Slashdot Mirror
BusinessWeek on Hacker Hunters
prostoalex writes "You keep hearing about FBI, Secret Service or other law enforcement authorities involved in pursuing international cybercrime gangs, but who are those people and how does the cyberlaw enforcement work? Business Week talks about hacker hunters and people they're after. A large portion of the article is dedicated to describing the global scope of such activities with Russia, Eastern Europe and China leading the ranks for criminal hideouts."
Could we please try to restore the word "hacker" a more positive meaning on mainstream media?
http://www.dieblinkenlights.com
Looks like the Ruskis have this available as a course (if you want to go to Siberia) Hacker Hunter U,
"It's so convenient to have a system where everyone is a criminal" - A. Hitler
Isn't Brazil one of the world's biggest hideouts for hackerS?
We MUST put a stop to hacker hunting. Please join PETH today.
People for the Ethical Treatment of Hackers(PETH) is the hackers only hope. W0n'7 j00 h31p?
The alleged ringleaders went quietly, but one suspect jumped out a second-story window. Agents nabbed him on the ground.
Actually, I know the guy, and it wasn't the bust that did it.. he wasn't even aware of the encroaching officers.. he just failed AGAIN at getting a first post on slashy.
** "It's not my job to stand between the people talking to me, and the ones listening to me." -- Pego the Jerk
As someone who works in the security field and comes across hacked systems all the time, I'll believe they give a damn when they start returning my calls. Sounds like PR to get someone more funding. Trying to get someone at the FBI to care when you come across bot networks at an ISP, bank, or even a power company is next to impossible.
Im surprised that the FBI doesnt arrest the hacker hunters... they tend to like to arrest everything they can see doing anything that might be something they dont like....
Ive got my tin foil hat on again too..
My dad's office (law firm) was hacked about a year ago. Actually, it was more of their phone system that was hacked. It is somehow hooked into their computer system, I don't know the details. Anyways, they got a bill one day and there were tons of calls to the Middle East. They called the FBI and surprisingly an agent showed up. It probably had to do with the fact that the calls were to the middle east. They didn't do anything though other than take some notes. I expected more but I guess not having to pay for the calls was good enough.
McBride however is remembered as calling the resulting DOS attacks "the darker side of the Linux community we've been fighting."
The article is dated May 30.
"We don't stop playing games because we grow old; we grow old because we stop playing games.."
Could we please move on to things that matter a wee bit more?
Please help metamoderate.
Why do you feel such hard punishment shall be put on hackers. Hackers are normal people like me and you. They just try to improve their stuff. Sometimes breaking a couple rules here and there. I think what your talking about are texans.
17 billion dollars spent annually on Texan Medical. Approximately 5 billion spent on hackers. Its just a way to get rid of ignorance. Being a hacker (No, not a cracker) I went first because bullies at school were mean. To get away from all of this I took on computers. Realized computers are not bitches. For once something respected my love for it. An obsession was born. Maybe if you were nicer you would not have as many suicides, homicides, and rapes.
Retards: live with it.
The public's conception of 'hacker' has already been formed due to the media, both news and movies.
True, it may have been due to mis-information, but i doubt we can change that now.
---- Booth was a patriot ----
Firefox blocked it for me but I've noticed lately that I'm getting more and more popups. Make sure you upgrade to the latest release.
And as one of the "Hacker Hunters" (pffft), I can tell you that it's not the FBI (or any other LE agents) that don't care.
There's *no* point in an agent taking a case or even wasting his/her time returning your call (one of many every day) when he/she already knows that an Assistant United States Attorney (AUSA) won't take the case for prosecution. The threshold set by AUSAs can amazingly high for damages in most cases. Where I work, it is around $50,000 before they'll even talk to you. There's just too much already out there.
Criminal Investigations are all about prosecution. They all have too many cases as it is, all of which they hope to get prosecuted. There's no way an agent will waste their time on an unprosecutable intrusion.
Unprosecutable because:
1) damages don't meet the threshold.
2) the system was unpatched and "invited" the hacker in - I hate this the most.
3) the system was not bannered "..by clicking ok, you agree to give up your expectation of privacy"... - also a stupid reason, but the case law is there.
