|inittitle>[(text-colour:"red")[
(text-style:"rumble")[#Malware Disruption]]]
(live: 3s)[(replace: ?inittitle)[(transition: "dissolve")[
##A New Job
You have just been offered a position as a system administrator for **Rogue Services**, a web hosting provider that prides itself on its reliability to its customer base. The company motto is “*cheap, guaranteed uptime, no matter what.*”
<img style="float: right; width:200px; margin: 10px;" src="images/rogueservices.png" alt="Rogue Services" title="Rogue Services"/>
The recruiter explains that this motto—and the company culture that accompanies it—is very attractive to many business owners, including independent web-based retailers that need reliable service at a low cost.
☞ [[That sounds great! [Accept the job.]->Accept the job.]]
☞ [[Research the company a bit first.]]
]]
(stop:)
](set: $accept to true)You accept the job.
In the first few days, you spend time reviewing Rogue Services’ policies, terms of service, and systems documentation. Your supervisor suggests that you familiarize yourself with the company's clients, as you will soon take on system support duties. You are impressed with the wide array of retailers, activists, and software developers who are using Rogue Services to support their work.
You do notice, however, that some clients do not appear to have forward-facing webpages, but instead have a number of scripts and tools installed to their accounts.
☞ [[Investigate one of these anomalous accounts.]]
☞ [[Deciding it is unethical to pry into client assets, you choose to continue perusing the system documentation.->Take-Down Request]](set: $negativeStory to false)(set: $positiveStory to false)
You are a bit wary of over-zealous recruiters. They always seem to frame their clients in the most favorable light.
Before accepting the job, you decide to dig around and research Rogue Services online. You find a couple of news stories that mention Rogue Services specifically. Maybe one of these stories will provide some insight into the company that the recruiter did not share.
☞ Read the article *[[Rogue Services Lives Up To Its Name]]*.
☞ Read the article *[[Rogue Services’ “No Matter What” Policy Against Tyranny->Rogue Services' "No Matter What" Policy Against Tyranny]]*.
☞ [[[Accept the job.]->Accept the job.]] (set: $negativeStory to true)
<img style="float: left; width:200px; margin: 10px;" src="images/rogueservices.png" alt="Rogue Services" title="Rogue Services"/>
##Rogue Services Lives Up To Its Name
*Joseph Johnson*
<hr/>
While many of Rogue’s clients are independent web-based retailers, some are focused on malware and spam. Several botnets have used Rogue’s reliability guarantees to protect their command-and-control servers from take-down attempts. Spam and other fraudulent services have leveraged Rogue for continuous delivery. Corrupted advertisements often link to code hosted on Rogue to exploit browser vulnerabilities to infect machines with ransomware.
Despite repeated requests from major ISPs and international organizations, Rogue refuses to intervene with these services, citing their “no matter what” pledge to their customers.
Spokeswoman Åsa Jorgensen spoke on the issue, “Our customers have relied on our ‘no questions asked’ approach to web service as a tool of empowerment against corrupt governments and restrictive policies. Many of our customers are just small business owners who sell a product. Should we deny them service if we don’t like their products?”
<hr/>
(if: $positiveStory is false)[☞ Read the article *[[Rogue Services’ “No Matter What” Policy Against Tyranny->Rogue Services' "No Matter What" Policy Against Tyranny]]*.
]☞ [[[Accept the job.]->Accept the job.]] (set: $positiveStory to true)
##Rogue Services’ “No Matter What” Policy Against Tyranny
*Larry Lyndon*
<hr/>
The world may not have known about the recent genocide in Xinjiang if not for Rogue Services, a web hosting service with a mission—to provide reliable service “no matter what.” In the case of activist citizen Bai Yi, “no matter what” includes the full weight of the Chinese government’s repressive web censorship policies.
<img style="float: right; height:100px; margin: 10px;" src="images/ChinavsRogue.png" alt="China vs. Rogue Services" title="China vs. Rogue Services"/>
Mr. Bai’s website, which translates in English to “How Many Deaths?”, offers daily stories from local citizens, detailing the toll of the police state on their personal lives. Mr. Bai chose Rogue Services because of its advertised policy, and took precautions to anonymize those who spoke out.
