Slashdot Mirror
Chad Davis May Be the Next Kevin Mitnick
19-year-old Chad Davis, of Green Bay, Wisconsin, made the front page of The Washington Post today. The story that features him says, "During [a] June 2 search, Davis admitted that he belonged to a notorious hacking gang that calls itself Global Hell, and the FBI agents let him know they were cracking down on the group. On June 28, Davis allegedly struck back: He replaced the Army's Internet home page with the message: 'Global Hell is alive. Global Hell will not die.'" The article reads like a chapter from The Hacker Crackdown, and it looks like Chad Davis may be used as an example of what the feds can do to crackers who mess with government sites. Mainstream news stories about Global Hell started appearing in May. I expect to see many more in upcoming months. Mitnick redux? Could be.
I don't think it's terribly hard at all, but what makes you think this machine is used only for the web site? Maybe they do e-mail on it too? All it takes is one exposed vulnerable service.
Even if they did split the tasks between servers, all it'd take is one exposed vulnerable service on one exposed system to make everything else behind that firewall exposed.
If you run some vulnerability scan against an entire subnet, find a system you can get into, it doesn't take much more work to proceed again to a system that you ordinarily wouldn't be able to reach. In many cases, those "firewalled" systems tend NOT to have the latest patches and fixes installed, simply because the admins don't feel that there's much of a risk, since the firewall will protect them.
I don't think his point was that technology is the culprit here. I think he was trying to say that they aren't doing all of this investigating and they aren't having such a hard time tracking these guys down because they're GOOD; the suspects simply have access to programs/scripts (written by someone else) that make it difficult to track them.
He was just pointing out that they're not dealing with super-sleuths, just kids with access to "technology."
A criminal is going to jail? Oh what a shame. I am deeply concerned about the welfare of script kiddies. Yeah, right.
On the other hand, if you are a hacker and find a security loophole on the same sort of sites and quietly let the owners of the site know about that, you should be able to report that without fear of being prosecuted.
Unfortunately there's a fine line here and it's rather hard to define. Maybe we need to have people join a Hackers Union to allow them ethical hacking privaledges.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
Mitnick screwed himself over. He waived his right to a speedy trial. I get so sick of seeing people talk about how Mitnick didn't get a speedy trial. He waived his right, it took a while, it's his problem.
-matt
It's all about the Pentiums, baby
Uhh, uh-huh, yeah Uhh, uh-huh, yeah
It's all about the Pentiums, baby
It's all about the Pentiums, baby
It's all about the Pentiums!
It's all about the Pentiums!
(Yeah!!)
What y'all wanna do?
Wanna be hackers? Code crackers? Slackers
Wastin' time with all the chatroom yakkers?
9 to 5, chillin' at Hewlett Packard?
Workin' at a desk with a dumb little placard?
Yeah, payin' the bills with my mad programming skills
Defraggin' my hard drive for thrills
I got me a hundred gigabytes of RAM
I never feed trolls and I don't read spam
Installed a T1 line in my house
Always at my PC, double-clickin' on my mizouse
Upgrade my system at least twice a day
I'm strictly plug-and-play, I ain't afraid of Y2K
I'm down with Bill Gates, I call him Money for short
I phone him up at home and I make him do my tech support
It's all about the Pentiums, what?
You gotta be the dumbest newbie I've ever seen
You've got white-out all over your screen
You think your Commodore 64 is really neato
What kinda chip you got in there, a Dorito?
You're using a 286? Don't make me laugh
Your Windows boots up in what, a day and a half?
You could back up your whole hard drive on a floppy diskette
You're the biggest joke on the internet
Your database is a disaster
You're waxin' your modem tryin' to make it go faster
Hey fella, I bet you're still livin' in your parents' cellar
Downloadin' pictures of Sarah Michelle Gellar
And postin "Me too!" like some brain-dead AOL-er
I should do the world a favor and cap you like Old Yeller
You're just about as useless as jpegs to Helen Keller
It's all about the Pentiums!
It's all about the Pentiums!
It's all about the Pentiums!
