Security Incidents mailing list archives

Re: Code Red - A Possible Origin?


From: "Michael J. Cannon" <mcannon () ubiquicomm com>
Date: Mon, 27 Aug 2001 17:55:56 -0500

Excellent point...but the delay COULD just be the fact that it is an
anarchist group, with the resultant lack of organization (although many of
these groups, anarchist or not, are almost as good as the corporations when
it comes to PR announcements.)

For those that joined this thread late, again, I am not saying these ARE the
authors, I am advocating that we use this opportunity as a 'tactical
exercise' in a well-known public forum, to show the public what tools are
used and some of the procedures for tracking down these incidents.  If this
is not the correct forum, I expect the relevant authorities (the list
moderator/admin) will tell us (and maybe make a suggestion on where would be
more appropriate).

Also, I don't personally believe this information from Canada is in any way
more credible or believable than what came out of Germany, China, Holland,
Mauritius and India.

Finally, for any lurkers from the press:  I don't believe that this is in
any way 'cyber-terrorism,'  whoever perpetrated 'Code Red,' its variants, or
virii like SirCam.  I don't believe that the TAO and their sibling
organizations are terrorists.  I don't believe whoever created Code Red is a
terrorist.  Terrorism kills people, not networks and computers.  Terrorism
costs lives and limbs, not money and bandwidth/inconvenience.  What goes on
in Israel/Palestine, Macedonia/Yugoslavia, Sri Lanka and elsewhere is
terrorism.

The computer security community is on the job and we do care.  We want to
make the Internet a safer place for communities and commerce.  But to call
any of what our opposition does  'terrorism' is to demean the lives and
efforts of those who risk their lives combating that FAR more grievous
menace.  Bruce Schneier has said we in the security industry have lost the
battle with the press when it comes to 'hacker' vs. 'cracker.'  Let us not
allow the press to portray activists, curious children, petty criminals and
misguided individuals in the same way they do the animals that kill people
with guns and bombs.  'Hacktivism' and electronic civil disobedience are
better terms more amenable to the result of the crime.


----- Original Message -----
From: "Mike Lewinski" <mike () rockynet com>
To: <incidents () securityfocus com>
Sent: Friday, August 24, 2001 3:09 PM
Subject: Re: Code Red - A Possible Origin?


$ telnet tao.ca www
GET /~wrench/bloc/news/07_19_01.html HTTP/1.1

HTTP/1.1 200 OK
Date: Fri, 24 Aug 2001 19:47:42 GMT
Server: Apache
Last-Modified: Fri, 20 Jul 2001 01:52:42 GMT
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The server appears to be located in the Toronto area which I believe
is -0400 GMT. If it hasn't been monkeyed with, the Last-Modified tag
places the document's creation time around 9:50pm local time on the 19th
of July.

The original Eeye advisory containing details about the worm's
"whitehouse attack mode" was released two days earlier, on the 17th of
July. I'd be a lot more inclined to believe the claim of responsibility
if Apache was giving a 'last-modified' tag earlier than that date. By
the posting date it was already public knowledge.

Mike
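
A worked version of the timeline check in Mike's message, added here as an example and not part of the original thread: it parses the quoted response head, converts Last-Modified to the -0400 offset the message assumes for Toronto, and compares it with the 17 July advisory date the message gives.

```python
# Added example, not from the thread: reproduces the Last-Modified timeline
# check in the message above. The sample response is constructed from the
# headers quoted there; the -0400 offset and the 17 July advisory date come
# from the message text and are assumed, not independently verified.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the response head quoted in the message (body omitted).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 24 Aug 2001 19:47:42 GMT\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Fri, 20 Jul 2001 01:52:42 GMT\r\n"
    "\r\n"
)
# Offset the message assumes for the server's location (Toronto, summer time).
TORONTO = timezone(timedelta(hours=-4))
# Date the message gives for the eEye advisory that made the behaviour public.
EEYE_ADVISORY = datetime(2001, 7, 17, tzinfo=timezone.utc)


def parse_headers(raw: str) -> dict:
    """Split a raw HTTP/1.x response head into a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def last_modified_local(raw: str, tz: timezone = TORONTO) -> datetime:
    """Last-Modified (RFC 1123 date, always GMT) converted to the given zone."""
    stamp = parsedate_to_datetime(parse_headers(raw)["last-modified"])
    return stamp.astimezone(tz)


def claim_predates_advisory(raw: str, advisory: datetime = EEYE_ADVISORY) -> bool:
    """True only if the page was last modified before the advisory, i.e. the
    claim could have been written with non-public knowledge. Last-Modified is
    set by the server and can be altered, so this is a consistency check."""
    return last_modified_local(raw) < advisory


if __name__ == "__main__":
    print(last_modified_local(SAMPLE_RESPONSE).isoformat())
    print("predates advisory:", claim_predates_advisory(SAMPLE_RESPONSE))
```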

----- Original Message -----
From: "Michal Nazarewicz" <m.nazarewicz () dkgroup com pl>
To: "'Michael J. Cannon'" <mcannon () ubiquicomm com>;
<incidents () securityfocus com>
Sent: Friday, August 24, 2001 1:42 AM
Subject: RE: Code Red - A Possible Origin?


Tongue VERY firmly in cheek here, gang.  Let's not mistake a group's target
of opportunity for the real thing.  But it's interesting that someone would
have the balls to claim responsibility, no matter how indirectly.

...let's also add that there is a message written in black on black
background which says:

red worm denial-of-service dos code welcome to http://www.worm.com!
Hacked
by Chinese - xo ha



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com