Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

Cracked Series Complete 131

Quite a number of people have written in recently with the news that the Cracked Series has come to close with Feature #7. The series has been pretty interesting from a storytelling perspective - check it out on rootprompt.
This discussion has been archived. No new comments can be posted.

Cracked Series Complete

Comments Filter:
  • by generic-man ( 33649 ) on Tuesday July 11, 2000 @04:42AM (#943238) Homepage Journal
    In my opinion, script kiddies aren't moral or immoral -- they're amoral. Systems are just toys to them. Just like software, music, and movies, they feel "entitled" to take control of any system they like, because hey, it's out there. Even the Wall Street Journal called their generation (Generation "Y") the "entitlement generation."

    The aura of arrogance that these kiddies have is really quite shocking. They have no perception of what it is like to actually run a system and defend it against real hackers/crackers. They just get their kicks by annoying hardworking people, and wasting their time and money.

    And don't argue that the problem is admins leaving their systems unsecured -- if you notice someone left their door unlocked, it's not your duty to go inside, rearrange all the furniture, and leave cryptic notes saying how you "0wn3d" his house.
  • by Gill Bates ( 88647 ) on Tuesday July 11, 2000 @04:43AM (#943239)
    ... someone who signed up for account number 2 but does nothing with it but troll?

    Hemos is not a troll!

    Or is he ... hmmm?

  • by killbill ( 10058 ) on Tuesday July 11, 2000 @04:44AM (#943240) Homepage
    The ethics are even more simple then that. If you are on or attacking a box you have not been invited to, you are acting unethically.

    I helped clean up when a cracker was discovered on static IP Linux box my Sister put up.

    The cracker was only doing "harmless exploration" (running bind scans against lots of other boxes on the local subnet and installing rootkits and trojans).

    This clean up cost me about 20 hours that I would rather have been spending with my wife and two year old son... which is the most precious thing I have.

    After the second crack, I told her to pull the plug. One less Linux server on the internet (she was using it for a bug tracking database for a startup company she was working with, her husband was using it to give free accounts for students at a local community college where he teaches).

    On less corporation Linux had penetrated, 20 fewer students every quarter that can have a free account to learn to create web pages on *nix based systems. Congratulations, cracker boy.

    I am a professional programmer, and in my spare time a humble open source developer (backburner, check freshmeat). Guess how many bugfixes have been released to backburner in the last year... Exactly 0. Why? Because I have had to spend all my time cleaning up cracked boxes and setting up firewalls just to keep my systems from being invaded, destroyed, or used to attack other systems (stealing precious time from others).

    If you want to explore, set up your own network. 486's are a dime a dozen, NIC's can be found for about $15 each.

    The moment you touch a system you have not been invited onto, you are stealing precious time from somebody, period. Somebody had to initially secure the system to keep you out, somebody has to monitor your crack attempts, and somebody has to respond to your actions.

    Next time you are on a system you don't own, think about the fact that you are not just exploring, but taking a VERY high chance that you will force somebody somewhere to respond to your actions, and thereby steal that persons time.

    I am telling you from personal experience, that theft REALLY hurts.
    Bill
  • Well yeah. I was kindof mad. However this was said after he had rm -rfed us and I thought that is what he was gonna continue doing if he got in again.

    Noel

    RootPrompt.org -- Nothing but Unix [rootprompt.org]

  • Ok, let me break this down, point by point:

    Your first point: Not having adequate backups. If you'd read the entire series, and read the entirety of #7 as well, you'd know that they aren't running a business, but donating their time and efforts, and using donated equipment. They can't exactly be choosy. They seem to have gotten webpage files and config files, but lost mailspools and most other user files. Not fun, but overall not the world's largest tragedy.

    Second point: This cracker showed up on the IRC server they run. Noel didn't go looking to talk to the guy, the cracker ended up coming to him. Also, when they were originally cracked, after moving all their equipment, they DID go through and rebuild EVERY machine from scratch, updating everything, restructuring, etc.

    Third point: See above. They did that the first time. They thought they were up to date enough that they wouldn't be vulnerable to something as stupid as a compromisable rpc.statd. Obviously they were wrong. They were overconfident, and it was a mistake. But they were trying.

    Final point: This cracker is smart enough to connect via several intermediate hosts. Makes him kinda harder to track. Once again, I say go back and read the ENTIRE series. You'll get a better idea of the situation.
    _____
  • Cracking is a bad thing. Ethnical cracking is otherwise known as "hacking". Such subtle differences in words are very important, at least to some people.

    The article at rootprompt is an re-attempt of The Cuckoo's Egg [amazon.com] by Clifford Stoll. Otherwise, nothing more.

    The only thing it teaches sysadm is that they have to be more clueful and no other technical value.

  • What terms are you unfamiliar with? setuid indicates a permission attribute that allows a file, when executed, to take on the UID (user ID number) of the file's owner instead of the user running it. statd is an RPC (remote procedure call) server for communicating file state information for NFS (network filesystem) volumes.

    If you have any others, reply to this post, or e-mail me personally, and I'll try to answer your questions.
    _____
  • When I asked PSU for help securing my machine, I was told to use a different operating system.

    I feel your pain in being cracked, etc., and I hope it never happens to me. But you have to understand by now that securing a *nix box isn't the kind of thing you could just relay to someone over the phone in 5 minutes, or even 1/2 hour. If you're not willing to go out and research this on your own, etc, you really have no business running linux. I don't mean this to sound snooty, it's just the amount of work it takes, if I was working a tech support line and someone asked me that, I'd probably tell them the same thing.
  • Why is breaking into and destroying systems so appealing to crackers and kiddies?

    Destruction is easy. People do it all the time by accident. If you think you're so cool, try improving something.

    You never see these twits producing anything useful. They don't make better applications. They don't come up with sophisticated new algorithms. They don't even figure out how to fix the bugs they find, they just work out how to trigger them, a far less complicated problem.

    How can that make them feel powerful?

  • You know, I am really getting tired of *BSD people saying "Linux is insecure". Linux isn't insecure, Linux is the kernel! Many Linux distros are insecure, but is Linux any less secure than the *BSD kernels? Let's start being correct: many Linux distros are less secure than the *BSD distros.

    Now, I will agree it is a shame that RedHad doesn't take more time to make the default installs secure....
  • ... but if you (or your sister) spent five hours securing, maybe you wouldn't have had to spend twenty cleaning up.

    Bullshit!

    If I break into your house and look through your stuff - even if I didn't damage anything, not even the locks - I bet you're going to be pissed off. And rightly so.

    I agree that if you want to put a system up on the internet you should learn about security and spend 5 hours securing the box. But I'm just so fucking sick and tired of the whole "blame the victim" mentality.

    I'd even be tempted to help out if any sysadmins were planning to pay a late night visit with a two-by-four to a cracker's house.

  • I love Slashdot and all, but recently I've been noticing that the summaries on the main page are horrible. I had NO clue what was going on here. Then after trying it, I'm glad that I did find that site, its nice.

    But please, leave more suggestive descriptions of the articles at hand.