The unassuming, diminutive Bai reflects on his work. “The world carries on in spite of what happens here. With the website, at least we have a voice, and maybe, someday, someone will listen and come to our aid.”
<hr/>
(if: $negativeStory is false)[☞ Read the article *[[Rogue Services Lives Up To Its Name]]*.
]☞ [[[Accept the job.]->Accept the job.]] (set: $investigateAnomaly to true)You decide to dig into one of these anomalous accounts a bit more to learn how these scripts function and what they are used for. After all, a systems administrator should know how the machines are being utilized in order to best maintain security and balance system resources!
*Hmm*...These particular scripts appear to be used to deploy malware on any system whose users are foolish enough to execute them. Although the account does not contain any forward-facing pages that link to these scripts, they could be referenced elsewhere.
☞ “Maybe I should report this to my supervisor,” you think. (link: "[Report your findings to your supervisor.]")[(set: $supervisorConsulted to true) (go-to: "Report your findings to your supervisor.")]
☞ (link: "Keep this to yourself until you gain more familiarity with the company, clients, and policies.")[(set: $supervisorConsulted to false) (go-to: "Take-Down Request")]
<!--Invisible links->
[[ ->Report your findings to your supervisor.]]
[[ ->Take-Down Request]]You decide to report the malware scripts to your supervisor.
She says, “Yes, we have quite a few clients who use our hosting services for...more nefarious purposes. Only, our entire business model and our *reputation* is built on our ‘no matter what’ policy. We consider policing content to not be our role. Our role is providing reliable service while maintaining honesty with our customer base. They like to know that their work is *safe with us*.”
(if: $negativeStory is true)[You remember reading the article, *Rogue Services Lives Up To Its Name*. The spokesperson for the company made a similar statement to the press. ](if: $positiveStory is true)[You recall that the article, *Rogue Services' “No Matter What” Policy Against Tyranny*, outlined a positive outcome of this policy, empowering the oppressed with a voice.]
☞ (link: "Satisfied with this answer, you continue with your duties.")[(set: $supervisorSatisfactory to true) (go-to: "Take-Down Request")]
☞ (link: "Although you find this troubling, you continue with your duties.")[(set: $supervisorSatisfactory to false)(go-to: "Take-Down Request")]
<!--Invisible links->
[[ ->Take-Down Request]]After working at Rogue Services for a couple of months, you feel settled in. You are fairly confident in your skillset and how to navigate the company servers. You have been given more responsibilities; you have even been given lead administrator duties for a number of clients.
One day, you receive a concerning email, outlining a *take-down request* for a client’s assets—a client that falls under your purview.
<div style="border:solid 1px #ffffff; padding: 1em; line-height:100%; font-size: 75%;">(font:"Courier")[(text-colour: #999)[Delivered-To: you@rogueservices.com]
(text-colour: #666)[(text-style:"blurrier")[Received: from BL0PF11MB3691.namprd11.prod.rogueservices.com (fe80:c130:2dc5:23a3:41ff) by BL0PF11MB3691.namprd11.prod.rogueservices.com (fe80:c130:2dc5:23a3:41ff%6) with mapi id 17.22.3491.025; Thu, 17 Sep 2020 20:06:30 +0000]]
(text-colour: #999)[From: Agent Guy <agentguy@agency.gov>
To: "you@rogueservices.com" <you@rogueservices.com>
Subject: Take-Down Request RE: Client] (text-colour: #666)[(text-style:"blurrier")[Black Hat Bad Guy Company]]
(text-colour: #999)[Date: Thu, 17 Sep 2020 20:04:57 +0000
To Rogue Services:
This letter is official notification under §1030 of the Computer Fraud and Abuse Act (CFAA), that you immediately quarantine all digital content owned by the client referenced above from your server and disable their services immediately.
Please also be advised that law requires you, as a service provider, to retain copies of all infringing digital material and comply with search and seizure requests from US Federal Agencies. Failure to comply may result in criminal and civil charges.
Agent Guy
United States Department of Justice
]]</div>
☞ (link: "Keep this to yourself.")[(set: $keepToSelf to true) (go-to: "Disobey take-down request.")]
