[Note from Matthew Gaylor:  Sent with permission. Charles Mudd's 
rebuttal appears at the end of Vin McLellan's comments.  I thought 
both posts covered some interesting territory.]

From: Vin McLellan <vin@SHORE.NET>
Subject:      Re: Hearings on Denial of Service Attacks


         Charlz Franz is a generous soul.  Unlike him, I don't have any
problem declaring the D-DoS attacks "obviously wrong" -- whatever the (thus
far undeclared) "state of mind and purpose" behind the attack.

         Mr. Franz <charlzfranz@EARTHLINK.NET> suggests -- on the basis of
absolutely no evidence whatsoever, so far as I can see -- that these attacks
could be "protests against the commercialization of the net," and suggests
that this could be a mitigating circumstance.

         I certainly agree with both Mr. Franz and American Bar Association
luminary Charles Mudd  <muddhaven@EARTHLINK.NET> that the motivation and
goal of the perpetrator(s) should be considered in determining  punishment
-- in the unlikely event that he or they are identified and prosecuted --
but I think it is utter balderdash to presume, as both do, that the recent
Distributed Denial of Service (D-DoS) attacks are only naive adolescent pranks.

         The most notable and obvious result of this series of D-DoS attacks
was a whipsaw on Wall Street.  If we are going to make assumptions, let's
assume that what happened is exactly what the perp expected and intended to
happen.

         Why not assume that the person who planned this -- and it was
obviously very premeditated -- made a million or two shorting Internet
stocks and going long on the leading  infosec vendors?  (That is certainly
as likely -- far more likely, IMNSHO --  than Mr. Franz's fantasy that these
attacks were an expression of community protest.)

          D-DoS attacks --  like computer virus and worm attacks -- are
closer to arson than halloween pranks.  Things of value get destroyed; real
institutions and real people are threatened -- perhaps hurt; certainly
harassed; probably burdened with out-of-pocket losses.

         As with arson, some people figure out how to use such destruction
for their own economic benefit.  Others burn down buildings out of delight
in the dancing flames and the pain they cause.

         To suggest that this behavior might be a cry for social justice --
or as a <gag> protest against the popularization and commercialization of
the Internet -- is romantic claptrap... the same thumb-sucking
myth-mongering that the media used for years to romanticize a generation of
destructive behavior among the virus writers.

         Mr. Franz runs up the Flag with his warm fuzzy memories of  Vietnam
War protestors who marched, got their heads bashed, and then showed up
(book-laden and bourgeois) in class the next day.  As someone who wrapped 7
or 8 years of his life around the Anti-War and Civil Rights movements, I find
the suggested parallel offensive and unwarranted.  Social justice is not a
likely motivation for the perp or perps in this case.

         (If you want to get nostalgic, recall instead the fears --
widespread among those of us who marched, as well as among the FBI agents of
Cointelpro, and the Civil Defense mavens in their '50s-era bunkers;-] --
that some idiot would seize the moment and toss a mayonnaise jar full of
Leary's acid, or some other psychoactive drug, into an urban water reservoir.)

         Again, AFAIK, there is not a smidgen of evidence that these attacks
are associated with any prayer for social justice, or motivated by any
political or social or religious values.  What we do know is that -- on top
of  the losses of the DoS targets and their customers --  a lot of quick
money was made on the stock market by investors who placed their bets on the
heavy-hitters in the mercurial compsec and comsec sectors.

         I think the presumptions that Mr. Mudd and Mr. Franz make about a
naive young perpetrator (with or without a Cause) colors their attitude to
an embarrassing degree.

         Mr. Mudd and Mr. Franz both referred to the Morris Worm.  My
recollection is that Bob Morris Jr. did not intend to do damage.  Morris
thought he was clever enough to infect thousands of computers without
disrupting them and the Net.  (His worm became known, destructive, and
famous because he fouled up on the implementation.)

         This was not the case with the author of these D-DoS attacks.

