Largest Hacking Scam in Canadian History

vieux schnock writes "Police raided several homes across Quebec on Wednesday and arrested 16 people in their investigation, which they say uncovered the largest hacking scam in Canadian history. (...) The hackers collaborated online to attack and take control of as many as one million computers around the world that were not equipped with anti-virus software or firewalls."

Really?

[ImprovGuy]

Are there that many computers without anti-virus software or firewalls on the Internet?

Re:Really?

[Brian+Gordon]

Are you serious? There are hundreds of millions of PCs in the world (billions?), and the vast majority of them aren't properly secured. Also the vast majority of them have 10 smiley toolbars and take 45 minutes to boot.

Re:Really?

[PrescriptionWarning]

Yes, there are that many Windows machines on the internet.

Re:Really?

[Divebus]

I think he was trying to be funny... weren't you, Bill?

Re:Really?

[TheRealMindChild]

It doesn't even really matter at this point. Let's be honest... the average computer user doesn't know the difference between U2-Somesong.mp3 and U2-SomeSong.exe. It doesn't take much to write an application that would be able to run in a restricted user account... just connect outbound on port 80 for coordination, and for payload delivery. The code would be simple enough that you could change the binary significantly enough that the fingerprinting that virus scanners use are practically worthless.

That doesn't even address the vector of replacing the setup.exe (or equivalent) on, say, an Office 2003 cd posted on thepiratebay. Obviously, the install has to run as admin, so you pretty much know, you are a shoe in for a compromised machine for anyone who tries to install it. And again, it would be such a trivial, simple application, that you could change the attacking binary pretty much at will.

Re:Really?

Darn! None of my ubuntu systems have anti virus or firewalls. Have I been hacked then?

Re:Really?

[GreatBunzinni]

It doesn't even really matter at this point. Let's be honest... the average computer user doesn't know the difference between U2-Somesong.mp3 and U2-SomeSong.exe.

To make matters worse, some attacks may even occur if you are dealing with safe file types, like a PNG or even PDF. Some security problems exist due to the user's ignorance or idiocy but "some" isn't exactly the same thing as "all".

Re:Really?

[CarpetShark]

That doesn't even address the vector of replacing the setup.exe (or equivalent) on, say, an Office 2003 cd posted on thepiratebay.

Why stop there? Most of the Windows OS torrents are slipstreamed. There's no reason to assume they didn't slipstream a few viruses, bots, and backdoors in there too.

Re:Really?

I truly hope you're not equating "anti-virus and firewall" with "properly secured". While perhaps good ideas for some, they are hardly neither required nor sufficient in many cases.

Re:Really?

[Anne+Thwacks]

the average computer user doesn't know the difference between U2-Somesong.mp3 and U2-SomeSong.exe.

The average user cannot tell there is a difference - because the Windows default is to hide the extension!

It may be criminally insane, but its the default.

Re:Really?

[Oktober+Sunset]

It may be criminally insane, but that's the Microsoft way!

Re:Really?

There's a web of trust on the piratebay with trusted uploaders. Installing an OS or running a keygen from a newbie uploader is virtually guaranteeing you to get a trojan downloader. I've been playing around with a few of the torrents from the piratebay and installing them on a separate vlan at home. It's very enlightening watching all the network traffic when the compromised OS calls home. I am pretty sure this is one of the primary "seeding" vectors for the nu-war storm network. I weekly find new morphed storm clients using these trojan downloaders and I always submit them to virustotal.com.

Moral of the story: Only trrrrust the pirates with the green skull. Arrrr.

Re:Really?

[ultranova]

To make matters worse, some attacks may even occur if you are dealing with safe file types, like a PNG or even PDF.

There are no safe file types. All files can be viewed as programs meant to run in a specialized virtual machine (the program which is used to open them). For example, a PNG file is a program which, when run, will compute an array of bytes (the image pixels). The same goes to PDF. In this view, since all files are programs, it is in principle possible that any of them could contain code which can result in unexpected behavior of the virtual machine executing them.

Of course some file types are easier to compromize than others, either due to sheer complexity or ambiguity of the specification or because they are Turing complete. However, it is impossible to guarantee that every viewer for any file type is free of defects. Anyone still remember ANSI codes for DOS, which could be embedded to text to change color but also to set macros to keyboard keys when the file was viewed ? And of course SQL injection attacks are based on formatting a text string so it will cause unexpected results, not to mention causing a buffer overflow with an overlong string.

I repeat: there are no safe file types. They all have a potential to contain malicious code, because there is no such thing as data which is not also a program. From a certain point of view, GIMP is simply a very specialized compiler...

Re:Really?

[Mister+Whirly]

"Let's be honest... the average computer user doesn't know the difference between U2-Somesong.mp3 and U2-SomeSong.exe."

Thank god I do. I would much rather have the malware ridden U2-SomeSong.exe than an actual MP3 by U2. That would just be awful.

Re:Really?

[Mister+Whirly]

It is the default because 95% of users don't care about file type/extensions. Why would any company cater to 5% of their customers? That would be insane.

Re:Really?

[irc.goatse.cx+troll]

I kind of have to wonder why nobody has proposed some kind of govt subsidized antivirus program. If we can spend tax dollars on Americas Army, why not buy out ESET or similar and allow all US residents (or the world, for good will) to get a good free antivirus?

The price of computers keeps coming down. Anyone can buy a $400 walmart pc if not a cheaper second hand one from someone upgrading. Not everybody is going to be willing to shell out $80/yr or so on an antivirus that they don't understand the point to. Yet at the same time due to the nature of worms and botnets, its in everyones best interest if these people are protected*. Note that this should be OPTIONAL as personally I would worry about the privacy aspects of it, but if all the big and cheap pc manufacturers shipped with it I think the internet might clean up a bit.

While I'm normally for smaller government and less spending, I think we're past the point of that being an option and would really rather see the money spent on a program like that than many other proposals.

* I know you or I don't really need an antivirus, but these people do.

Re:Really?

There are good "free" anti-virus software solutions for home users. AVG comes to mind. Why waste tax dollars?

Re:Really?

[nlitement]

Or get proper scene releases (even from public trackers) instead of silly little Piratebay torrents.

Re:Really?

[beckerist]

I know, right? At least the exe would give me a few minutes of entertainment...

Re:Really?

[operagost]

Kinda sounds like that guy who refuses to close his open SMTP relay and claims spam is everyone else's fault.

Re:Really?

[operagost]

Is a text file containing a single line of text followed by a carriage return a program? How about the standard input device? When I type at the console keyboard, is that a program feeding into a "virtual machine" created by the console driver? If not, why is a disk device different from another device?

Re:Really?

[operagost]

That's what we need: more government programs. Necessarily, since the government is providing "free" antivirus, 100% compliance by the subj... I mean citizens will be required-- just like universal health care. If you're running an OS unsupported by the socialized antivirus, you'll have to switch to a supported one "for your own safety".

Re:Really?

[ColdWetDog]

It may be criminally insane, but that's the Microsoft way!

It's also the default behavior for OS X.

You can check out any time you like, you just can never leave.

Re:Really?

[value_added]

The average user cannot tell there is a difference - because the Windows default is to hide the extension! It may be criminally insane, but its the default.

To the extent Windows reliance on extensions actually works. What's one to do with greetingcard.exe.pdf, to say nothing of more creative variations on the file naming scheme, or similar URL mechanisms in the context of an email client?

Add to the equation that it would be highly unusual if the majority of files on a typical user's hard driver weren't created with something akin to rwxrwxrwx. Good thing people have all those warning dialog boxes to warn them. People pay attention to those, right?

Re:Really?

[digitalaudiorock]

The average user cannot tell there is a difference - because the Windows default is to hide the extension!

It may be criminally insane, but its the default. That's one that's driven me crazy for years. I'm sure it goes back to early days of Windows and their attempt to look more like Mac OS 9 (which got the file type info from the resource fork). Any time I do something for anyone on their Windows machine and the extensions are hidden I just change the setting...I don't even ask if that's what they want.

Who else here has ever been trying to walk someone though a software install over the phone and said "Now double click 'Setup'"...and they respond "which one"...because of course there's setup.exe, setup.ini, etc etc...just awful.

Re:Really?

I think you're missing the fundamental theorem of modern computer science -- that "data" and "instruction" are completely interchangeable. See generally, the halting problem.

Re:Really?

[ultranova]

Is a text file containing a single line of text followed by a carriage return a program?

It can be. For example:

'; ROLLBACK; UPDATE users SET admin = true WHERE username = 'ultranova'; '

If the virtual machine which handles the username field of Slashdot login form naively passed this string to the database layer without specifically quoting it, this text string would make my account an admin account; well, actually, since I haven't studied Slashdcode, it propably wouldn't, but the point still stands: even text is not an inherently safe data format in all circumstances.

How about the standard input device? When I type at the console keyboard, is that a program feeding into a "virtual machine" created by the console driver?

The virtual machine in this case would be whatever program receives the input. And yes, the text you type is indeed a program being executed by that machine; each time it receives a keypress from you, that keypress instructs it to do something, right ? Even if that something is merely to output the letter (altought a text editor would also store the input internally, of course). And that is what a program is: a list of instructions.

If not, why is a disk device different from another device?

It isn't.

Re:Really?