4) the hostile systems are difficult to obtain evidence from (read: overseas, unfrienldy).
5) the hostile is obviously a script kiddie (stupid warez, IRC, etc.). Experience shows that the effort put forth to go after these idiots is not worth the 30 days probation a juvenile gets in MOST cases - damage dependant.
Experience will tell you what kind of effort your phone call is worth to an investigator. After he delete's your message, there are probably 3 or 4 more waiting to make their own report.
The agency I work for forwards intrusion reports to us via e-mail. I ignore 90% of them. If I responded to them all (or even half), I'd NEVER have the time to go after the important ones. That's life.
Well, why not whine about that gay now mean homosexual and not jolly or that spam should only used to descripe some kind of food.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
This was a very interesting article, although long. It's good to know that law enforcement agencies are at least trying to do something to stop this crime, but as the article stated it is hard because of things like little available funding and difficulties inherent in dealing with foreign governments with lax cybercrime laws, like Russia, but still, they're trying.
I for one worry little about these government task forces spying on the rest of us. Sure, it might happen, but I would think that as long as we're not doing anything illegal we should be fine. I doubt that most people would be affected by this though.
The law enforcement cybercrime techniques are getting better, but they will always be behind the criminals I think, but at least they are putting a dent in their business.
Ass hats
A hacker is someone who loves hacking just for the thrill of it. AND Not for money. Haven't you heard about ParMaster, etc.?
"Doing what i can, with what i have." ~ Burt Gummer
So what's the point of shooting a deer with a BFG9000? Bring it down and cook it all at once, I guess?
Paleotechnologist and connoisseur of pretty shiny things.
You don't seem to understand the (valid) issue he brought up.
A hacker is an "explorer" and one who seeks to learn, or gather information.
A cracker is the same, but with malicious intent, and who often also hijack targeted systems by installing backdoors or trojans the first time they break into the system.
Hackers hacking into a system are harmless, beware of the cracker.
You described a cracker, NOT a hacker, I just felt I should make that clear.
how is babby formed?
"Lookey here! It looks like we've stumbled across a scriptkiddie! D'ya reckon it's a fella or a sheila? These are yung 'uns, and it's hard to tell. I've gotta be really careful, or it'll BITE me!"
SCO employee? Check out the bounty
Harmless? No. In either case, a compromised system should be fully audited and rebuilt, barring certainty about the limits of potential damage. Any information that passed through that system also has to be considered compromised with potentially widespread effect. That costs non-trivial time and money.
Only the dead have seen the end of war.
Anything but "crackers". "Crackers" just has no ring to it at all :-).
I almost added to the list:
Then I thought of a perfectly good reason to fight it. The script kiddeez and "Neo" wannabees hear the term "hacker" applied to black hat activity. They are led to think that messing with other people's systems is what is cool. One day they grow up and start doing something productive, while my time is wasted fighting their idiocy.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Return of the "USSS" defacement :-)
Archived site. It was even funnier when the Mission Impossible music played as the background sound.
Irene KHAAAAAAN!
One line blog. I hear that they're called Twitters now.
Harmless? No. In either case, a compromised system should be fully audited and rebuilt
The fact that your system is vulnerable to exploitation is neither the hacker's, nor the cracker's fault.
I believe the point the parent was trying to make is that you would probably prefer the "hacker" rather than the "cracker" in the system based on what they would supposedly do with said "compromised information."
ZEN is a prime number in base-36
Were they driving Volkswagen hatchback sport/racing pickup trucks? Was the house a four-story duplex ranch single-family apartment?
Exactly. Hackers draw their power from the light side of Force, while crackers use the dark side. Palpatine may have been right that knowing both sides is optimal, but i prefer the light side.
Who is John Galt?
This is not the case when a widget is reverse-engineered, or hacked to do something else than it's purpose.
Criminal Investigations are all about prosecution. They all have too many cases as it is, all of which they hope to get prosecuted. There's no way an agent will waste their time on an unprosecutable intrusion.
I suppose that's one point of view I hadn't given much consideration towards. But the fact is, I'll make a call to report an intrusion. If I get a response at all it's usually just "Fax us details". No one ever responds to the fax.
