Why are ISPs allowed to sell an 'unlimited' plan that has limits?
First, the plan isn't simply defined by a single word. The plan, and your agreement to use the plan, is conditioned by paragraphs of words that make up a contract.
This contract grants you the ability to use unlimited bandwidth for personal use. They attempt to prohibit you from exploiting this resource by, say, leasing your bandwidth to a CDN network and running storage servers for them.
I force-refreshed my WeatherBug so many times earlier this week. I'm in NYC, and I was dumbfounded at how bad the weather reports/predictions were. At one point I'm standing in the park, it's about 70 degrees, and WeatherBug says in an hour it's going to be 84 degrees. An hour later it was 71. It stayed under 75 the whole day.
The count of comments and the comment data themselves are cached at different times. It's quite possible, immediately after an article is published, to see a difference between the count and the actual comments.
In NYC they don't want us calling 911. They want us calling 1-888-NYC-SAFE or 311.
I saw something odd walking down the street a few months back. I called 311, who talked to me about what I was seeing for about 30 seconds and then said, "OK, I'm going to bring in a 911 officer now and they will handle this".
I wasn't sure if what I was seeing was benign or not, which is why I would never have called 911 to report it.
I got called back later about the situation from a detective. It's a good thing I felt comfortable enough to dial 311.
It's no different than Google checking URLs for malware and warning you when you click a URL hosted on any of the Google services. Also, this:
even if they are HTTPS URLs and contain account information
That makes no sense. First, why would HTTPS be some sort of exception? It's not like SSL'ing a website is all that difficult. Second, why would you supposedly go through the trouble of using a 'secure' HTTP address if you are then going to pass account credentials in the URL? I know the whole communication is encrypted, but why would you pass "https://user:secret@www.supersecurebank.com/something?foo=bar" via a Skype message if it was really the intention to be secure (putting aside the absurdity of leaving credentials in the URL)?
Long story short, this looks like Skype looking out for the 99% of the internet, and the 1% are crying foul. I'd rather every link my family sends each other via Skype be threat checked.
The only new technical implementation is via the torrent link: you can download his database, which has the responses for different ports. With a simple query of his DB, you can tell the vulnerability of an IP address...
Takes the guesswork out of it really... That's something new, in the sense that the everyday script kiddie didn't have this prior to this research release.
This wasn't a simple port scan. I RTFA, so let me help you out.
He (there is no They or We; read the end of the article) compromised devices and uploaded his own code. He was 'nice' about it, in the sense that he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work (like using your router's HTTP interface to execute traceroute on his behalf, possibly inside your network).
For the vast majority of the IPs he just did NMAP/ICMP, sure, that's nothing these days. For the half a million devices he turned into his own botnet.... that's illegal.
Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list of IPs that run a version/flavor that I have a 0day on. No more need to scan the net myself.
This is going to accelerate botnet growth. That may be good; maybe we'll finally figure out some way to detach/block IPs that fail to patch.
They didn't force the reboot, so they don't need to account for lost uptime. But they do concede what bandwidth and processing time they used. You could argue they used extra energy, CPU load, and bandwidth, and that equates to money.
What they really got 'lucky' on is that they didn't code in a fatal flaw and accidentally create something with a race condition that resulted in a distributed DoS to every IP on the network. We've seen things come close to that in the past with worms. I put quotes around lucky because I think these guys did their homework, and specifically validated their experiment in a limited environment before releasing it.
That said, your test environment is rarely a perfect simulacrum for the real world.
It's a very scary grey hat project. I thought this finding was interesting though:
So, how big is the Internet? That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.
Based on their rather thorough analysis, only about half the IPv4 address space is being actively used.
I kind of feel this is a little akin to working with scientific research that comes from morally grey or even black experiments...
Another thing to consider about this is that, based on the platform they built, they could go for the Black Knight approach and rescue all the flawed devices without their consent. You could easily see taking this project and saying "How do we patch the devices in a way that causes the least amount of harm, and adds the most amount of security?"...
Inoculation can kill though...
Fine line... very fine line. At the end of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.
First off, the whole reason these guys got whacked by the judge is because they did the standard script-kid thing and went onto IRC and boasted about it, and talked about how they were going to take down AT&T and make a name for their security company (Goatse Security, obvious play on goat sex troll).
He didn't "break in". He sent requests to a publicly-accessible web server, and AT&T sent back private information. This wasn't hacking, or even a DOS attack. AT&T is at fault here.
By that rationale, any request on a web server via HTTP GET or POST that could escalate privilege or divulge private data should go unpunished. You realize the number of vulnerabilities accessible via a well-crafted GET URL? XSS, SQL injection, tons of stuff. Ignore the fact HTTP is even involved here. This is no different than finding a weakness at any other level of the OSI model; the fact people can easily understand HTTP GETs doesn't make them any less serious and dangerous to an attacker.
Honestly, this was argued over the Ping of Death back in the day. I mean, you're simply sending an ICMP packet via a ping command; it's not like you're hacking.
In the end it's about context. Exploiting a weakness is by definition hacking. Just because the hack isn't enigmatic doesn't mean it's not a hack. Look at John Draper and a plastic whistle that happened to hit 2600 Hz easily.
"But it's just a guy blowing a whistle into a phone, it's not hacking".
These guys crafted a specific HTTP GET request that returned private data. The key in this request was generated by them based on a known flaw in AT&T's systems (using the ICC-ID as a semi-private key). Then they shared that data with a news organization.
