Masquerading as Human

“On the Internet, nobody knows you’re a lightbulb.” With aid from HeroMachine and Wiki Commons
On the Internet, nobody knows you’re a lightbulb. Cybersecurity & the ethics of the simplest of “personified systems”—things that act as if they were human: Clickbots, Zombies, and Imposter ‘bots.

This article follows up both my three recent articles on cybersecurity and my series on Machine Ethics published under the Personified Systems banner. For the last couple of years, I’ve been referring to systems that we interact with the way we do with other people as personified systems. They include systems that talk, recognize our voices and faces, drive our cars and so on. Some are AIs; some are simpler systems; someday they may include full AGIs— artificial general intelligences that are even capable of acting as autonomous moral agents (AMAs). Regardless of their sophistication, one thing that we want them all to do is act like trustworthy persons to the extent possible. Therefore, I argue, it is important for us to be exploring Machine Ethics today.

The emergence of the so-called “Internet of Things” (IoT) is rapidly increasing the number and kind of Internet-connected devices in our homes, businesses, vehicles and pockets. Many of these devices are not designed with security in mind, both as a cost saving matter, and from a lack of interest or understanding. As things as small as key rings, doorbells, bathroom scales, and light bulbs are connected to the net, very little attention is paid to their impact on security and privacy. These devices are thought of as much simpler than general purpose PCs, and use less powerful processors, so it is tempting to think of them as not needing or having the resources for security. Unfortunately, we have seen a number of illustrations in the last year or two of why this isn’t good enough.

One of the more dramatic Internet outages of the last several years occurred this past October, when a Distributed Denial of Service (DDoS) attack against the Dyn DNS service prevented the addresses of a number of heavily used services, such as Twitter, Amazon, Netflix, CNN and many others from being looked up, effectively rendering them inaccessible to users all over the net. The attack was conducted using a huge network of compromised machines, a “botnet” called Mirai. Unlike early botnets, which consisted largely of PCs, the Mirai net was made up largely of IoT devices such as security cameras and DVRs. This attack was not an isolated event, but rather part of a trend that is growing so quickly that Bruce Schneier and the MIT Technology Review declared “Botnets of Things” one of the 10 “Breakthrough Technologies” of 2017.

So far, the main use of IoT botnets has been DDoS attacks such as the one on Dyn, and an earlier one against the web site of security researcher and writer Brian Krebs, but given the rapid growth of the Internet of Things, and its general low level of security, we can expect to see them used for many more purposes. Given that the profit motive has become very powerful in the world of malware, as the growth of IoT creates the opportunity for bot herders to build larger and larger botnets, many of those purposes will be profit-driven.

One of the major uses that PC-based botnets are put to is as “ClickBots”, bots used to commit various types of “click fraud”. That is, bots clicking on advertising or other web links to make it appear that a great many humans have seen and reacted to the links. This is done for a number of purposes. Blogs and other sites that host ads may hire clickbots to make it look like they have a lot of visitors and are generating a lot of clicks, so as to increase their ad revenue. Competitors may hire clickbots to click on the competition’s pay-per-click links, causing them to waste their ad budgets on ads seen mostly by bots. Purveyors of fake news rely on clickbots to make it look like their stories are being read and liked by large numbers of readers, so that news aggregators will pick up their bogus stories.

InfoSec, Ad-Tech and news aggregators have all invested in efforts to detect clickbots and render them ineffective. The simplest bots ran on large servers, and so could be detected by their common IP address, and that address blacklisted. Using large distributed populations of compromised PCs renders this strategy ineffective. Still, early clickbot networks could be detected behaviorally. They clicked on many more links per unit time than humans, not bothering to take the time to read the main content of the site. Having them pace themselves solves that.

Since they were just programs reading and scanning the source of a page, they could give themselves away by clicking on links that would have been off screen—too far down the page or shifted outside the margins of the viewport. This resulted in clickbots that actually parse HTML, calculating what is on screen and “scrolling” to their targets and ignoring off screen links. Each step along the way results in the bots appearing and acting more like humans, more personified. This is done all through simple algorithms and not more sophisticated AI techniques… yet.

One of the first tools used to prevent bots from masquerading as humans on the net was CAPTCHA (which is said to stand for “Completely Automated Public Turing test to tell Computers and Humans Apart”), which started as challenges to recognize distorted and obscured text in an image or do simple math and word problems. Over the years, bot coders got better and better at writing code to solve these problems, and so the CAPTCHA challenges had to get harder and harder, resulting in something of an arms race. Recently, Google, who had acquired the innovative reCAPTCHA, developed a behavioral analysis and tracking-based method for recognizing the differences between humans and bots. If bot creators are going to overcome this latest generation, they will have to create bots that behave like humans for days or weeks at a time, visiting many sites and acting as if they are reading them.

One can envision both AI-based and non-AI simulations of humans using web browsers that can behave humanly enough to trick Google’s noCAPTCHA and the click-fraud prevention measures, and one of those is to use huge armies of bots hosted on IoT devices. A camera, router, DVR, and perhaps even a refrigerator or lightbulb working with a list of websites not much larger than the number of sites the average human uses, a script and a random number generator could pretend to be a human user, and it would only take a few tens of thousands of them to commit profitable click fraud, or make a fake news story look to have real followers.

