Posted
by
CmdrTaco
from the no-surprise-there dept.
quakeslut writes "It's Feb. 1st everyone... and all of you who have been reading Slashdot know that today MyDoom.A begins it's attack... according to Reuters, SCO has already been hit hard. Stay tuned for Tuesday when MyDoom.B hits Microsoft..."
This discussion has been archived.
No new comments can be posted.
I just called his home and it sounds like his wife on the answering machine. It said something like, "Hello, you've reach the McBrides. We're not home at the moment, please leave a message and we'll get back to to you", or something to that effect.
I left a message:
"Sorry to say, but, you've been Slashdotted. Have a good Sunday."
and then I hung up.
Tee-hee-hee! Let's all/. his home phone! (I know this is cruel, but it's fun)
I think we should all send him a present! For example, these guys [wormman.com] will ship a big ol' batch of live crickets. For $58, we could ship ol' Darl 5000 crickets and I know that would cheer him up!
I must say,/. readers dissapoint me more and more. Incitement of harrassment is exactly the sort of thing Bruce Perens was trying to get away from.
The response to the mydoom virus and the sco case in general on here and other forums might well have put the advance of Linux back 5 years in terms of it's corporate image.
This should not be a personal battle against one individual (and now by your actions and that of others direct harrassment of his family) it should be a legal and economic battle. Whatever moral high ground the linux community might have about the sco case is effectively undermined by childish actions such as these.
I could see some point in publishing the company address and his corporate number. But publishing his personal contact details is reprehensible. Encouraging harrassment is not big, clever or funny.
by Anonymous Coward writes:
on Sunday February 01, 2004 @10:36AM (#8150807)
Some guy on winnetmag obviously thinks they should be offline, they must have brought it upon themselves [winnetmag.com], as he seems to think the virus is the fault of UNIX. he says that "A new email virus called MyDoom is spreading rapidly across the Internet through UNIX mail servers, bringing with it a dangerous attachment that, when opened, can give attackers access to users' computers through an electronic backdoor."
Sunday isn't even a business day? How much money will they not lose?
There is one basic flaw in your assumption. Granted, for many businesses, this would hold true, but not SCO. Being attacked on Sunday is just as detrimental as being attacked on Wednesday, as it appears they make just as much money when no one is there as they do when the place is fully staffed: nothing.
I am sure they will spin this around and demonstrate how this hurt them terribly, costing them tens, if not hundreds of dollars in potential sales;) Then again, they will blame the Linux community for this, even though its soley from a bunch of owned Windows boxes. This is akin to blaming Smith and Wesson for injuries to the neighbors when you fire your gun in random directions.
Sunday isn't even a business day? How much money will they not lose?
...are you saying they would loose money if it was a business day?
Well, I guess they have received "linux-fees" from 12 linux users so far... so if the DoS attack keeps the website down for a week, they might loose like USD 600 (or whatever the fee was).
The person who wrote the worm is not very good anyways... only 25% of infected machines will perform the DoS attack (see the virus information page for McAfee and Symantec).
Anyways, they are counting that there's about 1Million infected machines, and if 25% of those do the DoS attack, it's 250 000 machines.. which would still be the largest DDoS attack in history so far.
One thing I don't understand is why the DNS entry hasn't been removed for www.sco.com. I mean, they have no chance in hell of stopping this thing, and keeping the DNS entry intact causes a slowdown on a lot more things than just SCO's webserver.
I guess it's just a matter of time until www.sco.com is pointing to www.slashdot.org:)
I would expect that deliberately setting a domain that you knew was under attack to point at anyone would make you just as guilty of the attack as whomever set it up to begin with.
Oh, hi andy. Yes, this is what we refer to as an "off by one" error. The attack is scheduled Feb 1 (Sun) through Feb 12 (Thu). That's off by one. Feb 2-13 would have gotten you two full business weeks.
SCO obviously does not care about being forewarned,
and wants to milk this for all they can.
From the article:
"While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning," Jeff Carlon, worldwide director of Information Technology infrastructure, The SCO Group, said in the statement.
NOTE TO SCO: You don't have to communicate any
series of contingency plans to anyone except
your own IT staff (if you have any left).
Any press releases from SCO will be
obvious FUD and will not mean a damn thing.
Yeah, I read that and knew that couldn't be the mindset of a technology company. It must be true that SCO has completed the transition into a litigious entity. I mean, who is going to buy or trust OS software from people that had 5 days notice of this event and couldn't think of a single thing to do to protect their site?
Registrar: DOTSTER
Domain Name: SCO.COM
Created on: 03-SEP-87
Expires on: 02-SEP-04
Last Updated on: 22-JAN-03
Take note that the last change of their domain record was a year ago last sunday,. No one even bothered to do something as simple as change www.sco.com to a place holder on another subnet and then use their massive free publicity to announce their alternate name for the duration of the virus DDOS attack.
When the response boils down to nothing more than a promise to make more announcements, well, I think they are sacrificing what is left of their technical reputation.
SCO has updated their dns servers and axed the record for www.sco.com. NXDOMAIN means no such domain. Wonder why SCO didn't announce that they themselves took www.sco.com completely offline.
Hopefully the media will know about this when SCO complains about the DDOS attack. Now I know why the rest of their services are fairly intact and responding.
My point is that sevaeral SCO folks ( and Darl specifically) are blaming the actual traffic flood, even todays PR release [groklaw.net].
LINDON, Utah, Feb. 1/PRNewswire-FirstCall/ -- The SCO Group, Inc. (Nasdaq: SCOX), the owner of the UNIX(R) operating system and a leading provider of UNIX-based solutions, has confirmed that a large scale, Denial of Service attack has started that has made the company's Web site, www.sco.com, completely unavailable. Internet traffic began building momentum on Saturday evening and by midnight Eastern Time the SCO Web site was flooded with requests beyond its capacity. The company expects these attacks to continue through Feb. 12.
SCO has made their website completely unavailable by removing the www.sco.com name record, not a flood of packets. They have mentioned nothing about packet filtering at the router level or any alternative method of keeping their main site online. When the attacks start flooding Microsoft, do you think they will just take their main site down or look at a solution that keeps them up?
I'm only pointing out that SCO is not being honest about the reason for their web sites complete unavailablity. They could still be online with several alternative options that they aren't exploring and want to act like they have no choice in the matter. It looks like they are taking the 'poor me' attitude when things could have been made much better with a little effort.
Maybe their site isn't as important to the operation of their new business model. It may be an even bigger asset to them as a publicity tool while it is down ( due to their lack of name record). When I see them admit that they took it down themselves, then they will have a bit more credibility. With no name record, thus no actual attack on their site, they can't know when the attack would have ended or how severe the flood would have been. They can't really track the attack via DNS lookup operations because that can't give an accurate picture of the potential flood, only the number of participating machines.
They've removed the means to gather statistics about the attack and devise means to counter a defense. The opposite of what I would expect of Microsoft, IBM, Symantec, RedHat, Slashdot or thousands of other sites on the internet.
Speaking of FUD... Is there a way to tell if it's actually DoS'd, or if they shut it down themselves??
www.sco.com has been pulled from their dns records. Their whois info shows four dns servers: ns.calderasystems.com, ns2.calderasystems.com, c7ns1.center7.com and nsca.sco.com. IFAIK ns.sco.com, ns1.sco.com and ns2.sco.com use to be their DNSs of record. I ran a quick check of www.sco.com on all seven servers and found it had been removed. Since their is no ip number for that name sco never sees the http request.
I personally would've changed it to lo (127.0.0.1) so at least other dns servers would cache the first request (and serve out copies without checking) thus taking avoiding a lot of those hits to their dns servers everytime MYDOOM makes it's request. Even with their current setup they should avoid most of the force of MYDOOM (unless it attacks a range of active names and/or numbers).
The better solution if they want to keep their web server alive is to channel all requests to another web server with a thin pipe (say a T1) right off a backbone that reads the http client header, discards the MYDOOM requests (also with some real ones) and forwards everyone else to their real http server (say www2.sco.com). This could greatly minimize MYDOOM's damage, changing the a hurricane into a rain shower.
On the other hand doing it their way allows them to more easily cry "poor [sco]", claim this attack completely shut them down, have a record of exactly how many attacks they're getting and claim they lost business (like they had any anyways). This whole attack has "script kiddie" written all over it. If the author lives in the US there's a fair chance they'll catch him, and then he's SOL. In my opinion MYDOOM discredits the gnu/linux community. sco sucks but this isn't the way. An opinion shared by most in our community.
Thanks for the info, saved in my evergrowing "SCOpera" files:)
I looked at MyDoom's innards, and it struck me as odd, not typical script-kiddie material at all. I got the sense it was the work of someone whose programming work had *not* previously included this sort of thing. So I'm inclined to agree with the speculation that it's primarily a spammer's zombie-generating tool, built by contract with some starving professional coder, and that the SCO and M$ DoS components are red herrings.
