Slashdot Mirror
Cyberterrorism Article in Jane's is Available
James McP writes "Guess what gang, we're published!
The cyberterrorism article we all helped with a while back is now available at
Jane's Intelligence Review. It's targeted for PC laymen but still does a decent job of getting the idea across. To be honest, it sounds like a Slashdot article. :)" If you are quoted, please e-mail me to arrange payment as promised here. It'll only be a token thing, I'm sure, but it's still kind of cool.
Because he at least tried... They posted a previous article for comments, and solicited help in fixing it.
They should have gone the next step, posting the finished article for proof reading... But, can't expect them to get it right the first time.
In spite of all factual errors, and the repeated phrases I liked the article, and there's no doubt it was an improvement on the original. I was wondering though, why are some of you so obsessed about getting paid? Journalist X phones up John Q. Expert for his opinion on Y - does he get paid, NO. I think the fact that Janes thanked the slashdotters who contributed to the article, and devoted a few paragraphs on pointing out the difference between crackers and hackers was commendable. Also distinguishing between crackers who do it for fun, and those who set out to do damage/make a profit was good, since this is something that is never mentioned in most main stream articles.
Well, ignoring the law breakings comment (which I assume was a joke,) while they might claim the right to use articles posted in a thread specifically created to solicit material for the new article, I highly doubt they would try (and it wouldn't work if they did) to claim ownership of those copyrights. Until, at least, the person who originally said those things contacts them and sells them the rights. (Which will probably be what their default argeement for compensation is.)
Well...
The moral of this story has to be something
like "dont use lamp shades". Some evil cracka
surely will hide an automatic buffer-overflow-tracker-IR-transmitter in there. But without the shade you are safe. Good point Jane, thankya. This is certainly more important than good backups.
Jane, c'mon give your readers some respect...
MONKEYJUMP.COM/anti-linux GO NOW!@$33333
They misunderstood the hacker ethic too:
there is a code of hacker ethics that precludes any profit from the activity -- the only motive is the activity itself
My understanding of the hacker ethic is that it doesn't preclude any profit from the activity - hackers gotta eat too - but more that it prohibits being malicious. Profiting by hacking may always be secondary to the joy of a good hack, and the determined hacker will hack even if there's no money to be made by it, but it's still okay to turn a profit. Money isn't evil - it's only a tool, and can be used for good or for evil. Like so many other things.
The ethical individual will not use his/her tools (be they money, brute strength, hacking skills, or magic spells) maliciously, but may still make a fair profit from them.
The minimum skill-set needed to be a 'script-kiddy' is simply the ability to read
English and follow directions.
Since when is English required? While I'm sure it helps, I doubt it's necessary. The article had a (tiny little) picture that was supposed to represent hackers in Germany. D'ya suppose they all used only English?
The most truthful line in the whole article is probably "Disinformation is easily spread". Sad to say, it's doing its share. Better luck with the later versions.
Naturally, the first one was the worst, and this one is only slightly better. I've never read Jane's (except to see the pictures), but if this is the level they aim for in their readers who are allegedly heads of states and the intelligence community, the lunatics are indeed running the asylum.
Misquotes, bad graphics, errors, bad info: everything is there. I need perl/java to be a sophisticated hacker? I suppose I can write the buffer overflows without any idea about assembler.
But the thing that bugs me most is the underlined text at the top of the article.. I bet someone still uses a typewriter to write.
Hi, I work as a writer/security type for SecurityPortal.com, I do a weekly column, a weekly newsletter, wrote a 200 page guide to Linux security, so I feel somewhat qualified to critique this article. That article is (I'm trying to think of a gentle word) bad. ---start--- According to hackers, 99% of cracking incidents can be blamed on so-called 'script-kiddies'. These are usually young people who manage to acquire some 'cracking tools' somewhere on the Internet and are keen try them. They choose a 'cool' target (such as NASA, the Pentagon or the White House) and launch the tools. Older, more established ---stop--- Pulling statistics out of thin air is a bad idea. I personally would put the percentage lower based on the types of attacks I have seen a lot of (ie bulk scans performed by worm like programs, not something a "script-kiddie" can write). ---start--- Global estimates vary, but a JIR extrapolation based on mid-1990 estimates by Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the Electronic Frontier, puts the total number of hackers at about 100,000, of which 10,000 are dedicated and obsessed computer enthusiasts. ---stop--- Are we talking about hackers (Linux kernel hackers) or crackers here? A mid-1990's estimate is horribly out of date by now, I don't think there is any remotely reliable way to peg it. Also you need to define it first. If a 14 year old decides to go to rootshell, gets an exploit, defaces a major website, gets away with it, but realizes how much trouble he might have gotten into, and never does it again, is he a cracker? Is someone who tries out a few exploits from rootshell on his ISP "for fun" once a cracker? ---start--- However, to launch a sophisticated attack against a hardened target requires three to four years of practice in C, C++, Perl and Java (computer languages), general UNIX and NT systems administration (types of computer platform), LAN/WAN theory,remote access and common security protocols (network skills) and a lot of free time. On top of these technical nuts and bolts, there are certain skills that must be acquired within the cracker community. ---stop--- No. Many "hardened" sites are not maintained properly, or even if they are (not hardened enough of course) there will be at least one time when a new exploit comes out and is not fixed for say 6 hours, a large windows of oppurtunity. Classic examples are bugs in Bind (DNS server software used by almost everyone), most DNS servers that are secured are secured quite well, however there have been several bugs that surfaced this year that pretty much nixed anything you could do to secure it (on most systems anyways). http://www.securityportal.com/closet/closet1999110 3.html http://www.securityportal.com/closet/closet1999112 4.html There are a lot more items in the article I take exception to. As far as social engineering goes you should make the author read Winn Schwartau's "Information Warfare" (actually he should read it in anycase, it's a pretty comprehensive book). You might also check out: http://www.sunworld.com/swol-07-1999/swol-07-secur ity.html Also in general the article is pretty messy, there is a bit on social engineering a few paragraphs before the social engineering section, I would seriously recomend removing it and having someone rewrite it from scratch. -Kurt Seifried
Yep. Glad to see someone caught the reference. :}
It makes me think of my handle... some people recognize it as a literary reference, and some think my name is actually Frank.
