Understanding Script Kiddies 224
Kzip sent us an interesting paper on script kiddies. It basically follows a log of a box being cracked and rooted, and then has tons of IRC logs with the responsible folks. A lot of insight into the mentality, but more important, the novice skill level required to do serious damage to many systems.
my ideas... (Score:5)
A few months ago I saw a step by step instruction set on how to exploit a machine with the BIND vulnerability, and I have to admit, I was tempted to try it, to see if it'd work. Moreso, I was kind of like "wow, I could do all these steps even though I'm dumb", and I know if I had there would have for sure been a little buzz of delight.
I used to buy beer with fake ID before I was of age, and it was the greatest, there was a total high when it worked. That is sort of script kiddy-like, it's not like I dud anything clever or anything, I just showed the clerk my ID and bought it, but it still felt wicked, and I think that's the thing in play here: It's easy to say "oh those kids don't know anything, what they're doing requires no thought" etc, and it's true (reading these transcripts makes you realize how incredibly dumb they are, it's really sad), but it is irrelevant, because as long as breaking into a box gives them a little buzz and feeling of accomplishment, they aren't going to stop.
p.s. the part where the guy is talking about how fat he is, that is so priceless and hilarious. If it wasn't so pathetic I'd laugh till I cried
Re:Be the expert witness (a lawyer thinks aloud) (Score:1)
We've got something very similar in the UK as well, albeit that the Occupiers' Liability Acts rather negate the possible line of defence that the attractant wasn't visible from a lawful place.
Thing is, those occupiers' liability cases are more about the owner's liability where the kids get themselves hurt: what I want to get at is the owner's liability for what the kids do to others once they're in.
This, though, is probably a more useful analogy than my shot from the Rylands. v. Fletcher angle: rather than maintaining something dangerous, what we're looking at here is liability for something that attracts children of known propensity and capacity for damage. Since that risk is obvious, there ought to be liability for failure to take account of it? Discuss.
Re:It's pretty simple (Score:1)
A few of the commands they typed
echo "r:x:0:0:User:/:/sbin/sh" >>
echo "re:x:500:1000:daemon:/:/sbin/sh" >>
echo "r::10891::::::" >>
echo "re::6445::::::" >>
Looks to me as though they have all of the fields in
-Patrick
Re:Be the expert witness (Score:1)
Good points. On the other tentacle, what about the argument that script kiddies are like rats? A natural part of the web ecology, destructive and lacking in any moral sense (at least until they grow up, if they ever do)?
On that analysis their actions, being predictable consequences of poor security arising from creatures that are not moral agents, are something that the administrator of the compromised system should be responsible for preventing.
The argument about a scope-sighted rifle is a straw man. Nobody would expect someone to do that sort of thing to a domestic fuel supply; expecting the owner to guard against it is unreasonable. On the other hand, in a neighbourhood full of kids, it is reasonable to expect him to keep the thing locked up so the little buggers can't play with it. (Example from a real case: a bus depot didn't lock its gates at night, and had petrol lying about the place unsecured. Kids got in and began playing a game involving molotov cocktails, and dropping lit matches into buses' fuel tanks.)
Essentially, the argument is whether the risk of script kiddie attack is sufficiently foreseable that an owner ought to guard against it.
Re:the IRC logs (Score:1)
Re:It's pretty simple (Score:2)
At a start, look at chldren in the US versus other countries. In france or other European countries a 5 year old kid can sit through a formal diner. How many 5 year olds in the US can do the same?
You really think five year old children are that much different, be they European, American, Indian, Japanese or whatever? Do you really think the notion of proper behavior (which varies with the different cultures) has sulked in by that age? Or did you just have a bad experience with your table neighbour's children yesterday night?
We have stopped teaching our children responsibility and discipline.
This is a favourite of conservatives, people who long for the "golden days" and suchlike fools. Responsability is a word much used by them, but seldom understood. You're aware that it is more easily taught by example than by indoctrination, right? And discipline is worth nothing if not rationally accepted, and pondered about. Otherwise it is no different than dog training.
It is much harder to aquire discipline later in life than early. Hell I am 22 and just now starting to learn to discipline myself. Its NOT easy. Its a skill that needs to be taught young.
There we go again with the discipline harangue. Discipline is highly overvalued. It is not always necessary, because it restrains leisure, imagination and all easy going things that make life worth living. Sometimes it is crucial, but only if you conscientiously accept it with your intellect. Perhaps you'll understand it when you're thirty.
All in all, the problems you seem to attribute to society's unwillingness to inflict responsibility and discipline on the young, are actually IMHO, the consequence of people not using rational thought enough in their lifes. Like: buying a cheaper product, even though its production endangers the environment or the local economy.
Re:Understanding the kiddies (Score:2)
This may work with a few kiddiez, but overall it is a bad idea. You are not going to have a meaningful conversation with someone who just wants to screw with your box, and you could end up making yourself a target. The best defense is just to keep your machines as secure as possible. What's more inviting to some fourteen year-old wannabe, a mostly secure box where intrusions are efficiently detected and patched up, or one in which the admins drop in to say "hi?"
Stopping to chat just turns breaking&entering into more of a game than it already is. This is exciting for the kid, and a pain in the ass for you. For stopping everything from serious crackers all the way down to little kidz, the best policy is no retaliation, no dialogue of any kind.
--
Re:It's pretty simple (Score:1)
One year ago I would have told you you were full of shit.
Now I sit here, married to a beatiful, smart, funny gal that happens to think I'm just the coolest dude. And she is fully aware that I'm a geek. She met me when I worked on her computer for her (at work) and spends a lot of time avoiding my "home office" (a room with 8 computers in it). I think girls don't like geeks when they are young and idiotic (just like guys go through that young and idiotic stage), but once they mature they realize that those guys that were such geeks in school are pulling in some serious cash, and actually are quite responsible.
Food for thought for any teen-age girls in the audience.
Re:skill level? (Score:1)
Re:Understanding the kiddies (Score:1)
Funniest parts (Score:5)
[ Dick admits he isn't top of the class at creative writing.]
:D1ck
:D1ck
:D1ck
:D1ck
[Here we have a fancy debate on the mission statement. These guys take themselves a tad too seriously.]
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
[ Our l33t h4x0rs look for profound quotes to adorn their web site]
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
:Sp07
[Dick doesn't know what pot is, but tries to look l33t by claiming he has lots of it. Rather Clintonesque admission follows. Spo7 isn't impressed].
:Sp07
:Sp07
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
[Spo7 expresses skepticism about Dick's impressive fluctuations in mass. He tries to get to the bottom of it. Suspenseful stuff, this.]
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck :
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:D1ck
:Sp07
:D1ck
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
[Dick has forgotten he has said he smokes weed. A rare occasion when he admits not knowing something follows...]
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
[Dick, ever the crafty one, shocks Spo7 with a clever deceptive move. Spo7 almost has a heart attack, but dick clarifies the situation.]
