Slashdot Mirror


Cracked Series Complete

Quite a number of people have written in recently with the news that the Cracked Series has come to a close with Feature #7. The series has been pretty interesting from a storytelling perspective - check it out on rootprompt.

22 of 131 comments

  1. The problem with script kiddies by generic-man · · Score: 5

    In my opinion, script kiddies aren't moral or immoral -- they're amoral. Systems are just toys to them. Just like software, music, and movies, they feel "entitled" to take control of any system they like, because hey, it's out there. Even the Wall Street Journal called their generation (Generation "Y") the "entitlement generation."

    The aura of arrogance that these kiddies have is really quite shocking. They have no perception of what it is like to actually run a system and defend it against real hackers/crackers. They just get their kicks by annoying hardworking people, and wasting their time and money.

    And don't argue that the problem is admins leaving their systems unsecured -- if you notice someone left their door unlocked, it's not your duty to go inside, rearrange all the furniture, and leave cryptic notes saying how you "0wn3d" his house.

    --
    For more information, click here.
  2. Re:OT: UID's being shown? by Gill+Bates · · Score: 3
    ... someone who signed up for account number 2 but does nothing with it but troll?

    Hemos is not a troll!

    Or is he ... hmmm?

  3. Re:Cracking by killbill · · Score: 5

    The ethics are even more simple than that. If you are on or attacking a box you have not been invited to, you are acting unethically.

    I helped clean up when a cracker was discovered on a static IP Linux box my sister put up.

    The cracker was only doing "harmless exploration" (running bind scans against lots of other boxes on the local subnet and installing rootkits and trojans).

    This clean up cost me about 20 hours that I would rather have been spending with my wife and two year old son... which is the most precious thing I have.

    After the second crack, I told her to pull the plug. One less Linux server on the internet (she was using it for a bug tracking database for a startup company she was working with, her husband was using it to give free accounts for students at a local community college where he teaches).

    One less corporation Linux had penetrated, 20 fewer students every quarter that can have a free account to learn to create web pages on *nix based systems. Congratulations, cracker boy.

    I am a professional programmer, and in my spare time a humble open source developer (backburner, check freshmeat). Guess how many bugfixes have been released to backburner in the last year... Exactly 0. Why? Because I have had to spend all my time cleaning up cracked boxes and setting up firewalls just to keep my systems from being invaded, destroyed, or used to attack other systems (stealing precious time from others).

    If you want to explore, set up your own network. 486's are a dime a dozen, NIC's can be found for about $15 each.

    The moment you touch a system you have not been invited onto, you are stealing precious time from somebody, period. Somebody had to initially secure the system to keep you out, somebody has to monitor your crack attempts, and somebody has to respond to your actions.

    Next time you are on a system you don't own, think about the fact that you are not just exploring, but taking a VERY high chance that you will force somebody somewhere to respond to your actions, and thereby steal that person's time.

    I am telling you from personal experience, that theft REALLY hurts.
    Bill

    --
    Mathematically impossible requirements are technically not against policy.
  4. Re:It's for moderators... by AndrewHowe · · Score: 3

    OK then... Hands up who's got Slashdot UID #31337... Lucky bastard!

  5. Re:Cracking by Kaa · · Score: 3

    [Sysadmins] got computers that they need to defend, and they have every right to be suspicious even of an 'act of curiosity.'

    No problem. They do have the right to be suspicious and to take measures to defend their systems.

    However some people are taking the next step which I am uncomfortable with, that is: if sniffing around (pinging, portscanning) is causing busy hardworking people to waste their time and worry too much, why then, just make it illegal. Make portscanning a federal crime and add War on Hackers (yes, hackers) to War on Drugs. Sure, that will make sysadmins' life easier. I also think that this would be a very Bad Thing to happen.

    If I see somebody sitting in a car outside my house observing it, I may walk up to him and talk to him, I may walk out and stare at the guy through binoculars, I may call the cops. I am NOT going to lobby for a new law forbidding people to sit in parked cars outside other people's houses.


    Kaa

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
  6. My own story... by borzwazie · · Score: 5
    I used to be a student at Penn State. One of the benefits to on-campus residence is an ethernet port and a legit IP.

    Some time after I moved in, I discovered Linux, and Unix. (Mostly from working on SGI's. I wanted to be able to run ANSYS without going down to the labs.)

    VERY soon after I discovered Linux, I discovered what rootkits were. I woke up about 7 in the morning because my cdrom drive (an old noisy Mitsumi) was going nuts. I was certainly no guru at this point, and I had no idea what was going on. I did a ps aux, but I didn't see anything happening, so I just took the cdrom out and went back to bed.

    Two days later I noticed that my ethernet connection wasn't working anymore. I called down to the computer center and was informed that my connection had been shut off and that there were charges pending against me for "cracking" attempts on PSU's servers. It took me 3 months to get my connection back.

    When I asked PSU for help securing my machine, I was told to use a different operating system.

    In addition to my own machine being cracked, my friend who was also running linux for the first time got cracked (probably thru my machine) and had nasty emails sent from his machine to a couple of government agencies. He and I were both in some deep shit for a while, and had done NOTHING.

    So, cracking DOES hurt. I'd like to extend a big FUCK YOU to the kind of people who think that getting others in trouble is funny. Another big F*** You to every little clone virus writer who makes life for tech support a living hell. You don't advance knowledge. You aren't doing anyone any favors. You prove nothing except that you are the same as vandals with a can of spraypaint. God help you if I ever find one of you.

    --

    "We apologize for the inconvenience."

  7. Why talk to him? by FascDot+Killed+My+Pr · · Score: 3

    Crackers are just like schoolyard teases. They feel important when someone pays attention to them. Talking to the cracker didn't gain the admin any info and it made the cracker's day.

    You might respond "but maybe you can befriend the cracker and set him straight". Yeah, maybe. Or maybe he'll start realizing you are getting too close and he'll lash out by typing "rm -rf /"--which is just what happened in this example. In any case, don't risk your precious time and money on your so-so psychology skills.

    BTW, Slashdot trolls are the same way. Don't moderate them (esp down past 0), don't respond to them (even "just once"). Just ignore. Like your mother said "eventually they will get bored and leave you alone". And this isn't theory. I've gone through several cycles of trolls (or one troll with many names) targeting me for idiotic responses or unfair moderation (which reminds me, could we have some meta-mod power over "underrated" and "overrated"?). Once I realize what's going on, I don't even bother reading the responses. 24-48 hours later the "attack" is over.
    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
  8. Another positive comment for Open Source by stephenbooth · · Score: 4

    I found it very interesting, and useful, that the author specified that the sploit used was fixed in open source versions of statd before the attack but Digital UNIX took another 6 months.

    I am currently involved in major battles with my line manager who seems to have this idea that Open Source = Unsupported. He doesn't realise that a product that is supported by thousands of developers who have a vested interest in solving problems is going to be better supported than one whose only backup is a handful of developers whose managers not only have a vested interest in hiding any flaws found but also want them involved in adding the newest whizz-bang features.

    Based on articles I've read it looks like the equation is really Open Source = Secure and Supported.

    --
    "Don't write down to your readers, the only people less intelligent than you can't read" - Sign on Newspaper Office Wall
  9. RedHat needs to make their system more secure by Kiwi · · Score: 3

    I think one of the major causes of this problem is that RedHat (and others) do not go to much effort to make their distribution secure. RedHat could be considerate and do the following:

    • No unneeded services running by default. This means, for example, there should not be a network service of lpd needed just so someone can print a file. Any services running should be services the user specifically asks for during the install.
    • The default version of X should not bind to port 6000-6020, or, in a default system, ports 6000-6020 should be ipchained off.
    • Programs with more than a given number of reports on Bugtraq should not be installed by default. What percent of new RedHat Linux users are going to actually run mh? Why does RedHat insist on having mh installed in the default install, despite the number of patches this has in a desperate attempt to make mh's suids not local root holes?
    • ftpd-BSD, IMHO, should be the default ftp server (my version a patch that makes the default umask something sane). If not ftpd-BSD, at least anything besides wu-ftpd.
    • Come September 20, RedHat will be able to make OpenSSH part of their distro. Hopefully, this will mean that they don't run telnet unless the user asks for it.
    Little things like this would do much to make it so people just struggling to learn Linux and Unix don't have to worry about securing their systems at the same time.

    - Sam

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
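
The listener-related items in the list above can be checked on a running host. This is an added example, not part of the original comment: it reads lines in the column layout of `ss -H -ltn` and flags non-loopback listeners on the ports the comment singles out (lpd 515, X 6000-6020, telnet 23, ftp 21). The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original comment). Reads listening-socket lines
# in the column layout of `ss -H -ltn` (State Recv-Q Send-Q Local Peer) and
# reports services from the comment's list that are reachable off-host.
# flag_default_listeners and audit_sample are hypothetical helper names.

flag_default_listeners() {
    awk '
    {
        # Port is whatever follows the last colon of the local address,
        # which also handles bracketed IPv6 such as [::]:23.
        n = split($4, parts, ":")
        port = parts[n] + 0
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)

        # Loopback-only listeners are not reachable from the network.
        if (addr ~ /^127\./ || addr == "[::1]") next

        name = ""
        if (port == 21)                        name = "ftp"
        else if (port == 23)                   name = "telnet"
        else if (port == 515)                  name = "lpd"
        else if (port >= 6000 && port <= 6020) name = "x11"

        if (name != "") print name, port, addr
    }'
}

# Constructed sample input: sshd, lpd, a loopback-only forwarded X display,
# a network-facing X server, telnet on IPv6, ftp on a wildcard address.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:515 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6000 0.0.0.0:*
LISTEN 0 10 [::]:23 [::]:*
LISTEN 0 32 *:21 *:*
LISTEN 0 128 [::1]:6011 [::]:*'

audit_sample() {
    printf '%s\n' "$SAMPLE" | flag_default_listeners
}

audit_sample
```

On a live system the same function can be fed with `ss -H -ltn | flag_default_listeners`.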

  10. Re:Cracking by Hard_Code · · Score: 3

    "That's your personal ethics. Are you willing to impose them on the others?"

    Um yes.

    "Are you willing to convert them into law?"

    Yes, I believe "Laws" are what imposing ethics onto people is called.

    "Now that's a bullshit argument. If you are dealing with computer security at work, this is your job and how intense it is has nothing to do with posting bugfixes for your project which you do in your spare time. If you tell me all your spare time is taken by cleaning up cracked boxes, I'll tell you that (1) I don't believe you, and (2) you should learn to prioritize your time."

    Who said anything about work? I thought this was for his wife or something? And in any case, just because you are PAID to do a job, doesn't mean it is ok for people to burn your time unnecessarily. If I'm preventing somebody from getting real work done, then I *should* be ignored.

    "So? An inept clerk at a store is stealing my time."

    Well, not really. He, and the store, is providing YOU a service. If you don't like that service go to a different store. If anything, the inept clerk is stealing the company's time by pissing you off.

    "A person who stopped me to ask for directions is stealing my time."

    Yes. Because you are not mandated to provide that service to him. Are we perhaps getting it now?

    "Windows' registry being fucked up steals my time and a lot of it."

    Yup, bitch to MS or switch operating systems. Same deal as the inept clerk. You just now have an inept OS.

    "IRS steals huge chunks of my time every April."

    Ditto. Bitch to government and try to change the situation.

    "My point is that engaging in activities has costs, and one of those costs is time. If you are running a publicly-accessible server, time to secure it and deal with vandals is one of the costs."

    Of course, but that doesn't make it acceptable for vandals to eat up your time. You have to weigh the benefit of the service to the cost of maintenance. Apparently the service the wife was providing just cost too much in security risk.

    "Do you want to live in a society where being caught at portscanning will lead to same results?"

    No, but are you saying that cracking into a system (secure or not), and destroying data or using it as a base for DOS attacks is acceptable? I sure as hell hope not. If you do that you *should* be thrown in jail (albeit probably with not so large a sentence as many of the criminals that have been made "examples" of *cough* Mitnick *cough*)

    --

    It's 10 PM. Do you know if you're un-American?
  11. Running cable/dsl/ethernet from diald by dpilot · · Score: 3

    By the time I get high-speed access, I hope to have learned enough to run that ethernet adapter from diald, whether it's DHCP or PPPoE. I'd like the convenience of high-speed access when I want it without 24x7 vulnerability. I have a reasonably tight firewall, but I'm sure the right person can get through it. At the moment, even if I had a simple single input rule on that interface of "-j DENY", I suspect that there are those who could get through even that.

    The only truly safe interface is either offline, or disconnected.

    --
    The living have better things to do than to continue hating the dead.
  12. Cracking by JJ · · Score: 3

    Cracking may or may not be a bad thing. Like so many other things, it depends on the ethics involved. (That may be overly broad, I can't think of anything that doesn't depend on the ethics.) Cracking can be an innocent act of curiosity, 'can I enter the system'. On the other hand, using the authority of a sys admin for any but legit purposes is at least immoral and should be illegal. It's a pity our laws don't correspond to such simple ethics.

    --
    So long and thanks for all the fish . . . !!!
    1. Re:Cracking by cowscows · · Score: 5

      That's all fairly relative, take for example the recent story of that company pinging every computer that they find. The pings themselves aren't a threat to any networks, they aren't using them en masse to DoS, but admins everywhere are pissed off because it's setting off their alarms. Are the admins being a little paranoid? Sure, but it's their job to be. They've got computers that they need to defend, and they have every right to be suspicious even of an 'act of curiosity.'

      --

      One time I threw a brick at a duck.

    2. Re:Cracking by darkith · · Score: 5
      I dunno, I'd sure as hell get mad if somebody jiggled the locks on my house until he found a weak one, and then walked in and started poking "harmlessly" through my stuff just to see "if he could".

      Invasion is invasion. Perhaps he could have worked a little more proactively at security (no numbers, so I don't think anybody should make presumptions), but even if he didn't, that doesn't give anybody the right or excuse to crack the system.

      "If you don't know how, then what business do you have putting systems on the Internet anyway?"
      This is disturbing, I consider it akin to stating to a rape victim "You were wearing sexy clothes, so you were asking for it."
      Yes, people should take adequate precautions when exposing a system to any sort of connectivity, but hacking/cracking is still an unwanted invasion.

      There still seems to be an underlying acceptance of hacking for curiosity with the geek community. I think this is partly the problem with the lack of success in tracking and prosecuting hackers/crackers. Until it is truly accepted that any attempted breakin should be punished, the situation will likely not improve. As an analogy, most of the locks on doors and windows in my last few apartments have been shit. Fortunately, I have not had to install the latest and greatest dead-bolts, because B&E is actually recognized as a crime by all parties. Nobody blames the victim of a B&E and says "Well, if you don't know how to install a 6" Deadbolt, you have no business living in an apartment..."

  13. Their only mistake... by dmuth · · Score: 4
    ...was that of actually talking with the cracker via IRC. From what I read in the series, about the only thing it did was to give the cracker a power trip and stressed out the poor sysadmins who had to deal with him.

    It's just like I tell people who are being stalked online, NEVER talk to the person, just ignore them. If you ignore them, they don't know what effect their actions are having on you, and whether they are succeeding in pushing your buttons or not.

    This isn't a substitute for securing your own systems, of course.

  14. Unix security model flawed by Anonymous Coward · · Score: 3

    Articles like this one and my own efforts to wade through inconsistent documentation on how to secure a unix box make me question the whole unix security model.

    This model needs to be rethought from the ground up - perhaps retaining some of what exists but scrapping most of it because it is indeed worthless. In my opinion, 90% of unix sysadmin is intentionally arcane for the job security of sysadmins. The so-called "elite club" of unix sysadmins resembles more than anything the "tech men" in Asimov's Foundation. They understand little and innovate not at all, but carry on a tradition of maintaining their own power and restricting access to this arcane mumbo-jumbo among others.

    Some things like the method of authenticating users with passwords, the uselessness of keeping unix systems built around a core of remote shell account logins which 99% of users never employ, though they once did in the old telenet days, etc., and the list goes on. Sendmail is a prime example of a program which has been patched and patched beyond recognition, and each patch or fix or enhancement is likely to create new exploits and bugs which don't show up until later. Why is sendmail the default even on single user boxes for home users? I think it is to create work for sysadmins who have "learned the ropes" and thereby justify their positions to employers and/or to clients for whom they do consulting work.

    While I do not particularly care for the methods and lifestyles of crackers and script kiddies who contribute little of value to the community, at least they contribute one thing. They usually can beat sysadmins at their own game with ease and even without much knowledge or skill.

    If the unix security model and other aspects of unix system administration were really well designed, much of what sysadmins do would be unnecessary. It is a crying shame that Linux and other open source systems mimic the flawed model of commercial unix instead of doing really innovative things to change it. Well, they have done a few things, but progress seems to move at a snail's pace.

    Perhaps I have been overly critical. Some sysadmins are very knowledgeable and do care about meeting the needs of their users. But even these don't seem to be doing much to change the entire nature of unix system administration, which requires active efforts to work with those who develop systems, not just patching this or that vulnerability in the systems they administer personally.

    I am sure some people have thought hard about this and come up with ways to modify unix at a deeper level to make it more robust and sleek and easier to administer as well. Have specific suggestions for change in the unix standard arising from such studies ever been taken seriously?

  15. Trivial Hardware solution. by Anonymous Coward · · Score: 5

    Hugh Daniel showed me once exactly how to limit the damage a script kiddie can do, once he's cracked your host and gotten a root shell.

    Hugh's systems are all built with at least two drives. The boot volume is read-only. (I don't mean it's mounted read-only, I mean it's READ ONLY. After installing the OS, he pulls the write-protect jumper.)

    Right now, the machines that the FreeS/WAN project are hosted on are configured with a very clever device: it's a toggle switch. In one position, the boot volume is R/W. In the *other* position, the ethernet connection is live.

    A big part of the problem in trying to secure UNIX is that we keep trying to solve issues in the wrong domain.

    -jcr

  16. What was the sysadmin thinking?? by ywwg · · Score: 3

    I don't understand what Noel was thinking. The first thing to do when you are cracked is _not_ to leave your system open! He should have disconnected from the net (perhaps leaving a secured mail box running), and immediately backed up the home directories. He should have _verified_ the backups. Since the only irreplaceable data on a well-maintained unix system is in the home directories, it should be trivial to back it up properly.

    Only when a complete, verified backup has been made should he reconnect to the net (after cleaning up the cracks). The mere fact that he didn't check the backups first, when data hadn't been deleted, makes him liable for the damage. Quite simply, he didn't take obvious and common-sense measures to ensure his customer's data integrity.

    Am I wrong here?
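
The back-up-then-verify step described in the comment above, sketched as an added example that is not part of the original post: the tree is archived, the archive is restored into a scratch directory, and every restored file is re-hashed against a manifest taken from the live data. Function names, paths and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original comment): back up a home-directory
# tree and verify the archive by restoring it and re-hashing every file.
# All function names and paths here are hypothetical.

# Print a sha256 manifest (relative paths) for every regular file under $1.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# Archive the tree at $1 into the tar file $2.
backup_tree() {
    tar -C "$1" -cf "$2" .
}

# Restore archive $1 into a scratch directory and check it against the
# manifest file $2. Returns 0 only if every listed file is present and
# matches; an empty manifest or unreadable archive counts as a failure.
verify_archive() {
    [ -s "$2" ] || return 1
    scratch=$(mktemp -d) || return 1
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    status=1
    if tar -C "$scratch" -xf "$1" 2>/dev/null; then
        if ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1 ); then
            status=0
        fi
    fi
    rm -rf "$scratch"
    return "$status"
}

# Constructed demo: a two-file "home" tree, one good archive, and one archive
# taken after a file was altered (standing in for a bad or stale backup).
run_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/home/alice" "$work/home/bob"
    echo 'thesis draft' > "$work/home/alice/notes.txt"
    echo 'bug database' > "$work/home/bob/bugs.db"

    make_manifest "$work/home" > "$work/home.sha256"
    backup_tree "$work/home" "$work/good.tar"

    echo 'overwritten' > "$work/home/bob/bugs.db"
    backup_tree "$work/home" "$work/stale.tar"

    result=""
    verify_archive "$work/good.tar" "$work/home.sha256" && result="good=ok"
    verify_archive "$work/stale.tar" "$work/home.sha256" || result="$result stale=mismatch"
    rm -rf "$work"
    echo "$result"
}

run_demo
```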

  17. Re:Number are not letters! by Jon+Erikson · · Score: 4

    They're obviously demonstrating the amount of redundancy in our alphabet and numeric system by showing just how few characters you can use whilst still remaining intelligible (just!). Rather than being "childish" they are in fact demonstrating a deep and intuitive understanding of information theory and entropy, one which we, as forward thinking people, should admire and indeed emulate!

    Or maybe not :)



    ---
    Jon E. Erikson
    --

    Jon Erikson, IT guru

  18. IF you liked this, I suggest 'Know your enemy' by Nonesuch · · Score: 3
    Lance Spitzner's excellent five part trilogy, Know your Enemy, gives details from actual attacks on a honeypot.

    Included are useful details from somebody who could secure his machines to keep out the script kiddies, but instead chose to leave a few otherwise-unused machines undefended and log the results.

  19. Re:wrong message by generic-man · · Score: 5

    Oh, come now. When DDOS attacks were hitting major web sites, they took down sites regardless of OS. And if you read Slashdot frequently, you'll notice many news stories about vulnerabilities, exploits, and security holes in Windows NT.

    The main reason why UNIX-like systems are featured in stories like this is because there's an element of suspense as the cracker types many commands, and the superuser can look at every move he makes. Even NT's Event Logger doesn't catch every damaging command, and from the exploits I've seen it's possible to take down a poorly safeguarded NT box without even logging into it.

    The scene of watching and dealing with a cracker is good drama, at least to Slashdot-reading geeks like myself.

    --
    For more information, click here.
  20. '1337 5P34K by TuRRIcaNEd · · Score: 5

    IIRC it started as a way of getting around swear-filters on chat systems (while 'fuck' would not appear, 'phuX0R' would), and sort of permeated the BBS community, and then IRC. I'm not sure why it still exists. It seems to be used as more of a parody than anything else these days. Even the guy on 'Cracked' only seems to use it once, and he's using it to prove his advanced humour ('look everyone, I can do self-parody!'). Most of the coders I know (around London) seem to use it sarcastically these days. 'Man, u r so '1337' tends to mean that what they've done is obvious, or a horrendous kludge.

    --
    - "How do we do it? Volume!" - The Bursar of Unseen University.