    Mike Roberto (roberto@soul.apk.net [mailto]) -GAIM: MicroBerto

  • by AndrewHowe ( 60826 ) on Tuesday July 11, 2000 @04:48AM (#943250)
    OK then... Hands up who's got Slashdot UID #31337... Lucky bastard!
  • Hmm... looks like lots of people (but not all) are getting the +1. Looks like /. is undergoing beta testing at the moment (or the +1 limit has been lowered?).

    P.S. - turning off +1 for this OT post

  • Have to admit that it looked to me like there are more "installments" to come.
  • Alfred E. Newman was always goofier looking than Melvin the janitor guy.

    Besides, I always liked Don Martin and Sergio Aronges.
  • All OS distributors be damned for enabling services by default. If I hear one more %^#$^ story about how somebody's box got r00ted because foobard was running and they didn't know it I'm going to boot all my boxen to ROM basic and make my nic's into wind chimes!

    A new user by default, is not ready to accept the responsibility of running services. Hence, by default, do not start the fucking services. Just because someone you offer Joe Newbie the pleasure of INSTALLING a web server does not mean you should turn it on. Complete idiots will still turn everything on themselves but this will save many people with a moderate clue!
  • What we need is (-1, Stupid). There's a lot of stuff that fits in that category better than Troll or OT.
  • The ethics are even more simple then that. If you are on or attacking a box you have not been invited to, you are acting unethically.

    That's your personal ethics. Are you willing to impose them on the others? Are you willing to convert them into law?

    Guess how many bugfixes have been released to backburner in the last year... Exactly 0. Why? Because I have had to spend all my time cleaning up cracked boxes and setting up firewalls just to keep my systems from being invaded, destroyed, or used to attack other systems (stealing precious time from others).

    Now that's a bullshit argument. If you are dealing with computer security at work, this is your job and how intense it is has nothing to do with posting bugfixes for your project which you do in your spare time. If you tell me all your spare time is taken by cleaning up cracked boxes, I'll tell you that (1) I don't belive you, and (2) you should learn to prioritize your time.

    The moment you touch a system you have not been invited onto, you are stealing precious time from somebody, period.

    So? An inept clerk at a store is stealing my time. A person who stopped me to ask for directions is stealing my time. Windows' registry being fucked up steals my time and a lot of it. IRS steals huge chunks of my time every April.

    My point is that engaging in activities has costs, and one of those costs is time. If you are running a publicly-accessible server, time to secure it and deal with vandals is one of the costs. Sure it would be nice not to have to deal with it. But think of the alternatives. We already have the War on Drugs where being caught with a bag of pot can land in your jail for many years. Do you want to live in a society where being caught at portscanning will lead to same results?


    Kaa
  • Well, it could even go beyond security! We (umm, geeks in general) have been for a long time leaning on Moore's Law and saying "we'll fix x in software" because cpu cycles are becoming cheaper all the time. But that may not be the best way to solve some problems even though it may be fastest and cheapest. Thanks.

    WWJD -- What Would Jimi Do?

  • I was expecting to just get an article on cracking, instead I find it was written by someone I know about the system I cut my teeth on. The community network he referrs to was the network that first gave me internet access. I even used the same mail program exploit the cracker used to bypass the menu system. It was my first exposure to a *nix system. I remember the "service outages" and the whole process, but hadn't been paying attention so never realized that they were to recover. Noel is a good sysadmin. He works his ass off for little pay (I actually believe he gets *NO* pay, though don't quote me on this.) I'm glad he was there during the whole set of incidents because I doubt many people would have put as much effort into it as he did.
  • hacking == cracking
    it's all the same in the eyes of the general populus and therefore in fact. since the general public doesn't get the difference trying to push it just confuses stuff more.
  • by Kaa ( 21510 ) on Tuesday July 11, 2000 @04:59AM (#943260) Homepage
    [Sysadmins] got computers that they need to defend, and they have every right to be suspicious even of an 'act of curiosity.'

    No problem. They do have the right to be suspicious and to take measures to defend their systems.

    However some people are taking the next step which I am uncomfortable with, that is: if sniffing around (pinging, portscanning) is causing busy hardworking people to waste their time and worry too much, why then, just make it illegal. Make portscanning a federal crime and add War on Hackers (yes, hackers) to War on Drugs. Sure, that will make sysadmins' life easier. I also think that this would be a very Bad Thing to happen.

    If I see sombody sitting in a car outside my house observing it, I may walk up to him and talk to him, I may walk out and stare at the guy through binoculars, I may call the cops. I am NOT going to lobby for a new law forbidding people to sit in parked cars outside other people's houses.


    Kaa
  • by borzwazie ( 101172 ) on Tuesday July 11, 2000 @05:04AM (#943261) Homepage
    I used to be a student as Penn State. One of the benefits to on-campus residence is an ethernet port and a legit IP.

    Some time after I moved in, I discovered Linux, and Unix. (Mostly from working on SGI's. I wanted to be able to run ANSYS without going down to the labs.)

    VERY soon after I discovered Linux, I discovered what rootkits were. I woke up about 7 in the morning because my cdrom drive (an old noisy Mitsumi) was going nuts. I was certainly no guru at this point, and I had no idea what was going on. I did a ps aux, but I didn't see anything happening, so I just took the cdrom out and went back to bed.

    Two days later I noticed that my ethernet connection wasn't working anymore. I called down to the computer center and was informed that my connection had been shut off and that there were charges pending against me for "cracking" attempts on PSU's servers. It took me 3 months to get my connection back.

    When I asked PSU for help securing my machine, I was told to use a different operating system.

    In addition to my own machine being cracked, my friend who was also running linux for the first time got cracked (probably thru my machine) and had nasty emails sent from his machine to a couple of government agencies. He and I were both in some deep shit for a while, and had done NOTHING.

    So, cracking DOES hurt. I'd like to extend a big FUCK YOU to the kind of people who think that getting others in trouble is funny. Another big F*** You to every little clone virus writer who make life for tech support a living hell. You don't advance knowledge. You aren't doing anyone any favors. You prove nothing except that you are the same as vandals with a can a spraypaint. God help you if I ever find one of you.

  • by FascDot Killed My Pr ( 24021 ) on Tuesday July 11, 2000 @05:04AM (#943262)
    Crackers are just like schoolyard teases. They feel important when someone pays attention to them. Talking to the cracker didn't gain the admin any info and it made the cracker's day.

    You might respond "but maybe you can befriend the cracker and set him straight". Yeah, maybe. Or maybe he'll start realizing you are getting too close and he'll lash out by typing "rm -rf /"--which is just what happened in this example. In any case, don't risk your precious time and money on your so-so psychology skills.

    BTW, Slashdot trolls are the same way. Don't moderate them (esp down past 0), don't respond to them (even "just once"). Just ignore. Like your mother said "eventually they will get bored and leave you alone". And this isn't theory. I've gone through several cycles of trolls (or one troll with many names) targetting me for idiotic responses or unfair moderation (which reminds me, could we have some meta-mod power over "underrated" and "overrated"?). Once I realize what's going on, I don't even bother reading the responses. 24-48 hours later the "attack" is over.
    --
  • I found it very interesting, and useful, that the author specified that the sploit used was fixed in open source versions of statd before the attack but Digital UNIX took another 6 months.

    I am currently involved in major battles with my line manager who seems to have this idea that Open Source = Unsupported. He doesn't realise that a product that is supported by thousands of developers who have a vested interest in solving problems is going to be better supported than one whose only backup is a handful of developers whose managers not only have a vested interest in hiding any flaws found but also want them involved in adding the newest whizz-bang features.