---
Maybe that's just the price you pay for the chains that you refuse.
Hand me that airplane glue and I'll tell you another story.
I remember trying to get an article on that submited to slashdot... Something about the winning team installing FreeBSD probably had something to do with the article getting rejected :>
Not a bad article, from Janes, but definitly needs a grammer/spelling/reality check done on it.
Yeah, i seem to remember he botched the code that limited it to only a couple instances per machine. I guess it was the world's first distributed denial of service attack.
---
Play Six Pack Man. I
"Indeed, as a teenager Robert Morris accidentally launched a virus that shut down most of the Unix-based computers in the USA in the 1980s."
:)
This reads better if it becomes:
"Indeed, as a teenager Robert Morris Jr. accidentally launched a virus that shut down most of the Unix-based computers in the USA for several days in the 1980s."
The original statement would probably scare most people away from Unix if it was shut down for the 1980s
Oh, i'm hardly "whining" about getting paid. And at present, my remarks are directly quoted, but without quotes or attribution - technically, plagiarism, but Jane's has promised to pay its contributors.
:P
If i really wanted to be a hardcore Open Source advocate, i could have GPL'd my original statement, so they could not have quoted me in the article without GPLing the article itself.
---
Maybe that's just the price you pay for the chains that you refuse.
Hand me that airplane glue and I'll tell you another story.
Hi, I work as a writer/security type for SecurityPortal.com, I do a weekly column, a weekly newsletter, wrote a 200 page guide to Linux security, so I feel somewhat qualified to critique this article.
That article is (I'm trying to think of a gentle word) bad.
---start--- According to hackers, 99% of cracking incidents can be blamed on so-called 'script-kiddies'. These are usually young people who manage to acquire some 'cracking tools' somewhere on the Internet and are keen try them. They choose a 'cool' target (such as NASA, the Pentagon or the White House) and launch the tools. Older, more established ---stop---Pulling statistics out of thin air is a bad idea. I personally would put the percentage lower based on the types of attacks I have seen a lot of (ie bulk scans performed by worm like programs, not something a "script-kiddie" can write).
---start--- Global estimates vary, but a JIR extrapolation based on mid-1990 estimates by Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the Electronic Frontier, puts the total number of hackers at about 100,000, of which 10,000 are dedicated and obsessed computer enthusiasts. ---stop---Are we talking about hackers (Linux kernel hackers) or crackers here? A mid-1990's estimate is horribly out of date by now, I don't think there is any remotely reliable way to peg it. Also you need to define it first. If a 14 year old decides to go to rootshell, gets an exploit, defaces a major website, gets away with it, but realizes how much trouble he might have gotten into, and never does it again, is he a cracker? Is someone who tries out a few exploits from rootshell on his ISP "for fun" once a cracker?
---start--- However, to launch a sophisticated attack against a hardened target requires three to four years of practice in C, C++, Perl and Java (computer languages), general UNIX and NT systems administration (types of computer platform), LAN/WAN theory,remote access and common security protocols (network skills) and a lot of free time. On top of these technical nuts and bolts, there are certain skills that must be acquired within the cracker community. ---stop---No. Many "hardened" sites are not maintained properly, or even if they are (not hardened enough of course) there will be at least one time when a new exploit comes out and is not fixed for say 6 hours, a large windows of oppurtunity. Classic examples are bugs in Bind (DNS server software used by almost everyone), most DNS servers that are secured are secured quite well, however there have been several bugs that surfaced this year that pretty much nixed anything you could do to secure it (on most systems anyways).
