S is for Security; S is for Spam; S is for Stefan Savage

Ok so October is over, as is daylight savings, and cybersecurity awareness month. But, like all awareness months, I say why think about the issue for just that time? Nay, let us consider cybersecurity more often. Perhaps now. To start I offer Stefan Savage. Stefan is a professor of computer science and engineering at UCSD.

This interview with Stefan is a great way to get into the area. For example, did you know that the drug war and security may share similar features? And yes reading beyond one’s direct field is wise. A key insight was that assigning value to malware and spam helps fight the problems and that a focus on only technical solutions was not as effective as one might think or hope:

We’d been working together for quite a few years on large-scale attacks (e.g., worms, viruses, DDoS, etc.), and while we’d had lots of technical successes looking at those problems head on, it was pretty clear that the world wasn’t getting any more secure. Around that time we became exposed to the breadth of activity involved in underground trading of compromised accounts, credit cards, spam mailers, email lists, etc. — anything you could think of. This was really our inspiration, because we came to recognize the role that the profit motive was playing in all this (although spam was key to this evolution, we wouldn’t make the link until later).

I think it helped that at the time I was reading a book on the history of the drug war and the failings of supply reduction as a strategy due to the poor understanding of drug distribution economics. We came to see that our community had a similarly poor understanding of the value chain for economically motivated attackers and thus didn’t understand that our various technical interventions actually played minor roles, at best, in mitigating their actions.

Furthermore, the interview is simply a fun read about the way serendipitous encounters, failed projects that nonetheless connected people working on the problem, and good old-fashioned “I didn’t know I couldn’t do that” lead to “oh, yes I can do that”:

this little team got excited about understanding how Storm worked, but — aside from Brandon — they had basically zero skill doing reverse engineering. So not knowing that this was a crazy approach to pursue, they tried reverse engineering the command and control (C&C) protocol in a blackbox fashion — sending data at a captive bot, writing down what it did, theorizing about why it did those things, or letting it talk to its normal C&C and seeing what it tried to do in response to various commands it received. Brandon was busy, but provided key insights when they hit roadblocks (e.g., message encryption), but the rest was just raw guesswork over a period of several months. Vern and I had our doubts whether this was a good way for everyone to spend their time, since we weren’t confident they could do it, or even what the research question would be if they succeeded. Geoff Voelker was on sabbatical in India for this period, so he was blissfully unaware of how much time was being wasted on this. However, we gave the students a long leash and somehow they pulled it off, documenting most of the C&C protocol and then building a set of parsers that could interpret it.

Some key insights:

– Spammers work on commission
– Trying to explain to a university why one needs to buy goods from criminal organizations is funny (the team was really trying to understand the entire system, which meant purchasing what the spam advertised) and can lead to “Why can’t you just use a purchase order?” responses
– Failures matter

First, we failed repeatedly to wrap our minds around this paper. We had at least two aborted attempts to submit a paper only to discover that we still didn’t really understand what we were doing. I know that Vern, Geoff, and I all had doubts if this thing would ever come together (18 months of work without anything to show can shake even the most confident person). We tried, but ended up failing, to incorporate a strong analysis of the spam delivery component (which programs were advertised by which botnets, which used Webmail, etc.), and we spent months building complex models for inferring the different individual affiliates of different programs, ultimately to discard them for the final paper. There is at least another paper’s worth of work in all the stuff that we left on the “cutting room floor,” but we chose to focus on the parts we were the most confident about.