It's all about the Pentiums!
Now, what y'all wanna do?
Wanna be hackers? Code crackers? Slackers
Wastin' time with all the chatroom yakkers?
9 to 5, chillin at Hewlett Packard?
Uh, uh, loggin' in now
Wanna run wit my crew, hah?
Rule cyberspace and crunch numbers like I do?
They call me the king of the spreadsheets
Got em all printed out on my bedsheets
My new computer's got the clocks, it rocks
But it was obsolete before I opened the box
You say you've had your desktop for over a week?
Throw that junk away, man, it's an antique!
Your laptop is a month old? Well, that's great
If you could use a nice, heavy paperweight
My digital media is write-protected
Every file inspected, no viruses detected
I beta tested every operating system
Gave props to some, and others? I dissed 'em
While your computer's crashin', mine's multitaskin'
It does all my work without me even askin'
Got a flat-screen monitor, 40" wide
I believe that yours says "Etch-A-Sketch" on the side
In a 32-bit world, you're a 2-bit user
You've got your own newsgroup, alt.total-loser
Your mother board melts when you try to send a fax
Where'd you get your CPU, in a box of Cracker Jacks?
Play me online? Well, you know that I'll beat you
If I ever meet you I'll control-alt-delete you
What?
It's all about the Pentiums!
It's all about the Pentiums!
It's all about the Pentiums!
It's all about the Pentiums!
What y'all wanna do?
Wanna be hackers? Code crackers? Slackers
Wastin' time with all the chatroom yakkers?
9 to 5, chillin' at Hewlett Packard?
What??
"when i needed you most, when i needed a friend, you let me down now, like i let you down then."
If you just keep your system up to date with patches and updates, it will take somebody with serious skills to get in.
Serious skills or an early release of whatever exploit-of-the-week that ends up getting developed. Quite a few of these advisories come out after an exploit has been written and demonstrated, or at the same time. There's always a window of vulnerability in these cases.
As far as firewalls go, all it takes is one exposed vulnerable service to allow a script kiddie to get behind it. At that point, machines ordinarily shielded by the firewall (thus more likely to have complacent admins) become easier targets.
But yah, I do agree that if you keep up with the latest patches and fixes it makes things significantly harder for script kiddies. That still doesn't mean the script kiddies should get off the hook, though.
Sorry just had to say that out loud.
(for those scratching their head, think football....)
Ohhh...yeah!
Blech. Signatures.
Mitnick waived his right to a speedy trial. It's his own damned fault he was in jail for so long.
-matt
Why has mitnick become a god in the (h,cr)acking community? He had no skill. He could social engineer, but IMHO social engineering isn't that great of a skill.
-matt
I do not know of this football of which you speak.
-matt
hello i am a script kiddie (i even got in my jr high school newspaper!!!) and i would like to tell you how to crack into a system in these 8 simple steps
1. spend lots of time on IRC! cuz its fun and l33t! i talk to all of my k00L hacker friends all the time in our password-protected IRC channel. sure i get bad grades in school but thats ok cuz i will just find a job doing tech support where i can IRC from work too!
2. download all of the exploits people mention on IRC
3. download all of the volnurability scannerZ people mention on IRC
5. pick a bunch of systems (or just pick IP's randomly!) and run all of your scanner softwares on it. if everything just times out then their probably behind a firewall cuz they are LAME#!! just move on and use another IP.. or if you want to hit a government sites just download this file GOVT.TXT that lists a tonZ of hi profile government web server IP's and plug it into your scanners
6. when u find a system that has a hole, run the exploits on them! they will give u a root shell!!!!! then u can uze your other l33t scripts to set up trojins and back doors but if u dont know how to do that then just find the web space and mess up they're web page!!!
7. dont worry about getting caught or anything cause everyone running systems is just DUM like they dont know how to fix there security holes so they surly wont be able to track you!!!
----
And you honestly think it takes skill to do this sort of thing? It's nearly impossible for any system administrator to be 100% up to date on all vulnerabilities and patches. Frequently exploits are discovered and released a little while before it's been made aware to the security community. There ARE windows of opportunity there, and they don't necessarily arise out of negligence on the part of the administrator.
