Slashdot Mirror
Understanding Script Kiddies
Kzip sent us an interesting paper on script kiddies. It basically follows a log of a box being cracked and rooted, and then has tons of IRC logs with the responsible folks. A lot of insight into the mentality, but more important, the novice skill level required to do serious damage to many systems.
A few months ago I saw a step by step instruction set on how to exploit a machine with the BIND vulnerability, and I have to admit, I was tempted to try it, to see if it'd work. Moreso, I was kind of like "wow, I could do all these steps even though I'm dumb", and I know if I had there would have for sure been a little buzz of delight.
I used to buy beer with fake ID before I was of age, and it was the greatest, there was a total high when it worked. That is sort of script kiddy-like, it's not like I dud anything clever or anything, I just showed the clerk my ID and bought it, but it still felt wicked, and I think that's the thing in play here: It's easy to say "oh those kids don't know anything, what they're doing requires no thought" etc, and it's true (reading these transcripts makes you realize how incredibly dumb they are, it's really sad), but it is irrelevant, because as long as breaking into a box gives them a little buzz and feeling of accomplishment, they aren't going to stop.
p.s. the part where the guy is talking about how fat he is, that is so priceless and hilarious. If it wasn't so pathetic I'd laugh till I cried
sig:
See the "..for smart people" banners Wired runs here? Look elsewhere guys.
fun replying to myself, but there is some seriously solid witty banter in there.
:i want some one with good writing skillz ::/ :to write About, FAQ :etc
:is this para write for About :? :K1dd13 came into existance almost a year ago. It was born out of hate and contempt for violence, atrocities and human rights violations against Muslims, specially the affectees in Kashmir. It was precipitated to bring the attention of world leaders and :? :organizations to the issue in cyberspace which is today the leading source of communication. :is that fair enuff? :eyah I guess :I thought it was like a hacking group
:what is lahore ? :lahore==city :Sp07 give me a good quote :I thought it was the whore in french :ill go get a quote fo you :heh :ok :I dont know any in my ehad :hea :d :Silence is gold, if nothing better you hold. :tahts gay :I heard a quote before :goes something like "If you want peace, you must prepare for war" :I herad it in a simpsons episode
:im a pothead :hehe :oh :what does it mean btw :P :? :someone who smokes lots of weed :hahaha :pot-heads :pot = weed :oh :i get tons f weed :but :i dont do it :heh :not weed in your garden or anything
:how much do you weight? :for real :300 punds :for real? :yes :you serious? :for real :yep ::) :serious :dont lie :hehe :i`m FAT :300 is a lot :as :s ::) :nope i`m 300#$@ :how old are you? :17
:dude :4 years back :H M :H M :i was 400 :and then i lost 200 :DAYUMMMMMMMMM :you liar :nutriotion :and then :how can you be 400 pounds when your 13? :I WAS :you liar :tendency :and :lots of eating :but then i left the diet and excersise :but i`ll loose it again :i`m serious now ::) :400 is too much for a 13 year old :when i`m serious imake sure to achieve the goal :maybe like 200 is cool :but 400 :no way :hahahaha :200 is still fat but 400 is like a fucking elephant
:smoking marjuana is likee 'cool'? :I GUESS :ITS FUN :oh :ITS NOT LIKE SMOKING :it tastes good?
:IT TAKES ME TO MY OWN WORLD :MWUHAHAHAHAHA :Ok i disclose my self. :I`m a FED :?? :OH SHIT :You are busted :FUCK YOU :DIE MOTHER FUCKER :FOR REAL???? :officer :yes. :suck my dick :dude :relax :no wonder :how would a pakistanian know english :its all clear :hey :hehe :your not really a fed right?? :y0 :? :dont even joke like that :nope :ok :MAKES ME FEEL NERVOUS :i`m not a fed :why did u take it so serious? :I DUNNO
:man dont think i`m a fed ::) :i`m a elite hacker
[ Dick admits he isn't top of the class at creative writing.]
:D1ck
:D1ck
:D1ck
:D1ck
[Here we have a fancy debate on the mission statement. These guys take themselves a tad too seriously.]
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
[ Our l33t h4x0rs look for profound quotes to adorn their web site]
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
[Dick doesn't know what pot is, but tries to look l33t by claiming he has lots of it. Rather Clintonesque admission follows. Spo7 isn't impressed].
:Sp07
:Sp07
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
[Spo7 expresses skepticism about Dick's impressive fluctuations in mass. He tries to get to the bottom of it. Suspenseful stuff, this.]