         Like the virus writers, the person or persons who set up all these
D-DoS attacks had overt destruction as a goal.  Perhaps a purposeful
(profitable?) destruction.  "Voices demanding to be heard?" Gimme a break!
Again, there is absolutely *no* published evidence that the perpetrator(s)
want to protest, or communicate, or do anything other than what they did!

         This Child of the Sixties, for one, would not hesitate to send a
healthy check to any fund which set a NetCitizen's Bounty on the perp or
perps.  Let's pony up a reward for (anonymous) information leading to the
arrest and conviction, etc., etc.

         Anti-social destructive actions must have consequences, and the Net
-- as opposed to the many governments it owes allegiance to -- ought to find
a popular voice with which to condemn those responsible.

         Mind you, this is not a call for a lynch mob.  Nor is it an
endorsement of some suspension of civil liberties.  OTOH, I hope the clever
minds on Mr. Mudd's ABA Committee, along with the barristers of Cyberia,
have been considering some intelligent ways to cut into the conundrum
surrounding click-and-shoot "exploit code" (like TFN, which morphed into
TFN2K) and the Byzantine politics of  "full disclosure" in computer and
network security.

         The vulnerability of the Net to D-DoS attacks by untraceable parties
is probably an intractable problem -- at least not without some major
reengineering of the Internet services.  In much the same way, major
software products (Windows2K comes to mind;-) are so big they will
inevitably have a huge number of bugs (features?), among other
vulnerabilities.  The hackers who pick these software products apart and
document their vulnerabilities do us all a great service.

         Unfortunately, the cult of  "full disclosure" has gone far beyond
that, spurred in part by a reaction to the pro-vendor bias of the
government-sponsored CERT, which refused to publish information about
widely-known vulnerabilities until the vendor approved a "fix." (This
policy, it is widely believed, let corporate sinners pump up sales in flawed
products for years.)

         Now the issue has come full circle.  Many "full disclosure" forums
(e.g., Bugtraq at <www.SecurityFocus.com>) now celebrate those who create,
and release into the "Wild," dangerous exploit code without giving the
vendor any chance to warn vulnerable users or to develop a "fix."  A mailing
list moderator who urges restraint -- usually just a delay to give a willing
vendor time to develop and test a software patch -- like Russ Cooper of
NTBugtraq <www.ntbugtraq.com> gets routinely vilified in the hacker-informed
forums.

         The stated logic of "full disclosure" is to force a vendor to
quickly correct a discovered vulnerability in a product or technology.  Yet
proponents of FD work hard to obscure the fact that they are willing,
sometimes eager, to sacrifice users to get the attention of the vendor.  (It
is, after all, not going to be _their_ blood on the altar of full disclosure
-- and vendors bleed ink, not blood, if the truth be told.)

         Today, of course, many  "full-disclosure" announcements are
accompanied and illustrated by "exploit code," which is sometimes little
more than a point-and-click package of attack code, which gets circulated by
e-mail or downloaded off a website by tens of thousands of people.   This
type of "exploit" could empower any "script kiddie" (or some  stockbroker
hoping to escape the Boiler Room)  to raid a few prominent e-commerce sites
-- and probably make the stock market dance in predictable and profitable
ways -- even if they couldn't code up "hello world" in Basic to save a life.

         Some sensible institutional way has to be found to draw distinctions
between those worthy hackers who would warn vendors (and, as appropriate,
system admins and the community of users) of vulnerabilities -- including
those who develop proof-of-concept "exploits" -- and those who freely
distribute push-button attack code to anyone.

         There is a legitimate argument against secrecy, of course.
"Security thru obscurity" is a curse in infosec for good reason.  What one
can discover, others may have already discovered -- and be using.   Vendors
-- who today attempt to disclaim all liability for software flaws -- have
their own hierarchy of priorities.  (Functionality, new features, and
time-to-market are at the top; security of the user's data and product
integrity are usually somewhere down on the list.)

