Slashdot Mirror


ABC TV Does Two Major Cracker Stories

karma vs Dogma writes "ABC ran a couple of stories tonight on the "Evils of Crackers/Hackers". Read the summaries of the World News Tonight story and the 20/20 story. I am just wondering where they keep getting these huge figures on the costs of replacing one html document with another."

15 of 227 comments

  1. Fear of messages. by simpleguy · · Score: 3

    Also imagine another scenario.

    An e-commerce website's home page gets defaced with the usual elite cracker message.
    Insulting the sysadmin.
    Shouts to the peeps.
    Links to places ... and..
    "Oh yea sysadmin, thanks for your customers' credit card numbers. I am gonna have some fun this month"

    Just imagine how seriously this can hurt the business. People get informed that the website has been "owned by some elite hackers" and the credit card numbers they used to purchase stuff there are ...ummm.. owned.

    No matter what the website does to re-assure the customers that vital data has not been broken into, it will still lose MANY customers.

    Will you purchase from ..let's say Amazon if their website gets defaced with a similar message as above?

    Simpleguy

  2. Corrections and clarifications by bons · · Score: 3
    First: L0pht

    Second: Attrition.org

    Of special note is the Attrition Mirror of defaced sites. This will allow you to decide how much "damage" is actually done and how much "help" was actually done. Please note that this varies greatly by individual.


    The problem that exists is that these people, often under 21, see big giant gaping holes in the security systems and this bothers them. If they report it, nothing happens because no one has, or ever will, listen to them. (Some sites have been defaced repeatedly, without ever having fixed the holes, even after the fix was placed in the HTML!)


    So they make a mistake. They try to draw attention to the fact before someone less kind, (for example a rival organization) uses the same holes to download actual sensitive information. (Warning, this kind of thought process can occur to you when you've read too much cyberpunk.)


    I'm older and wiser now. I realize that people REALLY DON'T care about security. Normally they just want something to rant about. The status quo is to lock your car door for security but if you lock the keys in your car you expect a locksmith to get them out in under a minute.


    Think about it. If the locksmith can do it in under a minute, so can I.


    They may not be adults, they may be fools, and they may annoy the computer professionals that are responsible for security but let's look at it this way.
    If some kids can take down whitehouse.com, why couldn't Zhirinovsky hire someone to do the same, only with a lot more creativity and subtleness. (Wouldn't the media just love it if someone found a collection of porn jpegs on whitehouse.gov?)


    They're criminals. They view themselves as unsung heroes. In short, they're the Chicago Seven of a new generation. Even Richard Daley's famous quote could still apply:

    "Gentlemen, let's get something straight. The police aren't in the streets to create disorder; they are in the streets to preserve disorder." -- Mayor Richard Daley

  3. Sigh by tpck · · Score: 3
    "If you deface a Web site of a company that is making $18 million dollars a day, you are committing a pretty serious crime," says Assistant U.S. Attorney Matthew Yarbrough.

    And a $17 million dollar a day site? Less serious? What about a $0 dollar a day site, say a unicef.org or whyme.com?

    I'm sick of money being equated with importance.

    I have no respect for script kiddies that deface webpages randomly, launch pointless DoS attacks, etc. They all seem unproductive and malicious.

    Though I do rather like those people over at the L0pht. :) Original, creative, and damn, they actually DO stuff, unlike 99% of them damn script kiddies.

    Still, I'm sick of all these [hc]racker stories. The media does seem to be doing a slightly better job lately though. Well, sometimes.

  4. Inflating Costs in one easy lesson by jd · · Score: 3
    Ok, class, today we learn about how to wildly inflate the cost of repairing cracker damage. First, we need to think of it -as- damage. That, in itself, is a powerful psychological tool to help inflate the costs.

    Second, we must make the assumption that if one file has been altered, -any- file on the system could have been altered. Remember, don't use tripwire, or any similar tool, as this will eat into your damage assessments. Figure in the time of a complete deletion of the system, a fresh re-install of all applications, and finally a restore from your latest backup tapes.

    Remember, system restoration should be put in as overtime, so your figures for damages should reflect this.

    Then, you must factor in the cost of the system being down, in terms of time lost (wages) to all company employees over the entire day, even if they probably wouldn't have used the system at all. It's still a loss of potential, which is still a cost.

    Then, you must factor in the cost of calling in the technical support people from the company you bought the system from, to fix the security hole. Even if you buy technical support, when you get the system, you're still using it, so there's still a cost -somewhere- in the system. Fixing the security hole yourself is a big no-no, as this would imply incompetency on the part of the technical staff. As technical staff are, by definition, competent, any hole that exists must be obscure and only known to the company that you bought the system from.

    Then, consider the cost of loss of revenue from any banner adverts your site carries. That it's not your loss is irrelevant. It's still a cost of the damage. Assume everyone who enters your site follows a banner advert and purchases something. This may not be entirely accurate, but it's a possibility, so it's still a potential cost and therefore counts.

    Finally, consider the cost of image. Any points lost on the stock market, that day, are potentially a result of the system crack, so you can estimate how much the company lost in value as a result. It's important to remember that, even when any other factor in the Universe seems more likely, always assume the worst possible case, for damages.

    This completes your class in damage assessment and valuation. You are now qualified Public Relations officers, capable of handling the worst system cracks with dignity.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  5. Figures by Foogle · · Score: 3
    They explain the high cost (to a point) in the synopsis. It's not the actual cost of replacing the file... that's pretty minimal. No, it's lost income because of the disruption. They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost. There aren't *too* many pages that pull in $18 million a day, are there? Well, the point remains anyway.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

    1. Re:Figures by Our+Man+In+Redmond · · Score: 3

      Mr. Calculator tells me $18 million a day equates to $6,570,000,000 a year. If there was a web site making that much money we'd be hearing about it. OTOH for a company to be making a mere $100 million a year they would only have to take in somewhere on the order of $275,000 a day which is still a significant amount of money to see lost just because someone wanted to prove how 1337 they are.
      --
      Someone you trust is one of us.
  6. Bogus Figures by Stiletto · · Score: 3

    "They cite a webpage that's making $18 million per day. If it's down for a day, that's $18 million they just lost."

    No, that's $18 million that they never made. There is a subtle but important difference. You can't lose money you never had.

  7. Comments on the 20/20 piece by Junks+Jerzey · · Score: 3

    There was the usual nonsense, like confusing crackers and hackers and getting crack attempts and viruses all mixed-up. But otherwise, a few things really jumped out at me:

    * Global Hell came across as extremely juvenile.
    * The so-called leader of GH (Patrick something) was just a typical angst-ridden teen. He couldn't elucidate his purpose or ideals; his philosophy pretty much broke down to "All the corporations of the world are trying to oppress me in some unexplainable way, and, oh yeah, I'm really bored."
    * The word "brilliant" was used several times in relation to crackers, as if they're working on things that require a PhD and sophisticated programming ability. I'd hardly put exploiting security holes into that category.

    Interesting overall.

  8. Re:Shut down the Internet? by CausticPuppy · · Score: 3

    Hell, I can't write C worth a crap, and I could take down much of the internet in only *TEN MINUTES.*

    All I'd need is a backhoe.

    --
    -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
  9. Re:Shut down the Internet? by CausticPuppy · · Score: 3

    You know, if a group of physicists really put their minds to it, they could devise a way to vaporize the entire planet in a millisecond. I guess that makes them brilliant. If I tell the world how to do it I am just a bad guy enabling malicious evil scientists. If I don't tell the world I am just a clueless boaster.

    If anyone is seriously interested in this topic, I suggest studying up on M-theory, and pay close attention to the energy potential regarding De Sitter space. Then you just have to spend some long nights experimenting with the correct particle interactions (use your own equipment, of course) until you finally create your own Type 1A supernova explosion.

    If you don't want to do all that work yourself you are going to have to trust me. :-) Things never work like they're supposed to, but if this DOES work, you risk destroying your lab equipment, your house, Earth, the sun and eight other planets, Proxima Centauri, and roasting any planets that happen to be orbiting nearby stars. But you'll prove to everybody how smart you are by demonstrating a serious flaw in the existing version of our universe.

    --
    -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
  10. Did anyone notice... by mmmmbeer · · Score: 3

    Among all the hacker vs. cracker comments here, I might have missed something, but did anyone else notice the end of the 20/20 article? The article was about hacking & cracking, but the tips they gave at the end were about viruses! I can understand the media's (ongoing) hacking/cracking confusion, but can't they tell the difference between that and a virus?!

  11. Defending the Indefensible by smack.addict · · Score: 3

    Note: the "you" in this post is a general "you" and not a reference to the original poster or any other poster in this thread.

    Whether it is $5/day or $18 million/day, the fact remains that people who hack other people's computers are violating others. There is no justification for that. Getting into an argument over exactly how much it costs takes away from that fact.