☞ [[Disable client access immediately.]]
☞ [[Discuss the letter with your supervisor.]]
<!--Invisible Links-->
[[ ->Disobey take-down request.]](set: $disabledClient to true)You decide to comply with the request immediately and disable the referenced client’s access to their data. (if: $supervisorSatisfactory is true)[You and your supervisor agree that policing content is not your role, but the letter was threatening.](if: $supervisorSatisfactory is false)[Although you did discuss this very account with your supervisor, you felt uneasy about her position.]
Some time later, your supervisor approaches you about the client’s inability to access their accounts. As you explain the situation, your supervisor becomes agitated.
“Why didn’t you bring this to me? (if: $supervisorConsulted is true)[As we discussed, i](else:)[I]t is not our position to limit content. It violates the *‘no matter what’* policy that our customers have come to *trust*. If this gets out, it will be (text-colour: "red")[(text-style: "rumble")[disastrous]] for our business. (if: $supervisorSatisfactory is true)[I thought we were in agreement. ]You must reenable access immediately.”
☞ [[Comply, and reenable access.->Disobey take-down request.]]
☞ [[Refuse.]]This seems above your pay grade. You don’t feel as if this is a decision you can make alone, so you decide to bring the matter to your supervisor.
She explains, “(if: $supervisorConsulted is true)[As we discussed, i](else:)[I]t is not our position to limit content. It violates the *‘no matter what’* policy that our customers have come to *trust*. If we were to comply, it would be (text-colour: "red")[(text-style: "rumble")[disastrous]] for our business. (if: $supervisorSatisfactory is true)[When we last spoke, I thought we were in agreement. ]There is no way we can comply with the take-down request.”
☞ [[You agree.->Disobey take-down request.]]
☞ [[You disagree, and remove the client’s access privileges.->Refuse.]](set: $fired to true)She frowns.
“I see that we have irreconcilable differences. If you do not *agree* with company policy—that’s one thing. But, if you cannot *comply*—that’s another. Unfortunately, this means we will have to let you go.”
As you turn away, you hear her mumble, “I guess I’ll need to handle this myself.”
(css: "font-size: 150%")[☠] (text-colour: "red")[You’re fired!]
☞ [[Endgame]]You are adamant that the right thing to do is refuse the take-down request and allow the client unfettered access to their account.
A company meeting is called to discuss the matter. The CEO explains, “Although this may be admittedly a (text-colour: "grey")[gray] area ethically—depending on your point-of-view—we are absolutely within our *legal* rights. In the past, international pressure from other governments has failed, because we are based in a country whose laws do not limit digital freedoms. We are in the clear.”
(if: $positiveStory is true)[
You remember that the article, *Rogue Services' “No Matter What” Policy Against Tyranny*, overviewed China’s inability to force a take down of the dissident website.
]
☞ [[Carry on with your work.]](set: $investigateFS to false)(set: $continueInvestigateDOS to false)You carry on with your work, disregarding the take-down request. After all, the U.S. government has no jurisdiction over Rogue Services’ servers.
After some time, you notice that the Rogue servers are getting many more requests than usual, and clients are beginning to suffer outages. Upon further investigation, it appears that a Denial of Service attack is underway against the company!
Many of Rogue’s retail clients are calling for support—their customers and userbase are unable to connect to their sites. They are unaware that the entire service provider is affected.
☞ [[Contact the clients and explain the service outage.]]
☞ [[Investigate the Denial of Service attack.]](set: $clientsContacted to true)You decide that clients come first. You contact each of the affected clients and explain that the current outages are due to a Denial of Service attack from an unknown source. You are unsure of the estimated downtime, but will work with Rogue’s security experts to mitigate the damage.
Many of your clients are displeased, and blame the company for the interruption in service, citing Rogue’s focus on “reliability”. A minority of clients are appreciative, noting that they choose Rogue Services because of their up-front honesty in customer service.
☞ [[Investigate the Denial of Service attack.]]Deciding to waste no more time, you consult with Rogue’s security team to investigate the Denial of Service attack, and determine its origin.