As you say, SC0-baiting is great fun, but illegal attacks do nothing for the case against them (tho they seem to be using it to further their own case *against* themselves, judging by the "time travel" element that Groklaw pointed out) and just make us look bad. SCO is perfectly capable of cutting their own throats without "help".
SCO had plenty of time to prepare for this. They were well aware it was coming. I personally believe it's a publicity stunt. (which probably wouldn't surprise anybody around here).
makes you wonder if they had anything to do with the virus itself? if someone was going to make a blatent attempt at SCO - why not make it a surprise. publicity stunt it may be, all being run on feb 1 (sunday, non business day) - its obviously worked. news all over the world has picked this up.
Analysis shows that all other sites on that router ring are working properly, that the net is no slower than usual and that You can still download SCO Linux [sco.com] from their site.
SCO Linux includes all the SCO disputed IP under the GPL, so download it now and burn to CD - keep it on a shelf and if anyone tries to claim money show that SCO have given you a license to use the code under the GPL.
O'BRIEN: One final thought. You're talking about the ultimate hall of smoke and mirrors here. What are the chances you could be duped into giving the reward to a culprit?
MCBRIDE: Well, the way it works here, Miles, is to pay the reward out means that that person will be in jail. So I guess conceivably they could turn themselves in, go to jail, sit around with their $250,000 and get out. So I guess maybe that's the way to make money. Since you can't make money w
But don't type 'wget -r --accept=.rpm --http-user= --http-pass= http://linuxupdate.sco.com/scolinux/update/RPMS.up dates/', no sir! That just wouldn't be friendly, now would it?
It might well be a publicity stunt; but it's not like they're completely unprepared, at least according to netcraft [netcraft.com]:
We had expected that SCO might take www.sco.com out of the DNS in the run up to the MyDoom DDoS payload in order to keep the denial of service http traffic off the Internet. So far, though, www.sco.com still resolves and receives http requests, though closing the connection without sending a response.
That said, the sco.com hostmaster is reserving his options, with the TTL set to just 60 seconds at time of writing.
So instead of DDOSing the webserver, they'll DDOS their DNS provider.
Still, better than nothing I guess...
Setting it to two, four, or even sixteen minutes wouldn't have caused them to lose much flexability, and since the DDOS "client" dings them every 60 seconds (IIRC) it would have put one half, one fourth or one sixteenth as much load on DNS.
But I guess that's what you get when you got a lawyer running the IT department.
Not yet. I just checked all 4 of their name servers:
AUTHORITY SECTION: sco.com. 6H IN NS ns.calderasystems.com. sco.com. 6H IN NS ns2.calderasystems.com. sco.com. 6H IN NS nsca.sco.com. sco.com. 6H IN NS c7ns1.center7.com.
and all of them return www.sco.com. 1M IN A 216.250.128.12
So their name servers are still up and running, and pointing to a valid address. Reasonably, they have a 1 minute TTL, which will give them a quick response if they do decide to point it at 127.0.0.1 or 66.35.250.150.
the AC
the slashdot crud filter doesn't like double semi-colons in posts
A DDOS like this will have a trivial effect on a company like SCO, whose business model does not depend on its web site. For Microsoft, though, it really might cut into their bottom line and esteem as a company. Let's hope something good comes out of this idiocy.
well, a DDOS attack on MSN wouldn't look so good. all those subscribers in redneckistan with suddenly no homepage to click on. "Ethel Sue! The Inter-o-net ain't workin'" "Billy John, I done told you we should have went and got ourselves that there newfangled Verimazon Dee Ass El!"
The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack
I'm typing this and the time is currently 14:30UTC.
For those who are interested, it does appear to work in wine, before the news of it reached slashdot, I ran a copy of it in controlled conditions under Wine to see what it would do. It appears to be mainly a spam relay with SCO DOS'ing added as an afterthought.
Course it's not funny they will just say "The terrorist group "Linux Community" has claimed responsibility for the attacks" and declare us part of the axis of weasel like they did the other day on CNN.
Does anyone believe that this will do anything except help SCO? It associates their enemies (IBM, Linux), with worm/virus creators and spammers. If this sort of thing keeps up, the US Legislative and Executive branches will actively take the side of SCO and MS against Linux and it's "hackers".
What do they need a website for anyway? Their only business is lawsuits and press releases.
YOU might not assume those things, but Joe Public will. It's all about perception. And if they catch the perp and he DOES turn out to be a linux zealot, it will taint the whole community.
Just because YOU have some sense and intelligence doesn't mean the press or the public does.
Ah, and that is exactly the attitude that is holding Linux and OSS in general back.
Public perception DOES matter, dimwit. Unless you want Linux to forever be a niche OS on the desktop that is. Maybe you do, and you're entitled to that opinion.
OpenBSD journal was commenting on how SCO moved their servers to OBSD: http://www.deadly.org/article.php3?sid=20040131082 431 Not even the might of OpenBSD web servers can stand up to a mass of infected windows boxen - watch out Microsoft, they're coming your way soon!
I don't advocate virus attacks to further the OSS community's aims...all Linux software authors and organizations ought to be suing SCO instead. That kind of attack will cost them real money and time, and won't generate any sympathy from anyone (who's sane anyhow).
by Anonymous Coward writes:
on Sunday February 01, 2004 @09:48AM (#8150507)
According to heise.de [heise.de](in English [google.com]) MyDoom.B is not nearly as widespread as the A-version. According to the article the A-version just had a good start, because it was distributed through an IRC-Botnet. So we will probably not see microsoft.com going down.
What I don't get is how this virus spread so far, considering how hard it must to be get infected by it. You'd have to go out of your way to get infected since the spreads its self as zip compressed attachment.
I can understand how past viri have spread so quickly taking advantages of exploits in Outlook and Windows RPC etc, but this doesn't seem to use any exploits what so ever.
Is it just a lot of stupid users or I am missing something?
An infection where the user knowledgeably accepts a substance ( even if considered harmless at the moment of acceptance ) should be called "a poison", not "a virus".
If you are given a drink that will kill you, but you drink it without knowing - that's a poison. If someone sneezes a few feets away and an airplane passes by you at the same exact moment of the other person sneezing and you can't hear the sneeze, and you get infected - then it's a virus.
Hence, opening an executable is subjecting yourself to the possibility of poisoning. Reading your email while a flaw is exploited in your email client is a virus.
a lot of stupid users? yes and no. For the past 4 versions of Windows Microsoft has refused to remove a huge security hole called file extension hiding. They knew it was a gigantic hole when they added it, and many MANY times industry experts have pleaded to them to remove it. Microsoft refuses.
Microsoft did not spread the virus but they created the tools to ensure it's spread by the non-technical.
and people ask about the "cost" of linux, how about the extreme cost of continuing to use Microsoft products...
For the past 4 versions of Windows Microsoft has refused to remove a huge security hole called file extension hiding.
Bollocks. The people commonly infected with viruses wouldn't even know what a file extension was, let alone the difference between an exe and a txt file.
"The one with the W is a word file, the portrait is a graphic file etc". Give a file "virus.exe" the same icon graphic as a word file, and most users wouldn't know the difference.
On the other hand, if you don't hide the extension, then each of us here would be constantly dealing with dumb users who have renamed "Document1.doc" to "Report" (no extension). For 99% of users, hiding extensions is a good idea.
So explain to me why I've had this conversation several times with my users:
Well, of course I opened it. It says it's a JPG, and you can't get a virus from a JPG.
I don't understand - I thought you couldn't get a virus from a text file?
It's just a web page, it can't possibly be a virus.
Answer: a little knowledge is a dangerous thing. Especially if you're dealing with people who have file extensions turned on at work, but off at home, or vice versa.
What I find particularly fascinating about all of this is the fact that this is being treated primarily as a user education issue. While it's true that a savvy user can dodge this attack completely by simply not opening the attachment in question, one might still rightly ask, "Why is it that users have to be security-savvy in order to effectively use their computers?" Many of the security problems that we see are, in fact, caused by architectural flaws.
The lack of distinction between executable files and data is the first problem. Windows differentiates between data files and programs through file naming convention; the mere construction of a filename is sufficient to get the operating system to attempt to run it if the user should happen to click on it within the GUI.
Other operating systems don't do this. Unix systems have an attribute separate from the filename that indicates that the file is executable code. This attribute (a permission bit, actually) must be set in order for the code to execute in response to a click from within the GUI (or, for that matter, in response to actions in the command-line interface). Had this worm been effective on a Unix system, it would have required that the user save the attachment as a file, modify the executable permissions for the file, then invoke the application. Most other non-Unix systems with which I've worked are similar; you have to either explicitly communicate to the operating system "run this file as a program" or somehow bless the file in order to turn it into an application.
