ABC TV Does Two Major Cracker Stories

karma vs Dogma writes "ABC ran a couple of stories tonight on the "Evils of Crackers/Hackers". Read the summaries of the World News Tonight story and the 20/20 story. I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another."

Re:Saw part of this, Noticed the bloated cost too.

[grumpy_geek]

Not having seen that actual broadcast, the summaries don't mention any actual costs, only that if you deface a website making $18mill a day you are commiting a serious crime (didn't say it cost them over $5 dollars).

Hacker/cracker I don't know anybody who came from that era that cares about that.

My opinion: all the newbies complaining and whining don't have much of a leg to stand on when they moan about a phrase that came before their time; when the people who originally used it, have resolved that it really doesn't matter anymore.

Note: spelling and grammar checking off because I don't care

Re:$$$

Maybe what they mean is $300k to hire in a consultant or temp-admin, who actually knows how to FIX the goddamn problem, then change the sysadmin's diapers and hand the keys to the server back to him to go louse up again.

Fear of messages.

[simpleguy]

Also imagine another scenario.

An e-commerce website's home page gets defaced with the usual elite cracker message.
Insulting the sysadmin.
Shouts to the peeps.
Links to places ... and..
"Oh yea sysadmin, thanks for your customers' credit card numbers. I am gonna have some fun this month"

Just imagine how seriously this can hurt the business. People get informed that the website has been "owned by some elite hackers' and the credit card numbers they used to purchase stuff there are ...ummm.. owned.

No matter what the website does to re-assure the customers that vital data has not been broken into, it will still lose MANY customers.

Will you purchase from ..lets say Amazon if their website gets defaced with a similar message as above?

Simpleguy

Re:Bogus Figures

No, of course not. But if you're a web site pulling in a fairly steady stream of money, say $1000 a day, and I shut you down for a day, you can make a convincing argument that you would have made $1000 if not for my actions. Your income at the end of the year is $1000 lower. Its real money you won't have. Shouldn't I be held accountable for it?

Looked at another way, if I'm a drunk driver and run you down causing you to be unable to work, do you think you're entitled to the money you would have earned if you could work (as lost income), or only what it costs you to survive?

Re:I'm really sick of this attitude

[adamsc]

I really hate it when people go off bashing the administrators when they haven't necessarily done anything wrong or incompetantly at all. These guys are the victims. The script kiddies that mount these downloadable attacks are the people we need to be fighting here.

I quite agree. However, there are two points which the original poster made which were quite good:

• Ludicrously inflated costs - $300K to clean up a server? Does it really take 4 man-years? Personally, I think this is a case of management choosing to hide costs in something they won't take political heat for. I expect Y2k will have similar abusers...
• A non-trivial number of sites that are broken into had not been patched in months or years. This really isn't excusable for a system with a full-time admin and, I'm sure you'd agree, is quite different from being one of the "lucky" front-liners when some new attack appears.

Cost of disruption leaves them unprotected

[adamsc]

They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost.

• An $18,000,000 site should have backup servers, frequent backup tapes and so forth.
• What about disaster recovery - how were they planning to handle things if there was a hurricane, earthquake, fire, etc. Lose $18M/day until Sun ships them a new box?
• If they're making that kind of money, shouldn't they have at least one full-time security guru?
• If they didn't do any of the above (necessary to claim the kind of damage they're [fraudulently] claiming) aren't they going to be liable for some sort of share-holders lawsuit, just like I would be if I set up a huge shopping mall and was too cheap to buy locks or hire guards? (Note that the cost of everything abouve would be under 5% of a single days revenue, if their figures were true (unlikely))

Beefing up security isn't due to being cracked

[adamsc]

While the figures cited are somewhat bloated, there's a lot more cost associated with something like this than simply putting the cracked page back up. I've worked in organizations where this has happened (not my fault, though ;>) and it usually leads to 1-2 weeks of beefing up security to prevent the same thing from happening again.

This isn't something that can be blamed on the crackers, though. Beefing up security is something that should have been done anyway. It's like buying a lock for the front door after someone walked in...

Shut down the Internet? No.

[Signal+11]

Sorry, I don't buy it. You'd only disrupt the backbones, and little else - most small/medium-sized ISPs use static routes. Backbones do use protocols like BGP, but not all of them (use the same protocol). And I would certainly expect that they would not be allowing rogue packets past their border routers - especially routing (from icmp, bgp, dhcp, or anything of the sort). I am willing to listen if you have actually been inside these networks and seen that such packets make it onto their internal network - I have neither the time nor inclination to try something like this. Maybe you're more bored than I am and have actually looked around. Anyway, while you can certainly raise cain on a network that relies on such dynamic protocols, the problem would disappear as quickly as it appeared - ie: about 30 minutes (assuming high clueon radiation in the NOC).

Besides, incorrectly routed packets still go *somewhere*, and icmp can still act as a return mechanism to indicate where these "hacking" attempts are being made so the admins can track it and temporarily assign static routes to the affected router(s). 30 minutes to take down, 30 minutes to bring back online. Again, this assumes the clueon index was particularily high at the affected backbones at the time of attack.... *cough* Not sprint *cough* ...

This doesn't preclude the possibility of a more long-term guerilla war being made on the backbones, but that wouldn't "take the whole 'net down in 30 minutes". It would make the evening commute more interesting though.. and I for one think it would give the community a solid kick in their complacency.

Personally, I wonder how many servers have been silently compromised inside these networks and are being used as relays for other attacks. If the cracker kept a low profile, such activity might remain undiscovered for some time. That is a much more serious risk IMO than some 30-minute orgasm of custom packets being thrown at the backbones.

Re:Shut down the Internet? No.

[Caspuh]

Surely you arent suggesting that 60 minutes without any internet backbone would be no big deal?

Re:Shut down the Internet? No.

Sorry, I don't buy it. You'd only disrupt the backbones, and little else

You're right. Breaking the internet into a bunch of separate unconnected LANs wouldn't be that bad.

Must pay those anti hacking personnel

[Inspector]

I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another.

Well, don't you know that the salaries of all the SysAdmins, web designers, programmers, and consultants that happen to be working during the hour it takes them to fix the page all need to be paid. I mean, it's not as if they wouldn't have been there working anyway if the "hack" had never happened ;)

Broken Fence Repair

[B.B.Wolf]

This is how it works:
If my fence is broken and the neighbors mutt gets
into my yard. When I sue him, I can recover the
cost of fixing my fence, plus some overhead, and
lets see - oh my labour is worth $50/hour. Isn't
it obviouse, that the damned neighbors dog caused
the expense, never mind that I built the fence out
of rotted scrapwood.
I hope I am wrong in the assesment of the logic
being used in these cases, but I don't think I am.

Re:Broken Fence Repair

[smack.addict]

While this is not a great analogy, it actually harms you :)

First of all, if the dog does do damage to your yard, you can sue for the damage to your yard. Your ability to collect damages, however, is mitigated by the broken fence. But only because it is damned obvious that you have a broken fence, and not because there is a way in.

If, for example, your neighbours child starts throwing rocks over a solid fence and breaks a window, the neighbours are fully responsible for those damages. Even though you failed to fully isolate your house from such damage.

Now, computer security is much harder than building a fence. Recognizing holes is very hard. And just because someone has a computer on the internet does not mean that they have the time or the skill to make their fences into fortresses.

Anyone who understands security at all knows that the only way to completely secure your computer is to turn it off and lock in a safe. The minute you turn it on and take it out of the safe (not necessarily in that order), you are opening it up to security risks. Putting it on a closed network opens it up to more risks. And putting it on the Internet opens it up to even more risks.

If we expect every computer on the internet to have top notch security, then we are seriously limiting who can have computers on the internet. We therefore need to vigorously punish those who would exploit the complicated nature of computer security.

Re:Figures

[DukeofURL]

probably ones like amazon, onsale, ebay,etc...

Re:Shut down the Internet?

[ronfar]

I'm thinking about ways it could be done, didn't Melissa do a lot of damage? It occurs to me that the big problem with Melissa was that it propagated so quickly that it tied up a lot of servers. Now, if the Melissa virogen had written it with the intent of taking down the Internet, could he have figured out a way to make it propagate even more quickly? I know Melissa wasn't a very sophisticated virus (it just took advantage of one of the many security holes in Micros~1 product line) but it seems to me that if someone really knew what they were doing they could create a worm or virus that was much more devestating.

I'm just saying, it isn't that farfetched, considering the software a lot of people using the Internet use. Remember, the fact that the Internet can (theoretically) survive a nuclear attack doesn't mean that this kind of sabotage won't work, remember the Morris Worm? This kind of sabotage operates on a completely different principal than physical damage.

Of course, it may be that things aren't as prone to this kind of sabotage as we may think, but I think that just as the Schlieffen Plan would've insured Germany's victory in WWI if it had played out the way they expected (i.e. Britain and the US stayed out of the war) it is possible to have a plan that could take out the Internet, whether it would work in real life or not.

crontab's, checksum's, backup's? (Was: Re:Figures)

[K'tohg]

I'm realy confused why a company which makes that much money (ok a signifigant amount) would even have a problem with fudged webpages like that.

Haven't there employees heard about checksums, backups and crontabs? I'm mean have a cron job check the checksums of the web site files every 20 minutes and if there off page the sysadmin or automatically restore from backup and recycle the webserver/servlet engine. This way the company would lose 40 minuts of business at the most.

Am I off here? anyone care to point out my oversights?

Re:For what it's worth, I believe him -- Yeah righ

Ok, lets break this down and cut through the bull****. No one can "bring down" the Internet in 30 minutes. The Internet isn't a building, or even a network, it's gotten so big that you can't really classify it like that anymore. It's almost---alive! I have no doubt that with large (or even not-so-large) flooding of key points that a person (or group) given enough time skill and bandwidth could disrupt things for a little while. BUT lets face it; l0pht isn't the only group that might possibly have a clue how to do this. If someone really knew how to do this, they would do it. Since this hasn't been done it's but an un-tested theory and doesn't amount to jack. I say take down the Internet if you can, lets re-build it right!

Dell

They sell $18M/day to consumers alone through their website.

Re:Dell

[anonymous+cowerd]

Maybe so; if I want to buy something from Dell and my Internet connection is down (which seems to happen reasonably often, for reasons which I suspect have little to do with "hacking") I just pick up the telephone and dial up their 1-800 number. I can't help feeling that anybody who runs a business entirely on the Internet and expects he will get the same 24/7 reliability as he can get from the telephone network is kind of deluding himself.

Not that that exactly justifies script kiddies maliciously breaking into anyone's system and running rm -rf as root, far from it. It seems to me that a judge should make a distinction between hacks that are basically harmless, such as Melissa, hacks that require a little cleaning up, like replacing the FBI home page with a parody, and hacks which do permanent damage, like the guy who wiped One38.org's entire web server. A judge would certainly make an analogous distinction between trespassing, burglary and armed robbery. To threaten all hackers indiscriminately with a longer jail sentence for diddling somebody's essentially meaningless home page than they would serve if convicted of assault with a deadly weapon isn't justice, it's hysteria.

Yours WDK - WKiernan@concentric.net

PS: Hey! I can't help noticing, there must be a cookie on this PC because when I went to compose this reply, I was automatically logged in under my /. ID. What a unique, brilliant innovation! Isn't it time that CmdrTaco patented "one-click posting"?

You're wrong.

The l0pht makes a point of doing tests and experimentation on their *own* machines. This is, in my mind, what separates them from crackers.

Cracking Groups like Global Hell play with other people's hardware without permission. L0pht, though, is not a cracking group. Duke was talking about the l0pht when he made his analogy, which I find to fit rather well with what they do.

Then Lets DO it!

Lets do it, bring down the Internet (*cough).. Then maybe we can rebuild it right!

Of course it is going to implode on itself eventually. Be it from lack of IP space or routing tables that have grown out of control, the Internet as it is today was NEVER designed to be this big, fast or spread out.

L0pht or whomever, lets get to it. If you have the code/knowledge/skill to do this, lets see it. In fact, if you don't want to for fear of legal consequences, send the needed information/code/resources to me and I'll do it. I don't think you guys are serious, I don't think you guys expect anyone to believe you. You could be right, you might be right, who knows. I repeat. Let's SEE IT.

Anyoen that can do this, put your idea/implementation where your mouth (or finger) is.

Corrections and clarifications

[bons]

First: L0pht

Second:Attrition.org

Of special note is the Attrittion Mirror of defaced sites. This will allow you decide how much "damage" is actuall done and how much "help" was actually done. Please not that this varies greatly by individual.

The problem that exists is that these people, often under 21, see big giant gaping holes in the security systems and this bothers them. If they report it, nothing happens because no one has, or ever will, listen to them. (Some sites have been defaced repeatedly, without ever having fixed the holes, even after the fix was placed in the HTML!)

So they make a mistake. They try to draw atttention to the fact before someone less kind, (for example a rival organization) uses the same holes to download actual sensitive information. (Warning, this kind of thought process can occurr to you when you've read too much cyberpunk.)

I'm older and wiser now. I realize that people REALLY DON'T care about security. Normally they just want something to rant about. The status quo is to lock your car door for security but if you lock the keys in your car you expect a locksmith to get them out in under a minute.

Think about it. If the locksmith can do it in under a minute, so can I.

They may not be adults, they may be fools, and they may annoy the computer professionals that are responsible for security but let's look at it this way.
If some kids can take down whitehouse.com, why couldn't Zhirinovsky hire someone to do the same, only with a lot more creativity and subtleness. (Wouldn't the media just love it if someone found a collection of porn jpegs on whitehouse.gov?)

They're criminals. They view themselves as unsung heros. In short, they're the Chicago Seven of a new generation. Even Richard Daley's famous quote could still apply:

"Gentlemen, let's get something straight. The police aren't in the streets to create disorder; they are in the streets to preserve disorder." -- Mayor Richard Daley

Re:oooo a challenge

[Fastolfe]

Any "good" intruder can do a lot to cover his tracks, but all it takes is an admin watching network packets with the ISP of the source on the phone.

There's always a trail. It all boils down to who has the resources and time to follow it.

It amuses me how many l33t hax0r IRK kiddies there are that think they're indestructible, that the only kids that are ever caught are the ones they show on TV, that they'll never be discovered or prosecuted. And when the FBI raids their house and their parents are stuck losing their home and his college tuition money paying for damages, guess who's out there laughing his ass off.

Re: Inflating Costs in one easy lesson

Grammar and spell check off because I could care less.

Heheh. The intentional irony here is wonderful. My Spanish teacher hated that. Drove him bonkers. He did teach me that the Smurfs in Spanish are called "Los Pitufos."

Re:$$$

Install the service packs that should have been installed anyway? I can't see how you can charge that to the intruder. Might as well charge the cost of adding cheesy javascript rollovers while you're at it.

If I were that "head of network security" that they quoted as saying it cost "hundreds of thousands of dollars" to fix a simple web page tagging, I sure as hell wouldn't show my face on national TV. Why didn't he hang a sign around his neck saying: "I am an idiot who is unqualified to do my job?"

The same "expert" talked about how much he feared what would happen when the cracker got out of jail, and wanted revenge. The cracker was using win98 on his MOTHER's computer! This was not someone any competent admin needs to fear.

Re:$$$

This is nothing compared to what the police do after a drug bust. "We captured the drug-lord with 20 pills of ecstacy, with an estimated street value of 6.4 million dollars." Reality is it was some fucked up party kid with some pills for him and his friends, worth about $200-250.

Maybe they were reading

Taking down the internet in 30 minutes for DUMMIES. (insert rimshot)

Sigh

[tpck]

"If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough.

And a $17 million dollar a day site? Less serious? What about a $0 dollar a day site, say a unicef.org or whyme.com?

I'm sick of money being equated with importance.

I have no respect for script kiddies that deface webpages randomly, launch pointless DoS attacks, etc. They all seem unproductive and malicious.

Though I do rather like those people over at the L0pht. :) Original, creative, and damn, they actually DO stuff, unlike 99% of them damn script kiddies.

Still, I'm sick of all these [hc]racker stories. The media does seem to be doing a slightly better job lately though. Well, sometimes.

Re:Sigh

[Fastolfe]

The punishment should be proportional to the amount of damaged caused. If a kid caused 100M$ of damage, he obviously can't pay 100M$ any more than he can pay 10k$, and it isn't quite fair that he serve the same prison sentence (if any) for both crimes. I think it's perfectly fair to base severity on damage.

You also have the funding factor. If you cause a huge company damage, they're probably going to unleash quite a team of lawyers upon you, unlike some non-profit web site that would barely be able to bring civil charges of its own.

Re:Sigh

[leiz]

"If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough.

Wait, aren't many web companies losing money? from yesterday's articles, someone said Amazon.com loses money on every book sold. So if someone hack their site and stop the business transactions, wouldn't the cracker be saving the company money?
=)



_______________________________________________
There is no statute of limitation on stupidity.

Re:Sigh

[tpck]

Hehehehe. Damn, Score:1? Someone should moderate this up. :)

If someone hacked Amazon.com, say, they could potentially save the company (hundreds of?) thousands of dollars! Thats probably the most paradoxical thing I've heard in a long time. Heh. But for some reason, I highly doubt Amazon.com or the courts would see it that way. :)

Re:Yet another script kiddie story... But

[toolie]

Script kiddies bother the hell out of me.