After some time, you determine that the attack originates from a number of independent security vendors. It seems unlikely that these contractors would cooperate with one another in a coordinated attack...unless they were working for a common employer. You feel like this may be related to the take-down request—and Rogue Services’ refusal.
While your team discusses the implications of these findings, one system administrator notices that the filesystem on one of the primary servers has become corrupted.
☞ [[Continue to investigate the Denial of Service attack.]]
☞ [[Investigate the corrupted filesystem.]](set: $continueInvestigateDOS to true)You decide to determine if the Denial of Service attack is targeted to Rogue specifically, or if it is being carried out against a number of service providers.
After digging around and making some calls, it has become clear that the attack is directed solely against Rogue Services. This is unarguably a retaliatory response to the take-down refusal. Could it be that the U.S. government turned to cyberattacks when the legal system failed?
(if: $investigateFS is false)[☞ [[Investigate the corrupted filesystem.]]
]☞ [[Relay your findings to management.]](set: $investigateFS to true)You decide to address the corrupted filesystem as an immediate concern. Unchecked, it could cause irreversible damage.
One of your security team has pinpointed the source of the corruption—a targeted worm attack has spread throughout Rogue's network. The worm has been present but inactive for weeks. It is likely that backups are also affected, and clients will lose everything. This will affect all clients—even the legitimate retailers.
(if: $continueInvestigateDOS is false)[☞ [[Continue to investigate the Denial of Service attack.]]
]☞ [[Relay your findings to management.]]You relay the bad news to your supervisor, who shares it with Rogue’s top executives. It is unlikely that Rogue Services will be able to recover the immense amount of data lost with the corrupted filesystems—even after the Denial of Service attack is mitigated.
It is likely that the two attacks were coordinated—with the service interruption serving as a distraction that hampered Rogue’s ability to isolate and contain the destructive worm.
(css: "font-size: 150%")[☠] (text-colour: "red")[Rogue Services is defunct.]
The U.S. government later claimed responsibility for the attack, stating that as a result of this coordinated action, **spam and botnet traffic worldwide immediately dropped significantly**. In addition, new infections of several forms of ransomware ceased.
One news report featured an interview with an Agent S. Guy, who suggested that, “This type of offensive may become more common. Governments worldwide are increasingly considering cybercrime to be a form of terrorism rather than simply being a legal matter. It’s all-out war.”
☞ [[Endgame]]#Game Over<img style="float: right; width:200px; margin: 10px;" src="images/rogueservices.png" alt="Rogue Services" title="Rogue Services"/>
Some notable events in this playthrough:
(if: $accept is true)[ • You accepted a job with Rogue Services.
](if: $negativeStory is true)[ • You researched Rogue Services before taking the job and found a negative story.
](if: $positiveStory is true)[ • You researched Rogue Services before taking the job and found a positive story.
](if: $investigateAnomaly is true)[ • You chose to investigate the anomalous accounts.
](if: $keepToSelf is true)[ • You decided not to share the take-down request.
](if: $supervisorConsulted is true)[ • You consulted your supervisor about the take-down request.
](if: $supervisorSatisfactory is false)[ • You disagreed with your supervisor about the take-down request.
](if: $supervisorSatisfactory is true)[ • You agreed with your supervisor about the take-down request.
](if: $disabledClient is true)[ • You immediately disabled the client’s access.
](if: $clientsContacted is true)[ • You contacted affected clients about the Denial of Service attacks.
](if: $fired is true)[ • You were fired.
]
<hr/>
###Next Steps:
Be prepared to discuss the application of the <a href="https://www.acm.org/code-of-ethics" target="_blank">ACM Code of Ethics</a> to this scenario. You should be prepared to take on multiple viewpoints and discuss how specific Principles apply.
static: ./audio/static.wav
This "Choose Your Own Outcome" interactive story is based on the case study, “<a href="https://ethics.acm.org/code-of-ethics/using-the-code/case-malware-disruption">Malware Disruption</a>”, by the ACM Committee on Professional Ethics.
☞ (link-repeat: 'Start the story.')[(track: 'static', 'play')(goto: 'A New Job')]
[[ ->A New Job]]