[cylcyl]

It may be criminally insane, but that's the Microsoft way!

It's also the default behavior for OS X.

You can check out any time you like, you just can never leave.

Are you referring to file extensions or criminal insanity? I ran OS X 10.4 and 10.5 with default settings (I'm a noob to Macs) and I always see file extensions...

Re:Really?

[Arterion]

I'm with you on this. I know there may be a True Computer Science definition that makes the GP true, but I don't tend to think of data as a program. Some binary data could be considered code to execute, but surely not text files that are parsed?

Okay, sure, there are scripts, but they have special parsers that turn the text into Real Code that CAN execute. I don't think notepad can turn a text document into Real Code.

Re:Really?

[Bronster]

Our mx servers have a list of over a million machines which are blocked from talking SMTP to us for three days thanks to past bad behaviour. In a single hour nearly 200,000 of them tried multiple SMTP connection attempts.

Yes, I'd believe those numbers.

Re:Really?

[nopainogain]

and the repair of these poorly maintained PCs paid for my tuition and beer in college.
Long live idiots, for without them, being smart means nothing, and pays less.

Re:Really?

[nopainogain]

personally,
i think running windows is criminally insane, but i'm certain to incite a flame war among the microsoftskulls. I know it isn't perfect but i have never had to panick over a critical patch on one of my Linux based machines.

Re:Really?

The OP has suggested a view that I have often thought about myself, although I have rarely found anyone who quickly grasps the concept.

Think of notepad since you have mentioned it. When notepad opens a file it looks at the contents and does certain things depending on the content of the file. If the first character is hex 61 then notepad will display an "a" in the first character location on the screen. OK, so that is because hex 61 is ascii "a" but that is an arbitrary choice that has been standardised. You can if you like look at notepad as if it is an interpreter for a rather strange and limited language where 0x61 is one of the commands. In some ways it is rather like those old interpreted basics since it is responding both to the file you have opened and to the keys you press on the keyboard. There have been attempts to make languages where instead of typing in commands you select icons with a GUI and join them up in a flowchart like sequence. The ones I saw were interpreted but there is nothing to stop them being a compiled language and thus eventually resulting in real code in a binary file. It is only a small step from there to looking at say photoshop as being a sort of real time mode interpreted language. (Real time in the sense that the commands execute straight away, like the mode in the old basics.)

In some ways this insight is interesting, although not necessarily very useful. But it should serve to remind us that much of our thinking about computers is based on elaborate analogies which the computer itself has no knowledge of. So the distinction between data and code is purely arbitrary. This tends to be more obvious when you play around with assembly, where the machine will happily let you attempt to execute data. For example you can set up a jump into a block of what is meant to be data and the machine will not object in the slightest. The results will of course be unlikely to have any meaning in terms of the analogies we have set up for ourselves, but the machine neither know nor cares since it has no means of doing so.

So Notepad will in fact execute certain real code in response to both the contents of the data file and the keyboard actions of the user. That is fine and good and need not be of any concern to the user, unless what it does is not what we expected in terms of the intended behaviour. An example of this sort of thing would be a buffer overflow allowing an external person to push what should (in terms of our analogies) be data into a place where it will get executed as if it was code.

Re:Really?

This is the case for Von Neumann machines because they have a single memory area for programs and data. An attacker only has to move the current program control flow to some compromised place in the data (say some lines of machine code hidden in a corrupt bitmap) and the processor will happily compute those instructions. In other architectures, namely Harvard architecture, there are physically seperate memory locations for programs and data and the processor WILL not carry out instructions "hidden" in data. A shift towards seperate memory architectures is required to secure computers. Unfortunately a paradigm shift at this level is all but impossible in general purpose computing.

Re:Really?

[kesuki]

Windows firewall doesn't count, as it is the only firewall in history to score a 0 (out of 9,625 points) without actually being Malware. http://www.pcworld.idg.com.au/index.php/id;159719021

so yes, there are more than 1 million PCs without Working firewalls, or working anti-virus.

Re:Really?

[ultranova]

In other architectures, namely Harvard architecture, there are physically seperate memory locations for programs and data and the processor WILL not carry out instructions "hidden" in data. A shift towards seperate memory architectures is required to secure computers. Unfortunately a paradigm shift at this level is all but impossible in general purpose computing.

No, but whatever program is running on the processor and interpreting the data will. SQL database, Python interpreter, Mozilla... all of these are based on treating text (data) as a list of instructions (program). It is obvious in the case of Python, since that is openly a programming language, but HTML itself can be considered a series of instructions for building the DOM tree, which then gets rendered, as dictated by default rules and those given by optional CSS; and of course there is always Javascript.

It is impossible for a general purpose computing to be immune for this class of attacks. Not just "all but impossible", but flat out impossible due to a logical flaw: the very ability to simulate different machines which treat data as a list of instructions - program - is what makes it a "general purpose" computer. If you can program it, you can program it to misbehave when it reads a suitably malformed PDF/PNG/HTML/SQL/whatever file. The only way around that would be for the computer to be intelligent and capable of common sense, so it could understand that the programmer propably didn't mean for it to execute any random piece of SQL someone feeds into a Web forum login box; but then it would be vulnerable to social engineering.

Re:Really?

[palegray.net]

What are you talking about? Windows comes with a fantastic firew#@$@%$%@@@#$@xs982_227s7 [NO CARRIER]

Re:Really?

[macdaddy]

Out of curiosity, what tools or methods are you using to detect bad behavior and then block it? I'm always on the lookout for new tools for my toolkit. I use Fail2ban for SSH scanners. I've used Port Sentry for port scanners. I haven't found any good tools for blocking SMTP bots guessing email addresses with Rumplestilskin attacks, though I would love to employ one. Currently I'm in search of a method to tie such tools into my RTBH trigger router to blackhole bad hosts at my network edges. I could script something together but I'd at least be interested in looking at an existing tool if for no other reason than to get ideas.

Re:Really?

[Bronster]

The biggest is connecting and then failing to complete an SMTP transaction. There's also enumeration and some heuristics based on reverse lookups and netblocks. I don't know how much of it's readily sharable, it's all internal stuff that we put together over the years at FastMail, and like most of our internal systems, it has deep and ugly hooks into everything. We use open source packages, and contribute quite a bit back to those projects, but I doubt anyone wants to see the perl duct tape that holds it all together, and we don't really want to share it all because unfortunately security-through-obscurity still helps in the anti-spam arms race!

Re:Really?

[macdaddy]

That's understandable. I've been in the anti-spam race for a long time now. I wish I had as much time to contribute to the fight as I one did. For my MTA I use Canit-Pro. That gives me a good window in the SMTP dialog as it's happening thanks to good old Sendmail's milter options. I'm needing something that's more network-centric though. I need something that can listen on a promisc port and listen for network reconnaissance scans and actual network-based attacks so it can alert me and I can react. I was watching traffic on a couple span ports tonight between my ISP core and the border routers. Based on relatively simple observations I saw malicious horse shit and added the sources to our RTBH. If only I could automate that process...

Re:Really?

[Bronster]

Yeah, we have a wodge of perl that sits there scanning logs, getting stats out of the policy daemon (Postfix policy daemon is very handy) and generally making educated guesses as to the probability that a site really is nothing but a spam source. Once it's satisfied, they go into the early block list which doesn't even get a reverse DNS lookup, just accept and then drop. We're thinking of moving to accept and teargrub actually, assuming we can do it in a way that doesn't overload the machine with idle processes.

You just know it'll be disappointing..

[Brian+Gordon]

Largest "x" in Canadian history!

Spot the key words

[Silver+Sloth]

The hackers collaborated online to attack and take control of as many as one million computers around the world that were not equipped with anti-virus software or firewalls

Police won't reveal what the information was used for but investigators estimate that the network profited by as much as $45 million. Hmm... as many as, as much as, or maybe they're inflating the figures to show what macho investigators they are.

Re:Spot the key words

[powerlord]

Nah, nothing so covert. Its simply that, "as many as", sounds a lot better than, "three computers we know about, but we really have no clue" or "we found 5 million deposited in their bank accounts in the last month, but the accounts have been open for nine months, so who knows how much money they could have collected previously".

Alternatively they probably have a pretty good idea of the ranges involved, but hey, high numbers make a better press release.

Re:Spot the key words

[Skeet112]

If they are trying to be macho, that's probably not the only thing they are "inflating".

Re:Spot the key words

[Otter]

I dunno -- is a million nodes especially large for a botnet? It seems consistent with the various botnet stories linked here, and quite conservative compared to the usual estimates here of the prevalence of compromised Windows systems (i.e. all of them, if not more).

Re:Spot the key words

[Tony+Hoyle]

1 million machines in a network talking to each other would probably consume more bandwidth in network overhead than useful work. Even instructing 1 million independent machines to do the same thing would take a considerable amount of time/bandwidth (eg. send a spam email to each one plus a list of targets so they can begin spamming... that's a million emails you've got to send - might as well send the spam yourself).

Re:Spot the key words

[Otter]

At any rate, I was mistaken -- while some of the wilder claims of botnet size are in the millions, realistic estimates put even the largest in the low six figures. So the OP is correct that the figure given here is rather improbable.

