Slashdot Mirror
Cyberterrorism Article in Jane's is Available
James McP writes "Guess what gang, we're published!
The cyberterrorism article we all helped with a while back is now available at
Jane's Intelligence Review. It's targeted for PC laymen but still does a decent job of getting the idea across. To be honest, it sounds like a Slashdot article. :)" If you are quoted, please e-mail me to arrange payment as promised here. It'll only be a token thing, I'm sure, but it's still kind of cool.
Because he at least tried... They posted a previous article for comments, and solicited help in fixing it.
They should have gone the next step, posting the finished article for proof reading... But, can't expect them to get it right the first time.
Well, ignoring the law breakings comment (which I assume was a joke,) while they might claim the right to use articles posted in a thread specifically created to solicit material for the new article, I highly doubt they would try (and it wouldn't work if they did) to claim ownership of those copyrights. Until, at least, the person who originally said those things contacts them and sells them the rights. (Which will probably be what their default argeement for compensation is.)
They misunderstood the hacker ethic too:
there is a code of hacker ethics that precludes any profit from the activity -- the only motive is the activity itself
My understanding of the hacker ethic is that it doesn't preclude any profit from the activity - hackers gotta eat too - but more that it prohibits being malicious. Profiting by hacking may always be secondary to the joy of a good hack, and the determined hacker will hack even if there's no money to be made by it, but it's still okay to turn a profit. Money isn't evil - it's only a tool, and can be used for good or for evil. Like so many other things.
The ethical individual will not use his/her tools (be they money, brute strength, hacking skills, or magic spells) maliciously, but may still make a fair profit from them.
The minimum skill-set needed to be a 'script-kiddy' is simply the ability to read
English and follow directions.
Since when is English required? While I'm sure it helps, I doubt it's necessary. The article had a (tiny little) picture that was supposed to represent hackers in Germany. D'ya suppose they all used only English?
The most truthful line in the whole article is probably "Disinformation is easily spread". Sad to say, it's doing its share. Better luck with the later versions.
Yep. Glad to see someone caught the reference. :}
It makes me think of my handle... some people recognize it as a literary reference, and some think my name is actually Frank.
---
Maybe that's just the price you pay for the chains that you refuse.
Hand me that airplane glue and I'll tell you another story.
"Indeed, as a teenager Robert Morris accidentally launched a virus that shut down most of the Unix-based computers in the USA in the 1980s."
:)
This reads better if it becomes:
"Indeed, as a teenager Robert Morris Jr. accidentally launched a virus that shut down most of the Unix-based computers in the USA for several days in the 1980s."
The original statement would probably scare most people away from Unix if it was shut down for the 1980s
Oh, i'm hardly "whining" about getting paid. And at present, my remarks are directly quoted, but without quotes or attribution - technically, plagiarism, but Jane's has promised to pay its contributors.
:P
If i really wanted to be a hardcore Open Source advocate, i could have GPL'd my original statement, so they could not have quoted me in the article without GPLing the article itself.
---
Maybe that's just the price you pay for the chains that you refuse.
Hand me that airplane glue and I'll tell you another story.
Hi, I work as a writer/security type for SecurityPortal.com, I do a weekly column, a weekly newsletter, wrote a 200 page guide to Linux security, so I feel somewhat qualified to critique this article.
That article is (I'm trying to think of a gentle word) bad.
---start--- According to hackers, 99% of cracking incidents can be blamed on so-called 'script-kiddies'. These are usually young people who manage to acquire some 'cracking tools' somewhere on the Internet and are keen try them. They choose a 'cool' target (such as NASA, the Pentagon or the White House) and launch the tools. Older, more established ---stop---Pulling statistics out of thin air is a bad idea. I personally would put the percentage lower based on the types of attacks I have seen a lot of (ie bulk scans performed by worm like programs, not something a "script-kiddie" can write).