          There is a real threat here. With losses high enough, and fears
stoked, attacks like the recent D-DoS capers could cause a major
Constitutional crunch (or perhaps some tweak in copyright law?) which might
place serious constraints on the free speech of those who discover, or
announce, or prove the existence of vulnerabilities in commercial products.

          My friend Marcus Ranum -- a leading pioneer in firewall design; now
the president of NFR, an intrusion detection system vendor -- argues
vehemently that technically-savvy  people must choose to be either part of
the problem or part of the solution.

         It seems inevitable to many of us that steps will be taken in the
(US) code  -- particularly, if nothing is done within the Network Culture to
isolate and shun outlaw hackers and those who distribute tools of  (virtual)
mass destruction  --  to raise the level of personal accountability for
actions and transactions on the Net, to foster better network hygiene, and
to constrain both the free distribution and sale of executable code which
can cause widespread harm to our (surprisingly) frail commercial nodes
within the generically robust network infrastructure.

         Sun Micro's CIO, Whit Diffie is coinventor of public key
cryptography and a farsighted man.  Four or five years ago, Diffie began to
warn that the most likely version of Information Warfare would focus on
individual companies and seek to diminish their relative and competitive
stature, probably for pecuniary gain.

         The blunt fact is that there are no absolute or foolproof technical
solutions to many vulnerabilities in the TCP/IP network and in the millions
of nodes now attached to it.

         Constraints on destructive online behavior are, inevitably, largely a
social problem --  and new law; new network service contracts; and a
vigorous interpretation of old law, will all be called upon to defend those
who work, play, and hold property on the Internet.   With millions of jobs
already dependent upon the Internet economy, forces are in play which might
legitimately reconfigure Constitutional rights in the Internet-enabled USA.

         I applaud the caution and scepticism with which Mr. Mudd looks at
efforts to use this threat to legislate the Surveillance State -- but damn,
I would hope for something a little more constructive than this wait-'n-see
handwringing  from the Vice Chair of the ABA's  Privacy and Computer Crime
Committee.

         There is a real social problem here.  It will not be diminished if
we learn that these recent attacks were fraternity pranks.  It will not
become more serious if we learn that someone engineered these attacks to
make a killing in the market.  And social problems are seldom amenable to
technical solutions.

         Suerte,

                         _Vin

"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
  _A Thinking Man's Creed for Crypto  _vbm

 * Vin McLellan + The Privacy Guild + <vin@shore.net> *

###

From: Charles Mudd <muddhaven@EARTHLINK.NET>
Subject: Re: Hearings on Denial of Service Attacks

My remarks follow.

Vin McLellan wrote:

> but I think it is utter balderdash to presume, as both do, that the recent
> Distributed Denial of Service (D-DoS) attacks are only naive adolescent
> pranks.

I do not believe them to be "naive adolescent pranks." Specifically, I do not attribute naiveté to those responsible. Clearly, it took an intent to place the program elements on various computers and then to proceed with a command initiating the attack. Moreover, the primary results to the attacked systems would undoubtedly be known to the attacker (though it may be less so for attendant results, i.e. the market effects). As for "pranks," clearly they are not pranks. I do not believe I employed that term. Nonetheless, the behavior is adolescent and, without doubt, wrong.

> Why not assume that the person who planned this -- and it was
> obviously very premeditated -- made a million or two shorting Internet
> stocks and going long on the leading infosec vendors?

In response to Mr. McLellan's requested assumption, I have several problems preventing me from acquiescing.

First, I did not assume the attackers to be teenage hackers. Rather, my own inclination and knowledge of adolescent hacker behavior suggests to me that this is a strong possibility. However, I would not and do not make the assumption that the attacks are the result solely of this class of individuals. Rather, I would not be surprised if more devious renegade netizens caused some of the attacks for financial gain. As I reiterate below, my argument merely posited that before criminalizing the behavior, certain considerations should be made for the various states of mind that undoubtedly played a role in the series of attacks.

