ABC TV Does Two Major Cracker Stories
karma vs Dogma writes "ABC ran a couple of stories tonight on the "Evils of Crackers/Hackers". Read the summaries of the World News Tonight story and the 20/20 story. I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another."
Also imagine another scenario.
... and..
...ummm.. owned.
..lets say Amazon if their website gets defaced with a similar message as above?
An e-commerce website's home page gets defaced with the usual elite cracker message.
Insulting the sysadmin.
Shouts to the peeps.
Links to places
"Oh yea sysadmin, thanks for your customers' credit card numbers. I am gonna have some fun this month"
Just imagine how seriously this can hurt the business. People get informed that the website has been "owned by some elite hackers" and the credit card numbers they used to purchase stuff there are
No matter what the website does to re-assure the customers that vital data has not been broken into, it will still lose MANY customers.
Will you purchase from
Simpleguy
Besides, incorrectly routed packets still go *somewhere*, and ICMP can still act as a return mechanism to indicate where these "hacking" attempts are being made so the admins can track it and temporarily assign static routes to the affected router(s). 30 minutes to take down, 30 minutes to bring back online. Again, this assumes the clueon index was particularly high at the affected backbones at the time of attack.... *cough* Not sprint *cough* ...
This doesn't preclude the possibility of a more long-term guerilla war being made on the backbones, but that wouldn't "take the whole 'net down in 30 minutes". It would make the evening commute more interesting though.. and I for one think it would give the community a solid kick in their complacency.
Personally, I wonder how many servers have been silently compromised inside these networks and are being used as relays for other attacks. If the cracker kept a low profile, such activity might remain undiscovered for some time. That is a much more serious risk IMO than some 30-minute orgasm of custom packets being thrown at the backbones.
I'm just saying, it isn't that farfetched, considering the software a lot of people using the Internet use. Remember, the fact that the Internet can (theoretically) survive a nuclear attack doesn't mean that this kind of sabotage won't work; remember the Morris Worm? This kind of sabotage operates on a completely different principle than physical damage.
Of course, it may be that things aren't as prone to this kind of sabotage as we may think, but I think that just as the Schlieffen Plan would've ensured Germany's victory in WWI if it had played out the way they expected (i.e. Britain and the US stayed out of the war) it is possible to have a plan that could take out the Internet, whether it would work in real life or not.
All the creatures will die, And all the things will be broken. That's the law of samurai. (Jubai, 1605)
Second: Attrition.org
Of special note is the Attrition Mirror of defaced sites. This will allow you to decide how much "damage" is actually done and how much "help" was actually done. Please note that this varies greatly by individual.
The problem that exists is that these people, often under 21, see big giant gaping holes in the security systems and this bothers them. If they report it, nothing happens because no one has, or ever will, listen to them. (Some sites have been defaced repeatedly, without ever having fixed the holes, even after the fix was placed in the HTML!)
So they make a mistake. They try to draw attention to the fact before someone less kind (for example, a rival organization) uses the same holes to download actual sensitive information. (Warning, this kind of thought process can occur to you when you've read too much cyberpunk.)
I'm older and wiser now. I realize that people REALLY DON'T care about security. Normally they just want something to rant about. The status quo is to lock your car door for security but if you lock the keys in your car you expect a locksmith to get them out in under a minute.
Think about it. If the locksmith can do it in under a minute, so can I.
They may not be adults, they may be fools, and they may annoy the computer professionals that are responsible for security but let's look at it this way.
If some kids can take down whitehouse.com, why couldn't Zhirinovsky hire someone to do the same, only with a lot more creativity and subtleness. (Wouldn't the media just love it if someone found a collection of porn jpegs on whitehouse.gov?)
They're criminals. They view themselves as unsung heroes. In short, they're the Chicago Seven of a new generation. Even Richard Daley's famous quote could still apply:
"Gentlemen, let's get something straight. The police aren't in the streets to create disorder; they are in the streets to preserve disorder." -- Mayor Richard Daley
No Zen is good zen
Any "good" intruder can do a lot to cover his tracks, but all it takes is an admin watching network packets with the ISP of the source on the phone.
There's always a trail. It all boils down to who has the resources and time to follow it.
It amuses me how many l33t hax0r IRK kiddies there are that think they're indestructible, that the only kids that are ever caught are the ones they show on TV, that they'll never be discovered or prosecuted. And when the FBI raids their house and their parents are stuck losing their home and his college tuition money paying for damages, guess who's out there laughing his ass off.
And a $17 million dollar a day site? Less serious? What about a $0 dollar a day site, say a unicef.org or whyme.com?
I'm sick of money being equated with importance.
I have no respect for script kiddies that deface webpages randomly, launch pointless DoS attacks, etc. They all seem unproductive and malicious.
Though I do rather like those people over at the L0pht. :) Original, creative, and damn, they actually DO stuff, unlike 99% of them damn script kiddies.
Still, I'm sick of all these [hc]racker stories. The media does seem to be doing a slightly better job lately though. Well, sometimes.
Script kiddies bother the hell out of me.
The first quote of the story: "Young cyber whizzes with knowledge to infiltrate the most secure computer systems in the world are growing in numbers and ability," should really be changed to say "Young cyber whizzes with knowledge to download freely available exploits that anybody with a minimal sense of security should be able to patch."
The worst part is that the media is the only thing that feeds the so-called 'intelligence' of most people. I guess that's why the world seems to be in a downward spiral. It'd be cool if journalists would ask for expert opinions from people who know something about the subject, but I think they teach you not to do that in Journalism101 or something.
-- toolie
"...the members of L0pht see what they do as neither good nor bad."
""We feel we're actually making a difference," says one L0pht member."
Is it just me or do those two phrases seem to contradict each other?
If anyone is seriously interested in this topic I suggest learning the BGP routing protocol, paying close attention to the authentication mechanisms or lack thereof. Then study the network topology of the backbone provider interconnection points (the NAPs and MAEs). Then learn how to craft your own packets with a library like libnet. Then do some long nights of experimenting (on your own equipment of course).
If you don't want to do all that work yourself you are going to have to trust us. :-) Remember, things never work like they are supposed to. If they did there wouldn't be nearly so much hacking!
weld@l0pht.com
Second, we must make the assumption that if one file has been altered, -any- file on the system could have been altered. Remember, don't use tripwire, or any similar tool, as this will eat into your damage assessments. Figure in the time of a complete deletion of the system, a fresh re-install of all applications, and finally a restore from your latest backup tapes.
Remember, system restoration should be put in as overtime, so your figures for damages should reflect this.
Then, you must factor in the cost of the system being down, in terms of time lost (wages) to all company employees over the entire day, even if they probably wouldn't have used the system at all. It's still a loss of potential, which is still a cost.
Then, you must factor in the cost of calling in the technical support people from the company you bought the system from, to fix the security hole. Even if you buy technical support, when you get the system, you're still using it, so there's still a cost -somewhere- in the system. Fixing the security hole yourself is a big no-no, as this would imply incompetency on the part of the technical staff. As technical staff are, by definition, competent, any hole that exists must be obscure and only known to the company that you bought the system from.
Then, consider the cost of loss of revenue from any banner adverts your site carries. That it's not your loss is irrelevant. It's still a cost of the damage. Assume everyone who enters your site follows a banner advert and purchases something. This may not be entirely accurate, but it's a possibility, so it's still a potential cost and therefore counts.
Finally, consider the cost of image. Any points lost on the stock market, that day, are potentially a result of the system crack, so you can estimate how much the company lost in value as a result. It's important to remember that, even when any other factor in the Universe seems more likely, always assume the worst possible case, for damages.
This completes your class in damage assessment and valuation. You are now qualified Public Relations officers, capable of handling the worst system cracks with dignity.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Wow! I'm not sure if those articles could have been more devoid of content, yet still so sensationalist.
We have a group of hackers (crackers? smackers? ugh...) who claim they can crack any password in seconds and bring down the entire Internet in, what was it? 30 minutes? And the 'reporter' just lets the statements stand! He didn't (seem to) question them on how feasible this really was or go and talk to security professionals for their take on the claims. Without any attempt to refute or prove their boasts, you'll have even more people scared of the awful hackers. Sigh...
Dana
Did anyone else notice the Battlezone arcade game in the background? Hey, these hackers have TASTE.
-----------
"You can't shake the Devil's hand and say you're only kidding."
Note that they do not claim replacing one page with another costs millions of dollars, but that they claim shutting down a website of a company making millions of dollars is a crime.
Suppose someone took down index.html at www.amazon.com for an hour. That could easily run into high losses for them, since their business is web based. I wouldn't know about index.html at www.cocacola.com, though. Do they make any money with their site?
superblog.org: all your favourite blogs on o
It's the lack of background and CONTEXT that really detracts from the credibility of these mass media news reports (this applies to places like zdnet and c|net also). They never mention the types of computer services (aside from web servers) that are attacked, or even begin to hint at the general methods which are employed. This inability to provide real information seems to indicate that these articles are nothing more than fear mongering dollar grabbers.
I've read in a few posts here on /. that the target audience of these stories is not interested in the technical details. I will agree to a point, but only because I can't recall ever seeing real information ever being presented to the masses and it's never been tested. Until such a time as when they actually present a frame of reference for their stories, this amounts to nothing besides fear mongering.
What I'd like to see is an article on the damaging effects of fear mongering on businesses. How many dollars a year are lost due to uneducated pontification and agenda furthering FUD campaigns? How many businesses have lost money because a panicked executive heard from a friend of a friend that X problem is at hand and emergency procedures, costing millions of dollars in capital and man-hours, must be put into place, only to find out later that it was not good information?
Stop knee-jerk reactions. Put a muzzle on poor journalism. Educate, don't pontificate.
-- kwashiorkor --
Leaps in Logic
should not be confused with
Jumping to Conclusions.
I don't see why anyone would consider these crackers (sorry, the misuse of hacker really peeves me) to be dangerous, since most of them don't actually know crap about computers (the exception being L0pht, who I would place more into the hacker category anyway). They're just downloading exploits from Bugtraq and trying them out. If you keep your stuff up to date and are smart with your initial configuration (ssh2 and sftp access only, tripwire, logcheck, etc) any attacks that aren't prevented outright should be noticed right away.
Of course, it's not an ideal world, blah, blah, blah, but anyway my point is that people should be protecting their computers with real security, not laws that only "solve" the problem after the fact.
I caught the end of it. They kept referring to this group of script kiddies as a "virtual gang", I guess in effort to conjure up images of drugs and violence and organized crime. Which is of course what the script kiddies want, right, it makes them look dangerous and powerful. They really drove it home at the end of the segment, when they mentioned that one of the kids might go to jail for a time, and questioning "is the right thing to do?" They then got some human prop to say just how dangerous and pissed-off this kid is going to be after serving time. Give me a break!
Oh, and that's not the best part. The very next story was about a poor little sick dog who goes around the hospital giving sympathy to the poor little sick children.
This is blatant propaganda. Meaningless emotional arguments designed to focus our hate and fear. Those kids are so dangerous. And the puppies are so cute! What if those dangerous kids hurt one of the puppies! Heavens no! I hate those dangerous kids!
So let's recap. Kids with computers: BAD! Puppies in hospitals: GOOD! Now take your soma and let's all sing "I love Big Brother!"
I thought these two articles were relatively well-done considering the intended audiences. There's a big difference between the average ABC News viewer and the average /. reader. ABC News shouldn't have the same depth of complexity, as the whole point of TV news is to take a complicated issue and explain it in terms that the average Joe can understand. This can be done poorly, but sometimes it can be done well. I think these two articles are done relatively well. In particular, the World News Tonight article gave a good summary of the good/evil qualities of h/cracking (i.e., cracking reveals security flaws that can be fixed).
Yes, the majority of media coverage about hackers/crackers is really paranoid, but this one wasn't so bad.
"They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost."
No, that's $18 million that they never made. There is a subtle but important difference. You can't lose money you never had.
________________________________
I read it as, "a web site that makes the company $18M/day." If they're pulling in $18M of revenue from their web site alone, and that web site is put out of commission for a day, they will not make $18M that day. Thus, the outage cost them $18M in lost revenue.
It's just not that simple. There's no doubt that most of these monetary claims are vastly exaggerated, but it's not just a matter of replacing an index.html file. If someone broke into your house and spray painted a tag on your bathroom wall, would you just shrug it off, clean it, shut your doors, and continue on with life? No. You'd beef up your security.
That's irrelevant to the cost of replacing the web content.
This is the cost to fix your security holes; it has nothing to do with the web site at all. If there are security holes, then it's the administrator's job to fix them, and this can't honestly be counted against repairing the website; these are two different things. (The cost for a sysadmin's time is already paid for - it doesn't matter if he's doing it adequately or not.)
Fact is a lot of these sites may be "asking for it" with their poor admins and shaky security, but that doesn't make it right.
Nobody is saying that it does make it right - but that has nothing to do with calculating the cost of restoring a website from a backup.
But what can I expect from an AC.
You can have a perfectly competent sysadmin, one that performs his job 100% correctly, 100% accurately, and applies patches and security fixes exactly 0 seconds after they're announced and STILL BE VULNERABLE TO ATTACK.
It's not infrequent that a vulnerability will be discovered and exploited *before* it's announced on the major security mailing lists and web sites. There's also the possibility that it's announced at 3AM and the company silently rooted by 3:05AM. What are you going to do, have all your admins get paged at any hour of the day every time an e-mail comes to Bugtraq?
I won't disagree that some admins shouldn't carry the title. More often than not, a vulnerability is exploited long after it's been released, but THIS IS NOT ALWAYS THE CASE.
I really hate it when people go off bashing the administrators when they haven't necessarily done anything wrong or incompetently at all. These guys are the victims. The script kiddies that mount these downloadable attacks are the people we need to be fighting here.
With viruses available for downloading from the Web, extensive computer language knowledge is no longer needed
Hmm...sounds like they're talking about script kiddies to me. I find it interesting that ABC focuses on the 3vi1 h@x0rz as opposed to the lack of responsible security measures on the part of those who get cracked. Maybe these companies "making $18 million dollars a day" should shell out a few bucks for some decent firewalls, intrusion detection, and the IT people to run that show.
Keep your servers patched up, run them on UNIX boxen with extra security measures, and for god's sake, don't short-change your people for equipment or personnel. It's really not that difficult.
I was particularly impressed that they chose the l0pht, which *is* a legitimate hacker group. I'm not so sure about GH, but they've made enough news to be worth mentioning.
The sentence makes a lot more sense if we read it as saying that the company makes $18M a day, not the website. It means: "It is a crime to make fun of people who make money", and it is scary. Very scary.
JM
There was the usual nonsense, like confusing crackers and hackers and getting crack attempts and viruses all mixed-up. But otherwise, a few things really jumped out at me:
* Global Hell came across as extremely juvenile.
* The so-called leader of GH (Patrick something) was just a typical angst ridden teen. He couldn't elucidate his purpose or ideals; his philosophy pretty much broke down to "All the corporations of the world are trying to oppress me in some unexplainable way, and, oh yeah, I'm really bored."
* The word "brilliant" was used several times in relation to crackers, as if they're working on things that require a PhD and sophisticated programming ability. I'd hardly put exploiting security holes into that category.
Interesting overall.
By the way, something just now occurred to me concerning amazon.com's patented technology. Does amazon.com require the user to enter a password as well as the cookie info? and if the latter, doesn't that add up to more than Just One Click(tm)? I regularly shop at a couple of web stores which store at least your account name in a cookie, so when you jump to the "Checkout" page your name is already filled in, even including your credit card number (which is displayed as "xxxx-xxxx-xxxx-1234"). But to get to the "Checkout" page you have to present your password first. At any rate, that certainly wouldn't be new or unique (that is, patentable) technology for amazon.com to do it that way.
But if everything you need for ordering is already stored in cookies, doesn't that present a king-size security hole? Suppose, for example, one of my co-workers orders something from amazon.com with their web browser. And suppose I want to play a mean trick on this co-worker. So I copy his cookies file. Now if all the customer info is keyed off the cookies in the user's PC, I can't exactly steal anything; even if I order something, it will get sent to the original shipping address. But as harassment, I can order up, say, twenty copies of "Mein Kampf" or "The Joys of Enema Sex" or something obnoxious like that on his credit card, with Just One Click!(tm). Is that possible?
I'm almost tempted to break the boycott to experiment. It would be easy enough; just make an actual purchase from one PC, copy the cookie file to a second PC, and see if I can make a second order with Just One Click!(tm).
amazon.com has got a LOT of customers. If there really is such a big, obvious security hole in their patented technology, then maybe these news magazines could make themselves really useful to their readers by warning them away, rather than blathering about the Dire Threat to American Security posed by a few industrious security hackers and a bunch of dumbass script kiddies.
At any rate I hope I'm wrong, and there is a mechanism which forestalls illegitimate ordering. amazon.com and Jeff Bezos can certainly go to Hell for all I care, but I'd hate to see all those innocent customers getting screwed.
Yours WDK - WKiernan@concentric.net
Second, we must make the assumption that if one file has been altered, -any- file on the system could have been altered. Remember, don't use tripwire, or any similar tool, as this will eat into your damage assessments
Do you honestly think that companies stating they've suffered 10M$ in damages ever actually get paid 10M$ by the attacker?
Companies have to weigh costs. There's the additional cost of implementing and maintaining something like Tripwire (which, as another poster mentioned, doesn't do crap for data) against the potential cost of a system intrusion. If your company has the funding for it, they've probably implemented a modest amount of security mechanisms (including things like Tripwire).
If your company doesn't have this funding, compromises must be made. Does that make this company irresponsible, incompetent, or "asking" to be rooted? Hell no.
For those types of companies (read: most), you HAVE to make the assumption that the system has been compromised in more than one way, with back doors in place and that the intruder has access to your internal systems as well. You need to cut off the network, locate the exploit used to break into the system, and totally re-build the OS and applications on the affected systems (probably ones even suspected of being rooted as well). Not taking these steps would be far more irresponsible of the admins than ignoring security bulletins in the first place (assuming they even did, and that if they hadn't, it would have helped them, which isn't always the case).
Remember, system restoration should be put in as overtime, so your figures for damages should reflect this.
Yep. Damages accumulate as network or web sites stay unreachable. The costs of overtime would presumably be less than the costs of staying offline. If this weren't the case, it wouldn't be worth it and it could probably wait until normal business hours. (Of course, I'd still physically disconnect the machines from the Internet during this time.)
you're still using it, so there's still a cost -somewhere- in the system.
If I get 10 free hours of tech support from a vendor, and I use all of that up as the result of an attack, you're damn right I should be compensated.
Fixing the security hole yourself is a big no-no
Apparently you're under the delusion that all corporate environments are using Linux on all of their mission-critical systems.
For those of us in the real world, we have to wait for vendor patches and upgrades, or we have to implement workarounds. Fortunately, major vendors tend to be quite helpful in emergency situations like this.
It's an ILLEGAL INTRUSION.
If you want to break into systems to learn how security works, be able to examine code, etc., GO TO COLLEGE. Most universities have some very EXCELLENT network security courses where the students do precisely this, and have access to all sorts of very interesting hardware. Do not use my systems for your stupid games or "education", whatever it is you want to call it. How am I supposed to know you didn't touch anything vital? If you break into a bank vault just to "learn", and the cops come to your house the next morning, do you think they're going to care or believe you if you said, "But I didn't take any money!"
And just because a system isn't 100% impenetrable to your l33t hax0r skilLZ does not necessarily mean the admin is remotely incompetent. What if the exploit was made available before an announcement/fix/workaround was made? What if both were released at 3AM? Is the admin incompetent because his pager isn't set to wake him up every time an e-mail message is posted to Bugtraq? Is the company *deserving* of an attack just because they don't spend 80% of their meager revenue on network security?
If you break into my system illegally, REGARDLESS of your intentions, I will prosecute you and you will go to jail. Period.
Hell, I can't write C worth a crap, and I could take down much of the internet in only *TEN MINUTES.*
All I'd need is a backhoe.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Well, anyone who gets their "news" from TV is ignorant, in the truest sense of the word. Unfortunately, that is most people today.
DO NOT DISTURB THE SE
I expect we'll see more of these in these last couple weeks of life. If Russia's nukes don't go off and burn over New York, Chicago, California, the end of the world is bound to come via 14yr olds shutting down everything.
A few things in the 20/20 piece struck me as odd. First, the head punk of this Global Hell didn't come across as anything more than your average script kiddie. He basically just cracks into places because he's bored. One thing he said in the very beginning was that he loves his computer more than "anything in the world." Not his mom (there was no dad in the interview, hmm), or anything of real importance, but an electronic box. This is the first stage in social disorders like this.
Then he got his computer taken away in a police raid, and what happens? His mother, seeking nothing but making the boy happy, goes out and buys another one the next day. No discipline or anything, but "Oh honey, here's a new computer. Will you love me now?" Now in my day, the parents would have thrown a fit over the police raiding our house and I wouldn't get out of the dungeon for weeks. Has anything changed in just ten years since I was a teen, or was it because my parents didn't need to try so hard for the kids to like them?
Then there was that goofball at the American Retirement Company or whatever saying he's hired this guy as a "consultant" to prevent him from sicking all the other kiddies on the company. Wasn't there some law back when the mob did these things which made it just as illegal to pay off these sort of extortionists?
One funny part in it was when they talked about the virus due to explode next year. They said it was spread by Microsoft's email program. Sounds to me the way to cure that is to not use MS Outlook.
Oh. And I have just lost $500,000 typing this post using the media's magical calculator.
I wasn't suggesting a 'Trashing the Internet HOWTO' (or would it be a mini-HOWTO because it only takes 30 minutes :) )
My point was that the reporter took no steps to verify their (your?) claims. Even if the boasts aren't far-fetched, it's reporting like this that spreads confusion and panic.
I remember reading about one of the first high-profile hacker busts (was it Mitnick?) that said the prison officials wouldn't let him use the phone while he was in jail because everyone thought he could make one call and start a nuclear war.
When the general public becomes misinformed, it gives the government excuses to pass regulatory laws. If thousands of average at-work net surfers read the article and start worrying that every 14 year old kid who owns a computer and wears glasses can destroy the internet, the government will helpfully pass all sorts of laws to limit use and what not.
Won't happen? Remember all the stories about Geek Profiling and metal detectors in schools? Youth violence has plummeted since the early 90s and is still falling, but thanks to the media, people *perceive* that kids [esp. geek kids] are getting more and more violent so school officials can now get away with expelling people for playing Quake.
I guess a summary of my point is: Lousy reporting has really annoying consequences.
Dana
Melissa's a good beginning example to show the weakness of the internet, but all Melissa did was become a "cholesterol," if it were, to the "arteries" of the internet. Once it was cleaned out, everything got back up and running.
As it was suggested, I did some looking into BGP, because quite frankly, it'd be pathetic for me to blabber on about something that I didn't understand. The only problem is, you need a pretty good understanding of IP to understand how BGP works, and there isn't much documentation out there that sums it up in a dime. Here's the easiest explanation I can get for how BGP works (the whole document that goes in to far greater detail can be found at http://www.netaxs.com/~freedman/bgp.html):
The primary purpose of BGP4 (as we're studying it here) is to advertise routes to other networks ("Autonomous Systems").
An AS, or Autonomous System, is a way of referring to "someone's network". That network could be yours; a friend's; MCI's; Sprintlink's; or anyone's. Normally an AS will have someone or ones responsible for it (a point of contact, typically called a NOC, or Network Operations Center) and one or multiple "border routers" (where routers in that AS peer and exchange routes with other ASs), as well as a simple or complicated internal routing scheme so that every router in that AS knows how to get to every other router and destination within that AS.
Layman's terms: Every personal network out there (company networks, school networks, government networks) works in its own little private world. BGP (BGP4 is just the current version of BGP) is the protocol (acronym stands for Border Gateway Protocol) that allows all these networks to talk to each other. The protocol is utilized by Cisco's routers, and since Cisco currently has the majority share of internet routers currently in use, if l0pht (or anyone else who knows how to do it) creates specific scripts that break these bonds between the network, the majority, not all the internet, but the good majority of it, will fall like the giant it is.
How can you bring it down? Well, due to my ignorance, I'm not completely sure, but I believe the web site I quoted earlier sheds some light on it:
When you "advertise" routes to other entities (ASs), one way of thinking of those route "advertisements" is as "promises" to carry data to the IP space represented in the route being advertised. For example, if you advertise 192.204.4.0/24 (the "Class C" starting at 192.204.4.0 and ending at 192.204.4.255), you promise that if someone sends you data destined for any address in 192.204.4.0/24, you know how to carry that data to its ultimate destination. The cardinal sin of BGP routing is advertising routes that you don't know how to get to. This is called "black-holing" someone - because if you advertise, or promise to carry data to, some part of the IP space that is owned by someone else, and that advertisement is more specific than the one made by the owner of that IP space, all of the data on the Internet destined for the black-holed IP space will flow to your border router. Needless to say, this makes that address space "disconnected from the 'net" for the provider that owns the space, and makes many people unhappy...Anyway, the bottom line: Test your configs and watch out for typos. Think everything that you do through in terms of how it could screw up.
Layman's terms: Say someone wanted to shop at Amazon.com. Their computer says "take me to Amazon.com". If my computer saw the request "take me to Amazon.com," and I wanted to stop the request, I could say "Sure, I know where it is... follow me!" Then I'd lead him to a cliff edge and tell him it's right over the cliff. Poof, end of request. If I wanted my computer to direct everyone who asked for Amazon.com to someplace OTHER than Amazon.com, I'd just stick an arrow sign by the cliff that said "Amazon.com -->", directing them over the cliff.
Even Lamer Layman's terms: remember the good old Looney Tunes cartoons where Wile E. Coyote would repaint the road and dashed-yellow line, directing it to the face of a cliff? If the Road Runner was a packet of information traveling pretty fast on a network (the roads), and you "tweaked" the network and told it that this new route (repainted road) went somewhere, when in fact it ends abruptly (cliff wall), you're going to lose the information (aka "SPLAT!").
For man with no mind: "Oh, you want to know where New York is? Try looking in Russia."
Another place that explains the BGP protocol and actually makes the technicalities of it easier to understand (diagrams and simple numbers) is http://www.alliancedatacom.com/cisco-bgp-routing.
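Added example, not part of the comment above or of the site it quotes: a small Python sketch of why a more-specific advertisement wins (longest-prefix match) and how an operator can flag one that covers their own address space. The /16 aggregate, the AS numbers (documentation range) and the function names are assumptions; only 192.204.4.0/24 comes from the quoted text.

```python
import ipaddress

# Constructed sample data. ASNs come from the documentation range (RFC 5398).
# The owner's /16 aggregate is an assumption; 192.204.4.0/24 is the quoted example.
OWNER_AS = 64500
EXPECTED_ORIGINS = {"192.204.0.0/16": OWNER_AS}

ANNOUNCEMENTS = [
    ("192.204.0.0/16", 64500),   # owner's legitimate aggregate
    ("192.204.4.0/24", 64501),   # more specific, from a different AS
    ("192.204.8.0/24", 64500),   # owner's own more specific (traffic engineering)
    ("198.51.100.0/24", 64502),  # unrelated network
]


def build_table(announcements):
    """Parse (prefix, origin AS) pairs into a simple routing table."""
    return [(ipaddress.ip_network(prefix), asn) for prefix, asn in announcements]


def best_route(table, destination):
    """Longest-prefix match: the most specific covering prefix carries the traffic."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, asn) for net, asn in table
               if net.version == addr.version and addr in net]
    if not matches:
        return None
    net, asn = max(matches, key=lambda route: route[0].prefixlen)
    return (str(net), asn)


def unexpected_origins(table, expected):
    """Flag announcements inside our address space that come from another AS."""
    alerts = []
    for own_prefix, own_as in expected.items():
        own = ipaddress.ip_network(own_prefix)
        for net, asn in table:
            if net.version == own.version and net.subnet_of(own) and asn != own_as:
                alerts.append((str(net), asn, own_prefix))
    return alerts


if __name__ == "__main__":
    table = build_table(ANNOUNCEMENTS)
    for dst in ("192.204.4.10", "192.204.9.1"):
        print(dst, "->", best_route(table, dst))
    for prefix, asn, covered in unexpected_origins(table, EXPECTED_ORIGINS):
        print(f"ALERT: {prefix} originated by AS{asn} inside {covered}")
```

Traffic for 192.204.4.10 follows the /24 to AS64501 even though the owner still advertises the /16, which is the "black-holing" the quoted text describes; the monitor flags only that announcement and not the owner's own /24.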
Say you can shut down the Internet for a prolonged period of time. What purpose would that serve? What has the "Internet" community done more harm than good any group of people? (I've seen almost EVERY minority/majority use the Internet to spread their word. It's cheap, anonymous, uses almost any media (pictures/words) and can reach a worldwide audience.)
Could you imagine the amount of pressure law-enforcement departments would have to capture those responsible? Could you imagine the laws that would be enforced/enacted to prevent this thing from occurring again? Could you imagine the BigBrother mechanisms then put into place?
Wouldn't this be a BIG step backwards for the Internet?
And what would it prove? Is it worth it?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
As noted in previous discussions, no sysadmin worth the name is simply going to restore-and-forget. Any that would? Fire 'em.
They're probably counting the costs of the full security audit, including lost business due to downtime -- since it's a BAD idea to not bring the system down for a full check if some loser's obtained root access. At the very least, one needs to eliminate the possibility of remaining backdoors (probably a full re-install if possible), lock it down, and preferably try to figure out the points of entry and anything, such as database records, that may have been affected.
Only the dead have seen the end of war.
You know, if a group of physicists really put their minds to it, they could devise a way to vaporize the entire planet in a millisecond. I guess that makes them brilliant. If I tell the world how to do it I am just a bad guy enabling malicious evil scientists. If I don't tell the world I am just a clueless boaster.
:-) Things never work like they're supposed to, but if this DOES work, you risk destroying your lab equipment, your house, Earth, the sun and eight other planets, Proxima Centauri, and roasting any planets that happen to be orbiting nearby stars. But you'll prove to everybody how smart you are by demonstrating a serious flaw in the existing version of our universe.
If anyone is seriously interested in this topic, I suggest studying up on M-theory, and pay close attention to the energy potential regarding De Sitter space. Then you just have to spend some long nights experimenting with the correct particle interactions (use your own equipment, of course) until you finally create your own Type 1A supernova explosion.
If you don't want to do all that work yourself you are going to have to trust me.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Among all the hacker vs. cracker comments here, I might have missed something, but did anyone else notice the end of the 20/20 article? The article was about hacking & cracking, but the tips they gave at the end were about viruses! I can understand the media's (ongoing) hacking/cracking confusion, but can't they tell the difference between that and a virus?!
Note: the "you" in this post is a general "you" and not a reference to the original poster or any other poster in this thread.
Whether it is $5/day or $18 million/day, the fact remains that people who hack other people's computers are violating others. There is no justification for that. Getting into an argument over exactly how much it costs takes away from that fact.
Here are the general reasons I hear cracker dorks and script kiddies give for their asshole behavior:
Bullshit. If you wanted to do them a service, you would email the sys admin the hole being exploited. Breaking into their web site is, at best, a way of publicly damaging the reputation of the web site in question as well as doing damage that can range from inconvenience to, yes, millions of dollars a day. It is very similar to breaking into your neighbour's house and spray painting the walls because they forgot to lock the front door. Finally, it is very difficult to secure an NT or a UNIX machine. Punishing people because they are not the experts you think you are (but likely are not) is pathetic.
And that makes it OK? I don't care if it is Microsoft, it is still just as wrong as doing it to an individual.
Again, so what? That does not make the act of breaking into a web site any more justified.
It always costs them something. It may not be $18 million/day. It may be giving up a weekend after having worked a month without getting a weekend. It may not be anything you value at all. But it is certainly something valued by someone associated with the target site. And no one has any right to force that person to incur that cost.
I mean, come on. Does ABC really have that much influence on legislators? 20/20 is nothing more than a video tabloid and World News Tonight ought to be renamed "Weekly World News Tonight - Now In Full Colour!" or something sensationalist along those lines. Oh, I hear you. "But, Count Spatula, people really do take notice of programs like this one, and politicians get their cues from these newscasters!" Drek. The people who take these programs seriously also think their cats are actually their children and buy the Enquirer because "Elvis isn't really dead, just hiding in Poughkeepsie". As far as politicians go, the more criminalization that occurs, the better. It makes them look good at election time.
-- Count Spatula: The Culinary Vampire "...because my cooking sucks."
> Also, the Web site is just brochureware, there is no gateway to anything important.
That's starting to change. Remember the web pages of three years ago? Hi! We're here! We sell stuff! Visit us in the real world! Nothing more than a billboard on the side of the highway. Now corporations are starting to use their webpages for something useful.
But brochureware is going down the wayside. What we REALLY need right now is one of the self-proclaimed "e-commerce" companies to build a real online store app for mom and pop. (Or a rentable service.) Of course, it would also make a REALLY USEFUL open source project.
But as we get away from brochureware, boy, it is going to be Christmas time for the crackers.
I saw this last night but couldn't submit a link since 20/20 was inaccessible.
It was ridiculous.
I got the impression that those kids threatened ABC so they could spend some time grandstanding.
Every single person who spoke sounded like a complete idiot. Cripes, the White House might have secure internal systems, but cracking the web site should be a trivial task. When it was done, the site was probably being run by a secretary using NT. [Point, Click, white-out]
What was it that sysadmin said? "It cost us hundreds of thousands of dollars to reboot and repair those servers." Maybe I should hack my own site at work and tell my boss I need $300,000 to reboot the servers. Can you say new house? :)
_______
2B1ASK1
Granted, I didn't see the program(s), and I'm not a security expert... but if someone is able to break into a web site by whatever exploits, they presumably have figured out one or more username/password pairs. Since many companies would likely use these names/passwords on more than one of their machines (I know, not a very bright idea), then there would be the cost of "changing all of the locks" so to speak. Plus the costs of beefing up security to prevent it from happening again (even if "lax security" wasn't the cause of the break-in)
- Mike
I saw that on ABC last night and read another article on ABCNEWS.com from an interview with L0pht saying they can take down the Internet in 30 minutes. I've thought about it and couldn't come up with anything off the top of my head. Is this a group just boasting or is there any fact to it? Wasn't the decentralized nature of the Internet designed to avoid going down during war and the like?
What kind of hacker wouldn't have an install of the most widely used software on the net? Would he want to limit himself to being able to only break into *nix systems? Hackers need to know every operating system they can.
And the easiest thing to make someone afraid of is something they are dependent on, but can't control or don't understand. Fear is a great hook--you're watching Friends or whatever and all of a sudden some talking heads pop up and say, "Why bottled water may be bad for you, tonight on the 11AliveCast." So you watch the 11AliveCast and they keep teasing you along until 11:26PM, when they tell you bottled water isn't fluoridated so please for ghod's sake brush.
And the next week bottled water sales are down. They really are. Air travel drops a small but significant amount after airline crashes, and boy-oh-boy do those ever grab airtime. The irony is that lots of those panickers end up driving, which is far more dangerous than flying.
Or one sociopath goes and puts cyanide in Tylenol capsules in Chicago in 1982. The press went absolutely batshit over that one, and within a month seven local poisonings became 270 copycat poisonings nationwide, and every bottle of Tylenol in the U.S. had to be taken off the shelf. Within a year all OTC pharmaceuticals were repackaged to be tamper resistant, for over $1.3 billion per year in direct costs, never mind the indirect costs of making otherwise harmless medicines impossible for elderly people to open.
Sending the population into a panic also makes governments adopt hasty, poorly thought-out measures to remedy what their citizens are convinced are terrible, terrible problems. Does anybody remember the plastic handgun scare of 1985? Huge panic, many laws passed, product did not exist and is still technologically unfeasible.
Whipping up a frenzy of concern and fear may not be responsible journalism, but it brings in readers and viewers, consequences be damned. Speaking of hasty government actions, read about W.R. Hearst's interest in the Spanish-American war some time, if you're ever curious about the lengths people have gone to to sell papers.
Moral: The manipulation of public perception can turn minor problems into major problems, not the least of which will be the public perception itself.
--
This is not my sandwich.
"I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another."
Well, that's simple really. There are 3 main areas of cost to the hacked company that need to be taken into account:
The 3rd point is of course the most important one, these managers can get seriously disturbed and often spend days away from their more productive work of playing windows solitaire.
On a more serious note, these figures tend to also include figures such as hiring security people to come in and 'beef up security', run risk assessments et cetera. The other key factor is that figures are always overstated, particularly to help with the end of year figures and also to help push law enforcement to do something about it (How good a response do you think the FBI gives when you complain you lost $5?). The final issue is of course lost credibility.
There are additional things to be taken into account. Companies have been known to fake hack attempts at their own websites for the exposure it gains them. I wonder if any of these hacked websites would ever be willing to declare a negative cost to the whole thing?
What annoys me most about all these "hacker" stories (and most other stories too) in the news is that the reporter never ever has a friggin clue about the subject. I'm sure that l0pht and maybe GH to some extent have some legit hacking/cracking abilities, but for all I know it could just be another article glorifying script kiddies. I bet that if ABC interviewed some random 13 year old script kiddie in place of these groups, the article would pretty much be the exact same. We'd probably read something like, "Using these advanced password cracking programs, a skilled hacker like l33tb0y13 could break into even the most secure computers in the world" or some such inane tripe.
I notice how most of the articles never really deal with the methods the crackers use. Instead what I see are quotations of the hackers boasting, and of the writer fearfully agreeing. Throw in some quotes from a paranoid and clueless law enforcement official and you got yourself an article.
I wish ABC would have hired someone who knew what he was doing to interview those "hackers." Get an authentic security expert (and not someone like Vranesevich) and have him ask some technically oriented questions. I wouldn't mind seeing some big time cracker group exposed as a band of script kiddies or even seeing a real legit group's skills be verified by a competent source. As it stands, every hacker article appears to be FUD and needless paranoia written and advertised by someone who can't tell a telnet port from his ass. I want to see facts and commentary by someone who understands what he is talking about rather than seeing so many broad, unfounded statements rubber stamped and published.
Do you want a miracle or something?
... Jeez, I can't /wait/ to see what new script kiddies this has spawned.
.. A few days to notice that a website is down? PLEASE. If slashdot takes longer than 8 seconds to load, I experience withdrawal symptoms.
.... Are they legitimizing destructive behavior?" .. Jeez..
:-P
"Hackers (sic), now with their own conventions and magazines,"
Defcon 7.0, and soon 8.0. 2600 and Phrack are both > 5 years old. NOW!? These people think at the speed of a dead elephant. I'm sure they get up each day, do exactly the same thing, go to sleep, and dream exactly the same dreams they've had for the past 20 years.
I mean, I regularly seem to be probed by some script kiddie program that brute force checks phf, convert.bas, some Front Page things, etc. It's annoying, yes. Dangerous? No. If I don't securely lock and check on my building when I leave work, and don't buy a security system, I won't be insured. I wish "website insurance" would come out so adjustors could go, "Windows NT you say. How's 1,000,000 a month for a premium?" Maybe then we'd finally see some professionalism forced past those PHBs and clueless MCSEs.
"With viruses available for downloading from the Web, extensive computer language knowledge is no longer needed." I remember having to deal with the Stoned Monkey virus in 1994 at a computer lab. It was more because clueless 12 year olds didn't know much about computers. Thankfully, the lab had a good teacher (I was just a TA checking on the machines). Professionalism is, again, a solution. Know your job, and do your job.
On to the second article..
"Their code name is "The L0pht,""
Their group name. Double moron points for showing ddd or some visual debugger at work in the image there.
"They are the elite of hackers, whose notoriety brought them before Congress a year ago."
"20/20 says hackers are reeel cool d00ds! I want to be one now!"
"That's correct," one L0pht member responded. "It would definitely take a few days for people to figure out what was going on."
"On no, the internet is down again.."
"What they do is try to break into programs we're led to believe are secure."
"But MS said that this Exchange server was mission critical, even though it doesn't have any relay protection, forces us to use LookOut!, and has many obvious holes!"
"They refer to each other by nicknames. By not revealing their real names, they protect themselves from lawsuits by companies and individuals."
They're too young to have lawsuits pressed against them.
"They say it's to remind us how we've become reliant on computers for more than just communicating;"
"Look, you rely too much on Oxygen. When I strangle you, you die! Stop relying on Oxygen so much!"
It's clear that both the reporter's poor understanding, and L0pht's annoying boasting, have contributed to bad, bad articles. Seconds to crack a password? Well, if your root password is "rootpwd," I should hope so!
---
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
A better analogy would be that they go out and pick locks on other people's houses or cars, but then instead of stealing anything, they hang a big sign on the door saying "Company X builds sh*tty locks, see?"
I'll be the first one to admit, the companies whose executives use their first names as passwords deserve to be publicly embarrassed when they determine security policies and methods without knowing anything about the subject, but even the more benign hackers are not exactly Consumer Reports. They do not "buy" the locks, they test other people's.
The most disturbing thing about the two stories is the fact that the U.S. Attorney wonk they interviewed basically implied that the richer the person you mess with, the more serious the crime: "If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough
[command INSERTWITTYQUIP failed: insufficient wit]
Remember that at the end of the year the amount and quality of news is significantly less than any time during the rest of the calendar year. That is why there are so many "scary" Y2K stories and now Cracker/Hacker stories. The News departments know that most people that continue to watch these news/entertainment prime-time programs are middle-class 35-60 Americans w/kids that don't understand the Internet and if they do they think it starts with "You've got mail!!". It is sad when journalists enlist attention starved individuals (so called Crackers) to make a segment of productive, hard working people (Hackers but I hate that word) look bad.
I spotted mumbo jumbo about the FCC and interstate laws but for the most part I really didn't know.
Why isn't page defacement classified as breaking and entering?
More race stuff in one place,
than any one place on the net.