
ABC TV Does Two Major Cracker Stories 227

karma vs Dogma writes "ABC ran a couple of stories tonight on the "Evils of Crackers/Hackers". Read the summaries of the World News Tonight story and the 20/20 story. I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another."

  • Not having seen that actual broadcast, the summaries don't mention any actual costs, only that if you deface a website making $18mill a day you are committing a serious crime (didn't say it cost them over $5 dollars).

    Hacker/cracker I don't know anybody who came from that era that cares about that.

    My opinion: all the newbies complaining and whining don't have much of a leg to stand on when they moan about a phrase that came before their time; when the people who originally used it, have resolved that it really doesn't matter anymore.

    Note: spelling and grammar checking off because I don't care
  • by simpleguy ( 5686 ) on Tuesday December 21, 1999 @03:00AM (#1457176) Homepage
    Also imagine another scenario.

    An e-commerce website's home page gets defaced with the usual elite cracker message.
    Insulting the sysadmin.
    Shouts to the peeps.
    Links to places ... and..
    "Oh yea sysadmin, thanks for your customers' credit card numbers. I am gonna have some fun this month"

    Just imagine how seriously this can hurt the business. People get informed that the website has been "owned by some elite hackers" and the credit card numbers they used to purchase stuff there are ...ummm.. owned.

    No matter what the website does to re-assure the customers that vital data has not been broken into, it will still lose MANY customers.

    Will you purchase from ..let's say Amazon if their website gets defaced with a similar message as above?

    Simpleguy
  • I really hate it when people go off bashing the administrators when they haven't necessarily done anything wrong or incompetently at all. These guys are the victims. The script kiddies that mount these downloadable attacks are the people we need to be fighting here.
    I quite agree. However, there are two points which the original poster made which were quite good:
    • Ludicrously inflated costs - $300K to clean up a server? Does it really take 4 man-years? Personally, I think this is a case of management choosing to hide costs in something they won't take political heat for. I expect Y2k will have similar abusers...
    • A non-trivial number of sites that are broken into had not been patched in months or years. This really isn't excusable for a system with a full-time admin and, I'm sure you'd agree, is quite different from being one of the "lucky" front-liners when some new attack appears.
  • They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost.
    • An $18,000,000 site should have backup servers, frequent backup tapes and so forth.
    • What about disaster recovery - how were they planning to handle things if there was a hurricane, earthquake, fire, etc. Lose $18M/day until Sun ships them a new box?
    • If they're making that kind of money, shouldn't they have at least one full-time security guru?
    • If they didn't do any of the above (necessary to claim the kind of damage they're [fraudulently] claiming) aren't they going to be liable for some sort of share-holders lawsuit, just like I would be if I set up a huge shopping mall and was too cheap to buy locks or hire guards? (Note that the cost of everything above would be under 5% of a single day's revenue, if their figures were true (unlikely))
  • While the figures cited are somewhat bloated, there's a lot more cost associated with something like this than simply putting the cracked page back up. I've worked in organizations where this has happened (not my fault, though ;>) and it usually leads to 1-2 weeks of beefing up security to prevent the same thing from happening again.
    This isn't something that can be blamed on the crackers, though. Beefing up security is something that should have been done anyway. It's like buying a lock for the front door after someone walked in...
  • Sorry, I don't buy it. You'd only disrupt the backbones, and little else - most small/medium-sized ISPs use static routes. Backbones do use protocols like BGP, but not all of them (use the same protocol). And I would certainly expect that they would not be allowing rogue packets past their border routers - especially routing (from icmp, bgp, dhcp, or anything of the sort). I am willing to listen if you have actually been inside these networks and seen that such packets make it onto their internal network - I have neither the time nor inclination to try something like this. Maybe you're more bored than I am and have actually looked around. Anyway, while you can certainly raise cain on a network that relies on such dynamic protocols, the problem would disappear as quickly as it appeared - ie: about 30 minutes (assuming high clueon radiation in the NOC).

    Besides, incorrectly routed packets still go *somewhere*, and icmp can still act as a return mechanism to indicate where these "hacking" attempts are being made so the admins can track it and temporarily assign static routes to the affected router(s). 30 minutes to take down, 30 minutes to bring back online. Again, this assumes the clueon index was particularly high at the affected backbones at the time of attack.... *cough* Not sprint *cough* ...

    This doesn't preclude the possibility of a more long-term guerilla war being made on the backbones, but that wouldn't "take the whole 'net down in 30 minutes". It would make the evening commute more interesting though.. and I for one think it would give the community a solid kick in their complacency.

    Personally, I wonder how many servers have been silently compromised inside these networks and are being used as relays for other attacks. If the cracker kept a low profile, such activity might remain undiscovered for some time. That is a much more serious risk IMO than some 30-minute orgasm of custom packets being thrown at the backbones.

  • I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another.

    Well, don't you know that the salaries of all the SysAdmins, web designers, programmers, and consultants that happen to be working during the hour it takes them to fix the page all need to be paid. I mean, it's not as if they wouldn't have been there working anyway if the "hack" had never happened ;)
  • This is how it works:
    If my fence is broken and the neighbor's mutt gets
    into my yard. When I sue him, I can recover the
    cost of fixing my fence, plus some overhead, and
    let's see - oh my labour is worth $50/hour. Isn't
    it obvious, that the damned neighbor's dog caused
    the expense, never mind that I built the fence out
    of rotted scrapwood.
    I hope I am wrong in the assessment of the logic
    being used in these cases, but I don't think I am.
  • Surely you aren't suggesting that 60 minutes without any internet backbone would be no big deal?
  • probably ones like amazon, onsale, ebay,etc...
  • I'm thinking about ways it could be done, didn't Melissa do a lot of damage? It occurs to me that the big problem with Melissa was that it propagated so quickly that it tied up a lot of servers. Now, if the Melissa virogen had written it with the intent of taking down the Internet, could he have figured out a way to make it propagate even more quickly? I know Melissa wasn't a very sophisticated virus (it just took advantage of one of the many security holes in Micros~1 product line) but it seems to me that if someone really knew what they were doing they could create a worm or virus that was much more devastating.

    I'm just saying, it isn't that farfetched, considering the software a lot of people using the Internet use. Remember, the fact that the Internet can (theoretically) survive a nuclear attack doesn't mean that this kind of sabotage won't work, remember the Morris Worm? This kind of sabotage operates on a completely different principle than physical damage.

    Of course, it may be that things aren't as prone to this kind of sabotage as we may think, but I think that just as the Schlieffen Plan would've ensured Germany's victory in WWI if it had played out the way they expected (i.e. Britain and the US stayed out of the war) it is possible to have a plan that could take out the Internet, whether it would work in real life or not.

  • I'm really confused why a company which makes that much money (ok a significant amount) would even have a problem with fudged webpages like that.

    Haven't their employees heard about checksums, backups and crontabs? I mean have a cron job check the checksums of the web site files every 20 minutes and if they're off page the sysadmin or automatically restore from backup and recycle the webserver/servlet engine. This way the company would lose 40 minutes of business at the most.

    Am I off here? anyone care to point out my oversights?
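
The checksum-and-restore cron job proposed in the comment above, sketched in Python as an added example (not part of the original thread); the directory layout, the `alert` callback and the cron path are assumptions. It presumes the backup copy sits where the web server account cannot write, and restoring files does not close the hole that was used to change them.

```python
#!/usr/bin/env python3
"""Checksum-based web-root integrity check with restore from backup.

Added illustration, meant to be run from cron, e.g. (hypothetical path):
    */20 * * * * /usr/bin/python3 /opt/integrity/check.py
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of a regular file; symlinks are recorded by target, never read."""
    if path.is_symlink():
        return "symlink:" + os.readlink(path)
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its fingerprint."""
    manifest = {}
    for path in root.rglob("*"):
        if path.is_symlink() or path.is_file():
            manifest[path.relative_to(root).as_posix()] = fingerprint(path)
    return manifest


def compare(baseline, current):
    """Classify differences between the trusted baseline and the live tree."""
    shared = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def restore(live, backup, report):
    """Delete unexpected files and re-copy changed or missing ones."""
    for rel in report["added"]:
        (live / rel).unlink()
    for rel in report["modified"] + report["removed"]:
        target = live / rel
        # Unlink first so a planted symlink is replaced, not written through.
        if target.is_symlink() or target.exists():
            target.unlink()
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, target)


def check_and_restore(live, backup, alert=print):
    """One cron cycle: compare, page the admin via alert(), then restore."""
    report = compare(build_manifest(backup), build_manifest(live))
    if any(report.values()):
        alert("web root integrity check failed: %r" % report)
        restore(live, backup, report)
    return report


def demo():
    """Constructed sample site: tamper with it, then run one check cycle."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        (backup / "img").mkdir(parents=True)
        (backup / "index.html").write_text("<h1>Store front</h1>")
        (backup / "img" / "logo.svg").write_text("<svg/>")
        shutil.copytree(backup, live)
        (live / "index.html").write_text("<h1>defaced</h1>")  # modified
        (live / "extra.html").write_text("not ours")          # added
        (live / "img" / "logo.svg").unlink()                  # removed
        alerts = []
        report = check_and_restore(live, backup, alerts.append)
        clean = build_manifest(live) == build_manifest(backup)
        return report, alerts, clean


if __name__ == "__main__":
    print(demo())
```

A changed file that reappears after every restore is the signal that the entry point is still open; the report lists are what an admin would start from.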

  • by Anonymous Coward
    The l0pht makes a point of doing tests and experimentation on their *own* machines. This is, in my mind, what separates them from crackers.

    Cracking Groups like Global Hell play with other people's hardware without permission. L0pht, though, is not a cracking group. Duke was talking about the l0pht when he made his analogy, which I find to fit rather well with what they do.
  • by bons ( 119581 ) on Tuesday December 21, 1999 @06:59AM (#1457192) Homepage Journal
    First: L0pht [l0pht.com]

    Second:Attrition.org [attrition.org]

    Of special note is the Attrition Mirror of defaced sites [attrition.org]. This will allow you to decide how much "damage" is actually done and how much "help" was actually done. Please note that this varies greatly by individual.


    The problem that exists is that these people, often under 21, see big giant gaping holes in the security systems and this bothers them. If they report it, nothing happens because no one has, or ever will, listen to them. (Some sites have been defaced repeatedly, without ever having fixed the holes, even after the fix was placed in the HTML!)


    So they make a mistake. They try to draw attention to the fact before someone less kind, (for example a rival organization) uses the same holes to download actual sensitive information. (Warning, this kind of thought process can occur to you when you've read too much cyberpunk.)


    I'm older and wiser now. I realize that people REALLY DON'T care about security. Normally they just want something to rant about. The status quo is to lock your car door for security but if you lock the keys in your car you expect a locksmith to get them out in under a minute.


    Think about it. If the locksmith can do it in under a minute, so can I.


    They may not be adults, they may be fools, and they may annoy the computer professionals that are responsible for security but let's look at it this way.
    If some kids can take down whitehouse.com, why couldn't Zhirinovsky [slashdot.org] hire someone to do the same, only with a lot more creativity and subtleness. (Wouldn't the media just love it if someone found a collection of porn jpegs on whitehouse.gov?)


    They're criminals. They view themselves as unsung heroes. In short, they're the Chicago Seven [umkc.edu] of a new generation. Even Richard Daley's famous quote could still apply:

    "Gentlemen, let's get something straight. The police aren't in the streets to create disorder; they are in the streets to preserve disorder." -- Mayor Richard Daley

  • Any "good" intruder can do a lot to cover his tracks, but all it takes is an admin watching network packets with the ISP of the source on the phone.

    There's always a trail. It all boils down to who has the resources and time to follow it.

    It amuses me how many l33t hax0r IRK kiddies there are that think they're indestructible, that the only kids that are ever caught are the ones they show on TV, that they'll never be discovered or prosecuted. And when the FBI raids their house and their parents are stuck losing their home and his college tuition money paying for damages, guess who's out there laughing his ass off.
  • by tpck ( 66866 ) on Tuesday December 21, 1999 @03:02AM (#1457198)
    "If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough.

    And a $17 million dollar a day site? Less serious? What about a $0 dollar a day site, say a unicef.org or whyme.com?

    I'm sick of money being equated with importance.

    I have no respect for script kiddies that deface webpages randomly, launch pointless DoS attacks, etc. They all seem unproductive and malicious.

    Though I do rather like those people over at the L0pht. :) Original, creative, and damn, they actually DO stuff, unlike 99% of them damn script kiddies.

    Still, I'm sick of all these [hc]racker stories. The media does seem to be doing a slightly better job lately though. Well, sometimes.

  • Script kiddies bother the hell out of me.

    The first quote of the story: "Young cyber whizzes with knowledge to infiltrate the most secure computer systems in the world are growing in numbers and ability," should really be changed to say "Young cyber whizzes with knowledge to download freely available exploits that anybody with a minimal sense of security should be able to patch."

    The worst part is that the media is the only thing that feeds the so-called 'intelligence' of most people. I guess that's why the world seems to be in a downward spiral. It'd be cool if journalists would ask for expert opinions from people who know something about the subject, but I think they teach you not to do that in Journalism101 or something.

  • From the World News Tonight article:
    "...the members of L0pht see what they do as neither good nor bad."
    ""We feel we're actually making a difference," says one L0pht member."

    Is it just me or do those two phrases seem to contradict each other?

  • I read that first article about the secretive shadowy sinister L0pht gang, and laughed so hard I spilled my coffee. Oooh yeah, L0pht is a big top secret all right. I'm sure I can rely on the rest of the /. readers, insiders and conspirators one and all, to not publicly reveal the location of their top-secret underground web site at, just guess, yep you got it, www.l0pht.com, 'cause if the Man finds out, whooey!

    If the major media could stop kissing Jeff Bezos's ass for just a few minutes they'd see that amazon.com's fraudulent patent is a bigger threat to the Internet than all the hackers in the world put together. But Bezos is a billionaire, and Americans - rich ones, at least, like the management of the mass media - don't seem to be able to think clearly in the overwhelming presence of billionaires, whom they worship, unreflectively, disgustingly, just like a crackhead worships a big old chunk of crack.

    Yours WDK - WKiernan@concentric.net

  • We did not go into details about taking down the net in 30 minutes because we don't all need another script kiddie attack. See we can't win. If we tell the world how to do it we are just bad guys enabling malicious hackers. If we don't tell the world we are just clueless boasters.

    If anyone is seriously interested in this topic I suggest learning the BGP routing protocol paying close attention to the authentication mechanisms or lack thereof. Then study the network topology of the backbone provider interconnection points (the NAPs and MAEs). Then learn how to craft your own packets with a library like libnet. Then do some long nights of experimenting (on your own equipment of course).

    If you don't want to do all that work yourself you are going to have to trust us. :-) Remember, things never work like they are supposed to. If they did there wouldn't be nearly so much hacking!

    weld@l0pht.com

  • Ok, class, today we learn about how to wildly inflate the cost of repairing cracker damage. First, we need to think of it -as- damage. That, in itself, is a powerful psychological tool to help inflate the costs.

    Second, we must make the assumption that if one file has been altered, -any- file on the system could have been altered. Remember, don't use tripwire, or any similar tool, as this will eat into your damage assessments. Figure in the time of a complete deletion of the system, a fresh re-install of all applications, and finally a restore from your latest backup tapes.

    Remember, system restoration should be put in as overtime, so your figures for damages should reflect this.

    Then, you must factor in the cost of the system being down, in terms of time lost (wages) to all company employees over the entire day, even if they probably wouldn't have used the system at all. It's still a loss of potential, which is still a cost.

    Then, you must factor in the cost of calling in the technical support people from the company you bought the system from, to fix the security hole. Even if you buy technical support, when you get the system, you're still using it, so there's still a cost -somewhere- in the system. Fixing the security hole yourself is a big no-no, as this would imply incompetency on the part of the technical staff. As technical staff are, by definition, competent, any hole that exists must be obscure and only known to the company that you bought the system from.

    Then, consider the cost of loss of revenue from any banner adverts your site carries. That it's not your loss is irrelevant. It's still a cost of the damage. Assume everyone who enters your site follows a banner advert and purchases something. This may not be entirely accurate, but it's a possibility, so it's still a potential cost and therefore counts.

    Finally, consider the cost of image. Any points lost on the stock market, that day, are potentially a result of the system crack, so you can estimate how much the company lost in value as a result. It's important to remember that, even when any other factor in the Universe seems more likely, always assume the worst possible case, for damages.

    This completes your class in damage assessment and valuation. You are now qualified Public Relations officers, capable of handling the worst system cracks with dignity.

  • While the figures cited are somewhat bloated, there's a lot more cost associated with something like this than simply putting the cracked page back up. I've worked in organizations where this has happened (not my fault, though ;>) and it usually leads to 1-2 weeks of beefing up security to prevent the same thing from happening again. This will usually include generating new passwords for all users in the system and phoning them to get the new passwords out. For public/non-profit organizations this can mean several thousand dollars and a couple hundred man-hours of personnel time which could be spent doing more important things.
  • Wow! I'm not sure if those articles could have been more devoid of content, yet still so sensationalist.

    We have a group of hackers (crackers? smackers? ugh...) who claim they can crack any password in seconds and bring down the entire Internet in, what was it? 30 minutes? And the 'reporter' just lets the statements stand! He didn't (seem to) question them on how feasible this really was or go and talk to security professionals for their take on the claims. Without any attempt to refute or prove their boasts, you'll have even more people scared of the awful hackers. Sigh...

    Dana
  • yet again the terms hacker and cracker are

    confused !

    what a surprise ?!

    oh yeah the showdown of "government vs. hackers"

  • This guy about the computer virus is stupid. Obviously he has never heard of a backup. "All of it's gone forever." PLEASE!!!
  • that was a very intriguing article.
    i want the uswest database of numbers being monitored by the police!
    actually, i wanted it 3 years ago when I was dealing. Now, it wouldn't be nearly as exciting.
  • And if you had any wits you might have guessed that that's where I got the idea from. Have a young person take you to a doctor for senility and overt crankiness.
  • It does occur to me that the news media seems to pick stories based on their "sexiness" rather than their relevance. I mean I read somewhere online that a group of crackers in Thailand used the fact that a guy was paying for things on Amazon.com with his ATM card to empty the guy's account. I don't know how they did it, but it seems to me that this would be a lot more useful information to the general public, and is a lot more dangerous crime, than a group of crackers who put graffiti up on the White House web site. (Oooh, scary!) I mean it would even contain a useful bit of information for semi-computer literate people out there, "don't use your ATM card to buy things online."

    Of course, I hate the way they do these types of stories anyway, and that FBI guy was the stiffest, most humorless and least charming guy I've seen on TV in a long time.

  • If someone really knew how to do this, they would do it. Since this hasn't been done it's but an un-tested theory and doesn't amount to jack. I say take down the Internet if you can, let's re-build it right!

    Let's translate this into a real world analogy, and the absurdity will be evident.

    Some group says "This bridge that is the main route into or out of this large city is hazardous; all it would take is a large truck to ram the right spot on it and the whole thing would collapse."

    ''If someone really knew how to do this, they would do it''

    Wrong. Not all people who investigate security holes are malicious. In fact, probably very few are, which is why we don't have more break-ins and such than we already have.

    ''Since this hasn't been done it's but an un-tested theory and doesn't amount to jack. I say take down the Internet if you can, let's re-build it right!''

    So you're going to blow up a perfectly usable bridge, causing another to be built at great expense, just because you can? I suppose you're going to volunteer your time to help re-build what you so carelessly destroyed? No? You don't know how to build bridges? Maybe you shouldn't be so eager to tear them down, then.

    Safety groups in the real world are all the time pointing out how dangerous products are. Why is it when a group does the same about computer security, they get roundly flamed no matter what they say or how they say it?
  • Does this mean companies like McDonalds or Microsoft deserve greater protection than some mom and pop site?

    Umm, this is like saying "Does Fort Knox deserve greater protection than a convenience store?"

    The risk and potential damages are much greater to a big corporation, so it would be kind of stupid to afford it no extra protection. (duh)

  • My guess is the network just listened to what the company said, and didn't research just how difficult it is to restore from tape :-) Also, here we go again with the hacker/cracker debate...I wonder if any media will ever get that one right????
  • A guy from the one hacked company had hired one of the global hell hackers as a consultant after he was hacked.

    The security guy's justification was that if he had turned the hacker in, he would have become a target of global hell.

    Furthermore, he felt that since he had paid one global hell hacker, he wouldn't be attacked by anyone else in the group.

    Two Thoughts:

    1. Holy racketeering batman. Say what you want about whether or not hacking systems is ok, but doing it to extort money from people is unjustifiable.

    2. Stupid sysadmins who pay hackers are idiots. This is like paying off the mafia and keeping your mouth shut about it. Sure, you'll probably be safe. But you've just encouraged them to use the same tactics against other companies, ensured their existence FOREVER, and you're going to have them on your a** that whole time.

  • Did anyone else notice the Battlezone arcade game in the background? Hey, these hackers have TASTE.
  • Dell pulls in a lot of money per day (over $10M/day, definitely), and in response to "Our Man In Redmond", the company doesn't necessarily have to make their $18M/day all year round -- Most websites' sales go up in (*gasp*) December due to holiday shopping.

    Anyway, the $18M/Day is probably gross sales, not net profits.

  • Both of those stories were annoying, but what bothered me the most was ABC's general attitude that hackers will do malicious cracks because they can.

    It's like saying the FBI should keep a close watch on Alan Cox because he conceivably could add a backdoor hack to the Linux kernel allowing him to break into any system that used it.
  • You don't even need that really. What you need is the ability to lie about the AS that you belong to and start flooding peers of that AS with bogus routes until the peer runs out of memory.

    Routers don't like it when they run out of memory, especially Ciscos. I ran into similar issues when I was implementing OSPF and accidentally killed a dozen Ciscos, a few Ascends and Portmasters with some miscrafted packets. It's harder to do with MD5 authentication in place though.

  • by Foogle ( 35117 ) on Tuesday December 21, 1999 @02:21AM (#1457222) Homepage
    They explain the high cost (to a point) in the synopsis. It's not the actual cost of replacing the file... that's pretty minimal. No, it's lost income because of the disruption. They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost. There aren't *too* many pages that pull in $18 million a day, are there? Well, the point remains anyway.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  • While this is not a great analogy, it actually harms you :)

    First of all, if the dog does do damage to your yard, you can sue for the damage to your yard. Your ability to collect damages, however, is mitigated by the broken fence. But only because it is damned obvious that you have a broken fence, and not because there is a way in.

    If, for example, your neighbours child starts throwing rocks over a solid fence and breaks a window, the neighbours are fully responsible for those damages. Even though you failed to fully isolate your house from such damage.

    Now, computer security is much harder than building a fence. Recognizing holes is very hard. And just because someone has a computer on the internet does not mean that they have the time or the skill to make their fences into fortresses.

    Anyone who understands security at all knows that the only way to completely secure your computer is to turn it off and lock in a safe. The minute you turn it on and take it out of the safe (not necessarily in that order), you are opening it up to security risks. Putting it on a closed network opens it up to more risks. And putting it on the Internet opens it up to even more risks.

    If we expect every computer on the internet to have top notch security, then we are seriously limiting who can have computers on the internet. We therefore need to vigorously punish those who would exploit the complicated nature of computer security.

  • Note that they do not claim replacing one page with another costs millions of dollars, but that they claim shutting down a website of a company making millions of dollars is a crime.

    Suppose someone took down index.html at www.amazon.com for an hour. That could easily run into high losses for them, since their business is web based. I wouldn't know about index.html at www.cocacola.com, though. Do they make any money with their site ?

  • Did anyone notice that they said the White House comms were disrupted for two days while the web environment was restored?

    The comms are run out of Ft. Richie in Cumberland MD, and not even remotely connected to the Web site.

    Also, the Web site is just brochureware, there is no gateway to anything important.

  • How come when you hear about cracker/hacker groups , their exploits are always related to web servers? Are there no other forms of critical computers connected to the 'net at large? What's hacking? What's cracking?

    It's the lack of background and CONTEXT that really detracts from the credibility of these mass media news reports (this applies to places like zdnet and c|net also). They never mention the types of computer services (aside from web servers) that are attacked, or even begin to hint at the general methods which are employed. This inability to provide real information seems to indicate that these articles are nothing more than fear mongering dollar grabbers.

    I've read in a few posts here on /. that the target audience of these stories is not interested in the technical details. I will agree to a point, but only because I can't recall ever seeing real information ever being presented to the masses and it's never been tested. Until such a time as when they actually present a frame of reference for their stories, this amounts to nothing besides fear mongering.

    What I'd like to see is an article on the damaging effects of fear mongering on businesses. How many dollars a year are lost due to uneducated pontification and agenda furthering FUD campaigns? How many businesses have lost money because a panicked executive heard from a friend of a friend that X problem is at hand and emergency procedures, costing millions of dollars in capital and man-hours, must be put into place, only to find out later that it was not good information?

    Stop knee-jerk reactions. Put a muzzle on poor journalism. Educate, don't pontificate.

  • I was going to (politely(maybe)) inform them of the difference between hacker and cracker after I saw it, but the cowards don't post their email address from their website. Does anyone know what it is?
  • I don't see why anyone would consider these crackers (sorry, the misuse of hacker really peeves me) to be dangerous, since most of them don't actually know crap about computers (the exception being L0pht, who I would place more into the hacker category anyway). They're just downloading exploits from Bugtraq and trying them out. If you keep your stuff up to date and are smart with your initial configuration (ssh2 and sftp access only, tripwire, logcheck, etc) any attacks that aren't prevented outright should be noticed right away.

    Of course, it's not an ideal world, blah, blah, blah, but anyway my point is that people should be protecting their computers with real security, not laws that only "solve" the problem after the fact.
  • It takes ONE mailing list to find out about these problems in advance most of the time. If their sites are worth so much money to them why can't they invest the 2-45mins each day to check this stuff out!!??

    I think that's one of the crackers' points. If you browse through the attrition [attrition.org] mirrors you notice a lot of the defacements actually leave a hotmail address telling the admin to email them for what is wrong, or stating the address of where they left the original index.


    mcrandello@my-deja.com
    rschaar{at}pegasus.cc.ucf.edu if it's important.
  • In that same morally ambiguous way, the members of L0pht see what they do as neither good nor bad. More akin to Robin Hood, whose merry band of outlaws used unorthodox ways to help.

    Hey! I resent that!

    Did anyone else notice that they used the word 'crack' a couple of times, rather than 'hack'? Are things looking up?

  • Personally, I thought you guys did well last night. Raised some awareness. This seems to be the goal in general. I think L0pht did make gains in this effort.

    They were clear, concise and stayed well away from the impressions that all hackers are script kiddie punks.

    Good Job!

  • Um, I'm not seeing this Battlezone game? The L0pht article at http://www.abcnews.go.com/onair/WorldNewsTonight/wnt_991220_CL_L0pht_feature.html? All I see is a pic of some code?
  • I caught the end of it. They kept referring to this group of script kiddies as a "virtual gang", I guess in an effort to conjure up images of drugs and violence and organized crime. Which is of course what the script kiddies want, right, it makes them look dangerous and powerful. They really drove it home at the end of the segment, when they mentioned that one of the kids might go to jail for a time, and questioning "is the right thing to do?" They then got some human prop to say just how dangerous and pissed-off this kid is going to be after serving time. Give me a break!

    Oh, and that's not the best part. The very next story was about a poor little sick dog who goes around the hospital giving sympathy to the poor little sick children.

    This is blatant propaganda. Meaningless emotional arguments designed to focus our hate and fear. Those kids are so dangerous. And the puppies are so cute! What if those dangerous kids hurt one of the puppies! Heavens no! I hate those dangerous kids!

    So let's recap. Kids with computers: BAD! Puppies in hospitals: GOOD! Now take your soma and let's all sing "I love Big Brother!"
  • Actually I noticed one of the guys running E. You could just see the bottom right of the screen, but I could see an iconbox and other stuff, enough to know immediately what it was.
  • I thought these two articles were relatively well-done considering the intended audiences. There's a big difference between the average ABC News viewer and the average /. reader. ABC News shouldn't have the same depth of complexity, as the whole point of TV news is to take a complicated issue and explain it in terms that the average Joe can understand. This can be done poorly, but sometimes it can be done well. I think these two articles are done relatively well. In particular, the World News Tonight article gave a good summary of the good/evil qualities of h/cracking (i.e., cracking reveals security flaws that can be fixed).

    Yes, the majority of media coverage about hackers/crackers is really paranoid, but this one wasn't so bad.

  • by Stiletto ( 12066 ) on Tuesday December 21, 1999 @03:28AM (#1457241)
    "They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost."

    No, that's $18 million that they never made. There is a subtle but important difference. You can't lose money you never had.
    ________________________________
  • Last spring I developed a site for a small business using OpenMarket's ShopSite [shopsite.com]. It sells for $495, and has a great backend for keeping track of products and orders. It's quite flexible, though it could be more flexible. Overall, it's a really good product - easy to use for the client, and I haven't had many callbacks for support, though they have done a substantial amount of business.

    -Alex

  • Think about it: there are lots fewer people out there that know about routing protocols than know about, say, Unix. How would even your average slashdot reader know what their vulnerabilities are, much less the general public? It's easy to make fun of what you don't understand; most of us should understand that from experience. Given the track record of these guys, I tend to believe them when they say that something like this can be done. I just hope that the people responsible for the various pieces of the backbone listen and fix holes.
  • I read it as, "a web site that makes the company $18M/day." If they're pulling in $18M of revenue from their web site alone, and that web site is put out of commission for a day, they will not make $18M that day. Thus, the outage cost them $18M in lost revenue.
  • It could also be 18M people spending $1 a day on their site. $1 isn't much, and most people would be quite happy buying whatever $1 product this is from a competing site, or not at all.

    The lost revenue figures are quite valid and the point still stands. Companies sue and prove these kinds of damages *very* regularly (not necessarily Internet-related either), so this is not a new concept.
  • It's just not that simple. There's no doubt that most of these monetary claims are vastly exaggerated, but it's not just a matter of replacing an index.html file. If someone broke into your house and spray painted a tag on your bathroom wall, would you just shrug it off, clean it, shut your doors, and continue on with life? No. You'd beef up your security.

    That's irrelevant to the cost of replacing the web content.

    This is the cost to fix your security holes; it has nothing to do with the web site at all. If there are security holes, then it's the administrator's job to fix them, and this can't honestly be counted against repairing the website; these are two different things. (The cost for a sysadmin's time is already paid for - it doesn't matter if he's doing it adequately or not.)

    Fact is a lot of these sites may be "asking for it" with their poor admins and shaky security, but that doesn't make it right.

    Nobody is saying that it does make it right - but that has nothing to do with calculating the cost of restoring a website from a backup.
  • Been there. Done that. I have had the displeasure of meeting most of the members of 'Global Hell'. Let me describe them to you. It's a bunch of kids, and a bully. Very simple. Mosthated, who is the leader of the Global Hell, is the bully, and mostly everyone else is a kid. The kids hang around the bully because they _need_ the vindication of being cool, of having a peer group. These kids have no self esteem or self worth. The amount of control Mosthated shows over them is quite disgusting. He says something, they all agree. He laughs, they laugh. I did get the opportunity to tell Mosthated that he was more cracker than hacker, and he didn't agree. But he did...decide...that he'd better leave me alone. I guess even Global Hell fears common sense.
  • But what can I expect from an AC.

    You can have a perfectly competent sysadmin, one that performs his job 100% correctly, 100% accurately, and applies patches and security fixes exactly 0 seconds after they're announced and STILL BE VULNERABLE TO ATTACK.

    It's not infrequent that a vulnerability will be discovered and exploited *before* it's announced on the major security mailing lists and web sites. There's also the possibility that it's announced at 3AM and the company silently rooted by 3:05AM. What are you going to do, have all your admins get paged at any hour of the day every time an e-mail comes to Bugtraq?

    I won't disagree that some admins shouldn't carry the title. More often than not, a vulnerability is exploited long after it's been released, but THIS IS NOT ALWAYS THE CASE.

    I really hate it when people go off bashing the administrators when they haven't necessarily done anything wrong or incompetently at all. These guys are the victims. The script kiddies that mount these downloadable attacks are the people we need to be fighting here.
  • The punishment should be proportional to the amount of damage caused. If a kid caused 100M$ of damage, he obviously can't pay 100M$ any more than he can pay 10k$, and it isn't quite fair that he serve the same prison sentence (if any) for both crimes. I think it's perfectly fair to base severity on damage.

    You also have the funding factor. If you cause a huge company damage, they're probably going to unleash quite a team of lawyers upon you, unlike some non-profit web site that would barely be able to bring civil charges of its own.
  • With viruses available for downloading from the Web, extensive computer language knowledge is no longer needed

    Hmm...sounds like they're talking about script kiddies to me. I find it interesting that ABC focuses on the 3vi1 h@x0rz as opposed to the lack of responsible security measures on the part of those who get cracked. Maybe these companies "making $18 million dollars a day" should shell out a few bucks for some decent firewalls, intrusion detection, and the IT people to run that show.

    Keep your servers patched up, run them on UNIX boxen with extra security measures, and for god's sake, don't short-change your people for equipment or personnel. It's really not that difficult.

  • I agree - these articles were better than average and even mentioned that script kiddies had tools to make it easier to do more damage with less knowledge.

    I was particularly impressed that they chose the l0pht, which *is* a legitimate hacker group. I'm not so sure about GH, but they've made enough news to be worth mentioning.

  • One of the reports mentioned one breakin to some website costing the company $700,000.

    I could see that if it was a big time e-retailer or Ford or something, but not at the scale of the outfit they were describing.

  • The sentence makes a lot more sense if we read it as saying that the company makes $18M a day, not the website. It means: "It is a crime to make fun of people who make money", and it is scary. Very scary.

    JM
  • by Junks Jerzey ( 54586 ) on Tuesday December 21, 1999 @03:46AM (#1457261)
    There was the usual nonsense, like confusing crackers and hackers and getting crack attempts and viruses all mixed-up. But otherwise, a few things really jumped out at me:

    * Global Hell came across as extremely juvenile.
    * The so-called leader of GH (Patrick something) was just a typical angst-ridden teen. He couldn't elucidate his purpose or ideals; his philosophy pretty much broke down to "All the corporations of the world are trying to oppress me in some unexplainable way, and, oh yeah, I'm really bored."
    * The word "brilliant" was used several times in relation to crackers, as if they're working on things that require a PhD and sophisticated programming ability. I'd hardly put exploiting security holes into that category.

    Interesting overall.
  • By the way, something just now occurred to me concerning amazon.com's patented technology. Does amazon.com require the user to enter a password as well as the cookie info? and if the latter, doesn't that add up to more than Just One Click(tm)? I regularly shop at a couple of web stores which store at least your account name in a cookie, so when you jump to the "Checkout" page your name is already filled in, even including your credit card number (which is displayed as "xxxx-xxxx-xxxx-1234"). But to get to the "Checkout" page you have to present your password first. At any rate, that certainly wouldn't be new or unique (that is, patentable) technology for amazon.com to do it that way.

    But if everything you need for ordering is already stored in cookies, doesn't that present a king-size security hole? Suppose, for example, one of my co-workers orders something from amazon.com with their web browser. And suppose I want to play a mean trick on this co-worker. So I copy his cookies file. Now if all the customer info is keyed off the cookies in the user's PC, I can't exactly steal anything; even if I order something, it will get sent to the original shipping address. But as harassment, I can order up, say, twenty copies of "Mein Kampf" or "The Joys of Enema Sex" or something obnoxious like that on his credit card, with Just One Click!(tm). Is that possible?

    I'm almost tempted to break the boycott to experiment. It would be easy enough; just make an actual purchase from one PC, copy the cookie file to a second PC, and see if I can make a second order with Just One Click!(tm).

    amazon.com has got a LOT of customers. If there really is such a big, obvious security hole in their patented technology, then maybe these news magazines could make themselves really useful to their readers by warning them away, rather than blathering about the Dire Threat to American Security posed by a few industrious security hackers and a bunch of dumbass script kiddies.

    At any rate I hope I'm wrong, and there is a mechanism which forestalls illegitimate ordering. amazon.com and Jeff Bezos can certainly go to Hell for all I care, but I'd hate to see all those innocent customers getting screwed.

    Yours WDK - WKiernan@concentric.net

  • Second, we must make the assumption that if one file has been altered, -any- file on the system could have been altered. Remember, don't use tripwire, or any similar tool, as this will eat into your damage assessments

    Do you honestly think that companies stating they've suffered 10M$ in damages ever actually get paid 10M$ by the attacker?

    Companies have to weigh costs. There's the additional cost of implementing and maintaining something like Tripwire (which, as another poster mentioned, doesn't do crap for data) against the potential cost of a system intrusion. If your company has the funding for it, they've probably implemented a modest amount of security mechanisms (including things like Tripwire).

    If your company doesn't have this funding, compromises must be made. Does that make this company irresponsible, incompetent, or "asking" to be rooted? Hell no.

    For those types of companies (read: most), you HAVE to make the assumption that the system has been compromised in more than one way, with back doors in place and that the intruder has access to your internal systems as well. You need to cut off the network, locate the exploit used to break into the system, and totally re-build the OS and applications on the affected systems (probably ones even suspected of being rooted as well). Not taking these steps would be far more irresponsible of the admins than ignoring security bulletins in the first place (assuming they even did, and that if they hadn't, it would have helped them, which isn't always the case).

    Remember, system restoration should be put in as overtime, so your figures for damages should reflect this.

    Yep. Damages accumulate as network or web sites stay unreachable. The costs of overtime would presumably be less than the costs of staying offline. If this weren't the case, it wouldn't be worth it and it could probably wait until normal business hours. (Of course, I'd still physically disconnect the machines from the Internet during this time.)

    you're still using it, so there's still a cost -somewhere- in the system.

    If I get 10 free hours of tech support from a vendor, and I use all of that up as the result of an attack, you're damn right I should be compensated.

    Fixing the security hole yourself is a big no-no

    Apparently you're under the delusion that all corporate environments are using Linux on all of their mission-critical systems.

    For those of us in the real world, we have to wait for vendor patches and upgrades, or we have to implement workarounds. Fortunately, major vendors tend to be quite helpful in emergency situations like this.
  • You're right, it does sound like script kiddies. Script kiddies are who are responsible for 99% of the publicized "cracks" and web site defacements, so it's only natural to mention them.

    With respects to shelling out money for better security measures, most businesses have to make compromises in this respect. Is the cost of adding firewalls, maintaining high-security systems and the necessary IT training to keep things up to date and running securely more or less than the cost of one noticeable intrusion a year?

    Just because you think you're capable of running such a setup doesn't automatically mean it's cheap for companies to do so. Just because they make compromises in this respect, does that mean they're incompetent or *deserving* of an attack?

    And of course for those systems that *are* exposed in some fashion, it isn't uncommon for exploits to vulnerabilities to be published/brought into use by script kiddies *before* an announcement is made and fixes/workarounds made available. There are frequently windows of vulnerability for even the most competent and secure administrators and networks.
  • It's an ILLEGAL INTRUSION.

    If you want to break into systems to learn how security works, be able to examine code, etc., GO TO COLLEGE. Most universities have some very EXCELLENT network security courses where the students do precisely this, and have access to all sorts of very interesting hardware. Do not use my systems for your stupid games or "education", whatever it is you want to call it. How am I supposed to know you didn't touch anything vital? If you break into a bank vault just to "learn", and the cops come to your house the next morning, do you think they're going to care or believe you if you said, "But I didn't take any money!"

    And just because a system isn't 100% impenetrable to your l33t hax0r skilLZ does not necessarily mean the admin is remotely incompetent. What if the exploit was made available before an announcement/fix/workaround was made? What if both were released at 3AM? Is the admin incompetent because his pager isn't set to wake him up every time an e-mail message is posted to Bugtraq? Is the company *deserving* of an attack just because they don't spend 80% of their meager revenue on network security?

    If you break into my system illegally, REGARDLESS of your intentions, I will prosecute you and you will go to jail. Period.
  • Tripwire won't do squat for you verifying the integrity of the data, name a single large website that only does static data that never changes the data during the day... what you mean tripwire can't verify the integrity of the data in my database?

    Look how much bad data cost buy.com when they advertised monitors at below cost due to a typo; now imagine how much a company could lose by changing data within a database. Now think how many man hours it would take to verify that data by hand, restoring isn't a cake walk either to restore an Oracle database we have here on site took 36 hours (restoring from tape, replaying the redo logs, etc.) that database is big (talking in the t's as in terabyte). This is where big-time costs come in, how do I know that friendly intruder didn't modify my data that changes every minute or every second?

    Reading through the rest of your post you are saying:

    1) that tripwire will check everything and I should not worry. Hmm guess I don't use any dynamic data... that's real cool website

    2) that only one machine could be penetrated not any others. Guess that same exploit wouldn't work against any others.

    3) that attacks only happen during the day. Isn't that nice how they only do that during normal working hours.

    4) that wages lost due to downtime really are a freebie to the company. I wonder if I can convince my boss that giving me a $100k raise would actually equal $0 cost to the company.

    5) that the stock market doesn't really care about bad news. Tell that to whoever at Microsoft said tech stocks are overvalued since his portfolio lost a few mill that day when the stock went down a point or two. (ok, that's pushing it but it's true)

    You might want to add that my time working on a compromised box is free time since that other project wasn't important anyway (hey they pay me to fund my pepsi habit, not because I have any real work to do)


    Grammar and spell check off because I could care less.
  • by CausticPuppy ( 82139 ) on Tuesday December 21, 1999 @04:12AM (#1457279)
    Hell, I can't write C worth a crap, and I could take down much of the internet in only *TEN MINUTES.*

    All I'd need is a backhoe.

  • Well, anyone who gets their "news" from TV is ignorant, in the truest sense of the word. Unfortunately, that is most people today.
  • I expect we'll see more of these in these last couple weeks of life. If Russia's nukes don't go off and burn over New York, Chicago, California, the end of the world is bound to come via 14yr olds shutting down everything.

    A few things in the 20/20 piece struck me as odd. First, the head punk of this Global Hell didn't come across as anything more than your average script kiddie. He basically just cracks into places because he's bored. One thing he said in the very beginning was that he loves his computer more than "anything in the world." Not his mom (there was no dad in the interview, hmm), or anything of real importance, but an electronic box. This is the first stage in social disorders like this.

    Then he got his computer taken away in a police raid, and what happens? His mother, seeking nothing but making the boy happy, goes out and buys another one the next day. No discipline or anything, but "Oh honey, here's a new computer. Will you love me now?" Now in my day, the parents would have thrown a fit over the police raiding our house and I wouldn't get out of the dungeon for weeks. Has anything changed in just ten years since I was a teen, or was it because my parents didn't need to try so hard for the kids to like them?

    Then there was that goofball at the American Retirement Company or whatever saying he's hired this guy as a "consultant" to prevent him from sicking all the other kiddies on the company. Wasn't there some law back when the mob did these things which made it just as illegal to pay off these sort of extortionists?

    One funny part in it was when they talked about the virus due to explode next year. They said it was spread by Microsoft's email program. Sounds to me the way to cure that is to not use MS Outlook.

    Oh. And I have just lost $500,000 typing this post using the media's magical calculator.
  • I wasn't suggesting a 'Trashing the Internet HOWTO' (or would it be a mini-HOWTO because it only takes 30 minutes :) )

    My point was that the reporter took no steps to verify their (your?) claims. Even if the boasts aren't far-fetched, it's reporting like this that spreads confusion and panic.

    I remember reading about one of the first high-profile hacker busts (was it Mitnick?) that said the prison officials wouldn't let him use the phone while he was in jail because everyone thought he could make one call and start a nuclear war.

    When the general public becomes misinformed, it gives the government excuses to pass regulatory laws. If thousands of average at-work net surfers read the article and start worrying that every 14 year old kid who owns a computer and wears glasses can destroy the internet, the government will helpfully pass all sorts of laws to limit use and what not.

    Won't happen? Remember all the stories about Geek Profiling and metal detectors in schools? Youth violence has plummeted since the early 90s and is still falling, but thanks to the media, people *perceive* that kids [esp. geek kids] are getting more and more violent so school officials can now get away with expelling people for playing Quake.

    I guess a summary of my point is: Lousy reporting has really annoying consequences.

    Dana
  • To non-technical people, anything computer geeks do seems "brilliant." Some people are absolutely amazed, and in awe of my divine gift, when I do a TRACERT from a Windoze box!
    Of course, the l0pht people play on this when it comes to the media, and make statements like "We can take down the entire internet in 30 minutes."
  • Melissa's a good beginning example to show the weakness of the internet, but all Melissa did was become a "cholesterol," if it were, to the "arteries" of the internet. Once it was cleaned out, everything got back up and running.

    As it was suggested, I did some looking into BGP, because quite frankly, it'd be pathetic for me to blabber on about something that I didn't understand. The only problem is, you need a pretty good understanding of IP to understand how BGP works, and there isn't much documentation out there that sums it up in a dime. Here's the easiest explanation I can get for how BGP works (the whole document that goes in to far greater detail can be found at http://www.netaxs.com/~freedman/bgp.html [netaxs.com]) :

    The primary purpose of BGP4 (as we're studying it here) is to advertise routes to other networks ("Autonomous Systems").

    An AS, or Autonomous System, is a way of referring to "someone's network". That network could be yours; a friend's; MCI's; Sprintlink's; or anyone's. Normally an AS will have someone or ones responsible for it (a point of contact, typically called a NOC, or Network Operations Center) and one or multiple "border routers" (where routers in that AS peer and exchange routes with other ASs), as well as a simple or complicated internal routing scheme so that every router in that AS knows how to get to every other router and destination within that AS.


    Layman's terms: Every personal network out there (company networks, school networks, government networks) works in its own little private world. BGP (BGP4 is just the current version of BGP) is the protocol (acronym stands for Border Gateway Protocol) that allows all these networks to talk to each other. The protocol is utilized by Cisco's routers, and since Cisco currently has the majority share of internet routers currently in use, if l0pht (or anyone else who knows how to do it) creates specific scripts that break these bonds between the network, the majority, not all the internet, but the good majority of it, will fall like the giant it is.

    How can you bring it down? Well, due to my ignorance, I'm not completely sure, but I believe the web site I quoted earlier sheds some light on it:

    When you "advertise" routes to other entities (ASs), one way of thinking of those route "advertisements" is as "promises" to carry data to the IP space represented in the route being advertised. For example, if you advertise 192.204.4.0/24 (the "Class C" starting at 192.204.4.0 and ending at 192.204.4.255), you promise that if someone sends you data destined for any address in 192.204.4.0/24, you know how to carry that data to its ultimate destination. The cardinal sin of BGP routing is advertising routes that you don't know how to get to. This is called "black-holing" someone - because if you advertise, or promise to carry data to, some part of the IP space that is owned by someone else, and that advertisement is more specific than the one made by the owner of that IP space, all of the data on the Internet destined for the black-holed IP space will flow to your border router. Needless to say, this makes that address space "disconnected from the 'net" for the provider that owns the space, and makes many people unhappy...Anyway, the bottom line: Test your configs and watch out for typos. Think everything that you do through in terms of how it could screw up.

    Layman's terms: Say someone wanted to shop at Amazon.com. Their computer says "take me to Amazon.com". If my computer saw the request "take me to Amazon.com," and I wanted to stop the request, I could say "Sure, I know where it is... follow me!" Then I'd lead him to a cliff edge and tell him it's right over the cliff. Poof, end of request. If I wanted my computer to direct everyone who asked for Amazon.com to someplace OTHER than Amazon.com, I'd just stick an arrow sign by the cliff that said "Amazon.com -->", directing them over the cliff.

    Even Lamer Layman's terms: remember the good old Looney Toons cartoons where Wil'E'Coyote would repaint the road and dashed-yellow line, directing it to the face of a cliff? If the Road Runner was a packet of information traveling pretty fast on a network (the roads), and you "tweaked" the network and told it that this new route (repainted road) went somewhere, when in fact it ends abruptly (cliff wall), you're going to lose the information (aka "SPLAT!").

    For man with no mind: "Oh, you want to know where New York is? Try looking in Russia."

    Another place that explains the BGP protocol and actually makes the technicalities of it easier to understand (diagrams and simple numbers) is http://www.alliancedatacom.com/cisco-bgp-routing.htm [alliancedatacom.com].
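The more-specific-route effect described in the comment above, as an added example that is not part of the original thread: a simplified longest-prefix-match lookup (real BGP best-path selection weighs more attributes) and a monitoring check that flags announcements falling inside address space you own. Only 192.204.4.0/24 comes from the quoted text; the AS numbers (documentation range) and the observed route list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int


def route(prefix, origin_as):
    """Convenience constructor: route("192.204.4.0/24", 64496)."""
    return Route(ipaddress.ip_network(prefix), origin_as)


def best_route(table, destination):
    """Longest-prefix match: of all routes covering the destination,
    the most specific one (largest prefix length) carries the traffic."""
    addr = ipaddress.ip_address(destination)
    covering = [r for r in table if addr in r.prefix]
    if not covering:
        return None
    return max(covering, key=lambda r: r.prefix.prefixlen)


def suspicious_announcements(owned, observed):
    """Flag observed routes that lie inside address space we own but are
    originated by a different AS. Less-specific covering routes (an
    upstream aggregate) are not flagged: they cannot win the lookup."""
    alerts = []
    for seen in observed:
        for mine in owned:
            inside = seen.prefix.subnet_of(mine.prefix)
            if inside and seen.origin_as != mine.origin_as:
                if seen.prefix.prefixlen > mine.prefix.prefixlen:
                    kind = "more-specific"
                else:
                    kind = "same-prefix"
                alerts.append((str(seen.prefix), seen.origin_as, kind))
    return alerts


# Constructed sample data. AS 64496 is the (hypothetical) legitimate owner.
OWNED = [route("192.204.4.0/24", 64496)]

OBSERVED = [
    route("192.204.4.0/24", 64496),    # the owner's own announcement
    route("192.204.4.128/25", 64511),  # more specific, from another AS
    route("192.204.0.0/16", 64500),    # less specific upstream aggregate
    route("198.51.100.0/24", 64500),   # unrelated prefix
]


if __name__ == "__main__":
    for dst in ("192.204.4.10", "192.204.4.200", "192.204.9.1"):
        r = best_route(OBSERVED, dst)
        print(f"{dst:>15} -> {r.prefix} via AS{r.origin_as}")
    for prefix, asn, kind in suspicious_announcements(OWNED, OBSERVED):
        print(f"ALERT {kind}: {prefix} originated by AS{asn}")
```

The /25 pulls only the upper half of the /24 away from its owner, which is why monitoring has to check every sub-prefix of owned space rather than just the exact prefix.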

  • Say you can shut down the Internet for a prolonged period of time. What purpose would that serve? What has the "Internet" community done more harm than good any group of people? (I've seen almost EVERY minority/majority use the Internet to spread their word. It's cheap, anonymous, use almost any media (pictures/words) and can reach a worldwide audience.)

    Could you imagine the amount of pressure law-enforcement departments would have to capture those responsible? Could you imagine the laws that would be enforced/enacted to prevent this thing from occurring again? Could you imagine the BigBrother mechanisms then put into place?

    Wouldn't this be a BIG step backwards for the Internet?

    And what would it prove? Is it worth it?
  • As noted in previous discussions, no sysadmin worth the name is simply going to restore-and-forget. Any that would? Fire 'em.

    They're probably counting the costs of the full security audit, including lost business due to downtime -- since it's a BAD idea to not bring the system down for a full check if some loser's obtained root access. At the very least, one needs to eliminate the possibility of remaining backdoors (probably a full re-install if possible), lock it down, and preferably try to figure out the points of entry and anything, such as database records, that may have been affected.
  • by CausticPuppy ( 82139 ) on Tuesday December 21, 1999 @04:45AM (#1457309)
    You know, if a group of physicists really put their minds to it, they could devise a way to vaporize the entire planet in a millisecond. I guess that makes them brilliant. If I tell the world how to do it I am just a bad guy enabling malicious evil scientists. If I don't tell the world I am just a clueless boaster.

    If anyone is seriously interested in this topic, I suggest studying up on M-theory, and pay close attention to the energy potential regarding De Sitter space. Then you just have to spend some long nights experimenting with the correct particle interactions (use your own equipment, of course) until you finally create your own Type 1A supernova explosion.

    If you don't want to do all that work yourself you are going to have to trust me. :-) Things never work like they're supposed to, but if this DOES work, you risk destroying your lab equipment, your house, Earth, the sun and eight other planets, Proxima Centauri, and roasting any planets that happen to be orbiting nearby stars. But you'll prove to everybody how smart you are by demonstrating a serious flaw in the existing version of our universe.
  • ...Now in my day, the parents would have thrown a fit over the police raiding our house and I wouldn't get out of the dungeon for weeks....

    My parents liked Mark Twain's idea about taking a teenage boy and stuffing him in an empty barrel (providing him food and water through the hole in the side), and keeping him there until his eighteenth birthday, upon which a suitable ceremony was performed during which the parents would decide whether to let the boy out... or plug up the hole.

    How much did my parents like Mark Twain's idea? Well, let's just say that for two months after my eighteenth birthday, I had to wear dark glasses to help my eyes adapt... :) How well did it work? Well, we had a grand total of 0 (zero) police raids on our house during my teenaged years, and the same number of confiscated computers.

    Perhaps Mark Twain should be required reading among parents of script kiddies....

    Then there was that goofball at the American Retirement Company or whatever saying he's hired this guy as a "consultant" to prevent him from sicking all the other kiddies on the company....

    In the days of the Viking raids, sometimes the Danes would exact tribute from cities in return for their "protection" from being plundered. This was called "Danegeld," and a funny thing about it -- the amount required tended to get bigger each year as the reavers returned. A common saying was "Once you start paying Danegeld, you can't get rid of the Dane."

    Perhaps a reading of medieval history should be a requirement for corporate managers.

  • by mmmmbeer ( 107215 ) on Tuesday December 21, 1999 @05:47AM (#1457318)
    Among all the hacker vs. cracker comments here, I might have missed something, but did anyone else notice the end of the 20/20 article? The article was about hacking & cracking, but the tips they gave at the end were about viruses! I can understand the media's (ongoing) hacking/cracking confusion, but can't they tell the difference between that and a virus?!
  • by smack.addict ( 116174 ) on Tuesday December 21, 1999 @05:50AM (#1457319)

    Note: the "you" in this post is a general "you" and not a reference to the original poster or any other poster in this thread.

    Whether it is $5/day or $18 million/day, the fact remains that people who hack other people's computers are violating others. There is no justification for that. Getting into an argument over exactly how much it costs takes away from that fact.

    Here are the general reasons I hear cracker dorks and script kiddies give for their asshole behavior:

    • I am doing them a service by exposing their vulnerability!
      Bullshit. If you wanted to do them a service, you would email the sys admin the hole being exploited. Breaking into their web site is, at best, a way of publicly damaging the reputation of the web site in question as well as doing damage that can range from inconvenience to, yes, millions of dollars a day. It is very similar to breaking into your neighbour's house and spray painting the walls because they forgot to lock the front door. Finally, it is very difficult to secure an NT or a UNIX machine. Punishing people because they are not the experts you think you are (but likely are not) is pathetic.
    • It's a company!
      And that makes it OK? I don't care if it is Microsoft, it is still just as wrong as doing it to an individual.
    • They did XXX (where XXX is some supposedly evil act).
      Again, so what? That does not make the act of breaking into a web site any more justified.
    • And, of course, the implied argument of this thread, "it doesn't cost them anything".
      It always costs them something. It may not be $18 million/day. It may be giving up a weekend after having worked a month without getting a weekend. It may not be anything you value at all. But it is certainly something valued by someone associated with the target site. And no one has any right to force that person to incur that cost.
  • I mean, come on. Does ABC really have that much influence on legislators? 20/20 is nothing more than a video tabloid and World News Tonight ought to be renamed "Weekly World News Tonight - Now In Full Colour!" or something sensationalist along those lines. Oh, I hear you. "But, Count Spatula, people really do take notice of programs like this one, and politicians get their cues from these newscasters!" Drek. The people who take these programs seriously also think their cats are actually their children and buy the Enquirer because "Elvis isn't really dead, just hiding in Poughkeepsie". As far as politicians go, the more criminalization that occurs, the better. It makes them look good at election time.

  • > Also, the Web site is just brochureware, there is no gateway to anything important.

    That's starting to change. Remember the web pages of three years ago? Hi! We're here! We sell stuff! Visit us in the real world! Nothing more than a billboard on the side of the highway. Now corporations are starting to use their webpages for something useful.

    But brochureware is going down the wayside. What we REALLY need right now is one of the self-proclaimed "e-commerce" companies to build a real online store app for mom and pop. (Or a rentable service.) Of course, it would also make a REALLY USEFUL open source project.

    But as we get away from brochureware, boy, it is going to be Christmas time for the crackers.
  • I saw this last night but couldn't submit a link since 20/20 was inaccessible.

    It was ridiculous.

    I got the impression that those kids threatened ABC so they could spend some time grandstanding.

    Every single person who spoke sounded like a complete idiot. Cripes, the White House might have secure internal systems, but cracking the web site should be a trivial task. When it was done, the site was probably being run by a secretary using NT. [Point, Click, white-out]
  • by eyeball ( 17206 ) on Tuesday December 21, 1999 @02:30AM (#1457329) Journal
    What was it that sysadmin said? "It cost us hundreds of thousands of dollars to reboot and repair those servers." Maybe I should hack my own site at work and tell my boss I need $300,000 to reboot the servers. Can you say new house? :)
  • Granted, I didn't see the program(s), and I'm not a security expert... but if someone is able to break into a web site by whatever exploits, they presumably have figured out one or more username/password pairs. Since many companies would likely use these names/passwords on more than one of their machines (I know, not a very bright idea), then there would be the cost of "changing all of the locks" so to speak. Plus the costs of beefing up security to prevent it from happening again (even if "lax security" wasn't the cause of the break-in)
  • I saw that on ABC last night and read another article on ABCNEWS.com [go.com] from an interview with L0pht saying they can take down the Internet in 30 minutes. I've thought about it and couldn't come up with anything off the top of my head. Is this a group just boasting or is there any fact to it? Wasn't the decentralized nature of the Internet designed to avoid going down during war and the like?
  • What kind of hacker wouldn't have an install of the most widely used software on the net? Would he want to limit himself to being able to only break into *nix systems? Hackers need to know every operating system they can.
  • by theonetruekeebler ( 60888 ) on Tuesday December 21, 1999 @06:09AM (#1457350) Homepage Journal
    Fear sells. This has been a major tenet of yellow journalism and of publishing in general for some time.

    And the easiest thing to make someone afraid of is something they are dependent on, but can't control or don't understand. Fear is a great hook--you're watching Friends or whatever and all of a sudden some talking head pops up and says, "Why bottled water may be bad for you, tonight on the 11AliveCast." So you watch the 11AliveCast and they keep teasing you along until 11:26PM, when they tell you bottled water isn't fluoridated so please for ghod's sake brush.

    And the next week bottled water sales are down. They really are. Air travel drops a small but significant amount after airline crashes, and boy-oh-boy do those ever grab airtime. The irony is that lots of those panickers end up driving, which is far more dangerous than flying.

    Or one sociopath goes and puts cyanide in Tylenol capsules in Chicago in 1982. The press went absolutely batshit over that one, and within a month seven local poisonings became 270 copycat poisonings nationwide, and every bottle of Tylenol in the U.S. had to be taken off the shelf. Within a year all OTC pharmaceuticals were repackaged to be tamper resistant, for over $1.3 billion per year in direct costs, never mind the indirect costs of making otherwise harmless medicines impossible for elderly people to open.

    Sending the population into a panic also makes governments adopt hasty, poorly thought-out measures to remedy what their citizens are convinced are terrible, terrible problems. Does anybody remember the plastic handgun scare of 1985? Huge panic, many laws passed, product did not exist and is still technologically unfeasible.

    Whipping up a frenzy of concern and fear may not be responsible journalism, but it brings in readers and viewers, consequences be damned. Speaking of hasty government actions, read about W.R. Hearst's interest in the Spanish-American war some time, if you're ever curious about the lengths people have gone to to sell papers.

    Moral: The manipulation of public perception can turn minor problems into major problems, not the least of which will be the public perception itself.

    --

  • I think this is another terrible argument. First of all, there is no need for a 15 year old to get computer knowledge by damaging other people's intellectual property. This is akin to saying drive-by-shootings need to be tolerated otherwise where would people pick up the skills needed to join the army?

    In short, we would not be deprived of much technical talent at all. It really shows that you place no value on my time, my money, or my property to ask me to "suck it up" and deal with losing time and money because some 15 year old is bored--or worse, because they want to hurt me somehow by making me look like a fool or intentionally costing me that time, money, or property.

  • Yes, but how do you value the service that the web site is providing to its users? I don't mean direct revenue but technical support, product announcements, general information. Companies can pretty much put their own pricetags to these services and then complain when the site goes down that we were just unable to provide $18 million worth of service because of some punk with a script.

    This is partly true too. Imagine the additional cost if everyone using the Microsoft (okay, a lame choice) site for technical support and information would have to call them instead of just a few clicks in the browser. In that case even the slightest disruption would result in huge 'damage'. And in cases like yahoo the revenues just from advertisement are probably astronomical.

    It is the same way that the federal government can put a pricetag to its "valuable" public service websites. It's like disabling library doors so that nobody can get in..

  • "I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another."

    Well, that's simple really. There are 3 main areas of cost to the hacked company that need to be taken into account:

    1. Paying a student $5 to upload a new html file
    2. Lost earnings/business on the website (sometimes long term)
    3. Lost productivity on the 12 managers/directors running around screaming 'hacked! we have been hacked! don't panic!'

    The 3rd point is of course the most important one, these managers can get seriously disturbed and often spend days away from their more productive work of playing windows solitaire.

    On a more serious note, these figures tend to also include figures such as hiring security people to come in and 'beef up security', run risk assessments etcetera. The other key factor is that figures are always overstated, particularly to help with the end of year figures and also to help push law enforcement to do something about it (How good a response do you think the FBI give when you complain you lost $5?). The final issue is of course lost credibility.

    There are additional things to be taken into account. Companies have been known to fake hack attempts at their own websites for the exposure it gains them. I wonder if any of these hacked websites would ever be willing to declare a negative cost to the whole thing?

  • by Ater ( 87170 ) on Tuesday December 21, 1999 @02:45AM (#1457373)
    What annoys me most about all these "hacker" stories (and most other stories too) in the news is that the reporter never ever has a friggin clue about the subject. I'm sure that l0pht and maybe GH to some extent have some legit hacking/cracking abilities, but for all I know it could just be another article glorifying script kiddies. I bet that if ABC interviewed some random 13 year old script kiddie in place of these groups, the article would pretty much be the exact same. We'd probably read something like, "Using these advanced password cracking programs, a skilled hacker like l33tb0y13 could break into even the most secure computers in the world" or some such inane tripe.

    I notice how most of the articles never really deal with the methods the crackers use. Instead what I see are quotations of the hackers boasting, and of the writer fearfully agreeing. Throw in some quotes from a paranoid and clueless law enforcement official and you got yourself an article.

    I wish ABC would have hired someone who knew what he was doing to interview those "hackers." Get an authentic security expert (and not someone like Vranesevich) and have him ask some technically oriented questions. I wouldn't mind seeing some big time cracker group exposed as a band of script kiddies or even seeing a real legit group's skills be verified by a competent source. As it stands, every hacker article appears to be FUD and needless paranoia written and advertised by someone who can't tell a telnet port from his ass. I want to see facts and commentary by someone who understands what he is talking about rather than seeing so many broad, unfounded statements rubber stamped and published.
  • Do you want a miracle or something?

    "Hackers (sic), now with their own conventions and magazines,"

    Defcon 7.0, and soon 8.0. 2600 and Phrack are both > 5 years old. NOW!? These people think at the speed of a dead elephant. I'm sure they get up each day, do exactly the same thing, go to sleep, and dream exactly the same dreams they've had for the past 20 years.

    I mean, I regularly seem to be probed by some script kiddie program that brute force checks phf, convert.bas, some Front Page things, etc. It's annoying, yes. Dangerous? No. If I don't securely lock and check on my building when I leave work, and don't buy a security system, I won't be insured. I wish "website insurance" would come out so adjustors could go, "Windows NT you say. How's 1,000,000 a month for a premium?" Maybe then we'd finally see some professionalism forced past those PHBs and clueless MCSEs.

    "With viruses available for downloading from the Web, extensive computer language knowledge is no longer needed." I remember having to deal with the Stoned Monkey virus in 1994 at a computer lab. It was more because clueless 12 year olds didn't know much about computers. Thankfully, the lab had a good teacher (I was just a TA checking on the machines). Professionalism is, again, a solution. Know your job, and do your job.

    On to the second article..

    "Their code name is "The L0pht,""
    Their group name. Double moron points for showing ddd or some visual debugger at work in the image there.

    "They are the elite of hackers, whose notoriety brought them before Congress a year ago."
    "20/20 says hackers are reeel cool d00ds! I want to be one now!" ... Jeez, I can't /wait/ to see what new script kiddies this has spawned.

    "That's correct," one L0pht member responded. "It would definitely take a few days for people to figure out what was going on."
    "Oh no, the internet is down again.." .. A few days to notice that a website is down? PLEASE. If slashdot takes longer than 8 seconds to load, I experience withdrawal symptoms.

    "What they do is try to break into programs we're led to believe are secure."
    "But MS said that this Exchange server was mission critical, even though it doesn't have any relay protection, forces us to use LookOut!, and has many obvious holes!"

    "They refer to each other by nicknames. By not revealing their real names, they protect themselves from lawsuits by companies and individuals."
    They're too young to have lawsuits pressed against them.

    "They say it's to remind us how we've become reliant on computers for more than just communicating; .... Are they legitimizing destructive behavior?"
    "Look, you rely too much on Oxygen. When I strangle you, you die! Stop relying on Oxygen so much!" .. Jeez..

    It's clear that both the reporter's poor understanding, and L0pht's annoying boasting, have contributed to bad, bad articles. Seconds to crack a password? Well, if your root password is "rootpwd," I should hope so! :-P
    ---
  • Okay. Even telling them can be bad. Example.
    A friend of mine, he finds that some unix machines used to run some financial stuff for the local university/college (which he was currently attending) had a flaw in it.. he was pokin away at it from the lab one night. Now, he did NOTHING. He did NOT deface anything, or change anything.
    He did plant one file in a directory, simply to show that it could be done.
    The next morning (when people were at work again) he notified the computer services people about the security problem, and told them to look in such-and-such a directory and to look at the file permissions to demonstrate.

    The end result was, people's egos were bruised the wrong way, and though they didn't kick him out, they 'mutually agreed' that he would drop out of school (comp. sci) and they wouldn't pursue the matter any further.

  • A better analogy would be that they go out and pick locks on other people's houses or cars, but then instead of stealing anything, they hang a big sign on the door saying "Company X builds sh*tty locks, see?"

    I'll be the first one to admit, the companies whose executives use their first names as passwords deserve to be publicly embarrassed when they determine security policies and methods without knowing anything about the subject, but even the more benign hackers are not exactly Consumer Reports. They do not "buy" the locks, they test other people's.

    The most disturbing thing about the two stories is the fact that the U.S. Attorney wonk they interviewed basically implied that the richer the person you mess with, the more serious the crime: "If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough
  • Remember that at the end of the year the amount and quality of news is significantly less than at any time during the rest of the calendar year. That is why there are so many "scary" Y2K stories and now Cracker/Hacker stories. The News departments know that most people that continue to watch these news/entertainment prime-time programs are middle-class 35-60 Americans w/kids that don't understand the Internet and if they do they think it starts with "You've got mail!!". It is sad when journalists enlist attention starved individuals (so called Crackers) to make a segment of productive, hard working people (Hackers but I hate that word) look bad.
  • by Our Man In Redmond ( 63094 ) on Tuesday December 21, 1999 @02:54AM (#1457398)
    Mr. Calculator tells me $18 million a day equates to $6,570,000,000 a year. If there was a web site making that much money we'd be hearing about it. OTOH for a company to be making a mere $100 million a year they would only have to take in somewhere on the order of $275,000 a day which is still a significant amount of money to see lost just because someone wanted to prove how 1337 they are.
    --
  • If they shutdown amazon.com's index.html for a couple of hours it might actually save Amazon some money. Seems like if they are doing business they are losing money...so stop them from doing business and they might make money.
  • I work in security and my wife and I watched both broadcasts last night. Her comment was "Why isn't this the same as breaking and entering?"

    I spouted mumbo jumbo about the FCC and interstate laws but for the most part I really didn't know.

    Why isn't page defacement classified as breaking and entering?
