Slashdot Mirror
SCO Group Web Site Attacked Again
FreeLinux writes "With not much SCO news today, it seemed that this story was needed - Reuters is reporting that, SCO is again suffering under a DDoS attack that has crippled their web site and email system since Wednesday morning. For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system. The denial-of-service attack started at 6:20 a.m. EST Wednesday and continued through the day, said Blake Stowell, spokesman for the Lindon-based company."
...and the happy folks at Groklaw already have a statement up with arguments to effect that SCO is fibbing. They think the attack could be a hoax.
You say
...by Eric S. Raymond.
He makes it clear that SCO is attacking everyone, but he opposes DOS'ing them saying that "the open source community must use the truth, not criminal methods, as its weapons." Nicely done
The Army reading list
There's been a ton of discussion of this on Groklaw today -- consensus is that either this is no attack, or their network is run by doofuses.
It certainly was effectively used by the spammers to crush their enemies. I forget the name, but one of the major anti-spam websites was forcibly closed because of DDoS, and nobody was prosecuted.
You can lead a horse to water, but you can't make it dissolve.
http://www.groklaw.net/article.php?story=200312101 63721614
If it is a DDoS attack, SCO are incompetent for not blocking it. Or it is just more FUD.
Head over to Netcraft News and see how this server "died". If this is a DDOS attach I am Queen of Spain.
Help fight continental drift.
...a Slashdotting?
Crybabies!
This Like That - fun with words!
This is a load of rubbish. See Groklaw for a much deeper and more insightful look at what really happened, a full explanation of the technicalities of the DDOS attack (claimed as a SYN attack that took up all the bandwidth and flattened their e-mail - and yet you can still get to ftp.sco.com (on same subnet), smtp.sco.com all other XO.net fed servers. Groklaw also noticed that the machine was down well before the press release claims and that it went straight down - no hiccups or other indications of a DDOS attack, just a straight gone - switched off or unplugged most likely.
See the netcraft stats for that little bit. If SCO make any claim that this is a DDOS, they are lying through their teeth and the evidence was collected as it happened - see the members zone at Groklaw for the raw Traceroute returns.
An infinite number of monkeys will eventually come up with the complete works of
> Grow up. Settle it by the law.
Yes. SCO should do that instead of lying about their downtime
RST
It's all of those corporate Linux users beating down their door to buy licenses. Hurry and get yours today before they're all gone!
As seen on Wired: Get a free desktop PC
I expect the blatient misuse of hacker as a synonym for computer criminal in the mainstream press, but I woulda hoped that Slashdot would do better.
"Mission Accomplished" -- George W. Bush May 1, 2003
Hell, *I* use Linux and dislike SCO, but this is just a tad unprofessional. OK, I'm kinda disgusted by this behavior - it destroys a moral "high ground" that might be useful to have shortly.
C|N>K
I don't think that DDoS and cracking is the solution, but unfortunately, the law is not always helpful either.
Look at what the use of the law did for the abuse of monopoly power by MS. It was a slap on the wrist for MS and their continued monopolistic practices.
According to Groklaw, not only is it implausible that this is a real attack, it's not even competently done. SCO blames a SYN flood, which is trivial to ignore. Their ISP hasn't had anything to do about it. While they say their email server was down, it actually wasn't. Their FTP server on the next IP over (and on the same block of addresses) had no problems. Their internal network almost certainly isn't anywhere near their Web server, network wise, and, if it was, it would almost certainly have a firewall that's not the web server.
It's clear that SCO's run out of technical people; not only are they faking technical problems, they can't even make up a technically sound attack on their own systems.
From the article header:
For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system.Where in the article did it say this? I certainly can't find it.
Slashdot editors might want to RTFA before approving a post. The submitter of this one got a wee bit overzealous.
Karma: Frotzed (mostly due to the Frobozz Magic Karma Company)
I work in the Canopy Group office buildings at another (non-evil) company. We're all serviced by Center7 and the last time there was the confirmed/acknowledged DDOS attack we felt it hard. Getting to hosts outside of the building was very difficult all day.
No hiccups today. Center7 did promise last time that they could and would isolate everyone else from SCO, so there is another explanation, but...
Tweet, tweet.
I would like to suggest that, once this case is finally settled, Slashdot begin using the caldera systems icon for "Laugh, it's Funny" instead of the Monty Python foot. I know I already associate that blue and red C with a good humourous story.
Jedidiah.
Craft Beer Programming T-shirts
Easy:
ncftpget ftp://ftp.sco.com:/pub/scox/scoxdevcd.iso
Grow up. Settle it by the law.
/.
or atleast taking down the site the old fasion way... by posting it on
www.sco.com
wud
It is highly suspect that a company who's web site was felled by an ancient and easily defended 'attack' was able to so expertly and swiftly identify the cause in time to write up and distribute a press release before the close of business.
I've been folowing this story all day and the last thing I expected to see on /. was a regurgitation of "facts" with a 'questionable heritage'.
Several sites (groklaw, lwn) have already pointed out that the claims of being hacked should be viewed with a liberal ointment of skepticism for any of the following reasons;
one better than mcleodeight
This is getting just annoying. As has already been pointed out, the facts point to this being another hoax. However, as not everyone else in this community knows much about Security, let me add my few years of experience in to help those who don't understand.
I should point out, this has pretty much been covered by Groklaw already and my methods don't vary too much from those already posted by them.
SCO claims their email and web servers are unavailable because of a DDoS attack that has also infiltrated their Intranet and affected helpdesk services as well as other internal services. If this is the case, then it is more than just a DDoS they're suffering, or they are negligent in the highest order for failing to take simple steps to ensure a risk mitigated environment for conducting business within.
Lets start with their Mail Server.
