Who Really DDOS'd SCO - No, *Not* the Linux Community
Friday, May 20 2005 @ 09:21 PM EDT

Finally, the truth comes out. The Linux Community had nothing to do with the MyDoom attack on SCO. If you want to know who did it, read Business Week's account about "Hacker Hunters" and their roundup of criminal gangs:

Trojan Horse

Devilish trickery keeps the criminals one step ahead. In January, 2004, a new virus called MyDoom attacked the Web site of the SCO Group Inc. (SCOX ), a software company that claimed the open-source Linux program violated its copyrights. Most security experts suspected the virus writer was a Linux fan seeking revenge. They were wrong. While the SCO angle created confusion, MyDoom acted like a Trojan horse, infecting millions of computers and then opening a secret backdoor for its author. Eight days after the outbreak, the author used that backdoor to download personal data from computer owners. F-Secure's Hyppönen figured this out in time to warn his clients. It was too late, however, for many others. MyDoom caused $4.8 billion in damage, the second-most-expensive software attack ever. "The enemy we have been fighting is changing," says Hyppönen.

Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. (ISSX ) in Atlanta.

So, now that it's official, I'm sure SCO will issue a public apology for its false accusations. Oh, and there is that SEC filing too. I'm sure they don't want any false information in an SEC filing.

Groklaw stood alone on this story when it first broke, finding and reporting all the facts that challenged the SCO account. The next time someone comes to us with such a tale about Linux "extremists", let's learn from this. Until someone is arrested and convicted, we don't know who is responsible for criminal behavior, not even when we think we know who it simply *has* to be.

And I hope the mainstream media, which spread the malicious SCO innuendo about Linux "extremists" attacking SCO, will now give equal space and time to the correct information. At a minimum, they should add an addendum correcting stories that remain on the Internet that attributed the MyDoom attack on SCO to the Linux community. I'm sure responsible publishers will do that. Because it is now known for sure: it was not the Linux community.


  


198 comments
Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: resst on Friday, May 20 2005 @ 09:29 PM EDT
This is starting to look like the tapestry is being unraveled, thread by thread.
Only now there isn't much left of the original work.

PJ, I never doubted you.

Corrections Here
Authored by: Anonymous on Friday, May 20 2005 @ 09:29 PM EDT
Post your corrections (if any) here.

Wonder if SCO will have to correct its SEC filings on this? Or am I wrong, and
they didn't mention it in there?

I know they've mentioned it publicly a few times.

Off Topic here, please - as usual
Authored by: m_si_M on Friday, May 20 2005 @ 09:33 PM EDT
.

Non-anonymous corrections here
Authored by: Anonymous on Friday, May 20 2005 @ 09:37 PM EDT
Or should that say Nonymous, without the a-?

---
--Bill P, not a lawyer. Question the answers, especially if I give some.

What's that silence...?
Authored by: Latesigner on Friday, May 20 2005 @ 10:00 PM EDT
All the voices are stilled?
It wasn't us and no one has a thing to say ?
Who'd a thought it!!!

---
The only way to have an "ownership" society is to make slaves of the rest of us.

Criminals are...
Authored by: radix2 on Friday, May 20 2005 @ 10:16 PM EDT
...criminals, whether they be Linux, Windows, Mac or BSD users... It is time to
stop the OS user generalisations and focus on the real problem. Locking
previously open doors that let the thugs in.

SCO's reward?
Authored by: leopardi on Friday, May 20 2005 @ 10:16 PM EDT
Did the informant mentioned in the article receive SCO's $250,000 reward yet?

clear away the stink
Authored by: Briareus on Friday, May 20 2005 @ 10:22 PM EDT
Political history is replete with instances of psychological and psychopolitical
warfare being waged in which an aggressor creates confusion by casting a party
that is tangentially involved with the desired target as the aggressor. Even
discerning observers can be duped by a skilled operator. Since the public tends
to have a child's view of such tactics, the obfuscation can last for decades. A
good rule of thumb is simply to ask, "who gains?". Following the money
trail tends to flesh out the answers.

In this case, it should have been obvious from the outset that SCO has neither
the finesse nor the imagination for such an operation. Not even close. They
would like to think so, I'm sure, but they employ the cudgel when a whisper
would serve them better.

The cybercriminals on the other hand exhibited a sharp understanding for media
manipulation, and it's no surprise to me that counter-intelligence operators are
hired to track them down.

As to who benefitted and why, I'm thankful that the money trail is lit up with
streetlights by the many eyes of Groklaw. I think this blog nullified much of
what SCO could have gained after that DDOS holiday. I seem to recall they got a
bump from it, but it wasn't for long.

As a side benefit, it would be wise of us to remind the public of what
characters like Enderle and Co. said at the time. I sense a window of
opportunity to clear more air right now. It has smelt of MoG for too long.

---
scary times are never dull

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: eamacnaghten on Friday, May 20 2005 @ 10:53 PM EDT
And I hope the mainstream media, which spread the malicious SCO innuendo about Linux "extremists" attacking SCO will now give equal space and time to the correct information.

Ho-Hum, I suppose you mean an article like this one from the BBC, well, I do not think so.

At the time I emailed them a complaint...

Hi

In Stephen Evans' article entitled "Linux cyber battle turns nasty" (http://news.bbc.co.uk/1/hi/business/3457823.stm) Stephen says regarding the MyDoom virus...

"There seems little doubt that SCO was targeted - illegally and unacceptably, lest anyone be in any doubt - because it has enraged many people devoted to the Linux operating system."

whereas the evidence suggests otherwise, that the virus was created by professional spammers, possibly by organized crime, and that the attack on SCO was there to falsely place the blame on Linux enthusiasts to disguise the origin, for, the virus, as well as attacking SCO, opens up network ports on the affected computer and installs a keylogger that can record passwords and credit card numbers and so on.

Details can be obtained at http://www.linuxworld.com/story/42125.htm.

Although no-one knows why the virus was created (except the Author), there seems plenty of doubt that it was done by Linux enthusiasts.

This article does not reflect the high quality of research usually exercised by BBC reporters. I believe it is important to correct the facts of this story, not only because it paints guilt on parties that are probably innocent, but because it does not portray the true nature of this nasty virus, many of the readers probably having computers that have been affected with it.

I got this reply....
Dear Sir

Thanks for your e-mail. I have noted the points you made - as well as the vigorous debate on Slashdot.org about this article.

Well, Stephen Evans' weekly "stateside" column is not a news story, but an analytical look at major events and business trends in the United States.

It is, of course, debatable whether MyDoom/Novarg/Shimgapi was written just to bring down the SCO website, or whether the installation of spamming tools on numerous computers was an additional - or even the main - motive.

That was not the point of Stephen's article. In his piece he wanted to draw the attention of BBC News Online's audience - many of whom are unlikely to know the ins and outs of the Open Source debate - to the rapid spread of Linux as a commercial application, SCO's attempts to cash in on this fact, and the deep anger that SCO has caused within the Linux community through its legal actions.

Stephen is not the first to draw the link between MyDoom and SCO's actions over Linux - plenty of others have done that before, including virus experts.

Regards,

Tim Weber
Business Editor
BBC News Interactive - www.bbc.co.uk/businessnews

I guess it is more important to present the news well rather than to present it correctly, even to some extent the more respectable companies like the BBC.

Web Sig: Eddy Currents

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: belzecue on Friday, May 20 2005 @ 11:02 PM EDT
Apologies if this has already been noted. Nothing major, but it reinforces what PJ said earlier about the Russian origins of the attacks. An enlightening look into the world of DDOS blackmailing:

"How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won"

...In ensuing chats, Turner gathered circumstantial connections to BetCris and the gaming extortion wave. EXe asked Hardcore, "how u know about our work? about bettings & sportsbooks"; at another point, Turner saw a reference to BoDog, a sports book that had been attacked. Another time, eXe inadvertently exposed his real ISP, in Russia.

Chat sessions continued for eight weeks. Often they were jarring and discombobulated. Cyrillic characters mixed with poor English. There was foul language and other noise. Turner watched eXe attack Microsoft and probe SCO.com...

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: vruz on Saturday, May 21 2005 @ 12:22 AM EDT
it should have been fairly obvious since most linux developers/hackers won't
probably care or be bothered about learning the Win32 api to only get such a
scarce reward.

---
--- the vruz

Nit Pick time
Authored by: tangomike on Saturday, May 21 2005 @ 01:04 AM EDT
I'm not sure that the article absolves the "Linux community". Sure,
the TSCOG DDoS was probably misdirection. Yes, the attack was launched from
Windoze machines.

Unfortunately, neither of these facts absolves the Linux community. If this was
a criminal case, then the Linux community could be found not guilty for lack of
evidence. In a civil suit the balance of probabilities also appears in the Linux
community's favour. Neither of those findings proves it wasn't the Linux
community.

Still the article doesn't say that Hyppönen confirmed that this wasn't launched
by someone who is a member of the Linux community. That's (sort of) the author's
opinion.

Before anyone fires up their flame throwers, let me also note that I don't
recall anyone blaming this on the "Windows community" though the
attacks originated from Windows boxes.

At the end of the day, it was the criminal community that did it. The operating
systems of the perpetrators are irrelevant, except to note that it's highly
unlikely that a MyDoom could succeed on Linux boxes. Windows on the other hand
is designed to do what MyDoom did.

---
Nothing screams 'poor workmanship' like wrinkles in the
duct tape.

There is still a big gap in the story that needs filling in.
Authored by: Anonymous on Saturday, May 21 2005 @ 01:17 AM EDT
Who was the person who supposedly contacted Eric Raymond?

Why would somebody who presumably had no knowledge of the actual perpetrator contact Raymond, and give a false reason and origin for the attack?

Why did Eric Raymond believe this person? And then choose to publish these unsupported claims, as if fact, to the world?

And oh yes: While it's nice that the criminal involved apparently wasn't part of the Linux community, I've said it before and I'll say it again: You are responsible for your own actions. You are not responsible for what other people do, especially not for people who just happen to use the same technology as you. I've heard that Bin Liner guy uses a Mac, a satellite phone, and CDRs, but I don't think that is a reason to throw all other Mac users, satellite phone users and CDR users in jail.

Quatermass
IANAL IMHO etc

OSI Leader Asks Hacker to Stop SCO Attack
Authored by: Anonymous on Saturday, May 21 2005 @ 02:03 AM EDT
This is really funny because Eric Raymond claimed to know who was attacking SCO.

In a posting to internetnews.com sister site Linux Today, Raymond, while noting that he does not know the identity of the person responsible, said, "I had been hoping, and actually expecting, that the attacker would turn out to be some adolescent cracker with no real connection to the open-source community other than a willingness to stand down when one of its leaders asked. But no; I was told enough about his background and how he did it to be pretty sure he is one of us -- and I am ashamed for us all."
internet.com

My Doom is a Windows only worm like all worms in the last 15 years.
Authored by: Anonymous on Saturday, May 21 2005 @ 02:37 AM EDT
Does this mean SCO was running a Windows server, or did
the person who created the My Doom worm direct an attack
towards SCO? What would you call this person? A Windows
user, someone who is anti-Windows, or just someone who
wants to reap the data stored on Windows servers and PCs
which can be so readily harvested for fun or profit thanks
to Windows
security flaws? Can you really categorise people in such an
over-simplistic way? Surely no one in the real world is
black or white - everyone is a shade of grey.

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: blacklight on Saturday, May 21 2005 @ 02:50 AM EDT
"... And I hope the mainstream media, which spread the malicious SCO
innuendo about Linux "extremists" attacking SCO will now give equal
space and time to the correct information" PJ

Fat chance.

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: Anonymous on Saturday, May 21 2005 @ 05:08 AM EDT
Please note that you didn't deny that these shadowgang members are Linux users
:P

Actually, I believe the DDoS stuff was in so people with an infection won't
clean their system so fast (because it does something funny/useful/deserved).
Please note, those people are not Linux users, just Windows slaves. But they
could definitely have sympathies.

Or it was simply for publicity. If a virus is so widespread it can execute a
DDoS, it is definitely good enough to create spam zombies.

A good article.
Authored by: Anonymous on Saturday, May 21 2005 @ 08:09 AM EDT
IMO this is an interesting read. SCO is mentioned, briefly.
Link

Maat

ESR Apology
Authored by: Anonymous on Saturday, May 21 2005 @ 08:40 AM EDT
One of the most damaging falsehoods was spread by the usually respectable Eric Raymond, president of the Open Source Initiative. He should also apologize. See this for background.

At least 3 separate claims of attacks.
Authored by: gvc on Saturday, May 21 2005 @ 10:57 AM EDT
Darl claimed to be the victim of DDOS attacks at least three times.

As I recall the claims were something like this:

(1) One or more early claims by Darl that the sco.com was down due to DDOS,
but no evidence of any attack has ever been seen. PJ and others raised
considerable scepticism.

(2) One claim that seemed to be supported by backscatter evidence. Still no
plausible evidence of the mechanism of the attack, but sceptics seemed to back
off entirely.

(3) Mydoom was discovered to be "armed" to attack SCO at a future
date, which it did.

The Mydoom attack is the only one for which I see a satisfactory explanation of
the mechanism for the attack. So the question is, what about (1) and (2).

It could be that (2) was a 'ranging shot' by the Mydoom authors. Or it could be
that (1) and/or (2) were unrelated to MyDoom - the MyDoom perpetrators were
being opportunistic - SCO were obviously an easy mark and the prior controversy
might deflect discovery.

If Mydoom was just opportunistic it did the perpetrators of (2) a great service.
Nobody appears to be treating it as a separate incident. If there's evidence
of a tie-in I'd like to see it.

Similarly, I haven't seen a whole lot of evidence with regard to the
relationship between (1) and (2). They may be related or not.

In my opinion, there are still many unanswered questions here. Some possible
explanations are more credible than others. I don't think you can assume that
there is one cause for all the attacks, or indeed that all the attacks really
happened. More investigation is in order.

[ Reply to This | # ]
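
gvc's point about claim (2) resting on "backscatter evidence" is the one place on this page where the evidence can be checked mechanically rather than taken on trust, so here is an added example of what that check looks like. It is my code, not gvc's and not Groklaw's, and it is not based on any real capture of sco.com traffic: the victim address 192.0.2.80, the 10.0.0.0/8 monitor block and every packet record are constructed placeholders. A SYN flood with randomly spoofed source addresses makes the victim answer each SYN with a SYN/ACK (or a RST if the port is closed) to an address that never asked for it; a monitor on unused address space sees a slice of those replies, and the size of the slice gives a rate estimate, the method published by Moore, Voelker and Savage in "Inferring Internet Denial-of-Service Activity" (2001). The caveat that matters for gvc's question is in the module docstring: a flood of genuine TCP connections from real infected hosts produces no backscatter at all, so backscatter and a worm-driven flood are evidence of different mechanisms.

```python
"""Backscatter triage over a darknet packet feed.

Added example, not Groklaw's code and not tied to any real capture. Only
spoofed-source floods produce backscatter: a flood of completed TCP
connections from real hosts is invisible to this method.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical monitored unused block. 10.0.0.0/8 is a placeholder for
# whatever unrouted space the monitor actually owns.
DARKNET = ip_network("10.0.0.0/8")
IPV4_ADDRESSES = 2 ** 32

# TCP flags in tcpdump notation: S=SYN, A=ACK, R=RST. A victim replying to a
# spoofed SYN sends SYN+ACK, or RST (normally with ACK set) if the port is closed.
BACKSCATTER_FLAGS = {"SA", "RA", "R"}


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: str


def is_backscatter(pkt: Packet) -> bool:
    """A reply-type TCP segment arriving at an address nobody uses."""
    return pkt.flags in BACKSCATTER_FLAGS and ip_address(pkt.dst) in DARKNET


def summarize(packets, min_targets: int = 5) -> dict:
    """Group backscatter by the host that sent it and estimate the flood rate
    each one is absorbing. A source must hit at least `min_targets` distinct
    darknet addresses to count, which drops single stray resets."""
    by_src = defaultdict(list)
    for p in packets:
        if is_backscatter(p):
            by_src[p.src].append(p)

    # The darknet sees this share of replies to uniformly spoofed sources.
    sampling_fraction = DARKNET.num_addresses / IPV4_ADDRESSES
    victims = {}
    for src, pkts in by_src.items():
        targets = {p.dst for p in pkts}
        if len(targets) < min_targets:
            continue
        span = max(p.ts for p in pkts) - min(p.ts for p in pkts)
        span = span if span > 0 else 1.0  # single-instant burst: count it as one second
        observed_pps = len(pkts) / span
        victims[src] = {
            "service_ports": sorted({p.sport for p in pkts}),
            "flags": sorted({p.flags for p in pkts}),
            "packets": len(pkts),
            "distinct_targets": len(targets),
            "estimated_attack_pps": observed_pps / sampling_fraction,
        }
    return victims


def sample_packets():
    """Constructed capture: 192.0.2.80 stands in for a web server under a
    spoofed-source SYN flood; the last three packets are noise."""
    victim = "192.0.2.80"
    replies = [
        (0.0, "10.1.2.3", 4021, "SA"),
        (0.5, "10.7.7.7", 5100, "SA"),
        (1.0, "10.200.1.9", 60123, "SA"),
        (1.5, "10.33.9.1", 1025, "RA"),
        (2.0, "10.5.5.5", 44444, "SA"),
        (2.5, "10.99.0.2", 2048, "SA"),
        (3.0, "10.4.4.4", 31337, "SA"),
        (3.5, "10.250.250.1", 8080, "SA"),
    ]
    pkts = [Packet(ts, victim, dst, 80, dport, fl) for ts, dst, dport, fl in replies]
    pkts += [
        Packet(0.2, "203.0.113.5", "10.1.1.1", 43210, 22, "S"),   # port scanner: a SYN, not a reply
        Packet(1.2, "198.51.100.7", "10.9.9.9", 25, 3456, "RA"),  # one stray reset, under threshold
        Packet(2.2, victim, "198.51.100.9", 80, 5000, "SA"),      # reply to a real client, not darknet
    ]
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for src, info in summarize(sample_packets()).items():
        print(f"{src}: {info}")
```

On the constructed capture the only host that qualifies is 192.0.2.80, answering from port 80 to eight distinct unused addresses in 3.5 seconds; scaled by the /8's 1/256 share of the address space that is roughly 585 spoofed SYNs per second reaching it. The scanner and the lone reset are discarded, which is the point of the distinct-target threshold: one RST to one dark address is ordinary Internet noise, not evidence of an attack.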

Where does it prove the hackers weren't open source proponents?
Authored by: Anonymous on Saturday, May 21 2005 @ 11:35 AM EDT
Missing that somehow?

MyDoom and SCO
Authored by: Anonymous on Saturday, May 21 2005 @ 02:24 PM EDT
So MyDoom infects a machine, attacks SCO, and creates a backdoor for the virus
author. Then eight days later the author uses the backdoor to steal personal
information.

Why attack SCO first? Doesn't that just make it far more likely that the
infected machines will be discovered? Wouldn't you want to steal the information
first and then attack SCO?

"Arrest & Conviction" have no relation to responsibility.
Authored by: Anonymous on Saturday, May 21 2005 @ 04:46 PM EDT
Just because a person(s) can be shown to be responsible for a criminal act does
not mean that they will be:

1) prosecuted

2) found guilty

3) punished

As a result, it is enough just to know who is responsible; O.J. Simpson comes
to mind.

Robert

What OS does MyDoom run on.
Authored by: Anonymous on Saturday, May 21 2005 @ 05:08 PM EDT
I wouldn't know myself; since I don't think MyDoom has been ported to any of the
computers I have.

Whatever OS it is, I think they should blame those extremists, whomever they
are.

The Troll can't spell
Authored by: Anonymous on Saturday, May 21 2005 @ 08:22 PM EDT
Back under the bridge you.

But to bite a little.

The author of the blog here isn't after fame and fortune, this is about
understanding a court case that, amongst other things, shows the problem with
the legal system. All this time in and still no proof of a case offered, and the
management obfuscating the nature of the case.

So privacy is not inappropriate for PJ. She isn't out there making statements
about millions of lines of code proving illegality, she's just shining a torch
using her knowledge.

So, to conclude, awa wi ye

GROKLAW, Hypocrisy and the Linux Community
Authored by: PJ on Saturday, May 21 2005 @ 09:21 PM EDT
Sorry, but I don't allow people to come here and call others
idiots. Read the comments policy.

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: Anonymous on Sunday, May 22 2005 @ 03:18 AM EDT
Until someone is arrested and convicted, we don't know who is responsible for criminal behavior, not even when we think we know who it simply *has* to be.

There are cases in the archives of this blog where similar advice might have been applied. I've seen for example offhand comments that SCO or MS is behind all sorts of nasty things, when in fact there was no proof of a connection. I agree that one should be careful when making such accusations of responsibility in public, but this community has been (to a lesser degree) somewhat guilty of this also.

I'll be surprised if we see the press covering this, in their world it's probably not "news" because it won't help to "sell papers" the way stories of hackers and Linux "extremists" does. In the US these days, if it isn't scary, it isn't news. Hopefully the word gets out anyway.

J

Another article about the DDOS against SCO
Authored by: Anonymous on Monday, May 23 2005 @ 08:10 AM EDT
http://www.csoonline.com/read/050105/extortion.html

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: CavemanOg on Monday, May 23 2005 @ 12:30 PM EDT

ShadowCrew have been long known (although not their identities) to the general security community for some time. They often engage in turf wars with their rivals, which are conducted using Joe-jobs, which are run through machines they've compromised. They also sell compromised home PCs to spammers (it's a fairly routine operation in those circles).

From my own perch in the anti-spam arena, I'm very happy to see this organization go down.

Who Really DDOS'd SCO - No, *Not* the Linux Community
Authored by: Anonymous on Thursday, May 26 2005 @ 08:06 PM EDT
Personally, I wouldn't apologize to the Linux community for anything. This story
doesn't say who definitely did it; they, like you, are going on speculation. I
personally think the Linux community launched the DoS attack and until I see a
bona fide arrest, which we haven't right now, then I will continue to think Linux
extremists did it.

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )