Cyber Vigilantes 69
Fang wrote in to send us a link to an interesting article talking about Denial of Service attacks and Cyber Vigilantes.
The internet is turning into more of a warzone every day. This is an interesting summary article to read. Worth your time.
Electronic Disturbance Theater (Score:1)
Questions (Score:1)
Much easier said than done. This was no traditional hacker attack. There was no single source. It was a coordinated action of civil disobedience by thousands of people across the world.
Attacks/responses/... (Score:1)
Bad Idea. (Score:1)
Breaking and entering, theft, and assault are all serious charges, and "they tried to break into our computers" is not going to cut it as a defense in court. I hope this Cipher guy gets in jail for a long time.
A little over the edge (Score:1)
Let me get this right, a JAVA counter attack (Score:1)
Java runs in a sandbox, which (assume it works) limits what you can do to attack.
However I really wonder how effective any attack can be that relies on java enabled browser. Can we say overhead? I can program in C something that will allow my 386 to do more damage. I was going to say more but then I realised that the script idiots who do these attacks would use my idea for ill. I'm not a military supporter (Mind you I'm not anti-military, I agree we need them, but I would rather be an isolationist.) but anything they do to counterattack these kids is good in my book. Better of course would be to try them as adults and send them to prison for a few years.
Parents, pay attention to what your kids are doing. Parenting is hard work, and you don't dare slack off, some of the nicest kids I've known have turned out to be crooks while the nose ring and tattoo kids have turned out to be honest once in a while. (I went to high school with both types. Both groups had about an equal amount of crooks)
bluGill, I don't know if this log in thing is working or not.
The attack really happened (Score:1)
Interesting article (Score:1)
Sure, the best defense is a good admin with up-to-date info and the latest patches for the server/router/firewall. If the kiddies can't get in, they can do no harm. If they can't DoS or hijack you, you're cool. But it's still kind of tempting, I would think, to stick some reactive armor out there.
Common Thugs (Score:1)
Why this bugs the heck out of me (Score:1)
1. Floods don't just flood the target system; they increase load (sometimes dramatically) on all the routers and links between the flooder and the target. While many DoS attacks are not floods, a lot of the simpler ones (e.g. ICMP directed-broadcast amplified ping flooding, aka "smurf" attacks) are.
2. I administer Linux and Unix systems for a small college. If some freshman IRChead here decides to do stupid things to some remote site, I would much prefer that the remote sysadmin send me logs and ask nicely for the problem to be solved, rather than trying to attack my systems.
When I find a system here being portscanned, I don't start plotting revenge against the evil hAx0rZ. I do a reverse DNS on the originating site, get the admins' addresses from whois, send them the appropriate log clippings, with a nice note saying "I think you're harboring a cracker; please do something about it."
This gets results.
I'm *certain* it gets better results than smurfing the offending site back.
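The log-clipping step of the workflow in the comment above, as an added example that is not part of the original post: it picks out sources that probed several distinct ports and drafts the note to the remote admin. The log format, the `min_ports` threshold and the contact address are assumptions made for illustration; the reverse DNS and whois lookups are left to the operator.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Jan 12 03:14:01 gw kernel: DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=21
Jan 12 03:14:01 gw kernel: DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=40113 DPT=22
Jan 12 03:14:02 gw kernel: DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=40114 DPT=23
Jan 12 03:14:02 gw kernel: DROP SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=40115 DPT=25
Jan 12 03:15:40 gw kernel: DROP SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80
Jan 12 03:15:41 gw kernel: DROP SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=80
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=\S+ PROTO=TCP SPT=\d+ DPT=(\d+)")


def find_scanners(log_text, min_ports=4):
    """Map each source that probed >= min_ports distinct ports to its log lines."""
    ports, clippings = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dport = m.group(1), int(m.group(2))
            ports[src].add(dport)
            clippings[src].append(line)
    # A client retrying one port (the second source above) is not a scan.
    return {s: clippings[s] for s in ports if len(ports[s]) >= min_ports}


def draft_report(src, clippings, contact, tz="UTC"):
    """Build the plain-text note for the remote admin; contact comes from whois."""
    ports = sorted({int(LINE_RE.search(c).group(2)) for c in clippings})
    return "\n".join([
        f"To: {contact}",
        f"Subject: Possible port scan from {src}",
        "",
        f"Our logs show {len(clippings)} blocked connection attempts from {src}",
        f"to {len(ports)} distinct TCP ports ({', '.join(map(str, ports))}).",
        f"Timestamps are {tz}. Source addresses can be forged, so please check",
        "your own records for this host. Log excerpt:",
        "",
        *clippings,
    ])


if __name__ == "__main__":
    for src, lines in find_scanners(SAMPLE_LOG).items():
        # Placeholder contact; in practice taken from the whois record for src.
        print(draft_report(src, lines, "abuse@example.net"))
```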
The *attack* was Java-based (Score:1)
When the Pentagon put their "counter-attack" applet up (which detected the presence of the attacking applet and then started spawning new browser windows uncontrollably), it basically caused all of the attacking computers to run out of resources.
It's really rather amusing. I don't really consider it a "vigilante" type of attack. In my opinion it was very effective and neutralized the attack.
Script kiddies typically aren't law savvy (Score:1)
Typically, they're nothing more than your average adolescent anti-social IRC script kiddie. If they were really anything more (any sort of threat to corporate thugs), they would be doing something better with their time.
I totally agree that breaking into homes and (even threatening) assault shouldn't be done, but I do sympathize with the companies who are victims of this type of Internet abuse. They usually have little (if any) affordable legal option.
The pentagon attack *was* browser-based (Score:1)
Basically, a group of people wrote a Java applet that allowed their friends/members to use their browsers to constantly load pages from the Pentagon servers. They could just start up this applet and go eat dinner while their computer helped in this massive collaborative DoS effort.
The Pentagon, in response, put a Java applet on their own page that detected when visitors were using the attacking applet. When detected, the Pentagon's applet would then start spawning windows uncontrollably until the attacking PC's resources were eaten up.
I thought it was a rather clever response. I don't feel they were being very "vigilante" about it at all. It was actually pretty amusing, and neutralized the attack very effectively.
"clever" script kiddies? (Score:1)
Though I do agree that actually tracking down people doing the smurfing is difficult, it isn't impossible.
You simply need to have the swift, clueful cooperation of every Internet provider at every hop the spoofed packet takes before it arrives at one of the reflector networks. So long as they're willing to help you out and provide you with information about what uplink *they're* receiving the spoofed packets from, you can track it back to the source. If the attack lasts long enough, this can be achieved.
Broken link (Score:1)
Not surprising (Score:1)
This is basic, first-day-of-school security-- beware the disgruntled employee.
I think this represents a minority of the security community, though. There are CTOs that can make intelligent hiring decisions, and a good security person can handle their *personal* insecurities.
Right to Bear Arms? (Score:1)
Since this same government has classified cryptography as munitions, does not each citizen have the right to outfit their system with the most advanced security and counteroffensive technology they can afford? And if we are given the right to maintain such arsenals, are we not justified in using them when law enforcement is inadequate or responsible? But if everyone is bandying around such firepower the internet could get pretty spicy in the next few years.
Misunderstanding? (Score:1)
My first point was that we are guaranteed the right to keep and bear arms.
Second, the government has already set a precedent for information to be classified as a weapon. If we concede that a weapon does not need to cause physical harm but is anything which potentially gives you power over your fellow men, then a lot of technology could be considered weapons, including counteroffensive technology.
Throughout history those who controlled the weapons, the warrior class, had the power to do a lot of damage to the populace. But in just about any culture I can think of such power was tempered by a code of conduct, which usually included the idea that you can blast away at other soldiers but leave the civilians alone. Maybe it's time for such a code to develop for today's warrior class?
A Thin Line (Score:1)
On the other hand I think that you have to be really careful with this sort of stuff. Say I'm trying to connect to some corporate web site and the info isn't getting through, so I keep on hitting the reload button. Hopefully the software is set up in such a way that it will only 'strike back' in the most dire of needs.
Baseball bats? (Score:1)
Riiiight. I meet tons of ubermacho-sysadmins (yeah, that's a common mix) every day who fly across the world threatening hackers/crackers with baseball bats. Nice reporting work. Wonder why the source is anonymous.
Help requested (Score:1)
Lando
I've just finished reading Winn Schwartau's article Cyber-vigilantes hunt down hackers and I seriously question Mr. Schwartau's technical knowledge in this matter and knowledge of the cyber-community.
My credentials are as follows. I am a systems administrator/analyst working on high end UNIX systems and have been in my current position for 2 years. I have been working on the internet since 1991 and before that was actively involved with bbs systems since the early 80's. I currently have 12 years of systems administration experience and over 20 years programming experience. I work within the computing field, however computers are my hobby and after I leave work it is not unusual for me to spend 4-6 hours poring over code and working on personal projects. I am familiar with elite/cracking procedures and have worked with several hackers in the past in order to improve the security of my systems.
Disclaimer: The opinions represented here are my personal opinions and observations. They do not represent any corporate opinion or policy within my current employer. Portions of this message were developed and expanded by reading the comments section of Slashdot(1).
Introductions having been completed, I'd like to point out several problems with the news article posted by Mr. Schwartau. I believe this article was created to propagate fear and anxiety. I feel that the article is inaccurate and contains misrepresentation by Mr. Schwartau. Though it is of the opinion of some of my colleagues that inaccuracy in technical matters is the norm, I feel that this article goes beyond acceptable limits.
My primary objection is regarding the testimonial statements by Lou Cipher. To me these statements lack the ring of a professional system administrator. Referring to a post by Jabber on Slashdot(1):
The fact that CNN would release a story in which it claims that a senior security manager at one of the country's largest financial institutions would actually say "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves", and incriminate himself by adding "We've broken in, stolen the computers and left a note: 'See how it feels?' and "We had to resort to baseball bats. That's what these punks will understand" is an absolute joke. No one in "that" position would speak to the media this way and expect to be taken seriously.
The remainder of the article seems Kosher enough, but the Lou Cipher bit begs the question of where CNN gets its information. Our CIO may be Beelzebub himself, but as far as I know, he doesn't have a KooL NiCk.
Jabber's opinion mirrors my own. As I see it the Lou Cipher character is one of three things, i.e. someone in IRC chat that was having "fun" with Mr. Schwartau who accepted that the other was a system administrator without verifying credentials, or Lou Cipher is a young computer buff who feels he knows more than most about computer systems and was hired by promoting himself as a "hacker" to the financial company, though he probably is not a senior security manager, or Lou Cipher is a fabrication.
In recent months various news organizations have been "caught" creating the news rather than reporting the news, this article and the Lou Cipher character bring to mind another article where the newspaper published a supposedly true story of a hacker demanding money, etc from a corporation.
As I said, the Lou Cipher character is the most blatant problem I see.
Other notes of interest include,
The news article is presented as current day fact and happenings, whereas the DOD attack and response were
That out of the way, I'd like to point out several problems with the news article posted by Mr Schwartau, specifically I believe this article was created not as a news article, but more of a sensationalist article made to provoke fear and anxiety.
(1) Slashdot
Homepage: http://slashdot.org
Section referenced: http://slashdot.org/articles/99/01/12/1524230.sht
http://www.nyu.edu/projects/wray/memo.html
http://www.nyu.edu/projects/wray/Sept26.html
http://www.nyu.edu/projects/wray/CHRON.html September 10th
http://www.thing.net/~rdom/ecd/ecd.html Homepage Electronic Civil Disobedience
So tempting. (Score:1)
This has to be the stupidest idea since nuking accounts for 3 incorrect passwords.
--
heh... (Score:1)
No more laws (Score:1)
hey, I was wrong... (Score:1)
Why would anyone run this as an applet on the server? But an even better question is, how many serious hackers out there would launch an attack from a browser? This really makes me question the reliability of this article.
Great questions... (Score:1)
"4) If you make a point of sending out goons to pound on the doors of suspected hackers and threaten them with physical violence, what's to stop the crackers from being prepared for the goons... with something more than just baseball bats? (Like for instance, video cameras taping you saying "Hello, we're from XYZ corporation and we're here to beat the snot out of you!" Can you say "Civil lawsuit?" I knew you could!) Remember, you're at a BIG disadvantage on someone else's home field, where they may or may not be the son of the local police chief!"
Better yet I'd have my gun pointed at their head as soon as the door opened! I wouldn't let any goon threaten me in my house, and if I felt that my family was in danger (as I might if someone were to break down the door with bats) I wouldn't hesitate to act.
Right to Bear Arms? (Score:1)
In other words, encryption is regulated IN the US. Just because the status quo regulates something it doesn't mean that these laws are constitutional. The US has overturned laws that have been in effect for years because they were later ruled as unconstitutional (i.e. "Jim Crow laws").
"your use of encryption has no effect on me"
Actually, if a company is using little or no encryption (i.e. because of US export laws) to transmit sensitive data around the world, this could have an effect on you, more so if the data is _your_ personal info.
disable their machine before they cause damage (Score:1)
The REALLY sad thing about this (Score:1)
The fact that CNN would release a story in which it claims that a senior security manager at one of the country's largest financial institutions would actually say "We are drawing a line in the sand, and if any of these dweebs cross it, we are going to protect ourselves", and incriminate himself by adding "We've broken in, stolen the computers and left a note: 'See how it feels?' and "We had to resort to baseball bats. That's what these punks will understand" is an absolute joke. No one in "that" position would speak to the media this way and expect to be taken seriously.
The remainder of the article seems Kosher enough, but the Lou Cipher bit begs the question of where CNN gets its information. Our CIO may be Beelzebub himself, but as far as I know, he doesn't have a KooL NiCk.
Sure (Score:1)
Just a little wake up call. (Score:1)
I am a sysadmin for a medium sized (300-500 million annually) multi-national corporation. Approximately 4 months ago, our firewall was DoS'ed and taken down. Fortunately, it illustrated an open port that I hadn't noticed. Even more fortunately, when I checked the logs, I found that the DoS attack came from a MUCH larger company.
Upon further investigation, it was found that their sysadmin, in his infinite wisdom, felt the need to attack a spoofed address, hitting us.
In short, our lawyers had a field day earning our company MUCH money (read: millions) in a nice settlement, and the sysadmin found himself out a job, and more than likely looking at a bit of difficulty getting another job in the same niche.
So please, go right ahead, fuck around and retaliate people. I look forward to getting another sizeable raise for "earning" a large amount of extra income for my company.
-Pheonix
Questions (Score:1)
2) What happens when your automatic strike-back firewall accidentally targets another automatic strike-back firewall?
3) Doesn't strike-back invite a whole new brand of DoS attack, wherein one fakes a route to goad a company into "striking back" against an innocent party?
4) If you make a point of sending out goons to pound on the doors of suspected hackers and threaten them with physical violence, what's to stop the crackers from being prepared for the goons... with something more than just baseball bats? (Like for instance, video cameras taping you saying "Hello, we're from XYZ corporation and we're here to beat the snot out of you!" Can you say "Civil lawsuit?" I knew you could!) Remember, you're at a BIG disadvantage on someone else's home field, where they may or may not be the son of the local police chief!
5) Doesn't use of force always beget use of force? If you claim my attack justifies your attack, can't I claim your counter-attack justifies a counter-attack from me? Isn't this sort of stupid, short-sighted thinking exactly what causes minor disagreements to escalate into wars, or Hatfield-and-McCoy-style feuds that go on for generations?
Overall, I found the article to be blatant sensationalism, without the slightest hint of being based in research of facts. Even the poll about the correct response didn't have ANY reasonable choices! The correct response to an attack is to 1) Filter out the offending packets 2) alert all upstream ISPs to the problem 3) working with the ISPs, try to trace the problem back to its source 4) shut off the connection as close as possible to the source.
Yes, I did once work for a firewall company that considered active counter-measures -- and then quickly discarded the idea for obvious reasons.
Re: Why this bugs the heck out of me (Score:1)
Right to Bear Arms? (Score:1)