Protecting yourself from your software
Securing Bind
There are a lot more items in the article I take exception to. As far as social engineering goes you should make the author read Winn Schwartau's "Information Warfare" (actually he should read it in anycase, it's a pretty comprehensive book). You might also check out:
Sunworld article on social engineering
Also in general the article is pretty messy, there is a bit on social engineering a few paragraphs before the social engineering section, I would seriously recomend removing it and having someone rewrite it from scratch.
-Kurt Seifried - my sig deleted
Ahh, you just need to do a bit of scrolling, my boy, they're there.
I'll offer my own critique later on tonight when I get a chance to read the whole thing.
It was one of the best articles I have seen for quite long. Hope Jane's will keep it the philosophy that gave birth to it.
It has flaws, it lacks a few important points, it makes some not so correct interpretations. But it is a real article and it is almost correct. Frankly I think that even we would make mistakes very near to those that exist over the article. Let us think on Morris. How many people were here when the thing happen. Well I had my dad lost on the tsunami on that day. But even having a so near testimony didn't help to know a lot of very interesting details of that event. Besides I still remember the call I made to my father a few minutes after the wave hit their computers (by pure coincidence, I wanted to know who would catch my brothers from school). He dropped the whole dictionary of low, high and holy slang over the phone and said it was too busy. That someone has made a BIG mistake and the whole net was in shambles... Even a few hours later many people and my father didn't know what was really going on. And even he realized the dimensions and the reasons of the problem some days later. And it seems that he didn't know for everything. Besides in relation to one comment here. Their comps went so bad that they lost information on the disks. I still remember that they had to restore two-three disks that were working at that moment.
So I consider these mistakes something that no one can avoid. They are the result of our limitations of seeing reality. That don't degrade the value of the article. It is a great piece of journalism anyway. Something that we are lacking a lot.
Rather than spoofing a lamp, replace one of the ubiquitous router boxes scattered throughout the lab with one with a little more `capability'. That would eliminate the `why in the heck does this lamp have an Ethernet connection' giveaway.
They are keen, try them!
Spoofing only refers to packets in our context, that of network types.
But, a spoof (a hoax) is a trick of any type to substitute something fake for something real. You could spoof packets, or spoof a driver's license, etc.
And, spoofing control signals from a server to the clients would likely be done with a spoofed packet.
But it's just a problem of looking at the application of a term in our context rather than the larger meaning of the term.
It's written in English, rather than the polysylabic buzzword mumble that had me throwing the printout of the earlier version across the room. It might actually be understood by human beings; this is a good thing. Lots of people read that polysylabic babbling, gain nothing from it, and think they've learned something. Some of them can even remember it, and quote it, but still don't manage to derive any understanding from it.
It still has errors. :(
It will always have errors. This is a newsmagazine, remember, not an O'Reilly & Associates book on the history of hacking and cracking and the consequences thereof.
It covers a much smaller topic than the original paper, but (in my opinion) it actually illuminates a tiny part of that little corner of the world, rather than pointing at the boogeyman that might be hiding there. Before we can convince "them" to "clean up their act", they have to become able to hear us, and the article goes a long way to doing that.
I think Jane's audience (remember, we're not the designed audience) will be well served by this article, and in the long run, we will be too.
Compared to what is being put forth by other media outlets, the article is brilliant. Sure, lotsa goofs, but consider-- these people are spook reporters, not computer reporters. I only hope that it has an impact on its intended readership: Intelligence professionals. Anyone here with a military background, will realize after about one second of reflection, that the people who do IT work in the intelligence field have almost certainly got their bosses completely baffled with BS, inflating their own importance and value, by grossly exaggerating the power of their adversaries, and the dangers they are "holding at bay".
Why is Janet Reno on record with the view that computers are "weapons of mass destruction"? Because that is what her IT employees are telling her, in hopes of bigger better everything-- promotions, offices, toys, etc. I *really* hope that senior FBI management reads Jane's.
Maybe the Jane's/Slashdot atticle will knock a tiny little dent in the problem. I sure hope so. I sweated over my post, and it got used in the "summing up".
In my years of hacking/cracking, I have never seen a more fair article. Perhaps there are some factual slipups, but the social implications of hacking/cracking/cyber* was well done. I've been out of it longer than most of you people have been into it and it seems to me that the media is finally getting the message that most computer tampering is done by teenagers playing pranks as opposed to "cyborterrorists" or the organized crime. Hell, when I got raided, the feds thought you were working for the CCCP or east german intelligence. Perhaps this sort of document will make some law makers wake up and create some more appropriate legislation. Sending teenagers to jail for HTTP grafitti is a waist of time and money. Meanwhile the people that you don't hear about are the people they should be looking into. ;-)
Or, as the article puts it, 'élite hacking groups'.
:)
Doesn't have quite the same ring to it, does it...
Tedious Bloggy Stuff - hooray?