While the smallest microprocessors available today are far less powerful than those in contemporary laptop and desktop computers, they are comparable to systems that were used to host multi-user operating systems a few decades ago, and shouldn’t be underestimated. The average IoT lightbulb may be a little on the small side for creating a sophisticated simulation of a human surfing the web, but it isn’t unthinkable, and there are plenty of IoT devices that are just a bit smarter than the average lightbulb and capable of a more credible imitation. It may be the case that on the internet, Google can tell that you’re a lightbulb, but there are plenty of devices that are only a bit more sophisticated that could fool them.

Markets, Vigilantes, Rules and Regulations

As Bruce Schneier pointed out last fall when the Dyn and Krebs attacks were happening, one of the major things hindering solutions to the Botnet of Things problem is that neither the manufacturer or the customer has a vested interest in the problem. Attacks such as DDoS, and those of clickbots are made not against the owner of the compromised device, but against targets on the net as a whole. Therefore, if they are done judiciously, they do not harm the owner of the device, nor, perhaps, even come to their attention. This means that customers are not clamoring for better security in their IoT devices, even though, for society as a whole, that insecurity is a major threat. With customers uninterested in paying extra for security, manufacturers are not particularly motivated to provide it. Absent customers and providers with a vested interest, market forces cannot solve problems.

This lack of vested interest has spurred the development of a response from the hacker community: vigilante malware. Such malware comes in two forms. The first sort is the do-gooder botnet. Software of this sort breaks into vulnerable systems, patches the vulnerabilities, and then goes away, at least assuming that they do it right. In 2015, for instance, Symantec reported “Wifatch”, a botnet whose only job appeared to be to remove malware and close up vulnerabilities in routers and DVRs. Wifatch may not be entirely beneficent in the future. It is a botnet, with the potential of conducting malicious attacks some time in the future. Another similar botnet called “Hajime” was discovered recently. So far it has done nothing but spread to over 300,000 IoT devices and secure them against other malware. It claims to be a created by “a white hat securing some systems”.

If Wifatch and Hajime resemble the good hearted rascals and rogues of pulp adventure and comic books, the second sort of vigilante malware represents the dark side, the sort of vigilantes who act as judge, jury and executioner. Their motto comes closer to the Vietnam-era explanation that, “It became necessary to destroy the town to save it.” The clearest example of this is a series of four malware systems known as “Brickerbot”. These systems, which operate out of a base of compromised servers, seek out systems that are vulnerable to botnet malware such as Mirai, infect them, change their configurations and firmware in such a way as to permanently cripple them, to “brick them”, in tech slang, meaning to render them no more useful than a brick.

Brickerbot’s clear goal is to give the owners and manufacturers a reason to care about security. “If you don’t fix the vulnerabilities in your IoT devices, we’ll come by and smash them.” Now the owners have something to lose, as do the manufacturers.

If market forces alone cannot solve the problem and outlaw vigilantes aren’t an acceptable solution, then a more formal mechanism is needed, be it laws, regulations, self-regulation or codified ethics. The problem with laws is that they take a long time to pass, are hard to change and are often subject to a lot of special interests during their creation. As a result, they frequently address problems of the past, not those of the present, and can be a stumbling block for new solutions in the future. As a result, laws in the fast moving tech sector are often clumsy and can threaten innovation. Regulations are a bit more flexible and manageable, but still have many of the same difficulties.

Self-regulation, standards, best practices, and professional codes of ethics are more flexible, though they have less power than laws and regulations. Examples of voluntary self-regulation are organizations such as UL—originally Underwriters Laboratory—and the Comics Code Authority (CCA), to cite rather dissimilar entities. It is worth noting that for its first 118 years, UL operated as a non-profit, and for the last 5 has been a for-profit organization, so it actually provides two models. UL, in fact, is one of several organizations striving to establish cybersecurity standards. Another organization, the CITL—Cyber Independent Testing Lab—operates as UL did originally, as a non-profit. It is not my intention to advocate for either of them or for any specific existing effort, but to illustrate the basic concept.

I mentioned the CCA, not because their mission was particularly similar to insuring cybersecurity, but because they illustrate the need for consumer and industry support. The CCA was created by the comics industry in the early 1950s as an alternative to government censorship. Faced with the threat of censorship by the US federal government, the publishers adopted strong standards on content, and established an independent body to enforce adherence. Retailers were soon hesitant to carry comics that didn’t bear the CCA certification stamp. Over the years, however, as public tastes changed, first small independents and then the major publishers found that there was sufficient market for uncensored content that they abandoned the mark, and by 2011, no comics carried the CCA mark.

There are pluses and minuses to all of the possible mechanisms: laws, government regulations, self-regulation, professional ethics, best practices and moral and public pressure. Which of these is the best solution to the problems of untrustworthy bots is debatable, and should be discussed. Personified Systems—devices that pass for human—are with us to stay, and detecting them will become increasingly difficult over time. The issue facing us is how we get them integrated into society as trustworthy pseudo-people.

For details on the Krebs attack, see:

Bruce Schneier has written a number of books and articles of interest in this realm:

  • Liars and Outliers, a 2012 outline of the many mechanisms that societies have used throughout the centuries to insure trust.
  • Botnets of Things”, his March/April 2017 MIT Technology Review article outlining why compromised IoT devices are a growing trend.
  • Security Economics of the Internet of Things”, an October, 2016 article that originally appeared in Vice Motherboard, outlining the reasons that market forces are ineffective against the Botnets of Things.

My previous cybersecurity posts: