Slashdot Mirror


User: dweller_below

dweller_below's activity in the archive.

Stories
0
Comments
138

Comments · 138

  1. Re:This is not a game changing tactic. on The Slow Bruteforce Botnet(s) May Be Learning · · Score: 5, Informative

    We like our visualizers. Our router guy has created 2. They are both GPL. We use them every day. I suppose you could consider them late Beta.

    The IPVisualizer:
    https://it.wiki.usu.edu/IPVisualizer
    gives us a real-time overview of our entire IP address space. It is particularly good for revealing reconnaissance attacks.

    The Organic IP Visualizer:
    https://it.wiki.usu.edu/OIP
    provides a focused view of the activity of a subset of our network.

    Miles

  2. This is not a game changing tactic. on The Slow Bruteforce Botnet(s) May Be Learning · · Score: 5, Interesting

    I do computer and network security for a university.

    This distributed SSH password guessing is not a new tactic. We have seen and tracked this tactic off and on for over a year.

    If this tactic was a game changer, we would have seen it ramp up before now. It would occur all the time. But it doesn't. It only seems to occur during holidays.

    At its heart, this tactic is not any more effective than non-distributed password guessing. Either way, the attacker has to enumerate the same number of guesses before finding a hit. If a machine is vulnerable, it will be successfully attacked by either approach to password guessing. If it is not vulnerable, neither approach will work.

    Modern hacking is an economic activity. It must balance risk and reward. This attack doesn't offer any more reward than conventional password guessing. Its main feature is to try to change the risk side of the equation.

    Conventional SSH password guessing is noisy. One machine will portscan for TCP/22. Then it rapidly guesses passwords against everything that responds. That one machine is usually lost to the attacker. Automated defense systems block it. Also, defenders report it to the owning ISP. The only way this works for the attacker is if he can harvest more than he loses.

    The distributed guessing attack is also noisy, but in a different way. Currently, we see the attacker start by sacrificing 1 computer to do a TCP/22 portscan. At this point, he has already risked as much as a conventional password guessing attack. Then he feeds the results to a bunch of bots. Each bot then takes turns guessing passwords. Each bot guesses 1 password at a time. However, each bot guesses against multiple SSH servers at the same time.

    This attack is inherently more risky than conventional password guessing. The attacker exposes many of his computers. If we can detect and respond, this attack is not as cost effective as conventional password guessing.

    It is easy for my university to detect and respond to these attacks. We detect it in three different ways.
    1) Each attacker has a distinctive network behavior pattern. We can automate detection by looking at aggregate Cisco netflow data.
    2) It is trivial to pick off this attack using a SSH honeypot.
    3) We use a network visualization tool to watch aggregate SSH activity. This password guessing is obvious on our visualization tool.

    Once we have detected the attackers, we respond to them in the normal way. We block them. We inform our peer institutions and the authorities. We inform the owning ISP.

    The main difference in this situation is that detection and response is easy if you have access to aggregate traffic or multiple SSH servers. It is difficult if you only manage 1 SSH server.

    I don't expect this form of attack to last much longer. I am sure that everybody else is adapting. Once the defenders adapt, this tactic is too expensive to be used.

    Miles

  3. Re:Are filters in schools that bad? on Obama Wants Broadband, Computers Part of Stimulus · · Score: 2, Interesting

    I do IT and network security for a university. One of my big concerns is deprogramming all the proto-hackers that are coming to us from the secondary schools.

    You need filters in elementary ed. You still need some filters in secondary ed, but you have to be very careful how you do it. Teenagers start off smart and rebellious. From that starting point, it is easy to turn a high school into a factory for creating talented hackers.

    Every semester, a university has to deprogram these people. It is well worth the effort. They turn into our most valuable thinkers. And, if you can't get them back, you end up in a world of hurt.

    Every time, it's the same thing:
    - Honest! We have no filters.
    - No, we don't care what you look at. Just be ethical and don't hurt others.
    - Yah, you can look at pron. But it doesn't get the homework done. And it is not as satisfying as going out with people or creating stuff.
    - Yah we detected your attempt to hack the routers or do IP MITM. Honest! You don't need to do this crap to get to the internet here.

    This used to be easier. But lately the kids are getting more paranoid.

    Miles

  4. This attack must balance reward and risk. on Distributed, Low-Intensity Botnets · · Score: 2, Interesting

    This is not a game changing tactic. My institution has documented this style of attack on several past occasions. There was some of this going around near the 4th of July. There was an extended bout this time last year. The attackers only use this tactic a few times a year. We have come to expect it on major holidays.

    Economics cannot be ignored. This attack must balance reward and risk.

    In a normal SSH password guessing attack, the attacker risks a handful of computers. The committed computers do very noisy attacks and are probably lost to him.

    In this SSH attack, the attacker risks hundreds of computers. This only pays off if the possibility of detection is greatly reduced or if the reward is greatly increased.

    Fortunately, it is easy to detect this attack, and identify the attacking computers. You can use Cisco netflow data to characterize and identify the attackers. You can also identify the attackers with a SSH honeypot.

    My institution takes the effort to document these attacks and report the attacking computers to their ISPs. It doesn't always work, but it works often enough to change the economics of attack. And each reported attacking machine is a possible pointer back to the hacker. Plus, it is the right thing to do.

    Miles
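
    Editor's added example, not part of Miles' comments and not the university's own netflow tooling: the detections described in comments 2 and 4 above (the sacrificed TCP/22 port scanner, the single noisy guesser, and the bots that each send a guess or two to the same list of servers) written as aggregate-flow logic and run over constructed flow records. The five-field record layout, every threshold, and the IP addresses are assumptions for illustration; the sample data is generated in the script, not captured traffic.

```python
# Added example, not the original poster's code. Record layout and thresholds are assumed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"


def parse_flows(text):
    """Parse 'ts,src,dst,dport,proto' lines; blank lines and # comments are skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = (p.strip() for p in line.split(","))
        flows.append(Flow(int(ts), src, dst, int(dport), proto.lower()))
    return flows


def ssh_pair_counts(flows):
    """Number of TCP/22 flows seen per (src, dst) pair."""
    counts = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dport == 22:
            counts[(f.src, f.dst)] += 1
    return counts


def find_rapid_guessers(flows, min_flows_per_dst=10):
    """Conventional guessing: one source opens many SSH sessions to one server."""
    counts = ssh_pair_counts(flows)
    return sorted({src for (src, _), n in counts.items() if n >= min_flows_per_dst})


def find_port_scanners(flows, min_targets=20):
    """The sacrificed scanner: one source, a single flow to TCP/22 on many hosts."""
    targets = defaultdict(set)
    for (src, dst), n in ssh_pair_counts(flows).items():
        if n == 1:
            targets[src].add(dst)
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def find_distributed_guessers(flows, max_flows_per_dst=2, min_targets=3,
                              scan_threshold=20, min_sources_per_target=5,
                              min_shared_targets=2):
    """Distributed guessing: each bot sends a flow or two to several servers, but
    many bots share one target list. A lone admin is also low-rate/multi-target,
    so a source is flagged only when its targets are shared with many other
    low-rate sources. Returns (bots, servers_under_attack)."""
    targets_by_src = defaultdict(set)
    for (src, dst), n in ssh_pair_counts(flows).items():
        if n <= max_flows_per_dst:
            targets_by_src[src].add(dst)
    # multi-target, but not so many targets that it is the port scanner itself
    candidates = {s: t for s, t in targets_by_src.items()
                  if min_targets <= len(t) < scan_threshold}
    sources_by_target = defaultdict(set)
    for s, t in candidates.items():
        for d in t:
            sources_by_target[d].add(s)
    hot = {d for d, srcs in sources_by_target.items()
           if len(srcs) >= min_sources_per_target}
    bots = sorted(s for s, t in candidates.items()
                  if len(t & hot) >= min_shared_targets)
    return bots, sorted(hot)


def build_sample():
    """Constructed flow records (not real data) containing every pattern above."""
    ts = 1_230_000_000
    lines = ["# ts,src,dst,dport,proto"]
    # the sacrificed scanner: one flow to TCP/22 on 40 hosts
    lines += [f"{ts + i},198.51.100.9,203.0.113.{i + 1},22,tcp" for i in range(40)]
    # a conventional guesser hammering a single server
    lines += [f"{ts + 100 + i},198.51.100.7,203.0.113.10,22,tcp" for i in range(12)]
    # six bots, one or two guesses each against the same four servers
    servers = ["203.0.113.20", "203.0.113.21", "203.0.113.22", "203.0.113.23"]
    for b in range(1, 7):
        for j, dst in enumerate(servers):
            lines.append(f"{ts + 200 + 10 * b + j},192.0.2.{b},{dst},22,tcp")
            if b % 2 == 0:  # every other bot gets a second guess in
                lines.append(f"{ts + 205 + 10 * b + j},192.0.2.{b},{dst},22,tcp")
    # an admin legitimately logging in to three other boxes
    lines += [f"{ts + 300 + j},10.0.0.5,203.0.113.3{j},22,tcp" for j in range(3)]
    # unrelated traffic on other ports
    lines += [f"{ts + 400},10.0.0.6,203.0.113.20,443,tcp",
              f"{ts + 401},10.0.0.6,203.0.113.21,53,udp"]
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample()

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("rapid guessers:      ", find_rapid_guessers(flows))
    print("port scanners:       ", find_port_scanners(flows))
    bots, hot = find_distributed_guessers(flows)
    print("distributed bots:    ", bots)
    print("servers under attack:", hot)
```

    The point the comments make is visible in the code: the distributed variant is only detectable because the aggregate view sees that many low-rate sources share one target list, which is exactly what the admin of a single SSH server cannot see. A production version would bucket by the `ts` field (the bots take turns over hours), fold in packet and byte counts from the real export, and feed the flagged sources to the blocking and ISP-reporting steps the comments describe.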

  5. Open letter to EA on Spore DRM Protest Makes EA Ease Red Alert 3 Restrictions · · Score: 1

    Dear EA,

    I hope you get this. I was unable to find an email address on your web site.

    I have been waiting for Spore for years. However, now I will not buy it. It still appeals to me. I've got the money all ready and waiting, however I will not deal with the restrictive DRM. Not on Spore. Not on Red Alert 3. I have better uses for my time and money.

    Goodbye,

    Miles Johnson

  6. Re:Can you legally sell them on Police Busted When Tracking Device Found On Car · · Score: 1

    Seems to me that one of the best ways to combat undesired police behavior is via economic pressures. Going the PR route is a good one if the likely outcome is a reduction in the police budget. However, selling the devices is not likely to be effective, unless it is part of an effective PR campaign.

    If you don't wish to go the PR route, perhaps the best way to approach this is to attack the police tracking budget directly. Destroy the devices in a non-obvious way. Perhaps by opening them up and soaking them in salt water. Rinse well. Reattach. When police replace, repeat. It won't take long to run out the police budget.

  7. Microsoft still wins. on Sweden's Vote on OOXML Invalidated · · Score: 5, Insightful

    Bottom line:

    Microsoft failed in its attempt to buy a 'YES' vote from Sweden.

    Microsoft successfully used its money to turn Sweden's 'NO' vote into an 'ABSTAIN' vote.

    Miles

  8. Re:So using this logic.... on Michigan Man Charged for Using Free WiFi · · Score: 2, Insightful

    This outlines another, deeper problem.

    The law is not an end in itself. Nor does the law only exist to support lawyers.

    The law must support the people. The people must understand the law. It must exist in their hearts. It must resonate with them.

    Without the support and understanding of the people, the law is just tyranny.

    I believe that this is the whole intent of jury trials and Jury Nullification (http://en.wikipedia.org/wiki/Jury_Nullification). It exists to keep the law and the people in sync.

    Miles

  9. Spelling nit on Microsoft to Pay $1.52 Billion in Patent Suit Damages · · Score: 0, Troll

    > "A U.S. federal jury found that Microsoft Corp. infringed audio patents held by Alcatel-Lucent and should pay $1.52 billion"
              ^^^^^^^

    You misspelled feral.

  10. I smell a red herring. Wonder what is really up? on FBI Planning New Net-Tapping Push · · Score: 1

    This can't be for real. I have met a few clueless FBI people, but they can't ALL be this dumb. I am an idiot, and I can spot some showstoppers:
    • No way to keep the access method secret. It would be exposed across too many implementations.
    • No way to keep the access method secure. It didn't work for Clipper under WAY more controlled conditions.
    • No way to keep the IP space that controls the wiretaps secret. Once those IPs get exposed, they have zero survivability on the internet.
    • Verifying an implementation would double the Time-To-Market. No complying manufacturer could compete.

    There is just no way to implement this stupid idea. Maybe this stupid idea is not meant to be implemented. Maybe it is just meant to be a distraction.

    Miles

  11. Re:Not illegal. on EFF Sues AT&T Over NSA Wiretapping · · Score: 3, Insightful

    Ultimately, I believe we will find that it is going well beyond communications where one side is 'al qaeda' and the other side is in the U.S.

    The administration is being extremely sneaky with their words. You have to realize that there are at least 3 separate sets of actions being discussed:

    • What actually happened.
    • What they want to justify.
    • What they intend to do in the future.

    Notice how they describe this as 'terrorism surveillance'. They say, they want to know when 'al-Qaida' calls. The problem is, from a constitutional perspective, the only way they can claim that 'al-Qaida' is calling is if the call originates from the US penal system.

    What they really seem to be doing is monitoring calls from: "Might be al-Qaida" to "Less likely to be al-Qaida".

    The gotcha is, everybody in the USA fits somewhere in this range, AND they have discarded all the legislative and judicial safeguards.

    Don't worry. As long as you can rat out 3 other 'terrorists' when they come for you, you will get off easy...

    Miles

  12. Wiretap crisis takes about 40 years to repeat. on Poll Finds Mixed Support for Domestic Wiretaps · · Score: 1

    It is eerie how clearly these crises were anticipated by the first US Supreme Court to fully grapple with the wiretap issues.

    It happened back in 1928. It is well worth reading.

    The case was OLMSTEAD v. U.S., 277 U.S. 438 (1928)

    There is a wikipedia article discussing this case at:
    http://en.wikipedia.org/wiki/Olmstead_v._United_States

    The decision is available on Findlaw at:
    http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=us&vol=277&invol=438

    Then, about 40 years later, it seems like the US had to explore just how bad things could get during the abuses of Operation Shamrock.

    Now, 40 years later AGAIN, we appear to be doing it all over again.

    Then, as now, the government appeared to have the best of intentions. Then, as now, the government violated the law in order to perform the wiretaps.

    Back in 1928, Associate Justice Louis Brandeis clearly anticipated our current situation. His words back then are extremely relevant today:

    Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
    [SNIP]
    Decency, security, and liberty alike demand that government officials shall be subjected to the same rules of conduct that are commands to the citizen. In a government of laws, existence of the government will be imperiled if it fails to observe the law scrupulously. Our government is the potent, the omnipresent teacher. For good or for ill, it teaches the whole people by its example. Crime is contagious. If the government becomes a lawbreaker, it breeds contempt for law; it invites every man to become a law unto himself; it invites anarchy. To declare that in the administration of the criminal law the end justifies the means-to declare that the government may commit crimes in order to secure the conviction of a private criminal-would bring terrible retribution. Against that pernicious doctrine this court should resolutely set its face.

  13. Lasting Legacy on Ask Sid Meier · · Score: 4, Interesting

    How do you hope to preserve a lasting legacy of game design?

    In order to leave a legacy, future game designers must have access to your work. Future game designers will have to overcome both legal and technical obstacles to access your work. The legal obstacles are not going to go away.

    I have purchased copies of Xcom1, Master of Orion, Master of Magic, Civ 1-3, and so on. However, this is no longer possible. Several of these are not for sale anywhere. We have seen the Linux variant of the Planetary Pack totally disappear.

    These works (and yours) will still be copyrighted by somebody long after my grandson is dead of old age.

    How do you hope to preserve a lasting legacy of game design?