---start--- Global estimates vary, but a JIR extrapolation based on mid-1990 estimates by Bruce Sterling, author of The Hacker Crackdown: Law and Disorder on the Electronic Frontier, puts the total number of hackers at about 100,000, of which 10,000 are dedicated and obsessed computer enthusiasts. ---stop---Are we talking about hackers (Linux kernel hackers) or crackers here? A mid-1990's estimate is horribly out of date by now, I don't think there is any remotely reliable way to peg it. Also you need to define it first. If a 14 year old decides to go to rootshell, gets an exploit, defaces a major website, gets away with it, but realizes how much trouble he might have gotten into, and never does it again, is he a cracker? Is someone who tries out a few exploits from rootshell on his ISP "for fun" once a cracker?
---start--- However, to launch a sophisticated attack against a hardened target requires three to four years of practice in C, C++, Perl and Java (computer languages), general UNIX and NT systems administration (types of computer platform), LAN/WAN theory,remote access and common security protocols (network skills) and a lot of free time. On top of these technical nuts and bolts, there are certain skills that must be acquired within the cracker community. ---stop---No. Many "hardened" sites are not maintained properly, or even if they are (not hardened enough of course) there will be at least one time when a new exploit comes out and is not fixed for say 6 hours, a large windows of oppurtunity. Classic examples are bugs in Bind (DNS server software used by almost everyone), most DNS servers that are secured are secured quite well, however there have been several bugs that surfaced this year that pretty much nixed anything you could do to secure it (on most systems anyways).
Protecting yourself from your software
Securing Bind
There are a lot more items in the article I take exception to. As far as social engineering goes you should make the author read Winn Schwartau's "Information Warfare" (actually he should read it in anycase, it's a pretty comprehensive book). You might also check out:
Sunworld article on social engineering
Also in general the article is pretty messy, there is a bit on social engineering a few paragraphs before the social engineering section, I would seriously recomend removing it and having someone rewrite it from scratch.
-Kurt Seifried - my sig deleted
It was one of the best articles I have seen for quite long. Hope Jane's will keep it the philosophy that gave birth to it.
It has flaws, it lacks a few important points, it makes some not so correct interpretations. But it is a real article and it is almost correct. Frankly I think that even we would make mistakes very near to those that exist over the article. Let us think on Morris. How many people were here when the thing happen. Well I had my dad lost on the tsunami on that day. But even having a so near testimony didn't help to know a lot of very interesting details of that event. Besides I still remember the call I made to my father a few minutes after the wave hit their computers (by pure coincidence, I wanted to know who would catch my brothers from school). He dropped the whole dictionary of low, high and holy slang over the phone and said it was too busy. That someone has made a BIG mistake and the whole net was in shambles... Even a few hours later many people and my father didn't know what was really going on. And even he realized the dimensions and the reasons of the problem some days later. And it seems that he didn't know for everything. Besides in relation to one comment here. Their comps went so bad that they lost information on the disks. I still remember that they had to restore two-three disks that were working at that moment.
So I consider these mistakes something that no one can avoid. They are the result of our limitations of seeing reality. That don't degrade the value of the article. It is a great piece of journalism anyway. Something that we are lacking a lot.
Rather than spoofing a lamp, replace one of the ubiquitous router boxes scattered throughout the lab with one with a little more `capability'. That would eliminate the `why in the heck does this lamp have an Ethernet connection' giveaway.
Spoofing only refers to packets in our context, that of network types.
But, a spoof (a hoax) is a trick of any type to substitute something fake for something real. You could spoof packets, or spoof a driver's license, etc.
And, spoofing control signals from a server to the clients would likely be done with a spoofed packet.
But it's just a problem of looking at the application of a term in our context rather than the larger meaning of the term.
It's written in English, rather than the polysylabic buzzword mumble that had me throwing the printout of the earlier version across the room. It might actually be understood by human beings; this is a good thing. Lots of people read that polysylabic babbling, gain nothing from it, and think they've learned something. Some of them can even remember it, and quote it, but still don't manage to derive any understanding from it.
It still has errors. :(
It will always have errors. This is a newsmagazine, remember, not an O'Reilly & Associates book on the history of hacking and cracking and the consequences thereof.
It covers a much smaller topic than the original paper, but (in my opinion) it actually illuminates a tiny part of that little corner of the world, rather than pointing at the boogeyman that might be hiding there. Before we can convince "them" to "clean up their act", they have to become able to hear us, and the article goes a long way to doing that.