    Based on articles I've read it looks like the equation is really Open Source = Secure and Supported.
  • A proud tradition begun in The Hitchiker's Guide to the Galaxy.

    At least they did add, "increasingly inappropriately named," to the trilogy reference.
  • I wonder if he's reading this, as well as the whole 7-part series. I'd pretty much have to believe so, as you say, for the ego trip.

    But I wonder what he makes of the general disapproval. This especially comes from cracking a community system. Kind of like robbing a soup kitchen. He picked the wrong target.
  • I know now that securing a *nix box isn't a 5 minute explanation. At the time, however, I didn't even know that you could crack a box like that. I was THAT new to unix security. I was at the point where I figured that unless you could snoop the wire (which you couldn't, I was on a switched port) or knew the passwords, you were home free. That's how much I knew about it. Linux distributions at the time (I was using Slackware 2.0) didn't talk much about security either.

    Essentially, I didn't even know I had to secure anything. I would have been happy with a decent source of information, but I didn't even get that from PSU security.

  • I think one of the major causes of this problem is that RedHat (and others) do not go to much effort to make their distribution secure. RedHat could be considerate and do the following:

    • No unneeded services running by default. This means, for example, there should not be a network service of lpd needed just so someone can print a file. Any services running should be services the user specifically asks for during the install.
    • The default version of X should not bind to port 6000-6020, or, in a default system, ports 6000-6020 should be ipchained off.
    • Programs with more than a given number of reports on Bugtraq should not be installed by default. What percent of new RedHat Linux users are going to actually run mh? Why does RedHat insist on having mh installed in the default install, despite the number of patches this has in a desperate attempt to make mh's suids not local root holes.
    • ftpd-BSD, IMHO, should be the default ftp server (my version [samiam.org] a patch that makes the default umask something sane). If not ftpd-BSD, at least anything besides wu-ftpd.
    • Come September 20, RedHat will be able to make OpenSSH part of their distro. Hopefully, this will mean that they don't run telnet unless the user asks for it.
    Little things like this would do much to make it so people just struggling to learn Linux and Unix don't have to worry about securing their systems at the same time.

    - Sam

  • Get root on my box and I find you? I am looking at a BUNCH if time looking for rootkits and backdoors regardless if you have installed them or not.

    And thats only if you're not healthily net-paranoid... get root on my box and I find out then I'm not looking for anything but read-only install media and a fresh download of all patches from a trusted source.

    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

  • I'm unclear by about what you're saying here when you state you cleaned up. Unless you did a completely fresh re-installation from a cdrom or some other medium that is known to be safe and cannot be altered you did not clean anything up.

    Before going back on the network you should:

    Perform fresh install, then disbale all unnecessary services. Perform a suid audit and determine which suids are needed and which aren't. Consider changing the umask on the system to something a bit more secure. A umask of 027 will yield the following permissions rwxrw---- for newly created files.

    Set up your hosts.deny to ALL:ALL Configure IP Chains to do what you want them to do. I believe gfcc [www.suse.de] is a nice gui frontend to make this easier.

    For a company based implementation maybe even another step further and have another box in front of this one as a dedicated firewall.

    Never assume you have gotten everything cleaned up on a cracked box unless you have wiped the disk, or even better backed the disk up then wiped the original for re-use. Go back and look at the old disk in a safe environment to see what went wrong.

    Installing tripwire is also a good idea so if it happens again you know what was touched.

    Might even be beneifical to have a sniffer out there to see what's going on on your network.

    And of course there's always the obvious:

    No telnetd and ftpd
    USE SSH!!!

    Portscan your box before others do and remove the unecessary daemons running on your system.

    I completely removed inetd form the equation after I read up on why it's bad for people like me who don't need ***ANY*** of the services it provided.

    And as always good strong encryption and frequent password changes will increase the likelihood of not getting cracked.

    Remember, the crackers are always one step ahead of you, stay on your toes and get all the latest security fixes and releases when they come out.

    Nothing is foolproof, so even after you do all this, prepare to be cracked and provide your system with a method of recovery should such an event happen. This means keeping a secure immutable backup of the system somplace safe and updating frequently enough for it to be useful.

    Laters, Dan O'Shea

  • I'm not justifying anyone's actions here, but I for one think it is a good thing that there are some people out there 'poking around where they don't belong'. Most of these types are more curious than they are hostile and will usually leave your system unchanged (save for a l33t message about how you were had). It's the kind of thing that pushes the security business along and makes it harder for would-be evil-doers to do some serious damage. Provided that no irreparable damage is done -- restore some backups, fix the hole, and walk away a bit wiser (and hopefully with a more secure system). At the very least it keeps you on your toes.
  • by Hard_Code ( 49548 ) on Tuesday July 11, 2000 @11:50AM (#943271)
    "That's your personal ethics. Are you willing to impose them on the others?"

    Um yes.

    "Are you willing to convert them into law?"

    Yes, I believe "Laws" are what imposing ethics onto people is called.

    "Now that's a bullshit argument. If you are dealing with computer security at work, this is your job and how intense it is has nothing to do with posting bugfixes for your project which you do in your spare time. If you tell me all your spare time is taken by cleaning up cracked boxes, I'll tell you that (1) I don't belive you, and (2) you should learn to prioritize your time."

    Who said anything about work? I thought this was for his wife or something? And in any case, just because you are PAID to do a job, doesn't mean it is ok for people to burn your time unnecessarily. If I'm preventing somebody from getting real work done, then I *should* be ignored.

    "So? An inept clerk at a store is stealing my time."

    Well, not really. He, and the store, is providing YOU a service. If you don't like that service go to a different store. If anything, the inept clerk is stealing the company's time by pissing you off.

    "A person who stopped me to ask for directions is stealing my time."

    Yes. Because you are not mandated to provide that service to him. Are we perhaps getting it now?

    "Windows' registry being fucked up steals my time and a lot of it."

    Yup, bitch to MS or switch operating systems. Same deal as the inept clerk. You just now have an inept OS.

    "IRS steals huge chunks of my time every April."

    Ditto. Bitch to government and try to change the situation.

    "My point is that engaging in activities has costs, and one of those costs is time. If you are running a publicly-accessible server, time to secure it and deal with vandals is one of the costs."

    Of course, but that doesn't make it acceptable for vandals to eat up your time. You have to weigh the benefit of the service to the cost of maintanence. Apparently the service the wife was providing just cost too much in security risk.

    "Do you want to live in a society where being caught at portscanning will lead to same results?"

    No, but are you saying that cracking into a system (secure or not), and destroying data or using it as a base for DOS attacks is acceptable? I sure as hell hope not. If you do that you *should* be thrown in jail (albiet probably with not so large a sentence as many of the criminals that have been made "examples" of *cough* Mitnick *cough*)
  • Thats the idea. It would make a good curse; doomed to forever expand the acronym.
  • It's very hard to ignore someone who brazenly appears on your IRC channels and tells users that their sysadmins are lamers. It's even harder when said person has the system cracked and tells the users as much (See Chapter 6).