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck :
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
[Dick has forgotten he has said he smokes weed. A rare occasion when he admits not knowing something follows...]
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
[Dick, ever the crafty one, shocks Spo7 with a clever deceptive move. Spo7 almost has a heart attack, but dick clarifies the situation.]
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
> Then again, could it be that society implicity
> tells boys that they need to be "macho and
> manly"? Sort of how society tells girls they
> need to be "skinny and beautiful"?
I think its more than that. People always want to blame drug abuse, violence, etc as "the problems" when really, I think they are symptomes of larger, and more fundamental, problems with our societies social structures...specifically they are rotting.
At a start, look at chldren in the US versus other countries. In france or other European countries a 5 year old kid can sit through a formal diner. How many 5 year olds in the US can do the same?
We have stopped teaching our children responsibility and discipline. In fact, we have taught them that they can be irresponsible...its expected of them.
Now as for firearms...they ARE a buzz enhancer in a way. I have used them...holding a gun is a high in and of itself. The realization that YOU now can decided life or death at a whim. Its power.
Does that make them bad? No. It, like anything, is something a person must be taught to control. I have cousins who have owned firearms since they were 11. They are some of the safest people I know with guns. They were taught the simple rules from extremely early ages.
You NEVER point a gun unless you intend to fire it. You NEVER point a gun at a person unless your life is in danger. You ALWAYS treat every gun as if its loaded (even if you have the firing pin in your pocket!). Its all about respect for the power of the tool and for basic life.
It is much harder to aquire discipline later in life than early. Hell I am 22 and just now starting to learn to discipline myself. Its NOT easy. Its a skill that needs to be taught young.
All in all I don't think our society breeds healthy life attitudes. Its a much harder problem to solve than just being reactionary and trying to solve the symptomes (like prohibition of drugs, drunk driving penalties, etc etc) but raising responsible people with healthy life attitudes will solve these at the source.
System cracking is just an extension of adolencent irresponsibility. It is not the problem but the symptom. Catching crackers will no more solve the problem than taking tylanol will get you over your cold faster. (all it does is make you feel better by treating symptoms)
"I opened my eyes, and everything went dark again"
Try Debian.
:)
Debian rarely gets broken into, for one reason: the ease at which you can keep packages updated. If a security exploit is found, you'll generally see an updated package appear within a day or less. In fact, I'm on bugtraq, and I often get the updated package a few hours before the announcement is even out.
How do you get this package, you ask? Well, once or twice a day, run two simple commands. It looks a bit like this:
[root@host] > apt-get update
[root@host] > apt-get upgrade
Anyways, its quick, easy, and works. If you keep up to date [which is REALLY easy], your chance of getting broken into is pretty damn low. Sure, it will never been 100% secure, but its closer than most other distros.
I used to use Slackware. After a few years of it, I got tired of not having package management, so I switched to Red Hat. After a while, I got tired of searching down packages through rpmfind, and switched to Debian. I haven't looked back since
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
So they go around telling their friends "I'm a hax0r! b0w!"
It's about image. They think they can prove themselves to their peers by cracking a box with a canned program. Exploration has nothing to do with it. If they wanted to explore, they would write the programs themselves. But instead, they take the lazy way out, and run a pre-made program.
Laziness and Exploration do NOT go hand in hand.
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
Looks to me like they got that from somewhere else. They don't actually have those fields memorized, and probly couldn't tell you a damn thing about what those funny greater than signs are doing in that text.
I own a server on the Internet which basically serves my hobby stuff. Being a busy guy, I simply don't have time to deal with the various patches and such that I should be getting.
Jon Katz talks a lot about big corporations taking over the Internet and obliverating the little guys. Well, I'm a little guy who has a server with information on it of various types that many folks find useful.
When someone attacks the big companies, they have resources to deal with it.
When someone attacks my server, I'm effectively helpless - and that's pretty much burned me out on creating useful stuff and putting it there.
It seems to me that script kiddies are much more of a threat to "the little guy" than the big corporations that Katz fears. The corporations can't knock us offline, while a script kiddie killed off my server for a solid month.
I wish there was a way to convey to these people how much misery and anguish they cause on the other side, especially for servers run by individuals who really don't have any good options for protection.
I've read in this thread stuff like "script kiddies help the ecology of the net by eliminating clueless sysadmins". But what's so bad about being a clueless sysadmin? If I have something to share with the world, and can afford a server to share it with, well, surely I should be able to do it. Why should I have to spend hours of my time trying to keep up with nonsense like this?