Actually this could be made to work, if the network cable could be sufficiently hidden, ie. painted brown and run behind some furnature. It would also be possible to have a IR transmitter inside the lamp bulb, and have a network interface that connects to the power cord of the lamp, broadcasting over the short distance of the power cable.
Annother trick would be to plug a small computer (Heck a NetWinder would work) into a data jack. Then you could have all your nifty cracking and intrusion tools right on the local network, bye bye firewall! This would be great if the jack was hidden behind furnature, or in some other unused area where it wouldn't be noticed. IIRC some NetWinders even have IR ports--see paragraph 1.
-- Remember: Wherever you go, there you are!
And the bottom of all the pages here says "All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster"
-- these are only opinions and they might not be mine.
Most of this was hashed out in the origional thread. And remember folks, the posts on the origional thread were intended for the paid use by Jane's. This, for that thread only, superceded the standard "Comments are owned by the Poster" clause.
If they used any of your work, please point it out to them and receive your check, or remain anonymous, your choice.
-- Remember: Wherever you go, there you are!
Is anyone else annoyed by the tiny charts that aren't linked to larger versions?
--
Wage Slave Journal
Well, if you're going to bother with all that, why not just modulate the LAMP itself! I mean, putting in a tiny IR transmitter is kinda dumb if you have a 100W broadband emmitter/light bulb there already! :)
I like the way you say "the layman is smarter than you give him credit for" and yet your signature says
"Never underestimate the power of human stupidity." - Lazarus Long"
So which one is it? Are we smart or stupid?
Benno
The article puts the case like this:
"small computer, itself connected to the main network, into the base of a lamp with an infra-red port (network connection) aimed out the window of an office or linked to a mobile phone."
The lamp is acting as a bridging transceiver. If the LAN was a 'sensitive' network, it would not be eg. wireless ethernet in the office. You would have a segment or twisted-pair, thin-coax, or twinax plugged into this lamp.
On the other hand, if it were a secured LAN there would be no live unallocated cable run. The required splitter would be detected. Not a likely situation all around.
I've never seen a more error-ridden, paranoic piece of sensationalist trash.
The exploits of the true hacking elite are obviously unknown to you slashdotters and the media. It's the fourth-rate dilletantes like Mitnick that you peons read about. Think about it.
Well, time to examine your credit and medical histories. If I'm in an evil mood, I'll make your toaster explode.
_.......................__
||.....__...._._||_..||-\\..._...._._||_
||......_\\.(/_'..||....||-//.//.\\.(/_'..||
||__((_||_,_/).||_..||....\\_//.,_/).\\_
HAHA! LAST POST! Anything following is redundant.
"The layman is smarter than you give him credit for..." I believe George Carlin once said something like, "You know how stupid the average person is, now realize that HALF the people are stupider than that!" Laymen are dumb.
"If i really wanted to be a hardcore Open Source advocate, i could have GPL'd my original statement, so they could not have quoted me in the article without GPLing the article itself." And just like most companies, they would have refused your GPL work and opted for commercial closed-source stuff instead. -thomas
compared to the amount of rubbish that's written on this subject by mainstream journalists, this is pretty good
hi. i don't know if you realize this. jane's is supposed to be not mainstream press but instead one of the leading political, intelligence, defence and economic updates around. it is a bit surprising the mistakes make in the piece, both technical and editorial. it reflects badly on janes.
jose nazario jose@biocserver.cwru.edu
...and I'll be Arthur Dent. Nope, too lame, I'll be Zaphod Beeblebrox :).
This is one of the best main stream articles I have read. It seems most people who post on /. aren't able to say positive things.
Were a lot of these Slashdot quotes simply paraphrased?
I think so. I got a kind of sense of deja vu reading the text outside quote marks.
jsm
Wargames was based on Kevin Mitnick's exploits? Probably not.
Heh! Did we drive that point home or what. :) They then go about for a paragraph on how a cracker and a hacker are different concepts. Too bad they thought Wargames was based on "Kevin Mitnick"'s exploit. That's a great big mistake for Jane.
"...ever since Hollywood produced 'Wargames', based on Kevin Mitnic's cracking activities..."
No kidding? Why didn't I hear about this? They even got his name wrong.
I'm sorry, but I had to stop reading it after I got to the part that said (to paraphrase):
"A computer could be embedded into the base of a lamp, with an infrared port pointing out the window transmitting information."
Ok... um... If I saw a network cable coming from my *DESKLAMP*, I think I'd suspect something. Especially if the base of the lamp *also* had this little red plastic filter strategically pointed right up close to and out of a window.
Is this guy SERIOUS about this article? He doesn't give *any* background to anything, (except a *little* about the hack/crack debate), and expects GOVERNMENT SECURITY PROFESSIONALS to relate to this???
Wow.
Makes me worry a *LOT* less about Eschelon... It's probably a bunch of radio shack scanners connected to old Ampex reel tape recorders!!!
mindslip
This is a good article for laymen. Why /. wanted it posted (except to boost their own ego) is beyond me. Why the author even touched on Wargames remains a mystery. I guess he though to get good sources from the credits or something
-- The Wages of Sin are unreported.