The first quote of the story: "Young cyber whizzes with knowledge to infiltrate the most secure computer systems in the world are growing in numbers and ability," should really be changed to say "Young cyber whizzes with knowledge to download freely available exploits that anybody with a minimal sense of security should be able to patch."

The worst part is that the media is the only thing that feeds the so-called 'intelligence' of most people. I guess thats why the world seems to be in a downward spiral. It'd be cool if journalists would ask for expert opinions from people who know something about the subject, but I think they teach you not to do that in Journalism101 or something.

WNT Article Contradicts Itself

[�nubis]

From the World News Tonight article:
"...the members of L0pht see what they do as neither good nor bad."
""We feel we're actually making a difference," says one L0pht member."

Is it just me or do those two phrases seem to contradict each other?

Re:WNT Article Contradicts Itself

The two statements don't logically contradict each other, unless you presume that any difference someone makes is necessarily good or bad. That, of course, rests upon a lot of other philosophical suppositions.

Anyway, though, I take your point. One would think that the members of l0pht *must* think that what they're doing is a good thing, else why would they continue doing it?

I don't think news reporters are particularly careful about verbal accuity and logical coherency. They're more concerned with telling a good story for the audience. Ultimately, their goal is to get attention and ratings without pissing off their corporate sponsors -- which is easy enough, if you're willing to throw out fairness and accuracy.

Don't tell the Man!

[anonymous+cowerd]

I read that first article about the secretive shadowy sinister L0pht gang, and laughed so hard I spilled my coffee. Oooh yeah, L0pht is a big top secret all right. I'm sure I can rely on the rest of the /. readers, insiders and conspirators one and all, to not publicly reveal the location of their top-secret underground web site at, just guess, yep you got it, www.l0pht.com, 'cause if the Man finds out, whooey!

If the major media could stop kissing Jeff Bezos's ass for just a few minutes they'd see that amazon.com's fraudulent patent is a bigger threat to the Internet than all the hackers in the world put together. But Bezos is a billionaire, and Americans - rich ones, at least, like the management of the mass media - don't seem to be able to think clearly in the overwhelming presence of billionaires, whom they worship, unreflectively, disgustingly, just like a crackhead worships a big old chunk of crack.

Yours WDK - WKiernan@concentric.net

Re:Don't tell the Man!

Hey idiot, they were talking about where they are physically, not their web site. Duh. Maybe if you actually looked at something other than your computer screen once and a while you would know that a place is not always synonymous with a web site. Yes, beleive it or not, the world is not one big web site and its actually good to go outside once and a while.

Re:Don't tell the Man!

[anonymous+cowerd]

No doubt you (and ABC) are trying to convey the notion that the physical location of l0pht's office is some big dark secret, utterly unknown to the FBI and that like, like the geographical coordinates of Osama Bin Laden's current hideout. Yeah, sure it is.

Yours WDK - WKiernan@concentric.net

Re:Shut down the Internet?

[weld]

We did not go into details about taking down the net in 30 minutes because we don't all need another script kiddie attack. See we can't win. If we tell the world how to do it we are just bad guys enabling malicious hackers. If we don't tell the world we are just clueless boasters.

If anyone is seriously interested in this topic I suggest learning the BGP routing protocol paying close attention to the authentications mechanisms or lack thereof. Then study the network topology of the backbone provider interconnection points (the NAPs and MAEs). Then learn how to craft your own packets with a library like libnet. Then do some long nights of experimenting (on your own equipments of course).

If you don't want to do all that work yourself you are going to have to trust us. :-) Remember, things never work like they are supposed to. If they did there wouldn't be nearly so much hacking!

weld@l0pht.com

Inflating Costs in one easy lesson

[jd]

Ok, class, today we learn about how to wildly inflate the cost of repairing cracker damage. First, we need to think of it -as- damage. That, in itself, is a powerful psychological tool to help inflate the costs.

Second, we must make the assumption that if one file has been altered, -any- file on the system could have been altered. Remember, don't use tripwire, or any similar tool, as this will eat into your damage assessments. Figure in the time of a complete deletion of the system, a fresh re-install of all applications, and finally a restore from your latest backup tapes.

Remember, system restoration should be put in as overtime, so your figures for damages should reflect this.

Then, you must factor in the cost of the system being down, in terms of time lost (wages) to all company employees over the entire day, even if they probably wouldn't have used the system at all. It's still a loss of potential, which is still a cost.

Then, you must factor in the cost of calling in the technical support people from the company you bought the system from, to fix the security hole. Even if you buy technical support, when you get the system, you're still using it, so there's still a cost -somewhere- in the system. Fixing the security hole yourself is a big no-no, as this would imply incompetency on the part of the technical staff. As technical staff are, by definition, competent, any hole that exists must be obscure and only known to the company that you bought the system from.

Then, consider the cost of loss of revenue from any banner adverts your site carries. That it's not your loss is irrelevent. It's still a cost of the damage. Assume everyone who enters your site follows a banner advert and purchases something. This may not be entirely accurate, but it's a possibility, so it's still a potential cost and therefore counts.

Finally, consider the cost of image. Any points lost on the stock market, that day, are potentially a result of the system crack, so you can estimate how much the company lost in value as a result. It's important to remember that, even when any other factor in the Universe seems more likely, always assume the worst possible case, for damages.

This completes your class in damage assessment and valuation. You are now qualified Public Relations officers, capable of handling the worst system cracks with dignity.

Re: Inflating Costs in one easy lesson

[grumpy_geek]

Tripwire won't do squat for you verifying the integrity of the data, name a single large website that only does static data that never changes the data during the day... what you mean tripwire can't verify the integrity of the data in my database?

Look how much bad data cost buy.com when they advertised monitors at below cost due to a typo; now imagine how much a company could lose by changing data within a database. Now think how many man hours it would take to verify that data by hand, restoring isn't a cake walk either to restore an Oracle database we have here on site took 36 hours (restoring from tape, replaying the redo logs, etc.) that database is big (talking in the t's as in terabyte). This is where big-time costs come in, how do I know that friendly intruder didn't modify my data that changes every minute or every second?

Reading through the rest of your post you are saying:

1) that tripwire will check everything and I should not worry. Hmm guess I don't use any dynamic data... that's real cool website

2) that only one machine could be penetrated not any others. Guess that same exploit wouldn't work agains any others.

3) that attacks only happen during the day. Isn't that nice how they only do that during normal working hours.

4) that wages lost due to downtime really are a freebie to the company. I wonder if I can convince my boss that giving me a $100k raise would actually equal $0 cost to the company.

5) that the stock market doesn't really care about bad news. Tell that to whoever at Microsoft said tech stocks are overvalued since his porfolio lost a few mill that day when the stock went down a point or two. (ok, that's pushing it but it's true)

You might want to add that my time working on a compromised box is free time since that other project wasn't important anyway (hey they pay me to fund my pepsi habit, not because I have any real work to do)


Grammar and spell check off because I could care less.

Re:Read the article

Get a clue ya moron. Amazon is losing money because they are investing their revenues in advertising and branding..etc. If Amazon wanted to turn a profit they certainly could. I'm not sure how much of a profit, maybe not enough to justify the stock value... but I'm sure they will be able to show a profit when wall street starts to demand it.

Cost of Replacing One Page

[JoePyro]

While the figures cited are somewhat bloated, there's a lot more cost associated with something like this than simply putting the cracked page back up. I've worked in organizations where this has happened (not my fault, though ;>) and it usually leads to 1-2 weeks of beefing up security to prevent the same thing from happening again. This will usually include generating new passwords for all users in the system and phoning them to get the new passwords out. For public/non-profit organizations this can mean several thousand dollars and a couple hundred man-hours of personnel time which could be spent doing more important things.

Re:Cost of Replacing One Page

First off, you shouldn't NEED to "beef up security" - security should always be "beefed up" if it's not, then that's not a cost that can be associated with cleanup.

Look at it this way: if someone was renting server space from me, and a cracker managed to deface their site because of a security hole in the software, do I have the right to send them a bill to fix the security hole? (If your answer is yes, please tell me your name and place of work, because I REALLY want to be your ISP!)

Second, I doubt that most web servers for large corporations have normal users logging in to them. Just an administrator and technical staff for that department. There isn't a big list of people. If more than a few people have access, it's a mistake in planning.

Poor reporting

[DanaL]

Wow! I'm not sure if those articles could have been more devoid of content, yet still so sensationalist.

We have a group of hackers (crackers? smackers? ugh...) who claim they can crack any password in seconds and bring down the entire Internet in, what was it? 30 minutes? And the 'reporter' just lets the statements stand! He didn't question (seem to) question them on how feasible this really was or go and talk to security professionals for their take on the claims. Without any attempt to refute or prove their boasts, you'll have even more people scared of the awful hackers. Sigh...

Dana

Re:Poor reporting

[Stonehand]

It's not like the much of the rest of the competition -- namely, evening "in-depth" news programs -- provides more than fluff, emotional manipulation, and the occasional biased piece of news.

See the Accuracy in Media site, which includes interesting articles such as a piece on "journalism" with an agenda, and one on the Food Lion incident, which was perpetrated by another ABC "news" program -- PTL.

Re:Poor reporting

[whoop]

Your confusing reporting with journalism and assuming the media is unbiased. The key with especially television is getting viewers. You best do that by tapping into the fears of the general public.

Given that everyone out there doesn't know how to set the VCR clock, they avoid learning anything about technology. This avoidance leads to unjustified fears. People assume snakes are slimey and do nothing but bite/constrict everything they encounter. So they have great fear of what they do not know.

People love feeding their fears. So, what better way than to have 30 minutes of world-ending hoopla? It's entertainment, more than information. They aren't looking to tell you "It's ok, you will be able to flush the toilet on Jan 1," but instead, "Look at what these kids can do to the Pentagon, imagine if they turned on the local sewage treatment plant! Ahhhhhhhhhh!!!"

Sure it'd be nice if they asked whoever they report on who/what/where/when/why/how, but those days are gone. You take one person's statement, then go to the other side and ask, "How do you intend to stop this person from taking over the world?" They say something like, "Your person is a wacko, you can't take over the world with a a spork and packet of hot sauce from Taco Bell." And then go back to the news desk, where the anchor says, "There you have it, the President is doing nothing about this impending coup."

hacker fud !

[serialk]

yet again the terms hacker and cracker are

confused !

what a surprise ?!

oh yeah the showdown of "government vs. hackers"

One word for you...BACKUP

[lyrabas]

This guy about the computer virus is stupid. Obviously he has never heard of a backup. "All of its gone forever." PLEASE!!!

definitely interesting.

[Juln]

that was a very intriguing article.
i want the uswest database of numbers being monitored by the police!
actually, i wanted it 3 years ago when I was dealing. Now, it wouldnt be nearly as exciting.

Re:capability != intent

[Scudsucker]

And if you had any wits you might have guessed that that's where I got the idea from. Have a young person take you to a doctor for senility and overt crankiness.

Re:better reporting would be nice

[ronfar]

I does occur to me that the news media seems to pick stories based on their "sexiness" rather than their relevance. I mean I read somewhere online that a group of crackers in Thailand used the fact that a guy was paying for things on Amazon.com with his ATM card to empty the guys account. I don't know how they did it, but it seems to me that this would be a lot more useful information to the general public, and is a lot more dangerous crime, than a group of crackers who put grafitti up on the White House web site. (Oooh, scary!) I mean it would even contain a useful bit of information for semi-computer literate people out there, "don't use your ATM card to buy things online."

Of course, I hate the way they do these types of stories anyway, and that FBI guy was the stiffest, most humorless and least charming guy I've seen on TV in a long time.

Re: Yeah right

[bee]

If someone really knew how to do this, they would do it. Since this hasn't been done it's but an un-tested theory and doesn't amount to jack. I say take down the Internet if you can, lets re-build it right!

Let's translate this into a real world analogy, and the absurdity will be evident.

Some group says "This bridge that is the main route into or out of this large city is hazardous; all it would take is a large truck to ram the right spot on it and the whole thing would collapse."

''If someone really knew how to do this, they would do it''

Wrong. Not all people who investigate security holes are malicious. In fact, probably very few are, which is why we don't have more break-ins and such than we already have.

''Since this hasn't been done it's but an un-tested theory and doesn't amount to jack. I say take down the Internet if you can, lets re-build it right!''

So you're going to blow up a perfectly usable bridge, causing another to be built at great expense, just because you can? I suppose you're going to volunteer your time to help re-build what you so carelessly destroyed? No? You don't know how to build bridges? Maybe you shouldn't be so eager to tear them down, then.

Safety groups in the real world are all the time pointing out how dangerous products are. Why is it when a group does the same about computer security, they get roundly flamed no matter what they say or how they say it?

Re:I'm more amused by ...

[karb]

Does this mean companies like McDonalds or Microsoft deserve greater protection than some mom and pop site?

Umm, this is like saying "Does Fort Knox deserves greater protection than a convenience store?"

The risk and potential damages are much greater to a big corporation, so it would be kind of stupid to afford it no extra protection. (duh)

And better yet...

...right after that, he explained how he was so intimidated that he started paying protection money to the crackers so they wouldn't do it again.

Saw part of this, Noticed the bloated cost too..

[RollTide]

My guess is the network just listened to what the company said, and didn't research just how difficult it is to restore from tape :-) Also, here we go again with the hacker/cracker debate...I wonder if any media will ever get that one right????

Ethical?

[karb]

A guy from the one hacked company had hired one of the global hell hackers as a consultant after he was hacked.

The security guy's justification was that if he had turned the hacker in, he would have become a target of global hell.

Furthermore, he felt that since he had paid one global hell hacker, he wouldn't be attacked by anyone else in the group.

Two Thoughts:

1. Holy racketeering batman. Say what you want about whether or not hacking systems is ok, but doing it to extort money from people is unjustifiable.

2. Stupid sysadmins who pay hackers are idiots. This is like paying off the mafia and keeping your mouth shut about it. Sure, you'll probably be safe. But you've just encouraged them to use the same tactics against other companies,insured their existence FOREVER, and you're going to have them on your a** that whole time.

Yeah.

[AtariDatacenter]

Did anyone else notice the Battlezone arcade game in the background? Hey, these hackers have TASTE.

Re:Yeah.

[tpck]

Um, I'm not seeing this Battlezone game? The L0pht article at http://www.abcnews.go.com/onair/WorldNewsTonight/w nt_991220_CL_L0pht_feature.html? All I see is a pic of some code?

Re:Yeah.

Yeah, it works .... @ the last l0pht open house many people got to play with it. Only problem is ithe tank pulls to the left.

Re:Figures

[jawad]

Dell pulls in a lot of money per day (over $10M/day, definately), and in response to "Our Man In Redmond", the company doesn't necessarily have to make their $18M/day all year round -- Most websites sales go up in (*gasp*) December due to holiday shopping.

Anyway, the $18M/Day is probably gross sales, not net profits.

capability != intent

[Scudsucker]

Both of those stories were annoying, but what bothered me the most was ABC's general attitude that hackers will do malitious cracks because they can.

It's like saying the FBI should keep a close watch on Alan Cox because he convievably could add a backdoor hack to the Linux kernel allowing him to break into any system that used it.

Re:capability != intent

If the FBI did so, they'd show that they learned from history. Have an adult tell you sometime about Ken Thompson and what he did with login(1).

Re:Shut down the Internet? Yes

[Edward+Kmett]

You don't even need that really. What you need is the ability to lie about the AS that you belong to and start flooding peers of that AS with bogus routes until the peer runs out of memory.

Routers don't like it when they run out of memory, especially Ciscos. I ran into similar issues when I was implementing OSPF and accidentally killed a dozen Ciscos, a few Ascends and Portmasters with some miscrafted packets. Its harder to do with MD5 authentication in place though.

Figures

[Foogle]

They explain the high cost (to a point) in the synopsis. It's not the actual cost of replacing the file... that's pretty minimal. No, it's lost income because of the disruption. They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost. There aren't *too* many pages that pull in $18 million a day, are there? Well, the point remains anyway.

-----------

"You can't shake the Devil's hand and say you're only kidding."

Re:Figures

[Fastolfe]

It could also be 18M people spending $1 a day on their site. $1 isn't much, and most people would be quite happy buying whatever $1 product this is from a competing site, or not at all.

The lost revenue figures are quite valid and the point still stands. Companies sue and prove these kinds of damages *very* regularly (not necessarily Internet-related either), so this is not a new concept.

Re:Figures

[Frodo]

Well, it could be $18M/day, if they sell real-estate via the web, for example (and there's an idiot that would by it from the web), so one sale of $18M per day will do. However, they won't lose $18M from the downtime then - the person that is determined to spend $18M on you won't leave so easily :)

Re:Figures

[CausticPuppy]

yes-- 3 seconds for the new server to kick in, with the same security hole that the cracked server had.

