SCO Group Web Site Attacked Again

FreeLinux writes "With not much SCO news today, it seemed that this story was needed - Reuters is reporting that, SCO is again suffering under a DDoS attack that has crippled their web site and email system since Wednesday morning. For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system. The denial-of-service attack started at 6:20 a.m. EST Wednesday and continued through the day, said Blake Stowell, spokesman for the Lindon-based company."
  • by tcopeland ( 32225 ) * <tom AT thomasleecopeland DOT com> on Wednesday December 10, 2003 @11:31PM (#7686604) Homepage
    ...by Eric S. Raymond [internetnews.com].

    He makes it clear that SCO is attacking everyone, but he opposes DOS'ing them, saying that "the open source community must use the truth, not criminal methods, as its weapons." Nicely done.
  • Re:Come on guys... (Score:5, Interesting)

    by Atmchicago ( 555403 ) on Wednesday December 10, 2003 @11:34PM (#7686622)
    It certainly was effectively used by the spammers to crush their enemies. I forget the name, but one of the major anti-spam websites was forcibly closed because of DDoS, and nobody was prosecuted.
  • Re:And groklaw... (Score:5, Interesting)

    by irokitt ( 663593 ) <archimandrites-iaur@@@yahoo...com> on Wednesday December 10, 2003 @11:40PM (#7686696)
    You've got a very good point. A DDOS attack has no timetable for recovery. While it isn't very similar in its method, the attack described here [grc.com] helps to illustrate that, going into recovery, there is no way of predicting a timetable.
  • It happens (Score:2, Interesting)

    by Dr. Nnivel ( 674463 ) on Wednesday December 10, 2003 @11:43PM (#7686732)
    While I in no way condone this, it's to be expected. SCO is pissing off a lot of people, and this is the kind of thing that is bound to happen when geeks are rather peeved. Granted, it shouldn't happen, but neither should any criminal activity. Not everybody is as mature as *cough* the /. community here, where we all shun such actions. I'm rather surprised it hasn't happened more, actually...

    That being said, SCO is probably revelling in this, even if it is genuine. In fact, DDoS is probably one of the perks to this whole thing - it makes everybody but them look bad, and they come out perfectly clean to the media. Playing the innocent little child who got their candy stolen, I dare say.
  • by Lord Prox ( 521892 ) on Wednesday December 10, 2003 @11:54PM (#7686810) Homepage
    Well... depending on how one wishes to view the situation, it could also be described as a "sit in" a la what the hippies did years ago. Civil disobedience as such. Yes, I know it is not the same thing, but it is not that different.

    That being said, *IF* the DDoS is coming from compromised machines without their owners' permission, that is criminal, but if it is otherwise (read: a coordinated demonstration with the users' permission) then calling it criminal seems a bit harsh. Digital Civil Disobedience seems more accurate.
  • by Korgan ( 101803 ) on Thursday December 11, 2003 @12:02AM (#7686860) Homepage
    This is getting just annoying. As has already been pointed out, the facts point to this being another hoax. However, as not everyone else in this community knows much about Security, let me add my few years of experience in to help those who don't understand.

    I should point out, this has pretty much been covered by Groklaw already and my methods don't vary too much from those already posted by them.

    SCO claims their email and web servers are unavailable because of a DDoS attack that has also infiltrated their Intranet and affected helpdesk services as well as other internal services. If this is the case, then it is more than just a DDoS they're suffering, or they are negligent in the highest order for failing to take simple steps to ensure a risk mitigated environment for conducting business within.

    Let's start with their Mail Server.
    Everyone has a backup mail server, usually hosted by a 3rd party to ensure that if your primary mail server is offline for any reason, mail can still be delivered successfully. The fact that SCO claimed their mail servers were unavailable suggests they either failed to purchase this extremely basic service or their setup is absolutely wrong by anyone's standards. The purpose of multiple MX records is for this exact situation. You start with a high priority MX record (say 10) and work your way down the order (usually in steps of +10, so the secondary is usually 20).

    Their Web Server
    Their webserver is hosted on exactly the same subnet as their ftp server. However, during this attack, their FTP server has been available to anyone that's tried to connect to it. If they were suffering a DDoS attack of the proportions that SCO claims, this server would also have been affected and taken offline. Yet this is not the case. This blows open entirely the philosophy of a DDoS attack without any of the further evidence.

    SCO has alluded to the fact that the attack is a basic SYN Flood. A very simple and old attack that has been blockable by nearly every appliance and OS for the past 3 years at least. Yet if they are suffering as they claim, then they are guilty of negligence for failing to apply patches or even configure their platforms correctly. It's very easy to turn the SYN Cookies on in Linux (sysctl isn't rocket science) and just as easy in something like a Cisco Router/PIX Firewall or a Checkpoint Firewall.

    The claims that this has adversely affected their intranet suggests that the intranet is in some way exposed to the Internet. Even more alarming is the fact that it disabled their Helpdesk services for a period as well. This would suggest that their network has absolutely no perimeter protection of any kind. The smallest flaw in a product they use could apparently be used to access their core network infrastructure. Isn't that where their source code and IP documentation are kept? I'd start getting very worried about now if I were an investor.

    Due diligence is a core principle of any company. That includes ensuring that the services relied upon are securely and properly setup and maintained. If SCO truly has been affected by an attack of any kind on the magnitude they're claiming, then they should be legally responsible for the results of their failure to perform due diligence. (However, IANAL so don't quote me on legalities, especially given I live in NZ, not the US).

    In short, the supposed attack on SCO does not add up at all. In fact, if they are being attacked this time round, they are in serious legal trouble themselves if their reports are accurate.

    I would also question why they have released this to the press as a Press Release instead of getting on with fixing the problem as quickly as possible. Also, how is it that their mail services are now restored, their FTP server never offline, yet their website remains offline? Surely, a DDoS would affect both.

    Not to mention the fact that it would affect SCOs upstream provider who, when contacted last time, saw absolutely no evidence of an attack in progress at a
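The MX fallback Korgan describes above is worth seeing as the actual selection procedure a sending MTA follows. The following is an added example, not code from the thread or from SCO: it implements the MX ordering rules of RFC 5321 section 5.1 over a constructed record set so it runs offline. Lower preference value is tried first, hosts sharing a preference are tried in random order, and the next host is used only when the current one does not accept the connection. It also includes the loop-prevention rule a practitioner tends to forget: an MTA that finds itself in the MX list drops every record at its own preference or worse, so a primary never relays "down" to a less-preferred backup. The hostnames and the `reachable` set are assumptions standing in for a real DNS answer and a real TCP connect on port 25.

```python
"""
Added example, not from the thread: the order in which a sending MTA tries the
MX hosts of a domain (RFC 5321 section 5.1), driven by a constructed record set
so it runs offline. Everything named here (hosts, the reachable set) is made up.
"""
import random


def mx_delivery_order(mx_records, self_host=None, rng=None):
    """mx_records: iterable of (preference, hostname). Returns hostnames in the
    order an MTA would attempt them; `self_host` is the sending MTA's own name."""
    rng = rng if rng is not None else random.Random()
    records = list(mx_records)
    if self_host is not None:
        own = [pref for pref, host in records if host == self_host]
        if own:
            # RFC 5321: a host listed in the MX set removes every record whose
            # preference is >= its own, so it never relays to a worse backup.
            records = [(pref, host) for pref, host in records if pref < min(own)]
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    order = []
    for pref in sorted(by_pref):            # lowest preference value first
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)                  # spread load across equal-preference hosts
        order.extend(hosts)
    return order


def deliver(mx_records, reachable, self_host=None, rng=None):
    """Walk the MX order and return the first host that accepts a connection,
    or None when every host is down (a real MTA then queues and retries, and
    bounces only after its retry window expires). `reachable` is a constructed
    set standing in for a successful TCP connect on port 25."""
    for host in mx_delivery_order(mx_records, self_host, rng):
        if host in reachable:
            return host
    return None


# Constructed zone: two equal-preference primaries and one off-site backup.
EXAMPLE_MX = [(10, "mx1.example.com"), (10, "mx2.example.com"), (20, "backup.example.net")]
```

With both primaries down, `deliver(EXAMPLE_MX, {"backup.example.net"})` lands on the backup, which is the behaviour a second MX buys you; with an empty reachable set it returns None and the sender queues rather than bounces. Note the other direction: `mx_delivery_order(EXAMPLE_MX, self_host="mx1.example.com")` is empty, because a primary holding mail for its own domain has nowhere further to relay and must deliver locally.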
  • by Platinum Dragon ( 34829 ) on Thursday December 11, 2003 @12:23AM (#7686975) Journal
    WARNING: I'm going to vector some rumours here. Feel free to slap them down if inaccurate, as I'm too damned lazy/tired to investigate myself right now.

    There are some rumours floating around the Yahoo SCOX message board that several directories containing Linux source code, such as patches and updates, are now missing from SCO's ftp server. Months ago, many people pointed out that SCO itself continued distributing copies of the kernel in support and updates directories on their ftp server. There is also speculation the strangely internal nature of this so-called DDoS attack may be part of an Ollie North operation to prevent certain evidence from falling into IBM's hands via discovery.

    SCO's execs need to read The Boy Who Cried Wolf a few times, and learn the lesson within. Darl, unlike Ken Lay, does not have close friends in the White House, and probably would not escape prosecution for any illegal acts being committed under his watch at SCO.
  • by bright9 ( 729468 ) on Thursday December 11, 2003 @12:45AM (#7687090) Journal
    <snip> logging into machines, uploading tools, etc. </snip>

    Zombie armies are probably most often built w/ auto-rooters -- "tools" that get passed around and modified. E.g. a script-kid may just have to specify which DCOM hole in which Service pack to attack, and then what irc server/channel he/she wants to command them all from. Then he/she installs it on joe user's 24/7 cable-connected box and lets 'er rip. Rinse and repeat 'til you've got 2,000 systems under your thumb.

    So yes, it takes a *little* work, but NO skill.
  • by hookedup ( 630460 ) on Thursday December 11, 2003 @12:45AM (#7687092)

    How secure are these undead nets?

    Well, once someone does gain control over the machine, by way of a Windows with a blank administrator password, they set the machine policy to prompt the user to enter a pass the next time the machine is logged into. And make a different account for themselves to log back on the compromised machine. If the user doesn't freak out about the password prompt, they are all set.

    So, to answer your question, I suppose they are about as secure as an unfirewalled/unpatched windows box, since the last thing the 'hacker' will do is put a firewall on the machine for you. :)
  • by kamog ( 584788 ) on Thursday December 11, 2003 @12:53AM (#7687134)
    Pinging www2.sco.com [sco.com] (216.250.128.33) produces a reply, and the corresponding website contains some seriously long-in-the-tooth (like, 2001) links to Caldera and Tarantella (what the bleep is that?) stuff. www.caldera.com [caldera.com] (216.250.128.12) proper does not respond to pings or http requests, while www2.caldera.com [caldera.com] resolves to the same long-in-the-tooth site.

    All this looks rather dodgy. Maybe they just hope to get slashdotted and then claim that this was the DDOS attack...

  • by Minna Kirai ( 624281 ) on Thursday December 11, 2003 @12:59AM (#7687158)
    Launching a DDoS does not require the slightest bit of hacking.

    "Computer hacking" is defined as "operating a computer in a manner inconsistent with its designed intent". Thus a DDoS fits perfectly. It's much more accurate than your other suggestions:

    Criminal: Entirely free of content. You'd have to be more specific. Also, computer tampering is not illegal in all jurisdictions, so not every hack is a crime (far from it)

    Script kiddie: Implies knowledge about the modus operandi that you can't possibly have (without being an accomplice). Do you know the assailant is an amateur who can barely run the kits he downloads?

    Script monkey: Makes a rather ludicrous suggestion of the perpetrator's species.

    Some people would likely suggest cracker. That is not correct for all DoS attacks, because cracker (as a person, not a food) is someone who penetrates security. However, a DDoS normally involves taking over several other computers beforehand, so cracker is likely to be appropriate.
  • by AndroidCat ( 229562 ) on Thursday December 11, 2003 @01:15AM (#7687254) Homepage
    A lot of the current ones try to spread themselves as email. (All those "security updates".) After a while they go quiet and .. wait .. for orders via whatever com channel they use.

    A lot of the emails don't make it to a system that can be infected, aren't opened by someone dumb enough, and so on. However, like the numbers involved in spamming, they just need a very small percentage to be dumb enough.

  • by Numeric ( 22250 ) on Thursday December 11, 2003 @01:18AM (#7687272) Homepage Journal
    here is a link to the mention thread, interesting read...

    Yahoo SCOX Thread [yahoo.com].
  • Re:Come on guys... (Score:2, Interesting)

    by Trepalium ( 109107 ) on Thursday December 11, 2003 @01:18AM (#7687273)
    A synflood would generally only affect the host it's directed at. There would be some extra traffic, but I believe even a 33.6Kbps modem can synflood a single server on a fat pipe (pipe size in this case does not matter). However, this is not what we're seeing. We're seeing their provider filtering www.sco.com's IP address. That's what's peculiar.
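Two claims in this thread go together: Korgan's point that SYN cookies (one sysctl on Linux) neutralise a basic SYN flood, and Trepalium's point just above that a SYN flood targets the server's half-open queue, not its bandwidth, so even a 33.6 Kbps modem is enough. The following is an added example, not code from the thread, from SCO or from the Linux kernel: it models SYN cookies with the same structure the Linux implementation uses (two keyed hashes, a 24-bit split between a low-resolution time counter and an MSS bucket index) in simplified form, and then runs a one-second-step simulation of a half-open queue with and without cookies. The secrets, addresses, backlog size, 60 s half-open lifetime and attack rate are all constructed assumptions.

```python
"""
Added example, not from the thread, SCO or the Linux source: a simplified model of
TCP SYN cookies plus a half-open-queue simulation. Constants below are assumptions.
"""
import hashlib
import hmac

COOKIEBITS = 24
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_COOKIE_AGE = 2                              # counter ticks a cookie stays valid
MSS_TABLE = (536, 1300, 1440, 4312, 8960)       # assumption: MSS buckets encoded in the cookie
SECRETS = (b"demo-secret-0", b"demo-secret-1")  # assumption: per-host secrets, rotated in practice
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"  # constructed documentation addresses


def _cookie_hash(saddr, daddr, sport, dport, count, which):
    """Keyed 32-bit hash over the connection 4-tuple and the counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(SECRETS[which], msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def mss_index(mss):
    """Index of the largest table entry not above the peer's advertised MSS."""
    idx = 0
    for i, bucket in enumerate(MSS_TABLE):
        if bucket <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Server ISN for the SYN-ACK: the state the server would otherwise queue,
    folded into 32 bits that only the real client can echo back."""
    data = mss_index(mss)
    return (_cookie_hash(saddr, daddr, sport, dport, 0, 0) + client_isn
            + (count << COOKIEBITS)
            + ((_cookie_hash(saddr, daddr, sport, dport, count, 1) + data) & COOKIEMASK)
            ) & 0xFFFFFFFF


def check_cookie(cookie, saddr, daddr, sport, dport, client_isn, count):
    """Validate the ISN echoed in the final ACK (ack number minus one). Returns the
    MSS encoded in a genuine, fresh cookie, or None for a forged or stale one."""
    cookie = (cookie - _cookie_hash(saddr, daddr, sport, dport, 0, 0) - client_isn) & 0xFFFFFFFF
    diff = (count - (cookie >> COOKIEBITS)) & ((1 << (32 - COOKIEBITS)) - 1)
    if diff >= MAX_COOKIE_AGE:
        return None                                     # too old: counter moved on
    data = (cookie - _cookie_hash(saddr, daddr, sport, dport, count - diff, 1)) & COOKIEMASK
    return MSS_TABLE[data] if data < len(MSS_TABLE) else None


def simulate_flood(attack_rate, backlog, half_open_life, seconds, syncookies):
    """One-second steps: the attacker sends `attack_rate` spoofed SYNs per second
    and never completes them; one legitimate client connects each second.
    Returns (legit_accepted, legit_attempted, attacker_bits_per_second)."""
    half_open = []          # expiry time of each SYN-RECV entry the server keeps
    accepted = 0
    for t in range(seconds):
        half_open = [exp for exp in half_open if exp > t]   # SYN-ACK retries give up
        count = 1 + t // 60                                  # minute counter
        if syncookies:
            # Nothing stored per SYN: spoofed SYNs cost one SYN-ACK each and no memory.
            cookie = make_cookie(CLIENT, SERVER, 40000 + t, 80, 1000 + t, 1460, count)
            if check_cookie(cookie, CLIENT, SERVER, 40000 + t, 80, 1000 + t, count) is not None:
                accepted += 1
            continue
        for _ in range(attack_rate):
            if len(half_open) < backlog:
                half_open.append(t + half_open_life)
        if len(half_open) < backlog:    # any room left for the real client?
            accepted += 1               # its ACK arrives at once, so its entry is freed
    syn_frame_bytes = 14 + 20 + 20      # Ethernet + IPv4 + TCP headers, no options
    return accepted, seconds, attack_rate * syn_frame_bytes * 8
```

Under the constructed numbers (40 spoofed SYNs per second against a backlog of 1024 with a 60 s half-open lifetime), the stateful listener accepts the real client for the first 25 seconds and then never again, while the attacker is spending about 17 kbit/s, well inside a dial-up line; the same run with `syncookies=True` accepts every client, because the server keeps no per-SYN state and a stale or forged cookie is rejected by `check_cookie` rather than by a queue limit.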
  • by kamog ( 584788 ) on Thursday December 11, 2003 @01:37AM (#7687354)
    Sorry about the self-followup - forgot two links of interest.

    The Age [theage.com.au] reports that Cisco routers would block the SYN flood attack SCO claims to suffer from (I think there is some discussion of this on groklaw as well). Anyways, the guys at The Age appear to have a clue.

    The second link is to the Google cache of the most recent SCO page [google.com]. It takes forever to load (I wonder why), but examination of the source file reveals (surprise!) a link to Rob Enderle's anti-Linux propaganda from www.technewsworld.com [technewsworld.com]...

    I think that the people reading this thread and possessing the necessary technical knowledge should store the evidence contradicting SCO's "explanations" of today's events in the case SCO claims that the information the judge demanded "got lost because of the vile Linux hacker attack."

  • Re:And groklaw... (Score:4, Interesting)

    by 0x0d0a ( 568518 ) on Thursday December 11, 2003 @01:42AM (#7687379) Journal
    SCO claim e-mail and other services were compromised which do not use the TCP SYN/ACK and are not therefore vulnerable to this attack

    "email"? SMTP? POP3? IMAP? All of these are TCP-based, and are therefore vulnerable to SYN flooding.

    My guess is a little less conspiracy theory oriented. Some IT guy at SCO royally screwed up and took down an important server. He tried to fix it, but got yelled at by management before he could resolve things. He made up an "oh, hackers did that" story to cover his ass.

    Just because it makes the open source community look bad and they thought that they *were* under attack, SCO execs handed out a press release.
  • by Trepalium ( 109107 ) on Thursday December 11, 2003 @01:50AM (#7687419)
    Except, we should accept the fact that, perhaps the intention behind this wasn't to be credible to technical people. What else has happened to SCO recently, you should be asking. "RBC rethinks SCO deal" [globetechnology.com] - RBC, who, along with Baystar, invested $50 million into SCO has begun looking at the contingency fees SCO will pay to their lawyers if SCO is bought out. SCO has postponed their 2003 earnings release and investor conference call to December 22 from December 8, and there's been some speculation that they will not be able to announce a profit this quarter without some 'creative' accounting. SCO lost both of IBM's motions to compel discovery, and have to turn over these 'million lines of code' that IBM has illegally copied into Linux. SCO's stock price has been dropping recently. None of these items really made it into the press in any meaningful way.

    Now we get this 'quick fix' press release that gets to paint the Linux community as a bunch of criminals and thugs. They know full well the press won't bother to check facts, and it should be enough to distract from the negative things that have been happening. They get to look like a victim in the press, and they can do so without any proof whatsoever.

  • by Ramsés Morales ( 13327 ) on Thursday December 11, 2003 @02:00AM (#7687459)
    No one can fall victim to a SYN flood attack these days. You don't need a DDOS with "thousands of servers" to do a SYN flood attack. SCO's ISP isn't suffering anything related to a DDOS attack. The shutdown pattern of SCO's servers shows that they were unplugged. Groklaw [groklaw.net] has a good dissection of the hoax.

    Therefore, I would like to know what are the /. editors waiting for, in order to update the story stating it as a fraud from SCO.

    I wouldn't be surprised if SCO issues a press release tomorrow saying that the evidence they were going to show on January 5 was destroyed.

    This is just too much. I thought "evil corporations" existed only in comic books and Hollywood movies.
  • by JimmytheGeek ( 180805 ) <jamesaffeld.yahoo@com> on Thursday December 11, 2003 @02:10AM (#7687500) Journal
    ftp.sco.com has an adjacent ip, probably on the same switch, and it is perfectly responsive. It's not a bandwidth clogging attack.
  • Lets wait... (Score:3, Interesting)

    by OneFix ( 18661 ) on Thursday December 11, 2003 @02:11AM (#7687508)
    If this is honestly a DDOS attack, then there's bound to be more than enough logs on the servers. If they claim this caused any problems with their discovery, they will be asked to provide backup tapes and log files.

    To destroy logs related to the attack or backup tapes that may contain evidence would be criminal at this point. If backups and logs don't exist, there will likely be inquiries on SCO's execs.

    On a personal note, I must admit that this looks "fishy", but it'll all come out in the wash...
  • by simeonbeta2 ( 514285 ) on Thursday December 11, 2003 @02:46AM (#7687639) Homepage Journal
    Dude! Ever heard of "Letters from a Birmingham Jail?" One of the great pieces of american writing! I'll be mightily disappointed if my english lit. teacher lied and it was actually composed from a Motel 6...
  • by hsoom ( 680862 ) on Thursday December 11, 2003 @02:59AM (#7687685)
    The Age has an article titled Doubts cast on SCO claims of denial of service attack [theage.com.au]. It's good to see a mainstream news service not just reporting the FUD but actually digging a little deeper.
  • Want proof?

    www.worldrps.com [worldrps.com]

    Need I say more?

  • by Korgan ( 101803 ) on Thursday December 11, 2003 @04:04AM (#7687887) Homepage

    RBC, who, along with Baystar, invested $50 million into SCO has begun looking at the contingency fees SCO will pay to their lawyers if SCO is bought out.

    I agree, I find the whole RBC situation extremely amusing. Especially the fact that RBC now has veto powers over any action that could result in the legals getting 20% of any given resulting transaction. :-) That to me was probably one of the best things any investor of recent times could've done. Finally someone is making SCO stop and think before it does something. More than that, its also making SCO more responsible for any action they might take.

    They get to look like a victim in the press, and they can do so without any proof what so ever.

    This is one of the things that has bothered me about modern reporters. They no longer take the time to verify a press release's accuracy and instead build an entire article without confirming any of the facts. It's not just online press agents that do it. ZDNet/ZDTV (by extension, CNET) are also guilty of it as are organisations like TimeWarner and NYTimes (should I really go there?) ;-)

    The problem that presents itself however, is that the public rarely question anything mentioned in the media any longer. They take for fact almost any article published by someone like the Associated Press. This is something many of us have complained about.... The problem however, is those of us writing to the editors are such a minority that the editors rarely take notice any longer and just put it straight into the trash. Accountability for factual representation of the news seems to no longer matter.

    Still, what can we do? So few individuals take the time to point out the false. More people need to stand up and make the editors take notice. Then again, that would require action. Who wants to act when it's so much easier to just accept what's presented to us? ;-)

    One day the truth will finally become important in the mainstream again. Sites like Groklaw (in the case of SCO) are starting to get so much momentum behind them that they can't be ignored or just brushed off as a radical wing of a minority group. When people actually take the time to point out the wrongs, it makes it easier for the journalists. <G>

  • Re:Come on guys... (Score:5, Interesting)

    by Amiga Lover ( 708890 ) on Thursday December 11, 2003 @06:24AM (#7688340)
    Curiously, in the time that SCO's site was "being attacked" they managed to

    1. give the site a bit of a revamp. It's different, and content has changed.
    2. Switch operating systems. http://uptime.netcraft.com/perf/graph?site=www.sco.com shows they have gone from using linux/apache before the attack, to unknown/apache after the attack.

    Now, you're in the middle of what you claim is a network attack. You say your site is down, email is down, support is down, and you're working hard to get these things going again... so instead of actually trying to get the network up again, you revamp the site and change the OS of the server.

    SCO is so full of shit, and the mainstream media is licking up their bullshit press releases. Blah.
  • by RouterSlayer ( 229806 ) on Thursday December 11, 2003 @09:23AM (#7688896)
    This is a common misconception.
    it depends what is being attacked, and how.

    A SYN flood attack *CAN* indeed "clog" the bandwidth. It's been done. Been there, seen it, move on... a flood like any other flood can "clog" bandwidth, people don't typically attack this way any more though, because the resources at the attackers side have to exceed the targets side.

    There are actually attack tools (albeit old ones) that do this, they are now obsolete, actually public at this point (well, as public as such things get), about as public as winnuke code at this point...

    So saying a SYN flood wouldn't do this is just flat-out wrong. Because it can, and it has, and it probably will again.

    Cisco routers are actually highly susceptible to this kind of thing as well, so in another sort of SYN attack, it's possible to send very little traffic while causing ALL connections from the router to be unreachable, effectively shutting down ALL bandwidth (without actually "flooding" it). Which would appear to be a flood attack, but not be.

    So in either of the above cases, all the servers on the lan (same switch, etc) would be unreachable, that being in a true attack. But this wasn't the case.

    I notice their mail server (which they also seem to have claimed) isn't on the same subnet.

    Anyone who thinks SCO is being honest about anything with such statements is simply insane.

    I like how you misrepresent things and immediately are "prepared to accept that SCO is telling the truth". This sort of thing has to stop. They lied last time, the network admins at their upstreams seem to have claimed nothing was wrong this time either.

    Who are you going to believe? the evidence doesn't even suggest there was a real attack. Their ISP admins seem to be saying there was no attack. People looking at this, monitoring it see no evidence of any sort of attack.

    Nope, sorry, not buying SCOs BS today...
  • by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Thursday December 11, 2003 @09:32AM (#7688947) Homepage Journal
    Come on.....

    There are only a few possibilities:

    1: SCO's IT department doesn't know what syn cookies are and how they relate to Linux (which they DO run their site on). They evidently don't know how to configure CISCO routers in order to block syn floods either. In this case SCO is incompetent...

    2: SCO is deliberately not protecting their networks in order to draw attention to themselves.

    3: SCO is sabotaging their own networks.

    4: The cyber-attack story is completely made up and has no truth value.

    The Groklaw story is worth reading:
    http://www.groklaw.net/article.php?story=20031210163721614 [groklaw.net]
  • by pete-classic ( 75983 ) <hutnick@gmail.com> on Thursday December 11, 2003 @10:55AM (#7689598) Homepage Journal
    Well said.

    I think they both do some good work.

    I also think that the FSF's contributions to "the community" in general and Free *NIX in particular are woefully under-appreciated.

    I corresponded with RMS on one occasion and the whole "GNU/Linux" thing came up. He was totally reasonable about it, in stark contrast with his (apparently undeserved) reputation.

    The guy is an idealist. I think that's a rare and wonderful thing in such a cynical world. I wonder how all the anti-RMS sentiment out there started.

    -Peter
