The Bots That Stole Christmas

Intro

Who remembers heading out the night before ticket sales opened for your favorite band and camping out with all the other crazy fans who were in queue to buy the best seats when it opened the following morning? Or doing the same at a game store because a new game was coming out the next day and you needed to be the first to finish the campaign?! I do.

These scenarios are quickly becoming a thing of the past, as these environments are now mechanized and favor machines, not humans. Machines will not take over in the form of Skynet, but in the form of everyday automation, and this machine-scale world is already here today. This holiday season, I found myself in that exact position as I tried to get the new PlayStation 5 (PS5) via every single avenue I could. Each time, I was met with machines beating me to the punch. Online retail is no longer a human-scale offering, but rather an opportunity for bots and machines to outmaneuver and outperform the average buyer and help someone with often less-than-scrupulous morals make a quick buck on people’s fear of missing out (FOMO). In this blog, I want to share that experience and then show how this extends to what is coming for information security. It’s time to defend at machine-scale or die!

This whole scenario makes me think back to a quote from the Matrix:

“Throughout human history, we have been dependent on machines to survive. Fate, it seems, is not without a sense of irony.”

Get the new PS5 via an online retailer, wrap it, and have it ready for Christmas morning. Sounds easy enough. Christmas has passed and still no PS5 in sight. I’m a Distinguished Engineer, so I am not new to technology; my failure here is simply that I am shopping in the traditional manner: show up at a website at a certain time and transact with my browser until the order is complete. That’s the old way. The new way is to employ software automation on your behalf so that your shopping task can operate at machine-scale and not at human-scale. No matter how fast you might be able to get that item in your cart and get to checkout, odds are you’re not faster than a series of bots doing the same thing en masse.

The first community to harness this unfair advantage is the folks who don’t want the item for themselves, but instead want to use this scarcity to resell it on online auction sites for a profit. In the case of the PS5, the item in question retails at 499.99 USD. Meanwhile, scalpers now regularly sell them at 1100.00 USD on places like eBay. They have rightfully earned the name Grinch Bots. Many online retailers are aware of this activity and actively trying to thwart it, blocking tens of millions of bot attempts within the first 30 minutes of another batch being available for sale.

There’s a bot for that!

When mobile phones were coming of age, everyone would say “there’s an app for that!” These days, it is more likely that you will want to claim that “there’s a bot for that!” Yes, that is right: you can find services on the internet that will use bots to do your bidding, allowing you to operate at machine speed and machine-scale. There are even services out there that compare bot services to one another. So, the question becomes: to shop for high-demand items on the Internet, will I need to employ bots?!

My experience says YES you will.

These shopping bot services are not illegal (yet). The US has legislation in the form of the 2016 BOTS Act, which made it illegal to use software to scalp tickets, and is now proposing a similar Stopping Grinch Bot Act that targets people who use bots to circumvent retailers’ anti-bot protections.

And before you start thinking that this is just someone’s home project or a side-hustle, some of these bot groups have been known to make millions in profits over the course of a few weeks!

The machine-scale megatrend

The megatrend here is what we used to call “digitization,” but there’s a bit more to it than that. Retail, once a completely manual process, was then augmented by machines, and is now almost fully automated by machines, which brings with it huge advantages – both for the good guys and the bad guys. At what point are you automated enough to consider your business to be operating at machine-scale? The fact of the matter is that, like online shopping, you can no longer defend your business at human-scale. I’m not talking about a future that is years out; I am talking about right now. You are facing an adversary that now has easy access to machine-speed, machine-scale perception, and machine-scale operations. Are you ready for this next level of threat actor?

A few questions you may want to consider when assessing your readiness:

  • What percentage of threat detection is automated versus manual?
  • For the automated detection, is the fidelity high enough to be safe to automate a response?
  • How much of your infrastructure can be automated safely?
    • How much is still too dangerous to automate and why?
  • What are your automation goals this year, in 3 years, and again in 5 years? Will you ever get to 70% automated? 80%?
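The second and third questions above (is detection fidelity high enough to automate a response, and how much is still too dangerous to automate) can be turned into a measurable gate. The script below is an added example, not code from the original post or from any vendor: it takes analyst triage outcomes per detection rule, computes each rule’s precision, and only marks a rule eligible for automated response when its precision clears a threshold and enough alerts have been triaged to trust that number. The rule names, alert counts, 95% threshold and 50-alert minimum are all constructed assumptions for illustration.

```python
"""Detection-fidelity gate: which detection rules are safe to auto-respond?

Added example (not from the original post). Inputs, rule names and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample: analyst verdicts for alerts raised by each rule over
# some review period. Real numbers would come from your ticketing/SOAR data.
SAMPLE_TRIAGE = {
    "credential_stuffing_login_burst": {"true_positive": 480, "false_positive": 12},
    "known_c2_domain_dns":             {"true_positive": 97,  "false_positive": 0},
    "powershell_encoded_cmd":          {"true_positive": 60,  "false_positive": 40},
    "new_admin_account":               {"true_positive": 9,   "false_positive": 1},
}

# Assumed policy: auto-respond only if >= 95% of alerts were confirmed true,
# and only once at least 50 alerts have been reviewed by a human.
PRECISION_THRESHOLD = 0.95
MIN_TRIAGED = 50


@dataclass(frozen=True)
class RuleStats:
    rule: str
    true_positive: int
    false_positive: int

    @property
    def total(self) -> int:
        return self.true_positive + self.false_positive

    @property
    def precision(self) -> float:
        # Share of alerts that were real; 0.0 when the rule never fired.
        return self.true_positive / self.total if self.total else 0.0


def summarize(triage: dict) -> dict:
    """Build RuleStats for every rule in the triage dataset."""
    return {
        name: RuleStats(name, counts["true_positive"], counts["false_positive"])
        for name, counts in triage.items()
    }


def automation_decision(stats: RuleStats,
                        threshold: float = PRECISION_THRESHOLD,
                        min_samples: int = MIN_TRIAGED) -> str:
    """Return 'automate', 'manual' or 'insufficient_data' for one rule.

    A high precision computed from a handful of alerts is not evidence of
    fidelity, so sample size is checked before the threshold.
    """
    if stats.total < min_samples:
        return "insufficient_data"
    return "automate" if stats.precision >= threshold else "manual"


def decide_all(triage: dict) -> dict:
    """Map every rule name to its automation decision."""
    return {name: automation_decision(s) for name, s in summarize(triage).items()}


def automation_rate(triage: dict) -> float:
    """Fraction of alert volume handled by rules approved for automation.

    This answers 'what percentage of detection is automated' by volume
    rather than by rule count, which is what matters for analyst load.
    """
    stats = summarize(triage)
    total = sum(s.total for s in stats.values())
    automated = sum(s.total for s in stats.values()
                    if automation_decision(s) == "automate")
    return automated / total if total else 0.0


if __name__ == "__main__":
    for name, stats in summarize(SAMPLE_TRIAGE).items():
        print(f"{name:35s} n={stats.total:4d} precision={stats.precision:.3f} "
              f"-> {automation_decision(stats)}")
    print(f"alert volume eligible for automated response: "
          f"{automation_rate(SAMPLE_TRIAGE):.1%}")
```

Run it as-is to see the constructed data classified: the two high-fidelity rules are approved, the encoded-PowerShell rule stays manual because 40% of its alerts were false, and the new-admin-account rule is held back for lack of data even though it looks precise. Feeding it your own triage counts gives a defensible, repeatable answer to the readiness questions rather than a gut feeling.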

Automating what was once manual is always considered to be progress – that is, at least when it works as designed.

As security professionals, we must also do our threat modeling to design systems that can operate in a hostile environment, one with an active and learning set of adversaries.

While I still don’t have a subscription to a bot service to buy a PS5, the game of cybersecurity is one that I consider more fun, more engaging, and one that I am subscribed to whether I like it or not.