Re:Spot the key words

[somersault]

Why would they be talking to each other rather than just a single controller? Or one of several controllers. IANAbotnetwriter, but I don't really see the need for them to communicate with each other, unless it's through an attempt to obfuscate the original source of a command sent to the network. The internet has several million machines in a network and it seems to do okay for itself.

Re:Spot the key words

[tlhIngan]

1 million machines in a network talking to each other would probably consume more bandwidth in network overhead than useful work. Even instructing 1 million independent machines to do the same thing would take a considerable amount of time/bandwidth (eg. send a spam email to each one plus a list of targets so they can begin spamming... that's a million emails you've got to send - might as well send the spam yourself).

Except that a good botnet doesn't have to have machines talking to each other. Each compromised machine just needs to find a few others to get its orders from, who gets its orders from someone higher in the chain, etc.

There doesn't have to be communications back to the server.

For spamming, each machine gets a list of a bunch of usernames from a peer who shares its list, and gets other addresses from other peers. That's why you can end up with multiple copies of the same spam in your inbox - the spammers don't care if you get 1000 copies of the same email. And the spambots don't bother marking off an email as sent to a specific address and tell everyone, they just run through their own lists.

This way, the only real communication happens top down, fire-and-forget method. If someone buys 1,000,000 emails, spammer can send out more just to ensure that 1,000,000 people got it. But since they're scammers, it doesn't matter if it went to 10,000 people 100 times.

Re:Spot the key words

[ultranova]

Why would you instruct them all yourself ? Send the instruction into 10 machines (or even a single one). They each send it to ten other machines, they each to 10 and so on. While some machines will of course receive the same instruction twice, it still won't take long to cascade the instruction through the network.

Re:Spot the key words

[Bob+Loblaw]

Hmm... as many as, as much as, or maybe they're inflating the figures to show what macho investigators they are. It just sounds a lot "better" than "no more than" which is logically equivalent but not spinly equivalent.

Re:Spot the key words

GOOD and FUCK THEM, it should say:

The hackers collaborated online to attack and take control of as many as one million MICROSHIT WINDOWS computers around the world that were not equipped with anti-virus software or firewalls."

Um, this is Slashdot...

[GameboyRMH]

The hackers collaborated online to attack and take control of as many as one million computers around the world that were not equipped with anti-virus software or firewalls. You're stating the obvious and preaching to the choir.

Re:Um, this is Slashdot...

[techpawn]

that were not equipped with anti-virus software or firewalls.

Hardware or software firewalls? After XP SP1 the windows "firewall" would count for most users.
Still recommend to install more than the paper tiger at the gate if you get that chance, but, anything is better than nothing for most users yes? If they mean hardware firewalls, I know very few home users that have one...

Re:Um, this is Slashdot...

In my limited world view, I know of at least 20 people who are still running Windows98FE,SE, and WindowsME. Not everyone buys a new computer or OS just because they can. Most of the typical users I know will wait until their machine dies (can't surf the internet or send email) before trying to fix it. Buying a new computer is a last resort.

Re:Um, this is Slashdot...

[JasterBobaMereel]

Thanks to wireless Broadband in the UK a lot of people have a hardware firewall (mostly running Linux) in their homes without them even knowing it ....

Re:Um, this is Slashdot...

[Thelasko]

When I setup my parent's DSL they received a "free" router from AT&T that came with a NAT firewall. A few years later and my future Mother-in-law orders DSL from AT&T and she gets a DSL modem and nothing else. Every time I visit her it's like playing whack-a-mole with worms and viruses. I installed a software firewall but she always removes it because it's "annoying" and slowing down her computer.

Re:Um, this is Slashdot...

[techpawn]

The wireless router setup I've got has integrated firewall, still have windows firewall enabled and a third party firewall on my and my girlfriends machines.
I know we're reaching the point of overkill with all the security in place (and bragging about it, even as vague as I have, damages the security of the whole operation... I know) but we live in an urban area and I want to make it as difficult as possible for potential hackers in the area, especially with wireless.

Re:Um, this is Slashdot...

[Z34107]

So... take away her admin account?

It's kinda unfair to expect you to keep fixing her computer when she keeps uninstalling the firewall.

Re:Um, this is Slashdot...

[Thelasko]

Taking away admin privileges for someone else's computer just seems wrong to me. Although, I have done it to my parent's machine, they live relatively close to me so I can stop over there if they need something installed, etc. My parent's also seem to understand the threats that exist on the internet better than my future mother-in-law. They used to be afraid of the computer, when I took away their admin privileges I told them I set it up so they can't break it and they are very happy.

Obligatory:

[powerlord]

Blame Canada! ... eh?

Re:Obligatory:

+1, original

Re:Obligatory:

fuck you, estie tabarnak!

So which is it?

[red+star+hardkore]

Police raided several homes across Quebec on Wednesday and arrested 16 people in their investigation...
The 14 suspects arrested Wednesday...

Re:So which is it?

[Shadow_139]

2 of them are now probably in Guantanamo Bay so there for not people anymore..... Oh it not america or Canadea, near mind....

Re:So which is it?

It's 16 Canadian people, or 14 Americans... it's just the exchange rate.

Re:So which is it?

[Iphtashu+Fitz]

Both.

16 people were arrested.

14 of those 16 were arrested on Wednesday.

Re:So which is it?

[red+star+hardkore]

Read the article, it all happened on Wednesday.

And the point I was making (but didn't elaborate enough on) was if they can make a mistake on reporting such a small number, what is the error margin on 1 million and 45 million?

Re:So which is it?

Uhh.. obviously, 14 suspects and 2 rats

Thats the only way canadian police can catch anything

Re:So which is it?

[Iphtashu+Fitz]

If you read it carefully it says that they raided a number of homes on Wednesday and "arrested 16 people in their investigation". It doesn't specifically state that all 16 were arrested on Wednesday, although that's what it implies. It only says "The 14 suspects arrested Wednesday are between the ages of 17 and 26".

I read this as the investigation led to raids on Wednesday that led to 14 arrests. Two others were likely arrested before those raids but still as a result of the same investigation.

Re:So which is it?

[hsdpa]

Well actually.. Err.. Maybe it's the other way around ;)

Re:So which is it?

[elrous0]

If I've said it once, I've said it a thousand times: French Canadians should get baths, not mod points.

Re:So which is it?

[ajcham]

Or 16 were arrested on Wednesday, but 2 are no longer suspects.

Re:So which is it?

[denisbergeron]

I always wonder why english canadian are so stupid and racist like you !

Re:So which is it?

[Poltras]

Or maybe not. Depending on WHEN you ask :)

Re:So which is it?

[smtrembl]

Apart from the fact that I don't get this comment about baths, it doesn't seem I get modded much either.

Re:So which is it?

I shouldn't laugh.. really I shouldn't... AHAHAHAHA

Re:So which is it?

French isn't a race, you dumbass.

Bigot, maybe. Racist, no. Read a fucking book once in a while, it'll help you control these silly kneejerk reactions.

Re:So which is it?

[theheadlessrabbit]

I always wonder why English Canadians are so stupid and racist like you !

there. fixed it for you.

Good job demonstrating that it's the English who are the stupid ones.

Re:So which is it?

[mgabrys_sf]

Woah - I'm seriously surprised how far down I had to scroll to find this joke. What is wrong with Slashdot these days. Tsk Tsk. And I haven't seen one post about tinfoil hats! WTF is up with THAT?

Re:So which is it?

More like 16 Canadians are 15.8 Americans by value (thanks you GWB). However, the exchange rate by weight...

Re:So which is it?

[SpiderClan]

How many languages do you speak and write in perfectly?

Re:So which is it?

[Mister+Whirly]

"It only says "The 14 suspects arrested Wednesday are between the ages of 17 and 26".

Is it really that much of a mental leap to conclude the other 2 suspects were not between the ages of 17 and 26?

Re:So which is it?

Because they can't all make intelligent, sensitive, well thought out comments like yours.

Re:So which is it?

[elrous0]

Well, I certainly didn't mean to insult the French Canadian race.

Re:So which is it?

[Iphtashu+Fitz]

Is it really that much of a mental leap to conclude the other 2 suspects were not between the ages of 17 and 26?

But then the article would have phrased it as something like "14 of the suspects arrested Wednesday are between the ages of 17 and 26". Since it started off as "The 14 suspects arrested..." means that 14 suspects were arrested and the modifier "are between the ages..." applies to all of those arrested.

Re:So which is it?

Both, 16 people were arrested, of which 14 were suspects, and 2 spoke French?

Re:So which is it?

[Mister+Whirly]

Then why wasn't it phrased "All of the 14 suspects arrested" if they didn't want to make it confusing?

Re:So which is it?

[Iphtashu+Fitz]

Then why wasn't it phrased "All of the 14 suspects arrested" if they didn't want to make it confusing?

The actual sentence from the article is this:

"The 14 suspects arrested Wednesday are between the ages of 17 and 26, and face charges related to the unauthorized use of computers."

What's confusing about that? 14 suspects were arrested on Wednesday. They were all between the ages of 17 and 26. They all face charges related to unauthorized use of computers. Simply adding "All of" to the beginning of that sentence doesn't change it in any way.

Re:So which is it?

[Mister+Whirly]

It is confusing because in TFA it was stated "Police raided several homes across Quebec on Wednesday and arrested 16 people in their investigation", and then a few paragraphs down, in the same article, it states "The 14 suspects arrested Wednesday are between the ages of 17 and 26". Just in case you were not aware - 16 != 14, and this to some, is confusing. They never explained this discrepancy in the article anywhere.