Everyone has a backup mail server, usually hosted by a 3rd party to ensure that if your primary mail server is offline for any reason, mail can still be delivered successfully. The fact that SCO claimed their mail servers were unavailable suggests they either failed to purchase this extremely basic service or their setup is absolutely wrong by anyones standards. The purpose of multiple MX records is for this exact situation. You start with a high priority MX record (say 10) and work your way down the order (usually in steps of +10, so the secondary is usually 20).
Their Web Server
Their webserver is hosted on exactly the same subnet as their ftp server. However, during this attack, their FTP server has been available to anyone thats tried to connect to it. If they were suffering a DDoS attack of the proportions that SCO claims, this server would also have been affected and taken offline. Yet this is not the case. This blows open entirely the philosophy of a DDoS attack without any of the further evidence.
SCO has alluded to the fact that the attack is a basic SYN Flood. A very simple and old attack that has been blockable by nearly every appliance and OS for the past 3 years at least. Yet if they are suffering as they claim, then they are guilty of negligence for failing to apply patches or even configure their platforms correctly. Its very easy to turn the SYN Cookies on in Linux (sysctl isn't rocket science) and just as easy in something like a Cisco Router/PIX Firewall or a Checkpoint Firewall.
The claims that this has adversely affected their intranet suggests that the intranet is in some way exposed to the Internet. Even more alarming is the fact that it disabled their Helpdesk services for a period as well. This would suggest that their network has absolutely no perimeter protection of any kind. The smallest flaw in a product they use could apparently be used to access their core network infrastructure. Isn't that where their source code and IP documentation are kept? I'd start getting very worried about now if I were an investor.
Due diligence is a core principle of any company. That includes ensuring that the services relied upon are securely and properly setup and maintained. If SCO truly has been affected by an attack of any kind on the magnitued they're claiming, then they should be legally responsible for the results of their failure to perform due diligence. (However, IANAL so don't quote me on legalities, especially given I live in NZ, not the US).
In short, the supposed attack on SCO does not add up at all. In fact, if they are being attacked this time round, they are in serious legal trouble themselves if their reports are accurate.
I would also question why they have released this to the press as a Press Release instead of getting on with fixing the problem as quickly as possible. Also, how is it that their mail services are now restored, their FTP server never offline, yet their website remains offline? Surely, a DDoS would affect both.
Not to mention the fact that it would affect SCOs upstream provider who, when contacted last time, saw absolutely no evidence of an attack in progress at a
so does that mean they can sue themselves?
Darl McBride, stumbling drunk (as usual) around SCO's headquarters, accidently tripped over the server's power cord.
SCO's technicians are busy working to fix the problem.
---
Never criticize religion on Slashdot. You will be modded down for "Troll" no matter how factual it is.
ftp.sco.com is 216.250.128.13. www.sco.com is 216.250.128.12. They are on the same network segment. However, the first is completely and normally responsive, while the second is entirely unresponsive. This is not in any way characteristic of any sort of modern flood-type denial-of-service attack -- that is, a DDoS aimed at flooding the network itself. Whatever is disturbing SCO, it is not a DoS of the sort they evidently believe it to be.
Unfortunately, SCO has taken the "cargo cult security" measure of blocking pings, so it is not possible to gather any information about their disturbance in that fashion. I suspect that the best method to gather information about SCO's disturbance is, in fact, for SCO to fully and legally respond to IBM's discovery requirements.
("SYN flood" is obviously wrong. Although some firewalls and IDS still report TCP-based DoS floods as "SYN floods", the condition that used to be associated with SYN floods has been fixed in current operating systems. Unless they are running a system old enough to be called grossly negligent, they aren't susceptible to TCB starvation. The current unavailability of www.sco.com looks more like someone tripped over the Ethernet cable.)
Careful.
There is a decent chance that their claims are designed to inflame.
Claim the Open Source community is behind it and you get a bunch of people who have already been accused starting to think they may as well commit the 'crime' for which they are being blamed.
Sure the claims made by SCO have always been seen to be ridiculous, from a technical POV. But their point has never been to convince the geeks. They are playing to a larger audience and seen in that light their bumbling and fumbling, technically, starts to look a little more deliberate.
Call me paranoid, but SCO could be trying to create the incident they claim is ocurring right now.
WARNING: I'm going to vector some rumours here. Feel free to slap them down if inaccurate, as I'm too damned lazy/tired to investigate myself right now.
There are some rumours floating around the Yahoo SCOX message board that several directories containing Linux source code, such as patches and updates, are now missing from SCO's ftp server. Months ago, many people pointed out that SCO itself continued distributing copies of the kernel in support and updates directories on their ftp server. There is also speculation the strangely internal nature of this so-called DDoS attack may be part of an Ollie North operation to prevent certain evidence from falling into IBM's hands via discovery.
SCO's execs need to read The Boy Who Cried Wolf a few times, and learn the lesson within. Darl, unlike Ken Lay, does not have close friends in the White House, and probably would not escape prosecution for any illegal acts being committed under his watch at SCO.
Someday, you're going to die. Get over it.
Can we get an edit for the groklaw link on the mainpage? Anyone who just skims the headlines is going to get a very skewed impression of todays events.
The public has no idea what a email blacklist is, or why they're important for fighting spammers.
As a member of the public, I want you to know that I am offended by your use of the term "blacklist".
It is offensive to all African-Americans and other People of Color. Why must "black" always be equated with "bad", when exploitative White male colonizers are the source of all evil in the world?
You might as well perpetuate the culture of oppression by referring to some disk drives as "Master", and some as "Slave".
I will petition the Los Angeles City Council to ban the use of these "blacklists" altogether!
I urge my fellow easily offended perpetually victimized knee-jerk progressives to join me in this vitally important crusade.
Opinions on the Twiddler2 hand-held keyboard?