To me, there's nothing more vile and contemptable than a script kiddie. Except, perhaps, the people who publish exploits for them to use.
Why on earth would someone do something like that?
D
----
Hopefully I didn't put any [] around my words.
Doesn't understanding Script Kiddies imply that they do what they do with some logical, understandable purpose?
-- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
BIND also has a "-t" flag, allowing you to chroot it (i.e. "named -u dns -g dns -t /home/dns"). This is also easy if you're a primary nameserver (unlike most chroot programs, you don't need to worry about copying libraries), it will take a bit more work if you're doing secondary DNS (there are HOWTOs available). If someone breaks into your system through a chrooted BIND, they won't be able to get root, since the chroot jail shouldn't have any setuid files in it.
I think a problem will arise as the media attempts to classify all "black hat" hackers by the actions of these "script kiddies." Even though the vast majority of "damage" is caused by people with little or no computer knowledge just for the "thrill," the script kiddies really pose little significant threat to organizations.
The real danger is those people who have a clearly defined agenda/ideology in mind when the crack/write viruses. After the outbreak of the "ILOVEYOU" virus, I began thinking about a virus that targets a particular organization and compromises *only* their systems (and copies internal documents, deletes files, etc.). Even though it could replicate with each machine it infects, it would seem completely innocuous until it finds computers that identify themselves within the target domain. It could target particular classes of domains (in the case of worms, for example) that would be more likely to be within fewer degrees of separation from the target--preventing widespread outbreak and collateral damage so as to avoid attention and publicity.
Threats like the above are what should frighten corporations and the government. After Oracle's recent attempt to purchase MS trash, the proliferation of corporate espionage has really been brought to the forefront by the media. The damage that could result from the release of proprietary information is far greater than what results when a web server is cracked or an e-mail server taken down. Nonetheless, most organizations have no infrastructure in place to deal with this type of threat. This is where the *real* danger lies.
ByteMyCode.com: A Web 2.0 code sharing community.
Part of my company was "hacked" a while back by a script kiddie. Behind our router I pretty much just use telnet and ftp because it simple, and everyone else is behind a firewall and cannot see the traffic in between the router and firewall. Also, the machines are just test boxes with no vulnerable data in any case.
/bin/.bin which is pretty easy to find, using, well, "find" looking files modified within a certain time period. He also left a log of him ftping the files from the seti@home box, which is how we tracked that one down in the first place.
/bin/.bin/sniffer directory, or whatever it was called and viewed his sniffer log. Well, guess what it showed besides our plaintext passwords and usernames? His username and password to his ISP as he logged into his own account to get more tools while the sniffer was running. Needless to say we caught up with him.
./hack 192.168.1.1. I mean as soon as you set up an IRC server to brag about your instruction following skills, you've lost all respect as a "hacker" as far as I'm concerned.
Well, some people in techsupport set up a linux box outside of the firewall to run seti@home, and left it completely wide open. A script kiddie got to that and fired up a packet sniffer. Then of course, strange things started happening on my test boxes as the script kiddie hacked into mine seeing my plaintext passwords, quite simple.
Why do I say this person has no skill? First, my box was running a firewall, so his IRC server was hitting the wall along with everything else he was trying to do, apparently he did not know how to disable ipchains, and I could see through netstat that he had these apps running. He replaced some apps like "ps", but left many others, like netstat. The old apps along with his packet sniffer and IRC server where moved to
Here's the beautiful part. When we found that the seti@home box was the root of all evil, we looked in the
What these people are thinking is beyond me. Maybe I'm just paranoid, but if would ever do something like this, I'd make sure I knew my sh*t and even then odds are you will still leave some sort of trail. So, people must be right, they really must not see any consequence in committing these acts. And then they brag about it like it took skill to type
Stupider like a fox! - H.S.
Secure systems don't have "root."
I disagree. Most of the script kiddies know what their doing once they reach a certain point.
I think that the web page didn't not give enough credit to the abilities of many. Sure, some are incompetent, but many have a clue and are intentionally and knowledgably malicious.
What this article really shows is the lack of good security and monitoring on allot of systems. (apparently not the authors, but if the number of boxes that one of the kiddie's had root was true this fact is inherently obvious)
If all system security was effectively monitored, kiddies would be sitting around bored, DoSing random IRC users.