Once the application is running, we discover the next major architectural flaw: it's possible for most users of Windows to modify the behavior of the operating system itself without realizing it. Most modern operating systems require a user to be in some sort of a privileged mode in order to install applications or otherwise change the behavior of the system. The "su" command (or, better yet, the "sudo" command) in Unix allows one to assume "superuser" privileges for this purpose. In Windows, you have to be logged in as a user with administrative rights to the computer, but there's no simple way to assume and release privileges for the purpose of installing an application. So most users (outside the most restrictive of corporate environments) use their Windows environments from a login with full administrative privileges. This is the equivalent of running one's Unix environment while logged in as "root," a practice regarded as reckless and incompetent. Unfortunately, it's very hard to get work done in Windows any other way.
As a result, malware like the MyDoom worm can take advantage of these administrative privileges in order to make itself harder to remove. It's quite common for such applications to add themselves to the list of things that run when the computer is started up. One variant of the MyDoom worm even goes so far as to damage a network configuration file in order to make it difficult for antivirus software to download updated signature files. These attacks work only because the worm is easily able to gain administrative rights to the computer. There's certainly plenty of mischief that can be perpetrated as an ordinary user, but it's quite a bit easier to prevent when the OS is off-limits. And, when bad things do happen, it's vastly easier to clean up the damage when the integrity of the operating system itself isn't in question.
So, the next time you hear the claim that a security problem is caused by a user acting stupid, consider this: is it really the case that the user is stupid, or is the real stupidity the set of architectural decisions that enable the user to make mistakes?
Never underestimate the power of human stupidity. I spent a whole working day doing nothing but cleaning this virus (with stinger) in the process of which I found a couple other worms as well. You ask people, why did you even look at that attachment? What made you think it was a good idea to run it? And half of them say, I didn't open an attachment! Well, bollocks to you, obviously they're clicking things without realizing what they're clicking. People need more computer training, plain and simple. I wonder if the situation would be analogous to driver training. Germany has much much driver training than the USA and consequently they can have highways where you can drive as fast as you can manage without doing anything stupid (besides drive really fast in the first place.) Of course, there, if you get caught without your reflective triangle on the autobahn, kiss your license good bye; Same if you're hogging the left lane and someone flashes their brights at you, and you don't get over.
I wonder if more computer training would reduce the number of "accidents" like this that we have here. It seems even most persons who use the computer as a key part of their job every day have no idea what the hell they're doing. I'm not expecting them to know (much about) how it works, just to sort of get an idea of what's a good idea, and what isn't.
traceroute to 216.250.128.12 (216.250.128.12), 30 hops max, 38 byte packets
1 66.182.216.1 (66.182.216.1) 44.788 ms 45.293 ms 45.307 ms
2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.143 ms 54.774 ms 51.355 ms
3 iah-core-02.inet.qwest.net (205.171.31.142) 54.766 ms 51.816 ms 56.265 ms
4 dal-core-01.inet.qwest.net (205.171.8.125) 56.562 ms 56.563 ms 58.236 ms
5 dal-core-02.inet.qwest.net (205.171.25.130) 58.450 ms 54.056 ms 58.734 ms
6 dap-brdr-01.inet.qwest.net (205.171.225.2) 231.204 ms 99.812 ms 92.647 ms
7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.997 ms 61.537 ms 77.399 ms
8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 55.789 ms 60.882 ms 57.735 ms
9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 57.992 ms 63.093 ms 58.382 ms 10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 89.096 ms 93.724 ms 93.356 ms 11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.825 ms 84.570 ms 85.701 ms 12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 109.317 ms 98.882 ms 314.447 ms 13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 104.638 ms 99.345 ms 104.216 ms 14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 100.682 ms 105.112 ms 101.775 ms 15 * * *
linuxupdate.sco.com has address 216.250.128.241
traceroute to 216.250.128.241 (216.250.128.241), 30 hops max, 38 byte packets
1 66.182.216.1 (66.182.216.1) 48.151 ms 89.228 ms 47.732 ms
2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.187 ms 49.542 ms 52.654 ms
3 iah-core-02.inet.qwest.net (205.171.31.142) 53.441 ms 101.028 ms 53.714 ms
4 dal-core-01.inet.qwest.net (205.171.8.125) 319.413 ms 57.257 ms 59.600 ms
5 dal-core-02.inet.qwest.net (205.171.25.130) 57.595 ms 55.800 ms 57.578 ms
6 dap-brdr-01.inet.qwest.net (205.171.225.2) 61.077 ms 56.746 ms 59.109 ms
7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.587 ms 54.717 ms 59.362 ms
8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 60.098 ms 61.397 ms 58.609 ms
9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 67.524 ms 59.960 ms 71.663 ms 10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 93.370 ms 113.441 ms 92.632 ms 11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.880 ms 85.503 ms 85.974 ms 12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 98.055 ms 97.907 ms 98.232 ms 13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 99.287 ms 96.170 ms 99.050 ms 14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 101.741 ms 104.765 ms 100.452 ms 15 c7pub-216-250-136-254.center7.com (216.250.136.254) 106.771 ms 100.281 ms 105.686 ms 16 linuxupdate.sco.com (216.250.128.241) 106.443 ms 107.751 ms 105.682 ms
(thanks for the tip of trying linuxupdate.sco.com)
traceroute to www.sco.com (216.250.128.12), 30 hops max, 40 byte packets
. ..
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.902 ms 22.986 ms 20.92 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.957 ms 20.977 ms 20.878 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 24.012 ms 22.046 ms 20.96 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.907 ms 23.2 ms 23.912 ms
8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.96 ms 22.868 ms 23.999 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.063 ms 22.648 ms 23.905 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.954 ms 37.252 ms 47.928 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.88 ms 37.841 ms 38.944 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.949 ms 49.296 ms 50.948 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.886 ms 49.851 ms 50.774 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.912 ms 52.526 ms 51.004 ms
15 * * *
traceroute to linuxupdate.sco.com (216.250.128.241), 30 hops max, 40 byte packets
. ..
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.947 ms 20.046 ms 20.905 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.919 ms 29.145 ms 20.855 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 20.951 ms 22.991 ms 23.963 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.945 ms 22.989 ms 23.894 ms
8 p5-1-0-3.rar1.dallas-tx.us.xo.net (65.106.4.193) 23.955 ms 25.426 ms 24.013 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 26.979 ms 62.002 ms 27.099 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.821 ms 37.981 ms 38.89 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.789 ms 38.094 ms 38.888 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 51.054 ms 50.024 ms 50.811 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 51.001 ms 49.886 ms 50.934 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.903 ms 53.136 ms 53.841 ms
15 c7pub-216-250-136-254.center7.com (216.250.136.254) 50.937 ms 51.759 ms 50.787 ms
16 linuxupdate.sco.com (216.250.128.241) 51.004 ms 52.438 ms 50.988 ms
traceroute to ftp.calderasystems.com (216.250.128.13), 30 hops max, 40 byte packets
. ..
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.892 ms 20.06 ms 23.887 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 21.051 ms 19.935 ms 21.034 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 23.82 ms 23.095 ms 23.868 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.987 ms 23.063 ms 20.829 ms
8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.989 ms 22.84 ms 23.934 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.086 ms 25.935 ms 23.877 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.916 ms 38.112 ms 38.925 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.603 ms 38.096 ms 38.94 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.947 ms 49.871 ms 50.914 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.944 ms 49.782 ms 51.008 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 50.836 ms 53.072 ms 53.935 ms
15 * * *
So either they're being merely slashdotted or they "accidentally on purpose" kicked www.sco.com's router power plug out of the wall. According to ARIN, they're all on the same/20 network, so they're probably not on a different final link from XO. They're certainly not being DoS'ed for bandwidth.
Curiously, this article seems to imply that there was a political agenda behind DDoSing SCO - but to quote Mikko Hypponen of F-secure a bit more:
"It's also possible the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus - which is most likely included in order to facilitate sending of spam email messages."
Similiar, albeit longer, quote from him asserting that indeed spammers were behind this worm was in the local newspaper on Friday, but it's in Finnish and I'm too lazy to translate it. But the above quote can be found here [f-secure.com].
Yes, it's a classic trick, and it's worked for thousands of years. I'ts worked for politicians and armies. It's worked for the con-artist and the cult leader. What is this trick? Miss-direction. If you think that this virus has anything at all to do with the open source community or SCO then your not keeping your eye on the ball sparky!
1. This virus makes a machine an open relay. Considering recent legislation [spamlaws.com] and other anti-spam techniques I smell spammer bovine feces here.
3. The open source community is coming up with various anti-spam measures. Don't you think the spammers would love painting their enemy as petulant child - as they have proven themselves to be?
MyDOOM isn't the open source community pissing on on SCO, it's spammers pissing on all of us.
From a list that I am on, there was consideration that routes to SCO may be dropped due to the expected traffic to SCO. The plans were to null route the traffic at the edge of individual AS's.
I know some people think this virus makes the linux community look bad, but that's not really the case. It's just another windows virus in a long line of windows viruses, written somewhere by some asshole for whatever reason they see fit. Even if it turns out that the writter is a Linux fanatic, you can't hold the whole community responsibe for the actions of one individual. Personally i think it's a good thing because it does serve three useful functions (no i did not write it:)).
It forces somes asshole companies of the net for a while.
