Mixter Speaks About the Latest DDoS
ochinko writes, "This is an interview with the German programmer who wrote TFN and TFN2K. Basically he says that it's quite easy to launch such attacks but extremely difficult, if not impossible, for the initiators to be tracked." Suck.com has a pretty good article on the attacks, as well. Maybe I should take credit for the DDoS attacks and become an international superstar.
Essentially, if no one can be caught, that means that the useless companies will just go berserk and target everyone, including those using our favorite OS.
Slashdot social engineering at its finest
There is more than a hint of ego in this guy's work (if indeed it was him): by putting it in a public forum (albeit for good reasons) he knew that people were going to abuse his creation.
Maybe he should have let the relevant people know about the problem before putting the code in the public domain.
In many ways I suspect he wanted an attack to vindicate himself, show off his skills whilst remaining on the side of the light and generally bask in the publicity...
Working for the (other) man
. . . here in Pittsburgh have been claiming credit for the attacks already. But then again, I suppose everyone and their script-kiddie brother is. Quite honestly I don't believe that we'll ever know who did it, but I'm sure we'll have someone to crucify for it. The government seems to be pretty good about that.
Bad things often happen to good people,
It is up to them to see that they remain good.
I am impressed by the maturity shown to the global community by this white-hat hacker in discussing security issues for the Internet.
This kind of attitude will go far in showing the true difference between those sincerely interested in the security of our communications and "script-kiddies" only out for personal glorification and status among their peers.
I liked the clarification about his role as a hacker in the traditional sense of the word. Too often these days the word "hacker" is thrown around indiscriminately and the insights shown in this interview may help to show the general public what the difference is.
Does anyone but me see the goal behind these attacks? Think of the names... CNN (owned by Time/Warner), Etoys (obvious), Yahoo (corporatism ruined a once great story), etc. All the targets are huge corporations that believed they were more powerful than the "hackers" and believe themselves above morality. Perhaps this will catch their attention... Maybe things like the Fox flash page, frivolous lawsuits, etc. will be diminished. Or not ;) I'm not saying this kind of behavior should be encouraged, or if it is even acceptable... it IS very poor advocacy. I'm just saying, I think I know where these guys are coming from... I'm practically there myself. In fact, I think a lot of us are.
Maybe he should have let the relevant people know about the problem before putting the code in the public domain.
I'm curious how he was supposed to do this.
"Dear mega web site.
I am a high schooler who has written a program that..."
plonk
This sounds like Lopht all over again: people put up web sites, do a crappy job administering, and probably won't listen to an 18 year old who would warn them.
Also, would you have suggested he email the same warning to each of the 5 million sites running Apache?
I think the best he could have done was post it to a public, security oriented place and hope the web admins are doing their jobs by monitoring it.
George
I don't want to paint Mixter in the same light as the script kiddies who launched the attack. However, it is ludicrous to compare his DoS programs with the likes of, what I would call, "true" security professionals (e.g. cDc, l0pht, Solar Design, etc.). What he did was make a bigger, better, and badder-ass gun for the script kiddies. The monkeys could have flooded major sites before Mixter made his presence felt. Mixter merely made it easier for the monkeys, both to execute and to get away with.
No rational and reasonably intelligent person would have denied the possibility of this "security problem". The vulnerability to flooding isn't a security flaw per se that could just be patched if the victims were a little more aware. Unlike l0pht (et al.) he isn't putting pressure on the manufacturers and vendors by releasing his code.
That being said, Mixter didn't do these attacks. He isn't evil, and I have a certain amount of respect for him. I do have problem, though, with portraying his creation of these DoS programs as being intrinsically good, nevermind his motives.
Not hacker.
At the end of the film they all jump up shouting "I'm Spartacus". So the Romans crucified every last one of them, 6000 men along the Via Appia as a warning to other slaves.
threadeds blog
Let's look at this situation as if it were a traditional murder, or a mass slaying.
"Dozens gunned down in shopping mall", for example.
Do you think the FBI would all of a sudden start hunting for an individual who is known to have designed guns? Of course not. They go after the guy who wielded the gun.
But with anything net-related, when Something Bad Happens, they go after the tool-makers (as well as the tool-users).
The big difference between net tools and guns, as far as "tools to commit crimes with"? The gun manufacturers have a powerful lobby (NRA) and boatloads of cash. Folks like Mixter are much easier prey.
"People" using "unnecessary" quotes should be "shot".
Ok, I know who did it. It was my cousin's sister's broker's dealer's aunt's friend who told me that they knew a guy who happened to have the next ASN up from this girl who once exchanged Email with a cypherpunk who was loosely referred to in Cryptonomicon which was secretly a true story about this guy who towed my car for me.... um, where was I?
;-)
Oh yeah, Hemos did it.
This is from the suck.com article.:
But the people who truly deserve the blame for the public's hours-long inability to swap "Steam Engine" jackknives on eBay are the short-sighted, tight-fisted monkeys who managed to build a multi-billion dollar industry on an insecure networking system, something so fragile that it can be brought to its knees by anyone willing to bother. The fact that a target as big and fat as Yahoo is fundamentally vulnerable to something as simple as a DoS attack is a clear invitation to go right ahead and shut them down.
Whoa, that's pretty intense there. They also go on to say that since vandalism is inevitable, its up to the people who will be vandalized to protect themselves. I agree to a good extent.
My question is this: How can you properly protect against many DoS attacks? Once so many requests come in from one IP, you block that IP? I can see problems there, such as if many customers through one ISP go through a cachebox. The way I see it, stopping this is just as hard as stopping the slashdot effect. What types of protections are there concerning router-level protection?
thanks..
PS - I know that packets coming from our ISP cannot be spoofed due to our routers, so if my box (soul.apk.net) caught wind of the problem, nothing would be allowed out anyway. However, I don't think it's always our job to do the security for outgoing traffic.
- Mike Roberto
-- roberto@apk.net
--- AOL IM: MicroBerto
Berto
I'm going to be just like Mixter!!
I will dump gasoline all around every dotcom company, and then all the SCRIPT KIDDIE LOSAHS CAN LIGHT A FLAME NEAR EACH ONE.
THIS WAY, I CAN FEEL LIKE I DIDNT DO ANYTHING WRONG.
THANKS!
What a business strategy. I think I'm going to start my own business, then create a monopoly by using DDoS to wipe out all of my competition. Hmm, what will be next? Maybe my company should have its own DDoS department.
kwsNI
I've been using Linux for a few years now but am currently setting up a web server, which is fairly new to me. As a newbie it's bound to have many security holes until I've finished reading the books :-) Even then I know it won't be secure. So, is there really no way to stop these attacks? If not, what measures can a sysadmin take to at least minimise the impact of DoS attacks?
How annoying is that stupid tiny column of text. It's so distracting I barely got through the damn article.
The Washington Post has an article saying that the FBI is preparing to question several suspects in the case.
trollday is tomorrow ya gook!
Denial of service attacks need to be removed from the "hack" category. I can cause a denial of service to a major city by stopping my car in the middle of the interstate. Does that make me a "hacker"? I think it registers under "stupid".
I assume it stands for Distributed Denial Of Service but that hasn't been made explicit. /. should have a page describing TLAs ^H^H^H^H Three Letter Acronyms and the like used recently.
Anyway, to get back on topic. What's to stop the compromised machines from creating the packets in such a way that they appear to come from loads of different random IPs? (I assume that most OSes don't let you fake, but remember these machines have been compromised already so this could be disabled/got around or whatever.)
That way the victim (insert big site name here) would have no way to tell if a request was valid or not (even if they had loads of humans looking at every incoming packet!)
Some (most?) routers (at ISPs or in universities, e.g.) would probably check the origin, but I'm sure there are many people who are allowed to create whatever packets they want.
In this case, it would even be impossible to find out which computers were the zombies, never mind tracking the "master" IPs that signalled the zombies to start pumping out the (fake?) packets.
Most/All the routers in the world will have to be made more paranoid and/or using IPSec or Reverse-DNS or something....
I'll quit my rambling by summing up that:
We can't stop this any time in the foreseeable future.
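The two defender-side checks raised above, the edge-router origin check the poster wishes more routers did and the victim-side view of a random-source flood (which also shows why the "block the IP that sends too much" idea from the earlier question breaks on a shared cache box), as an added example that is not code from the thread or from any tool it names. All addresses, interface names and packets are constructed sample data in RFC 5737 documentation ranges.

```python
"""Added example: ingress (anti-spoofing) filtering at an edge router and
random-source flood detection at the victim. All traffic is constructed."""
import random
from collections import defaultdict
from ipaddress import ip_address, ip_network

VICTIM = "203.0.113.5"                      # constructed victim address
INTERFACE_PREFIXES = {                      # constructed: prefixes assigned per edge interface
    "cust0": [ip_network("192.0.2.0/24")],
}


def ingress_filter(interface, src):
    """True if the packet may pass: its source lies in a prefix assigned to the
    interface it arrived on. Any other source is spoofed as far as this edge knows."""
    addr = ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))


def build_sample_traffic(seed=1):
    """Constructed 5-second packet stream of (second, interface, src, dst).
    Seconds 0-4: 30 pkt/s from one shared proxy/cache box plus 10 home users.
    Seconds 3-4: 200 pkt/s from zombies using random, unique, spoofed sources."""
    rng = random.Random(seed)
    legit_net = INTERFACE_PREFIXES["cust0"][0]
    pkts = []
    for sec in range(5):
        pkts += [(sec, "cust0", "192.0.2.7", VICTIM)] * 30                    # proxy
        pkts += [(sec, "cust0", f"192.0.2.{100 + i}", VICTIM) for i in range(10)]
    used = set()
    for sec in (3, 4):
        for _ in range(200):
            while True:                                   # random source outside the legit prefix
                src = ip_address(rng.getrandbits(32))
                if src not in legit_net and src not in used:
                    break
            used.add(src)
            pkts.append((sec, "cust0", str(src), VICTIM))
    pkts.sort(key=lambda p: p[0])                         # stable sort: time order only
    return pkts


def detect_random_source_flood(packets, window=1, min_packets=100, min_novelty=0.75):
    """Per destination and time window, count packets and how many carry a source
    never seen before for that destination. A spoofed flood is a window that is
    both big and made almost entirely of brand-new sources. Returns alerts as
    (window_start, dst, packets, novelty). Packets must be in time order."""
    seen = defaultdict(set)                               # dst -> sources seen so far
    buckets = defaultdict(lambda: [0, 0])                 # (window_start, dst) -> [total, new]
    for sec, _iface, src, dst in packets:
        key = (sec - sec % window, dst)
        buckets[key][0] += 1
        if src not in seen[dst]:
            seen[dst].add(src)
            buckets[key][1] += 1
    return [(win, dst, total, new / total)
            for (win, dst), (total, new) in sorted(buckets.items())
            if total >= min_packets and new / total >= min_novelty]


def top_talker_per_window(packets, window=1):
    """What a per-IP rate limiter sees: the single busiest source in each window.
    Returns {window_start: (src, count)}."""
    counts = defaultdict(lambda: defaultdict(int))
    for sec, _iface, src, _dst in packets:
        counts[sec - sec % window][src] += 1
    return {win: max(c.items(), key=lambda kv: kv[1]) for win, c in counts.items()}


def run_demo():
    """Returns (packets the edge filter would drop, flood alerts, busiest source per window)."""
    pkts = build_sample_traffic()
    spoofed = sum(1 for _sec, iface, src, _dst in pkts if not ingress_filter(iface, src))
    return spoofed, detect_random_source_flood(pkts), top_talker_per_window(pkts)


if __name__ == "__main__":
    spoofed, alerts, top = run_demo()
    print(f"edge ingress filter would drop {spoofed} spoofed packets")
    for win, dst, total, novelty in alerts:
        print(f"t={win}s dst={dst}: {total} pkts, {novelty:.0%} from never-seen sources")
    for win in sorted(top):      # the busiest single IP is always the legitimate proxy
        print(f"t={win}s busiest single source: {top[win][0]} ({top[win][1]} pkts)")
```

In the constructed stream the per-IP view never points at a zombie (each spoofed source appears once) and would instead hit the shared proxy, which is exactly the cache-box problem the earlier question describes.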
The thing most people are missing is that these tools are not rocket science; these tools are not SMP kernel hacking. These tools make a reasonable use of some modern programming tools. Some cryptography (not too difficult), some IP client/server and not much more.
Hell, I could have written these tools in a couple of weeks!!!! And taking into account that it has been years since my hands last typed C it cannot be that difficult.
Ok, Mixter released those tools to the public. So?
Sooner or later someone would!
Or worse yet would not, and instead take dozens of sites down with no one expecting it!
Just ranting... Nevermind...
Why would you, the poster of this article, want to use a Japanese word for penis as your alias? Are you announcing you have one or is it envy that drove you to use this alias?
BTW, of all those who will be murdered worldwide, it has been discovered that you are far more likely to be murdered by a family member than by a stranger. We need to outlaw families now! From now on, mate selection will be handled at random by the gov't and children will be immediately separated from their parents after birth. Overly strong friendships may also be cause for forced separation. And of course, all romance must be made illegal too. If all this will save *just* *one* *life*... it'll all be worth it.
There are basically two problems: a huge number of machines vulnerable to off-the-shelf attacks, and the difficulty of detecting packet storms with phony source addresses. Both of these are fixable, but not trivially.
One way to address the first problem is to have a certain percentage of machines set up by default to detect and immediately report break-in attempts. This will detect large-scale attacks, and will trace them back one level. Not all machines need to have this, just 1% or so. If, say, most Linux machines did this, the problem would get much smaller. If most Microsoft machines did it, the problem would go away. We'll probably see this happen over the next year or two.
I can think of a few ways to address the second problem, some of which I've already discussed. With a little help in some routers, some interesting things become possible. Suppose there was an ICMP control message you could send to a router which said "turn on Record Route on IP packets sent to me for the next N seconds." Given that primitive, you could build a backwards traceroute.
The fact of the matter is that there is nothing the cDc (et al.) does that can't be created independently by other hackers. Imagine a world in which none of these exploits are disclosed, and also that 99% of sites on the internet run NT4.0. Without disclosure and general public knowledge of these exploits, MS would never act to patch it--it costs a great deal of money. Some may argue that it is not necessary to actually create a trivial exploit that script kiddies can exploit. While this may have some merit (I even agree somewhat with this approach, it depends largely on the circumstances and the vendor), it has been shown with MS (and a few others), time and time again, that they'll simply dismiss a vulnerability as "theoretical", or even "impossible", unless you make it known that you're going to create an exploit for it--and have demonstrated your abilities to make it a reality before.
What we have today with open disclosure, is a system where operating systems, vendors, and sysadmins become somewhat seasoned and hardened to attack because of this kind of disclosure.
Somewhat more debatably: Although script kiddies may be a pain in the ass, and their motives are selfish and childish, they do (collectively) ironically serve a function of sorts. Without script kiddies, it would be much easier to shrug off the importance of these flaws; it would potentially allow for a terrorist group, foreign government, or even a group of criminals to do serious economic damage in a wide-spread, highly coordinated, and professional attack. Remember that the independent acts of a million script kiddies all doing their own thing is likely not nearly as dangerous as the coordinated efforts of a professional organization (not to mention that the professional organization could do it by surprise, virtually overnight).
That being said, to clear up any confusion, I don't believe the internet is, at this point at least, terribly significant to our ACTUAL economy (GDP...as opposed to the imaginary one the press and politicians love to talk about). Even the actions of terrorists are not going to have all that great an impact (in my "other" scenario)--just that they'd have a greater impact were it not for disclosure. (Although, with corporate networks today being connected to the internet in various fashions, there is potential of significant information loss through the internet.)
Oh scary is the day when the gov't comes to equate certain software with guns. On the plus side, we in the US will then have a constitutional right to our cracking tools (for target shooting our own systems and to test for their security, of course). On the down side, we'll see 5 day waiting periods and gov't required registration and licensing of certain software. And the makers of these "dangerous software", just like the heavily regulated gun mfg cos. and gunsmiths and retailers, will also come to be heavily regulated by the gov't. Software Engineers will have to have certain "security clearances" backed up by periodic psychological profiling and extensive background checks, before access to certain types of programming knowledge and research is granted. All of which will redefine programming to be a privilege that can be revoked at any time. PH33R the future. I know I do.
February 14, 2000
By DAVID P. HAMILTON and JIM CARLTON
Staff Reporters of THE WALL STREET JOURNAL
Computer sleuths and federal investigators continued to narrow their search for the culprits behind last week's hacker attacks against Yahoo! Inc. and other Web sites, obtaining evidence from several computers used in the attacks that points to at least two potential suspects.
While the investigation appears to be making progress, law-enforcement officials say they haven't yet come up with hard suspects. However, evidence obtained from analysis of network traffic, computer-security logs and monitoring of Internet-hacker channels known as Internet Relay Chat, or IRC, has let investigators focus on the activities of two known hackers. So far, the two have been identified only by their online pseudonyms.
The hacker raids, which overloaded major e-commerce sites with packets of meaningless data in so-called denial-of-service attacks, didn't threaten any data stored on those Internet servers. Many in the security community initially derided the attacks as unsophisticated, saying they could be conducted with tools widely available on the Internet.
Now, however, it appears that at least one of the attackers may have been far more skilled than the apparent copycats that followed, said David Brumley, a system-software developer in Stanford University's information-technology department who has taken an active role in the hunt for the perpetrators. The hacker, who is believed to be responsible for the attack on Yahoo -- the first of last week's large-scale assaults -- mounted a particularly complex operation using highly customized tools, Mr. Brumley said.
Mr. Brumley said this hacker's online pseudonym is known, but he wouldn't reveal it to avoid jeopardizing the investigation. He added that this hacker appears to have dropped out of regular IRC chats in the last few days. The hacker is thought to reside in the U.S., he said.
A second, apparently less-skilled hacker believed to live in Canada was being watched as a possible copycat, said Michael Lyle, chief technical officer of Internet-security firm Recourse Technologies Inc. (www.recourse.com). The hacker, known by the online pseudonym "mafiaboy," allegedly was recorded in an IRC chat soliciting orders to shut down the Cable News Network and E*Trade Group Inc. sites, Mr. Lyle said.
Stanford's Mr. Brumley confirmed that a hacker using the mafiaboy pseudonym was a focus of the investigation. However, he said, some in the hacker community don't believe the person behind the name was involved in the attacks. Indeed, mafiaboy is said to have later retracted the claims and a law-enforcement official said that authorities, while scrutinizing his actions, aren't sure he is responsible.
Mr. Lyle and other security experts at Recourse, of Palo Alto, Calif., said they have viewed snippets of dialogue and have verified more of it from other hackers, and plan to give the information to the Federal Bureau of Investigation. "We think there were several hackers who launched the attacks in copycat fashion," Mr. Lyle said.
Interest also has grown in a hacker identified as "Mixter." In a series of e-mail exchanges with The Wall Street Journal, online-news provider ZDNet and other media, Mixter has described himself as a 20-year-old German programmer living in the area of Hanover, Germany.
Mixter is credited with having authored the Tribe Flood Network software, or TFN, one of the interrelated attack tools believed to have been used in the attacks. A similar software is "trinoo." A third, called stacheldraht (German for barbed wire), is based on TFN but uses trinoo features. Mixter is credited only with TFN.
In e-mail interviews, Mixter said -- in fluent English -- that he had no direct connection to the attacks and criticized the use of his software to paralyze online companies. He said TFN was written solely to demonstrate Internet-system weaknesses.
Mixter first appeared on the Internet hacker scene around July 1998, posting less-well-known software programs he had authored on security-related Web sites, according to Dave Dittrich, a University of Washington computer-security expert who has analyzed some of Mixter's software.
Mixter has voluminous postings at a site called Packet Storm, a division of Kroll-O'Gara Information Security Group in Palo Alto. Last month, a paper Mixter wrote on Internet security won a $10,000 prize in a Packet Storm competition. Mixter's most recent addition to the site is a lengthy treatise on how to deal with attacks such as last week's.
A law-enforcement official said the FBI is trying to talk to Mixter through German authorities, but that Mixter isn't a leading suspect at this point.
The FBI has run into problems retracing the source of the attacks because some sites used weren't keeping complete logs of computer traffic, according to a person involved in the case. "Some of the sites didn't capture all of the traffic" because their record-keeping software isn't set up to record that level of detail, a law-enforcement official said.
With help from computer experts at the affected Web sites, the FBI is still analyzing what information they have gleaned from those logs. In addition, according to someone involved in the case, dozens of agents from field offices -- including San Francisco, Los Angeles, Atlanta and Boston -- are conducting interviews with sources who monitor hacking activity.
"There hasn't been a huge number of people taking credit," said a law enforcement official, but the FBI is looking at them all.
The first major breaks in the case came late last week, when investigators learned that computers at several California universities, including Stanford, the University of California at Santa Barbara and the University of California at Los Angeles, were involved in the attacks. Several university officials said their computers were infiltrated prior to the attacks and used to fire the barrage of data packets that temporarily knocked out several sites, including Yahoo, Amazon.com Inc., eBay Inc., E*Trade and CNN, a unit of Time Warner Inc.
At UC Santa Barbara a network programmer noted "abnormalities" in the university's network traffic when he logged in Tuesday night. After further checks, the programmer discovered the following morning that one computer on the network had been broken into and used to attack the CNN Web site, according to Robert Sugar, the university's acting director of information technology.
Upon that discovery, the programmer alerted both CNN officials and the FBI, Mr. Sugar said. Campus officials said the hacker who broke into that computer left many traces, and said the FBI already has obtained reams of data as a result.
Mr. Sugar declined to describe the computer except to say it was an older desktop machine, a description consistent with a computer workstation. Security experts long have warned that older computers used for less-sensitive work at universities, where high-bandwidth Internet connections are common, are particularly vulnerable to such intrusions.
A hacker also apparently manipulated a Stanford network router -- a computer specially designed to direct Internet traffic -- as part of an attack that overloaded the Web site of eBay, San Jose, Calif. That kind of attack, known as a "smurf" attack after the first software tool designed specifically to conduct it, didn't entail an electronic break-in at Stanford's computers, Mr. Brumley said. Instead, the hacker subverted a router "broadcast" feature used to direct an entire cluster of computers to blast packets at eBay.
Meanwhile, other sleuths continued to probe the extent of the Internet's vulnerability to attacks. Network Associates Inc., a security company in Santa Clara, Calif., said a voluntary-screening program detected three cases of denial-of-service software installed on host servers: one in a university computer in Berlin, another at a university in Iowa and one in a nonuniversity computer in Long Beach, Calif. None of these detections necessarily indicate these computers were employed in last week's attacks, the company said.
As investigators continued their work, the computer industry struggled to reach common ground on security issues in order to present a united front at a White House meeting scheduled for tomorrow.
The dilemma for the computer industry, public-policy advocates say, is how to develop and agree upon standards that the government can support and protect without disrupting the open nature of the Internet. But given the different perspectives of government and industry, that won't be easy. Kim Alexander, head of the nonprofit California Voters Foundation, is one of the few people conversant in both the political and technological worlds. "It's like they speak two different languages," she says.
Many companies hit by last week's attacks continued to lie low. But some appear likely to take a more active stand against government intervention. AT&T Corp. dealt with attacks in the past week against some of its customers but remains opposed to government intervention to protect networks.
"It is important for the government [to take] a role in something that is illegal and affects commerce. Past that point, we clearly believe in self-regulation in this industry," said Rose Klimovich, AT&T's director of global intellectual-property-network services.
Some hackers, meanwhile, continued to toy with security experts over the weekend. Late Saturday or early Sunday morning, a hacker with the handle "Coolio" defaced the rsa.com Web site, which is owned by Internet-security firm RSA Data Security Inc., a unit of RSA Security Inc. of Bedford, Mass. The defaced site bore a picture of two men pictured on RSA's official Web site with the letter "L" branded on their foreheads, and carried the message: "The most trusted name in e-commerce has been owned" by Coolio.
Scott Schnell, a marketing vice president at RSA, said the company doesn't use the rsa.com site, which normally redirects Web surfers to RSA's main page at rsasecurity.com. He said the hacker hijacked the rsa.com Internet address and redirected it to the defaced page. Mr. Schnell said RSA was working with its Internet provider to resolve the situation.
David Cloud and Douglas A. Blackmon contributed to this story.
Looks to me like an Apache error,
not a linux error.
I suppose my biggest fear is that the government would try to invent/incorporate some sort of master control system (super ICMP?) for IP. Not only would this likely be ineffective in deterring a serious attacker, but it would likely invite abuse as well. I'm not sure that our fearless leaders in DC comprehend the issues involved.
I believe the only way we can deal with this is the way it's always been done: as a community. It has been pointed out that a lot of the zombies in recent attacks have been Linux/Unix boxes. I know there are a lot of resources on the web for Unix security. RootShell, for example, is a good site not only for descriptions of exploits, but actual code you can use to test your box. There is a lot of information about Unix/Linux security out there, but it's unlikely that any newbie will be exposed to it before, during or immediately following the install of their OS. And we all know what kind of daemons get installed by default these days. I don't know if it exists, but a clearinghouse of security info, including not only alerts/exploits but instructions for newbies on how to fix problems, would probably go a long way. Just raising the issue of security consistently (banner ads, links from most major linux sites) to this clearinghouse would probably be enough to get the attention of people who are working with Linux. Does something like this exist? If not, would anyone else be interested in setting it up? Perhaps it could be part of the LDP. Who knows. I'm envisioning far more than might be practical, but if anyone else is interested, e-mail me at po.cwru.edu, username dwb2.
Don't Panic...
Once upon a time, I was something of a grey hat. I, at one point, wrote and modified numerous programs and scripts that did similar things (thus I refuse to vilify him). I did say that I have some "respect" for him, and that skill was what I was referring to, even though I haven't personally seen the latest warez much. That being said, the idea of a distributed DoS attack isn't entirely new. Back in my day (towards the end), there was a program called FAPI (or was it FABI?) written by some folks that I knew. It wasn't quite as sophisticated, but it could have been developed much further, if anyone put the time into it.
First of all, yes, I'm the person responsible for the spamming. I would like to explain why I did it, and what I hope comes of this. I've already explained myself in scattered places in the discussion thread itself, so I'll just sum my thoughts up here.
Writing the spambot was rather easy. It was something I could quickly cobble-together with a couple very simple shell-scripts. The hardest part was reformatting the text into an HTTP POST request. I also posted the scripts to the discussion thread, for a variety of reasons.
- I felt that my doing it would inspire others to do it as well. By releasing the source I could remove some of the potential thrill for some other would-be spammers.
- I felt that only the truly lame would continue to use the script after the one story was completely FUBARed. This would make it easy to remove them permanently (in a bit I'll explain why this would help).
- I feel that the current state of moderation is laughable. It's become a source of elitism, a way for snobbish karma-jockeys to moderate up statements they agree with and moderate down those who think differently than them. Personally, I think that if moderation weren't such a BFD then there wouldn't be all these anti-moderation trolls.
A bit about myself. I'm a grad student in CS. I participated (and ranked visibly) in LokiHack. I'm not your run-of-the-mill skript kiddie. However, I've also gotten sick and tired of the way that Slashdot's discussion forums have become. A huge noise, very little signal, mostly from people who are sick of the moderation system and moderators who spend more time moderating those nuisances down than moderating the USEFUL comments up. I felt the need for a cathartic expunge. I think that trolls, spammers, and offtopic posters can be dealt with FAR better than they are now. I'm done with my fun for the night, and in the meantime I hope this can lead to some better moderation in a few regards:
- There is no reason for a single IP address to need to post more than one comment per minute. In fact, more than one every five minutes is pushing it as long as the originating IP address returned by most proxy servers is honored (of course, it's possible to abuse past that, but at least it's a start). At the very most, 5 comments/minute from a single proxy IP address is more than enough.
- There should be no AC account. Everyone should be required to log in, though they can still post anonymously. Accounts which have been found to be spamming can be terminated.
- AC posts should be treated the same as normal posts. Karma, time since registering on /., and the like should have no bearing on post score. Anything else results in snobbery and elitism.
- A comment should start out neutral, and there should be multiple levels of downwards as well as upwards moderation. Just because a post from an anonymous poster has been marked downwards once doesn't mean it should be relegated into obscurity forever. Also, as good as M2 is, it can only do so much.
- Most importantly, moderation shouldn't be such a BFD. It's the "I'm a moderator, it's my job" attitude which the trolls and spammers are backlashing against, not the existence of moderation. Perhaps giving out more moderator points is in order; in fact, allowing people to moderate on any story they haven't posted on seems like a good situation.
I hope you'll listen to me, regardless of the inconvenience I gave to the Slashdot readers and admin for one relatively unimportant story which would have been soon forgotten anyway. I've had my fun, and someone else could have done a shitload worse and not been so willing to point out flaws after the fact. That's not a justification, of course, but it's the best I can give. Thank you for reading this far. Good night.
now could you step off your moral podium so i can look you in the eye and see if you really are as dumb as you seem?
whether or not he's egotistical and whatever purposes he wrote the tools for, he is NOT to blame for the way they were used. the absence of a punishable offender does not mean we go after the person who wrote the tool(s) of their crime.
if i use a cinderblock to bash your head in for effusing such pin-headed opinions on a public forum (and then getting moderated up to the top of the heap!), should we then go find the manufacturer and yell at him for making a weapon that can be used to kill?
ok, so you say 'but dave, this was a specialized tool that could really only be used for one purpose. he knew how it would be used!' so, ok, i build a guilloteine (i slaughtered the spelling, i know..), but you stick your little sister's neck under it and set the blade on its way.. you are the one who did it, not me.
he probably is an egotistical bastard, i have no clue, i don't know the guy. but he is not to blame and if he is as self-centered as you say, then drawing more attention to him is only serving his purposes.
...dave
Think different? I'd be happy if most people would just think...
I left around just enough information for the /. admins to figure out my identity. We'll see if they ever figure it out.
"It has also empowered the disenfranchised (*cough*) to make their voices heard both far and wide."
Please stop reading so much JonKatz.
-- In the future, everyone will code Perl for 15 minutes. --
If you confessed to a murder, but couldn't produce a body, you wouldn't be in jail. If you confessed and weren't able to recount the details of the crime, they would laugh at you and send you on your way - after a visit to a shrink, I hope.
False confessions are not rare, especially for high profile crimes. The FBI may be completely clueless, but they certainly aren't going to investigate every Usenet kook or IRC whackjob that claims responsibility.
BTW, I did it. Me, A Big Gnu Thrush. So catch me if you can, because 3 days from now, at 25:62 GMT, I'm going to strike again, and no one can stop me!
-insert maniacal laughter-
QoS Support? Are you nuts? Do you have any idea of the kind of inefficiency created by using QoS to mark packets? Work with a major ISP for a while and you'll understand: the internet is amazingly stable considering it uses routers held together with chewing gum; they can't handle QoS. QoS is a bad idea, marking packets is a bad idea.
Say it with me now, "Marking packets is bad mm'kay"
I've heard someone bringing up the argument that guns can't be blamed for the idiot who uses them. However, guns have the excuse that they can be used for hunting for food. Or for protection.
What can Mixter's tools be used for? His tools send large amounts of data to targets via multiple clients. Can anyone think of a reasonable use of a tool like this? Surely, it doesn't protect anyone. I can't think of anywhere I'd use this "tool" to troubleshoot a network. I'm stumped. I think it's generally accepted that if I write a computer virus, and give it to my friend, and he decides to unleash it at his workplace, that we're both going to get busted. "But, I just wrote it.. I didn't spread it".. Yeah, try telling that one.
So Mixter, thanks for the great tool! I'll use it daily I'm sure.. Can't wait to find some use for it.
The other argument I hear is "Well he used it to prove a vulnerability". The problem with this argument is that everyone knew about DDOS before his "tools" were released. If Mixter had made a post on a security site about a bug he'd found in linux that gave a hacker root, I'd be all behind him for posting how to do it. Because nobody knows about the bug! But everyone knew about DDOS. But there's not much you can do to stop it on the receiving end, only on the client sides. His tools have one purpose: malicious intent.
I'm sure many people here have thought of the idea of DDOS before (especially when distributed clients first came out), and many of you also have the programming skills to write the clients necessary to do a DDOS. But you haven't. Most likely because you understand it can be done. THERE'S NOTHING TO PROVE. Mixter wasn't first, he was just the first one missing the morals to understand the implications.
That may be your purpose for a gun. For me, the main purpose of one of my guns is for home defense. The main purpose of some of my other guns is recreation at the shooting range. The main purpose of the model 94 Winchester (circa 1897) is as a decorative showpiece above the fireplace mantle. The main purpose of the rifle is for hunting.
What a narrow limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.
You're right, he showed us a better face for the word hacker than the distorted mask usually shown by the popular media.
I noticed he never said "cracker" or "script-kiddie." He said "attacker" several times. I like this, I think it's a better fit. After all, any fool can fire a gun but not too many can design one though, at least one that doesn't explode when fired. By this analogy, almost anyone can attack but not everyone can hack.
-M
... saw him pass out at 31 flavours last night. I guess it's pretty serious.
This PC happens to run windows (Yes. I know. I'm inherently evil and feeding the great satan. Just flame me and moderate me down for admitting it and get on with your lives.)
I installed a firewall (Zonelabs), mostly because it was free, and also because I decided that if I wasn't part of the problem yet, it was only a matter of time.
Results: I was getting probed at an average of once every 20 minutes from a variety of locations. Urk! (Please note, my ip starts with a 24, which tends to indicate an @home or roadrunner cable modem service)
Side note: If you want to test your machine, go to Steve Gibson's ShieldsUP!. It's a bit slow at the moment (and posting this ain't gonna make it faster). Personally I wish I had known about this site before this insanity started.
-----
No Zen is good zen
Gasp! How can you doubt the awesome e733tne55 of the Ninja Strike Force?! A thousand heifers may be killed in one night by a running Ratte...
First of all, this is not the best forum to ask that question. This discussion is very general and you came very close to asking an in-depth question.
To get a good start in finding out more about systems security go to http://www.deter.com/unix
From there you will find better places to post deeper questions.
-M
The cracker who broke into the University machines is unlikely to have done so in the daytime, their time. From this, you should be able to determine the probable timezone.
But how will this help?
In and of itself, it wouldn't. This is where things really depend on the people used to carry the DDoS attack software. To have broken in, the crackers are likely to have scanned the ports and services. From this, you should be able to collect some statistics as to what sort of timeframe the cracker was operating in.
Now, how will -this- help?
Again, it won't, unless more than one site was used in the DDoS attack. There'll be a time difference, as it's improbable the person cracked all sites simultaneously. This will give you a much clearer picture of what was cracked, and when.
THEN, you look at the relative times involved. (Although the logs will undoubtedly have been altered, it may still be possible to see over what timeframe the alterations cover). This gives you a rough guesstimate as to the path of the different connections, and will narrow down the search to specific nodes within each of the possible countries.
Now, some of those nodes will be improbable. It's unlikely that the crackers would have gone through a corporate website, for example, unless that site, itself, had been cracked.
If the cracker(s) went through multiple computers to get to those they eventually used, then, yes, it is impossible to trace them. Triangulation needs at least two known points and a direction. But, if they didn't, this is the best bet anyone has of identifying who did it, unless the person(s) step forward.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
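The timing analysis the comment above describes, as an added illustration that is not part of the original post: pool the intruder's activity timestamps from every site involved, normalise them to UTC, list the order in which hosts were first touched, and ask which UTC offsets would put all of that activity outside local working hours. The log format, host names, addresses and the 08:00-18:59 "daytime" window are constructed assumptions.

```python
"""Estimating an intruder's working timezone from pooled activity timestamps.

Added illustration of the procedure in the comment above.  Every value
below is constructed for the demo: three compromised hosts, each logging
in its own local time with an explicit UTC offset (as a well-configured
syslog would), and an assumed local working window.  Because the comment
also notes that logs on a cracked host are often altered, only timestamps
corroborated by a second source (router logs, flow records) should be fed
in; the method narrows the search, it does not pinpoint anyone.
"""
from datetime import datetime, timezone, timedelta

# Constructed log lines: "<host> <ISO-8601 local timestamp with offset> <message>"
LOG_LINES = [
    "host-a 2000-02-06T03:12:44-05:00 portscan from 192.0.2.44",
    "host-a 2000-02-06T03:40:10-05:00 login attacker",
    "host-b 2000-02-06T09:55:02+01:00 portscan from 192.0.2.44",
    "host-b 2000-02-06T10:20:31+01:00 login attacker",
    "host-c 2000-02-07T01:05:00-08:00 portscan from 192.0.2.44",
    "host-c 2000-02-07T01:30:12-08:00 login attacker",
]
DAYTIME = range(8, 19)   # assumed local working hours, 08:00 through 18:59


def parse_events(lines):
    """Return (host, utc_datetime, message) tuples sorted by UTC time."""
    events = []
    for line in lines:
        host, stamp, msg = line.split(" ", 2)
        ts = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        events.append((host, ts, msg))
    return sorted(events, key=lambda e: e[1])


def compromise_order(events):
    """First observed intruder activity per host, earliest first.

    This is the comment's 'what was cracked, and when': the relative
    order in which the sites were touched, independent of any timezone.
    """
    first = {}
    for host, ts, _ in events:
        first.setdefault(host, ts)
    return sorted(first.items(), key=lambda kv: kv[1])


def night_score(events, offset_hours):
    """Count events that fall outside DAYTIME when clocks are shifted by offset_hours."""
    local_hours = ((ts + timedelta(hours=offset_hours)).hour for _, ts, _ in events)
    return sum(1 for h in local_hours if h not in DAYTIME)


def plausible_offsets(events, offsets=range(-12, 15)):
    """UTC offsets consistent with the premise that the intruder works outside daytime.

    Returns (list of best-scoring offsets, that score).  A score equal to
    len(events) means every event is outside working hours at that offset.
    """
    scores = {off: night_score(events, off) for off in offsets}
    best = max(scores.values())
    return [off for off, s in scores.items() if s == best], best


if __name__ == "__main__":
    ev = parse_events(LOG_LINES)
    for host, ts in compromise_order(ev):
        print(f"{ts.isoformat()}  first activity on {host}")
    offs, best = plausible_offsets(ev)
    print(f"{best} of {len(ev)} events are outside daytime at UTC offsets {offs}")
```

With this sample all six events sit between 08:12 and 09:30 UTC, so a wide band of offsets (UTC-12 to UTC-2 and UTC+11 to UTC+14) remains plausible; the point is how coarse the filter is on its own.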
What we need is an organization much like the RBL, except this will be a black hole for networks who permit spoofed packets to go through their routers. I certainly don't want any spoofed headers reaching my network, but the power to do anything about it is on the router of the network originating the spoofed packet.
Screw Micro$oft.
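The check the comment above says only the originating network's router can perform, written out as an added example (not code from the original thread): a source-address validation filter that drops packets leaving the network with a source outside its own prefixes, and packets arriving from outside that claim an inside or non-routable source. The prefixes, direction labels and sample packets are constructed for the demo.

```python
"""Source-address validation at a network edge (added illustration).

A router that enforces this on its own customers prevents them from
emitting spoofed packets at all, which is the only place the comment
above says the problem can be fixed.  All prefixes and packets below are
constructed sample values.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Prefixes this edge router is responsible for (constructed example values).
INSIDE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                   ipaddress.ip_network("198.51.100.0/25")]

# Sources that never legitimately arrive from the outside world: loopback,
# link-local, private, multicast and reserved ranges.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    direction: str   # "egress" (inside -> internet) or "ingress" (internet -> inside)
    src: str
    dst: str
    proto: str


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def verdict(pkt: Packet) -> str:
    """Return 'pass' or a drop reason for one packet."""
    if pkt.direction == "egress":
        # Only our own addresses may leave our network.
        return "pass" if _in_any(pkt.src, INSIDE_PREFIXES) else "drop-spoofed-egress"
    if pkt.direction == "ingress":
        if _in_any(pkt.src, INSIDE_PREFIXES):
            return "drop-inside-from-outside"   # our address cannot come from outside
        if _in_any(pkt.src, BOGON_PREFIXES):
            return "drop-bogon-ingress"
        return "pass"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(packets):
    """Apply the filter; return (forwarded packets, drop counts by reason)."""
    forwarded, drops = [], Counter()
    for p in packets:
        v = verdict(p)
        if v == "pass":
            forwarded.append(p)
        else:
            drops[v] += 1
    return forwarded, drops


# Constructed traffic sample: two legitimate outbound flows, one inside host
# sending with a forged source (what a flooding agent relies on), one
# legitimate inbound packet, and two inbound packets with impossible sources.
SAMPLE = [
    Packet("egress", "203.0.113.7", "192.0.2.10", "tcp"),
    Packet("egress", "198.51.100.9", "192.0.2.10", "udp"),
    Packet("egress", "192.0.2.55", "192.0.2.10", "icmp"),    # forged source
    Packet("ingress", "192.0.2.10", "203.0.113.7", "tcp"),
    Packet("ingress", "10.1.2.3", "203.0.113.7", "icmp"),    # private source from outside
    Packet("ingress", "203.0.113.99", "203.0.113.7", "udp"), # our own address from outside
]

if __name__ == "__main__":
    fwd, dropped = filter_packets(SAMPLE)
    print(f"forwarded {len(fwd)} of {len(SAMPLE)}; drops: {dict(dropped)}")
```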
The winning articles (all of em) are referenced at: http://packetstorm.securify.com/papers/contest/ 'Mixter's' is found at: http://packetstorm.securify.com/papers/contest/Mixter.doc
Reality is like a Suitcase, we only take it out of storage when needed. -penfold
If I print out the entire Slash source, then shove it down someone's throat until they choke and die, is CmdrTaco responsible?
:)
If I tie someone up and force them to read all of Signal 11's posts while I scream "Karma! Karma! Karma!" in their ear, is Signal 11 responsible?
If I force someone to read every Jon Katz article until their brain (also) turns to Jell-O pudding, is Katz responsible?
Sorry, I've just read too many gun analogies on this thread. I went a little crazy there. It won't happen again....
Save the whales. Feed the hungry. Free the mallocs.
Score 3: Lawsuit bait
Next time, you might consider a link.
That is all.
I prefer hands-on experience, and the research papers, to the views of any ISP where profits are measured by bandwidth sold, not bandwidth utilised.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Look at DeCSS or css-auth?
Are they tools whose sole purpose is to cause harm and aid people in the thievery and piracy of intellectual property, or just tools that will let us play our legitimately bought DVDs in linux?
Only 36 hours ago there was that article about the head of the RIAA and his opinions about how DeCSS had no purpose other than piracy. And we mostly, 99% agree that he's wrong. Well then, why all this argument for the case of TFN? Why are many of us unhappy about TFN and blaming the author for all the problems he caused by the tools he created, yet happy about the creation of DeCSS and css-auth?
Why the double-standard?
Okay, I admit I am a little green when it comes to the finer side of IP. Okay, I'm really green! Anyway, since DDOS relies pretty much on PiNG, would a reasonable amount of protection be gained by killing ICMP at the router/firewall? It would keep it from getting to the servers, but would it help reduce the 'tidal wave' of traffic on its way to the router?
Somebody enlighten me! (Flame certainly welcome, I could use a good laugh!)
"Inspire me! Tell me it cannot be done!"
off-topic post...
I was thinking, why doesn't someone create a distributed program to perform audits of internet sites
script kiddies already have tools that will scan IP blocks and check for security holes, so why not write one that is used for good?
my idea is this, the client downloads a block of IPs from the master server (which should be able to patch the client so the client can scan for new exploits). the client scans those IPs for known vulnerabilities, if it finds any it looks up in the whois database the admin of the site, sends them an email and tells them
a. what exploits were found
b. a description of each exploit
c. and where to get a patch to fix the exploit
also a central database could be managed with all the information the clients had collected and statistics could be generated just to show how *bad* internet security currently is. if you had 50,000 machines doing constant scans of the net and telling the admins about what holes they have in their systems you should be able to keep a constant track of security on the internet as a whole.
I know someone could reverse engineer this program to do a distributed security exploit, but if they did that, that would just force companies to secure their sites, so the end result is the same
of course the scan should scan for all known vulnerabilities on all known OSs and allow for it to be updated so the newest exploits can be detected and corrected...
anywho, just a thought...
Canadian Company Provides Web Security Countermeasure
Flamborough, Ontario, February 15, 2000
While corporate Technology executives meet with President Clinton's staff at the White House to discuss the recent catastrophic Denial of Service problems for web business, a small Canadian company today announced the pending release of a solution.
In order to be a successful countermeasure the cooperation and adaptation by the infrastructure industry will be necessary. Platformed on the GateWeaver VPN Firewall server, the company expects to have its newest "Crossing Guard" module in the mass market channel by mid March. The offering will be in two formats: Software only and an Integrated Hardware device.
The GateWeaver products are compatible with Macintosh, Microsoft Windows, Unix operating systems and Novell networks.
Crossing Guard is an initiative to combat the recent increase of DoS (Denial of Service) attacks that have been responsible for Internet server downtime. The key to defeating a DoS attack is to push the attack as far from the victimized server as possible, preferably right back to the initiating client. This allows the server to continue servicing its clientele quickly and efficiently.
Crossing Guard works to provide a "breathing window" during a Denial of Service attack to isolate attackers and initiate a response. By working with ISPs and backbone providers, an attacked server can request a reprieve from the closest Crossing Guard to the attacker, stopping the packet storm in its tracks. This reprieve will last for 60 minutes: enough time to contact network providers for more thorough response, while not limiting the freedom of the net or disconnecting a large gateway that serves many clients.
When an attack is detected, either through server unresponsiveness or more proactive network monitoring tools, the system administrator logs into the local Crossing Guard server which attempts to contact the next upstream Crossing Guard to the attacker through the primary network connection and failing that through a backup connection. Each Crossing Guard will relay the countermeasure request as far up the tree as able so as to limit the bandwidth consumed by the attack to as short a distance as possible.
Each Crossing Guard will store the request for later review as well as notify system administrators in each network the attack is passing through of the countermeasure and provide contact information for the attacked server administrator to arrange for a more permanent protection solution.
The Crossing Guard specification is expected to be released to the Internet community for peer review and implementation. Our goal is to create a solution that scales from the largest intercontinental provider down to the smallest local ISP. With this in mind, the GateWeaver implementation of Crossing Guard will be available as a software product free of charge to local ISPs.
All hardware vendors, network providers, ISPs, and Businesses doing Business on the Web are invited to join in developing a self regulating solution to contain and deter against Denial of Service attacks.
GateWeaver.com has made available a free distribution version of its firewall-VPN software. The company anticipates releasing the software version of Crossing Guard in the same manner.
Contact Information
www.gateweaver.ca
www.gateweaver.com
The Manor Group Ltd.
Chris Maxwell
Cmaxwell@themanor.net
905-689-2001 Phone
877-manor-99 Toll Free
From where do you obtain your premise?
While I'm not in the habit of breaking into "University machines", if I were to do so, I think there would be a 50/50 chance of it being during the hours of local daylight (or darkness) just like anything else I do online. A histogram of my online activity based upon time of day tends to be rather flat I believe.
I fail to see a daylight-only pattern (per localtime) as prevalent among any of my online associates either. Your premise is significantly flawed.
How do you hunt without killing the animals?
Just curious.
It's called new wave but it's just the same.
And how exactly do you do your home defense with a gun, without potentially maiming and killing? Pry it between the door and the post so it becomes harder to open the door? How do you hunt with a rifle without killing? Use it as a crude spade to dig a hole? The gun that was produced in 1897 by the Winchester factory, was that intended to be a showpiece?
What a narrow limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.
Perhaps you should consult a dictionary and look up the words primary and only. Those meanings aren't equivalent.
-- Abigail
It LOOKS like English. I know what most of the words mean....
/.
:-)
But I can't for the life of me figure out what you're talking about. Everything after "shut up" is either a misquote or a rant against the corporate sanitization of
What corporate sanitization are you talking about?
Is it the corporate sanitization that has reduced the number of REAL technical articles? Instead, we have many more touchy-feely "let's talk about rights and social issues so EVERYONE can participate" articles.
Is it the corporate sanitization that has turned Slashdot into a parody of what it used to be?
Is it the corporate sanitization that has decided that "News for Nerds. Stuff that matters," is the same thing as, "Patting ourselves on the back for using Linux?"
Finally, is it the corporate sanitization that causes posters to take themselves so seriously that they get baited into long flamewars with trolls?
Have a nice day.
-- In the future, everyone will code Perl for 15 minutes. --
thanks for making my point.
--
+&x
A blatant advertisement posted as a comment, moderated up for being informative.
Why bother paying for banner ads on Slashdot? I'll just post a full fscking press release and count on the moderators to do their thing.
Sorry, Wah. I think I understand what you meant by corporate sanitization now.
-- In the future, everyone will code Perl for 15 minutes. --
Your mention of "potentially" is your own undoing right there. i.e., The mere sight of the gun may cause the Bad Guy to flee. And that's good enough for me if he does. You only shoot them when they threaten your life. As an example, how many times per year does the average police officer, in the line of duty, draw his gun from its holster and point it at someone? Now of those times, how many times is the drawn gun actually discharged? Drawing a gun != using a gun. The ratio of discharge/draws is very low (under 10%). Does that make actual injury the "primary" (your word) purpose of the weapon? Is a 10% use "primary"? I think not.
Perhaps you should consult a dictionary and look up the words primary and only. Those meanings aren't equivalent.
The primary purpose (of my handgun) remains defense. See above to understand the difference. (No dictionary required!)
I'm thinking maybe you don't wanna joke about taking credit for the denial o' service attacks while the FBI is on the case... they might be treating jokes about ddos the way airports treat jokes about luggage bombs...
http://www.farmerbob.org
you stupid asshole! You can't even spell "Natilie"!
--Truth Mode On--
Wrong. But before I say why (although I also claim to be an avid WW2 history buff), you should listen to what I have to say. Let me offer a couple of credentials:
- my father was part of the Occupation forces in Southern Japan at the end of WWII.
- I lived in Japan in an area where there just aren't many Americans, speak, read and write Japanese with decent fluency, and have read the histories in both languages, which also leads to my next point
- I have met and talked to survivors of the Hiroshima bomb in their native tongue.
The atomic bombs [nukes weren't invented until 1948] made it unnecessary for a ground invasion of the main Japanese islands. Military estimates are that as many as 250,000 Americans would probably have lost their lives, and Japanese casualties from the American invasion would have topped 1,000,000. Estimates are that if the Soviet Union had invaded from the north (where I lived), casualties would have tripled over those expected in the American invasion. From what elderly Japanese people told me when I lived there, the deaths from starvation and disease would probably have pushed the death toll much higher. When Emperor Hirohito saw the damage of these bombs (which they had been warned about), he overruled his military advisors and told the Japanese people to lay down their arms and welcome the Americans, something he could not have done if the Russians had been the invaders.
A secondary point. The real reason atomic weapons were invented in the United States was because the government realized that they were in an arms race with the Nazis, and that they absolutely had to win.
Finally, the main influence on the Russians was that the US Gov't basically said "hey, Japan has surrendered, and any further aggression is unjustified, therefore we will oppose it, militarily if need be". In diplomatic terms, it also didn't hurt that the U.S. had the atomic ace in their hand, and no one else did. So the U.S. could (Teddy Roosevelt's actual quote is the bold lettered words) "speak softly and still be heard because they were carrying a very big, very dangerous stick."
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
Ph33r The Man
Analogy 1:
"I grow a bunch of melons and give them away for free. Someone takes one and uses it to club someone to death. Am I responsible?"
Analogy 2:
"You build a bunch of tactical nuclear weapons, bundle them with instructions on how to use them as mailbombs, and give one to each clinically psychotic person in the country. Aren't you responsible for what happens?"
(My own personal opinion, for what it's worth, is that releasing outlines of security problems - with enough information to show they're genuine and let the appropriate folks to develop patches to counter them - is good. Releasing script-kiddie-ready toolkits is bad. Unhappily, we don't live in a black-and-white world so it may not always be possible to do the former without making the latter fairly trivial.)
Mat.
Or you could go by that one commercial with the person shooting the animals - as in with a camera - which is the best kind of sport hunting I can think of, since you can show off the animal you caught (on film) without harming it (unless you believe that photons hitting an emulsion takes away the soul of the last thing the photons bounced off of).
---
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
Another "tool", Stacheldraht, is apparently a modification of Trinoo. I've been looking at the source code for it and I can only say it's amazing these things actually work at all! The level of sophistication in the programming of Stacheldraht, at least, is abysmal! I haven't seen the source for TFN or TFN2K but it wouldn't surprise me if it was in the same class. In no particular order Stacheldraht exhibits:
- Tons of unused variables
- Casting of pointers that don't need to be cast
- Spaghetti code par excellence
- Mass use of deprecated network programming funcs.
- Inclusion of .C source in .h files (ugh)
- Multiple header files with no rhyme or reason
- A lack of understanding of the 'fork()' process
- Definition of functions that don't exist
- Non-declaration of functions that do exist
The best thing I can say for it is that if the guy who wrote it is from Germany at least the variable names chosen are somewhat understandable in their use. One thing that strikes me is the way the authors tout these tools as being for demonstration of vulnerabilities. Then once the vulnerability has been demonstrated in a huge way, they continue to modify and upgrade the programs! Just for demonstration purposes? Yeah, right.
Yeah. The only difference between him and 40 million other people with just as much or more skill than he has, is that the other 40 million have morals. If he would have sent the code in to CERT and then sat on it, not telling anyone, I would have respected him more. But he wanted the glory for himself, and therefore no, I will not respect him.
You do realize that Rob probably has a log of that and is reporting it to your ISP right now.
nc
I disagree with that. It has been publically known for decades that doors don't stand a chance against an attack by a tank. My landlord isn't going to put an anti-tank ditch around my apartment. Why? Because only a few have the expertise to create a tank, and those that do, don't leave them on the streets for anyone to grab. And that's more than enough to keep my stuff safe from an attack by a tank.
As long as people behave irresponsibly, be it by making actual attacks, or by putting the means into the hands of anyone who feels like it, "hackers" will keep a bad name. Nor is it going to help any open source movement at all. Whining about being portrayed in a negative way in the media here on slashdot isn't going to solve that. Do you really think Joe R. Websurfer gives a damn "it's ok to make the tools available", "this attack shows that people have to spend more time and money in securing their sites", etc? No. He notices that his favourite websites were unavailable for some hours. And that the same crowd that wants him to run Linux instead of Windows (partially) defends the actions.
-- Abigail
What packet kiddies like this don't seem to realize is that there is always a trail. All it takes is a few competent admins and a few phone calls.
There are already tools out there for the detection of these types of DDoS attacks, and there are already procedures (and software in some cases) for quickly tracing back spoofed IP addresses. Adding a relay in there just makes it take a little longer (assuming the initial request for a DDoS attack wasn't already detected by the attacker's ISP or any system in between).
Depending on how many Hax0ReD systems you're bouncing between to request a typical smurf attack, and depending on the time it takes the victim/victim's ISP to notice, your true origin can be discovered in as little as a few minutes. Work is already underway on automating the process of tracing back spoofed IPs. With a quick phone call to each of the sites you're bouncing from, you can be tracked down in a matter of seconds. All the victim has to do is activate software and tell it the nature of the attack. In fact, any site along the way that detects the attack itself or the instructions to instigate the attack can do the same thing.
You think you're invincible? Impossible to find? When you have a half dozen angry, highly intelligent people methodically following the trail back to your PC (one of which could be working for the ISP you're dialed up to), how long before you think you'll be caught? Do you honestly think that the only people caught pulling crap like this are the ones that show up on TV? Contact your local police or FBI office for statistics.
When you are caught, then the real ass fucking begins. A major DoS attack (like most smurf attacks or any of these DDoS attacks) can cost an ISP hundreds of thousands of dollars (that's six digits). If you're a minor, that means your parents probably get stuck footing the bill. They'll lose their house, their car, your college tuition (but I guess you probably didn't really want to go to college anyways so that's no big loss), to say nothing about the computer equipment you might have in your home (even if it's not yours). We haven't even touched on the compromised accounts yet. Each one of your DDoS client hosts constitutes a breakin and unauthorized use (minimum -- actual charges will probably be a lot more), each with its own penalties and fines. You think Mitnick was imprisoned for too long? They're going to have a hundred times the amount of evidence on you than they had on him. How long do you think you'll end up being behind bars?
Is this really worth it, kids? Is your l33tness really that important? You know, in a few short years (months or weeks for the more pathetic), nobody is going to remember who the fuck you are, much less any of your l33t conquests. Do you really think you're going to get in the newspapers and have a bunch of "security firms" offer you nice cushy $150,000 jobs working with nice state-of-the-art computer hardware? I suggest you stop buying into what your kiddie friends are saying on IRC and do a little hard research on your own. I imagine you're going to be pretty disappointed.
Get a life, man.
Damn, all this shit about Mixter being the innocent informant is making me sick. I talked to him a number of times, watched his activities long before anyone here heard about him and I can tell you, he did not only write TFN with an intention to wreak havoc, but he actually did it himself!
He 0wned thousands of machines again a short time after his bust, and he fought out stupid IRC wars with them to boost his ego.
So the people defending him, SHUT THE FSCK UP, you don't know how this guy talked a few months ago ("I need to do this to fight back"). Now he's playing the shocked programmer; damn, he had the chance to make clear the net works because WE want it, not because we fear the feds, but he fucks it up, lies to the public and even makes his mother do it. Why do people like him have to be so incredible morons in real life?
- You wonder what my dad has to do with the credibility of what I said? Well, how about a) the fact that if the war had gone on longer, he would have been fighting in the invasion forces as a machine gunner, and b) he was in areas relatively not touched by the war, yet the Japanese people were starving. So I know directly from a family member what conditions were like from late 1945 to mid 1947.
- "It's a bit hard to believe more Americans would die than died while fighting in Europe, when the US was fighting on two fronts." Nice try, but I didn't make up the figures, they are a matter of military history. Look into the history books about the U.S. casualties on Okinawa and Iwo Jima, and consider that the Japanese people were preparing to fight a Vietnam style guerrilla war if the U.S. invaded. Then decide if the wartime estimate of a quarter million casualties was realistic.
- "In 1945, the people who decided to drop the bombs didn't give a rat's ass for the lives of the Japanese." Sorry, wrong again. The U.S. warned Japan repeatedly of exactly how bad this new weapon would be, all in the interest of stopping the bloodshed. Secondarily, in Japanese terms, Hiroshima and Nagasaki were relatively smaller cities than some of the other available targets. If the powers that be didn't care, the first bomb would have exploded just over the edge of Tokyo Bay, and probably would have killed well over a million people between the explosion, the resulting tsunami (tidal wave), and the radiation poisoning that would have followed. This would have been followed by bombs in Osaka, not Nagasaki, then Kyoto, and for all intents and purposes, the Japanese national heritage would have been pretty well obliterated.
- "He (Hirohito) might as well done that if the bombs had not been dropped - it's something we will never know." Strike three, and you're out. The history of the matter as recorded at the time (in Japanese and later translated into English) is that Hirohito realized that he was facing the imminent destruction of his people if he personally did not tell them to NOT fight, because there was no one else all of the people would have followed. I have also read that at the time of his decision, it was not even sure whether or not Hirohito would even survive, whether his own military leaders or the Americans would do him in. I don't call that saving one's backside. I call it pretty damn noble.
- "And the allied forces defeated the Nazi's without the use of atomic weapons." Well, at least, you got one right, having previously struck out. But in the process you totally overlooked the reason for my post, which will follow.
--flame mode off--
The whole point of my original post is that as horrible as the atomic weapons were, they were not used without thinking about the consequences beforehand, and not just to send a message to the USSR.
--Flame mode back on--
Oh, and by the way -- if you don't know what you are talking about, don't try to frag the comments of those that do. [sometimes I've even been known to be one of them]. It won't work and you only look stupid in the process.
--flame mode off--
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
Hey, this MisterX still lives with his mommy! I was watching the news, and they called his number to talk to him and got his mom on the phone. What a fucking pathetic loser! Like I say, all these script kiddies are burger flippers living in their folks basement. If they are so talented, why aren't they doing something worthwhile and getting rich? Because they are degenerates, no more advanced than vandals and shoplifters.
I dislike your tank analogy. I fail to see how it applies to security. Do you mean to tell me that changing the Open Source credo/dogma from disclosure to "security by obscurity" is going to stop script kiddies? Honestly? Or do you mean that they simply should make the exploits less trivial? Or that security exploits are fine, but DoS utilities are not?
First, the vast majority of these hackers aren't as philosophically attached to Open Source as you, not to mention most of slashdot, appear to be. They're largely different groups, with some overlap in between. So what may motivate slashdot to change their stance, likely will not sufficiently sway most in the security "community".
Secondly, assuming the two groups are one and the same, the Open Source community should not change its stance on something so fundamental as this, based on public perception. It goes against most of what Open Source supposedly stands for--truth before "perception". In my eyes (not that I'm a zealot), it would be equivalent to agreeing to sell all source code, yet keep it "open", for the sake of appeasing those for whom Open Source and communism are synonymous.
Thirdly, I don't believe the general public is truly aware of Open Source in this context. There may be a vague recognition of the words "Linux", "Open Source", and "slashdot", but they don't know its stances on such things. So public perception is essentially a non-issue.
Fourthly, I believe you must distinguish between security (as in files, information, private networks, etc) and denial of service. I, offhand, can't think of too many large sites that target the general public that have been offline for extended periods of time due to hacking. I was not exactly advocating DoS utility creation, thus I will not touch on it.
Last, but not least, I don't believe any actions (against SECURITY exploit publication) by law, the open source "community", or otherwise, are going to have a significant, sustained, and positive effect on security for the general public. As I alluded to earlier, I believe there is a substantial argument for the publication of exploits. Put simply, by making the publication of exploits a "no no", you merely drive it underground. The net effect of this is that even the highest security of sites are left to guess at what the hacker community has in terms of exploits (this is especially true with proprietary and very much closed source vendors (e.g., Microsoft)). While your "tank" argument (as you perceive it) may come into play here, I must disagree. The same elements that make the internet such a great thing also have the effect of providing a common ground and forums for hackers, while providing every "hacker" with potential access to every site on the internet--vastly different from the "local" scenario you seem to be describing.
Actions against publication of exploits may have the effect of driving the script kiddies out of town (or rather, just leaving them ill-equipped), but I'm not even sure if that is necessarily a good thing (as I mentioned earlier in the "seasoning" argument). Such actions may have the effect of just leaving these exploits in the hands of elite professionals. Imagine, say, the KGB (or whatever it is called today) looking to harm the United States in 10 years, after the internet is responsible for 50% (extremely high in my opinion) of our GDP in one way or another. Assume that your actions were successful, that you drove all hackers in the US out of business. What are you left with? The same Microsoft. The same universities. The same military networks. Corporate networks. Unfazed by the prospect (lack of publication) of exploits, hackings, and the like. So many unseasoned targets, with, what are frankly OBVIOUS exploits. With one or two obvious exploits, they could turn it over on networks automatically--realizing success proportions that today's script kiddies can't even dream of. Giving them access to even 10% of major internet sites could not only be an extremely valuable intelligence tool, but it could also be an economic and telecommunications weapon.
Though, the KGB attacking may be an extreme and unlikely scenario, it could also be a devastating one. More likely, and somewhat less devastating, would be terrorists and the like using it in somewhat less coordinated attacks. Or industrial theft, espionage, etc. carried out against virgin targets.
By making security an industry, by allowing publication, you do more than just improve the actual design of operating systems and the like. You create a more educated group of security professionals. Who, in turn, create a more aware group of system admins. Who in turn demand more secure software from vendors... The interplay between all these forces and groups does have positive consequences.
Larger, more important sites are benefiting a great deal from the status quo. In the short run, I fully realize that the current nature of publication+script kiddies leaves the less attended to sites at something of a disadvantage. Many of these "smaller" or less important sites can't afford to worry about security a great deal; they can't afford to check the latest vulnerabilities before they're put in the hands of thousands of script kiddies world wide. For whatever it is worth though, I believe that the vast majority of vulnerabilities are due to sheer negligence of the vendors. Put simply, they couldn't care enough about security to make it a priority. I do believe that, when and if script kiddies ever become THAT much of a problem, the vendors will have to respond by creating higher quality (less hype, spend more time making sure it works, instead of rushing it out the door) and more secure software. If it is reasonably possible (and I believe it is), market forces will dictate to the vendors.
Could stop this if they had the CPU headroom (they don't?). CPUs get faster every month. Can someone comment, or is there just no demand for this feature, as opposed to sheer raw shoveling speed?
You have just openly admitted to abusing your privilege to moderate. Moderation fails when the moderators refuse to read unmoderated posts.
Look at www.dubbele.com for another great free firewall solution.
After a few people got hit by these DDoS attacks, apparently ZDnet faked an attack on themselves to get their own name publicised. They didn't want to be left out!
I wonder if any of the attacks actually did happen...
Hirohito was not a noble man. He wasn't anything better than Hitler.
-- Abigail
I wish you'd clarify what your position actually is! Are you referring to DoS utilities, or security exploits? I don't advocate, from a positive net effect point of view, the publication of DoS programs, at least not those that are merely designed for massive flooding using well established techniques. However, I am a strong advocate of disclosure. Proper disclosure, to me, means first approaching the vendor(s) and/or discussing the vulnerability from a technical approach. Failing a positive reaction from the vendors (when they can reasonably solve the problem), then publication of an exploit may be in order.
Guns are of entirely different nature. When someone is shot, that is the end--there is no worse crime. Thousands of people have been killed by guns in this country. Empirically speaking, script kiddies have done very little severe damage with security exploits (not DoS scripts).
In releasing guns to the general public, no reasonable person could claim that it results in a positive net effect. It is not possible, for example, to, say, merely apply a new chemical to your clothing that makes it bullet proof. Nor could you claim that your bullet vulnerability is due to some flaw in your body or your clothing that can merely be patched. Furthermore, we have a strong military--foreign invaders are not going to be deterred by small civilian arms. Anyone who could defeat the US military would defeat US citizens with relative ease, regardless of how many rifles they may have. Additionally, we have a strong police--most people don't need that kind of protection. Yet my arguments for exploits still stand (at least you refuse to attack them head on). Vendors are forced to take corrective action every day that many of them would not otherwise have taken were it not for the current approach. The larger ISPs are starting to harden themselves to script kiddies, and are, in the process, making it tougher for wide-spread (particularly automated) hacking by other more malicious interests.
To boil this all down for you: publishing an exploit is not INTRINSICALLY immoral. If you wish to say it is unwise or immoral, you should make an argument that the results of publishing the exploit are. I could see your arguing, perhaps, that the short-term losses far outweigh my somewhat longer-term and more theoretical benefits. However, I obviously take a very different view, both in the assumptions made (on which these decisions are predicated) and in the conclusions reached.
- Hirohito did not politic his way into power for the express purpose of totalitarian government and world domination, he was the hereditary ruler. Much as the English monarchy today, he actually had very little political power.
- Although the Japanese troops had a well deserved ugly reputation for brutality (especially in Nanking China), the Japanese never embarked on a Hirohito-led genocide.
- When Hirohito's message went out over the radio, it went over the most politically powerful group in his nation, directly to the people -- who in turn made the changes that took the power back from the military to the people. With the help of the Americans -- In the process the Japanese people went in a few short years from a people with a history of seven to eight hundred years of being an oppressed majority under military dictatorship (called shoguns -- the emperor was essentially a figurehead) to being a fairly robust democracy.
- If Hirohito was as bad as Hitler, then why did he never stand trial as a war criminal, a la Nuremberg?
A final point. When Hirohito died in 1989, why did the U.S. send dignitaries to the funeral if he was as bad as Hitler?
Lastly, although I have been harsh in my criticism of your points, I also recognize and agree with you that war (including atomic and nuclear weapons) is a horrendous thing -- and that I am not just on the side of the Japanese, Hirohito, the U.S. military, or anybody in all of this.
What I am on the side of is accuracy in history, without the bias of our current pessimism or political correctness to change how actual historical events are portrayed.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
I've read all of your comments so far, and I really think you're missing an enormous point, especially when you consistently resort to your guns/tanks/some-kind-of-military-hardware.
The point is that script kiddies are doing it now... what is to prevent (as mentioned above) an organised and motivated criminal group from doing the same to (as someone else pointed out) mask another crime? What if these criminals paid some 'developers' lots of cash to develop an effective attack against Yahoo or CNN or some kind of financial dot com?
Form your own conclusions - me personally, I'd rather yahoo went down for several hours once in a while. Much better that they get burned and patch up instead of getting thoroughly fucked by someone with real criminal intent, especially when that company might have information about me.
My advice to you abigail-II is grow up, and be a little more pragmatic. Sure, punish the script kiddies, but remember that they are like an inoculation against *real* cyber-crime.
Until the end of the war, Japanese Emperors were seen as gods, a status no English monarch ever achieved.
Although the Japanese troops had a well deserved ugly reputation for brutality (especially in Nanking China), the Japanese never embarked on a Hirohito-led genocide.
Ask that to the Koreans. Ask that to the few survivors of the slaves that built the Burma railroad. I'm too young to have experienced the war, but the generation before me did. And from that generation, I know many people that lived in Indonesia in the early 40s. (I am Dutch, and Indonesia was a Dutch dependency at the time). I know many people who spent a significant number of years of their childhood in prison camps. I know people who lost their fathers/brothers/uncles in Japanese labour camps. I know people who were tortured by the Japanese, and suffered the rest of their lives from the consequences. I know people who, after more than 50 years, *still* wake up during the night with nightmares. All done in the name of the emperor of Japan.
If Hirohito was as bad as Hitler, then why did he never stand trial as a war criminal, a la Nuremberg?
I've no answer for this twisted US political agenda point. It certainly did not have unanimous support from its allies, but given the US dominance, what could they do about it?
A final point. When Hirohito died in 1989, why did the U.S. send dignitaries to the funeral if he was as bad as Hitler?
Economical and political reasons. The US was never (partially) occupied by Japan, nor did it have a significant number of civilians that suffered or died in prison and labour camps.
Let me rephrase that question. Why was it that the Netherlands, who more than any other country in the world depends on foreign trade for its economy, which has Japan as one of its biggest trading partners, and which, like Japan, is a monarchy did not send any dignitaries? No member of the royal family, no political hotshot? Just a tiny delegation from the embassy. And while there were dignitaries a month later during the inauguration of the new emperor, it was a rather small one, and didn't include the queen or her spouse, because the entire concept of "emperor of Japan" is considered tainted.
-- Abigail
It is fine and good to say that you object to "...handing out the tools to exploit a hole...to anyone that wants it". However, if the act isn't intrinsically bad, then you should argue exactly why you feel this way. This argument, naturally, involves weighing the costs and the benefits, on both the short term and the long term (aggregated).
As I've said before, I'm an advocate of disclosure. However, that does not mean that I think all, or even most security "pros", are motivated altruistically. In fact, the motive to publish is very much a self-centered one. I, for a long time, have held the belief that there is something of a symbiotic relationship between script kiddies and the security professionals who create exploits (script kiddy fodder). The professional not only improves his recognition as a security guru, but he also helps drive up demand for his services when the script kiddies, inevitably, start hacking.
That being said, not every act done out of self-interest is NECESSARILY bad in any context (e.g., the entrepreneur). Nor does every act done out of self-interest, with initially negative consequences, have a net bad effect (e.g., the small business that displaces mom-and-pop stores).
Some of the pros follow a path, which I believe, to be optimal. That is, they first generally discuss the exploit and/or email the vendor(s) and ask them to patch it. Then, after a given period of time, or if the vendor(s) refuse to fix the problem, they'll publish an exploit. Unfortunately, many vendors are less than honest when it comes to these issues, so they force the hand of the hacker. In these kinds of cases, I advocate 100%.
Another argument which I have mixed feelings about is one of KEEPING the security profession alive. This can be supported by arguing that exploits are necessary for education (of other pros, but also the up-and-coming kiddies). Remember that many types of exploits work cross-platform with minimal work applied. So that, if I were to create an exploit on, say, Solaris, and email Sun exclusively, the other security professionals would not benefit from my new technique. Nor would the other vendors' systems necessarily be exposed to the same level of scrutiny.
The secondary argument I'll make is that in order to have a system hardened against truly determined attackers, we need a system where security is deemed to be IMPORTANT. If the only reminder of the importance of security is the more stealthy/determined hackers (e.g., the opposite of a script kiddy) that I've referred to, the costs of hiring professionals would be deemed as too steep relative to the apparent unlikelihood of getting hacked. This is where, I'll say, the symbiotic relationship comes into play...possibly for our benefit...in the long term...