Re: Mafioso


From: B.K. DeLong (bkdelong@pobox.com)
Date: Thu Apr 20 2000 - 11:18:46 PDT


At 01:59 PM 04/20/2000 -0400, Kragen Sitaker wrote:
>I'm pretty skeptical, too.

Well, my skepticism is the result of sarcasm and annoyance: when I tried to
ignore the e-mail from the Wired reporter, he went ahead and found my phone
number anyway.

>On one hand, an inept person or a braggart certainly could have carried
>these attacks off, and in that case they would be catchable. That's
>the RCMP's story on how they caught the guy --- he bragged.

ANYONE with a computer could do these attacks. All you have to do is know
how to run a piece of software and read directions. Most copies now include
a "zombie list" that the script will automatically activate in the DDoS
attack.

>On the other hand, I would expect a braggart to seek pseudonymous
>publicity by claiming the DDOSes as their doing. I haven't seen this,
>although maybe I haven't been watching. Yet the sites chosen seemed to
>be carefully chosen to get press.

That's why they picked up Coolio, the teen in NH. He was bragging all about
it on IRC, so they picked him up, and when it turned out he had no real
connection, they announced to the world that he was potentially being
charged with the DARE and RSA Security Web defacements, thus giving federal
law enforcement time to continue the investigation without public griping
about the lack of a suspect.

>Also, I don't recall any attacks against institutions or people who'd
>personally wronged this guy.

He's a 15-year-old... I doubt CNN, Yahoo, or any online trading firm would
have had any opportunity to "wrong" him. Most script kiddies his age do it
because they can or to impress their friends.

>The alleged evidence against this guy consists of timestamped IRC logs
>--- presumably produced two months after the fact by one of his
>cronies.

No... they had this kid's address by Feb 15th but needed to solidify their
case (or what little they had of one). Besides, CNN was seen shortly
thereafter as a copycat DDoS... it's my belief that the real DDoSer is
still at large.

>What could have induced them to come forward now if they
>didn't come forward in February? Are there reliable sources these logs
>can be cross-checked with --- e.g. multiple sources for these logs, or
>netsplits or other global events? Or are they fabrications by an
>ex-friend bearing a grudge?

See above. They needed the civilians who had built their own investigation
to help them solidify theirs... notice the FBI/RCMP take all the credit.

>The kind of person who would do such a thing would likely be very
>difficult to catch; they wouldn't tell a soul, and they'd operate
>through a chain of five or more compromised Win98 (well, possibly
>Linux) machines on cable modems or in ResNets, and they would allow a
>month or more to elapse between compromising their zombies and
>launching the attack --- a month during which they would have no
>contact with their slaves, perhaps even going on vacation in the
>Canadian Rockies for a week or so before the attack.

Well, not really...since anyone can execute a DDoS from their desktop.

I'm annoyed at this whole situation. If you want to hear the rest of my
ranting, I just got off the phone with the CBC Radio One show "As It
Happens", and gripe on there as well:
http://www.radio.cbc.ca/programs/asithappens/

--
B.K. DeLong
Research Lead
ZOT Group

617.642.7149 bkdelong@zotgroup.com http://www.zotgroup.com



This archive was generated by hypermail 2b29 : Thu Apr 20 2000 - 11:24:24 PDT