:Sp07
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:Sp07
:Sp07
:Sp07
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:Sp07
:D1ck
:D1ck
:D1ck
Re:Be the expert witness (Score:2)
When a script kiddie breaks into your system could it not also be like someone entering your house (or business) through an open door and using all the tools (the phone, for instance) in your house to call up old ladies and defraud them of their life savings? Open door or not, in most common law countries, entering someone's house without permission to commit a crime is still break and enter (and at the very least trespass). Does that mean that people who left the door open are liable for having their home burglarized? What if the door was not open, just unlocked? Or locked but the key hidden under the mat? See what I mean.
In a real court of law, I suspect Bert would be seen as a victim as well and thus not held liable. Al maybe liable if he told Bert that the box was secure when in fact it wasn't (to follow my analogy, the lock company that installed a defective deadbolt could probably get sued). And I don't think there is any legal ground for holding me even partly responsible if a third party uses my property (phone, car, what ever) to commit a crime. In my above example, I could not be held liable even in civil court for the losses of the bilked old ladies.
The "law" probably won't work in this case.
That's not to say that that security isn't every sysadmin's responisiblity. But if I leave my door open I shouldn't be surprised if I'm burglarized.
And my niegbours won't talk to me or do business with me if they get affected by it.
Translation? (Score:1)
Re:I agree, let us exploit this resource. (Score:2)
Is that my... (Score:1)
:J4n3! :.Filesystem 1k-blocks Used Available Use% Mounted on
:J4n3! :./dev/hda8 1935132 878956 957780 48% /
:J4n3! :./dev/hda7 23302 2650 19449 12% /boot
:J4n3! :./dev/hda1 2064032 1230496 833536 60% /mnt
:D1ck! :oki
:D1ck! :mkdir /win; mount -t vfat /dev/hda2 /win
:D1ck! :wait, what is /dev/hda7
:D1ck! :?
:J4n3! :linux swap partition
:D1ck! :ok
How sad is that..
Re:Misconception (Score:2)
By far, the most debilitating aspect of the script kiddies is that they are unorganized and unfunded. It is the difference between an army and a group of thugs--as long as there is little collaboration (not that many of them possess significant knowledge or ability), then chaos reigns and isolated cases or damage are more common than coordinated assaults on vital systems. Right now, it is a game of craps--if they happen to hit an important system, it is not through any planning on their part. The danger comes when specific, critical systems are targetted.
Script Kiddies pose little threat because they are easily deterred. If the sysadmin installs all of the latest patches and is diligent about dealing with known issues, then the script kiddies "favorite utils" will not work. Since they have no need to crack *that particular system,* they will move on. It is just like when a common thief sees that a house is protected by a burglar alarm, he will just move on in favor of more vulnerable targets. In the case of script kiddies, they do not possess the knowledge to crack a well-protected system even if they tried, so the threat is further reduced.
In a worst case scenario, script kiddies manage to delete all files on the main file server. The organization may experience 1-2 days of downtime and a few $100,000s - $1,000,000s in lost productivity. Eventually, the system will be restored and the people will return to work. Now, imagine that there is a coordinated assault against *your* server. You are a publicly traded company that is scheduled to report its quarterly earnings in a week; suddenly, hackers enter your system and seem to just delete all of your files. Almost immediately, your shares lose 1/3 of their value as one of your largest institutional shareholders sells its entire holdings in "anticipation" of your earnings report. Executives lose lots of money and you may be subject to an SEC investigation and shareholder lawsuits alleging insider trading. Which is more of a threat to your organizations long-term stability?
Re:skill level? (Score:1)
Generally, vicitimizing the victim by making him pay would be looked down upon. How about this? I break into your house, paw through your laundry, eat your food, and then leave without damaging anything. Should you be required to pay me for your lack of security?
Granted computers are different since you can launch attacks on other people from compromised computers, and you can't do that from houses. But the point is that making victims pay because they were victimized is going to piss off a LOT of people.
Re:It's pretty simple (Score:5)
> tells boys that they need to be "macho and
> manly"? Sort of how society tells girls they
> need to be "skinny and beautiful"?
I think its more than that. People always want to blame drug abuse, violence, etc as "the problems" when really, I think they are symptomes of larger, and more fundamental, problems with our societies social structures...specifically they are rotting.
At a start, look at chldren in the US versus other countries. In france or other European countries a 5 year old kid can sit through a formal diner. How many 5 year olds in the US can do the same?
We have stopped teaching our children responsibility and discipline. In fact, we have taught them that they can be irresponsible...its expected of them.
Now as for firearms...they ARE a buzz enhancer in a way. I have used them...holding a gun is a high in and of itself. The realization that YOU now can decided life or death at a whim. Its power.
Does that make them bad? No. It, like anything, is something a person must be taught to control. I have cousins who have owned firearms since they were 11. They are some of the safest people I know with guns. They were taught the simple rules from extremely early ages.
You NEVER point a gun unless you intend to fire it. You NEVER point a gun at a person unless your life is in danger. You ALWAYS treat every gun as if its loaded (even if you have the firing pin in your pocket!). Its all about respect for the power of the tool and for basic life.
It is much harder to aquire discipline later in life than early. Hell I am 22 and just now starting to learn to discipline myself. Its NOT easy. Its a skill that needs to be taught young.
All in all I don't think our society breeds healthy life attitudes. Its a much harder problem to solve than just being reactionary and trying to solve the symptomes (like prohibition of drugs, drunk driving penalties, etc etc) but raising responsible people with healthy life attitudes will solve these at the source.
System cracking is just an extension of adolencent irresponsibility. It is not the problem but the symptom. Catching crackers will no more solve the problem than taking tylanol will get you over your cold faster. (all it does is make you feel better by treating symptoms)
Re:Awareness of security issues (Score:3)
Debian rarely gets broken into, for one reason: the ease at which you can keep packages updated. If a security exploit is found, you'll generally see an updated package appear within a day or less. In fact, I'm on bugtraq, and I often get the updated package a few hours before the announcement is even out.
How do you get this package, you ask? Well, once or twice a day, run two simple commands. It looks a bit like this:
[root@host] > apt-get update
[root@host] > apt-get upgrade
Anyways, its quick, easy, and works. If you keep up to date [which is REALLY easy], your chance of getting broken into is pretty damn low. Sure, it will never been 100% secure, but its closer than most other distros.
I used to use Slackware. After a few years of it, I got tired of not having package management, so I switched to Red Hat. After a while, I got tired of searching down packages through rpmfind, and switched to Debian. I haven't looked back since
An important part (Score:1)
Seriously, these kids will spend almost all the time they're not exploiting playing starcraft.
Re:Understanding the kiddies (Score:5)
So they go around telling their friends "I'm a hax0r! b0w!"
It's about image. They think they can prove themselves to their peers by cracking a box with a canned program. Exploration has nothing to do with it. If they wanted to explore, they would write the programs themselves. But instead, they take the lazy way out, and run a pre-made program.
Laziness and Exploration do NOT go hand in hand.
-- Give him Head? Be a Beacon?
Re:It's pretty simple (Score:5)
Re:Awareness of security issues (Score:2)
If you are a competent admin, Debian can be a great tool. It simplifies the process of keeping your system up to date with the latest security patches.