I think Jane's audience (remember, we're not the designed audience) will be well served by this article, and in the long run, we will be too.
Compared to what is being put forth by other media outlets, the article is brilliant. Sure, lotsa goofs, but consider-- these people are spook reporters, not computer reporters. I only hope that it has an impact on its intended readership: Intelligence professionals. Anyone here with a military background, will realize after about one second of reflection, that the people who do IT work in the intelligence field have almost certainly got their bosses completely baffled with BS, inflating their own importance and value, by grossly exaggerating the power of their adversaries, and the dangers they are "holding at bay".
Why is Janet Reno on record with the view that computers are "weapons of mass destruction"? Because that is what her IT employees are telling her, in hopes of bigger better everything-- promotions, offices, toys, etc. I *really* hope that senior FBI management reads Jane's.
Maybe the Jane's/Slashdot atticle will knock a tiny little dent in the problem. I sure hope so. I sweated over my post, and it got used in the "summing up".
The article puts the case like this:
"small computer, itself connected to the main network, into the base of a lamp with an infra-red port (network connection) aimed out the window of an office or linked to a mobile phone."
The lamp is acting as a bridging transceiver. If the LAN was a 'sensitive' network, it would not be eg. wireless ethernet in the office. You would have a segment or twisted-pair, thin-coax, or twinax plugged into this lamp.
On the other hand, if it were a secured LAN there would be no live unallocated cable run. The required splitter would be detected. Not a likely situation all around.
Wargames was based on Kevin Mitnick's exploits? Probably not.
Heh! Did we drive that point home or what. :) They then go about for a paragraph on how a cracker and a hacker are different concepts. Too bad they thought Wargames was based on "Kevin Mitnick"'s exploit. That's a great big mistake for Jane.
"...ever since Hollywood produced 'Wargames', based on Kevin Mitnic's cracking activities..."
No kidding? Why didn't I hear about this? They even got his name wrong.
I'm sorry, but I had to stop reading it after I got to the part that said (to paraphrase):
"A computer could be embedded into the base of a lamp, with an infrared port pointing out the window transmitting information."
Ok... um... If I saw a network cable coming from my *DESKLAMP*, I think I'd suspect something. Especially if the base of the lamp *also* had this little red plastic filter strategically pointed right up close to and out of a window.
Is this guy SERIOUS about this article? He doesn't give *any* background to anything, (except a *little* about the hack/crack debate), and expects GOVERNMENT SECURITY PROFESSIONALS to relate to this???
Wow.
Makes me worry a *LOT* less about Eschelon... It's probably a bunch of radio shack scanners connected to old Ampex reel tape recorders!!!
mindslip
is that kevin not only commited every crime in the book, but also whistled trunk tones so perfectly from the pay phone in jail that he was able to remote hack a commodore vic-20 tape drive into spinning its rewind cogs fast enough to reverse time and commit various exploits that allowed him to at one point play global thermonuclear war with WOPR and thusly almost destroy the world. He turned down thwe chance to play himself claiming he hated tab so much that he would rather see ferris beuller in the role. With an evil giggle he then used a beowulf cluster of slide rules to ping flood god and return himself to his cozy record breaking pre-trial confinement.
if you guys watched more tv you'd know that.
I didn't see a lot of actual quotes in this article, and most of them were from Big Names. Were a lot of these Slashdot quotes simply paraphrased? Also, does the Slashdot team have a list of the people Jane's claims were quoted, or is there indeed such a list?
--The basis of all love is respect
Well, Wargames was released in the same year that Mitnick turned 19. He wasn't even arrested until ten years later, and the acts attributed to Kevin do not even mildly resemble the acts depicted in Wargames. This report embodies the biggest problem that the computer security industry has: misinformation. I'm sorry, but this article needed some serious editing before it was released. This one major flub makes me wonder how many errors exist in parts of the article that I'm less familiar with. Put frankly, I'm sick of journalistic incompetence in dealing with computer security issues. When will they learn?