You are right about the sense of unreality. But I don't think you are right about the curiosity.
My belief is that some people categorize the world into two groups: "People who are stupider than me" and "People who are smarter than me". These kiddies like to have as many entries as possible in list A and as few as possible in list B.
What does this explain and how?
They don't try to understand what they are doing. They can't admit to themselves that there are people smarter than themselves who could teach them about, say, TCP/IP. So they use scripts the found on the net and pretend to themselves that "I could have created this."
It also explains the motivation: If you break into someone's system, you have proved that person is on list A. The reasoning is: "Their automated defenses didn't keep out my automated attack, therefore I am smarter than they are." This is flawed, of course, but we already know the kiddies are a little...dim.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
>To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him.
Although this is a nice concept, the reality is as soon as the 'hacker wannabees' know you are watching, they either drop link, or type
cd /
rm -r * &
THEN drop link.
If the goal is exploration, the world is WAY different than the John Draper days of blue boxing.
386 computers that can run BSD are thrown in the trash. So access to computing resource is limited by electrcity. No need to break into systems to get CPU cycles.
The internet is FAR bigger than the old BellCore network. And the documentation that DRIVES the internet is all out in the open. No need to go dumpster dive the 'keepers of the network' to learn about the network. Or blue box about to map the network.
If it was said on slashdot, it MUST be true!
Heh. Reminds me of a day at work a couple of months ago, when a colleagues' box was hacked into. The h4xx0r kid had run some kind of rootkit (although I'm not sure the box was actually rooted, but some kind of prepackaged kit was used), which cleaned out all the logs. Except, of course, for that tricky, well-hidden, hard-to-find, sneaky, known-by-gurus-only one known as .bash_history! ;^)
It was quite cool to see which commands had been run, etc. I think he actually started up an IRC server on the box, probably to serve warez... That, and the ObPortscan of course.main(O){10<putchar(4^--O?77-(15&5128 >>4*O):10)&&main(2+O);}
Nah, they've no idea what they're doing. You could replace them with an expect script and be more effective. Automate the whole process.
Basically the moral is, take care of basic security. Get rid of stuff you don't need on the box. Use tcpd. stop and comment out all unneeded services from inetd.conf.
Just take basic security measures.
Government of the people, by corporate executives, for corporate profits.
Although i'd have to argue w/some of your point. If you got shot b/c you didn't put up some protection WHEN YOU KNEW YOU WERE IN VERY DANGEROUS TERRITORY, then i'd have to place at least some of the blame on you. If your neighborhood has a high crime rate, i think you'd lock you door, right? Well the internet is a VERY hostile enviroment to be in, so yes you do take some of the blame if you have lax countermeasures.
You dont try and understand the ants in your kitchen, you find out where they are coming from and block it up. Same for a script kiddie. Keeping them out is just a matter of awareness on the part of the sysadmins and not doing silly things like running services you dont need or failing to keep the ones you do need patched. Much like blocking up the cracks the ants are coming through.
On the other hand, if a real expert cracker wants to smoke my systems then I may as well kiss my digital ass goodbye because I know my limitations and I know theres many folks out there who can find holes in systems that I never even knew were technically possible. The difference is that the real experts are usually more mature than the script kiddies and need some kind of reason to hit a system - and as far as I know they have no such reason to hit mine, theres nothing there that they need.
Just IMHO but as far as I'm concerned the only time I'd bother even trying to catch a script kiddie is if they are doing DoS attacks.. that upgrades 'em from an ant to a roach and I'll go out of my way to squish 'em. Otherwise I just close 'em out and ignore 'em.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
I had a
The amount of time spent by these kids online is amazing. Either rooting, downloading, playing games or chatting it up, they spend hours online doing nothing else. Where are their parents?
I think this is part of the misconception brought about by some of our more esteemed members of society; that a child constantly in front of a computer is preparing for the New Internet Age of IT Jobs or some other mantra. More rubbish than not if young people are only playing games, engaging in IRC or downloading exploits.
Having see firthand what happens when they get caught, I don't think these people realize the implications of their efforts. There is some belief out there that "hax0rs", after they do some high-profile breakins and DOS attacks, are hired to well-paying security jobs. *In most cases* it is quite the opposite.
Criminal records follow you throughout your life.
Seen that ? ;-)
ftp> get sun2.tar
200 PORT command successful.
150 Opening ASCII mode data connection for 'sun2.tar' (1720320 bytes).
No comments...
