Harnessing spam bots for cyber warfare

Disclaimer

I have not researched internet criminal law and I won't speculate on the legality of this idea. I'm not advocating any type of internet warfare or vandalism. Don't implement this idea unless you determine that it is completely legal.

Summary

With that disclaimer out of the way, I'd like to explain one of my most ambitious and long-planned idea: redirect spam bots to launch a DDoS attack on a website. Even small websites have to guard their forms against bot spam. Why shouldn't this enormous source of resource-wasting power be put to good use?

Background

Spam bots work on the economics of scale. Unscrupulous companies and criminal organizations pay spammers to use their servers to crawl the internet, looking for comment forms and public email addresses. When a spam server (or bot) finds a web form, it fills it out with a mix of garbage and spam links and moves on. If the data is posted on the website in some way (blog comment, forum posting, wiki entry), the bot has succeeded in exposing the link to more people. If even a minute percentage of the people who see the link click on it, the hiring organization can make money by infecting the unwary user's computer with malware and selling his personal information.

However, if the spam is detected by any part of the system, it is blocked and the bot has failed. Unfortunately, it has still consumed the bandwidth and computing power of the victim web server. In addition, the victim server's organization has to use its resources to harden its website against spam bots. On a low-traffic website, the spam bot traffic is negligible, but on larger sites, the cost of spam bots is significant. One only needs to examine the measures taken against bot spam to realize its power: reCaptcha, image rotation tests, and a few more esoteric schemes. Despite all these barriers, spammers can make money with spam bots.

Plan of action

Why should all those spam bot processing cycles be used for nefarious purposes? Right now, when a website detects a spam bot, it has several options: it can block the IP address of the bot, preventing the bot from coming back; it can simply reroute the bot to a dead-end page; or it can attempt to waste the spam bot's processing cycles by rerouting the bot to a bot trap. Typically, bot traps work by enticing the bot to fill out a never-ending line of forms or follow a web of garbage links.

What if this stream of spam bots was instead pointed at link farms or phishing sites? Web forms could reroute the spam bots they detect to a spam bot portal site that would reroute the spam bots to known nefarious sites. If a significant number of websites used the portal as a bot trap, the effect on the nefarious sites could be devastating. The spurious sites would be crushed by the traffic from their own advertising bots.

Eventually, the portal site could be automated to find and destroy targets on its own. It could pick its targets from the list of sites ejected from Google's index for phishing or link farming. Once it had chosen a site, it would redirect its traffic to that site, checking each minute to see if the site was still functioning. Perhaps it could crush multiple sites simultaneously by evaluating their stability and pointing just enough traffic at each to overwhelm it.

Obviously, this idea would be far more difficult to implement than to describe. How would the portal handle the massive amounts of traffic? Who would want to shoulder the cost of this plan? How would the predator portal get the list of sites rejected from Google's index?

Do you think this plan is viable?

Scribblenauts: Accomplishment and potential

Although Scribblenauts is a terrifically fun and shockingly innovative game, its concept is even more compelling than its gameplay. Scribblenauts is a new game for the Nintendo DS in which you solve puzzles by summoning and using items. If your goal is encased in a block of ice, you could break the ice with a hammer, melt it with a flamethrower, or detonate it with a grenade. The game's hook is that you can summon almost any item imaginable.

Hidden machinery

Of course, the game is phenomenal, but the technology behind it is even more impressive. 5th Cell, the developers of Scribblenauts, managed to cram tens of thousands of interactive, animated characters and items on a tiny DS cartridge. On top of the actual pictures, they programmed in complex interactions between the items. For example, a toaster will turn bread into toast; monsters scare and attack people; cops shoot criminals and chase donuts; and beavers gnaw down trees. This game's backend is completely unprecedented.

Unlimited Possibilities

Imagine if the contents of the Scribblenauts asset database were accessible to all game developers. Designing a traditional game would be a breeze: lay out a level, populate it with items and characters, and show the player an objective. However, giving developers (and players) instantaneous access to a massive library of items would create entirely new gaming possibilities. An RPG could allow players to equip their teams with typical household items with different strengths and weaknesses. A point-and-click adventure could use the sprites and interactions to let the player pick up literally any item in a room and use it in the game. A platformer could use the vast selection of items and characters to make each level a unique experience. A universal resource database could fundamentally change process of creating and playing games.

Making the concept a reality

Thinking about the possibilities if the Scribblenauts database was open is entertaining but unproductive. In order to give developers and users the power of instant item creation, steps must be taken.

1. A lightweight format for interactively animated sprites must be established. Whether it's a particular arrangement of sprites on a sheet or an XML dialect for defining how a character's parts fit together and interact, there must be a standard for people to follow.
2. A central database must be created to systematically store and retrieve the standardized sprites. It must be easy for people to contribute, but impossible for someone to damage or corrupt. The sprites and their interactions must be version-controlled.
3. Developers must have access to the database from their games. Web-based technologies could access the database directly, but pc-based games should be able to use a copy of the database. It could be optimized and compressed, or developers could simply "check out" the portion of the database they intend to use. Perhaps, when a game using the entire database is started, it could check to see if any new items have been added to the database.

Conclusion

The game Scribblenauts is an enormous accomplishment, but it could be so much more. The technology behind Scribblenauts could revolutionize the resource management of game development, tearing down barriers for both designers and developers to create experiences. Nevertheless, in order for that to happen, 5th Cell must release the Scribblenauts' resource database for non-commercial use, or the independent developer community must unite to create their own asset database.

If you'd like to support the developers of Scribblenauts (and me), you can buy Scribblenauts for yourself.