    Reading earlier chapters tells you that they avoided blowing the whistle for as long as they could, in a bid to secure the system before the cracker realised they were discovered. This cracker was on a power trip long before they started talking to him(her?), and he/she was obviously better at *nix than the average script-kiddie (very few kiddies bother writing their own rootkit). If I was that cracker, I'd have probably played dumb for a bit, rather than laying all the aces down so early.

    Yes, malicious cracks are usually the work of sad, bored individuals, but I don't think that boosting their esteem will cause them to commit more damage. Usually, damaging the system is de rigeur after discovery, and most malicious crackers have it as part of their post-busted MO. I suspect that asking for a sanctioned set of platforms to continue spoofing and cracking was a stalling tactic while the rm's were being planted. The cracker knew that the system was being locked down, and that they only had one exploit left (statd). This cracker had a good thing going before they were shut down, and wanted to be remembered after they were.

    Just my 2 pence....

  • Well, the plus one bonus is gone from normal accounts and back only to the karma whores. The user info number thing is very interesting too - for instance, it's possible to tell that I'm not really siggy because my user number isn't 7608. (Bonus points to the first person who can read well enough to tell that my user name is different).
  • Don't smack my karma down, please -- I'm just playing devil's advocate. ;-)

    Just like many warez d00dz argue that their existence is what pushes the demand for increasing bandwidth and computing power, couldn't the cracker argue that A) their existence pushes the demand for increasingly better security models, and B) they keep many network admins employed?

    I do tech support, and while I'll never stop complaining about all the users I have to deal with, at the same time I realize that without them, I'd be out of a job.

  • by dpilot ( 134227 ) on Tuesday July 11, 2000 @05:32AM (#943276) Homepage Journal
    By the time I get high-speed access, I hope to have learned enough to run that ethernet adapter from diald, whether id's DHCP or PPPoE. I'd like the convenience of high-speed access when I want it without 24x7 vulnerability. I have a reasonably tight firewall, but I'm sure the right person can get through it. At the moment, even if I had a simple single input input rule on that interface of "-j DENY", I suspect that there are those who could get through even that.

    The only truly safe interface is either offline, or disconnected.
  • This works for the static parts of the OS, but not for any user directories or /tmp. Remember that on the system in question users could log in and use shell commands, save files, etc.

    Granted, this should prevent any rootkits from finding their way onto the system, but it's not an end-all beat-all, and a malicious cracker could still wipe out all the user directories (as did the guy in this story).

  • After installing the OS, he pulls the write-protect jumper.

    I used to think this was a pretty secure solution until I ran a VB install that wrote on my write-protected disk. Sure, that was WIN31, but it's the same hardware that any other OS could run on.

    Just because there's a hardware piece involved doesn't mean that it's really a hardware implementation.
  • In my opinion, 90% of unix sysadmin is intentionally arcane for the job security of sysadmins

    and the black helicopters came and swooped up Elvis and JFK just before the aliens landed in Area 51. But no one knows anything about that because its all been covered up by the Proctor and Gamble corporation because it jacks with their plans to turn the entire world over to a satanic cult. It doesnt matter though because the NSA controls most of the US population through subliminal messages and will put an end to all that mess as soon as the Chinese take over the world.



    Jason
    www.cyborgworkshop.com [cyborgworkshop.com]
    ...and the geek shall inherit the earth...
  • It's not the level of skill, or lack thereof, of the script kiddies, it is the lack of time on the part of system administrators. Security is a low priority for most organizations. Why spend $50,000 to secure your computing facilities when you can spend that on a choice advertisement spot on tomorrow's evening news?

    Justify security expenditures to management and you'll solve the internet's "security problem" lock, stock and barrel.

  • I also think there should be laws against attepmting to crack someones box, even if it is for curiosity.

    The "attempting" part there worries me, where do you draw the line? I portscan hosts every once in a while, I don't think it's wrong or bad - yes I do it.. hell sometimes I telnet to an open smtp port, and try to fake mail.. is this a bad thing? If someone does the same to me, I don't really care. Is this an attempt to crack into a box?

    I also use a portscanner (Ostrosoft internet tools) at work a LOT. I use this to check duplicate IP addresses out (ie - our printers have ftp enabled - no workstations have nt enabled, this is a quick check to see if maybe a printer snagged a workstations IP addy). I also use it when we get a new application on line - new server, hmm, lets see what's open. I've used a service account to retrieve a passwd file - it wasn't shadowed, cracked it, never touched the accounts. I used this same service account to retrieve the default shell script that runs on login for the account (we don't get a shell prompt) and see what it does. There are unix machines we access to reset passwords, supposed to type command to get the shell script to walk us through it, I poke around the directories of those servers. We use Reflection X to access a different application, I open an xterm and poke around there. Never once have I caused a system problem, nor have I ever done anything to change the default behaviours.

    Are these cracking attempts?
  • Hell yes!

    Why don't RedHat (and MicroSoft) ship these things with everything turned off? The box should be unable to respond to any command from the outside world.

    I am serious. People are willing to follow directions to mess with config files in order to get something they need turned on. Why? Because it is intuitively obvious when they need to turn something on (because something they want to do does not work) and it is intuitively obvious when they have suceeded (because that thing is now working). Also, they need to do this to get the box to work the way they want.

    But turning something off, knowing that they need to turn it off, and confirming it is off, are all much more difficult and opaque, even if the instructions are no more complicated. And the complex instructions are likely to make them give up, even if they ever attempt it, because the box "works" without doing this.

  • With Windows what's to hack? I mean, how is that even the least bit exciting? "Look ma! I hacked a Windows box! I can download their pitiful Starcraft high scores and post them to usenet!"

    Besides, it's so much easier to write a trojan that uses the e-mail program or the paperclip "assistant" to foul the network or erase the drive.

    I know, I know, you specifically mentioned the server OSes, but I couldn't resist.
  • I'm not justifying anyone's actions here, but I for one think it is a good thing that there are some people out there 'poking around where they don't belong'. Most of these types are more curious than they are hostile and will usually leave your system unchanged (save for a l33t message about how you were had).

    Out of curiosity, what do your comments have to do with this story? This is a story about a cracker who had compromised several of their machines, were using them to launch attacks and gain access to who knows how many other systems, and ultimately ended up doing an 'rm -rf /' because the admins pissed him off by not giving in to his demands for access.

    Granted, this guy Noel made some mistakes and had some unfounded assumptions, and paid dearly for them. (The moral I learned from this story? Don't bother trying to communicate with the person who cracked your system; just secure and/or rebuild your systems and plug the holes that they got in before.)

    But your comments about "oh, some people are poking around because they're curious and don't mean any harm" just don't apply to this situation. As someone else said, if you want to learn how systems work, buy a PC, install Linux (or the *BSD of your choice) on it and use that for testing. If you meddle around in machines that you don't have legitimate access to, you deserve whatever punishment you get.

    Jay (=
  • I have to raise some points of what you have said, people may not think they are valid, or infact they may not like them.

    I think that cracking should be illegal full stop (but this would be hard to police accross the world). I also think there should be laws against attepmting to crack someones box, even if it is for curiosity.

    Analogy Alert!!!!!

    Think about it you leave your car in the street. Someone comes along and thinks, "I might be able to break into that, Even though I don't want to rob his wallet or the radio, let give it a try...No can't pick the lock, but I can put this brick though his window". You later come back to your car, you see that some one has tried to get in, the first thing you is to worry and check every thing is OK.

