More Junkmail from Bob!

Sunday, February 13, 2000

Important Stuff.



This week is the week that press people learned what Denial of Service means. Although I usually get this at a nice retail outlet, it has a different meaning in the internet world. Some big web sites were "under attack"  this week. Yahoo, CNN, Ebay, Buy.com, and Amazon web sites were essentially shut down for 2-3 hours each by unknown hackers. What happened?

A while back, someone secretly loaded some programs on to a bunch of computers (30 or 10,000, depending on who you ask), from California to Germany. Stanford, UCLA, and UCSB were all lucky enough to host these programs. These computers all had fast internet access. The programs just sat there and listened, until one day they all received a command over the Internet. It said to "go for it," and all these programs started sending packets of data that requested a response from Yahoo's web servers. I think they were addressing some vulnerable places in Yahoo's system that didn't automatically reroute the overflow data.

The result? Nobody else could get into Yahoo's web sites for about three hours. Then later this week it happened to CNN, Ebay, Amazon, Buy.com, and a few others. The damage? Some users had to wait a little while to access some web sites and a few billionaires got excited and yelled at their workers.

Who did it? I don't know. There are several possibilities:

1. Some kids (or grown kids) having fun.

2. Some people wanting to manipulate stock prices. Buy.com was hit on the day of their IPO, but the stock didn't crater like you might expect. Computer security company stocks did go way up, though.

3. Some computer security firm trying to drum up some business.

4. A foreign government or group trying to cause general internet or e-commerce instability.

5. A US government group or contractor trying to get publicity to get internet security dollars into this year's federal budget.

It's relatively easy to do something like this, but kind of hard to do it completely anonymously. It's also hard to do it to the level required to bring down Yahoo's site. The programs used are available for download in the internet. There are also programs you can download that scan the internet for computers with known security holes.

This is pretty interesting. Take Windows NT for example. It's kind of like Windows 95 or Windows 98 with extra networking and security features. Companies who use Microsoft systems for internet servers usually use Windows NT (becoming Windows 2000). Microsoft has come out with lots of security patches for Windows NT that plug security holes. Someone will figure out a way to "sneak into" the system, and Microsoft will find a way to prevent it and issue a patch to Windows NT. People who use Windows NT should install these patches, but it doesn't always happen because they don't think it's important, they don't know about it, or they figure "if it ain't broke, don't fix it."

There are programs that scan computers on the Internet to see if they're Windows NT systems. Then they check to see if certain of the security patches are installed. If not, that computer's address is logged for future reference. Then, a person can take this list of unsecure computers, break into them, and install a "sleeper agent" or "zombie" program that does nothing until it's activated days, weeks, or months later. This program runs as a service in Windows NT among dozens of others, so it's not normally noticed. Hopefully the evidence of the break-in will be gone by the time it's activated.

When the program is awakened, it delivers its payload. In this week's case it sent packets of information over and over to the targeted system -- Yahoo, etc.  The packets contain requests for information with multiple false return addresses, so it's hard to figure out where they're coming from right away. The web site is still up and running, but there's very little legitimate data that can get through because of all the fake traffic generated by all the attacking systems.

These kinds of attacks are called Denial of Service, or DoS. (The small o differentiates it from DOS, Microsoft's Disk Operating System.) Denial of Service attacks are not new or unusual. The big thing about this week's was that the internet's biggest and most reliable sites were successfully incapacitated. One of them happened to be CNN, which was instrumental in creating a press frenzy.

In fact, there was so much press over this that the politicians figured they could get into the act. President Clinton is having a "summit" about it this week, bunches of Democrats and Republicans are blaming bunches of Republicans and Democrats, and Attorney General Janet Reno said, "Hacking will not be tolerated."  Jesse Ventura even quit his political party over the attacks. OK, OK, I made that part up. But lobbyists ARE trying to make a buck and internet companies ARE trying to get more internet money into the federal budget. It's a hot topic, so there's money to be made!

With politicians and billionaires involved, whoever gets caught for doing this will likely spend more time in jail than the average murderer. If it was just some recreational hacker/hobbyists, I hope they don't get caught. It seems to me like these companies could pay whoever did it for showing them their vulnerabilities. A few hours of downtime is relatively insignificant in the big picture. If the culprits were trying to make money, I think they could stand to spend a few nights in jail.

Here's Ebay's system info site. Go down to 2-8 and you can see what they were saying about the DoS attack as it happened. You can also see that there have been lots of other problems on their site, just like everybody else, and this isn't the end of the world. It just got a lot of press.

Here are some details on Yahoo's attack. There were four separate attacks on Yahoo's site last Monday before the one came that put them out of service. The first four attacks had no noticeable effects on Yahoo's site. The fifth one had so much traffic (more than 1 billion bits per second) that they lost a router. When it recovered, they lost all routing to their upstream ISP, which is their primary connection to the internet. They had had some hardware problems earlier and assumed this was caused by a hardware problem. They disconnected from the ISP, got everything running again, and then figured out they'd been under a widely distributed DoS attack. I read in one place that the attack on Yahoo seems to be more sophisticated than the others. This might mean that the others were copy-cat attacks.

One of the zombie programs is called Stacheldraht (German for barbed wire). A German guy who goes by Mixter wrote Stacheldraht, and a modified version of it was used in these attacks. It runs under Linux and Unix systems. In the past few days he posted a way on the internet to protect against the attacks. The FBI would like to talk to him. He might be reluctant to talk to them.

Stacheldraht pings every computer on the local network over and over and gets all those computers to reply to the target. There are supposed to be some more complex things involved that I don't understand, such as false return addresses and some encryption. There's a lot of conflicting information in the press, which is normal for any "hot" news item that is even remotely technical.
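Here's an added example to go with the two paragraphs above about fake traffic with false return addresses and about the ping-reply pile-up. It is not code from the original Junkmail and not one of the programs mentioned in it; it's a small detector I wrote for illustration. The traffic records, the addresses (taken from the documentation ranges, so they belong to nobody), the record layout (second, protocol, source, destination) and the thresholds are all made up for the example. It learns what "normal" looks like for a site from a quiet stretch, then flags seconds where the site suddenly hears from far more distinct addresses than usual, or gets a pile of ICMP echo replies to pings it never sent.

```python
"""Spot a distributed flood in a batch of constructed traffic records.

Added illustration, not part of the newsletter.  Each record is
(second, protocol, src, dst).  Two signs of a DoS flood are scored:

  * a distinct-source spike: one destination suddenly hears from far
    more addresses than usual (zombies and faked return addresses both
    look like this from the target's side), and
  * an echo-reply pile-up: lots of ICMP replies to pings the target
    never sent (the "get every computer to reply to the target" pattern).
"""
from collections import defaultdict

# Constructed stand-in for a web server (RFC 5737 documentation range).
TARGET = "203.0.113.10"


def make_sample():
    """Constructed sample: 10 quiet seconds, then a 5-second flood."""
    records = []
    # normal: three regular clients hitting the site once a second
    for t in range(0, 10):
        for i in range(3):
            records.append((t, "tcp", f"198.51.100.{i + 1}", TARGET))
    # flood: 200 different-looking sources per second, plus 150 ICMP
    # echo replies per second that the target never asked for
    for t in range(10, 15):
        for i in range(200):
            records.append((t, "tcp", f"192.0.2.{i}", TARGET))
        for i in range(150):
            records.append((t, "icmp-reply", f"198.51.100.{20 + i}", TARGET))
    return records


def per_second_stats(records):
    """Distinct sources and ICMP echo-reply counts per (second, dst)."""
    srcs = defaultdict(set)
    icmp = defaultdict(int)
    for sec, proto, src, dst in records:
        srcs[(sec, dst)].add(src)
        if proto == "icmp-reply":
            icmp[(sec, dst)] += 1
    return srcs, icmp


def detect_flood(records, train_seconds=10, ratio=10, icmp_reply_limit=50):
    """Return (second, dst, kind, value) alerts for seconds past training.

    Thresholds are assumptions for the example: a second is suspicious when
    distinct sources exceed `ratio` times the busiest training second, or
    when more than `icmp_reply_limit` unsolicited echo replies arrive.
    """
    srcs, icmp = per_second_stats(records)
    normal = defaultdict(int)
    for (sec, dst), s in srcs.items():
        if sec < train_seconds:
            normal[dst] = max(normal[dst], len(s))
    alerts = []
    for (sec, dst), s in sorted(srcs.items()):
        if sec < train_seconds:
            continue
        if len(s) > ratio * max(normal[dst], 1):
            alerts.append((sec, dst, "source-spike", len(s)))
        if icmp[(sec, dst)] > icmp_reply_limit:
            alerts.append((sec, dst, "echo-reply-flood", icmp[(sec, dst)]))
    return alerts


def busiest_source_share(records, dst, sec):
    """Fraction of one second's traffic to dst that came from its top source.

    With faked return addresses this stays tiny, which is why blocking the
    single "worst" address does nothing against this kind of flood.
    """
    counts = defaultdict(int)
    total = 0
    for s, _proto, src, d in records:
        if s == sec and d == dst:
            counts[src] += 1
            total += 1
    return max(counts.values()) / total if total else 0.0


if __name__ == "__main__":
    sample = make_sample()
    for alert in detect_flood(sample):
        print(alert)
    print("top-source share during flood:", busiest_source_share(sample, TARGET, 10))
```

On the constructed sample the quiet seconds produce nothing, every flood second produces both a source-spike and an echo-reply-flood alert, and the busiest single address accounts for well under one percent of the flood, which is the "hard to figure out where they're coming from" problem in numbers. The counter-measure that actually removes faked return addresses is ingress filtering at the ISPs (RFC 2827), not anything the target can do by itself.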

Network Associates' mycio.com just came out with a program to scan networks for zombies.



Here's today's mountain picture -- Mount Bierstadt and Mount Evans, Colorado:

        img_3140.jpg

and some electric snow:

        img_3107.jpg


A couple of weeks ago, the Japanese government was talking about hackers being a grave threat to national security after some of its web pages were defaced. Defaced is the term used when someone adds to or replaces someone else's web site. It's kind of like graffiti, except a lot easier to clean up. I think this kind of thing would be fun to do, but I'm "old enough to know better" so they'd probably make an example out of me when I got caught. So I'll just watch and laugh at them instead.

A guy who goes by YTCracker and claims to be a high school student from Colorado Springs ran a 15-minute "audit" of some Japanese government web sites. He found a relatively large number of security holes. In the U.S., there is a lot more defacing so web sites have to be more secure. A few instances of web defacing caused a big uproar with the Japanese government so they're getting everything battened down now. Here is his article:

        http://www.hackernews.com/bufferoverflow/00/japanese.html

There's a site called Attrition that copies and logs ("mirrors") defaced web sites. There is everything from nice warnings saying "your web site isn't secure" to dirty pictures to threatening garbage. For example, this one from NASA (office of human resources, Goddard Space Flight Center) defaced last Thursday just had this message attached to the bottom: "i know you have good intentions, but fix me please. mr_min."

        http://www.attrition.org/mirror/attrition/2000/02/10/ohr.gsfc.nasa.gov-1/

This one's pretty funny from yesterday. It's RSA's web site, a big computer security firm:

        http://www.attrition.org/mirror/attrition/2000/02/12/www.rsa.com/

Then someone else got them again today!

YTCracker notified several government web sites last fall about their security holes. Most of them ignored his repeated warnings. So he finally defaced their pages and got them to fix their systems. They apparently didn't try to track him down very hard, probably because it wasn't very malicious.


It's getting harder and harder for the U.S. government to wiretap, so they're planning (in Clinton's budget I think) to pay phone companies $240 million to put equipment in the switching offices to facilitate wiretapping. This is up just a bit from $15 million last year. The Department of Defense is paying half, which seems a little odd because they're supposed to be defending us instead of spying on us.


Like I mentioned a week ago, Mike is history at ViaGrafix. But I forgot the documentary photos of Mike's last day. Here is Mike and his poor wife Traci languishing, facing a life of parasitic unemployment:

        img_3095.jpg

Fatigue sets in after 10 years' hard labor. (Note the stylish $153 Learn2 cap):

        img_3099.jpg


Not too long ago GE was the largest company in the U.S. in terms of market capitalization. That's the number of shares of GE stock times its price -- it's essentially how many dollars the company is worth. GE makes everything from light bulbs to jet engines to nuclear reactors. GE's market capitalization is $438 billion. Microsoft, with a market capitalization of $517 billion, passed GE a while back. Last week Cisco Systems, who makes internet and network equipment, passed GE by about $10,000,000,000 for the number two spot. Maybe there really is something to these computer companies.


The MPAA is still hassling people about DVD decryption, so I felt obligated to post some DVD source code and linux utilities here:

        http://www.geocities.com/viabob


And finally, two more pictures of today...  a P51 Mustang at Claremore, gassing up:

        img_3102.jpg

...and buzzing the airport. I was on the runway when I took this -- that's a runway light in the foreground:

        img_3104.jpg


(o) 1990, all rites observed. No unauthorized copying of this piece of fine prose is prohibited. If you are wondering why this appeared in your inbox, take comfort in the fact that this is NOT a Denial of Service attack in spite of its quality or lack thereof. If you are of such a mental attitude that you want more of this amazing tripe, go to http://xpda.com/junkmail. You can also go there to sign up yourself, your friends, acquaintances, relatives, enemies, perfect strangers, and strangers with slight imperfections. If you would like to be removed from the Junkmail list, please change your email address, or contact munge and request Stacheldraht.