Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Your Rights Online

All We Want Is Whatever's On Your Machine 235

kubla2000 writes: "A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet. What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from computerworld magazine shows, was a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this! It seems the bandwagons have started rolling. Who's next to jump on?"
This discussion has been archived. No new comments can be posted.

All We Want Is Whatever's On Your Machine

Comments Filter:
  • Measure for measure (Score:2, Interesting)

    by fluor2 ( 242824 )
    If they should be able to run code at our computers, they increase the security risk, since viruses may exploit these programs.
    • If they should be able to run code at our computers, they increase the security risk, since viruses may exploit these programs.

      That's why this will only encourage more defiance of copyrights - because the chances of any one of us having our security breached is much less if we all insist and expect each other to not support them. I think copyrights are old-world, and the sooner we get rid of them, the better.

  • by reezle ( 239894 ) on Sunday August 04, 2002 @06:11PM (#4009538) Homepage
    I seem to recall stories of hackers gaiing access to machines, then closing up all the security holes so the machine would stay 'theirs'....

    Who wants to get together and build a worm that does nothing but fix known security problems? We can make it grab all it's data from a chat-room, or web page, so it can stay small, but call upon a large database of known exploits, download them to the machine, and execute them...

    Perhaps self modifying? To take advantage of newer exploits as they are found, so it can continue spreading itself? (Again data taken from IRC or Web URL) Perhaps just several variants of the worm...

    What fun we could have!

    • by jmp ( 84073 ) <(ua.di.sttipnhoj) (ta) (nhoj)> on Sunday August 04, 2002 @06:21PM (#4009559) Homepage

      And what are the consequences if your worm has just one bug?

      How would you "recall" a faulty worm? Write another worm to chase it and kill it? Get real.

    • good thought, and it was tried once. unfortunately, it fell under the category of modifying a machine without permission, which makes it illegal. i think it happened in the late 1980s/early 1990s, buncha hackers got into serious trouble with the fbi over it.
    • This idea is good, but it has one fatal flaw...

      The worm is running around the internet fixing flaws, but how is it going to get into someone's system? Answer: A FLAW! You'd have to make a new worm for each new flaw that was discovered just to get into all the systems you already fixed.

      I just get this funny image of a vigilante crawling into someone's house through a broken window, fixing it, then finding that he's locked himself in. LOL!
      • Heh, what came first, the vigilante or the hole. :)
      • Wait. That's not right.

        If it gets in, then there's a flaw for it to fix. If it can't get in, then, while it may have other flaws, it doesn't whichever flaw allows your worm to infiltrate it.

        Now, there's a decent debate as to whether or not you could send your worm back out after you've fixed all the flaws, because, in theory, if you've fixed all the flaws in the system, the system should then be smart enough to not allow this code to be arbitrarily executing itself.

        Of course, it could fix a number of flaws, and set the last update to occur at the next reboot, ala a run_once entry (for example), then run shutdown -r 60, then send itself back out. After its rebooted, it shouldn't be able to propagate itself at all... or something.

        -9mm-
    • Remember Max Butler, aka Max Vision the guy the ran the whitehats website? He created a variant of a worm that attacked BIND, and had it patch the server. Unfortunately, he also introduced a backdoor.

      Last I heard he is still in jail (I maybe wrong about this).

      And yes, for a while it was common for a cracker to close the security hole while leaving a "secret" backdoor. Sometimes this was accomplished by placing a bogus entry in one's /etc/inetd.conf file; enter this port and gain /bin/sh with root priveleges. Word gets out (or a bunch of script kiddies are using the same exploit), and soon everybody notices strange packets trying to access some weird port.

      In the Windows world there are a bunch of trojans ports (27374, 31337, etc...). Unfortunately the back door was open to everybody.
      • Unfortunately the back door was open to everybody.

        True, back when I first used my Windows machine NetBus was popular in a chat room I visited. A girl I got to know sent me the server part so I could let her see what other people were seeing on her computer (NetBus was actually being run willingly by her as it was a fun thing to do) and being an old computer geek felt safe doing this. 5 minutes after getting the 'patch.exe' and running it, I found the client part online *google wasnt even around then - go webcrawler* and figured it out enough to connect to her computer and do more to her than she could do to me (ie control and execute other programs and lock her out of my computer *she actually complained that noone could connect to my computer and that I wasnt running the server until I gave her the password and watched the many computers connect*). I had to guess the password to her computer of course but the person who sent her the file put her kids name as the password which happened to be the only thing I tried. I ended up changing the password and telling her to not take any more files no matter how much fun they were if she wanted to maintain privacy (it wasnt just to pop the cd in and out as she claimed). I honestly didnt know what a 'port' was at that time and thought hacking an .ini file was fun but managed all of this. Its a good thing the 'bad hackers *dont abuse me for claiming crackers are hackers too - they are usually just stupid hackers whove found something they can take over the world with*' are also usually also stupid people.

        If you like laughing at crackers youll probably like that story.
    • That's a great idea.

      And how about in real life? Like contractors should roam the streets and randomly break into peoples' houses to fix things. No biggie right? If you come home and there are guys in tool belts breaking down your walls and moving your stuff around, you should welcome them with open arms, right?