Perhaps it takes some time to find and plug the leak?

Re:Figures

[Stonehand]

I take it you've never known anybody that had a cracked system -- either that, or they didn't care a whit about their data.

I used to have a box on a dorm network. The expectation was that all communication was sniffed, that all other machines were possible hostiles, and that being port-scanned was just part of the usual routine. These expectations hold for the office machines; one of my daemons serves as a crude portscan detector, because a) it's on an unusual port, and b) because it's utterly non-critical and non-privileged, it's simply designed to terminate based on any unexpected (out-of-protocol) traffic.

Most of the cracking attempts apparently come from bozos who'd basically replace a few binaries with backdoors, start a sniffer, and log onto IRC. However, some try things like 'rm -rf /' when they're done, which tends to render the log files not particularly useful in finding out WHAT was the vulnerability, and thus what needs to be updated, reconfigured, repaired or removed. In addition, for those that actually employ subtlety, you might not find out about the penetration immediately -- which can be an issue if you do frequent backups.

Re:Figures

[cephalopod]

$18m a day - pretty hefty. That'd make them a company which got $6.5 billion year in revenue just from their website.

Does anyone know of a company which gets even close?

Matt

Re:Figures

[Rob+the+Roadie]

I can't think of any web sites that take anywhere near $18m/day. Maybe Amazon.com is close but not now that we are boycotting it...

Re:Figures

[inburito]

Yes, but how do you value the service that the web site is providing to its users. I don't mean direct revenue but technical support, product announcements, general information. Companies can pretty much put their own pricetags to these services and then complain when the site goes down that we we're just unable to provide $18 million worth of service because of some punk with a script.

This is partly true too. Imagine the additional cost if everyone using the microsoft(okay, a lame choice) site for technical support and information would have to call them instead of just few clicks in the browser. In that case even the slightes disruption would result in huge 'damage'. And in cases like yahoo the revenues just from advertisement are probably astronomical.

It is the same way that the federal government can put a pricetag to it's "valuable" public service websites. It's like disabling library doors so that nobody can get in..

Re:Figures

[garethwi]

I don't see how this figure of $18 million could ever be true. If I had a cash cow of a web site that was earning me that much every day, then I wouldn't just have a backup tape, I would have a complete back up web server which could be activated at the flick of a switch, with a total downtime of about 3 seconds from when the change was noticed to the new server kicking in.

Then that cost would work out at something like the following;

Lost business During downtime of 3 seconds: $28,800

1 tech person to fix the problem $1,200

Total cost $30,000

I really don't see how it could be more.

Re:Figures

[Our+Man+In+Redmond]

Mr. Calculator tells me $18 million a day equates to $6,570,000,000 a year. If there was a web site making that much money we'd be hearing about it. OTOH for a company to be making a mere $100 million a year they would only have to take in somewhere on the order of $275,000 a day which is still a significant amount of money to see lost just because someone wanted to prve how 1337 they are.
--

Re:For what it's worth, I believe him -- Yeah righ

i think you are misunderstanding what he is saying. the explanation is not a DoS (denial of service) but a routing corruption. the internet would still technically exist, except only as fragmented networks. example: to get to 'A' from B, go to C, then D, then A. however, if someone inserts go to C (or go to B) into the route after D but before A, you could never get to 'A', since the route never actually gets there (it loops back on itself. it could just as easily point to 'G' instead). like he said, there is no security on the route advertising in BGP4. a similar thing, though i believe it won't work (well, not anymore, they finally have security on this stuff) is corrupting the DNS tables by saying the ip address of www.foo.bar is 0.0.0.0 when its actually something else. if that propogated (which it would except for the trusted source and other such checks) then www.foo.bar just fell off the 'net. now, scale that up. fill the entire DNS table with everything's IP address being 0.0.0.0, and once it propogates, the only way to reach something is via its IP address (which 90% of people using the net don't know.)

Read the article

[Dilbert_]

Note that they do not claim replacing one page with another costs millions of dollars, but that they claim shutting down a website of a company making millions of dollars is a crime.

Suppose someone took down index.html at www.amazon.com for an hour. That coulde easily run into high losses for them, since their business is web based. I wouldn't know about index.html at www.cocacola.com, though. Do they make any money with their site ?

Re:Read the article

[jackalope]

Get a sense of humor, and get a name to post under.

Re:Read the article

[jackalope]

If they shutdown amazon.com's index.html for a couple of hours it might actually save Amazon some money. Seems like if they are doing business they are loosing money...so stop them from doing business and they might make money.

Disrupted White House comms for 2 days??

[348]

Did anyone notice that they said the White House comms were disrupted for two days while the web environment was restored.

The comms are run out of Ft. Richie in Cumberland MD, and not even remotely connected to the Web site.

Also, the Web site is just brochureware, there is no gateway to anything important.

Re:Disrupted White House comms for 2 days??

[Bios_Hakr]

As a military sysadmin, I am sometimes diverted from an important job in order to work on a high-profile job. So, yes, communications can be disrupted while I am reloading a server.

makes me scratch my head

[kwashiorkor]

How come when you hear about cracker/hacker groups , their exploits are always related to web servers? Are there no other forms of critical computers connected to the 'net at large? What's hacking? What's cracking?

It's the lack of background and CONTEXT that really detracts from the credibility of these mass media news reports (this applies to places like zdnet and c|net also). They never mention the types of computer services (aside from web servers) that are attacked, or even begin to hint at the general methods which are employed. This inability to provide real information seems to indicate that these articles are nothing more than fear mongering dollar grabbers.

I've read in a few posts here on /. that the target audience of these stories is not interested in the technical details. I will agree to a point, but only because I can't recall ever seeing real information ever being presented to the masses and it's never been tested. Until such a time as when they actually present a frame of reference for their stories, this amounts to nothing besides fear mongering.

What I'd like to see is an article on the damaging effects of fear mongering on businesses. How many dollars a year are lost due to uneducated pontification and agenda furthering FUD campaigns? How many businesses have lost money because a panicked executive heard from a friend of a friend that X problem is at hand and emergency procedures ,costing millions of dollars in capital and man-hours, must be put into place, only to find out later that it was not good information?

Stop knee-jerk reactions. Put a muzzle on poor journalism. Educate, don't pontificate.

Re:Yeah. It was l0pht. Nice one, too.

L0pht Heavy Industries had the Battlezone full upgright arcade game. It looked to be in very nice condition, but it was not powered on. No doubt, an elite hacking tool. (Real programmers go for those vector screens -- raster is way too easy to code for.)

Re:Anyone else notice...

What the heck are they supposed to do if they need a multi-processor server? OpenBSD can't hack that and they have NO plans for multi-processor OpenBSD.

Email?

[Pyrrus]

I was going to (politely(maybe)) inform them of the difference between hacker and cracker after I saw it, but the cowards don't post their email adress from their website. Does anyone know what it is?

Re:Email?

[ronfar]

Hmm, let's see, I think you can send an Email to them at this address:

2020@abc.com which I got out of this feedback form, which is of course how they want you to send the Email ;-)

Good luck though, trying to explain to TV news magazine shows the difference between hacker and cracker is like telling them AD&D isn't a form of devil worship. They'll smile, nod and say, "So, how long have you been a Satan worshiper anyway?" Whether it's because of true stupidity or because they know the truth won't garner ratings, I don't know.

Re:A better analogy...

This post is not insightful, its untruthful. L0pht does their work on their OWN machines. Go listen in on the NPR interview they did a few months ago. They make a direct qoute/phrase addressing your allegations.
The lack of fact-checking is what has everyone so upset at the reporters.

Doesn't Make Sense

[randombit]

I don't see why anyone would consider these crackers (sorry, the misuse of hacker really peeves me) to be dangerous, since most of them don't actually know crap about computers (the exception being L0pht, who I would place more into the hacker category anyway). They're just downloading exploits from Bugtraq and trying them out. If you keep you stuff up to date and are smart with your initial configuration (ssh2 and sftp access only, tripwire, logcheck, etc) any attacks that aren't prevented outright should be noticed right away.

Of course, it's not an ideal world, blah, blah, blah, but anyway my point is that people should be protecting their computers with real security, not laws that only "solve" the problem after the fact.

Re:Doesn't Make Sense

[Stonehand]

They may not be directly dangerous to you.

However, Joe the New Sysadmin might not have much experience with whatever system he's running; or, perhaps, it's a small operation -- for now -- and so the thinking is "Grow now, security later". Students, for instance, tend to spend more time worrying about their coursework, research, Slashdot, and so forth than fanatically reading Bugtraq and the various vendor-specific alert lists. These folks may get burned -- and if you do business with them, you may also get burned. It shouldn't happen, but look at even the more commercialized Linux distros, for instance -- they tend to ship with many, many services enabled by default.

For instance, if Amazon.com's customer databases were somehow accessed by an intruder, they could get names, (shipping) addresses, and credit card numbers -- as well as purchasing history, most likely. It doesn't matter if one of these customers is the most godly of sysadmins; it's Amazon.com's sysadmins that matter, but a LOT of people could feel the pain.

It's similar to the rest of life. You don't even have to be driving to be the victim of somebody else's horrific driving, and even if you're driving a PzVG -- which probably doesn't have to worry about Geo Metros -- the fellow next to you on a motorcycle is still endangered by others, such as the Geo Metros of Doom.

Re:Doesn't Make Sense

[randombit]

Students, for instance, tend to spend more time worrying about their coursework, research,
Slashdot, and so forth than fanatically reading Bugtraq and the various vendor-specific alert lists.

Hey, I object to your stereotype of students! The only thing on your list that I worry about is /.! Course it helps that I admin ~13 machines and don't give a crap about my classes, but hey!

It shouldn't happen, but look at even the more commercialized Linux distros, for instance -- they tend to ship with many, many services enabled by default.

Couldn't agree with you more. Linuxconf, anyone?

Re:It's not that simple

[mcrandello]

It takes ONE mailing list to find out about these problems in advance most of the time. If their sites are worth so much money to them why can't the invest the 2-45mins each day to check this stuff out!!??

I think that's one of the crackers' points. If you browse through the attrition mirrors you notice a lot of the defacements actually leave a hotmail address telling the admin to email them for what is wrong, or stating the address of where they left the original index.


mcrandello@my-deja.com
rschaar{at}pegasus.cc.ucf.edu if it's important.

Don't be dissin' RobinH!

[RobinH]

In that same morally ambiguous way, the members of L0pht see what they do as neither good nor bad. More akin to Robin Hood, whose merry band of outlaws used unorthodox ways to help.

Hey! I resent that!

Did anyone else notice that they used the word 'crack' a couple of times, rather than 'hack'? Are things looking up?

Re:Shut down the Internet?

[348]

Personally, I thought you guys did well last night. Raised some awareness. This seems to be the goal in general. I think L0pht did make gains in this effort.

They were clear, concise and stayed well away from the impressions that all hackers are script kiddie punks.

Good Job!

Re:Total smear job.

[0xdeadbeef]

I caught the end of it. They kept referring to this group of script kiddies as a "virtual gang", I guess in effort to conjure up images of drugs and violence and organized crime. Which is of course what the script kiddies want, right, it makes them look dangrous and powerful. They really drove it home at the end of the segment, when they mentioned that one of the kids might go to jail for a time, and questioning "is the right thing to do?" They then got some human prop to say just how dangerous and pissed-off this kid is going to be after serving time. Give me a break!

Oh, and that's not the best part. The very next story was about a poor little sick dog who goes around the hospital giving sympathy to the poor little sick children.

This is blatant propoganda. Meaningless emotional arguments designed to focus our hate and fear. Those kids are so dangerous. And the puppies are so cute! What if those dangerous kids hurts one of the puppies! Heavens no! I hate those dangerous kids!

So let's recap. Kids with computers: BAD! Puppies in hospitals: GOOD! Now take your soma and let's all sing "I love Big Brother!"

Re:Anyone else notice...

[Criterion]

Actually I noticed one of the guys running E. You could just see the bottom right of the screen, but I could see an iconbox and other stuff, enough to know immediately what it was.

Re:better reporting would be nice

[thal]

I thought these two articles were relatively well-done considering the intended audiences. There's a big difference between the average ABC News viewer and the average /. reader. ABC News shouldn't have the same depth of complexity, as the whole point of TV news is to take a complicated issue and explain it in terms that the average Joe can understand. This can be done poorly, but sometimes it can be done well. I think these two articles are done relatively well. In particular, the World News Tonight article gave a good summary of the good/evil qualities of h/cracking (i.e., cracking reveals security flaws that can be fixed).

Yes, the majority of media coverage about hackers/crackers is really paranoid, but this one wasn't so bad.

Bogus Figures

[Stiletto]

"They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost."

No, that's $18 million that they never made. There is a subtle but important difference. You can't lose money you never had.
________________________________

Re:Bogus Figures

So I can sue DB Alex Brown for $50000 Canadian because it was their fault I didn't make that much money on the VA Linux IPO? Come on, that's silly.

Re:Bogus Figures

[CausticPuppy]

No, it's money lost, unless the company also stops paying all expenses for a day (including employee paychecks) which isn't likely to happen.
The amount of money actually lost would be considerably less than 18M, but it's still money lost. It's not the kind of loss that a 18M per day company won't easily recover from, though.

Re:Bogus Figures

[Zan+Thrax]

Ah, but that's one of the many glaring flaws in modern economic theory... They haven't lost $18M. They've lost whatever their daily fixed costs are. $18M is what their daily profit would have been. You can not lose what you do not have.

Re:Bogus Figures

[Yaruar]

The loss is the opportunity cost. If they have a potential to make 18 million the loss is the shortfall of the money from wha they should earn. In this case it would be seen in a loss of profits (or more likely in e-commerce a greater negative income...)

It was on the *TV SHOW*

The game was shown in the *offline* version of the article (aired on TV).

Re:It was on the *TV SHOW*

[tpck]

Oh.

Re: The web is brochureware...

[alexjp]

Last spring I developed a site for a small business using OpenMarket's ShopSite. It sells for $495, and has a great backend for keeping track of products and orders. It's quite flexible, though it could be more flexible. Overall, it's a really good product - easy to use for the client, and I haven't had many callbacks for support, though they have done a substantial amount of business.

-Alex

Costs...

From the unabridged article:

One web designer was quoted as saying "Of course we have backups - what does that have to do with it? Just because our servers can continue running for 30 minutes in a blackout, how does that help us get our website back?"

At that point his trainer hit him across the nose with a rolled-up newspaper, and confiscated his copy of frontpage, saying he had to use notepad for the rest of the week.

Re:A better analogy...

L0pht doesn't do their testing on other people's systems. They're a relatively respected group. Even Congress likes them.

For what it's worth, I believe him

[bee]

Think about it: there are lots fewer people out there that know about routing protocols than know about, say, Unix. How would even your average slashdot reader know what their vulnerabilities are, much less the general public? It's easy to make fun of what you don't understand; most of us should understand that from experience. Given the track record of these guys, I tend to believe them when they say that something like this can be done. I just hope that the people responsible for the various pieces of the backbone listen and fix holes.

Re:Not like it's a big deal

But, elvis isn't dead.

Sheesh, you people will beleive anything 20/20 says.

Better still..

[Fastolfe]

I read it as, "a web site that makes the company $18M/day." If they're pulling in $18M of revenue from their web site alone, and that web site is out put of commission for a day, they will not make $18M that day. Thus, the outage cost them $18M in lost revenue.

It is that simple...

[schon]

It's just not that simple. There's no doubt that most of these monetary claims are vastly exaggerated, but it's not just a matter of replacing an index.html file. If someone broke into your house and spray painted a tag on your bathroom wall, would you just shrug it off, clean it, shut your doors, and continue on with life? No. You'd beef up your security.

That's irrelevant to the cost of replacing the web content.

This is the cost to fix your security holes; it has nothing to do with the web site at all. If there are security holes, then it's the administrator's job to fix them, and this can't honestly be counted against repairing the website; these are two different things. (The cost for a sysadmin's time is already paid for - it doesn't matter if he's doing it adequately or not.)

Fact is a lot of these sites may be "asking for it" with their poor admins and shaky security, but that doesn't make it right.

Nobody is saying that it does make it right - but that has nothing to do with calculating the cost of restoring a website from a backup.

"Squaring Off With `Global Hell'"

[TomG]

Been there. Done that. I have had the displeasure of meeting most of the members of 'Global Hell'. Let me describe them to you. It's a bunch of kids, and a bully. Very simple. Mosthated, who is the leader of the Global Hell, is the bully, and mostly everyone else is a kid. The kids hang around the bully because they _need_ the vindication of being cool, of having a peer group. These kids have no self esteem or self worth. The amount of control Mosthated shows over them is quite disgusting. He says something, they all agree. He laughs, they laugh. I did get the opportunity to tell Mosthated that he was more cracker than hacker, and he didn't agree. But he did...decide...that he'd better leave me alone. I guess even Global Hell fears common sense.

I'm really sick of this attitude

[Fastolfe]

But what can I expect from an AC.