--
Trolling using another account since 2005.
Ever sat down at a box somebody's given you an account on and just poked around to see how it's organized? That's part of the script kiddie feeling - it's partly about exploring the system, seeing what you can do.
But there's something more behind that - it's a feeling of inconsequenciality (sp?!?) - that those boxen they're poking with are inconsequential to them and immaterial - they don't actually exist in their mind!
That's the problem that faces the sysadmin - the kiddies feel that you do not exist, and therefore it's okay to go off and exploit these systems! To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him. Make sure he knows that there are people behind these machines, and that they're not just machines to be played with.
With script kiddies, it becomes a foot race between the whitehats and the script kiddies. How quickly can you get to your box when your pager goes off with a bugtraq-alert message? Can you get back to your box before the script kiddies can?
Make no mistake, script kiddies may be novices, but they can do a heck of a lot of damage to an organization if they beat you on the foot race.
----
Remove the rocks from my head to send email
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Enjoy your new knowledge everyone.
--Ask a silly person, get a silly answer.
:D1ck! :do this 'df' :and paste me :and then df -k :wait :.Filesystem 1k-blocks Used Available Use% Mounted on :./dev/hda8 1935132 878956 957780 48% /
:J4n3! :./dev/hda7 23302 2650 19449 12% /boot :./dev/hda1 2064032 1230496 833536 60% /mnt :oki :mkdir /win; mount -t vfat /dev/hda2 /win :wait, what is /dev/hda7 :?
:J4n3! :linux swap partition :ok
:D1ck!
:D1ck!
:J4n3!
:J4n3!
:J4n3!
:J4n3!
:D1ck!
:D1ck!
:D1ck!
:D1ck!
:D1ck!
hmm... without my r00tkit, i'm just a luser
The supply of script kiddies is, for all intents and purposes, infinite.
The question is, what can we do with them?
To answer this kind of question, I usually start by asking, what are they made of?
Script kiddies are made of meat.
So the next time your system is compromised by a script kiddie, track him back to his lair, and get a fresh freezer-fill of long pork.
If you lack the butchering skills, please contact my organization: 31337 |\/|337 Enterprises, and let us take care of the messy details.
(sung to a 50's jingle tune)
"If you've got a H/\X0R1NG problem that's got you beat,
we'll do the hacking at 31337 |\/|337."
Young men spend a lot of time chasing illusions of power, young women typically chase the illusion of control. Script kiddies do destructive things because it gives them an illusion that they are powerful. It is the same illusion that a vandal gets by throwing paint onto an existing masterpiece: 'See, I'm a painter also'. It is almost always easier to destroy than to create; it is a very difficult job to write a program which works well and is useful. It is easy to crash such a program; just pull the power cord. People who crack into systems, and virus writers, both get the same illusion of power; "see how mighty I am, look at this chaos I caused".
The truth is that real power feels like nothing. You do something, things happen, and you get no feel that you did anything; all of the force of your effort goes into the target. The less you feel, the more the target responds. This is disappointing to men who want 'the feeling of power'.
Eventually most script kiddies outgrow the sort of adolescent thinking that causes them to do destructive things. Young people everywhere have a 'golden glow' about their existence. It is obvious to them that the old people like me don't get it. However, that is not what is going on; we get it, we just know that 'special glow' is an illusion. Real maturity arrives when you can see the illusions of youth for what they are.
Does this mean that I want 13 year olds to behave like 50 year olds? NO, making mistakes is the only way to learn anything; if you don't make any mistakes you haven't learned anything - you already knew how to do what ever it was that you were doing. Youthful indiscretions are an essential part of growing up - if you are lucky, they don't get you killed or sent to prison for a long time - eventually you do something that scares you enough to cause you to learn something.
Young people expect the same reasonableness from government authority figures that they have experienced from the authority figures in their life while they grow up; but that is a false expectation. Government, and the criminal justice system are giant, impersonal machines. When you get caught up in the gears of that machinery you will be ground into hamburger meat by it. All of your dreams, fears, and hopes are meaningless to the impersonal machinery of government; it grinds the good as finely as it does the evil.
Of course there is a secondary reason for trouble making; some people are searching for attention, and to them even punishment if better than being ignored.
I actually find it more puzzling understanding the other side, i.e, those who are responsible for preventing security breaches. These script kiddies are just teenagers trying to be cool, but what about the admins/managers/etc., who sometimes spend millions on security and fail to even plug well known holes?