It raises awareness of the whole SCO fiasco and I'm not seeing much in the way if sympathy for them in the press.
It shows once again that windows is a virus ridden insecure platform.
Forget about the DDOS attacks. It's a distraction. The bigger problem is that the DDOS may be able to be changed on command to any other site on the internet.
This is a spam zombie virus. We need to work securing our comprimised systems and keeping them from joining the spam network and obeying the commands. If anyone has any real information about how this virus works as a relay and how to stop it at the network level please post it.
So far I've found the following links. Blocking port 3127 at the router seems like it could help a lot. Any other (real) solutions would be appreciated.
Given that they knew this was coming, and knew that they didn't have the bandwidth/CPU to handle the masssive overload, why didn't SCO Just set the A record for their website to 127.0.0.1 for a couple of days?? Either that or 192.168.42.42... With the former, a virus infected machine would simply attack itself. With the later, it would try to contact a well known address which would allow sysadmins to find any infected machine (and remove the virus) by simply looking for references to the address.
www.sco.com no longer resolves. They removed it from their name server yesterday. Only sco.com without the www resolves to an ip address. The attack should be almost completely averted by now because of this, but sco.com is still down.
The only possible cause I see for them to still be offline is if they took it offline themselves, or there's been another attack that they've failed to mention to the press, but it's unlikely that they'd turn down any opportunity to slam us if that were the case. Check it yourselves. The worm specifically attacks the domain www.sco.com, which no longer exists, and the dns entry expired yesterday. All that worm traffic should be going to oblivion by now, because Windows doesn't reuse expired dns records when requery attempts fail.
i think it was a joke, unfortunately, you're right he shouldn't even have cracked the joke, because some journalists reading this will take it seriously (damn, forgot to bookmark an example a few days ago).
The parent comment is a JOKE. It is meant to be an amusing commentary on the general attitude of the open source community (us) towards SCO and its current business model. In no way is it meant to encourage illegal attacks (DDoS) on fradulent businesses (SCO). The above JOKE is just a joke, and an amusing one at that.
I wish it wouldn't happen. This virus is painting the Linux community as a bunch of petulant adolescents - regardless of who's doing it.
I'm trying to remember who in the Linux community was quoted in the Wall Street Journal as saying "Let's take the high road." We should do just that. We all know that SCO doesn't have a leg to stand on. Let's let them sink themsleves.
I wish it wouldn't happen. This virus is painting the Linux community as a bunch of petulant adolescents - regardless of who's doing it.
I've been concerned about exactly the same thing. Regardless of where the virus really came from, the fact that SCO and MS were targeted may well have an impact on coming legal and public relations struggles that are important to the Open Source community. Don't think for a minute that this isn't understood completely by strategists at those two companies (as well as other
"I wish it wouldn't happen. This virus is painting the Linux community as a bunch of petulant adolescents"
In case anyone still thinks this virus is related to linux people, let's put it as bluntly as we can:
Spammers have created yet another virus to send their emails, not caring about the cost to you, your computer, the law, or the internet in general
If you believed the spammer lies about how you've opted in to something, or how this is their freedom of speech, or how you can just press delete, then this should be the evidence you need: spammers are prepared to take down the entire internet for their own personal gain.
If anybody has bought anything advertised by email, or is considering doing so, or knows anybody who buys from email advertisements, then please be aware: you are supporting the criminals who are deliberately and maliciously attacking your computer, and the computers of your friends. Their programs are constantly bombarding your computer, where any mistake you make could lead to your computer becoming unusable by you, and being used to send illegal emails in vast quantities to the computers of others.
If any newspaper editor is reading this, and thinks "it's attacking SCO, it must be programmed by a Linux advocate", wake up and smell the misdirection. The DDOS in this virus was added as an afterthought. "Virus creation wizard step 6: you are nearly finished creating your virus. now type the name of a website you want it to attack"
What I want to know is how many people infected their computers on purpose and how man just didin't remove the virus after they found it? Most prople won't do a criminal act will but ignoring somebody elses?
What I want to know is how many people infected their computers on purpose and how man just didin't remove the virus after they found it? Most prople won't do a criminal act will but ignoring somebody elses?
Actually, as a private computer techie, I've been removing MyDoom from my client's computers for the past couple of days. It really is amazing how fast it's spread...
As a Linux geek I must admit to a small snicker at SCO's misfortune here, but it is definately not the right way to go about solving the SCO problem. All publicity is *NOT* good publicity, and the last thing we need is the world to think "Linux == Geeks spreading virii". I've been taking pains to point out the spam connection with the MyDoom virus, and I think that's the angle we should persue here. I can only hope that the next looser who DOSes SCO gives us as easy an "its not us" angle.
Did someone write a variant that went for www.reuters.com? Although they claim Sco.com was the only discernible victim on Sunday. There were no other reports of outages or slowdowns elsewhere online due to the worm..
Does anyone remember the article about Distributed Reflection Denial of Service [grc.com] from around 2 years ago? Quotating that one: I imagine that anyone reading this page is already well aware of my feelings regarding the deliberate and unnecessary inclusion of the raw socket API in a mass market c
Did you read the paragraph preceding the one you cite from the article? It reflects my own initial thoughts on reading your post, and doesn't attempt to blame the OS for what really is a network problem:
If ISPs would begin adopting the practice of preventing the escape of fraudulently addressed packets from within their controlled networks, this potent attack, and its many cousins, would die overnight.
This seems much wiser a suggestion than the anti-MS paragraph which you chose to cite. Who better to set actual network policy than those responsible for managing those networks?
Microsoft including a raw socket API is about as evil as Microsoft supporting the creation of outgoing connections to any arbitrary mail servers -- sure, it's open to abuse (DDoS, spam, etc.), but removing the sort of API that traceroute and ping tools would use to perform useful work is not a security fix. It closer to asking Home Depot not to sell hammers because they can be used as weapons.
Further, having MS remove the raw socket API would lead those with cruel intentions to use non-Windows machines exclusively to do their evil deeds. Consider that the mind which concludes that the raw socket API must be removed because of the unpleasant actions of a few people probably isn't far from thinking that operating systems which are engineered in an open and flexible environment can be used for subversion as well. Suddenly those using "subversive" non-MS operating systems which haven't removed raw packet interfaces are a little more suspect in the public eye.
If ISPs would only permit traffic with sane source IP addresses to leave their networks, then the only effect sending such packets out would have would be to waste traffic between the would-be tricksters and their ISP's router(s).
lthough I certainly don't approve of these malicious virii, I can't help but think that Microsoft is partially responsible for the attacks on itself. Maybe this will be a wake up call to them that security on Windows sucks ass.
In related news: Due to an overwhelming number of trojans DoS attacking various sites, Microsoft has decided that only Internet Explorer is allowed to make outgoing HTTP GET requests on port 80.
Telling people not to voice their opionions because of fear of what other people might think of you is an asinine way to excersice your right to free speech.
Yes, free speech is something we believe in at slashdot as well. We can and should make jokes. Why? Because we always make jokes about things! I would make a joke right now, but (1) I'm not that funny, and (2) I'm just too shocked that I am being told in a +5 comment not to say something.
Let the media report what they will. The fact is, some part of the community that you posted to can find humour in this. We are for sure a community that finds humour in everything.
Actually, now that I read your comment again, I am not sure you are serious. Perhaps it was just a joke and our mods have modded you insightfull?
Unfortunately, this is really the media's fault. There were several high profile articles that quoted posts modded +5, Funny on Slashdot's original article about MyDoom and cited them as the voice of the Open Source community, taking glee at this new virus. It was essentially cited as evidence that the "nefarious" Open Source community was somehow behind this virus or honestly approved of it. Basically these people don't understand how Slashdot works, that we find humor in even the most macabre topics, and that one person's comment doesn't mean anything more than that one random person thought something. As another poster said, it's like quoting a guy in a bar in LA and saying "people in LA think this...".
Anyway, I know and you know how to spot a troll/humorous post/etc. on Slashdot. And we know that people's opinions go all over the map on many issues discussed on Slashdot. Joe Reporter doesn't get this and there is a real risk of them printing more smear-stories about a community that like-it-or-not you will be perceived as part of by virtue of posting here. It's reasonable for us to try not to make that community look bad - not saying not to speak your mind, but to keep in mind that in a high profile story like this, even though you may be Joe Nobody, your words could be used against you and lots of other people.
Before you spout more junk maybe you want to avail yourselves of some information [groklaw.net].
The virus is written in Russia as a mail relay vehichle. They are just using the SCO issues as a foil, and indeed it worked on you. There even is an apology inside the virus from the author stating that he is just doing his "job"
Utility is when you have one telephone, luxury is when you have two,
opulence is when you have three -- and paradise is when you have none.
-- Doug Larson
obvious (Score:5, Funny)
Re:obvious (Score:5, Funny)
Apart from slashdot readers and lawyers who goes to the SCO site these days?
Oh yes, folk who clicked on the 'Make SCO.com your home page' link.
