Usually, the C&C server is a rented virtual server, hosted on a "cloud provider" with little regard to identity verification. Those servers are always paid for with money from an untraceable source (like Webmoney or Western Union). This makes very difficult to track identities from the server to the money, and from the money to the owners of it.
VPS providers running Linux are plenty out there. And a remote Linux server is easier to manage than a remote Windows server [citation needed]. Deploying the C&C server infrastructure on Linux, using stolen SSH passwords with bots is way easier than do the same using rdesktop to deploy the infrastructure on hacked Windows servers.
So, probably the server is a virtual Linux server sitting on a datacenter, and the owners of the datacenter may not be aware of the fact that they host a C&C Server.
On the client side, they are surely running Windows. Compromising a Windows user is easier than a Linux user. Linux users generally does not run SSH, Apache, MySQL et al. Linux servers do. On the other side, there's a massive amount of pirated versions of Windows XP vulnerable to a wide range of local and remote exploits. Sending a threatening email with a link is a very easy way to get a user hit a site hosting an exploit pack and get infected. From there, the computer is owned and the user is owned as well.
It can be a directed phishing. If someone had access to the bank's client list, they can send a very convincing email with real data, and get a lot of customers infected. If they send a generic email to a lot of unrelated people, someone will notice and probably inform the bank of the attack.
Looks like you know nothing about mainframes and "aged technology". I work with mainframes. zVM, DASD, DirMAINT, RACF and other buzzwords are in my resume, along with Linux, Java, PHP, XML, jQuery, MariaDB, HTM5, Eclipse and others.
Mainframes are not aged technology. They are perceived as such by small companies and people. Big companies with big bucks know a lot about mainframes. They know mainframes are the most reliable hardware platform on the market today, and I guess it will continue as so for a couple of years, because mainframes were made from the start to be reliable. Other platforms got they reliability implanted on them. Mainframes were designed reliable and resilient.
Mainframes today runs Linux too, not only the "aged mainframe operational systems." And here we have mainframes running hundreds of Linuxes with jBoss. They are about to be orchestrated by OpenStack, so managing all this "aged technology" will be done in brand new Android and iOS tablets.
Job prospects in my area, at least for the next decade, are very good. Half the openings in my area are still open, paying for a intermediate zVM administrator almost twice what a senior Java programmer or MCSE will receive. And there's no people applying!
But if the mainframe job market have a problem, is lack of people. Mainframes are not user friendly, and youngsters are not likely to devote two or three years learning something from the grannies, on a very harsh learning environment, with a step learning curve, when all their peers are talking about creating a new app and selling to Google for a gazillion dollars.
Peer pressure is a greater force than job prospects. I faced this pressure when I talked to my peers that I was learning mainframe and everybody laughed at me. Now I earn 3 times what they do, and I am training some of them to work with me.
Not only that, it says "can be compiled for Linux, Mac, and Android". What about Windows?
The front-end is HTML5/Javascript. The daemon is written in C++, using a few open source libraries. It would only require a good C++ developer to port it to Windows.
And the entire protocol is opensource, the core technologies are opensource, so anyone with a good knowledge in C++ and any other language can port it to anything...
They have a small, experimental tower, and users can saturate it quickly. Limiting each call to 5 minutes means that even on a saturated situation, everybody can use the system. You get dropped and enter the queue, and you can be sure that you can get access again later. If there's no such rule, some users could talk 4 hours straight and deny access to every other user.
Here in Brazil we have dropped calls every few minutes and almost everybody accepts this as normal, so I guess the Mexican folks can handle that fine.
Let's pretend you have a million bucks on some bank (do you have, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to its network card and could access all bank servers and read data from any account.
Who would you blame? The bank or the guy?
I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T had to get a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.
No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers uses. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
If Weev loses the appeal, the traffic on full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
Even Weev being a troll and thinking on making profits over the AT&T mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, looks like AT&T did everything right, responsible, blameless, and a evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bothered to protect the data in any way.
Nothing that the might checkinstall package cannot solve. Install it on your compiling machine,./configure && make && checkinstall make install
It will create a shinny native package, compatible with your distro, ready to be installed with dpkg, yum, or whatever package manager you happen to have...
