
Tuesday, March 27, 2012

Hackers, Part 3

There is no shortage of money at banks, usually. That's why criminals are motivated to rob them. But the act of robbing a bank is considerably less risky if you don't actually have to go there. Enter the hacker.

Money, It's a Hit

In previous installments of the Hackers posts we talked about the motivations of hackers. In this case, the motive is money. What drives computer programmers to steal money? Probably bad people with money that want more of it. Yet, a lot of them are overseas and I can't simply ask them, much less even identify them. I can speculate that some are state-supported, looking for handles on the US and other economies to exploit. Or they are criminal organizations that keep their own stable of indentured hackers in the back room, fed with Doritos and Mountain Dew. Or they are simply businesses that do things in shady ways, by contracting hackers to attack their competitors.

Either way, they typically employ a zero-day exploit and a chain of other buffer-overrun bugs to gain superuser access to a machine running Windows XP. At that point, they install a rootkit in the machine so they can gain superuser access at any point down the line. The machine becomes a bot.

Perhaps the most interesting and disconcerting fact is that there exist entities that sell and update rootkit programs. They need updating as Microsoft issues patches to the known exploits. But Microsoft's task is like trying to put your finger in the bottom of the boat when there are hundreds of holes. Or thousands.

So there is a market, I expect, of zero-day exploits. These are bugs in software that make a system crash. And allow the hacker to upload code. That code might be part of a buffer overrun - the contents written into a buffer that's just too small to hold what's written. Since all machines are Von Neumann machines, this means that you can execute data just like you can execute code. Data and program are interchangeable. This is why the linker can exist, and dynamic linking of libraries can occur.

And it's also why it's possible to upload malware through websites.
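To make the buffer overrun described above concrete, here is an added example (not code from the original post; the struct and function names are hypothetical). It shows a write that is too long for an 8-byte buffer spilling into the field stored right after it, next to a length-checked version that refuses the same input. The overrun here only flips a neighbouring flag, and the unchecked write is capped at the size of the whole record so the demonstration stays well-defined C.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a small buffer followed directly by a field the
 * program trusts. With these member types there is no padding, so
 * is_admin sits at offset 8, immediately after name[]. */
struct session {
    char name[8];
    unsigned char is_admin;
};

/* Unchecked copy: the caller's length is trusted. The write goes through
 * a byte pointer to the whole record and is capped at sizeof(*s), which
 * keeps the demo inside one object while still overrunning name[].
 * Returns how many bytes landed past the end of name[]. */
size_t unchecked_set_name(struct session *s, const unsigned char *src, size_t len)
{
    unsigned char *raw = (unsigned char *)s;
    if (len > sizeof *s)
        len = sizeof *s;
    memcpy(raw, src, len);
    return len > sizeof s->name ? len - sizeof s->name : 0;
}

/* Checked copy: reject anything that does not fit, including room for
 * the terminating NUL. Returns 0 on success, -1 if the input is too long. */
int checked_set_name(struct session *s, const unsigned char *src, size_t len)
{
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Constructed input: eight filler bytes plus one extra byte (value 1). */
static const unsigned char oversized[9] = {
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 1
};

/* Returns the value of is_admin after the unchecked copy. */
int demo_unchecked(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    unchecked_set_name(&s, oversized, sizeof oversized);
    return s.is_admin;
}

/* Returns 1 if the checked copy rejected the input and left is_admin alone. */
int demo_checked(void)
{
    struct session s;
    memset(&s, 0, sizeof s);
    int rc = checked_set_name(&s, oversized, sizeof oversized);
    return rc == -1 && s.is_admin == 0;
}

int main(void)
{
    printf("offset of is_admin: %zu\n", offsetof(struct session, is_admin));
    printf("is_admin after unchecked copy: %d\n", demo_unchecked());
    printf("checked copy rejected input:   %d\n", demo_checked());
    return 0;
}
```

The fix is the length test in checked_set_name: the data never reaches memory it was not meant for, so there is nothing next to the buffer left to corrupt.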

Let's take a case in point: Microsoft has been fighting a war of attrition against the Zeus botnet. But, why do they call it the Zeus botnet?

First, a bunch of machines under control of one master hacker is called a botnet, a network of bots. Each machine can be activated by its master to do their bidding. With many machines under the hacker's control, operations like DDoS attacks can be run with greater effectiveness. Or they can use the botnet for sending ridiculous amounts of spam email advertising fake Viagra. The botnets also give a certain degree of anonymity to their masters, because they are only, after all, operating by proxy.

It is apparent that a group of professional attackers maintains the Zeus code, which is code to help penetrate systems. How can such a group exist? They run their shop somewhere in Eastern Europe, away from the reach of the FBI and other law enforcement groups. I really wish that whatever country they are in would have the guts to shut them down. I'm not even sure Interpol has a presence there.

And maybe there is the question as to whether the construction of a tool to penetrate systems is even illegal at all, in and of itself. Still, selling the tool and supporting the tool seems like it is aiding in the commission of a crime.

Yes, the Zeus code costs money also. They charge between $700 and $15,000 US for their code and also for support, which includes updates to current zero-day exploits and also probably tech support via some anonymized IRC chat.

The presence of Zeus means that it's much easier for state-supported hacking and business-supported hacking to exist. These institutional hackers simply buy Zeus and then rent servers to make botnets.

And this is Microsoft's war of attrition: to take down the server farms (otherwise operating legally and used for housing websites and e-commerce operations, and possibly unaware that they house botnets) that have been converted into botnets. Some 13 million computers are used in this way. And this has resulted in the theft of about $100 million since 2007, that we know about.

Business as Usual

Another real problem is the rampant increase in hacking for the purposes of gaining a business advantage.

A really fascinating and discouraging piece of news showed up today. News Corporation, run by Rupert Murdoch, has been accused of another hacking scandal. This time it was purportedly hiring hackers to crack rival ITV network's smart card encryption scheme, and posting it online so most of ITV's customers could simply avoid paying them.

This put ITV out of business, which was just fine for News Corporation's Sky TV service, which likely picked up the customers.

News Corporation was found guilty of hacking one smart card for the DISH Network. And fined a piddling sum. But what actually happens is that they can post the hack (anonymously) and ruin their competitors.

Pretty sneaky, massively illegal, and very immoral.

The tiny fine was a classic Pyrrhic victory for the DISH Network.

4 teh Lulz

It is interesting to see a return of the splinter group LulzSec, so soon after Sabu, LulzSec's leader, was deftly converted to a mole and then turned on LulzSec itself. This had the useful effect of decreasing the hacker world's trust in itself.

Now, an enterprising hacker with the handle lalalalala has penetrated and posted on pastebin all the information about the 171,000 dating servicemen (and women). As part of a new group. And they are calling themselves LulzSec Reborn.

Reborn, presumably, from the ashes of the FBI sting on the group.

This is the trending problem: that technology can change much faster than law enforcement. Tech is the fastest changing thing on the planet. So it's a wonder that the FBI, Interpol, and MI-5 can barely keep up with it: they don't always have the tools they need to be effective. Why?

The real problem is that laws can't keep up with technology.


  1. "The real problem is that laws can't keep up with technology."

    This point I just made in a comment in your first Hackers article.

    "And maybe there is the question as to whether the construction of a tool to penetrate systems is even illegal at all, in and of itself. Still, selling the tool and supporting the tool seems like it is aiding in the commission of a crime."

    Knives can be used to commit crimes, and they can also be used to do useful work.

    Laws can not protect us. Thus we need as much experimentation as possible into exploits, so that we can harden our locks.

    It is a fallacy that security gets stronger if we make locksmiths illegal. Security is stronger when the range of potential exploits has been enumerated, and we have test beds that are hardened by real world competition.

    1. It is too bad that most of the users of these tools use them for malware purposes. Not for hardening the locks.

      I'm not against hired tiger-strike force teams so you can verify your security. Not at all. But these should be licensed. Like firearms. It's hard to steal someone's identity with a knife. It's easier to do it with malware.

      I really think that making the attack tools illegal is the wrong idea. But they need to be controlled. Like a controlled substance. Laws need to keep up. And they have been used to foster protection and social order for thousands of years to great effect.

    2. I presented the generational research in the Transparency blog, which explains why we are not going to agree on the use of the government to enforce values:

      At least we can be rational about understanding why we have different political philosophies.

      We Gen X did not grow up entitled. We have to struggle on our own to get where we are. We don't feel entitled, and thus we are not stakeholders in the society that the Boomers built. We trust the free market, because that is what we were dealing with on our own. Social security won't be there for us. The boomers took more than all (debt everywhere). We've had to scrap and negotiate hard to get some. And instead of giving back to us now the peace of individual freedom that we want, they want to put their value system on us (which will continue to escalate the wars).

      So there is conflict ahead.

      The Heroes are going to rebuild new institutions and fight the wars to tear down the current corrupt ones. We Nomads are caught in the cross-fire and just trying to find a way to not get squeezed out. Thus we have no choice but to discard the social contract, as it won't be rebuilt in time for us.

    3. Nobody is entitled, Shelby. I wasn't when I grew up. I had to find my calling. I had to teach myself in many instances. I still do. There were no easy steps.

      I was never a stakeholder in a society. I had to work hard and in some cases fight to earn what I could. And people doubted me every step of the way, until I showed that my ideas could make money. This took decades. It was a very slow growth, and in some cases I had to starve along the way. That's not the kind of thing that happens in entitled classes. If I wasn't inventive, there would have been no way to climb out.

      Now, opportunities for advancement are astounding. Zuckerberg is worth billions. This is because of disruptive technology.

      And software applications were disruptive for me, because I found a niche to succeed in. I found that creativity and hard work could bear on some problems and solve them. I found that I was creating something that was valuable. But I didn't do it by grousing about how everybody else has it easy. I didn't tell the Venture Capitalists that their values were bad. I simply avoided them and found a new and disruptive way to succeed. Despite the previous generation's way of doing things, which was quickly becoming less valid.

      Corruption exists in Gen X, and Gen Y, and Gen Z. Because the common element is Homo Sapiens.

      My point is, if you want to make a difference, then go out and make a difference.

      A truly great idea will flourish no matter what the conditions (unless you're Philo T. Farnsworth, right before WW II, ahem.) And ideas are exactly the currency you need, because creativity and ideas can help create disruptive technologies and a difference can be made.

      And my generation, that had to struggle through hostage crises and gas lines and political assassinations and corrupt presidents had the same things to say about our predecessors.

      The social contrast is being rewritten, by the way, by social media and the new economy. I believe the ones that created the debt should be held accountable and new ways of doing things will have to be put into place. Plenty of countries have taken this step.

    4. "Nobody is entitled"

      Our welfare state has bloated from 10% to 60+% of GDP. (include regulatory capture to get 60+%)

      "I wasn't when I grew up."

      I assume your parents provided a stable home, which gave you access to uninterrupted education.

      Perhaps 50% of Gen X's were abandoned and grew up in chaos. Also, most people in Philippines had to grow in chaos and stop their education at various times.

      USA had a small % of the world's population, but was consuming 25% of its resources. One Treasury dept official said to the developing world, "it is our dollar, but your problem". I have studied how the corrupt economic model worked to extract all the resources for the entitled.

      "I had to work hard and in some cases fight to earn what I could. And people doubted me every step of the way, until I showed that my ideas could make money."

      I saw first hand how hard you work, and I can imagine you struggled even more at the earlier stages of your *young adulthood*.

      The difference is not that you didn't work hard as a young adult and had no challenges, rather I surmise that you (like most Boomers) believe the social system works. That generational research claims that the attitude towards politics is due to the *childhood* years, i.e. whether the system protected us as children.

      What is interesting now is the Boomers recognize that there are imbalances, but the difference is how we want to correct them. I want to replace the corrupt government with a free market. The Gen Ys (Heroes) who are your archetype, will want to build a new government that is very strict (fascism ahead as that is the intersection of the Boomer and Hero psyche and the 2 groups outnumber us Gen X). The Boomers want to rebalance by giving the existing government even more power. So now we have carbon taxes-- taxing the lifecycle of the earth. Carlin understands because he was a Gen Z (Artist in the research) -- my grandparent's generation who I was very compatible with:

      "I had to starve along the way"

      Not literally. I was in the Philippines during the Asian crisis. Some were literally eating once a day.

      I have always had food, although I did go through a brief period after Fractal where I was down to eating rice and beans in a Nipa hut (but no decent programmer was unable to find a job in USA at that time, so this was self-inflicted).

      "Now, opportunities for advancement are astounding. ... This is because of disruptive technology."

      Agreed. We share a love for technology. And I am blessed with opportunities. No complaints.

      The political attitude difference is that Boomers want to sustain/morph the existing social contract, and Gen Xs opted out of it, Gen Ys want to (fight to) tear it down and rebuild.

      "But I didn't do it by grousing about how everybody else has it easy."

      That wasn't my point. I am not saying Boomers have it easier than me now. I actually believe they are at an economic crossroads, and I don't think they grasp the full implications yet.

      My point is that these generations have different attitudes about the role of the government, based on our differing formative experience as children.

    5. ...continued from prior comment...

      "I didn't tell the Venture Capitalists..."

      We share entrepreneurship. Roughly $350K gross on in 2001 (3 eye surgeries too), coded in a Nipa Hut. 1 man company. Had a software co. before Fractal too. I respect your hard earned success. I am guilty that the chaos in my life prevented me from being loyal to Fractal for a longer period. Rationally it helps me to see that we diverge on politics due to a generational effect, if that is a valid theory.

      "My point is, if you want to make a difference, then go out and make a difference"

      Agreed! I am coming to understand why Boomers want to control so many things through the government, when it is individuals in a free market that make a difference. Governments always fail. Centralized management is a failed economic model so many times over in history. The theory is it is because the system worked well for Boomers as children.

      I also admit that Gen X and Gen Y go in two different opposite extremes. None of the extremes are the stable solution. There is no stable solution. Life is dynamic and there are cycles and competition.

      So yeah, I like to stay focused on what I can do as an individual. All the collective action stuff is waste of my scarce remaining time, and gives me a headache.

      But yet (I have enough experiences of banging my head on the wall to know), still we won't completely understand each other's politics, and I am okay with that. I hope we remain friends in technology.

      "And my generation, that had to struggle through hostage crises and gas lines and political assassinations and corrupt presidents had the same things to say about our predecessors."

      I remember those. The real threats to my childhood were the things close by, such as changing schools every year or so, father gone, my stepfather throwing me down the stairs, being locked in a car with windows that wouldn't open with thick marijuana smoke and an 8 track tape of Bob Marley, the inner city blacks who ganged up on me, etc..

      I don't want to prevent that from happening to others via some collective action, such as government mandated education, government regulation of many aspects. Because I don't think that works, nor was the lack of that the cause.

      I see the cause was the chaos around the 60s and 70s. And the spoiling of the Boomers in childhood, which caused the Boomers to take childhood for granted and not attend to it for their first set of children (Boomers do protect their Gen Y and Gen Z kids).

      I think those were to some degree caused by the ability to print dollars and extract resources from the developing world. Perhaps the enabling action was done by the prior Heroes, e.g. the Fed Reserve Act in 1913 (detaching the reserve currency from gold).

      "The social contrast is being rewritten, by the way, by social media and the new economy."

      Very much agreed.

      "I believe the ones that created the debt should be held accountable and new ways of doing things will have to be put into place."

      Here is my politics. I would start by dismantling the government, which is the fox guarding the hen house. I am not so interested in jailing the perpetrators, I just want a free market default and then rebuild. Rather the Gen Ys will want retribution. The foxes will be playing this like a fiddle (they're drooling for any calls for increased power for their govt which they control with their central banks), just like they did the last time, when they got us off a gold standard onto a fiat in 1913, that enabled them to expand the government theft system from 10% to 60+% of the economy.

      Any way, I know that my course is orthogonal to that drama. So I don't really care what they do. I will be doing technology and algorithms.

    6. Typo: change "2001" to "2000".

    7. I can't respond to your comments, because they are too far afield for the subject of Hackers.

      I'm not sure what your talk about the social welfare of Gen X has to do with creativity or even hackers. But I do know that cyberwarfare is a real problem. It can destabilize society and so it must be reined in. I don't think China practices hacking "for the lulz", do you?

    8. Technological disruption is a form of destabilization. Disruption can be a net positive or negative for society. Even net positive technological disruption can also harm some people, e.g. bankrupting the company they work for.

      1. This Hacker blog series appears to posit that negative forms of hacking (e.g. cracking, as opposed to other positive definitions of hacking) and/or asymmetric secrecy, is a net negative for society.

      Or I doubt you are arguing for what I understand to be the uneconomic philosophy of democracy-- unlimited expenses (no net benefit/cost analysis) should be applied to protect every life at any cost?

      2. And that since the private free market has been unable to contain this technological disruption (it is growing), then the government should attempt to.

      I am arguing that #1 is not provably true, because for one thing it is not falsifiable, and also because regulating openness has a huge cost on the positive benefits. And I am arguing that both of those assumptions are a matter of political philosophy, and thus I made a long exposition to try to explain and understand what causes the political attitude of a person.

      However, I ultimately agreed with you, that the outcome will also be political, i.e. that if society believes that a phenomenon is a net negative (whether proved or assumed), then if the private free market can't contain either the phenomenon or society's opinion, then government will always step in:

      The civil war and the world wars were very negative causing many deaths, but at the time many apparently agreed they were net positive, because of the political assumption of the fight for freedom (political slogans of ending slavery, ending communism, ending fascism respectively, although there were apparently other economic reasons). To this day, we can't falsify those assumptions, because we don't have the alternative fork in historical experience to compare to. Btw, this brings us back to our discussions of the meaning or direction of time (being undecidable with an unbounded set of observers):
      (readers see also the Future 1 blog)

      Another point I have made is that government regulation always succumbs to the will of the free market (i.e. "fails", this is Coase's theorem, that any unnatural boundary or cost will eventually be disrupted or routed around), i.e. the governments can't stop nature:

      They can temporarily perturb the opportunity cost model of society (i.e. artificially holding interest rates low as they are doing now, some say fundamentally by selling gold and silver short in futures markets-- a complex point), but ultimately the disruption runs its course, because government is not nature in total, but obviously just a variable in the massive network that is the free market. That brings me back to my theory that degrees-of-freedom (an analog of potential energy) is always conserved, which is the basis for my theory of the universe (to model the fact that time is non-referential for unbounded observers, so as to unify quantum mechanics and spacetime, see my link above to Thinking Backwards and also Future 1 blog).

    9. ...continued from prior comment...

      As for my opinion of what I can not prove, but highly suspect to be true, I concur with the belief that many forms of predatory and asymmetric cracking are proliferating. However, I would prefer to see technological solutions that filter the benefits of open network disruption model from the negative ones. I documented in the Hacking 1 blog that we have holes in the programming languages we use, in the browsers, etc.. Some security experts are promoting closing openness at what I believe to be the wrong layers (e.g. XSS) where the vulnerability is not originally compromised, thus harming openness of the network. I believe either we do it technologically, or the government will be forced to lock down society, because it won't succeed to stop the negative effects of the disruption with openness.

      I can be overly dramatic (self-important) and assert this is an extremely important fork in the road, and thus we technologists have the opportunity to save the world.

      I try to look at every possible negative in life as an abstract technological challenge, something to potentially work on. My Myers-Briggs personality type circa Sept 2010 was "ENFP, 44/88/25/22%" and during Nov 2011 on the same test I scored "ENFP 33%/62%/50%/44%", which is shared with Mark Twain, Dr. Seuss, and Robin Williams.

      Tangentially, the Halting Problem was proved in the Dr. Seuss style of writing:

      For readers, let me make the proof more simple. If I write a function that returns either "Stops" or "Does not stop" when it analyzes any other function. Now I have my function call that function, so that function analyzes my function and returns "Does not stop", because there is an infinite loop.

      The point is that any function can be called. The set of functions always contains itself. This is why a Turing-complete machine is fundamentally "unbounded recursion".

      Actually that all relates back to everything written above, but I better stop... (lest I infinitely recurse this blog ;-).

      Currently I am very interested in the concepts of open recursion and the degrees-of-freedom of extension programming:

      How does that relate to Cracking? Openness (unbounded recursion, i.e. freedom of networking) is like the knife of my first comment in this blog...

    10. It's stupid to think that a country cannot protect itself against cyberwarfare. It's just another kind of defense. And technology will work its way towards quantum entanglement transmission, which is tightbeam and uninterceptable. So some problems of transition tampering will just go away.

      To assume that it costs an unlimited amount to protect yourself is an extremist attitude. There are reasonable solutions. And each solution is only one part of the entire solution anyway.

      Hacking is net negative because the real players in the long term are going to be opponent governments. We need to wise up and fast.

      War in itself is negative, for obvious reasons. But in the face of unreasoning enemies, sometimes you have no other option. In general it's better to stay out of wars because people die.

      Other governments shut down the basic social network services in defense, like Syria. Or tightly control the matter that can be sent through them, like China. I hope this doesn't happen here, but anything is possible I suppose.

      Many basic services are for good purposes, like the US Mail. But then sometimes people send bombs through the mail. Those people are criminals and must be stopped at all costs, and the basic services resume.

      The exact same can be said for the internet. The lawlessness must be stopped. These are basic services we are talking about. Countless things are controlled through the internet and so we must decide if we wish to keep critical services in friendly hands.

    11. 1. I didn't mean to imply that an individual couldn't protect himself at a reasonable expense. I actually think that is the solution, that the individual should do more to protect his cyber assets. My point was that if the government is the judge of whether a disruption is positive or negative, and for example shuts down the internet in order to protect what it thinks is the greater good, it may end up doing more harm than good (i.e. a net negative decision). That would be an example of applying (nearly) unlimited expense to protect a minority of negative effects.

      I am asserting that the problem can be that no one really knows if a disruption is net negative or positive until well after the fact. Here follows an example, where luckily the government was tricked into not making the decision (we perhaps wouldn't have an internet today otherwise):

      World Without Web

      "The divergence point for this history is in 1983-1984, when the leadership of DARPA lied through its teeth to Congress about who was being allowed access to the Internet."

      2. I am not against the governments using *technology* (not regulation) to protect their cyber assets. I am politically against them shutting down the internet to do so. Any way, let them pass SOPA (or did they already?), it will just encourage an internet where the data isn't stored on servers any more. The government will cause the disruption to accelerate by trying to regulate it. But then what will their next move be? If the government power is defeated in the technology domain, they might have to shut it down? Hope not.

      3. The problem is that the technology of an open internet prevents the government from having the capability to force compliance with regulations. They can make some high profile busts, but they can not keep up with the proliferation. If they make a law prohibiting the distribution of certain kinds of software, then the software will just be moved off servers and into the billion node peer cloud. See "MUTE: Simple, Anonymous File Sharing".

    12. True, the governments that shut down the internet do tend to fail. Though the internet is typically limited in scope and content in many countries with varying degrees of success.

      SOPA was killed some time ago. We need more intelligent and techno-savvy legislators, I think. People who are thoughtful, and not just parrots of crowdthink philosophy. Laws need to help twice as much as they hinder.

      Enforcement often scares people into conforming. At least most of us honest citizens, anyway. But it doesn't stop the criminals, who apparently learn to avoid detection. There is no way to enforce compliance. That's an illusion. It's all about perception and keeping the worst offenders off the streets.

      The spam kings. The Lulz people. The big credit card hacks and posts. Things that incite fear and also hurt a lot of people by exposing their identities to real criminals who are happy to download the files from pastebin.

      These are the small ones. The real big ones are governments. Governments are the biggest nastiest hackers there are. So we need active research and consistent defense. Secure channels, which is why I suggest quantum entanglement and crypto.

      Personally I don't think the small-time hackers are a big problem. It's the cyberwarfare that is going to hurt.