For instance, take the case of the Australian govt., which put up info on thousands of business with their business number clearly visible on a CGI thingie on the URL. Guess what, changing the number gave you immediate access to the bank accounts and tax info of the relevant company. Couldn't they have even bothered to scramble the thing in the URL?
It reminds me of the story in Cliff Stoll's excellent book "The Cuckoo's egg" (a must read for hackers), in which he details how military depts. spent millions on security and left guest access open on the very machines they were supposed to protect. Or Richard Feynman's account of how mega-expensive safes guarding nuclear secrets were left with the default combination lock setting.
There was a flap some yrs ago when Dan Farmer scanned various banks for security and published the results, and it turned out many had not bothered applying even rudimentary, known fixes for problems known for years.
It's really amazing how utterly clueless and irresponsible the people in charge of security are. Generally, they tend to be suits impressed by buzzwords or mega $$$ security firms. Nobody really understands the real issues or even the basics. You can never prevent script kiddies from existing in this world. What you can do is take steps to prevent cracking.
Take another example of general hysteria and cluelessness - after the flap over the I LOVE YOU virus, almost none of the mass media coverage was about the fact that it was spreading via VBscript on outlook. MS must have been counting its lucky stars that nobody thought of pointing out this remarkable common factor.
And so history repeats itself...nobody fixes the root of the problem. Maybe somebody should write up an analysis of the mentality of people behind a typical insecure installation. But then, that would be too boring.
PHB1: Should we consider DoS attacks?
PHB2: What, DOS? Didn't we upgrade to Windows?
PHB1: Not sure...my team wrote something about DoS. OK, you're right, we probably don't need to worry about DOS. I think we have everything covered now.
PHB2: Good, now let's write up the status report.
w/m
OK, here's something to discuss, but first some background:
In the real world (ie. the UK - I understand the US follows this one mostly), if you have something dangerous on your land and it escapes to a neighbouring piece of land, you have to pay for the damage. The case that set this rule was Rylands v. Fletcher, in which the owner of a badly-maintained reservoir got taken to court by the neighbour he flooded out.
Also in the real world, if you sell a product that doesn't do something the customer can reasonably expect it to do, you're liable for some or all (depending on circumstances) of the harm that results.
Bearing in mind those radically simplified statements of the law, consider the following:
Got all that? Now, applying your skill and knowledge of what a responsible and prudent owner of a box-connected-to-the-net and a responsible and prudent installer of OSs and software on such boxes ought to know and do, give your opinion as to the following propositions:
No, I don't have a case on these facts running at the moment. Yes, I think proposition 1. is more interesting - 2. is pretty much a no-brainer as far as I'm concerned - as it might be a stick with which to beat management into paying for better security.
Ignore license disclaimers for present purposes.
Other interesting background: failure to keep personal data adequately secured against unauthorised access is potentially a criminal offence here in the UK, and it can certainly get you on the wrong end of nastiness from the Data Protection Registrar.
-- AndrewD
A Maze of Twisty Little Laws, All Different.
And I don't think I'm alone in thinking that script kiddies, while annoying, are a natural resource, who play an important ecological role in thinning the herd and weeding out the week among sysadmins (who are too lazy/stupid to maintain the latest bugfixes) and their servers. Let's make sure that as law-enforcement efforts are stepped up, the EPA, the Forestry Services, and the Fish and Wildlife Services establish some refuges to preserve the species as others try to drive it to extinction.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
I read this article yesterday... just recently got hooked on RootPrompt.org... Though their name is an obvious homage to rootshell.org, their content is quite original... Easily more enjoyable than the actual IRC logs shown are the descriptions of each day's activities:
Day 5, June 08
D1ck asks J4n3 to take out three systems for him. D1ck and his elite buddy Sp07 try to figure out how a sniffer works "umm doesnt it have to be the same network?".
Been doing sysadmin/security work for a while now, and I've gotta say, they pretty much hit the nail on the head with regards to how little knowledge the majority of the crackers out there really have. Not to say that all crackers are script kiddies -- far from it -- but a lot of them are, and I'd wager the majority of them are. People who take an interest in security and want to actually learn stuff generally find out they can learn much more by trying to fight the good fight and lock down a system than they can by downloading and running scripts... Even the more malicious types who have a clue tend to spend more time writing custom exploits and publishing them than actually cracking boxes themselves. These are the guys that security firms try to pick up -- they know how the cracker mindset works, but they are more mature than the typical script kiddie, and they REALLY know their stuff.