Re:So which is it?

They could of just said that as many as 2/3 of Canada's population was arrested for this crime.

Re:So which is it?

[denisbergeron]

Why some one put a racist comment here and get moded up and someone who put a comment about this racist comment get moded for TROLL !!!!

From TFA:

[Jurily]

[...] and face charges related to the unauthorized use of computers.

Surely they must mean unauthorized use of other people's computers?

Re:From TFA:

I'd assume you're always authorized to use your own computer.

Then again, in today's climate, maybe not...

Re:From TFA:

[morgan_greywolf]

I'd assume you're always authorized to use your own computer. Nope. There are times when I'm not authorized to use my own computer. Just ask my wife! ;)

Re:From TFA:

[somersault]

XP won't let me kill certain tasks even while I'm an admin (actually I should try killing stuff after using that hack to get system privileges). I hate how the damn system idle task is always sucking up my CPU usage. No wonder I can't run HL2 at 1900x1200 at a decent framerate :(

Re:From TFA:

[Qfour20]

Nope. There are times when I'm not authorized to use my own computer. Just ask my wife! ;)

Or ask the RIAA, or the MPAA, or ...

-q

Re:From TFA:

[RobinH]

It seems to stop being my computer whenever another Sims 2 expansion pack comes out... funny how that works!

Elaboration on my previous post

[red+star+hardkore]

What I meant was, if they can make a mistake on reporting such a small number, what is the error margin on 1 million and 45 million?

Re:Elaboration on my previous post

[jjm496]

It means 2 people were arrested on a day other than Wednesday. Not that complicated. 16 arrested, 14 on Wednesday.

why does law enforcement inflate numbers?

[circletimessquare]

whenever they seize some methamphetamine or cocaine, it's always "street value estimated as 20 billion dollars!"

now we have some yahoos in canada who controlled "1 million computers and made $45 million in profit!"

up next: "the police looked in the suspect's glove compartment and found a small bag of marijuana, with an estimated street value as high as the GNP of Australia! additionally, the suspect's cellphone was found to have cracked and controlled the computer networks of the NSA and Los Alamos! he used this vast network of hacked machines to make $20 brazilian dollars by cheating stay at home moms in a get-rich-quick scam! the suspect is also believed to be al qaeda's number 2 commander in iraq!"

Re:why does law enforcement inflate numbers?

What we have to read is 45$M estimated dammage around the world. Damage can be calculated in loss of time, stolen information etc. There is a big difference betweeen "profit" and "damage" !

Re:why does law enforcement inflate numbers?

[t33jster]

Anybody who has seen an episode of Law and Order knows that filing charges against a person is ofte the equivalent to initiating a negotiation. The inflated charges lead to a plea to a lesser charge. Those of us who pay taxes don't mind this, as the bad guys still get punished (although usually not as severely as they might), and we don't have to pay all the overtime to the DA, public defender, judge, baliffs, etc.

Re:why does law enforcement inflate numbers?

[grub]

whenever they seize some methamphetamine or cocaine, it's always "street value estimated as 20 billion dollars!"

They use the smalled unit of sale and work from that. It sounds better when they take the gram price of pot and apply that against a 200 kg seizure when everyone with a quarter of a brain knows that the 200 would be sold in huge lots elsewhere. Who buys grams?

Re:why does law enforcement inflate numbers?

Don't forget that they are assuming these apparent 1+million computers owners are all 'charging' the same for the use of their system. And of course if money (or any at all) is retained from these kids they will of course apportion it to those victimized.

Hardly the first time Canada has caused problems

[elrous0]

Let us not forget Bryan Adams.

Profitable

[theshowmecanuck]

In Canada they will probably server a couple years in prison if that, be forced to eat a Big Mac, and then set free. The judges and the justice system in Canada suck big time.

1) Go to prison for some short time.
2)Then dived 45 million dollars Canadian (now worth more than the US green back... but what isn't these days) by 16.
3) Profit

This time we can fill in the blank(s).

Re:Profitable

[tecmec]

The judges and the justice system in Canada suck big time.
Compared to who? The states? Ha! riiight...

Re:Profitable

[calebt3]

they will probably server a couple years Someone needs more coffee.

Re:Profitable

A Big Mac? I thought it was American's that were over weight.

Re:Profitable

[Internalist]

You *know* you're reading a geek site when the typos look like this:

[...] they will probably server a couple years in prison [...] And why do you think the justice system is so bad up here? I mean, granted, Mafiaboy didn't do much time, but I've read tonnes of comments here lamenting the blown-out-of-proportion sentencing for "computer crimes" in the States.

Re:Profitable

[eyeb1]

let's try and be a little more precise in our terminology eh! ..

it's the political\Legal System ..

justice has very little if anything to do with the modern Political\Legal System .. and IMPO never has ..

gain power through a Simple Majority (read: 51% of the people being able imposing their will on 49% of the people}.. which can be achieved in canada with 10 to 20% of the electorate .. which represents about 50% of the population ..

then ..

pass laws .. create a criminals ..

then ..

through organized religion .. public education and mass media project that breaking a law is some kind of moral issue .. so people can feel self-righteous for being good Law abiding citizens .. or at least as far as they don't get caught themselves ..

rhetorical question:

why do so many people persist and insist on trying to making the LAW a moral issue ..

through organized religion .. public education and mass media (read: mass brainwashing) me thinks ..

but it does give one hope .. when only 16 organized free thinking and acting people can have that much of an impact ..

There, fixed it for you

Are there that many Canadian computers [...] on the Internet?

OK it hardly looks like what you said now, but you mean to say they got both of them?

Sounds like advertising.

[TwoToeWilly]

This is one way for the anti-virus companies to stay in business.

Re:Sounds like advertising.

[TheHorse13]

Antivirus companies don't need this little incident to stay in business when far more people believe that they are fully protected *only* when an AV product is installed on their systems. Remember, AV is magical and that means it is good.

So What Happens Now?

[flyneye]

Will Canada be liberal about this and give them a swat or two and take away their computers or will it do the right thing and prosecute them to the extent of the worlds anger and rocket the offenders to the core of the sun?
(k, I'm tired from insomnia and kinda grumpy,but still...)

Re:So What Happens Now?

[ahodgson]

Murderers barely serve jail time up here. Don't hold your breath.

Re:So What Happens Now?

What? There aren't murders in Canada. It's entirely us crazed gun-wielding violent USAans.

Re:So What Happens Now?

You folks don't have a monopoly on murders. They definitely occur in Canada -- at a rate of about 1.85 per 100,000 people, actually. However, this still pales in comparison to the 5.9 per 100,000 people that you "crazed gun-wielding violent USAans" do.

Re:So What Happens Now?

[flyneye]

I watch the weather,you've got no excuse except it's too cold to go out murdering anyone.
One look at a thermometer and you stay home to clean your weapon by the fire and wait for hunting season.

Eh?

[lbmouse]

I moved here from Canada and they think I'm slow, but I'm really an über-hacker, Eh?

Re:Eh?

Thanks for the Tim Hortons.

That's a lotta denim...

[drewmoney]

Police won't reveal what the information was used for but investigators estimate that the network profited by as much as $45 million.

Damn! You know how many Canadian Tuxedos that will buy!?!

Re:Hardly the first time Canada has caused problem

[the_fat_kid]

hey, how many more times do they have to appoligise for that.
besides, do you realy think he was as bad as 45 Billion dollars?
or even Alanis...

Re:Hardly the first time Canada has caused problem

[elrous0]

Well, at least Alanis was hot--except for her live performances (where she always looked like she was having some sort of epileptic seizure).

45m?

[Robert+Goatse]

I guess crime pays! Is that US or CA dollars?

That summary needs fixing.

[Shados]

The hackers collaborated online to attack and take control of as many as one million computers around the world that were not up to date with patches and didn't have users with common sense.

There, thats better.

Re:That summary needs fixing.

[zakeria]

slight correction: The hackers collaborated online to attack and take control of as many as one million MS Windows computers around the world that were not up to date with patches and didn't have users with common sense.

Re:That summary needs fixing.

[Shados]

Indeed :) Though an heaily unpatched Linux machine is probably just as easy to take control of. Just less of em out there, haha. (I spent my spare time in college years rooting random Linux servers and changing the text that says "Welcome to blah blah Linux Redhat blah blah" to "Welcome to blah blah Windows ME blah blah....". That was fairly amusing, and harmless to boot.

Re:That summary needs fixing.

[VorpalEdge]

Common sense? Really? Most people, when they buy their first computer, expect it to "just work." They expect everything to be fine as it is, and for the patches (if they've ever heard of them) to be nice, but unnecessary.

After all, what they were sold is good enough, right? They didn't exactly buy the "turn your computer into a botnet zombie" feature (bad jokes featuring MS aside). They still expect companies to have integrity, and to make products that actually work, and that don't explode when you turn around. Common sense in this situation would be "companies can't ship products with security holes, they'd get sued!"

And yeah, I am aware that the parent is probably joking, but someone modded it insightful. :(

Re:That summary needs fixing.

