Slashdot Mirror


Cyber Vigilantes

Fang wrote in to send us a link to an interesting article talking about Denial of Service attacks and Cyber Vigilantes. The internet is turning into more of a warzone every day. This is an interesting summary article to read. Worth your time.

69 comments

  1. url wrong by Anonymous Coward · · Score: 0

    Take the > off the end of your link, and it might be easier to find. Great article though.

  2. This article is, honestly, a whole lot of BS. by Anonymous Coward · · Score: 0

    Winn Schwartau, noted Grateful Dead groupie and wannabe security expert, is universally noted for having very little idea what he's talking about. While the facts of the article are fairly relevant, the "interview" with "Lou Cipher" and the off the record comments of police provide the finely tuned hysterical tone that Winn does so well.

    Can you protect a network without resorting to offensive capabilities? Without a doubt. Are you resorting to the level of a punk kid IRC w4rrr10r when you use them? By and large, yes.

    This whole article is a good look at where FUD hits the security world, and it's only appropriate that it should come from the pen of Mr. Schwartau.

  3. :):):):):):):):) by Anonymous Coward · · Score: 0

    LINUX RULZ !!!!!!!!!!!!!!!!

    :):):)

  4. Oh boy. by Anonymous Coward · · Score: 0

    The little hacker kiddies from irc went mainstream. You wouldn't believe the number of people who use Linux just to DoS people. Blech.

  5. Thats not new... by Anonymous Coward · · Score: 0

    "Cipher, the baseball-bat-bearing vigilante, is all for new approaches.
    "Personal persuasion is always more effective than electronic persuasion," he
    says. "Personal persuasion virtually guarantees that a hacker will see the
    error of his ways, scamper to please and turn over a new leaf." "

    Uhh, that's a quote from Accius, c. 318 B.C.: "Let them hate so long as they fear."

    Wonder how many days it is before this guy gets shot? Seven point six two millimeter...Full Metal Jacket.

    jmr

  6. Part of the Problem by Anonymous Coward · · Score: 0

    Maybe if the gov't law enforcement agencies didn't have to deal with morons with baseball bats, they might be able to spare the time and resources to deal with computer crime.

  7. Apply the principles of self-defense by Anonymous Coward · · Score: 0

    In U.S. law, you are allowed to reply to an attack with a reasonable degree of force. Generally, this means a degree of force commensurate with the threat. I.e., if you are attacked with lethal force, you can use up to and including lethal force to defend yourself.

    The Pentagon, consciously or not, did just that, responding to a DoS attack with a DoS attack on the very system and tools used to attack them, and in automatic response to the EDT attack. And no more. Not a bad example. But then, the military is full of people who understand the use, and limits, of force.

  8. No Subject Given by Anonymous Coward · · Score: 0

    A system administrator I know puts it best:

    "Break into my house, you will get shot."
    "Break into my system, expect similar treatment."

  9. h4xx0rs by Anonymous Coward · · Score: 0

    Just when will they learn that cracker!=hacker...

  10. all is fair by Anonymous Coward · · Score: 0

    A couple of weeks ago the network of the university I worked for was scanned on IMAP and POP-2 ports. After a friend and I took a look at the computer that was doing it, we saw that it was an ISP in Turkey and that the cracker had left a port wide open for root access. We decided to telnet into the computer, got root, and saw that he was scanning all, or most of, the universities (.edu's, at least) in the US. We shut off the port scanner, cleared the scanner logs and left the cracker a little note instead. The ISP has taken that computer off the network. I'm sure they got flooded with complaints from angry sysadmins.

    If the logs hadn't been cleared i bet a lot of computers would have been hacked the next day. What would the law have done in this case? Nothing.

  11. Is that you John Wayne? Is this me? by Anonymous Coward · · Score: 0

    So if I live in Washington and a corporation sends me spam I can break into their offices and destroy their equipment with a baseball bat?

    "Then word gets around, and we're left alone. That's all we want, to be left alone."

    Hell, I like this Cipher guy. He can come over and fuck my sister.

  12. warlordism by Anonymous Coward · · Score: 0


    heh. great. vigilantism is terrorism; the fact that it's generally intended to be directed against actual malefactors is nice, but hardly a justification.

    as for schwartau, he's a professional self-promoter and that's all. he has no other skills or interests.

  13. Completely Agree by Anonymous Coward · · Score: 0

    Finally, some people who use their brains.
    Is it just me, or was there a time when
    /. didn't suck so much?

  14. Perhaps a tap on the shoulder, though.... by Anonymous Coward · · Score: 0

    I dunno, I'd guess that you'd scare off a large percentage by simply letting them know you're watching. Packet-sniffing your way into their IRC session is effective... and I suppose the BSOD would be as well.

  15. ICE? by Anonymous Coward · · Score: 0

    This is starting to look like an RPG game. I wonder what'll come next, since that clueless newbie gave an excuse (if they can, why not me?)

  16. BULLSHIT by Anonymous Coward · · Score: 0

    If you strike back against a scriptkiddy he is going to call his friends and then they are going to FUCK YOUR WORLD. What do they have to lose? Not a damn thing. You just fought back. The next thing you know, you are going to be sitting dead in the water under a storm of UDP packets with forged headers off of some poor bastard's Red Hat 5.0 box with all the ports open that just got port 143 exploited for root and had papasmurf.c compiled on it. There is absolutely NO WAY to win this war after you start it, dumbass. Ask any of the IRCops and Admins on EFnet. Most of them are now kissing the asses of the smurfpups and packet monkeys because they don't have a choice.

    IT'S THE PROTOCOL, STUPID.

    Until ipv4 gets upgraded, things will continue to be this way and there isn't ANYTHING that can be done about it.

    Retaliate? GREAT FUCKING IDEA.

    What if that kid happened to launch his attack off of a machine that he just hacked that just happens to be a server used for something important at a hospital? It would be really fucking great to be responsible for the death of someone because of your stupid fucking need to be an INTERNET JOCK and flex your more expensive corporate muscles. I can't wait to hear about the first time one of these intelligent war-firewalls fucks up and someone gets really hurt.

    "Spoofed packets make j.c bradford take out nasa.com"

    I would laugh my ass off.

    I feel for all the insecure college servers that get hacked all the time and are used to launch attacks. A little while ago Harvard servers got hacked and were used to smurf EFnet irc servers.

    I'm truly surprised that I haven't heard about any cases of packet extortion with someone demanding money be sent to a foreign account or they will continually smurf the target. It's not like it's hard to get away with this type of thing again and again and again.

    Just my thoughts........

    1. Re: BULLSHIT by Anonymous Coward · · Score: 0

      There is a lot you can already do to protect yourself and other networks. Obviously you shouldn't have directed broadcasts turned on on YOUR routers, for one thing. Once everyone gets hit in the head enough with it, smurf will go away.
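    The reply above names the two router-side fixes for smurf (no directed broadcasts, no spoofed packets leaving your network). The following is an added example, not code from the thread, showing what a border sensor can flag from packet summaries: outbound packets whose source is not ours (egress filtering, RFC 2827, would drop them), inbound echo requests aimed at our directed-broadcast address (we are being used as an amplifier), and unsolicited echo-reply floods from many hosts in one /24 (we are the victim). The prefixes and the packet records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Address space this border is responsible for. Hypothetical documentation
# prefixes; substitute your own.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed packet records as a sensor on the border link might summarise
# them: (direction seen from our side, src, dst, proto, icmp type or tcp flag).
SAMPLE_PACKETS = [
    ("out", "192.0.2.10",   "203.0.113.5",   "tcp",  "syn"),           # normal traffic
    ("out", "10.9.9.9",     "203.0.113.77",  "icmp", "echo-request"),  # spoofed source leaving us
    ("in",  "203.0.113.77", "192.0.2.255",   "icmp", "echo-request"),  # someone using us as amplifier
    ("in",  "203.0.113.1",  "198.51.100.20", "icmp", "echo-reply"),    # replies nobody here asked for
    ("in",  "203.0.113.2",  "198.51.100.20", "icmp", "echo-reply"),
    ("in",  "203.0.113.3",  "198.51.100.20", "icmp", "echo-reply"),
    ("in",  "203.0.113.4",  "198.51.100.20", "icmp", "echo-reply"),
    ("in",  "203.0.113.9",  "192.0.2.10",    "tcp",  "syn"),           # normal traffic
]


def _in_prefixes(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def _is_directed_broadcast(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in prefixes)


def audit(packets, prefixes=OUR_PREFIXES, reply_threshold=3):
    """Return the three smurf-related findings a border sensor can make."""
    spoofed_egress = []     # what RFC 2827 egress filtering would drop
    amplifier_probe = []    # what 'no ip directed-broadcast' would drop
    reply_sources = defaultdict(set)   # (victim, replying /24) -> replying hosts
    for direction, src, dst, proto, kind in packets:
        icmp = proto == "icmp"
        if direction == "out" and not _in_prefixes(src, prefixes):
            spoofed_egress.append((src, dst))
        elif (direction == "in" and icmp and kind == "echo-request"
              and _is_directed_broadcast(dst, prefixes)):
            amplifier_probe.append((src, dst))
        elif (direction == "in" and icmp and kind == "echo-reply"
              and _in_prefixes(dst, prefixes)):
            net = str(ipaddress.ip_network(src + "/24", strict=False))
            reply_sources[(dst, net)].add(src)
    # Many distinct hosts in one /24 answering pings our host never sent is
    # the amplifier signature seen from the victim's side.
    reply_flood = {key: len(hosts) for key, hosts in reply_sources.items()
                   if len(hosts) >= reply_threshold}
    return {"spoofed_egress": spoofed_egress,
            "amplifier_probe": amplifier_probe,
            "reply_flood": reply_flood}


if __name__ == "__main__":
    for name, items in audit(SAMPLE_PACKETS).items():
        print(name, items)
```

    On Cisco IOS the amplifier finding is closed with `no ip directed-broadcast` on each interface and the spoofed-egress finding with an outbound access list that only permits your own prefixes as source; the reply flood can only be filtered upstream, which is the point the poster is making.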

  17. Bleach. Buzzwords. by Anonymous Coward · · Score: 0

    Cyber this, cyber that. I expect "paradigm" will show up soon :-| Whatever happened to News for Nerds? Any self-respecting Nerd would rather hang himself with a couple of meters of UTP cable before uttering the phrase, "Cyber Vigilantes."

  18. Questions by Anonymous Coward · · Score: 0

    All excellent points. I agree with your summary
    of the article.

    No automated response system is foolproof. Just
    look at loops between SMTP auto-responders.
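    The auto-responder loop the poster mentions is the textbook case of two automated responses feeding each other. As an added example (not the poster's code), here is the guard logic a responder needs before it answers: skip anything marked as machine-generated (Auto-Submitted, RFC 3834), bulk or list mail, bounces with an empty envelope sender, and mail that already carries our own marker header. The marker header name, the responder identity and the sample messages are assumptions for the example.

```python
from email import message_from_string

GUARD_HEADER = "X-Autoreply-Guard"     # hypothetical header our responder stamps on every reply
OUR_TAG = "vacation@mail.example.org"  # hypothetical identity of this responder


def should_autoreply(raw):
    """Decide whether an incoming message may be auto-answered without risking a loop."""
    msg = message_from_string(raw)
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False                     # RFC 3834: generated mail never gets a reply
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return False
    if "List-Id" in msg or "List-Unsubscribe" in msg:
        return False
    return_path = msg.get("Return-Path", "").strip()
    if return_path in ("", "<>"):
        return False                     # bounces carry an empty envelope sender
    sender = (msg.get("From", "") + " " + return_path).lower()
    if "mailer-daemon" in sender or "postmaster@" in sender:
        return False
    if OUR_TAG in (v.strip() for v in msg.get_all(GUARD_HEADER, [])):
        return False                     # our own reply came back: the loop stops here
    return True


def make_autoreply(raw):
    """Build the reply with the headers that let other responders recognise it."""
    msg = message_from_string(raw)
    headers = [
        f"From: {OUR_TAG}",
        f"To: {msg.get('From', '')}",
        "Auto-Submitted: auto-replied",
        "Precedence: bulk",
        f"{GUARD_HEADER}: {OUR_TAG}",
        "Subject: Re: " + msg.get("Subject", ""),
    ]
    if "Message-ID" in msg:
        headers.append(f"In-Reply-To: {msg['Message-ID']}")
    return "\r\n".join(headers) + "\r\n\r\nI am away; your mail will be read on my return.\r\n"


# Constructed sample messages.
INCOMING = (
    "Return-Path: <alice@example.com>\r\n"
    "From: alice@example.com\r\n"
    "To: bob@mail.example.org\r\n"
    "Message-ID: <1@example.com>\r\n"
    "Subject: lunch?\r\n"
    "\r\nAre you around on Friday?\r\n"
)
BOUNCE = (
    "Return-Path: <>\r\n"
    "From: MAILER-DAEMON@example.com\r\n"
    "Subject: Undelivered Mail Returned to Sender\r\n"
    "\r\nhost unknown\r\n"
)

if __name__ == "__main__":
    print(should_autoreply(INCOMING), should_autoreply(make_autoreply(INCOMING)))
```

    Feeding the responder's own output back through `should_autoreply` is the test that matters: two responders that both honour Auto-Submitted can never ping-pong, and the guard header catches the case where the other side strips it.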


  20. How to get CmdrTaco by Anonymous Coward · · Score: 0

    Automated returned attacks? Baseball bats? Hackers? Isn't it nice to read responsible objective reporting? I'm amazed that they didn't mention sending killer electrons through the phone lines to short out the offensive computer.

    On a lighter side (I think), this article did make me think of one possible scenario. As opposed to DoS, there is another more insidious form of attack: Distributed DoS, aka the /. effect. When someone discovers that their site has crashed under the weight of the /. effect, they can then send their goons out searching for CmdrTaco (or Sengan, or Hemos). Now all I have to do is find the right site and get /. to post the requisite article/link.

    BTW, have you seen the new IBM commercial that features the "Hackers"? Real nice. The cracker is able to send e-mail of sensitive info to everybody almost immediately after breaking in. I bet the updated commercial will have dark-suited, white-shirt, clean-cut goons immediately rushing in and wailing away with their bats.

  21. A little over the edge by Anonymous Coward · · Score: 0

    I manage a small network of ~20 computers, however, the information being transferred is sensitive so I don't take any type of attack lightly.

    Although I've never taken a plane across the country to kick some 15 year old's ass, I have used offensive tactics to have a bit of fun.

    For example, almost every DoS or attempt to exploit an old daemon has come from a Red Hat 5.x machine on a cable modem. Obviously, these versions have numerous security holes, so oftentimes I'll write down the IP and use the same damn exploit on their machine to take their machine out of commission. It's quite a fun time filler when the Win9x boxes are behaving.

    Ciao!

  22. Sorry about my original angry post... by Anonymous Coward · · Score: 0

    I took out my crappy day on you.

    I'll go into a little more detail......

    So say I want to seriously mess up someone for a while.

    The first thing I do is hop on IRC and do a

    /who *RHS*

    I'll do it right now and paste the output:


    #punk cub` H ~jmack@chwk-port36.imag.net (RHS Linux User)


    There is my target. More than likely someone that just installed an old version of redhat and has a mess of ports open.

    Chances are that this person doesn't have tcpdump or anything else running to detect a portscan. Just to be safe, I'll use ftp-scan to find out what ports are open. ftp-scan uses an anonymous ftp server to do my work for me.

    I do an nslookup to find out what the IP is of host chwk-port36.imag.net, or I simply use the
    /dns IRC command. 204.244.71.36 is the IP.

    Now I find an anonymous ftp server to do the scan.

    ftp-scan ftp.someserver.com 204.244.71.36 1 150 [130]
    230 Guest login ok, access restrictions apply.
    21 connected.
    23 connected.
    25 connected.
    53 connected.
    79 connected.
    80 connected.
    110 connected.
    111 connected.
    113 connected.
    143 connected.

    Let's see, should I use the pop3, bind, or the imap exploit to obtain a remote root shell on this machine?

    Once I'm in, I might as well have never been there and I can do anything to anyone I want with absolutely no fear of being caught. If I'm a total loser, I can delete the whole system. What I'd be more likely to do though is install a rootkit so that I can use this person as well as 60 others when they pop up on my notify on IRC. I'd also make sure not to use a denial of service attack that doesn't spoof packets UNLESS I'm 100% sure that the target machine is affected by the attack, and I don't mind losing this patsy for my evil doing.

    Or, I can't have my 10,000 Back Orificed clients start pinging the crap out of whoever I want.

    I want to see an intelligent firewall defend against an attack from 1,000,000 unique IP addresses.

    There is a fundamental stupidity in any company that uses a firewall as their only line of defense. Too many companies rely on the old tried and true DMZ/bastion server/internal network setup. They will do something stupid like run an old-ass apache or bind or pop3 or use imap on a bastion server, then someone will get in that machine, and follow another route right into the internal network. Or they can just hang out and sniff packets all day until they have a mess of passwords. Chances are they won't even have to do that since most sites are stupid enough to use the EXACT SAME ROOT PASSWORD on their internal machines that they use on their bastion servers. They will get compromised. This isn't magic folks. This isn't something only highly skilled people can do. Anyone that can type 'make' can go to rootshell.com and use their very convenient search engine to look up exploits for specific services and exploit them on machines run by morons that do not follow bugtraq.


    And how about these killer firewalls. I think it's going to be funny as hell when someone gets a whole mess of them to attack one another.

    You can't win this war. I speak from being an ex-IRCop. I finally got sick of the BS and quit.

    Oh, btw.... The information at the top of this post is accurate, but it's been fabricated to protect the stupid. And I'm not an evil hacker or a packet monkey myself. I just decided to find out exactly how this shit is done so I could understand that our collective stupidity makes fighting this type of war futile.


    just my 25,000 dollars worth. -- what I normally charge for a full security audit.
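    The "ftp-scan" step above is the FTP bounce trick: the client sends a PORT command naming some third host and port, then asks the FTP server for a listing, and the server's reply (data connection built or not) tells the client whether that third host's port was open, so the scan comes from the FTP server's address rather than the scanner's. As an added example, not the poster's tool, here is the server-side check that kills it: the PORT address must equal the control connection's peer and must not name a privileged port. The bounceable variant is kept deliberately unsafe for comparison; the reply code values follow RFC 959, the message text and the sample addresses are constructed.

```python
import re

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)


def parse_port(cmd):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (host, port) as RFC 959 defines it."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]


def accept_port_bounceable(cmd, control_peer):
    """The classic behaviour: connect wherever the client says. Deliberately unsafe."""
    return parse_port(cmd)


def accept_port_hardened(cmd, control_peer):
    """Refuse data connections to any host but the one talking to us."""
    host, port = parse_port(cmd)
    if host != control_peer:
        raise PermissionError("PORT host must match the control connection peer")
    if port < 1024:
        raise PermissionError("PORT to a privileged port refused")
    return host, port


def reply_to_port(cmd, control_peer, policy):
    """Simulate the server's reply line so the two policies can be compared."""
    try:
        host, port = policy(cmd, control_peer)
    except ValueError:
        return "501 Syntax error in parameters or arguments."
    except PermissionError:
        return "500 Illegal PORT command."
    return f"200 PORT command successful ({host}:{port})."


# Constructed scenario: the scanner's control connection comes from
# 203.0.113.9 and it asks the server to open a data connection to port 143
# on a third host, 192.0.2.36.
SCANNER_PEER = "203.0.113.9"
BOUNCE_CMD = "PORT 192,0,2,36,0,143"        # 0*256 + 143 = 143 (imap)
LEGIT_CMD = "PORT 203,0,113,9,19,136"       # 19*256 + 136 = 5000, back to the peer

if __name__ == "__main__":
    for policy in (accept_port_bounceable, accept_port_hardened):
        print(policy.__name__, reply_to_port(BOUNCE_CMD, SCANNER_PEER, policy))
```

    With the hardened policy the scanner's LIST never gets a data connection and learns nothing about port 143 on the third host. Passive mode (PASV) has no equivalent problem on the server side, so many servers simply refuse PORT from anonymous users altogether.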

  23. BULLSHIT by Anonymous Coward · · Score: 0

    I'm truly surprised that I haven't heard about any cases of packet extortion with someone demanding money be sent to a foreign account or they will continually smurf the target.

    Well, there was something similar (sp?) last year in a south american country, but instead of smurf they used winnukes...

  24. Just switch your intra/extranet to 100% Macintosh. by Anonymous Coward · · Score: 0

    Security problems solved. :^)

  25. Perhaps it was a JavaSCRIPT attack by Anonymous Coward · · Score: 0

    People (especially those as uninformed as many in the news media) often mix up Java and Javascript, since the names are so similar, and they both can pop up windows in their IE/Netscape.

    It's usually pretty easy to crash a PC with Javascript, if you let the page keep loading, and popping up windows, etc.

  26. a name for the automated countermeasures by Anonymous Coward · · Score: 0

    WOPR... then some kid will dial into it, and launch an attack on some innocent server in Russia.

  27. IT'S THE PROTOCOL STUPID by Anonymous Coward · · Score: 0

    Let me wade into this with a pin on my nose.......


    "There's a very fundamental problem with this attitude.. If you believe you can't win........."

    Win? what the fuck are you talking about? There is nothing to win here. This isn't a fucking football game son.

    "with their k0o1 smurf attacks, are you going to simply volunteer root on your system instead of facing their ph34rs0m3 wr4tH?"

    Hook me up with the smurf exploit code that hacks root. I wanna see that.

    "Your comments could lead one to believe that if a network is threatened by these same socially-inept spermbots it's easier/better to just give them what they want."

    Sure!! I suppose if you were a fucking moron you could give them what they want, which is confrontation. They want a war. These kids spend 16 hours a day learning this stuff on pages set up all over the damn place with surprisingly accurate information. These kids also know MORE about what's going on most of the time than the people they are attacking.

    "don't personally see a problem with selective counterstrikes. especially if they are directed against machines named smurf"

    If the machine is named smurf, then they probably hacked the piss out of your old-ass resolver already and the machine could be anything. How do you think they get cool hostnames like I.am.yet.another.fucking.moron.that.hacked.the.dns.on.some.pathetic.internet.jocks.network.com
    I usually end up doing a traceroute and a whois -h arin.net on the IP to try to find out who they are, and it's usually a sprint CIDR block IP.
    But you go right ahead and attack a machine that could be any machine. The net really needs all the extra packets. It's your civil fucking duty to accomplish absolutely nothing.

    "As far as hacked systems being used to launch these attacks, network admins have got to maintain their networks integrity, if they can't, there are others that will. Having pity on them isn't the solution. Tightening up their systems is."

    Ya think? That's like saying the number one thing you can do to keep your car running reliably is to make sure you don't run out of gas. I'll chalk that up to a collective NO SHIT. Smurfing the piss out of their machines is really going to help a lot. How about a fucking email with detailed information? I usually get all the information I can and send it to anyone I can on the system that hit me. That could be:

    1 finger information
    2 open ports
    3 tcpdump output
    4 smurflog output
    5 times for anything that isn't stamped
    6 the timezone I'm in (very important one)
    7 Useful URLs for things like smurf information, or the address of the exploit used to carry out the attack if it's obvious.
    8 address of all known messed up machines.


    A good example was that several machines on mailstart.com kept trying to hack my pop3. So I gathered up a shitload of information and sent it off to root, postmaster, the address of the technical contact on the domain, etc. The attacks stopped later. Imagine that. Of course, I guess I could have just been a lazy fuck and smurfed the piss out of them. Personally, I think educating the people responsible for the machines makes more sense in the long run.


    The problem here is that people do not want to take the time to educate themselves on this stuff. How freaking hard is it to have one person follow bugtraq and let everyone know what needs upgrading or tossing away? How freaking hard is it to set your network up so that smurfed packets can't be sent out of your network, and set it up so that it can't be used as a smurf amplifier?
    I guess all that is just way too damn hard. I hate suggesting actual thought here, but when are we all going to get our shit together? How hard would it be for Cisco and other router and switch manufacturers to have their routers set up by default to not allow smurfed packets to travel outside their network, and not allow the network to be used as a smurf amplifier?
    Well fuck all that. Let's just reduce the net to the old west, with a bunch of fucking morons out there shooting at each other. That's what it's all really about, right? I can't honestly believe that grown adults would advocate this bullshit instead of DOING THEIR FUCKING JOBS.


    This all boils down to being clueful instead of being a dumbass.

  28. A Thin Line by Anonymous Coward · · Score: 0

    I would not hesitate to strike back with baseball bats against anyone who, just for fun, makes me waste lots of time and money. Just because the law can't do anything about that doesn't mean these assholes shouldn't get punished. Trust me, with both legs broken someone usually doesn't fight back.

  29. Questions by Anonymous Coward · · Score: 0

    4) If you make a point of sending out goons to pound on the doors of suspected hackers and threaten them with physical violence, what's to stop the crackers from being prepared for the goons... with something more than just baseball bats? (Like for instance, video cameras taping you saying "Hello, we're from XYZ corporation and we're here to beat the snot out of you!" Can you say "Civil lawsuit?" I knew you could!) Remember, you're at a BIG disadvantage on someone else's home field, where they may or may not be the son of the local police chief!

    Not a Civil, but a Criminal case - breaking into someone's house and stealing their computer is a criminal offense, and so is assault.

  30. you're all fuq1n cluebies by Anonymous Coward · · Score: 0

    It's more than obvious the people here trying to 'discuss' security and DoS attacks know nothing about what they are talking about. "Striking back against a smurf". All I can say to that is 'Oh-kay'. I'd like to see a retaliation against a machine USED to send the spoofed icmp echo requests to the broadcast host. The first part is finding the box(es) that spoofed the ping packets. The second part is finding the kid who rooted the box used to do it. 'Retaliations' just are not going to happen -- sorry.
    (Against real hackers or clever script kids)

    as for cgi-penetrators and phf warriors, well, crash their netscape for all i care, they're no real threat

  31. Another sysadmin agrees: No counter-attack! by Anonymous Coward · · Score: 0

    Totally stupid idea. I hope that if any Fortune 500 companies really do this sort of stuff, their CEOs are aware that they could go to jail as accessories to the acts performed under their counteroffensive policies. If anyone gets tricked into "counter-attacking" a system or network I manage, they can count on getting prosecuted to the fullest extent of the law.

    Also, as a sysadmin I will not ever volunteer any assistance or cooperation to someone who is known to use counter-attacks. I would rather protect a (cr|h)acker on my network than be a party to vigilantism.

    Finally, if any baseball bat wielding corporate thugs show up at my office, at my house, or in my community, I will defend myself, my loved ones, and my neighbors to whatever degree the law allows. With very fast, 9mm diameter bits of hot lead, whenever legally possible.

  32. I don't think so, buddy boy. by Anonymous Coward · · Score: 0

    You pull that shit on one of my systems, Mr. Man, I'll put your ass in jail faster than you can say "spoofed IP address".

  33. IT'S THE PROTOCOL STUPID by Anonymous Coward · · Score: 0

    Good lord. Go fuck a wall socket. All I'm saying is viewing something like this as a war is fucking stupid. It's not a war. It's a network situation to deal with in a professional manner. If you want to play Hopalong Cassidy then go hang out on IRC with the rest of the leet0 wannabes. The fact of the matter is that launching a retaliatory attack is plain fucking stupid. If ANY of my admins EVER do this type of shit they WILL get walking papers. They have been warned.

  34. This guy is dumb. by Anonymous Coward · · Score: 0

    The guy is dumb. The other guy uses too much profanity, but he seems to know his stuff. They are both really annoying. But the dumb guy is more annoying because he isn't really saying anything.

  35. Electronic Disturbance Theater by psychonut · · Score: 1

    Unfortunately the article didn't give a link to Electronic Disturbance Theater, so I will give one: http://www.nyu.edu/projects/wray/CHRON.html - This gives a record of previous EDT actions including the one mentioned in the article. The incident was not really a hacker attack; it was a coordinated effort by people around the world basically reloading the web pages of the Pentagon, Mexican President Zedillo and the Frankfurt Stock Exchange, not as a means to do harm, but to publicize and display their displeasure about the situation with the Zapatistas in Chiapas, Mexico. YA BASTA!

  36. Questions by psychonut · · Score: 1

    > The correct response to an attack is to 1) Filter out the offending packets 2) alert all upstream ISPs to the problem 3) working with the ISPs, try to trace the problem back to its source 4) shut off the connection as close as possible to the source.

    Much easier said than done. This was no traditional hacker attack. There was no single source. It was a coordinated action of civil disobedience by thousands of people across the world.

  37. Attacks/responses/... by Alex+Belits · · Score: 1

    1. If the attack was done with browsers, and it can be shut off just by sending back large files, we are probably dealing with people who wrote software for Yorktown on one side, and warez kiddies on the other. However most likely people had a bit more clue, and the attack was automated while the response was just a ping flood. Not smart, but above the complete idiocy described in the article.
    2. One must protect his system by properly configuring it. I have seen a lot of people who got their boxes cracked because they configured them improperly, ignored advisories and updates, etc. -- this is the equivalent of having a house with no locks.
    3. If someone launches the attack from a vulnerable system he must expect that his vulnerability will be exploited, and it's pretty reasonable for the attacked sysadmin to do that. However causing DoS for the whole ISP where the attacker's box is connected is stupid and irresponsible.
    4. DoS by plain excessive use is a kind of attack that a lot of things are vulnerable to. In some cases it should be expected, and the server should be just large enough to survive it unharmed. In some cases there is a need to respond to it by disabling requests from the source -- such an attack often requires large resources and can't change the source easily. DoS of another kind may expose OS and application insecurity, and then it may be necessary to replace both things -- but this is life.

    --
    Contrary to the popular belief, there indeed is no God.

  38. Bad Idea. by Trepidity · · Score: 1

    Well, I'd rather have the IRC script kiddies around than these not-quite-grown-up script kiddies with jobs who hire thugs to go break into people's houses.

    Breaking and entering, theft, and assault are all serious charges, and "they tried to break into our computers" is not going to cut it as a defense in court. I hope this Cipher guy gets in jail for a long time.

  39. A little over the edge by Trepidity · · Score: 1

    Those Red Hat boxes on a cable modem were probably *already* cracked. More likely than not, their owners are not the ones attempting to exploit your system, just the unwitting proxies in an attack on your system by somebody else who compromised their system first.

  40. Let me get this right, a JAVA counter attack by bluGill · · Score: 1

    Java runs in a sandbox, which (assume it works) limits what you can do to attack.

    However I really wonder how effective any attack can be that relies on java enabled browser. Can we say overhead? I can program in C something that will allow my 386 to do more damage. I was going to say more but then I realised that the script idiots who do these attacks would use my idea for ill. I'm not a military supporter (Mind you I'm not anti-military, I agree we need them, but I would rather be an isolationist.) but anything they do to counterattack these kids is good in my book. Better of course would be to try them as adults and send them to prison for a few years.

    Parents, pay attention to what your kids are doing. Parenting is hard work, and you don't dare slack off; some of the nicest kids I've known have turned out to be crooks while the nose ring and tattoo kids have turned out to be honest once in a while. (I went to high school with both types. Both groups had about an equal amount of crooks.)

    bluGill, I don't know if this login thing is working or not.

  41. The attack really happened by adamsc · · Score: 1

    Personally, I don't see any problem with this sort of thing. Now, going on the offensive with DoS attacks in retaliation is another matter, but really this is more of an amusement than anything else.

    More importantly, this is a very good solution because it doesn't harm innocent users and it doesn't attack the user unless they ask it to. The attacker has to request the page before they get nailed. This is like a burglar cutting himself while breaking your window...

  42. Interesting article by mackga · · Score: 1

    I thought it was pretty interesting, myself. Dunno about the fella who wrote it - a poster above seems to give him less than sterling credentials. But I think from a technical pov, it's kind of a neat concept.

    Sure, the best defense is a good admin with up-to-date info and the latest patches for the server/router/firewall. If the kiddies can't get in, they can do no harm. If they can't DoS or hijack you, you're cool. But it's still kind of tempting, I would think, to stick some reactive armor out there.

    --

    "shop smart:shop s-mart" ash

  43. Common Thugs by sql*kitten · · Score: 1

    or call their parents...

  44. Why this bugs the heck out of me by Frater+219 · · Score: 1

    This bugs the heck out of me for two very simple reasons:

    1. Floods don't just flood the target system; they increase load (sometimes dramatically) on all the routers and links between the flooder and the target. While many DoS attacks are not floods, a lot of the simpler ones (e.g. ICMP directed-broadcast amplified ping flooding, aka "smurf" attacks) are.

    2. I administer Linux and Unix systems for a small college. If some freshman IRChead here decides to do stupid things to some remote site, I would much prefer that the remote sysadmin send me logs and ask nicely for the problem to be solved, rather than trying to attack my systems.

    When I find a system here being portscanned, I don't start plotting revenge against the evil hAx0rZ. I do a reverse DNS on the originating site, get the admins' addresses from whois, send them the appropriate log clippings, with a nice note saying "I think you're harboring a cracker; please do something about it."

    This gets results.

    I'm *certain* it gets better results than smurfing the offending site back.

    1. Re: Why this bugs the heck out of me by El · · Score: 1

      My sentiments exactly. No sane person would seriously contemplate active countermeasures...

      --

      "Freedom means freedom for everybody" -- Dick Cheney

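    The log-triage-and-notify routine the comment above describes, as an added example that is not part of the original thread or the article: it parses a constructed firewall log (loosely modelled on ipchains "Packet log" lines; the host "gw", the addresses and the times are invented), flags any source that probes several distinct ports within a minute, reverse-resolves that source, and composes the note with the matching log clippings. The hostname lookup is injectable so the code runs offline, and the abuse@ mailbox guess stands in for the whois lookup the poster mentions; both are assumptions of this example, not anything the poster said.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample log, loosely modelled on ipchains "Packet log" lines.
# Host "gw", the addresses and the times are invented for this example:
# 10.9.8.7 probes seven services on 192.168.5.10 within a minute, while
# 10.4.4.4 just fetches a web page twice.
SAMPLE_LOG = """\
Jan 12 23:14:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:41234 192.168.5.10:21 L=44 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Jan 12 23:14:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:41235 192.168.5.10:23 L=44 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Jan 12 23:14:03 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:41236 192.168.5.10:25 L=44 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Jan 12 23:14:03 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:41237 192.168.5.10:79 L=44 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Jan 12 23:14:04 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.4.4.4:1033 192.168.5.10:80 L=44 S=0x00 I=0 F=0x4000 T=128 SYN (#1)
Jan 12 23:14:05 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:41238 192.168.5.10:110 L=44 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Jan 12 23:14:05 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:41239 192.168.5.10:111 L=44 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
Jan 12 23:14:40 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.4.4.4:1034 192.168.5.10:80 L=44 S=0x00 I=0 F=0x4000 T=128 SYN (#1)
Jan 12 23:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:41240 192.168.5.10:80 L=44 S=0x00 I=0 F=0x4000 T=64 SYN (#1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_log(text):
    """Turn matching log lines into dicts; anything else is skipped.
    The syslog timestamp carries no year, so a window must not cross one."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        entries.append({
            "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "action": m["action"], "raw": raw,
        })
    return entries


def find_scanners(entries, min_ports=5, window_s=60):
    """Return {src: sorted distinct ports} for every source that touched at
    least min_ports distinct destination ports inside some window_s window."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append((e["time"], e["dport"]))
    scanners = {}
    for src, probes in by_src.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


def default_lookup(ip):
    """Reverse DNS via the system resolver; falls back to the bare address."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def build_report(src, entries, lookup_hostname=default_lookup):
    """Compose the note to the remote admins, quoting only lines from src.
    Assumption: the site honours the RFC 2142 abuse@ mailbox for its domain;
    in practice you confirm the contact through whois, which is not done here."""
    hits = [e for e in entries if e["src"] == src]
    if not hits:
        raise ValueError(f"no log lines from {src}")
    hostname = lookup_hostname(src)
    labels = hostname.split(".")
    if hostname == src or len(labels) < 3:
        contact = "(netblock owner from whois)"
    else:
        contact = "abuse@" + ".".join(labels[1:])
    ports = sorted({e["dport"] for e in hits})
    targets = sorted({e["dst"] for e in hits})
    first = min(e["time"] for e in hits).strftime("%b %d %H:%M:%S")
    last = max(e["time"] for e in hits).strftime("%b %d %H:%M:%S")
    body = [
        f"To: {contact}",
        f"Subject: port scan from {hostname} ({src})",
        "",
        f"I think you're harboring a cracker: {src} ({hostname}) probed "
        f"{len(ports)} ports on {', '.join(targets)} between {first} and "
        f"{last} (our local time). Please do something about it. "
        "Log clippings follow.",
        "",
    ] + [e["raw"] for e in hits]
    return "\n".join(body)
```

    Run it against your own firewall log instead of SAMPLE_LOG; the only thing to tune is the scan threshold, which is deliberately loose here so the constructed sample trips it.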
  45. The *attack* was Java-based by Fastolfe · · Score: 1

    The group that originally organized the attack against the Pentagon utilized Java applets on a page someplace. They had all of their buddies/members load the page and let the Java applet there perform the actual attack (I believe by spawning one or more windows pointing to the Pentagon site and having them continuously refresh).

    When the Pentagon put their "counter-attack" applet up (which detected the presence of the attacking applet and then started spawning new browser windows uncontrollably), it basically caused all of the attacking computers to run out of resources.

    It's really rather amusing. I don't really consider it a "vigilante" type of attack. In my opinion it was very effective and neutralized the attack.

  46. Script kiddies typically aren't law savvy by Fastolfe · · Score: 1

    Most of the kids doing these attacks don't just target one company. They tend to be repeat offenders and attack anyone and everyone that pisses them off. They are deluded into thinking they're untouchable behind that computer screen and for that reason, none of them would think about setting up video surveillance as you described.

    Typically, they're nothing more than your average adolescent anti-social IRC script kiddie. If they were really anything more (any sort of threat to corporate thugs), they would be doing something better with their time.

    I totally agree that breaking into homes and (even threatening) assault shouldn't be done, but I do sympathize with the companies who are victims of this type of Internet abuse. They usually have little (if any) affordable legal option.

  47. The pentagon attack *was* browser-based by Fastolfe · · Score: 1

    I sent the story to slashdot when it happened, but it was apparently deemed unimportant.

    Basically, a group of people wrote a Java applet that allowed their friends/members to use their browsers to constantly load pages from the Pentagon servers. They could just start up this applet and go eat dinner while their computer helped in this massive collaborative DoS effort.

    The Pentagon, in response, put a Java applet on their own page that detected when visitors were using the attacking applet. When detected, the Pentagon's applet would then start spawning windows uncontrollably until the attacking PC's resources were eaten up.

    I thought it was a rather clever response. I don't feel they were being very "vigilante" about it at all. It was actually pretty amusing, and neutralized the attack very effectively.

  48. "clever" script kiddies? by Fastolfe · · Score: 1

    It doesn't take a clever person to get a shell password from someone off of IRC, telnet to it, and run "./smurf victim.com". The "clever" part of the attack (spoofing IP addresses, the attack itself) is all built into the pre-packaged DoS program for the convenience of idiots everywhere.

    Though I do agree that actually tracking down people doing the smurfing is difficult, but it isn't impossible.

    You simply need to have the swift, clueful cooperation of every Internet provider at every hop the spoofed packet takes before it arrives at one of the reflector networks. So long as they're willing to help you out and provide you with information about what uplink *they're* receiving the spoofed packets from, you can track it back to the source. If the attack lasts long enough, this can be achieved.
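    The hop-by-hop traceback the comment above describes, as an added example that is not code from the thread or the article: each provider in turn is asked which interface, and therefore which neighbour, the forged packets (source = the victim, destination = the reflector network's directed-broadcast address) arrived on, and the walk continues upstream until it reaches an edge customer port or a provider that will not share its data. The provider names, interfaces, addresses and flow records are constructed for the example; the decoy records show why the lookup keys on the whole (src, dst, proto) and not just the source.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One record a provider can pull for us: which interface the packets
    came in on, who sits on the far side of it, and the traffic key."""
    ingress_iface: str
    neighbor: str   # peer/transit name, or "customer:<port>" for an edge port
    src: str
    dst: str
    proto: str


VICTIM = "203.0.113.9"               # forged source: the real smurf target
REFLECTOR_BCAST = "198.51.100.255"   # directed-broadcast address of the reflector LAN

# Constructed flow records at four providers. The forged packets enter at
# dorm-isp's customer port 17, cross transit-b and transit-a, and reach the
# reflector network, whose hosts all answer VICTIM.
PROVIDERS = {
    "reflector-isp": [
        Flow("ge-0/0/1", "transit-a", VICTIM, REFLECTOR_BCAST, "icmp"),
        Flow("ge-0/0/2", "customer:web-co", "198.51.100.20", VICTIM, "tcp"),
    ],
    "transit-a": [
        Flow("xe-1/1/0", "transit-b", VICTIM, REFLECTOR_BCAST, "icmp"),
        # decoy: a genuine ping from the victim, same source, other destination
        Flow("xe-1/1/3", "victim-isp", VICTIM, "192.0.2.77", "icmp"),
    ],
    "transit-b": [
        Flow("xe-0/3/1", "dorm-isp", VICTIM, REFLECTOR_BCAST, "icmp"),
    ],
    "dorm-isp": [
        Flow("fe-3/17", "customer:dorm-port-17", VICTIM, REFLECTOR_BCAST, "icmp"),
    ],
}


def ingress_points(flows, src, dst, proto):
    """All (interface, neighbour) pairs on which this provider saw the key."""
    return sorted({(f.ingress_iface, f.neighbor) for f in flows
                   if (f.src, f.dst, f.proto) == (src, dst, proto)})


def trace_back(providers, start, src, dst, proto, cooperating):
    """Walk upstream one provider at a time. cooperating is the set of
    providers willing to answer. Returns (path, status)."""
    path, current, seen = [start], start, set()
    while True:
        if current in seen:
            return path, f"loop: already asked {current}"
        seen.add(current)
        if current not in cooperating:
            return path, f"stopped: {current} will not share ingress data"
        hits = ingress_points(providers.get(current, []), src, dst, proto)
        if not hits:
            return path, f"lost: {current} has no matching flows"
        if len(hits) > 1:
            return path, f"ambiguous: {current} sees it on {len(hits)} interfaces"
        iface, neighbor = hits[0]
        path.append(neighbor)
        if neighbor.startswith("customer:"):
            return path, f"source port found: {neighbor} on {current} {iface}"
        current = neighbor


if __name__ == "__main__":
    print(trace_back(PROVIDERS, "reflector-isp", VICTIM, REFLECTOR_BCAST,
                     "icmp", cooperating=set(PROVIDERS)))
```

    Note where the walk starts: at the reflector's provider, not at the victim's, because from the victim's side the packets carry the reflector hosts' addresses and lead nowhere useful. One uncooperative hop, or a provider that keeps no ingress data, ends the trace with a partial path.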

  49. Broken link by RobotSlave · · Score: 1

    There's a close-angle-bracket at the end of the URL, otherwise it works fine. Please remove this post when it's fixed.

  50. Not surprising by RobotSlave · · Score: 1

    It isn't too surprising that some companies hire former script kiddies to manage their security. This is just the sort of macho capitalist move that large corporations love-- "we can buy out our enemies!" Bad move, but not surprising. There's no way for these companies to get rid of workers like that, and an admin who uses tactics discussed in the article can probably extort whatever sort of salary he or she wants from the company.

    This is basic, first-day-of-school security-- beware the disgruntled employee.

    I think this represents a minority of the security community, though. There are CTOs that can make intelligent hiring decisions, and a good security person can handle their *personal* insecurities.

  51. Right to Bear Arms? by aprentic · · Score: 1

    The Constitution guarantees us (well some of us) the right to keep and bear arms. This particular clause has come under fire recently under the argument that it was created during a time when such rights were necessary because law enforcement was inadequate if not responsible for many crimes.
    Since this same government has classified cryptography as munitions, does not each citizen have the right to outfit their system with the most advanced security and counteroffensive technology they can afford? And if we are given the right to maintain such arsenals, are we not justified in using them when law enforcement is inadequate or responsible? But if everyone is bandying around such firepower the internet could get pretty spicy in the next few years.

  52. Misunderstanding? by aprentic · · Score: 1

    Maybe I was unclear in my post. I'm not arguing whether guns or encryption should be illegal. I'm taking a guess at the future.
    My first point was that we are guaranteed the right to keep and bear arms.
    Second, the government has already set a precedent for information to be classified as a weapon. If we concede that a weapon does not need to cause physical harm but is anything which potentially gives you power over your fellow men, then a lot of technology could be considered weapons, including counteroffensive technology.
    Throughout history those who controlled the weapons, the warrior class, had the power to do a lot of damage to the populace. But in just about any culture I can think of such power was tempered by a code of conduct, which usually included the idea that you can blast away at other soldiers but leave the civilians alone. Maybe it's time for such a code to develop for today's warrior class?

  53. A Thin Line by GreenPickles · · Score: 1

    I do believe that companies should strike back. If some kid is giving you a DoS attack, then striking back will slap him in the face and make him realize that he is being an idiot. Not necessarily just adding his IP to the firewall, because he'll just dial back in and start again. You have to hit the stupid bugger so he'll learn.

    On the other hand I think that you have to be really careful with this sort of stuff. Say I'm trying to connect to some corporate web site and the info isn't getting through, so I keep on hitting the reload button. Hopefully the software is set up in such a way that it will only 'strike back' in the most dire of needs.

  54. Baseball bats? by Baldy · · Score: 1

    "We had to resort to baseball bats. That's what these punks will understand."

    Riiiight. I meet tons of ubermacho-sysadmins (yeah, that's a common mix) every day who fly across the world threatening hackers/crackers with baseball bats. Nice reporting work. Wonder why the source is anonymous.

  55. Help requested by Lando · · Score: 1

    I'm putting together a response to this article and could use some help pulling together facts. This is the rough so far, and I'll be working on it today. I intend to submit it to wired, salon, cnn, Mr. Katz and call in to CNN Live tomorrow 1/14/99.

    Lando

    I've just finished reading Winn Schwartau's article Cyber-vigilantes hunt down hackers and I seriously question Mr. Schwartau's technical knowledge in this matter and knowledge of the cyber-community.

    My credentials are as follows. I am a systems administrator/analyst working on high end UNIX systems and have been in my current position for 2 years. I have been working on the internet since 1991 and before that was actively involved with BBS systems since the early 80's. I currently have 12 years of systems administration experience and over 20 years programming experience. I work within the computing field; however, computers are my hobby and after I leave work it is not unusual for me to spend 4-6 hours poring over code and working on personal projects. I am familiar with elite/cracking procedures and have worked with several hackers in the past in order to improve the security of my systems.

    Disclaimer: The opinions represented here are my personal opinions and observations. They do not represent any corporate opinion or policy within my current employer. Portions of this message were developed and expanded by reading the comments section of Slashdot(1)

    Introductions having been completed, I'd like to point out several problems with the news article posted by Mr. Schwartau. I believe this article was created to propagate fear and anxiety. I feel that the article is inaccurate and contains misrepresentation by Mr. Schwartau. Though it is the opinion of some of my colleagues that inaccuracy in technical matters is the norm, I feel that this article goes beyond acceptable limits.

    My primary objection is regarding the testimonial statements by Lou Cipher. To me these statements lack the ring of a professional system administrator. Referring to a post by Jabber on Slashdot(1):


    The fact that CNN would release a story in which it claims that a senior security manager at one of the country's largest financial institutions would actually say "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves", and incriminate himself by adding "We've broken in, stolen the computers and left a note: 'See how it feels?'" and "We had to resort to baseball bats. That's what these punks will understand" is an absolute joke. No one in "that" position would speak to the media this way and expect to be taken seriously.
    The remainder of the article seems Kosher enough, but the Lou Cipher bit begs the question of where CNN gets its information. Our CIO may be Beelzebub himself, but as far as I know, he doesn't have a KooL NiCk.


    Jabber's opinion mirrors my own. As I see it the Lou Cipher character is one of three things: someone in IRC chat that was having "fun" with Mr. Schwartau, who accepted that the other was a system administrator without verifying credentials; or Lou Cipher is a young computer buff who feels he knows more than most about computer systems and was hired by promoting himself as a "hacker" to the financial company, though he probably is not a senior security manager; or Lou Cipher is a fabrication.

    In recent months various news organizations have been "caught" creating the news rather than reporting the news, this article and the Lou Cipher character bring to mind another article where the newspaper published a supposedly true story of a hacker demanding money, etc from a corporation.

    As I said, the Lou Cipher character is the most blatant problem I see.

    Other notes of interest include,
    The news article is presented as current day fact and happenings, whereas the DOD attack and response were


    That out of the way, I'd like to point out several problems with the news article posted by Mr Schwartau; specifically, I believe this article was created not as a news article, but more as a sensationalist article made to provoke fear and anxiety.

    (1) Slashdot
    Homepage: http://slashdot.org
    Section referenced: http://slashdot.org/articles/99/01/12/1524230.shtml



    http://www.nyu.edu/projects/wray/memo.html
    http://www.nyu.edu/projects/wray/Sept26.html
    http://www.nyu.edu/projects/wray/CHRON.html September 10th
    http://www.thing.net/~rdom/ecd/ecd.html Homepage Electronic Civil Disobedience

    --
    /* TODO: Spawn child process, interest child in technology, have child write a new sig */
  56. So tempting. by grib · · Score: 1

    It's soooooo tempting to find two of these active firewalls and point them at each other. Look at all the grief that comes from "smurfed" pings, and those packets are supposed to be friendly!

    This has to be the stupidest idea since nuking accounts for 3 incorrect passwords.

    --
    An Object at rest CANNOT BE STOPPED! -The Evil Midnight Bomber What Bombs at Midnight
  57. heh... by cswiii · · Score: 1

    I have a feeling this should be from the "everyone-sent-me-this-URL" dept.

  58. No more laws by Natedog · · Score: 1

    Please, the last thing I want is a bunch of politicians trying to define what an attack is - the thought of this scares the hell out of me. What's even more scary is all the other legislation they'd try to pass along with it. Besides, the real problem would be enforcing the laws. I can't imagine the FBI taking time away from murder cases and the like to go to someone's house that's been scanning ports. The government is not the answer (since when has the government done anything well except the military and maybe the US Mail), nor is violence or physical action the answer (as the article talks about 'stealing' hackers' machines and using baseball bats). Companies on the net should work together to get these punks off the net. Most of them are probably on their parents' accounts and if the company were sent a letter or email and got the account canceled, problem solved. For those that use an account at college, same story.

    --
    \forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
  59. hey, I was wrong... by Natedog · · Score: 1

    "The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash."

    Why would anyone run this as an applet on the server? But an even better question is, how many serious hackers out there would launch an attack from a browser? This really makes me question the reliability of this article.

    --
    \forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
  60. Great questions... by Natedog · · Score: 1

    numbers 2 and 3 basically kill counter attacks all together.

    "4) If you make a point of sending out goons to pound on the doors of suspected hackers and threaten them with physical violence, what's to stop the crackers from being prepared for the goons... with something more than just baseball bats? (Like for instance, video cameras taping you saying "Hello, we're from XYZ corporation and we're here to beat the snot out of you!" Can you say "Civil lawsuit?" I knew you could!)Remember, you're at a BIG disadvantage on someone else's home field, where they may or may not be the son of the local police chief! "

    Better yet I'd have my gun pointed at their head as soon as the door opened! I wouldn't let any goon threaten me in my house, and if I felt that my family was in danger (as I might if someone were to break down the door with bats) I wouldn't hesitate to act.

    --
    \forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
  61. Right to Bear Arms? by Natedog · · Score: 1

    "Encryption is freely useable. Patent restrictions are about intellectual property rights, a completely different story altogether."

    In other words, encryption is regulated IN the US. Just because the status quo regulates something, it doesn't mean that these laws are constitutional. The US has overturned laws that had been in effect for years because they were later ruled unconstitutional (i.e. "Jim Crow laws").

    "your use of encryption has no affect on me"

    Actually, if a company is using little or no encryption (i.e. because of US export laws) to transmit sensitive data around the world, this could have an effect on you, more so if the data is _your_ personal info.

    --
    \forall code \in C, \frac{\Delta readability(code)}{\Delta t} < 0
  62. disable their machine before they cause damage by mattc · · Score: 1

    I've had these kiddies scanning my machines (I'm sure we all have) and it is sometimes interesting to do the same to them. Most of the time their machines are wide open, and even if you can't break in, you can do a lot of annoying things because they don't really know enough to figure out what is going on!

  63. The REALLY sad thing about this by jabber · · Score: 1

    The really sad thing about this is that CNN is becoming about as objective as PCMagazine.

    The fact that CNN would release a story in which it claims that a senior security manager at one of the country's largest financial institutions would actually say "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves", and incriminate himself by adding "We've broken in, stolen the computers and left a note: 'See how it feels?'" and "We had to resort to baseball bats. That's what these punks will understand" is an absolute joke. No one in "that" position would speak to the media this way and expect to be taken seriously.

    The remainder of the article seems Kosher enough, but the Lou Cipher bit begs the question of where CNN gets its information. Our CIO may be Beelzebub himself, but as far as I know, he doesn't have a KooL NiCk.

    --

    -- What you do today will cost you a day of your life.
  64. Sure by ponyisi · · Score: 1

    It's not that hard to do a denial of service attack with an applet. Display a lot of graphics, allocate tons of memory, ..., and your standard wimpy OS won't have the ability to stop it properly.

  65. Just a little wake up call. by pheonix · · Score: 1

    Here's a nice little real-world application of the "retaliation defense".

    I am a sysadmin for a medium sized (300-500 million annually) multi-national corporation. Approximately 4 months ago, our firewall was DoS'ed and taken down. Fortunately, it illustrated an open port that I hadn't noticed. Even more fortunately, when I checked the logs, I found that the DoS attack came from a MUCH larger company.

    Upon further investigation, it was found that their sysadmin, in his infinite wisdom, felt the need to attack a spoofed address, hitting us.

    In short, our lawyers had a field day earning our company MUCH money (read: millions) in a nice settlement, and the sysadmin found himself out a job, and more than likely looking at a bit of difficulty getting another job in the same niche.

    So please, go right ahead, fuck around and retaliate people. I look forward to getting another sizeable raise for "earning" a large amount of extra income for my company.

    -Pheonix

  66. Questions by El · · Score: 1

    1) Who the heck uses a browser for a Denial of Service attack??? Methinks the author of the article must be near clueless...

    2) What happens when your automatic strike-back firewall accidentally targets another automatic strike-back firewall?

    3) Doesn't strike-back invite a whole new brand of DoS attack, wherein one fakes a route to goad a company into "striking back" against an innocent party?

    4) If you make a point of sending out goons to pound on the doors of suspected hackers and threaten them with physical violence, what's to stop the crackers from being prepared for the goons... with something more than just baseball bats? (Like for instance, video cameras taping you saying "Hello, we're from XYZ corporation and we're here to beat the snot out of you!" Can you say "Civil lawsuit?" I knew you could!) Remember, you're at a BIG disadvantage on someone else's home field, where they may or may not be the son of the local police chief!

    5) Doesn't use of force always beget use of force? If you claim my attack justifies your attack, can't I claim your counter-attack justifies a counter-attack from me? Isn't this sort of stupid, short-sighted thinking exactly what causes minor disagreements to escalate into wars, or Hatfield-and-McCoy-style feuds that go on for generations?

    Overall, I found the article to be blatant sensationalism, without the slightest hint of being based in research of facts. Even the poll about the correct response didn't have ANY reasonable choices! The correct response to an attack is to 1) filter out the offending packets, 2) alert all upstream ISPs to the problem, 3) working with the ISPs, try to trace the problem back to its source, and 4) shut off the connection as close as possible to the source.

    Yes, I did once work for a firewall company that considered active counter-measures -- and then quickly discarded the idea for obvious reasons.

    --

    "Freedom means freedom for everybody" -- Dick Cheney

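    Questions 2 and 3 above (and the "point them at each other" remark in comment 56) as an added simulation, not code from the thread or the article: a host with a strike-back policy answers every packet it sees with several packets aimed at whatever source address that packet carried, believing it blindly, while a host with a filter policy drops the source and sends nothing. The host names, the retaliation factor and the round limit are assumptions chosen for the example; the point is the shape of the packet counts, not their exact size.

```python
from collections import Counter, deque


def simulate(policies, first_packets, max_rounds=10, retaliation=3):
    """Deliver packets round by round. policies maps host -> "strike_back",
    "filter" or anything else (just absorb). A packet is a (src, dst) pair
    and src is whatever the packet claims, which is the whole problem.
    Returns (delivered, dropped, rounds_run, still_in_flight)."""
    queue = deque(first_packets)
    delivered, dropped = Counter(), Counter()
    blocked = set()          # (host, source) pairs a filtering host has shut off
    rounds = 0
    while queue and rounds < max_rounds:
        rounds += 1
        nxt = deque()
        while queue:
            src, dst = queue.popleft()
            if (dst, src) in blocked:
                dropped[dst] += 1
                continue
            delivered[dst] += 1
            policy = policies.get(dst, "absorb")
            if policy == "strike_back":
                # retaliate against the claimed source, several packets per packet
                nxt.extend((dst, src) for _ in range(retaliation))
            elif policy == "filter":
                blocked.add((dst, src))
        queue = nxt
    return dict(delivered), dict(dropped), rounds, len(queue)


def two_strike_back_firewalls():
    """Question 2: one forged packet (claimed source A, sent to B) is enough
    to set A and B on each other; the exchange grows by the retaliation
    factor every round and only the round limit stops it."""
    return simulate({"A": "strike_back", "B": "strike_back"}, [("A", "B")])


def goaded_against_innocent():
    """Question 3: the forged source is C, who sent nothing and now takes
    B's retaliation. B never learns that C was not the attacker."""
    return simulate({"B": "strike_back"}, [("C", "B")])


def filter_only():
    """The response the comment recommends: B filters the offending source
    and the exchange ends in one round, whatever A's policy is."""
    return simulate({"A": "strike_back", "B": "filter"}, [("A", "B"), ("A", "B")])


if __name__ == "__main__":
    for name, scenario in [("two strike-back firewalls", two_strike_back_firewalls),
                           ("goaded against innocent C", goaded_against_innocent),
                           ("filter only", filter_only)]:
        print(name, scenario())
```

    The filter case is the only one that terminates on its own; the other two end because the simulation gives up, and a real network does not.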
  67. Right to Bear Arms? by El · · Score: 1

    Yes, you've got a right to defend yourself (with arms if necessary). But you DON'T have a right to go firing off shotguns when you have no idea what you're hitting. I would argue that on the Internet, it's never quite certain that the IP address you're retaliating against is in any way connected to the actual culprit you want to "get". Start blasting away at muggers and hit innocent bystanders, and you're likely to be staring down the barrel of a VERY expensive lawsuit...

    --

    "Freedom means freedom for everybody" -- Dick Cheney