Re: Code Red - A Possible Origin?

[Ben Okopnik <fuzzybear () pocketmail com>]

On Mon, Aug 27, 2001 at 05:55:56PM -0500, Michael J. Cannon wrote:
> For those that joined this thread late, again, I am not saying these ARE the
> authors, I am advocating that we use this opportunity as a 'tactical
> exercise' in a well-known public forum, to show the public what tools are
> used and some of the procedures for tracking down these incidents.  If this
> is not the correct forum, I expect the relevant authorities (the list
> moderator/admin) will tell us (and maybe make a suggestion on where would be
> more appropriate).

I will agree that this is a reasonable idea. This is, of course, FAR
short of what the most likely public response is going to be (hell, 
already is): Congress and the talking heads are going to call for new, 
more stringent laws, public floggings, maybe executions... oh, wait, 
they've only _implied_ that so far. <grin>
 
> Finally, for any lurkers from the press:  I don't believe that this is in
> any way 'cyber-terrorism,'  whoever perpetrated 'Code Red,' its variants, or
> virii like SirCam.  I don't believe that the TAO and their sibling
> organizations are terrorists.  I don't believe whoever created Code Red is a
> terrorist.  Terrorism kills people, not networks and computers.  Terrorism
> costs lives and limbs, not money and bandwidth/inconvenience.  What goes on
> in Israel/Palestine, Macedonia/Yugoslavia, Sri Lanka and elsewhere is
> terrorism.

Erm... _In the main,_ I agree with you - but, just to play the devil's 
advocate, what happens when someone crashes a hospital's network, or 
something similar where life does indeed equal the machine being up? 
The issue is not quite all that black-and-white.

> The computer security community is on the job and we do care.  We want to
> make the Internet a safer place for communities and commerce.  But to call
> any of what our opposition does  'terrorism' is to demean the lives and
> efforts of those who risk their lives combating that FAR more grievous
> menace.  Bruce Schneier has said we in the security industry have lost the
> battle with the press when it comes to 'hacker' vs. 'cracker.'  Let us not
> allow the press to portray activists, curious children, petty criminals and
> misguided individuals in the same way they do the animals that kill people
> with guns and bombs.  'Hacktivism' and electronic civil disobedience are
> better terms more amenable to the result of the crime.

Erm... no, sorry, try again. "Hacktivism" is a positively-loaded term; I
see very few (note that I carefully do not say "no") positive facets to 
cracking, and while cracking may on occasion be an instance of 
"hacktivism", confuting the two, IMO, is an even _worse_ evil than the 
"hacking/cracking" confusion. "Electronic civil disobedience"... I
believe that I'm expressing the common sentiment that this sounds like
marketroid-speak, and will be accepted to about the same degree; i.e.,
"sounds like bullshit to me!" Catchy phrases have their place; this one 
does not fit. It's not even catchy.

Worse yet, the concept itself does not fit. Cracking may not be 
terrorism, but it's not a harmless prank, either. Some folks might see 
it as "well, gee, it only hurts these companies - no big deal!" 
*WRONG*. "These companies" are someone's blood, sweat, and tears; 
often, a whole lot of someones. I speak as a man who has "raised" a 
company from scratch, ran it for a number of years, and then watched it 
die (not this crash; this was the '80s.) Buddy, lemme tell ya... if I 
caught someone destroying that company's resources, the resources that 
I painstakingly built up one penny at a time, I would skin the bastard 
with a dull file and spread the salt liberally.

Crackers love to hide behind the shielding image of the rebel, the 
revolutionary. Puh-lease. A 13-year-old script kiddie is not a 
revolutionary; he's out to satisfy his adolescent curiosity and doesn't 
care in the least about the cost to others. Cracking is nothing but 
wanton destruction of someone's resources; end of story.

Terrorism? No. Innocent exploration? Not that, either. Not by a *damn* 
long shot.


Ben Okopnik
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Criminals do not die by the hands of the law. They die by the
hands of other men. -- George Bernard Shaw

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com