Re:obvious (Score:4, Funny)
Darl C McBride
1799 Vintage Oak Ln
Salt Lake City, UT 84121-6539
(801)424-2006
Hmmmm, I wonder, is it possible to slashdot someone's phone? If you can't get thru try sending him a postcard.
Re:obvious (Score:3, Funny)
Re:obvious (Score:5, Funny)
Yes, it is. Dave Barry did it to the American Teleservices Association.
They got a huge number of calls, the voicemail filled, and they finally had to disconnect the number.
Here's the article that did it:
"Ask not what telemarketers can do to you" [miami.com]
Re:obvious (Score:5, Funny)
in my crontab:
@hourly
Got his wife on the answering machine (Score:3, Funny)
I just called his home and it sounds like his wife on the answering machine. It said something like, "Hello, you've reach the McBrides. We're not home at the moment, please leave a message and we'll get back to to you", or something to that effect.
I left a message:
"Sorry to say, but, you've been Slashdotted. Have a good Sunday."
and then I hung up.
Tee-hee-hee! Let's all
(I know this is cruel, but it's fun)
Re:Got his wife on the answering machine (Score:3, Funny)
you should leave a message saying that you'd like to speak to her McHusband.
I Feel Bad For Him... (Score:5, Funny)
Re:I Feel Bad For Him... (Score:4, Funny)
I'm in for $5. It's better than paying $699 later.
Better yet... (Score:3, Interesting)
Re:obvious (Score:4, Insightful)
The response to the mydoom virus and the sco case in general on here and other forums might well have put the advance of Linux back 5 years in terms of it's corporate image.
This should not be a personal battle against one individual (and now by your actions and that of others direct harrassment of his family) it should be a legal and economic battle. Whatever moral high ground the linux community might have about the sco case is effectively undermined by childish actions such as these.
I could see some point in publishing the company address and his corporate number. But publishing his personal contact details is reprehensible. Encouraging harrassment is not big, clever or funny.
Re:Addy for condolescence cards? (Score:4, Informative)
I guess there just aren't that many Darl's around, probably something for which we should be grateful.
Re:obvious (Score:3, Funny)
The virus is spread by UNIX (Score:4, Interesting)
sheesh where do they get these people
Re:obvious (Score:5, Funny)
I just keep hitting refresh over and over and over again - still nothing - hmmmmmm
Someone ought to check those links before posting
FAKE attack? (Score:3, Interesting)
C:\>ping www.sco.com
Unknown host www.sco.com.
C:\>ping www2.sco.com
Pinging www2.sco.com [216.250.128.33] with 32 bytes of data:
Reply from 216.250.128.33: bytes=32 time=71ms TTL=49
Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
Reply from 216.250.128.33: bytes=32 time=69ms TTL=49
Reply from 216.250.128.33: bytes=32 time=68ms TTL=49
Ping statistics for 216.250.128.33:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-s
Re:obvious (Score:5, Funny)
Come on, automation is your friend.
I just have a terminal open running ping -f www.sco.com
When it starts actually replying regularly I'll know it's good to go again.
Why today... (Score:5, Insightful)
Re:Why today... (Score:3, Funny)
That must be one company where everyday of the week is a case of the Monday's.
But don't say that to loud around Lawrence.
Re:Why today... (Score:5, Funny)
I've been trying to buy three more CPU licenses for Linux, and now I can't use those machines until SCO's online store comes back up.
Re:Why today... (Score:5, Funny)
Re:Why today... (Score:5, Interesting)
There is one basic flaw in your assumption. Granted, for many businesses, this would hold true, but not SCO. Being attacked on Sunday is just as detrimental as being attacked on Wednesday, as it appears they make just as much money when no one is there as they do when the place is fully staffed: nothing.
I am sure they will spin this around and demonstrate how this hurt them terribly, costing them tens, if not hundreds of dollars in potential sales
Re:Why today... (Score:5, Insightful)
Re:Why today... (Score:4, Interesting)
Well, I guess they have received "linux-fees" from 12 linux users so far... so if the DoS attack keeps the website down for a week, they might loose like USD 600 (or whatever the fee was).
The person who wrote the worm is not very good anyways... only 25% of infected machines will perform the DoS attack (see the virus information page for McAfee and Symantec).
Anyways, they are counting that there's about 1Million infected machines, and if 25% of those do the DoS attack, it's 250 000 machines.. which would still be the largest DDoS attack in history so far.
One thing I don't understand is why the DNS entry hasn't been removed for www.sco.com. I mean, they have no chance in hell of stopping this thing, and keeping the DNS entry intact causes a slowdown on a lot more things than just SCO's webserver.
I guess it's just a matter of time until www.sco.com is pointing to www.slashdot.org
Re:Why today... (Score:3, Insightful)
Comment removed (Score:5, Insightful)
Re:Why today... (Score:3, Interesting)
Oh, hi andy. Yes, this is what we refer to as an "off by one" error. The attack is scheduled Feb 1 (Sun) through Feb 12 (Thu). That's off by one. Feb 2-13 would have gotten you two full business weeks.
Bad programmer. Go sit by your dish.
Re:Why today... (Score:5, Informative)
From the article:
"While we expect this attack to continue throughout the next few weeks, we have a series of contingency plans to deal with this problem and we will begin communicating those plans on Monday morning," Jeff Carlon, worldwide director of Information Technology infrastructure, The SCO Group, said in the statement.
NOTE TO SCO: You don't have to communicate any series of contingency plans to anyone except your own IT staff (if you have any left). Any press releases from SCO will be obvious FUD and will not mean a damn thing.
Lawyer think... (Score:4, Insightful)
Registrar: DOTSTER
Domain Name: SCO.COM
Created on: 03-SEP-87
Expires on: 02-SEP-04
Last Updated on: 22-JAN-03
Take note that the last change of their domain record was a year ago last sunday,. No one even bothered to do something as simple as change www.sco.com to a place holder on another subnet and then use their massive free publicity to announce their alternate name for the duration of the virus DDOS attack.
When the response boils down to nothing more than a promise to make more announcements, well, I think they are sacrificing what is left of their technical reputation.
Re:Lawyer think... (Score:5, Informative)
[root]# host www.sco.com
Host www.sco.com not found: 3(NXDOMAIN)
[root]# dig www.sco.com
; > DiG 9.2.1rc1 > www.sco.com
SCO has updated their dns servers and axed the record for www.sco.com. NXDOMAIN means no such domain. Wonder why SCO didn't announce that they themselves took www.sco.com completely offline.
Hopefully the media will know about this when SCO complains about the DDOS attack. Now I know why the rest of their services are fairly intact and responding.
Re:Lawyer think... (Score:5, Insightful)
SCO has made their website completely unavailable by removing the www.sco.com name record, not a flood of packets. They have mentioned nothing about packet filtering at the router level or any alternative method of keeping their main site online. When the attacks start flooding Microsoft, do you think they will just take their main site down or look at a solution that keeps them up?
I'm only pointing out that SCO is not being honest about the reason for their web sites complete unavailablity. They could still be online with several alternative options that they aren't exploring and want to act like they have no choice in the matter. It looks like they are taking the 'poor me' attitude when things could have been made much better with a little effort.
Maybe their site isn't as important to the operation of their new business model. It may be an even bigger asset to them as a publicity tool while it is down ( due to their lack of name record). When I see them admit that they took it down themselves, then they will have a bit more credibility. With no name record, thus no actual attack on their site, they can't know when the attack would have ended or how severe the flood would have been. They can't really track the attack via DNS lookup operations because that can't give an accurate picture of the potential flood, only the number of participating machines.
They've removed the means to gather statistics about the attack and devise means to counter a defense. The opposite of what I would expect of Microsoft, IBM, Symantec, RedHat, Slashdot or thousands of other sites on the internet.
Re:Why today... (Score:5, Interesting)
www.sco.com has been pulled from their dns records. Their whois info shows four dns servers: ns.calderasystems.com, ns2.calderasystems.com, c7ns1.center7.com and nsca.sco.com. IFAIK ns.sco.com, ns1.sco.com and ns2.sco.com use to be their DNSs of record. I ran a quick check of www.sco.com on all seven servers and found it had been removed. Since their is no ip number for that name sco never sees the http request.
I personally would've changed it to lo (127.0.0.1) so at least other dns servers would cache the first request (and serve out copies without checking) thus taking avoiding a lot of those hits to their dns servers everytime MYDOOM makes it's request. Even with their current setup they should avoid most of the force of MYDOOM (unless it attacks a range of active names and/or numbers).
The better solution if they want to keep their web server alive is to channel all requests to another web server with a thin pipe (say a T1) right off a backbone that reads the http client header, discards the MYDOOM requests (also with some real ones) and forwards everyone else to their real http server (say www2.sco.com). This could greatly minimize MYDOOM's damage, changing the a hurricane into a rain shower.
