Domain: washington.edu
Stories and comments across the archive that link to washington.edu.
Stories · 221
-
Computer Studies w/o Excessive Coding?
Peterus7 asks: "I'm a student at the University of Washington, and I was planning on majoring in Computer Science or Informatics until I took Computer science, and I'm realizing that it's simply beyond me. I grew up with computers, and naturally I want to study a field that involves a lot of interaction between people and technology (mainly computers), but the Intro to Java class I'm taking now is driving me over the edge. Any suggestions for a technologically intensive field that doesn't require ungodly amounts of coding, or perhaps any general methods for surviving computer science courses for new students?" -
Inexpensive Reading Assistance Device?
N8F8 asks: "I would like to come up with an inexpensive reading assist device for the visually impaired. Something that would give them a close-up view of things without having to stoop over. For under $500. What I would like is a method to connect a USB/Firewire webcam to a CDMA phone or PDA and display the picture in real-time. Or replace the PDA with an inexpensive eyeglass mounted display. Are there better options?"
"Over 1.2 million Americans are in the advanced stages of Macular Degeneration. People with very poor vision have a hard time reading everyday items like food labels, grocery store signs and newspapers. Many have resorted to carrying around large magnifying glasses and other tools so they can stoop over or pull things close enough to read. As you might imagine, this can make everyday chores rather cumbersome.
Initially, two ideas came to mind:
- A coherent fiber optic cable with a taper end to magnify the image
- A portable video camera connected to a tiny LCD monitor
The second option brought several possibilities to mind. Tiny cameras are cheap and plentiful- from USB/Firewire webcams to tiny spy cams. The ideal device would have built-in auto focus. The Apple iSight is the only webcam I've found with built in auto focus, are there others?
Tiny monitors are another matter. Many articles covering 'near eye displays', 'heads up displays' and 'head mounted displays' have been published. There are even a few interesting products on the market. Unfortunately they are all extremely expensive.
Nearly every new PDA, CDMA phone, digital camera and digital video camera contains a nice little LCD screen. Perhaps using one of these devices could help keep the cost down?" -
Planetary Formation Sim Suggests Many Water Worlds
StefanJ writes "Researchers at the University of Washington -- supported by the NASA's Astrobiology Institute, its Planetary Atmospheres program, and Intel -- have come up with a new simulation of planetary formation that suggests that not only are terrestrial planets (small, rocky worlds, as opposed to gas giants) common, but that water worlds (the subset of terrestrials that have sufficient water to support Life As We Know It) may be plentiful as well. A key factor as to how 'wet' a planetary system's terrestrial worlds get: The eccentricity of the orbits of the system's jovian worlds. It will be a while before we have telescopes good enough to actually see terrestrial planets and spec out their atmospheric composition, allowing us to reality-check these simulations. But it's still cool to play with sims like this. I can't wait for the home version! (Emergency backup link to Science Daily article based on the press release.)" -
A Hackable Media Player For HDTV
An anonymous reader writes "Embedded Linux and an open, hacker-friendly architecture power the world's first high definition media player, the $499 Roku HD1000. The brainchild of ReplayTV inventor Anthony Wood, the device could touch off a cottage industry of third-party applications and media packs that work with its Linux-based OS and user-friendly media APIs. Out of the box, the HD1000 can stream MPEG and MPEG2, play music, loop JPEGs, and more to an HDTV -- all at the same time. Roku is selling "Art Packs" of everything from museum-quality art to hot-rod cars as memory cards that work with the device. And, the company will release a C/C++ SDK for the HD1000 before 2004. Finally, there's something to actually show on your $5,000 54-inch plasma TV or 37-inch LCD TV." (Roku is also one of the companies mentioned in an earlier posting about using hi-def displays as digital art galleries). -
Universities Step Up Videogame Studies
Thanks to Wired News for their article discussing the continuing rise of academic programs related to videogames, covering the University Of Southern California, who are "...planning to offer a minor degree in the topic in the fall of 2004... it is believed to be the first major research university to do so." The article also notes that, previously, "gaming programs were limited to more-specialized schools such as DigiPen in the Seattle area and art schools like the Art Institute of California in San Francisco, which offers a degree in game art and design. NYU and the University of Washington have certificate programs in video games, and others, like MIT, wrap gaming into media studies programs." -
Napster and Gnutella Measurements
belswick writes "UW has posted a paper titled "Measuring and Analyzing the Characteristics of Napster and Gnutella Hosts" at Washington in PDF form. Interesting reading for those who implement P2P software, with actual measurements, tools, and topologies. You 3l33t H4x0rz are ACM members, R1gh4?" You can get a cache of the PDF and view it online as well. -
Big Bang Really a Big Hum
benna writes "The New Scientist reports, 'The Big Bang sounded more like a deep hum than a bang, according to an analysis of the radiation left over from the cataclysm. Physicist John Cramer of the University of Washington in Seattle has created audio files of the event which can be played on a PC. "The sound is rather like a large jet plane flying 100 feet above your house in the middle of the night," he says.' Apparently the idea for the project came from an 11 year old." -
A Fiber-Optic Cable To Inner Space
tetraconz writes "The University of Washington has been working on a vast 3000km undersea network to research the ocean floor off the West Coast. From the executive summary: (PDF) "The goal of NEPTUNE is to establish a coherent system of high-speed, submarine communication-control links using fiber-optic cables to connect remote, interactive experimental sites with land-based research laboratories and classrooms." This is an important project to explore the last unknown region of the Earth: the ocean. Check out the project homepage." -
Lost City: Where Crust Meets Mantle
An anonymous reader writes "Track two-dozen oceanographers on their one-month expedition to the Lost City, submersed off the Mid-Atlantic Ridge. Since up to a third of the planet's total biomass may live below 100 meters, one goal is to see if microbes can survive without volcanic heat--instead living off the heat of a limestone rock reaction where the crust meets the mantle. After 15 years of dormancy, this is also rumored to be the script line of the fourth Indiana Jones installment." -
Slashback: Taplight, Handheld, Samba
Slashback is packed tonight with updates and clarifications on several fronts: read on below for, among other things, BitTorrent download stats after the recent Red Hat 9 release, the BSA's questionable statistical methods when it comes to calculating incentives and losses in the source-secret software world, and (can you believe?) yet another way to assemble an eerie pulsing light fixture. Click on through for some impressive graphs. bramcohen writes "Since RedHat 9 got /.'ed last week there have been over ten thousand complete downloads using BitTorrent. Initial traffic got very high, transferring over a gibibit a second. All throughout the BitTorrent servers, run by volunteers using stock tools, held up just fine. Meanwhile downloads from RedHat Network, only available to subscribers, transferred at a crawl. The third Animatrix also got quite a few downloads. Thanks to everyone who left their downloaders running, and David Stutz and Eike Frost for setting things up."
If you exaggerate enough the first time, subsequent revisions sound like concessions. Russell McOrmond writes "An article in ITBusiness.ca includes references to the methodology of the BSA studies, and how it confuses Free/Libre and Open Source Software with piracy. There are some related articles talking about CAAST/BSA on my work weblog from the past."
Tap, Tap, Tap. feagle814 writes "Recently, I saw a question on Ask Slashdot that intrigued me. The person was asking for ideas relating to building your own glowing and color-changing ball. Being the kind of person to take such a general request for comments and turn it into a personal reason for living, I quickly skimmed the description on ThinkGeek and came up with these requirements for my project:
- It must meet the generic description of the Ambient Orb,
- It must cost less than $50 to make,
- It must be wireless, with at least a 30-foot range, and
- It must be controllable by home computer.
After much deliberation, I came up with the following solution. I've included pictures and instructions, as well as a recounting of my experiences."
Not just a simulation. Olmy's Jart writes "This is a followup to yesterday's article on "Samba Exploit Discovered, Fixed". Digital Defense has posted an apology to the Samba Team for posting a complete live working exploit (not even a mere "proof of concept", but a zero day rooter) on their site for this vulnerability. The exploit has been taken down, for what that's worth now. This is being reported in an article on ZDNet AU. Digital Defense now claims that this was done without the approval of their management."
Funny, CompUSA is finally selling duplicators, too. Unominous Coward writes "According to this article, the man who planned to install CD copying machines around Australia has withdrawn from the idea. Not surprisingly, this was after a lawsuit by the music industry."
Anyone who would like to buy me one is free to do so. prostoalex writes "Sharp Zaurus deal is back at Home Shopping Network. Sharp Zaurus SL-5500 is $199, but a coupon code HSN4897 knocks the price down by 15%. With standard shipping the order comes to around $173."
We need both more Korean food and more Korean electronics. Jo "directhex" Shields writes "HEXUS.net has completed its extensive messing around with GamePark's GP32 Handheld, which received a mention a couple of days ago on Slashdot (and received the usual thrashing from members too busy to read the article but not too busy to post trashy ill-informed comments about it).
It should help to clear up a few myths about what the unit is, what it tries to do, and what it succeeds at doing. Read the review, and pass mighty Slashdot Judgement."
-
Plotting/Graphing Programs for Mac OS X
brarrr writes "I'm starting out in graduate school at the UW in Materials Science and Engineering and doing research on spin electronics. Results from this work have me searching for a Mac OS X plotting/graphing program for 2D data and there are many of them, but no useful comparison anywhere. What do you use? What do you recommend? Why? My uses will include plotting, presentation, curve fit, trendline analysis, and more. I've looked briefly at: pro Fit, gnuplot (difficult to use, not very professional output), Abscissa (site is down, cannot evaluate), SmileLab (not very robust), Tecplot, IGOR (so far the best looking, but expensive), and KaleidaGraph (difficult to use, feels poorly ported). So what works/doesn't work? And don't bother saying Excel...." -
Gibson to Embed Guitars with Ethernet
caseyuw writes "Gibson is planning to roll out their Magic this year with the delivery of guitars using Cat 5 instead of analog cables to connect instruments and amplifiers. The debate over the quality of digital vs analog signal processing is not new, but using a 'Magic' Les Paul would force you entirely into the digital domain." We mentioned this last year, but the above article has much more information. -
Setting Up Pelco-Based A/V Surveillance?
A not-so Anonymous Coward asks: "I'm working on setting up a surveillance system over a standard IP network and I've run into some difficulties with the audio. The camera is a Pelco Spectra III dome cam, which transmits the video to a web interface via a Pelco-net NET101T-A transmitter. The camera is completely controlled via the web interface. The transmitter also includes bi-directional audio capabilities. I have the audio transmission from the mic working very nicely, but have so far been unable to transmit audio from the PC side to the transmitter, which should route the signal to the RCA audio out, which leads to standard amp/speakers in a remote location. Does anybody have experience with this sort of setup, Pelco hardware specifically, or at least some suggestions?" -
PINE Releases 4.50
-
Can Poisoning Peer to Peer Networks Work?
andrewchen writes "Can poisoning peer to peer networks really work? Business 2.0 picked up my research paper from Slashdot and wrote an article about it. In my paper, I argue that P2P networks may have an inherent "tipping point" that can be triggered without stopping 100% of the nodes on the network, using a model borrowed from biological systems. For those who think they have a technical solution to the problem, I outlined a few problems with the obvious solutions (moderation, etc.)." -
A Maglev Train System for Florida?
Artifice_Eternity writes "For 20 years, citizens of Florida have been pushing for high-speed rail, as an alternative to the state's ever-growing, yet ever-crowded highways. A previous plan, the Florida Overland eXpress (FOX), was killed by governor Jeb Bush in 1998. The voters responded by passing a referendum to require the building of a "bullet train," starting by November 2003. The new Florida High Speed Rail Authority is focusing first on the busy Miami-Orlando and Tampa-Orlando corridors, but eventually hopes to serve the whole state. And they are seriously considering maglev technology! If the Florida HSR system did use maglev, it would be the largest one in the world. (Right now, maglev is in use on test tracks in Germany and Japan, with a 30-kilometer system under construction in Shanghai.) However, I like this humorous proposal best: it takes the idea of a "bullet train" literally, using the Jules Verne approach to propulsion." -
Collapsing P2P Networks
Andrew writes "I'm an undergraduate at the University of Washington, and after seeing this article on Salon, I dusted off a paper I had written last year. I examined P2P networks under a model usually used in describing animal populations, and found that it may be possible to cause a collapse in the network based on the intrinsic nature of the technology. Just as in animal populations, P2P networks require a sizable "critical mass" of users, and overharvesting can cause a systemic collapse - what if this were done on purpose? Quite ominously, my second recommendation on disruption was carrying damaged or incorrectly named files. You can read the abstract and the actual paper." -
Improving Unix Mail Storage?
At first, there was mbox, then there was Maildir, and Bill begat Outlook and .mbx. CaraCalla wonders if there is a better way to store mail than the way we currently store it today. I admit, with the changes that email has undergone over the past 5 years (changes in what is being sent, not necessarily in how it is sent), it may be time to reinvent the mail format. Read on for CaraCalla's analysis of the current mail options, and his thoughts on where we may go in the future. If you were to design your own MUA, how would you design its mail storage? CaraCalla asks: "Does anybody know a good, free solution for storing mail on unix hosts? The reason that I ask this question is my discontent with available techniques:
- mbox: There are problems with locking, corruption, access-times, and bloat.
- Maildir: Do you really want to clutter your system with millions of small files? That's waste of inodes, space (unless perhaps you use Linux/ReiserFS or SGi) and just try to open a Maildir with 1000+ mails and see how long it takes your favorite Mailprogram to only display the subjects.
- Cyrus: Basically the same as Maildir with database features.
- UW-Imap mbx: That's classical mbox with extensions allowing multiple access.
- Evolution: Basically mbox with database features.
- Windows clients: Typically some proprietary db-format. Pathetic.
But the thing that bugs me most is disk space. Typical inboxes are made of 5% to 10% of Text including Headers and HTML. The rest are BASE64- (or UU-) encoded pictures, word documents, zip archives and so on. The problem here is the encoding which wastes considerable amounts of space (at least one third).
Some ideas about the ideal mail-storage:
- One file per Mailbox-folder, allowing multiple folders per user. Should those files reside in one central location or in users Homedirs?
- Compression: Should messages be broken into pieces and the MIME-attachments stored separately (thus searching of the text parts would still be possible without decompressing the whole file)?
- File format: gdbm, Sleepycat db? Something new?
- Should the security model allow users to directly access their files, grep them, copy them around?
- Shared folders, virtual domains?
- Unicode support in folder names? Imap message-IDs, flags, useragent specific state-information?
- How would MTAs deliver mail? How would clients access? File-locking (NFS)?
- What about backwards-compatibility? Writing libmailstore (anyone)? adopting UW c-client?
Does my ideal mailstorage exist somewhere? Is somebody working on a project addressing this? Does anybody have some other hints? And please no mbox/Maildir flamewar!"
-
Will Robots Cheer Up the Elderly?
Drath writes "Researchers at Purdue University are conducting a study by placing Sony Aibo robots in a Lafayette, IN nursing home. They want to see if robots can make people happy. Let's hope they have robot insurance." Makes you wonder if the AARP will have a position paper on this. Hope when I get old(er) I'll have gold plated killer robots around for my entertainment. pycananthemum also was kind enough to send in a link to the Project page. -
Geek Food: A Cookbook for the Technologically Inclined
thaen writes: "Might want to check out the latest offering from arstechnica.com. Somebody has compiled a 51-page book of recipes written by geeks, for geeks, and originally posted in the arstechnica 'Lounge' forum. Mmmm...the omelette..." I seriously hope that the macaroni and cheese recipe really needs "tabasco sauce", rather than "tobacco sauce", because I can't even imagine... no. Not going to think about it. -
Slashback: Highness, Hominess, Hole-ines
Slashback tonight with updates on SSH vulnerabilities, the Queen's web server, the European answer to GPS (in danger, it seems) and your ever-thinner rights to use software for anything you don't have specific permission for. Sometimes being British means self-flagellation. Ferox writes: "The November Web Site Survey from Netcraft reveals something interesting: 'Two years ago the Queen of England became an unlikely icon for the Linux revolution when her webmaster replaced Solaris as the platform for the Royal Family's site, citing the better price/performance of the Dell/Linux platform over the previous incumbent, Sun/Solaris. The open source community celebrated and speculated on when the Apache web server might receive the "By Royal Appointment" moniker. This week the site has changed platforms again, this time to Microsoft-IIS.'"
Keep your hands and passwords inside the car at all times. Niels Provos passed along word of his ongoing research into network security, with some slightly depressing news about the state of Internet security.
Even though the CRC32 bug was found over a year ago, over 30% of all servers are still vulnerable today. Graph at http://www.citi.umich.edu/u/provos/ssh/crc32.png.
In February 2001, Razor Bindview released their "Remote vulnerability in SSH daemon crc32 compensation attack detector" advisory, which outlined a gaping hole in deployed SSH servers that can lead to a remote attacker gaining privileged access.
In November 2001, Dave Dittrich published a detailed analysis of the "CRC32 compensation attack detector exploit." This exploit is currently widely in use. CERT released Incident Note IN-2001-12.
At the Center for Information Technology Integration, Niels Provos and Peter Honeyman have been scanning the University of Michigan for vulnerable SSH server software to identify and update vulnerable SSH servers. However, scans of the Internet show that system and security administrators must react and update their SSH servers. At this writing, over 30% of all SSH servers appear to have the CRC32 bug.
A simple solution is to remove support for Version One of the SSH protocol. The majority of servers on the Internet support the SSH v2 protocol. To test whether your network has vulnerable SSH servers, you might use the ScanSSH tool.
References: "ScanSSH - Scanning the Internet for SSH Servers", Niels Provos and Peter Honeyman, 16th USENIX Systems Administration Conference (LISA). San Diego, CA, December 2001. This information is also available at http://www.citi.umich.edu/u/provos/ssh/
Don't play with your food, or your games. janolder writes "In the matter of the Civilization III translation project (articles on slashdot, apolyton and heise), the fans have gotten the short end of the stick. The project web site (translation.civ3.de) has been down for a while. Earlier this week, both the web site operator and Kai Fiebach, the project leader, signed Infogrames' cease and desists out of fear of further legal action. The legal position (not to mention the moral position) of the fans did not appear to be too weak - EULAs are not binding in Germany and supplying patches to a program is certainly not the same as translating a book and distributing the translated manuscript.
Infogrames Germany has issued another press release (translation and my comments) justifying their legal action and position. It makes for an interesting peek into the mindset of a game publisher.
The good news is that Infogrames is considering a more timely release of Civilization III in Germany.
The bad news is that the cease and desists apparently forbid any modification of Civ3 in any way, shape or form. So no more custom maps for your friends, custom rules or any such copyright infringing activity, please! Is it just me, or has the world suddenly become a less interesting place?"
Not as if Americans always know where we are, either. ByTor-2112 writes "Hate to be the bearer of bad news so soon after a story is posted, but as I commented on the previous story, it appears that galileo has some funding issues. Honestly, did anyone really expect the EU to go through with it? It took them long enough to agree on a common currency!"
-
Miniature Humanoid Robot based on 19th Century Toy
dbowden writes: "Recently, Slashdot ran an article about a humanoid robot which runs Linux. It weighs 121 lbs, uses two 750 MHz Pentium III processors, and runs RT-Linux. It also requires a technician to push around a huge power supply that's attached to the robot by an umbilical cord. I found another robot, Baps, which only weighs 6.6 lbs (3 Kg), runs on a single 133 MHz Pentium processor with 32 MB of RAM and 48 MB of flash memory, and is based on a child's toy that was designed in 1888. It also runs on Linux, but requires very little power to move (it can be run on CO2 cartridges), so it doesn't require an umbilical cord, or bulky power supply." (He's also got some tips on building your own below.)
"I remember playing with these toys as a child, and thinking how cool they were. For the ./ers who like to build robots, both of these walkers use McKibben Artificial Muscles instead of normal pneumatic cylinders.
I built one of these last week -- they're surprisingly easy to build, and I think they'll be fun to play with. For those with larger budgets, who don't want to build their own, The Shadow Robot Co. in the UK, and Images Co. in the US, both sell pre-made air muscles."
-
Programmers, Not Lawyers, Defining Rights
bhendrickson writes: "Berkeley law professor Lawrence Lessig delivered the most cogent speech I have heard defending the freedoms created by technology and threatened by expanding intellectual property laws. While Lessig's conclusions about Napster, packet switching, and antitrust are far from revolutionary for Slashdot, his legal and historical perspective I found compelling. The MP3 is available directly or as a stream, both provided by technetcast." Great thing to stream while you're at work. -
The Open Source Evangelists Respond
EconomyGuy writes "Looks like some big players all got together to respond to Microsoft's recent claims about the GPL. CNet is running a story about it, or you can read the response right here. If names like ESR, Linus, RMS, and Perens can all agree on something to say, then Microsoft's plan to split the community just might backfire on them." -
Univ. of Washington Announces First Nanotech Ph.D.
Scott Brauer writes: "The University of Washington's Center for Nanotechnology has announced that the UW will be host to the first nanotech degree program in the U.S. An article in The Daily, the campus newspaper, mentions here that the Ph.D. offered is an 'option program' within a group of other programs, meaning that 'students will earn simultaneous degrees in both nanotechnology and in one of nine other departments.' The program is estimated to have 20 to 40 students per year, including this year, as soon as the Board of Regents makes its expected vote of approval. Another article can be found here." -
MySQL Or pgSQL Drivers For UW IMAP?
Elias Israel asks: "The UW IMAP documentation comes right out and says: keeping mail in a flat file is slow and annoying. Especially if, like me, you get tons of e-mail. I've tried filtering. I've tried archiving. I've tried everything. But the sad fact is that I just have too much email and it takes too long for the IMAP server to do anything because it has to scan each mail file to find the message boundaries. With all of the development that surrounds pgSQL and MySQL, I would have thought that someone would have come up with a c-client driver for one of these freely-available databases, so that you could use something fast and indexed for the back-end of your IMAP server. Even the discussion forum on the UW IMAP information pages is strangely silent on the issue. What gives? Is anyone out there working on it? If not, why not?" -
Quickies from OLS - les Quickies d'OLS
I'm here at Ottawa Linux Symposium, and I took the Quickies to the crowd and let them pick some of today's Quickies. Hope you like them. CitizenC told us to check out The Kama Sutra of Winnie the Pooh. Scary. alpha264 wrote in about a pegboard computer. Darkness Productions told us that Spaz Labs was back. Phrogman shared a huge collection of Space Images now available on Spaceref.com. kbolton told us to look at streaming anime for free. scampbell said that Yamaha Paper Craft has updated their rare-animal paper sculpture collection to include the Yellow-eyed Penguin. _endgame mentioned that voting has begun for the Freenet Logo. An anonymous coward wrote in about the Men of Sieg Hall calendar. I included that one for Telsa. cdlu wrote (from about ten feet away) about this thing that creates much annoyance from the console. MURL said that Christopher Lee has been cast in the role of a charismatic separatist in Episode II. And finally, I just wanted to mention that Dave Taylor from that company stopped by just to make sure that he wasn't mentioned in the Quickies. Teehee. -
Black Holes Don't Exist???
OldSoldier writes: "Here is an article that was first published in the April issue of a small SciFi magazine called Analog. The author, John Cramer, is one of two columnists for the Alternate View column and his columns are very thoughtful and more grounded in science than most. In particular, this article states that there is a small but growing group of physicists who have come up with an alternate formulation to Einstein's General Relativity equations that do two rather stunning things. One is that they allow super massive non-black hole objects and the other is that they are able to be quantized. If you like this article, I suggest you go to his index and read some of his previous articles." -
Lightning Crashes, An Old Freedom Dies (Updated)
Last week, I gave a presentation on SurfWatch, and blocking software in general, in downtown Holland, Mich. Preparing for it was an interesting experience, mostly in annoyance, hard work, and dealing with getting seriously sick two days before. Read on for the story of recovering, preparing, talking, giving away $100, a bolt of lightning, and why nothing anyone does is going to stop fundamentalists from bringing issues like this to America's ballots.
I'm not a public speaker, and I hadn't stood before an audience in quite a while. The feedback I'd gotten from my first presentation on SurfWatch was that I talked too fast and too much. At the time, I'd wanted to communicate as much as possible of what the Censorware Project had learned over the last two years, in a half hour. An impossible task, and I shouldn't have tried.
But I felt I could do better, so I wanted to try again. That's the effort that ended up becoming Thursday's presentation.
My main problem is that the subject is complicated. Many computer professionals have this problem when trying to communicate computer-related ideas to nonprofessionals. If these things were simple, we wouldn't need computers. But trying to get across too much information in a half hour didn't work.
The other thing I'd tried that didn't work was borrowing the computers of the Family Research Council. The FRC had two computers set up, one filtered and one not, run by two volunteers. I'd thought it would be a clever coup to use their own computers to show their software failing.
But it wasn't impressive for one reason: when I showed an innocent Web site blocked, all that showed up was the "Blocked by SurfWatch" screen. I was using the FRC's filtered computer and their other one was turned off. Nobody had any idea that valuable information was being blocked, except me.
Kind of the way the censorship works in the library. But not an effective demo.
For my second go at it, I rented a ballroom in downtown Holland, advertised it in the paper, and brought my own computers. I purchased SurfWatch and installed it on one of them. And I spent some time thinking over which issues were important enough to hit and which were just too technical to mention.
Setting up was great fun, if by "fun" I mean wrestling with a network under a deadline. The 10baseT jack didn't seem to be connected, one of the extension cords didn't work, a projector wouldn't turn on, and finally I was faced with Windows' endless dialog boxes of options just to use DHCP. But it all worked out with time to spare.
I began my talk by explaining why I was there and why blocking software was wrong. Currently, Holland's opposition to the software is being waged largely on political issues: chiefly, the fact that three-fourths of library taxpayers cannot vote on the ballot. To many, what the blocking software actually does is a non-issue.
But these are mere procedural concerns. Every community is going to have to face the core problem squarely, sooner or later; it might as well be now. So I began my talk by laying out, from the beginning, my belief that blocking software inherently violates the First Amendment.
After talking about some of the myths put forth in the community's debate, my next step was to display some pornography on the big screens. The local Family Research Council has been trotting out a presentation that focuses on some of the most graphic stuff available on the web: bestiality, fisting, etc. I'd decided to try not offending my audience quite as much. I chose some milder Web pages, mostly softcore, though several of the sites I chose also contained harder material.
And, of course, unlike the Family Research Council's, my demonstration showed the pornography appearing on both screens: filtered and un-.
I think I'll not reveal here which porn sites I showed. I want to see how long SurfWatch goes without finding them. So far it's been about two weeks, but of course revealing them here would get them blocked immediately for PR purposes.
I will say that I chose six sites that all begin with the letter "A". This was to make the point that there is plenty of unblocked pornography - there being 25 other letters in the alphabet. As if to make my point, a Tennessee paper ran that same day a story about a schoolteacher who was fired for accessing over a hundred porn sites - right through the school's "filter."
After all, if the software fails only a tiny fraction of the time, it still allows through - dozens? hundreds? thousands? - of porn sites. How many porn sites does the average person need? What's the point in blocking 99% of it, if the remaining sites are more than enough to keep anyone busy?
The next step in my talk was the flip side: showing protected Web pages unfairly blocked. Finding a plethora of wrongly-blocked pages was easy. SurfWatch uses URL keyword blocking, so, for example, the complete text of the classic book Of Human Bondage is blocked because of "bondage" in the URL. The hard part was narrowing the list down to 10 to demonstrate.
(If you're interested, here are the ten blocked pages I used: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10.)
Next, I pointed out that these sorts of errors were not often corrected. What data there is suggests that most errors go unfixed. In our analysis of Web logs in the State of Utah, we found about 300 wrongly blocked sites, of which only six were overridden. Also, in the Family Research Council's $7,000 canned demo, they tried to show how easy it was to fix errors by unblocking The Onion. Since they couldn't even do their prepared site correctly (they left graphics.theonion.com blocked), how could the staff be expected to do the job on real sites, in a busy library?
I explained that the errors I'd found were intrinsic to blocking software, because of the growth of the Web. In my first talk, I spent 10 minutes talking about exponential growth; this time, I just gave the impressive figure that, during just the course of my talk, a million Web pages were created or changed. Much quicker and I'm sure it made the same point.
There seemed to be concern, in Holland, that pornography just "pops up" at any time, for no reason. I debunked that myth by pointing out that typos almost never lead to offensive Web sites. I read this quote from the Supreme Court's ruling on the Communications Decency Act, where they affirmed a lower court's conclusions:
"Communications over the Internet do not 'invade' an individual's home or appear on one's computer screen unbidden. Users seldom encounter content 'by accident.' ... Almost all sexually explicit images are preceded by warnings as to the content. Even the Government's witness ... testified that the 'odds are slim' that a user would come across a sexually explicit site by accident."
All the incidents of "verified pornography" in the Holland press seem to boil down to the same two cases over and over. In the first, a woman was reading Hotmail and, when she was done, closed the browser window. Behind it was porn that another user had left up as a prank.
There are programs that can be run between users' sessions to shut down Netscape and clear its history - my local library is using one with much success - so blocking software isn't necessary to solve this problem. I've explained this to the woman, but she continues to use her incident as an argument for blocking software.
The second incident involved a teenage girl. It seems she was at the library computer and stumbled across naked women purely by accident while doing an innocent search for chocolate chip cookie recipes. Interestingly, she didn't report this to her mother, apparently out of embarrassment, until weeks later. I'd like to speak with her as well but the local pro-filtering groups refuse to put her in touch with me.
I haven't been able to replicate this event, and neither have other people who have tried. And I know a lot about search engines. Now, I'm not saying it didn't happen. Maybe it was a misunderstanding.
What I did in my speech was hold up a $100 bill and offer it to the first person who could show me how it was done. I'll make the same offer to Slashdot readers. Let's see whether this is an urban legend or not. See the bottom of this story for the rules.
I spoke briefly about the legal issues. The Holland area has been hearing suggestions that it will be legally safer to use blocking software. In fact, though the case law is by no means definitive, the experiences of Livermore and Loudoun point toward the opposite conclusion.
Next was the fun part, where I brought up some quotes from the two organizations pushing filters in Holland to illustrate the folly of relying on unaccountable third parties for censorship. In a 1996 legal brief, the Family Research Council had mentioned Cyber Patrol by name as a product that families and libraries "should make use of." But just two years later, in a bulletin called "Filtering Out Decency," they were warning parents away from using the same software.
Why? Because Cyber Patrol had stuck to its guidelines for what constituted hate speech. They had reviewed the American Family Association, the other organization pushing filters in Holland, and found them to be espousing intolerance of homosexuals. The entire AFA site now found itself censored, by the same type of software it had been pushing. In a bulletin called "Filtering Out Morality," the AFA warned parents to think twice before using any blocking software:
"In a secularist culture, both filtering software and federal regulations may well be used to filter out Christianity along with other undesirable elements.
"Another kind of software simply informs parents what sites their children have visited. Instead of making it impossible for children to see certain sites, this approach puts parental discipline at the center. Children, realizing that their parents are looking over their shoulders, are thus taught to internalize the restraints and to develop a conscience of their own.
"As Christians get involved in these debates - before they get filtered altogether - they should keep in mind the warning of the great Puritan poet John Milton ... 'If it come to prohibiting, there is not aught more likely to be prohibited than truth itself.'"
Teaching children to develop a moral conscience of their own? There's a radical idea. Why did it take censorship backfiring before anyone thought of that?
I wrapped things up by talking for a bit about the importance of teaching these moral lessons to children. The children of today are growing up in the 21st century. The Internet will be available to them on every street corner and desk, and mostly unfiltered. What they need is not a temporary and leaky set of blinders strapped on. They need to be given an ethical foundation and the self-reliance to make good decisions about their own lives.
Somewhere in there I called up the AFA's Web site and showed that their discussion about pornography was blocked by SurfWatch as if it were pornography. That got a chuckle from the audience and made the point: it isn't just one product that backfires. The very product that has been pushed in their community blocks the very organization that has spent $35,000 pushing it.
As I wrote in an earlier article, I'm not sure any of this will make any difference to most people. For most, the issue is and will always be pornography: to be against pornography is to support filters.
And the opposition to sexually explicit material is, at heart, an emotional one. It's a primal one. Sex and fear are two of the gut instincts that we humans carry with us from our earliest days.
The day after my talk, the Holland Sentinel carried a powerful interview with the man who is behind the city's ballot initiative. Irv Bos is the head of the Holland Area Family Association, a branch of the American Family Association.
It seems his aversion to pornography began when he was a boy, in a dramatic incident. At the age of 12, he found a book by the side of the road - a book with stories about "pretty graphic things," a book that the young boy secreted away in his parents' barn.
When "lightning struck the barn, burning it to the ground," it must have been a frightening demonstration of God's power to the guilty child, the child who associated that barn with sneaking behind his parents' back to do evil things, to read evil words.
I think I put together a pretty good presentation Thursday night, but it couldn't have compared to a bolt from the sky striking down a house of evil - like "Sodom and Gomorrah," according to Mr. Bos's recollections.
That's hard to top. I can talk about the Internet equivalents of electrons and lightning rods all I want. But I don't think anyone can get through to people who believe this battle to be an epic one, a battle of good and evil. There is something primal there.
We'll see Tuesday night how the vote comes out.
Rules for the $100 offer are as follows. Find a search result URL that shows naked people, for a search on "chocolate chip cookies" or "chocolate chip cookie recipes." I'll accept any variant that an inexperienced Web-surfer might search for. Your result must appear on one of the first five pages of results returned (typically the first 50 results). I'll accept any major search engine. Send me the exact query you used; I will only accept queries I can verify to work as claimed. You aren't allowed to put up a cookie page, submit it, then change its content; to prevent this, you have until 11:59 PM EST, Wednesday the 23rd. Only the first person gets the money; order is determined by timestamp of Received: headers at my server. I'll mail you a check or donate it to your favorite charity. This offer is made by me personally, not Slashdot, Andover.net, or VALinux. Notify me at jamie@mccarthy.org.
Update: 02/22 9:30 PM EST by J : I'm getting a lot of submissions that underscore the importance of properly spelling queries. Since I said I'd allow variants, I'll allow these and pick the most reasonable-sounding to give the $100 to. Some of the better ones so far: "chocchipcooky," "chocolateecipe," and the amusing "chocolatecoochie." If you can't beat those, don't bother emailing me.
But what I'm really looking for is a search engine result that looks innocent - that a 16-year-old girl might click on without suspecting pornography at the other end. See the CNN story:
"She typed in 'Chocolate Chip Cookies,' hit the search button and immediately there appeared before her eyes a picture of a nude woman."
The issue is whether pornography appears unexpectedly, from clicking on an innocent-looking link. If no one finds one of those, the other Slashdot authors and I will just decide on the most reasonable-sounding of the other submissions (first entries win ties).
-
Xerox PARCers Doug Engelbart and Alan Kay Webcast
Ryandav writes "Dr. Doug Engelbart, inventor of the mouse, and Dr. Alan Kay, creator of overlapping windows, were both part of the research group that created ARPAnet, and were heavily involved at Xerox PARC. Both were invited by the Progress Project and the University of Washington to speak about issues confronting humans as we rethink information technology in the future. The entertaining talk was archived for Webcast here." For those who enjoyed the article we posted earlier about the origins of the Lisa UI, check this out, too. -
Security Expert Dave Dittrich on DDoS Attacks
We've linked to plenty of "secondhand" media pieces about the recent DoS attacks on major commercial Web sites. Fine. Now here's real, hard-core hard-tech info on the subject - in answer to your excellent questions - from somebody who actually knows what's going on, namely Dave Dittrich from the University of Washington. He's been interviewed up the yin-yang this last week by mainstream reporters who probably wouldn't understand half the answers he gives here. But this is Slashdot, so he didn't have to hold back or dumb anything down. Click below and enjoy!
Dave:
First off, I'd like to thank Slashdot for giving me an opportunity to spew my opinions. Since Slashdot readers look for "stuff that matters," I'll #include [std/disclaimer.h] and say that this is me talking, not my employer, and I'll be honest about what I think the issues are (and hopefully not ramble too much).
Is a network proof against DDoS possible?
by Paul Crowley
Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
Dave:
There are flaws in anything created by humans. Sure, the TCP/IP protocols we are using today have some weaknesses, but they also work amazingly well, don't you think? And all things created by humans are improved over time as new ideas are developed and known problems are identified and solved. It's just a matter of how quickly these improvements can be implemented, and as we've seen with GOSIP, IPv6, etc. change can come very slowly. (A good book on this topic if you are interested is "Diffusion of Innovations", by Everett M. Rogers, The Free Press, ISBN 0-02-926650-5.)
Denial of service attacks are one of the easiest forms of attacking systems and networks; resources can easily be exhausted, programming flaws in network stacks and devices can be exploited to cause failures, covert channels can be created allowing hidden and practically unstoppable communication and control. In other words, there is no single "this problem" to be solved here, but rather a whole bunch of little "these problems".
In fact, the current DDoS tools implement UDP large packet floods, TCP SYN (session setup resource exhaustion) floods, ICMP "echo" floods and "Smurf" (directed broadcast ICMP "echo reply") floods, and other DoS techniques could easily be added (and many other exploits exist).
Yes, there are some proposed fixes that can address some of these problems. I'll get to them in a minute.
Other methods?
by Dr Caleb
There seem to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.
Would changing to IPv6 help eliminate these types of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.
Dave:
I don't claim to be enough of an expert on IPv6 yet to say which of the current set of DoS attacks are eliminated by its features (better to ask the real experts like Steve Bellovin). Perhaps IPv6's Quality of Service features, IPSec authentication features, etc., *may* provide a means of defeating some packet flood attacks by rate limiting flows, allowing quicker discarding of "invalid" packets, etc., but I'm not sure if it will entirely eliminate DoS attacks.
There are other new proposals that have recently been put forward for consideration, such as Bob Moskowitz' "Host Identity Protocol" (which addresses some problems in TCP session establishment and identification of "valid" packets) and a proposed method of tracing packet flows (independent of ISP involvement) that uses a probabilistic packet marking technique developed (coincidentally) by researchers at the University of Washington. Documents describing both of these are available at:
http://staff.washington.edu/dittrich/misc/ddos/
Since IPv6 is *still* not widely implemented, and these other proposals are likely years from implementation as well, it is probably best to focus now on the fundamental issue in large scale DDoS attacks, and that is we need to put a MAJOR emphasis on minimizing the population of systems that can be trivially root compromised. (I didn't say it would be an *easy* solution, but it is one thing that can be started immediately.)
Stop Spoofing At The Backbone?
by Effugas
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Dave:
Eliminating IP source address spoofing would eliminate attacks such as forged DNS query attacks and the MacOS 9 TCP/IP stack bug (both packet size/number amplification flood attacks), and would definitely make it easier to trace packets back to their source networks, greatly simplifying and speeding up the (still major) task of stopping the agents from sending out packets and doing forensic investigation. Add to that the elimination of incoming directed broadcast packets and you also get rid of "Smurf" amplification attacks.
Not only do I think this should be done at a site's border routers, but also on all routers within the network. Programs like stacheldraht attempt to determine if they can successfully send packets with forged source addresses, and both it and TFN2K have code to randomize packets on a per octet basis (not exactly CIDR compatible, but still pretty clever and effective.) This means that if you have a /16 network with several hundred subnets, the agents could forge the final two octets, looking like they are coming from hosts on all of a site's subnets at once. Depending on your network infrastructure and political organization and authority, this can either force you to have to sniff on *each* subnet, or do your own router-by-router debugging of packet flows to locate the actual host(s) sending the packets (links to various documents on packet tracing are found on the page I referenced above.) If no host can forge source addresses beyond its own subnet, the task is greatly simplified (and you only need to put filters on one router to stop the flow from one agent host.)
Practices like those described in RFC 2267 should, in my opinion, be a standard requirement under any network peering agreement and AUP, but what motivation do ISPs and NAPs have to enforce them? It's not common for a company to say to a customer, "Hey, I don't want to take your money!" It tends to be a matter of waiting for an attack to happen for upper management to start asking the techies how to react, but by then the damage is already done. More emphasis on prevention and preparation for possible attacks seems to me to be more prudent (some ways of mitigating DDoS attacks are also listed on the page referenced above). If it costs more, so be it. That is the price of betting our economy on the Internet as its fundamental infrastructure.
The bad news here is that this tactic of filtering does nothing to deal with bandwidth (or other resource, like half-open socket) consumption attacks -- e.g., large packet UDP or ICMP floods, or SYN floods to random ports -- so again we've only solved a subset of the problems (forged addresses and directed broadcast), not to mention this solution doesn't help at all with the initial compromises and installation of agents.
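The filtering choice described in the answer above, as an added example that is not part of the interview: a small Python model of an RFC 2267 style ingress filter applied once at the site border and once on the first-hop router, run against every source an agent can forge by randomizing the last two octets of a /16. The site block 10.1.0.0/16, the agent subnet 10.1.37.0/24, the agent host and the interface names are constructed for the example.

```python
"""RFC 2267 style ingress filtering: border-only versus per-subnet.

Added example; the site prefix, agent subnet and interface names below are
constructed, and the filter is a minimal model of what a router ACL does.
"""
import ipaddress
from itertools import product

SITE = ipaddress.ip_network("10.1.0.0/16")           # constructed site block
AGENT_SUBNET = ipaddress.ip_network("10.1.37.0/24")  # constructed agent subnet
AGENT_HOST = ipaddress.ip_address("10.1.37.200")     # constructed agent host


class IngressFilter:
    """Permit a packet only if its source lies in a prefix that is expected
    to appear on the interface it arrived on."""

    def __init__(self, allowed_by_iface):
        self.allowed = {iface: [ipaddress.ip_network(p) for p in prefixes]
                        for iface, prefixes in allowed_by_iface.items()}

    def permits(self, iface, src):
        src = ipaddress.ip_address(str(src))
        return any(src in net for net in self.allowed.get(iface, []))


# The border router only knows "anything from inside is the site /16";
# the subnet's first-hop router knows exactly which /24 sits behind it.
BORDER = IngressFilter({"inside": [str(SITE)]})
FIRST_HOP = IngressFilter({"subnet37": [str(AGENT_SUBNET)]})


def forged_sources():
    """Every source an agent on the /16 can produce by randomizing the last
    two octets (the per-octet trick the interview attributes to
    stacheldraht and TFN2K)."""
    base = int(SITE.network_address)
    return [ipaddress.ip_address(base + (o3 << 8) + o4)
            for o3, o4 in product(range(256), range(256))]


def survivors(filt, iface, sources):
    """Number of forged packets a given filter lets through."""
    return sum(1 for s in sources if filt.permits(iface, s))


def subnets_to_sniff(filt, iface, sources):
    """How many distinct /24s the surviving forged traffic appears to come
    from, i.e. how many subnets an admin would otherwise have to sniff."""
    return len({int(s) >> 8 for s in sources if filt.permits(iface, s)})


def compare_filters():
    srcs = forged_sources()
    return {
        "total_forged": len(srcs),
        "pass_border_only": survivors(BORDER, "inside", srcs),
        "pass_first_hop": survivors(FIRST_HOP, "subnet37", srcs),
        # Forging an address outside the /16 is stopped even at the border.
        "outside_site_pass_border": survivors(BORDER, "inside",
                                              ["192.0.2.5", "203.0.113.9"]),
    }


if __name__ == "__main__":
    for k, v in compare_filters().items():
        print(f"{k}: {v}")
    print("subnets implicated, border only:",
          subnets_to_sniff(BORDER, "inside", forged_sources()))
    print("subnets implicated, first hop:",
          subnets_to_sniff(FIRST_HOP, "subnet37", forged_sources()))
```

With the border filter alone every one of the 65536 forged sources is accepted and the flood appears to come from all 256 subnets; with the filter on the first-hop router only the 256 sources that happen to fall inside 10.1.37.0/24 get out, and they all point at the one subnet where the agent actually lives.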
Firewalls for Dummies?
by hiendohar
With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?
Dave:
I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.
This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)
Not only that, but most broadband ISPs have user bases far larger than they have staffing to support, so even trying to contact them, find your way through the tier1/tier2/first line manager/Nth line manager hierarchy, and actually identify the owner of a compromised cable modem or DSL served system can take days. These customers' systems make excellent bases for scanning/attacking other sites, running eggdrop bots, or "bouncing" connections to make it harder to trace attack activity, and the intruders know this.
As for education, I am not quite sure what can be done there. Mandatory "driver's license" style tests before getting a DSL account? Forget it. "Tickets" handed out by the Net Police for allowing your system to be compromised and used to attack other sites? Not likely, and I don't think anyone wants that. Lawsuits by victims of attacks against the owners of compromised systems? That is already starting to happen, but do we really want people to learn as a result of lawsuits, to throw lawyers at the problem, diverting badly needed system admin funds to pay $200 an hour to the suits?
There probably will need to be some monetary incentive to securing systems (because people pay attention to money.) The federal government is passing laws about privacy of personal, medical, and credit information (and these can't be private if the systems that house them are not secure), and insurance companies will likely start charging higher rates for systems that are not managed well and become involved in security incidents with high dollar damages (but PLEASE, first raise the rates on anyone who drives a car while talking on a cell phone!)
Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.
"Personal firewall" software is also becoming popular, but I've wasted many an hour explaining to someone reporting an "attack" that what his program was reporting was either a false positive, or was mis-categorized, and not at all what they thought. Feature filled packet filtering programs allow users to shoot themselves in the foot and break TCP/IP applications, while overly simplified programs leave gaping holes or users turn off too much and only think they have security. A lot more work and education is needed in this area.
A fruitless exercise?
by john@iastate.edu
Isn't the intersection of the sets:
- Clueless enough to allow massive DoS out of their network.
- Yet likely to install this detector.
Dave:
Yes. Next question?
Seriously, the detection of agents/handlers on a system, and on the network, let alone doing forensic data gathering to assist in stopping a distributed attack and identifying the attacker, is not easy. There are too many ways for an intruder to disable logging and accounting, conceal programs and files using "root kits" and loadable kernel modules, and change the defaults for commands and packet contents that will defeat the file system and network scanners that have been developed to deal with these DDoS programs, and the learning curve is steep to counter the intruders' anti-detection measures.
This is one of my pet peeves; THERE ARE NOT ENOUGH GOOD SYSTEM ADMINISTRATORS. There needs to be WAY MORE of them, they need to be PAID AND TRAINED BETTER, and (to put it bluntly) they need to be considered a critical resource REQUIRED for powerful computers on the Internet today, not as overhead expense to be minimized.
The fundamental requirement for securing (or breaking into) any system is knowing how the system works, how to take it apart and how to put it back together again. These DDoS attacks over the past six months have been made more costly to respond to because of things like "root kits", which exceed the average admin's ability to get around. For more on why, see:
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
I think a big reason that Universities, K-12s, small businesses and non-profits, and home users with cable modem and DSL lines have their systems regularly compromised is because these systems are often deemed a necessity for research or business, but the only money that goes into them is the money it took to buy the hardware in the first place. They very often do not have tape drives, software upgrade licenses and regular patch application, sufficient manuals or books on system administration, and the person administering the system is usually the first person who can spell "U-N-I-X" and has a "real" job doing research, programming, or Web page design.
People need to start thinking about today's top of the line computers on gigabit networks as the equivalent of a BMW, a Range Rover, or an Audi A series. You would be an idiot to only put gas into it and never take it in for regular maintenance, instead trying to do the work yourself in the garage, and to leave a spare set of keys in plain view on the dashboard. No, you take your car in regularly to a trusted and trained mechanic (and pay $50 an hour for their skills), change the oil and rotate the tires regularly, and do your best to keep it from being stolen (including buying those annoying car alarms that nobody pays attention to when they go off.) But that is basically what too many people do with computers; don't take care of them, don't hire skilled people to regularly maintain them, don't adequately monitor them, and don't really care if someone else hijacks them.
I regularly hear people say, "I don't care about securing my system. I don't have anything important on it. What could they steal?" Well, there are gigabytes of disc space these days, REALLY fast CPUs that can spit out lots of packets, and high-speed network connections. It is when tens or hundreds of thousands of people think and act this same way that someone else suffers. This attitude HAS to change and people HAVE to learn about the risks and ways to address them.
Should security research be done in obscurity?
by crush
It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?
Dave:
Yes, I think the open research model is justified. There is a passage in the Bible (John 8:32, and on a plaque in CIA HQ), "And ye shall know the truth, and the truth shall set ye free." But that only works when everyone knows the truth (and uses that information wisely in their design and purchasing decisions). Until that balance is reached, those who wish to abuse this knowledge win out over those who have not yet attained it. It's that simple (and that hard - ooh, how Zen like.)
As you point out, there is a large percentage of system admins that don't have the same knowledge as those who break into their systems. If that percentage (of a very large, and growing number of powerful computers on fast networks) isn't reduced, the total number of systems that can be compromised and controlled by an attacker grows to the point where it's now possible to build attack networks of two or three THOUSAND computers.
What I think needs to happen is to follow the advice of someone (I forget the source) who said, "There should be a hacker on every board of directors," and I would add on every development team. I don't think it helps to ignore weaknesses, or keep them quiet, because they will eventually cause problems. And it is not enough to identify the weaknesses if nobody learns from the mistakes of the past and actively tries to avoid them in the future. One reason that these changes occur so slowly, in my opinion, is that the people who really know the technical details of security are too far removed from the real decision makers, and the layers of managerial filtering in between often filter out the security voices in favor of the "let's please the masses" voices.
Engineers are not taught simply how to construct buildings, they are taught how to know when they will fail so they don't come crashing down and kill everyone. There are standards and codes that say how buildings should be constructed, and we (for the most part) don't have much trouble with buildings killing us in the U.S. But software and operating systems are designed for ease of installation and use by the largest number of (untrained) people possible and practically nobody complains. Where is this same sense of "we must build it so it doesn't break?"
I hear an ad for a new online bank and think, "Great. Now all my bank Web based business communication site and think, "Great. Now the people discussing business plans will have their discussions at risk." I hear a news story about a company that facilitates designing buildings online and think, "Great. Now the plans to unknown office buildings are at risk." I can just picture the CEOs and the stock analysts drooling at how cool and efficient these new web tools are, and how much money the company that produced them is going to make, but unless they are designed with security in mind from the start, they should all be considered very risky to use.
Somebody in a position of decision making authority for any e-business needs to understand these weaknesses that are discovered and publicized, and to make sure these weaknesses are acknowledged and addressed in ALL computer based system and application designs.
Recognizing DoS
by angst_ridden_hipster
I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.
The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30 p.m. in Los Angeles to be a DoS attack.
To solve these problems, you have to know what's causing them. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).
In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home e-mail and find out.
With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the Web?
Dave:
Not necessarily. Sure, normal usage may exceed capacity. But a protest by thousands of people is not "normal usage;" that is a mass exercise of individual rights in a democracy to gather and express their opinions. [I live about four blocks from where the tear gas and concussive grenades were being lobbed at protesters, and I personally think the response was excessive and the protesters had a right to protest. They weren't damaging property in my neighborhood, they were chased into it, and traffic could simply go around it. Seattleites are used to backups, like you point out.]
I really don't know if I'd have a problem if 3,000 people decided to all individually use their browsers and click away at a major Web site as a form of protest, using their own computers and risking possible legal action as a price. (The JavaScript used to protest the WTO was a cool hack, and quite publicly known and used by individuals with their choice. That is less questionable in my mind as a means of protest.) That's what it means to have freedom of assembly and freedom of speech; you protest in person, gathering with like minds. I marched against the Gulf War bombing, and was glad I could exercise that right when I felt it was important.
I *don't* think it is OK for a single individual (or small group) to take control of the resources of 3,000 *unknowing* individuals' resources and anonymously force them into that individual's service. That is not an exercise of democratic speech, that's theft of private resources. That's what DDoS attacks are.
If there is a problem with truly normal usage exceeding capacity, you could argue that capacity simply needs to be increased, and there is a cost associated with that increase. I start to question things when this increase in capacity is made on an insufficient budget, so there is nothing left for people and tools to protect the new "required" infrastructure. If the infrastructure is so vital, should its proper monitoring and administration be neglected? Is it wise to use this as the infrastructure for our record-setting-growth economy? If we build a fragile infrastructure for our economy just for the sake of growth and short term revenue (and pandering to customers demanding more and more services at lower and lower prices), and the result is that an individual can wage an anonymous protest and take parts of it down, I'd rather that the growth was a bit slower and infrastructure was more secure.
Antionline: True help?
by cswiii
I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?
Dave:
I have not seen any news reports that Antionline was enlisted to assist the FBI (and don't see anything searching CNN online.) I also read a Reuters article that claimed Mixter wrote stacheldraht (he did not), and that stacheldraht is used to break into systems (it has nothing to do with breaking in, just sending packets -- the break-ins are done using other tools, which usually implement buffer overflows in services like rpc.cmsd, rpc.ttdbserverd, amd, named, etc.)
Just because the media says something (or worse, one reporter quotes another reporter) that doesn't mean it is true. They make plenty of mistakes, especially when reporting on tight deadlines (I have published corrections to some articles in the DDoS page I referenced above.)
Government
by interiot
If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:
- Understand the problem well enough
- Spot good solutions if they come along
DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.
Dave:
"The government" is a pretty big population, which includes federal law enforcement (as you point out), as well as a huge slew of departments and agencies, their state/local equivalents (including public schools and universities). In such a large population, you will find both skilled and unskilled members of that population (fitting a bell-shaped curve like most populations).
If we don't like it that all attacks are attributed to "hackers", we should likewise have some respect and not just jerk our knees and say anyone who works for the government is automatically clueless.
The Government Accounting Office (GAO) has been auditing and analyzing many of the federal departments and agencies for years, and some of its reports (I have a number linked on my home page) are pretty critical, while others highlight agencies that have done a lot to secure their systems and provide "best practices" advice to improve the situation.
As for law enforcement, the FBI has been doing a lot recently to create a skilled central core of computer crime analysis and investigation resources, and in establishing training facilities and developing working relationships with their peer agencies in other countries (since the Internet is global, response must be global). Since they haven't been at this very long, of course this will be a bumpy and sometimes inconsistent process, and it will take time to build depth and breadth of computer forensics skills (and there is usually a LOT of forensic data to process and understand), but they are working very hard.
I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)
If you've read the National Plan -- subtitled "An Invitation to a Dialogue" -- you will see that a great deal of thought has gone into dealing with infrastructure protection, and that they are asking for cooperation and input from the private sector security experts, which means us. (Now is the time to make your opinions known, and that doesn't just mean ranting on the dc-stuff list, where you are preaching to the choir. Of course, people there will agree with you, but does that change anything? You need to write your Congressional representatives, the President's Council, and vote.)
I, too, question the amount of emphasis in the current budget being placed on surveillance, but I'm really happy to see money being allocated to programs like better forensic analysis capabilities and identifying talented high-school students and helping them to study computer security in college, rather than ignoring their talent (a form of disrespect or a result of fear) and risking losing them to a life of attacking systems instead of securing them.
For example, I know at least one admin (who was 15 at the time I met him) who knows more about securing Unix systems than many admins I encounter on a daily basis. Sure, he was 15 and had some issues with judgment that 15-year-olds have that caused friction with his employers, but he was just 15! Give him a break, and respect his talents! If he was managed more closely, his obvious skills would *still* be an asset to his former employers. I don't want to see someone like this get frustrated at not finding a place to get paid for what he loves to do, and land in jail for following his curiosity and passion in his own way (which usually involves making an eventual mistake in judgment that draws the attention of law enforcement). I already pointed out there is a lack of skilled system administrators, and I'd rather see young talent be put to use to solve these problems, and the National Plan addresses this.
Internet Worm
by Ex Machina
What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?
Dave:
Given what I've seen as far as these particular tools go (including the scanner used by one group), I have no reason to believe the current attacks are automated and worm-like.
That said, I think it won't be long before someone *tries* to take that next step and further automate the process of scanning & intrusion to constitute DDoS networks.
Think about it, though, for a moment. Using the current DDoS tools, the intruders need to create a large network, without losing agents due to attrition as system/network admins notice the initial "setup" intrusions, and they would have to control the growth of this network so that the handlers are not crushed under the weight of an overly large network (or exposed because the agent "Hi mom!" traffic gets too noisy), hope that clocks are synchronized well enough to not expose the attack too early, and to control the resulting network during an attack, all without being detected. There are some tricky issues of coordination and communication that must be dealt with to prevent such a worm from running wild and disclosing itself. Whoever wants to try this should probably ask rtm about what it feels like to make that kind of mistake.
The alternative is to not use a coordinated/distributed model, but instead use the more standard model of propagating uncontrolled attack agents using a combination of social engineering and trojan horse programs. This has already happened.
In early February, 1999, a message faked to look like it came from Microsoft, claiming to be an upgrade to Internet Explorer (with an attached program named "ie0199.exe") was sent to many thousands of users on the Internet. Those who ran this program got what appeared to be an innocuous error message about a missing DLL, and most just gave up and deleted the message. What they didn't realize was that they had just unwittingly installed a program on their system that set itself up to run on boot the *next* time the system came back up. At next system startup, the program then started sending packets (as a self-described act of revenge) to random hosts on the Bulgarian Telecommunications Company network, causing them significant problems for who knows how long.
Worms also seem to work best against a single, self similar operating system/architecture/service combination, which means the attackers would have to do the same recon scanning they do now to get a list of these hosts, so why not just stick with what they know works and infect systems on the list in parallel, instead of by some non-deterministic spreading behavior?
-
Security Expert Dave Dittrich on DDoS Attacks
We've linked to plenty of "secondhand" media pieces about the recent DoS attacks on major commercial Web sites. Fine. Now here's real, hard-core hard-tech info on the subject - in answer to your excellent questions - from somebody who actually knows what's going on, namely Dave Dittrich from the University of Washington. He's been interviewed up the yin-yang this last week by mainstream reporters who probably wouldn't understand half the answers he gives here. But this is Slashdot, so he didn't have to hold back or dumb anything down. Click below and enjoy!
Dave:
First off, I'd like to thank Slashdot for giving me an opportunity to spew my opinions. Since Slashdot readers look for "stuff that matters," I'll #include [std/disclaimer.h] and say that this is me talking, not my employer, and I'll be honest about what I think the issues are (and hopefully not ramble too much).
Is a network proof against DDoS possible?
by Paul Crowley
Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
Dave:
There are flaws in anything created by humans. Sure, the TCP/IP protocols we are using today have some weaknesses, but they also work amazingly well, don't you think? And all things created by humans are improved over time as new ideas are developed and known problems are identified and solved. It's just a matter of how quickly these improvements can be implemented, and as we've seen with GOSIP, IPv6, etc. change can come very slowly. (A good book on this topic if you are interested is "Diffusion of Innovations", by Everett M. Rogers, The Free Press, ISBN 0-02-926650-5.)
Denial of service attacks are one of the easiest forms of attacking systems and networks; resources can easily be exhausted, programming flaws in network stacks and devices can be exploited to cause failures, covert channels can be created allowing hidden and practically unstoppable communication and control. In other words, there is no single "this problem" to be solved here, but rather a whole bunch of little "these problems".
In fact, the current DDoS tools implement UDP large packet floods, TCP SYN (session setup resource exhaustion) floods, ICMP "echo" floods and "Smurf" (directed broadcast ICMP "echo reply") floods, and other DoS techniques could easily be added (and many other exploits exist).
Yes, there are some proposed fixes that can address some of these problems. I'll get to them in a minute.
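The TCP SYN flood named in the answer above as a session setup resource exhaustion attack, as an added example that is not code from the interview: a Python model of a listen socket's table of half-open connections, flooded with SYNs from forged sources that never complete the handshake. The capacity, the timeout, the rate and every address are constructed. The forged_prefix parameter exists only to show that it makes no difference whether the forged sources are ones an ingress filter would have permitted.

```python
"""Half-open connection (SYN backlog) exhaustion.

Added example, not from the interview. Models the server side of the TCP
three-way handshake with a fixed-size table of half-open connections, the
resource a SYN flood consumes. Capacity, timeout, rate and addresses are
constructed values.
"""
from collections import OrderedDict


class SynBacklog:
    """A listen socket's table of half-open (SYN_RECV) connections."""

    def __init__(self, capacity, syn_timeout):
        self.capacity = capacity
        self.syn_timeout = syn_timeout
        self.half_open = OrderedDict()   # (src, sport) -> time the SYN arrived
        self.dropped = 0
        self.established = 0

    def _expire(self, now):
        # An entry is held until the handshake completes or the server
        # gives up retransmitting SYN/ACK; a forged source never answers.
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.syn_timeout:
                del self.half_open[key]

    def on_syn(self, src, sport, now):
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1            # table full: SYN silently dropped
            return False
        self.half_open[(src, sport)] = now
        return True                      # SYN/ACK sent, slot now occupied

    def on_ack(self, src, sport, now):
        self._expire(now)
        if (src, sport) in self.half_open:
            del self.half_open[(src, sport)]
            self.established += 1
            return True
        return False                     # no slot was reserved: client refused


def run_flood(capacity=128, syn_timeout=75.0, syns=250, rate=50.0,
              forged_prefix="10.1.37.", client_delay=1.0):
    """Send `syns` SYNs at `rate` per second from forged sources, then let a
    legitimate client try `client_delay` seconds after the flood stops."""
    server = SynBacklog(capacity, syn_timeout)
    for n in range(syns):
        # Constructed forged sources; none will ever reply to the SYN/ACK.
        server.on_syn(forged_prefix + str(1 + n % 250), 40000 + n, n / rate)
    now = syns / rate + client_delay
    # Constructed legitimate client completing a normal handshake.
    syn_ok = server.on_syn("198.51.100.7", 51515, now)
    ack_ok = server.on_ack("198.51.100.7", 51515, now + 0.05)
    return {"client_connected": syn_ok and ack_ok,
            "half_open": len(server.half_open),
            "syns_dropped": server.dropped}


if __name__ == "__main__":
    print("client right after the flood:", run_flood())
    print("forged sources from another prefix:",
          run_flood(forged_prefix="192.0.2."))
    print("client after the entries time out:", run_flood(client_delay=76.0))
```

A five second burst of 250 SYNs fills all 128 slots, and the slots stay full for the whole 75 second timeout, so a real client arriving a second later is turned away; changing which addresses were forged changes only the bookkeeping, which is the point made above about what source filtering does not fix.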
Other methods?
by Dr Caleb
There seems to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.
Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.
Dave:
I don't claim to be enough of an expert on IPv6 yet to say which of the current set of DoS attacks are eliminated by its features (better to ask the real experts like Steve Bellovin). Perhaps IPv6's Quality of Service features, IPSec authentication features, etc., *may* provide a means of defeating some packet flood attacks by rate limiting flows, allowing quicker discarding of "invalid" packets, etc., but I'm not sure if it will entirely eliminate DoS attacks.
There are other new proposals that have recently been put forward for consideration, such as Bob Moskowitz' "Host Identity Protocol" (which addresses some problems in TCP session establishment and identification of "valid" packets) and a proposed method of tracing packet flows (independent of ISP involvement) that uses a probabilistic packet marking technique developed (coincidentally) by researchers at the University of Washington. Documents describing both of these are available at:
http://staff.washington.edu/dittrich/misc/ddos/
Since IPv6 is *still* not widely implemented, and these other proposals are likely years from implementation as well, it is probably best to focus now on the fundamental issue in large scale DDoS attacks, and that is we need to put a MAJOR emphasis on minimizing the population of systems that can be trivially root compromised. (I didn't say it would be an *easy* solution, but it is one thing that can be started immediately.)
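The probabilistic packet marking idea mentioned in the answer above, as an added example that is not code from the interview or from the documents it links: the simplest node-sampling form of the idea, in which every router on the path overwrites one mark field in the packet with its own identity with probability p, and the victim orders routers by how often each one's mark arrives. The path, router names, the value of p and the bogus initial mark are constructed for the example; the scheme in the referenced UW work differs in detail.

```python
"""Probabilistic packet marking for traceback, node-sampling variant.

Added example. Routers R1..R5, p=0.5 and the "BOGUS" mark are constructed.
"""
import random
from collections import Counter

# Constructed attack path, agent side first: R1 is next to the agent,
# R5 is the victim's last hop.
ATTACK_PATH = ["R1", "R2", "R3", "R4", "R5"]


def forward(path, p, rng, initial_mark=None):
    """Carry one packet from agent to victim. initial_mark is whatever the
    sender put in the field before transmitting (normally nothing)."""
    mark = initial_mark
    for router in path:
        if rng.random() < p:        # this router decides to mark the packet,
            mark = router           # overwriting any earlier mark
    return mark


def collect_marks(path, p, n_packets, seed=1, initial_mark=None):
    """Victim side: tally the mark field over a flood of n_packets."""
    rng = random.Random(seed)       # fixed seed so the run is reproducible
    counts = Counter()
    for _ in range(n_packets):
        m = forward(path, p, rng, initial_mark)
        if m is not None:
            counts[m] += 1
    return counts


def expected_fraction(p, d):
    """Fraction of packets expected to arrive carrying the mark of the router
    d hops upstream of the victim (d=1 is the last hop): that router marked,
    and none of the d-1 routers after it overwrote the mark."""
    return p * (1 - p) ** (d - 1)


def reconstruct_path(counts):
    """Nearer routers' marks survive more often, so most-frequent-first lists
    the path from the victim outward; reverse it to get agent-to-victim
    order, the same order as ATTACK_PATH."""
    return [router for router, _ in reversed(counts.most_common())]


def trace(path=ATTACK_PATH, p=0.5, n_packets=20000, seed=1,
          initial_mark=None):
    counts = collect_marks(path, p, n_packets, seed, initial_mark)
    return reconstruct_path(counts), counts


if __name__ == "__main__":
    recovered, counts = trace()
    for d, router in enumerate(reversed(ATTACK_PATH), start=1):
        print(f"{router}: {counts[router]:6d} marks, expected about "
              f"{expected_fraction(0.5, d) * 20000:.0f}")
    print("recovered path:", recovered)
    # Weakness of node sampling: a sender who pre-fills the mark field gets
    # it delivered untouched in (1-p)^len(path) of packets, the same rate as
    # the real first router, so a bogus hop appears at the far end.
    print("with forged initial mark:", trace(initial_mark="BOGUS")[0])
```

With p = 0.5 the victim sees roughly half the packets marked by its own last hop, a quarter by the router before that, and so on, which is enough to read the path off the counts without any ISP cooperation; the forged-initial-mark run shows why the victim can only trust the ordering, not the identity of the farthest hop.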
Stop Spoofing At The Backbone?
by Effugas
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Dave:
Eliminating IP source address spoofing would eliminate attacks such as forged DNS query attacks and the MacOS 9 TCP/IP stack bug (both packet size/number amplification flood attacks), and would definitely make it easier to trace packets back to their source networks, greatly simplifying and speeding up the (still major) task of stopping the agents from sending out packets and doing forensic investigation. Add to that the elimination of incoming directed broadcast packets and you also get rid of "Smurf" amplification attacks.
Not only do I think this should be done at a site's border routers, but also on all routers within the network. Programs like stacheldraht attempt to determine if they can successfully send packets with forged source addresses, and both it and TFN2K have code to randomize packets on a per octet basis (not exactly CIDR compatible, but still pretty clever and effective.) This means that if you have a /16 network with several hundred subnets, the agents could forge the final two octets, looking like they are coming from hosts on all of a site's subnets at once. Depending on your network infrastructure and political organization and authority, this can either force you to have to sniff on *each* subnet, or do your own router-by-router debugging of packet flows to locate the actual host(s) sending the packets (links to various documents on packet tracing are found on the page I referenced above.) If no host can forge source addresses beyond its own subnet, the task is greatly simplified (and you only need to put filters on one router to stop the flow from one agent host.)
Practices like those described in RFC 2267 should, in my opinion, be a standard requirement under any network peering agreement and AUP, but what motivation do ISPs and NAPs have to enforce them? It's not common for a company to say to a customer, "Hey, I don't want to take your money!" It tends to be a matter of waiting for an attack to happen for upper management to start asking the techies how to react, but by then the damage is already done. More emphasis on prevention and preparation for possible attacks seems to me to be more prudent (some ways of mitigating DDoS attacks are also listed on the page referenced above). If it costs more, so be it. That is the price of betting our economy on the Internet as its fundamental infrastructure.
The bad news here is that this tactic of filtering does nothing to deal with bandwidth (or other resource, like half-open socket) consumption attacks -- e.g., large packet UDP or ICMP floods, or SYN floods to random ports -- so again we've only solved a subset of the problems (forged addresses and directed broadcast), not to mention this solution doesn't help at all with the initial compromises and installation of agents.
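The difference between filtering only at the border and filtering on every first-hop router, as an added example that is not part of the interview: the /16, the router names and the packets are constructed, and the agent's per-octet source forgery is stood in for by a fixed list of addresses rather than random ones.

```python
"""Simulation of the RFC 2267-style filtering argued for above: a border filter
alone versus source-address filtering on every first-hop router, plus the
directed-broadcast drop. Added example, not from the interview; the site
prefix, router names and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str          # claimed source address, possibly forged
    dst: str          # destination address
    origin: str = ""  # constructed: the router the packet really enters at


SITE = IPv4Network("10.20.0.0/16")  # constructed campus-sized /16

# Constructed: the subnet attached to each first-hop router.
SUBNETS = {
    "rtr-A": IPv4Network("10.20.5.0/24"),
    "rtr-B": IPv4Network("10.20.77.0/24"),
}


def first_hop_allows(router: str, pkt: Packet) -> bool:
    """Per-subnet filter: a host may only source packets from its own subnet."""
    return IPv4Address(pkt.src) in SUBNETS[router]


def border_egress_allows(pkt: Packet) -> bool:
    """Border filter, outbound: the source must at least belong to the site."""
    return IPv4Address(pkt.src) in SITE


def border_ingress_allows(pkt: Packet) -> bool:
    """Border filter, inbound: refuse packets claiming an internal source and
    refuse directed broadcasts to any internal subnet (the Smurf amplifier case)."""
    src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    if src in SITE:
        return False
    if any(dst == net.broadcast_address for net in SUBNETS.values()):
        return False
    return True


def egress(packets, per_subnet_filtering: bool):
    """Packets that make it out of the site under the chosen policy."""
    out = []
    for pkt in packets:
        if per_subnet_filtering and not first_hop_allows(pkt.origin, pkt):
            continue
        if border_egress_allows(pkt):
            out.append(pkt)
    return out


def apparent_source_subnets(packets):
    """The victim's view: the /24s the surviving packets claim to come from,
    i.e. the subnets an investigator would otherwise have to sniff one by one."""
    return {IPv4Network(f"{p.src}/24", strict=False) for p in packets}


# Constructed agent on rtr-A's subnet (real address 10.20.5.17) forging the last
# two octets of its source, plus one forged foreign source.
AGENT_FLOOD = [Packet(src, "203.0.113.10", "rtr-A") for src in (
    "10.20.5.17",    # the agent's own address
    "10.20.5.200",   # forged, still inside its own subnet
    "10.20.77.3",    # forged into rtr-B's subnet
    "10.20.130.45",  # forged into a subnet that does not exist at this site
    "10.20.254.9",
    "192.0.2.44",    # forged foreign source; even the border filter drops this
)]


def compare_policies(flood=AGENT_FLOOD):
    """Return (subnets the victim sees with border-only filtering,
    subnets the victim sees with filtering on every router)."""
    border_only = apparent_source_subnets(egress(flood, per_subnet_filtering=False))
    everywhere = apparent_source_subnets(egress(flood, per_subnet_filtering=True))
    return len(border_only), len(everywhere)


if __name__ == "__main__":
    border_only, everywhere = compare_policies()
    print(f"border filter only: victim sees {border_only} source subnets")
    print(f"filter on every router: victim sees {everywhere} source subnet")
```

With the border filter alone every forged address inside the /16 survives, so the victim sees four subnets to hunt through; with the first-hop filter the flood can only claim rtr-A's subnet, and a filter on that one router stops it.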
Firewalls for Dummies?
by hiendohar
With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?
Dave:
I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.
This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)
Not only that, but most broadband ISPs have user bases far larger than they have staffing to support, so even trying to contact them, find your way through the tier1/tier2/first line manager/Nth line manager hierarchy, and actually identify the owner of a compromised cable modem or DSL served system can take days. These customers' systems make excellent bases for scanning/attacking other sites, running eggdrop bots, or "bouncing" connections to make it harder to trace attack activity, and the intruders know this.
As for education, I am not quite sure what can be done there. Mandatory "driver's license" style tests before getting a DSL account? Forget it. "Tickets" handed out by the Net Police for allowing your system to be compromised and used to attack other sites? Not likely, and I don't think anyone wants that. Lawsuits by victims of attacks against the owners of compromised systems? That is already starting to happen, but do we really want people to learn as a result of lawsuits, to throw lawyers at the problem, diverting badly needed system admin funds to pay $200 an hour to the suits?
There probably will need to be some monetary incentive to securing systems (because people pay attention to money.) The federal government is passing laws about privacy of personal, medical, and credit information (and these can't be private if the systems that house them are not secure), and insurance companies will likely start charging higher rates for systems that are not managed well and become involved in security incidents with high dollar damages (but PLEASE, first raise the rates on anyone who drives a car while talking on a cell phone!)
Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.
"Personal firewall" software is also becoming popular, but I've wasted many an hour explaining to someone reporting an "attack" that what his program was reporting was either a false positive, or was mis-categorized, and not at all what they thought. Feature filled packet filtering programs allow users to shoot themselves in the foot and break TCP/IP applications, while overly simplified programs leave gaping holes or users turn off too much and only think they have security. A lot more work and education is needed in this area.
A fruitless exercise?
by john@iastate.edu
Isn't the intersection of the sets:
- Clueless enough to allow massive DoS out of their network.
- Yet likely to install this detector.
Dave:
Yes. Next question?
Seriously, the detection of agents/handlers on a system, and on the network, let alone doing forensic data gathering to assist in stopping a distributed attack and identifying the attacker, is not easy. There are too many ways for an intruder to disable logging and accounting, conceal programs and files using "root kits" and loadable kernel modules, and change the defaults for commands and packet contents that will defeat the file system and network scanners that have been developed to deal with these DDoS programs, and the learning curve is steep to counter the intruders' anti-detection measures.
This is one of my pet peeves; THERE ARE NOT ENOUGH GOOD SYSTEM ADMINISTRATORS. There needs to be WAY MORE of them, they need to be PAID AND TRAINED BETTER, and (to put it bluntly) they need to be considered a critical resource REQUIRED for powerful computers on the Internet today, not as overhead expense to be minimized.
The fundamental requirement for securing (or breaking into) any system is knowing how the system works, how to take it apart and how to put it back together again. These DDoS attacks over the past six months have been made more costly to respond to because of things like "root kits", which exceed the average admin's ability to get around. For more on why, see:
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
I think a big reason that Universities, K-12s, small businesses and non-profits, and home users with cable modem and DSL lines have their systems regularly compromised is because these systems are often deemed a necessity for research or business, but the only money that goes into them is the money it took to buy the hardware in the first place. They very often do not have tape drives, software upgrade licenses and regular patch application, sufficient manuals or books on system administration, and the person administering the system is usually the first person who can spell "U-N-I-X" and has a "real" job doing research, programming, or Web page design.
People need to start thinking about today's top of the line computers on gigabit networks as the equivalent of a BMW, a Range Rover, or an Audi A series. You would be an idiot to only put gas into it and never take it in for regular maintenance, instead trying to do the work yourself in the garage, and to leave a spare set of keys in plain view on the dashboard. No, you take your car in regularly to a trusted and trained mechanic (and pay $50 an hour for their skills), change the oil and rotate the tires regularly, and do your best to keep it from being stolen (including buying those annoying car alarms that nobody pays attention to when they go off.) But that is basically what too many people do with computers; don't take care of them, don't hire skilled people to regularly maintain them, don't adequately monitor them, and don't really care if someone else hijacks them.
I regularly hear people say, "I don't care about securing my system. I don't have anything important on it. What could they steal?" Well, there are gigabytes of disc space these days, REALLY fast CPUs that can spit out lots of packets, and high-speed network connections. It is when tens or hundreds of thousands of people think and act this same way that someone else suffers. This attitude HAS to change and people HAVE to learn about the risks and ways to address them.
Should security research be done in obscurity?
by crush
It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?
Dave:
Yes, I think the open research model is justified. There is a passage in the Bible (John 8:32, and on a plaque in CIA HQ), "And ye shall know the truth, and the truth shall set ye free." But that only works when everyone knows the truth (and uses that information wisely in their design and purchasing decisions). Until that balance is reached, those who wish to abuse this knowledge win out over those who have not yet attained it. It's that simple (and that hard - ooh, how Zen-like.)
As you point out, there is a large percentage of system admins that don't have the same knowledge as those who break into their systems. If that percentage (of a very large, and growing number of powerful computers on fast networks) isn't reduced, the total number of systems that can be compromised and controlled by an attacker grows to the point where it's now possible to build attack networks of two or three THOUSAND computers.
What I think needs to happen is to follow the advice of someone (I forget the source) who said, "There should be a hacker on every board of directors," and I would add on every development team. I don't think it helps to ignore weaknesses, or keep them quiet, because they will eventually cause problems. And it is not enough to identify the weaknesses if nobody learns from the mistakes of the past and actively tries to avoid them in the future. One reason that these changes occur so slowly, in my opinion, is that the people who really know the technical details of security are too far removed from the real decision makers, and the layers of managerial filtering in between often filter out the security voices in favor of the "let's please the masses" voices.
Engineers are not taught simply how to construct buildings, they are taught how to know when they will fail so they don't come crashing down and kill everyone. There are standards and codes that say how buildings should be constructed, and we (for the most part) don't have much trouble with buildings killing us in the U.S. But software and operating systems are designed for ease of installation and use by the largest number of (untrained) people possible and practically nobody complains. Where is this same sense of "we must build it so it doesn't break?"
I hear an ad for a new online bank and think, "Great. Now all my bank Web based business communication site and think, "Great. Now the people discussing business plans will have their discussions at risk." I hear a news story about a company that facilitates designing buildings online and think, "Great. Now the plans to unknown office buildings are at risk." I can just picture the CEOs and the stock analysts drooling at how cool and efficient these new web tools are, and how much money the company that produced them is going to make, but unless they are designed with security in mind from the start, they should all be considered very risky to use.
Somebody in a position of decision making authority for any e-business needs to understand these weaknesses that are discovered and publicized, and to make sure these weaknesses are acknowledged and addressed in ALL computer based system and application designs.
Recognizing DoS
by angst_ridden_hipster
I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.
The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30 p.m. in Los Angeles to be a DoS attack.
To solve these problems, you have to know what's causing them. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).
In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home e-mail and find out.
With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the Web?
Dave:
Not necessarily. Sure, normal usage may exceed capacity. But a protest by thousands of people is not "normal usage;" that is a mass exercise of individual rights in a democracy to gather and express their opinions. [I live about four blocks from where the tear gas and concussive grenades were being lobbed at protesters, and I personally think the response was excessive and the protesters had a right to protest. They weren't damaging property in my neighborhood, they were chased into it, and traffic could simply go around it. Seattleites are used to backups, like you point out.]
I really don't know if I'd have a problem if 3,000 people decided to all individually use their browsers and click away at a major Web site as a form of protest, using their own computers and risking possible legal action as a price. (The JavaScript used to protest the WTO was a cool hack, and quite publicly known and used by individuals with their choice. That is less questionable in my mind as a means of protest.) That's what it means to have freedom of assembly and freedom of speech; you protest in person, gathering with like minds. I marched against the Gulf War bombing, and was glad I could exercise that right when I felt it was important.
I *don't* think it is OK for a single individual (or small group) to take control of 3,000 *unknowing* individuals' resources and anonymously force them into that individual's service. That is not an exercise of democratic speech, that's theft of private resources. That's what DDoS attacks are.
If there is a problem with truly normal usage exceeding capacity, you could argue that capacity simply needs to be increased, and there is a cost associated with that increase. I start to question things when this increase in capacity is made on an insufficient budget, so there is nothing left for people and tools to protect the new "required" infrastructure. If the infrastructure is so vital, should its proper monitoring and administration be neglected? Is it wise to use this as the infrastructure for our record-setting-growth economy? If we build a fragile infrastructure for our economy just for the sake of growth and short term revenue (and pandering to customers demanding more and more services at lower and lower prices), and the result is that an individual can wage an anonymous protest and take parts of it down, I'd rather that the growth was a bit slower and infrastructure was more secure.
Antionline: True help?
by cswiii
I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?
Dave:
I have not seen any news reports that Antionline was enlisted to assist the FBI (and don't see anything searching CNN online.) I also read a Reuters article that claimed Mixter wrote stacheldraht (he did not), and that stacheldraht is used to break into systems (it has nothing to do with breaking in, just sending packets -- the break-ins are done using other tools, which usually implement buffer overflows in services like rpc.cmsd, rpc.ttdbserverd, amd, named, etc.)
Just because the media says something (or worse, one reporter quotes another reporter) that doesn't mean it is true. They make plenty of mistakes, especially when reporting on tight deadlines (I have published corrections to some articles in the DDoS page I referenced above.)
Government
by interiot
If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:
- Understand the problem well enough
- Spot good solutions if they come along
DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.
Dave:
"The government" is a pretty big population, which includes federal law enforcement (as you point out), as well as a huge slew of departments and agencies, their state/local equivalents (including public schools and universities). In such a large population, you will find both skilled and unskilled members of that population (fitting a bell-shaped curve like most populations).
If we don't like it that all attacks are attributed to "hackers", we should likewise have some respect and not just jerk our knees and say anyone who works for the government is automatically clueless.
The Government Accounting Office (GAO) has been auditing and analyzing many of the federal departments and agencies for years, and some of its reports (I have a number linked on my home page) are pretty critical, while others highlight agencies that have done a lot to secure their systems and provide "best practices" advice to improve the situation.
As for law enforcement, the FBI has been doing a lot recently to create a skilled central core of computer crime analysis and investigation resources, and in establishing training facilities and developing working relationships with their peer agencies in other countries (since the Internet is global, response must be global). Since they haven't been at this very long, of course this will be a bumpy and sometimes inconsistent process, and it will take time to build depth and breadth of computer forensics skills (and there is usually a LOT of forensic data to process and understand), but they are working very hard.
I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)
If you've read the National Plan -- subtitled "An Invitation to a Dialogue" -- you will see that a great deal of thought has gone into dealing with infrastructure protection, and that they are asking for cooperation and input from the private sector security experts, which means us. (Now is the time to make your opinions known, and that doesn't just mean ranting on the dc-stuff list, where you are preaching to the choir. Of course, people there will agree with you, but does that change anything? You need to write your Congressional representatives, the President's Council, and vote.)
I, too, question the amount of emphasis in the current budget being placed on surveillance, but I'm really happy to see money being allocated to programs like better forensic analysis capabilities and identifying talented high-school students and helping them to study computer security in college, rather than ignoring their talent (a form of disrespect or a result of fear) and risking losing them to a life of attacking systems instead of securing them.
For example, I know at least one admin (who was 15 at the time I met him) who knows more about securing Unix systems than many admins I encounter on a daily basis. Sure, he was 15 and had some issues with judgment that 15-year-olds have that caused friction with his employers, but he was just 15! Give him a break, and respect his talents! If he was managed more closely, his obvious skills would *still* be an asset to his former employers. I don't want to see someone like this get frustrated at not finding a place to get paid for what he loves to do, and land in jail for following his curiosity and passion in his own way (which usually involves making an eventual mistake in judgment that draws the attention of law enforcement). I already pointed out there is a lack of skilled system administrators, and I'd rather see young talent be put to use to solve these problems, and the National Plan addresses this.
Internet Worm
by Ex Machina
What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?
Dave:
Given what I've seen as far as these particular tools go (including the scanner used by one group), I have no reason to believe the current attacks are automated and worm-like.
That said, I think it won't be long before someone *tries* to take that next step and further automate the process of scanning & intrusion to constitute DDoS networks.
Think about it, though, for a moment. Using the current DDoS tools, the intruders need to create a large network, without losing agents due to attrition as system/network admins notice the initial "setup" intrusions, and they would have to control the growth of this network so that the handlers are not crushed under the weight of an overly large network (or exposed because the agent "Hi mom!" traffic gets too noisy), hope that clocks are synchronized well enough to not expose the attack too early, and to control the resulting network during an attack, all without being detected. There are some tricky issues of coordination and communication that must be dealt with to prevent such a worm from running wild and disclosing itself. Whoever wants to try this should probably ask rtm about what it feels like to make that kind of mistake.
The alternative is to not use a coordinated/distributed model, but instead use the more standard model of propagating uncontrolled attack agents using a combination of social engineering and trojan horse programs. This has already happened.
In early February, 1999, a message faked to look like it came from Microsoft, claiming to be an upgrade to Internet Explorer (with an attached program named "ie0199.exe") was sent to many thousands of users on the Internet. Those who ran this program got what appeared to be an innocuous error message about a missing DLL, and most just gave up and deleted the message. What they didn't realize was that they had just unwittingly installed a program on their system that set itself up to run on boot the *next* time the system came back up. At next system startup, the program then started sending packets (as a self-described act of revenge) to random hosts on the Bulgarian Telecommunications Company network, causing them significant problems for who knows how long.
Worms also seem to work best against a single, self-similar operating system/architecture/service combination, which means the attackers would have to do the same recon scanning they do now to get a list of these hosts, so why not just stick with what they know works and infect systems on the list in parallel, instead of by some non-deterministic spreading behavior?
-
Security Expert Dave Dittrich on DDoS Attacks
We've linked to plenty of "secondhand" media pieces about the recent DoS attacks on major commercial Web sites. Fine. Now here's real, hard-core hard-tech info on the subject - in answer to your excellent questions - from somebody who actually knows what's going on, namely Dave Dittrich from the University of Washington. He's been interviewed up the yin-yang this last week by mainstream reporters who probably wouldn't understand half the answers he gives here. But this is Slashdot, so he didn't have to hold back or dumb anything down. Click below and enjoy!
Dave:
First off, I'd like to thank Slashdot for giving me an opportunity to spew my opinions. Since Slashdot readers look for "stuff that matters," I'll #include <std/disclaimer.h> and say that this is me talking, not my employer, and I'll be honest about what I think the issues are (and hopefully not ramble too much).
Is a network proof against DDoS possible?
by Paul Crowley
Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
Dave:
There are flaws in anything created by humans. Sure, the TCP/IP protocols we are using today have some weaknesses, but they also work amazingly well, don't you think? And all things created by humans are improved over time as new ideas are developed and known problems are identified and solved. It's just a matter of how quickly these improvements can be implemented, and as we've seen with GOSIP, IPv6, etc. change can come very slowly. (A good book on this topic if you are interested is "Diffusion of Innovations", by Everett M. Rogers, The Free Press, ISBN 0-02-926650-5.)
Denial of service attacks are one of the easiest forms of attacking systems and networks; resources can easily be exhausted, programming flaws in network stacks and devices can be exploited to cause failures, covert channels can be created allowing hidden and practically unstoppable communication and control. In other words, there is no single "this problem" to be solved here, but rather a whole bunch of little "these problems".
In fact, the current DDoS tools implement UDP large packet floods, TCP SYN (session setup resource exhaustion) floods, ICMP "echo" floods and "Smurf" (directed broadcast ICMP "echo reply") floods, and other DoS techniques could easily be added (and many other exploits exist).
Yes, there are some proposed fixes that can address some of these problems. I'll get to them in a minute.
Other methods?
by Dr Caleb
There seem to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.
Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.
Dave:
I don't claim to be enough of an expert on IPv6 yet to say which of the current set of DoS attacks are eliminated by its features (better to ask the real experts like Steve Bellovin). Perhaps IPv6's Quality of Service features, IPSec authentication features, etc., *may* provide a means of defeating some packet flood attacks by rate limiting flows, allowing quicker discarding of "invalid" packets, etc., but I'm not sure if it will entirely eliminate DoS attacks.
There are other new proposals that have recently been put forward for consideration, such as Bob Moskowitz' "Host Identity Protocol" (which addresses some problems in TCP session establishment and identification of "valid" packets) and a proposed method of tracing packet flows (independent of ISP involvement) that uses a probabilistic packet marking technique developed (coincidentally) by researchers at the University of Washington. Documents describing both of these are available at:
http://staff.washington.edu/dittrich/misc/ddos/
Since IPv6 is *still* not widely implemented, and these other proposals are likely years from implementation as well, it is probably best to focus now on the fundamental issue in large scale DDoS attacks, and that is we need to put a MAJOR emphasis on minimizing the population of systems that can be trivially root compromised. (I didn't say it would be an *easy* solution, but it is one thing that can be started immediately.)
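The probabilistic packet marking referred to above is short enough to simulate end to end, in the edge-sampling form from Savage et al. As an added example (not code from the interview, the paper, or the page linked above), this simulates routers marking packets and a victim reconstructing the path; the eight-router path, the marking probability and the attacker's pre-loaded mark fields are constructed.

```python
"""Edge-sampling probabilistic packet marking (Savage et al., University of
Washington) simulated end to end. Added example, not code from the interview or
the paper; the router path, marking probability and the sender's pre-loaded
mark fields are constructed."""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mark:
    """The (start, end, distance) fields a router overloads into the IP header."""
    start: Optional[str] = None
    end: Optional[str] = None
    distance: int = 0


def mark_packet(mark: Mark, path, p: float, rng: random.Random) -> Mark:
    """Forward one packet along `path` (attacker side first). Each router, with
    probability p, begins a new edge (start=R, distance=0); otherwise it closes a
    just-begun edge (end=R while distance is 0) and always increments distance,
    so a mark's distance is the hop count from the edge to the victim."""
    for router in path:
        if rng.random() < p:
            mark.start, mark.end, mark.distance = router, None, 0
        else:
            if mark.distance == 0:
                mark.end = router
            mark.distance += 1
    return mark


def reconstruct(marks):
    """Victim side: bucket the sampled edges by distance and chain them outward
    from the victim. Edges at distance 0 end at the victim (end=None); an edge at
    distance d must end at the router chosen at distance d-1. Stops at the first
    gap or ambiguity, so unchainable edges are simply ignored."""
    by_distance = {}
    for m in marks:
        if m.start is None:
            continue                      # this packet was never marked
        by_distance.setdefault(m.distance, set()).add((m.start, m.end))
    path, must_end_at = [], None
    for d in range(max(by_distance, default=-1) + 1):
        hops = [s for s, e in by_distance.get(d, ()) if e == must_end_at]
        if len(hops) != 1:
            break
        path.append(hops[0])
        must_end_at = hops[0]
    return path


# Constructed path of eight routers from the agent's first hop (R1) to the
# victim's last hop (R8), and a constructed marking probability.
PATH = [f"R{i}" for i in range(1, 9)]
P = 0.04


def trace(n_packets=3000, forged: Optional[Mark] = None, seed=7):
    """Send n_packets down PATH and return the path the victim reconstructs,
    victim side first. `forged` pre-loads the mark fields on every packet, as a
    sender trying to mislead the victim might."""
    rng = random.Random(seed)
    marks = []
    for _ in range(n_packets):
        initial = Mark(forged.start, forged.end, forged.distance) if forged else Mark()
        marks.append(mark_packet(initial, PATH, P, rng))
    return reconstruct(marks)


if __name__ == "__main__":
    print("honest sender:", trace())
    # Every real router increments distance, so a pre-loaded edge can only show
    # up beyond R1, past the true path, never inside it.
    print("sender pre-loads a mark:", trace(forged=Mark("evil", "x", 0)))
```

Run with the sender pre-loading a fake edge, the true eight routers are still recovered in order and the fake router only appears past R1, which is the property that makes the scheme useful without ISP cooperation.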
Stop Spoofing At The Backbone?
by Effugas
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Dave:
Eliminating IP source address spoofing would eliminate attacks such as forged DNS query attacks and the MacOS 9 TCP/IP stack bug (both packet size/number amplification flood attacks), and would definitely make it easier to trace packets back to their source networks, greatly simplifying and speeding up the (still major) task of stopping the agents from sending out packets and doing forensic investigation. Add to that the elimination of incoming directed broadcast packets and you also get rid of "Smurf" amplification attacks.
Not only do I think this should be done at a site's border routers, but also on all routers within the network. Programs like stacheldraht attempt to determine if they can successfully send packets with forged source addresses, and both it and TFN2K have code to randomize packets on a per octet basis (not exactly CIDR compatible, but still pretty clever and effective.) This means that if you have a /16 network with several hundred subnets, the agents could forge the final two octets, looking like they are coming from hosts on all of a site's subnets at once. Depending on your network infrastructure and political organization and authority, this can either force you to have to sniff on *each* subnet, or do your own router-by-router debugging of packet flows to locate the actual host(s) sending the packets (links to various documents on packet tracing are found on the page I referenced above.) If no host can forge source addresses beyond its own subnet, the task is greatly simplified (and you only need to put filters on one router to stop the flow from one agent host.)
Practices like those described in RFC 2267 should, in my opinion, be a standard requirement under any network peering agreement and AUP, but what motivation do ISPs and NAPs have to enforce them? Its not common for a company to say to a customer, "Hey, I don't want to take your money!" It tends to be a matter of waiting for an attack to happen for upper management to start asking the techies how to react, but by then the damage is already done. More emphasis on prevention and preparation for possible attacks seems to me to be more prudent (some ways of mitigating DDoS attacks are also listed on the page referenced above). If it costs more, so be it. That is the price of betting our economy on the Internet as its fundamental infrastructure.
The bad news here is that this tactic of filtering does nothing to deal with bandwidth (or other resource, like half-open socket) consumption attacks -- e.g., large packet UDP or ICMP floods, or SYN floods to random ports -- so again we've only solved a subset of the problems (forged addresses and directed broadcast), not to mention this solution doesn't help at all with the initial compromises and installation of agents.
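Dave's filtering argument in simulated form, as an added example (mine, not from the interview and not code from any tool it names): RFC 2267-style ingress checks on a constructed site holding 10.0.0.0/16, with a border router that knows only the /16 and an access router serving 10.0.7.0/24. Every address, router name and packet below is constructed.

```python
"""RFC 2267 ingress filtering, simulated at two points in one site.

Constructed topology: the site holds 10.0.0.0/16 behind a border router whose
"site" interface only knows that /16; access router "access7" serves the
subnet 10.0.7.0/24 on "eth0".  An agent at 10.0.7.23 forges sources the way
the interview describes (random final octets), and we ask what each router
would drop if it alone were filtering.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp", "tcp" or "icmp"


class Router:
    """One router's ingress policy.  `local` maps each downstream interface to
    the prefixes legitimately behind it; `upstream` faces the outside world."""

    def __init__(self, name, upstream, local):
        self.name = name
        self.upstream = upstream
        self.local = {iface: [ipaddress.ip_network(p) for p in prefixes]
                      for iface, prefixes in local.items()}

    def _local_nets(self):
        return [n for nets in self.local.values() for n in nets]

    def check(self, iface, pkt):
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if iface == self.upstream:
            # Inbound: nobody outside may claim one of our own addresses ...
            if any(src in n for n in self._local_nets()):
                return "drop: inbound packet claims internal source"
            # ... and nobody outside may hit a subnet broadcast we serve, which
            # is what turns a subnet into a "Smurf" amplifier.
            if any(dst == n.broadcast_address
                   for n in self._local_nets() if n.prefixlen < 31):
                return "drop: directed broadcast"
            return "forward"
        # Outbound from a downstream interface: the RFC 2267 rule.  The source
        # must lie in a prefix assigned behind the interface it arrived on.
        if not any(src in n for n in self.local[iface]):
            return "drop: source not assigned to " + iface
        return "forward"


BORDER = Router("border", upstream="isp", local={"site": ["10.0.0.0/16"]})
ACCESS7 = Router("access7", upstream="core", local={"eth0": ["10.0.7.0/24"]})

AGENT = "10.0.7.23"      # constructed compromised host on subnet 7
VICTIM = "203.0.113.9"   # constructed target outside the site

# Constructed traffic.  The forged sources mimic per-octet randomization:
# one stays inside the site's /16, one does not.
OUTBOUND = {
    "honest_udp_flood": Packet(AGENT, VICTIM, "udp"),
    "forged_other_subnet": Packet("10.0.133.45", VICTIM, "udp"),
    "forged_external": Packet("192.0.2.10", VICTIM, "udp"),
}
# Smurf trigger arriving from the Internet: the victim's address as the
# forged source, our subnet broadcast as the destination.
SMURF_TRIGGER = Packet(VICTIM, "10.0.7.255", "icmp")


def outbound_verdicts(pkt):
    """What border-only filtering vs. per-subnet filtering would each do."""
    return {"border_only": BORDER.check("site", pkt),
            "per_subnet": ACCESS7.check("eth0", pkt)}


def inbound_verdicts(pkt):
    """Inbound packet as seen by the border, then by the access router."""
    return {"border": BORDER.check("isp", pkt),
            "access7": ACCESS7.check("core", pkt)}


def run_all():
    results = {name: outbound_verdicts(p) for name, p in OUTBOUND.items()}
    results["smurf_trigger"] = inbound_verdicts(SMURF_TRIGGER)
    return results


if __name__ == "__main__":
    for name, verdicts in run_all().items():
        print(f"{name:20s} {verdicts}")
```

The honest flood passing both routers is the caveat from the last paragraph: ingress filtering removes forged sources and directed broadcast, not the bandwidth consumption itself.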
Firewalls for Dummies?
by hiendohar
With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?
Dave:
I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.
This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)
Not only that, but most broadband ISPs have user bases far larger than they have staffing to support, so even trying to contact them, find your way through the tier1/tier2/first line manager/Nth line manager hierarchy, and actually identify the owner of a compromised cable modem or DSL served system can take days. These customers' systems make excellent bases for scanning/attacking other sites, running eggdrop bots, or "bouncing" connections to make it harder to trace attack activity, and the intruders know this.
As for education, I am not quite sure what can be done there. Mandatory "driver's license" style tests before getting a DSL account? Forget it. "Tickets" handed out by the Net Police for allowing your system to be compromised and used to attack other sites? Not likely, and I don't think anyone wants that. Lawsuits by victims of attacks against the owners of compromised systems? That is already starting to happen, but do we really want people to learn as a result of lawsuits, to throw lawyers at the problem, diverting badly needed system admin funds to pay $200 an hour to the suits?
There probably will need to be some monetary incentive to securing systems (because people pay attention to money.) The federal government is passing laws about privacy of personal, medical, and credit information (and these can't be private if the systems that house them are not secure), and insurance companies will likely start charging higher rates for systems that are not managed well and become involved in security incidents with high dollar damages (but PLEASE, first raise the rates on anyone who drives a car while talking on a cell phone!)
Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.
"Personal firewall" software is also becoming popular, but I've wasted many an hour explaining to someone reporting an "attack" that what his program was reporting was either a false positive, or was mis-categorized, and not at all what they thought. Feature filled packet filtering programs allow users to shoot themselves in the foot and break TCP/IP applications, while overly simplified programs leave gaping holes or users turn off too much and only think they have security. A lot more work and education is needed in this area.
A fruitless exercise?
by john@iastate.edu
Isn't the intersection of the sets:
- Clueless enough to allow massive DoS out of their network.
- Yet likely to install this detector.
Dave:
Yes. Next question?
Seriously, the detection of agents/handlers on a system, and on the network, let alone doing forensic data gathering to assist in stopping a distributed attack and identifying the attacker, is not easy. There are too many ways for an intruder to disable logging and accounting, conceal programs and files using "root kits" and loadable kernel modules, and change the defaults for commands and packet contents that will defeat the file system and network scanners that have been developed to deal with these DDoS programs, and the learning curve is steep to counter the intruders' anti-detection measures.
This is one of my pet peeves; THERE ARE NOT ENOUGH GOOD SYSTEM ADMINISTRATORS. There needs to be WAY MORE of them, they need to be PAID AND TRAINED BETTER, and (to put it bluntly) they need to be considered a critical resource REQUIRED for powerful computers on the Internet today, not as overhead expense to be minimized.
The fundamental requirement for securing (or breaking into) any system is knowing how the system works, how to take it apart and how to put it back together again. These DDoS attacks over the past six months have been made more costly to respond to because of things like "root kits", which exceed the average admin's ability to get around. For more on why, see:
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
I think a big reason that Universities, K-12s, small businesses and non-profits, and home users with cable modem and DSL lines have their systems regularly compromised is because these systems are often deemed a necessity for research or business, but the only money that goes into them is the money it took to buy the hardware in the first place. They very often do not have tape drives, software upgrade licenses and regular patch application, sufficient manuals or books on system administration, and the person administering the system is usually the first person who can spell "U-N-I-X" and has a "real" job doing research, programming, or Web page design.
People need to start thinking about today's top of the line computers on gigabit networks as the equivalent of a BMW, a Range Rover, or an Audi A series. You would be an idiot to only put gas into it and never take it in for regular maintenance, instead trying to do the work yourself in the garage, and to leave a spare set of keys in plain view on the dashboard. No, you take your car in regularly to a trusted and trained mechanic (and pay $50 an hour for their skills), change the oil and rotate the tires regularly, and do your best to keep it from being stolen (including buying those annoying car alarms that nobody pays attention to when they go off.) But that is basically what too many people do with computers; don't take care of them, don't hire skilled people to regularly maintain them, don't adequately monitor them, and don't really care if someone else hijacks them.
I regularly hear people say, "I don't care about securing my system. I don't have anything important on it. What could they steal?" Well, there are gigabytes of disc space these days, REALLY fast CPUs that can spit out lots of packets, and high-speed network connections. It is when tens or hundreds of thousands of people think and act this same way that someone else suffers. This attitude HAS to change and people HAVE to learn about the risks and ways to address them.
Should security research be done in obscurity?
by crush
It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?
Dave:
Yes, I think the open research model is justified. There is a passage in the Bible (John 8:32, and on a plaque in CIA HQ), "And ye shall know the truth, and the truth shall set ye free." But that only works when everyone knows the truth (and uses that information wisely in their design and purchasing decisions). Until that balance is reached, those who wish to abuse this knowledge win out over those who have not yet attained it. It's that simple (and that hard - ooh, how Zen like.)
As you point out, there is a large percentage of system admins that don't have the same knowledge as those who break into their systems. If that percentage (of a very large, and growing number of powerful computers on fast networks) isn't reduced, the total number of systems that can be compromised and controlled by an attacker grows to the point where it's now possible to build attack networks of two or three THOUSAND computers.
What I think needs to happen is to follow the advice of someone (I forget the source) who said, "There should be a hacker on every board of directors," and I would add on every development team. I don't think it helps to ignore weaknesses, or keep them quiet, because they will eventually cause problems. And it is not enough to identify the weaknesses if nobody learns from the mistakes of the past and actively tries to avoid them in the future. One reason that these changes occur so slowly, in my opinion, is that the people who really know the technical details of security are too far removed from the real decision makers, and the layers of managerial filtering in between often filter out the security voices in favor of the "let's please the masses" voices.
Engineers are not taught simply how to construct buildings, they are taught how to know when they will fail so they don't come crashing down and kill everyone. There are standards and codes that say how buildings should be constructed, and we (for the most part) don't have much trouble with buildings killing us in the U.S. But software and operating systems are designed for ease of installation and use by the largest number of (untrained) people possible and practically nobody complains. Where is this same sense of "we must build it so it doesn't break?"
I hear an ad for a new online bank and think, "Great. Now all my bank Web based business communication site and think, "Great. Now the people discussing business plans will have their discussions at risk." I hear a news story about a company that facilitates designing buildings online and think, "Great. Now the plans to unknown office buildings are at risk." I can just picture the CEOs and the stock analysts drooling at how cool and efficient these new web tools are, and how much money the company that produced them is going to make, but unless they are designed with security in mind from the start, they should all be considered very risky to use.
Somebody in a position of decision making authority for any e-business needs to understand these weaknesses that are discovered and publicized, and to make sure these weaknesses are acknowledged and addressed in ALL computer based system and application designs.
Recognizing DoS
by angst_ridden_hipster
I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.
The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30 p.m. in Los Angeles to be a DoS attack.
To solve these problems, you have to know what's causing them. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).
In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home e-mail and find out.
With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the Web?
Dave:
Not necessarily. Sure, normal usage may exceed capacity. But a protest by thousands of people is not "normal usage;" that is a mass exercise of individual rights in a democracy to gather and express their opinions. [I live about four blocks from where the tear gas and concussive grenades were being lobbed at protesters, and I personally think the response was excessive and the protesters had a right to protest. They weren't damaging property in my neighborhood, they were chased into it, and traffic could simply go around it. Seattleites are used to backups, like you point out.]
I really don't know if I'd have a problem if 3,000 people decided to all individually use their browsers and click away at a major Web site as a form of protest, using their own computers and risking possible legal action as a price. (The JavaScript used to protest the WTO was a cool hack, and quite publicly known and used by individuals with their choice. That is less questionable in my mind as a means of protest.) That's what it means to have freedom of assembly and freedom of speech; you protest in person, gathering with like minds. I marched against the Gulf War bombing, and was glad I could exercise that right when I felt it was important.
I *don't* think it is OK for a single individual (or small group) to take control of the resources of 3,000 *unknowing* individuals' resources and anonymously force them into that individual's service. That is not an exercise of democratic speech, that's theft of private resources. That's what DDoS attacks are.
If there is a problem with truly normal usage exceeding capacity, you could argue that capacity simply needs to be increased, and there is a cost associated with that increase. I start to question things when this increase in capacity is made on an insufficient budget, so there is nothing left for people and tools to protect the new "required" infrastructure. If the infrastructure is so vital, should its proper monitoring and administration be neglected? Is it wise to use this as the infrastructure for our record-setting-growth economy? If we build a fragile infrastructure for our economy just for the sake of growth and short term revenue (and pandering to customers demanding more and more services at lower and lower prices), and the result is that an individual can wage an anonymous protest and take parts of it down, I'd rather that the growth was a bit slower and infrastructure was more secure.
Antionline: True help?
by cswiii
I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?
Dave:
I have not seen any news reports that Antionline was enlisted to assist the FBI (and don't see anything searching CNN online.) I also read a Reuters article that claimed Mixter wrote stacheldraht (he did not), and that stacheldraht is used to break into systems (it has nothing to do with breaking in, just sending packets -- the break-ins are done using other tools, which usually implement buffer overflows in services like rpc.cmsd, rpc.ttdbserverd, amd, named, etc.)
Just because the media says something (or worse, one reporter quotes another reporter) that doesn't mean it is true. They make plenty of mistakes, especially when reporting on tight deadlines (I have published corrections to some articles in the DDoS page I referenced above.)
Government
by interiot
If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:
- Understand the problem well enough
- Spot good solutions if they come along
DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.
Dave:
"The government" is a pretty big population, which includes federal law enforcement (as you point out), as well as a huge slew of departments and agencies, their state/local equivalents (including public schools and universities). In such a large population, you will find both skilled and unskilled members of that population (fitting a bell-shaped curve like most populations).
If we don't like it that all attacks are attributed to "hackers", we should likewise have some respect and not just jerk our knees and say anyone who works for the government is automatically clueless.
The Government Accounting Office (GAO) has been auditing and analyzing many of the federal departments and agencies for years, and some of its reports (I have a number linked on my home page) are pretty critical, while others highlight agencies that have done a lot to secure their systems and provide "best practices" advice to improve the situation.
As for law enforcement, the FBI has been doing a lot recently to create a skilled central core of computer crime analysis and investigation resources, and in establishing training facilities and developing working relationships with their peer agencies in other countries (since the Internet is global, response must be global). Since they haven't been at this very long, of course this will be a bumpy and sometimes inconsistent process, and it will take time to build depth and breadth of computer forensics skills (and there is usually a LOT of forensic data to process and understand), but they are working very hard.
I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)
If you've read the National Plan -- subtitled "An Invitation to a Dialogue" -- you will see that a great deal of thought has gone into dealing with infrastructure protection, and that they are asking for cooperation and input from the private sector security experts, which means us. (Now is the time to make your opinions known, and that doesn't just mean ranting on the dc-stuff list, where you are preaching to the choir. Of course, people there will agree with you, but does that change anything? You need to write your Congressional representatives, the President's Council, and vote.)
I, too, question the amount of emphasis in the current budget being placed on surveillance, but I'm really happy to see money being allocated to programs like better forensic analysis capabilities and identifying talented high-school students and helping them to study computer security in college, rather than ignoring their talent (a form of disrespect or a result of fear) and risking losing them to a life of attacking systems instead of securing them.
For example, I know at least one admin (who was 15 at the time I met him) who knows more about securing Unix systems than many admins I encounter on a daily basis. Sure, he was 15 and had some issues with judgment that 15-year-olds have that caused friction with his employers, but he was just 15! Give him a break, and respect his talents! If he was managed more closely, his obvious skills would *still* be an asset to his former employers. I don't want to see someone like this get frustrated at not finding a place to get paid for what he loves to do, and land in jail for following his curiosity and passion in his own way (which usually involves making an eventual mistake in judgment that draws the attention of law enforcement). I already pointed out there is a lack of skilled system administrators, and I'd rather see young talent be put to use to solve these problems, and the National Plan addresses this.
Internet Worm
by Ex Machina
What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?
Dave:
Given what I've seen as far as these particular tools go (including the scanner used by one group), I have no reason to believe the current attacks are automated and worm-like.
That said, I think it won't be long before someone *tries* to take that next step and further automate the process of scanning & intrusion to constitute DDoS networks.
Think about it, though, for a moment. Using the current DDoS tools, the intruders need to create a large network, without losing agents due to attrition as system/network admins notice the initial "setup" intrusions, and they would have to control the growth of this network so that the handlers are not crushed under the weight of an overly large network (or exposed because the agent "Hi mom!" traffic gets too noisy), hope that clocks are synchronized well enough to not expose the attack too early, and to control the resulting network during an attack, all without being detected. There are some tricky issues of coordination and communication that must be dealt with to prevent such a worm from running wild and disclosing itself. Whoever wants to try this should probably ask rtm about what it feels like to make that kind of mistake.
The alternative is to not use a coordinated/distributed model, but instead use the more standard model of propagating uncontrolled attack agents using a combination of social engineering and trojan horse programs. This has already happened.
In early February, 1999, a message faked to look like it came from Microsoft, claiming to be an upgrade to Internet Explorer (with an attached program named "ie0199.exe") was sent to many thousands of users on the Internet. Those who ran this program got what appeared to be an innocuous error message about a missing DLL, and most just gave up and deleted the message. What they didn't realize was that they had just unwittingly installed a program on their system that set itself up to run on boot the *next* time the system came back up. At next system startup, the program then started sending packets (as a self-described act of revenge) to random hosts on the Bulgarian Telecommunications Company network, causing them significant problems for who knows how long.
Worms also seem to work best against a single, self similar operating system/architecture/service combination, which means the attackers would have to do the same recon scanning they do now to get a list of these hosts, so why not just stick with what they know works and infect systems on the list in parallel, instead of by some non-deterministic spreading behavior?
-
Security Expert Dave Dittrich on DDoS Attacks
We've linked to plenty of "secondhand" media pieces about the recent DoS attacks on major commercial Web sites. Fine. Now here's real, hard-core hard-tech info on the subject - in answer to your excellent questions - from somebody who actually knows what's going on, namely Dave Dittrich from the University of Washington. He's been interviewed up the yin-yang this last week by mainstream reporters who probably wouldn't understand half the answers he gives here. But this is Slashdot, so he didn't have to hold back or dumb anything down. Click below and enjoy!
Dave:
First off, I'd like to thank Slashdot for giving me an opportunity to spew my opinions. Since Slashdot readers look for "stuff that matters," I'll #include [std/disclaimer.h] and say that this is me talking, not my employer, and I'll be honest about what I think the issues are (and hopefully not ramble too much).
Is a network proof against DDoS possible?
by Paul Crowley
Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
Dave:
There are flaws in anything created by humans. Sure, the TCP/IP protocols we are using today have some weaknesses, but they also work amazingly well, don't you think? And all things created by humans are improved over time as new ideas are developed and known problems are identified and solved. It's just a matter of how quickly these improvements can be implemented, and as we've seen with GOSIP, IPv6, etc. change can come very slowly. (A good book on this topic if you are interested is "Diffusion of Innovations", by Everett M. Rogers, The Free Press, ISBN 0-02-926650-5.)
Denial of service attacks are one of the easiest forms of attacking systems and networks; resources can easily be exhausted, programming flaws in network stacks and devices can be exploited to cause failures, covert channels can be created allowing hidden and practically unstoppable communication and control. In other words, there is no single "this problem" to be solved here, but rather a whole bunch of little "these problems".
In fact, the current DDoS tools implement UDP large packet floods, TCP SYN (session setup resource exhaustion) floods, ICMP "echo" floods and "Smurf" (directed broadcast ICMP "echo reply") floods, and other DoS techniques could easily be added (and many other exploits exist).
Yes, there are some proposed fixes that can address some of these problems. I'll get to them in a minute.
Other methods?
by Dr Caleb
There seem to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.
Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.
Dave:
I don't claim to be enough of an expert on IPv6 yet to say which of the current set of DoS attacks are eliminated by its features (better to ask the real experts like Steve Bellovin). Perhaps IPv6's Quality of Service features, IPSec authentication features, etc., *may* provide a means of defeating some packet flood attacks by rate limiting flows, allowing quicker discarding of "invalid" packets, etc., but I'm not sure if it will entirely eliminate DoS attacks.
There are other new proposals that have recently been put forward for consideration, such as Bob Moskowitz' "Host Identity Protocol" (which addresses some problems in TCP session establishment and identification of "valid" packets) and a proposed method of tracing packet flows (independent of ISP involvement) that uses a probabilistic packet marking technique developed (coincidentally) by researchers at the University of Washington. Documents describing both of these are available at:
http://staff.washington.edu/dittrich/misc/ddos/
Since IPv6 is *still* not widely implemented, and these other proposals are likely years from implementation as well, it is probably best to focus now on the fundamental issue in large scale DDoS attacks, and that is we need to put a MAJOR emphasis on minimizing the population of systems that can be trivially root compromised. (I didn't say it would be an *easy* solution, but it is one thing that can be started immediately.)
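Dave names the University of Washington probabilistic packet marking proposal without describing it. As an added illustration (mine, not from the interview or from the UW authors), here is the simplest "node sampling" variant of the scheme in the Savage, Wetherall, Karlin and Anderson IP traceback paper, which I assume is the work he means: each router overwrites a mark field with its own address with probability p, so a router d hops from the victim survives in the mark with probability p(1-p)^d and the victim can recover the path by ranking marks by frequency, whatever the forged source address says. The five-router path, p = 0.5 and packet count are constructed.

```python
"""Node-sampling probabilistic packet marking, simulated from the victim's side.

Every router on the path overwrites a mark field with its own address with
probability p.  A router d hops upstream of the victim keeps its mark only if
none of the d routers after it overwrite it, so its mark arrives with
probability p * (1 - p) ** d.  Ranking addresses by frequency therefore
recovers the path even though the packets' source addresses are forged.
Real schemes must squeeze the mark into the IP header; here it is a variable.
"""
import random
from collections import Counter

# Constructed path from the flooding agent to the victim; R5 is the last hop.
PATH = ["R1", "R2", "R3", "R4", "R5"]


def mark_packet(path, p, rng):
    """Carry one packet along `path` (agent side first) and return the mark
    the victim sees, or None if no router chose to mark it."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router  # later routers may overwrite earlier marks
    return mark


def collect_marks(path, p, n_packets, seed=1):
    """Victim's tally of marks over a flood of n_packets (seeded so the
    simulation is reproducible)."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        mark = mark_packet(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return counts


def expected_fraction(p, hops_to_victim):
    """Fraction of packets expected to arrive marked by a router that has
    `hops_to_victim` routers between it and the victim."""
    return p * (1 - p) ** hops_to_victim


def reconstruct_path(counts):
    """The most frequent mark is the router nearest the victim; reverse the
    ranking so the result reads agent side first, like PATH."""
    nearest_first = [router for router, _ in counts.most_common()]
    return list(reversed(nearest_first))


def injected_mark_survives(p, path_len):
    """Known weakness of node sampling: an agent can pre-fill the mark field.
    The fake mark reaches the victim only if every real router declines to
    overwrite it, probability (1 - p) ** path_len, so p >= 0.5 keeps injected
    marks rare but never impossible."""
    return (1 - p) ** path_len


def demo(n_packets=20000, p=0.5):
    """Run the flood and return (reconstructed path, raw mark counts)."""
    counts = collect_marks(PATH, p, n_packets)
    return reconstruct_path(counts), counts


if __name__ == "__main__":
    path, counts = demo()
    for hops, router in enumerate(reversed(PATH)):
        print(router, counts[router] / 20000, expected_fraction(0.5, hops))
    print("reconstructed:", path)
```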
Stop Spoofing At The Backbone?
by Effugas
How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.
Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?
Dave:
Eliminating IP source address spoofing would eliminate attacks such as forged DNS query attacks and the MacOS 9 TCP/IP stack bug (both packet size/number amplification flood attacks), and would definitely make it easier to trace packets back to their source networks, greatly simplifying and speeding up the (still major) task of stopping the agents from sending out packets and doing forensic investigation. Add to that the elimination of incoming directed broadcast packets and you also get rid of "Smurf" amplification attacks.
Not only do I think this should be done at a site's border routers, but also on all routers within the network. Programs like stacheldraht attempt to determine if they can successfully send packets with forged source addresses, and both it and TFN2K have code to randomize packets on a per octet basis (not exactly CIDR compatible, but still pretty clever and effective.) This means that if you have a /16 network with several hundred subnets, the agents could forge the final two octets, looking like they are coming from hosts on all of a site's subnets at once. Depending on your network infrastructure and political organization and authority, this can either force you to have to sniff on *each* subnet, or do your own router-by-router debugging of packet flows to locate the actual host(s) sending the packets (links to various documents on packet tracing are found on the page I referenced above.) If no host can forge source addresses beyond its own subnet, the task is greatly simplified (and you only need to put filters on one router to stop the flow from one agent host.)
Practices like those described in RFC 2267 should, in my opinion, be a standard requirement under any network peering agreement and AUP, but what motivation do ISPs and NAPs have to enforce them? Its not common for a company to say to a customer, "Hey, I don't want to take your money!" It tends to be a matter of waiting for an attack to happen for upper management to start asking the techies how to react, but by then the damage is already done. More emphasis on prevention and preparation for possible attacks seems to me to be more prudent (some ways of mitigating DDoS attacks are also listed on the page referenced above). If it costs more, so be it. That is the price of betting our economy on the Internet as its fundamental infrastructure.
The bad news here is that this tactic of filtering does nothing to deal with bandwidth (or other resource, like half-open socket) consumption attacks -- e.g., large packet UDP or ICMP floods, or SYN floods to random ports -- so again we've only solved a subset of the problems (forged addresses and directed broadcast), not to mention this solution doesn't help at all with the initial compromises and installation of agents.
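The filter-placement argument in the answer above (border-only versus every router, against an agent forging the last two octets of a /16), as an added example that is not part of the original interview. The site prefix, subnet layout, interface names and packet samples are all constructed.

```python
"""Source-address filtering placement, in the style of RFC 2267.

Constructed example: a /16 site with several /24 subnets. One compromised
host on subnet eth1 forges the final two octets of its source address, the
behaviour the answer attributes to stacheldraht/TFN2K agents. We compare a
single border filter with per-subnet ingress filters on every router.
"""
import ipaddress
import random
from dataclasses import dataclass

SITE = ipaddress.ip_network("10.20.0.0/16")  # constructed site prefix

# Constructed layout: router interface -> the /24 it serves.
SUBNETS = {
    "eth1": ipaddress.ip_network("10.20.1.0/24"),
    "eth2": ipaddress.ip_network("10.20.2.0/24"),
    "eth3": ipaddress.ip_network("10.20.3.0/24"),
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source address claimed in the IP header


def border_filter_passes(pkt: Packet) -> bool:
    """Border-only rule: drop anything not inside the site's /16."""
    return ipaddress.ip_address(pkt.src) in SITE


def subnet_filter_passes(pkt: Packet) -> bool:
    """Per-router rule: source must belong to the subnet on the arrival interface."""
    net = SUBNETS.get(pkt.ingress_if)
    return net is not None and ipaddress.ip_address(pkt.src) in net


def classify(packets, rule):
    """Split packets into (passed, dropped) under the given rule."""
    passed = [p for p in packets if rule(p)]
    dropped = [p for p in packets if not rule(p)]
    return passed, dropped


def forged_flood(ingress_if: str, count: int, seed: int):
    """Agent on ingress_if keeps the site's first two octets, randomises the rest."""
    rng = random.Random(seed)
    return [Packet(ingress_if, f"10.20.{rng.randrange(256)}.{rng.randrange(1, 255)}")
            for _ in range(count)]


def apparent_subnets(packets):
    """Subnets the flood appears to come from, judging by source addresses alone."""
    return {ipaddress.ip_network(f"{p.src}/24", strict=False) for p in packets}


def actual_interfaces(packets):
    """Interfaces the flood really arrived on, which per-router filtering lets you use."""
    return {p.ingress_if for p in packets}


if __name__ == "__main__":
    flood = forged_flood("eth1", 200, seed=7)
    b_pass, _ = classify(flood, border_filter_passes)
    s_pass, s_drop = classify(flood, subnet_filter_passes)
    print(f"border filter passed {len(b_pass)}/{len(flood)} forged packets")
    print(f"per-subnet filter passed {len(s_pass)}, dropped {len(s_drop)}")
    print(f"appears to come from {len(apparent_subnets(flood))} subnets; "
          f"actually arrived on {sorted(actual_interfaces(flood))}")
```

The border filter accepts the whole forged flood because every address is inside the /16, while the per-subnet rule pins the traffic to the one interface it actually entered on.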
Firewalls for Dummies?
by hiendohar
With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?
Dave:
I expect the average Joe DSL to probably learn the hard way, just like he learned not to step off the curb in rush hour against the traffic light, and to take everything valuable out of his car when he parks it on a dark city street: by suffering an incident, and the resulting cleanup cost.
This is an education problem of *huge* proportion, and just like the filtering question, there isn't much motivation for ISPs to hand-hold their growing customer base, and their marketing department -- just take a look at their ads -- tells you how fast they are, but doesn't say a word about the new risks you will face (some will mail you a warning a few months later, which may be a bit too late.)
Not only that, but most broadband ISPs have user bases far larger than they have staffing to support, so even trying to contact them, find your way through the tier1/tier2/first line manager/Nth line manager hierarchy, and actually identify the owner of a compromised cable modem or DSL served system can take days. These customers' systems make excellent bases for scanning/attacking other sites, running eggdrop bots, or "bouncing" connections to make it harder to trace attack activity, and the intruders know this.
As for education, I am not quite sure what can be done there. Mandatory "driver's license" style tests before getting a DSL account? Forget it. "Tickets" handed out by the Net Police for allowing your system to be compromised and used to attack other sites? Not likely, and I don't think anyone wants that. Law suits by victims of attacks against the owners of compromised systems? That is already starting to happen, but do we really want people to learn as a result of law suits, to throw lawyers at the problem, diverting badly needed system admin funds to pay $200 an hour to the suits?
There probably will need to be some monetary incentive to securing systems (because people pay attention to money.) The federal government is passing laws about privacy of personal, medical, and credit information (and these can't be private if the systems that house them are not secure), and insurance companies will likely start charging higher rates for systems that are not managed well and become involved in security incidents with high dollar damages (but PLEASE, first raise the rates on anyone who drives a car while talking on a cell phone!)
Some ISPs now offer security services, and will provide "firewall" services for their customers, but this comes at a high price. Most users want $19.95 a month service, which is basically just buying a raw, wide open pipe.
"Personal firewall" software is also becoming popular, but I've wasted many an hour explaining to someone reporting an "attack" that what his program was reporting was either a false positive, or was mis-categorized, and not at all what they thought. Feature filled packet filtering programs allow users to shoot themselves in the foot and break TCP/IP applications, while overly simplified programs leave gaping holes or users turn off too much and only think they have security. A lot more work and education is needed in this area.
A fruitless exercise?
by john@iastate.edu
Isn't the intersection of the sets:
- Clueless enough to allow massive DoS out of their network.
- Yet likely to install this detector.
Dave:
Yes. Next question?
Seriously, the detection of agents/handlers on a system, and on the network, let alone doing forensic data gathering to assist in stopping a distributed attack and identifying the attacker, is not easy. There are too many ways for an intruder to disable logging and accounting, conceal programs and files using "root kits" and loadable kernel modules, and change the defaults for commands and packet contents that will defeat the file system and network scanners that have been developed to deal with these DDoS programs, and the learning curve is steep to counter the intruders' anti-detection measures.
This is one of my pet peeves; THERE ARE NOT ENOUGH GOOD SYSTEM ADMINISTRATORS. There needs to be WAY MORE of them, they need to be PAID AND TRAINED BETTER, and (to put it bluntly) they need to be considered a critical resource REQUIRED for powerful computers on the Internet today, not as overhead expense to be minimized.
The fundamental requirement for securing (or breaking into) any system is knowing how the system works, how to take it apart and how to put it back together again. These DDoS attacks over the past six months have been made more costly to respond to because of things like "root kits", which exceed the average admin's ability to get around. For more on why, see:
http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq
I think a big reason that Universities, K-12s, small businesses and non-profits, and home users with cable modem and DSL lines have their systems regularly compromised is because these systems are often deemed a necessity for research or business, but the only money that goes into them is the money it took to buy the hardware in the first place. They very often do not have tape drives, software upgrade licenses and regular patch application, sufficient manuals or books on system administration, and the person administering the system is usually the first person who can spell "U-N-I-X" and has a "real" job doing research, programming, or Web page design.
People need to start thinking about today's top of the line computers on gigabit networks as the equivalent of a BMW, a Range Rover, or an Audi A series. You would be an idiot to only put gas into it and never take it in for regular maintenance, instead trying to do the work yourself in the garage, and to leave a spare set of keys in plain view on the dashboard. No, you take your car in regularly to a trusted and trained mechanic (and pay $50 an hour for their skills), change the oil and rotate the tires regularly, and do your best to keep it from being stolen (including buying those annoying car alarms that nobody pays attention to when they go off.) But that is basically what too many people do with computers; don't take care of them, don't hire skilled people to regularly maintain them, don't adequately monitor them, and don't really care if someone else hijacks them.
I regularly hear people say, "I don't care about securing my system. I don't have anything important on it. What could they steal?" Well, there are gigabytes of disc space these days, REALLY fast CPUs that can spit out lots of packets, and high-speed network connections. It is when tens or hundreds of thousands of people think and act this same way that someone else suffers. This attitude HAS to change and people HAVE to learn about the risks and ways to address them.
Should security research be done in obscurity?
by crush
It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?
Dave:
Yes, I think the open research model is justified. There is a passage in the Bible (John 8:32, and on a plaque in CIA HQ), "And ye shall know the truth, and the truth shall set ye free." But that only works when everyone knows the truth (and uses that information wisely in their design and purchasing decisions). Until that balance is reached, those who wish to abuse this knowledge win out over those who have not yet attained it. It's that simple (and that hard - ooh, how Zen-like.)
As you point out, there is a large percentage of system admins that don't have the same knowledge as those who break into their systems. If that percentage (of a very large, and growing number of powerful computers on fast networks) isn't reduced, the total number of systems that can be compromised and controlled by an attacker grows to the point where it's now possible to build attack networks of two or three THOUSAND computers.
What I think needs to happen is to follow the advice of someone (I forget the source) who said, "There should be a hacker on every board of directors," and I would add on every development team. I don't think it helps to ignore weaknesses, or keep them quiet, because they will eventually cause problems. And it is not enough to identify the weaknesses if nobody learns from the mistakes of the past and actively tries to avoid them in the future. One reason that these changes occur so slowly, in my opinion, is that the people who really know the technical details of security are too far removed from the real decision makers, and the layers of managerial filtering in between often filter out the security voices in favor of the "let's please the masses" voices.
Engineers are not taught simply how to construct buildings, they are taught how to know when they will fail so they don't come crashing down and kill everyone. There are standards and codes that say how buildings should be constructed, and we (for the most part) don't have much trouble with buildings killing us in the U.S. But software and operating systems are designed for ease of installation and use by the largest number of (untrained) people possible and practically nobody complains. Where is this same sense of "we must build it so it doesn't break?"
I hear an ad for a new online bank and think, "Great. Now all my bank Web based business communication site and think, "Great. Now the people discussing business plans will have their discussions at risk." I hear a news story about a company that facilitates designing buildings online and think, "Great. Now the plans to unknown office buildings are at risk." I can just picture the CEOs and the stock analysts drooling at how cool and efficient these new web tools are, and how much money the company that produced them is going to make, but unless they are designed with security in mind from the start, they should all be considered very risky to use.
Somebody in a position of decision making authority for any e-business needs to understand these weaknesses that are discovered and publicized, and to make sure these weaknesses are acknowledged and addressed in ALL computer based system and application designs.
Recognizing DoS
by angst_ridden_hipster
I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.
The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30 p.m. in Los Angeles to be a DoS attack.
To solve these problems, you have to know what's causing them. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).
In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home e-mail and find out.
With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forge-able, traceable, unique identifier? And doesn't this translate to the demise of privacy on the Web?
Dave:
Not necessarily. Sure, normal usage may exceed capacity. But a protest by thousands of people is not "normal usage;" that is a mass exercise of individual rights in a democracy to gather and express their opinions. [I live about four blocks from where the tear gas and concussive grenades were being lobbed at protesters, and I personally think the response was excessive and the protesters had a right to protest. They weren't damaging property in my neighborhood, they were chased into it, and traffic could simply go around it. Seattleites are used to backups, like you point out.]
I really don't know if I'd have a problem if 3,000 people decided to all individually use their browsers and click away at a major Web site as a form of protest, using their own computers and risking possible legal action as a price. (The JavaScript used to protest the WTO was a cool hack, and quite publicly known and used by individuals with their choice. That is less questionable in my mind as a means of protest.) That's what it means to have freedom of assembly and freedom of speech; you protest in person, gathering with like minds. I marched against the Gulf War bombing, and was glad I could exercise that right when I felt it was important.
I *don't* think it is OK for a single individual (or small group) to take control of the resources of 3,000 *unknowing* individuals' resources and anonymously force them into that individual's service. That is not an exercise of democratic speech, that's theft of private resources. That's what DDoS attacks are.
If there is a problem with truly normal usage exceeding capacity, you could argue that capacity simply needs to be increased, and there is a cost associated with that increase. I start to question things when this increase in capacity is made on an insufficient budget, so there is nothing left for people and tools to protect the new "required" infrastructure. If the infrastructure is so vital, should its proper monitoring and administration be neglected? Is it wise to use this as the infrastructure for our record-setting-growth economy? If we build a fragile infrastructure for our economy just for the sake of growth and short term revenue (and pandering to customers demanding more and more services at lower and lower prices), and the result is that an individual can wage an anonymous protest and take parts of it down, I'd rather that the growth was a bit slower and infrastructure was more secure.
Antionline: True help?
by cswiii
I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?
Dave:
I have not seen any news reports that Antionline was enlisted to assist the FBI (and don't see anything searching CNN online.) I also read a Reuters article that claimed Mixter wrote stacheldraht (he did not), and that stacheldraht is used to break into systems (it has nothing to do with breaking in, just sending packets -- the break-ins are done using other tools, which usually implement buffer overflows in services like rpc.cmsd, rpc.ttdbserverd, amd, named, etc.)
Just because the media says something (or worse, one reporter quotes another reporter) that doesn't mean it is true. They make plenty of mistakes, especially when reporting on tight deadlines (I have published corrections to some articles in the DDoS page I referenced above.)
Government
by interiot
If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:
- Understand the problem well enough
- Spot good solutions if they come along
DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.
Dave:
"The government" is a pretty big population, which includes federal law enforcement (as you point out), as well as a huge slew of departments and agencies, their state/local equivalents (including public schools and universities). In such a large population, you will find both skilled and unskilled members of that population (fitting a bell-shaped curve like most populations).
If we don't like it that all attacks are attributed to "hackers", we should likewise have some respect and not just jerk our knees and say anyone who works for the government is automatically clueless.
The Government Accounting Office (GAO) has been auditing and analyzing many of the federal departments and agencies for years, and some of its reports (I have a number linked on my home page) are pretty critical, while others highlight agencies that have done a lot to secure their systems and provide "best practices" advice to improve the situation.
As for law enforcement, the FBI has been doing a lot recently to create a skilled central core of computer crime analysis and investigation resources, and in establishing training facilities and developing working relationships with their peer agencies in other countries (since the Internet is global, response must be global). Since they haven't been at this very long, of course this will be a bumpy and sometimes inconsistent process, and it will take time to build depth and breadth of computer forensics skills (and there is usually a LOT of forensic data to process and understand), but they are working very hard.
I would also say that I think the Clinton administration has done a much better job than its predecessors in trying to address these issues (e.g., the President's Commission on Critical Infrastructure Protection, the formation of NIPC to coordinate incident response and information dissemination to the public and private business sectors, and the National Plan for Information Systems Protection.)
If you've read the National Plan -- subtitled "An Invitation to a Dialogue" -- you will see that a great deal of thought has gone into dealing with infrastructure protection, and that they are asking for cooperation and input from the private sector security experts, which means us. (Now is the time to make your opinions known, and that doesn't just mean ranting on the dc-stuff list, where you are preaching to the choir. Of course, people there will agree with you, but does that change anything? You need to write your Congressional representatives, the President's Council, and vote.)
I, too, question the amount of emphasis in the current budget being placed on surveillance, but I'm really happy to see money being allocated to programs like better forensic analysis capabilities and identifying talented high-school students and helping them to study computer security in college, rather than ignoring their talent (a form of disrespect or a result of fear) and risking losing them to a life of attacking systems instead of securing them.
For example, I know at least one admin (who was 15 at the time I met him) who knows more about securing Unix systems than many admins I encounter on a daily basis. Sure, he was 15 and had some issues with judgment that 15-year-olds have that caused friction with his employers, but he was just 15! Give him a break, and respect his talents! If he was managed more closely, his obvious skills would *still* be an asset to his former employers. I don't want to see someone like this get frustrated at not finding a place to get paid for what he loves to do, and land in jail for following his curiosity and passion in his own way (which usually involves making an eventual mistake in judgment that draws the attention of law enforcement). I already pointed out there is a lack of skilled system administrators, and I'd rather see young talent be put to use to solve these problems, and the National Plan addresses this.
Internet Worm
by Ex Machina
What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date where it will launch a synchronized DoS?
Dave:
Given what I've seen as far as these particular tools go (including the scanner used by one group), I have no reason to believe the current attacks are automated and worm-like.
That said, I think it won't be long before someone *tries* to take that next step and further automate the process of scanning & intrusion to constitute DDoS networks.
Think about it, though, for a moment. Using the current DDoS tools, the intruders need to create a large network, without losing agents due to attrition as system/network admins notice the initial "setup" intrusions, and they would have to control the growth of this network so that the handlers are not crushed under the weight of an overly large network (or exposed because the agent "Hi mom!" traffic gets too noisy), hope that clocks are synchronized well enough to not expose the attack too early, and to control the resulting network during an attack, all without being detected. There are some tricky issues of coordination and communication that must be dealt with to prevent such a worm from running wild and disclosing itself. Whoever wants to try this should probably ask rtm about what it feels like to make that kind of mistake.
The alternative is to not use a coordinated/distributed model, but instead use the more standard model of propagating uncontrolled attack agents using a combination of social engineering and trojan horse programs. This has already happened.
In early February, 1999, a message faked to look like it came from Microsoft, claiming to be an upgrade to Internet Explorer (with an attached program named "ie0199.exe") was sent to many thousands of users on the Internet. Those who ran this program got what appeared to be an innocuous error message about a missing DLL, and most just gave up and deleted the message. What they didn't realize was that they had just unwittingly installed a program on their system that set itself up to run on boot the *next* time the system came back up. At next system startup, the program then started sending packets (as a self-described act of revenge) to random hosts on the Bulgarian Telecommunications Company network, causing them significant problems for who knows how long.
Worms also seem to work best against a single, self-similar operating system/architecture/service combination, which means the attackers would have to do the same recon scanning they do now to get a list of these hosts, so why not just stick with what they know works and infect systems on the list in parallel, instead of by some non-deterministic spreading behavior?