Who Really DDOS'd SCO - No, *Not* the Linux Community

Friday, May 20 2005 @ 09:21 PM EDT
Finally, the truth comes out. The Linux Community had nothing to do with the MyDoom attack on SCO. If you want to know who did it, read Business Week's account about "Hacker Hunters" and their roundup of criminal gangs:
Trojan Horse
Devilish trickery keeps the criminals one step ahead. In January, 2004, a new virus called MyDoom attacked the Web site of the SCO Group Inc. (SCOX ), a software company that claimed the open-source Linux program violated its copyrights. Most security experts suspected the virus writer was a Linux fan seeking revenge. They were wrong. While the SCO angle created confusion, MyDoom acted like a Trojan horse, infecting millions of computers and then opening a secret backdoor for its author. Eight days after the outbreak, the author used that backdoor to download personal data from computer owners. F-Secure's Hyppönen figured this out in time to warn his clients. It was too late, however, for many others. MyDoom caused $4.8 billion in damage, the second-most-expensive software attack ever. "The enemy we have been fighting is changing," says Hyppönen.
Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. (ISSX ) in Atlanta.
So, now that it's official, I'm sure SCO will issue a public apology for its false accusations. Oh, and there is that SEC filing too. I'm sure they don't want any false information in an SEC filing. Groklaw stood alone on this story when it first broke, finding and reporting all the facts that challenged the SCO account. The next time someone comes to us with such a tale about Linux "extremists", let's learn from this. Until someone is arrested and convicted, we don't know who is responsible for criminal behavior, not even when we think we know who it simply *has* to be.
And I hope the mainstream media, which spread the malicious SCO innuendo about Linux "extremists" attacking SCO, will now give equal space and time to the correct information. At a minimum, they should add an addendum correcting stories that remain on the Internet that attributed the MyDoom attack on SCO to the Linux community. I'm sure responsible publishers will do that. Because it is now known for sure: it was not the Linux community.

Authored by: resst on Friday, May 20 2005 @ 09:29 PM EDT
This is starting to look like the tapestry is being unraveled, thread by thread.
Only now there isn't much left of the original work.
PJ, I never doubted you.

Authored by: Anonymous on Friday, May 20 2005 @ 09:29 PM EDT
Post your corrections (if any) here.
Wonder if SCO will have to correct its SEC filings on this? Or am I wrong, and they didn't mention it in there?
I know they've mentioned it publicly a few times.

Authored by: m_si_M on Friday, May 20 2005 @ 09:33 PM EDT
.

Authored by: Anonymous on Friday, May 20 2005 @ 09:37 PM EDT
Or should that say Nonymous, without the a-?
---
--Bill P, not a lawyer. Question the answers, especially if I give some.

Authored by: Latesigner on Friday, May 20 2005 @ 10:00 PM EDT
All the voices are stilled?
It wasn't us and no one has a thing to say ?
Who'd a thought it!!!
---
The only way to have an "ownership" society is to make slaves of the rest of us.

Authored by: radix2 on Friday, May 20 2005 @ 10:16 PM EDT
...criminals, whether they be Linux, Windows, Mac or BSD users... It is time to stop the OS user generalisations and focus on the real problem: locking previously open doors that let the thugs in.

Authored by: leopardi on Friday, May 20 2005 @ 10:16 PM EDT
Did the informant mentioned in the article receive SCO's $250,000 reward yet?

Authored by: Briareus on Friday, May 20 2005 @ 10:22 PM EDT
Authored by: Briareus on Friday, May 20 2005 @ 10:22 PM EDT |
Political history is replete with instances of psychological and psychopolitical
warfare being waged in which an aggressor creates confusion by casting a party
that is tangentially involved with the desired target as the aggressor. Even
discerning observers can be duped by a skilled operator. Since the public tends
to have a child's view of such tactics, the obfuscation can last for decades. A
good rule of thumb is simply to ask, "who gains?". Following the money
trail tends to flesh out the answers.
In this case, it should have been obvious from the outset that SCO has neither
the finesse nor the imagination for such an operation. Not even close. They
would like to think so, I'm sure, but they employ the cudgel when a whisper
would serve them better.
The cybercriminals on the other hand exhibited a sharp understanding for media
manipulation, and it's no surprise to me that counter-intelligence operators are
hired to track them down.
As to who benefitted and why, I'm thankful that the money trail is lit up with
streetlights by the many eyes of Groklaw. I think this blog nullified much of
what SCO could have gained after that DDOS holiday. I seem to recall they got a
bump from it, but it wasn't for long.
As a side benefit, it would be wise of us to remind the public of what
characters like Enderle and Co. said at the time. I sense a window of
opportunity to clear more air right now. It has smelt of MoG for too long.
---
scary times are never dull