There needs to be a web site / message forum like Slashdot but dealing entirely with local/regional political matters. Something your state and federal representatives wouldn't be afraid to visit and contribute to. Organize the board by geographical area (or whatever political boundaries) and organize threads by issues, complete with informal polls.
Even without a congressperson's presence, it could be a great place to learn about your congressmen, about potential candidates in your area (all we ever hear about is what's on TV -- and that's usually at a national level). WITH a congressperson's presence, it could be an invaluable tool for communication/virtual *conversation* between your representatives and constituents.
Does anything like this exist?
I think sublime put it best, "Even though he now takes it in the behind, I have no sympathy for men of his kind."
-matt
Hrm...last time I got a ticket, I signed the thing, plead not guilty, went to court, was found not guilty in under 30 seconds (a minute if you count the lecture from the judge about being careful), and went home. All before about 10am. Sure I had to wait about 2 months before the trial happened, but during that two months I was not inconvienced in the slightest bit.
-matt
Murder, rape, and child molestation are far more serious crimes, and deserving of far more punishment than fscking up someone's web page.
Crackers should be treated more like kids who spraypaint their crap on walls. For messing things up, their punishment is to clean things up. Give crackers shovels and put 'em out to clean up the subway walls, or interstate embankments.
Is Chad going to be placed in solitary confinement until he "voluntarily waives" his rights to preliminary hearings, like Kevin?
Is Chad going to be charged in the farthest point away from WI, in the continental US, like Bill Cheek?
Is Chad going to have to rot in a "pre-trial" facility for 4.25 years until he "voluntairly pleads" to some of the charges?
Have the Feds created $multimillion in damages yet?
Yea, screwing with a web site should be punished, at about the same level as littering. NOT to the same level as murder.
Eve Fairbanks says I drive a hybrid!LOL
So in other words if you happen to forget to lock the door to your abode I can feel free to walk out with your computer, tv set or anything else that catches my eye? What was your address?
Agreed. Violent criminals should rank higher on the FBI's lists than mere vandals, even computerized ones.
And, your suggestion for punishment is a good one, IMO. The ego-driven cracker/vandal would be appropriately punished in a way that diminishes their prestige and matches the crime.
Meanwhile, there would be room in the prisons for longer sentences for murderers and rapists... Unfortunately, those evil pot-smokers are sucking up so many cells as to make this cracker problem vanishingly small.
Geeky modern art T-shirts
I agree. Script kiddies should not be compared with anything except pond scum. What Kevin did was not right, but at least it took some intelligence to do it. Now a 9 year old who found out about the 'net a week ago can download the crap to become a script kiddie. Would they be compared to Kevin too?
-- toolie
First, defacing websites is a crime - duh. But it shouldn't be a felony to do so - it should be a misdemeanor just like the realworld equivalents of "damage to property" and "vandalism". The government is deathly afraid of a medium that it can't control - which neatly explains the outrageous legislation being passed right now.
Second, this story will get sensationalized. Again, another obvious "duh!". The media loves scaring people - and the idea of some guy involved in a hacker crime ring hell bent on overthrowing the evil capitalistic system will be raised no less than 2^32 times. Jesse Burst may even comment on it.
Third, the you're-guilty-otherwise-they-wouldn't-have-arreste d-you dogma will also come to bear in the next few hours on slashdot. May I remind you that unless you disagree with the constitution - it's guilty until proven innocent.
I would also like to point out that the "setting an example" method of enforcing laws has been proven to be ineffective. We legislated the death penalty.. and the murder rate didn't change. We took it away.. the murder rate didn't change. That is one example, but their are case studies replete with more.
So what does this accomplish? It gives law enforcement good publicity (makes them look like they're doing their job instead of snacking down donuts and violating people's civil liberties), and it gives everybody the shaft because it's one less right that you have in our legal system.
constructive criticism appreciated - flames to /dev/null.
