Slashdot Mirror


DHS Injects Itself With DDoS

An anonymous reader writes "Here's a story about what can happen to any enterprise IT department that overestimates the intelligence of its users. Only in this case, the enterprise in question is the U.S. Department of Homeland Security. The spokesman says there's no Jack Bauer mentality. No kidding!"

36 of 136 comments

  1. DDoS? by siddesu · · Score: 3, Insightful

    sounds like a bad case of misconfiguration to me.

    1. Re:DDoS? by omeomi · · Score: 4, Informative

      Yeah, a mailing list with a lot of people hitting "reply all" really isn't the same as a DDoS attack...it's just a mailing list with a lot of people hitting "reply all"

    2. Re:DDoS? by E IS mC(Square) · · Score: 2, Interesting

      a mailing list with a lot of people hitting "reply all" really isn't the same as a DDoS attack
      Maybe not in this case, but that's exactly what happened when the network came to a standstill and Exchange servers melted down for exactly the same reason at a very large company I work for.

      It started with a very creative admin creating a mailing list "to-all". Within 3 hours, somebody who had a lot of time on his hands found it out and sent out some naive message to the list. The classic snowball effect followed with "remove me"s and "stop replying to all"s - and within the next 3 hours, it became so bad that the only option left was to purge queues and shut down all the email servers, which resulted in hundreds of emails bounced and lost - internal as well as external (which I am sure also resulted in loss of revenue directly or indirectly). And I guess that's what DDoS means.

      It was funny and sad at the same time - you can't stop laughing at the stupidity of people and their ability to do better than any other virus sending bulk emails to all in your address book.
    3. Re:DDoS? by jbengt · · Score: 2, Interesting

      We encountered a pretty stupid configuration issue where I work once.
      A guy who was going on vacation set up an out-of-office reply, but set it up to reply to "all employees".
      "Reply only once" was not set, and apparently automatically replying to the group "all employees" includes sending a reply to the sender who then receives the reply and sends a response to everyone, including himself. So the system entered an infinite loop.
      I got into the office early and could actually still log in; I had about 100 e-mail messages at the time. Within 5 minutes the email system bogged down completely, so it was shut down manually. After an hour or so of figuring out what had happened, the offending account was modified, the mail boxes were wiped clean, and the previous night's backup was restored.

  2. Listserv Idiocy by astrotek · · Score: 5, Informative

    lol, happened at college all the time

    you get 5-6 idiots that reply to all
    then you get 50-60 idiots telling them not to reply to all
    and 50-60 more idiots trying to have a conversation to the first 5-6 idiots

    1. Re:Listserv Idiocy by MillionthMonkey · · Score: 5, Funny

      OK, guys, stop posting, or thousands of people are going to cumulatively spend hours reading your post and wasting their time! STOP WRITING POSTS EVERYONE!

    2. Re:Listserv Idiocy by Anonymous Coward · · Score: 2, Funny

      OK, guys, stop posting, or thousands of people are going to cumulatively spend hours reading your post and wasting their time! STOP WRITING POSTS EVERYONE!
      Reply All: OK
    3. Re:Listserv Idiocy by Beryllium Sphere(tm) · · Score: 3, Informative
    4. Re:Listserv Idiocy by Anonymous Coward · · Score: 5, Funny

      plz UNSUBSCRIBE me from this website.

    5. Re:Listserv Idiocy by MillionthMonkey · · Score: 5, Funny

      Well now that I have everyone's address I might as well send this out... has anyone seen my pencil sharpener?

    6. Re:Listserv Idiocy by mjsottile77 · · Score: 3, Funny

      Or the other favorite, the single moron who doesn't know how to unsubscribe and sends "unsubscribe" to the list, followed by others who do the same, followed by people sending instructions to unsubscribe, followed by more "unsubscribe" messages by those who can't follow instructions.

    7. Re:Listserv Idiocy by 2Bits · · Score: 2, Funny

      Godwin's Law is a more efficient way :)

      Ok, I invoke it now.

    8. Re:Listserv Idiocy by MLease · · Score: 5, Funny

      Only a Nazi would deliberately try to invoke Godwin's Law!

      -Mike

      --
      I'm sorry; I don't know what I was thinking!
    9. Re:Listserv Idiocy by Rebelgecko · · Score: 5, Funny

      I'm a little scared about clicking a link to a website called "m sex change team.com"

      --
      CATS/Diebold '08- All your vote are belong to us!
    10. Re:Listserv Idiocy by Mr. Freeman · · Score: 4, Funny

      I have no information on the whereabouts of your pencil sharpener. However, I believe you have my stapler. It's a red swingline, I kept it because it doesn't bind up as much as the new ones.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    11. Re:Listserv Idiocy by mcrbids · · Score: 2, Funny

      lol, happened at college all the time

      What college did you go to? Because it seems that some of those "idiots" now work for the State Dept. of Education! Seriously, in my line of work, I get notices from SDE (State Dept. of Educ.) and in nearly every case, ALL THE RECIPIENTS ARE ON THE TO LINE.

      I've been SO TEMPTED to reply all with the message: "Do you realize that the State Department of Education has provided me with your Email address, and if the computer of any of these kazillion recipients is infected with a virus, you'll soon be inundated with lots of SPAM regarding the size of your genitalia, don't you? So, next time you get a p3niz p1llz email, don't blame me!" except that since most of the recipients of the email are my clients or potential clients, I would never, ever, ever, do that.

      Maybe I could get away with some inane comment about the message, maybe a point of clarification? Dunno. When your income/job/career is on the line, you'll (not) do amazing things to keep everything on course...

      But it's fun to think about...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    12. Re:Listserv Idiocy by tardis · · Score: 3, Funny

      My husband was once asked to design the website for a home electronics reseller:
      electronicsexchange.com
      Sadly, it appears to now be squatter-meat.

    13. Re:Listserv Idiocy by laejoh · · Score: 4, Funny

      How friggin dare anyone out there write posts after all this website has been through.

      /. lost her bandwidth, /. went through a slashdot effect. /. had two friggin sharks with lasers on their heads.

      Her administrator turned out to be a user, a cheater, and now /. going through a ddos. All you people care about is..... readers and making money off of her.

      /.'s A WEBSITE! What you don't realize is that /. is making you all this money and all you do is write a bunch of crap about her.

      /. hasn't performed on the web in years. /. songs is called "give me hotgrits" for a reason because all you people want is MORE MORE MORE MORE MORE.

      LEAVE /. ALONE! You are lucky /. even performed for you BASTARDS!

      LEEEAVE /. ALLLLLONE!.....Please.

      Cowboy Neal talked about professionalism and said if kdawson was a professional he would've pulled it off no matter what.

      Speaking of professionalism, when is it professional to publicly bash someone who is going through a hard time.

      Leave /. Alone Please.... Leave /. alone...right now....I mean it.

      Anyone that has a problem with /. you deal with me, because /. is not well right now.

      leave /. alone

  3. DHS by Lobster Quadrille · · Score: 5, Funny

    Well, I'm taking the DHS off my list of government organizations to be scared of. Considering recent news regarding the DoD, it's pretty much down to the CIA and the NSA, and I have my doubts about their competence.

    My tinfoil hat may be unnecessary after all.

    --
    "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    1. Re:DHS by Garridan · · Score: 3, Insightful

      Or is it all just a ruse, to lull you into a false sense of security?

    2. Re:DHS by ScrewMaster · · Score: 3, Insightful

      Well, as others have pointed out it's better (from a civil liberties perspective) to have these people be wasteful and incompetent than highly effective and dangerous.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:DHS by tftp · · Score: 4, Insightful

      Unfortunately, they can be incompetent and dangerous at the same time, like a drunk driver.

    4. Re:DHS by JonathanR · · Score: 2, Interesting

      It's Allhu Akbar, you imposter.

      (An idiomatic translation of which is embossed/printed on all US currency)

    5. Re:DHS by Dishevel · · Score: 2, Interesting

      Security is not nearly as important as Freedom. I mean hell. We might as well let everyone go aboard aircraft with knives and scissors and such. Never again will a few semi-armed men be able to take control of an aircraft again. Passengers will not let it happen. We only need security at the borders and the ports. The Air is safe.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    6. Re:DHS by KDR_11k · · Score: 2, Funny

      "It's a trap!"

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    7. Re:DHS by Bearhouse · · Score: 3, Insightful

      "Or is it all just a ruse, to lull you into a false sense of INsecurity?"

      Fixed that for you.

  4. Drugs are bad, Mmmmmkay? by dangitman · · Score: 3, Funny

    DHS Injects Itself With DDoS

    I yearn for the simpler days, when DOS came on floppy disks, rather than medical instruments.

    --
    ... and then they built the supercollider.
    1. Re:Drugs are bad, Mmmmmkay? by Lobster Quadrille · · Score: 2, Funny

      You can't get the full effect by taking it in floppy form though. Once you've mainlined the stuff, you'll never want to go back.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  5. Wrong character by charlesbakerharris · · Score: 5, Funny

    Sounds more like they could use a Chloe mentality. She, at least, never overestimates the intelligence of other users.

  6. Re:Feel Safer? by Anonymous Coward · · Score: 5, Funny

    October 2007
    November
    December
    January 2008
    February
    March
    April
    May
    June
    July
    August
    September
    October
    November
    December
    January 2009

    Looks like 16 months to me. Of course, I graduated before No Child Left Behind.

  7. Damn it, Chloe by patio11 · · Score: 4, Funny

    Drop the personality disorder and patch me through.

    ---

    I liked Chloe so much that I have a Cygwin alias for ssh into my VPS. It is, of course, damnitchloe. Really it's more like damTAB but I get a chuckle every time I see it.

    I can also watch Season 7 of 24 in a command line, due to an extremely efficient homebrew compression scheme. Observe:

    ruby -e "(24 * 6).times do puts 'Damn it'; end"

  8. I meant, "Who hasn't..." by Valdrax · · Score: 5, Funny

    Stop!
    Grammar time.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  9. I'm on that ListServe... by StickyWidget · · Score: 2, Informative
    The issue wasn't with a DDoS, the issue was that when you sent an email to the listserve, it was sent with your email in the "To:" header. Which means that all the out of office messages came back directly to the sender. I saw several SIPRNET and NIPRNET addresses in the contact information for these people. Even better were the "I'm out of the office until November 15th, please forward all billing questions to So and So".

    Several were group email accounts at Security Operations Centers, NOCs, and I think I saw a few power plants as well (one woman said that it was the "Command Center", speaking about the operations center at a major insurance company). Not to mention I'm still getting unanswerable emails back from email servers giving me the exact email address. I'd estimate I have around 1000 sets of contact information for people in the security industry, how many of those are actual LOGINS as well?

    I'll put up a page with a breakdown of the information in the next week, then maybe Slashdot will put up my submission "DHS Email List Exposes Private User Data".

    ~Sticky
    /Grousing about rejected submissions is typically offtopic.
    //Which is why I said some other stuff first.

  10. It was hilarious by gumbo · · Score: 2, Interesting

    This was too funny, I was reading these messages all morning. So many completely stupid people sending messages out with their title, agency, often phone numbers, etc. Some having fun with it and a whole bunch going "stop sending e-mails!" The best was the official reply that came a few hours in, which said "please don't use 'reply all.'"

    Even better was that anyone in the world could send to the mailing list, it didn't even check to see if you were subscribed before sending your message out. Trust me, I tried it. You also get a few hundred more e-mail addresses and all kinds of internal company details from the out-of-office replies (e.g., "I'm on medical leave, contact so-and-so at x1234").

    Now, it was no big surprise, I do security in the federal government and so I know how clueless so many of my coworkers are. But it was hilarious to watch it all play out so publicly and persistently; it just kept going throughout most of the day.
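
A list-server posting gate covering the failures described in the comments above (non-subscribers could post, and out-of-office responders fed the loop), written as an added example that is not part of the thread or of any DHS system. The list address, roster, `gate` function and sample messages are hypothetical; the headers checked are `Auto-Submitted` (RFC 3834), `Precedence`, `X-Loop` and Exchange's `X-Auto-Response-Suppress`.

```python
from email import message_from_string
from email.utils import parseaddr

LIST_ADDR = "announce@lists.example.org"                # hypothetical list address
SUBSCRIBERS = {"alice@example.org", "bob@example.org"}  # constructed roster

def is_auto_reply(msg):
    """True for vacation notices and other machine-generated mail."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":                                    # RFC 3834 marker
        return True
    if (msg.get("Precedence") or "").strip().lower() in {"bulk", "junk", "list"}:
        return True
    # Fallback heuristic for responders that set no header at all.
    subject = (msg.get("Subject") or "").strip().lower()
    return subject.startswith(("out of office", "automatic reply", "autoreply"))

def gate(raw):
    """Return (action, outgoing message or None) for one inbound post."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if (msg.get("X-Loop") or "").strip().lower() == LIST_ADDR:
        return "discard-loop", None        # our own distribution coming back
    if is_auto_reply(msg):
        return "discard-auto", None        # never fan an auto-reply out to everyone
    if sender not in SUBSCRIBERS:
        return "hold-nonmember", None      # moderator queue instead of the list
    # Stamp the outgoing copy so well-behaved responders stay quiet.
    for name in ("Precedence", "X-Loop", "List-Id", "X-Auto-Response-Suppress"):
        del msg[name]                      # no error if the header is absent
    msg["Precedence"] = "list"
    msg["X-Loop"] = LIST_ADDR
    msg["List-Id"] = "<announce.lists.example.org>"
    msg["X-Auto-Response-Suppress"] = "OOF, AutoReply"  # honoured by Exchange
    return "distribute", msg

def sample_mail(sender, subject, extra=""):
    """Build a constructed inbound message; `extra` holds additional header lines."""
    return f"From: {sender}\nTo: {LIST_ADDR}\nSubject: {subject}\n{extra}\nbody\n"

if __name__ == "__main__":
    for raw in (sample_mail("alice@example.org", "Agenda"),
                sample_mail("bob@example.org", "Out of Office: back Nov 15"),
                sample_mail("mallory@example.net", "please remove me")):
        print(gate(raw)[0])
```

The gate does nothing about subscribers who deliberately hit "reply all"; that needs moderation or a restricted set of allowed posters.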

  11. Re:Feel Safer? by phantomlord · · Score: 2, Informative

    I recently pointed this out to a friend of mine... here's the full list:

    President       Highest office served, executive preferred
    GWB             Governor
    Clinton         Governor
    GHWB            Vice President
    Reagan          Governor
    Carter          Governor
    Ford            Vice President
    Nixon           Vice President
    LB Johnson      Vice President
    Kennedy         Senator
    Eisenhower      General (Supreme Commander of Allied Forces)
    Truman          Vice President
    FDR             Governor
    Hoover          Secretary of Commerce
    Coolidge        Vice President/Governor
    Harding         Lt. Governor
    Wilson          Governor
    Taft            Governor, Chief Justice
    TR              Vice President, Governor
    McKinley        Governor
    Cleveland       President
    Harrison        Senator
    Cleveland       Governor
    McArthur        Vice President
    Garfield        General, US Representative
    Hayes           Governor
    Grant           General
    A Johnson       Vice President
    Lincoln         US Representative
    Buchanan        Secretary of State, Senator
    Pierce          General, Senator
    Fillmore        Vice President
    Taylor          General
    Polk            Governor
    Tyler           Vice President, Governor
    Harrison        General, military Governor
    Van Buren       Vice President, Governor
    Jackson         General, military Governor
    JQ Adams        Secretary of State, Senator
    Monroe          Governor
    Madison         Secretary of State, numerous founding documents
    Jefferson       Vice President, Governor, that whole Declaration thing
    John Adams      Vice President, lots of pre-Revolution stuff
    Washington      Uh, General who won our independence

    Vice President or Governor: 29 (including the last 8 Presidents)
    General: 6
    Non-VP cabinet member: 4
    Congressman with no executive experience: 3

    That's a 3/42 (7.14%) historical chance of a Senator being elected
    President with no executive experience.

    Yeah, side note before I get called out on it... there have been 43 presidents, but Cleveland served as two different numbers (22 and 24) so his previous experience only counts once.

    --
    Don't leave your mind so open that your brain falls out. Don't close it so much that you cut off the blood.