[Shados]

We're in 2008. Even non-software products now get recalled, blow up, fall apart, are defective by design, are made in china (lol), all over the place. Go to Bestbuy and buy a headset at random (close your eyes and pick one), go up, and try it. 9 to 1 that thing will break within 2 weeks, sound will be crap, and it will be barely usuable.

All but the fanciest grocery stores will have expired stuff on the shelves if you look well enough. You have to be selective in what food you pick, make sure to read the expiration date, cook your meat to 160-170 degrees, etc.

Nothing works out of the box anymore. The only difference is that software doesnt always have to be recalled, it can be patched. But if you don't say informed, the ground beef you have in your fridge that got recalled...you'll never know it was. Thats "common sense" in this day and age.

Re:That summary needs fixing.

[tixxit]

Not sure if you're joking either. Integrity has nothing to do with it. If MS was to ship Windows with no security holes, and had an infinite amount of money, it would still never be released. You can never guarentee software is 100% correct. The common sense thing to do would be for MS to make updates as unobtrusive as possible, and make sure users install them in a timely fashion. Right now, installing an update in Vista requires about 30 minutes of downtime (download, install, configure, etc), which is kind of ridiculous.

Re:That summary needs fixing.

[khton]

It reminds me I never got a refund for that dead parrot

Haha

[ViralInfection]

From the ages of 17-26.

Wouldn't you say the RCMP is just hunting down script kiddies?

Re:Haha

[tecmec]

Calling them script kiddies based solely on their ages? As a 19 year old, that offends me. How many real (not script kiddie) hackers are 40-something or 50-something?

Re:Haha

[jjackson]

Not many - but how many 40 or 50 year olds had access to a PC when they were in their teens?

I am personally at an age that had I been born much earlier, I would not have had the option of learning to code a virus for a PC in my teens. I am 34 and easy access to PC hardware was a new concept when I was in my early teens. Home computer networks and mass adoption of the Internet didn't start until the early 90's... about the time I was your age.

All that being said, it is in the vast majority of teens' natures to take risks and seek attention. A computer crime, particularly an Internet crime has a reach that far exceeds anything my father could dreamed of. There is very little a 15 year old could have done in there parents basement in the US that would have affected someone in Australia (geographical locations are arbitrary) when he was a teen.

Last but not least, when I was a teenage and wrote my first PC virus (yeah, yeah... I did it too) that completely baffled the system administrators at my high school - I was supposedly one of the world's "elite". The statistics stated that perhaps only 10,000 people in the world had the knowledge to do so... reading that statistic was what actually inspired me to see if I could. So, I bought several books on x86 assembly language and got my hands on as many viruses as possible, printed reams of disassembled virus bytecode, and stepped through countless lines of instructions in DOS's debug.exe to watch them in action. After a few months was able to craft a completely unique virus that was prolific as hell and slipped right through the Antivirus applications' (of that day and time) scanners.

Now I hear my kids' friends talking about how they write viruses... I had an entertaining discussion with a 14 year old at one point claiming he was one of the reasons that I have a job (I own a small PC security consulting company), yet from the remainder of the discussion it was pretty clear that he wouldn't know a PCI slot from DIMM socket if he was put on the spot to identify them.

I guess my point is - the bar has been drastically lowered for entry into the virus writing world. About anyone with the ability to use notepad and search google can write a VBScript app that will spread itself via Email (or a Perl script for those who would like to jump on the down-with-windows bandwagon). This being the case, it fits into the teenage rebel without a clue mentality quite nicely. The percentage of kids that are actually gifted programmers hasn't really changed but the number of kids tinkering with scripts and programming certainly has - which is precisely where the stereotype of the teen script-kiddie comes from. (The word "kiddie" has a basis in reality as well).

Don't get me wrong - I am not putting you down. For all I know you could have an IQ of 200 and have graduated high school at 12. However, the vast majority of people are complete idiots - with the level of skill needed to write viruses and the average computer user now being part of that majority. By the time people are in their 20's/30's there are slightly more important things to do (job, family, etc) than try to mess with the computer of someone halfway across the globe to gain a +1 to e-peen size. So, yes, it is a pretty safe assumption that script kiddies will be in their teens.

Re:Haha

[Schnoodledorfer]

I wouldn't care if they were 17-26 months old if they managed to cause anything like $45M in damages while making their up to $45M in profits. It sounds like they were doing stuff that was more sophisticated than just running scripts, too.

Re:Haha

[tecmec]

I don't disagree with anything you have said. But the point I was trying to make was that it doesn't seem right to assume that they were "script kiddies" rather than "skilled hackers" just because of age.

As per the wikipedia definition of script kiddie: In hacker culture, a script kiddie (occasionally script bunny, skidie, script kitty, script-running juvenile (SRJ), or similar) is a derogatory term used for an inexperienced malicious cracker who uses programs developed by others to attack computer systems...

Re:Haha

That's rather ignorant. Just because they're young doesn't mean that they're script kiddies.

When I was 13 I was in a hacker group known as "ViRii" on the Undernet IRC network (this was back in the mid 90s). We had a bunch of extremely talented hackers in our group and we were all between the age of 13 and 21.

One fellow hacker went by the name "VallaH". I first met him when he was 16 or 17 and he was already writing remote BSOD exploits for Windows 95. Microsoft eventually hired him to work on Windows NT. He was later fired by Microsoft after an FBI raid.

And then there was "Analyzer". He hacked the Pentagon and hundreds of other systems by the age of 18.

And Calldan

The suspected leader of a group of computer hackers who broke into the network of a NASA laboratory has been arrested, officials of the agency said today.

In addition to hacking into NASA's computer system, the agency's investigators believe that Calldan Levi Coffman, 20, of Carson, Wash., infiltrated the networks of corporations, universities and other government agencies.

Mr. Coffman is suspected of leading the group ''ViRii.'' National Aeronautics and Space Administration officials started looking into the group last June.

The Analyzer, who is 18 years old, was placed under house arrest today in Jerusalem after being accused of infiltrating the Pentagon's computer system.

The youth is suspected of being the mentor of two California teen-agers who have been questioned by the F.B.I. in connection with penetrating the Pentagon's computer system and university research computers.
 
Back on topic. You could be right, maybe these 17-26 year olds were script kiddies, but I doubt it. I'm guessing these guys knew what they were doing.

Re:Haha

[necro2607]

You're joking, right? Younger people not only have more free time to pursue the motivation to hack & crack, but also tend to have more drive to do so, and less ethical reservations about doing so. You know how a lot of techie guys say "yeah, I used to be into that, but i grew out of it", well, that's generally the case with the vast majority of "hacker types" with malicious intent, except that a fair number of them actually pursue those motivations to a much further extent than others.

I used to hang out in chat rooms with guys who were developing their own exploits in C on netBSD machines they set up on their own, etc. etc.. (mid to late 90s).. They were all in their late teens, average of around 17 or 18 years old, no joke. There were a couple guys in college who were 20 or 21 or so, but really, the teens and early 20s is pretty much the prime time to delve into 'questionable' types of endeavours in the high-tech realm.

Oh, by the way, for a little personal anecdote, I cracked/hacked/obtained/whatever the admin password for our Mac lab in my elementary school when I was 9 years old, in grade 3 or 4 (and got banned from the lab for a while of course). Then again, I used utils I found on the net (a keylogger IIRC), but I still think that required a lot more knowledge and investigation than most 9 year olds are willing to pursue. Actually, I created a custom HyperCard stack that let me execute any program I had on a floppy disk - it just had to match the same type/creator code as any of the programs that were available in At Ease. That's pure hack-mindedness at work, and no outside help was consulted. ;)

Re:Haha

[necro2607]

Oh and BTW, I am in western Canada. ;)

Re:Haha

[ViralInfection]

No, solely on their methods. I'm 20, live with it.

Re:Haha

[ViralInfection]

Not many - but how many 40 or 50 year olds had access to a PC when they were in their teens? Tell me if you find out.

I am personally at an age that had I been born much earlier, I would not have had the option of learning to code a virus for a PC in my teens. I am 34 and easy access to PC hardware was a new concept when I was in my early teens. Home computer networks and mass adoption of the Internet didn't start until the early 90's... about the time I was your age. All that being said, it is in the vast majority of teens' natures to take risks and seek attention. A computer crime, particularly an Internet crime has a reach that far exceeds anything my father could dreamed of. There is very little a 15 year old could have done in there parents basement in the US that would have affected someone in Australia (geographical locations are arbitrary) when he was a teen. I don't think they planned for attention. PS: In Canada milk comes in bags.

Last but not least, when I was a teenage and wrote my first PC virus (yeah, yeah... I did it too) that completely baffled the system administrators at my high school - I was supposedly one of the world's "elite". The statistics stated that perhaps only 10,000 people in the world had the knowledge to do so... reading that statistic was what actually inspired me to see if I could. So, I bought several books on x86 assembly language and got my hands on as many viruses as possible, printed reams of disassembled virus bytecode, and stepped through countless lines of instructions in DOS's debug.exe to watch them in action. After a few months was able to craft a completely unique virus that was prolific as hell and slipped right through the Antivirus applications' (of that day and time) scanners. You've said something to impress me.

Now I hear my kids' friends talking about how they write viruses... I had an entertaining discussion with a 14 year old at one point claiming he was one of the reasons that I have a job (I own a small PC security consulting company), yet from the remainder of the discussion it was pretty clear that he wouldn't know a PCI slot from DIMM socket if he was put on the spot to identify them. That was for attention. PS: In Canada milk comes in bags.