--
"It is not that these are super whiz kids; it is the technology that gives them the ability to cover their tracks enough that you can have a hard time making a criminal case against them," said a senior federal investigator.
It's about time the media started relaying this crucial bit of information. These gimps are nothing more than IRC script/packet kiddies that were shown how to use a few of those l33t exploits that appear every week or two.
They're not smart (obviously in this case); they aren't "skilled members of the hacker community." They're CHILDREN that aren't supervised enough by their parents.
The kids deserve what they get, and their parents deserve to be held accountable for the monetary damages.
I mean how stupid can you be? If you're going to break into a government system, don't do it straight from your dialup account! Again, he deserved it. I have no sympathy. In fact, I just wish the number of arrests for this type of thing (including more of the DoS-type of attacks) increased by an order of magnitude.
Based on what I know, briefly... The FBI told him they were on to him & his group. He went out of his way to taunt them by defacing a military site. For that, HE'S NOT GONNA GET JUST A SLAP ON THE WRIST.
Simply defacing a site, who cares? I mean, anyone in the world should have a tape backup somewhere that they can grab and restore. When you start talking gov't & military sites, though, the action is taken much more seriously. Just like if you spray paint something on a building, that's vandalism, but if someone spraypainted something on the Vietnam Memorial, they'ed be lynched either in or out of jail...
For those that invariably keep repeating that punishments for computer crimes seem excessive compared to other violent crimes, WRITE YOUR CONGRESSMEN.
If you folks would spend HALF the time actually writing letters as you do whining on Slashdot, I'm tempted to say we'd see a difference in the behaviors of some of our congressmen and thus, our nation.
I bring this up every once in a great while, and every time I get somebody responding that says I'm naive, that our government isn't OUR government at all, but acts in its own best interests (which, "obviously," aren't our own). Do you have any idea how many letters your congressmen get? I know my state representatives somehow find time to individually read and respond to my letters in just a few days. My national representatives usually have somebody else going through the mail first, but each of my letters have been hand-signed and written *by* the person I wrote (and yes, I can tell the difference between an aide-written letter and one written by The Man himself). If these guys can find the time to do this sort of thing in addition to their duties as our state and nation's lawmakers, perhaps they aren't hearing enough from their constituents? Hell, most (all?) of them now have e-mail addresses that are given just as much priority as postal messages.
I wish you doomsayers would stop sulking under this dark cloud of opression and figure out that this is YOUR government. These are YOUR elected leaders. Do you guys honestly believe that each of your elected leaders just somehow automatically get inducted into some secret club hell-bent on destroying the lives of the citizens that elected them in the first place?
I didn't realized he'd already been found guilty and sentenced yet.
In the future, wait until the guy's actually been SENTENCED before you go comparing his sentence to that of other types of criminals, and remember: Just because the law provides a MAXIMUM penalty of "..." rarely means the offender will actually get that sentence.
If the legal system takes the stance that unless you take adequate precautions any theft or damage done to your property is not a crime chaos will ensue. Any legal prohibitions against theft or intrusion will be moot since by definition if you've been intruded on you didn't take adequate precautions against that particular intruder.
You put a dead bolt on your door and religiously lock it, you make sure all your windows are closed and locked. I throw a brick through your window and steal your prized lint collection. Since you had the audacity to have windows on your dwelling you are therefore not worthy of being protected by the law. I walk away without a blemish on my record.
The truth is just about all computers exposed to the internet at large take adequate precautions to justify protection. Unless they leave the site up without password protection and post notices that intrusion is explicitly allowed they're afforded protection by the law.
Insurance companies and the stock holders are of course entitled to more stringent measures. If a lack of these more stringent measures results in theft of services and intellectual property or a loss of service then they are entitled to make the company pay. They do this by either not honouring their insurance policy or dumping their stock and deflating the value of the company. The company is still entitled to seeing any criminals rot in jail.
To borrow and extend a rather colourful phrase from Neal Stephenson's Cryptonomicon: If you don't want to be the wife of the convict with the most cigarettes, don't do the crime.