      Oh and we should absolve these roving contractor crews from any associated liablities too. After all, they're doing it for the good of all.

      In the meantime, I'll stick with downloading and implementing fixes from trusted sources, and hiring bonded and insured contractors.
    • OK, so how do I know that the worm my server was infected by didn't include a trojan?

      Silly me... if I cared about things like that, I wouldn't leave my server infected, would I. ;-)

      How about if it just shut down insecure machines or publically shamed the owner?

      Xix.

    • I've often thought that the ISP should play a role similar to this for users on its network. They should be actively scanning for known vulnerabilities and upon finding one, they should block connections on that port and contact the user. Insurance companies should get involved and force ISP's to implement active defense mechanisms. It's pathetic that friendly machines don't scan each other for the purposes of mutual defense.
    • Yeah, you want to keep your worm in a Trojan(tm), or you might get a virus.
    • some people don't fix things because it would break other, more important things.

      E.g.: I have a computer at work that runs win2k that I have yet to install SP2 on because SP2 is known to have issues with Novell (and we run a novell/AD network). We're trying to migrate away from novell, but as long as it's in use, I can't just break it for the sake of a "more secure" computer.

  • Blaming the Victims (Score:4, Interesting)

    by Anonymous Coward on Sunday August 04, 2002 @06:16PM (#4009546)
    of a virus attack doesn't sound like good public
    policy to me.

    This can't be a good thing: just think of
    the court cases, and the added burden on the legal system.

    Imagine a scenario like this:
    Company A, B, and C are infected with viruses.
    Company A tells Company B to "santize your systems, and stop infecting us, !". Company B has santizied it's system, and tells Company A to "go pound salt".

    Company A, unknowingly infected by Company C but still blaming Company B shuts down Company B's system. Company B is not happy.

    Company B manages to bring it's system back up, and shuts down Company A in retribution.

    Lawsuits ensue. The courts, which could be ruling on citizen's issues instead, (like, say, overruling the DCMA), become backed up with corporate bickering. The citizens lose. Ugly situation.

    And that's not touching on any of the questionable ethics of government sponsored vigilantism. I'll
    leave that flamewar to others -- I imagine things will get quite toasty.

    • BlameGame (Score:5, Interesting)

      by SimplyCosmic ( 15296 ) on Sunday August 04, 2002 @06:39PM (#4009606) Homepage
      We've already seen something akin to this, at least on a small scale.

      Working as a telephone tech support person for a non-tech sector company, Klez was particularly annoying as we would get angry telephone calls from our own corporate executives about how our server based antivirus program wasn't working, as they were getting angry emails from people at other companies telling them to stop sending them the Klez virus.

      All because the damn thing sent false header information and someone outside both companies had been infected, people would continue to blame the wrong parties when their own antivirus program would point them at the wrong culprit, despite all the media stories explaining the damn thing in clear detail.

      We had a number of execs refuse to believe us when we told them their machine was clean, as "obviously" we were wrong according to the people at the other company. Even had one high up try to install her own antivirus program because she didn't trust ours and ended up trashing her computer.

      I just loved the whole telephone support deal during the peak Klez season. :P

      • all of the email i've been getting starting on friday. it started with delivery failure messages to people i hadnt sent email to. then i started getting email from virus scanning programs telling me i'm sending the klez virus to people. it's odd because i use pine to view/send email on linux. the email is also being sent by an account i only use to recieve email. i just dont want to get blacklisted or something because of a security flaw that occurs on windows systems.
      • Re:BlameGame (Score:4, Informative)

        by DennyK ( 308810 ) on Sunday August 04, 2002 @10:44PM (#4010242)
        At the web hosting company I work for, we still get complaints from clients insisting that our mail server must have a virus because people keep sending them mail complaining of Klez attacks from their email addresses. Even explaining to them that their mail account is on a Linux server that can't be infected by Klez doesn't do any good with some of 'em... ;)

        The idea of using worms or exploits to fix holes in systems you don't own, now...I think it's a bad one. The intent might be benign, but the results would likely be ugly. A worm that alters a system enough to close a security hole (even using an "official" patch or hotfix) could do some serious unintentional damage to a machine. Bugs in the worm itself, unusual system configurations, obscure software conflicts...the potential for completely breaking the target system is pretty high.

        Besides which, I don't believe anyone has the right to invade a system they don't own for any reason, benign or otherwise. I am all for convincing the owners of infected machines to clean them up, but there are ways to do this without cracking their systems. Complain to their ISP, their CEO, or someone else who can pull the plug on them until the problem is fixed, if you like. It may not work in all cases, but it can't hurt, and if it doesn't work..well, that's life on the Internet. ;)

        DennyK
    • The whole thing seems like Talsorian's Cyberpunk 2020 is coming to pass. If this goes much farther, companies will have teams of geeks trying to shut down the competition.. then maybe we can move on to corporate armies and such. Weee!

  • Time to burn some karma...