And Microsoft is dangerously passing the message "don't buy now, wait until we give you all a huge discount later" for its customers.
Zune? Flop. Discounted and still flopped...
Windows Mobile Phones? Flop. And Lumia is even behind Blackberries
Surface? Flop. Give it for free to say we have marketshare.
Xbox One? Walking down the flop path, but some hope still exists...
If the system is running fine for decades, what is the chance that it would suddenly die for no reason next week?
It's a very good hardware platform, made to last for centuries. Is different from your brand new GPU card that will fail and die in 4 years. Mine have not failed yet, but will soon.
Almost all the banking business in the world runs on COBOL, compiled almost 40 years ago, and that keeps running and running. Why replace the core COBOL with Java or.NET, if they are working just fine?
Rest assured, the trusthy PDP-11 will keep the nuclear plant running safe, as it has been done in the past couple decades.
The Amish are not thinking on the billions, they are thinking on their land. They rarely rely on money anyway, so the billions would not be that compelling to them. But frackle their soil and wreck their land, and they will be deeply concerned.
Is very easy to create a perfect, 100% accurate progress bar that works on all situations:
1 - During the first part of the job, show the words "Estimating time. Please wait."
2 - Do all the job, maintaining the "estimating" thing...
3 - After the job is complete, make up some numbers (e.g. "45 seconds left").
4 - Keep decrementing the time as accurately as possible. The user can't know that the job is already complete and you are wasting his time.
5 - The user will be pleased to see that your 45 seconds took exactly 45 seconds.
And it's not lame. They are doing an amazing piece of hardware, and even if it's pricey today, it is a start. I am pretty sure the price will go down in the following years, and more and more people will be able to use it.
As the time of writing, they have already passed $34k, and I am sure they will hit the $100k mark soon. I don't have that much money to invest on them, otherwise I would already been waiting for my unit to come.
And I am not a researcher nor a dedicated hobbist...
I started with Conectiva, a Brazilian distro. The installation killed my entire disk, and my Windows partition was killed along with my backups. And it was a good thing, because I was forced to use Linux. And without internet connectivity, restarting my Windows life would take a lot of time and floppy disks.
From there, a Mandrake. It was the first distro with drivers for my alien extraterrestrial ultra powerful soundcard. Even on Windows I had never ever heard anything from it. Until that rainy day, 3am, alone home, in the dark, and after booting Mandrake for the first time. I had two big speakers on a nice setup, plugged to the computer, and mute. But when the KDE login sound blasted through them, I almost fell of the chair.
Things changed, I migrated to RedHat. And I was happy. Until the day the them-CIO of RH told everybody that end users should use Windows, Linux was intended for servers. And I found RH9 clumsy and crippled. And I migrated to Ubuntu Warthog.
I was happy with Ubuntu, until I saw the speed of a Gentoo box. And I tried Gentoo. And for some time I was happy. Until a friend asked me "why Gentoo?" and I realized I was shaving milliseconds of time to run the programs, and spending hours to download and build them. Back to Ubuntu.
Then a friend shows me SuSE. It was full of whistles and bells, a very nice setup, and I tried. For a month... And back to Ubuntu.
Ubuntu forever! Ubuntu is the best! Ubuntu will rule the entire world! What the heck is Unity? Is a joke? Time to change again...
My totally non-technical inclined wife asked me to replace that crappy OS running on her computer, and asked me for a Linux. And I installed Mint for her. And she was very pleased. I was too. And I installed Mint. And liked.
Mint forever! Mint is the best! Mint will rule the entire world!
But I maintain servers too, not only my desktop.
My servers started with Conectiva, migrated to RedHat, migrated to OpenBSD for a long time, and some stays OpenBSD.
My clients today uses RedHat Enterprise, SuSE Enterprise, and Debian.
Or use a mainframe running lots of Linuxes... Can cut the power to 10% while delivering the same computing power. Mainframes have a very good power management this days.
There's a special kind of brain that can play pianos. Another kind can do math by thinking. Another transforms recipes into delicious cookies. Give me the best cookie recipe and I can tranform it into smoking charcoal in no time. Give a map to my wife go North of home, and she will end up lost. I can drive almost anywhere even without a map.