On the other hand doing it their way allows them to more easily cry "poor [sco]", claim this attack completely shut them down, have a record of exactly how many attacks they're getting and claim they lost business (like they had any anyways). This whole attack has "script kiddie" written all over it. If the author lives in the US there's a fair chance they'll catch him, and then he's SOL. In my opinion MYDOOM discredits the gnu/linux community. sco sucks but this isn't the way. An opinion shared by most in our community.
Re:Why today... (Score:5, Interesting)
I looked at MyDoom's innards, and it struck me as odd, not typical script-kiddie material at all. I got the sense it was the work of someone whose programming work had *not* previously included this sort of thing. So I'm inclined to agree with the speculation that it's primarily a spammer's zombie-generating tool, built by contract with some starving professional coder, and that the SCO and M$ DoS components are red herrings.
As you say, SC0-baiting is great fun, but illegal attacks do nothing for the case against them (tho they seem to be using it to further their own case *against* themselves, judging by the "time travel" element that Groklaw pointed out) and just make us look bad. SCO is perfectly capable of cutting their own throats without "help".
How stupid do you have to be? (Score:5, Interesting)
Re:How stupid do you have to be? (Score:5, Insightful)
makes you wonder if they had anything to do with the virus itself? if someone was going to make a blatent attempt at SCO - why not make it a surprise. publicity stunt it may be, all being run on feb 1 (sunday, non business day) - its obviously worked. news all over the world has picked this up.
Re:How stupid do you have to be? (Score:5, Interesting)
SCO Linux includes all the SCO disputed IP under the GPL, so download it now and burn to CD - keep it on a shelf and if anyone tries to claim money show that SCO have given you a license to use the code under the GPL.
Re:How stupid do you have to be? (Score:5, Informative)
Re:How stupid do you have to be? (Score:3, Interesting)
O'BRIEN: One final thought. You're talking about the ultimate hall of smoke and mirrors here. What are the chances you could be duped into giving the reward to a culprit?
MCBRIDE: Well, the way it works here, Miles, is to pay the reward out means that that person will be in jail. So I guess conceivably they could turn themselves in, go to jail, sit around with their $250,000 and get out. So I guess maybe that's the way to make money. Since you can't make money w
Re:How stupid do you have to be? (Score:3, Funny)
Re:How stupid do you have to be? (Score:3, Funny)
Re:How stupid do you have to be? (Score:5, Interesting)
It might well be a publicity stunt; but it's not like they're completely unprepared, at least according to netcraft [netcraft.com]:
Re:How stupid do you have to be? (Score:3, Interesting)
Still, better than nothing I guess...
Setting it to two, four, or even sixteen minutes wouldn't have caused them to lose much flexability, and since the DDOS "client" dings them every 60 seconds (IIRC) it would have put one half, one fourth or one sixteenth as much load on DNS.
But I guess that's what you get when you got a lawyer running the IT department.
Cheers,
Greg
Well actually... (Score:5, Informative)
So the traffic just won't get to them anyway..
Re:Well actually... (Score:5, Informative)
AUTHORITY SECTION:
sco.com. 6H IN NS ns.calderasystems.com.
sco.com. 6H IN NS ns2.calderasystems.com.
sco.com. 6H IN NS nsca.sco.com.
sco.com. 6H IN NS c7ns1.center7.com.
and all of them return
www.sco.com. 1M IN A 216.250.128.12
So their name servers are still up and running, and pointing to a valid address. Reasonably, they have a 1 minute TTL, which will give them a quick response if they do decide to point it at 127.0.0.1 or 66.35.250.150.
the AC
the slashdot crud filter doesn't like double semi-colons in posts
every rose has its thorn (Score:3, Insightful)
Re:MS Business Model (Score:5, Funny)
Wait (Score:5, Funny)
Until Saturday when MyDoom.S hits Slashdot..
Re:Wait (Score:5, Funny)
It shouldn't have happened yet (Score:5, Informative)
From this page [sarc.com]:
The DoS attack will start at 16:09:18 UTC (08:09:18 PST) on February 1, 2004. The worm checks the local system time and date to determine if it should initiate the DoS attack
I'm typing this and the time is currently 14:30UTC.
For those who are interested, it does appear to work in wine, before the news of it reached slashdot, I ran a copy of it in controlled conditions under Wine to see what it would do. It appears to be mainly a spam relay with SCO DOS'ing added as an afterthought.
Re:It shouldn't have happened yet (Score:3, Insightful)
Server (Score:5, Funny)
We dont need no SCO let the #*($&# burn!
Course it's not funny they will just say "The terrorist group "Linux Community" has claimed responsibility for the attacks" and declare us part of the axis of weasel like they did the other day on CNN.
Helps SCO and Microsoft (Score:4, Insightful)
Does anyone believe that this will do anything except help SCO? It associates their enemies (IBM, Linux), with worm/virus creators and spammers. If this sort of thing keeps up, the US Legislative and Executive branches will actively take the side of SCO and MS against Linux and it's "hackers".
What do they need a website for anyway? Their only business is lawsuits and press releases.
Re:Helps SCO and Microsoft (Score:5, Insightful)
Just because YOU have some sense and intelligence doesn't mean the press or the public does.
Re:Helps SCO and Microsoft (Score:3, Insightful)
Public perception DOES matter, dimwit. Unless you want Linux to forever be a niche OS on the desktop that is. Maybe you do, and you're entitled to that opinion.
SCO move to BSD (Score:3, Informative)
Not even the might of OpenBSD web servers can stand up to a mass of infected windows boxen - watch out Microsoft, they're coming your way soon!
Netcraft stats (Score:5, Informative)
http://news.netcraft.com/archives/2004/02/01/sund
And graphs showing the results:
http://uptime.netcraft.com/perf/graph?site=www.sc
Funny, when I go to SCO's site... (Score:5, Funny)
Just like the IBM lawsuit... ;-)
I don't advocate virus attacks to further the OSS community's aims...all Linux software authors and organizations ought to be suing SCO instead. That kind of attack will cost them real money and time, and won't generate any sympathy from anyone (who's sane anyhow).
DLoP still worse. (Score:5, Funny)
netcraft advice (Score:3, Informative)
M$ might not be hit so hard.. (Score:4, Interesting)
How did this virus spread so easily? (Score:5, Interesting)
I can understand how past viri have spread so quickly taking advantages of exploits in Outlook and Windows RPC etc, but this doesn't seem to use any exploits what so ever.
Is it just a lot of stupid users or I am missing something?
Re:How did this virus spread so easily? (Score:3, Funny)
Re:How did this virus spread so easily? (Score:4, Insightful)
If you are given a drink that will kill you, but you drink it without knowing - that's a poison. If someone sneezes a few feets away and an airplane passes by you at the same exact moment of the other person sneezing and you can't hear the sneeze, and you get infected - then it's a virus.
Hence, opening an executable is subjecting yourself to the possibility of poisoning. Reading your email while a flaw is exploited in your email client is a virus.
Re:How did this virus spread so easily? (Score:5, Informative)
Microsoft did not spread the virus but they created the tools to ensure it's spread by the non-technical.
and people ask about the "cost" of linux, how about the extreme cost of continuing to use Microsoft products...
Re:How did this virus spread so easily? (Score:5, Insightful)
Bollocks. The people commonly infected with viruses wouldn't even know what a file extension was, let alone the difference between an exe and a txt file.
"The one with the W is a word file, the portrait is a graphic file etc". Give a file "virus.exe" the same icon graphic as a word file, and most users wouldn't know the difference.
On the other hand, if you don't hide the extension, then each of us here would be constantly dealing with dumb users who have renamed "Document1.doc" to "Report" (no extension). For 99% of users, hiding extensions is a good idea.
Re:How did this virus spread so easily? (Score:3, Insightful)
So explain to me why I've had this conversation several times with my users:
Well, of course I opened it. It says it's a JPG, and you can't get a virus from a JPG.
I don't understand - I thought you couldn't get a virus from a text file?
It's just a web page, it can't possibly be a virus.
Answer: a little knowledge is a dangerous thing. Especially if you're dealing with people who have file extensions turned on at work, but off at home, or vice versa.
Re:How did this virus spread so easily? (Score:5, Interesting)
The lack of distinction between executable files and data is the first problem. Windows differentiates between data files and programs through file naming convention; the mere construction of a filename is sufficient to get the operating system to attempt to run it if the user should happen to click on it within the GUI.
Other operating systems don't do this. Unix systems have an attribute separate from the filename that indicates that the file is executable code. This attribute (a permission bit, actually) must be set in order for the code to execute in response to a click from within the GUI (or, for that matter, in response to actions in the command-line interface). Had this worm been effective on a Unix system, it would have required that the user save the attachment as a file, modify the executable permissions for the file, then invoke the application. Most other non-Unix systems with which I've worked are similar; you have to either explicitly communicate to the operating system "run this file as a program" or somehow bless the file in order to turn it into an application.
