[liberationtech] Twitter Underground Market Research - pdf
Rich Kulawiec
rsk at gsp.org
Wed Jun 5 15:33:16 PDT 2013
On Tue, Jun 04, 2013 at 06:44:37PM +0100, Bernard Tyers - ei8fdb wrote:
> I wonder if there is any connection between these merchants and botnets?
> Botnet owners or spammers would seem like a great source of "valid" IDs.

Let me introduce a term you might/might not have heard before in other
contexts to this conversation: "abuse magnet". An abuse magnet is a service
whose operators either (a) did not anticipate the ways in which it
would be abused and architect to defeat them or (b) did anticipate them,
but simply didn't care to spend the time and money necessary.
In both cases the operators have thus neatly shifted the burden of damage
control (in terms of effort, money, etc.) onto the entire rest of the Internet.
Given that in nearly all such instances, "the entire rest of the Internet"
takes no action (or even realizes that this has happened) this is usually
an extremely cost-effective, low-risk strategy. Scummy, but cost-effective
and low-risk. [1]

An example of this would be Yahoo's email service. After Yahoo made
the decision some years ago to fire/layoff/disband its abuse team,
it wasn't long until spammers, phishers, scammers, etc. realized that
they could move in and take over the place. And they did. Why not?
As a result, outbound abuse from Yahoo's email service is chronic
and pervasive. So is abuse support using it, i.e., it's quite popular
as a location for phisher dropboxes, it's frequently used to register
spammer/phisher/typosquatter/etc. domains, and so on.

Anyway, I don't particularly mean to pound on Yahoo -- although they
certainly deserve it. My more general point is that there are entire
classes of abuse magnets out there which are either overrun by abusers
or in the process of being so. To name a few:

- freemail services
- URL shorteners
- "social networks"
- cheap domains

It's therefore not at all surprising to see abusers such as phishers,
spammers and botnet operators utilizing these in combination: they're
zero/low-cost resources, they're available in abundance, they have
non-existent or wholly dysfunctional abuse desks [2], and there are few,
if any, consequences for engaging in massive abuse. [3]

And I do mean "massive": for example, I wouldn't be surprised at all if
someone put proof on the table that 90% of all freemail accounts or 90% of
Twitter accounts are owned by abusers. I'm not saying that's true,
because I can't prove it's true: I'm just saying that I wouldn't even
raise an eyebrow if someone else proved it to me, because it seems
quite reasonable. The same will eventually be true (if it isn't already)
on "social networks" because there's no reason for it not to be,
and every reason for abusers to make it so.

Besides: who's going to stop them?

Certainly not service operators who want to tell their venture
capitalists/shareholders that they have 5.7 bajillion users...even
if they really do know that 5.1 bajillion of those are bogus.
What, *exactly*, is their motivation to do something about that?
(And besides, there is substantial evidence supporting the proposition
that some of them ARE the abusers.)

And all of this is before we get to the problem of hijacked accounts,
i.e., those which were opened by real live legitimate users but don't
belong to them any more. (In the case of freemail providers, this is
already epidemic. And getting worse.)

The fix for this mess is to think about the potential for abuse while
ideas are still at the back-of-the-envelope or scribbled-on-a-whiteboard
stage. But few people do that, and as a result they create
architectures that are difficult to defend from abuse in production
even if they *want* to do so. It almost never seems to occur to them,
at that early stage, that their shiny new creation may have uses other
than the ones they envision for it.

"It's a poor atom blaster that won't point both ways."
--- Isaac Asimov, "Foundation"

One more point: operations that are this incompetent and negligent
cannot possibly provide any real assurance of security and privacy
to their users, because their putative operators are no longer in
full control of them. Not really. Oh, they can make noises about
doing so, and they can pretend that they're doing so...but they can't.

---rsk

[1] One of the most profound, useful, cogent statements on this
point comes from Paul Vixie via the NANOG mailing list:

If you give people the means to hurt you, and they do it, and
you take no action except to continue giving them the means to
hurt you, and they take no action except to keep hurting you,
then one of the ways you can describe the situation is "it isn't
scaling well".
This explains, in one sentence, precisely why we have a spam problem
in 2013, thirty years after the fix for it was completely understood.

[2] One baseline test of this is to find out whether mail to the RFC-2142
stipulated address abuse@[domain] is handled properly. Responsible,
professional operations route traffic sent to that address to a person
or a team (depending on operation size/scope) who are ready and able
to immediately investigate incidents and make the abuse stop.
Irresponsible/abuse magnet operations route it to autoresponders
and/or incompetent people, or blackhole it, or forward it to the
abusers (yes, really) or simply don't support the address.

[3] Unless you're an idiot like "Spamford" Wallace, and you foolishly
tread so heavily that even the dimwitted are roused to action.
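As an added illustration of the baseline test in footnote [2] (example code, not from the original post or its author): a small Python probe that asks a domain's mail exchanger whether it will accept mail for the RFC 2142 abuse@ address, without actually sending a message. It assumes the caller supplies the MX host (for instance from `dig +short MX example.net`); the HELO name `probe.example` is a placeholder to be replaced with the probing host's real name.

```python
"""Check whether a domain's MX accepts the RFC 2142 abuse@ mailbox.

Added example, not part of the original post. The probe speaks plain SMTP:
EHLO, MAIL FROM:<> (a null sender, as a bounce would use), RCPT TO:<abuse@domain>,
then RSET and QUIT, so no message is ever delivered.
"""
import smtplib
import sys
from typing import Tuple

# RFC 2142 role address under test; "postmaster" could be added the same way.
ABUSE_LOCAL_PART = "abuse"

# Placeholder HELO/EHLO name: replace with the real, reverse-resolvable name of
# the probing host before use (assumption, not a value from the post).
PROBE_HELO_NAME = "probe.example"


def interpret_rcpt_code(code: int) -> str:
    """Map the SMTP reply code to RCPT TO into a verdict on the abuse@ mailbox.

    2xx: the server accepts the address (at least at the SMTP layer).
    4xx: temporary failure, e.g. greylisting or overload; retry later.
    5xx: permanent rejection, e.g. 550 "mailbox unavailable": the address is
         not supported, which footnote [2] counts as an abuse-magnet signal.
    """
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "temporary"
    if 500 <= code < 600:
        return "rejected"
    return "unknown"


def probe_abuse_mailbox(mx_host: str, domain: str,
                        timeout: float = 15.0) -> Tuple[int, str]:
    """Return (reply code, reply text) for RCPT TO:<abuse@domain> at mx_host."""
    recipient = f"{ABUSE_LOCAL_PART}@{domain}"
    with smtplib.SMTP(mx_host, 25, local_hostname=PROBE_HELO_NAME,
                      timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail("")          # sends "MAIL FROM:<>"
        if not 200 <= code < 300:
            # Server refused even the null sender; report that instead.
            return code, msg.decode(errors="replace")
        code, msg = smtp.rcpt(recipient)   # the actual test
        smtp.rset()                        # abandon the transaction cleanly
        return code, msg.decode(errors="replace")


def main(argv) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} MX_HOST DOMAIN", file=sys.stderr)
        return 2
    mx_host, domain = argv[1], argv[2]
    code, text = probe_abuse_mailbox(mx_host, domain)
    verdict = interpret_rcpt_code(code)
    print(f"{ABUSE_LOCAL_PART}@{domain} via {mx_host}: {code} {text} -> {verdict}")
    return 0 if verdict == "accepted" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Read the result asymmetrically: a 5xx rejection is strong evidence that the address is unsupported, but a 250 only shows the address is deliverable at the SMTP layer (catch-all domains accept anything), not that a person reads it. Whether a report reaches someone "ready and able to immediately investigate", the criterion the footnote actually sets, can only be learned by sending a real report and watching what comes back. Some servers also defer recipient validation until DATA or greylist unknown senders, so treat a 4xx as "retry later" rather than as a verdict.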