You can have a perfectly competant sysadmin, one that performs his job 100% correctly, 100% accurately, and applies patches and security fixes exactly 0 seconds after they're announced and STILL BE VULNERABLE TO ATTACK.

It's not infrequent that a vulnerability will be discovered and exploited *before* it's announced on the major security mailing lists and web sites. There's also the possibility that it's announced at 3AM and the company silently rooted by 3:05AM. What are you going to do, have all your admins get paged at any hour of the day every time an e-mail comes to Bugtraq?

I won't disagree that some admins shouldn't carry the title. More often than not, a vulnerability is exploited long after it's been released, but THIS IS NOT ALWAYS THE CASE.

I really hate it when people go off bashing the administrators when they haven't necessarily done anything wrong or incompetantly at all. These guys are the victims. The script kiddies that mount these downloadable attacks are the people we need to be fighting here.

Re:I'm really sick of this attitude

[Lord+of+the+Files]

I believe his point wasn't that if a site is broken into the administrator is incompetant. It sounded more like "if it costs you 300k to fix a defaced web page you must be incompetant." Yes, patching holes takes a lot of time and effort, but 300k is also a lot of money.

The Media still reads 0 on the cluemeter...

[RenQuanta]

With viruses available for downloading from the Web, extensive computer language knowledge is no longer needed

Hmm...sounds like they're talking about script kiddies to me. I find it interesting that ABC focuses on the the 3vi1 h@x0rz as opposed to the lack of responsible security measures on the part of those who get cracked. Maybe these companies "making $18 million dollars a day" should shell out a few bucks for some decent firewalls, intrusion detection, and the IT people to run that show.

Keep your servers patched up, run them on UNIX boxen with extra security measures, and for god's sake, don't short-change your people for equipment or personel. It's really not that difficult.

Re:The Media still reads 0 on the cluemeter...

[Fastolfe]

You're right, it does sound like script kiddies. Script kiddies are who are responsible for 99% of the publicized "cracks" and web site defacements, so it's only natural to mention them.

With respects to shelling out money for better security measures, most businesses have to make compromises in this respect. Is the cost of adding firewalls, maintaining high-security systems and the necessary IT training to keep things up to date and running securely more or less than the cost of one noticable intrusion a year?

Just because you think you're capable of running such a setup doesn't automatically mean it's cheap for companies to do so. Just because they make compromises in this respect, does that mean they're incompetant or *deserving* of an attack?

And of course for those systems that *are* exposed in some fashion, it isn't uncommon for exploits to vulnerabilities to be published/brought into use by script kiddies *before* an announcement is made and fixes/workarounds made available. There are frequently windows of vulnerability for even the most competant and secure administrators and networks.

Re:better reporting would be nice

[Col.+Panic]

I agree - these articles were better than average and even mentioned that script kiddies had tools to make it easier to do more damage with less knowledge.

I was particularly impressed that they chose the l0pht, which *is* a legitimate hacker group. I'm not so sure about GH, but they've made enough news to be worth mentioning.

Re:Saw part of this, Noticed the bloated cost too.

[Edward+Kmett]

One of the reports mentioned one breakin to some website costing the company $700,000.

I could see that if it was a big time e-retailer or Ford or something, but not at the scale of the outfit they were describing.

Not the Web page...

[Yogurtu]

The sentence makes a lot more sense if we read it as saying that the company makes $18M a day, not the website. It means: "It is a crime to make fun of people who make money", and it is scary. Very scary.

JM

L0pht advertisement?

[348]

Did anyone feel this was just an advertisement for L0pht?

They spent a lot of time with them, a couple of days, researching I guess. and most of the content seemed to center around "We are the Sekurity experts".

I read something a while back that L0pht was formally incorporated and purchased by a "parent" company.

Comments on the 20/20 piece

[Junks+Jerzey]

There was the usual nonsense, like confusing crackers and hackers and getting crack attempts and viruses all mixed-up. But otherwise, a few things really jumped out at me:

* Global Hell came across as extremely juvenile.
* The so-called leader of GH (Patrick something) was just a typical angst ridden teen. He couldn't elucidate his purpose or ideals; his philosophy pretty much broke down to "All the corporations of the world are trying to opress me in some unexplainable way, and, oh yeah, I'm really bored."
* The world "brilliant" was used several times in relation to crackers, as if they're working on things that require a PhD and sophisticated programming ability. I'd hardly put exploiting security holes into that category.

Interesting overall.

Re:Comments on the 20/20 piece

[CausticPuppy]

To non-technical people, anything computer geeks do seems "brilliant." Some people are absolutely amazed, and in awe of my divine gift, when I do a TRACERT from a Windoze box!
Of course, the l0pht people play on this when it comes to the media, and make statements like "We can take down the entire internet in 30 minutes."

Re:Comments on the 20/20 piece

Yes, he must be "brilliant" in the eyes of the other gH memebers if he does NOT use win98 to run his canned exploits. I was laughing so hard about how they made gH look like a bunch of scary d00dz. They put graffiti on web sites. I'm more concerned about jerks who screw up important services like 911 and air-traffic at little tiny air-ports. Why is the security for these important services lax?

Re:Comments on the 20/20 piece

[Junks+Jerzey]

Actually, the "brilliant" comment was from one member of GH to another.

JAFPHiB

Just
Another
Fscking
Perl
Hacker
in
Bankok

;)

Speaking of amazon.com's security...

[anonymous+cowerd]

By the way, something just now occurred to me concerning amazon.com's patented technology. Does amazon.com require the user to enter a password as well as the cookie info? and if the latter, doesn't that add up to more than Just One Click(tm)? I regularly shop at a couple of web stores which store at least your account name in a cookie, so when you jump to the "Checkout" page your name is already filled in, even including your credit card number (which is displayed as "xxxx-xxxx-xxxx-1234"). But to get to the "Checkout" page you have to present your password first. At any rate, that certainly wouldn't be new or unique (that is, patentable) technology for amazon.com to do it that way.

But if the everything you need for ordering is already stored in cookies, doesn't that present a king-size security hole? Suppose, for example, one of my co-workers orders something from amazon.com with their web browser. And suppose I want to play a mean trick on this co-worker. So I copy his cookies file. Now if all the customer info is keyed off the cookies in the user's PC, I can't exactly steal anything; even if I order something, it will get sent to the original shipping address. But as harassment, I can order up, say, twenty copies of "Mein Kampf" or "The Joys of Enema Sex" or something obnoxious like that on his credit card, with Just One Click!(tm). Is that possible?

I'm almost tempted to break the boycott to experiment. It would be easy enough; just make an actual purchase from one PC, copy the cookie file to a second PC, and see if I can make a second order with Just One Click!(tm).

amazon.com has got a LOT of customers. If there really is such a big, obvious security hole in their patented technology, then maybe these news magazines could make themselves really useful to their readers by warning them away, rather than blathering about the Dire Threat to American Security posed by a few industrious security hackers and a bunch of dumbass script kiddies.

At any rate I hope I'm wrong, and there is a mechanism which forestalls illegitimate ordering. amazon.com and Jeff Bezos can certainly go to Hell for all I care, but I'd hate to see all those innocent customers getting screwed.

Yours WDK - WKiernan@concentric.net

Re:What about the benefits??

[jormurgandr]

Good reference. I like it. But there are some hackers that are not just trying to cause trouble. Myself for example. I have "cracked" a few websites in my day, and my only intentions were to prove I could do it, and learn a little in the process. I have always left a message for the admin, and most times I receive a return message from him/her thanking me. Sounds corny, but its true.
=======
There was never a genius without a tincture of madness.

Re:What about the benefits??

[jormurgandr]

There are good hackers out there. Don't assume that just because you are not one, or do not know one that they don't exist. I have had my share of cracking systems, and I have never done it will bad intentions. I am mearly curious, and I want to learn more about the system and security systems. I always leave a note, and most times I actually receive a reply from the admin.
=======
There was never a genius without a tincture of madness.

Do you think companies get COMPENSATED?

[Fastolfe]

Second, we must make the assumption that if one file has been altered, -any- file on the system could have been altered. Remember, don't use tripwire, or any similar tool, as this will eat into your damage assessments

Do you honestly think that companies stating they've suffered 10M$ in damages ever actually get paid 10M$ by the attacker?

Companies have to weigh costs. There's the additional cost of implementing and maintaining something like Tripwire (which, as another poster mentioned, doesn't do crap for data) against the potential cost of a system intrusion. If your company has the funding for it, they've probably implemented a modest amount of security mechanisms (including things like Tripwire).

If your company doesn't have this funding, compromises must be made. Does that make this company irresponsible, incompetant, or "asking" to be rooted? Hell no.

For those types of companies (read: most), you HAVE to make the assumption that the system has been compromised in more than one way, with back doors in place and that the intruder has access to your internal systems as well. You need to cut off the network, locate the exploit used to break into the system, and totally re-build the OS and applications on the affected systems (probably ones even suspected of being rooted as well). Not taking these steps would be far more irresponsible of the admins than ignoring security bulletins in the first place (assuming they even did, and that if they hadn't, it would have helped them, which isn't always the case).

Remember, system restoration should be put in as overtime, so your figures for damages should reflect this.

Yep. Damages accumulate as network or web sites stay unreachable. The costs of overtime would presumably be less than the costs of staying offline. If this weren't the case, it wouldn't be worth it and it could probably wait until normal business hours. (Of course, I'd still physically disconnect the machines from the Internet during this time.)

you're still using it, so there's still a cost -somewhere- in the system.

If I get 10 free hours of tech support from a vendor, and I use all of that up as the result of an attack, you're damn right I should be compensated.

Fixing the security hole yourself is a big no-no

Apparently you're under the delusion that all corporate environments are using Linux on all of their mission-critical systems.

For those of us in the real world, we have to wait for vendor patches and upgrades, or we have to implement workarounds. Fortunately, major vendors tend to be quite helpful in emergency situations like this.

Re:Do YOU practice safe computing?

[ShamrockHoax]

Practice Paranoia:

Don't go anywhere near the internet or any network
of any kind, they are the devil

Chances are you got a virus, if you see a screen
popup that has a window on it and displays the word Windows 9x

Turn your computer off ppl are probably looking at
your 'leet files right now

Remember hackers are tricky; even if you don't
have an internet connection and your
computer is off there is still a chance that
they could be screwing with your system
right now, better just set on it fire with
gasoline and a flame thrower

Finally, kill everybody, you gotta be thorough

Re:Defending the Indefensible

[Fastolfe]

It's an ILLEGAL INTRUSION.

If you want to break into systems to learn how security works, be able to examine code, etc., GO TO COLLEGE. Most universities have some very EXCELLENT network security courses where the students do precisely this, and have access to all sorts of very interesting hardware. Do not use my systems for your stupid games or "education", whatever it is you want to call it. How am I supposed to know you didn't touch anything vital? If you break into a bank vault just to "learn", and the cops come to your house the next morning, do you think they're going to care or believe you if you said, "But I didn't take any money!"

And just because a system isn't 100% impenetrable to your l33t hax0r skilLZ does not necessarily mean the admin is remotely incompetant. What if the exploit was made available before an announcement/fix/workaround was made? What if both were released at 3AM? Is the admin incompetant because his pager isn't set to wake him up every time an e-mail message is posted to Bugtraq? Is the company *deserving* of an attack just because they don't spend 80% of their meager revenue on network security?

If you break into my system illegally, REGARDLESS of your intentions, I will prosecute you and you will go to jail. Period.

Re:Saw part of this, Noticed the bloated cost too.

so basically the cost of security checks, which should have been done BEFORE ever running a server.

Re:$$$

The repair is expensive. Try proving that there is no weakness. You have to install the service packs that you didn't get around to doing yet, then look at the configuration and hope you closed everything.

It's like catching a thief with jewelry outside a store which locks its cases. It's expensive to repair any damaged cases, have a locksmith examine the locks for damage, repair damaged locks, replace any locks which are of a type which is now known to be easy for a lock picker, have a consultant recommend theft alarm possibilities, have an architect recommend security changes for exits, pay the higher insurance premiums, everyone in the area gets a little higher tax rate because the police were a little busier that day and manpower costs increase...

Re:Shut down the Internet?

[CausticPuppy]

Hell, I can't write C worth a crap, and I could take down much of the internet in only *TEN MINUTES.*

All I'd need is a backhoe.

Re:Not like it's a big deal

[Pfhreakaz0id]

Well, anyone who gets their "news" from TV is ignorant, in the truest sense of the word. Unfortunately, that is most people today.

Someone will try it

[peter303]

Either out of ego, evil, or error,
(take that J.J.!) someone will try it
and we'll have a crisis for a few days.
Its human nature.

Re:Someone will try it

Someone like IRAQ sponsored terrorists paying $100,000 to hackers?

Or Bin Laden and his buddies.

y2k is a signal.

Re:Shut down the Internet?

[Battra]

While I am not privy to the L0pht's plans, it is not too hard to imagine a scenario that would take down the Internet. Think of an exploitable bug in BGP4 that would allow you to poison the routing table or a self-propagating virus for Cisco IOS. If you take out all the Cisco gear, or find a way to more or less break BGP4, the Internet would pretty much go poof.

I did not see either program, but I did read the summaries. When they said that the members of the L0pht have the ability to break into systems, what they somehow neglected to mention was that they get *PAID* to do this as part of a security audit! There has never been any indication that members of the L0pht go around randomly cracking machines.

Argh!! Run for the hill, the world is ending!!

[whoop]

I expect we'll see more of these in these last couple weeks of life. If Russia's nukes don't go off and burn over New York, Chicago, California, the end of the world is bound to come via 14yr olds shutting down everything.

A few things in the 20/20 piece struck me as odd. First, the head punk of this Global Hell didn't come across as anything more than your average script kiddie. He basically just cracks into places because he's bored. One thing he said in the very beginning was that he loves his computer more than "anything in the world." Not his mom (there was no dad in the interview, hmm), or anything of real importance, but an electronic box. This is the first stage in social disorders like this.

Then he got his computer taken away in a police raid, and what happens? His mother, seeking nothing but making the boy happy, goes out and buys another one the next day. No discipline or anything, but "Oh honey, here's a new computer. Will you love me now?" Now in my day, the parents would have thrown a fit over the police raiding our house and I wouldn't get out of the dungeon for weeks. Has anything changed in just ten years since I was a teen, or was it because my parents didn't need to try so hard for the kids to like them?

Then there was that goofball at the American Retirement Company or whatever saying he's hired this guy as a "consultant" to prevent him from sicking all the other kiddies on the company. Wasn't there some law back when the mob did these things which made it just as illegal to pay off these sort of extortionists?

One funny part in it was when they talked about the virus due to explode next year. They said it was spread by Microsoft's email program. Sounds to me the way to cure that is to not use MS Outlook.

Oh. And I have just lost $500,000 typing this post using the media's magical calculator.

Re:Argh!! Run for the hill, the world is ending!!

That was my take. And remember in the beginning the mom admitted he was hard to handle. Duh! No father, no dicipline. He's nineteen...he's a grown man. Kick him out the house. Oh, but I guess he's probably supporting mommy with that protection money he's getting when he's not running credit card scams or something.

Oh yeah, mom also says that her boy's not a troublemaker, but "trouble just seems to follow him." Right--keep that denial up. I just LOL at the news agencies that think they are sooo on the cutting edge. They got the public going on that hackers in the same league with those who write email bombs. Gee it all has to do with the internet so it must be the same thing! With all the money they have, can't they get a decent tech consultant.

I agree the loss numbers were inflated. Sounds like advertising/marketing got involved in those estimates.

Re:Argh!! Run for the hill, the world is ending!!

[Captain+Sarcastic]

...Now in my day, the parents would have thrown a fit over the police raiding our house and I wouldn't get out of the dungeon for weeks....

My parents liked Mark Twain's idea about taking a teenage boy and stuffing him in an empty barrel (providing him food and water through the hole in the side), and keeping him there until his eighteenth birthday, upon which a suitable ceremony was performed during which the parents would decide whether to let the boy out... or plug up the hole.

How much did my parents like Mark Twain's idea? Well, let's just say that for two months after my eighteenth birthday, I had to wear dark glasses to help my eyes adapt... :) How well did it work? Well, we had a grand total of 0 (zero) police raids on our house during my teenaged years, and the same number of confiscated computers.

Perhaps Mark Twain should be required reading among parents of script kiddies....

Then there was that goofball at the American Retirement Company or whatever saying he's hired this guy as a "consultant" to prevent him from sicking all the other kiddies on the company....

In the days of the Viking raids, sometimes the Danes would exact tribute from cities in return for their "protection" from being plundered. This was called "Danegeld," and a funny thing about it -- the amount required tended to get bigger each year as the reavers returned. A common saying was the "Once you start paying Danegeld, you can't get rid of the Dane."

Perhaps a reading of medieval history should be a requirement for corporate managers.

Re:Quoting Welds post. answers your question

[DanaL]

I wasn't suggesting a 'Trashing the Internet HOWTO' (or would it be a mini-HOWTO because it only takes 30 minutes :) )

My point was that the reporter took no steps to verify their (your?) claims. Even if the boasts aren't far-fetched, it's reporting like this that spread confusion and panic.