So, there's a special kind of brain that can code. Ask around if people can imagine an 5-dimensional array. I can. It is easy for me. My wife can't. My brother can't. But my wife is very good at a lot of things where I suck.
The appeal is that with almost the same price as an Arduino you can have a Linux PC. Or the same price you pay for a Ethernet shield for that arduino, you have ethernet and USB connectivity.
And it's hacker friendly, but depends on what kind of hacker you are thinking. I am the kind of hacker that will get one RasPi, put a Linux on it, install OpenVPN, Transmission, ssh, plug a usb-wifi dongle, a external disk, and forget it on some corner of my house. And I will be happy.
If you are the kind of 'network security' hacker, you got covered too. With a USB dongle, a cellphone battery and a small circuit to drive the power to the RasPI, you will have a very small pentesting device, and you can conceal it as about anything: a book, a Starbucks cup, a Mc Donalds fries box, a toy. And you will have enough CPU power to crack any WEP connection. Add a 3G dongle, and you will have remote connectivity. Tape it under any desk, and you are done.
High altitude photography hacker? Good too. Put a pack of batteries on it, a decent sized SD-Card, a UD USB webcam, your favorite Helium balloon, a 3G dongle and a GPS dongle, and you will have beautiful pictures of the Earth from near space. And as soon as it lands, the coordinates can be sent to you by SMS.
But if you are a kernel hacker, or want to change the memory, or access the GPU for some crazy-fast simulation, you are out of luck. For that cases, buy a TI OMAP.
Useless? No, I don't think so... It's indeed very very useful for a price you pay for your dinner...
Slashdot Mirror
Ok, let's elaborate...
Usually, the C&C server is a rented virtual server, hosted on a "cloud provider" with little regard to identity verification. Those servers are always paid for with money from an untraceable source (like Webmoney or Western Union). This makes very difficult to track identities from the server to the money, and from the money to the owners of it.
VPS providers running Linux are plenty out there. And a remote Linux server is easier to manage than a remote Windows server [citation needed]. Deploying the C&C server infrastructure on Linux, using stolen SSH passwords with bots is way easier than do the same using rdesktop to deploy the infrastructure on hacked Windows servers.
So, probably the server is a virtual Linux server sitting on a datacenter, and the owners of the datacenter may not be aware of the fact that they host a C&C Server.
On the client side, they are surely running Windows. Compromising a Windows user is easier than a Linux user. Linux users generally does not run SSH, Apache, MySQL et al. Linux servers do. On the other side, there's a massive amount of pirated versions of Windows XP vulnerable to a wide range of local and remote exploits. Sending a threatening email with a link is a very easy way to get a user hit a site hosting an exploit pack and get infected. From there, the computer is owned and the user is owned as well.
It can be a directed phishing. If someone had access to the bank's client list, they can send a very convincing email with real data, and get a lot of customers infected. If they send a generic email to a lot of unrelated people, someone will notice and probably inform the bank of the attack.
The C&C server probably runs Linux. The stolen victims problably runs Windows.
Looks like you know nothing about mainframes and "aged technology". I work with mainframes. zVM, DASD, DirMAINT, RACF and other buzzwords are in my resume, along with Linux, Java, PHP, XML, jQuery, MariaDB, HTM5, Eclipse and others.
Mainframes are not aged technology. They are perceived as such by small companies and people. Big companies with big bucks know a lot about mainframes. They know mainframes are the most reliable hardware platform on the market today, and I guess it will continue as so for a couple of years, because mainframes were made from the start to be reliable. Other platforms got they reliability implanted on them. Mainframes were designed reliable and resilient.
Mainframes today runs Linux too, not only the "aged mainframe operational systems." And here we have mainframes running hundreds of Linuxes with jBoss. They are about to be orchestrated by OpenStack, so managing all this "aged technology" will be done in brand new Android and iOS tablets.
Job prospects in my area, at least for the next decade, are very good. Half the openings in my area are still open, paying for a intermediate zVM administrator almost twice what a senior Java programmer or MCSE will receive. And there's no people applying!