Second, Mr. McLellan makes much of the lack of evidence to support my and my colleague's remarks. While not explicitly identifying evidence in my initial remarks (as they were mainly off the top of my head last night), I would cite to the claims and statements made on several newsgroups and mailing lists that have as their primary members the very group I discuss. Also, we have reports (though, granted, all are not verified) of Mafia boy's alleged statements indicating his intent to cause an attack prior to some of the attacks occurring. Furthermore, the programs (TFN, trin00, TFN2K, stacheldraht, etc.) are quite plentiful on those sites, by all facial indications, run by the class of hackers to which I refer (though some may no longer be teenagers).

Third, though the markets were affected, I do not agree with Mr. McLellan that this happened to be the intended purpose behind the attacks. DOS and DDOS (collectively "DOS") attacks (though DDOS attacks are indeed newer) have been occurring prior to the market craze for Internet stocks. What prompted similar DOS attacks before the media responded to them with fervor? What prompted similar attacks before the markets were so saturated with volatile Internet/tech stocks? More than likely, the impetus for those similar attacks is not that which Mr. McLellan argues may have prompted the most recent attacks. But again, I do not assume that some of the attacks were not for that purpose. Rather, I keep an open mind, one that perhaps is not as cynical or jaded.

Finally, after reading my clarification, one should see how I could not indulge Mr. McLellan's assumption for the very reasons I made no complete assumption in my initial argument.

> D-DoS attacks -- like computer virus and worm attacks -- are
> closer to arson than halloween pranks. Things of value get destroyed; real

While I agree to the extent that the attacks, for whatever purpose, are more severe than Halloween pranks, I reserve comment on whether Mr. McLellan's arson analogy will actually hold up. Despite my reservations, I would initially argue that the attacks were more akin to an interference than the destruction that would result from arson. Granted, the attacks caused computers to be overwhelmed and shut down for some period of time. However, the attacks did not coincide with a virus attack wiping clean hard drives and other storage media. As for the market response, if such was the intent of the attackers, then Mr. McLellan's analogy holds more weight. Though I still am not completely convinced. That being said, I welcome a more structured analogy.

> [omissions]
> political or social or religious values. What we do know is that -- on top
> of the losses of the DoS targets and their customers -- a lot of quick
> money was made on the stock market by investors who placed their bets on the
> heavy-hitters in the mercurial compsec and comsec sectors.

Mr. McLellan's focus on the market response and his implicit assumption that this is the "obvious" intent of the attackers also lacks any evidence other than the fact that the market responded. For me, such a conclusory connection is fallacious.

> I think the presumptions that Mr. Mudd and Mr. Franz make about a
> naive young perpetrator (with or without a Cause) colors their attitude to
> an embarrassing degree.

Again, I do not employ the term "naive." Clearly, they knew what they were doing- whoever 'they' were. As for coloring my attitude to an embarrassing degree, I suggest that the clarifications should negate this surprising attack. Even without the clarifications, Mr. McLellan's surprising language is, I'd say, the more embarrassing.

> Mr. Mudd and Mr. Franz both referred to the Morris Worm. My
> recollection is that Bob Morris Jr. did not intend to do damage. Morris
> thought he was clever enough to infect thousands of computers without
> disrupting them and the Net. (His worm became known, destructive, and
> famous because he fouled up on the implementation.)
>
> This was not the case with the author of these D-DoS attacks.

Thank you for illustrating my point. I'll explain. Yes, Robert Morris (I think most of us know he is the son of the Sr. who, at the time, happened to be a NSA specialist) did not intend to cause the damage his worm program inevitably caused. Nonetheless, many of those who responded upon the initial attack graphed all kinds of deviate and vicious intents upon the then unknown "attacker." Until Mr. Morris (sorry, I don't know him well enough to use the familiar 'Bob') and a colleague posted a corrective procedure, he remained somewhat elusive. Even so, Justice Department, I still think, overreacted in its prosecution of Mr. Morris.