I remember reading about one of the first high-profile hacker busts (was it Mitnick?) that said the prison officials wouldn't let him use the phone while he was in jail because everyone thought he could make one call and start a nuclear war.

When the general public becomes misinformed, it gives the government excuses to pass regulatory laws. If thousands of average at-work net surfers read the article and start worrying that every 14 year old kid who owns a computer and wears glasses can destroy the internet, the government will helpfully pass all sorts of laws to limit use and what not.

Won't happen? Remember all the stories about Geek Profiling and metal detectors in schools? Youth violence has plummeted since the early 90s and is still falling, but thanks to the media, people *percieve* that kids [esp. geek kids] are getting more and more violent so school officials can now get away with expelling people for playing Quake.

I guess a summary of my point is: Lousy reporting has really annoying consequences.

Dana

Re:Settled the hacker/cracker debate for me

Many people "in the scene" refer to it as hacking. They refer to the reverse engineering of software as 'cracking.' Emmanuel Goldstien (sp?), editor of 2600 refered to the effort to call malicious hackers 'crackers' "misguided." So yes, 'hacker' is the appropriate word. I think that the whole 'hacker' vs 'cracker' debate is about as dumb as the 'geek' vs 'nerd' debate...

Try rereading it! (flamebait)

"If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime,"

Can no one who has commented on this posting READ? No where does it say that it is a website making '$18 million a day'. It says, rather plainly, that the company is making $18 million (via whatever means they do it) a day, and the hackers are defacing that particular company's web site. They're not trying to say that the website is making $18 million.

Geeze... Get real. Go back to your English classes: "..that is making..." referrs to "..a company..", not "..a Web site..". :)

Re:Try rereading it! (flamebait)

[Microlith]

But see, most people would get the connotation of what she's saying, that a website that is (impossibly) making $18M a day that is cracked is bad.

Cost of defacing a web page

[Peyna]

While I do agree that it doesn't cost millions of dollars to rename and HTML file, there is the posibility with alot of larger companies to show lost customer base due to embarrassment, as well as losing potential customers who may have visited during that time; however, I wouldn't say that any great amount of money is ever lost, maybe in the thousands or so. You do have to admit however, that companies do lose money when they lose customers to others acts as such.

Re:WHY would you want to take down the Internet??

[Stonehand]

If you wanted to render a population incommunicado -- that is, a large-enough and spread-out-enough population so that cutting the power, the links, and jamming any packet-radio frequencies wouldn't be feasible -- then that's one of the targets you'd want to add to the list, along with the phone exchanges. If you wanted to prevent ANY messages being sent -- including one-way -- you'd also have to stop radio / TV broadcasts as well, of course.

{shrug}

Might be useful if you want to cause sufficient confusion and distraction to increase your odds of getting away with a random terrorist act -- or impose martial law (choose your conspiracy at will. {shrug} Feh.). Alternately, if somebody's an utter punk who seeks naught but notoriety, this would definitely do it. Why? There are a few billion people in the world; a goodly number are twisted enough to consider something like this. Most don't have the means, yet.

As for practicality... there was an incident involving the "Florida Interent Exchange" (a small ISP) claiming via BGP that it was the best route for a rather large portion of the world, resulting in a bit of chaos for hours -- and that was just an accidental misconfiguration at a single site, not sabotage. Getting multiple routers to do something like that simultaneously could cause some significant issues, unless BGP's been rejected or fixed.

Re:better reporting would be nice

ABC didn't even have to hire someone to ask questions. We have a large IS department, and some of us even have a clue (Unlike the reporters). We heard about the story on Friday

Re:Selling Fear

[pingflood]

I'm rather surprised you didn't mention the ever-hyped-by-the-press school shootings. Really, does anyone believe all of them would have occurred had the media not hyped the first one(s) like they did? Hey, the press may be responsible for a buncha dead kids. Whoopee.

-p

Melissa, BGP, etc...

[Pollux]

Melissa's a good beginning example to show the weakness of the internet, but all Melissa did was become a "cholesterol," if it were, to the "arteries" of the internet. Once it was cleaned out, everything got back up and running.

As it was suggested, I did some looking into BGP, because quite frankly, it'd be pathetic for me to blabber on about something that I didn't understand. The only problem is, you need a pretty good understanding of IP to understand how BGP works, and there isn't much documentation out there that sums it up in a dime. Here's the easiest explination I can get for how BGP works (the whole document that goes in to far greater detail can be found at http://www.netaxs.com/~freedman/bgp.html) :

The primary purpose of BGP4 (as we're studying it here) is to advertise routes to other networks ("Autonomous Systems").

An AS, or Autonomous System, is a way of referring to "someone's network". That network could be yours; a friend's; MCI's; Sprintlink's; or anyone's. Normally an AS will have someone or ones responsible for it (a point of contact, typically called a NOC, or Network Operations Center) and one or multiple "border routers" (where routers in that AS peer and exchange routes with other ASs), as well as a simple or complicated internal routing scheme so that every router in that AS knows how to get to every other router and destination within that AS.

Layman's terms: Every personal network out there (company networks, school networks, government networks) works in it's own little private world. BGP (BGP4 is just the current version of BGP) is the protocol (acronym stands for Border Gateway Protocol) that allows all these networks to talk to each other. The protocol is utilized by Cisco's routers, and since Cisco currently has the majority share of internet routers currently in use, if l0pht (or anyone else who knows how to do it) creates specific scripts that break these bonds between the network, the majority, not all the internet, but the good majority of it, will fall like the giant it is.

How can you bring it down? Well, due to my ignorance, I'm not completely sure, but I believe the web site I quoted earlier sheds some light on it:

When you "advertise" routes to other entities (ASs), one way of thinking of those route "advertisements" is as "promises" to carry data to the IP space represented in the route being advertised. For example, if you advertise 192.204.4.0/24 (the "Class C" starting at 192.204.4.0 and ending at 192.204.4.255), you promise that if someone sends you data destined for any address in 192.204.4.0/24, you know how to carry that data to its ultimate destination. The cardinal sin of BGP routing is advertising routes that you don't know how to get to. This is called "black-holing" someone - because if you advertise, or promise to carry data to, some part of the IP space that is owned by someone else, and that advertisement is more specific than the one made by the owner of that IP space, all of the data on the Internet destined for the black-holed IP space will flow to your border router. Needless to say, this makes that address space "disconnected from the 'net" for the provider that owns the space, and makes many people unhappy...Anyway, the bottom line: Test your configs and watch out for typos. Think everything that you do through in terms of how it could screw up.

Layman's terms: Say someone wanted to shop at Amazon.com. Their computer says "take me to Amazon.com". If my computer saw the request "take me to Amazon.com," and I wanted to stop the request, I could say "Sure, I know where it is... follow me!" Then I'd lead him to a cliff edge and tell him it's right over the cliff. Poof, end of request. If I wanted my computer to direct everyone who asked for Amazon.com to someplace OTHER than Amazon.com, I'd just stick an arrow sign by the cliff that said "Amazon.com -->", directing them over the cliff.

Even Lamer Layman's terms: remember the good old Looney Toons cartoons where Wil'E'Coyote would repaint the road and dashed-yellow line, directing it to the face of a cliff? If the Road Runner was a packet of information traveling pretty fast on a network (the roads), and you "tweaked" the network and told it that this new route (repainted road) went somewhere, when infact it ends abruptly (cliff wall), you're going to loose the information (aka "SPLAT!").

For man with no mind: "Oh, you want to know where New York is? Try looking in Russia."

Another place that explains the BGP protocol and actually makes the technicalities of it easier to understand (diagrams and simple numbers), the address is http://www.alliancedatacom.com/cisco-bgp-routing.h tm.

Please get a job in security!

I've been thinking of becoming a cracker, and I'd love it if you and Roblimo would get jobs as the security personnel at the sites I want to crack. Here's how it works:

You come in one day and find your site defaced. Oh well, that's no big deal - you and Robin both know that all these costs of recovery are exaggerated. You'll restore index.html from the backup, smile at a job well done, and go home.

Meanwhile, since I've trojaned telnet, ftp, and ssh, I'll have every password on your server (not that it matters, since you never bothered to fix the root shell exploit I compromised in the first place); the new ftp server I've installed will do a great job of distributing warez and MP3s to all my leet friends; and the backdoor I've put in place will mean that I'll own your entire network sometime when I get bored.

Oh, please say you'll take your expertise and put it to work for me!

reporting easier with this

[kimihia]

'Hackers' attack Major WebSite

<?php

$a[] = "Young cyber whizzes with knowledge to infiltrate the most secure computer systems in the world are growing in numbers and ability.";
$a[] = "Faced with growing security threats to government and commercial Web sites, the Justice Department is no longer sitting by idly.";

$b[] = "Brian Ross takes a look at some members of "Global Hell," an online gang of several dozen of the most active and notorious teenage computer hackers on the Net, and the FBI's efforts to delete these hackers from cyberspace.";
$b[] = "\"I don't understand why they look at us as such bad people,\" 19-year-old Patrick Gregory says. Gregory is the one of Global Hell's founders.";
$b[] = "\"We can't treat this problem as if it's just kids. Everyone has to start taking this very seriously.\"";


$c[] = "\"If they penetrate a computer system with intent to defraud, or the intent to sabotage it or, or to steal proprietary information, yes, that's a federal crime\"";
$c[] = "\"That's correct,\" one L0pht member responded. "It would definitely take a few days for people to figure out what was going on.\"";
$c[] = "\"Well, if we can find it,\" says Space Rogue of the L0pht, \"somebody else can find it.\"";

srand( ((double)microtime())*1000000.0 );

for ($i = 0; $i < 5; $i++)
echo $a[rand(0, count($left)-1)] . " "
. $b[rand(0, count($cent)-1)] . " "
. $c[rand(0, count($righ)-1)] . " "
;

?>

(using patented StoryCreationTM technology in use at over 50 different media outlets)

Hello Moderators?

Please read the post this is attached too. Notice it is currently marked as "insightful", when the post contains incorrect (and slanderous) information. Please find the facts at L0pht's site and make amends.

Re:Hello Moderators?

I have to admit that "L0pht are the good guys, just read L0pht's PR" isn't a very convincing argument. Do you have independent proof?

Re:Hello Moderators?

[Duke+of+URL]

Do you have proof that L0pht Heavy Inds. do hack individual or business computers for which they do not have permission to? That would be a criminal offense, requiring proof of their guilt, not innocence.

If you look at the past history, their reputation, and listen and read their interviews you will gather that L0pht Heavy Inds. does not hack others non-owned computers. They gather their own gear and set up their own labs. With their positive reputation they have earned I feel stupid even bothering to reply to this, "They're hackers so they must be bad" crap. L0pht is more of a lab/think tank. Some shady characters may affiliate themselves with L0pht in one way or another, but L0pht stays out of trouble in that regard.

I'll provide you with a good interview, but I'm sure it won't convince you anyway. Its pretty difficult to prove a negative anyways.

The Connection Interview

Re:Hello Moderators?

[watching the point fly way over your head, its wings flapping faintly]

I'm holding L0pht to the same standard that prevents me from walking around saying "Golly, Microsoft does deserve the freedom to innovate! It says so at www.microsoft.com! Amazon did innovate! It says so in this email from amazon.com! And L0pht are the good guys! l0pht.com says so!"

Now, if that makes things any clearer for you, can you provide some independent proof of your statement?

WHY would you want to take down the Internet??

[GoofyBoy]

Say you can shut down the Internet for a prolonged period of time. What purpose would that serve? What has the "Internet" community done more harm than good any group of people? (I've seen almost EVERY minority/majority use the Internet to spread their word. Its cheap, annoymous, use almost any media (pictures/words) and can reach a worldwide audience.)

Could you imagine the amount of pressure law-enforcement departments would have to capture those responsible? Could you imagine the laws that would be enforced/enacted to prevent this thing from occuring again? Could you imagine the BigBrother mechinicms then put into place?

Wouldn't this be a BIG step backwards for the Internet?

And what would it prove? Is it worth it?

One Billions dollars to right hackers?

[ZipperHead99]

"Because of the growing threat of cyberterrorism, the federal government has committed more than a billion dollars to go after computer hackers" Quoted from the 20/20 Article. I wonder how much of that money is spent on securing web sites, instead of putting 18 year old hackers in jail.

Re:Saw part of this, Noticed the bloated cost too.

[Stonehand]

As noted in previous discussions, no sysadmin worth the name is simply going to restore-and-forget. Any that would? Fire 'em.

They're probably counting the costs of the full security audit, including lost business due to downtime -- since it's a BAD idea to not bring the system down for a full check if some loser's obtained root access. At the very least, one needs to eliminate the possibility of remaining backdoors (probably a full re-install if possible), lock it down, and preferably try to figure out the points of entry and anything, such as database records, that may have been affected.

Re:better reporting would be nice

[Cushman]

I only saw the ABC piece, but they could have been a little more accurate in their statements about what was broken into. ABC News made it sound like the Whitehouse and FBI critical systems had been cracked, when it was only the webservers that were attacked. They also made it sound like the attack disrupted Whitehouse communications with other nations (probably referring to a media news page).

Another overblown story to make people fear the internet and computers.

-M

Re:Shut down the Internet?

[CausticPuppy]

You know, if a group of physicists really put their minds to it, they could devise a way to vaporize the entire planet in a millisecond. I guess that makes them brilliant. If I tell the world how to do it I am just a bad guy enabling malicious evil scientists. If I don't tell the world I am just a clueless boaster.

If anyone is seriously interested in this topic, I suggest studying up on M-theory, and pay close attention to the energy potential regarding De Sitter space. Then you just have to spend some long nights experimenting with the correct particle interactions (use your own equipment, of course) until you finally create your own Type 1A supernova explosion.

If you don't want to do all that work yourself you are going to have to trust me. :-) Things never work like they're supposed to, but if this DOES work, you risk destroying your lab equipment, your house, Earth, the sun and eight other planets, Proxima Centauri, and roasting any planets that happen to be orbiting nearby stars. But you'll prove to everybody how smart you are by demonstrating a serious flaw in the existing version of our universe.

Hmmm. Article starts with, "young cyber whizzes"

[phlake]

Gack.

Quoting Welds post. answers your question

We did not go into details about taking down the net in 30 minutes because we don't all need another script kiddie attack. See we can't win. If we tell the world how to do it we are just bad guys enabling malicious hackers. If we don't tell the world we are just clueless boasters. If anyone is seriously interested in this topic I suggest learning the BGP routing protocol paying close attention to the authentications mechanisms or lack thereof. Then study the network topology of the backbone provider interconnection points (the NAPs and MAEs). Then learn how to craft your own packets with a library like libnet. Then do some long nights of experimenting (on your own equipments of course). If you don't want to do all that work yourself you are going to have to trust us. :-) Remember, things never work like they are supposed to. If they did there wouldn't be nearly so much hacking! weld@l0pht.com

What about the benefits??

[jormurgandr]

Why hasn't anyone done a story about the "good" hackers out there? The ones that simply crack a site and leave a note for the admin about how to tighten their security. Those guys SAVE the company a fortune. Rather than having to hire some BS company to examine their system, some little scriptkiddie comes along and does it for them. I think that more than makes up for a few defaced web pages (which really didnt cost anywhere near that much to replace).
=======
There was never a genius without a tincture of madness.

Re:What about the benefits??

[grumpy_geek]

I not contesting the fact that there aren't any "good hackers", but that I'm not willing to stake my job on a text file someone left behind.

e.g. Can you tell me for sure from this one post whether or not I'm male or female, even if I say I'm female, but also I say that I like to lie also. Would you be willing to stake some money on your decision????

Would you let me into your network if I were to say "I'm not going to do anything, I'm just kind of curius, (even though you've never heard of or met me before) I assure you; I'm one of the good hackers, let me behind your firewall..." any Sys/Netadmin should be screaming bloody murder right now, common sense should be kicking in. Or how about emailing me your credit card number I can get you that part real cheap but only I can do it, of course we've never met but I'm a good person you can trust me, how many alarms are going off right now?

The entire point I'm trying to get at, you can't trust that a person is good only because they say they are, if you do you are just waiting to get burned.

You may truely be a "good hacker" as you say, but that doesn't mean you aren't a "bad hacker" either.

Re:What about the benefits??

[grumpy_geek]

But would you actually BELIEVE that's all that they did. Whoever came in may have the best intentions at heart... OR they may have the evilest intentions at heart.

When your CEO comes up to you and acts why your website is down again, are you gonna say, I only closed the hole the mentioned in the html file, I thought that was it. Whoops guess that cracker decided to play with you and make you look REALLY bad; fool me once shame on you, fool me twice I get fired.

I never quite understood how intelligent people would be so gullable to believe that scriptkiddies have a companies best interest at heart. Repeat that out loud a couple of times if it doesn't sink in. If they were so honest why the hell don't they first contact the admin and say, do you mind if I try to break into your box. If admin doesn't answer and email where the hell is it in the rule books that says they have some divine right to show people how crappy their security is?

Like saying just thought I'd break your car window to show you how crappy your security is... (I hate anaolgies, but oh, well). Please people at least try to use your intelligence once in awhile.