    Is it me, or is this story's headline totally incoherant? I re-read it twice and still only have a vague clue of what the links are going to be about. He couldn't even take some time to proofread or even close his parenthesis.
    • Personally, the headline seemed fairly clear. Yes, it's not exactly literal, but considering the context it should be pretty easy to tell that "we" refers to the media industry, and refers to their ability to hack their customer's systems.
    • by Xzzy ( 111297 ) <sether@tr u 7 h . o rg> on Sunday August 04, 2002 @07:23PM (#4009718) Homepage
      > Is it me, or is this story's headline totally
      > incoherant?

      No, it's cut straight out of 'The Slashdot Guide for Guaranteeing your Submission is Accepted', chapter 2 which discusses creating a sensationalist headline that enables people to leap to conclusions about a story before reading it.

      Bonus points are awarded for managing to make it sound like it's an issue of the man against the little man.

      Cause yeah, I picked that up too.. the headline and following text had almost nothing to do with the actual story.

      I'd suggest the guy submitted before reading the story, but trying to comprehend the lack of thought that would require makes my brain hurt.
    • I was just about to post something similar to what you posted. That is the most incoherent submission I've read in a while.
  • I thought it was fairly well balanced actually. Outlined the problems of "hacking back" in language that everyone can understand...
  • I really hope this catches on. Then all you have to do is send some virified email to your target before you hack it. "Sorry 'bout the thousands of dollars worth of downtime I caused you, but your network was spreading Nimda." It's a great idea, really it is.
  • by pete-classic ( 75983 ) <hutnick@gmail.com> on Sunday August 04, 2002 @06:27PM (#4009577) Homepage Journal
    I don't see where Mullen defends the "DOS for the sake of copyright."

    What he says on the issue is:
    Mullen said his hack-back idea is different because it is designed to improve the security of cyberspace and would not harm any computer systems.
    What he seems to be advocating is decriminalization of defending your computer against an active attack. I tend to agree. It's like saying it isn't theft to take a crowbar away from someone who is using it to jimmy your front door.

    The author has blurred all sorts of lines, viruses and worms, copyright and attack, defense of ones computer and defense of ones IP.

    I'd be interested to hear Mullen's comments on the story.

    -Peter
    • by hagbard5235 ( 152810 ) on Sunday August 04, 2002 @09:13PM (#4009989)
      Vigilante justice is not the solution. When I discover someone has burgled my house, and I have reason to believe I KNOW who did it, that does not entitle me to go break into their house to take my stuff back and avenge myself upon them.

      It's important to remember WHY vigilante actions are generally illegal:

      • They are highly error prone
      • They effectively invalidate all of the accused rights summarily.
      • They lead to chains of criminal behavior that can be hard to unravel.

      I can only think of one set of circumstances in which our culture and law condone vigilante justice: self defense of a human being against bodily harm.

      It is important to remember that computer crime is almost universally property crime. With rare exceptions there is absolutely no danger to the person of a human being posed by computer cracking, and thus no reasonable basis for authorizing vigilante justice.

      • "An eye for an eye and the whole world would be blind." -- M. Gandhi

        (And yes, I did write "M. Gandhi" because I don't know how to spell his first name)

        -a
    • Oh my God. Somebody else who actually read the story before commenting.

      The only "rant" in the story was from the anonymous author of the story (Reuters wasn't kind enough to let us know who the RIAA/MPAA hack was that wrote the story). This cowardly bastard quotes Mullen about whether it is ethical to hack back at a computer that is attacking one of yours and also mentions his use of an attack to push out a patch to his own network. Both interesting subjects but totally irrelevant to allowing the RIAA/MPAA to attack someone's computer because they think it is being used to possibly violate a copyright.

      The tie in between what Mullen would like to do (hack back at hackers) and has done (hijack an attack to push out a patch) and what Howard Berman, the RIAA and MPAA want is strictly in the author's mind. Mullen, unfortunately, must have given an interview to a "journalist" who makes Jeraldo Rivera look like a candidate for a Pulitzer. Shame on him for talking to such a low life.

      Some thoughts:

      1) More people should read the story before they comment.

      2) The few that do read the story need to read it more carefully (including the submitter who seems to have confused an anonymous author quoting someone out of context with statements by that person).

      3) My guess is Mr. Mullen's comments on the story wouldn't be printable in a "family" publication. If I were in his position, I know mine wouldn't be.
  • First they attempt to litigate, but they don't get the 100 percent returns they want. Then they try and remove our rights through precedent. After they get tired of precedent they buy off some disney lawmakers. They make it illegal to even teach people how to circumvent technological countermeasures to remove our fair use.

    Then through precedent, they make it illegal to link to pages which teach others how to circumvent technological countermeasures which remove our fair use.

    They have found the best route to getting their way. Disney politicians who can be bought, as they were bought by enron.

    We have got to change the american political structure. We must mandate 100% disclosure of personal monies and campaign contributions of all politically elected officials.

    In the meantime, perhaps autohack-backs on DoS need to start getting spread around.

    Who cares if you take down huge portions of the net, at least you'll get back at the RIAA for putting people like Britney Spears out there.

    • We must mandate 100% disclosure of personal monies and campaign contributions of all politically elected officials.