The Cheryl paragraph, and another sentence later ("Some people collect baseball cards...") were probably "scare quotes" in the print version of the article - those little sidebar-like things with the large fonts, usually offset from the rest of the article somehow, designed to get you to read the rest of the article.
Sadly, the article contains many factual errors and editing slip-ups such as repeated and misplaced sentences.
Definitions are suspect and inconsistently used. For example, their use of the term "spoofing" does not match my understanding of the word. Doesn't it usually refer to forging packets? But I might be wrong.
Some of the arguments seem incoherent, and many statements are unsubstantiated.
For example, in the "Beyond the hype" section, an argument is made that terrorist attacks on the infrastructure might not be effective because the infrastructure fails often anyway. This ignores the significant difference between normal failure modes and a planned terrorist attack. They could have done better - I wrote some comments on physical infrastructure attacks in the original Slashdot article, and other comments from people with more knowlege than I did as well.
The statement "Any system put together in the last few years will have been implemented with security in mind" is simply false, with many counterexamples available.
Really, the commentary on the original Slashdot article asking for input was more interesting and informative. I expected Janes to go beyond that with some really interesting research.
Disappointing.
Torrey (Azog) Hoffman
Torrey Hoffman (Azog)
"HTML needs a rant tag" - Alan Cox
1) War games was 10 years before Kevin, and they misspelled his name.
2) The Morris worm didn't erase anything, just propogate itself too quickly thus creating a Denial of Service attack.
3) The social engineering phone conversation is duplicated.
4) Dividing attacks into DoS/Erasing/Spoofing seemed pretty arbitrary. It would probably be more appropriate to discuss attacks in security terms (accessibility, correctness, privacy), for example see the duckling protocol paper.
There were many other minor glitches as well, such that if you were to print it out and proofread it it would be fairly marked up.
This is an odd bit from the article. The only reason that one would use those square brackets is to indicate an addition to a quote, but the sentence is not quoted. Did Jane's perhaps forget to quote and attribute some things that should be?
Greg
For example, their use of the term "spoofing" does not match my understanding of the word.
I think I'm going to have to take my lumps on this one. I was using a generalised concept of spoofing as meaning any attempt to create false messages to a system, and it got lifted without noting that it wasn't the generally used sense of the word.
Oh well.
jsm
This is a much better article that the one first proposed. I know a lot of people here won't like it and think that it is too basic/simplistic/misses the point.
Remember that the target audience of this publication are not up on highly technical aspects of this genre. This article will make them think and hopefully move them to realising exactly what the future holds.
If it makes life easier for systems admins to get the backing to secure systems properly, this can only be a good thing.
I like the way you say "the layman is smarter than you give him credit for" and yet your signature says
:-)
"Never underestimate the power of human stupidity." - Lazarus Long"
So which one is it? Are we smart or stupid?
Both. Such is the paradox of existence.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
--
Advertisers: If you attach cookies to your banner ads,
Time is Nature's way of keeping everything from happening at once... the bitch.
Not to start accusing Jane's, but they clearly plagiarized my post to Slashdot and did not provide credit. Here is a snippet of the Jane's article:
As pointed out by Clifford Stoll in The Cuckoo's Egg, automated 'data mining' techniques can be used to search for useful patterns in vast stores of insecure and seemingly unrelated data. A bank may assume its electronic fund transfer system is the most vital system to protect, but a terrorist may only want access to the financial records of persons or groups that are the bank's customers. This may not even involve destruction of data, as the pure information is often much more valuable than simply destroying random records. Reconnaissance attacks such as these are difficult to stop but extremely damaging. In the long-term banking scenario, the terrorist may simply choose to track sources of funding based on deposit records to harm the person or group who is the target. In a situation like this, going into the bank to destroy the information is only a temporary setback and will raise attention. Why destroy a valuable point of information gathering by doing something short-term like disrupting operations?