Once the application is running, we discover the next major architectural flaw: it's possible for most users of Windows to modify the behavior of the operating system itself without realizing it. Most modern operating systems require a user to be in some sort of a privileged mode in order to install applications or otherwise change the behavior of the system. The "su" command (or, better yet, the "sudo" command) in Unix allows one to assume "superuser" privileges for this purpose. In Windows, you have to be logged in as a user with administrative rights to the computer, but there's no simple way to assume and release privileges for the purpose of installing an application. So most users (outside the most restrictive of corporate environments) use their Windows environments from a login with full administrative privileges. This is the equivalent of running one's Unix environment while logged in as "root," a practice regarded as reckless and incompetent. Unfortunately, it's very hard to get work done in Windows any other way.
As a result, malware like the MyDoom worm can take advantage of these administrative privileges in order to make itself harder to remove. It's quite common for such applications to add themselves to the list of things that run when the computer is started up. One variant of the MyDoom worm even goes so far as to damage a network configuration file in order to make it difficult for antivirus software to download updated signature files. These attacks work only because the worm is easily able to gain administrative rights to the computer. There's certainly plenty of mischief that can be perpetrated as an ordinary user, but it's quite a bit easier to prevent when the OS is off-limits. And, when bad things do happen, it's vastly easier to clean up the damage when the integrity of the operating system itself isn't in question.
So, the next time you hear the claim that a security problem is caused by a user acting stupid, consider this: is it really the case that the user is stupid, or is the real stupidity the set of architectural decisions that enable the user to make mistakes?
Re:How did this virus spread so easily? (Score:5, Funny)
Re:How did this virus spread so easily? (Score:4, Insightful)
I wonder if more computer training would reduce the number of "accidents" like this that we have here. It seems even most persons who use the computer as a key part of their job every day have no idea what the hell they're doing. I'm not expecting them to know (much about) how it works, just to sort of get an idea of what's a good idea, and what isn't.
DDoS attack time table + analysis of DoS in Mydoom (Score:5, Informative)
http://www.math.org.il/mydoom-facts.txt
It contains the Time Table for the attack along with reverse engineering analysis of the DoS component in Mydoom.
You might also want to check:
http://www.math.org.il/newworm-digest1.tx
Which contains an analysis and reverse engineering bits for Mydoom.A>
Is it Down or is it 'down'? (Score:4, Interesting)
traceroute to 216.250.128.12 (216.250.128.12), 30 hops max, 38 byte packets
1 66.182.216.1 (66.182.216.1) 44.788 ms 45.293 ms 45.307 ms
2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.143 ms 54.774 ms 51.355 ms
3 iah-core-02.inet.qwest.net (205.171.31.142) 54.766 ms 51.816 ms 56.265 ms
4 dal-core-01.inet.qwest.net (205.171.8.125) 56.562 ms 56.563 ms 58.236 ms
5 dal-core-02.inet.qwest.net (205.171.25.130) 58.450 ms 54.056 ms 58.734 ms
6 dap-brdr-01.inet.qwest.net (205.171.225.2) 231.204 ms 99.812 ms 92.647 ms
7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.997 ms 61.537 ms 77.399 ms
8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 55.789 ms 60.882 ms 57.735 ms
9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 57.992 ms 63.093 ms 58.382 ms
10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 89.096 ms 93.724 ms 93.356 ms
11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.825 ms 84.570 ms 85.701 ms
12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 109.317 ms 98.882 ms 314.447 ms
13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 104.638 ms 99.345 ms 104.216 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 100.682 ms 105.112 ms 101.775 ms
15 * * *
linuxupdate.sco.com has address 216.250.128.241
traceroute to 216.250.128.241 (216.250.128.241), 30 hops max, 38 byte packets
1 66.182.216.1 (66.182.216.1) 48.151 ms 89.228 ms 47.732 ms
2 iah-edge-13.inet.qwest.net (63.149.189.73) 51.187 ms 49.542 ms 52.654 ms
3 iah-core-02.inet.qwest.net (205.171.31.142) 53.441 ms 101.028 ms 53.714 ms
4 dal-core-01.inet.qwest.net (205.171.8.125) 319.413 ms 57.257 ms 59.600 ms
5 dal-core-02.inet.qwest.net (205.171.25.130) 57.595 ms 55.800 ms 57.578 ms
6 dap-brdr-01.inet.qwest.net (205.171.225.2) 61.077 ms 56.746 ms 59.109 ms
7 p3-2.IR1.Dallas2-TX.us.xo.net (206.111.5.13) 59.587 ms 54.717 ms 59.362 ms
8 p5-2-0-3.RAR1.Dallas-TX.us.xo.net (65.106.4.197) 60.098 ms 61.397 ms 58.609 ms
9 p0-0-0-1.RAR2.Dallas-TX.us.xo.net (65.106.1.42) 67.524 ms 59.960 ms 71.663 ms
10 p1-0-0.RAR2.Denver-CO.us.xo.net (65.106.0.41) 93.370 ms 113.441 ms 92.632 ms
11 p0-0-0-2.RAR1.Denver-CO.us.xo.net (65.106.1.81) 89.880 ms 85.503 ms 85.974 ms
12 p4-0-0.MAR1.SaltLake-UT.us.xo.net (65.106.6.74) 98.055 ms 97.907 ms 98.232 ms
13 p0-0.CHR1.SaltLake-UT.us.xo.net (207.88.83.42) 99.287 ms 96.170 ms 99.050 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 101.741 ms 104.765 ms 100.452 ms
15 c7pub-216-250-136-254.center7.com (216.250.136.254) 106.771 ms 100.281 ms 105.686 ms
16 linuxupdate.sco.com (216.250.128.241) 106.443 ms 107.751 ms 105.682 ms
Re:Is it Down or is it 'down'? (Score:5, Informative)
traceroute to www.sco.com (216.250.128.12), 30 hops max, 40 byte packets .
.
.
. .
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.902 ms 22.986 ms 20.92 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.957 ms 20.977 ms 20.878 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 24.012 ms 22.046 ms 20.96 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.907 ms 23.2 ms 23.912 ms
8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.96 ms 22.868 ms 23.999 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.063 ms 22.648 ms 23.905 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.954 ms 37.252 ms 47.928 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.88 ms 37.841 ms 38.944 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.949 ms 49.296 ms 50.948 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.886 ms 49.851 ms 50.774 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.912 ms 52.526 ms 51.004 ms
15 * * *
traceroute to linuxupdate.sco.com (216.250.128.241), 30 hops max, 40 byte packets
. .
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.947 ms 20.046 ms 20.905 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 20.919 ms 29.145 ms 20.855 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 20.951 ms 22.991 ms 23.963 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.945 ms 22.989 ms 23.894 ms
8 p5-1-0-3.rar1.dallas-tx.us.xo.net (65.106.4.193) 23.955 ms 25.426 ms 24.013 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 26.979 ms 62.002 ms 27.099 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.821 ms 37.981 ms 38.89 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.789 ms 38.094 ms 38.888 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 51.054 ms 50.024 ms 50.811 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 51.001 ms 49.886 ms 50.934 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 53.903 ms 53.136 ms 53.841 ms
15 c7pub-216-250-136-254.center7.com (216.250.136.254) 50.937 ms 51.759 ms 50.787 ms
16 linuxupdate.sco.com (216.250.128.241) 51.004 ms 52.438 ms 50.988 ms
traceroute to ftp.calderasystems.com (216.250.128.13), 30 hops max, 40 byte packets
. .
4 bb1-p5-2.rcsntx.sbcglobal.net (151.164.243.13) 20.892 ms 20.06 ms 23.887 ms
5 bb2-p6-0.rcsntx.swbell.net (151.164.191.122) 21.051 ms 19.935 ms 21.034 ms
6 ex1-p11-0.eqdltx.sbcglobal.net (151.164.191.229) 23.82 ms 23.095 ms 23.868 ms
7 asn2828-xo-eqdltx.sbcglobal.net (151.164.248.14) 23.987 ms 23.063 ms 20.829 ms
8 p5-2-0-3.rar1.dallas-tx.us.xo.net (65.106.4.197) 23.989 ms 22.84 ms 23.934 ms
9 p0-0-0-1.rar2.dallas-tx.us.xo.net (65.106.1.42) 24.086 ms 25.935 ms 23.877 ms
10 p1-0-0.rar2.denver-co.us.xo.net (65.106.0.41) 38.916 ms 38.112 ms 38.925 ms
11 p0-0-0-2.rar1.denver-co.us.xo.net (65.106.1.81) 38.603 ms 38.096 ms 38.94 ms
12 p4-0-0.mar1.saltlake-ut.us.xo.net (65.106.6.74) 50.947 ms 49.871 ms 50.914 ms
13 p0-0.chr1.saltlake-ut.us.xo.net (207.88.83.42) 50.944 ms 49.782 ms 51.008 ms
14 205.158.14.114.ptr.us.xo.net (205.158.14.114) 50.836 ms 53.072 ms 53.935 ms
15 * * *
So either they're being merely slashdotted or they "accidentally on purpose" kicked www.sco.com's router power plug out of the wall. According to ARIN, they're all on the same /20 network, so they're probably not on a different final link from XO. They're certainly not being DoS'ed for bandwidth.