That Cheryl chapter was there _twice_. I guess proofreading is out these days.
I didn't even bother to read it all.
Why Jane insisted BO2K is only good for cracking NT when M$ also selling the same 'remote admin' tools for $1000 more? This is one distasteful, hypocritical argument.
is that kevin not only commited every crime in the book, but also whistled trunk tones so perfectly from the pay phone in jail that he was able to remote hack a commodore vic-20 tape drive into spinning its rewind cogs fast enough to reverse time and commit various exploits that allowed him to at one point play global thermonuclear war with WOPR and thusly almost destroy the world. He turned down thwe chance to play himself claiming he hated tab so much that he would rather see ferris beuller in the role. With an evil giggle he then used a beowulf cluster of slide rules to ping flood god and return himself to his cozy record breaking pre-trial confinement.
if you guys watched more tv you'd know that.
I didn't see a lot of actual quotes in this article, and most of them were from Big Names. Were a lot of these Slashdot quotes simply paraphrased? Also, does the Slashdot team have a list of the people Jane's claims were quoted, or is there indeed such a list?
--The basis of all love is respect
Well, Wargames was released in the same year that Mitnick turned 19. He wasn't even arrested until ten years later, and the acts attributed to Kevin do not even mildly resemble the acts depicted in Wargames. This report embodies the biggest problem that the computer security industry has: misinformation. I'm sorry, but this article needed some serious editing before it was released. This one major flub makes me wonder how many errors exist in parts of the article that I'm less familiar with. Put frankly, I'm sick of journalistic incompetence in dealing with computer security issues. When will they learn?
http://jir.janes.com/images/thumbs/s0070098.jpg
Am I the only one here who wonders what this bar graph is about? It's not labeled, nor is it a thumbnail for a clearer, normal-sized one. (along with the others)
Well, looks like the purple team beat out the others that last year, huh? =)
Pablo Nevares, "the freshmaker".
Pablo Nevares, "the freshmaker".
ey! is this subject a reference to better off dead? a must see movie.
This IS just like a slashdot article. Complete with typos and all. :)
Nicely written article that didn't dwell on fearmongering, and just stated the facts as they were. It identified rumors as such, and while it laid out some potential catastophic circumstances, it also identified the fact that these events are unlikely.
The flow, however, was a little erratic. Seems that some of the topics were thrown together in no particular order. Otherwise, decent article.
-Restil
Play with my webcams and lights here
I've never seen a more error-ridden, paranoic piece of sensationalist trash.
The exploits of the true hacking elite are obviously unknown to you slashdotters and the media. It's the fourth-rate dilletantes like Mitnick that you peons read about. Think about it.
Well, time to examine your credit and medical histories. If I'm in an evil mood, I'll make your toaster explode.
_.......................__
||.....__...._._||_..||-\\..._...._._||_
||......_\\.(/_'..||....||-//.//.\\.(/_'..||
||__((_||_,_/).||_..||....\\_//.,_/).\\_
HAHA! LAST POST! Anything following is redundant.
Sadly, the article contains many factual errors and editing slip-ups such as repeated and misplaced sentences.
Definitions are suspect and inconsistently used. For example, their use of the term "spoofing" does not match my understanding of the word. Doesn't it usually refer to forging packets? But I might be wrong.
Some of the arguments seem incoherent, and many statements are unsubstantiated.
For example, in the "Beyond the hype" section, an argument is made that terrorist attacks on the infrastructure might not be effective because the infrastructure fails often anyway. This ignores the significant difference between normal failure modes and a planned terrorist attack. They could have done better - I wrote some comments on physical infrastructure attacks in the original Slashdot article, and other comments from people with more knowlege than I did as well.
The statement "Any system put together in the last few years will have been implemented with security in mind" is simply false, with many counterexamples available.
Really, the commentary on the original Slashdot article asking for input was more interesting and informative. I expected Janes to go beyond that with some really interesting research.
Disappointing.
Torrey (Azog) Hoffman
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
1) War games was 10 years before Kevin, and they misspelled his name.
2) The Morris worm didn't erase anything, just propogate itself too quickly thus creating a Denial of Service attack.
3) The social engineering phone conversation is duplicated.
4) Dividing attacks into DoS/Erasing/Spoofing seemed pretty arbitrary. It would probably be more appropriate to discuss attacks in security terms (accessibility, correctness, privacy), for example see the duckling protocol paper.
There were many other minor glitches as well, such that if you were to print it out and proofread it it would be fairly marked up.
Hmmmm...
I wonder what operating system(s) most employees use?
penguinicide... when jumping out a window just won't do.
This is an odd bit from the article. The only reason that one would use those square brackets is to indicate an addition to a quote, but the sentence is not quoted. Did Jane's perhaps forget to quote and attribute some things that should be?
