Cyber Vigilantes

Fang wrote in to send us a link to an interesting article talking about Denial of Service attacks and Cyber Vigilantes. The internet is turning into more of a warzone every day. This is an interesting summary article to read. Worth your time.


  • Unfortunately the article didn't give a link to Electronic Disturbance Theater, so I will give one: http://www.nyu.edu/projects/wray/CHRON.html [nyu.edu] - This gives a record of previous EDT actions including the one mentioned in the article. The incident was not really a hacker attack; it was a coordinated effort by people around the world basically reloading the web pages of the Pentagon, Mexican President Zedillo and the Frankfurt Stock Exchange, not as a means to do harm, but to publicize and display their displeasure about the situation with the Zapatistas in Chiapas, Mexico. YA BASTA!
  • > The correct response to an attack is to 1) Filter out the offending packets 2) alert all upstream ISPs to the problem 3) working with the ISPs, try to trace the problem back to its source 4) shut off the connection as close as possible to the source.

    Much easier said than done. This was no traditional hacker attack. There was no single source. It was a coordinated action of civil disobedience by thousands of people across the world.
    1. If the attack was done with browsers, and it can be shut off just by sending back large files, we are probably dealing with people who wrote software for Yorktown on one side, and warez kiddies on the other. However, most likely people had a bit more clue, and the attack was automated while the response was just a ping flood. Not smart, but above the complete idiocy described in the article.
    2. One must protect his system by properly configuring it. I have seen a lot of people who got their boxes cracked because they configured them improperly, ignored advisories and updates, etc. -- this is the equivalent of having a house with no locks.
    3. If someone launches the attack from a vulnerable system he must expect that his vulnerability will be exploited, and it's pretty reasonable for the attacked sysadmin to do that. However, causing a DoS for the whole ISP where the attacker's box is connected is stupid and irresponsible.
    4. DoS by plain excessive use is a kind of attack a lot of things are vulnerable to. In some cases it should be expected, and the server should just be large enough to survive it unharmed. In some cases there is a need to respond to it by disabling requests from the source -- such an attack often requires large resources and can't change the source easily. DoS of other kinds may expose OS and application insecurity, and then it may be necessary to replace both things -- but this is life.
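The point made above, that "excessive use" from one box can be throttled per source while a coordinated reload by thousands of browsers has no single source to cut off, is easy to see in code. This is an added example, not code from the thread or from any tool it mentions: the combined-format access-log lines are constructed (documentation address ranges), and the window of 10 seconds and the limit of 20 requests per window are assumed thresholds.

```python
"""Per-source request-rate check over web-server access-log lines.

Added example, not from the original thread. The log lines below are
constructed; the 10 s window and the 20-requests limit are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_line(ip, second, path="/"):
    """Build a constructed combined-log line at 12/Jan/1999 15:24:<second> UTC."""
    return (f'{ip} - - [12/Jan/1999:15:24:{second:02d} +0000] '
            f'"GET {path} HTTP/1.0" 200 2326')


# Scenario 1: one host reloading the page 30 times in 10 seconds.
SINGLE_SOURCE_LOG = [make_line("192.0.2.10", s // 3) for s in range(30)]

# Scenario 2: 40 hosts each reloading twice within the same 10 seconds
# (the "coordinated reload" the comment describes: 80 hits, no single source).
DISTRIBUTED_LOG = [make_line(f"198.51.100.{h}", (2 * h + k) % 10)
                   for h in range(1, 41) for k in range(2)]


def parse(line):
    """Return (source_ip, timestamp) from one combined-format log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_in_window(times, window_s):
    """Largest number of events inside any half-open window of window_s seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i, start in enumerate(times):
        while j < len(times) and (times[j] - start).total_seconds() < window_s:
            j += 1
        best = max(best, j - i)
    return best


def per_source_peaks(lines, window_s):
    """Peak request rate per source address."""
    by_ip = defaultdict(list)
    for line in lines:
        ip, ts = parse(line)
        by_ip[ip].append(ts)
    return {ip: peak_in_window(ts, window_s) for ip, ts in by_ip.items()}


def flag_sources(lines, window_s=10, limit=20):
    """Sources whose peak rate exceeds `limit` requests per `window_s` seconds.

    These are the only addresses a per-source block (firewall rule, tarpit)
    can sensibly act on.
    """
    return {ip: n for ip, n in per_source_peaks(lines, window_s).items() if n > limit}


def peak_total(lines, window_s=10):
    """Peak aggregate request rate regardless of source."""
    return peak_in_window([parse(line)[1] for line in lines], window_s)


if __name__ == "__main__":
    for name, log in (("single source", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)):
        print(f"{name}: peak total {peak_total(log)}/10s, flagged {flag_sources(log)}")
```

With these inputs the single reloader is flagged at 30 requests per window, while the distributed set peaks at 80 requests per window with no source above the limit: the server has to be sized for the aggregate, because blocking by source address finds nothing to block.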
  • Well, I'd rather have the IRC script kiddies around than these not-quite-grown-up script kiddies with jobs who hire thugs to go break into people's houses.

    Breaking and entering, theft, and assault are all serious charges, and "they tried to break into our computers" is not going to cut it as a defense in court. I hope this Cipher guy goes to jail for a long time.
  • Those Red Hat boxes on a cable modem were probably *already* cracked. More likely than not, their owners are not the ones attempting to exploit your system, just the unwitting proxies in an attack on your system by somebody else who compromised their system first.
  • Java runs in a sandbox, which (assume it works) limits what you can do to attack.

    However I really wonder how effective any attack can be that relies on java enabled browser. Can we say overhead? I can program in C something that will allow my 386 to do more damage. I was going to say more but then I realised that the script idiots who do these attacks would use my idea for ill. I'm not a military supporter (Mind you I'm not anti-military, I agree we need them, but I would rather be an isolationist.) but anything they do to counterattack these kids is good in my book. Better of course would be to try them as adults and send them to prison for a few years.

    Parents, pay attention to what your kids are doing. Parenting is hard work, and you don't dare slack off; some of the nicest kids I've known have turned out to be crooks while the nose ring and tattoo kids have turned out to be honest once in a while. (I went to high school with both types. Both groups had about an equal amount of crooks.)

    bluGill, I don't know if this log in thing is working or not.

  • Personally, I don't see any problem with this sort of thing. Now, going on the offensive with DoS attacks in retaliation is another matter, but really this is more of an amusement than anything else.
    More importantly, this is a very good solution because it doesn't harm innocent users and it doesn't attack the user unless they ask it to. The attacker has to request the page before they get nailed. This is like a burglar cutting himself while breaking your window...
  • I thought it was pretty interesting, myself. Dunno about the fella who wrote it - a poster above seems to give him less than sterling credentials. But I think from a technical pov, it's kind of a neat concept.

    Sure, the best defense is a good admin with up-to-date info and the latest patches for the server/router/firewall. If the kiddies can't get in, they can do no harm. If they can't DoS or hijack you, you're cool. But it's still kind of tempting, I would think, to stick some reactive armor out there.
  • or call their parents...
  • This bugs the heck out of me for two very simple reasons:

    1. Floods don't just flood the target system; they increase load (sometimes dramatically) on all the routers and links between the flooder and the target. While many DoS attacks are not floods, a lot of the simpler ones (e.g. ICMP directed-broadcast amplified ping flooding, aka "smurf" attacks) are.

    2. I administer Linux and Unix systems for a small college. If some freshman IRChead here decides to do stupid things to some remote site, I would much prefer that the remote sysadmin send me logs and ask nicely for the problem to be solved, rather than trying to attack my systems.

    When I find a system here being portscanned, I don't start plotting revenge against the evil hAx0rZ. I do a reverse DNS on the originating site, get the admins' addresses from whois, send them the appropriate log clippings, with a nice note saying "I think you're harboring a cracker; please do something about it."

    This gets results.

    I'm *certain* it gets better results than smurfing the offending site back.
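The procedure in the comment above (pull the offending lines out of the packet-filter log, resolve the source, find the responsible admin, send the clippings with a polite note) is mechanical enough to script. The block below is an added example, not code from the thread or from any named product: the ipchains-style DENY lines, the reverse-DNS table and the abuse-contact table are constructed so that it runs offline. In real use `rdns` would be `socket.gethostbyaddr` and the contact address would come from a whois lookup of the netblock; the five-distinct-ports threshold for calling something a scan is an assumption.

```python
"""Turn packet-filter DENY lines into an abuse report for the scanner's ISP.

Added example, not from the original thread. Log lines, reverse-DNS table and
abuse contacts are constructed; swap `rdns`/`contacts` for real lookups.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ DENY \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def _line(sec, src, sport, dport):
    """Constructed ipchains-style deny line; 192.0.2.2 stands in for our host."""
    return (f"Jan 12 15:24:{sec:02d} gw kernel: Packet log: input DENY eth0 "
            f"PROTO=6 {src}:{sport} 192.0.2.2:{dport} L=60 S=0x00 I=1234 F=0x0000 T=64")


SCAN_PORTS = [21, 22, 23, 25, 79, 110, 111, 143, 512, 513, 514, 515]
DENY_LOG = (
    # one host walking a list of service ports: a port scan
    [_line(i, "203.0.113.5", 3456 + i, p) for i, p in enumerate(SCAN_PORTS)]
    # one host retrying a single closed port: noise, not a scan
    + [_line(20 + i, "198.51.100.8", 40000 + i, 80) for i in range(2)]
)

# Constructed stand-ins for reverse DNS and for the whois abuse contact.
RDNS = {"203.0.113.5": "dialup-5.example.net", "198.51.100.8": "www.example.org"}
ABUSE_CONTACTS = {"example.net": "abuse@example.net", "example.org": "abuse@example.org"}


def parse(line):
    """Return (source_ip, destination_port) from one DENY line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("src"), int(m.group("dport"))


def find_scanners(lines, min_ports=5):
    """Sources that probed at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for line in lines:
        src, dport = parse(line)
        ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def abuse_report(src, lines, rdns=RDNS.get, contacts=ABUSE_CONTACTS, max_lines=20):
    """Return (abuse address or None, report text) for one scanning source.

    The report quotes the raw log lines rather than a summary, so the remote
    admin can match them against their own records.
    """
    host = rdns(src)
    domain = ".".join(host.split(".")[-2:]) if host else None
    to = contacts.get(domain) if domain else None
    clippings = [line for line in lines if parse(line)[0] == src][:max_lines]
    distinct = len({parse(line)[1] for line in clippings})
    body = "\n".join([
        f"Source: {src} ({host or 'unresolved'})",
        f"Target: 192.0.2.2, {distinct} distinct ports probed",
        "I think you're harboring a cracker; please do something about it.",
        "Log clippings (UTC):",
        *clippings,
    ])
    return to, body


if __name__ == "__main__":
    for scanner in find_scanners(DENY_LOG):
        to, body = abuse_report(scanner, DENY_LOG)
        print(f"To: {to}\n{body}\n")
```

The two-hit host on port 80 is deliberately left out by the distinct-port threshold; a report about it would be the kind of false alarm that burns goodwill with the remote admin, which is the resource this whole approach depends on.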
  • The group that originally organized the attack against the Pentagon utilized Java applets on a page someplace. They had all of their buddies/members load the page and let the Java applet there perform the actual attack (I believe by spawning one or more windows pointing to the Pentagon site and having them continuously refresh).

    When the Pentagon put their "counter-attack" applet up (which detected the presence of the attacking applet and then started spawning new browser windows uncontrollably), it basically caused all of the attacking computers to run out of resources.

    It's really rather amusing. I don't really consider it a "vigilante" type of attack. In my opinion it was very effective and neutralized the attack.
  • Most of the kids doing these attacks don't just target one company. They tend to be repeat offenders and attack anyone and everyone that pisses them off. They are deluded into thinking they're untouchable behind that computer screen and for that reason, none of them would think about setting up video surveillance as you described.

    Typically, they're nothing more than your average adolescent anti-social IRC script kiddie. If they were really anything more (any sort of threat to corporate thugs), they would be doing something better with their time.

    I totally agree that breaking into homes and (even threatening) assault shouldn't be done, but I do sympathize with the companies who are victims of this type of Internet abuse. They usually have little (if any) affordable legal option.
  • I sent the story to slashdot when it happened, but it was apparently deemed unimportant.

    Basically, a group of people wrote a Java applet that allowed their friends/members to use their browsers to constantly load pages from the Pentagon servers. They could just start up this applet and go eat dinner while their computer helped in this massive collaborative DoS effort.

    The Pentagon, in response, put a Java applet on their own page that detected when visitors were using the attacking applet. When detected, the Pentagon's applet would then start spawning windows uncontrollably until the attacking PC's resources were eaten up.

    I thought it was a rather clever response. I don't feel they were being very "vigilante" about it at all. It was actually pretty amusing, and neutralized the attack very effectively.
  • It doesn't take a clever person to get a shell password from someone off of IRC, telnet to it, and run "./smurf victim.com". The "clever" part of the attack (spoofing IP addresses, the attack itself) is all built into the pre-packaged DoS program for the convenience of idiots everywhere.

    Though I do agree that actually tracking down people doing the smurfing is difficult, but it isn't impossible.

    You simply need to have the swift, clueful cooperation of every Internet provider at every hop the spoofed packet takes before it arrives at one of the reflector networks. So long as they're willing to help you out and provide you with information about what uplink *they're* receiving the spoofed packets from, you can track it back to the source. If the attack lasts long enough, this can be achieved.
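The smurf mechanics described in this thread (a spoofed echo request to a directed-broadcast address, a flood of echo replies at the victim) and the hop-by-hop traceback in the comment above can be modelled in a few lines. This is an added example, not code from the thread: the packet records, the reflector network, the ISP "ingress reports" and the network names are all constructed. It uses documentation address ranges, and the report dictionary stands in for what each upstream would tell you after checking its own routers.

```python
"""Smurf anatomy and hop-by-hop traceback of spoofed traffic.

Added example, not from the original thread. Packet records and the per-ISP
ingress reports are constructed; addresses are documentation ranges.
"""
import ipaddress
from collections import Counter

VICTIM = "192.0.2.2"
REFLECTOR_BCAST = "203.0.113.255"

# (src, dst, icmp_type): type 8 = echo request, type 0 = echo reply.
# Records as seen at the reflector network's border and at the victim:
# one request spoofed "from" the victim to the broadcast address, fifty replies.
PACKETS = [(VICTIM, REFLECTOR_BCAST, 8)] + \
          [(f"203.0.113.{h}", VICTIM, 0) for h in range(1, 51)]


def analyse_smurf(packets, victim):
    """Return ({reflector /24: reply count}, amplification factor).

    The addresses in the returned dict are the reflectors, i.e. bystanders
    whose hosts answered a broadcast ping; none of them is the attacker.
    """
    requests = [p for p in packets if p[2] == 8 and p[0] == victim]
    replies = [p for p in packets if p[2] == 0 and p[1] == victim]
    nets = Counter(str(ipaddress.ip_network(f"{src}/24", strict=False))
                   for src, _, _ in replies)
    return dict(nets), len(replies) / max(len(requests), 1)


# What each network reports about the spoofed echo requests destined for
# the reflector: (upstream network they arrive from, ingress port).
# upstream None means "they enter on our own customer port": the origin.
INGRESS_REPORTS = {
    "reflector-isp": ("transit-a", "uplink-1"),
    "transit-a": ("transit-b", "peer-port-7"),
    "transit-b": ("origin-isp", "peer-port-3"),
    "origin-isp": (None, "customer-dialup-17"),
}


def traceback(reports, start):
    """Follow each network's ingress report upstream until a network says the
    packets come in on its own customer port.

    Returns (hops, origin_port); origin_port is None when some hop supplied
    no report, which is the "every provider must cooperate" condition.
    """
    hops, current = [], start
    while current is not None:
        if current in hops:
            raise ValueError(f"loop in reports at {current}")
        hops.append(current)
        if current not in reports:
            return hops, None
        upstream, port = reports[current]
        if upstream is None:
            return hops, port
        current = upstream
    return hops, None


if __name__ == "__main__":
    nets, amp = analyse_smurf(PACKETS, VICTIM)
    print(f"reflector networks seen by victim: {nets}, amplification x{amp:.0f}")
    print("trace:", traceback(INGRESS_REPORTS, "reflector-isp"))
```

Two things fall out of this. First, every source address the victim logs belongs to the reflector network, so an automatic strike-back keyed on source address attacks the bystanders and never the origin. Second, the trace stops dead at the first provider that does not answer, which is why the comment's "if the attack lasts long enough" matters: the work has to be done live, hop by hop, while the packets are still flowing.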
  • There's a close-angle-bracket at the end of the URL, otherwise it works fine. Please remove this post when it's fixed.
  • It isn't too surprising that some companies hire former script kiddies to manage their security. This is just the sort of macho capitalist move that large corporations love-- "we can buy out our enemies!" Bad move, but not surprising. There's no way for these companies to get rid of workers like that, and an admin who uses tactics discussed in the article can probably extort whatever sort of salary he or she wants from the company.

    This is basic, first-day-of-school security-- beware the disgruntled employee.

    I think this represents a minority of the security community, though. There are CTOs that can make intelligent hiring decisions, and a good security person can handle their *personal* insecurities.
  • The Constitution guarantees us (well, some of us) the right to keep and bear arms. This particular clause has come under fire recently under the argument that it was created during a time when such rights were necessary because law enforcement was inadequate if not responsible for many crimes.
    Since this same government has classified cryptography as munitions, does not each citizen have the right to outfit their system with the most advanced security and counteroffensive technology they can afford? And if we are given the right to maintain such arsenals, are we not justified in using them when law enforcement is inadequate or responsible? But if everyone is bandying around such firepower the internet could get pretty spicy in the next few years.
  • Maybe I was unclear in my post. I'm not arguing whether guns or encryption should be illegal. I'm taking a guess at the future.
    My first point was that we are guaranteed the right to keep and bear arms.
    Second, the government has already set a precedent for information to be classified as a weapon. If we concede that a weapon does not need to cause physical harm but is anything which potentially gives you power over your fellow men, then a lot of technology could be considered weapons, including counteroffensive technology.
    Throughout history those who controlled the weapons, the warrior class, had the power to do a lot of damage to the populace. But in just about any culture I can think of such power was tempered by a code of conduct, which usually included the idea that you can blast away at other soldiers but leave the civilians alone. Maybe it's time for such a code to develop for today's warrior class?
  • I do believe that companies should strike back. If some kid is giving you a DoS attack then striking back will slap him in the face and make him realize that he is being an idiot. Not necessarily just adding his IP to the firewall, because he'll just dial back in and start again. You have to hit the stupid bugger so he'll learn.

    On the other hand I think that you have to be really careful with this sort of stuff. Say I'm trying to connect to some corporate web site and the info isn't getting through, so I keep on hitting the reload button. Hopefully the software is set up in such a way that it will only 'strike back' in the most dire of needs.
  • "We had to resort to baseball bats. That's what these punks will understand."

    Riiiight. I meet tons of ubermacho sysadmins (yeah, that's a common mix) every day who fly across the world threatening hackers/crackers with baseball bats. Nice reporting work. Wonder why the source is anonymous.
  • I'm putting together a response to this article and could use some help pulling together facts. This is the rough so far, and I'll be working on it today. I intend to submit it to wired, salon, cnn, Mr. Katz and call in to CNN Live tomorrow 1/14/99.

    Lando

    I've just finished reading Winn Schwartau's article Cyber-vigilantes hunt down hackers and I seriously question Mr. Schwartau's technical knowledge in this matter and knowledge of the cyber-community.

    My credentials are as follows. I am a systems administrator/analyst working on high end UNIX systems and have been in my current position for 2 years. I have been working on the internet since 1991 and before that was actively involved with BBS systems since the early 80's. I currently have 12 years of systems administration experience and over 20 years programming experience. I work within the computing field; however, computers are my hobby and after I leave work it is not unusual for me to spend 4-6 hours poring over code and working on personal projects. I am familiar with elite/cracking procedures and have worked with several hackers in the past in order to improve the security of my systems.

    Disclaimer: The opinions represented here are my personal opinions and observations. They do not represent any corporate opinion or policy within my current employer. Portions of this message were developed and expanded by reading the comments section of Slashdot(1)

    Introductions having been completed, I'd like to point out several problems with the news article posted by Mr. Schwartau. I believe this article was created to propagate fear and anxiety. I feel that the article is inaccurate and contains misrepresentation by Mr. Schwartau. Though it is the opinion of some of my colleagues that inaccuracy in technical matters is the norm, I feel that this article goes beyond acceptable limits.

    My primary objection is regarding the testimonial statements by Lou Cipher. To me these statements lack the ring of a professional system administrator. Referring to a post by Jabber on Slashdot(1):


    The fact that CNN would release a story in which it claims that a senior security manager at one of the country's largest financial institutions would actually say "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves", and incriminate himself by adding "We've broken in, stolen the computers and left a note: 'See how it feels?' and "We had to resort to baseball bats. That's what these punks will understand" is an absolute joke. No one in "that" position would speak to the media this way and expect to be taken seriously.
    The remainder of the article seems Kosher enough, but the Lou Cipher bit begs the question of where CNN gets its information. Our CIO may be Beelzebub himself, but as far as I know, he doesn't have a KooL NiCk.


    Jabber's opinion mirrors my own. As I see it the Lou Cipher character is one of three things: someone in IRC chat that was having "fun" with Mr. Schwartau, who accepted that the other was a system administrator without verifying credentials; or Lou Cipher is a young computer buff who feels he knows more than most about computer systems and was hired by promoting himself as a "hacker" to the financial company, though he probably is not a senior security manager; or Lou Cipher is a fabrication.

    In recent months various news organizations have been "caught" creating the news rather than reporting the news, this article and the Lou Cipher character bring to mind another article where the newspaper published a supposedly true story of a hacker demanding money, etc from a corporation.

    As I said, the Lou Cipher character is the most blatant problem I see.

    Other notes of interest include,
    The news article is presented as current day fact and happenings, whereas the DOD attack and response were


    That out of the way, I'd like to point out several problems with the news article posted by Mr Schwartau; specifically, I believe this article was created not as a news article, but more as a sensationalist article made to provoke fear and anxiety.

    (1) Slashdot
    Homepage: http://slashdot.org
    Section referenced: http://slashdot.org/articles/99/01/12/1524230.shtml



    http://www.nyu.edu/projects/wray/memo.html
    http://www.nyu.edu/projects/wray/Sept26.html
    http://www.nyu.edu/projects/wray/CHRON.html September 10th
    http://www.thing.net/~rdom/ecd/ecd.html Homepage Electronic Civil Disobedience
  • It's soooooo tempting to find two of these active firewalls and point them at each other. Look at all the grief that comes from "smurfed" pings, and those packets are supposed to be friendly!

    This has to be the stupidest idea since nuking accounts for 3 incorrect passwords.

  • I have a feeling this should be from the "everyone-sent-me-this-URL" dept.
  • Please, the last thing I want is a bunch of politicians trying to define what an attack is - the thought of this scares the hell out of me. What's even more scary is all the other legislation they'd try to pass along with it. Besides, the real problem would be enforcing the laws. I can't imagine the FBI taking time away from murder cases and the like to go to someone's house that's been scanning ports. The government is not the answer (since when has the government done anything well except the military and maybe the US Mail), nor is violence or physical action the answer (as the article talks about 'stealing' hackers' machines and using baseball bats). Companies on the net should work together to get these punks off the net. Most of them are probably on their parents' accounts and if the company were sent a letter or email and got the account canceled, problem solved. For those that use an account at college, same story.

  • "The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash."

    Why would anyone run this as an applet on the server? But an even better question is, how many serious hackers out there would launch an attack from a browser? This really makes me question the reliability of this article.

  • numbers 2 and 3 basically kill counter attacks all together.

    "4) If you make a point of sending out goons to pound on the doors of suspected hackers and threaten them with physical violence, what's to stop the crackers from being prepared for the goons... with something more than just baseball bats? (Like for instance, video cameras taping you saying "Hello, we're from XYZ corporation and we're here to beat the snot out of you!" Can you say "Civil lawsuit?" I knew you could!)Remember, you're at a BIG disadvantage on someone else's home field, where they may or may not be the son of the local police chief! "

    Better yet, I'd have my gun pointed at their head as soon as the door opened! I wouldn't let any goon threaten me in my house, and if I felt that my family was in danger (as I might if someone were to break down the door with bats) I wouldn't hesitate to act.
  • "Encryption is freely useable. Patent restrictions are about intellectual property rights, a completely different story altogether."

    In other words, encryption is regulated IN the US. Just because the status quo regulates something it doesn't mean that these laws are constitutional. The US has overturned laws that have been in effect for years because they were later ruled as unconstitutional (ie "Jim Crow laws").

    "your use of encryption has no affect on me"

    Actually, if a company is using little or no encryption (ie because of US export laws) to transmit sensitive data around the world, this could have an effect on you, more so if the data is _your_ personal info.

  • I've had these kiddies scanning my machines (I'm sure we all have) and it is sometimes interesting to do the same to them. Most of the time their machines are wide open, and even if you can't break in, you can do a lot of annoying things because they don't really know enough to figure out what is going on!
  • The really sad thing about this is that CNN is becoming about as objective as PCMagazine.

    The fact that CNN would release a story in which it claims that a senior security manager at one of the country's largest financial institutions would actually say "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves", and incriminate himself by adding "We've broken in, stolen the computers and left a note: 'See how it feels?' and "We had to resort to baseball bats. That's what these punks will understand" is an absolute joke. No one in "that" position would speak to the media this way and expect to be taken seriously.

    The remainder of the article seems Kosher enough, but the Lou Cipher bit begs the question of where CNN gets its information. Our CIO may be Beelzebub himself, but as far as I know, he doesn't have a KooL NiCk.
  • by ponyisi ( 13744 )
    It's not that hard to do a denial of service attack with an applet. Display a lot of graphics, allocate tons of memory, ..., and your standard wimpy OS won't have the ability to stop it properly.
  • Here's a nice little real-world application of the "retaliation defense".

    I am a sysadmin for a medium sized (300-500 million annually) multi-national corporation. Approximately 4 months ago, our firewall was DoS'ed and taken down. Fortunately, it illustrated an open port that I hadn't noticed. Even more fortunately, when I checked the logs, I found that the DoS attack came from a MUCH larger company.

    Upon further investigation, it was found that their sysadmin, in his infinite wisdom, felt the need to attack a spoofed address, hitting us.

    In short, our lawyers had a field day earning our company MUCH money (read: millions) in a nice settlement, and the sysadmin found himself out a job, and more than likely looking at a bit of difficulty getting another job in the same niche.

    So please, go right ahead, fuck around and retaliate people. I look forward to getting another sizeable raise for "earning" a large amount of extra income for my company.

    -Pheonix
  • by El ( 94934 )
    1) Who the heck uses a browser for a Denial of Service attack??? Methinks the author of the article must be near clueless...

    2) What happens when your automatic strike-back firewall accidentally targets another automatic strike-back firewall?

    3) Doesn't strike-back invite a whole new brand of DoS attack, wherein one fakes a route to goad a company into "striking back" against an innocent party?

    4) If you make a point of sending out goons to pound on the doors of suspected hackers and threaten them with physical violence, what's to stop the crackers from being prepared for the goons... with something more than just baseball bats? (Like for instance, video cameras taping you saying "Hello, we're from XYZ corporation and we're here to beat the snot out of you!" Can you say "Civil lawsuit?" I knew you could!) Remember, you're at a BIG disadvantage on someone else's home field, where they may or may not be the son of the local police chief!

    5) Doesn't use of force always beget use of force? If you claim my attack justifies your attack, can't I claim your counter-attack justifies a counter-attack from me? Isn't this sort of stupid, short-sighted thinking exactly what causes minor disagreements to escalate into wars, or Hatfield-and-McCoy-style feuds that go on for generations?

    Overall, I found the article to be blatant sensationalism, without the slightest hint of being based in research of facts. Even the poll about the correct response didn't have ANY reasonable choices! The correct response to an attack is to 1) Filter out the offending packets 2) alert all upstream ISPs to the problem 3) working with the ISPs, try to trace the problem back to its source 4) shut off the connection as close as possible to the source.

    Yes, I did once work for a firewall company that considered active counter-measures -- and then quickly discarded the idea for obvious reasons.
  • My sentiments exactly. No sane person would seriously contemplate active countermeasures...
  • Yes, you've got a right to defend yourself (with arms if necessary). But you DON'T have a right to go firing off shotguns when you have no idea what you're hitting. I would argue that on the Internet, it's never quite certain that the IP address you're retaliating against is in any way connected to the actual culprit you want to "get". Start blasting away at muggers and hit innocent bystanders, and you're likely to be staring down the barrel of a VERY expensive lawsuit...
