Slashdot Mirror


Security Experts Doubt SCO's Claims of DoS

devilkin writes "As a recent Slashdot story indicates, SCO claims their website was the target of a DoS (Denial of Service) attack. Was it really? The people at Groklaw think otherwise..."

26 of 510 comments

  1. Press release? by grub · · Score: 5, Insightful


    If it's true that SCO is lying or too inept to know what's happening then somehow this has to make it to the mainstream press. That would do more damage to their stock value than any DDoS.

    --
    Trolling is a art,
    1. Re:Press release? by EmbeddedJanitor · · Score: 2, Insightful

      This would hardly be likely to impact their stock. Currently anyone doing any research into SCOX would know their IP claims are BS. The stock pumping is based on the hope of finding stupid greedy people, not rational people.

      --
      Engineering is the art of compromise.
  2. why believe anything SCO says anyway by kaltkalt · · Score: 0, Insightful

    liars.

    --

    Stupid people make stupid things profitable.
  3. SYN attacks are not bandwidth hogs by Space+cowboy · · Score: 5, Insightful

    or at least, not necessarily, so the fact that the FTP server is up is not necessarily a pointer to the fact that SCO are lying through their teeth. (They may still be, but ...)

    The thing that's odd is that they think it disrupted their intranet - who in their right mind merges the public internet server and internal intranet server ???

    Simon

    --
    Physicists get Hadrons!
  4. boo-hoo-hoo by tuxette · · Score: 1, Insightful

    Can I get some cheese with that whine?

    --
    People say I'm crazy, I got diamonds on the soles of my shoes...
  5. Groklaw, security expert? by cryptor3 · · Score: 3, Insightful

    I thought Groklaw was more of an expert in law.

  6. Speculation for Nerds. Hardly matters. by strictnein · · Score: 4, Insightful

    Read through the groklaw page earlier, and it was really based heavily upon lots of speculation and in some cases, as was pointed out by other posters, misinformation and lack of technical knowledge. (Stuff like: I can ping the ftp server, but not the www server, and their IP addresses are only off by 1 number, that means it is fake!)

    Now, it may or may not be true, but it is total and absolute speculation at this point and some people seem to have already accepted it as fact.

  7. Re:MOD PARENT DOWN -- repost by Dave2+Wickham · · Score: 0, Insightful

    Uhh... check the times
    Grub's post was at 18:13
    The AC was at 18:18

  8. A great spin on SCO'isms if true. by cybrthng · · Score: 2, Insightful

    Like others have stated, this would be a twist of fate pushing for the end of SCO. If they have to lie that the community or linux community as they put it is DDoS'ing their network then this could very well be the most damning story against SCO yet. It would be amazing to prove the lack and misunderstanding of IT, Linux and Intellectual property SCO has by getting a headline on national news "SCO lies about networking attacks".

    A simple title like that would take the competency out of any IP lawsuit around simply on the grounds you couldn't tell what the company was telling the truth on or not. (Well, to geeks it's easy to say they're lying, but this brings it to the forefront that any CTO/CIO or CEO would understand for that matter).

    Has anyone been able to get any further comments from upstream providers or ISP's around them?

    I wonder if I will ever see the code to smurf.c as "a special F**K you to SCO".. I always laughed when I saw the code and recognized old Fnet admins being the brunt, would be funny to see sco action (although, I'm with RMS - don't do anything illegal.. just keep on emailing them and expressing your opinions!)

  9. DOS = easy excuse #1 by mabu · · Score: 2, Insightful

    In the Internet industry, all sorts of companies use DOS/DDOS or claims that worm-related traffic is to blame for a plethora of problems that are often internal blunders. This shouldn't come as a surprise to anyone who has ever managed a server online.

  10. Why are they faking a DDoS attack? by Ramsés+Morales · · Score: 5, Insightful

    I don't doubt their claims, they are clearly lying. Instead of discussing the obvious, that they are not under a DDoS attack, we should be asking ourselves why they are faking an attack.

    Some people have pointed out that they are doing it to remove self incriminating evidence from their website. Very likely.

    Another plausible speculation is that they are going to use this fake attack as an excuse to delay showing the evidence the judge demanded. I wouldn't be surprised if they go as far as saying that some "evil free software hugger" performed the attack to erase the evidence from all their computers, and use that as an excuse to insist that IBM should show their code first.

    And no, these are not conspiracy theories, because the evidence is enough to prove they are faking the attack. They are doing it for a very good reason.

  11. Re:netcraft by tomhudson · · Score: 5, Insightful
    poster wrote:
    In fact - according to Netcraft - they are using Linux.
    If you read the comments at groklaw, you'd see that they (SCO) are now running "unknown/apache" instead of "linux/apache", and that their web site had LOTS of changes.

    The most probable explanation - they recompiled apache so it doesn't reveal the host OS, made all the other changes, and fubar'd the update. Rather than admit it, they claimed a DoS attack.

  12. Re:HMMM Verry interesting by thoolihan · · Score: 2, Insightful

    Yesterday I noticed that SCO stock was down to 14$ today it's at 15$. I wonder what would happen if you plotted a function of sco stock prices to their press releases.

    That, or the Dow went down yesterday and is up today through about 1pm.

    -t

    --
    http://unmoldable.com W:"No one of consequence" I:"I must know" W:"Get used to disappointment"
  13. Newspurge by eddy · · Score: 5, Insightful

    The absolutely best hypothesis is that they're doing it to purge the bad news off the newssites. There was news about the motion to compel hearing (which wasn't SCO's finest hour. Read the transcript here. Check p55 if you're in a hurry) and about the SCO - Boies - Investor-relationship which also was very bad news for SCO, because they want people to believe Boies is on a contingency (apparently that implies 'faith in the lawsuit').

    Where is that now? Gone.

    Instead we have stories about poor, poor SCO being attacked by those evil linux users.

    How many companies release Press Releases about being under attack?! On the same day, no less!

    --
    Belief is the currency of delusion.
  14. The Press Sucks! by big-giant-head · · Score: 5, Insightful

    Most members of the press are as interested in the truth as Darl McBride is, and they are equally competent in technology matters.

    Face it, a bunch of angry hackers attacking SCO makes a better story than the truth. Especially using the 10 word headline format that is so prevalent in the US.

    --

    So Long and Thanks for all the Fish.
  15. Ha ha! by macdaddy · · Score: 2, Insightful
    That's like a teenager lying to their parents about what *really* happened to their parents' car they borrowed last night. Did I forget to mention the father was a mechanic? Ha!

    Honest Dad, I didn't forget to put oil in it (as the father drains the pristinely-clean golden-colored oil from the locked up engine)...

    Honest Dad, I had a blow-out (as the father examines the tire with a 4 inch puncture wound that shows the core pushed inside the tire)...

    Can you say busted?

  16. Fund Groklaw by blunte · · Score: 5, Insightful

    I think we should have an informal fund raiser for groklaw.

    They (that guy?) does a lot for the good of the world (fighting evil (sco) is not just good for linux, it's good for "right").

    So, I'll donate $5 to his paypal, and I highly recommend that everyone else do the same. $5 isn't much, but * slashdot it's a lot. Surely we've spent a lot of their money on bandwidth, not to mention the free research time they've spent.

    --
    .sigs are for post^Hers.
  17. Re:Let's do a Slashdot insta-poll by Anonymous Coward · · Score: 2, Insightful

    SYN floods are so 1990s. Most modern OSes have some measures to prevent this sort of crap.

  18. Re:Let's do a Slashdot insta-poll by Brandybuck · · Score: 3, Insightful

    But try telling the press that. They believe everything Darl says without question. One single person could do this. In fact, the probability of it being one single person is enormous. Yet it's reported as an attack by the Linux *community*.

    How come the press never similarly reports that "the Windows community unleashed a virus today..."?

    --
    Don't blame me, I didn't vote for either of them!
  19. A single machine on cable or DSL? by Svartalf · · Score: 2, Insightful

    Hmph... A frigging 28.8k modem could SYN flood a machine.

    You don't NEED to distribute the attack, per se, it'd be done that way to completely cover their tracks...

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  20. You are incorrect. by mindstrm · · Score: 4, Insightful

    I've dealt with huge synflood attacks, in the wild.
    Most of the things you say you think you know here are simply not true, I'm sorry.

    Tools to mitigate synfloods only help to a marginal degree if the attack is done correctly.

    First, bandwidth is an issue. Determined hackers can bring GIGABITS of syn requests in... NO, I'm not exaggerating in the least. If you aren't colo'd somewhere with massive bandwidth in the first place, all the "mitigation tools" you want won't help you, as you will be out of bandwidth. Completely. The days of 1Kbps synflood shutting you down may be gone.. but nowadays when attackers want to hit you, they hit you with tens of megabits, to start with.. so not only is it a syn flood, it's just plain a FLOOD.

    Provided you DO have enough bandwidth, you need a way to differentiate between valid syns and attacker syns.. which is a fundamental problem. If the attacker has enough hosts he can do full source address spoofing from, you are just plain screwed.. your attack prevention device won't do anything at all, as there is NO way to differentiate between good and bad traffic, fundamentally.

    Syncookies increase the rate at which you can deal with syns, but they are by no means a solution to the synflood problem, the problem still exists with or without syn cookies. Let me say that again.. syncookies do NOT solve the synflood problem.. they just lighten the load on the machine, and let it deal with more requests at once.

    Putting a box out front that can sink LOTS of syn requests, and only pass valid, established connections through to the real servers HELPS.... but only to a point. Only as long as it can keep up with the flood.. which when we are talking about gigabit speeds, is tough.

    In short, if your servers are colo'd at a really, really fast network, and you have really, really good equipment, and people who know how to deal with it, you can deal with this kind of attack, most of the time. You can absolutely build a system or setup that is basically immune to this.... but that's far more engineering and resources than many even very large companies throw at their stuff.

    It's nowhere near as trivial as you are making it out to be, and considering the number of attacks I've seen in the last six months, in person, I have no trouble at all believing sco is getting trashed. well, except that everything they say is generally bullshit, but that's a different matter entirely.

    Second, when PR people start talking about "can't access the intranet, etc" they may mean "can't access it from outside" or something like that.. give it a rest. Intranet has different meanings to different places..

    And you should know, how things SHOULD be designed is rarely how they ARE designed, even by people who should and do know better.
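
Added example, not part of the thread or any poster's code: a simplified SYN-cookie scheme (5-bit time counter, 3-bit MSS index, 24-bit keyed hash, with HMAC-SHA256 swapped in for the hash) replayed against constructed spoofed SYNs, illustrating the point in comment 20 that cookies remove per-SYN state while the server still has to answer every SYN. The secret, MSS table, function names and the documentation-range addresses are assumptions for illustration, not any real stack's values.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: real stacks use a random per-boot secret
MSS_TABLE = [536, 1024, 1220, 1300, 1360, 1440, 1452, 1460]  # illustrative 3-bit table
MAX_AGE = 2                        # accept cookies up to two 64-second ticks old


def _mac24(conn, counter):
    """24-bit keyed hash over the 4-tuple and the coarse time counter."""
    msg = "{}:{}>{}:{}|{}".format(*conn, counter).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(conn, mss, now):
    """Sequence number for the SYN-ACK; the server stores nothing for this SYN."""
    counter = now >> 6
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(mss, MSS_TABLE[0]))
    return ((counter & 0x1F) << 27) | (idx << 24) | _mac24(conn, counter)


def check_cookie(conn, ack, now):
    """Validate the handshake's final ACK (ack = cookie + 1); return MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    for age in range(MAX_AGE + 1):
        counter = (now >> 6) - age
        if (counter & 0x1F) == (cookie >> 27) and _mac24(conn, counter) == (cookie & 0xFFFFFF):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


def simulate(backlog_size=128, flood=1000, now=1_000_000):
    """Replay constructed spoofed SYNs, then one real client, against both designs."""
    server = ("192.0.2.10", 80)
    spoofed = [("198.51.100.%d" % (i % 254 + 1), 1024 + i, *server) for i in range(flood)]
    legit = ("203.0.113.7", 40000, *server)

    # Stateful listener: every SYN holds a half-open slot until it times out.
    backlog = set()
    for conn in spoofed + [legit]:
        if len(backlog) < backlog_size:
            backlog.add(conn)

    # Cookie listener: answers every SYN and remembers none of them.
    for conn in spoofed:
        make_cookie(conn, 1460, now)
    cookie = make_cookie(legit, 1460, now)
    return {
        "stateful_ok": legit in backlog,                      # real client got a slot?
        "cookie_mss": check_cookie(legit, cookie + 1, now + 3),
        "tampered": check_cookie(legit, (cookie ^ 1) + 1, now),
        "expired": check_cookie(legit, cookie + 1, now + 64 * 5),
        "syn_acks_sent": flood + 1,   # reply work and bandwidth still scale with the flood
    }


if __name__ == "__main__":
    print(simulate())
```

The stateful listener turns the real client away once its backlog is full, while the cookie listener completes the handshake; `syn_acks_sent` is the part cookies do not reduce.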

  21. Ok, let me think this one through... by iCoach · · Score: 3, Insightful

    I realize this is offtopic, but something just struck me... Lets look at the possible outcomes of the lawsuit

    A) SCO wins, Linux does in fact contain code that was copyrighted.
    - So now the Linux community is in shock. However if SCO wants to release ANY Linux software they will have to GPL the code or remove it - thus revealing it to the rest of the community allowing them to remove the offending code and making the lawsuit a moot point.

    B) SCO loses, the code doesn't exist, or was previously GPL'd by SCO.
    - SCO loses its entire customer base (never trust a traitor, not even one you create). And closes its doors or is sold on the cheap.

    C) Someone bails SCO out, buys everything before the lawsuit ends.
    - SCO doesn't sell cheaply, Daryl gets out with millions in "severance pay", Linux community moves on.


    You tell me where the lawsuit is going.

    -Coach

    --
    "Never upset a goalie, getting hit with a blocker is an unpleasant experience - facemask or not." -Me
  22. SCO's defense by Unnngh! · · Score: 4, Insightful

    It is natural for criminals to group together. Why? Because they've committed so many heinous acts that they only feel comforted by others who are just as bad. The other side of this is, criminals figure that because they're crooks, the rest of the world must be, too. So when SCO's servers start acting up, their first reaction, being such criminals as they are, is to assume that someone else is doing exactly what they do--launch an attack, attempting to destroy or deface the competition. And thus, it must be someone in the evil Open Source community who is doing it, or maybe just maybe IBM.

  23. This tactic shouldn't be too unexpected by Garwulf · · Score: 3, Insightful

    Well assuming that it is a hoax (and, being the cautious type, I do have to concede the possibility that it may be legitimate - stranger things have happened), I honestly don't find myself terribly surprised that they have taken this route.

    If you really look at it, SCO has been trying to create an atmosphere of fear - all of which was brought to an abrupt end when the judge commanded them to put up or shut up, essentially. I don't know if they could issue another press release about how their IP is in Linux without irritating the judge, which would destroy any chance they have of actually winning the case.

    So, how do you continue to remain active and relevant?

    Well, if they can demonstrate that this attack came from the open source community, they can gain some public support, which puts pressure on IBM (as they are representing open source), all without even mentioning the oft-repeated "SCO IP is in Linux" line.

    It could even be elegant, if SCO hadn't blown the case out of proportion with their press blitz and threats earlier.

    --
    Robert B. Marks
    Author, Demonsbane in Diablo Archive
  24. DOC would be better... Denial of Cash. by Anonymous Coward · · Score: 1, Insightful

    While a Denial of Service attack may cause SCO some hassles, it really does not damage them seriously, and only gives them fuel for their attack on Open Source. They can say "see what these crazy hacker types that promote Open Source will do to your business!".

    The best way to deal with SCO is to hit them where it counts - in the pocket book. How do you do that?

    Well here is a list of the major institutional shareholders of SCO:

    TOP INSTITUTIONAL HOLDERS
    Holder                                 Shares      % Out   Value*        Reported
    Capital Guardian Trust Company         1,177,800   8.51    $16,288,974   30-Sep-03
    Integral Capital Management Vi, LLC    316,600     2.29    $4,378,578    30-Sep-03
    Royce & Associates, Inc.               1,441,200   10.41   $19,931,796   30-Sep-03
    Integral Capital Management V, LLC     246,730     1.78    $3,412,275    30-Sep-03
    Empire Capital Partners LP             205,000     1.48    $1,961,849    30-Jun-03
    Barclays Bank Plc                      174,686     1.26    $2,415,907    30-Sep-03
    Bjurman, Barry & Associates            160,000     1.16    $2,212,800    30-Sep-03
    ING Investments, LLC                   143,100     1.03    $1,979,073    30-Sep-03
    Oberweis Asset Management Inc.         112,000     0.81    $1,548,960    30-Sep-03
    Whitney Asset Management LLC           76,967      0.56    $1,064,453    30-Sep-03

    While this only amounts to about 30% of the outstanding shares of SCO - most seem to be privately held - it is a good place to start. A letter writing campaign to these companies would be one method. Let them know in civil, adult terms that you do not approve of companies who practice business in the way SCO does, and that you plan to help organize a boycott of these companies for helping SCO. If you have any investments with these companies threaten to take your business elsewhere. Also tell them that if they do not respond then you plan to target other companies they do business with a similar boycott. And let them know that you plan to be very vocal with your protests - bad publicity can really hit a company in the pocketbook.

    Most of the shares of SCO seem to be owned by individuals, but they can be targeted also. With a little time and research of SCO's SEC postings those individuals can be sorted out. Now many of them are officers of SCO, but they and other individual investors may be officers or large shareholders of other companies. Those companies would be a good target for a boycott too. Also anybody doing business with David Boies and his lackey legal firm would be good targets. LexisNexis would be a good way to research that.

    You may think this is silly, or won't work, but in the USA - as the saying goes "bullshit talks, but money walks". Take a look at what is going on with Abercrombie & Fitch. They annoyed a lot of people and now a boycott of their business is being organized. Their stock price is down and they are having to change the way they do business.

    We could wait for the courts to sort it out, but that just gives more money to the damn sharks - whoops, I meant lawyers.

    In the good old USA the $$$ rules - and that is not necessarily a bad thing, you just got to know how to play the game. Use the power of your money wisely!

  25. Judge's ruling on discovery by Animats · · Score: 2, Insightful
    Here's a key excerpt of how things are going against SCO.
      MR. MCBRIDE:

      Thank you, Your Honor.

      Frankly, we can appreciate the intention of the Court based on the submissions and understand the basis for it. We think, Your Honor, however, that in a few minutes this morning we can convince you that the more appropriate path is to follow a rule or an outline of the rule in Rule 33 that basically says that because the issues involved in this discovery involve a complex interplay between facts and law, that instead of granting the motion, what the Court should simply do is put the motion on hold until very specific discovery has been identified and produced and then make a ruling. And before I address this -- [judge interrupts] yes, Your Honor?

      THE COURT:

      No.

      What I was going to say, Mr. McBride, is that in reviewing all the submissions and reviewing the pertinent case law, it appears to me that what is happening is somewhat circular in that defendant indicates that it cannot answer plaintiff's interrogatories until plaintiff has identified the source codes, et cetera, but the manner in which those have been submitted make it, I believe, unduly burdensome on the defendants and so we go 'round and 'round.

      And I find also that it appears to me that if there's any argument to be made on the failure to confer under Rule 37 that -- that there has been a good faith effort to comply, but that because we can't get off the ground because of this circular problem, that I would not find that a sufficient basis for, you know, further postponing.

    There are hours of argument you can read through, in which SCO proposes novel legal theories under which they don't have to specifically identify infringing material. The judge doesn't buy this at all.

    I suspect that SCO will not produce specific infringing material in thirty days. That will lead to an appeal from the magistrate judge to the district judge. Then it gets complicated. SCO may try to litigate their concept of discovery at the appeals court level before proceeding to trial. That's usually not allowed, but there are exceptions to that rule and some of what SCO's lawyers are saying hint that they may try to go in that direction.

    Fundamentally, once SCO's novel theory of vague infringement gets knocked down, it's all over for them. So we'll see all sorts of maneuvering to keep it alive. But so far, they lost the first round.