I guess my point is - the bar has been drastically lowered for entry into the virus writing world. About anyone with the ability to use notepad and search google can write a VBScript app that will spread itself via Email (or a Perl script for those who would like to jump on the down-with-windows bandwagon). This being the case, it fits into the teenage rebel without a clue mentality quite nicely. The percentage of kids that are actually gifted programmers hasn't really changed but the number of kids tinkering with scripts and programming certainly has - which is precisely where the stereotype of the teen script-kiddie comes from. (The word "kiddie" has a basis in reality as well). Security is a modern day myth, and thinking of the idea of having it is almost a joke.

Don't get me wrong - I am not putting you down. For all I know you could have an IQ of 200 and have graduated high school at 12. However, the vast majority of people are complete idiots - with the level of skill needed to write viruses and the average computer user now being part of that majority. By the time people are in their 20's/30's there are slightly more important things to do (job, family, etc) than try to mess with the computer of someone halfway across the globe to gain a +1 to e-peen size. So, yes, it is a pretty safe assumption that script kiddies will be in their teens. Your points are well stated, however they are still script kiddies, maybe I don't follow the sought after wikipedia description, but too me, these kids annoyed thousands and we're caught, maybe it is a call for attention, but should we really be spending time debating about it or getting out there and stopping it?

Re:Haha

[ViralInfection]

So it's right to assume they're "skilled hackers"?

Re:Haha

[ViralInfection]

SELECT sum(profitted_amount) FROM press_release WHERE truth LIKE '%fishy%'; UPDATE flames SET flmCNT = flmCNT + 1 WHERE uid = 1221188;

Re:Haha

[jjackson]

As for the number of 48-50 year olds that had access to PC's in their teens - zero. The PC was released in 1980. Prior to that, I don't know and really don't care - it was just a statement to illustrate a point. Besides, the PC was 10k in '80... doubt all that many people had access to them. My guess is that ready access to them wasn't available until people were within +/- a couple years of my own age bracket.

Security is a modern day myth, and thinking of the idea of having it is almost a joke. I'd have to disagree with this. While I make no assumptions that what I do is 100% secure, there are always things that you can do to greatly reduce your risk.

The point I always stress when consulting for various customers is that the amount of time and effort you need to put into security is directly proportional to the value of the information you are looking to protect. If the information you are attempting to protect is worth millions, you better be willing to spend a good chunk of time and money to protect it... if it is the value of a small, personal coin collection, a $50 safe and a "free puppies" sign is all you need to seek out. Can someone take a baseball bat to your dog and an acetylene torch to your safe after breaking a window out of your house - sure... but that is (unfortunately) the screwed up, random chance you take in being a member of the human race.

Your points are well stated, however they are still script kiddies, maybe I don't follow the sought after wikipedia description, but too me, these kids annoyed thousands and we're caught, maybe it is a call for attention, but should we really be spending time debating about it or getting out there and stopping it? I have actually spent several year of my life dedicated to just that effort. I am the author of a pair of Linux firewall distributions (Coyote Linux and Wolverine VPN Firewall) and regularly consult for companies to help them adapt to the ever-changing landscape of Internet based threats. In addition, I do what I can to educate my own children about the dangers and risks of being exposed to the Internet and the possible ramifications of "script kiddie" behavior.

During my youth and period of arrogant idiocy, I got myself in enough trouble to have a couple sit-down conversations with the Feds. I have no doubt that similar behavior to my own would turn out VERY bad for today's youth... when it comes to Virus writing - just don't do it :P

Re:Haha

[ViralInfection]

During my youth and period of arrogant idiocy, I got myself in enough trouble to have a couple sit-down conversations with the Feds. I have no doubt that similar behavior to my own would turn out VERY bad for today's youth... when it comes to Virus writing - just don't do it :P I can't agree with that, without virus writing what pressures companies to actually secure and protect your data. Without the bad, there will be no good. White hats may hate black hats, but without them there is no balance. I'm glad to see you're doing your best in educating and passing the best word to others. And yes, security can't be 100%, that's why there is insurance.

Re:Haha

[tecmec]

Not necessarily. It wouldn't be right to assume one way or the other

Re:Haha

[tecmec]

What's with all the milk comments? They aren't even completely accurate. In Canada, sure, you can get milk in bags...but most people don't. I've only known two people who buy their milk in bags...and those were both 10-15 years ago. I don't even know if you can still get it in bags. Why are you spreading rumors that us Canadians are weirdos who drink our milk from bags?

Re:Haha

[ViralInfection]

Humorous method to highlight the link in between paragraphs and relative nature of the topic on "attention".

Sensationalism

scam Slang
n.
A fraudulent business scheme; a swindle.

tr.v. scammed, scamming, scams

To defraud; swindle.

So, who was defrauded or swindled in this case ?

"Script Kiddies Busted" would have been more appropriate.

Crackers, not hackers (EOM)

[objekt]

EOM because I don't like NT.

Re:Crackers, not hackers (EOM)

[Anonymous+Psychopath]

Crackers, not hackers While technically you're correct, you're also like those Japanese soldiers living in caves in the 1970's, still fighting a war that's been over for a long time. The definition of "hackers" has changed.

Re:Crackers, not hackers (EOM)

[onkelonkel]

Trekkies not Trekkers!

Or was that the other way around? I forget now.

Is this a RIAA Press Release

[N8F8]

The numbers confuse me.

Re:Hardly the first time Canada has caused problem

[garett_spencley]

South Park was playing nice ...

If you REALLY want to hit Canada where it hurts you need to bring up Celine Dion.

Of course they will DENY, DENY, DENY ... but you will have taken a piece of them forever by reminding them of their biggest skeleton they just can't seem to hide no matter how hard they try.

Urgh, I feel dirty for just bringing it up ...

"backbacon" Tag

[aquatone282]

Why RTFA when you have /. tags?

The Unwritten Story...

[Panaqqa]

These arrests were in Quebec. What they are not telling us is that the arrests were REALLY for not hacking into the boxes using both official languages.

Re:The Unwritten Story...

[KJE]

It's more likely that the Office quebecois de la langue francaise (OLF), aka the Language Police, would be more upset with the fact that they used English at all.

Quebec is NOT a bilingual province, the only official language is French. New Brunswick is the only constitutionally bilingual province.

Check out the very recent bruhaha caused by an Irish Pub in Montreal having Guinness posters on the wall that didn't have French on them. I'm a anglophone born and raised in Montreal, who has since moved down the river to Ottawa, and man, I don't miss that shit.

Re:The Unwritten Story...

[bidule]

I'm a anglophone born and raised in Montreal, who has since moved down the river to Ottawa, and man, I don't miss that shit. I can understand. If I took shit and it made me move down the river to Ottawa, I wouldn't do it again. I'd be too scared to end up in Timmins.

Re:The Unwritten Story...

[khton]

Well, it really is a pity for you, but did you realize that Ontario was also officially bilingual ? No ? Maybe this is because french speakers in Ontario get even less rights thant an english speaker in Quebec... And this is also why Quebecers fight so much for their language (and yes it can get quite stupid some times). I am very sorry that you felt it necessary to leave your home place, but frankly, the bilingual people in Quebec don't really miss your kind of people...

Re:The Unwritten Story...

[KJE]

Well, it really is a pity for you, but did you realize that Ontario was also officially bilingual?
Quebec's Bill 22 of '74 and of course Bill 101 of '77 state Quebec's official language as French, and the Canadian Charter of Rights and Freedoms states that New Brunswick is bilingual. Ontario has the French Language Services Act, stating provincial services are to be available in the parts of Ontario where there is a large French-speaking population, as well as legislation declaring French an official language of the courts, but afaik, the province is not officially bilingual. If you've got a reference to Federal or Provincial legislation regarding Ontario's official language that I've missed, please let me know.

I am very sorry that you felt it necessary to leave your home place, but frankly, the bilingual people in Quebec don't really miss your kind of people...
I am very sorry that you feel the need to finish with a comment like this. This is the sort of divisive and unfortunate comment that plagues this issue, and issues like this around the world. I don't know what you meant by your kind of people, but there is no responding to generalizing statements like that.

Re:The Unwritten Story...

[halcyon1234]

You mean emacs AND vi?

Re:The Unwritten Story...

[khton]

Yeah, I recognize that my last sentence was out of place... But could you please tell me what was the need to go Quebec-bashing once again ? I am not even a quebecer, I am french (living in MTL), and I am not really prejudiced over this whole situation. Personnaly, I would like Quebec to be more bilingual, and I recognize English speakers ar an essential part of Quebec... And I also think that all english and french speaking people who have the capacity to do so should make the effort to speak both language. It really didn'ty come out well when I wrote "your kind of people". What I really mean is people who are not willing to make the effort to make this all work, and who prefer to take a leave... But, hey, I'm not in your shoes, so this is your decision :)

Hey now!

[X3J11]

I'm more ashamed of our country unleashing Celine Dion than Adams. Oh, and kd lang...

However, the shame is offset by William Shatner. He's The Shat afterall!

Re:Hey now!