More often than not, the weak link in the chain is the administrator. Human error and laziness is more likely to get your system broken into than anything else. However, if you are diligent about it, you greatly reduce the risk of breakins. Debian helps out a lot with this, and makes it easier.
People who deploy systems and then forget about them are the worst type of administrator, for when you assume that you are infallible, you set yourself up to be shown how wrong you really are.
Re:It's pretty simple (Score:2)
> much different, be they European, American,
> Indian, Japanese or whatever?
In some ways. by 5 years old children are much more developed mentally than most people give them credit for. They are certainly capable of learning to sit still through a diner by that age.
> Do you really think the notion of proper
> behavior (which varies with the different
> cultures) has sulked in by that age?
Only partially. The beginings of moral development are in place around 7. (there is an old saying "give me a 7 year old boy, and ill give you a man" or some similar confuguration of words) In fact the whole concept of "childhood" is relativly new (few hundred years old...maybe as many as 500).
Certainly by age 5 they are able to learn more than they are taught.
> This is a favourite of conservatives, people who
> long for the "golden days" and suchlike fools.
I tend to agree. I also tend to think that no such "golden days" ever existed. Every era has had its problems.
However, change does happen. Culture changes, society changes. Just because "conservatives" often argue something, doesn't make it wrong (just because they are often very wrong). I believe that people are less disciplined today, in our culture, then they have been in the past. I think our society ENCOURAGES this.
> ou're aware that it is more easily taught by
> example than by indoctrination, right?
Actually indoctrination can work wonders in the right setting...but yes example is how children learn. Many adults arn't much better than their children.
> There we go again with the discipline harangue.
> Discipline is highly overvalued. It is not
> always necessary
Perhaps you miss what I mean by discipline. Discipline is internal. It is the ability to consiously make a decision and stick with it. The ability to supress desire when needed. Control over ones own mind. The ability to say "Ok I have to do this" and go do it.
Take meditiation. It is the ULTIMATE form of discipline. The ability to sit down quietly and just sit there for even 5 mins without stiring, without looking around and doing physical things. To be able to say "I am going to just sit here in an upright position with my eyes closed for at least 5 mins" and then to actually do it....that is discipine. (and yes I realize there is more to meditation than that)
> re actually IMHO, the consequence of people not
> using rational thought enough in their lifes.
I definitly agree. Rational thought is important. It is a discipline! Its is about controling oneself. Supressing emotional desires and bias and using rational thought to solve a problem and make a decision.
> Like: buying a cheaper product, even though its
> production endangers the environment or the
> local economy.
Well no. "cheaper" may be a necessity. How about buying the flashy SUV even though its use endangers the environment, worldwide oil supply and 99% of your driving is JUST you back and forth to work with no cargo.
Look at the car commercials. They play on emotions. Like the recent "Dodge" adds where they constantly mix the words "Dodge" and "Different" to try to connect the two. This advertising has nothing to do with trying to get you to make a rational decision.
Re:amusing... (Score:2)
;)
-Waldo
Re:It's pretty simple (Score:2)
The problem with script kiddies (Score:3)
Jon Katz talks a lot about big corporations taking over the Internet and obliverating the little guys. Well, I'm a little guy who has a server with information on it of various types that many folks find useful.
When someone attacks the big companies, they have resources to deal with it.
When someone attacks my server, I'm effectively helpless - and that's pretty much burned me out on creating useful stuff and putting it there.
It seems to me that script kiddies are much more of a threat to "the little guy" than the big corporations that Katz fears. The corporations can't knock us offline, while a script kiddie killed off my server for a solid month.
I wish there was a way to convey to these people how much misery and anguish they cause on the other side, especially for servers run by individuals who really don't have any good options for protection.
I've read in this thread stuff like "script kiddies help the ecology of the net by eliminating clueless sysadmins". But what's so bad about being a clueless sysadmin? If I have something to share with the world, and can afford a server to share it with, well, surely I should be able to do it. Why should I have to spend hours of my time trying to keep up with nonsense like this?
To me, there's nothing more vile and contemptable than a script kiddie. Except, perhaps, the people who publish exploits for them to use.
Why on earth would someone do something like that?
D
----
But, you see, exploitation ensures supply! (Score:2)
The real threat of script kiddie extinction comes from those who consider them worthless pests, and would undertake campaigns of wholesale extermination. We, on the other hand, consider ourselves the stewards of this tasty natural resource.
Yes, 31337 |\/|337 Enterprises is environmentally friendly. We run a script kiddie breed and release program based on artificial insemination (even under ideal breeding conditions, the poor creatures seem to lack the basic instincts for reproduction, but gathering the necessary samples has never been a problem).
(Okay, so we just spam AOL accounts with links to |-|/\X0R1N@ +001Z sites, but the end result is the same; would you want to handle script kiddie genetic material?)
It's pretty simple (Score:2)
Making a difference to a script-kiddies life. (Score:2)
I tried very hard once to convince some script kiddies to put their talent where it would do some good. At the time I was an IRC Operator and had occassion to chat with the kids often. Unfortunately they could think of nothing else except making our lives on IRC as miserable as possible; biting the hand that feeds them, essentially, by performing never-ending DoS attacks on the IRC network. No amount of complaining to ISPs would do much good--they had so many rooted boxes it was impossible to provide any compelling evidence.
One day I heard chat of some of the kids bragging about hacking into NASA. NASA, as many of us know, might as well be considered a honeypot network built solely to test script kiddies' abilities. They compromised a web server at the Goddard Space Flight Center and replaced its web content with yet another Mitnick release demand. (note: no offense intended to administrators at NASA. I suppose they have a huge burden maintaining such a large network of UNIX machines. Dunno).
On the web page they put up were IRC nicknames I recognized. I thought for some time and concluded some of the kids needed a tough lesson, and now was the time for them to learn it while they were still minors. So, I contacted NASA. To make a long story short, I assisted them in gathering enough evidence for them to investigate. Keep in mind that I did all this while connected to IRC as a plain ol' user, never using oper commands. It wasn't tough; the idiots bragged and lambasted NASA in their public IRC channel!
Since the main suspect was a minor, I wasn't told what punishment was eventually handed down, nor his real name, of course. I do know his computer was confiscated for a period of time. He knew it was me that ratted him out, and he asked me why. I really don't think I was successful in convincing him that I didn't have any anymosity toward him personally, but that I merely believed his actions, both personally witnessed by me and many others, and what I knew of his exploits, I found appaling.
So, would he have eventually grown out of it like the script-kiddie mentioned in the post I quoted? Or, would he have continued to hack and hack until finally someone caught him after he turned 18? All I knew was that he was a menace to NASA and to our IRC network, but I truly hope he has squared himself away. I felt a tiny bit sorry for the kid at the time, having never had any desire to rat anybody out, but I don't feel that way any longer.
I wonder if that kid reads /. Heh.. probably!
Do people really talk like that? (Score:3)
Understanding? (Score:3)
No control (Score:2)
My opinion is that thier parents never taught them respect or to value anything. I don't think they even concider the effect their DOS attacks can cause to other people besides just the one they are attacking. An attack on a web site that is being hosted with others effects all the sites hosted there.
