lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 5 Oct 2008 03:32:03 -0500 (CDT)
From: Gadi Evron <ge@...uxbox.org>
To: funsec@...uxbox.org, full-disclosure@...ts.grok.org.uk
Cc: botnets@...testar.linuxbox.org
Subject: pause for reflection

I started answering an email an hour ago, and it was important enough to 
spend time on. It also ended up being too long, so I dumped it in a blog 
post if you prfer reading in a web browser.
http://gadievron.blogspot.com/2008/10/time-for-self-reflection.html

Time for self reflection
In case you don't read any of what I have to say below, read this: I have dual 
citizenship. Along with my homeland citizenship, I am of the Internet, and see 
it as my personal duty to try and make the Internet safe.

Atrivo (also known as Intercage), is a network known to host criminal activity 
for many years, is no more.

Not being sarcastic for once, this is time for some self reflection.

I wish I was one of those who sleep soundly tonight. Being clear in my 
conviction that Atrivo should be out of business, and being positive my 
decision to help that happen was sound--While I would do it again, I am sad.

I won't sleep soundly tonight, as that company, criminal and abusive as it 
clearly and contemptuously was, still sustained quite a few families in several 
layers of employment, from sysadmins sitting in the US of A all the way to 
minor low-level fraudsters employed by their clients' clients.

I will however, be able to look myself in the mirror for my part in the
effort to get rid of them--and even gloat some. My conscious is as clear to me 
as my sadness is crystal. We may not have changed the wall of battle in the 
long term and whenever one criminal falls, another jumps up to the 
opportunities of the land of the free--the Internet. But for once, just for a 
while, we halted the machine. We stopped the wheels of evil, even if only for a 
fortnight.

While doing so, ee also touched some lives in a destructive fashion. The 
criminals'.

No villain ever sees himself as the bad guy, as the saying goes. A friend 
recently showed me Russian language comments written on Brian Krebs' recent 
Washington Post story. In them, the posters ask: "why do you take our bread 
away?"

In a lecture during ISOI 5, some folks just didn't understand the meaning. 
Their bread. Their bread. We in the Western world, behind the cultural divide 
speak a different language. Their culture isn't poorer than ours, it is 
unequivocally different.

We can not truly comprehend what it means for some folks in Russia to no longer 
be able to feed their children this month. Nor can we understand that by 
sending email, we made those children starve. Cheap theatrics on my part, you 
say? You got that right. It doesn't make it any less true.

Cyber crime is a war waged against the Western world. At first, no one even 
noticed and it was a niche.. an art. While the artists still exist, they are a 
minority, the hackers. For the criminals however, motive is as irrelevant as 
nationality. Whatever actions are taken, be it a political defacement, fraud or 
spam, the unavoidable secondary impact remains the same: damage to the Western 
economy and security in an exponential growth which will become ever clearer in 
the coming years.

Yes, my friends. I would do the same again. I feel sorry for Atrivo, but they 
were harboring the equivalent for the Internet of active missile launchers 
firing on Israel from the Gaza strip. They are human beings who hit a curve in 
the road to their success. Cyber criminals, however, establish such growth as 
parasites and whatever I may feel for needing to resort to the end game 
weaponry, these people need to be smacked down like cockroaches.

Ten years ago they were a pride to their parents, today they are a scourge. 
What will they be in ten years?

If all reasonable and even some unreasonable approaches fail. That does not 
mean I don't have to feel sorry for them, and me. But it also doesn't mean we 
don't need to fight back.

Not even a hundred years ago, disastrously, war was business and an
acceptable horrifying part of life. A few years later, in 1918, war was
unthinkable. In the century since we who live in or are influenced by
Western culture made war no longer an option we can publicly stomach, while 
facing those who would play us like children because of it.

War is horrifying and evil, it is also a last resort in a world not as
ascendant as we would like to think. The Internet has its own "liberals" and I 
am proud to be one of them. However, I am also practical and see that wishing 
for a world we once had is not. A world where I could host files on my 
neighbor's servers openly, where children could happily use pocket calculators 
and go to libraries for their school work rather than Google and read 
Wikipedia. You did so, do your children?

This new world has its price, and that price is a complete loss of public 
privacy, and a culture of ineffective security.

We are reliant on our Auntie Jane's computer knowledge for our own security, 
and while not many would follow us to our bathrooms to infringe on our personal 
privacy, online we have no privacy, however much it helps us to lie to 
ourselves that something we do publicly (read, on the Internet) is private.

I accepted that, but that is because I am in the trenches for years. Others 
live better not knowing. But it doesn't mean I won't work diligently to make it 
remain.. functional.

Indeed, taking a step back from my niche in security, and seeing how bad things 
truly are--people can still surf for porn, and argue over who the best Star 
Trek captain is. Cyber crime, in all its immense activity of billions of 
incidents an hour, is background noise. But the background noise continually 
increases. When will it overflow?

All I really want is to maintain the functionality we have, regardless of the 
abuse. And yet... Going back to Atrivo, they made enough money by now. And 
regardless once more, their criminal clients are already back online 
elsewhere--in some places possibly hosted by what seems like Atrivo, only under 
a different name.

We did not win, but boy does it feel good to have a victory once in a while for 
morale's sake. We halted the machine, even if only just for a short time. That, 
my friends, also has strategic implications as far as our ability is to 
influence networks running clean on the Internet, although only time will 
determine if I am right on that.

Enough whining though. Who is next on the target list? :)

More seriously, why do I care so much? I have dual citizenship. Along with my 
homeland citizenship, I am of the Internet, and see it as my personal duty to 
try and make the Internet safe.

Gadi Evron,
Of the Internet.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