Mixter Speaks About the Latest DDoS
ochinko writes, "This is an interview with the German programmer who wrote TFN and TFN2K. Basically he says that it's quite easy to launch such attacks but extremely difficult, if not impossible, for the initiators to be tracked." Suck.com has a pretty good article on the attacks, as well. Maybe I should take credit for the DDoS attacks and become an international superstar.
There is more than a hint of ego in this guy's work (if indeed it was him). By putting it in a public forum (albeit for good reasons) he knew that people were going to abuse his creation.
Maybe he should have let the relevant people know about the problem before putting the code in the public domain.
In many ways I suspect he wanted an attack to vindicate himself, show off his skills whilst remaining on the side of the light and generally bask in the publicity...
Working for the (other) man
Does anyone but me see the goal behind these attacks? Think of the names... CNN (owned by Time/Warner) Etoys (obvious) Yahoo (corporatism ruined a once great story) etc.. all the targets are huge corporations that believed they were more powerful than the "hackers" and believe themselves above morality. Perhaps this will catch their attention... Maybe things like the Fox flash page, frivolous lawsuits, etc. will be diminished. Or not ;) I'm not saying this kind of behavior should be encouraged, or if it is even acceptable... it IS very poor advocacy. I'm just saying, I think I know where these guys are coming from... I'm practically there myself. In fact, I think a lot of us are.
I don't want to paint Mixter in the same light as the script kiddies who launched the attack. However, it is ludicrous to compare his DoS programs with the likes of, what I would call, "true" security professionals (e.g. cDc, l0pht, Solar Design, etc.). What he did, was make a bigger, better, and badder-ass gun for the script kiddies. The monkeys could have flooded major sites before Mixter made his presence felt. Mixter merely made it easier for the monkeys, both to execute and get away with.
No rational and reasonably intelligent person would have denied the possibility of this "security problem". The vulnerability to flooding isn't a security flaw per se that could just be patched if the victims were a little more aware. Unlike l0pht (et al.) he isn't putting pressure on the manufacturers and vendors by releasing his code.
That being said, Mixter didn't do these attacks. He isn't evil, and I have a certain amount of respect for him. I do have a problem, though, with portraying his creation of these DoS programs as being intrinsically good, never mind his motives.
Ok, I know who did it. It was my cousin's sister's broker's dealer's aunt's friend who told me that they knew a guy who happened to have the next ASN up from this girl who once exchanged Email with a cypherpunk who was loosely referred to in Cryptonomicon which was secretly a true story about this guy who towed my car for me.... um, where was I?
;-)
Oh yeah, Hemos did it.
This is from the suck.com article.:
But the people who truly deserve the blame for the public's hours-long inability to swap "Steam Engine" jackknives on eBay are the short-sighted, tight-fisted monkeys who managed to build a multi-billion dollar industry on an insecure networking system, something so fragile that it can be brought to its knees by anyone willing to bother. The fact that a target as big and fat as Yahoo is fundamentally vulnerable to something as simple as a DoS attack is a clear invitation to go right ahead and shut them down.
Whoa, that's pretty intense there. They also go on to say that since vandalism is inevitable, it's up to the people who will be vandalized to protect themselves. I agree to a good extent.
My question is this: How can you properly protect against many DoS attacks? Once so many requests come in from one IP, you block that IP? I can see problems there, such as if many customers through one ISP go through a cache box. The way I see it, stopping this is just as hard as stopping the slashdot effect. What types of protections are there concerning router-level protection?
thanks..
PS - I know that packets coming from our ISP cannot be spoofed due to our routers, so if my box (soul.apk.net) caught wind of the problem, nothing would be allowed out anyway. However, I don't think it's always our job to do the security for outgoing traffic.
- Mike Roberto
-- roberto@apk.net
--- AOL IM: MicroBerto
Berto
There are basically two problems: a huge number of machines vulnerable to off-the-shelf attacks, and the difficulty of detecting packet storms with phony source addresses. Both of these are fixable, but not trivially.
One way to address the first problem is to have a certain percentage of machines set up by default to detect and immediately report break-in attempts. This will detect large-scale attacks, and will trace them back one level. Not all machines need to have this, just 1% or so. If, say, most Linux machines did this, the problem would get much smaller. If most Microsoft machines did it, the problem would go away. We'll probably see this happen over the next year or two.
I can think of a few ways to address the second problem, some of which I've already discussed. With a little help in some routers, some interesting things become possible. Suppose there was an ICMP control message you could send to a router which said "turn on Record Route on IP packets sent to me for the next N seconds." Given that primitive, you could build a backwards traceroute.
The fact of the matter is that there is nothing the cDc (et al.) does, that can't be created independently by other hackers. Imagine a world in which none of these exploits are disclosed, and also that 99% of sites on the internet run NT 4.0. Without disclosure and general public knowledge of these exploits, MS would never act to patch it--it costs a great deal of money. Some may argue that it is not necessary to actually create a trivial exploit that script kiddies can exploit. While this may have some merit (I even agree somewhat with this approach, it depends largely on the circumstances and the vendor), it has been shown with MS (and a few others), time and time again, that they'll simply dismiss a vulnerability as "theoretical", or even "impossible", unless you make it known that you're going to create an exploit for it--and have demonstrated your abilities to make it a reality before.
What we have today with open disclosure, is a system where operating systems, vendors, and sysadmins become somewhat seasoned and hardened to attack because of this kind of disclosure.
Somewhat more debatably: Although script kiddies may be a pain in the ass, and their motives are selfish and childish, they do (collectively) ironically serve a function of sorts. Without script kiddies, it would be much easier to shrug off the importance of these flaws; it would potentially allow for a terrorist group, foreign government, or even a group of criminals to do serious economic damage in a wide-spread, highly coordinated, and professional attack. Remember that the independent acts of a million script kiddies all doing their own thing, is likely not nearly as dangerous as the coordinated efforts of a professional organization (not to mention that the professional organization could do it by surprise, virtually overnight).
That being said, to clear up any confusion, I don't believe the internet is, at this point at least, terribly significant to our ACTUAL economy (GDP...as opposed to the imaginary one the press and politicians love to talk about). Even the actions of terrorists are not going to have all that great an impact (in my "other" scenario)--just that they'd have a greater impact were it not for disclosure. (Although, with corporate networks today being connected to the internet in various fashions, there is potential of significant information loss through the internet)
February 14, 2000
By DAVID P. HAMILTON and JIM CARLTON
Staff Reporters of THE WALL STREET JOURNAL
Computer sleuths and federal investigators continued to narrow their search for the culprits behind last week's hacker attacks against Yahoo! Inc. and other Web sites, obtaining evidence from several computers used in the attacks that points to at least two potential suspects.
While the investigation appears to be making progress, law-enforcement officials say they haven't yet come up with hard suspects. However, evidence obtained from analysis of network traffic, computer-security logs and monitoring of Internet-hacker channels known as Internet Relay Chat, or IRC, has let investigators focus on the activities of two known hackers. So far, the two have been identified only by their online pseudonyms.
The hacker raids, which overloaded major e-commerce sites with packets of meaningless data in so-called denial-of-service attacks, didn't threaten any data stored on those Internet servers. Many in the security community initially derided the attacks as unsophisticated, saying they could be conducted with tools widely available on the Internet.
Now, however, it appears that at least one of the attackers may have been far more skilled than the apparent copycats that followed, said David Brumley, a system-software developer in Stanford University's information-technology department who has taken an active role in the hunt for the perpetrators. The hacker, who is believed to be responsible for the attack on Yahoo -- the first of last week's large-scale assaults -- mounted a particularly complex operation using highly customized tools, Mr. Brumley said.
Mr. Brumley said this hacker's online pseudonym is known, but he wouldn't reveal it to avoid jeopardizing the investigation. He added that this hacker appears to have dropped out of regular IRC chats in the last few days. The hacker is thought to reside in the U.S., he said.
A second, apparently less-skilled hacker believed to live in Canada was being watched as a possible copycat, said Michael Lyle, chief technical officer of Internet-security firm Recourse Technologies Inc. (www.recourse.com). The hacker, known by the online pseudonym "mafiaboy," allegedly was recorded in an IRC chat soliciting orders to shut down the Cable News Network and E*Trade Group Inc. sites, Mr. Lyle said.
Stanford's Mr. Brumley confirmed that a hacker using the mafiaboy pseudonym was a focus of the investigation. However, he said, some in the hacker community don't believe the person behind the name was involved in the attacks. Indeed, mafiaboy is said to have later retracted the claims and a law-enforcement official said that authorities, while scrutinizing his actions, aren't sure he is responsible.
Mr. Lyle and other security experts at Recourse, of Palo Alto, Calif., said they have viewed snippets of dialogue and have verified more of it from other hackers, and plan to give the information to the Federal Bureau of Investigation. "We think there were several hackers who launched the attacks in copycat fashion," Mr. Lyle said.
Interest also has grown in a hacker identified as "Mixter." In a series of e-mail exchanges with The Wall Street Journal, online-news provider ZDNet and other media, Mixter has described himself as a 20-year-old German programmer living in the area of Hanover, Germany.
Mixter is credited with having authored the Tribe Flood Network software, or TFN, one of the interrelated attack tools believed to have been used in the attacks. A similar software is "trinoo." A third, called stacheldraht, German for barbed wire, is based on TFN but uses trinoo features. Mixter is credited only with TFN.
In e-mail interviews, Mixter said -- in fluent English -- that he had no direct connection to the attacks and criticized the use of his software to paralyze online companies. He said TFN was written solely to demonstrate Internet-system weaknesses.
Mixter first appeared on the Internet hacker scene around July 1998, posting less-well-known software programs he had authored on security-related Web sites, according to Dave Dittrich, a University of Washington computer-security expert who has analyzed some of Mixter's software.
Mixter has voluminous postings at a site called Packet Storm, a division of Kroll-O'Gara Information Security Group in Palo Alto. Last month, a paper Mixter wrote on Internet security won a $10,000 prize in a Packet Storm competition. Mixter's most recent addition to the site is a lengthy treatise on how to deal with attacks such as last week's.
A law-enforcement official said the FBI is trying to talk to Mixter through German authorities, but that Mixter isn't a leading suspect at this point.
The FBI has run into problems retracing the source of the attacks because some sites used weren't keeping complete logs of computer traffic, according to a person involved in the case. "Some of the sites didn't capture all of the traffic" because their record-keeping software isn't set up to record that level of detail, a law-enforcement official said.
With help from computer experts at the affected Web sites, the FBI is still analyzing what information they have gleaned from those logs. In addition, according to someone involved in the case, dozens of agents from field offices -- including San Francisco, Los Angeles, Atlanta and Boston -- are conducting interviews with sources who monitor hacking activity.
"There hasn't been a huge number of people taking credit," said a law enforcement official, but the FBI is looking at them all.
The first major breaks in the case came late last week, when investigators learned that computers at several California universities, including Stanford, the University of California at Santa Barbara and the University of California at Los Angeles, were involved in the attacks. Several university officials said their computers were infiltrated prior to the attacks and used to fire the barrage of data packets that temporarily knocked out several sites, including Yahoo, Amazon.com Inc., eBay Inc., E*Trade and CNN, a unit of Time Warner Inc.
At UC Santa Barbara a network programmer noted "abnormalities" in the university's network traffic when he logged in Tuesday night. After further checks, the programmer discovered the following morning that one computer on the network had been broken into and used to attack the CNN Web site, according to Robert Sugar, the university's acting director of information technology.
Upon that discovery, the programmer alerted both CNN officials and the FBI, Mr. Sugar said. Campus officials said the hacker who broke into that computer left many traces, and said the FBI already has obtained reams of data as a result.
Mr. Sugar declined to describe the computer except to say it was an older desktop machine, a description consistent with a computer workstation. Security experts long have warned that older computers used for less-sensitive work at universities, where high-bandwidth Internet connections are common, are particularly vulnerable to such intrusions.
A hacker also apparently manipulated a Stanford network router -- a computer specially designed to direct Internet traffic -- as part of an attack that overloaded the Web site of eBay, San Jose, Calif. That kind of attack, known as a "smurf" attack after the first software tool designed specifically to conduct it, didn't entail an electronic break-in at Stanford's computers, Mr. Brumley said. Instead, the hacker subverted a router "broadcast" feature used to direct an entire cluster of computers to blast packets at eBay.
Meanwhile, other sleuths continued to probe the extent of the Internet's vulnerability to attacks. Network Associates Inc., a security company in Santa Clara, Calif., said a voluntary-screening program detected three cases of denial-of-service software installed on host servers: one in a university computer in Berlin, another at a university in Iowa and one in a nonuniversity computer in Long Beach, Calif. None of these detections necessarily indicate these computers were employed in last week's attacks, the company said.
As investigators continued their work, the computer industry struggled to reach common ground on security issues in order to present a united front at a White House meeting scheduled for tomorrow.
The dilemma for the computer industry, public-policy advocates say, is how to develop and agree upon standards that the government can support and protect without disrupting the open nature of the Internet. But given the different perspectives of government and industry, that won't be easy. Kim Alexander, head of the nonprofit California Voters Foundation, is one of the few people conversant in both the political and technological worlds. "It's like they speak two different languages," she says.
Many companies hit by last week's attacks continued to lie low. But some appear likely to take a more active stand against government intervention. AT&T Corp. dealt with attacks in the past week against some of its customers but remains opposed to government intervention to protect networks.
"It is important for the government [to take] a role in something that is illegal and affects commerce. Past that point, we clearly believe in self-regulation in this industry," said Rose Klimovich, AT&T's director of global intellectual-property-network services.
Some hackers, meanwhile, continued to toy with security experts over the weekend. Late Saturday or early Sunday morning, a hacker with the handle "Coolio" defaced the rsa.com Web site, which is owned by Internet-security firm RSA Data Security Inc., a unit of RSA Security Inc. of Bedford, Mass. The defaced site bore a picture of two men pictured on RSA's official Web site with the letter "L" branded on their foreheads, and carried the message: "The most trusted name in e-commerce has been owned" by Coolio.
Scott Schnell, a marketing vice president at RSA, said the company doesn't use the rsa.com site, which normally redirects Web surfers to RSA's main page at rsasecurity.com. He said the hacker hijacked the rsa.com Internet address and redirected it to the defaced page. Mr. Schnell said RSA was working with its Internet provider to resolve the situation.
David Cloud and Douglas A. Blackmon contributed to this story.
Once upon a time, I was something of a grey hat. I, at one point, wrote and modified numerous programs and scripts that did similar things (thus I refuse to vilify him). I did say that I have some "respect" for him, and that skill was what I was referring to, even though I haven't personally seen the latest jaurez much. That being said, the idea of a distributed DoS attack isn't entirely new. Back in my day (towards the end), there was a program called FAPI (or was it FABI?) written by some folks that I knew. It wasn't quite as sophisticated, but it could have been developed much further, if anyone put the time into it.
If you confessed to a murder, but couldn't produce a body, you wouldn't be in jail. If you confessed and weren't able to recount the details of the crime, they would laugh at you and send you on your way - after a visit to a shrink, I hope.
False confessions are not rare, especially for high profile crimes. The FBI may be completely clueless, but they certainly aren't going to investigate every Usenet kook or IRC whackjob that claims responsibility.
BTW, I did it. Me, A Big Gnu Thrush. So catch me if you can, because 3 days from now, at 25:62 GMT, I'm going to strike again, and no one can stop me!
-insert maniacal laughter-
That may be your purpose for a gun. For me, the main purpose of one of my guns is for home defense. The main purpose of some of my other guns is recreation at the shooting range. The main purpose of the model 94 Winchester (circa 1897) is as a decorative showpiece above the fireplace mantle. The main purpose of the rifle is for hunting.
What a narrow limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.
This PC happens to run windows (Yes. I know. I'm inherently evil and feeding the great satan. Just flame me and moderate me down for admitting it and get on with your lives.)
I installed a firewall (Zonelabs), mostly because it was free, and also because I decided that if I wasn't part of the problem yet, it was only a matter of time.
Results: I was getting probed at an average of once every 20 minutes from a variety of locations. Urk! (Please note, my IP starts with a 24, which tends to indicate an @home or roadrunner cable modem service)
Side note: If you want to test your machine, go to Steve Gibson's ShieldsUP!. It's a bit slow at the moment (and posting this ain't gonna make it faster). Personally I wish I had known about this site before this insanity started.
-----
No Zen is good zen
The cracker who broke into the University machines is unlikely to have done so in the daytime, their time. From this, you should be able to determine the probable timezone.
But how will this help?
In and of itself, it wouldn't. This is where things really depend on the people used to carry the DDoS attack software. To have broken in, the crackers are likely to have scanned the ports and services. From this, you should be able to collect some statistics as to what sort of timeframe the cracker was operating in.
Now, how will -this- help?
Again, it won't, unless more than one site was used in the DDoS attack. There'll be a time difference, as it's improbable the person cracked all sites simultaneously. This will give you a much clearer picture of what was cracked, and when.
THEN, you look at the relative times involved. (Although the logs will undoubtedly have been altered, it may still be possible to see over what timeframe the alterations cover). This gives you a rough guesstimate as to the path of the different connections, and will narrow down the search to specific nodes within each of the possible countries.
Now, some of those nodes will be improbable. It's unlikely that the crackers would have gone through a corporate website, for example, unless that site, itself, had been cracked.
If the cracker(s) went through multiple computers to get to those they eventually used, then, yes, it is impossible to trace them. Triangulation needs at least two known points and a direction. But, if they didn't, this is the best bet anyone has of identifying who did it, unless the person(s) step forward.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
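As an added example (not the poster's own code) of the correlation this post proposes: constructed intrusion logs from several compromised hosts are normalised to UTC, put in order, and used to estimate the intruder's time zone under the post's assumption that the break-ins happened outside the intruder's local daytime. Host names, timestamps and the 23:00 local activity peak are all assumptions.

```python
from datetime import datetime, timedelta, timezone
import math

# Constructed intrusion timelines for four compromised hosts (hypothetical
# host names and times, not data from the investigation discussed above).
# Each entry: (host, host-local timestamp, host's UTC offset in hours, event)
SAMPLE_EVENTS = [
    ("ucsb-lab3",  "2000-02-08 18:10", -8, "portscan"),
    ("ucsb-lab3",  "2000-02-08 18:25", -8, "root login"),
    ("ucla-ws12",  "2000-02-08 19:40", -8, "portscan"),
    ("ucla-ws12",  "2000-02-08 19:52", -8, "root login"),
    ("berlin-cs7", "2000-02-09 05:30", +1, "portscan"),
    ("berlin-cs7", "2000-02-09 05:41", +1, "root login"),
    ("iowa-eng2",  "2000-02-08 23:55", -6, "portscan"),
]

# Assumption taken from the post: the intruder works outside local daytime,
# so their activity is centred on roughly 23:00 in their own time zone.
ASSUMED_LOCAL_PEAK_HOUR = 23


def to_utc(local_stamp, offset_hours):
    """Normalise a host-local log timestamp to an aware UTC datetime."""
    naive = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M")
    tz = timezone(timedelta(hours=offset_hours))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def utc_events(events):
    """(utc_datetime, host, event) tuples sorted into true time order."""
    rows = [(to_utc(stamp, off), host, ev) for host, stamp, off, ev in events]
    return sorted(rows)


def compromise_order(events):
    """Hosts in the order they were first touched, once clocks agree."""
    seen, order = set(), []
    for _, host, _ in utc_events(events):
        if host not in seen:
            seen.add(host)
            order.append(host)
    return order


def campaign_span_minutes(events):
    """Minutes between the first and the last recorded intrusion event."""
    rows = utc_events(events)
    return int((rows[-1][0] - rows[0][0]).total_seconds() // 60)


def mean_utc_hour(events):
    """Circular mean of the UTC hour-of-day of all events (safe across midnight)."""
    sin_sum = cos_sum = 0.0
    for when, _, _ in utc_events(events):
        angle = 2 * math.pi * (when.hour + when.minute / 60) / 24
        sin_sum += math.sin(angle)
        cos_sum += math.cos(angle)
    angle = math.atan2(sin_sum, cos_sum)
    return (angle / (2 * math.pi) * 24) % 24


def attacker_utc_offset(events, local_peak=ASSUMED_LOCAL_PEAK_HOUR):
    """Estimated UTC offset of the intruder in whole hours, folded into [-12, 12)."""
    offset = local_peak - mean_utc_hour(events)
    return int(round(((offset + 12) % 24) - 12))


if __name__ == "__main__":
    print("order of compromise:", compromise_order(SAMPLE_EVENTS))
    print("campaign span (min):", campaign_span_minutes(SAMPLE_EVENTS))
    print("mean UTC hour of activity: %.2f" % mean_utc_hour(SAMPLE_EVENTS))
    print("estimated intruder UTC offset:", attacker_utc_offset(SAMPLE_EVENTS))
```

The offset is only as good as the 23:00 assumption; the ordering and span, by contrast, hold regardless of where the intruder sits.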
If I print out the entire Slash source, then shove it down someone's throat until they choke and die, is CmdrTaco responsible?
:)
If I tie someone up and force them to read all of Signal 11's posts while I scream "Karma! Karma! Karma!" in their ear, is Signal 11 responsible?
If I force someone to read every Jon Katz article until their brain (also) turns to Jell-O pudding, is Katz responsible?
Sorry, I've just read too many gun analogies on this thread. I went a little crazy there. It won't happen again....
Save the whales. Feed the hungry. Free the mallocs.
I prefer hands-on experience, and the research papers, to the views of any ISP where profits are measured by bandwidth sold, not bandwidth utilised.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Look at DeCSS or css-auth?
Are they tools whose sole purpose is to cause harm and aid people in the thievery and piracy of intellectual property, or just tools that will let us play our legitimately bought DVDs in Linux?
Only 36 hours ago there was that article about the head of the RIAA and his opinions about how DeCSS had no purpose other than piracy. And we mostly, 99% agree that he's wrong. Well then, why all this argument for the case of TFN? Why are many of us unhappy about TFN and blaming the author for all the problems he caused by the tools he created, yet happy about the creation of DeCSS and css-auth?
Why the double-standard?
Canadian Company Provides Web Security Countermeasure
Flamborough, Ontario, February 15, 2000
While corporate technology executives meet with President Clinton's staff at the White House to discuss the recent catastrophic Denial of Service problems for web business, a small Canadian company today announced the pending release of a solution.
In order to be a successful countermeasure, the cooperation and adaptation by the infrastructure industry will be necessary. Platformed on the GateWeaver VPN Firewall server, the company expects to have its newest "Crossing Guard" module in the mass market channel by mid-March. The offering will be in two formats: software only and an integrated hardware device.
The GateWeaver products are compatible with Macintosh, Microsoft Windows, Unix operating systems and Novell networks.
Crossing Guard is an initiative to combat the recent increase of DoS (Denial of Service) attacks that have been responsible for Internet server downtime. The key to defeating a DoS attack is to push the attack as far from the victimized server as possible, preferably right back to the initiating client. This allows the server to continue servicing its clientele quickly and efficiently.
Crossing Guard works to provide a "breathing window" during a Denial of Service attack to isolate attackers and initiate a response. By working with ISPs and backbone providers, an attacked server can request a reprieve from the closest Crossing Guard to the attacker, stopping the packet storm in its tracks. This reprieve will last for 60 minutes: enough time to contact network providers for a more thorough response, while not limiting the freedom of the net or disconnecting a large gateway that serves many clients.
When an attack is detected, either through server unresponsiveness or more proactive network monitoring tools, the system administrator logs into the local Crossing Guard server, which attempts to contact the next upstream Crossing Guard to the attacker through the primary network connection and, failing that, through a backup connection. Each Crossing Guard will relay the countermeasure request as far up the tree as able, so as to limit the bandwidth consumed by the attack to as short a distance as possible.
Each Crossing Guard will store the request for later review, as well as notify system administrators in each network the attack is passing through of the countermeasure, and provide contact information for the attacked server administrator to arrange for a more permanent protection solution.
The Crossing Guard specification is expected to be released to the Internet community for peer review and implementation. Our goal is to create a solution that scales from the largest intercontinental provider down to the smallest local ISP. With this in mind, the GateWeaver implementation of Crossing Guard will be available as a software product free of charge to local ISPs.
All hardware vendors, network providers, ISPs, and businesses doing business on the Web are invited to join in developing a self-regulating solution to contain and deter Denial of Service attacks.
GateWeaver.com has made available a free distribution version of its firewall-VPN software. The company anticipates releasing the software version of Crossing Guard in the same manner.
Contact Information
www.gateweaver.ca
www.gateweaver.com
The Manor Group Ltd.
Chris Maxwell
Cmaxwell@themanor.net
905-689-2001 Phone
877-manor-99 Toll Free
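An added model (not GateWeaver's code; the Crossing Guard specification itself is not on this page) of the relay procedure the announcement describes: the victim's local guard installs a filter, relays the request upstream over the primary link or, failing that, the backup, each guard stores the request, notifies its own administrator and passes the victim's contact details along, and every filter lapses at the end of the 60-minute window. Node names, links, addresses and the "primary link down" condition are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# The announcement's 60-minute "breathing window".
REPRIEVE = timedelta(minutes=60)


@dataclass
class ReprieveRequest:
    victim: str      # attacked server
    signature: str   # traffic to drop, e.g. "UDP flood to 203.0.113.10"
    contact: str     # attacked server's administrator, handed up the tree


@dataclass
class Guard:
    """One Crossing Guard node. `primary`/`backup` name the upstream guards over
    the main and fallback links; `reachable` says whether each link is up now."""
    name: str
    admin: str
    primary: Optional[str] = None
    backup: Optional[str] = None
    reachable: Dict[str, bool] = field(default_factory=dict)
    filters: List[Tuple[ReprieveRequest, datetime]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def install(self, req: ReprieveRequest, now: datetime) -> None:
        """Store the request for later review and notify this network's admin."""
        self.filters.append((req, now + REPRIEVE))
        self.log.append(f"{now:%H:%M} notify {self.admin}: dropping "
                        f"'{req.signature}' for {req.victim}; contact {req.contact}")

    def next_upstream(self) -> Tuple[Optional[str], str]:
        """Primary link first; backup link only if the primary is down."""
        if self.primary and self.reachable.get(self.primary):
            return self.primary, "primary"
        if self.backup and self.reachable.get(self.backup):
            return self.backup, "backup"
        return None, "none"

    def active(self, now: datetime) -> List[ReprieveRequest]:
        """Filters still inside their 60-minute window."""
        return [req for req, expires in self.filters if now < expires]


def relay_request(guards: Dict[str, Guard], start: str,
                  req: ReprieveRequest, now: datetime) -> List[str]:
    """Push the request up the tree from the victim's local guard as far as the
    links allow; return the names of the guards that installed it, in order."""
    chain, current = [], start
    while current is not None and current not in chain:   # no loops
        guard = guards[current]
        guard.install(req, now)
        chain.append(current)
        current, link = guard.next_upstream()
        if current is not None:
            guard.log.append(f"relayed to {current} via {link} link")
    return chain


def build_sample_network() -> Dict[str, Guard]:
    """Constructed three-tier tree: local ISP -> regional network -> backbone.
    The regional guard's primary link is down, so the request must take the backup."""
    return {
        "victim-isp": Guard("victim-isp", "noc@victim-isp.example",
                            primary="regional-net", reachable={"regional-net": True}),
        "regional-net": Guard("regional-net", "noc@regional.example",
                              primary="backbone-1", backup="backbone-2",
                              reachable={"backbone-1": False, "backbone-2": True}),
        "backbone-1": Guard("backbone-1", "noc@bb1.example"),
        "backbone-2": Guard("backbone-2", "noc@bb2.example"),
    }


def still_active(net: Dict[str, Guard], t0: datetime, minutes_later: int) -> List[str]:
    """Guards whose filter is still in force `minutes_later` after installation."""
    when = t0 + timedelta(minutes=minutes_later)
    return [name for name, g in net.items() if g.active(when)]


def run_sample():
    """Run the constructed scenario; returns (relay chain, network, start time)."""
    t0 = datetime(2000, 2, 15, 9, 0)
    net = build_sample_network()
    req = ReprieveRequest("www.victim.example", "UDP flood to 203.0.113.10",
                          "admin@victim.example")
    return relay_request(net, "victim-isp", req, t0), net, t0


if __name__ == "__main__":
    chain, net, t0 = run_sample()
    print("filter installed at:", chain)
    for g in net.values():
        for line in g.log:
            print(f"{g.name} | {line}")
    print("still active after 59 min:", still_active(net, t0, 59))
    print("still active after 60 min:", still_active(net, t0, 60))
```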
And how exactly do you do your home defense with a gun, without potentially maiming and killing? Pry it between the door and the post so it becomes harder to open the door? How do you hunt with a rifle without killing? Use it as a crude spade to dig a hole? The gun that was produced in 1897 by the Winchester factory, was that intended to be a showpiece?
What a narrow limited view you have, and further what arrogance you have to even suggest that your one view on the purpose of guns is the only purpose.
Perhaps you should consult a dictionary and look up the words primary and only. Those meanings aren't equivalent.
-- Abigail
thanks for making my point.
--
+&x
"The Hacker's Handbook" (back in the 1980's) said the same thing, for the same reason. There was a lot of very insightful stuff (IMHO) in that book.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Or you could go by that one commercial with the person shooting the animals - as in with a camera - which is the best kind of sport hunting I can think of, since you can show off the animal you caught (on film) without harming it (unless you believe that photons hitting an emulsion takes away the soul of the last thing the photons bounced off of).
---
"'Is not a quine' is not a quine" is a quine.
"'Is not a quine' is not a quine" is a quine.
Quine "quine?
And that gives you credibility exactly how? Or your father for that matter. The decision of dropping the bomb wasn't made by the to be formed occupational forces.
Military estimates are that as many as 250,000 Americans would probably have lost their lives, and Japanese casualties from the American invasion would have topped 1,000,000. Estimates are that if the Soviet Union had invaded from the north (where I lived), casualties would have tripled over those expected in the American invasion. From what elderly Japanese people told me when I lived there, the deaths from starvation and disease would probably have pushed the death toll much higher.
Maybe, maybe not. It's a bit hard to believe more Americans would die than died while fighting in Europe, when the US was fighting on two fronts. As for the estimated Japanese deaths, I'm not questioning the numbers, but in 1945, the people who decided to drop the bombs didn't give a rat's ass for the lives of the Japanese. Otherwise, they would have picked different targets than large cities.
When Emperor Hirohito saw the damage of these bombs (which they had been warned about), he overruled his military advisors and told the Japanese people to lay down their arms and welcome the Americans.
Yeah, to save his own ass. He might as well have done that if the bombs had not been dropped - it's something we will never know.
The real reason atomic weapons were invented in the United States was because the government realized that they were in an arms race with the Nazis, and that they absolutely had to win.
And the allied forces defeated the Nazis without the use of atomic weapons.
I disagree with that. It has been publicly known for decades that doors don't stand a chance against an attack by a tank. My landlord isn't going to put an anti-tank ditch around my apartment. Why? Because only a few have the expertise to create a tank, and those that do, don't leave them on the streets for anyone to grab. And that's more than enough to keep my stuff safe from an attack by a tank.
As long as people behave irresponsibly, be it by making actual attacks, or by putting the means into the hands of anyone who feels like it, "hackers" will keep a bad name. Nor is it going to help any open source movement at all. Whining about being portrayed in a negative way in the media here on slashdot isn't going to solve that. Do you really think Joe R. Websurfer gives a damn "it's ok to make the tools available", "this attack shows that people have to spend more time and money in securing their sites", etc? No. He notices that his favourite websites were unavailable for some hours. And that the same crowd that wants him to run Linux instead of Windows (partially) defends the actions.
-- Abigail
What packet kiddies like this don't seem to realize is that there is always a trail. All it takes is a few competent admins and a few phone calls.
There are already tools out there for the detection of these types of DDoS attacks, and there are already procedures (and software in some cases) for quickly tracing back spoofed IP addresses. Adding a relay in there just makes it take a little longer (assuming the initial request for a DDoS attack wasn't already detected by the attacker's ISP or any system in between).
Depending on how many Hax0ReD systems you're bouncing between to request a typical smurf attack, and depending on the time it takes the victim/victim's ISP to notice, your true origin can be discovered in as little as a few minutes. Work is already underway on automating the process of tracing back spoofed IPs. With a quick phone call to each of the sites you're bouncing from, you can be tracked down in a matter of seconds. All the victim has to do is activate software and tell it the nature of the attack. In fact, any site along the way that detects the attack itself or the instructions to instigate the attack can do the same thing.
You think you're invincible? Impossible to find? When you have a half dozen angry, highly intelligent people methodically following the trail back to your PC (one of which could be working for the ISP you're dialed up to), how long before you think you'll be caught? Do you honestly think that the only people caught pulling crap like this are the ones that show up on TV? Contact your local police or FBI office for statistics.
When you are caught, then the real ass fucking begins. A major DoS attack (like most smurf attacks or any of these DDoS attacks) can cost an ISP hundreds of thousands of dollars (that's six digits). If you're a minor, that means your parents probably get stuck footing the bill. They'll lose their house, their car, your college tuition (but I guess you probably didn't really want to go to college anyways so that's no big loss), to say nothing about the computer equipment you might have in your home (even if it's not yours). We haven't even touched on the compromised accounts yet. Each one of your DDoS client hosts constitutes a break-in and unauthorized use (minimum -- actual charges will probably be a lot more), each with its own penalties and fines. You think Mitnick was imprisoned for too long? They're going to have a hundred times the amount of evidence on you than they had on him. How long do you think you'll end up being behind bars?
Is this really worth it, kids? Is your l33tness really that important? You know, in a few short years (months or weeks for the more pathetic), nobody is going to remember who the fuck you are, much less any of your l33t conquests. Do you really think you're going to get in the newspapers and have a bunch of "security firms" offer you nice cushy $150,000 jobs working with nice state-of-the-art computer hardware? I suggest you stop buying into what your kiddie friends are saying on IRC and do a little hard research on your own. I imagine you're going to be pretty disappointed.
Get a life, man.
Oh, really? They would have 2 cities turned into nuclear waste piles less to worry about.
-- Abigail
I dislike your tank analogy. I fail to see how it applies to security. Do you mean to tell me that changing the Open Source credo/dogma from disclosure to "security by obscurity" is going to stop script kiddies? Honestly? Or do you mean that they simply should make the exploits less trivial? Or that security exploits are fine, but DoS utilities are not?
First, the vast majority of these hackers aren't as philosophically attached to Open Source as you, not to mention most of slashdot, appear to be. They're largely different groups, with some overlap in between. So what may motivate slashdot to change their stance likely will not sufficiently sway most in the security "community".
Secondly, assuming the two groups are one and the same, the Open Source community should not change its stance on something so fundamental as this, based on public perception. It goes against most of what Open Source supposedly stands for--truth before "perception". In my eyes (not that I'm a zealot), it would be equivalent to agreeing to sell all source code, yet keep it "open", for the sake of appeasing those for whom Open Source and communism are synonymous.
Thirdly, I don't believe the general public is truly aware of Open Source in this context. There may be a vague recognition of the words "Linux", "Open Source", and "slashdot", but they don't know its stances on such things. So public perception is essentially a non-issue.
Fourthly, I believe you must distinguish between security (as in files, information, private networks, etc) and denial of service. I, offhand, can't think of too many large sites that target the general public that have been offline for extended periods of time due to hacking. I was not exactly advocating DoS utility creation, thus I will not touch on it.
Last, but not least, I don't believe any actions (against SECURITY exploit publication) by law, the open source "community", or otherwise, are going to have a significant, sustained, and positive effect on security for the general public. As I alluded to earlier, I believe there is a substantial argument for the publication of exploits. Put simply, by making the publication of exploits a "no no", you merely drive it underground. The net effect of this is that even the highest security of sites are left to guess at what the hacker community has in terms of exploits (this is especially true with proprietary and very much closed source vendors (e.g., Microsoft)). While your "tank" argument (as you perceive it) may come into play here, I must disagree. The same elements that make the internet such a great thing also have the effect of providing a common ground and forums for hackers, while providing every "hacker" with potential access to every site on the internet--vastly different from the "local" scenario you seem to be describing.
Actions against publication of exploits may have the effect of driving the script kiddies out of town (or rather, just leaving them ill-equipped), but I'm not even sure if that is necessarily a good thing (as I mentioned earlier in the "seasoning" argument). Such actions may have the effect of just leaving these exploits in the hands of elite professionals. Imagine, say, the KGB (or whatever it is called today) looking to harm the United States in 10 years, after the internet is responsible for 50% (extremely high in my opinion) of our GDP in one way or another. Assume that your actions were successful, that you drove all hackers in the US out of business. What are you left with? The same Microsoft. The same universities. The same military networks. Corporate networks. Unfazed by the prospect (lack of publication) of exploits, hackings, and the like. So many unseasoned targets, with, what are frankly OBVIOUS exploits. With one or two obvious exploits, they could turn it over on networks automatically--realizing success proportions that today's script kiddies can't even dream of. Giving them access to even 10% of major internet sites could not only be an extremely valuable intelligence tool, but it could also be an economic and telecommunications weapon.
Though the KGB attacking may be an extreme and unlikely scenario, it could also be a devastating one. More likely, and somewhat less devastating, would be terrorists and the like using it in somewhat less coordinated attacks. Or industrial theft, espionage, etc. carried out against virgin targets.
By making security an industry, by allowing publication, you do more than just improve the actual design of operating systems and the like. You create a more educated group of security professionals. Who, in turn, create a more aware group of system admins. Who in turn demand more secure software from vendors... The interplay between all these forces and groups does have positive consequences.
Larger, more important sites are benefiting a great deal from the status quo. In the short run, I fully realize that the current nature of publication+script kiddies leaves the less attended to sites at something of a disadvantage. Many of these "smaller" or less important sites can't afford to worry about security a great deal; they can't afford to check the latest vulnerabilities before they're put in the hands of thousands of script kiddies world wide. For whatever it is worth though, I believe that the vast majority of vulnerabilities are due to sheer negligence of the vendors. Put simply, they couldn't care enough about security to make it a priority. I do believe that, when and if script kiddies ever become THAT much of a problem, the vendors will have to respond by creating higher quality (less hype, spend more time making sure it works, instead of rushing it out the door) and more secure software. If it is reasonably possible (and I believe it is), market forces will dictate to the vendors.
Hirohito was not a noble man. He wasn't anything better than Hitler.
-- Abigail
I wish you'd clarify what your position actually is! Are you referring to DoS utilities, or security exploits? I don't advocate, from a positive net effect point of view, the publication of DoS programs, at least not those that are merely designed for massive flooding using well established techniques. However, I am a strong advocate of disclosure. Proper disclosure, to me, means first approaching the vendor(s) and/or discussing the vulnerability from a technical approach. Failing a positive reaction from the vendors (when they can reasonably solve the problem), then publication of an exploit may be in order.
Guns are of entirely different nature. When someone is shot, that is the end--there is no worse crime. Thousands of people have been killed by guns in this country. Empirically speaking, script kiddies have done very little severe damage with security exploits (not DoS scripts).
In releasing guns to the general public, no reasonable person could claim that it results in a positive net effect. It is not possible, for example, to, say, merely apply a new chemical to your clothing that makes it bullet proof. Nor could you claim that your bullet vulnerability is due to some flaw in your body or your clothing that can merely be patched. Furthermore, we have a strong military--foreign invaders are not going to be deterred by small civilian arms. Anyone who could defeat the US military would defeat US citizens with relative ease, regardless of how many rifles they may have. Additionally, we have a strong police--most people don't need that kind of protection. Yet my arguments for exploits still stand (at least you refuse to attack them head on). Vendors are forced to take corrective action every day that many of them would not otherwise have taken were it not for the current approach. The larger ISPs are starting to harden themselves to script kiddies, and are, in the process, making it tougher for wide-spread (particularly automated) hacking by other more malicious interests.
To boil this all down for you: publishing an exploit is not INTRINSICALLY immoral. If you wish to say it is unwise or immoral, you should make an argument that the results of publishing the exploit are. I could see your arguing, perhaps, that the short-term losses far outweigh my somewhat longer-term and more theoretical benefits. However, I obviously take a very different view, both in the assumptions made (on which these decisions are predicated) and in the conclusions reached.
Until the end of the war, Japanese Emperors were seen as gods, a status no English monarch ever achieved.
Although the Japanese troops had a well deserved ugly reputation for brutality (especially in Nanking China), the Japanese never embarked on a Hirohito-led genocide.
Ask that to the Koreans. Ask that to the few survivors of the slaves that built the Burma railroad. I'm too young to have experienced the war, but the generation before me did. And from that generation, I know many people that lived in Indonesia in the early 40s. (I am Dutch, and Indonesia was a Dutch dependency at the time). I know many people who spent a significant number of years of their childhood in prison camps. I know people who lost their fathers/brothers/uncles in Japanese labour camps. I know people who were tortured by the Japanese, and suffered the rest of their lives from the consequences. I know people who, after more than 50 years, *still* wake up during the night with nightmares. All done in the name of the emperor of Japan.
If Hirohito was as bad as Hitler, then why did he never stand trial as a war criminal, a la Nuremberg?
I've no answer for this twisted US political agenda point. It certainly did not have unanimous support from its allies, but given the US dominance, what could they do about it?
A final point. When Hirohito died in 1989, why did the U.S. send dignitaries to the funeral if he was as bad as Hitler?
Economic and political reasons. The US was never (partially) occupied by Japan, nor did it have a significant number of civilians that suffered or died in prison and labour camps.
Let me rephrase that question. Why was it that the Netherlands, which more than any other country in the world depends on foreign trade for its economy, which has Japan as one of its biggest trading partners, and which, like Japan, is a monarchy, did not send any dignitaries? No member of the royal family, no political hotshot? Just a tiny delegation from the embassy. And while there were dignitaries a month later during the inauguration of the new emperor, it was a rather small delegation, and didn't include the queen or her spouse, because the entire concept of "emperor of Japan" is considered tainted.
-- Abigail
It is fine and good to say that you object to "...handing out the tools to exploit a hole...to anyone that wants it". However, if the act isn't intrinsically bad, then you should argue exactly why you feel this way. This argument, naturally, involves weighing the costs and the benefits, on both the short term and the long term (aggregated).
As I've said before, I'm an advocate of disclosure. However, that does not mean that I think all, or even most security "pros", are motivated altruistically. In fact, the motive to publish is very much a self-centered one. I, for a long time, have held the belief that there is something of a symbiotic relationship between script kiddies and the security professionals who create exploits (script kiddy fodder). The professional not only improves his recognition as a security guru, but he also helps drive up demand for his services when the script kiddies, inevitably, start hacking.
That being said, not every act done out of self-interest is NECESSARILY bad in any context (e.g., the entrepreneur). Nor does every act done out of self-interest, with initially negative consequences, have a net bad effect (e.g., the small business that displaces mom-and-pop stores).
Some of the pros follow a path, which I believe, to be optimal. That is, they first generally discuss the exploit and/or email the vendor(s) and ask them to patch it. Then, after a given period of time, or if the vendor(s) refuse to fix the problem, they'll publish an exploit. Unfortunately, many vendors are less than honest when it comes to these issues, so they force the hand of the hacker. In these kinds of cases, I advocate 100%.
Another argument which I have mixed feelings about is one of KEEPING the security profession alive. This can be supported by arguing that exploits are necessary for education (of other pros, but also the up-and-coming kiddies). Remember that many types of exploits work cross-platform with minimal work applied. So that, if I were to create an exploit on, say, Solaris, and email Sun exclusively, the other security professionals would not benefit from my new technique. Nor would the other vendors' systems necessarily be exposed to the same level of scrutiny.
The secondary argument I'll make is that in order to have a system hardened against truly determined attackers, we need a system where security is deemed to be IMPORTANT. If the only reminder of the importance of security is the more stealthful/determined hackers (e.g., the opposite of a script kiddy) that I've referred to, the costs of hiring professionals would be deemed as too steep relative to the apparent unlikelihood of getting hacked. This is where, I'll say, the symbiotic relationship comes into play...possibly for our benefit...in the long term...
I'm not justifying it, but from what I've read, heard, and watched on PBS, Japan had absolutely no intention to surrender in any way, and was prepared to fight tooth and nail the whole way. Japan needed a wake up call. It needed to realize that there WERE very real consequences of refusing to surrender, that hit home hard. That the Allies would not stand to drag the war on and incur more and more fatalities to come to the eventually inevitable conclusion of Japanese defeat. I don't think we even really knew for sure if the bombs would actually work. Japan could have at any time said "You know what, this sucks, we're going to lose anyway, we give up", but they stalwartly refused to and all indications were that they were going to make this as nasty and drawn out as they could.
Jazilla.org - the Java Mozilla
It's 10 PM. Do you know if you're un-American?