What I'd like to know is why the programmers creating these scripts don't keep them to themselves...
One solution (Score:2)
Re:The problem: root (Score:2)
Exactly. For example, the only part of mail handling that needs anything unusual in file system access is the final step of appending the mail to a local user's mailbox. That should be handled by a privileged program about 100 lines long, and nothing else in mail handling should have extra privileges. If Sendmail had been built that way, hundreds of thousands of break-ins would have been prevented.
Re:Why do "hackers" eat their young. (Score:2)
ANYONE can download a script/root kit from the 'Net and use it to compromise a variety of Unix flavors. Script kiddies do not need to learn anything about networking or system administration to utilize these tools.
From a script kiddie's introduction to the world through his eventual departure, any knowledge gained from these compromises is negligible. They're not getting their "start" here. They're installing Linux at home, maybe learning a little here and there about Unix, and then immediately letting that go to their head (nobody else at school can do this, so I must be smarter than all of them, which means I'm smarter than most everyone in the world!), and they strive to let the world know this. So they attack systems, break in to networks, rack up the numbers and then share their conquests with their l33t-0 IRC friends so everyone else can see what a l33t hax0r they are.
It has nothing at all to do with learning or self-education and everything to do with adolescent aggression.
I'm not denying that a certain percentage of these kids will indeed mature, grow up, get educated and get a real job in a similar field. I don't, however, think that this percentage is significantly higher than any other computer-literate group. Script kiddies are just a subset of the "high school computer geek" crowd, and I'd bet you'd find a percentage of any high school computer geek crowd finding a respectable IT job is probably the same across the board.
Exactly (Score:2)
If I really wanted to keep Evil Burgler out of my home, I would put in bulletproof glass, steel doors, thousands of dollars of security systems and probably a few armed patrols. Realistically, this isn't feasible for my lowly home. It might be for some areas that desperately need to be secured, but *I* can't afford it. So, I'm acknowledging the fact that an evil visitor could kick down my door and remove the contents of my home, but I've taken what I consider are relatively reasonable precautions to reduce that risk. Sure, I could spend more and reduce the risk even further, but would it be worth it?
Similarly, you can spend millions of dollars for state-of-the-art hardware, 5 levels of firewalls, intrusion detection software and a staff of IT folks constantly patrolling network traffic looking for any sign of attack or intrusion. For major IT companies, even this may be excessive, but for the lowly server-in-the-garage type, it's obscenely unrealistic.
Not everyone that wants/needs a server can or will a) get a degree in computer engineering just so he can know enough to properly secure his systems and networks; or b) hire a staff to do the same job
There's no such thing as a perfectly secure machine. It all comes down to what the administrator is willing to spend (in time, resources and money) to support and maintain his setup, weighed against the risk involved.
Re:Script Kiddies (Score:2)
What they learned her is totally irrelevant and completely unrelated to their attacks/compromises. They could/should/probably would have learned this same bit of information if they'd installed Linux at home and decided to goof around with it.
Well for me how a script kiddie differs from an expert hacker (or whatever we may choose to call him ) is education.
I agree, just as a convicted arsonist serving the last few months of his prison sentence differs from a highly paid explosives expert only by the education he's undertaken while in the slammer and by the experience and training he hopes to receive after he gets out.
Re:IRC HAQRZ 3XPOSED!!! (Score:2)
ROFL!
That's worth the whole price of admission.
Is there anyone else out there who remembers this? I think Slashdot must contain a bunch of ex-1337 people.
BIND doesn't need root (Score:3)
BIND also has a "-t" flag, allowing you to chroot it (i.e. "named -u dns -g dns -t /home/dns"). This is also easy if you're a primary nameserver (unlike most chroot programs, you don't need to worry about copying libraries), it will take a bit more work if you're doing secondary DNS (there are HOWTOs available). If someone breaks into your system through a chrooted BIND, they won't be able to get root, since the chroot jail shouldn't have any setuid files in it.
Re:It's pretty simple (Score:2)
Really? Look at just about any movie (esp action). The 'hero' most of the time will blowup/kill etc all the bad guys etc, with no reguard for little else. It doesn't matter that the car with the bad guy in it that you just blew up goes crashing into the department store, making that blow up as well. The bad guy is dead. Just look at T2; the terminator was a black leather biker look, and he was the hero. Yet he seemed pretty bad ass to me.
Slight clarification (Score:2)
I see no "white hat" use for those at all.
D
----
Misconception (Score:5)
The real danger is those people who have a clearly defined agenda/ideology in mind when the crack/write viruses. After the outbreak of the "ILOVEYOU" virus, I began thinking about a virus that targets a particular organization and compromises *only* their systems (and copies internal documents, deletes files, etc.). Even though it could replicate with each machine it infects, it would seem completely innocuous until it finds computers that identify themselves within the target domain. It could target particular classes of domains (in the case of worms, for example) that would be more likely to be within fewer degrees of separation from the target--preventing widespread outbreak and collateral damage so as to avoid attention and publicity.
Threats like the above are what should frighten corporations and the government. After Oracle's recent attempt to purchase MS trash, the proliferation of corporate espionage has really been brought to the forefront by the media. The damage that could result from the release of proprietary information is far greater than what results when a web server is cracked or an e-mail server taken down. Nonetheless, most organizations have no infrastructure in place to deal with this type of threat. This is where the *real* danger lies.
Here's why: (Score:2)
Besides - the kiddies are feeding their egos off the mythology. The more people realize that the exploits are pathetic, the less incentive.
Our secret is gamma-irradiated cow manure
Mitsubishi ad
True, most have no skill what-so-ever. Example... (Score:5)
Well, some people in techsupport set up a linux box outside of the firewall to run seti@home, and left it completely wide open. A script kiddie got to that and fired up a packet sniffer. Then of course, strange things started happening on my test boxes as the script kiddie hacked into mine seeing my plaintext passwords, quite simple.
Why do I say this person has no skill? First, my box was running a firewall, so his IRC server was hitting the wall along with everything else he was trying to do, apparently he did not know how to disable ipchains, and I could see through netstat that he had these apps running. He replaced some apps like "ps", but left many others, like netstat. The old apps along with his packet sniffer and IRC server where moved to
Here's the beautiful part. When we found that the seti@home box was the root of all evil, we looked in the
What these people are thinking is beyond me. Maybe I'm just paranoid, but if would ever do something like this, I'd make sure I knew my sh*t and even then odds are you will still leave some sort of trail. So, people must be right, they really must not see any consequence in committing these acts. And then they brag about it like it took skill to type
The problem: root (Score:5)
Secure systems [ncsc.mil] don't have "root."
Re:Be the expert witness (a lawyer thinks aloud) (Score:2)
Nice points, but it's worth considering that in at least one recent case (96, if memory serves), a landowner was held liable for poor physical security that allowed vandals to break in and open the valves on a tank of toxic chemical that proceeded to escape (they didn't have a proper bund around the tank either) and pollute a stream in, if memory serves, Wales.