What they didn't include in the article (Score:5, Insightful)
Curiously, this article seems to imply that there was a political agenda behind DDoSing SCO - but to quote Mikko Hypponen of F-secure a bit more:
"It's also possible the attack against SCO is just a smokescreen to misdirect attention away from the backdoor component in the virus - which is most likely included in order to facilitate sending of spam email messages."
Similiar, albeit longer, quote from him asserting that indeed spammers were behind this worm was in the local newspaper on Friday, but it's in Finnish and I'm too lazy to translate it. But the above quote can be found here [f-secure.com].
Classic Trick (Score:5, Insightful)
1. This virus makes a machine an open relay. Considering recent legislation [spamlaws.com] and other anti-spam techniques I smell spammer bovine feces here.
2. More and more spammers used high jacked machines for DNS, web service as well as relaying their crap. spammers Check out the nanae news group for more examples [google.com]
3. The open source community is coming up with various anti-spam measures. Don't you think the spammers would love painting their enemy as petulant child - as they have proven themselves to be?
MyDOOM isn't the open source community pissing on on SCO, it's spammers pissing on all of us.
AngryPeopleRule [angrypeoplerule.com]
null routing to sco? (Score:3, Informative)
It's not really a bad thing (Score:4, Insightful)
Whats not to like.
The virus was actually a huge failure... (Score:3, Funny)
...sco.com is only down because it's on the front page of Slashdot!
I WANT TO "SWITCH" BACK! (Score:4, Funny)
dammit! why are mac users always left out of the fun?! >_
Ignore the man behind the curtain (Score:4, Informative)
This is a spam zombie virus. We need to work securing our comprimised systems and keeping them from joining the spam network and obeying the commands. If anyone has any real information about how this virus works as a relay and how to stop it at the network level please post it.
So far I've found the following links. Blocking port 3127 at the router seems like it could help a lot. Any other (real) solutions would be appreciated.
http://xforce.iss.net/xforce/alerts/id/161 [iss.net]
http://www.savvy.net/detail.asp?category_id=7&art
www A 127.0.0.1 (Score:5, Insightful)
What about Version B? (Score:3, Interesting)
But wait!!! I can prove it's not the virus. (Score:5, Informative)
The only possible cause I see for them to still be offline is if they took it offline themselves, or there's been another attack that they've failed to mention to the press, but it's unlikely that they'd turn down any opportunity to slam us if that were the case. Check it yourselves. The worm specifically attacks the domain www.sco.com, which no longer exists, and the dns entry expired yesterday. All that worm traffic should be going to oblivion by now, because Windows doesn't reuse expired dns records when requery attempts fail.
> www.sco.com
Server: ns.calderasystems.com
Address: 216.250.130.1
*** ns.calderasystems.com can't find www.sco.com: Non-existent domain
> sco.com
Server: ns.calderasystems.com
Address: 216.250.130.1
Non-authoritative answer:
Name: sco.com
Address: 216.250.128.12
Re:I'm Doing My Part (Score:5, Insightful)
Please stop as you're injuring the community you're trying to help.
GJC
Re:I'm Doing My Part (Score:3, Interesting)
Re:I'm Doing My Part (Score:3, Funny)
The parent comment is a JOKE. It is meant to be an amusing commentary on the general attitude of the open source community (us) towards SCO and its current business model. In no way is it meant to encourage illegal attacks (DDoS) on fradulent businesses (SCO). The above JOKE is just a joke, and an amusing one at that.
Thank you.
Re:Finally! (Score:5, Insightful)
I'm trying to remember who in the Linux community was quoted in the Wall Street Journal as saying "Let's take the high road." We should do just that. We all know that SCO doesn't have a leg to stand on. Let's let them sink themsleves.
Re:Finally! (Score:5, Insightful)
No, it's not. The media (and SCO, et al for obvious reasons) is painting the F/OSS community as adolescents
Re:Finally! (Score:3, Insightful)
I've been concerned about exactly the same thing. Regardless of where the virus really came from, the fact that SCO and MS were targeted may well have an impact on coming legal and public relations struggles that are important to the Open Source community. Don't think for a minute that this isn't understood completely by strategists at those two companies (as well as other
Re:Finally! (Score:5, Insightful)
In case anyone still thinks this virus is related to linux people, let's put it as bluntly as we can:
Spammers have created yet another virus to send their emails, not caring about the cost to you, your computer, the law, or the internet in general
If you believed the spammer lies about how you've opted in to something, or how this is their freedom of speech, or how you can just press delete, then this should be the evidence you need: spammers are prepared to take down the entire internet for their own personal gain.
If anybody has bought anything advertised by email, or is considering doing so, or knows anybody who buys from email advertisements, then please be aware: you are supporting the criminals who are deliberately and maliciously attacking your computer, and the computers of your friends. Their programs are constantly bombarding your computer, where any mistake you make could lead to your computer becoming unusable by you, and being used to send illegal emails in vast quantities to the computers of others.
If any newspaper editor is reading this, and thinks "it's attacking SCO, it must be programmed by a Linux advocate", wake up and smell the misdirection. The DDOS in this virus was added as an afterthought. "Virus creation wizard step 6: you are nearly finished creating your virus. now type the name of a website you want it to attack"
Re:Finally! (Score:5, Interesting)
I think a lot of folks have mixed feelings on this on.
Re:Finally! (Score:4, Funny)
Re:Finally! (Score:5, Interesting)
As a Linux geek I must admit to a small snicker at SCO's misfortune here, but it is definately not the right way to go about solving the SCO problem. All publicity is *NOT* good publicity, and the last thing we need is the world to think "Linux == Geeks spreading virii". I've been taking pains to point out the spam connection with the MyDoom virus, and I think that's the angle we should persue here. I can only hope that the next looser who DOSes SCO gives us as easy an "its not us" angle.
Re:What's the difference? (Score:5, Funny)
Simple. The virus is less effective.
Re:Slashdotted Reuters? (Score:3, Insightful)
Does anyone remember the article about Distributed Reflection Denial of Service [grc.com] from around 2 years ago? Quotating that one: I imagine that anyone reading this page is already well aware of my feelings regarding the deliberate and unnecessary inclusion of the raw socket API in a mass market c
Re:Slashdotted Reuters? (Score:5, Informative)
This seems much wiser a suggestion than the anti-MS paragraph which you chose to cite. Who better to set actual network policy than those responsible for managing those networks?
Microsoft including a raw socket API is about as evil as Microsoft supporting the creation of outgoing connections to any arbitrary mail servers -- sure, it's open to abuse (DDoS, spam, etc.), but removing the sort of API that traceroute and ping tools would use to perform useful work is not a security fix. It closer to asking Home Depot not to sell hammers because they can be used as weapons.
Further, having MS remove the raw socket API would lead those with cruel intentions to use non-Windows machines exclusively to do their evil deeds. Consider that the mind which concludes that the raw socket API must be removed because of the unpleasant actions of a few people probably isn't far from thinking that operating systems which are engineered in an open and flexible environment can be used for subversion as well. Suddenly those using "subversive" non-MS operating systems which haven't removed raw packet interfaces are a little more suspect in the public eye.
If ISPs would only permit traffic with sane source IP addresses to leave their networks, then the only effect sending such packets out would have would be to waste traffic between the would-be tricksters and their ISP's router(s).
Re:Ironic isn't it? (Score:3, Funny)
In related news: Due to an overwhelming number of trojans DoS attacking various sites, Microsoft has decided that only Internet Explorer is allowed to make outgoing HTTP GET requests on port 80.
Re:No joke (Score:5, Insightful)
Telling people not to voice their opionions because of fear of what other people might think of you is an asinine way to excersice your right to free speech.
Yes, free speech is something we believe in at slashdot as well. We can and should make jokes. Why? Because we always make jokes about things! I would make a joke right now, but (1) I'm not that funny, and (2) I'm just too shocked that I am being told in a +5 comment not to say something.
Let the media report what they will. The fact is, some part of the community that you posted to can find humour in this. We are for sure a community that finds humour in everything.
Actually, now that I read your comment again, I am not sure you are serious. Perhaps it was just a joke and our mods have modded you insightfull?
Re:No joke (Score:5, Insightful)
Anyway, I know and you know how to spot a troll/humorous post/etc. on Slashdot. And we know that people's opinions go all over the map on many issues discussed on Slashdot. Joe Reporter doesn't get this and there is a real risk of them printing more smear-stories about a community that like-it-or-not you will be perceived as part of by virtue of posting here. It's reasonable for us to try not to make that community look bad - not saying not to speak your mind, but to keep in mind that in a high profile story like this, even though you may be Joe Nobody, your words could be used against you and lots of other people.
Ignoramous equally disturbing (Score:4, Insightful)
The virus is written in Russia as a mail relay vehichle. They are just using the SCO issues as a foil, and indeed it worked on you. There even is an apology inside the virus from the author stating that he is just doing his "job"
Now Hang your head in shame.