Re:What about the benefits??

[jormurgandr]

The whole point is that I know of "good hackers" (such as myself), who don't believe that they're "entitled" to have access to some server or a firewall, nor am I going to ask for it. I take it, and I prove myself trustworthy by not abusing the knowledge that I have gained. I just think that the media is too hyped up on the "bad hackers" and their dam manifesto (whoever wrote that just shot the hacker community in the foot), and they need to look at the advantages they bring. For instance, AT&T used to have terrible security on their calling card system. The numbers were sequential for goodness sake! Well, some hackers came along, and rather than selling those numbers to some really dangerous people, who would rack up a bill large enough to put AT&T out of business, they ran up a "small" bill, and taught AT&T a lesson. Some groups actually promote computer security by breaking that security. In a fashion, computer security has become self evolving. Programmers create a new security system, it is tested by the hackers, and if it survives, it flurishes. If it fails, everyone knows about it and it dies off.
=======
There was never a genius without a tincture of madness.

Re:What about the benefits??

[BriK]

LOL! I'm sorry, just had to say that this is the best sarcastic comment I've seen on /. in a while.. I'm still laughing..

Re:What about the benefits??

Er, you break into things that do not belong to you, and use other people's property.

That's a pretty damn good proof you are completely untrustworthy.

Re:What about the benefits??

[Dionysus]

Why don't anyone do a story about the "good" intruders? The one that breaks into your house, but only leaves a note on your bed, telling you how they got in?

I know I would feel so much safer, when I see a note on my bed, telling me someone has been in my house without my permission.

Re:Not like it's a big deal

[whoop]

After the recent news, ABC isn't one you want to say doesn't have influence. :) From the John Cochran dinner with old chum Algore, to the staged McCain/Bradley handshake. They're in the business of pushing what helps them get viewers. And, we all know the end of the world is near, so people will watch and see how kiddies will break into their computer come Jan 1. Hype + hippie liberals = News.

Did anyone notice...

[mmmmbeer]

Among all the hacker vs. cracker comments here, I might have missed something, but did anyone else notice the end of the 20/20 article? The article was about hacking & cracking, but the tips they gave at the end were about viruses! I can understand the media's (ongoing) hacking/cracking confusion, but can't they tell the difference between that and a virus?!

Defending the Indefensible

[smack.addict]

Note: the "you" in this post is a general "you" and not a reference to the original poster or any other poster in this thread.

Whether it is $5/day or $18 million/day, the fact remains that people who hack other people's computers are violating others. There is no justification for that. Getting into an argument over exactly how much it costs takes away from that fact.

Here are the general reasons I here cracker dorks and script kiddies give for their asshole behavior:

• I am doing them a service by exposing their vulnerability!
  Bullshit. If you wanted to do them a service, you would email the sys admin the hole being exploited. Breaking into their web site is, at best, a way of publically damaging the reputation of the web site in question as well as doing damage that can range from inconvenience to, yes, millions of dollars a day. It is very similar to breaking into your neighbours house and spray painting the walls because they forgot to lock the front door. Finally, it is very difficult to secure an NT or a UNIX machine. Punishing people because they are not the experts you think you are (but likely are not) is pathetic.
• It's a company!
  And that makes it OK? I don't care if it is Microsoft, it is still just as wrong as doing it to an individual.
• They did XXX (where XXX is some supposedly evil act).
  Again, so what? That does not make the act of breaking into a web site any more justified.
• And, of course, the implied argument of this thread, "it doesn't cost them anything".
  It always costs them something. It may not be $18 million/day. It may be giving up a weekend after having worked a month without getting a weekend. It may not be anything you value at all. But it is certainly something valued by someone associated with the target site. And no one has any right to force that person to incur that cost.

Re:Defending the Indefensible

Try this one:

Computing is an electronic fronteir (pardon the reference to the EFF). Like any fronteir, it's dangerous.

Some admins learned their skills by breaking into other people's computers and trying not to otherwise harm anything. It's a risk that some people take in order to gain knowledge. How else would a 15 year old kid get access to a Sun Ultra or a Cray? The world would be deprived of a lot of technical talent, if it weren't for this.

That's life. If you get owned, suck it up and take it like a grownup.

Re:Defending the Indefensible

[smack.addict]

I think this is another terrible argument. First of all, there is no need for a 15 year old to get computer knowledge by damaging other people's intellectual property. This is akin to saying drive-by-shootings need to be tolerated otherwise where would people pick up the skills needed to join the army?

In short, we would not be deprived of much technical talent at all. It really shows that you place no value on my time, my money, or my property to ask me to "suck it up" and deal with losing time and money because some 15 year old is bored--or worse, because they want to hurt me somehow by making me look like a fool or intentionally costing me that time, money, or property.

Re:Defending the Indefensible

[mindstrm]

Okay. Even telling them can be bad. Example.
A friend of mine, he finds that some unix machines used to run some financial stuff for the local university/college (which he was currently attending) had a flaw in it.. he was pokin away at it from the lab one night. Now, he did NOTHING. He did NOT deface anything, or change anything.
He did plant one file in a directory, simply to show that it could be done.
The next morning (when people were at work again) he notified the computer services people about the security problem, and told them to look in such-and-such a directory and to look at the file permissions to demonstrate.

The end result was, people's egos were bruised the wrong way, and though they didn't kick him out, they 'mutually agreed' that he would drop out of school (comp. sci) and they wouldn't persue the matter any further.

Re:Defending the Indefensible

I am doing them a service by exposing their vulnerability! Bullshit. If you wanted to do them a service, you would email the sys admin the hole being exploited. Breaking into their web site is, at best, a way of publically damaging the reputation of the web site in question as well as doing damage that can range from inconvenience to, yes, millions of dollars a day. It is very similar to breaking into your neighbours house and spray painting the walls because they forgot to lock the front door. Finally, it is very difficult to secure an NT or a UNIX machine. Punishing people because they are not the experts you think you are (but likely are not) is pathetic Im sure that groups like 'the l0pht' email the companys explaining the vuln, but im also sure that these companys react like the following: security group: Hey, we'de like to inform you of a vulnerability in your 'so-and-so light 1.20' program. We will help you if you need a fix made. company: So you're the only ones who know about this? security group: yes. company: good keep it that way. Alot of companys react that way, and then the group releases the vulnerability.

Re:Defending the Indefensible

[smack.addict]

He hacked the machine!!!

He could have simply told them without the associated break-in. How would you feel if you woke up to find someone in your living room "just to show that it was vulnerable"?

While I think the punishment was excessive in this example, your friend was wrong and the people in question were right to react negatively.

Re:Defending the Indefensible

Breaking into a computer, looking around, and perhaps even (gasp) using it to learn how to code, doesn't really destroy any intellectual property that I can see. Defacing web pages is another story, but that's not really hacking by any definition.

Also, I don't see why I should value the time, effort, etc. of any proven to be negilgent sysadmin.

I know it doesn't get a lot of coverage, but there
really are a lot of really talented people in the tech industry (some in some pretty prominent positions) who had to do this to gain knowledge. Way back in the day before Torvalds, Stallman, and a host of other heroes set us free, most people didn't have access to Unix boxes. If you wanted to learn how computers/networks worked, and you couldn't go to college for whatever reason (or maybe your school didn't allow that kind of access) this was really the only way to get first hand knowledge.

If you can become an expert on OS internals purely from reading books, good for you, but the rest of us need some hands on experience.

Re:Settled the hacker/cracker debate for me

The whole debate is silly and disturbing. First of all, there are racist conotations. As we all know, a cracker is a poor white person, and the stereotype of a computer security enthusiast is that of a white male. Additionally, you could consider breaking into a machine as some sort of redistribution of wealth (wealth being measured in terms of access to computers here)... I don't think the cracker/cracker thing is a coincidence. Also, why all the fuss about calling someone who is generally dedicated to computers a "hacker?" Just because the area of computing they dedicate themselves to happens to be questionable in some people's eyes, doesn't make them any less then anybody else or even very different. Please note, I'm not talking about script kiddies, as they do not matter. Not all of the people who break into computers are script kiddies.

Re:better reporting would be nice

[whoop]

Come now, you aren't putting on your offical media paranoia cap.

These people do nothing less than completely shutting down the Dept of Defense, Pentagon, and every nuclear sub. I mean, what else is there besides web sites and email? And they don't stop at government agencies. Every bank in the world has been cracked and now every cracker knows you withdrew $20 on June 16th at 5:03pm at the ATM next to WalMart. With this sort of information, they will withdraw all your money from your account and spend it on more computers.

Why, with these sort of tools, they could crack into the stop lights at some major intersection, turning them all red, causing traffic jams 100 miles long as no one knows better than to just go.

You see, this January is going to be some serious business. And the only way out is to stockpile propane and cheese whiz in the bunker, never to emerge until March.

Heh, I suppose it's all relative.

Yea I love that. As someone that tests software and has worked on security tools, I know first hand that so much of the software out there is poop.

I suppose they might be "cyber whizzez" considering...

1> The numerous bugs in security software
2> Poor if any implemntation
3> Lack of properly trained personel
4> Lack of any site monitoring
5> Millions of nodes on the net. The laws of probability alone is in thier favor.
6> Some people just never learn. Why is it the same sites again and again get hacked into?

etc.....

Not like it's a big deal

[Count+Spatula]

I mean, come on. Does ABC really have that much influence on legislators? 20/20 is nothing more than a video tabloid and World News Tonight ought to be renamed "Weekly World News Tonight - Now In Full Colour!" or something sensationalist along those lines. Oh, I hear you. "But, Count Spatula, people really do take notice of programs like this one, and politicians get their cues from these newscasters!" Drek. The people who take these programs seriously also think their cats are actually their children and buy the Enquirer because "Elvis isn't really dead, just hiding in Poughkeepsie". As far as politicians go, the more criminalization that occurs, the better. It makes them look good at election time.

Re:Not like it's a big deal

[randombit]

"Elvis isn't really dead, just hiding in Poughkeepsie"

But he is alive! I saw him just the other day! :)

Re: The web is brochureware...

[AtariDatacenter]

> Also, the Web site is just brochureware, there is no gateway to anything important.

That's starting to change. Remember the web pages of three years ago? Hi! We're here! We sell stuff! Visit us in the real world! Nothing more than a billboard on the side of the highway. Now corporations are starting to use their webpages for something useful.

But brochureware is going down the wayside. What we REALLY need right now is one of the self-proclaimed "e-commerce" commanies to build a real online store app for mom and pop. (Or a rentable service.) Of course, it would also make a REALLY USEFUL open source project.

But as we get away from brochureware, boy, it is going to be Christmas time for the crackers.

Total smear job.

[Greg+Merchan]

I saw this last night but couldn't submit a link since 20/20 was inaccessible.

It was ridiculous.

I got the impression that those kids threatened ABC so they could spend sometime grandstanding.

Every single person who spoke sounded like a complete idiot. Cripes, the White House might have secure internal systems, but cracking the web site should be a trivial task. When it was done, the site was probably being run by a secretary using NT. [Point, Click, white-out]

Simple explanation.....

[sharkey]

.....20/20 can explain how easy it is to (h)crack just such a million dollar article about (h)cracking to point a helpless, unsuspecting populace under attack by the sadistic, evil (h)crackers who want people to think that anti-virus software available from will protect them from "The Evil People With Odd Names" who have already (h)cracked the anti-virus website (since it is sooooooo easy-to-do, remember? We already reported that. Did we mention that our article, and the anti-virus webpages are worth one million smackers? And they are so big, they take a whole day to upload. And they're state of the art, we use MS Word 2000 and MS Frontpage so they're good.) to trick you into hacking your own PC so that they can look at your sweet, virginal and innocent letters to Grandma in your My Documents folder. They're everywhere!

$$$

[eyeball]

What was it that sysadmin said? "It cost us hundreds of thousands of dollars to reboot and repair those servers." Maybe I should hack my own site at work and tell my boss I need $300,000 to reboot the servers. Can you say new house? :)

Another side effect with costs...

[Snard]

Granted, I didn't see the program(s), and I'm not a security expert... but if someone is able to break into a web site by whatever exploits, they presumably have figured out one or more username/password pairs. Since many companies would likely use these names/passwords on more than one of their machines (I know, not a very bright idea), then there would be the cost of "changing all of the locks" so to speak. Plus the costs of beefing up security to prevent it from happening again (even if "lax security" wasn't the cause of the break-in)

Yet another script kiddie story... But

[funkman]

The 20/20 did have an interesting proposition that one of the script kiddies responsible got hired as a consultant instead of being turned in to the Feds. The reason... the victim did not want to feel the wrath of the script kiddie after he served his jailed time.

Looks like the potential makings of a new "high tech" mafia.

Re:Yet another script kiddie story... But

[whoop]

Don't you go bringing your "facts" into this important "story." These kiddies are "intelligent" when you compare them to the average couch potato who is too scared to find the "power button" on a "computer". With this knowledge of power, they will take over the world. Just you wait and see...

Cost

[yzorderex]

If they talk about the actual cost then they are into shoplifting territory
You need a lot more to get into felony range which is what they want.

Re:Anyone else notice...

[Caspuh]

Anyone who breaks into NT without ever having run it on a system must be a script kiddie. How can you know all the complicated in's and out's of a windows system without ever seeing them?

Just wondering

[LinuxMacWin]

Disclaimer: These are the 2 names which come to my mind. I do not have any specific interest in using these names.

Would it not be interesting if Barnes and Noble hacked Amazon's web page and redirected their customers to BarnesAndNoble website? If you design the redirected site as a copy of Amazon, people may not even notice for quite some time, except for the guy monitoring credit card money inflow.

Has something like this already happened???

Shut down the Internet?

[GreyyGuy]

I saw that on ABC last night and read another artic le on ABCNEWS.com from and interview with L0pht saying they can take down the Internet in 30 minutes. I've thought about it and couldn't come up with anything off the top of my head. Is this a group just boasting or is there any fact to it? Wasn't the decentrailzed nature of the Internet designed to avoid going down during war and the like?

Re:Shut down the Internet?

Oh, so you know about Calabi-Yau manifold #129387?

Re:Shut down the Internet?

[God+I+hate+mornings]

While the inet is decentralized, there are some ways to make it inaccessable to the majority of the population. IF they were to hack into hub routers for the major backbones and redirect the traffic, can you imagine what havok that would produce?

Re:Shut down the Internet?

[weld]

If you think we do what we do to prove how smart we are then you have clearly missed the point.

I am just happy that we have documented vulnerabilities in the infrastructure and let the people who run the infrastructure know. The public also has a right to know so we tell the press.

weld@l0pht.com

Re:Shut down the Internet?

[Count+Spatula]

Is this a group just boasting or is there any fact to it?

I was listening to Art Bell a couple weeks ago and heard an old broadcast, I think from June or July of 98, with a few "hackers" on there that said they were dead serious about being able to take down the Internet in 20 minutes. I chuckled.

Re:Anyone else notice...

[WillBlair]

Actually multiple processors is the next big thing planned for OpenBSD now that OpenSSH is being included. And if they need multi-processors then they should learn better security practices.

"We now have a complete, secure and stable system to work from, and we're looking to tackle some large projects like SMP"
-Theo de Raadt, OpenBSD project leader

Re:It's not that simple

[BinxBolling]

Fact is a lot of these sites may be "asking for it" with their poor admins and shaky security, but that doesn't make it right. If a tourist gets mugged because they're seen carrying large amounts of money is that right? If a person is wearing "suggestive" clothing and gets assaulted, is that right?

This is true. Nonetheless, attention needs to be paid to the role that poor security plays, to prevent a public overreaction. To continue with your analogy: How would you like it if, after your neighbor leaves his front door unlocked and his house is cleaned out, a police state is instituted to prevent it from happening again?

I haven't seen any real moves towards an online police state, yet. But sensationalistic articles like these that fail to mention that many of these 'hackers' are exploiting easily repaired security flaws could easily lead to a public outcry for the institution of a police state.

Re:Anyone else notice...

In all fairness, what I saw was the guy trying to show his Mom some stuff on her computer. Most moms don't run Linux.

Do YOU practice safe computing?

[BlueCalx-]

I read the 20/20 story and I just had to repost this :)

Do You Practice Safe Computing?
Here are a few tips on keeping your computer safe from computer viruses:

Use anti-virus software and be sure regularly to update the software from the vendor's Web site.
Don't open files sent to you via e-mail from unfamiliar sources. Check with colleagues and associates before opening files they send you without notification.
Be aware of how viruses operate and watch for the telltale signs.
Don't download anything from unfamiliar Web sites.

How about these:
AOL employees will never ask for your screen name or password.
Never go into private rooms "leet" or "warez" or "coldice."
NEVER, EVER, EVER say "yes" when someone asks you to "cyber" them!!

Re:Anyone else notice...

[Caspuh]

What kind of hacker wouldn't have an install of the most widely used software on the net? Would he want to limit himself to being able to only break into *nix systems? Hackers need to know every operating system they can.

Web pages defacing is for pussys.