But if the mainframe job market have a problem, is lack of people. Mainframes are not user friendly, and youngsters are not likely to devote two or three years learning something from the grannies, on a very harsh learning environment, with a step learning curve, when all their peers are talking about creating a new app and selling to Google for a gazillion dollars.
Peer pressure is a greater force than job prospects. I faced this pressure when I talked to my peers that I was learning mainframe and everybody laughed at me. Now I earn 3 times what they do, and I am training some of them to work with me.
Not only that, it says "can be compiled for Linux, Mac, and Android". What about Windows?
The front-end is HTML5/Javascript. The daemon is written in C++, using a few open source libraries. It would only require a good C++ developer to port it to Windows.
And the entire protocol is opensource, the core technologies are opensource, so anyone with a good knowledge in C++ and any other language can port it to anything...
Yes, and you can use it as an excuse when you "mustype" something:
-It was the keyboard! It's a typo!
Is in Rio de Janeiro, were the heat is setting off sprinklers.
How this ended up on /. frontpage is still a mystery to me...
They have a small, experimental tower, and users can saturate it quickly. Limiting each call to 5 minutes means that even on a saturated situation, everybody can use the system. You get dropped and enter the queue, and you can be sure that you can get access again later. If there's no such rule, some users could talk 4 hours straight and deny access to every other user. Here in Brazil we have dropped calls every few minutes and almost everybody accepts this as normal, so I guess the Mexican folks can handle that fine.
Let's pretend you have a million bucks on some bank (do you have, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to its network card and could access all bank servers and read data from any account.
Who would you blame? The bank or the guy?
I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T had to get a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.
No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers uses. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
If Weev loses the appeal, the traffic on full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
Even Weev being a troll and thinking on making profits over the AT&T mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, looks like AT&T did everything right, responsible, blameless, and a evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bothered to protect the data in any way.
Nothing that the might checkinstall package cannot solve. Install it on your compiling machine, ./configure && make && checkinstall make install
It will create a shinny native package, compatible with your distro, ready to be installed with dpkg, yum, or whatever package manager you happen to have...
Or go full source and get a Gentoo distro...
And Microsoft is dangerously passing the message "don't buy now, wait until we give you all a huge discount later" for its customers.
Zune? Flop. Discounted and still flopped...
Windows Mobile Phones? Flop. And Lumia is even behind Blackberries
Surface? Flop. Give it for free to say we have marketshare.
Xbox One? Walking down the flop path, but some hope still exists...
If the system is running fine for decades, what is the chance that it would suddenly die for no reason next week? .NET, if they are working just fine?
It's a very good hardware platform, made to last for centuries. Is different from your brand new GPU card that will fail and die in 4 years. Mine have not failed yet, but will soon.
Almost all the banking business in the world runs on COBOL, compiled almost 40 years ago, and that keeps running and running. Why replace the core COBOL with Java or
Rest assured, the trusthy PDP-11 will keep the nuclear plant running safe, as it has been done in the past couple decades.
No, it's not plain and simple cruelty. It can be later used to fix people with tetraplegia. Or a lot of neurological diseases.
They are not making it for the sake of having "remote controlled bugs".
The Amish are not thinking on the billions, they are thinking on their land. They rarely rely on money anyway, so the billions would not be that compelling to them. But frackle their soil and wreck their land, and they will be deeply concerned.
You should reconsider staying online on next April 1st...
Is very easy to create a perfect, 100% accurate progress bar that works on all situations:
1 - During the first part of the job, show the words "Estimating time. Please wait."
2 - Do all the job, maintaining the "estimating" thing...
3 - After the job is complete, make up some numbers (e.g. "45 seconds left").
4 - Keep decrementing the time as accurately as possible. The user can't know that the job is already complete and you are wasting his time.
5 - The user will be pleased to see that your 45 seconds took exactly 45 seconds.
As Cypher said once, "Ignorance is bliss."
First, define "a few"...
And it's not lame. They are doing an amazing piece of hardware, and even if it's pricey today, it is a start. I am pretty sure the price will go down in the following years, and more and more people will be able to use it.
As the time of writing, they have already passed $34k, and I am sure they will hit the $100k mark soon. I don't have that much money to invest on them, otherwise I would already been waiting for my unit to come.