[p0tat03]

Don't apologize for Celine, she serves a useful purpose! It concentrates all the people with bad musical taste in the middle of the desert, for easy disposal if we feel like :) And think of Vegas as a quarantine... desert all around... seal off the roads and the rest of the world remains safe from her voice...

Re:Hey now!

[elrous0]

I always figured that Atlantic City served a similar purpose: Guido bait.

H33Z 4 S00P3R H4X0R!

[Chas]

Because it makes them look like they actually did something important.

Canada ?

[Griff-GW]

With 45 million why on earth would you stay in Canada ? /BookItOutOfCanada

Script Kiddis Horah!

[poormanjoe]

"Eh, check 'er out Uper! A Newfoundland!"

Canadian Scam

[up2ng]

What's that all Aboot ?

Re:Hardly the first time Canada has caused problem

[i_ate_god]

As with a lot of our other trash, we simply shipped Celine Dion to America. Now she's your problem, enjoy.

Outdated security setups?

[antdude]

"... many as one million computers around the world that were not equipped with anti-virus software or firewalls."

How about outdated software/updates (e.g., virus definitions)? What are the statistics for those?

Non-Clarification

[lordshipmayhem]

1) There's a link on the site to report typos. I submitted the 14 vs. 16 issue there.
2) On http://www.theglobeandmail.com/servlet/story/RTGAM.20080221.whacker21/BNStory/National/home, they're saying it's 17, and being consistent throughout the article.

I don't know which is correct at this point in time.

Canadian Prisons

[Detritus]

Does Canada have any strict regime prisons? It certainly has the geography for it. Why not ship the script kiddies off to a work camp in the middle of nowhere for a few years.

Re:Canadian Prisons

[Pig+Hogger]

Does Canada have any strict regime prisons? It certainly has the geography for it. Why not ship the script kiddies off to a work camp in the middle of nowhere for a few years.

Why bother? The **WHOLE** country is already in the middle of nowhere...

Re:Canadian Prisons

[lordshipmayhem]

Canada has one (1) strict regime prison - for the military, for crimes committed by military servicemen considered "salvageable".

Other than that, no, not really.

Re:Canadian Prisons

Well, yeah, but we call it treeplanting.

Re:Canadian Prisons

[Rary]

There's a couple prisons just outside of Winnipeg. That's pretty much the middle of nowhere. As cold as Siberia and nowhere to run to except Regina.

Re:Hardly the first time Canada has caused problem

[Farmer+Tim]

Well, at least Alanis was hot

Perhaps I'm showing my age, but I find that somewhat disturbing.

Kumputers Dur

[mgabrys_sf]

I love these articles if only for the first 200-300 words repetitively describing what a "botnet" is. What - the editor didn't want to devote another 500 words explaining WTF a computer is - or the "interwebs" (it's pipes I've heard!).

What century is this again? We still gots them "horseless carriages" and "flying machines" right?

You're kidding, right? (Re:Really?)

[myvirtualid]

Here I was, planning to mod this discussion, but I can't believe what you just wrote.

I... wonder why nobody has proposed some kind of govt subsidized antivirus program... why not buy out ESET or similar and allow all US residents (or the world, for good will) to get a good free antivirus?

You're kidding, right?

Please, tell me you are kidding!

Why in the name of GFSM or whatever deity you care to insert would anyone in their right mind do or propose this? It boggles my mind since what you propose is already available! And has been for years.

To forestall certain trollish and flamish responses (oo, woe is me to think this might work), if this really was a good idea, one could promote these services far more cost effectively than actually funding/buying them.

But of course it is a terrible idea, for any of the following reasons:

1. The US government would not likely do any such thing, given that these services are in competition with American corporations.
2. The money would be far better spent funding better OS research and development, for example the Programatica project and its work on House and Osker (PDF WARNING)
3. The money would be better spent on improving existing alternatives to Windows. Personally, I like Ubuntu (YMMV), but I don't know that they need the money (sure, everyone would like more $$, but Canonical has pretty deep pockets, no?).

But for now it simply doesn't matter - too many users are ignorant of the fact their OS comes from a vendor who simply doesn't give a damn and/or wants to squeeze yet more $$$ from the pockets of its beloved customers, whom it loves and respects dearly (either for its own bank accounts or those of its incestuously intertwined corporate "partners")....

Moral of the story

[billcopc]

The moral of this story is: don't "hack" machines in your own country.

If they hadn't attacked Canadian computers, things would have been far more difficult for law enforcement as the damages would have been outside their jurisdiction. That's why Russians and Koreans attack USA machines... if they root their neighbor's box, it's a whole different ballgame.

More Canadian Ripping...

[Notquitecajun]

Don't wanna be a Canadian Idiot...don't wanna be a beer-swilling hockey nut...

Props to Weird Al!

Canada

[Teflon_Jeff]

I didn't even know they had maple syrup powered computers up there, eh? Seriously, though, It's a bit strange up there, a few of my friends are Canadian, and they tell me there's not a lot of enforcement over things computer related infractions. Reminds one of them of an apathetic Sweden.

Re:Hardly the first time Canada has caused problem

[Mister+Whirly]

So what you are saying is the airbrushed/photoshopped pics of Alanis looked good, but in reality she did not look nearly as good. Sounds about right.
(For the record I have always thought she was nothing special to look at, and neither was her music.)

Not enough coffee again.

[ColdWetDog]

Murderers barely serve jail time up here. Don't hold your breath.

I read it as Moderators ...

For one brief second, I thought there was real justice Up There.

Time to crank the espresso machine up again.

As a Canadian....

[FreakerSFX]

I am glad to see that we're finally getting a little bit back on the electronic crime industry. We don't have an NSA (though arguably that's a good thing from a certain perspective) and we don't have an FBI. CSIS is our "CIA" and it's woefully underequipped for its actual purpose, which is watching for foreign threats.

That leaves the RCMP and local city police forces. That's not what these guys are trained for. When a "hacker" broke into several government systems 6 years ago, we blew the whistle on him One police officer in all of BC was assigned to cybercrime. It took over a year to go to trial and then because our laws weren't up to the task, he was given a probationary sentence. He didn't do a lot of damage but the point was the best that we could hope for even if he'd raped our internal databases, was a slap on the wrist.

It's encouraging to see a little progress is being made here. I guess as long as we have regionalized police forces and no central oversight (or limited central oversight and almost no cooperation between regions) there will be no significant nation-wide cybercrime division - it's too bad.

Then again, there so many damned police, government and paramilitary organizations in the USA fighting for jurisdiction, I don't expect that model is a whole lot better.

We all need less ignorant government reps, better laws and a lot more cooperation nationally and internationally before we can expect to make any ground on this problem. CSIS and the RCMP pay so little, I would never be able to work there even if the work was interesting.

Re:As a Canadian....

[LazyBoyWrangler]

Crap. Uninformed crap.

NSA == CSE (Communications Security Establishment)
CIA == CSIS (Canadian Security Intelligence Service)
FBI == RCMP (Royal Canadian Mounted Police)

These organizations have very good co-ordination of data - and work co-operatively with their NATO counterparts. There are exchanges of staff and information on a regular basis with the NSA etc. I have friends working there.

As far as pay goes, the RCMP and other groups pay reasonably well. I live in a neighborhood of these folks and nobody is out spare-changing when not at work. Pensions, benefits etc. are better than private industry. The government isn't going to pay you in share options that never mature, and they'll never go out of business like nine out of ten tech startups.

The reason you never hear about these people is that they do not advertise, they do not talk and they are actively encouraged to not talk about their work. They are not by nature braggers, talkers or blabbermouths. Those folks never make it through screening.

Success in what they do is never advertised, and every cyber-failure in Canada gets blamed on them. The above poster obviously believes what they read, and the only material they read is from people who have no idea what actually goes on.

He should have to spend one day at Canadian Forces Station Leitrim spouting his nonsense and see what the people really doing this work think of him.

As far as laws go, do a little reading on Michael Geist's blog about Internet law and Canadian positions and you'll have a very different viewpoint quickly. Canada has plenty of laws, and is in the process of adopting more and more - many completely inappropriate in response to American leverage from the RIAA and the MPIA. I do not advocate theft in any form (I pay for everything in use on my networks), but I do believe in fair use and civil liberties as well as innocent until proven guilty.

Re:As a Canadian....

[FreakerSFX]

First, I'd like to make a general observation. You exhibit a typical behavior of a fairly poor debater. Those disagreeing with you are obviously "full of crap" and "uninformed". That's pretty poor technique and fairly immature.

Second - you're completely out of context with your reply. My post, this thread and the article are discussing cybercrime and script-kiddies. You're talking about espionage and government surveillance.

These establishments you mention (2 of which were mentioned in my post) are fairly toothless when it comes to cybercrime.

I've seen too many commercial scams go unpunished or uninvestigated - it doesn't sound like the Canadian Forces Station Leitrim has ANYTHING to do with financial crime. What does the CSIE have to do with cybercrime? Do they go after Nigerian scammers or identity thieves? Do they take down spam networks running on unprotected mail servers?

Did you RTFA?

What does a CSIS drone make on entry level? What does a senior data expert in the RCMP make? Do they pull in 6 figures? That's what you can expect to pay for someone who really knows their stuff from a forensic standpoint. I bet their civilian contractors do but they're not out to stop cybercrime.