Now I suppose they might not respond because they don't think a single system or DMZ compromise is worth investigating, but honestly it never even gets to that point. I've seen credit card numbers being traded between folks in the US and Russia, I've seen IRC proxies that could be used to track back the sources of a 1000+ server bot net, but no one even bothers to investigate.
As a former hacker myself I'm loathe to exaggerate damages like the FBI encourages folks to do. I'm not going to claim a hack incident that the company could only afford to pay me 5 hours to investigate actually caused $500,000 in damages. My hourly rates aren't that high and the hackers shouldn't have to fight off spurious claims like that. The point is, no matter how inconsequential it may seem that a single bank DMZ was hacked and a few CC#'s were stolen.. it can very well lead to a giant cartel that has hacked 100 banks around the world. I don't have the authority to investigate to that extent, and no one in the FBI or the SS bothers to get the details.
I always thought that somewhere in the FBI worked some geek that couldn't really accomplish anything, but for some reason, they couldn't just fire him. So when they realized that he's a computer geek, they gave him a computer and said, "Here, go after cyberhackers." What they didn't realize was that he'd actually take it seriously. So now there's a geek in some dark room at the FBI going after 1337 h4x0rz. And the FBI talks about it as if they have a department of 6,000 professional MSCE's tracking evil hackers out there.
With Firewall Kazowie (plug plug) doing sound effects from the ZoneAlarm logs, it's pretty entertaining on the first post of the day with a new IP address.
One line blog. I hear that they're called Twitters now.
The actual exploitation, however, is the fault of the person who actually takes advantage of said vulnerability, much the same way that the mere vulnerability of your average car to theft does not in any way excuse the actual act of doing so.
/do/ know that if he had malignant intent, he could have done a variety of things; and if he managed root/adminstrator access, you have a very large problem on your hand.
From the victim's point of view, barring taking the system apart and comparing it with a known uncompromised version, it's damn near impossible to ensure that further damage wasn't done. Even if the machine isn't listening on any ports at all, for instance, it doesn't mean that a program couldn't have been modified to open up a back door several months later. An e-mail client could have been modified to auto-execute instructions from certain attachments. Or so forth. You can't really prove that the intruder was a theoretically benign 'hacker' instead of somebody with more malign intent, but you
Ideally, you would prefer that the vulnerablity not have been exploited at all, but that the person sharp enough to notice such would bring it to the attention of those in a position to do something about it -- notifying the authors of the relevant software, for instance. If you notice that your garage door opener opens numerous garages in your neighborhood, you should probably mention this to the manufacturers or your neighbors rather than notifying them of the problem by visiting their garages when they're not expecting it.
Only the dead have seen the end of war.
Quite irrelevant to my post. If you re-read mine, you'll see quite clearly that I suggested that the evaluation of an act should focus on its consequences, not on its motive. The mindset that "it's for thrills, not for money, and therefore it's not wrong" is absurd.
As for "do something else than it's purpose", that's very vague. Again, it depends on the consequences. It might be considered unethical, for instance, to release a program which let people easily unlock everybody's cars with their cell phones (not that it's likely to be possible), since the likely consequence of an increase in auto theft would probably not outweigh any "helping people who locked themselves out" business. That'd be the case even if the tool were produced and released merely because it seemed to be a nifty bit of technology.
Only the dead have seen the end of war.
Yes. Chosing SCO as a target seemed to me to have the following motivations for the crackers:
1: Advertising. They had a bot net that they wanted to demonstrate the power of. "Behold the might of our bots! It takes down SCO and Microsoft! Now pay protection money or your online casino is out of business."
2: Social engineering against administrators. Linux-users are more likely to be administrators and have other network-related jobs. The crackers might think that attacking SCO and Microsoft would gain them symphaty from some of the administrators.
3: The crackers don't like Microsoft. The security updates are a hindrance to them.
4: The crackers don't like Linux/BSD. Microsoft's saving graces, in the cracker's eyes, is that they at least used to make insecure software, and they made a monoculture fertile to malware. By casting the blame on "linux fans", they might hurt the image of the FOSS community.
Irene KHAAAAAAN!
