Mixter Speaks About the Latest DDoS
ochinko writes, "This is an interview with the German programmer who wrote TFN and TFN2K. Basically he says that it's quite easy to launch such attacks but extremely difficult, if not impossible, for the initiators to be tracked." Suck.com has a pretty good article on the attacks, as well. Maybe I should take credit for the DDoS attacks and become an international superstar.
You know what that means! (Score:1)
Ahh the moral vacuum of the hacker (Score:5)
There is more than a hint of ego in this guy's work (if indeed it was him); by putting it in a public forum (albeit for good reasons), he knew that people were going to abuse his creation.
Maybe he should have let the relevant people know about the problem before putting the code in the public domain.
In many ways I suspect he wanted an attack to vindicate himself, show off his skills whilst remaining on the side of the light and generally bask in the publicity...
some people . . . (Score:1)
Hacker - Not Script-Kiddie (Score:1)
This kind of attitude will go far in showing the true difference between those sincerely interested in the security of our communications and "script-kiddies" only out for personal glorification and status among their peers.
I liked the clarification about his role as a hacker in the traditional sense of the word. Too often these days the word "hacker" is thrown around indiscriminately and the insights shown in this interview may help to show the general public what the difference is.
Method to Madness (Score:5)
Does anyone but me see the goal behind these attacks? Think of the names... CNN (owned by Time/Warner), Etoys (obvious), Yahoo (corporatism ruined a once great story), etc.. all the targets are huge corporations that believed they were more powerful than the "hackers" and believe themselves above morality. Perhaps this will catch their attention... Maybe things like the Fox flash page, frivolous lawsuits, etc. will be diminished. Or not ;) I'm not saying this kind of behavior should be encouraged, or if it is even acceptable... it IS very poor advocacy. I'm just saying, I think I know where these guys are coming from... I'm practically there myself. In fact, I think a lot of us are.
Re:Ahh the moral vacuum of the hacker (Score:2)
What relevant people? Should he have called up everyone running a website from their whois entry just to tell them that DoS just got bigger and badder? This could happen to anyone for chrissakes! It's a damn DoS attack! He did all he could do: Submit the program to relevant security organizations. CERT, etc, all had a heads up on this attack to the tune of months! If they stuck their heads up their asses and ignored it, that's not his problem.
Re:Ahh the moral vacuum of the hacker (Score:3)
Suppose you make guns. I don't care what type of guns. Now suppose a couple of stupid kids decide to shoot up a high school? Sound familiar? Are you then to blame because someone did something stupid?
What about a hammer? I have used a hammer many times; however, I still can bang the hammer on my thumb. Does that mean I can sue you because I screwed up?
The answer is no.
There is more than a hint of ego in this guy's work (if indeed it was him); by putting it in a public forum (albeit for good reasons), he knew that people were going to abuse his creation.
People like attention nothing new.
Maybe he should have let the relevant people know about the problem before putting the code in the public domain.
Dear Mr. Police Officer, I am going to run at least 10 red lights and speed 145 times in residential zones in the next 6 months. Please revoke my licence now, ok?
No one is stupid enough to take that level of a hit.
In many ways I suspect he wanted an attack to vindicate himself, show off his skills whilst remaining on the side of the light and generally bask in the publicity...
If you don't open your big mouth you get into less trouble that way.
Taking credit (Score:1)
And how does he notify the proper authorities? (Score:1)
I'm curious how he was supposed to do this.
"Dear mega web site.
I am a high schooler who has written a program that..."
plonk
This sounds like Lopht all over again: people put up web sites, do a crappy job administering, and probably won't listen to an 18 year old who would warn them.
Also, would you have suggested he email the same warning to each of the 5 million sites running Apache?
I think the best he could have done was post it to a public, security oriented place and hope the web admins are doing their jobs by monitoring it.
George
My beef with Mixter... (Score:3)
No rational and reasonably intelligent person would have denied the possibility of this "security problem". The vulnerability to flooding isn't a security flaw per se, that could just be patched if the victims were a little more aware. Unlike l0pht (et al.) he isn't putting pressure on the manufacturers and vendors by releasing his code.
That being said, Mixter didn't do these attacks. He isn't evil, and I have a certain amount of respect for him. I do have problem, though, with portraying his creation of these DoS programs as being intrinsically good, nevermind his motives.
I'm Spartacus! (Score:1)
At the end of the film they all jump up shouting "I'm Spartacus". So the Romans crucified every last one of them, 6000 men along the Via Appia as a warning to other slaves.
Compare this situation to real life... (Score:1)
"Dozens gunned down in shopping mall", for example.
Do you think the FBI would all of a sudden start hunting for an individual who is known to have designed guns? Of course not. They go after the guy who wielded the gun.
But with anything net-related, when Something Bad Happens, they go after the tool-makers (as well as the tool-users).
The big difference between net tools and guns, as far as "tools to commit crimes with"? The gun manufacturers have a powerful lobby (NRA) and boatloads of cash. Folks like Mixter are much easier prey.
Re:Ahh the moral vacuum of the hacker (Score:2)
He did. By putting it in public domain. The relevant people read the public domain. If they do not they just imitate to be relevant.
Let's face it security on most of the Internet sites is bad and on some has gone worse as their corporativism/size has increased. Nothing unexpected.
It was... this guy (Score:4)
Oh yeah, Hemos did it.
Re:Ahh the moral vacuum of the hacker (Score:3)
As he points out, his "program is publicly known" and "people have a chance of identifying it locally when it is installed on their server by searching for binary patterns, as the FBI proved." and "the real problem is the insecurity of the huge amount of servers". I look after a number of web sites, some e-commerce. IMHO these tools should be announced, because I get to test my systems and harden them against them. I get to tune system parameters to minimise the effect of DoS attacks, and secure systems against compromise. Security by obscurity is no security. Keeping these programs in the underground just increases the risk.
suck.com lays the smack down (Score:3)
But the people who truly deserve the blame for the public's hours-long inability to swap "Steam Engine" jackknives on eBay are the short-sighted, tight-fisted monkeys who managed to build a multi-billion dollar industry on an insecure networking system, something so fragile that it can be brought to its knees by anyone willing to bother. The fact that a target as big and fat as Yahoo is fundamentally vulnerable to something as simple as a DoS attack is a clear invitation to go right ahead and shut them down.
Whoa, that's pretty intense there. They also go on to say that since vandalism is inevitable, its up to the people who will be vandalized to protect themselves. I agree to a good extent.
My question is this: How can you properly protect against many DOS attacks? Once so many requests come in from one IP, you block that IP? I can see problems there, such as if many customers through one ISP go through a cachebox. The way I see it, stopping this is just as hard as stopping the slashdot effect. What types of protections are there concerning router-level protection?
thanks..
PS - I know that packets coming from our ISP cannot be spoofed due to our routers, so if my box (soul.apk.net [apk.net]) caught wind of the problem, nothing would be allowed out anyway. However, I don't think it's always our job to do the security for outgoing traffic.
- Mike Roberto
-- roberto@apk.net
--- AOL IM: MicroBerto
I like the possibilities. (Score:1)
kwsNI
No way to stop them? (Score:1)
FBI Set to Query Hacker Suspects (Score:1)
Re:Ahh the moral vacuum of the hacker (Score:1)
I think you have missed the point. A gun has a primary purpose, to maim or kill. A hammer has the purpose of driving inanimate objects (nails) into other objects (through wrists and into wood). The intent of the tool is shown through its design.
Dear Mr. Police Officer, I am going to run at least 10 red lights and speed 145 times in residential zones in the next 6 months. Please revoke my licence now, ok?
Proposing that you are going to commit crimes is different than doing or admitting you've done crimes. They really can't get you for saying that you are going to speed, they just have to wait and catch you when you do.
If you don't open your big mouth you get into less trouble that way.
The classic mistake that "hackers" make is that they can't keep quiet about what they've done.
"If you do something cool and no one knows about it then it can't be cool."
Re:Ahh the moral vacuum of the hacker (Score:1)
If you have made something whose sole purpose is to cause harm, then you should be big enough to take some of the blame when it is used for such matters.
Look at Nobel, who became a pacifist and campaigned against his own invention when he realised it created one of the most effective ways to kill people.
Look at Oppenheimer, and many others through history.
As for hammers, their sole purpose isn't to cause harm and kill.
Another example. I create a genetically mutated virus that kills all people with blue eyes, but keep it safe. If someone breaks in and releases it, I am still the one who brought it into existence and I am morally implicated in the genocide for creating the tool with a primary role of destruction in the first place.
As for the bit about the public domain, I put that in because he knew the effect it would have and shouldn't deny the consequences of his action.
With liberty comes responsibility.
Re:Method to Madness (Score:1)
Enough Already! (Score:1)
Re:My beef with Mixter... (Score:1)
-B
you spelled loser wrong, even phonetically.
Re:Ahh the moral vacuum of the hacker (Score:2)
And for his/her next trick, Yaruar will blame car makers for drunk driving.
Come on, people -- tools and weapons are inanimate. They have no intent. The wielder of the tool is completely responsible for the outcome. Mixter's tool was designed to increase the security of a network, by pointing out its vulnerabilities. You can't blame him for the misuse of the tool by some idiot(s).
Please get the causality straight.
Re:Ahh the moral vacuum of the hacker (Score:1)
> themselves from blame as the creators by saying
> that theirs is a tool that is misused.
Well, it is he who pulls the trigger that is blamed for the crime. But, in the electronic world flaws aren't fixed until someone points them out. There was no damage done by these attacks, no data lost, only down time.
Don't think that I condone the use of these tools. In fact I look down upon those that do use them.
> There is more than a hint of ego in this guys
> work (if indeed it was him) by putting it in a
> public forum(albeit for good reasons) he knew
> that people were going to abuse his creation.
Every good tool has a dark side. Should we only let those who are 'worthy' have the powerful ones? All good tools get abused, and those that do the abusing should get punished.
> Maybe he should have let the relevant people
> know about the problem before putting the code
> in the public domain.
Why? Again, unless companies get a little kick in the pants they won't fix a damn thing. In this case the threat existed for a long time (and we knew about it) but no-one took the time to fix it because "It won't happen to me."
> In many ways I suspect he wanted an attack to
> vindicate himself, show off his skills whilst
> remaining on the side of the light and generally
> bask in the publicity...
I would expect something more than pure speculation from someone that posts here.
And the gross use of the term hacker. I got an idea, why don't you go to the jargon files and look up a good definition. Then maybe you will realize that little punks like the one(s) who did this attack are but a small percentage of our actual population.
Remember that in ALL societies it is always about 5% of the population that are the troublemakers. Unfortunately these are always the ones that get the press's attention.
Re:Compare this situation to real life... (Score:1)
There's a much bigger difference - there are very legitimate reasons for the average person to have a gun - namely, defense of self, family and property. Whereas the only legitimate use for these net tools is akin to having a set of lock picks to determine how vulnerable your own locks are against being picked.
Re:Ahh the moral vacuum of the hacker (Score:1)
The mechanics of the tool are shown in its design, the intent of the tool is shown in the actions of the user.
Is it at all possible to stop DDoS? (Score:1)
Anyway, to get back on topic. What's to stop the compromised machines from creating the packets in such a way that they appear to come from loads of different random IPs? (I assume that most OSes don't let you fake them, but remember these machines have been compromised already, so this could be disabled/got around or whatever.)
That way the victim (insert big site name here) would have no way to tell if a request was valid or not (even if they had loads of humans looking at every incoming packet!)
Some (most?) routers (at ISPs or in universities, for e.g.) would probably check the origin, but I'm sure there are many people who are allowed to create whatever packets they want.
In this case, it would even be impossible to find out which computers were the zombies, never mind tracking the "master" IPs that signalled the zombies to start pumping out the (fake?) packets.
Most/all the routers in the world will have to be made more paranoid and/or use IPSec or reverse DNS or something....
I'll quit my rambling by summing up that:
We can't stop this any time in the foreseeable future.
No rocket science (Score:1)
Hell, I could have written these tools in a couple of weeks!!!! And taking into account that it has been years since my hands last typed C, it cannot be that difficult.
Ok, Mixter released those tools to the public. So?
Sooner or later someone would!
Or worse yet would not, and instead take dozens of sites down with no one expecting it!
Just ranting... Nevermind...
Re:Ahh the moral vacuum of the hacker (Score:1)
Re:Ahh the moral vacuum of the hacker (Score:1)
I know the definition, I know a lot of old school hackers, I also know a lot of crackers, I definitely put him in the first category.
Re:Ahh the moral vacuum of the hacker (Score:1)
I agree, to an extent.
Feel free to claim innocence if you create a gun. But if that gun has special human-seeking bullets, then it could only be used for one purpose.
The DDoS tools are such creations. There is no legitimate use for them. They can only be used to harm the performance of a network. A DDoS attack is not all that different from a standard DoS, except that it is harder to track down. I see no reason for a network admin to try this on his network.
Obviously he does not care about the internet at all. Or cares more about looking 31337 than actually helping the internet.
With your own "Dear Mr. Police officer" line, you imply that he knew what he did was wrong. Doing something you know is wrong is called "immoral" and "sociopathic". What a great guy.
Crackers, this loser, and probably you care more about themselves than the internet. Go away. Come back when you grow up.
Remember Morris? (Score:3)
There are basically two problems: a huge number of machines vulnerable to off-the-shelf attacks, and the difficulty of detecting packet storms with phony source addresses. Both of these are fixable, but not trivially.
One way to address the first problem is to have a certain percentage of machines set up by default to detect and immediately report break-in attempts. This will detect large-scale attacks, and will trace them back one level. Not all machines need to have this, just 1% or so. If, say, most Linux machines did this, the problem would get much smaller. If most Microsoft machines did it, the problem would go away. We'll probably see this happen over the next year or two.
I can think of a few ways to address the second problem, some of which I've already discussed. With a little help in some routers, some interesting things become possible. Suppose there was an ICMP control message you could send to a router which said "turn on Record Route on IP packets sent to me for the next N seconds." Given that primitive, you could build a backwards traceroute.
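As an added example (not code from any poster here and not from Mixter's tools), here is a defender-side sketch in Python of the two points raised in the posts above about random spoofed source addresses and the difficulty of detecting packet storms with phony sources: a BCP 38 style egress check that stops spoofed packets from leaving a stub network, and a victim-side check that recognises a randomised-source flood by its distribution (a huge number of sources sending about one packet each) rather than by any single address. All addresses are from the documentation and benchmark ranges and every record is constructed.

```python
"""Two defender-side checks for floods that use spoofed source addresses.

Constructed sample data only: the addresses come from the documentation
(192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and benchmark (198.18.0.0/15)
ranges and no record is from captured traffic.
"""
import ipaddress
from collections import defaultdict

# Record layout: (timestamp_seconds, src_ip, dst_ip, packets_in_flow)
LOCAL_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # the network "we" administer


def egress_spoof_check(records, local_prefix):
    """BCP 38 style egress filter for a stub (non-transit) network.

    A packet leaving local_prefix must carry a source address inside it;
    anything else is spoofed and is returned here as what the border router
    should drop. Inbound packets naturally carry foreign sources and pass.
    """
    dropped = []
    for ts, src, dst, pkts in records:
        src_addr = ipaddress.ip_address(src)
        dst_addr = ipaddress.ip_address(dst)
        outbound = dst_addr not in local_prefix
        if outbound and src_addr not in local_prefix:
            dropped.append((ts, src, dst, pkts))
    return dropped


def spoof_storm_report(records, window_seconds, min_sources, max_mean_pkts):
    """Victim-side signature for a randomised-source flood.

    Per destination and fixed time window, count distinct sources and the
    mean packets per source. Real clients (or many users behind one ISP
    cache/NAT address) send several packets per source; a spoofed flood shows
    a very large number of sources each sending about one packet. Blocking
    individual source addresses cannot help against the latter, which is why
    the distribution, not any single address, is the signal.
    """
    per_window = defaultdict(lambda: defaultdict(int))  # (dst, win) -> src -> pkts
    for ts, src, dst, pkts in records:
        per_window[(dst, ts // window_seconds)][src] += pkts
    report = {}
    for (dst, win), per_src in per_window.items():
        n_sources = len(per_src)
        mean_pkts = sum(per_src.values()) / n_sources
        if n_sources >= min_sources and mean_pkts <= max_mean_pkts:
            report[dst] = {
                "window_start": win * window_seconds,
                "distinct_sources": n_sources,
                "mean_pkts_per_source": mean_pkts,
            }
    return report


def build_victim_sample():
    """Constructed: 5 real clients (20 packets each) talk to one server,
    while 200 distinct made-up sources fire one packet each at a victim."""
    records = [(1 + i, f"203.0.113.{10 + i}", "198.51.100.10", 20) for i in range(5)]
    records += [(2, f"198.18.{i // 256}.{i % 256}", "192.0.2.80", 1) for i in range(200)]
    return records


# Constructed: what a border router for LOCAL_PREFIX would see.
EGRESS_SAMPLE = [
    (1, "203.0.113.5", "192.0.2.80", 3),   # legitimate outbound request
    (1, "198.18.0.1", "192.0.2.80", 1),    # spoofed source leaving our network
    (1, "198.18.0.2", "192.0.2.80", 1),    # spoofed source leaving our network
    (2, "192.0.2.80", "203.0.113.5", 3),   # inbound reply: foreign source is normal
]

if __name__ == "__main__":
    for rec in egress_spoof_check(EGRESS_SAMPLE, LOCAL_PREFIX):
        print("egress filter would drop:", rec)
    for dst, info in spoof_storm_report(build_victim_sample(), 10, 100, 2.0).items():
        print("spoofed-source flood at", dst, info)
```

The thresholds (100 sources, at most 2 packets per source in a 10 second window) are illustrative; in practice they are tuned against a baseline of the site's normal traffic so that a busy ISP cache address, which shows up as one source with many packets, is never flagged.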
There is a strong argument for the likes of CDC... (Score:3)
What we have today with open disclosure, is a system where operating systems, vendors, and sysadmins become somewhat seasoned and hardened to attack because of this kind of disclosure.
Somewhat more debatably: Although script kiddies may be a pain in the ass, and their motives are selfish and childish, they do (collectively) ironically serve a function of sorts. Without script kiddies, it would be much easier to shrug off the importance of these flaws; it would potentially allow for a terrorist group, foreign government, or even a group of criminals to do serious economic damage in a wide-spread, highly coordinated, and professional attack. Remember that the independent acts of a million script kiddies all doing their own thing is likely not nearly as dangerous as the coordinated efforts of a professional organization (not to mention that the professional organization could do it by surprise, virtually overnight).
That being said, to clear up any confusion, I don't believe the internet is, at this point at least, terribly significant to our ACTUAL economy (GDP...as opposed to the imaginary one the press and politicians love to talk about). Even the actions of terrorists are not going to have all that great an impact (in my "other" scenario)--just that they'd have a greater impact were it not for disclosure. (Although, with corporate networks today being connected to the internet in various fashions, there is potential of significant information loss through the internet.)
The Software Gun. (Score:1)
Re:It was... this guy (Score:1)
ya know, if you believe the "six-degrees of separation" theory, that statement is not too far from being true.
-c
more Mixter: from the wall street journal (Score:3)
February 14, 2000
By DAVID P. HAMILTON and JIM CARLTON
Staff Reporters of THE WALL STREET JOURNAL
Computer sleuths and federal investigators continued to narrow their search for the culprits behind last week's hacker attacks against Yahoo! Inc. and other Web sites, obtaining evidence from several computers used in the attacks that points to at least two potential suspects.
While the investigation appears to be making progress, law-enforcement officials say they haven't yet come up with hard suspects. However, evidence obtained from analysis of network traffic, computer-security logs and monitoring of Internet-hacker channels known as Internet Relay Chat, or IRC, has let investigators focus on the activities of two known hackers. So far, the two have been identified only by their online pseudonyms.
The hacker raids, which overloaded major e-commerce sites with packets of meaningless data in so-called denial-of-service attacks, didn't threaten any data stored on those Internet servers. Many in the security community initially derided the attacks as unsophisticated, saying they could be conducted with tools widely available on the Internet.
Now, however, it appears that at least one of the attackers may have been far more skilled than the apparent copycats that followed, said David Brumley, a system-software developer in Stanford University's information-technology department who has taken an active role in the hunt for the perpetrators. The hacker, who is believed to be responsible for the attack on Yahoo -- the first of last week's large-scale assaults -- mounted a particularly complex operation using highly customized tools, Mr. Brumley said.
Mr. Brumley said this hacker's online pseudonym is known, but he wouldn't reveal it to avoid jeopardizing the investigation. He added that this hacker appears to have dropped out of regular IRC chats in the last few days. The hacker is thought to reside in the U.S., he said.
A second, apparently less-skilled hacker believed to live in Canada was being watched as a possible copycat, said Michael Lyle, chief technical officer of Internet-security firm Recourse Technologies Inc. (www.recourse.com). The hacker, known by the online pseudonym "mafiaboy," allegedly was recorded in an IRC chat soliciting orders to shut down the Cable News Network and E*Trade Group Inc. sites, Mr. Lyle said.
Stanford's Mr. Brumley confirmed that a hacker using the mafiaboy pseudonym was a focus of the investigation. However, he said, some in the hacker community don't believe the person behind the name was involved in the attacks. Indeed, mafiaboy is said to have later retracted the claims and a law-enforcement official said that authorities, while scrutinizing his actions, aren't sure he is responsible.
Mr. Lyle and other security experts at Recourse, of Palo Alto, Calif., said they have viewed snippets of dialogue and have verified more of it from other hackers, and plan to give the information to the Federal Bureau of Investigation. "We think there were several hackers who launched the attacks in copycat fashion," Mr. Lyle said.
Interest also has grown in a hacker identified as "Mixter." In a series of e-mail exchanges with The Wall Street Journal, online-news provider ZDNet and other media, Mixter has described himself as a 20-year-old German programmer living in the area of Hanover, Germany.
Mixter is credited with having authored the Tribe Flood Network software, or TFN, one of the interrelated attack tools believed to have been used in the attacks. A similar software is "trinoo." A third, called stacheldraht -- German for barbed wire -- is based on TFN but uses trinoo features. Mixter is credited only with TFN.
In e-mail interviews, Mixter said -- in fluent English -- that he had no direct connection to the attacks and criticized the use of his software to paralyze online companies. He said TFN was written solely to demonstrate Internet-system weaknesses.
Mixter first appeared on the Internet hacker scene around July 1998, posting less-well-known software programs he had authored on security-related Web sites, according to Dave Dittrich, a University of Washington computer-security expert who has analyzed some of Mixter's software.
Mixter has voluminous postings at a site called Packet Storm, a division of Kroll-O'Gara Information Security Group in Palo Alto. Last month, a paper Mixter wrote on Internet security won a $10,000 prize in a Packet Storm competition. Mixter's most recent addition to the site is a lengthy treatise on how to deal with attacks such as last week's.
A law-enforcement official said the FBI is trying to talk to Mixter through German authorities, but that Mixter isn't a leading suspect at this point.
The FBI has run into problems retracing the source of the attacks because some sites used weren't keeping complete logs of computer traffic, according to a person involved in the case. "Some of the sites didn't capture all of the traffic" because their record-keeping software isn't set up to record that level of detail, a law-enforcement official said.
With help from computer experts at the affected Web sites, the FBI is still analyzing what information they have gleaned from those logs. In addition, according to someone involved in the case, dozens of agents from field offices -- including San Francisco, Los Angeles, Atlanta and Boston -- are conducting interviews with sources who monitor hacking activity.
"There hasn't been a huge number of people taking credit," said a law enforcement official, but the FBI is looking at them all.
The first major breaks in the case came late last week, when investigators learned that computers at several California universities, including Stanford, the University of California at Santa Barbara and the University of California at Los Angeles, were involved in the attacks. Several university officials said their computers were infiltrated prior to the attacks and used to fire the barrage of data packets that temporarily knocked out several sites, including Yahoo, Amazon.com Inc., eBay Inc., E*Trade and CNN, a unit of Time Warner Inc.
At UC Santa Barbara a network programmer noted "abnormalities" in the university's network traffic when he logged in Tuesday night. After further checks, the programmer discovered the following morning that one computer on the network had been broken into and used to attack the CNN Web site, according to Robert Sugar, the university's acting director of information technology.
Upon that discovery, the programmer alerted both CNN officials and the FBI, Mr. Sugar said. Campus officials said the hacker who broke into that computer left many traces, and said the FBI already has obtained reams of data as a result.
Mr. Sugar declined to describe the computer except to say it was an older desktop machine, a description consistent with a computer workstation. Security experts long have warned that older computers used for less-sensitive work at universities, where high-bandwidth Internet connections are common, are particularly vulnerable to such intrusions.
A hacker also apparently manipulated a Stanford network router -- a computer specially designed to direct Internet traffic -- as part of an attack that overloaded the Web site of eBay, San Jose, Calif. That kind of attack, known as a "smurf" attack after the first software tool designed specifically to conduct it, didn't entail an electronic break-in at Stanford's computers, Mr. Brumley said. Instead, the hacker subverted a router "broadcast" feature used to direct an entire cluster of computers to blast packets at eBay.
Meanwhile, other sleuths continued to probe the extent of the Internet's vulnerability to attacks. Network Associates Inc., a security company in Santa Clara, Calif., said a voluntary-screening program detected three cases of denial-of-service software installed on host servers: one in a university computer in Berlin, another at a university in Iowa and one in a nonuniversity computer in Long Beach, Calif. None of these detections necessarily indicate these computers were employed in last week's attacks, the company said.
As investigators continued their work, the computer industry struggled to reach common ground on security issues in order to present a united front at a White House meeting scheduled for tomorrow.
The dilemma for the computer industry, public-policy advocates say, is how to develop and agree upon standards that the government can support and protect without disrupting the open nature of the Internet. But given the different perspectives of government and industry, that won't be easy. Kim Alexander, head of the nonprofit California Voters Foundation, is one of the few people conversant in both the political and technological worlds. "It's like they speak two different languages," she says.
Many companies hit by last week's attacks continued to lie low. But some appear likely to take a more active stand against government intervention. AT&T Corp. dealt with attacks in the past week against some of its customers but remains opposed to government intervention to protect networks.
"It is important for the government [to take] a role in something that is illegal and affects commerce. Past that point, we clearly believe in self-regulation in this industry," said Rose Klimovich, AT&T's director of global intellectual-property-network services.
Some hackers, meanwhile, continued to toy with security experts over the weekend. Late Saturday or early Sunday morning, a hacker with the handle "Coolio" defaced the rsa.com Web site, which is owned by Internet-security firm RSA Data Security Inc., a unit of RSA Security Inc. of Bedford, Mass. The defaced site bore a picture of two men pictured on RSA's official Web site with the letter "L" branded on their foreheads, and carried the message: "The most trusted name in e-commerce has been owned" by Coolio.
Scott Schnell, a marketing vice president at RSA, said the company doesn't use the rsa.com site, which normally redirects Web surfers to RSA's main page at rsasecurity.com. He said the hacker hijacked the rsa.com Internet address and redirected it to the defaced page. Mr. Schnell said RSA was working with its Internet provider to resolve the situation.
David Cloud and Douglas A. Blackmon contributed to this story.
Re:Linux is so stable.. (Score:1)
not a linux error.
Re:I like the possibilities. (Score:1)
Re:Ahh the moral vacuum of the hacker (Score:2)
...phil
Who gets hurt the most? (Score:1)
I suppose my biggest fear is that the government would try to invent/incorporate some sort of master control system (super ICMP?) for IP. Not only would this likely be ineffective in deterring a serious attacker, but it would likely invite abuse as well. I'm not sure that our fearless leaders in DC comprehend the issues involved.
I believe the only way we can deal with this is the way it's always been done: as a community. It has been pointed out that a lot of the zombies in recent attacks have been Linux/Unix boxes. I know there are a lot of resources on the web for Unix security. RootShell [rootshell.com], for example, is a good site not only for descriptions of exploits, but actual code you can use to test your box. There is a lot of information about Unix/Linux security out there, but it's unlikely that any newbie will be exposed to it before, during, or immediately following the install of their OS. And we all know what kind of daemons get installed by default these days. I don't know if it exists, but a clearinghouse of security info, including not only alerts/exploits but instructions for newbies on how to fix problems, would probably go a long way. Just raising the issue of security consistently (banner ads, links from most major linux sites) to this clearinghouse would probably be enough to get the attention of people who are working with Linux. Does something like this exist? If not, would anyone else be interested in setting it up? Perhaps it could be part of the LDP. Who knows. I'm envisioning far more than might be practical, but if anyone else is interested, e-mail me at po.cwru.edu, username dwb2.
Re:Method to Madness (Score:1)
Ok then... Why not Barnes and Noble instead of Amazon? (one Click Shopping???) Why not shopper.com instead of Buy.com? (Corporation not making any money whatsoever and selling products at a loss, looking for a big IPO) Why not ABCNews.com, or News.com, but CNN.com? (Time/Warner) There's quite a common thread here...
Yes... (Score:2)
Re:suck.com lays the smack down (Score:2)
How can you properly protect against many DOS attacks?
How can you properly protect yourself against real world vandalism? Vigilance, monitoring, and prosecution. We just need another generation to grow up and realize, by being taught from a young age, that these antics do nothing but hurt in the long run. What we have is a generation of kids and young adults who have no moral framework for their activities on the Internet. It has also empowered the disenfranchised (*cough*) to make their voices heard both far and wide.
Anyway, you can't stop them through normal means; here's the official word [cert.org] (from over two years ago).
--
Re:Ahh the moral vacuume of the hacker (Score:2)
And this tool was to throw lots of data at a machine. Just as there are devices that are built to ram cars at 60 MPH into a solid wall. This does *NOT* mean that they intend for it to be used with real people instead of test dummies in the driver's seat.
Re:Method to Madness (Score:3)
(Of course, if there were a DoS at AOL, would anyone even notice? :-)
The first thing that came to mind for me was the old "A-B-C murders" gimmick: hit your real target, and hit some unrelated bystanders before and after to make it look random.
The perpetrator may have had a beef against Buy.com specifically ("I got yer restocking fee right here, buddy") and screwed around with them on the day of their IPO, and hit the others so as to make it look like random vandalism.
On a related note, last night's spam attack (Score:1)
First of all, yes, I'm the person responsible for the spamming. I would like to explain why I did it, and what I hope comes of this. I've already explained myself in scattered places in the discussion thread itself, so I'll just sum my thoughts up here.
Writing the spambot was rather easy. It was something I could quickly cobble together with a couple of very simple shell scripts. The hardest part was reformatting the text into an HTTP POST request. I also posted the scripts to the discussion thread, for a variety of reasons.
I think that trolls, spammers, and offtopic posters can be dealt with FAR better than they are now. I'm done with my fun for the night, and in the meantime I hope this can lead to some better moderation in a few regards:
Thank you for reading this far. Good night.
Thank you Judge Mills Lane,.. (Score:1)
now could you step off your moral podium so i can look you in the eye and see if you really are as dumb as you seem?
whether or not he's egotistical and whatever purposes he wrote the tools for, he is NOT to blame for the way they were used. the absence of a punishable offender does not mean we go after the person who wrote the tool(s) of their crime.
if i use a cinderblock to bash your head in for effusing such pin-headed opinions on a public forum (and then getting moderated up to the top of the heap!), should we then go find the manufacturer and yell at him for making a weapon that can be used to kill?
ok, so you say 'but dave, this was a specialized tool that could really only be used for one purpose. he knew how it would be used!' so, ok, i build a guilloteine (i slaughtered the spelling, i know..), but you stick your little sister's neck under it and set the blade on its way.. you are the one who did it, not me.
he probably is an egotistical bastard, i have no clue, i don't know the guy. but he is not to blame and if he is as self-centered as you say, then drawing more attention to him is only serving his purposes.
...dave
Re:Remember Morris? (Score:1)
Traffic.
Lots and lots more traffic.
Especially if done in the same regard as DoS's are done...
Re:suck.com lays the smack down (Score:2)
If people implemented either of those, DoS attacks would be simply dropped by the routers as excess traffic from that address or class. The attack would hurt nobody, because it would reach nobody.
This would still work against DDoS attacks, because the network identifies a class for each type of packet. If you had 1,000 computers, all pinging away, the router would drop everything from all 1,000, as it would exceed the preset limit for that class.
Wouldn't it overload the user's router? Depends on how good their router is. =Ideally=, this would be implemented on the backbone, itself. That way, it'd get filtered out before it could crash any connection.
Re:Ahh the moral vacuume of the hacker (Score:2)
Yaruar Wrote:
Your opinion, Yaruar, reflects the moral righteousness of a coward. Instead of addressing the behavior of the wrongdoers, you attack the actions of a toolmaker who 'made it possible'.
Your simile with weapons manufacturers is apt, but your conclusions are wrong. Tools in and of themselves, as inanimate objects, can be neither good nor evil. It is the intent of the tool user, and the actions performed by said tool user, which are either good or evil. If 'evil' actions are socially unacceptable (thus codified into law), I say it is reasonable for a manufacturer to assume that the 'evil' uses of their tool will not outweigh the 'good' uses. The mere possibility of wrongdoers misusing the tool for 'evil' does not invalidate the 'good' that is done with a tool. Neither does it make the manufacturer responsible for another individual's evil/bad/illegal actions.
Please explain how Mixter's good faith effort to inform the public of a security problem (by publicly posting his code, to enable testing for vulnerability) qualifies as a 'moral vacuum'? You accuse Mixter of being an egotistical hacker (spoken as a dirty word) because he supplied his tool to the public. I, on the other hand, say he did good, by publishing his tool(s), and rightly expecting the 'good guys' to use it to protect themselves before the 'bad guys' used it to hurt them.
As an aside:
Who is morally superior: 1) a woman lying in an alley, raped, beaten, and strangled by her own stockings, or 2) a woman explaining to the police how her attacker received that fatal gun shot wound to the chest? Evildoers will find tools to use for evil, whether they are firearms, knives, baseball/cricket bats, or a woman's silk stockings. Check the UK's (and Australia's for that matter) violent crime statistics after the complete (near-complete in Australia) ban on firearms ownership.
A modest proposal (Score:1)
Please stop reading so much JonKatz.
No you wouldn't (Score:2)
False confessions are not rare, especially for high profile crimes. The FBI may be completely clueless, but they certainly aren't going to investigate every Usenet kook or IRC whackjob that claims responsibility.
BTW, I did it. Me, A Big Gnu Thrush. So catch me if you can, because 3 days from now, at 25:62 GMT, I'm going to strike again, and no one can stop me!
-insert maniacal laughter-
Re:suck.com lays the smack down (I think NOT) (Score:1)
Say it with me now, "Marking packets is bad mm'kay"
What purpose do Mixtor's tools have? (Score:1)
What can Mixter's tools be used for? His tools send large amounts of data to targets via multiple clients. Can anyone think of a reasonable use of a tool like this? Surely, it doesn't protect anyone. I can't think of anywhere I'd use this "tool" to troubleshoot a network. I'm stumped. I think it's generally accepted that if I write a computer virus and give it to my friend, and he decides to unleash it at his workplace, we're both going to get busted. "But, I just wrote it... I didn't spread it." Yeah, try telling that one.
So Mixter, thanks for the great tool! I'll use it daily, I'm sure. Can't wait to find some use for it.
The other argument I hear is "Well, he used it to prove a vulnerability". The problem with this argument is that everyone knew about DDOS before his "tools" were released. If Mixter had made a post on a security site about a bug he'd found in Linux that gave a hacker root, I'd be all behind him for posting how to do it. Because nobody knows about the bug! But everyone knew about DDOS. But there's not much you can do to stop it on the receiving end, only on the client sides. His tools have one purpose: malicious intent.
I'm sure many people here have thought of the idea of DDOS before (especially when distributed clients first came out), and many of you also have the programming skills to write the clients necessary to do a DDOS. But you haven't. Most likely because you understand it can be done. THERE'S NOTHING TO PROVE. Mixter wasn't first, he was just the first one missing the morals to understand the implications.
Re:Ahh the moral vacuume of the hacker (Score:1)
These attacks show two things:
1. There are a lot of insecure systems out there. These can & will be abused by people. As broadband access becomes more widespread this problem is only going to get worse.
2. Egress filtering needs to be implemented at the lowest service providers. Most people implement filters on all their inbound connections, but most people forget the outbound. Just allowing only packets from your network would eliminate spoofed packets. At least this way a DDoS would be traceable.
Major problems like this need to be addressed.
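As an added example (not code from the thread), here is a simulation of the ingress and egress anti-spoofing filters the post calls for, run over constructed packet records rather than live traffic. It assumes the provider owns 203.0.113.0/24 and 198.51.100.0/24 (documentation ranges) and that each record carries the interface it arrived on, so a dropped spoofed packet can be traced to a customer port.

```python
"""
Ingress/egress anti-spoofing filter simulation. Not from the thread;
prefixes, interface names and packets are all constructed.
"""
import ipaddress
from collections import Counter

# Address blocks this provider legitimately originates (constructed).
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]


def is_local(addr, nets=LOCAL_NETS):
    """True when addr belongs to one of the provider's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def egress_allowed(pkt, nets=LOCAL_NETS):
    """Outbound rule: the source must be an address the provider owns.
    A zombie on this network then cannot hide behind a forged source,
    which is what makes a flood traceable back to its real origin."""
    return is_local(pkt["src"], nets)


def ingress_allowed(pkt, nets=LOCAL_NETS):
    """Inbound rule: traffic from outside must not claim a local source."""
    return not is_local(pkt["src"], nets)


def apply_filters(outbound, inbound, nets=LOCAL_NETS):
    """Run both rules. Returns the forwarded packets plus a count of
    dropped packets per arrival interface, which is what an operator
    would use to find the customer port emitting spoofed traffic."""
    dropped = Counter()
    fwd_out = []
    for pkt in outbound:
        if egress_allowed(pkt, nets):
            fwd_out.append(pkt)
        else:
            dropped[pkt["iface"]] += 1
    fwd_in = []
    for pkt in inbound:
        if ingress_allowed(pkt, nets):
            fwd_in.append(pkt)
        else:
            dropped[pkt["iface"]] += 1
    return {"out": fwd_out, "in": fwd_in, "dropped": dropped}


# Constructed sample traffic. 192.0.2.0/24 stands for "the rest of the net".
OUTBOUND = [
    {"iface": "cust-7",  "src": "203.0.113.45", "dst": "192.0.2.10"},  # genuine
    {"iface": "cust-7",  "src": "10.9.8.7",     "dst": "192.0.2.10"},  # spoofed
    {"iface": "cust-12", "src": "192.0.2.99",   "dst": "192.0.2.10"},  # spoofed
    {"iface": "cust-12", "src": "198.51.100.3", "dst": "192.0.2.10"},  # genuine
]
INBOUND = [
    {"iface": "upstream", "src": "192.0.2.10",    "dst": "203.0.113.45"},  # genuine
    {"iface": "upstream", "src": "203.0.113.200", "dst": "203.0.113.45"},  # spoofed
]


def demo():
    result = apply_filters(OUTBOUND, INBOUND)
    for iface, count in sorted(result["dropped"].items()):
        print(f"{iface}: {count} spoofed packet(s) dropped")
    return result


if __name__ == "__main__":
    demo()
```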
Re:Method to Madness (Score:1)
Good points, perhaps you are right. I just found it extremely coincidental when I read the list of the companies attacked that day, at how familiar some of the names were from recent stories on slashdot.... Amazon, Buy.com, Cnn.. etc. Just hit me as soon as I read them. But you could be right, who knows?
What qualifies you to decide the purpose of a gun? (Score:2)
That may be your purpose for a gun. For me, the main purpose of one of my guns is for home defense. The main purpose of some of my other guns is recreation at the shooting range. The main purpose of the model 94 Winchester (circa 1897) is as a decorative showpiece above the fireplace mantle. The main purpose of the rifle is for hunting.
What a narrow limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.
Re:Ahh the moral vacuume of the hacker (Score:2)
attacker (Score:1)
I noticed he never said "cracker" or "script-kiddie." He said "attacker" several times. I like this, I think it's a better fit. After all, any fool can fire a gun but not too many can design one though, at least one that doesn't explode when fired. By this analogy, almost anyone can attack but not everyone can hack.
-M
Bueller. Bueller. (Score:1)
Re:Ahh the moral vacuume of the hacker (Score:1)
Now that I've woken up. (Score:5)
This PC happens to run windows (Yes. I know. I'm inherently evil and feeding the great satan. Just flame me and moderate me down for admitting it and get on with your lives.)
I installed a firewall (Zonelabs [zonelabs.com]), mostly because it was free, and also because I decided that if I wasn't part of the problem yet, it was only a matter of time.
Results: I was getting probed at an average of once every 20 minutes from a variety of locations. Urk! (Please note, my ip starts with a 24, which tends to indicate an @home or roadrunner cable modem service)
Side note: If you want to test your machine, go to Steve Gibson's ShieldsUP! [grc.com]. It's a bit slow at the moment (and posting this ain't gonna make it faster). Personally I wish I had known about this site before this insanity started.
-----
security resources (Score:1)
To get a good start in finding out more about systems security go to http://www.deter.com/unix
From there you will find better places to post deeper questions.
-M
Is it possible to trace these attacks? (Score:2)
The cracker who broke into the University machines is unlikely to have done so in the daytime, their time. From this, you should be able to determine the probable timezone.
But how will this help?
In and of itself, it wouldn't. This is where things really depend on the people used to carry the DDoS attack software. To have broken in, the crackers are likely to have scanned the ports and services. From this, you should be able to collect some statistics as to what sort of timeframe the cracker was operating in.
Now, how will -this- help?
Again, it won't, unless more than one site was used in the DDoS attack. There'll be a time difference, as it's improbable the person cracked all sites simultaneously. This will give you a much clearer picture of what was cracked, and when.
THEN, you look at the relative times involved. (Although the logs will undoubtedly have been altered, it may still be possible to see over what timeframe the alterations cover.) This gives you a rough guesstimate as to the path of the different connections, and will narrow down the search to specific nodes within each of the possible countries.
Now, some of those nodes will be improbable. It's unlikely that the crackers would have gone through a corporate website, for example, unless that site, itself, had been cracked.
If the cracker(s) went through multiple computers to get to those they eventually used, then, yes, it is impossible to trace them. Triangulation needs at least two known points and a direction. But, if they didn't, this is the best bet anyone has of identifying who did it, unless the person(s) step forward.
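The timezone step of the post above, worked as an added example (not from the post): given the break-in times recorded on several zombie hosts, score every candidate UTC offset by how many events would fall in an assumed off-daytime working window, and list the order in which hosts were compromised. All timestamps and host names are constructed, and the 20:00 to 04:00 window is an assumption.

```python
"""
Estimate an intruder's probable UTC offset from compromise times.
Added example; events, hosts and the working window are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed break-in times (UTC) taken from the zombies' logs. In a real
# case these would come from login, shell-history or port-scan records.
EVENTS = [
    ("zombie-a", "2000-02-05T02:14:00Z"),
    ("zombie-b", "2000-02-05T03:40:00Z"),
    ("zombie-c", "2000-02-06T04:05:00Z"),
    ("zombie-d", "2000-02-06T05:52:00Z"),
    ("zombie-e", "2000-02-07T06:31:00Z"),
]


def parse_utc(stamp):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    naive = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return naive.replace(tzinfo=timezone.utc)


def in_window(hour, start, end):
    """True when hour lies in [start, end), allowing wrap past midnight."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def score_offsets(events, night=(20, 4), offsets=range(-12, 15)):
    """For each candidate UTC offset, the fraction of events that land
    inside the assumed working window once converted to that local time."""
    stamps = [parse_utc(stamp) for _, stamp in events]
    scores = {}
    for off in offsets:
        local_tz = timezone(timedelta(hours=off))
        hits = sum(in_window(t.astimezone(local_tz).hour, *night)
                   for t in stamps)
        scores[off] = hits / len(stamps)
    return scores


def candidate_offsets(events, night=(20, 4)):
    """Offsets consistent with every event. As the post says, this alone
    does not identify anyone: the answer is a band several hours wide."""
    scores = score_offsets(events, night)
    return sorted(off for off, score in scores.items() if score == 1.0)


def compromise_order(events):
    """Hosts in the order they were broken into, with the gap in hours
    since the previous one; large gaps hint at separate sessions."""
    ordered = sorted(events, key=lambda e: parse_utc(e[1]))
    result, prev = [], None
    for host, stamp in ordered:
        t = parse_utc(stamp)
        gap = (t - prev).total_seconds() / 3600 if prev else 0.0
        result.append((host, round(gap, 2)))
        prev = t
    return result


if __name__ == "__main__":
    print("plausible UTC offsets:", candidate_offsets(EVENTS))
    for host, gap in compromise_order(EVENTS):
        print(f"{host} compromised {gap:.2f} h after the previous host")
```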
What we need... (Score:1)
Cliche-fest (Score:2)
If I tie someone up and force them to read all of Signal 11's posts while I scream "Karma! Karma! Karma!" in their ear, is Signal 11 responsible?
If I force someone to read every Jon Katz article until their brain (also) turns to Jell-O pudding, is Katz responsible?
Sorry, I've just read too many gun analogies on this thread. I went a little crazy there. It won't happen again....
Re:suck.com lays the smack down (I think NOT) (Score:2)
Use is in the eye of the beholder (Score:2)
Are they tools whose sole purpose is to cause harm and aid people in the thievery and piracy of intellectual property, or just tools that will let us play our legitimately bought DVDs in Linux?
Only 36 hours ago there was that article about the head of the RIAA and his opinions about how DeCSS had no purpose other than piracy. And we mostly, 99% agree that he's wrong. Well then, why all this argument for the case of TFN? Why are many of us unhappy about TFN and blaming the author for all the problems he caused by the tools he created, yet happy about the creation of DeCSS and css-auth?
Why the double-standard?
Re:Ahh the moral vacuume of the hacker (Score:2)
code may have as its only use to break into a system, but distributing the source of the code makes the weaknesses public, and so able to be dealt with. Closing these publicly known holes then improves the security of the whole system even against unknown attacks.
The situation is different with DDoS: everyone knows what the security vulnerabilities are, and they are nothing that the target can protect against by themselves. Instead the solution depends upon changing the way routers work (e.g. stopping them allowing broadcast PINGs, which have no constructive use, and are the key to this kind of DDoS attack).
To sum up, nothing constructive is achieved by publishing code that makes use of a known vulnerability, as in this case, but something constructive is achieved by publishing hitherto unknown vulnerabilities.
Canadian Company Provides Web Security (Score:2)
Flamborough, Ontario, February 15, 2000
While corporate Technology executives meet with President Clinton's staff at the White House to discuss the recent catastrophic Denial of Service problems for web business, a small Canadian company today announced the pending release of a solution.
In order to be a successful countermeasure, the cooperation and adaptation by the infrastructure industry will be necessary. Platformed on the GateWeaver VPN Firewall server, the company expects to have its newest "Crossing Guard" module in the mass market channel by mid-March. The offering will be in two formats: software only and an integrated hardware device.
The GateWeaver products are compatible with Macintosh, Microsoft Windows, Unix operating systems and Novell networks.
Crossing Guard is an initiative to combat the recent increase of DoS (Denial of Service) attacks that have been responsible for Internet server downtime. The key to defeating a DoS attack is to push the attack as far from the victimized server as possible, preferably right back to the initiating client. This allows the server to continue servicing its clientele quickly and efficiently.
Crossing Guard works to provide a "breathing window" during a Denial of Service attack to isolate attackers and initiate a response. By working with ISPs and backbone providers, an attacked server can request a reprieve from the closest Crossing Guard to the attacker, stopping the packet storm in its tracks. This reprieve will last for 60 minutes: enough time to contact network providers for a more thorough response, while not limiting the freedom of the net or disconnecting a large gateway that serves many clients.
When an attack is detected, either through server unresponsiveness or more proactive network monitoring tools, the system administrator logs into the local Crossing Guard server, which attempts to contact the next upstream Crossing Guard to the attacker through the primary network connection and, failing that, through a backup connection. Each Crossing Guard will relay the countermeasure request as far up the tree as able so as to limit the bandwidth consumed by the attack to as short a distance as possible.
Each Crossing Guard will store the request for later review as well as notify system administrators in each network the attack is passing through of the countermeasure, and provide contact information for the attacked server administrator to arrange for a more permanent protection solution.
The Crossing Guard specification is expected to be released to the Internet community for peer review and implementation. Our goal is to create a solution that scales from the largest intercontinental provider down to the smallest local ISP. With this in mind, the GateWeaver implementation of Crossing Guard will be available as a software product free of charge to local ISPs.
All hardware vendors, network providers, ISPs, and businesses doing business on the Web are invited to join in developing a self-regulating solution to contain and deter against Denial of Service attacks.
GateWeaver.com has made available a free distribution version of its firewall-VPN software. The company anticipates releasing the software version of Crossing Guard in the same manner.
Contact Information
www.gateweaver.ca
www.gateweaver.com
The Manor Group Ltd.
Chris Maxwell
Cmaxwell@themanor.net
905-689-2001 Phone
877-manor-99 Toll Free
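A toy model of the upstream relay the press release describes, added here as an illustration and not GateWeaver's code: the victim's local guard installs a temporary block for the attacking flow, asks the next guard toward the attacker to do the same, and so on until no further guard exists; each guard records the request and reports its admin contact, and every block lapses after the 60-minute reprieve. The topology, contact addresses, IP addresses and message fields are all constructed.

```python
"""
Constructed model of a chain of "Crossing Guard" relays. Not GateWeaver's
code; the real specification was never published in the thread.
"""
from datetime import datetime, timedelta

REPRIEVE = timedelta(minutes=60)      # duration stated in the release


class Guard:
    """One guard at a network hop. `upstream` is the next guard toward the
    attacker, or None when this is the last hop that runs a guard."""

    def __init__(self, name, admin_contact, upstream=None):
        self.name = name
        self.admin_contact = admin_contact
        self.upstream = upstream
        self.filters = []             # (attacker_src, victim, expires_at)
        self.log = []                 # stored requests for later review

    def blocks(self, src, dst, now):
        """True while an unexpired block for this flow is installed."""
        return any(s == src and d == dst and now < expires
                   for s, d, expires in self.filters)

    def handle_request(self, attacker_src, victim, now, requester):
        """Install the block, record who asked, then relay upstream.
        Returns the (guard, contact) pairs notified along the chain."""
        self.filters.append((attacker_src, victim, now + REPRIEVE))
        self.log.append({"from": requester, "src": attacker_src,
                         "victim": victim, "at": now})
        notified = [(self.name, self.admin_contact)]
        if self.upstream is not None:          # "as far up the tree as able"
            notified += self.upstream.handle_request(
                attacker_src, victim, now, self.name)
        return notified


def request_reprieve(local_guard, attacker_src, victim, now):
    """Entry point for the attacked server's administrator."""
    return local_guard.handle_request(attacker_src, victim, now, "victim-admin")


def build_topology():
    """Constructed chain: victim's ISP -> regional carrier -> backbone.
    The attacker's own ISP runs no guard, so the relay stops at the backbone,
    which is as far from the victim as the block can be pushed."""
    backbone = Guard("backbone", "noc@backbone.example")
    regional = Guard("regional", "abuse@regional.example", upstream=backbone)
    victim_isp = Guard("victim-isp", "ops@victim-isp.example", upstream=regional)
    return {"victim-isp": victim_isp, "regional": regional, "backbone": backbone}


def demo():
    """Run one request through the chain and summarise what happened."""
    guards = build_topology()
    t0 = datetime(2000, 2, 15, 12, 0)
    attacker, victim = "198.51.100.77", "203.0.113.10"     # constructed
    notified = request_reprieve(guards["victim-isp"], attacker, victim, t0)
    backbone = guards["backbone"]
    summary = {
        "chain": [name for name, _ in notified],
        "contacts": [contact for _, contact in notified],
        "blocked_at_59min": backbone.blocks(attacker, victim,
                                            t0 + timedelta(minutes=59)),
        "blocked_at_60min": backbone.blocks(attacker, victim, t0 + REPRIEVE),
        "backbone_requester": backbone.log[0]["from"],
    }
    for key, value in summary.items():
        print(f"{key}: {value}")
    return summary


if __name__ == "__main__":
    demo()
```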
Re:What qualifies you to decide the purpose of a g (Score:2)
And how exactly do you do your home defense with a gun, without potentially maiming and killing? Pry it between the door and the post so it becomes harder to open the door? How do you hunt with a rifle without killing? Use it as a crude spade to dig a hole? The gun that was produced in 1897 by the Winchester factory, was that intended to be a showpiece?
What a narrow limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.
Perhaps you should consult a dictionary and look up the words primary and only. Those meanings aren't equivalent.
-- Abigail
Re:Ahh the moral vacuume of the hacker (Score:2)
They might have been invented with one intention, and the actual droppings might have ended WW2, but anyone with any insight will know that they weren't at all necessary to end WW2. Don't forget, the war in Europe was already over in August 1945, and Japan had no significant air force or navy left. There was absolutely no question left who would win the Asian conflict. The main reason the bombs were dropped was to impress the Soviets, and to prevent them from joining the war in Asia and claiming some of the booty. The cold war had already started.
They had also an unexpected side benefit - they avoided World War 3.
That's highly debatable. WW3 hasn't happened (yet), but that doesn't mean nuclear weapons prevented that. And a few times, the world has been on the brink of a WW3 *because* of nuclear weapons. The world would have been quite different if Truman had dropped the bomb in Korea, or if the Cuban missile crisis had gone the other way.
There are scientists who create machines that can be used to kill people, but that can also be used to better purposes.
There's a big difference between can and intended to. I think the world would be a safer place without guns - it's worth the price of the occasional bear in your back garden and the lack of a recreational shooting range. But the world wouldn't be better off without hammers. Hammers can be used to kill, but it's not their main purpose.
Whose side are you on?
Me? I'm on the rational side. The world is filled with lusers. If you create something, and make it available to everyone, you have some form of responsibility. The world isn't an anarchy filled with irresponsible people.
-- Abigail
Huh - exactly. (Score:2)
--
Re:Ahh the moral vacuume of the hacker (Score:2)
I feel like I'm swimming upstream here, but I'm going to agree with you and I'm going to go one step further.
I have to wonder how many of these guys really give a damn about security. If these people are so concerned about security, why aren't they out breaking into people's homes to show how easy it is to do that? Isn't that the same concept? This isn't about security, it's about smashing mailboxes, or throwing eggs at cars as they pass under a bridge.
This whole thing just smells like your basic "angry-anti-social-anti-establishment" activity. This is nothing but an act of cowardice committed by a coward.
I'll be able to forgive their actions if the "hacker" is under 18; otherwise I say the "hacker" should grow the fuck up and I sincerely wish years in a jail cell upon you.
Re:Ahh the moral vacuume of the hacker (Score:2)
That's like saying "it's ok to hand out guns so it becomes known how unsafe movie theaters are, and people can fix security".
Handing out code isn't necessary at all to show weaknesses. You can also write an article about it, and *gasp* release some code that fixes the problem. Of course, in this case, the "holes" weren't exactly new. 20 years ago, people knew about them as well. The big difference was, 20 years ago no one (mass) distributed code to abuse the holes, and there were no problems.
If someone is really concerned about the existing security holes, and wants to do something about it, then by all means, *do* something about it. Fix the holes, jump on the IP6 bandwagon, port kernels and applications to use IP6. But don't hand lusers the tools to exploit the weaknesses. No one, absolutely no one is helped by that. Unless you find ego-stroking helping.
-- Abigail
Re:What does localtime have to do with anything? (Score:2)
Re:Ahh the moral vacuume of the hacker (Score:2)
Yeah, except that in the 25+ years of the existence of the current holes, no one did misuse the holes on a scale as was done recently.
Just because evildoers might find tools doesn't mean you don't carry any responsibility (moral and sometimes legal as well) for handing them the tools on a silver platter.
Burger King didn't say "we are innocent - they did it themselves" when some kids experienced some rather nasty side effects of playing with a toy. And that was for something with a harmless intended purpose.
People have a moral responsibility for their actions, and that includes giving away dangerous stuff to lusers. Even if they live in a jurisdiction that is too backward to recognize this.
-- Abigail
Re:What qualifies you to decide the purpose of a g (Score:2)
Or you could go by that one commercial with the person shooting the animals - as in with a camera - which is the best kind of sport hunting I can think of, since you can show off the animal you caught (on film) without harming it (unless you believe that photons hitting an emulsion takes away the soul of the last thing the photons bounced off of).
---
"'Is not a quine' is not a quine" is a quine [nmsu.edu].
Re:Nuclear weapons... ended WW-II earlier. (Score:2)
And that gives you credibility exactly how? Or your father for that matter. The decision of dropping the bomb wasn't made by the to-be-formed occupation forces.
Military estimates are that as many as 250,000 Americans would probably have lost their lives, and Japanese casualties from the American invasion would have topped 1,000,000. Estimates are that if the Soviet Union had invaded from the north (where I lived), casualties would have tripled over those expected in the American invasion. From what elderly Japanese people told me when I lived there, the deaths from starvation and disease would probably have pushed the death toll much higher.
Maybe, maybe not. It's a bit hard to believe more Americans would die than died while fighting in Europe, when the US was fighting on two fronts. As for the estimated Japanese deaths, I'm not questioning the numbers, but in 1945, the people who decided to drop the bombs didn't give a rat's ass for the lives of the Japanese. Otherwise, they would have picked different targets than large cities.
When Emperor Hirohito saw the damage of these bombs (which they had been warned about), he overruled his military advisors and told the Japanese people to lay down their arms and welcome the Americans
Yeah, to save his own ass. He might as well have done that if the bombs had not been dropped - it's something we will never know.
The real reason atomic weapons were invented in the United States was because the government realized that they were in an arms race with the Nazis, and that they absolutely had to win.
And the allied forces defeated the Nazis without the use of atomic weapons.
Re:There is a strong argument for the likes of CDC (Score:2)
I disagree with that. It has been publicly known for decades that doors don't stand a chance against an attack by a tank. My landlord isn't going to put an anti-tank ditch around my apartment. Why? Because only a few have the expertise to create a tank, and those that do don't leave them on the streets for anyone to grab. And that's more than enough to keep my stuff safe from an attack by a tank.
As long as people behave irresponsibly, be it by making actual attacks, or by putting the means into the hands of anyone who feels like it, "hackers" will keep a bad name. Nor is it going to help any open source movement at all. Whining about being portrayed in a negative way in the media here on slashdot isn't going to solve that. Do you really think Joe R. Websurfer gives a damn "it's ok to make the tools available", "this attack shows that people have to spend more time and money in securing their sites", etc? No. He notices that his favourite websites were unavailable for some hours. And that the same crowd that wants him to run Linux instead of Windows (partially) defends the actions.
-- Abigail
Impossible to track? Hardly (Score:2)
There are already tools out there for the detection of these types of DDoS attacks, and there are already procedures (and software in some cases) for quickly tracing back spoofed IP addresses. Adding a relay in there just makes it take a little longer (assuming the initial request for a DDoS attack wasn't already detected by the attacker's ISP or any system in between).
Depending on how many Hax0ReD systems you're bouncing between to request a typical smurf attack, and depending on the time it takes the victim/victim's ISP to notice, your true origin can be discovered in as little as a few minutes. Work is already underway on automating the process of tracing back spoofed IPs. With a quick phone call to each of the sites you're bouncing from, you can be tracked down in a matter of seconds. All the victim has to do is activate software and tell it the nature of the attack. In fact, any site along the way that detects the attack itself or the instructions to instigate the attack can do the same thing.
You think you're invincible? Impossible to find? When you have a half dozen angry, highly intelligent people methodically following the trail back to your PC (one of which could be working for the ISP you're dialed up to), how long before you think you'll be caught? Do you honestly think that the only people caught pulling crap like this are the ones that show up on TV? Contact your local police or FBI office for statistics.
When you are caught, then the real ass fucking begins. A major DoS attack (like most smurf attacks or any of these DDoS attacks) can cost an ISP hundreds of thousands of dollars (that's six digits). If you're a minor, that means your parents probably get stuck footing the bill. They'll lose their house, their car, your college tuition (but I guess you probably didn't really want to go to college anyways so that's no big loss), to say nothing about the computer equipment you might have in your home (even if it's not yours). We haven't even touched on the compromised accounts yet. Each one of your DDoS client hosts constitutes a breakin and unauthorized use (minimum -- actual charges will probably be a lot more), each with its own penalties and fines. You think Mitnick was imprisoned for too long? They're going to have a hundred times the amount of evidence on you than they had on them. How long do you think you'll end up being behind bars?
Is this really worth it, kids? Is your l33tness really that important? You know, in a few short years (months or weeks for the more pathetic), nobody is going to remember who the fuck you are, much less any of your l33t conquests. Do you really think you're going to get in the newspapers and have a bunch of "security firms" offer you nice cushy $150,000 jobs working with nice state-of-the-art computer hardware? I suggest you stop buying into what your kiddie friends are saying on IRC and do a little hard research on your own. I imagine you're going to be pretty disappointed.
Get a life, man.
Re:Ahh the moral vacuume of the hacker (Score:2)
party and explain the weakness without releasing details publicly.
But what about cases such as Microsoft's one-time pretence that certain security vulnerabilities did not endanger their users? A case can be made that, on balance, CDoC releasing BackOrifice was a good thing, because it forced recognition of the issue.
I'm not saying this is the normal case; instead I am simply arguing that it isn't always vandalism to release code that makes use of security weaknesses.
BTW, the DDoS vulnerability can be fixed within IPv5.
Re:Method to Madness (Score:2)
IMO, buy.com was pretty lucky that the DOSers decided to hit yahoo before hitting them, otherwise their stock price would have been much more badly affected. ("hey, if they can take down yahoo, they can take down anyone right? So it's not really our fault; market, don't blame us").
Re:Nuclear weapons... ended WW-II earlier. (Score:2)
Oh, really? They would have 2 cities turned into nuclear waste piles less to worry about.
-- Abigail
Re:Ahh the moral vacuume of the hacker (Score:2)
That's like saying "hand out untraceable guns so the government will speed up the gun control laws". It's a dangerous, irresponsible attitude. I lock my doors not because people can get in - I lock my doors because there are thieves. And I don't fancy the idea of having to hire a security guard because someone is handing out sledgehammers, just to prove the point that doors have weaknesses.
-- Abigail
The problem(s) (Score:2)
First, the vast majority of these hackers aren't as philosophically attached to Open Source as you, not to mention most of slashdot, appear to be. They're largely different groups, with some overlap in between. So what may motivate slashdot to change their stance likely will not sufficiently sway most in the security "community".
Secondly, assuming the two groups are one and the same, the Open Source community should not change its stance on something so fundamental as this, based on public perception. It goes against most of what Open Source supposedly stands for--truth before "perception". In my eyes (not that I'm a zealot), it would be equivalent to agreeing to sell all source code, yet keep it "open", for the sake of appeasing those for whom Open Source and communism are synonymous.
Thirdly, I don't believe the general public is truly aware of Open Source in this context. There may be a vague recognition of the words "Linux", "Open Source", and "slashdot", but they don't know its stances on such things. So public perception is essentially a non-issue.
Fourthly, I believe you must distinguish between security (as in files, information, private networks, etc) and denial of service. I, offhand, can't think of too many large sites that target the general public that have been offline for extended periods of time due to hacking. I was not exactly advocating DoS utility creation, thus I will not touch on it.
Last, but not least, I don't believe any actions (against SECURITY exploit publication) by law, the open source "community", or otherwise, are going to have a significant, sustained, and positive effect on security for the general public. As I alluded to earlier, I believe there is a substantial argument for the publication of exploits. Put simply, by making the publication of exploits a "no no", you merely drive it underground. The net effect of this is that even the highest security of sites are left to guess at what the hacker community has in terms of exploits (this is especially true with proprietary and very much closed source vendors (e.g., Microsoft)). While your "tank" argument (as you perceive it) may come into play here, I must disagree. The same elements that make the internet such a great thing also have the effect of providing a common ground and forums for hackers, while providing every "hacker" with potential access to every site on the internet--vastly different from the "local" scenario you seem to be describing.
Actions against publication of exploits may have the effect of driving the script kiddies out of town (or rather, just leaving them ill-equipped), but I'm not even sure if that is necessarily a good thing (as I mentioned earlier in the "seasoning" argument). Such actions may have the effect of just leaving these exploits in the hands of elite professionals. Imagine, say, the KGB (or whatever it is called today) looking to harm the United States in 10 years, after the internet is responsible for 50% (extremely high in my opinion) of our GDP in one way or another. Suppose that your actions were successful, that you drove all hackers in the US out of business. What are you left with? The same Microsoft. The same universities. The same military networks. Corporate networks. Unfazed by the prospect (lack of publication) of exploits, hackings, and the like. So many unseasoned targets, with what are frankly OBVIOUS exploits. With one or two obvious exploits, they could turn it over on networks automatically--realizing success proportions that today's script kiddies can't even dream of. Giving them access to even 10% of major internet sites could not only be an extremely valuable intelligence tool, but it could also be an economic and telecommunications weapon.
Though the KGB attacking may be an extreme and unlikely scenario, it could also be a devastating one. More likely, and somewhat less devastating, would be terrorists and the like using it in somewhat less coordinated attacks. Or industrial theft, espionage, etc. carried out against virgin targets.
By making security an industry, by allowing publication, you do more than just improve the actual design of operating systems and the like. You create a more educated group of security professionals. Who, in turn, create a more aware group of system admins. Who in turn demand more secure software from vendors... The interplay between all these forces and groups does have positive consequences.
Larger, more important sites are benefiting a great deal from the status quo. In the short run, I fully realize that the current nature of publication+script kiddies leaves the less attended to sites at something of a disadvantage. Many of these "smaller" or less important sites can't afford to worry about security a great deal; they can't afford to check the latest vulnerabilities before they're put in the hands of thousands of script kiddies world wide. For whatever it is worth though, I believe that the vast majority of vulnerabilities are due to sheer negligence of the vendors. Put simply, they couldn't care enough about security to make it a priority. I do believe that, when and if script kiddies ever become THAT much of a problem, the vendors will have to respond by creating higher quality (less hype, spend more time making sure it works, instead of rushing it out the door) and more secure software. If it is reasonably possible (and I believe it is), market forces will dictate to the vendors.
Re:suck.com lays the smack down (Score:2)
Re: learn your history before you sound off. (Score:2)
Hirohito was not a noble man. He wasn't anything better than Hitler.
-- Abigail
Re:Ahh the moral vacuume of the hacker (Score:2)
No, the weakness lies (partially) in the protocol. It's not really feasible for an admin to say "oh, let's get rid of IPv4, and use nothing but IPv6".
Doors have weaknesses too. They don't hold against the attack of a tank. And as long as no one starts building tanks and leaves them on the street for grabs, that isn't a problem.
-- Abigail
Re:The problem(s) (Score:2)
Should we also hand out machine guns to gangs, so we will be aware in case of an attack by another country?
Just because it is important to protect yourself and make your site and connections secure doesn't mean it is ok to hand out tools to make attacks easy.
-- Abigail
Ummm, rational? (Score:2)
Guns are of entirely different nature. When someone is shot, that is the end--there is no worse crime. Thousands of people have been killed by guns in this country. Empirically speaking, script kiddies have done very little severe damage with security exploits (not DoS scripts).
In releasing guns to the general public, no reasonable person could claim that it results in a positive net effect. It is not possible, for example, to, say, merely apply a new chemical to your clothing that makes it bullet proof. Nor could you claim that your bullet vulnerability is due to some flaw in your body or your clothing that can merely be patched. Furthermore, we have a strong military--foreign invaders are not going to be deterred by small civilian arms. Anyone who could defeat the US military would defeat US citizens with relative ease, regardless of how many rifles they may have. Additionally, we have a strong police--most people don't need that kind of protection. Yet my arguments for exploits still stand (at least you refuse to attack them head on). Vendors are forced to take corrective action every day that many of them would not otherwise have taken were it not for the current approach. The larger ISPs are starting to harden themselves to script kiddies, and are, in the process, making it tougher for wide-spread (particularly automated) hacking by other more malicious interests.
To boil this all down for you: publishing an exploit is not INTRINSICALLY immoral. If you wish to say it is unwise or immoral, you should make an argument that the results of publishing the exploit are. I could see your arguing, perhaps, that the short-term losses far outweigh my somewhat longer-term and more theoretical benefits. However, I obviously take a very different view, both in the assumptions made (on which these decisions are predicated) and in the conclusions reached.
Re:Ahh the moral vacuume of the hacker (Score:2)
issue in the most hysterical terms. A closer legal analogy would be
the law on trespass.
It is a dangerous case, but to look at the sledgehammer analogy:
suppose a company is selling doors claiming that they are suitable for
bank vaults, and me and a friend discover that we can break through
the doors in about five minutes with sledgehammers. Suppose we
contact the company, and their response is `you are lying, the doors
are perfectly adequate for the purpose', then is it not the case that
revealing this weakness in the doors serves the public function of
exposing false claims?
Re:Ahh the moral vacuume of the hacker (Score:2)
Perhaps, but that's not the issue. The analogue would be to hand out sledgehammers to everyone who wants one. Which is totally different than singling out a single door for a presentation.
-- Abigail
Re: Hirohito was not a noble man. (Score:2)
Until the end of the war, Japanese Emperors were seen as gods, a status no English monarch ever achieved.
Although the Japanese troops had a well deserved ugly reputation for brutality (especially in Nanking China), the Japanese never embarked on a Hirohito-led genocide.
Ask that to the Koreans. Ask that to the few survivors of the slaves that built the Burma railroad. I'm too young to have experienced the war, but the generation before me did. And from that generation, I know many people that lived in Indonesia in the early 40s. (I am Dutch, and Indonesia was a Dutch dependency at the time). I know many people who spent a significant number of years of their childhood in prison camps. I know people who lost their fathers/brothers/uncles in Japanese labour camps. I know people who were tortured by the Japanese, and suffered the rest of their lives from the consequences. I know people who, after more than 50 years, *still* wake up during the night with nightmares. All done in the name of the emperor of Japan.
If Hirohito was as bad as Hitler, then why did he never stand trial as a war criminal, a la Nurenberg?
I've no answer for this twisted US political agenda point. It certainly did not have unanimous support from its allies, but given the US dominance, what could they do about it?
A final point. When Hirohito died in 1989, why did the U.S. send dignitaries to the funeral if he was as bad as Hitler?
Economical and political reasons. The US was never (partially) occupied by Japan, nor did it have a significant number of civilians that suffered or died in prison and labour camps.
Let me rephrase that question. Why was it that the Netherlands, who more than any other country in the world depends on foreign trade for its economy, which has Japan as one of its biggest trading partners, and which, like Japan, is a monarchy did not send any dignitaries? No member of the royal family, no political hotshot? Just a tiny delegation from the embassy. And while there were dignitaries a month later during the inauguration of the new emperor, it was a rather small one, and didn't include the queen or her spouse, because the entire concept of "emperor of Japan" is considered tainted.
-- Abigail
Re:Ummm, rational? (Score:2)
Both.
Publishing an exploit is not INTRINSICALLY immoral.
Of course not. I never claimed it was. What I argue against is handing out the tools to exploit a hole (be it a DoS or a security breach) to anyone who wants it.
-- Abigail
Re:Ahh the moral vacuume of the hacker (Score:2)
arguing that sometimes publishing tools that make it painfully obvious
that certain security vulnerabilities can be exploited *can* be a good
thing. I note that Bruce Schneier's latest Cryptogram [counterpane.com]
comes to pretty much the same position as I. He's come from the
opposite direction to me, though: I used to think it was always
irresponsible to publish such code, until the CDoC's BackOrifice was
published.
Where is your argument? (Score:2)
As I've said before, I'm an advocate of disclosure. However, that does not mean that I think all, or even most security "pros", are motivated altruistically. In fact, the motive to publish is very much a self-centered one. I, for a long time, have held the belief that there is something of a symbiotic relationship between script kiddies and the security professionals who create exploits (script kiddy fodder). The professional not only improves his recognition as a security guru, but he also helps drive up demand for his services when the script kiddies, inevitably, start hacking.
That being said, not every act done out of self-interest is NECESSARILY bad in any context (e.g., the entrepreneur). Nor does every act done out of self-interest, with initially negative consequences, have a net bad effect (e.g., the small business that displaces mom-and-pop stores).
Some of the pros follow a path which I believe to be optimal. That is, they first generally discuss the exploit and/or email the vendor(s) and ask them to patch it. Then, after a given period of time, or if the vendor(s) refuse to fix the problem, they'll publish an exploit. Unfortunately, many vendors are less than honest when it comes to these issues, so they force the hand of the hacker. In these kinds of cases, I advocate 100%.
Another argument which I have mixed feelings about is one of KEEPING the security profession alive. This can be supported by arguing that exploits are necessary for education (of other pros, but also the up-and-coming kiddies). Remember that many types of exploits work cross-platform with minimal work applied. So that, if I were to create an exploit on, say, Solaris, and email Sun exclusively, the other security professionals would not benefit from my new technique. Nor would the other vendors' systems necessarily be exposed to the same level of scrutiny.
The secondary argument I'll make is that in order to have a system hardened against truly determined attackers, we need a system where security is deemed to be IMPORTANT. If the only reminder of the importance of security is the more stealthy/determined hackers (e.g., the opposite of a script kiddy) that I've referred to, the costs of hiring professionals would be deemed as too steep relative to the apparent unlikelihood of getting hacked. This is where, I'll say, the symbiotic relationship comes into play...possibly for our benefit...in the long term...
Re:Nuclear weapons... ended WW-II earlier. (Score:2)