Anyway, I think a distinction can be drawn between your analogy and the vulnerable box, and it's one that was used by the court in the pollution case I mentioned above.
It's this: residential burglary is a fairly rare crime, media scare stories to the contrary, and in breaking in and using the phone the burglar didn't get access to anything he couldn't have done in a public phone booth.
The important thing there is that your example is of a low-probability occurrence which doesn't significantly enhance the criminal's capability over what he would have had anyway.
The vulnerable box is going to get found by script kiddies. They can automate their search for vulnerable systems and they're like rats in a grain warehouse on the net: there's thousands of the little bleeders.
By cracking a system that's got special access privileges, or passwords and the like stored on it, they gain access to things they wouldn't otherwise have had. It's as if your hypothetical burglars broke in, found an unsecured firearm, and went out and shot someone with it.
Because the probability is high and the potential harm obvious, surely there ought to be some obligation on the owner of a system to make sure he was ratproof?
Perhaps Bert would be regarded as a victim, though, if he could show he was totally reliant on Al.
Thing is, you see, that there's pretty much no decided authority on this anywhere (or at least that I've been able to find) so until there is, we're both right.
What I'm trying to get at here is a "sniff test" - what answer "feels right" to the community as a whole?
Re:Understanding the kiddies (Score:3)
I think that the web page didn't not give enough credit to the abilities of many. Sure, some are incompetent, but many have a clue and are intentionally and knowledgably malicious.
What this article really shows is the lack of good security and monitoring on allot of systems. (apparently not the authors, but if the number of boxes that one of the kiddie's had root was true this fact is inherently obvious)
If all system security was effectively monitored, kiddies would be sitting around bored, DoSing random IRC users.
Re:Understanding the kiddies (Score:5)
My belief is that some people categorize the world into two groups: "People who are stupider than me" and "People who are smarter than me". These kiddies like to have as many entries as possible in list A and as few as possible in list B.
What does this explain and how?
They don't try to understand what they are doing. They can't admit to themselves that there are people smarter than themselves who could teach them about, say, TCP/IP. So they use scripts the found on the net and pretend to themselves that "I could have created this."
It also explains the motivation: If you break into someone's system, you have proved that person is on list A. The reasoning is: "Their automated defenses didn't keep out my automated attack, therefore I am smarter than they are." This is flawed, of course, but we already know the kiddies are a little...dim.
--
Re:Understanding the kiddies (Score:3)
Although this is a nice concept, the reality is as soon as the 'hacker wannabees' know you are watching, they either drop link, or type
cd /
rm -r * &
THEN drop link.
If the goal is exploration, the world is WAY different than the John Draper days of blue boxing.
386 computers that can run BSD are thrown in the trash. So access to computing resource is limited by electrcity. No need to break into systems to get CPU cycles.
The internet is FAR bigger than the old BellCore network. And the documentation that DRIVES the internet is all out in the open. No need to go dumpster dive the 'keepers of the network' to learn about the network. Or blue box about to map the network.
Re:amusing... (Score:5)
Heh. Reminds me of a day at work a couple of months ago, when a colleagues' box was hacked into. The h4xx0r kid had run some kind of rootkit (although I'm not sure the box was actually rooted, but some kind of prepackaged kit was used), which cleaned out all the logs. Except, of course, for that tricky, well-hidden, hard-to-find, sneaky, known-by-gurus-only one known as .bash_history! ;^)
It was quite cool to see which commands had been run, etc. I think he actually started up an IRC server on the box, probably to serve warez... That, and the ObPortscan of course.Re:It's pretty simple (Score:2)
:D1ck
:D1ck
:J4n3
:D1ck
:J4n3
:J4n3
:J4n3
:J4n3
:J4n3
:J4n3
:D1ck
:J4n3
I'm just t00 lazy to look in the r00tkit User Guide
Um. cut ... paste (Score:5)
Basically the moral is, take care of basic security. Get rid of stuff you don't need on the box. Use tcpd. stop and comment out all unneeded services from inetd.conf.
Just take basic security measures.
Replace them with a small shell script. (Score:2)
I think that I would have to if I were to become an 31337 h4x0r. because I sure as hell cant type like that
Re:script kiddies not the main problem (Score:3)
Re:Awareness of security issues (Score:2)
The problem is that admins don't bother to keep track of problems and fix them. It does not matter how easy or hard it is.
For example, I had this idiot come in and tell me he likes *BSD (Any of them) because he can set them up and "forget about them". When I asked him how he fixed problems, he stated that he did not since they were so secure. I just about died.
Re:Understanding the kiddies (Score:2)
Have you actually used OpenBSD? The install has sendmail and portmap running by default. You have to manually remove this services.
All the bragging about OpenBSD being SO secure does is give the admin a false sence of security. EVERY machine can be compromised. EVERY ONE. The job of a good admin is to constantly raise the bar; to make it more and more difficult for a cracker to get in.
Besides: if a cracker can social engineer someone into giving him their password, then the system security doesn't mean shit. Humans are ALWAYS the weakest link in any security policy.
You have to assume these people are out there. (Score:2)
My favorite comparison to the ILOVEYOU problem is: if you built a subway system that broke down whenever some kid painted graffiti on any of the walls, who would be responsible? The ignorant kid who commits an act of vandalism which takes little effort and can be done in secret? Or the responsible adults who knowingly built a system that can't tolerate graffiti?
Any system which can be destroyed by the petty vandalism of a child was effectively destroyed by its designers.
In a world with billions of people, you have to assume that a certain percentage will do damage just for the fun of it, if it's easy enough. If you're responsible for security and you don't make it too hard for them to do it, you're as much to blame as the person who does it.
Re:It's pretty simple (Score:2)
kwsNI
Re:Awareness of security issues (Score:2)
Security is going to be much more important as more and more people get on the net, and it's time to start addressing it.
Re:skill level? (Score:2)
Too many people think that all networks are the small, easily managed size that characterizes small to medium size businesses. But networks that serve 260,000 employees and countless vendors/contractors are a beast of a different magnitude.
Why the need to understand them? (Score:3)
You dont try and understand the ants in your kitchen, you find out where they are coming from and block it up. Same for a script kiddie. Keeping them out is just a matter of awareness on the part of the sysadmins and not doing silly things like running services you dont need or failing to keep the ones you do need patched. Much like blocking up the cracks the ants are coming through.
On the other hand, if a real expert cracker wants to smoke my systems then I may as well kiss my digital ass goodbye because I know my limitations and I know theres many folks out there who can find holes in systems that I never even knew were technically possible. The difference is that the real experts are usually more mature than the script kiddies and need some kind of reason to hit a system - and as far as I know they have no such reason to hit mine, theres nothing there that they need.
Just IMHO but as far as I'm concerned the only time I'd bother even trying to catch a script kiddie is if they are doing DoS attacks.. that upgrades 'em from an ant to a roach and I'll go out of my way to squish 'em. Otherwise I just close 'em out and ignore 'em.