Slashdot never ran this article, so you can come to your own conclusion about that. This article was only on the front page of the Wall Street Journal & CNN's page. If you got nuts, you do stuff like this. Who cares about web pages? Until you break the $1 million dollar mark, I don't wanna hear anything about your "/-/aX0rin6 Sk1llZ".

How an FBI Cybersleuth Busted a Hacker Ring

By JOHN SIMONS
Staff Reporter of THE WALL STREET JOURNAL

DALLAS -- In a federal courtroom here, Calvin Cantrell stands
silently, broad shoulders slouched. His lawyer reads from a short
letter he has written:

"My parents taught me good ethics, but I have departed from some of
these, lost my way sometimes," the letter states. "I was 25 and living
at home. No job, and no future. All I ever really wanted was to
work with computers."

Mr. Cantrell certainly did work with computers -- both his own, and,
surreptitiously, those of some of the largest companies in the
world. He was part of a ring of hackers that pleaded guilty here to
the most extensive illegal breach of the nation's telecommunications
infrastructure in high-tech history.

And sitting behind him in court as he was sentenced two weeks ago was
the accountant-turned-detective who caught him: Michael Morris. A
decade earlier, Mr. Morris, bored with accounting work, left a $96,000
job at Price Waterhouse and enrolled in the FBI academy, at $24,500 a
year. Mr. Cantrell's sentencing was the final act in a five-year drama
for Mr. Morris, and secured his reputation as the FBI's leading
computer gumshoe.

The tale of Mr. Morris and Mr. Cantrell is among the first cops-and-
robber stories of the New Economy, involving, among other things, the
first-ever use of an FBI "data tap." It illustrates how the nation's
law-enforcement agencies are scrambling to reinvent their profession
in a frantic effort to keep pace with brilliant and restless young
hackers.

The story also shows that hacking's potential harm is far more ominous
than theft of telephone credit-card numbers. Mr. Cantrell was part of
an eleven-member group dubbed "The Phonemasters" by the FBI. They were
all technically adept twenty-somethings expert at manipulating
computers that route telephone calls.

The hackers had gained access to telephone networks of companies
including AT&T Corp., British Telecommunications Inc., GTE Corp., MCI
WorldCom (then MCI Communications Corp.), Southwestern Bell, and
Sprint Corp. They broke into credit-reporting databases belonging to
Equifax Inc. and TRW Inc. They entered Nexis/Lexis databases and
systems of Dun & Bradstreet, court records show.

The breadth of their monkey-wrenching was staggering; at various
times, they could eavesdrop on phone calls, compromise secure
databases, and redirect communications at will. They had access to
portions of the national power grid, air-traffic-control systems and
had hacked their way into a digital cache of unpublished telephone
numbers at the White House. The FBI alleges, in evidence filed in
U.S. District Court for the Northern District of Texas, that the
Phonemasters had even conspired to break into the FBI's own National
Crime Information Center.

Unlike less-polished hackers, they often worked in stealth, and
avoided bragging about their exploits. Their ultimate goal was not
just fun, but profit. Some of the young men, says the FBI, were in the
business of selling the credit reports, criminal records, and other
data they pilfered from databases. Their customers included private
investigators, so-called information brokers and -- by way of
middlemen -- the Sicilian Mafia. According to FBI estimates, the gang
accounted for about $1.85 million in business losses.

"They could have -- temporarily at least -- crippled the national
phone network. What scares me the most is that these guys, if they had
had a handler, whether criminal or state-sponsored, could have done a
lot of damage," says Mr. Morris. "They must have felt like cyber-gods."

With the exception of Mr. Cantrell, none of the defendants in the
Phonemasters case would comment on the matter. Others are thought to
remain at large. This is the story of Mr. Cantrell and two accomplices,
largely put together from federal district court records and FBI interviews.

Mr. Morris first learned of the group in August 1994, when he got a
phone call from a Dallas private investigator, saying Mr. Cantrell had
offered to sell him personal data on anyone he wished. He even offered
a price list: personal credit reports were $75; state motor-vehicle
records, $25; records from the FBI's Crime Information Center, $100.
On the menu for $500: the address or phone number of any "celebrity/
important person."

Mr. Morris immediately opened an investigation. Only 33 years old at
the time, he had taken an annual pay cut to join the FBI just five
years earlier. He had been a tax consultant at Price Waterhouse, and
despised the work. "I was young and making the big bucks, but every
morning I would think 'God, I don't want to go to work.' "

Tall, square-jawed and mustachioed, Mr. Morris began working white-collar
crimes when he arrived at the Dallas FBI field office. He took on a
few hacker cases and realized he liked the challenge. "These guys are
not the kind who'll rob the convenience store then stare right into
the security camera," he says. "Trying to be the Sherlock Holmes of
the Internet is hard when the fingerprints on the window can be so
easily erased."

Mr. Morris convinced the private investigator to meet with Mr. Cantrell
while wearing an audio taping device. After reviewing the tapes, he
was certain that he was onto something big. He applied for and received
court authority to place a digital number recorder on Mr. Cantrell's
phone lines, which would log numbers of all outgoing calls. It showed
that Mr. Cantrell frequently dialed corporate telephone numbers for
AT&T, GTE, MCI, Southwestern Bell and Sprint. Mr. Cantrell had also
placed calls to two unlisted numbers at the White House, which further
piqued Mr. Morris's interest.

So, late that summer, Mr. Morris took an unprecedented step. He began
writing a 40-page letter to the FBI's Washington headquarters, the
Department of Justice and the federal district court in Dallas. Recording
Mr. Cantrell -- now his central suspect -- while on the phone wasn't
sufficient for the job that faced him, he believed. Instead, he needed
new federal powers. He asked for Washington's permission to intercept
the impulses that traveled along Mr. Cantrell's phone line as he was
using his computer and modem.

"It's one of the hardest techniques to get approved, partly because it's
so intrusive," says Mr. Morris, who spent the next month or so consult-
ing with federal authorities. "The public citizen in me appreciates
that," he says. Still, the long wait was frustrating. "It took a lot
of educating federal attorneys," he says.

Once authorities said yes, Mr. Morris faced another obstacle: The
equipment he needed didn't exist within the FBI. Federal investigators
had experimented with a so-called data-intercept device only once
before in a New York hacker case a year earlier. It had failed miserably.

Mr. Morris and technicians at the FBI's engineering lab in Quantico,
Va., worked together to draft the specifications for the device Mr.
Morris wanted. It would need to do the reverse of what a computer's
modem does. A modem takes digital data from a computer and translates
it to analog signals that can be sent via phone lines. Mr. Morris's
device would intercept the analog signals on Mr. Cantrell's phone line
and convert those impulses back to digital signals so the FBI's
computers could capture and record each of a suspect's keystrokes.

While waiting for the FBI to fit him with the proper gear, Mr. Morris
contacted several of the telephone companies to alert them that they
had been victimized. The reception he got wasn't always warm. "It's
kind of sad. Some of the companies, when you told them they'd had an
intrusion, would actually argue with you," he said.

GTE was an exception. Mr. Morris discovered that Bill Oswald, a GTE
corporate investigator, had opened his own Phonemasters probe. Mr.
Oswald and Mr. Morris began working together and uncovered another of
Mr. Cantrell's schemes: He and some friends had managed to get their
hands on some telephone numbers for FBI field offices. They entered
the telephone system and forwarded some of those FBI telephones to
phone-sex chat lines in Germany, Moldavia and Hong Kong. As a result
of the prank, the FBI was billed for about $200,000 in illegal calls.

Mr. Morris also learned that on Oct. 11, 1994, Mr. Cantrell hacked
GTE's computer telephone "switch" in Monticeto, Calif., created a fake
telephone number and forwarded calls for that number to a sex-chat
line in Germany. The FBI isn't sure how Mr. Cantrell convinced people
to call the number, but court records show that Mr. Cantrell received
a payment of $2,200 from someone in Germany in exchange for generating
call traffic to the phone-sex service.

In early December 1994, Mr. Morris's "analog data intercept device"
finally arrived from the FBI's engineering department. It was a $70,000
prototype which Mr. Morris calls "the magic box."

On Dec. 20, Mr. Morris and other agents opened up their surveillance
in an unheated warehouse with a leaky roof. The location was ideal
because it sat between Mr. Cantrell's home and the nearest telephone
central office. Mr. Morris and nine other agents took turns overseeing
the wiretap and data intercepts. The agents often had to pull a tarp
over their workspace to keep rain from damaging the costly equipment.

As middle-class families go, the Cantrells seem exemplary. Calvin's
father, Roy, was a retired detective who had once been voted "Policeman
of the Year" in Grand Prairie, the suburb west of Dallas where they
live. His mother, Carol, taught Latin and English at Grand Prairie
High School, where Calvin graduated in 1987 with above-average
grades. As a student, he was no recluse. He had a small circle of
friends who shared his love of martial arts, video games, and spy
movies. Mr. Cantrell's longtime friend, Brandon McWhorter, says Calvin
was always a fun-loving guy, but there was one thing about which he
was very serious.

"He would always talk to me about religion," says Mr. McWhorter. "He
held very strong religious beliefs."

After high school, Mr. Cantrell continued to live at home while taking
classes at the University of Texas at Arlington and a local community
college.

He held a series of odd jobs and hired himself out as a deejay for
weddings and corporate parties. Mr. Cantrell balanced, school, work,
family and friends even as he began hacking more often. His parents
became suspicious, but said nothing. The family had three phones;
Calvin stayed on his 15 hours a day.

"They'd go in my room and see all the notes and the phone numbers.
Even though they couldn't put it together technically, they knew
something was up," says Mr. Cantrell. "They were kind of in denial. My
parents were pretty soft."

Mrs. Cantrell says Calvin had been so well behaved that she never
suspected his computer activities were more than fun and games. "I
wish I had known what was going on. Unfortunately, my son was smarter
than I was." (Calvin's father passed away last year.)

At 8:45 on the night of Dec. 21, just four days before Christmas, Mr.
Cantrell went online. Using an ill-gotten password, he entered a
Sprint Corp. computer, where he raided a database, copying more than
850 calling-card access codes and other files, court records in the
case show. The Phonemasters often got passwords and other key inform-
ation on companies in a low-tech approach called "Dumpster diving,"
raiding the trash bins of area phone firms for old technical manuals,
phone directories and other company papers. This often allowed
Mr. Cantrell to run one of his favorite ruses -- passing himself off
as a company insider.

"I'd call up and say, 'Hi, I'm Bill Edwards with systems administration.'
I'd chat with them for a while, then I'd say 'We're doing some network
checkups today. Can you log off of your computer, then tell me every
character you're typing as you log back on?' A lot of people fell for
that," Mr. Cantrell says.

After hacking into the Sprint database that evening, Mr. Cantrell
talked to another hacker, Corey Lindsley, over the phone. He'd 'met'
Mr. Lindsley, and another hacker, John Bosanac, in 1993 while surfing
the murky world of hacker bulletin boards. Mr. Cantrell then sent the
copied files to Mr. Lindsley, who was a student at the University of
Pennsylvania in Philadelphia.

Mr. Morris's equipment captured everything -- voice and data. It was
an FBI first. "We're sitting in this place that looked liked a bomb
pit, but the atmosphere was really exciting," says Mr. Morris. "We
were ecstatic."

As the days passed, the FBI wiretap generated stacks upon stacks of
audiotapes and data transcripts. Some was just idle talk among
friends, the occasional call to finalize dinner plans, lots of
workaday chatter. But the incriminating evidence mounted. "It's great,
you know. I really love fraud," joked Mr. Bosanac, a Californian who
was musing with Mr. Cantrell about the various technical methods of
using other people's cellular telephone accounts to place free
calls. "Fraud is a beautiful thing."

Family conversations even entered the investigation. On Jan. 7, for
instance, Mr. Cantrell called his mother from a friend's house and
asked her find an MCI Corp. manual on his shelf. He then asked her to
read him a set of directions for accessing MCI's V-NET computer
system. Mrs. Cantrell read the material but asked her son whether he
was supposed to have the book, citing warnings that stated its
contents were restricted to MCI employees. Mr. Cantrell just avoided
his mother's question. The FBI data-tap captured every word.

Still, the process took its toll on the FBI team, especially coming
during the holidays. "It was stressful that the wiretap was going 24
hours a day, seven days a week. I had to write up the legal documents
and it's tough making people work through Christmas," Mr. Morris
said. On top of that, he had to keep records of his findings, and
every ten days he had to reapply to the court to prove that his
wiretap was yielding evidence.

By late January, the FBI had begun to get a clear profile of Mr.
Cantrell and his hacker friends. Mr. Lindsley, it appeared, was the
group's acerbic leader, directing much of the hacking activity. Over
phone lines, the FBI heard him bragging about how he had given a
Pennsylvania police department "the pager treatment" in retaliation
for a speeding ticket he received. Mr. Lindsley had caused the police
department's telephone number to appear on thousands of pagers across
the country. The resulting flood of incoming calls, Mr. Lindsley
bragged, would surely crash the department's phone system.

They also enjoyed collecting information about film stars, musicians
and other famous people. Mr. Cantrell has admitted that he broke into
President Clinton's mother's telephone billing records in Arkansas to
obtain a list of unpublished White House numbers. The men, says the
FBI, even made harassing phone calls to rock star Courtney Love and
former child actor Danny Bonaduce using pilfered numbers.

They weren't without fear of getting caught. On the evening of Jan. 17,

for instance, there was a clicking on the phone line as Messrs. Bosanac,
Cantrell, and Lindsley shared a three-way conference call. "What the
hell happened?" asked Mr. Bosanac, according to an FBI transcript of
the conversation.

"That was the FBI tapping in," laughed Mr. Cantrell.

"Do you know how ironic that's gonna be when they play those tapes in
court?" Mr. Lindsley said. "When they play that tape in court and
they got you saying it was the FBI tapping in?"

On Jan. 18, the FBI overheard Messrs. Cantrell, Bosanac and Lindsley
on another conference call. With the other two men giving directions,
Mr. Cantrell dialed his computer into Southwestern Bell's network and
copied a database of unlisted phone numbers. The three men then
discussed plans to write a computer program that could automatically
download access codes and calling-card numbers from various telephone
systems. They also talked about the chance that the FBI would one day
track them down.

"Just remember, nobody f-- rats anybody out," said Mr. Lindsley to the
others. "No deals."

"Yeah, no deals is right," replied Mr. Bosanac.

"No deals. I'm serious. I don't care what your f-- lawyers tell you,"
said Mr. Lindsley.

Mr. Cantrell said nothing.

Later that morning, between 5:09 a.m. and 7:36 a.m., Mr. Cantrell
entered Sprint's computer system and downloaded about 850 Sprint
calling-card codes. He then transferred those codes to a man in
Canada. The codes would allow anyone who purchased them to place free
international phone calls. Mr. Morris would later learn that a contact
in Canada paid Mr. Cantrell $2 apiece for each code, court records
show. The Phonemasters most likely did not know -- or care -- where
the codes ended up, but the FBI traced them and found some ended up in
the hands of a Sicilian Mafia operative in Switzerland.

On Jan. 23, while probing a U S West telephone database, Mr. Cantrell,
Mr. Bosanac, Mr. Lindsley and others stumbled over a list of telephone
lines that were being monitored by law enforcement. On a lark, they
decided to call one of the people -- a suspected drug dealer, says
Mr. Morris -- and let him know his pager was being traced by the police.

On Jan. 27, the group was clearly feeling paranoia about being caught,
prompting Mr. Lindsley to tell his accomplices to pull as many Sprint
codes as quickly as they could. Mr. Cantrell began to have reservations.

"What if I stopped before all of y'all?" Mr. Cantrell asked Mr. Lindsley.
"Would you applaud my efforts?"

"No," said Mr. Lindsley. "I don't think there's any reason to stop.
What are you worried about?"

"Uh, I'm not worried about anything. I'm just saying, uhm. There might
... There might come a time here where I don't have time for this."

He added a little later: "I, you know, really like it. But, I don't
know, I just ... Eventually, I don't see myself doing a lot of illegal
things."

Mr. Lindsley continued to prod Mr. Cantrell to speed up the download
of stolen codes by spending more time online and using two phones.

"I'm telling you, you run two lines around the clock," Mr. Lindsley
said.

"You can't run them around the clock," said Mr. Cantrell.

"Why not?"

"Oh, come on. I think that's pushing it too hard."

"I think you just got a weak stomach there, boy."

By late February, things began to get tense. One of Mr. Cantrell's
hacker friends informed him that his number had shown up in a database
of phone numbers being monitored by the FBI. In all the excitement of
burglarizing databases and rerouting phone calls, the Phonemasters had
neglected to check their own phone lines for any signs that law enforce-
ment might be listening in.

Mr. Morris hastily arranged for an FBI raid. On Feb. 22, 1995, agents
raided Mr. Cantrell's home, Mr. Lindsley's college dorm room, and
burst into Mr. Bosanac's bedroom in San Diego.