      You can find the contributions at OpenSecrets [opensecrets.org].

      You will discover that your favorite politicians are not only 4 sale, but that you can buy them for fire-sale prices.

  • Legal DOS Attacks (Score:3, Interesting)

    by Greyscale ( 597578 ) on Sunday August 04, 2002 @06:36PM (#4009599)
    Wouldn't any DOS-attack against an alleged "offender" also hit the bandwidth/resources of all the innocent systems along the way? I'm not sure how this wouldn't create lots of collateral damage for people who aren't involved.
  • If these stupid laws were passed, what would stop government agencies from just randomly entering your house to search for just about anything they thought you might have in there?

    Nothing would displease me more than waking up at 4am to discuss with a fireman who has a key to my frontdoor, the dangers of not having a smoke alarm.

    Seems more and more, you're guilty until you've been proved innocent.

    RIAA or MPAA come a knockin on my machine with the 'l33t0 toolz' they have, i'm perfectly within my rights to retaliate... afterall I dont live in the US of A.

    • Neither do I - I wonder how other countries will take crack attempts on their servers, or even better, what if someone does fake evidence pointing to (for example) a Chinese company's server as being a major warez/mp3z site - what fun!
      I'm not advocating that by the way *grin*.
  • Ninja. Lots of them.
  • In real life, if you're suspected of holding illegal copies of something your premises can be raided (with a warrant) and the items confiscated. If you're suspected of carrying a harmful virus that can easily be spread (i.e. your a public risk) then you can be quarantined. They can't treat you with out consent but they can still keep you away from the public.

    (you can just tell when your about to be modded down, yet you still cant help posting)
    • Re:Real life (Score:2, Insightful)

      And in real life, searches and seizures are handled by the police/FBI, and potential virus outbreaks are handled jointly by the CDC and law enforcement (though, depending on the circumstances, the military might get involved).

      The point is that the proper authorities already have the power to search computers for pirated data and viruses (with a warrant), so why do we need to give ordinary citizens (copyright holders and sys admins) this kind of power?

  • Seems to me that the RIAA and other such groups should think twice before declaring the start of this new arms race.

    It's like doctors questioning the overprescription of antibiotics -- the more agressive their weapons become, the more clever we will become in working around them. Increased use of antibiotics and other agressive medicine is creating superbugs. The same is true online:

    As the internet becomes more dangerous for p2p networks, only the stronger networks will survive.
  • I think we should all have the right to hack the people responsible for all of the stupid viruses we have today!

    ...and the best part is, Microsoft will never see it coming!

  • by Telex4 ( 265980 ) on Sunday August 04, 2002 @06:58PM (#4009662) Homepage
    If this article were advocating that people could go on "white-hat" vigilante attacks against people they didn't like, everyone would point out how ridiculous that would be. Well this is really pretty similar, because if you say that it is legal to crack computers causing problems to other computers, then you have all kinds of ways of weasling out of trouble for cracking. Script kiddies would be delighted!

    As usual, this just sidesteps the more important issue which is that of secure software. If Microsoft tied up he bugs in Outlook and finally realised/admitted that secure by default is more important than snazzy and integrated by default, we wouldn't have half these problems. And if the software industry in general were really made to be more careful about its security, we could sit back and relax *a little*.

    This sort of idea does little to prevent malicious scripts, and does a lot of encourage vigilantism, which is exactly the sort of nonsense that just makes things worse, and opens the legal doors to companies cracking into your computer to check if you've written about their products (y'never know lol).
    • If Microsoft tied up he bugs in Outlook and finally realised/admitted that secure by default is more important than snazzy and integrated by default

      You mean like Outlook 2K2 in the Office XP suite that keeps its security settings on a setting thats tighter than a fish's asshole by default? That's right. It now assumes every email is out to get you.

      Oh wait, my mistake. This is /. You people don't take notice of anything that Microsoft make less than 5 years old. That's why you still think Windows 98 is Microsoft's pinnacle of stability.

      This is all despite the fact that many (but not all) of the Outlook "viruses" required the user to actually OPEN the emails. Get over it already.
  • I'm no UNIX head (I just got Mac OSX a while back), and I recently remember reading about the RIAA wanting to sabotage our computers if they're running XNap, LimeWire, Kaaza, Morpheus [insert your favorite file sharing program here]. Would it be theoretically possible with UNIX/Linux/Mac OS X to take whatever DOS attacks the RIAA initiates, and somehow pipe them through right back at their own machines (using different port numbers, etc...)? I don't think it would be difficult to set up a port scanning program to detect "what was going on" and send DOS attack back right at them. They'd bring their own systems down very quickly that way if it works.
    • You could probably get the crap they throw at you turned around and thrown back at them.. but it still has to go through you - so if they were planning on just making your puny adsl connection unusable by beating it up with theirs and their friends many big fat pipes it would make no difference - all the traffic goes through your connection.
      If they were going to be exploiting some bug in the filesharing software that they discovered, then the only way to stop that would be to block the port to your filesharing program.. which means you wont be sharing anyway, so, they get what they wanted. It would be possible to block incoming connections from riaa.[org/com] and friends, but they could get round that.
  • by EdMcMan ( 70171 ) <moo.slashdot2.z.edmcman@xoxy.net> on Sunday August 04, 2002 @07:06PM (#4009679) Homepage Journal
    Come on, wake up and smell the coffee/pizza/flowers or whatever you want to smell, but there's no way "self defense" cracking is going to become legal. Without someone drawing the lines, the line between cracking and "self defense" will be very blurred:

    "Well, his computer pinged me a few times, so I used a buffer overflow to gain access to his machine, and formatted his harddrive."

