Sunday, May 01, 2011

How To Cut The "Proxy Problem" In Half

For those who don't know (and you know who you are), I have been professionally involved with proxies of one sort or another for over fifteen years.  For the past three years I've taken it upon myself to study the issue of open proxies in depth.  I scrape all the well-known proxy lists available on the Web, geolocate the IP addresses and collect the whole mess in a MySQL database. 

Besides the well-known lists I have also been lucky enough to have stumbled upon some private, "for pay" proxy lists whose operators didn't know how to write a proper robots.txt file and a handful of hacker and SPAMmer sites that kept their own lists.  In fact 20% of the database came from just one of those hacker sites.

On the 19th of April, I published a notice explaining the origin of the ubiquitous port 9415 proxies, which result from insecure default settings in a popular software package with 100,000,000 (one hundred million) active users, most of whom live in China.  Someone didn't like that and as a result I'm no longer publishing my results in the venues you were used to finding them.  Except for this one, and there's no telling how long it will last.

Why?  Here's some Wild Speculation™.  You don't have to believe a word of it.  It's presented to make you go "hmmm".  If you own a tinfoil hat, please put it on now.

There has been a lot of press about cyberwar these days.  And a lot of hype.  But there have been few skeptics (see this Forbes article for a good dose of cyberskepticism).  A lot of the hype could be spin from the HBGary story of earlier this year.  Spin in the form of generating fear.  We must protect ourselves from the Cyber Boogie Man.

So what, if anything, does this have to do with Chinese proxies?  They make an excellent choice for covert false flag operations.  A jump point if you need to convince someone (perhaps with budget authority) of the grim reality of an Advanced Persistent Threat.

That's it.  At least it makes me go "hmmm".  I would think that someone would like to see these proxies disappear, especially the company that wrote the software, unless they're spooks, too.

With that in mind, we're going to track these proxies for the next few months.  I have a feeling they will never go away, even though it should be a simple fix for the people who wrote the software.  Here are the numbers as I saw them for April, 2011:

As you can see, port 9415 proxies are almost half of all proxies published on proxy lists.  For the people who think proxies are a Bad Thing, there you go.  Fix these and you cut the problem in half.  I'll even let you take all the credit for doing it.  You'll be heroes.
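The tallying step described above, as an added example that is not the author's own tooling: it parses proxy-list lines in the two common layouts, deduplicates entries that appear on more than one list, and computes what share of unique proxies listen on port 9415. The sample lines are constructed (RFC 5737 documentation addresses), not scraped from any real list.

```python
import re
from collections import Counter

# Constructed sample of scraped proxy-list lines (documentation addresses,
# not real hosts). The two layouts mimic the "ip:port" and "ip port country"
# formats public lists use; the duplicate across lists is intentional.
SAMPLE_LIST_LINES = """
# list A (constructed)
203.0.113.10:9415
203.0.113.11:9415
203.0.113.12:8080
198.51.100.5:3128
# list B (constructed), space-separated with a country column
203.0.113.10 9415 CN
203.0.113.13 9415 CN
192.0.2.7 80 US
junk line that should be ignored
"""

# Leading IPv4 address, then ':' or whitespace, then a port number.
PROXY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})[:\s]+(\d{1,5})\b")


def parse_proxies(text):
    """Return the set of unique (ip, port) tuples found in list text.

    Comment lines and lines that do not start with an address/port pair
    are skipped; out-of-range octets and ports are rejected.
    """
    found = set()
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = PROXY_RE.match(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 1 <= port <= 65535:
            found.add((ip, port))
    return found


def port_share(proxies, port):
    """Fraction of unique proxies listening on `port` (0.0 for an empty set)."""
    if not proxies:
        return 0.0
    counts = Counter(p for _, p in proxies)
    return counts[port] / len(proxies)


if __name__ == "__main__":
    proxies = parse_proxies(SAMPLE_LIST_LINES)
    print(f"{len(proxies)} unique proxies; port 9415 share: {port_share(proxies, 9415):.0%}")
```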

And I'll be the Bad Guy.