For Mr. Morris, the climactic raid was only the start of a long battle
to bring the hackers to justice. Because of the complicated nature of
his evidence gathering, it took him more than two years to compile the
most salient portions of the wiretap transcripts and data-tap evidence.
"All the documents and tapes from this case could fill a 20-by-20
room," Mr. Morris explains. "And at the time, I was the only computer
investigator for all of Texas."

In the meantime, as federal prosecutors slowly geared up for a trial,
Mr. Cantrell tried to get on with his life. "I spent the first few
weeks after the raid being paranoid and wondering what would happen,"
he says. Occasionally, Mr. Morris and other agents would call him,
asking questions about some of the systems he had hacked. By the
summer of 1995, at the urging of his mother, Mr. Cantrell started
attending church again. He scored the first in a string of professional
computing jobs, doing systems-administration work for a company called
Lee Datamail in Dallas. He neglected to tell his employers about the
FBI case. "It's been mental torture for the last four years, not
knowing," says Mr. Cantrell. "Can I go to school, move to another
state? That kind of thing messes with your head."

Over time, Mr. Cantrell says he had come to seriously regret what he
had done and the $9,000 he says he made from selling codes wasn't
worth the trouble. "Looking back, it was all crazy. It was an
obsession. I wanted to see how much I could conquer and a little power
went to my head." Mr. Cantrell notes that he has since tried to make
amends, even helping the phone companies plug their security holes and
helping the FBI gather more information on some of the group's members
who haven't yet been apprehended.

The matter finally seemed near conclusion this March when Mr. Morris
was able to play "a couple of choice tapes" in separate meetings with
Messrs. Cantrell, Bosanac and Lindsley. Afterward, all three agreed
to plead guilty to federal charges of one count of theft and possession
of unauthorized calling-card numbers and one count of unauthorized
access to computer systems. Chief Judge Jerry Buchmeyer ordered a
presentencing investigation.

During a hearing on the matter, Mr. Lindsley's attorney tried to argue
that the FBI had wildly overstated the $1.85 million in losses that
her client's hacking had allegedly caused. But in the end, Judge
Buchmeyer rejected the argument and sentenced him to 41 months in
prison. Mr. Bosanac, in the meantime, has asked that his sentencing
hearing be moved to San Diego, where he lives.

As for Mr. Cantrell, Judge Buchmeyer lauded his "acceptance of guilt."
He could have been sentenced to three years in federal prison; instead
he was given two. He reports to federal prison in January of next
year.

Mr. Morris, meanwhile, has used his data-tap method in several other
cases; he also travels around the country and the world advising
law-enforcement agencies on how to conduct state-of-the-art investi-
gations of hacker crimes.

Selling Fear

[theonetruekeebler]

Fear sells. This has been a major tenet of yellow journalism and of publishing in general for some time.

And the easiest thing to make someone afraid of is something they are dependent on, but can't control or don't understand. Fear is a great hook--you're watching Friends or whatever and all of a sudden some talking heads pop up and says, "Why bottled water may be bad for you, tonight on the 11AliveCast." So you watch the 11AliveCast and they keep teasing you along until 11:26PM, when they tell you bottled water isn't fluoridated so please for ghod's sake brush.

And the next week bottled water sales are down. They really are. Air travel drops a small but significant amount after airline crashes, and boy-oh-boy do those ever grab airtime. The irony is that lots of those panickers end up driving, which is far more dangerous than flying.

Or one sociopath goes and puts cyanide in Tylenol capsules in Chicago in 1982. The press went absolutely batshit over that one, and within a month seven local poisonings became 270 copycats poisonings nationwide, and every bottle of Tylenol in the U.S. had to be taken off the shelf. Within a year all OTC pharmeceuticals were repackaged to be tamper resistant, for over $1.3 billion per year in direct costs, never mind the indirect costs of making otherwise harmless medicines impossible for elderly people to open.

Sending the population into a panic also makes governments adopt hasty, poorly thought-out measured to remedy what their citizens are convinced are terrible, terrible problems. Does anybody remember the plastic handgun scare of 1985? Huge panic, many laws passed, product did not exist and is still technologically unfeasible.

Whipping up a frenzy of concern and fear may not be responsible journalism, but it brings in readers and viewers, consequences be damned. Speaking of hasty government actions, read about W.R. Hearst's interest in the Spanish-American war some time, if you're ever curious about the lengths people have gone to to sell papers.

Moral: The manipulation of public perception can turn minor problems into major problems, not the least of which will be the public perception itself.

--

Settled the hacker/cracker debate for me

[xjerky]

The only thing that the 20/20 piece did for me was determine that the true term is now 'hacker', no matter what the Slashdot community is trying to cling to. I mean, up until the end I was with you guys: I even kept on saying the word 'cracker' out loud everytime they used the word 'hacker'. But then the head of Global Hell even referred to himself as a 'hacker', and if somebody were to get the term right, it would have been him. I guess it's finally time to realize that the definition has changed with the times. After all, who wants to be called gay when they're happy (well, heterosexuals at least) anymore?

Amen

brother. See this all the time.

Re:better reporting would be nice

[Duke+of+URL]

My wife knows very little about l0pht, only the 3 or 4 sentances I told her about them before the interview started. After the l0pht story finished she commented that ABCnews did a crappy job explaining l0pht's purpose(s) if what I said was true. (and all I said is they're like a lab, that goes down to the hardware store, buys the dead-bolts and locks, and then runs tests on them and publishes the findings.)

I'm more amused by ...

I found the following quote to be fairly indicative of where the government stands: "If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough, a member of the federal government's Cyber Crimes Task Force. Does this mean companies like McDonalds or Microsoft deserve greater protection than some mom and pop site? And what if the company is losing that much per day? If I go and fuck up Amazon.com, is that actually a GOOD think in the DoJ's eyes?

www.l0pht.com

Hmm... ever since that 20/20 story, I have not been able to get to www.l0pht.com or www.hackernews.com. Have these sites, in effect, been slashdotted? Hmm... 20/20ed? Anyone else notice this?

Re:not to be a tool of the establishment, but..

cracking, whether it is just snooping in a person's or company's private files or something more malicious like taking down a web site or server, is a crime. it is a crime no different than breaking and entering a business or a home would be. sure it takes intelligence, skill and perseverance to crack a major site. that does not make it OK.

Ok, dad.

Re: yea i can't access l0pht either

hmm

Re:Anyone else notice...

[WillBlair]

Those punks were Cult of the Dead Cow. And if you looked closely a lot of the computers were running NT, which is still pretty bad. Also they butchered the attrition.org defacment mirror with the Global Hell logo at the bottom. Also on the those admins that got cracked I'd list the losses as $30, the cost of buying an OpenBSD cd set, and if they are running OpenBSD then it's time to look for a new admin.

Data, backups, and Crackers

[statichead]

I wish I knew the specifics of costs. 20/20 seems full of BS most of the time. But as Everyone here knows data that is not backed up is in danger of being lost. Did theses hackers destroy the backup too? Sounds like whoever was breeched needs a security policy. Eric Burns..."ordered by a judge not to touch a computer for three years" I would go batty! A person with this punishment might have to resort to phreaking or maybe real terrorism.

Anyone else notice...

[billyt007]

That that Global Hell member was running Windows? And who can verify that those people really are the crackers they say they are?

Re:Anyone else notice...

They don't need win98 to break into win98. (Back Orifice, etc.) Unless file-sharing is up, messing with win98 remotely is a pain in the neck.

I run win98 at home (dual-boot, must have TFClassic) on a DSL connection. I have BlackICE defender running and several times a week I get a PeeCeeAnywhere scan, Whatsup scan, or a scan looking for an old NT box w/o service patches (looking at the ports they're scanning).

The majority of real hackers with any skill, skill that ABCsnooze says gH has, needs to have Unix skills. Running nmap like progs and other stuff on Windows is possible, but the win98 progs just aren't as good and flexible as the unix ones. Even crazy ol' Meinel knows that.

Re:Anyone else notice...

[348]

Also they had severl shots of a "convention" with punks breaking what looked like old erma terminals etc. They cut to a sshot of 10 or so hooking up laptops and If you looked closely several were running Win95. Pretty 'leet eh??

It's not that simple

[/dev/niall]

I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another.

It's just not that simple. There's no doubt that most of these monetary claims are vastly exaggerated, but it's not just a matter of replacing an index.html file. If someone broke into your house and spray painted a tag on your bathroom wall, would you just shrug it off, clean it, shut your doors, and continue on with life? No. You'd beef up your security.

Fact is a lot of these sites may be "asking for it" with their poor admins and shaky security, but that doesn't make it right. If a tourist gets mugged because they're seen carrying large amounts of money is that right? If a person is wearing "suggestive" clothing and gets assaulted, is that right? These crackers are breaking the law, plain and simple, and we need to stop pointing our fingers at the victims for blame.
Even if they are stupid. It's amazing that script kiddies can even find sites to crack, I mean come on! It takes ONE mailing list to find out about these problems in advance most of the time. If their sites are worth so much money to them why can't the invest the 2-45mins each day to check this stuff out!!??

not to be a tool of the establishment, but..

[gonar]

cracking, whether it is just snooping in a person's or company's private files or something more malicious like taking down a web site or server, is a crime.

it is a crime no different than breaking and entering a business or a home would be.

sure it takes intelligence, skill and perseverance to crack a major site. that does not make it OK.

I do believe, however, that instead of prosecuting the skillful ones, they should be taught to use their powers for good, then given jobs, not thrown in prison.

[FLAMEBAIT]

script kiddies however, should be thrashed unmercifully.

as far as the hacker/cracker thing goes, it is a lost battle. the general public does not know or care that there are different meanings. get over it and move on.

[/FLAMEBAIT]

Re:not to be a tool of the establishment, but..

[348]

I work in security and my wife and I watched both broadcasts last night. Her comment was "Why isn't this the same as breaking and entering".

i spoted mumbo jumbo about the FCC and interstate laws but for the most part I really didn't know.

Why isn't page defacement classified as breaking and entering?

Expense or Profit?

[JamesSharman]

"I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another."

Well., that simple really. There are 3 main areas of cost to the hacked company that need to be taken into account:

1. Paying a student $5 to upload a new html file
2. Lost earnings/buisness on the website (sometimes long term)
3. Lost productivity on the 12 managers/directors running around sreaming 'hacked! we have been hacked! dont panic!

The 3rd point is of course the most important one, these managers can get seriously disterbed and ofton spend days away from their more productive work of playing windows solitaire.

On a more serious note, these figures tend to also include figures such as hireing security people to come in and 'beef up security', run risc assesments ecetera. The other key factor is that figures are always overstated, particaly to help with the end of year figures and also to help push law enforcement to do something about it (How good a response do you think the FBI give when you complain you lost $5?). The final issue is of course lost credability.

There are additional things to be taken into account. Companies have been known to fake hack attempts at their own websites for the exposure it gains them. I wonder if any of these hacked websites would ever be willing to declare a negative cost to the whole thing?

Re: The web is brochureware...

[348]

Agreed,

But I was only refering to the White House site. My kids go there often to click links and get little photos and form letters from the president and bill. Cool for kids, but useless for adults.

I think the "crackers" are out in force already on e-commerce. We just dont hear that much about it. If cracker X has expolit X and is seamlessly getting in and around some retailer with access to card info, product shipping and the revenue stream in general, he/she would never deface a page and claim "j00 i5 0wn3d" or some crap like that. They will keep it their little secret.

And the retailer will most often never even report it if the have a breech, too much bad press.

I beleive that in the March, April time frame we will start hearing a lot about how bad e-commerce got ripped off during the 1999 Christmas season. Then by the 2000 Christmas ruch it will all be a distant memory.

better reporting would be nice

[Ater]

What annoys me most about all these "hacker" stories (and most other stories too) in the news is that the reporter never ever has a friggin clue about the subject. I'm sure that l0pht and maybe GH to some extent have some legit hacking/cracking abilities, but for all I know it could just be another article glorifieing script kiddies. I bet that if ABC interviewed some random 13 year old script kiddie in place of these groups, the article would pretty much be the exact same. We'd probably read something like, "Using these advanced password cracking programs, a skilled hacker like l33tb0y13 could break into even the most secure computers in the world" or some such inane tripe.

I notice how most of the articles never really deal with the methods the crackers use. Instead what I see are quotations of the hackers boasting, and of the writer fearfully agreeing. Throw in some quotes from a paranoid and clueless law enforcement official and you got yourself an article.

I wish ABC would have hired someone who knew what he was doing to interview those "hackers." Get an authentic security expert (and not someone like Vranesevich) and have ask some technically oriented questions. I wouldn't mind seeing some big time cracker group exposed as a band of script kiddies or even seeing a real legit group's skills be verified by a competent source. As it stands, every hacker article appears to be FUD and needless paranoia written and advertised by someone who cant tell a telnet port from his ass. I want to see facts and commentary by someone who understands what he is talking about rather than seeing so many broad, unfounded statements rubber stamped and published.

A clue about the subject?

[Inoshiro]

Do you want a miracle or something?

"Hackers (sic), now with their own conventions and magazines,"

Defcon 7.0, and soon 8.0. 2600 and Phrack are both > 5 years old. NOW!? These people think at the speed of a dead elephant. I'm sure they get up each day, do exactly the same thing, go to sleep, and dream exactly the same dreams they've had for the past 20 years.

I mean, I regularly seem to be probed by some script kiddie program that brute force checks phf, convert.bas, some Front Page things, etc. It's annoying, yes. Dangerous? No. If I don't securely lock and check on my building when I leave work, and don't buy a security system, I won't be insured. I wish "website insurance" would come out so adjustors could go, "Windows NT you say. How's 1,000,000 a month for a premiun?" Maybe then we'd finally see some professionalism forced past those PHBs and clueless MCSEs.

"With viruses available for downloading from the Web, extensive computer language knowledge is no longer needed." I remember having to deal with the Stoned Monkey virus in 1994 at a computer lab. It was more because clueless 12 year olds didn't know much about computers. Thankfully, the lab had a good teacher (I was just a TA checking on the machines). Professionalism is, again, a solution. Know your job, and do your job.

On to the second article..

"Their code name is "The L0pht,""
Their group name. Double moron points for showing ddd or some visual debugger at work in the image there.

"They are the elite of hackers, whose notoriety brought them before Congress a year ago."
"20/20 says hackers are reeel cool d00ds! I want to be one now!" ... Jeez, I can't /wait/ to see what new script kiddies this has spawned.

"That's correct," one L0pht member responded. "It would definitely take a few days for people to figure out what was going on."
"On no, the internet is down again.." .. A few days to notice that a website is down? PLEASE. If slashdot takes longer than 8 seconds to load, I experience withdrawl symptoms.

"What they do is try to break into programs we're led to believe are secure."
"But MS said that this Exchange server was mission critical, even though it doesn't have any relay protection, forces us to use LookOut!, and has many obvious holes!"

"They refer to each other by nicknames. By not revealing their real names, they protect themselves from lawsuits by companies and individuals."
They're too young to have lawsuits pressed against them.

"hey say it's to remind us how we've become reliant on computers for more than just communicating; .... Are they legitimizing destructive behavior?"
"Look, you rely too much on Oxygen. When I strangle you, you die! Stop relying on Oxygen so much!" .. Jeez..

It's clear that both the reporter's poor understanding, and L0pht's annoying boasting, have contributed to bad, bad articles. Seconds to crack a password? Well, if your root password is "rootpwd," I should hope so! :-P
---

oooo a challenge

so tough guy, what are you gonna do when someone breaks into your system and you cant track him down? any real hacker can compromise your system without leaving you clue to who he was.

Re: what bout telcos?

So if the ISP looses its connection for 1hour, i can sue them for $800,000 ???

Or if the telco cuts a fibre?

Why isnt the telco equaly lyable as a hacker

Re:Saw part of this, Noticed the bloated cost too.

[B.B.Wolf]

If you are saying that no one cares about the diff
of hacker-cracker, you are out of it.

Last month when I told my son that I had to "hack"
some code, he got *very upset*. I had to explain to
him the difference. There is one and the diff does
matter.

A better analogy...

[Lurker187]

A better analogy would be that they go out and pick locks on other people's houses or cars, but then instead of stealing anything, they hang a big sign on the door saying "Company X builds sh*tty locks, see?"

I'll be the first one to admit, the companies whose executives use their first names as passwords deserve to be publically embarrassed when they determine security policies and methods without knowing anything about the subject, but even the more benign hackers are not exactly Consumer Reports. They do not "buy" the locks, they test other people's.

The most disturbing thing about the two stories is the fact that the U.S. Attorney wonk they interviewed basically implied that the richer the person you mess with, the more serious the crime: "If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough

No News @ End of Year

[Woodrow]

Remember that at the end of the year the amount and quality of news is significantly less that any time during the rest of the calendar year. That is why there are so many "scary" Y2K stories and now Cracker/Hacker stories. The News departments know that most people that continue to watch these news/entertainment prime-time programs are middle-class 35-60 Americans w/kids that don't understand the Internet and if they do they think it starts with "You've got mail!!". It is sad when journalist enlist attention starved individuals (so called Crackers) to make a segment of productive, hard working people (Hackers but I hate that word) look bad.