Taking on an Online Extortionist
An anonymous reader writes "When an online extortionist comes a knocking, threatening a DDoS, do you pay or fight? For many, paying may seem like a sensible option when compared to going out of business. CSO Magazine has a riveting article about how an online gambling site and a DDoS specialist teamed up to take on such an extortionist. When everybody else was rolling over and paying, this company risked its very existence to fight back. From the article: '"The attack went to 1.5Gb, with bursts up to 3Gb. It wasn't targeted at one thing. It was going to routers, DNS servers, mail servers, websites. It was like a battlefield, where there's an explosion over here, then over there, then it's quiet, then another explosion somewhere else," says Lyon. "They threw everything they had at us. I was just in shock."'"
Presumably, they will give you some way to pay them (else what is the point?). Point the cops and or feds at that contact, and see what happens.
Extortion is extortion, be it physical or bandwidth.
If no joy from the authorities, I'm sure your local newsrag would be glad to shame the cops into doing something. Of course, if the extortionist is overseas, things might be a little difficult.
If they actually get money, they'll do it again and again.
Any measure of success will encourage more of the same behaviour.
What I don't understand about the Roland Piquepaille thing is why anything he does is bad! He says "come look at my site!" instead of directing people elsewhere, even though his blog's content isn't all that spectacular.
How is that different from the entire rest of the internet? An awful lot of blogs link news stories with a bit of commentary and want people to read them. Slashdot submitters are free to submit their own sites. The problem is with slashdot editors accepting fairly dumb submissions. That seems to be the problem. Not that Roland Piquepaille is acting scandalously.
xkcd.com - a webcomic of mathematics, love, and language.
I would think in the situation that the e-mail was ignored, it would enrage the extortionist into firing a warning shot, one that would for SURE get the guy's attention. In fact, from the article, it looks like that is sort of what happened. He didn't respond, just first sought consultation and alerted his ISP. Then the extortionist sent a second threat, but not until he had crashed a few ISP servers to get some attention.
welcome our Windows zombie machines overlords. (food for thought).
I think the fuss was that he allegedly pasted in 90% of an article on his site (but including a link to the original somewhere on his page), made one or two not-so-insightful comments and submitted his page to /. instead of the link he researched his story from.
When the slashdotting began, he made a lot off all the ads on his site.
People were cross that they were pointed to a 'version' of the story when they could have been pointed to the actual story itself, and that someone was profiting off that style of journalism (rightly or wrongly).
>> and everyone else at the company carry Glock 19's?
Please excuse my asking, oh well-armed-one, but WTF for?
The glock is a fine weapon, and being an admin for an ISP is a fine job, but I can't quite see the relationship between the two things...
http://request-header.info
Why is that sad??? That is one of the most awesome songs by Maiden... and if it taught you a little history (got you to learn more about Churchill maybe?) then it was entertaining and educational.
...and this new twist on the speech is good too...thanks for posting.
Heck... I used lines from Maiden and Judas Priest in my Junior Presentation in Arts and Lit... the teacher missed them but some of the kids in class picked up on them...
The problem is that many of the online gambling and online poker operations are not based in the United States, as it is against the law. More often than not then, the site operators establish their operations in small Caribbean islands and the Isle of Man. As a result, the small island governments are almost always incapable of handling a large scale international investigation, but at the same time, the FBI cannot get involved because there was no crime committed on US soil. Now, the knee-jerk reaction is to say that the site operators are getting what they deserve for establishing off-shore operations and not paying taxes, but that wouldn't be the whole story either. The true fact is that while practically all of the gambling operators are owned and run by US citizens, almost all of those operations want to be regulated by the government and pay taxes as well. Why? Because of exact situations like these with the DDoSers. Between losing the shirt off your back and paying taxes, one of the options starts to look a lot more business smart. It's a weird world when one of the most profitable online industries that pays little to no tax is also the one that most wants to be regulated and taxed at the end of the day. Given the context of the industry however, it can be easily summed up in one easy notion: protection fee. Having the protection of the laws of the US government far outweighs being knocked over, cheated or swindled by the legions of DDoSers, fraudsters and governments that the industry has to deal with. Ambiguities about the morals of gambling aside, if a $2 billion dollar industry that most believe is here to stay wants to come ashore and be taxed and regulated, as a US citizen, I for one would welcome the tax benefits.
Makes you look less geeky.
I'm not tense. I'm just terribly, terribly, alert.
I especially liked the ending. Finally a legal criminal that really delivers :P
Don't bother - it summarizes Shining Hero Californian defeats Evil Russian DDOS attacker. By the time I had finished reading the article, all my 'this is all complete BS and astroturf' posts were ignored.... Sure, this is impressive. Sure, it's nice that he might have done these things. However, this is more an epic story / advertisement than actual information or news.... This looks like a bunch of unbacked and unsupportable drivel to me. Who on earth bothers hacking an ICQ account? These vicious scary uber-powerful Russians with 10,000 + computers at their fingertips that can knock out even online gambling sites... Pay this man, and he will not only make them go away, but have them arrested in their dark, shabby apartments in the middle of freezing St. Petersburg.
My little site.
The lesson is also that if you pay, they'll know you'll pay more.
There's a point where they keep coming back with higher numbers. If you look, they only guaranteed the protection for a year.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
i can't read the story, but a lot of comments suggest contacting the FBI
stoopid question but:
what law did they break?
if they used their own bandwidth, then they just sent packets to your public website, right?
This is kind of like some spammer emailing me saying "i currently spam you lots and lots and lots, if you give me *money* i'll stop spamming". Ironically, this is just one more piece of spam in my inbox. Why would this spam be criminal, and the thousands of XXX VIAGRA CIALIS XXX be fine?
Over 200 comments and only a handful seem to suggest that Windows insecurities play a big role in these incidents? I'd love to see some numbers from Prolexic about how many of the zombies they've discovered are unpatched Windows boxes sitting on cable modems and dsl lines. To be fair, yes, it may very well include some buggy Linux boxes also. We all know which OS is really targeted the most, though.
When are governments going to step in and start placing reasonable requirements for software security? When are they going to start punishing the companies that ship the buggy software that is entirely responsible for the existence of the online extortionist industry?
Fix bugs, no zombies.
No zombies, no botnet.
No botnet, no DDoS.
No DDoS, no extortion.
I don't know... I found the last paragraph grated against his super-hero image:
That's right. Lyon is one of the good guys. Still, Lyon's heroics weren't possible without Mickey Richardson's resolve. It's easy to forget that as Lyon worked to save him, Richardson considered paying off the extortionists. Now Richardson has a better option. Pay Lyon $50,000 a year and he's protected. He doesn't have to worry about paying extortionist's protection fees.
I've always found there to be a rather fine line between insurance and extortion. If the story is true, he probably is one of the good guys, but he's merely tapped into the revenue stream the extortionists created.
A steaming cup of soykaf would be real wiz right now.
And if it wasn't for ze Russians Europe would have been the 3rd Reich today. It's amazing how much the West underestimates that Russians went all the way to Berlin to Hitler's bunker. I guess with the Cold War, the Russians just had to be evil, and while the Soviets definitely sugar-coated the history in their favor, I would not have expected that the "free" and "democratic" US would also do it. Yeah I know, the Americans helped plenty, they gave the Ruskies Jeeps and other vehicles. But still it was the Russians that died from Hitler's and Stalin's hand.
I guess I could have been more clear. By having that equipment, and those type of customers, and that location, we had multiple reasons to be concerned for our lives. Just like any other time, being armed serves two purposes:
- To act as a deterrent
- To defend one's life, should someone disregard #1.
I absolutely respect the sanctity of life. I just respect the sanctity of my life slightly higher than everyone else's. (except for my kids, of course)
But first we have to get over this strange idea that because it's The Internet, everyone should be allowed to use it, without any traceability or responsibility for their actions whatsoever, regardless of the harm it may cause others.
The sad thing is you could prevent 99% of the hijacking attempts against your (windows) machine by doing just two things:
- don't use IE; and
- install ZoneAlarm
This isn't exactly rocket science. And it doesn't require draconian legislation requiring that all communication from every machine be traced and logged.
Max
My god carries a hammer. Your god died nailed to a tree. Any questions?
This was a tie, at best. It still cost you time and money so you still came out a loser on that score; you just didn't lose as much, perhaps. As it stands now, they can attack someone else with impunity, and probably have. It's only a win if they are identified, prosecuted, and their zombies shut down. Everyone has to start thinking that way. It's only a win when they actually lose something, their anonymity, a few years of freedom and or money in fines, and their zombie network.
From a purely economic standpoint, it makes me wonder who's the real "extortionist"...
Have fun: Join D.N.A. (National Dyslexics Association)
No no no, Russians sell stolen hacked ICQ accounts because everyone wants either an easy to remember ICQ# or a really low ICQ#.
I frequent these Russian forums frequently where they are giving away 5 digit ICQ# to the first person to read the post.
However, the most amazing thing is, if I had the ability to direct 10,000 zombie systems to attack websites for extortion money, you could bet that every type of online communication I engaged in would be done thru no less than 5 different proxies, for every type of service, with an encrypted tunnel between me and the first proxy, and with complete control of that first proxy to erase full logs afterward.
You think that these guys are brilliant, but they're really just a bunch of stupid script using kidhacks.
It would be interesting to know what percentage of the zombie machines were windows...
So that's what someone's life is worth now? A "few hundred thousand dollars"?
In Texas there is no lower limit. You can shoot someone in the back who is running away from you and is no longer on your property, as long as they stole from you and you can expect that you won't see it again if they make off with it and you would be at risk if you caught them. That's pretty much a blank check to shoot a robber in the back.
The very idea of killing someone over something so trivial as a router makes me sick.
I'm a raving liberal when it comes to most things, but I seem to be on the rabid conservative side for this one issue. Why is their right to steal from me greater than my right to stop them? I have the right to be secure in my person and property. They do not have the right to be secure in my property, only their own.
Using deadly force to stop a felony seems quite reasonable. Using deadly force to stop a car chase seems quite reasonable. Deadly force should be used to stop crimes in progress and to stop those after crimes are committed if failure to do so would result in them getting away. If you don't like it, quit committing felonies.
Learn to love Alaska
Along with IPS in general, I think a lot of the devices out there have some pretty good rate-limiting and SYN flood mitigation, however, they all seemed to miscalculate the sheer amount of processing power it takes to do deep packet inspections and protocol verification. Prolexic's network is currently representing about 10 Terahertz of processing ability just for the DPI, so hoping a single FPGA based hardware device will do the trick may be a bad idea. Also, most devices can not handle out-of-state TCP based attacks (see: Riverhead), so keep your eyes out on that too.
Prolexic often gets new customers when the TopLayer, Tipping Point, and Riverhead gear fails, so I don't see how anyone could be comfortable with just a single unit to save the day when there are people out there that will take down DNS servers, router serial interfaces, carriers, do long lived TCP sessions to slow down web servers, HTTP connection floods, and anything else they can think of to just hurt the network (75k machines all doing random search queries on a cgi, etc.)
Further, a box does not have much of a turn-around time, so just call Tipping Point at 2 AM on sunday when the network failed and nobody has any clue with what is going on. Then wait for their one good programmer to fix the FPGA issue and a week later cross their fingers that whatever they did can stop the botnet that is causing someone's business to fail.
I may just be a little beat up from all the traffic we deal with, but it's a little insane to say things like, "we have box X, its magic will fix everything."
-Barrett
I see this argument as hypocritical. Why are the police entitled to use force when you aren't in defense of your property? Why is a cop permitted to shoot a perp who is fleeing arrest? What makes his moral judgement superior? The way I look at it is this: When a criminal steals your router he makes an implicit statement, "My life is worth risking to steal your property." The civilized have no obligations towards barbarians.
If a similar principle applied to the Internet, with minor offences attracting a polite warning up to running a grossly insecure system that causes widespread inconvenience to other netizens getting you completely blocked, people would soon learn to respect the technology and others using it.
While that's a nice idea in concept, I don't think it would work in The Real World, for a couple of reasons:
1. A license is only required for driving on public property (ie roads). Most of (US) internet access traverses private utility lines (phone/cable), so there's a question of jurisdiction.
2. Risk to free speech - who defines what constitutes an "offense"? Ok, a zombie/spam-relay is against the rules, right? What about a mass-distributed opt-in mail list? What about a targeted marketing email sent to people a user has a "previous business relationship" with? What about P2P? Some P2P use is legal, some is not. Does Big Brother have to watch what we're downloading? Or what about political activity? How do you prevent Big Brother from deciding that "questioning the President's decisions constitutes terrorism, hereby revoking your Internet License"?
3. The internet is a global network, so you have the same old issue of making such an institution as "internet licensing" work across a multitude of laws & cultures. How do you ensure that the Russians, British, or Italians enforce the same sort of internet-license policy that we'd create here in the states?
4. Finally, there's the question of efficiency. Plenty of things are already illegal (spam, hacking computers, etc.). That doesn't stop people from doing it, just like people don't stop speeding or driving drunk just because it's illegal. It's a question of making policies, and having the resources to enforce them. Since we're talking about computers, there's a lot that can be automated which reduces the manual resource need, but it doesn't eliminate it. There's already a lot of issues regarding RBL's and trying to get legit mail lists off an RBL - scaling that up to accidentally (aka based on a false positive) denying internet access to people randomly doesn't seem like a great idea, unless you have the resources in place to resolve those, and that costs $$.
I am myself a gun owner and a vocal proponent of the Second Amendment, and I have to say I could not disagree more with what you are saying. It's this kind of testosterone-driven false bravado and thoughtless remarks that give real firearm enthusiasts a bad name.
Deadly force is a last-resort measure that should be employed only when there is direct risk to your life or the lives of others. If someone else is threatening or attacking you with a gun, or if someone comes at you with a knife or something, or someone is subjecting another person to such a threat, you are justified in shooting them. But how can you justify taking someone's life because they're about to make off with your hubcaps or your computer?
The power to take a life carries a tremendous responsibility to use that power only when it is necessary in order to protect the lives of others. Anyone who says otherwise clearly does not understand the responsibility that comes with wielding deadly force, and the sooner the crackpots who kill some poor kid to save their property are hauled off to prison, the better.
Your post smacks of the attitude of a kid who's never actually held a gun, much less been in a situation where it was necessary to use it. I haven't had to fire upon another human being either, but I know people who have; my father's gun saved his life on several occasions, and a friend of mine is a police officer. Think before you speak, maybe.
P.S: I have to say I do agree that sometimes deadly force should be used to stop a car chase. If the suspect represents a direct threat to innocent life, or the moment they make an assault with their vehicle, any measure required to stop them should be employed. However, in a pursuit situation, the best option is to simply let the suspect get away - unless you know that they do in fact pose an immediate threat (say, they're an escaping murderer, or they have a hostage, or something of that magnitude), it's simply not worth the risk to public safety that is involved in a high-speed pursuit. It's sad the number of times innocent people have been injured or killed because the cops didn't want to let a drug dealer or two-bit robber get away.
could be usefully forged.
Unless ISPs got off their asses and implemented egress filtering for packets leaving their networks. Cable modem in Florida spewing packets addressed from China? Holy shit, I think they're bogus! The closer you filter these bogus packets to the source, the less traffic any given filter has to deal with, PLUS the smaller network size it has to accept packets from, leading to a reduced chance of dropping or allowing the wrong packets.
If I have been able to see further than others, it is because I bought a pair of binoculars.
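The egress filtering described in the comment above, sketched as an added example that is not part of the original thread: the same constructed packets are checked against per-port prefixes at the customer edge and against the ISP aggregate at the border. The port names, prefixes (RFC 5737 documentation ranges) and packets are all assumptions made for illustration.

```python
import ipaddress

# Constructed topology: one ISP aggregate split across two customer-facing
# edge ports. All addresses are RFC 5737 documentation ranges.
ISP_AGGREGATE = [ipaddress.ip_network("198.51.100.0/24")]
EDGE_PORTS = {
    "cm-port-1": [ipaddress.ip_network("198.51.100.0/25")],
    "cm-port-2": [ipaddress.ip_network("198.51.100.128/25")],
}

# Constructed packets: (edge port the packet arrived on, claimed source address).
PACKETS = [
    ("cm-port-1", "198.51.100.10"),   # legitimate customer address
    ("cm-port-1", "203.0.113.77"),    # forged: not an ISP address at all
    ("cm-port-1", "198.51.100.200"),  # forged: a neighbour's address on port 2
    ("cm-port-2", "198.51.100.200"),  # legitimate customer address
    ("cm-port-2", "192.0.2.5"),       # forged: not an ISP address at all
]


def source_allowed(src, allowed_prefixes):
    """True if the claimed source address falls inside one of the prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_prefixes)


def dropped_at_edge(packets):
    """Filter next to the source: each port only accepts its own prefixes."""
    return [(port, src) for port, src in packets
            if not source_allowed(src, EDGE_PORTS[port])]


def dropped_at_border(packets):
    """Filter at the ISP border: only the whole aggregate is known there."""
    return [(port, src) for port, src in packets
            if not source_allowed(src, ISP_AGGREGATE)]


if __name__ == "__main__":
    edge = dropped_at_edge(PACKETS)
    border = dropped_at_border(PACKETS)
    print("dropped at edge:  ", edge)
    print("dropped at border:", border)
    # Forged sources that only the edge filter can recognise as bogus.
    print("missed at border: ", [p for p in edge if p not in border])
```

The neighbour's address forged on port 1 passes the border filter because it sits inside the aggregate; only the filter closest to the source has a prefix list narrow enough to reject it.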
Using deadly force to stop a felony seems quite reasonable. Using deadly force to stop a car chase seems quite reasonable. Deadly force should be used to stop crimes in progress and to stop those after crimes are committed if failure to do so would result in them getting away. If you don't like it, quit committing felonies.
...and what if there are no witnesses? Sounds like a good way to commit murder to me! (I swear he was running off with my wallet when I shot him in the back).
So you trust the person who shoots you to determine your innocence or guilt? Last I checked that was for a judge and/or jury.
what if what they're "making off with" turns out to be theirs and only looks like something you own?
No, I think the use of deadly force should be restricted to when yourself or your family/friends come under attack directly. I do however think it's ridiculous that you can be charged and then sued for a burglar tripping over your rug in some places. Frankly I think if a burglar gets held by force (and suffers minor injuries) that's fair enough. If a burglar gets to go home in a coffin that's a bit too much.
These posts express my own personal views, not those of my employer