Sure, those of us in the industry can shake our heads at how stupid AT&T was, but at the same time most of us recognize the line these two guys crossed. It's one thing to send an e-mail to AT&T and copy a security mailing list with a simple example; it's another to write a program and automate the extraction of over 120k e-mails and then package the data and send it to Gawker, while boasting about it on IRC channels.
Auernheimer likened his actions to walking down the street and writing down the physical addresses of buildings, only to be charged with identity theft.
I could make the same argument for randomly trying passwords against accounts. "I'm just checking to see if this key happens to work in this door...."
I'm pretty confused as well, and I read the whole thing.
I think it might be a slash ad for some site we all are supposed to know (never heard of ProPublica) hiring new devs, or taking old ones that Google doesn't want...
Honestly, I know I've only had a sip of coffee so far today, but this makes no sense to me.
I'm so with this guy, I gave up modding him up just to give credence to his point.
Selective responses from the end of the Wired article....
It's just another industrial zone being set up around Kashgar, this one near the airport. They're all the rage there, now that the city has been prioritized as a special economic zone.
Large population center to the south and west and lots of agriculture to the south and east. Most likely ag processing.
There's a large reservoir just to the right (East) of the site. Also, if you scan out further you'll see that the whole area is agricultural / dairy. You certainly couldn't have all that farming without a LOT of water.
My main point is this location is not of a sensitive nature, given that all foreign satellite topography imagery for public use is heavily screened. This ex-CIA agent knows this, and just fed Wired a hollow bone.
Yeah, that U-shaped thing looks like the normal open-air agricultural storage thing. We have them all over the west and midwest.
The Ask Toolbar is integrated with the Java download. During the installation of Java, users are presented with an option of downloading the Ask Toolbar
Also, although it's fixed now, for a time you couldn't direct-link to the Win x64 JRE. It forced you through a page that would check your browser and give you a 32-bit JRE if your browser was 32-bit. I used to have to fire up IE 64 on Server 2008 to grab a JRE to install on my 64-bit OS.
I don't think anyone died in NYC. I heard someone got electrocuted in Queens, but haven't heard of any fatalities in the city proper.
It really was just a flood event. The wind didn't do much to the infrastructure ( other than increase the surge ). I saw a pretty large tree in half out back of the Natural History Museum, but not much else around me in the city.
I know it's cynical of me, but I find it a bit sad that we can better plan data centers than medical facilities.
I know all the colocation facilities I've been to in Manhattan have generators above the 6th floor (sometimes in addition to generators in the basement). A few had them on the roof with some special setup that allows fuel to be flown in by helicopter for worst-case scenarios.
Not sure what version of Windows had this last, but I remember being able to tile all open windows, and they would take up all available screen real estate. It wasn't a horizontal tile, wasn't a vertical tile, and wasn't a cascade. It may have been arrange, but I remember doing it once with 10 Excel windows open on like 640x480, and they each took up so little space you could only see the control bars.
To fix it, we're going to need to work on social justice and rethinking how we live and work and relate to each other. Geek toys like self-driving cars and augmented reality sunglasses won't fix it. Social networks designed to identify you to corporations so they can sell you more stuff won't fix it. Better ad targeting or content matching algorithms definitely won't fix it
My wife and I are re-modeling my in-law's 3000 sq foot single-level house, and we're both very wired, tech-savvy individuals. We will both have offices, as well as TVs in the bedroom and dining room.
Am I the only one scratching my head on this? Are they doing this for his in-laws? Why would they both have offices at her parents' house? Is it their house now? Why call it her parents'? Did they not pay for it?
Put a digital clock in each room, call it a day, and invest the money in a high yield bond, until you can afford your own home.
It's a horrible article. It's really trying to make out like it was some cloak-and-dagger, crypto-cracking fu used by this 'mathematician' against the founders of Google. He mentions (many times, like The Lady Doth Protest Too Much, methinks...) that he thought it was an elaborate test. I read his take on this to be a defensive argument, in case they choose to go after him for spoofing e-mails. Which is what he did.
He wasn't limited to 77 TB.
It was sometime at or around this watermark that a Verizon engineer finally got to his flagged account, and tried to figure out what was going on.
After all, maybe he was infected, and his home machines were being used to stream MMA fights to Pakistan. Or maybe he was subleasing his bandwidth and servers to a CDN network.
This is wise of them.
This.
Gods, man. Can't you just keep your opinions to yourself and try to act like a reporter?
You're only human...
http://www.telegraph.co.uk/science/science-news/9989623/Feeling-of-being-watched-hardwired-in-brain.html
He uploaded a binary to 'insecure' devices, to run his code and build his own 'ethical' botnet.
This isn't just checking ports and default logins and reporting back.
They are. You are getting all shares cashed in for 13.65 a share.
WTF Guys?
Seriously? We're going to keep playing this game? OMG, my Samsung Galaxy has more power than the entire processing power of every satellite in orbit. THIS MEANS SOMETHING, I SWEAR IT DOES...
it means nothing
nothing
you lose
good day sir
They still do it. See here: http://www.java.com/en/download/faq/ask_toolbar.xml
From Java.com:
At 100 Williams Street, http://www.nyistatus.com/
My server and connections have been up non-stop.
I don't think MS is going to have a problem with this: http://asset0.cbsistatic.com/cnwk.1d/i/tim/2012/10/31/SurfCast_patent_application_610x587.png
Holy rant...
Here's another idea, it's not broke.
According to Amazon, it's not an outage, it's a "performance disruption". My guess is this will negate costly concessions based on SLAs.