    As you can see, there are two issues that are left unresolved: what defines an illegal attack, and what defines an appropriate "counter attack".

    As for this falling under a self-defense part of the law, I would suggest looking at the goal of self-defense: stopping an attack against you. Self defense does not mean kill someone, does not mean detain someone, or anything else. Although it is possible that those could be necessary in an act of self defense, in most cases they are not.

    With all this in mind, take a look at how you can stop the attack on you. The best way would be with a firewall or patching the problem. From there on, you should report the problem to the authorities (ala "real life"), probably being the machine's isp, and possibly the police/fbi.

    Vigilanties are not protected by the law, and their best hope is to convince a jury/judge that they were doing the "right thing". Unfortunately, most of them aren't qualified to make that decision :]

    • And what about wide-open machines that we all sometimes inadvertently trip over? What if the owner notices your unintentional visit and retaliates by assaulting your machine? That's kinda like digging a hole in the sidewalk, then shooting whoever stumbles into it in the dark.

      And then there's the problem of someone retaliating against a dynamic IP address. It may have been the right person at the very moment of an intrusion, but by the time the admin gets around to checking their logs, it's whoever else happened to dial into that POP. Then someone totally innocent gets nailed instead, just because they happened to get assigned the same IP address as yesterday's miscreat.

    • If someone punches me in the nose, I can kick him in the nuts. And if he's a better, wiser person for it, so much the better. Now that doesn't mean I can incinerate him with one of my thermonuclear weapons, kill the whole town, beat him to death, or even go all ninja on him until I get that "so sweet I want to crap my pants" feeling.

      AFAIK I get to beat on him till he quits, unless I want to skip right past go, and land my ass in a place where "getting doubles" has nothing to do with dice.
  • Isn't it obvious? (Score:2, Interesting)

    by Anonymous Coward
    If hacking is illegal, only criminals will hack.

    To protect ourselves, we need to make justified hacking legal!

    God knows the world doesn't have enough hackers.

    Now, seriously... if it's possible to do something nasty, like spreading a virus or disabling a remote system, someone will do it - regardless of what the law says. This is true of all laws, whether we like it or not. There are two important differences in the 'digital' world:

    - The Internet is such a hopelessly confused tangle of metaphors that often we have trouble telling exactly how our normal ideas apply.

    - The Internet is not like the physical world, and often our ideas don't apply.

    Now, the point here is that while laws can help protect the Internet, the actual solution - perhaps the only solution - is for our machines to protect themselves. No - that's the wrong metaphor. There's no reason a computer needs to start running a bit of malicious code just because of a bunch of bytes it happens to read through the network. Our computers can only be hurt by others if they themselves allow it.
  • Not to clean the mess I make in my computer room.
    Leave all those papers where they are,
    Don't touch anything, I like my computer room this way.

    Now, I should go to my rep. and told him not to touch my computer. If it is full of virus, leave it like that. I like it the way it is. Thanks.
  • by Anonymous Coward
    this would most likely fall under the category of "those who would give up essential liberties for a little temporary security deserve neither" (and all its variations through history)

    Basically, even if you take away the factor of 'trade offs' (of security/privacy vs freedom) and personal freedom in general, the fact is that history has proven that such tactics in the end not only fail to accomplish their goal, but the cost to achieve this failure only adds more injury. What finally adds insult is the fact that the vast majority of time, the problems actually become WORSE, whether from direct or indirect results.

    Now the part that pisses me off is people's response to this little historical lesson. Many refuse to actually heed the lesson but only bastardize aspects of it to fit their self centered needs. This is much akin (in many ways) to the situation where a child will justify (instead of reason) with very hand selected 'facts' as arguments simply to get some nintendo game, cd, bike, etc. Any sort of logical analysis and use of reason is only mimicked and faked. When people like this never grow out of this but age chronologically they continue to use such 'thinking' to justify positions in things like politics and lifestyle choices.

    Well, either way... even if self labled 'heroes of the people' that are in reality only petty whoring thieves choose to use this fact as an excuse I suppose there is nothing to be done about it. The fact remains, regardless of how the short sighted, greedy, and manipulative sheep refuse to acknowledge that their actions cause more problems form them and others down the road (as if they EVER trully think of anyone else), the problem requires education not FUD or their reactive responsive FUD.