Authored by: eamacnaghten on Friday, May 20 2005 @ 10:53 PM EDT
And I hope the mainstream media, which spread the malicious SCO innuendo about Linux "extremists" attacking SCO will now give equal space and time to the correct information.
Ho-Hum, I suppose you mean an article like this one from the BBC; well, I do not think so.
At the time I emailed them a complaint...
Hi
In Stephen Evans' article entitled "Linux cyber battle turns nasty" (http://news.bbc.co.uk/1/hi/business/3457823.stm) Stephen says regarding the MyDoom virus...
"There seems little doubt that SCO was targeted - illegally and unacceptably, lest anyone be in any doubt - because it has enraged many people devoted to the Linux operating system."
whereas the evidence suggests otherwise, that the virus was created by professional spammers, possibly by organized crime, and that the attack on SCO was there to falsely place the blame on Linux enthusiasts to disguise the origin, for the virus, as well as attacking SCO, opens up network ports on the affected and installs a keylogger that can record passwords and credit card numbers and so on.
Details can be obtained at http://www.linuxworld.com/story/42125.htm.
Although no-one knows why the virus was created (except the Author), there seems plenty of doubt that it was done by Linux enthusiasts.
This article does not reflect the high quality of research usually exercised by BBC reporters. I believe it is important to correct the facts of this story, not only because it paints guilt on parties that are probably innocent, but because it does not portray the true nature of this nasty virus, many of the readers probably having computers that have been affected with it.
I got this reply....
Dear Sir
Thanks for your e-mail.
I have noted the points you made - as well as the vigorous debate on Slashdot.org about this article.
Well, Stephen Evans' weekly "stateside" column is not a news story, but an analytical look at major events and business trends in the United States.
It is, of course, debatable whether MyDoom/Novarg/Shimgapi was written just to bring down the SCO website, or whether the installation of spamming tools on numerous computers was an additional - or even the main - motive.
That was not the point of Stephen's article.
In his piece he wanted to draw the attention of BBC News Online's audience - many of whom are unlikely to know the ins and outs of the Open Source debate - to the rapid spread of Linux as a commercial application, SCO's attempts to cash in on this fact, and the deep anger that SCO has caused within the Linux community through its legal actions.
Stephen is not the first to draw the link between MyDoom and SCO's actions over Linux - plenty of others have done that before, including virus experts.
Regards,
Tim Weber
Business Editor
BBC News Interactive - www.bbc.co.uk/businessnews
I guess it is more important to present the news well rather than to present it correctly, even, to some extent, at the more respectable companies like the BBC.
Web Sig: Eddy Currents

Authored by: belzecue on Friday, May 20 2005 @ 11:02 PM EDT
Apologies if this has already been noted. Nothing major, but it reinforces what PJ said earlier about the Russian origins of the attacks. An enlightening look into the world of DDOS blackmailing:
"How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won"
...In ensuing chats, Turner gathered circumstantial connections to BetCris and the gaming extortion wave. EXe asked Hardcore, "how u know about our work? about bettings & sportsbooks"; at another point, Turner saw a reference to BoDog, a sports book that had been attacked. Another time, eXe inadvertently exposed his real ISP, in Russia.
Chat sessions continued for eight weeks. Often they were jarring and discombobulated. Cyrillic characters mixed with poor English. There was foul language and other noise. Turner watched eXe attack Microsoft and probe SCO.com...