    This is the same thing the sys admin will do, he will check his logs, see that some one has attempted to break into his system, he/she will then have to do alot of checks to make sure that no harm has been done, even if the person was just curious. The cracker has then essentially caused enough trouble, because they have wasted the admins time in forcing them to do the checks, possibly causing disrubtion to the end user.

    Hope I have made my point clear.

    Paul Kinlan


    -
  • Cracking a system without permision is wrong, just plain wrong, regardless what you do in there. Especially since there are many security firms that have systems which you are invited to crack, in order for them to learn the exploits and counter them. For one thing, there is much more phun in breaking into a tightly secured box owned by a security firm than an obscure mail server somewhere in a company. Add to that the fact that you have no risk of meeting your new fiance Spike in prison, and you have a pretty sweet deal. For the cherry on top, many companies will even pay rewards of yup to 3 grand for a successfull crack.

    There is an incomplete list on this site [happyhacker.org]

  • I've had enough of working in telephone support and testing, and need to find some means of getting into plugging security holes full time. Reading articles like this, and playing with tools such as Nessus has convinced me that there are a lot of exploitable platforms out there. My home machine is secure, the only possible hole being my X server which I'm going to fix tonight.

    I've seen how lax many major organisations are when it comes to security (hey, we'll install a firewall, that will fix it), having worked with some sites that were a nightmare. Getting some customers to install ciritical patches was impossible until we refused to take any more telephone calls until they planned an upgrade.

    Unfortunatly, there's not much scope in the security field at my current place of work (too much NT). Anyone with any ideas on how to progress - BTW I'm based in Yorkshire, England.

  • I understand your position but I do have a question.. When your sisters linux box was cracked the first time I presume you helped her make sure that it was operating a "default deny" type of access control - that the system wasnt running services she didnt need etc - did the cracker get in the second time by exploiting an unpatched hole in one of the services she did need or by a back door you'd missed in the first cleanup? If everything needed was patched to current and everything else was closed off then you were right to tell her to pull the plug - if not then perhaps it was the wrong advice and helping her fix the underlying problem would have been more appropriate.

    Other than that I have to agree with you on every point.


    # human firmware exploit
    # Word will insert into your optic buffer
    # without bounds checking

  • I don't know jack about Linux, cracking, or whatnot, but the whole series was very enjoyable (a shame that Noel's systems had to suffer in order to produce such a well-written story). He didn't bother to explain what terms like setuid and statd meant, because he obviously was writing for a Linux-smart crowd, but even me in my ignorance of the Most Holy OS could understand the plight of a sysadmin facing down a cracker like that. I understood most of the terms in context, though. Very well done series in all!!
    -ryry
  • openbsd.org [openbsd.org]

    Three years without a remote hole in the default install! Two years without a localhost hole in the default install!

    .sigs are dumb!

  • Just out of curiousity (really, i'm not being a jerk here), what do you think is a 'real' security model?

    file level? system-wide? more like linux (BSD, NT, QNX, ad infinitum)?

    Rami James
    Guy that's curious
    --
  • ELEED Elastic Low-Energy Electron Diffraction

    From dictionary.com [dictionary.com] and acronym finder [acronymfinder.com].

    (I REALLY should get back to work.)

    Rami James
    Guy with too much work
    --
  • I think the other part of it is the idea that, by using this jargon, someone is "one of us" rather than "one of them." Jargons serve two purposes in linguistics:

    1. Shorthand for concepts. I mean, we could say "someone who enjoys figuring out how things work, or is a good coder or adept at coming up with solutions to problems," but we say "hacker" instead.

    2. Differentiation from the masses. To geeks phrases like "I don't have the bandwidth to read fiction these days" or "How should I know how to put the swingset together? RTFM" make sense, but to the outsider they can be as unintelligible as Cockney slang. (Misuse of jargon is also a red flag that someone doesn't belong, or is trying too hard to fit in.)

    So 31337 5P34k is both of the above for the script kiddie. However, in this case, there's a third dimension to it -- marking someone as a sad, pathetic individual who thinks that being able to read and write a simple substitution cipher and click a couple of buttons in a pre-built dialog box is a substitute for technical mastery of a computer and its operating system.
    --
  • Have you ever noticed how when it comes to hacking/cracking that it all comes back to a Unix variant of some form or another? Why is it the media (be it web based or otherwise)is always portraying Unix/Linux systems as being constantly hacked into or cracked? Why is it we never hear about all the NT or Win 2k boxes that get broke into? Too much emphasis is being placed on past mistakes rather than ways to fix them. Every OS has it's security issues (as does the majority of software on the market today). But yet the emphasis is always on script kiddies and the sys admins that were not prepared for them. And this type of attention gets the whole spotlight...rather than the positive things that make up the systems we love. With all of this kind of negative attention, people are getting so that they automatically equate Linux with kids that hack, or systems that are not secure, rather than looking at the systems strengths. It seems that when it comes to security, we have two type of admins. Those that don't care and those that are so paranoid it is pathetic (alarms going off when pinged??? isn't that a bit much?). The fact is that the Unix variant boxes don't get hacked anymore than NT or Win 2k boxes. The fact is that people who run these systems look for these intrusions more than the NT or Win 2k admins because of all of the attention regarding security within the Unix community. And rather than look at the positive aspects of a break in, people just complain about it. Which in part is understandable due to the time it takes to cover your bases. But at the same time, wouldn't it have been interesting to be Noel in this case? Hell...I'd love to track down the people who broke into my system. That would be one of the most interesting parts of system administration. And that is one of the best ways to continue ones education. Is by constantly being challenged. I'm just sick of Linux and other Unix type systems being frowned upon for "security" reasons.
  • I don't understand what Noel was thinking. The first thing to do when you are cracked is _not_ to leave your system open! He should have disconnected from the net (perhaps leaving a secured mail box running), and immediately backed up the home directories. He should have _verified_ the backups. Since the only irreplaceable data on a well-maintained unix system is in the home directories, it should be trivial to back it up properly.

    I can only assume that you haven't read the whole series. The system Noel works on is a heavily used collection of machines needed round the clock. While attempts to assess the damage were done early, the major cleanup (and securing) of the machines was done during a relocation, including backups - sometimes even though you have been cracked, you have to sit on your hands a little while you work out how to fix it. In an environment where lots of people need those machines for real work, pulling the plug on everybody is not going to make you friends and may leave you with a Cracker who knows that he/she/it has been spotted. That might (as Noel feared) bring about damaging action sooner rather than later.

    This brings up several interesting problems though for a network sysadm. Just when is the situation so serious that you have to disconnect and stop everyone else working? In a software company, losing the servers is a massively expensive problem - you effectively stop 90% of the possible work straight away, and you are going to have a large workforce twiddling their thumbs while the system is off-line. If this downtime is repeated or extended, the sheer number of working hours lost for a workforce of 1000 people can get very pricey very quickly.

    Assuming that your back ups are up to date, you can to a certain extent run the risk of 'rm -rf /' and only lose at worst a days work. From the system admins perspective, things only get really bad when you are being used as the launch platform for the next attack. At that point, even finding a sniffer could be sufficient reason to pull the plug, and finding a Trinoo or TFN master server or client would definitely be time to consider that disconnection.