  • my head hurts (Score:2, Insightful)

    by applejacks ( 536591 )
    This made no sense whatsoever. The only coherent point I read was reply about how hackers break in and then patch the system. Whats so bad about that? Lets look at facts Pat.
    o -- Lazy System Administrator is paid $75,000 dollars a year to secure a server.
    o -- Over worked and under paid factory worker is paid about $15,000 dollars a year and spends his leisure time chating on IRC and hacking unsecure systems.
    o -- The later, takes time and helps the aforementioned secure his system. While he spends some quality time at the fairway play 18 holes of golf.
    I don't see no problem. I concur that they need to switch jobs.
    Back to you Pat.
    In other news.. Scientists have unravaled the mysteries of how chocolate pudding will prevent cavaties and reduce heart disease.....
  • I've been cranking on this idea for a while and it may be possible to thwart the RIAA. Some really smart encryption heads/programmers could tweak the current file sharing protocols to switch port numbers, route the data to dead end/non-existent IP addresses using some complicated algoerithm. Yeah, it might take a little longer to get your file (MP3, let's be honest), but the DOS attacks wouldn't be able to go through since your IP address would "flicker" in and out of existence. From the perspective of the network, there would be periodic and unpredictable breaks in the network. A LimeWire-type P2P would be pretty cool, switching port numbers, and periodically breaking connection (for a finite amount of time, then reconnecting). With everyone's computer running this program, the network would be a virtual Christmas Tree of flickering IP addresses and port numbers. It would even be cool if a series of virtual or decoy IP address existed, making life very complicated for the RIAA DOS attacks. Gah-ah-lly, my imagine runs wild, I just wish I had the programming knowledge to make his work. It sounds so fun. Of course, this assumes that the stupod law passes through Congress. Is Joe Smith transferring files illegally or not? I'm sure some Ivy-League Geek will figure this out. The RIAA doesn't have a chance.
  • by Anonymous Coward

    Using his technique, the computer that launches an attack is paralyzed and requires an administrator to restart it, but it stays online and is not otherwise harmed, said Mullen, who is a columnist for SecurityFocus.com

    Requires an administrator to restart it? Do they mean it basically crashes and has to be rebooted? How does that do anything to solve the virus? Sure it temporarily disables it, but if it's a 9x/ME box there is no "administrator" and if it's NT/2K/XP there may be many people with admin rights. Furthermore, your average grandmother-using-aol-on-her-emachine would have no idea what to do, or that she has a virus, or what a virus is. Temporarily disabling machines doesn't do anything to solve virus problems. The only thing that will solve virus problems is educated computer users, and that is unlikely to happen anytime soon.

    • >Requires an administrator to restart it? Do they mean it basically crashes
      >and has to be rebooted?

      Probably, yes. I don't know what exactly Mullen is doing, but I suspect it's similar to one of the "return fire" solutions I've implemented:

      HTTP requests for default.ida (of Code Red fame) are redirected to a PHP script via Apache rewrite directives. That script pulls the REMOTE_ADDR environmental variable, which contains the IP address of the infected machine, then sends two requests back to that host:

      http://$host/scripts/root.exe?/c+iisreset+/stop
      http://$host/scripts/root.exe?/c+rundll32.exe+she l l32.dll,SHExitWindowsEx+5

      If you're so inclined, you could use root.exe to do something more conspicuous in the hopes of alerting the user to the problem. For example, instead of shutting down the remote machine, you could create some directories named @ATTENTION_ADMINISTRATOR and @YOUR_COMPUTER_IS_INFECTED_WITH_A_VIRUS in the C drive. That's bound to get someone's attention eventually.

      Shaun
  • by Critical_ ( 25211 ) on Sunday August 04, 2002 @09:09PM (#4009976) Homepage
    Disclaimer: I'm probably going to burn more krama with this post since my ideas don't jive with some of the current moderators. I guess that's the price of being honest and an individual thinker.

    I don't think anyone has the right to be mucking around with anyone elses system. To quote from the article:

    "It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person," Chassot said."

    I agree with this since you cannot always get the right person. Furthermore, why even attack another machine when you can go about it in more civilized ways. The internet is not the wild west, rather it [was] a place where individuals could be trusted. Unfortuantely, with the boom of the cyberworld we get the not-so-good citizens. But what defines our character? It's the fact that we stick with our civilized ways even when dealing with those who are uncivilized. I don't want my machine to be disabled or attacked just because someone spoofed my IP. That would piss me off and then they would be protected under this law they want to propose.

    TO further quote: "This is a type of defense of property," she said. "There is a lot of sympathy for that (kind of action) from law enforcement and vendors because we do have such a big problem with viruses."

    I'm sorry, but just because someone pee'ed on your lawn from my lawn doesn't mean that you rip up my front yard. Viruses are written and we will always have to deal with that. The people who should be paying for it are the ones who use the virus for malicious purposes. We shouldn't be targetting the virus writters since one man's virus is another man's utility/shortcut/etc.

    As for copyright holders putting decoy files on networks... they can do that all they want. People will just adapt and write software to counteract the flood of this crap. Back in the days of audiogalaxy, people used to rename MP3's and put them online under a new name. But it was easy to spot the crap files since they would be coming from a couple specific hosts. When it got really bad, I just moved on to another network.