    Here are the general reasons I hear cracker dorks and script kiddies give for their asshole behavior:

    • I am doing them a service by exposing their vulnerability!
      Bullshit. If you wanted to do them a service, you would email the sys admin the hole being exploited. Breaking into their web site is, at best, a way of publicly damaging the reputation of the web site in question as well as doing damage that can range from inconvenience to, yes, millions of dollars a day. It is very similar to breaking into your neighbour's house and spray painting the walls because they forgot to lock the front door. Finally, it is very difficult to secure an NT or a UNIX machine. Punishing people because they are not the experts you think you are (but likely are not) is pathetic.
    • It's a company!
      And that makes it OK? I don't care if it is Microsoft, it is still just as wrong as doing it to an individual.
    • They did XXX (where XXX is some supposedly evil act).
      Again, so what? That does not make the act of breaking into a web site any more justified.
    • And, of course, the implied argument of this thread, "it doesn't cost them anything".
      It always costs them something. It may not be $18 million/day. It may be giving up a weekend after having worked a month without getting a weekend. It may not be anything you value at all. But it is certainly something valued by someone associated with the target site. And no one has any right to force that person to incur that cost.
  12. $$$ by eyeball · · Score: 4

    What was it that sysadmin said? "It cost us hundreds of thousands of dollars to reboot and repair those servers." Maybe I should hack my own site at work and tell my boss I need $300,000 to reboot the servers. Can you say new house? :)

    --

    _______
    2B1ASK1
  13. Selling Fear by theonetruekeebler · · Score: 5
    Fear sells. This has been a major tenet of yellow journalism and of publishing in general for some time.

    And the easiest thing to make someone afraid of is something they are dependent on, but can't control or don't understand. Fear is a great hook--you're watching Friends or whatever and all of a sudden some talking heads pop up and say, "Why bottled water may be bad for you, tonight on the 11AliveCast." So you watch the 11AliveCast and they keep teasing you along until 11:26PM, when they tell you bottled water isn't fluoridated so please for ghod's sake brush.

    And the next week bottled water sales are down. They really are. Air travel drops a small but significant amount after airline crashes, and boy-oh-boy do those ever grab airtime. The irony is that lots of those panickers end up driving, which is far more dangerous than flying.

    Or one sociopath goes and puts cyanide in Tylenol capsules in Chicago in 1982. The press went absolutely batshit over that one, and within a month seven local poisonings became 270 copycat poisonings nationwide, and every bottle of Tylenol in the U.S. had to be taken off the shelf. Within a year all OTC pharmaceuticals were repackaged to be tamper resistant, for over $1.3 billion per year in direct costs, never mind the indirect costs of making otherwise harmless medicines impossible for elderly people to open.

    Sending the population into a panic also makes governments adopt hasty, poorly thought-out measures to remedy what their citizens are convinced are terrible, terrible problems. Does anybody remember the plastic handgun scare of 1985? Huge panic, many laws passed, product did not exist and is still technologically unfeasible.

    Whipping up a frenzy of concern and fear may not be responsible journalism, but it brings in readers and viewers, consequences be damned. Speaking of hasty government actions, read about W.R. Hearst's interest in the Spanish-American war some time, if you're ever curious about the lengths people have gone to to sell papers.

    Moral: The manipulation of public perception can turn minor problems into major problems, not the least of which will be the public perception itself.

    --
    This is not my sandwich.
  14. better reporting would be nice by Ater · · Score: 4

    What annoys me most about all these "hacker" stories (and most other stories too) in the news is that the reporter never ever has a friggin clue about the subject. I'm sure that l0pht and maybe GH to some extent have some legit hacking/cracking abilities, but for all I know it could just be another article glorifying script kiddies. I bet that if ABC interviewed some random 13 year old script kiddie in place of these groups, the article would pretty much be the exact same. We'd probably read something like, "Using these advanced password cracking programs, a skilled hacker like l33tb0y13 could break into even the most secure computers in the world" or some such inane tripe.

    I notice how most of the articles never really deal with the methods the crackers use. Instead what I see are quotations of the hackers boasting, and of the writer fearfully agreeing. Throw in some quotes from a paranoid and clueless law enforcement official and you got yourself an article.

    I wish ABC would have hired someone who knew what he was doing to interview those "hackers." Get an authentic security expert (and not someone like Vranesevich) and have him ask some technically oriented questions. I wouldn't mind seeing some big time cracker group exposed as a band of script kiddies or even seeing a real legit group's skills be verified by a competent source. As it stands, every hacker article appears to be FUD and needless paranoia written and advertised by someone who can't tell a telnet port from his ass. I want to see facts and commentary by someone who understands what he is talking about rather than seeing so many broad, unfounded statements rubber stamped and published.