Authored by: vruz on Saturday, May 21 2005 @ 12:22 AM EDT
It should have been fairly obvious, since most Linux developers/hackers probably won't care or be bothered about learning the Win32 API only to get such a scarce reward.
---
--- the vruz

Authored by: tangomike on Saturday, May 21 2005 @ 01:04 AM EDT
I'm not sure that the article absolves the "Linux community". Sure, the TSCOG DDoS was probably misdirection. Yes, the attack was launched from Windoze machines.
Unfortunately, neither of these facts absolves the Linux community. If this was a criminal case, then the Linux community could be found not guilty for lack of evidence. In a civil suit the balance of probabilities also appears in the Linux community's favour. Neither of those findings proves it wasn't the Linux community.
Still the article doesn't say that Hyppönen confirmed that this wasn't launched by someone who is a member of the Linux community. That's (sort of) the author's opinion.
Before anyone fires up their flame throwers, let me also note that I don't recall anyone blaming this on the "Windows community" though the attacks originated from Windows boxes.
At the end of the day, it was the criminal community that did it. The operating systems of the perpetrators are irrelevant, except to note that it's highly unlikely that a MyDoom could succeed on Linux boxes. Windows on the other hand is designed to do what MyDoom did.
---
Nothing screams 'poor workmanship' like wrinkles in the duct tape.

Authored by: Anonymous on Saturday, May 21 2005 @ 01:17 AM EDT
Who was the person who supposedly contacted Eric Raymond?
Why would somebody who presumably had no knowledge of the actual perpetrator contact Raymond, and give a false reason and origin for the attack?
Why did Eric Raymond believe this person? And then choose to publish these unsupported claims, as if fact, to the world?
And oh yes:
While it's nice that the criminal involved apparently wasn't part of the Linux community, I've said it before and I'll say it again: You are responsible for your own actions. You are not responsible for what other people do, especially not for people who just happen to use the same technology as you. I've heard that Bin Liner guy uses a Mac, a satellite phone, and CDRs, but I don't think that is a reason to throw all other Mac users, satellite phone users and CDR users in jail.
Quatermass
IANAL IMHO etc

Authored by: Anonymous on Saturday, May 21 2005 @ 02:03 AM EDT
This is really funny because Eric Raymond claimed to know who was attacking SCO.
In a posting to internetnews.com sister site Linux Today, Raymond, while noting that he does not know the identity of the person responsible, said, "I had been hoping, and actually expecting, that the attacker would turn out to be some adolescent cracker with no real connection to the open-source community other than a willingness to stand down when one of its leaders asked. But no; I was told enough about his background and how he did it to be pretty sure he is one of us -- and I am ashamed for us all." internet.com

Authored by: Anonymous on Saturday, May 21 2005 @ 02:37 AM EDT
Does this mean SCO was running a Windows server, or did the person who created the My Doom worm direct an attack towards SCO? What would you call this person? A Windows user, someone who is anti-Windows, or just someone who wants to reap the data stored on Windows servers and PCs which can be so readily harvested for fun or profit thanks to Windows security flaws? Can you really categorise people in such an over-simplistic way? Surely no one in the real world is black or white - everyone is a shade of grey.

Authored by: blacklight on Saturday, May 21 2005 @ 02:50 AM EDT
"... And I hope the mainstream media, which spread the malicious SCO innuendo about Linux "extremists" attacking SCO will now give equal space and time to the correct information" PJ
Fat chance.

Authored by: Anonymous on Saturday, May 21 2005 @ 05:08 AM EDT
Please note that you didn't deny that these shadowgang members are Linux users :P
Actually, I believe the DDOS stuff was in so people with an infection won't clean their system so fast (because it does something funny/useful/deserved). Please note, those people are not Linux users, just Windows slaves. But they could definitely have sympathies.
Or it was simply for publicity. If a virus is so widespread it can execute a DDOS, it is definitely good enough to create spam zombies.

Authored by: Anonymous on Saturday, May 21 2005 @ 08:09 AM EDT
IMO this is an interesting read. SCO is mentioned, briefly. Link
Maat

Authored by: Anonymous on Saturday, May 21 2005 @ 08:40 AM EDT
One of the most damaging falsehoods was spread by the usually respectable Eric Raymond, president of the Open Source Initiative. He should also apologize.
See this for background.