And I am not a researcher nor a dedicated hobbist...
I started with Conectiva, a Brazilian distro. The installation killed my entire disk, and my Windows partition was killed along with my backups. And it was a good thing, because I was forced to use Linux. And without internet connectivity, restarting my Windows life would take a lot of time and floppy disks.
From there, a Mandrake. It was the first distro with drivers for my alien extraterrestrial ultra powerful soundcard. Even on Windows I had never ever heard anything from it. Until that rainy day, 3am, alone home, in the dark, and after booting Mandrake for the first time. I had two big speakers on a nice setup, plugged to the computer, and mute. But when the KDE login sound blasted through them, I almost fell of the chair.
Things changed, I migrated to RedHat. And I was happy. Until the day the them-CIO of RH told everybody that end users should use Windows, Linux was intended for servers. And I found RH9 clumsy and crippled. And I migrated to Ubuntu Warthog.
I was happy with Ubuntu, until I saw the speed of a Gentoo box. And I tried Gentoo. And for some time I was happy. Until a friend asked me "why Gentoo?" and I realized I was shaving milliseconds of time to run the programs, and spending hours to download and build them. Back to Ubuntu.
Then a friend shows me SuSE. It was full of whistles and bells, a very nice setup, and I tried. For a month... And back to Ubuntu.
Ubuntu forever! Ubuntu is the best! Ubuntu will rule the entire world! What the heck is Unity? Is a joke? Time to change again...
My totally non-technical inclined wife asked me to replace that crappy OS running on her computer, and asked me for a Linux. And I installed Mint for her. And she was very pleased. I was too. And I installed Mint. And liked.
Mint forever! Mint is the best! Mint will rule the entire world!
But I maintain servers too, not only my desktop.
My servers started with Conectiva, migrated to RedHat, migrated to OpenBSD for a long time, and some stays OpenBSD.
My clients today uses RedHat Enterprise, SuSE Enterprise, and Debian.
Or use a mainframe running lots of Linuxes... Can cut the power to 10% while delivering the same computing power. Mainframes have a very good power management this days.
There's a special kind of brain that can play pianos. Another kind can do math by thinking. Another transforms recipes into delicious cookies. Give me the best cookie recipe and I can tranform it into smoking charcoal in no time. Give a map to my wife go North of home, and she will end up lost. I can drive almost anywhere even without a map. So, there's a special kind of brain that can code. Ask around if people can imagine an 5-dimensional array. I can. It is easy for me. My wife can't. My brother can't. But my wife is very good at a lot of things where I suck.
I liked the script, but I think sha256 is way too much overkill. CRC32 will suffice.
The appeal is that with almost the same price as an Arduino you can have a Linux PC. Or the same price you pay for a Ethernet shield for that arduino, you have ethernet and USB connectivity. And it's hacker friendly, but depends on what kind of hacker you are thinking. I am the kind of hacker that will get one RasPi, put a Linux on it, install OpenVPN, Transmission, ssh, plug a usb-wifi dongle, a external disk, and forget it on some corner of my house. And I will be happy. If you are the kind of 'network security' hacker, you got covered too. With a USB dongle, a cellphone battery and a small circuit to drive the power to the RasPI, you will have a very small pentesting device, and you can conceal it as about anything: a book, a Starbucks cup, a Mc Donalds fries box, a toy. And you will have enough CPU power to crack any WEP connection. Add a 3G dongle, and you will have remote connectivity. Tape it under any desk, and you are done. High altitude photography hacker? Good too. Put a pack of batteries on it, a decent sized SD-Card, a UD USB webcam, your favorite Helium balloon, a 3G dongle and a GPS dongle, and you will have beautiful pictures of the Earth from near space. And as soon as it lands, the coordinates can be sent to you by SMS. But if you are a kernel hacker, or want to change the memory, or access the GPU for some crazy-fast simulation, you are out of luck. For that cases, buy a TI OMAP. Useless? No, I don't think so... It's indeed very very useful for a price you pay for your dinner...
Being guilt is very different than be forced to pay $670k for 31 files. Even the Goldman-Sacks source code are cheaper!
It is hard to go after the linking sites, they are way too much. The storage sites are just a few, and is easy to go after them.