Mixter Speaks About the Latest DDoS

ochinko writes, "This is an interview with the German programmer who wrote TFN and TFN2K. Basically he says that it's quite easy to launch such attacks but extremely difficult, if not impossible, for the initiators to be tracked." Suck.com has a pretty good article on the attacks, as well. Maybe I should take credit for the DDoS attacks and become an international superstar.
  • Essentially if no one can essentially be caught that means that the useless companies will just go berserk and target everyone including those using our favorite OS.
  • by Yaruar ( 125933 ) on Tuesday February 15, 2000 @06:48AM (#1271909)
    No. The fact that I authored these tools does in no way mean that I condone their active use. I must admit I was quite shocked to hear about the latest attacks. It seems that the attackers are pretty clueless people who misuse powerful resources and tools for generally harmful and senseless activities just "because they can."
    Reminds me of most weapons makers who dissolve themselves from blame as the creators by saying that theirs is a tool that is misused.

    There is more than a hint of ego in this guy's work (if indeed it was him); by putting it in a public forum (albeit for good reasons) he knew that people were going to abuse his creation.

    Maybe he should have let the relevant people know about the problem before putting the code in the public domain.

    In many ways I suspect he wanted an attack to vindicate himself, show off his skills whilst remaining on the side of the light and generally bask in the publicity...

  • . . . here in Pittsburgh have been claiming credit for the attacks already. But then again, I suppose everyone and their script-kiddie brother is. Quite honestly I don't believe that we'll ever know who did it, but I'm sure we'll have someone to crucify for it. The government seems to be pretty good about that.
  • I am impressed by the maturity shown to the global community by this white-hat hacker in discussing security issues for the Internet.
    This kind of attitude will go far in showing the true difference between those sincerely interested in the security of our communications and "script-kiddies" only out for personal glorification and status among their peers.
    I liked the clarification about his role as a hacker in the traditional sense of the word. Too often these days the word "hacker" is thrown around indiscriminately and the insights shown in this interview may help to show the general public what the difference is.
  • by brunes69 ( 86786 ) <slashdot&keirstead,org> on Tuesday February 15, 2000 @06:54AM (#1271912)

    Does anyone but me see the goal behind these attacks? Think of the names... CNN (owned by Time/Warner), Etoys (obvious), Yahoo (corporatism ruined a once great story), etc.. all the targets are huge corporations that believed they were more powerful than the "hackers" and believe themselves above morality. Perhaps this will catch their attention... Maybe things like the Fox flash page, frivolous lawsuits, etc. will be diminished. Or not ;) I'm not saying this kind of behavior should be encouraged, or if it is even acceptable... it IS very poor advocacy. I'm just saying, I think I know where these guys are coming from... I'm practically there myself. In fact, I think a lot of us are.

  • should have let the relevant people know about the problem before putting the code in the public domain.

    What relevant people? Should he have called up everyone running a website from their whois entry just to tell them that DoS just got bigger and badder? This could happen to anyone for chrissakes! It's a damn DoS attack! He did all he could do: Submit the program to relevant security organizations. CERT, etc, all had a heads up on this attack to the tune of months! If they stuck their heads up their asses and ignored it, that's not his problem.
  • by slashdot-terminal ( 83882 ) on Tuesday February 15, 2000 @06:56AM (#1271914) Homepage
    Reminds me of most weapons makers who dissolve themselves from blame as the creators by saying that theirs is a tool that is misused.


    Suppose you make guns. I don't care any type of guns. Now suppose a couple of stupid kids decide to shoot up a high school? Sound familiar? Are you then to blame because someone did something stupid?

    What about a hammer. I have used a hammer many times; however, I still can bang the hammer on my thumb. Does that mean I can sue you because I screwed up?

    The answer is no.

    There is more than a hint of ego in this guy's work (if indeed it was him); by putting it in a public forum (albeit for good reasons) he knew that people were going to abuse his creation.

    People like attention, nothing new.

    Maybe he should have let the relevant people know about the problem before putting the code in the public domain.

    Dear Mr. Police Officer, I am going to run at least 10 red lights and speed 145 times in residential zones in the next 6 months, please revoke my licence now, ok?

    No one is stupid enough to take that level of a hit.

    In many ways I suspect he wanted an attack to vindicate himself, show off his skills whilst remaining on the side of the light and generally bask in the publicity...

    If you don't open your big mouth you get into less trouble that way.

  • I wonder how many of the people that are taking credit would continue to do so if they were prosecuted. If I went into the local police station and confessed to a murder, arson, etc. then I would be in cuffs so fast it would make your spin as fast as a 10,000 rpm hd.

  • Maybe he should have let the relevant people know about the problem before putting the code in the public domain.

    I'm curious how he was supposed to do this.

    "Dear mega web site.

    I am a high schooler who has written a program that..."

    plonk

    This sounds like L0pht all over again, people put up web sites, do a crappy job administering, and probably won't listen to an 18 year old who would warn them.

    Also, would you have suggested he email the same warning to each of the 5 million sites running Apache?

    I think the best he could have done was post it to a public, security oriented place and hope the web admins are doing their jobs by monitoring it.

    George
  • by FallLine ( 12211 ) on Tuesday February 15, 2000 @06:59AM (#1271917)
    I don't want to paint Mixter in the same light as the script kiddies who launched the attack. However, it is ludicrous to compare his DoS programs with the likes of, what I would call, "true" security professionals (e.g. cDc, l0pht, Solar Designer, etc.). What he did was make a bigger, better, and badder-ass gun for the script kiddies. The monkeys could have flooded major sites before Mixter made his presence felt. Mixter merely made it easier for the monkeys, both to execute and get away with.

    No rational and reasonably intelligent person would have denied the possibility of this "security problem". The vulnerability to flooding isn't a security flaw per se, that could just be patched if the victims were a little more aware. Unlike l0pht (et al.) he isn't putting pressure on the manufacturers and vendors by releasing his code.

    That being said, Mixter didn't do these attacks. He isn't evil, and I have a certain amount of respect for him. I do have a problem, though, with portraying his creation of these DoS programs as being intrinsically good, never mind his motives.

  • Maybe I should take credit for the DDoS attacks and become an international superstar.

    At the end of the film they all jump up shouting "I'm Spartacus". So the Romans crucified every last one of them, 6000 men along the Via Appia as a warning to other slaves.

  • Let's look at this situation as if it were a traditional murder, or a mass slaying.

    "Dozens gunned down in shopping mall", for example.

    Do you think the FBI would all of a sudden start hunting for an individual who is known to have designed guns? Of course not. They go after the guy who wielded the gun.

    But with anything net-related, when Something Bad Happens, they go after the tool-makers (as well as the tool-users).

    The big difference between net tools and guns, as far as "tools to commit crimes with"? The gun manufacturers have a powerful lobby (NRA) and boatloads of cash. Folks like Mixter are much easier prey.

  • Maybe he should have let the relevant people know about the problem before putting the code in the public domain.

    He did. By putting it in public domain. The relevant people read the public domain. If they do not they just imitate to be relevant.

    Let's face it security on most of the Internet sites is bad and on some has gone worse as their corporativism/size has increased. Nothing unexpected.

  • by ajs ( 35943 ) <ajs.ajs@com> on Tuesday February 15, 2000 @07:04AM (#1271923) Homepage Journal
    Ok, I know who did it. It was my cousin's sister's broker's dealer's aunt's friend who told me that they knew a guy who happened to have the next ASN up from this girl who once exchanged Email with a cypherpunk who was loosely referred to in Cryptonomicon which was secretly a true story about this guy who towed my car for me.... um, where was I?

    Oh yeah, Hemos did it. ;-)
  • by rasilon ( 18267 ) on Tuesday February 15, 2000 @07:05AM (#1271924) Homepage
    s/hacker/cracker/
    As he points out, his "program is publicly known" and "people have a chance of identifying it locally when it is installed on their server by searching for binary patterns, as the FBI proved." and "the real problem is the insecurity of the huge amount of servers". I look after a number of web sites, some e-commerce. IMHO these tools should be announced, because I get to test my systems and harden them against them. I get to tune system parameters to minimise the effect of DoS attacks, and secure systems against compromise. Security by obscurity is no security. Keeping these programs in the underground just increases the risk.
  • by MicroBerto ( 91055 ) on Tuesday February 15, 2000 @07:05AM (#1271925)
    This is from the suck.com article. [suck.com]:

    But the people who truly deserve the blame for the public's hours-long inability to swap "Steam Engine" jackknives on eBay are the short-sighted, tight-fisted monkeys who managed to build a multi-billion dollar industry on an insecure networking system, something so fragile that it can be brought to its knees by anyone willing to bother. The fact that a target as big and fat as Yahoo is fundamentally vulnerable to something as simple as a DoS attack is a clear invitation to go right ahead and shut them down.

    Whoa, that's pretty intense there. They also go on to say that since vandalism is inevitable, it's up to the people who will be vandalized to protect themselves. I agree to a good extent.

    My question is this: How can you properly protect against many DOS attacks? Once so many requests come in from one IP, you block that IP? I can see problems there, such as if many customers through one ISP go through a cachebox. The way I see it, stopping this is just as hard as stopping the slashdot effect. What types of protections are there concerning router-level protection?

    thanks..

    PS - I know that packets coming from our ISP cannot be spoofed due to our routers, so if my box (soul.apk.net [apk.net]) caught wind of the problem, nothing would be allowed out anyway. However, I don't think it's always our job to do the security for outgoing traffic.

    - Mike Roberto
    -- roberto@apk.net
    --- AOL IM: MicroBerto
  • What a business strategy. I think I'm going to start my own business, then create a monopoly by using DDoS to wipe out all of my competition. Hmm, what will be next? Maybe my company should have its own DDoS department.

    kwsNI
  • I've been using Linux for a few years now but am currently setting up a web server which is fairly new to me. As a newbie it's bound to have many security holes until I've finished reading the books :-) Even then I know it won't be secure. So, is there really no way to stop these attacks? If not, what measures can a sysadmin take to at least minimise the impact of DoS attacks?
  • The Washington Post has an article [washingtonpost.com] saying that the FBI is preparing to question several suspects in the case.
  • Suppose you make guns. I don't care any type of guns. Now suppose a couple of stupid kids decide to shoot up a high school? Sound familiar? Are you then to blame because someone did something stupid? What about a hammer. I have used a hammer many times; however, I still can bang the hammer on my thumb. Does that mean I can sue you because I screwed up?

    I think you have missed the point. A gun has a primary purpose, to maim or kill. A hammer has the purpose of driving inanimate objects (nails) into other objects (through wrists and into wood). The intent of the tool is shown through its design.

    Dear Mr. Police Officer, I am going to run at least 10 red lights and speed 145 times in residential zones in the next 6 months, please revoke my licence now, ok?

    Proposing that you are going to commit crimes is different than doing or admitting you've done crimes. They really can't get you for saying that you are going to speed, they just have to wait and catch you when you do.

    If you don't open your big mouth you get into less trouble that way.

    The classic mistake that "hackers" make is that they can't keep quiet about what they've done.
    "If you do something cool and no one knows about it then it can't be cool."


  • Suppose you make guns. I don't care any type of guns. Now suppose a couple of stupid kids decide to shoot up a high school? Sound familiar? Are you then to blame because someone did something stupid?
    If you have made something whose sole purpose is to cause harm then you should be big enough to take some of the blame when it is used for such matters.

    Look at Nobel who became a pacifist and campaigned against his own invention when he realised it created one of the most effective ways to kill people.

    Look at Oppenheimer, and many others through history.

    As for hammers, their sole purpose isn't to cause harm and kill.

    Another example. I create a genetically mutated virus that kills all people with blue eyes, but keep it safe. If someone breaks in and releases it, I am still the one who brought it into existence and I am morally implicated in the genocide for creating the tool with a primary role of destruction in the first place.

    As for the bit about the public domain, I put that in because he knew the effect it would have and shouldn't deny the consequences of his action.

    With liberty comes responsibility.

  • all the targets are huge corporations that believed they were more powerful than the "hackers" and believe themselves above morality. Isn't it possible that they just attack these sites because of how big they are? I mean, if you want publicity, you don't nuke that kid in school who was mean to you, you crash the sites that are getting a zillion hits a day.
  • Denial of service attacks need to be removed from the "hack" category. I can cause a denial of service to a major city by stopping my car in the middle of the interstate. Does that make me a "hacker"? I think it registers under "stupid".
  • Mudge is meeting with the President of the United States next week? What's on your schedule?

    -B

    you spelled loser wrong, even phonetically.

  • Reminds me of most weapons makers who dissolve themselves from blame as the creators by saying that theirs is a tool that is misused.

    And for his/her next trick, Yaruar will blame car makers for drunk driving.

    Come on, people -- tools and weapons are inanimate. They have no intent. The wielder of the tool is completely responsible for the outcome. Mixter's tool was designed to increase the security of a network, by pointing out its vulnerabilities. You can't blame him for the misuse of the tool by some idiot(s).

    Please get the causality straight.

  • > Reminds me of most weapons makers who dissolve
    > themselves from blame as the creators by saying
    > that theirs is a tool that is misused.

    Well, it is he who pulls the trigger that is blamed for the crime. But, in the electronic world flaws aren't fixed until someone points them out. There was no damage done by these attacks, no data lost, only down time.
    Don't think that I condone the use of these tools. In fact I look down upon those that do use them.

    > There is more than a hint of ego in this guys
    > work (if indeed it was him) by putting it in a
    > public forum(albeit for good reasons) he knew
    > that people were going to abuse his creation.

    Every good tool has a dark side. Should we only let those who are 'worthy' have the powerful ones? All good tools get abused, and those that do the abusing should get punished.

    > Maybe he should have let the relevant people
    > know about the problem before putting the code
    > in the public domain.

    Why? Again, unless companies get a little kick in the pants they won't fix a damn thing. In this case the threat existed for a long time (and we knew about it) but no-one took the time to fix it because "It won't happen to me."

    > In many ways I suspect he wanted an attack to
    > vindicate himself, show off his skills whilst
    > remaining on the side of the light and generally
    > bask in the publicity...

    I would expect something more than pure speculation from someone that posts here.

    And the gross use of the term hacker. I got an idea, why don't you go to the jargon files and look up a good definition. Then maybe you will realize that little punks like the one(s) who did this attack are but a small percentage of our actual population.
    Remember that in ALL societies it is always about 5% of the population that is the troublemakers. Unfortunately these are always the ones that get the press's attention.

  • The big difference between net tools and guns, as far as "tools to commit crimes with"? The gun manufacturers have a powerfuly lobby (NRA) and boatloads of cash. Folks like Mixter are much easier prey.

    There's a much bigger difference - there are very legitimate reasons for the average person to have a gun - namely, defense of self, family and property. Whereas the only legitimate use for these net tools is akin to having a set of lock picks to determine how vulnerable your own locks are against being picked.
  • You would have been more consistent if you had said that the primary purpose of a gun was to embed a small piece of lead into an object at distance...
    The mechanics of the tool are shown in its design, the intent of the tool is shown in the actions of the user.
  • I assume it stands for Distributed Denial Of Service but that hasn't been made explicit. /. should have a page describing TLA's ^H^H^H^H Three Letter Acronyms and the like used recently.

    Anyway, to get back on topic. What's to stop the compromised machines from creating the packets in such a way as they appear to come from loads of different random IPs? (I assume that most OSs don't let you fake them, but remember these machines have been compromised already so this could be disabled/got around or whatever.)
    That way the victim (insert big site name here) would have no way to tell if a request was valid or not (even if they had loads of humans looking at every incoming packet!)

    Some (most?) routers (at ISPs or in Universities for eg.) would probably check the origin but I'm sure there are many people who are allowed to create whatever packets they want.

    In this case, it would even be impossible to find out which computers were the zombies!, never mind tracking the "master" IP's that signalled the zombies to start pumping out the (fake?) packets.

    Most/All the routers in the world will have to be made more paranoid and/or using IPSec or Reverse-DNS or something....

    I'll quit my rambling by summing up that:
    We can't stop this any time in the foreseeable future.
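The origin check this post and Mike Roberto's PS above describe, as an added example that is not from the thread or from any of the tools it mentions: an ISP edge router only forwards a packet if its source address lies inside the prefixes assigned to the interface it arrived on, so a compromised host cannot hide behind random source addresses outside its own network. The interface names, prefixes and packets are constructed sample data; the per-interface drop count shows the trace-back benefit, since filtered spoofed traffic still reveals which link it entered on.

```python
"""Ingress anti-spoofing check for a customer-facing router interface.

Constructed example: the topology, prefixes and packets below are made up for
illustration; the check itself is the classic one of comparing a packet's
source address against the prefixes assigned to the link it came in on.
"""
import ipaddress
from collections import Counter

# Constructed sample topology (assumption): prefixes assigned to each
# customer-facing interface of an ISP edge router.
INTERFACE_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}


def is_valid_source(interface, src):
    """True if src falls inside a prefix assigned to the interface it arrived on."""
    prefixes = INTERFACE_PREFIXES.get(interface)
    if prefixes is None:
        return False                       # unknown interface: fail closed
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def filter_packets(packets):
    """Split packets into (forwarded, dropped) using the ingress source check."""
    forwarded, dropped = [], []
    for pkt in packets:
        if is_valid_source(pkt["in_if"], pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
    return forwarded, dropped


def spoof_sources_by_interface(dropped):
    """Count dropped packets per ingress interface.

    This is what the filter adds beyond blocking: the random source addresses
    tell the victim nothing, but the drop counter on the edge router pins the
    spoofed traffic to the customer link it came from.
    """
    return Counter(pkt["in_if"] for pkt in dropped)


def sample_packets():
    """Constructed traffic: three legitimate packets plus a burst from a
    compromised host on cust-A that randomizes its source address."""
    legit = [
        {"in_if": "cust-A", "src": "192.0.2.10", "dst": "203.0.113.80"},
        {"in_if": "cust-B", "src": "198.51.100.7", "dst": "203.0.113.80"},
        {"in_if": "cust-B", "src": "198.51.100.150", "dst": "203.0.113.80"},
    ]
    # One of the forged sources (198.51.100.9) is a real address of the
    # neighbouring customer; it is still dropped because it arrived on the
    # wrong link. A forged source inside 192.0.2.0/24 would pass: the check
    # narrows spoofing to the customer's own prefix, it does not eliminate it.
    spoofed = [
        {"in_if": "cust-A", "src": s, "dst": "203.0.113.80"}
        for s in ("10.4.4.4", "172.16.9.1", "198.51.100.9", "8.8.4.4")
    ]
    return legit + spoofed


if __name__ == "__main__":
    fwd, drp = filter_packets(sample_packets())
    print(f"forwarded {len(fwd)}, dropped {len(drp)}")
    for iface, n in spoof_sources_by_interface(drp).items():
        print(f"  spoofed packets entering via {iface}: {n}")
```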
  • The thing most of the people are missing is that these tools are not rocket science; these tools are not SMP kernel hacking. These tools make a reasonable use of some modern programming tools. Some cryptography (not too difficult), some IP client/server and not much more.

    Hell, I could have written these tools in a couple of weeks!!!! And taking into account that it has been years since my hands last typed C it cannot be that difficult.

    Ok, Mixter released those tools to the public. So?

    Sooner or later someone would!

    Or worse yet would not and instead take dozens of sites down with no one expecting it!

    Just ranting... Nevermind...
  • Maybe he should have let the relevant people know about the problem before putting the code in the public domain.
    Whom, exactly, was he supposed to notify before releasing his program?
    --
  • I was using Hacker to describe Mixter which is still how I would describe him.

    I know the definition, I know a lot of old school hackers, I also know a lot of crackers, I definitely put him in the first category.

  • I agree, to an extent.

    Feel free to claim innocence if you create a gun. But if that gun has special human-seeking bullets, then it could only be used for one purpose.

    The DDoS tools are such creations. There is no legitimate use for them. They can only be used to harm the performance of a network. A DDoS attack is not all that different from a standard DoS, except that it is harder to track down. I see no reason for a network admin to try this on his network.

    Obviously he does not care about the internet at all. Or cares more about looking 31337 than actually helping the internet.

    With your own "Dear Mr. Police officer" line, you imply that he knew what he did was wrong. Doing something you know is wrong is called "immoral" and "sociopathic". What a great guy.

    Crackers, this loser, and probably you care more about themselves than the internet. Go away. Come back when you grow up.

  • by Animats ( 122034 ) on Tuesday February 15, 2000 @07:35AM (#1271949) Homepage
    I dunno. This guy sounds more like Morris, Jr., the Internet worm guy from 1988. Morris, though, had a bug in his code, so his breakins choked the machine they were on.

    There are basically two problems: a huge number of machines vulnerable to off-the-shelf attacks, and the difficulty of detecting packet storms with phony source addresses. Both of these are fixable, but not trivially.

    One way to address the first problem is to have a certain percentage of machines set up by default to detect and immediately report break-in attempts. This will detect large-scale attacks, and will trace them back one level. Not all machines need to have this, just 1% or so. If, say, most Linux machines did this, the problem would get much smaller. If most Microsoft machines did it, the problem would go away. We'll probably see this happen over the next year or two.

    I can think of a few ways to address the second problem, some of which I've already discussed. With a little help in some routers, some interesting things become possible. Suppose there was an ICMP control message you could send to a router which said "turn on Record Route on IP packets sent to me for the next N seconds." Given that primitive, you could build a backwards traceroute.

  • by FallLine ( 12211 ) on Tuesday February 15, 2000 @07:41AM (#1271950)
    The fact of the matter is that there is nothing the cDc (et al.) does, that can't be created independently by other hackers. Imagine a world in which none of these exploits are disclosed, and also that 99% of sites on the internet run NT4.0. Without disclosure and general public knowledge of these exploits, MS would never act to patch it--it costs a great deal of money. Some may argue that it is not necessary to actually create a trivial exploit that script kiddies can exploit. While this may have some merit (I even agree somewhat with this approach, it depends largely on the circumstances and the vendor), it has been shown with MS (and a few others), time and time again, that they'll simply dismiss a vulnerability as "theoretical", or even "impossible", unless you make it known that you're going to create an exploit for it--and have demonstrated your abilities to make it a reality before.

    What we have today with open disclosure, is a system where operating systems, vendors, and sysadmins become somewhat seasoned and hardened to attack because of this kind of disclosure.

    Somewhat more debatably: Although script kiddies may be a pain in the ass, and their motives are selfish and childish, they do (collectively) ironically serve a function of sorts. Without script kiddies, it would be much easier to shrug off the importance of these flaws; it would potentially allow for a terrorist group, foreign government, or even a group of criminals to do serious economic damage in a wide-spread, highly coordinated, and professional attack. Remember that the independent acts of a million script kiddies all doing their own thing, is likely not nearly as dangerous as the coordinated efforts of a professional organization (not to mention that the professional organization could do it by surprise, virtually overnight)

    That being said, to clear up any confusion, I don't believe the internet is, at this point at least, terribly significant to our ACTUAL economy (GDP...as opposed to the imaginary one the press and politicians love to talk about). Even the actions of terrorists are not going to have all that great an impact (in my "other" scenario)--just that they'd have a greater impact were it not for disclosure. (Although, with corporate networks today being connected to the internet in various fashions, there is potential of significant information loss through the internet)
  • by Anonymous Coward
    Oh scary is the day when the gov't comes to equate certain software with guns. On the plus side, we in the US will then have a constitutional right to our cracking tools (for target shooting our own systems and to test for their security, of course). On the down side, we'll see 5 day waiting periods and gov't required registration and licensing of certain software. And the makers of these "dangerous software", just like the heavily regulated gun mfg cos. and gunsmiths and retailers, will also come to be heavily regulated by the gov't. Software Engineers will have to have certain "security clearances" backed up by periodic psychological profiling and extensive background checks, before access to certain types of programming knowledge and research is granted. All of which will redefine programming to be a privilege that can be revoked at any time. PH33R the future. I know I do.
  • "It was my cousin's sister's broker's dealer's aunt's friend who told me that they knew a guy who happened to have the next ASN up from this girl who once exchanged Email with a cypherpunk who was loosely referred to in Cryptonomicon..."

    ya know, if you believe the "six-degrees of separation" theory, that statement is not too far from being true.

    -c
  • by werd life ( 94886 ) on Tuesday February 15, 2000 @07:51AM (#1271954)
    Leads Aid in Narrowing List Of Suspects in Web Attacks
    February 14, 2000

    By DAVID P. HAMILTON and JIM CARLTON
    Staff Reporters of THE WALL STREET JOURNAL

    Computer sleuths and federal investigators continued to narrow their search for the culprits behind last week's hacker attacks against Yahoo! Inc. and other Web sites, obtaining evidence from several computers used in the attacks that points to at least two potential suspects.

    While the investigation appears to be making progress, law-enforcement officials say they haven't yet come up with hard suspects. However, evidence obtained from analysis of network traffic, computer-security logs and monitoring of Internet-hacker channels known as Internet Relay Chat, or IRC, has let investigators focus on the activities of two known hackers. So far, the two have been identified only by their online pseudonyms.


    The hacker raids, which overloaded major e-commerce sites with packets of meaningless data in so-called denial-of-service attacks, didn't threaten any data stored on those Internet servers. Many in the security community initially derided the attacks as unsophisticated, saying they could be conducted with tools widely available on the Internet.

    Now, however, it appears that at least one of the attackers may have been far more skilled than the apparent copycats that followed, said David Brumley, a system-software developer in Stanford University's information-technology department who has taken an active role in the hunt for the perpetrators. The hacker, who is believed to be responsible for the attack on Yahoo -- the first of last week's large-scale assaults -- mounted a particularly complex operation using highly customized tools, Mr. Brumley said.

    Mr. Brumley said this hacker's online pseudonym is known, but he wouldn't reveal it to avoid jeopardizing the investigation. He added that this hacker appears to have dropped out of regular IRC chats in the last few days. The hacker is thought to reside in the U.S., he said.

    A second, apparently less-skilled hacker believed to live in Canada was being watched as a possible copycat, said Michael Lyle, chief technical officer of Internet-security firm Recourse Technologies Inc. (www.recourse.com). The hacker, known by the online pseudonym "mafiaboy," allegedly was recorded in an IRC chat soliciting orders to shut down the Cable News Network and E*Trade Group Inc. sites, Mr. Lyle said.

    Stanford's Mr. Brumley confirmed that a hacker using the mafiaboy pseudonym was a focus of the investigation. However, he said, some in the hacker community don't believe the person behind the name was involved in the attacks. Indeed, mafiaboy is said to have later retracted the claims and a law-enforcement official said that authorities, while scrutinizing his actions, aren't sure he is responsible.

    Mr. Lyle and other security experts at Recourse, of Palo Alto, Calif., said they have viewed snippets of dialogue and have verified more of it from other hackers, and plan to give the information to the Federal Bureau of Investigation. "We think there were several hackers who launched the attacks in copycat fashion," Mr. Lyle said.

    Interest also has grown in a hacker identified as "Mixter." In a series of e-mail exchanges with The Wall Street Journal, online-news provider ZDNet and other media, Mixter has described himself as a 20-year-old German programmer living in the area of Hanover, Germany.

    Mixter is credited with having authored the Tribe Flood Network software, or TFN, one of the interrelated-attack tools believed to have been used in the attacks. A similar software is "trinoo." A third, called stacheldraht (German for barbed wire), is based on TFN but uses trinoo features. Mixter is credited only with TFN.

    In e-mail interviews, Mixter said -- in fluent English -- that he had no direct connection to the attacks and criticized the use of his software to paralyze online companies. He said TFN was written solely to demonstrate Internet-system weaknesses.

    Mixter first appeared on the Internet hacker scene around July 1998, posting less-well-known software programs he had authored on security-related Web sites, according to Dave Dittrich, a University of Washington computer-security expert who has analyzed some of Mixter's software.

    Mixter has voluminous postings at a site called Packet Storm, a division of Kroll-O'Gara Information Security Group in Palo Alto. Last month, a paper Mixter wrote on Internet security won a $10,000 prize in a Packet Storm competition. Mixter's most recent addition to the site is a lengthy treatise on how to deal with attacks such as last week's.

    A law-enforcement official said the FBI is trying to talk to Mixter through German authorities, but that Mixter isn't a leading suspect at this point.

    The FBI has run into problems retracing the source of the attacks because some sites used weren't keeping complete logs of computer traffic, according to a person involved in the case. "Some of the sites didn't capture all of the traffic" because their record-keeping software isn't set up to record that level of detail, a law-enforcement official said.

    With help from computer experts at the affected Web sites, the FBI is still analyzing what information they have gleaned from those logs. In addition, according to someone involved in the case, dozens of agents from field offices -- including San Francisco, Los Angeles, Atlanta and Boston -- are conducting interviews with sources who monitor hacking activity.

    "There hasn't been a huge number of people taking credit," said a law enforcement official, but the FBI is looking at them all.

    The first major breaks in the case came late last week, when investigators learned that computers at several California universities, including Stanford, the University of California at Santa Barbara and the University of California at Los Angeles, were involved in the attacks. Several university officials said their computers were infiltrated prior to the attacks and used to fire the barrage of data packets that temporarily knocked out several sites, including Yahoo, Amazon.com Inc., eBay Inc., E*Trade and CNN, a unit of Time Warner Inc.

    At UC Santa Barbara a network programmer noted "abnormalities" in the university's network traffic when he logged in Tuesday night. After further checks, the programmer discovered the following morning that one computer on the network had been broken into and used to attack the CNN Web site, according to Robert Sugar, the university's acting director of information technology.

    Upon that discovery, the programmer alerted both CNN officials and the FBI, Mr. Sugar said. Campus officials said the hacker who broke into that computer left many traces, and said the FBI already has obtained reams of data as a result.

    Mr. Sugar declined to describe the computer except to say it was an older desktop machine, a description consistent with a computer workstation. Security experts long have warned that older computers used for less-sensitive work at universities, where high-bandwidth Internet connections are common, are particularly vulnerable to such intrusions.

    A hacker also apparently manipulated a Stanford network router -- a computer specially designed to direct Internet traffic -- as part of an attack that overloaded the Web site of eBay, San Jose, Calif. That kind of attack, known as a "smurf" attack after the first software tool designed specifically to conduct it, didn't entail an electronic break-in at Stanford's computers, Mr. Brumley said. Instead, the hacker subverted a router "broadcast" feature used to direct an entire cluster of computers to blast packets at eBay.

    Meanwhile, other sleuths continued to probe the extent of the Internet's vulnerability to attacks. Network Associates Inc., a security company in Santa Clara, Calif., said a voluntary-screening program detected three cases of denial-of-service software installed on host servers: one in a university computer in Berlin, another at a university in Iowa and one in a nonuniversity computer in Long Beach, Calif. None of these detections necessarily indicate these computers were employed in last week's attacks, the company said.

    As investigators continued their work, the computer industry struggled to reach common ground on security issues in order to present a united front at a White House meeting scheduled for tomorrow.

    The dilemma for the computer industry, public-policy advocates say, is how to develop and agree upon standards that the government can support and protect without disrupting the open nature of the Internet. But given the different perspectives of government and industry, that won't be easy. Kim Alexander, head of the nonprofit California Voters Foundation, is one of the few people conversant in both the political and technological worlds. "It's like they speak two different languages," she says.

    Many companies hit by last week's attacks continued to lie low. But some appear likely to take a more active stand against government intervention. AT&T Corp. dealt with attacks in the past week against some of its customers but remains opposed to government intervention to protect networks.

    "It is important for the government [to take] a role in something that is illegal and affects commerce. Past that point, we clearly believe in self-regulation in this industry," said Rose Klimovich, AT&T's director of global intellectual-property-network services.

    Some hackers, meanwhile, continued to toy with security experts over the weekend. Late Saturday or early Sunday morning, a hacker with the handle "Coolio" defaced the rsa.com Web site, which is owned by Internet-security firm RSA Data Security Inc., a unit of RSA Security Inc. of Bedford, Mass. The defaced site bore a picture of two men pictured on RSA's official Web site with the letter "L" branded on their foreheads, and carried the message: "The most trusted name in e-commerce has been owned" by Coolio.

    Scott Schnell, a marketing vice president at RSA, said the company doesn't use the rsa.com site, which normally redirects Web surfers to RSA's main page at rsasecurity.com. He said the hacker hijacked the rsa.com Internet address and redirected it to the defaced page. Mr. Schnell said RSA was working with its Internet provider to resolve the situation.

    David Cloud and Douglas A. Blackmon contributed to this story.

  • Looks to me like an Apache error,
    not a linux error.
  • If you created a monopoly in this way, you will be sued by the DDoJ ;-)
    ---
  • I'm afraid I can't agree on this one. It's one thing to talk about a denial-of-service attack, and even to demonstrate it. The early flood tools demonstrated that flaw just fine. But TFN doesn't actually show us anything new about DoS attacks. Its sole "purpose" (if it has a legitimate purpose) is to demonstrate that the ultimate source of a DoS can be disguised, and we already knew that.


    ...phil
  • Again, the issue of poor security on internet attached machines is, I'm sure, well understood by most of those reading today. Unfortunately, the groups taking the most action (i.e. government, big business) don't seem to fully fathom the mechanism by which these attacks succeed. I don't even know if there is a way to stop a coordinated DoS attack short of the traditional method of calling everyone who's spewing out traffic. With more sophisticated tools (that, say, generate valid traffic) how would one differentiate between attackers and real clients? Short of adding more bandwidth I don't see any easy short term solutions. The fact that the government, particularly the FBI, thinks they can solve the problem by throwing money at it, performing wiretapping, etc, is frightening. Even more so considering that they're supposed to have met with Industry Leaders to discuss the problem.

    I suppose my biggest fear is that the government would try to invent/incorporate some sort of master control system (super ICMP?) for IP. Not only would this likely be ineffective in deterring a serious attacker, but it would likely invite abuse as well. I'm not sure that our fearless leaders in DC comprehend the issues involved.

    I believe the only way we can deal with this is the way it's always been done: as a community. It has been pointed out that a lot of the zombies in recent attacks have been Linux/Unix boxes. I know there are a lot of resources on the web for Unix security. RootShell [rootshell.com], for example, is a good site not only for descriptions of exploits, but actual code you can use to test your box. There is a lot of information about Unix/Linux security out there, but it's unlikely that any newbie will be exposed to it before, during, or immediately following the install of their OS. And we all know what kind of daemons get installed by default these days. I don't know if it exists, but a clearinghouse of security info, including not only alerts/exploits but instructions for newbies on how to fix problems would probably go a long way. Just raising the issue of security consistently (banner ads, links from most major Linux sites) to this clearinghouse would probably be enough to get the attention of people who are working with Linux. Does something like this exist? If not, would anyone else be interested in setting it up? Perhaps it could be part of the LDP. Who knows. I'm envisioning far more than might be practical, but if anyone else is interested, e-mail me at po.cwru.edu, username dwb2.

  • Ok then... Why not Barnes and Noble instead of Amazon? (one Click Shopping???) Why not shopper.com instead of Buy.com? (Corporation not making any money whatsoever and selling products at a loss, looking for a big IPO) Why not ABCNews.com, or News.com, but CNN.com? (Time/Warner) There's quite a common thread here...

  • Once upon a time, I was something of a grey hat. I, at one point, wrote and modified numerous programs and scripts that did similar things (thus I refuse to vilify him). I did say that I have some "respect" for him, and that skill was what I was referring to, even though I haven't personally seen the latest jaurez much. That being said, the idea of a distributed DoS attack isn't entirely new. Back in my day (towards the end), there was a program called FAPI (or was it FABI?) written by some folks that I knew. It wasn't quite as sophisticated, but it could have been developed much further, if anyone put the time into it.

  • How sad is it that Suck has, by far, the best article on this subject so far? Pointing out the real problem, IP, the people who should fix it, the "dot coms", and the reason they won't, money.

    How can you properly protect against many DOS attacks?

    How can you properly protect yourself against real world vandalism? Vigilance, monitoring, and prosecution. We just need another generation to grow up and realize, by being taught from a young age, that these antics do nothing but hurt in the long run. What we have is a generation of kids and young adults who have no moral framework for their activities on the Internet. It has also empowered the disenfranchised (*cough*) to make their voices heard both far and wide.

    Anyway, you can't stop them through normal means, here's the official word [cert.org] (from over two years ago)

    --
  • I think you have missed the point. A gun has a primary purpose, to maim or kill. A hammer.... The intent of the tool is shown through its design.

    And this tool was to throw lots of data at a machine. Just as there are devices that are built to ram cars at 60 MPH into a solid wall. This does *NOT* mean that they intend for it to be used with real people instead of test dummies in the driver's seat.
  • by shaum ( 32770 ) on Tuesday February 15, 2000 @08:03AM (#1271964) Homepage
    all the targets are huge corporations that believed they were more powerful than the "hackers" and believe themselves above morality.
    But if the attackers are motivated by anti-corp sentiment -- then why weren't Microsoft and AOL, the big-mama-jammas of the net, the first to be hit? As far as I know, these DoS guys haven't laid a glove on either one.

    (Of course, if there were a DoS at AOL, would anyone even notice? :-)

    The first thing that came to mind for me was the old "A-B-C murders" gimmick: hit your real target, and hit some unrelated bystanders before and after to make it look random.

    The perpetrator may have had a beef against Buy.com specifically ("I got yer restocking fee right here, buddy") and screwed around with them on the day of their IPO, and hit the others so as to make it look like random vandalism.

  • (This is an email I wrote to Rob Malda explaining my stance on the massive spam attack last night. I was hoping he'd post it. I guess I'll have to instead.)

    First of all, yes, I'm the person responsible for the spamming. I would like to explain why I did it, and what I hope comes of this. I've already explained myself in scattered places in the discussion thread itself, so I'll just sum my thoughts up here.

    Writing the spambot was rather easy. It was something I could quickly cobble together with a couple very simple shell scripts. The hardest part was reformatting the text into an HTTP POST request. I also posted the scripts to the discussion thread, for a variety of reasons.

    1. I felt that my doing it would inspire others to do it as well. By releasing the source I could remove some of the potential thrill for some other would-be spammers.
    2. I felt that only the truly lame would continue to use the script after the one story was completely FUBARed. This would make it easy to remove them permanently (in a bit I'll explain why this would help).
    3. I feel that the current state of moderation is laughable. It's become a source of elitism, a way for snobbish karma-jockeys to moderate up statements they agree with and moderate down those who think differently than them. Personally, I think that if moderation weren't such a BFD then there wouldn't be all these anti-moderation trolls.

    A bit about myself. I'm a grad student in CS. I participated (and ranked visibly) in LokiHack. I'm not your run-of-the-mill skript kiddie. However, I've also gotten sick and tired of the way that Slashdot's discussion forums have become. A huge noise, very little signal, mostly from people who are sick of the moderation system and moderators who spend more time moderating those nuisances down than moderating the USEFUL comments up. I felt the need for a cathartic expunge.

    I think that trolls, spammers, and offtopic posters can be dealt with FAR better than they are now. I'm done with my fun for the night, and in the meantime I hope this can lead to some better moderation in a few regards:

    1. There is no reason for a single IP address to need to post more than one comment per minute. In fact, more than one every five minutes is pushing it as long as the originating IP address returned by most proxy servers is honored (of course, it's possible to abuse past that, but at least it's a start). At the very most, 5 comments/minute from a single proxy IP address is more than enough.
    2. There should be no AC account. Everyone should be required to log in, though they can still post anonymously. Accounts which have been found to be spamming can be terminated.
    3. AC posts should be treated the same as normal posts. Karma, time since registering on /., and the like should have no bearing on post score. Anything else results in snobbery and elitism.
    4. A comment should start out neutral, and there should be multiple levels of downwards as well as upwards moderation. Just because a post from an anonymous poster has been marked downwards once doesn't mean it should be relegated into obscurity forever. Also, as good as M2 is, it can only do so much.
    5. Most importantly, moderation shouldn't be such a BFD. It's the "I'm a moderator, it's my job" attitude which the trolls and spammers are backlashing against, not the existence of moderation. Perhaps giving out more moderator points is in order; in fact, allowing people to moderate on any story they haven't posted on seems like a good situation.

    I hope you'll listen to me, regardless of the inconvenience I gave to the Slashdot readers and admin for one relatively unimportant story which would have been soon forgotten anyway. I've had my fun, and someone else could have done a shitload worse and not been so willing to point out flaws after the fact. That's not a justification, of course, but it's the best I can give.

    Thank you for reading this far. Good night.


  • now could you step off your moral podium so i can look you in the eye and see if you really are as dumb as you seem?

    whether or not he's egotistical and whatever purposes he wrote the tools for, he is NOT to blame for the way they were used. the absence of a punishable offender does not mean we go after the person who wrote the tool(s) of their crime.

    if i use a cinderblock to bash your head in for effusing such pin-headed opinions on a public forum (and then getting moderated up to the top of the heap!), should we then go find the manufacturer and yell at him for making a weapon that can be used to kill?

    ok, so you say 'but dave, this was a specialized tool that could really only be used for one purpose. he knew how it would be used!' so, ok, i build a guilloteine (i slaughtered the spelling, i know..), but you stick your little sister's neck under it and set the blade on its way.. you are the one who did it, not me.

    he probably is an egotistical bastard, i have no clue, i don't know the guy. but he is not to blame and if he is as self-centered as you say, then drawing more attention to him is only serving his purposes.
    ...dave
  • so what happens when you start to send a bunch of "turn record route" across the internet?

    Traffic.

    Lots and lots more traffic.

    Especially if done in the same regard as DoS's are done...
  • C'mon! That's easy! Either routers should have QoS support, or load limiters for a given IP address or packet class.

    If people implemented either of those, DoS attacks would be simply dropped by the routers as excess traffic from that address or class. The attack would hurt nobody, because it would reach nobody.

    This would still work against DDoS attacks, because the network identifies a class for each type of packet. If you had 1,000 computers, all pinging away, the router would drop everything from all 1,000, as it would exceed the preset limit for that class.

    Wouldn't it overload the user's router? Depends on how good their router is. =Ideally=, this would be implemented on the backbone, itself. That way, it'd get filtered out before it could crash any connection.

  • Mixter Wrote:
    I found it really disturbing and scary when I read that President Clinton is intending to dedicate $240 million for the sole purpose of wiretapping and domestic surveillance. In my opinion, no amount of denial of service attacks or computer intrusions could ever cause a comparable amount of money to be lost in the future. Additionally, such methods and laws can easily be circumvented by malicious people using compromised systems to relay through a number of encrypted channels and are therefore affecting everyone except the people they are intended against.
    I have to give the guy credit for this observation. Personally, I think we should all be concerned about the FBI's increasing budget for these kinds of surveillance activities: For any who didn't already know, U.S. law no longer prohibits the Federal Bureau of Investigation from conducting international operations. If we don't police our community voluntarily, some government agency will be happy to increase our taxes and take over the job.

    Yaruar Wrote:
    Reminds me of most weapons makers who dissolve themselves from blame as the creators by saying that theirs is a tool that is misused. ...he knew that people were going to abuse his creation.

    Your opinion, Yaruar, reflects the moral righteousness of a coward. Instead of addressing the behavior of the wrongdoers, you attack the actions of a toolmaker who 'made it possible'.

    Your simile with weapons manufacturers is apt, but your conclusions are wrong. Tools in and of themselves, as inanimate objects, can be neither good nor evil. It is the intent of the tool user, and the actions performed by said tool user which are either good or evil. If 'evil' actions are socially unacceptable (thus codified into law), I say it is reasonable for a manufacturer to assume that the 'evil' uses of their tool will not outweigh the 'good' uses. The mere possibility of wrongdoers misusing the tool for 'evil' does not invalidate the 'good' that is done with a tool. Neither does it make the manufacturer responsible for another individual's evil/bad/illegal actions.

    Please explain how Mixter's good faith effort to inform the public of a security problem (by publicly posting his code, to enable testing for vulnerability) qualifies as a 'moral vacuum'? You accuse Mixter of being an egotistical hacker (spoken as a dirty word) because he supplied his tool to the public. I, on the other hand, say he did good, by publishing his tool(s), and rightly expecting the 'good guys' to use it to protect themselves before the 'bad guys' used it to hurt them.

    As an aside:
    Who is morally superior: 1) a woman lying in an alley, raped, beaten, and strangled by her own stockings, or 2) a woman explaining to the police how her attacker received that fatal gun shot wound to the chest? Evildoers will find tools to use for evil, whether they are firearms, knives, baseball/cricket bats, or a woman's silk stockings. Check the UK's (and Australia's for that matter) violent crime statistics after the complete (near-complete in Australia) ban on firearms ownership.

  • "It has also empowered the disenfranchised (*cough*) to make their voices heard both far and wide."

    Please stop reading so much JonKatz.
  • If you confessed to a murder, but couldn't produce a body, you wouldn't be in jail. If you confessed and weren't able to recount the details of the crime, they would laugh at you and send you on your way - after a visit to a shrink, I hope.

    False confessions are not rare, especially for high profile crimes. The FBI may be completely clueless, but they certainly aren't going to investigate every Usenet kook or IRC whackjob that claims responsibility.

    BTW, I did it. Me, A Big Gnu Thrush. So catch me if you can, because 3 days from now, at 25:62 GMT, I'm going to strike again, and no one can stop me!

    -insert maniacal laughter-
  • QoS Support? Are you nuts? Do you have any idea of the kind of inefficiency created by using QoS to mark packets? Work with a major ISP for awhile and you'll understand, the internet is amazingly stable considering it uses routers held together with chewing gum, they can't handle QoS. QoS is a bad idea, marking packets is a bad idea.

    Say it with me now, "Marking packets is bad mm'kay"
  • by Anonymous Coward
    I've heard someone bringing up the argument that guns can't be blamed for the idiot who uses them. However, guns have the excuse that they can be used for hunting for food. Or for protection.

    What can Mixter's tools be used for? His tools send large amounts of data to targets via multiple clients. Can anyone think of a reasonable use of a tool like this? Surely, it doesn't protect anyone. I can't think of anywhere I'd use this "tool" to troubleshoot a network. I'm stumped. I think it's generally accepted that if I write a computer virus, and give it to my friend. And he decides to unleash it at his workplace, that we're both going to get busted. "But, I just wrote it..I didn't spread it"..Yeah try telling that one.

    So Mixter, thanks for the great tool! I'll use it daily I'm sure..Can't wait to find some use for it.

    The other argument I hear is "Well he used it to prove a vulnerability". The problem with this argument is that everyone knew about DDOS before his "tools" were released. If Mixter had made a post on a security site about a bug he'd found in linux that gave a hacker root, I'd be all behind him for posting how to do it. Because nobody knows about the bug! But everyone knew about DDOS. But there's not much you can do to stop it on the receiving end, only on the client sides. His tools have one purpose: malicious intent.

    I'm sure many people here have thought of the idea of DDOS before (especially when distributed clients first came out), and many of you also have the programming skills to write the clients necessary to do a DDOS. But you haven't. Most likely because you understand it can be done. THERE'S NOTHING TO PROVE. Mixter wasn't first, he was just the first one missing the morals to understand the implications.
  • These attacks show two things:

    1. There are a lot of insecure systems out there. These can & will be abused by people. As broadband access becomes more widespread this problem is only going to get worse.

    2. Egress filtering needs to be implemented at the lowest service providers. Most people implement filters on all their inbound connections, but most people forget the outbound. Just allowing only packets from your network would eliminate spoofed packets. At least this way a DDoS would be traceable.

    Major problems like this need to be addressed.

  • Good points, perhaps you are right. I just found it extremely coincidental when I read the list of the companies attacked that day, at how familiar some of the names were from recent stories on slashdot.... Amazon, Buy.com, CNN.. etc. Just hit me as soon as I read them. But you could be right, who knows?

  • A gun has a primary purpose, to maim or kill.

    That may be your purpose for a gun. For me, the main purpose of one of my guns is for home defense. The main purpose of some of my other guns is recreation at the shooting range. The main purpose of the model 94 Winchester (circa 1897) is as a decorative showpiece above the fireplace mantle. The main purpose of the rifle is for hunting.

    What a narrow, limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.

  • That's like saying that after the Nuke attack was published, that each and every subsequent exploit of its type was pointless, because we already knew there were holes in the stack! Bull. Every fix caused a new hole to be discovered, and although not all vendors (Redmond, are you out there?) have even completely fixed the exploits at least we know they are there.
  • You're right, he showed us a better face for the word hacker than the distorted mask usually shown by the popular media.

    I noticed he never said "cracker" or "script-kiddie." He said "attacker" several times. I like this, I think it's a better fit. After all, any fool can fire a gun but not too many can design one, at least one that doesn't explode when fired. By this analogy, almost anyone can attack but not everyone can hack.

    -M

  • ... saw him pass out at 31 flavours last night. I guess it's pretty serious.
  • It shouldn't matter what possible effects source code can have, just because someone might be able to trade DVDs over IRC, should we stop distributing the DVD decryption source code? We need to keep the public aware of potential problems and security holes, and releasing source is the best way to bring things into light.

  • by bons ( 119581 ) on Tuesday February 15, 2000 @08:27AM (#1271985) Homepage Journal
    Situation: I have a home PC attached to a cable modem that's always on (in my case, Seti [berkeley.edu] - those who would prefer that I do distributed.net [distributed.net], sorry, but I've made my choice for my reasons.)
    This PC happens to run windows (Yes. I know. I'm inherently evil and feeding the great satan. Just flame me and moderate me down for admitting it and get on with your lives.)
    I installed a firewall (Zonelabs [zonelabs.com]), mostly because it was free, and also because I decided that if I wasn't part of the problem yet, it was only a matter of time.

    Results: I was getting probed at an average of once every 20 minutes from a variety of locations. Urk! (Please note, my ip starts with a 24, which tends to indicate an @home or roadrunner cable modem service)

    Side note: If you want to test your machine, go to Steve Gibson's ShieldsUP! [grc.com]. It's a bit slow at the moment (and posting this ain't gonna make it faster). Personally I wish I had known about this site before this insanity started.

    -----

  • First of all, this is not the best forum to ask that question. This discussion is very general and you came very close to asking an in-depth question.

    To get a good start in finding out more about systems security go to http://www.deter.com/unix

    From there you will find better places to post deeper questions.

    -M
  • Maybe. That really depends.

    The cracker who broke into the University machines is unlikely to have done so in the daytime, their time. From this, you should be able to determine the probable timezone.

    But how will this help?

    In and of itself, it wouldn't. This is where things really depend on the people used to carry the DDoS attack software. To have broken in, the crackers are likely to have scanned the ports and services. From this, you should be able to collect some statistics as to what sort of timeframe the cracker was operating in.

    Now, how will -this- help?

    Again, it won't, unless more than one site was used in the DDoS attack. There'll be a time difference, as it's improbable the person cracked all sites simultaneously. This will give you a much clearer picture of what was cracked, and when.

    THEN, you look at the relative times involved. (Although the logs will undoubtedly have been altered, it may still be possible to see over what timeframe the alterations cover). This gives you a rough guesstimate as to the path of the different connections, and will narrow down the search to specific nodes within each of the possible countries.

    Now, some of those nodes will be improbable. It's unlikely that the crackers would have gone through a corporate website, for example, unless that site, itself, had been cracked.

    If the cracker(s) went through multiple computers to get to those they eventually used, then, yes, it is impossible to trace them. Triangulation needs at least two known points and a direction. But, if they didn't, this is the best bet anyone has of identifying who did it, unless the person(s) step forward.

  • What we need is an organization much like the RBL, except this will be a black hole for networks who permit spoofed packets to go through their routers. I certainly don't want any spoofed headers reaching my network, but the power to do anything about it is on the router of the network originating the spoofed packet.
  • If I print out the entire Slash source, then shove it down someone's throat until they choke and die, is CmdrTaco responsible?

    If I tie someone up and force them to read all of Signal 11's posts while I scream "Karma! Karma! Karma!" in their ear, is Signal 11 responsible?

    If I force someone to read every Jon Katz article until their brain (also) turns to Jell-O pudding, is Katz responsible?

    Sorry, I've just read too many gun analogies on this thread. I went a little crazy there. It won't happen again.... :)
  • I prefer hands-on experience, and the research papers, to the views of any ISP where profits are measured by bandwidth sold, not bandwidth utilised.
  • Look at DeCSS or css-auth?

    Are they tools whose sole purpose is to cause harm and aid people in the thievery and piracy of intellectual property, or just tools that will let us play our legitimately bought DVDs in linux?

    Only 36 hours ago there was that article about the head of the RIAA and his opinions about how DeCSS had no purpose other than piracy. And we mostly, 99% agree that he's wrong. Well then, why all this argument for the case of TFN? Why are many of us unhappy about TFN and blaming the author for all the problems he caused by the tools he created, yet happy about the creation of DeCSS and css-auth?

    Why the double-standard?

  • Well, I disagree, though I disagree with Mixter's actions. A piece of
    code may have as its only use to break into a system, but distributing
    the source of the code makes the weaknesses public, and so able to be
    dealt with. Closing these publicly known holes then improves the
    security of the whole system even against unknown attacks.

    The situation is different with DDoS: everyone knows what the
    security vulnerabilities are, and they are nothing that the target can
    protect against by themselves. Instead the solution depends upon
    changing the way routers work (e.g. stopping them allowing broadcast
    PINGs which have no constructive use, and are the key to this kind of
    DDoS attack).

    To sum up, nothing constructive is achieved by publishing code
    that makes use of a known vulnerability, as in this case, but
    something constructive is achieved by publishing hitherto unknown
    vulnerabilities.
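
Two of the posts above point at the same place for a fix: the router of the network the packets come from, which is the only place a forged source address can be recognised (the "black hole for networks who permit spoofed packets" post), and the routers that forward broadcast pings into a subnet (the post just above). The Python below is an added example, written for this page rather than taken from any commenter or vendor, that models both rules on one edge router: source-address ingress filtering (BCP 38) on customer ports, and dropping of directed broadcasts. The interface names, prefixes and packets are constructed; a real router expresses the same two rules as an ingress ACL per customer port and a per-interface "no directed broadcast" setting.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str   # router interface the packet arrived on
    src: str
    dst: str


class EdgeFilter:
    """Two router-side rules against the floods discussed above.

    `connected` maps an interface to the prefix of the customer or LAN behind it.
    Interfaces not listed (the upstream/transit link) carry traffic from the whole
    Internet, so no source check is possible there; that is why this has to be
    done at the edge nearest the sender."""

    def __init__(self, connected):
        self.connected = {ifc: ipaddress.ip_network(p) for ifc, p in connected.items()}

    def check(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # Ingress filtering (BCP 38): a packet arriving on a customer port must carry
        # a source address inside that customer's prefix.  A flood with a forged
        # source then never leaves the network it was launched from.
        prefix = self.connected.get(pkt.in_iface)
        if prefix is not None and src not in prefix:
            return f"drop: spoofed source {pkt.src} on {pkt.in_iface} (expected {prefix})"

        # Directed broadcast: a packet addressed to the broadcast address of one of our
        # subnets that did not originate on that subnet.  Forwarding it turns every
        # host on the subnet into a reply amplifier aimed at the forged source.
        for ifc, net in self.connected.items():
            if dst == net.broadcast_address and ifc != pkt.in_iface:
                return f"drop: directed broadcast to {pkt.dst} for {net}"

        return "forward"


def amplification_factor(prefix):
    """Hosts that could each answer one echo request sent to the subnet's broadcast address."""
    net = ipaddress.ip_network(prefix)
    return max(net.num_addresses - 2, 0)


# Constructed edge router: two customer ports plus an unlisted upstream link.
EDGE = EdgeFilter({"cust0": "192.0.2.0/24", "cust1": "198.51.100.0/25"})


def decide(in_iface, src, dst, edge=EDGE):
    return edge.check(Packet(in_iface, src, dst))


if __name__ == "__main__":
    for args in [("cust0", "192.0.2.10", "203.0.113.1"),       # normal customer traffic
                 ("cust0", "198.51.100.7", "203.0.113.1"),     # forged source on cust0
                 ("upstream", "203.0.113.9", "192.0.2.255"),   # smurf amplifier request
                 ("upstream", "203.0.113.9", "192.0.2.10")]:   # ordinary inbound packet
        print(args, "->", decide(*args))
    print("one packet to 192.0.2.255 can draw", amplification_factor("192.0.2.0/24"), "replies")
```

Note that neither rule protects the filtering network itself; each protects everybody else, which is the incentive problem the "RBL for spoofers" suggestion is trying to solve.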

  • Canadian Company Provides Web Security Countermeasure

    Flamborough, Ontario, February 15, 2000

    While corporate technology executives meet with President Clinton's staff
    at the White House to discuss the recent catastrophic Denial of Service
    problems for web business, a small Canadian company today announced the
    pending release of a solution.

    In order to be a successful countermeasure, the cooperation and adaptation
    by the infrastructure industry will be necessary. Platformed on the
    GateWeaver VPN Firewall server, the company expects to have its newest
    "Crossing Guard" module in the mass market channel by mid March. The
    offering will be in two formats: Software only and an Integrated Hardware
    device.

    The GateWeaver products are compatible with Macintosh, Microsoft Windows,
    Unix operating systems and Novell networks.

    Crossing Guard is an initiative to combat the recent increase of DoS
    (Denial of Service) attacks that have been responsible for Internet server
    downtime. The key to defeating a DoS attack is to push the attack as far
    from the victimized server as possible, preferably right back to the
    initiating client. This allows the server to continue servicing its
    clientele quickly and efficiently.

    Crossing Guard works to provide a "breathing window" during a Denial of
    Service attack to isolate attackers and initiate a response. By working
    with ISPs and backbone providers, an attacked server can request a
    reprieve from the closest Crossing Guard to the attacker, stopping the
    packet storm in its tracks. This reprieve will last for 60 minutes:
    enough time to contact network providers for more thorough response, while
    not limiting the freedom of the net or disconnecting a large gateway that
    serves many clients.

    When an attack is detected, either through server unresponsiveness or more
    proactive network monitoring tools, the system administrator logs into the
    local Crossing Guard server which attempts to contact the next upstream
    Crossing Guard to the attacker through the primary network connection and
    failing that through a backup connection. Each Crossing Guard will relay
    the countermeasure request as far up the tree as able so as to limit the
    bandwidth consumed by the attack to as short a distance as possible.

    Each Crossing Guard will store the request for later review as well as
    notify system administrators in each network the attack is passing through
    of the countermeasure and provide contact information for the attacked
    server administrator to arrange for a more permanent protection solution.

    The Crossing Guard specification is expected to be released to the Internet
    community for peer review and implementation. Our goal is to create a
    solution that scales from the largest intercontinental provider down to the
    smallest local ISP. With this in mind, the GateWeaver implementation of
    Crossing Guard will be available as a software product free of charge to
    local ISPs.

    All hardware vendors, network providers, ISPs, and businesses doing
    business on the Web are invited to join in developing a self regulating
    solution to contain and deter against Denial of Service attacks.

    GateWeaver.com has made available a free distribution version of its
    firewall-VPN software. The company anticipates releasing the software
    version of Crossing Guard in the same manner.

    Contact Information

    www.gateweaver.ca
    www.gateweaver.com

    The Manor Group Ltd.
    Chris Maxwell
    Cmaxwell@themanor.net
    905-689-2001 Phone
    877-manor-99 Toll Free
  • That may be your purpose for a gun. For me, the main purpose of one of my guns is for home defense. The main purpose of some of my other guns is recreation at the shooting range. The main purpose of the model 94 Winchester (circa 1897) is as a decorative showpiece above the fireplace mantle. The main purpose of the rifle is for hunting.

    And how exactly do you do your home defense with a gun, without potentially maiming and killing? Pry it between the door and the post so it becomes harder to open the door? How do you hunt with a rifle without killing? Use it as a crude spade to dig a hole? The gun that was produced in 1897 by the Winchester factory, was that intended to be a showpiece?

    What a narrow limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.

    Perhaps you should consult a dictionary and look up the words primary and only. Those meanings aren't equivalent.

    -- Abigail

  • Sometimes, the most effective way to kill people will avoid a bigger harm. Nuclear weapons were invented with one intention: to end World War 2. They were successful at that; nuclear weapons, whose only purpose was to kill people, avoided millions of human deaths in WW2.

    They might have been invented with one intention, and the actual droppings might have ended WW2, but anyone with any insight will know that they weren't at all necessary to end WW2. Don't forget, the war in Europe was already over in August 1945, and Japan had no significant airforce or Navy left. There was absolutely no question left who would win the Asian conflict. The main reason the bombs were dropped was to impress the Soviets, and to prevent them from joining the war in Asia and them claiming some of the booty. The cold war had already started.

    They had also an unexpected side benefit - they avoided World War 3.

    That's highly debatable. WW3 hasn't happened (yet), but that doesn't mean nuclear weapons prevented that. And a few times, the world has been on the brink of a WW3 *because* of nuclear weapons. The world would have been quite different if Truman had dropped the bomb in Korea, or if the Cuban missile crisis had gone the other way.

    There are scientists who create machines that can be used to kill people, but that can also be used to better purposes.

    There's a big difference between can and intended to. I think the world would be a safer place without guns - it's worth the price of the occasional bear in your back garden and the lack of a recreational shooting range. But the world wouldn't be better off without hammers. Hammers can be used to kill, but it's not their main purpose.

    Whose side are you on?

    Me? I'm on the rational side. The world is filled with lusers. If you create something, and make it available to everyone, you have some form of responsibility. The world isn't an anarchy filled with irresponsible people.

    -- Abigail

  • thanks for making my point.

    --
    ****I'm afraid I can't agree on this one. It's one thing to talk about a denial-of-service attack, and even to demonstrate it. The early flood tools demonstrated that flaw just fine. But TFN doesn't actually show us anything new about DoS attacks. Its sole "purpose" (if it has a legitimate purpose) is to demonstrate that the ultimate source of a DoS can be disguised, and we already knew that. ******

    I feel like I'm swimming upstream here, but I'm going to agree with you and I'm going to go one step further.

    I have to wonder how many of these guys really give a damn about security. If these people are so concerned about security why aren't they out breaking into people's homes to show how easy it is to do that? Isn't that the same concept? This isn't about security, it's about smashing mailboxes, or throwing eggs at cars as they pass under a bridge.

    This whole thing just smells like your basic "angry-anti-social-anti-establishment" activity. This is nothing but an act of cowardice committed by a coward.

    I'll be able to forgive their actions if the "hacker" is under 18, otherwise I say the "hacker" should grow the fuck up and I sincerely wish years in a jail cell upon you.
  • Well, I disagree, though I disagree with Mixter's actions. A piece of code may have as its only use to break into a system, but distributing the source of the code makes the weaknesses public, and so able to be dealt with. Closing these publicly known holes then improves the security of the whole system even against unknown attacks.

    That's like saying "it's ok to hand out guns so it becomes known how unsafe movie theaters are, and people can fix security".

    Handing out code isn't necessary at all to show weaknesses. You can also write an article about it, and *gasp* release some code that fixes the problem. Of course, in this case, the "holes" weren't exactly new. 20 years ago, people knew about them as well. The big difference was, 20 years ago no one (mass) distributed code to abuse the holes, and there were no problems.

    If someone is really concerned about the existing security holes, and wants to do something about it, then by all means, *do* something about it. Fix the holes, jump on the IP6 bandwagon, port kernels and applications to use IP6. But don't hand lusers the tools to exploit the weaknesses. No one, absolutely no one is helped by that. Unless you find ego-stroking helping.

    -- Abigail

  • "The Hacker's Handbook" (back in the 1980's) said the same thing, for the same reason. There was a lot of very insightful stuff (IMHO) in that book.
  • Evildoers will find tools to use for evil

    Yeah, except that in the 25+ years of the existence of the current holes, no one misused the holes on a scale as was done recently.

    Just because evildoers might find tools doesn't mean you don't carry any responsibility (moral and sometimes legal as well) for handing them the tools on a silver platter.

    Burger King didn't say "we are innocent - they did it themselves" when some kids experienced some rather nasty side effects of playing with a toy. And that was for something with a harmless intended purpose.

    People have a moral responsibility for their actions, and that includes giving away dangerous stuff to lusers. Even if they live in a jurisdiction that is too backward to recognize this.

    -- Abigail

  • You could have bad aim...

    Or you could go by that one commercial with the person shooting the animals - as in with a camera - which is the best kind of sport hunting I can think of, since you can show off the animal you caught (on film) without harming it (unless you believe that photons hitting an emulsion takes away the soul of the last thing the photons bounced off of).
    ---
    "'Is not a quine' is not a quine" is a quine [nmsu.edu].

  • my father was part of the Occupation forces in Southern Japan at the end of WWII.

    And that gives you credibility exactly how? Or your father for that matter. The decision of dropping the bomb wasn't made by the to-be-formed occupational forces.

    Military estimates are that as many as 250,000 Americans would probably have lost their lives, and Japanese casualties from the American invasion would have topped 1,000,000. Estimates are that if the Soviet Union had invaded from the north (where I lived), casualties would have tripled over those expected in the American invasion. From what elderly Japanese people told me when I lived there, the deaths from starvation and disease would probably have pushed the death toll much higher.

    Maybe, maybe not. It's a bit hard to believe more Americans would die than died while fighting in Europe, when the US was fighting on two fronts. As for the estimated Japanese deaths, I'm not questioning the numbers, but in 1945, the people who decided to drop the bombs didn't give a rat's ass for the lives of the Japanese. Otherwise, they would have picked different targets than large cities.

    When Emperor Hirohito saw the damage of these bombs (which they had been warned about), he overruled his military advisors and told the Japanese people to lay down their arms and welcome the Americans.

    Yeah, to save his own ass. He might as well have done that if the bombs had not been dropped - it's something we will never know.

    The real reason atomic weapons were invented in the United States was because the government realized that they were in an arms race with the Nazis, and that they absolutely had to win.

    And the allied forces defeated the Nazis without the use of atomic weapons.

  • Some may argue that it is not necessary to actually create a trivial exploit that script kiddies can exploit. While this may have some merit (I even agree somewhat with this approach, it depends largely on the circumstances and the vendor), it has been shown with MS (and a few others), time and time again, that they'll simply dismiss a vulnerability as "theoretical", or even "impossible", unless you make it known that you're going to create an exploit for it--and have demonstrated your abilities to make it a reality before.

    I disagree with that. It has been publicly known for decades that doors don't stand a chance against an attack by a tank. My landlord isn't going to put an anti-tank ditch around my apartment. Why? Because only a few have the expertise to create a tank, and those that do, don't leave them on the streets for anyone to grab. And that's more than enough to keep my stuff safe from an attack by a tank.

    As long as people behave irresponsibly, be it by making actual attacks, or by putting the means into the hands of anyone who feels like it, "hackers" will keep a bad name. Nor is it going to help any open source movement at all. Whining about being portrayed in a negative way in the media here on slashdot isn't going to solve that. Do you really think Joe R. Websurfer gives a damn "it's ok to make the tools available", "this attack shows that people have to spend more time and money in securing their sites", etc? No. He notices that his favourite websites were unavailable for some hours. And that the same crowd that wants him to run Linux instead of Windows (partially) defends the actions.

    -- Abigail

    What packet kiddies like this don't seem to realize is that there is always a trail. All it takes is a few competent admins and a few phone calls.

    There are already tools out there for the detection of these types of DDoS attacks, and there are already procedures (and software in some cases) for quickly tracing back spoofed IP addresses. Adding a relay in there just makes it take a little longer (assuming the initial request for a DDoS attack wasn't already detected by the attacker's ISP or any system in between).

    Depending on how many Hax0ReD systems you're bouncing between to request a typical smurf attack, and depending on the time it takes the victim/victim's ISP to notice, your true origin can be discovered in as little as a few minutes. Work is already underway on automating the process of tracing back spoofed IP's. With a quick phone call to each of the sites you're bouncing from, you can be tracked down in a matter of seconds. All the victim has to do is activate software and tell it the nature of the attack. In fact, any site along the way that detects the attack itself or the instructions to instigate the attack can do the same thing.

    You think you're invincible? Impossible to find? When you have a half dozen angry, highly intelligent people methodically following the trail back to your PC (one of which could be working for the ISP you're dialed up to), how long before you think you'll be caught? Do you honestly think that the only people caught pulling crap like this are the ones that show up on TV? Contact your local police or FBI office for statistics.

    When you are caught, then the real ass fucking begins. A major DoS attack (like most smurf attacks or any of these DDoS attacks) can cost an ISP hundreds of thousands of dollars (that's six digits). If you're a minor, that means your parents probably get stuck footing the bill. They'll lose their house, their car, your college tuition (but I guess you probably didn't really want to go to college anyways so that's no big loss), to say nothing about the computer equipment you might have in your home (even if it's not yours). We haven't even touched on the compromised accounts yet. Each one of your DDoS client hosts constitutes a breakin and unauthorized use (minimum -- actual charges will probably be a lot more), each with its own penalties and fines. You think Mitnick was imprisoned for too long? They're going to have a hundred times the amount of evidence on you than they had on them. How long do you think you'll end up being behind bars?

    Is this really worth it, kids? Is your l33tness really that important? You know, in a few short years (months or weeks for the more pathetic), nobody is going to remember who the fuck you are, much less any of your l33t conquests. Do you really think you're going to get in the newspapers and have a bunch of "security firms" offer you nice cushy $150,000 jobs working with nice state-of-the-art computer hardware? I suggest you stop buying into what your kiddie friends are saying on IRC and do a little hard research on your own. I imagine you're going to be pretty disappointed.

    Get a life, man.
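
The hop-by-hop traceback the post above refers to works because a flood is followed by its destination, not by its forged source: each router is asked which input interface the packets for the victim are arriving on, and the question moves one router upstream until it reaches a port with a customer behind it. The Python below is an added example (editor-written, not from the commenter and not any ISP's tool) of that walk over a constructed topology with constructed per-interface counters; the router names, interfaces, packet rates and contact addresses are all made up for the example. In practice each counter comes from a logging access-list or interface statistics on the router, which is the part that needs the phone calls.

```python
# Constructed topology: router -> {input interface: router upstream of it, or None for a
# customer/stub port where the walk ends and the port's owner has to be contacted}.
TOPOLOGY = {
    "R1": {"up1": "R2", "up2": "R3", "lan": None},   # R1 is the victim's edge router
    "R2": {"a": "R4", "b": None},
    "R3": {"c": None},
    "R4": {"d": None},
}

# Constructed per-input-interface counters for packets matching the flood signature
# (e.g. ICMP echo replies addressed to the victim), in packets per second.  Keying on
# the victim's address rather than the source is what makes spoofing irrelevant here.
COUNTERS = {
    ("R1", "up1"): 9000, ("R1", "up2"): 4000, ("R1", "lan"): 0,
    ("R2", "a"): 9000, ("R2", "b"): 12,
    ("R3", "c"): 4000,
    ("R4", "d"): 9000,
}

# Constructed contact list for stub ports: who to phone once the flood is localised.
CONTACTS = {
    ("R2", "b"): "noc@cust-b.example",
    ("R3", "c"): "noc@cust-c.example",
    ("R4", "d"): "noc@cust-d.example",
}


def trace_back(topology, counters, start, threshold):
    """Follow the flood upstream one input interface at a time, starting at the
    victim's router.  Every interface carrying the signature at or above `threshold`
    is followed to the router behind it; a stub port carrying it is an ingress point.
    All branches are followed, since a distributed flood arrives over several."""
    ingress, visited = [], set()

    def walk(router, path):
        visited.add(router)
        for iface, upstream in topology[router].items():
            pps = counters.get((router, iface), 0)
            if pps < threshold:
                continue
            here = path + [f"{router}:{iface}"]
            if upstream is None:
                ingress.append({"router": router, "iface": iface, "pps": pps, "path": here})
            elif upstream not in visited:
                walk(upstream, here)

    walk(start, [])
    return ingress


def who_to_call(ingress, contacts):
    """Distinct contacts for the ingress ports found, in a stable order."""
    return sorted({contacts.get((i["router"], i["iface"]), "unknown") for i in ingress})


if __name__ == "__main__":
    hits = trace_back(TOPOLOGY, COUNTERS, "R1", threshold=1000)
    for h in hits:
        print(h["pps"], "pps entering at", " -> ".join(h["path"]))
    print("contact:", who_to_call(hits, CONTACTS))
```

The walk stops at each provider boundary the victim's provider cannot see into; from there it continues only if the next provider runs the same query on its own routers, which is where the "few phone calls" in the post come in, and where the relay hosts the post mentions buy the attacker time rather than anonymity.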
  • Normally the responsible thing to do is to contact the vulnerable
    party and explain the weakness without releasing details publicly.
    But what about cases such as Microsoft's one-time pretence that
    certain security vulnerabilities did not endanger their users? A case
    can be made that, on balance, CDoC releasing BackOrifice was a good
    thing, because it forced recognition of the issue.

    I'm not saying this is the normal case; instead I am simply arguing
    that it isn't always vandalism to release code that makes use of
    security weaknesses.

    BTW, the DDoS vulnerability can be fixed within IPv5.

    The perpetrator may have had a beef against Buy.com specifically ("I got yer restocking fee right here, buddy") and screwed around with them on the day of their IPO, and hit the others so as to make it look like random vandalism.

    IMO, buy.com was pretty lucky that the DOSers decided to hit yahoo before hitting them, otherwise their stock price would have been much more badly affected. ("hey, if they can take down yahoo, they can take down anyone right? So it's not really our fault; market, don't blame us").
  • But the consequences of not dropping it would have certainly affected the occupational forces, in a very negative way.

    Oh, really? They would have 2 cities turned into nuclear waste piles less to worry about.

    -- Abigail

  • But what about cases such as Microsoft's one-time pretence that certain security vulnerabilities did not endanger their users? A case can be made that, on balance, CDoC releasing BackOrifice was a good thing, because it forced recognition of the issue.

    That's like saying "hand out untraceable guns so the government will speed up the gun control laws". It's a dangerous, irresponsible attitude. I lock my doors not because people can get in - I lock my doors because there are thieves. And I don't fancy the idea to have to hire a security guard because someone is handing out sledgehammers, just to prove the point that doors have weaknesses.

    -- Abigail

  • I dislike your tank analogy. I fail to see how it applies to security. Do you mean to tell me that changing the Open Source credo/dogma from disclosure to "security by obscurity" is going to stop script kiddies? Honestly? Or do you mean that they simply should make the exploits less trivial? Or that security exploits are fine, but DoS utilities are not?

    First, the vast majority of these hackers aren't as philosophically attached to Open Source as you, not to mention most of slashdot, appear to be. They're largely different groups, with some overlap in between. So what may motivate slashdot to change their stance, likely will not sufficiently sway most in the security "community".

    Secondly, assuming the two groups are one and the same, the Open Source community should not change its stance on something so fundamental as this, based on public perception. It goes against most of what Open Source supposedly stands for--truth before "perception". In my eyes (not that I'm a zealot), it would be equivalent to agreeing to sell all source code, yet keep it "open", for the sake of appeasing those for whom Open Source and communism are synonymous.

    Thirdly, I don't believe the general public is truly aware of Open Source in this context. There may be a vague recognition of the words: "Linux", "Open Source", and "slashdot", but they don't know its stances on such things. So public perception is essentially a non-issue.

    Fourthly, I believe you must distinguish between security (as in files, information, private networks, etc) and denial of service. I, offhand, can't think of too many large sites that target the general public that have been offline for extended periods of time due to hacking. I was not exactly advocating DoS utility creation, thus I will not touch on it.

    Last, but not least, I don't believe any actions (against SECURITY exploit publication) by law, the open source "community", or otherwise, are going to have a significant, sustained, and positive effect on security for the general public. As I alluded to earlier, I believe there is a substantial argument for the publication of exploits. Put simply, by making the publication of exploits a "no no", you merely drive it underground. The net effect of this is that even the highest security of sites are left to guess at what the hacker community has in terms of exploits (this is especially true with proprietary and very much closed source vendors (e.g., Microsoft)). While your "tank" argument (as you perceive it) may come into play here, I must disagree. The same elements that make the internet such a great thing, also have the effect of providing a common ground and forums for hackers, while providing every "hacker" with potential access to every site on the internet--vastly different from the "local" scenario you seem to be describing.

    Actions against publication of exploits may have the effect of driving the script kiddies out of town (or rather, just leaving them ill-equipped), but I'm not even sure if that is necessarily a good thing (as I mentioned earlier in the "seasoning" argument). Such actions may have the effect of just leaving these exploits in the hands of elite professionals. Imagine, say, the KGB (or whatever it is called today) looking to harm the United States in 10 years, after the internet is responsible for 50% (extremely high in my opinion) of our GDP in one way or another. If you assume that your actions were successful, that you drove all hackers in the US out of business. What are you left with? The same Microsoft. The same universities. The same military networks. Corporate networks. Unfazed by the prospect (lack of publication) of exploits, hackings, and the like. So many unseasoned targets, with, what are frankly OBVIOUS exploits. With one or two obvious exploits, they could turn it over on networks automatically--realizing success proportions that today's script kiddies can't even dream of. Giving them access to even 10% of major internet sites, could not only be an extremely valuable intelligence tool, but it could also be an economic and telecommunications weapon.

    Though, the KGB attacking may be an extreme and unlikely scenario, it could also be a devastating one. More likely, and somewhat less devastating, would be terrorists and the like using it in somewhat less coordinated attacks. Or industrial theft, espionage, etc. carried out against virgin targets.

    By making security an industry, by allowing publication, you do more than just improve the actual design of operating systems and the like. You create a more educated group of security professionals. Who, in turn, create a more aware group of system admins. Who in turn demand more secure software from vendors... The interplay between all these forces and groups does have positive consequences.

    Larger, more important sites, are benefitting a great deal from the status quo. In the short run, I fully realize that the current nature of publication+script kiddies leaves the less attended to sites at something of a disadvantage. Many of these "smaller" or less important sites can't afford to worry about security a great deal, they can't afford to check the latest vulnerabilities before they're put in the hands of thousands of script kiddies world wide. For whatever it is worth though, I believe that the vast majority of vulnerabilities are due to sheer negligence of the vendors. Put simply, they couldn't care enough about security to make it a priority. I do believe that, when and if script kiddies ever become THAT much of a problem, the vendors will have to respond by creating higher quality (less hype, spend more time making sure it works, instead of rushing it out the door) and more secure software. If it is reasonably possible (and I believe it is), market forces will dictate to the vendors.

  • doh, I'm not sure what you read into my comment, and reading it again, I think I see why. Call it a troll and be done with it, sorry.

    --
  • I don't call that saving one's backside. I call it pretty damn noble.

    Hirohito was not a noble man. He wasn't anything better than Hitler.

    -- Abigail

  • Between your first statement and this one, I can't understand why you would think that Mixter is any more responsible for the actions of lamer miscreants than the admins of the sites that got hit. After all, as you say, these holes have been known about for 25+ years. Aren't the admins morally responsible for leaving open a means of disrupting their sites'?

    No, the weakness lies (partially) in the protocol. It's not really feasible for an admin to say "oh, let's get rid of IP4, and use nothing but IPv6".

    Doors have weaknesses too. They don't hold against the attack of a tank. And as long as no one starts building tanks and leaves them on the street for grabs, that isn't a problem.

    -- Abigail

  • Though, the KGB attacking may be an extreme and unlikely scenario, it could also be a devastating one. More likely, and somewhat less devastating, would be terrorists and the like using it in somewhat less coordinated attacks. Or industrial theft, espionage, etc. carried out against virgin targets.

    Should we also hand out machine guns to gangs, so we will be aware in case of an attack by another country?

    Just because it is important to protect yourself and make your site and connections secure doesn't mean it is ok to hand out tools to make attacks easy.

    -- Abigail

  • I wish you'd clarify what your position actually is! Are you referring to DoS utilities, or security exploits? I don't advocate, from a positive net effect point of view, the publication of DoS programs, at least not those that are merely designed for massive flooding using well established techniques. However, I am a strong advocate of disclosure. Proper disclosure, to me, means first approaching the vendor(s) and/or discussing the vulnerability from a technical approach. Failing a positive reaction from the vendors (when they can reasonably solve the problem), then publication of an exploit may be in order.

    Guns are of entirely different nature. When someone is shot, that is the end--there is no worse crime. Thousands of people have been killed by guns in this country. Empirically speaking, script kiddies have done very little severe damage with security exploits (not DoS scripts).

    In releasing guns to the general public, no reasonable person could claim that it results in a positive net effect. It is not possible, for example, to, say, merely apply a new chemical to your clothing that makes it bullet proof. Nor, could you claim that your bullet vulnerability is due to some flaw in your body or your clothing that can merely be patched. Furthermore, we have a strong military--foreign invaders are not going to be deterred by small civilian arms. Anyone who could defeat the US military would defeat US citizens with relative ease, regardless of how many rifles they may have. Additionally, we have a strong police--most people don't need that kind of protection. Yet my arguments for exploits still stand (at least you refuse to attack them head on). Vendors are forced to take corrective action every day, that, many of them, would not otherwise have taken were it not for the current approach. The larger ISPs are starting to harden themselves to script kiddies, and are, in the process, making it tougher for wide-spread (particularly automated) hacking by other more malicious interests.

    To boil this all down for you. Publishing an exploit is not INTRINSICALLY immoral. If you wish to say it is unwise or immoral, you should make an argument that the results of publishing the exploit is. I could see your arguing, perhaps, that, the short-term losses far outweigh my somewhat longer-term and more theoretical benefits. However, I obviously take a very different view, both in the assumptions made (on which these decisions are predicated) and in the conclusions reached.

  • The analogy with guns is spurious and only serves to characterise the
    issue in the most hysterical terms. A closer legal analogy would be
    the law on trespass.

    It is a dangerous case, but to look at the sledgehammer analogy:
    suppose a company is selling doors claiming that they are suitable for
    bank vaults, and me and a friend discover that we can break through
    the doors in about five minutes with sledgehammers. Suppose we
    contact the company, and their response is `you are lying, the doors
    are perfectly adequate for the purpose', then is it not the case that
    revealing this weakness in the doors serves the public function of
    exposing false claims?

    Suppose we contact the company, and their response is `you are lying, the doors are perfectly adequate for the purpose', then is it not the case that revealing this weakness in the doors serves the public function of exposing false claims?

    Perhaps, but that's not the issue. The analogue would be to hand out sledgehammers to everyone who wants one. Which is totally different than singling out a single door for a presentation.

    -- Abigail

  • Hirohito did not politic his way into power for the express purpose of totalitarian government and world domination, he was the hereditary ruler. Much as the English monarchy today, he actually had very little political power.

    Until the end of the war, Japanese Emperors were seen as gods, a status no English monarch ever achieved.

    Although the Japanese troops had a well deserved ugly reputation for brutality (especially in Nanking, China), the Japanese never embarked on a Hirohito-led genocide.

    Ask that to the Koreans. Ask that to the few survivors of the slaves that built the Burma railroad. I'm too young to have experienced the war, but the generation before me did. And from that generation, I know many people that lived in Indonesia in the early 40s. (I am Dutch, and Indonesia was a Dutch dependency at the time.) I know many people who spent a significant number of years of their childhood in prison camps. I know people who lost their fathers/brothers/uncles in Japanese labour camps. I know people who were tortured by the Japanese, and suffered the rest of their lives from the consequences. I know people who, after more than 50 years, *still* wake up during the night with nightmares. All done in the name of the emperor of Japan.

    If Hirohito was as bad as Hitler, then why did he never stand trial as a war criminal, a la Nuremberg?

    I've no answer for this twisted US political agenda point. It certainly did not have unanimous support from its allies, but given the US dominance, what could they do about it?

    A final point. When Hirohito died in 1989, why did the U.S. send dignitaries to the funeral if he was as bad as Hitler?

    Economic and political reasons. The US was never (partially) occupied by Japan, nor did it have a significant number of civilians that suffered or died in prison and labour camps.

    Let me rephrase that question. Why was it that the Netherlands, which more than any other country in the world depends on foreign trade for its economy, which has Japan as one of its biggest trading partners, and which, like Japan, is a monarchy, did not send any dignitaries? No member of the royal family, no political hotshot? Just a tiny delegation from the embassy. And while there were dignitaries a month later during the inauguration of the new emperor, it was a rather small delegation, and didn't include the queen or her spouse, because the entire concept of "emperor of Japan" is considered tainted.

    -- Abigail

  • I wish you'd clarify what your position actually is! Are you referring to DoS utilities, or security exploits?

    Both.

    Publishing an exploit is not INTRINSICALLY immoral.

    Of course not. I never claimed it was. What I argue against is handing out the tools to exploit a hole (be it a DoS or a security breach) to anyone who wants it.

    -- Abigail

  • Do recall that I am *not* supporting mixter's action. I am, however,
    arguing that sometimes publishing tools that make it painfully obvious
    that certain security vulnerabilities can be exploited *can* be a good
    thing. I note that Bruce Schneier's latest Cryptogram [counterpane.com]
    comes to pretty much the same position as I do. He's come from the
    opposite direction to me, though: I used to think it was always
    irresponsible to publish such code, until the cDc's Back Orifice was
    published.
  • It is fine and good to say that you object to "...handing out the tools to exploit a hole...to anyone that wants it". However, if the act isn't intrinsically bad, then you should argue exactly why you feel this way. This argument, naturally, involves weighing the costs and the benefits, on both the short term and the long term (aggregated).

    As I've said before, I'm an advocate of disclosure. However, that does not mean that I think all, or even most, security "pros" are motivated altruistically. In fact, the motive to publish is very much a self-centered one. I, for a long time, have held the belief that there is something of a symbiotic relationship between script kiddies and the security professionals who create exploits (script kiddy fodder). The professional not only improves his recognition as a security guru, but he also helps drive up demand for his services when the script kiddies, inevitably, start hacking.

    That being said, not every act done out of self-interest is NECESSARILY bad in any context (e.g., the entrepreneur). Nor does every act done out of self-interest, with initially negative consequences, have a net bad effect (e.g., the small business that displaces mom-and-pop stores).

    Some of the pros follow a path which I believe to be optimal. That is, they first generally discuss the exploit and/or email the vendor(s) and ask them to patch it. Then, after a given period of time, or if the vendor(s) refuse to fix the problem, they'll publish an exploit. Unfortunately, many vendors are less than honest when it comes to these issues, so they force the hand of the hacker. In these kinds of cases, I advocate 100%.

    Another argument, which I have mixed feelings about, is one of KEEPING the security profession alive. This can be supported by arguing that exploits are necessary for education (of other pros, but also of the up-and-coming kiddies). Remember that many types of exploits work cross-platform with minimal work applied. So if I were to create an exploit on, say, Solaris, and email Sun exclusively, the other security professionals would not benefit from my new technique. Nor would the other vendors' systems necessarily be exposed to the same level of scrutiny.

    The secondary argument I'll make is that in order to have a system hardened against truly determined attackers, we need a system where security is deemed to be IMPORTANT. If the only reminder of the importance of security is the more stealthy/determined hackers (e.g., the opposite of a script kiddy) that I've referred to, the costs of hiring professionals would be deemed as too steep relative to the apparent unlikelihood of getting hacked. This is where, I'll say, the symbiotic relationship comes into play...possibly for our benefit...in the long term...
  • I'm not justifying it, but from what I've read, heard, and watched on PBS, Japan had absolutely no intention to surrender in any way, and was prepared to fight tooth and nail the whole way. Japan needed a wake up call. It needed to realize that there WERE very real consequences of refusing to surrender, that hit home hard. That the Allies would not stand to drag the war on and incur more and more fatalities to come to the eventually inevitable conclusion of Japanese defeat. I don't think we even really knew for sure if the bombs would actually work. Japan could have at any time said "You know what, this sucks, we're going to lose anyway, we give up", but they stalwartly refused to and all indications were that they were going to make this as nasty and drawn out as they could.

    Jazilla.org - the Java Mozilla [sourceforge.net]