Greg
This artical is a lumbering horror out of Dr. Frankensteins nightmares. While it does hit on many topics, providing a wide breadth of information, it is basically a cut & paste job from the Slashdot without much effort put into fact checking and coherency. Supporting paragraphs from parts of arguments are left dangling without the rest of the argument. The prose is terrible, with it jumping from one writing style to the next on a paragraph by paragraph basis. Some important information was not fleshed out completely (Info on Script Kiddies is not well written and incomplete) while many precious words were wasted on trivialities (The Hacker/Cracker White-Hat/Black-Hat stuff is not THAT important. A single paragraph could explain it eloquently.)
/sample directory, hopefully this is a draft and hasn't actually gone into print. With a little touchup, and fact checking, this could be a _really_ good article for the Jane's readership. I see much potential here.
Ultimately the article is functional, one would be more clued by reading it than say watching TV, "Y2K: The Movie" anyone? I noticed that it is loacated under the
Oh, and claim your quotes that were purchased by Jane's, it's payday!
-- Remember: Wherever you go, there you are!
For example, their use of the term "spoofing" does not match my understanding of the word.
I think I'm going to have to take my lumps on this one. I was using a generalised concept of spoofing as meaning any attempt to create false messages to a system, and it got lifted without noting that it wasn't the generally used sense of the word.
Oh well.
jsm
I would thick that with all the "Open Source" advocates on Slashdot there wouldn't be so much whinning and snivleing about getting paid. Just like with software, You were posting to a thread that was to be used as reference material for an article. You were contributing information instead of source code, but for the same basic reason, "To Contribute Your Expertise To The Computing Community".
Now attributting is another thing. Giving credit, where credit is due. etc...
seems like someone here lives too close to Redmond. if somebody goes after a system that controls power-grids and what not, they don't choose the program controlling load balancing on the power grid. if i can get root by exploiting [suid] programs, then i will pick a well-known but still essential element first and hope the sysadmin is a lamer that doesn't know what bugtraq is and didn't buy the customer service contract with the security patches, etc. complexity is hardly a defense. it allows the possible attack avenues to go undetected. the attacker only needs to find one, the defender has to close them all. what crap, even from a logical standpoint.
Hmm...small point...wouldn't having 10 weeks of backups each with only a single byte (or even a few) of randomness be pretty easy to recover? Assuming the backed up files don't change too much, you simply take the most frequent byte value as the correct one. Since the backups do change, it requires a bit more trickiness, but still, it doesn't seem too hard. Anyone with experience in this area?
-----------------------------------------------
how much bandwidth has been wasted by this sig?
This is a much better article that the one first proposed. I know a lot of people here won't like it and think that it is too basic/simplistic/misses the point.
Remember that the target audience of this publication are not up on highly technical aspects of this genre. This article will make them think and hopefully move them to realising exactly what the future holds.
If it makes life easier for systems admins to get the backing to secure systems properly, this can only be a good thing.
I like the way you say "the layman is smarter than you give him credit for" and yet your signature says
:-)
"Never underestimate the power of human stupidity." - Lazarus Long"
So which one is it? Are we smart or stupid?
Both. Such is the paradox of existence.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Simultaneously.
Also, it is much easier to complicate than to simplify.
This is a media piece aimed at the general
public. It is not meant for people who are
in the know.
This is an ambitious article. It is trying
to explain to John Q. Point'n'Drool why the
idea of cyberterroism is real, and why its not
AS bad as the Legions of Gloom and Doom are
telling them.
It is an attempt to explain the state of things,
who is doing malicious hacking now, how it could
be used, and whats stopping it.
I find the power grid idea partularly amusing...
since just yesterday I found out that all the
pole distribution transformers here in my area
of the country are radio controlled on/off.
Of course while these types of attacks could be
used for terrorism, they need not be. Terrorism
implies attacks designed to strike fear into the
general populous. In reality this is just another
tool. It can be used during a military campagin,
for terrorism, or just to make money.
Just terming it a "terrorism" is itself a device
to scare people. To that end I think "The Seige"
is one of the best movies on the subject
The terrorists in that movie succeded. They
brought about martial law and effectively brought
life to a halt.
So basically, while the article was dumbed down
a bit (for the sake of explaining to idiots) I
have to say that I agree with its conclusions.
The current impact of "Cyberterrorism" is almost
non-existant, but it could easily be used as a
tool to make other attacks more devstating.
"I opened my eyes, and everything went dark again"
The same way crackers read security advisories in order to crack unprotected system, sysadmins can learn from phrack and the likes.
I mean if I read an article about a CGI/perl bug that allows cracking of websites, next thing I do is go over my scripts to make sure I'm not cracked by the 50,000 kids that will read it next.
Ballerinas have fins that you'll never find
The article states:
In theory, cyberterrorism is very plausible, yet in reality it is difficult to conduct anything beyond simple 'script-kiddy' DoS attacks. Terrorists attempting to sway a populace by fear would therefore be less interested in such an attack unless they could carry out an extremely damaging one on a repeatable basis or unless they used it to augment the effects of a physical attack.