My original post could have been clearer but you're busy defending against the "attack" on Canada. I wasn't attacking our country. We, like every other country in the world have a long way to go on protecting information and financial assets from technically advanced criminals. It's nice to see that you know something about our government activities and that they are pursuing a program to protect our nation. Now how about protecting our identities and money?

Re:Hardly the first time Canada has caused problem

[Selfbain]

Now now, the Canadian government has apologized for Bryan Adams on several occasions.

Prison...really?

[ALimoges]

It's funny because now it's all over the news here in Québec, and pseudo-experts are trying to explain *how* to secure one's computer. Don't you guys understand that Windows *is* insecure!

The people who got hacked are facing a maximum of 10 years in prison but with Québec's system, they really do 1/6 of this time so it's not that bad..

Re:Prison...really?

[post.scriptum]

Usually it's half of their sentence, no?

Oh and about Celine Dion you jerkoffs

[FreakerSFX]

Britney Spears does not speak for all Americans. Michael Jackson assuredly does not represent all things american...(not criticizing his music though I am not a fan but he's about as deviant as they get)...

Amy Winehouse is not the speaker for all British people or representative of the British values....

Do you really want to compare who has the worst celebrities?

Oh - by the way - it's interesting to note where Celine Dion got most of her money...

From Wikipedia in regards to Celine Dion moving to Vegas from 2003-2007:

"According to Pollstar, Dion sold 322,000 tickets and grossed US$43.9 million in the first half of 2005, and by July 2005, she had sold out 315 out of 384 shows.[79] By the end of 2005, Dion grossed more than US$76 million, placing sixth on Billboard's Money Makers list for 2005.[80]"

Tell your parents to stop buying her CDs, DVDs and going to her shows and maybe, just maybe she'll go away.

Sucky Moderation

[FreakerSFX]

Other people's comments about Celine Dion and general insults about Canada are modded funny or left at +2 so you mod my factual response to these posts down to a zero and leave the originals at +2.

Every time I have any hope for the moderators to be reasonable, I am unpleasantly surprised. Did you read all of the comments? Did you just decide you didn't like the attack on the US? It wasn't even an attack - it was a factual response to a comment on this thread that was not considered offtopic.

Re:Sucky Moderation

[brkello]

Then maybe you should try replying to that thread instead of making your own? Most of the insults are jokes derived from movies and are not meant to be serious. You may take offense to them, but they are funny to most people. Your post was fairly pointless and lacked any context. You have to understand that even if you are right, there are some things that just aren't going to go over well. But despite the fact that this site is dedicated to worshiping Macs, Nintendo, and Libertarians, if you actually post something reasonable against them and back it up you stand a decent chance of getting modded up. Your post may have contained facts, but you didn't reply to the thread that offended you. Not was it really needed since people aren't serious and no one really cares about Celine Dion or celebrities in general on this site.

Re:Hardly the first time Canada has caused problem

[elrous0]

I don't blame Canadians for Celine Dion. That's Satan's doing.

The "$45 million" profit claim is highly unlikely

[Master+of+Transhuman]

This sounds like the usual inflation of profit that law enforcement agencies love to do.

Most of the large-scale botnet scams I've heard of don't yield anywhere near that kind of money. The botnet operators maybe pull down $3-10,000 a month renting out the botnets. Even large-scale identify theft rings are reaching for anything like $45 million.

Unless these guys were targeting rich people, I don't see it. And since most of the alleged compromised computers were in South America, I doubt they hit a lot of rich people.

I can't see this article from China

http://www.cbc.ca/technology/story/2008/02/20/qc-hackers0220.html
This link and all of cbc.ca is inaccessible from China.

I've tried anonymouse.org, hidemyass.com, shysurfer.com, www.privax.us to no avail.
Even worse it's been about a month since I can't even listen to the cbc radio streams via ogg vorbis.
http://vorbis.nm.cbc.ca/cbcr1-toronto.ogg
http://vorbis.nm.cbc.ca/cbcr2-toronto.ogg

Any suggestions would greatly be appreciated.

Cheers and keep up the Cowboy awsomeness :)

Re:The "$45 million" profit claim is highly unlike

Thats ZW$45million (approx US$5.50).

http://newzimbabwe.com/

Posting anon for good reason.

Why not?

[hadaso]

> ... since most of the alleged compromised computers were in South America,
> I doubt they hit a lot of rich people.

How is the location of the hijacked PC hosting the fake website relevant?
The people that respond to phishing attempts don't have to reside in the same country where the hijacked PC that hosts the fake site does. The aim of the phishers is that the fake site, the attacker and the victim would be in different jurisdictions.

Anyway, I've seen an Israeli financial services advertise services aimed at "rich people only) using botnet based spam. The service was advertised for people that have "over 350,000NIS to invest" (that's almost $100,000). The service was advertised repeatedly using what looks as botnet based spam: spam arrives from IP addresses located all over the world. Of course headers were forged. But the continued advertising this way so I guess they were getting clients through their spam campaigns. It was not a fake phishing operation. It was a well known financial service handling investment portfolios for rich clients, a subsidiary of a big corporation.

So there were people whose PCs were hijacked and formed into a botnet. The botnet herder sold services to spammers. The spammers solds services to advertising agencies. The advertisers sold their services to their clients, including financial organizations. The botnet operators made money. Clean money made its way from the legitimate market all the way to the botnet operators. I have the IP addresses of infected PCs sending this spam. I have the details of whoever paid to use their hijacked PCs. I can use spamcop to report to the ISPs hosting those PCs. I have no way I know of to get to the people who own these PCs and to let them know who is paying for the use of their PCs. I have no way of asking these people whether the use of their PCs was with or without consent. I have provided the Israeli police with information about the activity of this spammer that is operating openly. They can do nothing on this basis. They need actual evidence about the infected PCs. Just sending email from many computers all around the world is not illegal, and there's nobody complaining to the police that their PC has been hijacked.

When one's home has been broken into one calls the police. Perhaps they can do nothing but still they are called and they collect the evidence. Later they might be able to connect the evidence to other evidence. When one's computer has been broken into one does not involve the police, and no evidence is collected. The evidence is destroyed. There's plenty of evidence available that includes those that pay the botnet operators (the spammers) - information that exist in spam, which computers they use - it's in the spam headers. The missing link is getting the evidence from the owners of hijacked PCs and connecting it to the other evidence. The connection is trivial: match IP addresses. Then the evidence can be passed to the proper jurisdiction were the spammer acts. It doesn't have to be the one that controls the botnet. The one that hires the use of the botnet can be prosecuted.

And while I'm at it: noipmail.com is an email service that offers to hide the IP address of the sender. I tried it and it looks as if it is an interface to some kind of botnet. The headers show that email I send using that service to my other email accounts is sent using various PCs in different countries. They also offer some kind of software to use their service to send bulk mail. I can read email headers but I don't have the skills to test their software in a controlled environment to see what it does. I wonder if someone reading this might want to tst this. If it is doing something that is illegal in Israel (such as obtaining unauthorized access to computers) then I know exactly who to call in the Israeli police (the registrant of that domain name seems to an ex-prisoner that served a 3.5 year sentence on a computer related crime).

Re:Why not?

[Master+of+Transhuman]

Yes, all of that is very standard in botnets.

My point was that every botnet operation I've heard of wasn't making $45 million in revenue. As much as several million perhaps, for the largest botnet operations I've read about. But no where near $45 million.

It's much more likely that the police were overestimating - particularly because of all the reasons you cite why it would be hard to prove who did what.

If the cops find $45 million worth of bank assets or records indicating that much revenue went through the botnet operators accounts, then I'll buy it. But until then, there's no evidence these guys made that much.

OTOH, I wouldn't be surprised if a $45 million operation wasn't in the cards at some point, since the botnets are getting bigger, targeting wealthier people and getting bigger in scope and becoming more organized.

I'm just saying it would surprise me if these guys in Canada had that big an operation going at this point in time.

Re:O Canada...We loved you for what you were

Sadly, Canada isn't a police state like it's Big Brother to the south (pun intended).

BLAME CANADA FOR EVERYTHING, it's easy because they're polite and won't fight back, although they might throw snowballs or pies.

Now for a serious rant:

WOW, two whole news stories about Canadian organized crime taking advantage of Americans. CLAP, CLAP. Give this man a pulitzer. Two whole stories, dated 5 months apart, to paint the picture of a country tumbling down a slippery slope. Call in the fucking marines!

Further adding to my ire and how obviously is ignorant you are is that both articles quoted site interviews with Canadian authorities admiting that there is a problem and that they're being investigated, not exactly what I'd call a haven.

It's easy to quote a bunch, oh wait, sorry, not a bunch, two sensational(ized?) news stories and then blame Canada for all of your woes. How about looking back at your own country to see if some of the blame doesn't lie there.

Maybe if the US war on drugs hadn't FAILED MISERABLY the street value of drugs would never have been pushed so high that it's become such a lucrative and attractive business to organized crime. Maybe if your education system hadn't failed it's elderly and instilled them with a sense of invulnerability they would have the common sense not to give their money to strangers, desperate or not. I don't know, I'm not a prophet. Anyway, your best course of action is to go stand on a street corner wearing tattered rags and holding a cardboard sign declaring impending doom at the hands of the Crazy Canucks, you'd fit in better. Asshole.