We do not know the nature of the present DOS attackers. Yet, many commentators have graphed an intent upon these unknown "attackers" without knowing the circumstances behind the motivation for the attacks. To me, this aspect of our present situation is not unlike the initial response to the "Internet Worm." (However, my comparison between the two ends here until we learn more of the present attackers.)

As for my own references to teenage or young hackers, I merely suggest what I believe to be the more likely source of the attacks.

> endorsement of some suspension of civil liberties. OTOH, I hope the clever
> minds on Mr. Mudd's ABA Committee, along with the barristers of Cyberia,
> have been considering some intelligent ways to cut into the conundrum
> surrounding click-and-shoot "exploit code" (like TFN, which morphed into
> TFN2K) and the Byzantine politics of "full disclosure" in computer and
> network security.

I agree. For this reason, our committee has begun a professional dialogue to address these issues.

> Some sensible institutional way has to be found to draw distinctions
> between those worthy hackers who would warn vendors (and, as appropriate,
> system admins and the community of users) of vulnerabilities -- including
> those who develop proof-of-concept "exploits" -- and those who freely
> distribute push-button attack code to anyone.

To the extent distinctions must be drawn between various intents and states-of-mind, I completely agree. However, I stop short of suggesting the mere dissemination of information should be grounds for criminal indictment or civil penalties. For me, this invades the sacred province of the First Amendment. Though certainly there are exceptions where "clear and present danger" may be found, I vehemently oppose the criminalization Mr. McLellan appears to suggest. As to his additional constitutional arguments, I do not believe we have been presented with the circumstances that would warrant the departure Mr. McLellan suggests.

> It seems inevitable to many of us that steps will be taken in the
> (US) code -- particularly, if nothing is done within the Network Culture to
> isolate and shun outlaw hackers and those who distribute tools of (virtual)
> mass destruction -- to raise the level of personal accountability for
> actions and transactions on the Net, to foster better network hygiene, and
> to constrain both the free distribution and sale of executable code which
> can cause widespread harm to our (surprisingly) frail commercial nodes
> within the generically robust network infrastructure.

I would agree. In fact, my comments focused upon this inevitability and addressed the need for discussions within the "Network Culture" and other interested parties; particularly, those subscribers to this list.

> I applaud the caution and scepticism with which Mr. Mudd looks at
> efforts to use this threat to legislate the Surveillance State -- but damn,
> I would hope for something a little more constructive than this wait-'n-see
> handwringing from the Vice Chair of the ABA's Privacy and Computer Crime
> Committee.

Mr. McLellan clearly misunderstands. In my remarks, I suggested that we should "wait and see" before jumping to any conclusions as to which group the attackers belong. Moreover, I do not suggest that we "wait and see" before beginning any efforts to discuss alternative approaches to the criminalization of the behavior. Rather, I believe it essential that professional dialogue and discussions continue and, in an ideal setting, foster collaborative efforts among many diverse groups. The purpose of these efforts would be to counteract the recent congressional efforts to regulate this area of cyberspace. Indeed, I suggest that Congress reacts all too quickly. And, by doing so, Congress reacts blindly. Congress should slow down. This happened to be the thesis of my article I thought to cite.

As for Mr. McLellan's attacks of a personal nature, I find them unworthy of response.

> There is a real social problem here.

Mr. McLellan is not the only individual to recognize the "real social problem" facing the Internet. While we may disagree on whom may (I stress may) be responsible for the recent attacks, I respect Mr. McLellan's arguments and comments. It is my hope that a dialogue may continue amongst all of us in a courteous and professional manner. It was to this end that I offered my comments in the first place. I hope Mr. McLellan joins.

Charles Mudd (clmjr@abanet.org)

Subscribe to Freematt's Alerts: Pro-Individual Rights Issues
Send a blank message to: freematt@coil.com with the words subscribe FA
on the subject line. List is private and moderated (7-30 messages per month)
Matthew Gaylor, 1933 E. Dublin-Granville Rd., PMB 176, Columbus, OH 43229
Archived at http://www.egroups.com/list/fa/