    Cheers,

    Toby Haynes

  • Advocacy: And may I just take this moment to say: "OpenBSD: Like a Rock."
  • To a point, I would assume. While it's true that it's just not possible to stop a synchnoized flood-DoS attack, well-secured *NIX boxes seem to be much more secure (but also much more dangerous if they /do/ get in) than well-secured Windows-Whatever boxes.
  • By the same argument, Unix permissions are so complicated nobody (to a first approximation) uses them well either. Although the front-emd of Unix-style might be more streamline, having to create an "arbitrary" number of directories and groups doesn't sound less complex to me.
  • Have you ever noticed how when it comes to hacking/cracking that it all comes back to a Unix variant of some form or another? Why is it the media (be it web based or otherwise)is always portraying Unix/Linux systems as being constantly hacked into or cracked?

    I think it is because when an WinNT or Win00 box is hacked (Don't let anyone tell you they arn't being hacked.) the box crashes, and is then reinstalled. *nix boxes have extensive logging right from the moment you start the install process, so you have a way to find out what happened.

  • This (turning everything off) is pat (a small part) of why OpenBSD is more secure. Unlike other systems, the default OpenBSD install has just about everything disabled, and almost no optional programs installed

    This is also part (a big part) of why people will claim that OpenBSD is difficult to install and use. If you want 'dangerous' third-party software and services, you have to actively choose to install them.

  • Write the o/s to a bootable cd. THAT is something even VB can't muck up :)
  • If you have any others, reply to this post, or e-mail me personally, and I'll try to answer your questions.

    How do you set/unset the setuid bit? Is it something that's compiled in, or a mode you can (un)set as a superuser?

    For all of the information I can find on the internet for Linux, there seem to be some intersting holes...

    Jay (=
  • Perhaps this is more accurate:

    90% of unix sysadmin is accidentailly arcane, and nobody has ever bothered to fix it because it has indirectly brought about profitable support contracts and the job security and loyalty of sysadmins (who incidentally tie up their mastery of Unix with their personal self-worth).
  • Noel - Lots oh skill it takes to type rm -rf

    Translation into k1dd13 sp33k: "C'mon, I dare you to rm -rf me!"

    The mistake? Talking to him at all.
  • I disagree that kiddies drive the marketplace. The whole idea is fundamentally flawed: simply stated, companies don't market to 14-year-old kids downloading GaMeZ on their parents' Compaqs. If they did, we'd have seen services like ISDN becoming a lot more affordable many years ago. Instead, getting an ISDN line in, say, 1994 cost upwards of $80 per month plus per-minute charges, even for local calls! Yes, I'm buying into buzzword hype, but it appears that technologies like digital audio and video on demand are the reason why broadband access is taking off so well. (Like many aspects of the Internet, this started out on the high-speed networks of large universities.)

    These kiddies are not pushing the limits of security: more often than not, they merely write (or leech) scripts that exploit weaknesses that are publicly known. Perhaps one might conclude that this encourages admins to download the latest security patches, but it is very rare to see a script-kiddie-induced attack trigger a major security breach.

    Network admins will always be necessary, if only to meet the demands of constantly upgrading software and dealing with user and technical problems. (Some programs break without any script intervention, thank you very much.) Script kiddies keep network admins frustrated and angry, something I think we can all live without.
  • If you lack the alphanumeric knowledge to type like a script kiddie, you can now summon the vast powers of the Internet to immediately transform yourself into one of the chosen few.

    Ah, there it is.... [unc.edu]

    Enjoy. And use your powers wisely. :)

    w/m
  • Does it bother anyone else that the author of the article doesn't seem to be much of a sysadmin anyway? The first and most glaring indication of this is that he had no idea what state his backups were in. "The first problem we found with the tapes was that the disk space in use had exceeded the space available on the tape and not all of the home directories were on the recent tapes. The second was that not all of the old tapes worked. I had manually made a few backups of all the users configuration files and their public_html directories in a tar file and this was still on some of our tapes. So almost all of the users web pages were recovered. On the down side most of the mail in the mail spool was gone and some users had lost almost all their files." Seems like a pretty poor administration job from the start. As an admin on a multiuser service, your first responsibility has to be the data integrity of your users. Secondly, it appears that all he did was patch the hole that allowed the cracker in in the first place and started restoring the system. "Once we had the hole secured by turning statd off we connected back to the Internet and turned our services back on as we installed/configured." Maybe I'm paranoid, but if a system I'm running is compromised it doesn't get placed back on the network until it's been completely wiped and rebuilt. I'm yet to encounter a cracked box that didn't have numerous trojans and backdoors installed. Of course, without good backups it's an arduous task to rebuild the machine.
  • Just realised that you may look at my nick and think, "Ha! He is one to talk". Actually, 'wooly mammoth' and all the sane variations thereof were already taken. Thus it was that I had to embark upon the nick seeking journey which would lead to this moment of irony.

    I repeat, I am not an elite hacker. I'm simply an extinct mammal. Wait, that's even cooler. Hmm...

    w/m
  • i agree. but the point is people dont want to waste those 5 hours. heres an opportunity for all those distros out there - make a distro thats secure by default (replace wuftpd with the anonftpd read only daemon, replace sendmail with qmail etc etc), easy to install (think redhat), has all necessary services hardened, has a simple firewall set up be default and is compiled with stackguard as much as possible. im sure people would buy - hell i would. and i spend more than 20 hours a week hardening my boxes/checking logs etc.
  • Am I the only one who has the feeling that the Cracked story was published on the net before? I didn't remember the details but I knew was what going to happen all along.
  • by JJ ( 29711 ) on Tuesday July 11, 2000 @04:15AM (#943316) Homepage Journal
    Cracking may or may not be a bad thing. Like so many other things, it depends on the ethics involved. (That may be overly broad, I can't think of anything that doesn't depend on the ethics.) Cracking can be an innocent act of curiosity, 'can I enter the system'. On the other hand, using the authority of a sys admin for any but legit purposes is at least immoral and should be illegal. It's a pity our laws don't correspond to such simple ethics.
  • by Anonymous Coward
    Cracked is my favorite magazine, what do you mean it is complete.
  • by cowscows ( 103644 ) on Tuesday July 11, 2000 @04:22AM (#943321) Journal
    That's all fairly relative, take for example the recent story of that company pinging every computer that they find. The pings themselves aren't a threat to any networks, they aren't using them enmass to DoS, but admins everywhere are pissed off because it's setting off their alarms. Are the admins being a little paranoid? Sure, but it's their job to be. They've got computers that they need to defend, and they have every right to be suspicious even of an 'act of curiosity.'
  • ...was that of actually talking with cracker via IRC. From what I read in the series, about the only thing it did was to give the cracker a power trip and stressed out the poor sysadmins who had to deal with him.

    It's just like I tell people who are being stalked online, NEVER talk to the person, just ignore them. If you ignore them, they don't know what effect their actions are having on you, and whether they are succeeding in pushing your buttons or not.

    This isn't a substitute for securing your own systems, of course.

  • Sure if your windows get smashed, the window making industry will have more business, but it means _you_ have fewer resources to spend on other more productive/pleasant things.