This is all well and good to say "There isn't a real problem, unless 'they' dedicate men and material for an attack at the same time", yet earlier it was stated:
Whilst alarmist, precedents do exist, as evidenced by Gail Thackaray, recognised as one of the premier cracker-catchers in the business: "One hacker shut down a Massachusetts airport, 911 emergency service and the air traffic control system while playing with the municipal phone network, and another hacker in Phoenix invaded the computer systems of one of the public energy utilities, attaining 'root' level privileges on the system controlling the gates to all the water canals from the Grand Canyon south.".
Doesn't the ability to open all the water canals from the Grand Canyon south, thereby flooding out a lot of land (potentially residential areas as well), constitute a physical attack achieved via cracking? And doesn't the fact that "These examples involved individuals rather than organised groups" show just how vulnerable the systems are to a terrorist organization intent on creating damage and loss of life?
What about an attack on a nuclear reactor or a directed assault on air traffic computers?
The potential for physical attacks via a computer is very real.
Oh, and the editor for this article should be covered in walnuts, chained to a tree, then eaten to death by a group of rabid squirrels.
Just my $0.02.
-NYFreddie
Barbie of Borg - She doesn't just Assimilate, She Accessorizes too!
--
Advertisers: If you attach cookies to your banner ads,
Time is Nature's way of keeping everything from happening at once... the bitch.
Robert Morris Jr. could hardly have designed a multiple-vulnerability exploit by accident. Sorry to nitpick :-)
SEAL
Critical programmes [...], are usually custom-written, making them twice as difficult to attack.
...And are ten times as likely to have weaknesses.
Well, while he got [cr|h]acker right, the open source concept he cannot grasp.
Not to start accusing Jane's, but they clearly plagiarized my post to Slashdot and did not provide credit. Here is a snippet of the Jane's article:
As pointed out by Clifford Stoll in The Cuckoo's Egg, automated 'data mining' techniques can be used to search for useful patterns in vast stores of insecure and seemingly unrelated data. A bank may assume its electronic fund transfer system is the most vital system to protect, but a terrorist may only want access to the financial records of persons or groups that are the bank's customers. This may not even involve destruction of data, as the pure information is often much more valuable than simply destroying random records. Reconnaissance attacks such as these are difficult to stop but extremely damaging. In the long-term banking scenario, the terrorist may simply choose to track sources of funding based on deposit records to harm the person or group who is the target. In a situation like this, going into the bank to destroy the information is only a temporary setback and will raise attention. Why destroy a valuable point of information gathering by doing something short-term like disrupting operations?
Here is a quote from the original thread with my (long) post:
"For instance, a bank may assume their electronic funds transfer system is the most vital system to protect, but a terrorist may only want access to the financial records of persons or groups that are the bank's customers. This may not even involve destruction of data (which is what most people think is the end goal but isn't always), rather the pure information which is often much more valuable than simply destroying random records. Reconnaissance attacks like these are difficult to stop but extremely damaging. In the case of the bank, the terrorist may simply choose to track sources of funding based on deposit records to harm the person or group who is the target. In a situation like this, going into the bank to destroy the information is only a temporary setback and will raise attention. Why completely destroy a valuable point of information gathering by doing something silly like disrupting operations? It's rare that a single offensive has any lasting effect, you must attack from different levels and leverage all available resources for maximum impact. Only dispose of resources that you need to. "
I assume it is a case of inappropriate referencing. However, they didn't even bother to put quotes around the paragraph indicating it as a direct quote. Instead they just did a cut and paste. I don't want to be rude, but this is not very professional. I can only hope it was a mistake on the author's part. I would hope they would at least offer a retraction/correction for this.
While we are on the topic of information terrorism, I would welcome comments from the /. community on this article entitled "Information Terrorism: Can You Trust Your Toaster?".
suntzu.pdf
We are thinking about updating it and would welcome any feedback.
Matt
Is this a preliminary article? This looks like it's in a seriously unfinished state.
:-) Although there's better ways to do it, the writer was trying to say that there's an large number of ways to spy on you that you wouldn't even think of, but an evil cracker might.
Several sentences were repeated (whole paragraphs even). Some factual information was incorrect (wargames/Mitnick? hahahahha!). There weren't many quotes, although I saw some paraphrasing.
Frankly, I could write a better article.
Still, it gets the gist of the idea right. Thank god Jane's noticed the hacker/cracker difference. I wish they point out the importance of that more.
Although it has some stupid examples (IR in a lamp? WTF?), they're mainly used to make a point. The point being that a good hacker thinks outside the lines, to some extent. I don't normally check my lamps for hidden transmitters, do you?
A bit stupid all in all. C'mon Janes, go for the gusto. Get a bit technical. Don't be afraid of having to write for a layman. The layman is smarter than you give him credit for. Use analogies (sp?). Make it interesting for crying out loud.
ah well...