Hm. Makes one wonder if there's any way that corporate IP people would consider sharing information.
Seems unlikely, since companies don't like admitting that they've been compromised (unless forced to do so -- there's a relevant California law regarding customer data, IIRC), but if they pooled information on this sort (e.g. attack methods, pwn3d machines that they were attacked through, any apparent targets, etc) they might be able to better judge when it's worth spending resources on pursuing some possible ring. It might then be easier to hand off a dossier to the FBI and convince 'em that there's something going on.
Only the dead have seen the end of war.
Firewall Kazowie reads ZoneAlarm logs and plays sounds effect wavs in real time depending which port was hit. On my box, I have a Star Trek themed sound effect on each port that Slashdot hits in sequence. Useless but entertaining.
One line blog. I hear that they're called Twitters now.
If you don't like the port scanning or can't stand to wait to post, don't post to Slashdot.
As for 'Firewall Kazowie', here is the blurb about it:
Agreed, but the "hacker" could be an employee who managed to discover the vulnerability before anyone on the outside. In such a case, the "non-trivial time and money" cost is inevitable, but I wouldn't necessarily consider it a "harm." In the same respect, the employee might be a malicious "cracker," and this is where the lines are drawn.
ZEN is a prime number in base-36
Unprosecutable because:
1) damages don't meet the threshold.
2) the system was unpatched and "invited" the hacker in - I hate this the most.
3) the system was not bannered "..by clicking ok, you agree to give up your expectation of privacy"... - also a stupid reason, but the case law is there.
4) the hostile systems are difficult to obtain evidence from (read: overseas, unfrienldy).
5) the hostile is obviously a script kiddie (stupid warez, IRC, etc.). Experience shows that the effort put forth to go after these idiots is not worth the 30 days probation a juvenile gets in MOST cases - damage dependant.
Can you post some links from a
Not Crackers,
Corn Bread!
There are exactly 42,935,718 letter sized sheets in a square mile.
Quite true.
For institutions in which maintaining customer faith in the security of their information is extremely critical, it might actually make sense to have IT people working with their software vendors and specifically looking for vulnerabilities before anybody else finds them. If your online banking system has a flaw, it's best if you or the vendor finds it before anybody else does in case that somebody else does something which sends your customers fleeing in droves and worrying about identity theft.
Of course, an employee might want to reconsider searching for vulnerabilities in his workplace system if it's not remotely part of his job, unless he's on sufficiently good terms with his boss and IT department to the point that they'll believe that it was for the good of the company and not so that he can sell the payroll information or whatever...
Only the dead have seen the end of war.
The article claims that shadowcrew is out-on-bond, and that the case is not even over yet. These guys (shadowcrew) will probably get an attorney who will explain that the Feds are nothing but a bunch of 'blow-hard-bastards', and that they should take the case all the way to court(s).
If this a case the Feds are 'proud' to give to BusinessWeek, I'd hate to see the ones they are *not* so proud to show us.
After all, the Feds don't even know where to look for these people.
I mean, they claim that alot of the so-called 'bad-guys' are in foreign countries like Russia, when even I know that they are in a place called *CyberSpace*.. :)
-- Don't hate me cuz I'm ugly
I will gladly loose all of life's battles.. in order to win the war..
So, in loose translation, the FBI doesn't have to/want to do their jobs with regard to cyber-crime because the Ass't. US Attorney won't do theirs unless it's just so glaring that the negative press might actually affect their mutual self-esteem? Net effect, the job doesn't get done, the average tax-paying citizen sees zero return on that fraction of the tax dollars we're paying (not quite zero, we get a shrug, "That's life."), oh, and by the way, both agencies are requesting MORE funds???
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
I hate this self indulgant crap.
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Bores you, or you're too stupid to learn. School isn't just about math and english, it's social skills.
Yes, I am a criminal. My crime is that of curiosity.
No, your crime is breaking the law and attacking people who you don't know for no other reason than you're bored.
News flash: being able to compile some script you got off IRC, using linux, or tricking someone does not make you a smart person.
Read it again and think of how a complete generation is becoming 'criminals' as we speak. Don't get caught up in the nonsense of the text.