    You will in fact be spending more resources on just repairing stuff.

    Would you prefer to have a stupendously huge window making industry, or rather have lots more people/industries doing fun and useful stuff?

    Yes, most glass windows are insecure, but people have got better things to do than ensure that all their windows are vandalproof.

    If your windows get broken regularly it means your neighbourhood is going down the drain, not that you are a poor houseowner.

    If I do come across an insecure system (I've seen many), I don't break stuff. I notify the owner, sometimes show them how its done and how to fix things and perhaps how to better do things.

    I believe that's the difference between being a good neighbour and a vandal.

    But one must be aware that there is a danger of being prosecuted for trepassing if you try to change stuff.

    There's a difference between seeing a door is open (through legitimate access), and walking down the footpath and actually shutting the door without the owner's permission. If you know the owner, then you could get away with that.

    But if you are strangers it is best to just notify the owner ("Anyone home?" "Your door's unlocked"), or the landlord/police. If not touchy people could prosecute you. Heh, not nice to lock someone out of their own house too ...

    In this day and age it is more and more evident that we are all neighbours. Most of us here are just seconds away from each other at most.

    I suppose living in a nice friendly village is out of the question but do we want to live in a War Zone? I suppose we can put up with a few nosey neighbours, but I don't think we should tolerate vandals going around burning down houses and kicking doors in. It's too late to say "no need for better security", but it's not too late to say : Vandalism is wrong, and we will not tolerate it.

    Remember: first it's vandalism. Then it often goes on to theft, robbery or worse.

    Cheerio,
    Link.
  • Well I typed my nick with a broken shift key on my Amiga. What's your excuse? ;-)

    (Note:This was a few years back on UK BBS's. The broken shift key-ism just seemed to stick.......

  • > If I see sombody sitting in a car outside my house observing it, I may walk up to him and talk to him, I may walk out and stare at the guy through binoculars, I may call the cops.

    Call a friend with a big black car and have him come park behind them and pretend he's talking on a handset.

    --
  • Look, I'm sorry that you got cracked, but if you (or your sister) spent five hours securing, maybe you wouldn't have had to spend twenty cleaning up. If you don't know how, then what business do you have putting systems on the Internet anyway? The world is a dangerous place. Better to recognize that fact in advance than to act like a naive mooncalf and then get mad at other people because reality got shoved in your face.

    The simple fact of the matter is that other people wasted his time by snooping around property that wasn't theirs. He wasn't railing against the laws of physics, so having "reality" shoved in his face is pointless.

    There is always someone smarter, who knows more or has a better exploit -- saying that it's simply "reality" that they will break into your system and waste your time unless you spend 24 hours a day securing your personal web server is at best offensive and at worst actively destructive to our society.

    Take some damn responsibility -- if you're cracking a system you're being an asshole and wasting other people's time and property. Reality has jack to do with it, and we shouldn't have to unplug our computers to satisfy your elitist view of who should and shouldn't be "allowed" to connect to the internet.

    The poster's original point was that there is no such thing as "harmless" hacking when it involves someone else's system. Even if he'd been totally secured, you still waste his time and network resources with vain attempts, and if you do succeed you waste even more...

    I'm an investigator. I followed a trail there.
    Q.Tell me what the trail was.
  • by Anonymous Coward on Tuesday July 11, 2000 @06:16AM (#943333)
    Articles like this one and my own efforts to wade through inconsistent documentation on how to secure a unix box make me question the whole unix security model.

    This model needs to be rethought from the ground up - perhaps retaining some of what exists but scrapping most of it becasue it is indeed worthless. In my opinion, 90% of unix sysadmin is intentionally arcane for the job security of sysadmins. The so-called "elite club" of unix sysadmins resembles more than anything the "tech men" in Asimov's Foundation. They understand little and innovate not at all, but carry on a tradition of maintaining their own power and restricting access to this arcande mumbo-jumbo among others.

    Some things like the method of authenticating users with passwords, the useleness of keeping unix systems built around a core of remote shell account logins which 99% of users never employ, though they once did in the old telenet days, etc., and the list goes on. Sendmail is a prime example of a program which has been patched and patched beyound recognition, and each patch or fix or enhancement is likely to create new exploits and bugs which don't show up until later. Why is sendmail the default even on single user boxes for home users? I think it is to create work for sysadmins who have "learned the ropes" and thereby justify their positions to employers and/or to clients for whom they do consulting work.

    While I do not particularly care for the methods and lifestyles of crackers and script kiddies who contribute little of value to the community, at least they contribute one thing. They usually can beat sysadmins at their own game with ease and even without much knowledge or skill.

    If the unix security model and other aspects of unix system administration were really well designed, much of what sysadmins do would be unnecessary. It is a crying shame that Linux and other open source systems mimic the flawed model of commercial unix instead of doing really innovative things to change it. Well, they have done a few things, but progress seems to move at a snail's pace.

    Perhaps I have been overly critical. Some sysadmins are very knowledgeable and do care about meeting the needs of their users. But even these don't seem to be doing much to change the entire nature of unix system administration, which requires active efforts to work with those who develop systems, not just patching this or that vulnerability in the systems they administer personally.

    I am sure some people have thought hard about this and come up with ways to modify unix at a deeper level to make it a more robust and sleek and easier to administer as well. Have specific suggestions for change in the unix standard arising from such studies ever been taken seriously?

  • The first crack was a gimme... they were running an old version of bind for which there were known exploits. It was a script kiddie... they even used "pico" as their editor of choice, so that tells you something...

    After that, I did what I could to clean house, and am pretty sure I found everything, and removed all back doors. The system was clean for a month or two, and used /etc/hosts.deny to shut down access from all but three trusted hosts, and installed the latest greatest patches.

    Then we got a serious crack by some sort of pro. To this day, I have no idea how they got in, and we only spotted them because their rootkit was defective (and ls -l showed /bin/login was last modified tomorrow! Yikes!).

    I told her to pull the plug until I set up a firewall for her. It is hard enough to set up a secure firewall, much less try and set up a full secure server. I said pull the plug because it was eating too much of our time.

    I would much rather have spent all the time devoted to the whole thing developing open source software, but until I can secure my systems effectively, everything else is on hold.

    Bill
  • by darkith ( 183433 ) on Tuesday July 11, 2000 @06:16AM (#943335)
    I dunno, I'd sure as hell get mad if somebody jiggle the locks on my house until he found a weak one, and then walked in and started poking "harmlessly" through my stuff just to see "if he could".

    Invasion is invasion. Perhaps he could have worked a little more proactively at security (no numbers, so I don't think anybody should make presumptions), but even if he didn't, that doesn't give anybody the right or excuse to crack the system.

    "If you don't know how, then what business do you have putting systems on the Internet anyway?"
    This is disturbing, I consider it akin to stating to a rape victim "You were wearing sexy clothes, so you were asking for it."
    Yes, people should take adequate precautions when exposing a system to any sort of connectivity, but hacking/cracking is still an unwanted invasion.

    There still seems to be an underlying acceptance of hacking for curiosity with the geek community. I think this is partly the problem with the lack of success in tracking and prosecuting hackers/crackers. Until it is truly accepted that any attempted breakin should be punished, the situation will likely not improve. As an analogy, most of the locks on doors and windows in my last few apartments have been shit. Fortunatly, I have not had to install the latest and greatest dead-bolts, because B&E is actually recognized as a crime by all parties. Nobody blames the victim of a B&E and says "Well, if you don't know how to install a 6" Deadbolt, you have no business living in an apartment..."