Authored by: gvc on Saturday, May 21 2005 @ 10:57 AM EDT
Darl claimed to be the victim of DDOS attacks at least three times.
As I recall the claims were something like this:
(1) One or more early claims by Darl that the sco.com was down due to DDOS, but no evidence of any attack has ever been seen. PJ and others raised considerable scepticism.
(2) One claim that seemed to be supported by backscatter evidence. Still no plausible evidence of the mechanism of the attack, but sceptics seemed to back off entirely.
(3) Mydoom was discovered to be "armed" to attack SCO at a future date, which it did.
The Mydoom attack is the only one for which I see a satisfactory explanation of the mechanism for the attack. So the question is, what about (1) and (2)?
It could be that (2) was a 'ranging shot' by the Mydoom authors. Or it could be that (1) and/or (2) were unrelated to MyDoom - the MyDoom perpetrators were being opportunistic - SCO were obviously an easy mark and the prior controversy might deflect discovery.
If Mydoom was just opportunistic it did the perpetrators of (2) a great service. Nobody appears to be treating it as a separate incident. If there's evidence of a tie-in I'd like to see it.
Similarly, I haven't seen a whole lot of evidence with regard to the relationship between (1) and (2). They may be related or not.
In my opinion, there are still many unanswered questions here. Some possible explanations are more credible than others. I don't think you can assume that there is one cause for all the attacks, or indeed that all the attacks really happened. More investigation is in order.

Authored by: Anonymous on Saturday, May 21 2005 @ 11:35 AM EDT
Missing that somehow?

Authored by: Anonymous on Saturday, May 21 2005 @ 02:24 PM EDT
So MyDoom infects a machine, attacks SCO, and creates a backdoor for the virus author. Then eight days later the author uses the backdoor to steal personal information.
Why attack SCO first? Doesn't that just make it far more likely that the infected machines will be discovered? Wouldn't you want to steal the information first and then attack SCO?

Authored by: Anonymous on Saturday, May 21 2005 @ 04:46 PM EDT
Just because a person(s) can be shown to be responsible for a criminal act does not mean that they will be:
1) prosecuted
2) found guilty
3) punished
As a result, it is enough just to know who is responsible; O.J. Simpson comes to mind.
Robert

Authored by: Anonymous on Saturday, May 21 2005 @ 05:08 PM EDT
I wouldn't know myself, since I don't think MyDoom has been ported to any of the computers I have.
Whatever OS it is, I think they should blame those extremists, whomever they are.

Authored by: Anonymous on Saturday, May 21 2005 @ 08:22 PM EDT
Back under the bridge, you.
But to bite a little.
The author of the blog here isn't after fame and fortune; this is about understanding a court case that, amongst other things, shows the problem with the legal system. All this time in and still no proof of a case offered, and the management obfuscating the nature of the case.
So privacy is not inappropriate for PJ. She isn't out there making statements about millions of lines of code proving illegality; she's just shining a torch using her knowledge.
So, to conclude, awa wi ye

Authored by: PJ on Saturday, May 21 2005 @ 09:21 PM EDT
Sorry, but I don't allow people to come here and call others idiots. Read the comments policy.

Authored by: Anonymous on Sunday, May 22 2005 @ 03:18 AM EDT
Until someone is arrested and convicted, we don't know who is responsible for criminal behavior, not even when we think we know who it simply *has* to be.
There are cases in the archives of this blog where similar advice might have been applied. I've seen for example offhand comments that SCO or MS is behind all sorts of nasty things, when in fact there was no proof of a connection. I agree that one should be careful when making such accusations of responsibility in public, but this community has been (to a lesser degree) somewhat guilty of this also.
I'll be surprised if we see the press covering this; in their world it's probably not "news" because it won't help to "sell papers" the way stories of hackers and Linux "extremists" do. In the US these days, if it isn't scary, it isn't news. Hopefully the word gets out anyway.
J

Authored by: Anonymous on Monday, May 23 2005 @ 08:10 AM EDT
http://www.csoonline.com/read/050105/extortion.html

Authored by: CavemanOg on Monday, May 23 2005 @ 12:30 PM EDT
ShadowCrew have been long known (although not their identities) to the general security community for some time. They often engage in turf wars with their rivals, which are conducted using Joe-jobs, which are run through machines they've compromised. They also sell compromised home PCs to spammers (it's a fairly routine operation in those circles).
From my own perch in the anti-spam arena, I'm very happy to see this organization go down.

Authored by: Anonymous on Thursday, May 26 2005 @ 08:06 PM EDT
Personally, I wouldn't apologize to the Linux community for anything. This story doesn't say who definitely did it; they, like you, are going on speculation. I personally think the Linux community launched the DoS attack and until I see a bona fide arrest, which we haven't right now, then I will continue to think Linux extremists did it.