I missed your point, on purpose. Can you see how the issue might seem to someone who does not have your unique vantage point? There's too much work, so you choose the high-profile cases. There's too much work, so you let the small fry continue to break the law. There's too much work, so you need more funding... All of this is more than likely true, however: My point is, to the eye of an average tax-paying citizen, me, it seems very much as if, because the average tax-paying citizen doesn't have large enough businesses or large enough losses, we don't rate any protection at all, and only those who pay larger amounts in taxes or sustain larger losses (regardless of relative ability to *bear* such losses) get their issues even heard, much less addressed. Beyond a massive education initiative so that the people affected are better-prepared to protect themselves (hence reducing the amount of work your beleaguered department has), how would you recommend solving this dilemma? And, really, do we want citizens knowing that we must protect ourselves because the people in the agencies we pay to protect us are so overworked? Methinks that way may lie vigilantism, which seems to get prosecuted much more vigorously for some reason.... Maybe we average folks don't get to see nearly enough of what's going on - maybe some network exec could follow a day/week/month in the life of a law enforcement official in yet another reality show, bring it home that it's not all doughnuts and jaywalkers, but meantime, there's still that pesky problem of appearances. I'm just letting you know how it looks from out here...
Take the 90-Day Challenge! http://rwmurker.bodybyvi.com/
The cops admit they can't rely on technology alone, they have to get back to basics: gumshoe work, people-on-the-ground, infiltration of the bad guys.
Good for them. Now will lawmakers begin to realize that Law Enforcement for the most part already has all the tools they need to fight crime? There is no need to keep ramping up the powers they are granting to the cops every damn year that directly or indirectly erode personal liberty in this country?
I'm not holding my breath.
Er, a large generation /might/ be becoming criminals, but with respect to computer crime that's a separate issue mostly -- file trading (and IIRC, many of them are probably only liable for civil suits so far since the bar for it becoming a criminal matter is fairly high). That's a lot more common of an offense than anything that might be considered hacking by even the most generous definitions.
As for the manifesto itself, it's absurd and incredibly egocentric. "Judging people by what they look like"? No; we're going to judge you by your actions, if you get caught trying to manipulate somebody else's bank account. A suspect's age, or lack thereof, is irrelevant other than one might actually get *leniency* if the court thinks that the accused is just a temporarily stupid kid who'll grow out of it if given another chance. A 43-year-old man of sound mind who should damn well know better by his age is probably more likely to get the book thrown at him.
Doesn't matter if you're fat or an athlete; precocious or not; curious or, er, not; living in your parent's basement like an impoverished vampire, or bedding every prom queen in a three-state area. The ethics and consequences of an act don't fundamentally change. Figuring out how one's DVD player handles CSS or figuring out how to update the data in your car's navigation system is still pretty spiffy, but spending one's time releasing worms that consume bandwidth and memory while forcing victims to figure out whether the worm could have installed any backdoors is still damaging -- and the more intelligent one is, the less excuse there is for not having thought of the consequences.
*snort*
Yet more rambling could take apart the whole "bored with school" line, as well. I knew a bloody lot of people who excelled academically; the most extreme might have been a person who (by the finish of her high school years) mastered calculus by about 13 or so, was fluent in multiple languages from different linguistic families, also played a musical instrument IIRC, and still somehow found the time to be a competent athlete. The 'smarter than her teachers' claim that often radiates from somewhat bright youngsters might actually have been true in her case, but instead of using this an obnoxious "I'm smart enough that your ethics don't apply to me" card, she and her parents simply raised the bars very, very high.
Only the dead have seen the end of war.
I subscribe to businessweek, and I was totally underwhelmed by the story. The entire thing centers around the breakup of the shadowcrew. No technical means were employed to do this. It happened because someone rolled on the organization. They used the informant to tell everyone to come online for a meeting and busted down their respective doors in traditional FBI style. How is this a group of elite FBI hackers? It's traditional law enforcement!
People who think they know everything really piss off those of us that actually do.
All this clearly is not acceptable. If there aren't enough officers to handle this, it is up to the authorities to secure better funding so they can handle what is clearly a massive problem.