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
I'm sorry, but this would fail Journalism 101. Hell, this would fail a high school newspaper class.
This is a good attempt on the part of Jane's. While there are some editing gaffes, overall, it does a splendid job of getting the point across to the folks that aren't in the industry. One finds, of course, in the slashdot comments, a lot of whiners pissing and moaning about the writing, the vast majority of whom have enough trouble putting together a complete sentence on their own. Get a clue, guys, you're only perpetuating the stereotype that slashdot readers are a bunch of whiners.
There are actually planning a movie based round Kevin Mitnic's activies called "Takedown", there's also a book too which was writed by the NYT writer who brought so much attention (and reason behind his stiff sentencing). Anyway, from what I understand the movie is in the can, however there's legal issues regarding it's release, because Mitnic cannot profit from his activities. As far as I know, Wargames was totally fictional. More info on the movie can be found here...
There are actually planning a movie based round Kevin Mitnick's activies called "Takedown", there's also a book too which was writed by the NYT writer who brought so much attention to this story (and reason behind his stiff sentencing). Anyway, from what I understand the movie is in the can, however there's legal issues regarding it's release, because Mitnick cannot profit from his activities. As far as I know, Wargames was totally fictional. More info on the movie can be found here...
Slashdot's link to the article must be an early, unrefined version. If they published that article, someone would get fired.
:)
BTW, Highschool students, this is an excellent oppurtunity to snag that article and hand it in as a highschool report on cyber terrorism.
The article they linked to is an old version, in the document it states: "Document created: 21 OCTOBER 1999".
Still, it gets the gist of the idea right. Thank god Jane's noticed the hacker/ cracker difference. I wish they point out the importance of that more. Yea, they noticed it for one paragraph, and then ignored the comments that they had made by mis-using hacker and hack for the rest of the article.
-- The act of censorship is always worse than whatever is being censored. Always.
I heard he's upped the amount to $10.24 to account for inflation. That $2.56 price was so70's.
yes agreed, but I bawked a bit at the following couple of lines....(the bold emphasis is mine)
what urks me is that it appears to reinforce stereo-typical profile of the lone social misfit with low self esteem, male who deviates from the norm. In fact the this form of electronic warfare is more likely to be done with assorted teams of white collar specialists for the regular work and the lone character stereotype portrayed in the article for those *irregular* assignments.
This is the only flaw I can find (sans errors, but this is an old article.) in an otherwise excellent article. It's the kind of quality you would expect from Janes/JIR.
peterrenshaw ~ Another Scrappy Startup
If I remember my history well, kevin was also the guy who broke into the japanese decoding machine, thus forcing them to reboot the machine (a 24 hour job back then) and preventing the japanese declaration of war from being decoded and delivered before the attack.
Also, Jane missed the other movie inspired by kevins activities, 2001. It is wildly known in the roght circles that the NASA secret mission to Jupiter was aborted under undisclosed circunstancies, after he managed to invade the in-ship mission control AI. Kubrik and Clark just left the most secret parts out of the script.
If I remember my history well, kevin was also the guy who broke into the japanese decoding machine, thus forcing them to reboot the machine (a 24 hour job back then) and preventing the japanese declaration of war from being decoded and delivered before the attack.
Also, Jane missed the other movie inspired by kevins activities, 2001. It is wildly known in the right circles that the NASA secret mission to Jupiter was aborted under undisclosed circunstancies, after kevin managed to invade the in-ship mission control AI. Kubrik and Clark just left the most secret parts out of the script.
Secondly, again, no matter what anyone else's critisism may be, I felt that the article gave a good, solid introduction to the CONCEPTS involved. The "facts" used are not, IMHO, all that important, as it's not aimed at security specialists, but people outside the field.
Lastly, I felt that it was a great first step, in the CO-OPERATION between journals and specialists, in which neither was trying to feed off the other, but rather co-exist in a mutually supportive way.
Personally, I'd say ignore any glitches and look at what's been gained, by all sides.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Come on, guys - compared to the amount of rubbish that's written on this subject by mainstream journalists, this is pretty good. OK, so if you can't find any really major problems with it, you can always look closer to find smaller and smaller ones, but I think they deserve congratulating on producing what seems to be a pretty good summary of the current situation.
When it comes down to it, small things like the fact that Wargames wasn't, in fact, based on what Kevin Mitnick did is not important. The important thing is that they seem to have got most of their facts right.
I would say Slashdot's input has managed to create the most sensible and accurate piece of journalism on crackers and their activities written by a mainstream journalist that I have ever read.
Gerv
I was quoted pretty extensively (the intelligence-gathering section). I assume this means I will be getting paid.
This is cool, but not nearly as cool as a $2.56 check from Donald Knuth would be.
---
Maybe that's just the price you pay for the chains that you refuse.
Hand me that airplane glue and I'll tell you another story.