--
NeoMail - Webmail that doesn't suck... as much.
Okay, this isn't intended to be flamebait. When I was immature and had the "M4D SKILLZ" and virtually unlimited free time on my hands in High School it was fun to try and get into machines. It started by hacking games like Dungeons of Kairn; but it developed into trying to access other machines (ie Emulex/2 BBS software). This isn't a justification for this behavior, but I hope it does provide some reasonable insight into the logic behind it. There's something inherent (this can be argued) about being a teenager and being seen as "bad". The "James Dean" effect if you will. Now, the formula reads as follows:
Immaturity+M4DSKillZ(basic softwareknowledge)+a desire to prove yourself to your peers(linked to immaturity)==Silly Script Kiddie (scripts are for kids!)
Most likely they will outgrow this and move into security careers or get caught via tougher legislation and learn from thier mistakes.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
Justify security expenditures to management and you'll solve the internet's "security problem" lock, stock and barrel.
I remember hacking into the US AI mainframe accidentally when trying to get some games. Pretty cool system though. After the first connect, the thing called me back.
Went pear shaped when I nearly cause World War three of course. Still, all worked out okay in the end.
I was riding a late N-Judah train home some months ago, and a kid got on at the Embarcadero station. He looked kind of nervous and was carrying a rucksack with an SFO luggage tag on it. I asked him if he needed directions, and he turned out to be going almost as far out as I. So I told him where his stop was. He sat next to me and we talked a little.
After a few minutes of conversation (Where ya from, whatcha do...) he laughed and said, "I'm a hacker." I replied, "Yeah? What have you done?" He told me about some DoS stuff. I told him I wasn't all that impressed, that basically any system can be cracked, given time and ingenuity. I told him that what really impressed me was creative, constructive work. He then told me that he and a couple of buddies had gone into security consulting, setting up defenses against "hackers" like him. I told him that was a lot more impressive, that by contributing something real, by making people's lives better, he'd get real respect.
I don't know if what I said made any real difference -- certainly, he'd already started to walk away from script-kiddie stuff -- but I think that the search for recognition and respect was a significant factor in his life; I think that as he finds acknowledgement for constructive behavior, he's going to be less and less interested in k1dd13dom.
Oh, go on, check out my job.
What's really sad is that people of this skill level have rooted so many boxes.
I think there's a major lack of interest from management in allocating resource and budgets to prevention - a well trained admin could probably close off at least 99% of these holes given enough time.
I think that we need to promote awareness of these issues to a much greater degree than it currently is.
Al.
Cannot join channel #warez: Banned From Channel << Sh1t, bann3d..
/join #hack << Lets see if the haqrz know about
TOPIC FOR #hack: WE BLOW FOR SCRIPTZ. << Neato Topic
U4eA (U4EA@BOW.ORG) has joined channel #hack.
> y0y0y0y0 eYe n33d th3 scr1pt f0r
You have been kicked off channel #hack by chasin (GET OUT LAMER!)
^^^^^^ note the sense of hostility.
[BoW] will g3t chas1n f0r th1s!
/load n00k
/n00k chasin << eYe h0p3 1t w0rkz (hehehehe)
NUKED.
/whois chasin
CHASIN: NO SUCH NICK OR CHANNEL << 1t w0rk3d (bahaha)
*chasin* im mailing your sysadmin loser!! << m0r3 fan ma1l 3l33+
/nick chas1n
U4EA is now known as chas1n.
Signon by visionary detected. << 3l33+ TRAXST3R!!!
/msg visionary N4RQ!!!
*visionary* yo, im not narc, can we talk about this? << DEJA VU?
Visionary invites you to #speechcard.
/join #speechcard
TOPIC FOR #speechcard:
chas1n (U4EA@BOW.ORG) has joined channel #speechcard.
> y0y0y0y0y0 whatz up N4RQZ???
<visionary> whats up with this u4ea? anyone got his info?
<grayarea>
update on u4ea in there..
^^^^^^ W3 MUST 1NF1LTR4T3 TH1S VMB!!!
<ddrew> chas1n = u4ea << f01l3d aga1n by tymnet jan1t0r
<erikb> any1 know who this rhakim loser is who keeps msging me?
<chas1n> ddr3w: I'll trad3 y0u 0day 4 s0m3 nUa'z!!
*chasin* stop imitating me or I will use my sendmail script on
you!!! Then you will be sorry!!