# human firmware exploit
# Word will insert into your optic buffer
# without bounds checking
Good and bad (Score:3)
I think this is part of the misconception brought about by some of our more esteemed members of society; that a child constantly in front of a computer is preparing for the New Internet Age of IT Jobs or some other mantra. More rubbish than not if young people are only playing games, engaging in IRC or downloading exploits.
Having see firthand what happens when they get caught, I don't think these people realize the implications of their efforts. There is some belief out there that "hax0rs", after they do some high-profile breakins and DOS attacks, are hired to well-paying security jobs. *In most cases* it is quite the opposite.
Criminal records follow you throughout your life.
amusing... (Score:5)
ftp> get sun2.tar
200 PORT command successful.
150 Opening ASCII mode data connection for 'sun2.tar' (1720320 bytes).
No comments...
--
Understanding the kiddies (Score:5)
Ever sat down at a box somebody's given you an account on and just poked around to see how it's organized? That's part of the script kiddie feeling - it's partly about exploring the system, seeing what you can do.
But there's something more behind that - it's a feeling of inconsequenciality (sp?!?) - that those boxen they're poking with are inconsequential to them and immaterial - they don't actually exist in their mind!
That's the problem that faces the sysadmin - the kiddies feel that you do not exist, and therefore it's okay to go off and exploit these systems! To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him. Make sure he knows that there are people behind these machines, and that they're not just machines to be played with.
Script kiddies (Score:3)
Make no mistake, script kiddies may be novices, but they can do a heck of a lot of damage to an organization if they beat you on the foot race.
----
Remove the rocks from my head to send email
Another log of script kiddies who fell for Honey.. (Score:2)
Re:Understanding the kiddies (Score:2)
H0\/\/ \/\/3 D00 I7! (Score:5)
Enjoy your new knowledge everyone.
t00 1337 4 U (Score:5)
:D1ck!
:D1ck!
:J4n3!
:J4n3!
:J4n3!
:J4n3!
:D1ck!
:D1ck!
:D1ck!
:D1ck!
:D1ck!
hmm... without my r00tkit, i'm just a luser
Sue 'em All and Let God Sort 'em Out (Score:2)
And then, as they would say in their defense, the whole economy crashes... but maybe not.
I agree, let us exploit this resource. (Score:5)
The question is, what can we do with them?
To answer this kind of question, I usually start by asking, what are they made of?
Script kiddies are made of meat.
So the next time your system is compromised by a script kiddie, track him back to his lair, and get a fresh freezer-fill of long pork.
If you lack the butchering skills, please contact my organization: 31337 |\/|337 Enterprises, and let us take care of the messy details.
(sung to a 50's jingle tune)
"If you've got a H/\X0R1NG problem that's got you beat,
we'll do the hacking at 31337 |\/|337."
The illusion of power (Score:5)
Young men spend a lot of time chasing illusions of power, young women typically chase the illusion of control. Script kiddies do destructive things because it gives them an illusion that they are powerful. It is the same illusion that a vandal gets by throwing paint onto an existing masterpiece: 'See, I'm a painter also'. It is almost always easier to destroy than to create; it is a very difficult job to write a program which works well and is useful. It is easy to crash such a program; just pull the power cord. People who crack into systems, and virus writers, both get the same illusion of power; "see how mighty I am, look at this chaos I caused".
The truth is that real power feels like nothing. You do something, things happen, and you get no feel that you did anything; all of the force of your effort goes into the target. The less you feel, the more the target responds. This is disappointing to men who want 'the feeling of power'.
Eventually most script kiddies outgrow the sort of adolescent thinking that causes them to do destructive things. Young people everywhere have a 'golden glow' about their existence. It is obvious to them that the old people like me don't get it. However, that is not what is going on; we get it, we just know that 'special glow' is an illusion. Real maturity arrives when you can see the illusions of youth for what they are.
Does this mean that I want 13 year olds to behave like 50 year olds? NO, making mistakes is the only way to learn anything; if you don't make any mistakes you haven't learned anything - you already knew how to do what ever it was that you were doing. Youthful indiscretions are an essential part of growing up - if you are lucky, they don't get you killed or sent to prison for a long time - eventually you do something that scares you enough to cause you to learn something.
Young people expect the same reasonableness from government authority figures that they have experienced from the authority figures in their life while they grow up; but that is a false expectation. Government, and the criminal justice system are giant, impersonal machines. When you get caught up in the gears of that machinery you will be ground into hamburger meat by it. All of your dreams, fears, and hopes are meaningless to the impersonal machinery of government; it grinds the good as finely as it does the evil.
Of course there is a secondary reason for trouble making; some people are searching for attention, and to them even punishment if better than being ignored.
Re:my ideas... (Score:2)
and talk to a mail server. (many years ago) It was
the thrill of doing something (seemingly) illicit.
Of course, the real trick if you're after that sort of thrill from breaking into machines, is to get good, get a job, and do it for a living.
script kiddies not the main problem (Score:5)
For instance, take the case of the Australian govt., which put up info on thousands of business with their business number clearly visible on a CGI thingie on the URL. Guess what, changing the number gave you immediate access to the bank accounts and tax info of the relevant company. Couldn't they have even bothered to scramble the thing in the URL?
It reminds me of the story in Cliff Stoll's excellent book "The Cuckoo's egg" (a must read for hackers), in which he details how military depts. spent millions on security and left guest access open on the very machines they were supposed to protect. Or Richard Feynman's account of how mega-expensive safes guarding nuclear secrets were left with the default combination lock setting.
There was a flap some yrs ago when Dan Farmer scanned various banks for security and published the results, and it turned out many had not bothered applying even rudimentary, known fixes for problems known for years.
It's really amazing how utterly clueless and irresponsible the people in charge of security are. Generally, they tend to be suits impressed by buzzwords or mega $$$ security firms. Nobody really understands the real issues or even the basics. You can never prevent script kiddies from existing in this world. What you can do is take steps to prevent cracking.
Take another example of general hysteria and cluelessness - after the flap over the I LOVE YOU virus, almost none of the mass media coverage was about the fact that it was spreading via VBscript on outlook. MS must have been counting its lucky stars that nobody thought of pointing out this remarkable common factor.
And so history repeats itself...nobody fixes the root of the problem. Maybe somebody should write up an analysis of the mentality of people behind a typical insecure installation. But then, that would be too boring.
PHB1: Should we consider DoS attacks?
PHB2: What, DOS? Didn't we upgrade to Windows?
PHB1: Not sure...my team wrote something about DoS. OK, you're right, we probably don't need to worry about DOS. I think we have everything covered now.
PHB2: Good, now let's write up the status report.
w/m
Re:my ideas... (Score:2)
Re:script kiddies not the main problem (Score:2)
If I shoot you, it is not your fault that you didn't place yourself behind a wall that would stop the bullet.
These people are bullies, and exhibit the bully mentality in the only realm that they are able. Remember, a bully doesn't want to fight you, he just wants to beat you up.
Speaking of which, I'd love to show up at the door of one of these guys, just for the look on their face...anyone have any stories like that?