    • > "It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person,"

      Yeah, but the RIAA doesn't have this worry. Several of their spokesmen have already informed us that everyone is now downloading pirated music. So whoever they attack, they got the right person.

      (Do I need a smiley here? Nah ... )

  • You'll do just as i did. Write your representative and tell him to vote NO on the bill.

    If we let them get away with this, pretty soon there will be no more rights.

  • by Bloody Bastard ( 562228 ) on Sunday August 04, 2002 @09:32PM (#4010065)
    Maybe it is a good idea to deal with lots of infected sites trying to attack your system... But, if we have so many vulnerable sites, how many clueless sysadmins do we have? And what if all these sysadmins start shutting down computers that they *think* are causing some kind of problem???

    But I would be glad to shutdown some spammers...

    ----------------
    this message has been espeled.
  • If what we want to do is stop viruses and worms and the like, there's a simple thing we could do that would eliminate over 99% of them.

    Just ban all Microsoft systems from the Internet.

    The remaining handful of viruses and worms wouldn't be enough of a problem to get the media's attention. We'd want a mop-up operation to stop them, of course. But that would be a minor technical project that the media wouldn't find interesting.

    We should have done this five years ago, when it was becoming clear that Microsoft had no intention of fixing the security holes they were building into their systems, and their customers were too clueless to demand fixes.
  • It is illegal to attack a machine that is attacking you. It's illegal to release a worm/virus into the wild. However, its NOT illegal to participate in its distribution simply because you're too inept to keep your machines patched. Those who are indirectly causing all the damage will suffer no liabilities as a result. And perhaps punishing them isn't the answer.

    However, look at it from the worm's perspective. It seeks only to invade and to reproduce. It doesn't care about legalities or consequences. It will do what its designed to do, and will do so indefinitely until its means of propagation has been eliminated. The vulnerable machines are out there. They will always be out there. And as long as they're out there, there will be breeding grounds for worms.

    We need to meet halfway on this one. If we can't attack the machines that are already attacking us, we should at the very least be able to stop the problem. In fact, it makes sense to stop the problem before it even starts. If someone is running an unpatched system, they're going to be the participants in a worm redistribution program eventually. If it has to happen, let it be a benign worm that hits it. Invade the machine, fix all known holes, then propagate to a set range of addresses, then die. No more worms for that host, and in a matter of hours, that exploit will have been completely removed from the world, or at least as well as the worms could find it.

    Perhaps at least with XP's automatic updates, these patches might be implemented on a regular basis. However, what about all the people that don't allow themselves to use the automatic update features? There are plenty of pirates and security wary but otherwise legitimate users who won't use the automatic update features. Those machines are just as vulnerable. IF the user isn't willing to patch them, then let someone legitimately be allowed to do so. Or at least look the other way when it happens.

    -Restil
  • Use the law? (Score:2, Interesting)

    by number11 ( 129686 )
    Consider. Anything you write is protected by copyright automatically.

    Let's suppose you write an email. While it shouldn't be necessary, perhaps you might include an explicit restriction in the body of the email, or at the bottom like lawyers often do: "This material is copyright by the sender and may not be reproduced in whole or in part by any means, including but not limited to reproducing on paper via a printer, forwarding to any other mailbox, storing on punch cards, paper tape, magnetic tape, optical media, or any other machine-readable form of reproduction. If you wish to reproduce this item, licenses are available from the sender for a nominal fee."

    Let's suppose you sent your email to the RIAA. They are entitled to exactly one copy, which will end up in the mailbox of the receptionist. This will pose a dilemma, which will probably be solved by violating your copyright.

    You might find it necessary to take steps to protect your intellectual property.
  • I wrote a script on my server web server (that constently gets hit over and over by nimda... about 300 times a day it seems) to use the vonrobility against them.

    It uses nimda vonrobility to hit them back and gives them hundreds of popup messages thruout their system, telling them to apply the patch and get some type of security (then the scripts delete themselves).It also applys an "at" command to launch a vbs file on their system to remisystem nd them to get a patch.Just anough to anoy them.

    It work seems to work. I impliment this because I work at a very small ISP here in town hosting dsl lines. Our lines are always getting eatten up by nimda, even still. This way it saves on our bandwidth for everyone else to use. The funny thing is that it works. Traffic used by nimda on the network has gone down dramaticly because of it. We applied the program to all the gateways (since they are all linux boxxes). Just added Apache with my scirpt to fish out as many people as possible.

    I love it. We get calls from customers yelling and screaming that they didn't have nimda and we prove it to them by emailing them the log file. Some are even thankful. Zac Bowling
    • Your ideas are valid but you are treading on dangerous ground. Let me explain.

      Suppose your neighbour cranks up her stereo to bone vibrating levels. This is illegal in most neighbourhoods and you have a right to complain. Now, if you walk on her property to knock on her door then technically you _could_ be guilty of trespassing. Most courts would laugh at the idea of prosecuting someone for such a trivial offense mind you - but she would have the legal right to put you into a position where you have to explain your actions to the court.

      The proper thing is for you to phone the police and let them deal with the problem.