/msg chasin [BoW] will get you n1g.
/n00k chasin
NUKED.
/whois chasin
CHASIN: NO SUCH NICK OR CHANNEL << Bahahahahha eYe g0t h1m!
/nick chasin
chas1n is now known as chasin.
> 3l33+
<ddrew> chasin = u4ea << f01l3d aga1n by tym3n3t jan1t0r..
Stoll invites you to #bugz << 3l33+, now we have f00l3d th3m!!
/join #bugz
chasin has left #speechcard
TOPIC FOR #bugz: SPAFF FOR PREZ
chasin (U4EA@BOW.ORG) has joined #bugz
<stoll> chasin ^*($#@(*$&(*#@&$*(#@&$(*@!!!!!
mode change #bugs +ooo chasin chasin chasin by Thackory.
> y0y0y0y0 eYe n33d th3 scr1pt f0r
*pluvius* STOP MAKING PASSES AT MY WOMAN YOU LOD LAMER)$#@*()$*@#
/msg pluvius Its me u4ea, im doing some undercover [BoW] w0rk.
*pluvius* hehee sorry dude.. << PLUVIUS l0v3s LYDIA TSK TSK..
stoll has been kicked off channel #bugz by Pengo (N4RQ!!!)
DCC SEND REQUEST (rhosts.txt) FROM bUgd00d.
/dcc get bUgd00d <<< 3l33+ W3 n0w HAV3 th3 INPH0!!!!!
1f th1s w3r3 t0 fall 1nt0 th3 wr0ng handz
1t c0uld b3 v3ry dang3r0us!!
/signoff f00l3d y0u!!!!
$
$ ls
rhosts.txt
$ cat rhosts.txt
#DONT LET THE HAQRZ GET THIS ONE, COULD BE VERY DANGEROUS
#HERE IS HOW IT WORKZ:
GOTO IRC... CHANGE YOUR NICK TO SOME DUMB BLONDE SOUNDING NAME,
THEN FIND AN UNSUSPECTING VICTIM AT THE TARGET SITE. MESSAGE THEM
THAT YOU ARE TRYING TO FIGURE OUT A COMMAND, BUT IT DOES NOT SEEM
TO WORK. AND ASK THEM TO TRY IT TO SEE IF IT DOES ANYTHING FOR THEM.
ASK THEM TO SEE WHAT OUTPUT THEY GET FROM:
WHEN THEY SAY THAT NOTHING HAPPENED, SAY THANKYOU, AND EXIT IRC.
NOW RLOGIN INTO THEIR ACCOUNT, AND YOU HAVE EXPLOITED THE
VULNERABILITY.
# MAKE SURE THIS DOESN'T GET INTO THE WRONG HANDS, THE INTERNET WOULD
# CRUMBLE IF HAQRZ GOT THEIR HANDS ON THIS ONE.
$ << hmm, will have to try this out.
$ irc
/nick bambi
/who *victim.com*
#bolo _RED_ I am stupid stupid@victim.com
END OF WHOIS LIST.
/join #bolo
TOPIC FOR #bolo: We are stupid
bambi (U4EA@BOW.ORG) has joined #bugz
/msg _RED_ Hi, how are you?
*_RED_* I'm fine, and yourself?
/msg _RED_ well, I'm having some problems with IRC...
*_RED_* Really? Maybe I can help you out.. what is the problem
/msg _RED_ well.. no.. i feel silly.. I'll try and figure it out
*_RED_* No, seriously, I don't mind.. ask away
/msg _RED_ well, I am trying to run this command, but it doesn't seem
to work properly.. maybe you can try it out for me?
*_RED_* Sure! What is the command?
/msg _RED_
/msg _RED_ but it doesn't seem to do anything!
*_RED_* Hold on, I'll try it out..
*_RED_* Hmmm.. you seem to be right... wierd..
/msg _RED_ ahh well.. I guess I'll just have to go without.. thanks for
your help!
*_RED_* No problem.. hey, where are you from?
/signoff gotta go... bye!
$ rlogin victim.com -l stupid
Welcome to victim.com, specializing in example security vulnerabilities!
$ hostname
victim << n3at0! W3 R 1n!!!#)@&
$ whoami
stupid << elite! We have exploited the
$
those IRC logs gave me a fucking headache trying to read them. and if i see the word 'leet' one more time, i'm going to find those kids and beat them.
okay. i'm calm again.
"I hope I don't make a mistake and manage to remain a virgin." - Britney Spears