Be the expert witness (Score:5)
OK, here's something to discuss, but first some background:
In the real world (ie. the UK - I understand the US follows this one mostly), if you have something dangerous on your land and it escapes to a neighbouring piece of land, you have to pay for the damage. The case that set this rule was Rylands v. Fletcher, in which the owner of a badly-maintained reservoir got taken to court by the neighbour he flooded out.
Also in the real world, if you sell a product that doesn't do something the customer can reasonably expect it to do, you're liable for some or all (depending on circumstances) of the harm that results.
Bearing in mind those radically simplified statements of the law, consider the following:
Got all that? Now, applying your skill and knowledge of what a responsible and prudent owner of a box-connected-to-the-net and a responsible and prudent installer of OSs and software on such boxes ought to know and do, give your opinion as to the following propositions:
No, I don't have a case on these facts running at the moment. Yes, I think proposition 1. is more interesting - 2. is pretty much a no-brainer as far as I'm concerned - as it might be a stick with which to beat management into paying for better security.
Ignore license disclaimers for present purposes.
Other interesting background: failure to keep personal data adequately secured against unauthorised access is potentially a criminal offence here in the UK, and it can certainly get you on the wrong end of nastiness from the Data Protection Registrar.
Re:amusing... (Score:2)
Script kiddies are a natural resource (Score:5)
Re:It's pretty simple (Score:2)
Re:Understanding the kiddies (Score:4)
Recently one of my boxes was exploited. I screwed up and didn't block telnet on the firewall, and some kiddie found the system, and decided to use it in a DoS attack. Funny thing: the box is sitting on a slow DSL line, so it isn't exactly the king at sending out high speed denial of service attacks...
When I found the attack (because my DSL modem was lit up like a christmas tree), I logged into the system, and told the kiddie to get the fuck off my system. And to find a system on a bigger pipe than a home DSL for his DoS attacks. While he attempted to wipe out my hard disk by doing a 'rm -r
Funny thing: I think I scared the crap out of him when I told him to get the fuck off my system. All I know is that I watched him try to do a 'talk' back to me for several seconds before he blew out of there with his piss poor attempt to erase root.
Aside from the usual IP address sweeps, I haven't been visited by a script kiddie since. Probably because they realize that a DoS doesn't work from a slow Pentium-based Linux box on a DSL...
Informative, and hilarious at the same time (Score:5)
Day 5, June 08
D1ck asks J4n3 to take out three systems for him. D1ck and his elite buddy Sp07 try to figure out how a sniffer works "umm doesnt it have to be the same network?".
Been doing sysadmin/security work for a while now, and I've gotta say, they pretty much hit the nail on the head with regards to how little knowledge the majority of the crackers out there really have. Not to say that all crackers are script kiddies -- far from it -- but a lot of them are, and I'd wager the majority of them are. People who take an interest in security and want to actually learn stuff generally find out they can learn much more by trying to fight the good fight and lock down a system than they can by downloading and running scripts... Even the more malicious types who have a clue tend to spend more time writing custom exploits and publishing them than actually cracking boxes themselves. These are the guys that security firms try to pick up -- they know how the cracker mindset works, but they are more mature than the typical script kiddie, and they REALLY know their stuff.
--
NeoMail - Webmail that doesn't suck... as much.
Re:script kiddies not the main problem (Score:2)
hah! Predators eat prey. Tell me the ones that are killed are strengthened because of it.
If I leave my keys in my car, I am guilty of carelessness (not a crime). If you steal my car, you are guilty of theft.
To make some better analogies to computers: If you try every key combination possible to steal my car you are the one at fault. If you try your key on every car in every lot, you are the one at fault. If you find out that you can simply break the window of a car, cross a couple wires, and drive off with my car, you are again at fault.
Hmm...seems cars aren't built to defend these sorts of attacks. Why do we hold computers to such a different standard?
Just because they can be attacked with anonymity, doesn't mean its the fault of the victim for being in a place to be a victim.
You are asking to defend the rapist that claims "She was asking for it."
Been there... (Score:3)
Immaturity+M4DSKillZ(basic softwareknowledge)+a desire to prove yourself to your peers(linked to immaturity)==Silly Script Kiddie (scripts are for kids!)
Most likely they will outgrow this and move into security careers or get caught via tougher legislation and learn from thier mistakes.
Too bad (Score:2)
---
---
skill level? (Score:3)
Justify security expenditures to management and you'll solve the internet's "security problem" lock, stock and barrel.
more about kidies than scripts. (Score:2)
Fact is a script kiddy is a graffiti kiddy with a laptop or a joy riding kiddy with a few root kits.
If you are really worried about script kiddies you should find productive uses for those idle hands as early as possible. The other approach being taken by authority now is just begging for disaster. You can't make them "unlearn" these techniques. Banging a few of them around and preventing them from earning a living ( Kevin ) will just give the rest a reason to seek revenge.
At the very least we have yet another generation of disaffected young men with dangerous skills and it's a whole lot simpler to get rid of the disaffection than to get rid of the dangerous ( if somewhat limited ) skills.
It was so much better before script kiddies. (Score:5)
Went pear shaped when I nearly cause World War three of course. Still, all worked out okay in the end.
Comment removed (Score:3)
Re:The problem: root (Score:2)
The thing that convinced me of this was the recent Linux bug (actually not a bug but a design error, I think) where a program would lose the ability to give up abilities! It could then continue on thinking it was unable to cause damage, and be even more dangerous than a program that was written assumming it is setuid root.
However Unix has far too many programs that are setuid root for no reason. The small job needed (like checking a password) should be put in little programs that are easily confirmed as not having a hole.
Reducing the set of possible privledges to "all" and "nothing" should force people to figure out ways to get things done with "nothing", rather than rely on complex capabilities.
I would also modify Unix so that a setuid program just has the ability to setuid(0), but it starts out with normal privledges. This will encourage bracketing the necessary parts with set/reset uid calls, rather than doing everything like that.
Re:It was so much better before script kiddies. (Score:2)
Re:The problem with script kiddies (Score:2)
I've subsequently upgraded my DNS (why on earth did they change the configuration file format so much, anyway?), but the scars from the experience still sting.
D
----
Tales of Muni (Score:4)
I was riding a late N-Judah train home some months ago, and a kid got on at the Embarcadero station. He looked kind of nervous and was carrying a rucksack with an SFO luggage tag on it. I asked him if he needed directions, and he turned out to be going almost as far out as I. So I told him where his stop was. He sat next to me and we talked a little.
After a few minutes of conversation (Where ya from, whatcha do...) he laughed and said, "I'm a hacker." I replied, "Yeah? What have you done?" He told me about some DoS stuff. I told him I wasn't all that impressed, that basically any system can be cracked, given time and ingenuity. I told him that what really impressed me was creative, constructive work. He then told me that he and a couple of buddies had gone into security consulting, setting up defenses against "hackers" like him. I told him that was a lot more impressive, that by contributing something real, by making people's lives better, he'd get real respect.
I don't know if what I said made any real difference -- certainly, he'd already started to walk away from script-kiddie stuff -- but I think that the search for recognition and respect was a significant factor in his life; I think that as he finds acknowledgement for constructive behavior, he's going to be less and less interested in k1dd13dom.