      Similarly, in the case of attacks on your server, the proper response is to phone the police. Of course they probably won't do anything about it so your next step is then to register a formal complaint about the police.

      Given enough pressure they might actually start dealing with the situation and the side effect is that a LOT of people are going to react to a cop knocking on the front door and telling them to turn off their cracked machine whereas if you do it many are likely to attack you.

      The analogy with the noise complaint is that if you respond to your neighbours bad deeds by turning your stereo up to max - then this simply creates the situation where both parties are breaking the law.

      Finally, if you complain to the police and they do nothing and then you follow this up with formal complaints about the police, when you then contact people and nicely ask them to fix their damn machine or turn it off, at least you have a defense to put before a judge. Whether that defense means much is an open question. You might be better off just suing them in small claims court for the damages they cause you.

      Much of this comes down to rights that are not clearly defined. For instance when you visit my web server and ask for something you would think you clearly have this right. I did after all put the web server on line for people to access (presumably). But what if the webserver was intended (by me) to be accessable on an intranet and I was too dumb to configure it properly? Do you still have the right to access it?

      Suppose we are dealing with open windoze file shares. I do know at least one person who opened her hard drive up. She thought of it as a cheap anonymous FTP service - with read and write access to everyone. She wanted people to be able to distribute music. (seriously).

      Well - I warned her. Within a month someone shut her down by running a program that erased the bios. I had warned her about that risk too.

      Perhaps most people would not open network shares so that their files can be available to all. But most people do not run anonymous FTP servers and web servers either. Some people do open network shares on purpose and these people are in effect publishing on the net in the same way that a webmaster is (albeit - a far more primitive way).

      So, if you happen apon a machine that is open - then you can certainly argue that you thought there was an open house. Thus you would not be guilty of "hacking" you would think. Just don't count on it. Some people will accuse you of trying to break into their machine and some will even argue that you should not tell the management because this might cause an incompetant MSCE to get fired. Some will even argue that if you do tell the management that your _PURPOSE_ is to try to get someone fired. I witnessed this in fact. What a dumb bunny!

      Now - if they are customers it would be a very good idea to put a clause into their service contract that "requires" you to contact them in the case of hacks. Of course, write it so that there is nothing wrong if you fail to contact them. By doing this you create a very good defense if someone sues you for damages.

      Just be careful _how_ you contact them. Throwing popups into the machine is probably a risky move. Suppose it is some advertizing firm and they are giving a demo to a major client about what a great web site they can build - and suddenly your pop-ups show up and they lose the client.

      In many respects I consider these sorts of threats to be analogus to someone being accused of being a peeping tom because he pointed out that someone else's fly was open and his dick was hanging out. But we are still left with the situation where people really are pretty stupid and all sorts of accusations are going to be made - many of which do not make much sense.

      So, be careful.

      • Dangerous grounds. Yeah. Kinda, sorta.
        This is a case where size does make a difference. It's a small ISP, probably with a fairly good feel for its clientelle. Workable assuming he keeps an eye out for potential problems. It is a minimum hassle way to control the damage from nimda. Probably does *not* scale to a large ISP.
  • What struck me most though is that in the midst of the rant from Timothy Mullen (no stranger to hacking the hack as this story from computerworld magazine shows, was
    a throw-away line justifying the RIAA and MPAA's appeal to Congress to make it legal to do this!

    Did they change the original article online? 'Cause I don't see anything like that in the news.com article now.

  • A breathless story about how the best defense against [fill in the blank: piracy, virii, hacking] is a good offense at CNet.

    Yes! CNet is the root of all these evils for publishing stuff like this! A good offence at CNet would surely be in the best intrest of the public.
  • Okay, our /. lead-in is a mess, and the article itself is all over the dang map. The content isn't that imbalanced; it's just badly edited. It's not any sort of "bandwagon," either way. (The headline calls this approach "Vigilante hacking." That's hardly sympathetic.)

    Bad editing leads to abrupt transitions. Here we go from "Striking back against a computer that is attacking you" with a worm to this:

    The defensive strategy of "strike back" is gaining some support among politicians, who will be voting on a bill backed by movie and music studios that would allow retaliation to help thwart Internet piracy.

    Whah? Then we back off and contrast that approach (placing "destructive decoy digital files into peer-to-peer networks to penalize users") with the hack-back the story was really written around.

    It's almost like the editor wanted to nod in the direction of the latest legislative "anti-hacker" move, whether or not it really had anything to do with his story. That's all. No "bandwagon." Just bad editing. Given the state of /.'s stories, we should relate.

  • by TheSync ( 5291 ) on Monday August 05, 2002 @09:23AM (#4011716) Journal
    "Hi, I'm from Al Quaeda records, and I'm here to hack your computer!"

    Enough said.
  • It is the DoD's policy not to take active measures against anybody because of the lack of certainty of getting the right person.

    Great. I guess we might as well get rid of the Department of Defense, if they're not going to bother to take any active measures. I guess that whole Afghanistan thing with the "unavoidable civilian casualties" was just a figment of our imagination.

The trouble with being punctual is that nobody's there to appreciate it. -- Franklin P. Jones

Working...