  • I'd blame the sys admins. As many other here do also. Why?

    First he did not have adequate backups. While I know that this happens at many sites, I personally have backups of my home system. At most I'd have to reinstall, but most of my config files I back up often enough that reconfiguring my system would be at most a few hours. Granted I have one system, and he has many, but that being the case is just more of a reason to make sure that you have adequate backups of your system.

    Second why did he talk to the hacker in the first place? He should have just started going through machine by machine and make sure that they were secure. Checking ALL of the software and looking to see what he was using that may have exploits. Yes a good place to go to find this info is on the net as the hacker said, but that is probably where the hacker went to find this out.

    Thirdly the sys admins should have been rebuilding and updating their system when they first found out they had been hacked. Box by box.

    Lastly if they did not catch this hacker and lock him away, I am sure that they have not heard the last of him, and if they are not careful they are going to get hacked again.

    send flames > /dev/null

  • by Anonymous Coward on Tuesday July 11, 2000 @06:19AM (#943338)
    Hugh Daniel showed me once exactly how to limit the damage a script kiddie can do, once he's cracked your host and gotten a root shell.

    Hugh's systems are all built with at least two drives. The boot volume is read-only. (I don't mean it's mounted read-only, I mean it's READ ONLY. After installing the OS, he pulls the write-protect jumper.)

    Right now, the machines that the FreeS/WAN project are hosted on are configured with a very clever device: it's a toggle switch. In one position, the boot volume is R/W. In the *other* position, the ethernet connection is live.

    A big part of the problem in trying to secure UNIX is that we keep trying to solve issues in the wrong domain.

    -jcr
  • by ywwg ( 20925 ) on Tuesday July 11, 2000 @06:28AM (#943339) Homepage
    I don't understand what Noel was thinking. The first thing to do when you are cracked is _not_ to leave your system open! He should have disconnected from the net (perhaps leaving a secured mail box running), and immediately backed up the home directories. He should have _verified_ the backups. Since the only irreplaceable data on a well-maintained unix system is in the home directories, it should be trivial to back it up properly.

    Only when a complete, verified backup has been made should he reconnect to the net (after cleaning up the cracks). The mere fact that he didn't check the backups first, when data hadn't been deleted, makes him liable for the damage. Quite simply, he didn't take obvious and common-sense measures to ensure his customer's data integrity.

    Am I wrong here?
  • EXCELLENT idea.

    A big part of the problem in trying to secure UNIX is that we keep trying to solve issues in the wrong domain.

    Dang, ain't that true? If a fraction of the energy devoted to overclocking / fps / video hardware & driver issues by the community was devoted instead to hardware-based solutions to security problems, a lot of the software problems might be a lot easier. Cool.

    WWJD -- What Would Jimi Do?

  • Was that supposed to be a lesson in 'how not to admin a network?'

    Backups that weren't backing everything up? And the admin wasn't aware?

    Dissimilar tape drives? Donated tape drives?

    Must not be a very serious business..
  • by Jon Erikson ( 198204 ) on Tuesday July 11, 2000 @04:29AM (#943345)

    They're obviously demonstrating the amount of redundancy in our alphabet and numeric system by showing just how few characters you can use whilst still remaining intelligible (just!). Rather than being "childish" they are in fact demonstrating a deep and intuitive understanding of information theory and entropy, one which we, as foward thinking people, should admire and indeed emulate!

    Or maybe not :)



    ---
    Jon E. Erikson
  • I noticed this earlier. Is it perhaps a precursor to a feature that will allow filtering out of comments with a UID above a specific number(eg 50000)? Could be interesting...

    So because some of us lurked for a lot longer before signing up for an account, we're somehow less qualified to comment than someone who signed up for account number 2 but does nothing with it but troll?

    interesting logic going on there...

  • It was kid in mentalaty, but he "showed" to know more that just running some scripts. Unless call writing c program also a script. But a "hey you earned it" was not a good thing to do. Ddos that hacker (a port scan of noel already gave him a log of lag) But if he was that good he better pursued some other goals than rm -f. -Some media hype things like "crack yahoo" -Go for the money. Either by getting it from banks CCards or earning it by cracking for money("security audits") by the way, it became a little bit predictive after story #5. somy already wrote it was statd.
  • Lance Spitzner's excellent five part trilogy, Know your Enemy [enteract.com], gives details from actual attacks on a honeypot [enteract.com].

    Included are useful details from somebody who could secure his machines to keep out the script kiddies, but instead choose to leave a few otherwise-unused machines undefended and log the results.

  • by generic-man ( 33649 ) on Tuesday July 11, 2000 @07:58AM (#943355) Homepage Journal
    Oh, come now. When DDOS attacks were hitting major web sites, they took down sites regardless of OS. And if you read Slashdot frequently, you'll notice many news stories about vulnerabilities, exploits, and security holes in Windows NT.

    The main reason why UNIX-like systems are featured in stories like this is because there's an element of suspense as the cracker types many commands, and the superuser can look at every move he makes. Even NT's Event Logger doesn't catch every damaging command, and from the exploits I've seen it's possible to take down a poorly safeguarded NT box without even logging into it.

    The scene of watching and dealing with a cracker is good drama, at least to Slashdot-reading geeks like myself.
  • Read the entire article series. this was NOT a business... it was a free service provided by volunteers. In other words, everyone had day jobs, and nobody had extra cash to do things "right."

    I still don't blame the sysadmin. Sure, he could have done a better job, but thats sort of like telling a victim of a mugging "Hey, it's your fault because you coulda learned karate."

    Let's not absolve the cracker of his obvious guilt by "blaming" the sysadmin.

  • You are right I should have verified the backups at least during the move.

    I can only plead inexperience and that I was a part time volunteer with a real job and a family.

    In hindsight I see many things I should have done differently.

    Noel

    RootPrompt.org -- Nothing but Unix [rootprompt.org]

  • Is it me, or does it looke like it's notcomplete?
  • It has all of a storyline for a television soap drama. At the end of the season there is also always something dramatic happening, like someone shot down. - read drive with bas backups rm -rf'd. This makes the series too dramatic to be true 100%. at least what I'm thinking....
  • by TuRRIcaNEd ( 115141 ) on Tuesday July 11, 2000 @04:36AM (#943367)
    IIRC it started as a way of getting around swear-filters on chat systems(while 'fuck' would not appear, 'phuX0R' would), and sort of permeated the BBS community, and then IRC. I'm not sure why it still exists. It seems to be used as more of a parody than anything else these days. Even the guy on 'Cracked' only seems to use it once, and he's using it to prove his advanced humour 'look everyone, I can do self-parody!). Most of the coders I know (around London) seem to use it sarcastically these days. 'Man, u r so '1337' tends to mean that what they've done is obvious, or a horrendous kludge.
  • As long as OSs don't use a REAL security model, we'll still hear some sad stories like this for a loooonng time.

    I don't know if EROS will ever become mainstream, but it's capability model sure looks interesting.

There is no royal road to geometry. -- Euclid

Working...