Awareness of security issues (Score:3)
What's really sad is that people of this skill level have rooted so many boxes.
I think there's a major lack of interest from management in allocating resource and budgets to prevention - a well trained admin could probably close off at least 99% of these holes given enough time.
I think that we need to promote awareness of these issues to a much greater degree than it currently is.
Al.
IRC HAQRZ 3XPOSED!!! (Score:5)
Cannot join channel #warez: Banned From Channel << Sh1t, bann3d..
/join #hack << Lets see if the haqrz know about
TOPIC FOR #hack: WE BLOW FOR SCRIPTZ. << Neato Topic
U4eA (U4EA@BOW.ORG) has joined channel #hack.
> y0y0y0y0 eYe n33d th3 scr1pt f0r
You have been kicked off channel #hack by chasin (GET OUT LAMER!)
^^^^^^ note the sense of hostility.
[BoW] will g3t chas1n f0r th1s!
/load n00k
/n00k chasin << eYe h0p3 1t w0rkz (hehehehe)
NUKED.
/whois chasin
CHASIN: NO SUCH NICK OR CHANNEL << 1t w0rk3d (bahaha)
*chasin* im mailing your sysadmin loser!! << m0r3 fan ma1l 3l33+
/nick chas1n
U4EA is now known as chas1n.
Signon by visionary detected. << 3l33+ TRAXST3R!!!
/msg visionary N4RQ!!!
*visionary* yo, im not narc, can we talk about this? << DEJA VU?
Visionary invites you to #speechcard.
/join #speechcard
TOPIC FOR #speechcard:
chas1n (U4EA@BOW.ORG) has joined channel #speechcard.
> y0y0y0y0y0 whatz up N4RQZ???
<visionary> whats up with this u4ea? anyone got his info?
<grayarea>
update on u4ea in there..
^^^^^^ W3 MUST 1NF1LTR4T3 TH1S VMB!!!
<ddrew> chas1n = u4ea << f01l3d aga1n by tymnet jan1t0r
<erikb> any1 know who this rhakim loser is who keeps msging me?
<chas1n> ddr3w: I'll trad3 y0u 0day 4 s0m3 nUa'z!!
*chasin* stop imitating me or I will use my sendmail script on
you!!! Then you will be sorry!!
/msg chasin [BoW] will get you n1g.
/n00k chasin
NUKED.
/whois chasin
CHASIN: NO SUCH NICK OR CHANNEL << Bahahahahha eYe g0t h1m!
/nick chasin
chas1n is now known as chasin.
> 3l33+
<ddrew> chasin = u4ea << f01l3d aga1n by tym3n3t jan1t0r..
Stoll invites you to #bugz << 3l33+, now we have f00l3d th3m!!
/join #bugz
chasin has left #speechcard
TOPIC FOR #bugz: SPAFF FOR PREZ
chasin (U4EA@BOW.ORG) has joined #bugz
<stoll> chasin ^*($#@(*$&(*#@&$*(#@&$(*@!!!!!
mode change #bugs +ooo chasin chasin chasin by Thackory.
> y0y0y0y0 eYe n33d th3 scr1pt f0r
*pluvius* STOP MAKING PASSES AT MY WOMAN YOU LOD LAMER)$#@*()$*@#
/msg pluvius Its me u4ea, im doing some undercover [BoW] w0rk.
*pluvius* hehee sorry dude.. << PLUVIUS l0v3s LYDIA TSK TSK..
stoll has been kicked off channel #bugz by Pengo (N4RQ!!!)
DCC SEND REQUEST (rhosts.txt) FROM bUgd00d.
/dcc get bUgd00d <<< 3l33+ W3 n0w HAV3 th3 INPH0!!!!!
1f th1s w3r3 t0 fall 1nt0 th3 wr0ng handz
1t c0uld b3 v3ry dang3r0us!!
/signoff f00l3d y0u!!!!
$
$ ls
rhosts.txt
$ cat rhosts.txt
#DONT LET THE HAQRZ GET THIS ONE, COULD BE VERY DANGEROUS
#HERE IS HOW IT WORKZ:
GOTO IRC... CHANGE YOUR NICK TO SOME DUMB BLONDE SOUNDING NAME,
THEN FIND AN UNSUSPECTING VICTIM AT THE TARGET SITE. MESSAGE THEM
THAT YOU ARE TRYING TO FIGURE OUT A COMMAND, BUT IT DOES NOT SEEM
TO WORK. AND ASK THEM TO TRY IT TO SEE IF IT DOES ANYTHING FOR THEM.
ASK THEM TO SEE WHAT OUTPUT THEY GET FROM:
WHEN THEY SAY THAT NOTHING HAPPENED, SAY THANKYOU, AND EXIT IRC.
NOW RLOGIN INTO THEIR ACCOUNT, AND YOU HAVE EXPLOITED THE
VULNERABILITY.
# MAKE SURE THIS DOESN'T GET INTO THE WRONG HANDS, THE INTERNET WOULD
# CRUMBLE IF HAQRZ GOT THEIR HANDS ON THIS ONE.
$ << hmm, will have to try this out.
$ irc
/nick bambi
/who *victim.com*
#bolo _RED_ I am stupid stupid@victim.com
END OF WHOIS LIST.
/join #bolo
TOPIC FOR #bolo: We are stupid
bambi (U4EA@BOW.ORG) has joined #bugz
/msg _RED_ Hi, how are you?
*_RED_* I'm fine, and yourself?
/msg _RED_ well, I'm having some problems with IRC...
*_RED_* Really? Maybe I can help you out.. what is the problem
/msg _RED_ well.. no.. i feel silly.. I'll try and figure it out
*_RED_* No, seriously, I don't mind.. ask away
/msg _RED_ well, I am trying to run this command, but it doesn't seem
to work properly.. maybe you can try it out for me?
*_RED_* Sure! What is the command?
/msg _RED_
/msg _RED_ but it doesn't seem to do anything!
*_RED_* Hold on, I'll try it out..
*_RED_* Hmmm.. you seem to be right... wierd..
/msg _RED_ ahh well.. I guess I'll just have to go without.. thanks for
your help!
*_RED_* No problem.. hey, where are you from?
/signoff gotta go... bye!
$ rlogin victim.com -l stupid
Welcome to victim.com, specializing in example security vulnerabilities!
$ hostname
victim << n3at0! W3 R 1n!!!#)@&
$ whoami
stupid << elite! We have exploited the
$
Re:Understanding the kiddies (Score:2)
Won't this give him/her the impression that your respectfull or afraid of his/her 'skillz'?, I would suggest that this just boosts the ego of these sad little f**ks and prompts them to persue it more, but I wouldn't boot him off stright away either, find out how he got in, close that door and then boot and ignore.
BTW, this has been at Root Prompt [rootprompt.org] for a while, it's part of a series of episodes that detail an actual crack from the SA point of view. Check it out.
Re:BIND doesn't need root (Score:2)
the IRC logs (Score:5)
okay. i'm calm again.
Which Pisses Me Off More (Score:2)