Berkeley CSUA MOTD:Entry 21430
2001/6/5 [Uncategorized] UID:21430 Activity:high
6/5     must read!  C:\WINDOWS\The Attacks on GRC_COM.htm
        \_ How?...
           \_ http://grc.com/dos/grcdos.htm
        \_ More MOTD entries like this one, please.
        \_ The man is writing his own B-tree in assembly. Clearly he is
                insane yet cool, kinda like Cliff Stoll
                                    \- cliff stoll is an immature moron
Cache (8192 bytes)
grc.com/dos/grcdos.htm
Acknowledgement of Debt to the World's Hackers" at the bottom of my "NanoProbe" page. I explained that while I did feel there was a distinction between an elite hacker and a script kiddie, I was someone who always took pains to be respectful of others' egos (when possible), and that I was unlikely -- unless provoked -- to casually refer to anyone using a derogatory term. I told him that while I was aware of a dispute that had erupted several weeks before in one of our newsgroups, and reportedly involved his friends "HeLLfiReZ" and "DrGreen", I had neither read nor participated in any of that conflict. He volunteered to speak with his friends and call off the attacks. He promised that there would be no further attacks from then on. Fortunately, that was the first night of our new and (so far) impregnable router filters, so we felt nothing across our T1's while Verio's router counted and discarded nearly five hundred and thirty-nine million (538,916,268) malicious bandwidth-consuming attack packets. From my dialog with "Wicked", I saw that these repeated attacks were "fun" for him. He was like a child pulling the legs off a spider to see what it would do, watching it flail and attempt to get away from its tormentor. And, as we have seen, he experiences absolutely no remorse and has no regard for any damage being done as a consequence. Hiding behind the anonymity created by the Internet's trusting technology, he exhibits no social conscience. I hope it is becoming clear to everyone reading this, that we cannot have a stable Internet economy while 13-year-old children are free to deny arbitrary Internet services with impunity. I wanted these attacks to stop, but I was certainly in no position to make any "parental" demands of "Wicked". While we were essentially functional, hiding behind our router filters, we could not remain behind them forever.
We were unable to send and receive "ping", "trace route" and UDP fragments -- all crucial requirements for full Internet function. In the long term this would pose serious problems for the delivery of GRC's Internet security testing services. This correlated perfectly with "Wicked's" claim to be using a "stolen earthlink". Since I had collected the exact dates, times, and IPs for each of "Wicked's" several dial-up connections, I felt that perhaps Earthlink could preserve the access and phone records in case the FBI might need them later. If his home phone number could be determined, we could identify him. I knew that Earthlink would never reveal such information to me, but I just wanted them to preserve the evidence against the possibility of future need. Two months before this, Earthlink's privacy officer, Les Seagraves, and I met and formed a good relationship during our quest to understand the peculiar Earthlink Browser Tag. Unfortunately, Les' voicemail explained that he would be out of town through the end of the month. So I got the name of Earthlink's director of corporate communications, Kurt Rahn, from a well-placed press contact of mine. Kurt was prompt with eMail, and he made lots of motivated-sounding noises, but nothing more ever happened. After waiting hopefully for several days, I finally spoke to Kurt on the phone and allowed myself to sound a bit perturbed. His many promises to have Earthlink's security people get in touch with me never resulted in a single contact from anyone. Hackers take note: Earthlink appears to be a safe haven for your operations. From everything I have seen, Earthlink couldn't care less WHAT you do, so long as someone pays the bill. Further note: The day after I wrote this, Les Seagraves returned from his trip and immediately returned my original voicemail message. Les was sincerely apologetic and wonderful when I explained the situation.
So I feel self-conscious over being as harsh about Earthlink's response as I have been here. But what I wrote is exactly what happened, and I don't know how else we will ever get ISP's to spend some money, and get involved in security issues, unless we begin holding them accountable for their inaction. This grants the hacker who is controlling the Zombie -- the "Zombie-master" -- absolute control over his victims' machines. Among the many invasions the Sub7Server Trojan enables is monitoring every keystroke for the purpose of capturing online passwords, credit card numbers, eBanking passwords and you name it. Now, you might think that this would be significant to @home's chief of security, Todd Welch, but it isn't. Refusing to have the machine IP's disappear and never to know what, if anything, had been done, I called back the next day and got Todd on the phone. I have no idea why, but he didn't sound at all happy to be talking with me. It was as if he wished this problem would just go away -- or that at least, I would. Since @home is in Redwood City on the Bay Area Peninsula, I thought that perhaps I could fly up to their offices, then he and I could make a few house calls on some Bay Area Zombie-infected @home subscribers. I was itching to get my hands on one of those nasty nightmares that had been plaguing us for the previous two weeks so that I could take it apart and figure out what made it tick. I told Todd that after I had dissected a Zombie, I might be able to come up with a way for @home to scan their network to find all of them. It turns out that I have found a way, but again, Todd and @home couldn't be bothered. He declined all cooperation of any sort, curtly adding that they work with the FBI, and no one else. As we will see next, this is a policy in dire need of change. Nice as it sounds on the surface, the realities of Federal government involvement mean that most of the time Todd and @home . 
He said that he carries a copy of PatchWork around with him to quickly demonstrate how vulnerable Windows servers are due to missing security patches. All of this made our introductions much simpler and smoother. COM's business model (such as it is :), these attacks were stirring up interest in my forthcoming research and it wasn't even clear that we were going to be economically damaged in any way. Furthermore, since the cost of an FBI prosecution was in the neighborhood of $200,000, they needed to prioritize their cases based upon prosecuting criminals who were responsible for causing large dollar losses. They said that a couple of agents might go out to his home and have a talk with his parents, but in this country his youth was an impenetrable shield. This, of course, further discouraged the costs which would be incurred through any investigation. Contrary to what you might presume, I did not regard any of this as particularly bad news. I felt that I should do what I could do in the legal arena, because I should. But I really didn't have any desire to be responsible for putting a 13-year-old behind bars. I have since told "Wicked" that if he doesn't wise up, in five years his "youthful offender shield" is going to dissolve and he could find himself in some serious trouble. He says that he was already in trouble with the FBI when he was eight -- for hacking government servers. His computer was taken away until he was ten, then he was carefully monitored for another year until he was eleven. I forwarded the information to him immediately, so now they have that stuff. I immediately volunteered to fly to Texas and begged him not to destroy any evidence until I got there. But that gave me an idea: Although the big ISP's are apparently so big that they no longer need to care about their customers, the smaller users -- like TAMU -- might be much more receptive.
So I sent out a mass of eMail to every smaller ISP and domain administrator of the infected attacking machines. I will never know whom to thank because they dropped the Zombie into our anonymous web-based Spyware drop-box. But it was all I needed to learn how these Zombies operate and then infiltrate the Zombie High-Command. Changing the first lower-case 'l' (el) to an upper-case 'I' completely hides the difference under Windows 9x systems because the font used by the Windows registry renders those two characters as a featureless vertical bar. My inspecti...
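The hiding trick described above (swapping a lower-case 'l' for a capital 'I' so the two names look identical in the registry editor's font) can be caught by comparing autostart entry names after collapsing visually confusable glyphs. The following is an added example, not code from the page or from GRC; the entry names and trusted names are constructed samples, and the confusable table is a deliberately small assumption.

```python
"""Flag Windows autostart names that mimic a trusted name via look-alike glyphs.

Added example (not from the page or from GRC). Canonicalise each name by
mapping confusable characters to one representative, then report entries
whose canonical form matches a trusted name while the literal spelling does
not, i.e. names that differ only by a glyph the UI may render identically.
"""
from typing import Dict, List, Tuple

# Assumed minimal table of glyphs that look alike in common Windows UI fonts;
# each maps to a single canonical representative.
CONFUSABLES: Dict[str, str] = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit one, pipe -> el
    "0": "o", "O": "o",             # zero and capital O -> o
    "5": "s", "S": "s",             # digit five -> s
}


def canonical(name: str) -> str:
    """Collapse confusable glyphs, then case-fold everything else."""
    return "".join(CONFUSABLES.get(ch, ch.lower()) for ch in name)


def find_lookalikes(entries: List[str], trusted: List[str]) -> List[Tuple[str, str]]:
    """Return (suspicious_entry, trusted_name) pairs.

    Registry value names are case-insensitive, so a pure case difference is
    not suspicious; only a confusable-glyph substitution is reported.
    """
    canon_trusted = {canonical(t): t for t in trusted}
    hits: List[Tuple[str, str]] = []
    for entry in entries:
        match = canon_trusted.get(canonical(entry))
        if match is not None and entry.lower() != match.lower():
            hits.append((entry, match))
    return hits


# Constructed sample of Run-key value names; "ExpIorer" carries a capital I
# and "Sys1ogD" a digit one where an 'l' belongs.
SAMPLE_ENTRIES = ["Explorer", "ExpIorer", "Sys1ogD", "TaskMon"]
TRUSTED_NAMES = ["Explorer", "SyslogD", "TaskMon"]

if __name__ == "__main__":
    for bad, good in find_lookalikes(SAMPLE_ENTRIES, TRUSTED_NAMES):
        print(f"suspicious autostart name {bad!r} mimics {good!r}")
```

The same canonical comparison works on service names, scheduled task names or file names pulled from an autostart inventory, wherever an operator reads the name through a font rather than byte by byte.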