GhostNet, Conficker, and the New Arms Race
There are two fascinating developments in the world of online security that are so sensational as to seem right out of a cyberpunk thriller.
The first, which I've spoken about on CBC recently, is the resilience of the Conficker worm, which is scheduled to change its behaviour on April 1st 2009.
The second is an incredible espionage initiative called GhostNet, which friends of mine at the Citizen Lab here in Toronto have helped unearth and expose to the public.
Combined, these two stories depict something I've been describing as an open arms race, in which proxy forces develop new types of information-based weapons and test them live on the internet. While it's never clear who the players are behind this perpetual information war, researchers are able to dissect the tools and compromised systems to portray a fascinating tale of computer-based cloak and dagger.
In the case of Conficker, we have another one of these super worms, following in the footsteps of the Storm Worm, that is able to infect millions of Windows machines and act on the bidding of its mysterious owners. As the latest and greatest, Conficker adds a peer-to-peer command and control channel, and its update payloads are encrypted and digitally signed with the operators' RSA key, so infected machines accept instructions only from whoever holds the private key. Researchers who dissect the worm can read how it works, but they cannot forge commands or take the botnet over.
The one thing that researchers have been able to determine so far is that on April 1st 2009 the Conficker infected machines switch to a new rendezvous scheme, generating a far larger daily set of candidate domains and polling them for signed updates. Those updates might be as basic as a software patch, or a prank, although given the potential power of all these infected machines the possibility of a large scale attack also has to be considered.
The power that we see manifesting in these types of super worms and related phenomena forces me to ask the question of who is responsible and who benefits.
How do you develop new internet based weapons in an open environment? Once you reach a certain scale of weaponry you cannot leave the testing to the laboratory alone. This is why they exploded nuclear weapons in the deserts or in the South Pacific. Is this what we're now seeing online in terms of the latest iterations of these advanced botnets?
While there are numerous hidden layers to the internet, and multiple means by which to hide, eventually all ghosts become visible.
This is wonderfully illustrated by the report Tracking GhostNet: Investigating a Cyber Espionage Network produced by the Citizen Lab here in Toronto and the SecDev group in Ottawa.
To quote an email I got from Citizen Lab founder and friend Ron Deibert:
For security reasons, we have redacted parts of the report until affected parties can be notified by the relevant authorities. A full uncensored report will be released in one week.
A New York Times story by John Markoff about the report is here: http://www.nytimes.com/2009/03/29/technology/29spy.html
This report is the culmination of a 10 month investigation of alleged Chinese cyber spying against Tibetan institutions. It documents a vast suspected cyber espionage network of over 1,295 infected computers in 103 countries, referred to in the report as GhostNet. Close to 30% of the infected hosts are considered high-value political and economic targets, and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs.
The capabilities of the attack tools used by the GhostNet system were far-reaching, and include the ability to retrieve documents, and turn on web cameras and audio systems. The investigation was able to conclude that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.
While this does seem sensational it should not be surprising. One also has to assume that a network which can be discovered is not the most sophisticated or effective one out there; the really effective ones are those still running undetected.
However, there is both a pull towards transparency and a power in the openness of the internet. The more the internet is used as infrastructure for these larger espionage initiatives, the greater the chances they will be discovered by researchers committed to an open and democratic society.
Similarly the open source movement holds many lessons and examples that provide insight into how technology evolves and influences the tools that people choose to use. We have to remember that as these new weapons are developed we can only speculate on who will choose to use and help further refine their capabilities.
This is well summarized by a quote I found via the New York Times article cited above:
“What Chinese spooks did in 2008, Russian crooks will do in 2010 and even low-budget criminals from less developed countries will follow in due course,” the Cambridge researchers, Shishir Nagaraja and Ross Anderson, wrote in their report, “The Snooping Dragon: Social Malware Surveillance of the Tibetan Movement.”
Update: Joe Stewart of SecureWorks has created a nifty eye chart that can tell you if you're infected by Conficker. It works because Conficker blocks an infected machine from reaching security vendor websites: the chart loads images from several of those sites alongside control images from unrelated sites, and the pattern of images that fail to appear reveals whether the machine is infected. Yes, you read that right, an eye chart that actually does what an anti-virus program may not be able to. :)
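The same differential-reachability idea, written out as an added example that is not the eye chart's own code and not from the original post. Conficker variants hooked name resolution on the infected host and refused to resolve names containing security-vendor strings, so the check below probes a few vendor hostnames next to control hostnames and interprets the pattern the way the chart does. The host lists are assumptions chosen for illustration, and the resolver is injectable so the logic can be exercised offline with a stub that mimics an infected host; `resolve_with_system_dns` does a real lookup if you want to run it against your own machine.

```python
"""Differential-reachability check in the spirit of the Conficker Eye Chart.

Added example, not code from the original post or from the eye chart itself.
Vendor and control host lists are assumptions chosen for illustration.
"""
import socket
from typing import Callable, Dict, Iterable

# Assumed lists: names an infected host would refuse to resolve (vendor
# strings Conficker matched on) and unrelated control names.
VENDOR_HOSTS = ["www.symantec.com", "www.mcafee.com", "www.f-secure.com"]
CONTROL_HOSTS = ["www.wikipedia.org", "www.example.com"]

Resolver = Callable[[str], bool]


def resolve_with_system_dns(host: str) -> bool:
    """Return True if the host resolves using the system resolver."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def probe(hosts: Iterable[str], resolve: Resolver) -> Dict[str, bool]:
    """Resolve each host and record whether the lookup succeeded."""
    return {h: resolve(h) for h in hosts}


def classify(vendor: Dict[str, bool], control: Dict[str, bool]) -> str:
    """Interpret the probe the way the eye chart does.

    no-network:   every control host fails, so nothing can be concluded
    suspect:      controls resolve but every vendor host fails, which is
                  the host-level blocking Conficker performed
    inconclusive: controls resolve and only some vendor hosts fail (a
                  filtering proxy or flaky DNS looks like this too)
    clean:        everything resolves; no sign of this blocking behaviour
    """
    if not any(control.values()):
        return "no-network"
    failed = [h for h, ok in vendor.items() if not ok]
    if len(failed) == len(vendor):
        return "suspect"
    if failed:
        return "inconclusive"
    return "clean"


def eye_chart(resolve: Resolver = resolve_with_system_dns) -> Dict[str, object]:
    """Run the probe against both lists and return the verdict."""
    vendor = probe(VENDOR_HOSTS, resolve)
    control = probe(CONTROL_HOSTS, resolve)
    return {"vendor": vendor, "control": control,
            "verdict": classify(vendor, control)}


def blocking_resolver(blocked_substrings: Iterable[str]) -> Resolver:
    """Stub resolver mimicking an infected host: any name containing one of
    the substrings fails to resolve, everything else succeeds. Offline only."""
    blocked = list(blocked_substrings)

    def resolve(host: str) -> bool:
        return not any(s in host for s in blocked)
    return resolve


if __name__ == "__main__":
    # Offline demonstration with the stub; pass resolve_with_system_dns
    # (the default) to query real DNS instead.
    infected = blocking_resolver(["symantec", "mcafee", "f-secure"])
    print(eye_chart(infected)["verdict"])              # prints: suspect
    print(eye_chart(blocking_resolver([]))["verdict"])  # prints: clean
```

The "inconclusive" and "no-network" outcomes are the caveats worth keeping: a corporate web filter that blocks some vendor sites, or a machine with no connectivity at all, produces missing images too, so a chart like this is a quick screen rather than proof of infection.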
Comments
opinion
Thanks for the article, it's very interesting and useful!
Aren't Russian crooks doing
Aren't Russian crooks doing this already?
Sensational maybe, but...
You'd be surprised how many people think they are "protected" by using a program like Symantec / Norton AV. Unfortunately, many people get a new computer that comes with a free version of Norton with it, the free period expires, and they don't bother to pay for the subscription...assuming this is some sort of way for Symantec to milk money from them. Without paying for the software, virus definitions aren't updated and the software is useless. I know a lot of people that fit into that boat. Stuff like Conficker stresses the need to get your virus software straight. A few bucks now to protect your personal information / credit cards / identity / data / bank accounts etc. is a small price to pay. I think a lot of people think they are protected, when they actually aren't.