Here is a quote from the original thread with my (long) post:
"For instance, a bank may assume their electronic funds transfer system is the most vital system to protect, but a terrorist may only want access to the financial records of persons or groups that are the bank's customers. This may not even involve destruction of data (which is what most people think is the end goal but isn't always), rather the pure information which is often much more valuable than simply destroying random records. Reconnaissance attacks like these are difficult to stop but extremely damaging. In the case of the bank, the terrorist may simply choose to track sources of funding based on deposit records to harm the person or group who is the target. In a situation like this, going into the bank to destroy the information is only a temporary setback and will raise attention. Why completely destroy a valuable point of information gathering by doing something silly like disrupting operations? It's rare that a single offensive has any lasting effect, you must attack from different levels and leverage all available resources for maximum impact. Only dispose of resources that you need to. "
I assume it is a case of inappropriate referencing. However, they didn't even bother to put quotes around the paragraph indicating it as a direct quote. Instead they just did a cut and paste. I don't want to be rude, but this is not very professional. I can only hope it was a mistake on the author's part. I would hope they would at least offer a retraction/correction for this.
While we are on the topic of information terrorism, I would welcome comments from the /. community on this article entitled "Information Terrorism: Can You Trust Your Toaster?".
suntzu.pdf
We are thinking about updating it and would welcome any feedback.
Matt
Is this a preliminary article? This looks like it's in a seriously unfinished state.
:-) Although there's better ways to do it, the writer was trying to say that there's an large number of ways to spy on you that you wouldn't even think of, but an evil cracker might.
Several sentences were repeated (whole paragraphs even). Some factual information was incorrect (wargames/Mitnick? hahahahha!). There weren't many quotes, although I saw some paraphrasing.
Frankly, I could write a better article.
Still, it gets the gist of the idea right. Thank god Jane's noticed the hacker/cracker difference. I wish they point out the importance of that more.
Although it has some stupid examples (IR in a lamp? WTF?), they're mainly used to make a point. The point being that a good hacker thinks outside the lines, to some extent. I don't normally check my lamps for hidden transmitters, do you?
A bit stupid all in all. C'mon Janes, go for the gusto. Get a bit technical. Don't be afraid of having to write for a layman. The layman is smarter than you give him credit for. Use analogies (sp?). Make it interesting for crying out loud.
ah well...
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
This is a good attempt on the part of Jane's. While there are some editing gaffes, overall, it does a splendid job of getting the point across to the folks that aren't in the industry. One finds, of course, in the slashdot comments, a lot of whiners pissing and moaning about the writing, the vast majority of whom have enough trouble putting together a complete sentence on their own. Get a clue, guys, you're only perpetuating the stereotype that slashdot readers are a bunch of whiners.
The accident wasn't in releasing the worm ... he planned on doing that. The internals of the software checked a new system to see if it had been installed, and didn't install itself again if it had. The accident was that he wrote the code in such a way that every 6th or 7th time the worm saw itself, it would copy itself anyway, which caused massive resource drain on the systems it inhabited once it spiralled out of control. He just wanted a quiet worm, and accidentally took down large chunks of the net.
good. fast. cheap. (pick any two, you can't have all three)
Secondly, again, no matter what anyone else's critisism may be, I felt that the article gave a good, solid introduction to the CONCEPTS involved. The "facts" used are not, IMHO, all that important, as it's not aimed at security specialists, but people outside the field.
Lastly, I felt that it was a great first step, in the CO-OPERATION between journals and specialists, in which neither was trying to feed off the other, but rather co-exist in a mutually supportive way.
Personally, I'd say ignore any glitches and look at what's been gained, by all sides.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Come on, guys - compared to the amount of rubbish that's written on this subject by mainstream journalists, this is pretty good. OK, so if you can't find any really major problems with it, you can always look closer to find smaller and smaller ones, but I think they deserve congratulating on producing what seems to be a pretty good summary of the current situation.
When it comes down to it, small things like the fact that Wargames wasn't, in fact, based on what Kevin Mitnick did is not important. The important thing is that they seem to have got most of their facts right.
I would say Slashdot's input has managed to create the most sensible and accurate piece of journalism on crackers and their activities written by a mainstream journalist that I have ever read.
Gerv
I was quoted pretty extensively (the intelligence-gathering section). I assume this means I will be getting paid.
This is cool, but not nearly as cool as a $2.56 check from Donald Knuth would be.
---
Maybe that's just the price you pay for the chains that you refuse.
Hand me that airplane glue and I'll tell you another story.