I am not a robot. I am a unicorn.
His mom's basement doesn't count?
That's just it... The thresholds are high - not because those are the glamerous cases (the vast majority are sensitive enough NOT to make it to the press), but because they have the greatest impact on our society, and hence, the taxpayers. For example:
a) A Government contractor housing sensitive information is compromised. The cost to the taxpayer is not obvious, but it *is* there. And it's a greater cost than you might imagine. Compromised technology and data exfiltration -- funded by taxpayers like you.
b) your company's website is brutalized, and perhaps the customer database is somehow compromized. The cost in rebuiding the servers is (if it's really big) around $10,000 in man hours. Explain to me how a price will be put on the customer database. This will have to be done by the already overworked prosecuter in court (assuming it ever gets there). Prosecution and sentencing are based on damage to society, in most cases.
Which one do you think the FBI is most interested in (for the sake of the taxpayer)? In the case of the first, *all* taxpayers bear a burden. In the case of the second... not so much.
Understand this. Cybercrime investigators are overworked well beyond what you can imagine. A threshold *has* to be established. If you fall below that threshold, I'm sorry. Secure your systems.
The days of sending out the fire department to get little kitty out of the tree are over. This has nothing to do with "ignoring the little guy". It's economy of resources.
I wish I could. That list is based on plain old experience. There's no way they'd ever admit to that. Although, as you can see from the other comments, it pretty obvious.
Those are not "documented" requirements. They are plain realities.
First, that's not in every jurisdiction. Just in some of the more overworked ones. The threshold is not just a total of what was stolen, it includes man hours (for recovery and [non LE] investigation), along with other resources.
Second, it's still a federal offence. Speeding is still speeding, even if you pass a cop doing 65 in a 55. But does he stop you? If the cop tried to stop eveyone doing 65 in a 55, he'd never get the guy doing 80 (and the real danger).
I agree. And I'm willing to take donations.
But I'm running 1.0.1.4. (I guess I should update the build and description. :)
One line blog. I hear that they're called Twitters now.
translation: Commit multiple $50,000 crimes across multiple jurisdictions, and there are no consequences?!?!?
Actually I would prefer neither a Hacker or Cracker in my system. Either way if I found out who did it, I would ensure that they get slammed as hard as possible with any criminal charges that can be placed against them.
Just because you can get in doesn't mean you should. Now if a Hacker did come to me saying there may be a possibility of a vulnerability and that, with my permission of course, they would like to do a security audit I may be more amenable. Especially if they are willing to tell me what vulnerabilities they think there may be.
At that point I wouldn't consider them a Hacker as essentially they are getting paid for their work. Course that doesn't mean they have lost the "thrill"
LOL
Im sure thats why the freedom loving arabs are attacking us, because we threaten their democracies hahahahhaha.
But reverse-engineering does have negative consequences. It dilutes the value of that company's intellectual property, which does have monetary value. It can also lead to a company, and thus its stockholders, being deprived of profits. Sure, not everyone copying something would have bought it if they couldn't copy it, but there are some that would have. It may be very hard to measure the exact loss, but that doesn't mean it doesn't exist.
Everytime I hear someone say "That's gay!" it makes me cringe. How's that for brainwashing the young?
> Why do you hate our troops?
... not win a popularity contest.
Because I don't live in your country.
Why do your troops occupy so much of the globe when no war is declared?
Why do you even need troops, if your lifestyle is so good, why would you ever need to use deadly force to convince others you're right?
If you don't read Lenin books, how can you know you don't agree with him?
Well those are really rhetorical questions, but here's an interesting question:
Do you, your troops, or your government care that half your population and most of the rest of the world hate them? Last I heard the job of your troops was to protect the interests of your government (and in theory, you)
A croporation abusing of it's monopoly surely deserves to be ripped-off; this is what reverse-engineering does, and as such, shall be entirely protected by law, simply as a message to potential abusive monopolists.
We're not talking about protecting a company's profit, we're talking about preventing someone from outright stealing something. By reverse-engineering something, you are stealing profits from that company. Or would you rather have the government decide what forms of theft are morally right?
(hint: in my country, the Supreme Court has decided that sharing music online isn't theft).