the rumour that anti-virus companies fund the creation of viruses so that they can keep the fear level up and artificially sustain their vampiric subscription business model, right? Nah, it’s just a ‘conspiracy theory’.

Just as alarming for Mark Sunner, chief technology officer of Messagelabs, which monitors email traffic on behalf of the government, is that the machines could be used as a recruiting ground for criminals.

It’s alarming, is it? Just what EXACTLY is the scenario that is ‘alarming’ in this case? Perhaps when this man says ‘recruiting’ he is referring to recruiting the newly trained-up Python programmers who are willing and able to be turned to… the Dark Side. ROTFL!

Herd goats, or bots?

“You can imagine a whole swathe of internet boiler-rooms being created among people who can make more money from internet crime than herding goats,” says Sunner, who points to the fact that Africa already has the highly technologically literate Nigerian 419 group, one of the oldest cyber-crime organisations.

and BANG there it is, said out loud. These people are more inclined to be criminals than the millions of children with laptops in the west. Of course, this came from the mouth of a Government contractor, the types that know all about criminality from the inside.

As for the subheading, what do YOU make of it?

The latter are very dangerous, says a former head of the UK’s now disbanded West African Organised Crime Unit. “They are organised like a business. They are already building most of the bogus bank sites on the web. If you ship computers to Nigeria then a lot of them will inevitably make their way to 419. I mentioned this to someone who is still monitoring 419 and they said ‘you might as well shut down the internet and go back to pen and ink’.”

Which is exactly what they want for these people: to shut down THEIR internets and cut them off from the rest of the world. Note that this ‘alarming’ situation is so bad that the ‘West African Organised Crime Unit’ is now closed down, and that they talk about bogus bank sites, not sophisticated botnets. This article is a hodgepodge of nonsense, a fear bouillabaisse for the computer-illiterate cuisine eaters that dirty their hands on that shitty paper. And let us not forget that 419 only works because there are gullible, greedy westerners who fall for it day after day. 419 is social engineering, not software engineering. Unsurprisingly, these nincompoops cannot make the distinction; it’s all ‘cybercrime’ to them.

Sunner, meanwhile, notes the dangers that the machines represent to Africa’s own emerging internet infrastructure. “There are a lot of viruses already heading for Africa and China, and the consequences of spam can be terrible if you do not have much bandwidth,” he says.

As this very article says, in the only part of it that is sensible, OLPC cannot be used to send out spam because:

“You cannot have one program loading from the internet that can then go to your [email] address book and then send out a spam message to everyone,”

so OLPC cannot be used as a zombie machine to send out spam. Insert joke here about how zombies come from the West Indies in any case, not West Africa.

Both Intel and OLPC point out that the laptops will often only have intermittent connectivity. That might lower the risk of getting infected – or the chances of getting security upgrades.

Bullshit. OLPC and Intel Classmate are not going to get ‘infected’ by anything as long as they are running Linux. If they do, it can be fixed quickly. The risk mentioned here is extremely low, and the fixes easy to roll out. This is a non-issue, full stop. The long-term effect of OLPC will be to educate millions of people around the world, and any problems along the way will be temporary.

But the bleak picture may be avoidable, says Rolf Roessing, a security expert for KPMG. “If we are to bring IT to Africa then it will not work unless we bring security with it. Computer security in the west grew because of a loss of innocence and there are still weaknesses in the developed world because of a lack of awareness. If you bring IT to developing countries then you have to develop awareness, too.”

[…]

http://www.guardian.co.uk/technology/2008/feb/07/olpc.security

The picture is not at all ‘bleak’; bad journalism as in this article is the most bleak part of this story.

OLPC is going to change the world, in a good way, and there is nothing that negative spinning, fear-mongering journalists and ‘no darkie computer programmers’ racists can do about it. Both of the latter groups, and the ‘security’ companies are on the wrong side of history. The internet is going to reach everywhere, it will be beneficial. Deal with it.

IT is already in Africa, and the last thing that the people who live in the sovereign countries on that continent need is to copy the ‘security’ model of broken monopoly OS, fear-mongering, security company subscription. Thankfully, the Pandora’s box is already open. Linux has a strong foothold, and it will completely dominate the desktop in all of the target countries. This will happen not only because it makes sense, but because the absurd anti copying policies of Micro$oft will drive people to install other operating systems that can be freely and easily copied without any pain or risk of the customer coming back to say, “my computer is broken”. Additionally, the users of OLPC 15 years from now, having grown up with open systems will reflexively reject any OS that tries to lock them down with DRM, false security models and bullshit.

Computer security grew in the west not because of a ‘loss of innocence’ but because of a lack of computer literacy and the winblows monopoly. Now that those things are breaking, despite the efforts of scumbags on every side, as people dump Windows and move to Linux we will see fewer problems and a healthier working environment.

The question you want to ask yourself is this; do you want to be a part of what made the magic happen, or do you want to be aligned with the enemy?
