> and taking down all of Liberia’s Internet—to name a few examples.
This did not happen [1] as was documented here[2], here and here[3]. It spices up the story but in truth, one of the local telcos was affected but they accounted for less than a third of Liberia's Internet traffic. The weekend-like Internet traffic seen on that day was because of a national holiday.
Additional source: I lived in Liberia during that time managing the local IXP.
> The Department of Justice made the unusual decision not to ask for jail time. In its sentencing memo, the government noted “the divide between [the defendants’] online personas, where they were significant, well-known, and malicious actors in the DDoS criminal milieu and their comparatively mundane ‘real lives’ where they present as socially immature young men living with their parents in relative obscurity.” It recommended five years of probation and 2,500 hours of community service.
Good to read a story where teen hackers get rehabilitated rather than heavily punished and pushed further into crime. That said, they don't really strike me as genius hackers. More just opportunistic and perpetually online.
I thought the more fascinating part was the mandate, as part of the community service, to help the FBI in tracking down additional abusers of Mirai and the resulting success. Seems like the best possible turnout for all parties involved.
> Good to read a story where teen hackers get rehabilitated rather than heavily punished and pushed further into crime. That said, they don't really strike me as genius hackers. More just opportunistic and perpetually online.
Rehabilitation is an excellent path, but removing consequences makes rehabilitation significantly less effective. It does not need to be either-or.
It also furthers an apparent divide in the justice system, irrelevant if it does or does not exist.
> It might be surprising that DDoS providers could advertise openly on the Web. After all, DDoSing another website is illegal everywhere. To get around this, these “booter services” have long argued they perform a legitimate function: providing those who set up Web pages a means to stress test websites.
This reminded me of a Wired article[1] from a few weeks back that argued that many of the kids using these services to DDoS their friends/rivals don't realize they're illegal—so federal agencies are taking out keyword ads to warn potential users:
> In fact, he and other members of [cybercrime-busting group] Big Pipes argue that most booter customers seem to believe—or convince themselves—that merely paying to use one of the services to knock out an adversary’s internet connection isn’t against the law, or at least isn’t an enforceable crime. When the UK’s National Crime Agency (NCA) ran a six-month Google advertising campaign in 2018 to intercept people seeking booter services and warn them about their illegality, Clayton’s research group found that attack traffic in the UK remained flat for those six months, while it increased at its usual pace in other countries.
> In the years since, law enforcement agencies seem to have learned from that experiment: The FBI now also buys similar Google advertisements to warn potential booter customers that paying for the services is a crime. The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.
During that time frame, I recall some top players being directly impacted by targeted DDOS attacks from other players. It wasn't too common only because people learned to protect their IP addresses, or change them periodically.
The Mirai botnet had a very negative impact on game play for several servers, and I would argue it was the key factor in the demise of at least one of the servers simply because it rendered certain games unplayable.
> To get around this, these “booter services” have long argued they perform a legitimate function: providing those who set up Web pages a means to stress test websites.
Don't these botnet services run on compromised computer systems?
I find it extremely interesting that the FBI buys ads for illegal stuff, rather than Google just putting up a warning when you search for DDoS services.
> The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.
The FBI would be indicting them, not just warning them -- go to all that trouble of setting up a fake site, and then you just give up actually indicting them for their crime? What's even the point of that? That they didn't know it was a fake site is no defense, the FBI routinely, say, sells people fake bombs and then indicts them.
"The Rutgers IT department is a joke. This is the third time I have launched DDoS attacks against Rutgers, and every single time, the Rutgers infrastructure crumpled like a tin can under the heel of my boot."
The fact that people think this is impressive is mind boggling to me.
It's interesting that a potentially very large amount of people have the necessary technical skills to set up large botnets. It's mostly teenagers that do it in the Western world since they're both stupidly brave and at the right level of technical knowledge to be able to do the hacking without understanding how much evidence they're leaving behind. Or perhaps they think themselves invincible anyway.
I've known a lot of people who did DDoS and it's honestly like speeding. Chances are that everyone is already doing it so you're not going to get caught, unless you decide to go 140 mph in a 55 mph zone or DDoS Chase bank.
DDoSing your own university and then disclosing it publicly is like going 140 mph in a 55 mph zone though.
I was a Rutgers student when this was happening. I recall some final assignments and exams getting canceled when they attacked the Rutgers network.
When the news broke about the perpetrators behind Mirai and specifically the Dyn attack, I was shocked that such a high-impact attack originated from one of my classmates in the CS department.
I was a student at the same time, and if memory serves correctly, the school's authentication server was down for multiple days at a time. This is a requirement to log into pretty much anything on campus. I remember being unable to access Canvas to download assignments and notes or read professor announcements.
> Paras had started his own DDoS-mitigation service, ProTraf Solutions, and wanted Rutgers to pick ProTraf over Incapsula. And he wasn’t going to stop attacking his school until it switched.
Isn't that just a protection racket? I.e. extortion?
The giant stories Brian Krebs wrote about these guys is fascinating, there's many more characters tangentially involved (like the Datawagon guy) that aren't covered in this.
"Telnet, an outdated system for logging in remotely."
This comment from the article bothered me. No evidence was given as to why it is outdated. I did a little digging to find that Telnet is vulnerable to several different attacks, but all of it can be mitigated by Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication. Of course many devices don't support TLS and SASL. If a device does support the newer standards I think it's wrong to consider it outdated.
"Outdated" is a reasonable moniker for devices that accept cleartext telnet over the open Internet. That you can retrofit security onto telnet by running it over a TLS tunnel is not especially relevant, nor does it make telnet less outdated; secure devices are better off just using SSH.
What makes a protocol outdated? I would argue that outdated protocols "bake in" outdated assumptions. The telnet protocol has a builtin assumption that the network is secure, while newer protocols for remote administration lack this assumption and assume an actively malicious network.
Telnet is not used really at all anymore. Most distributions come without it, or have it disabled by default. Historically it was the only way to connect remotely, as it imitated how connections used to work over phone lines. It's definitely outdated, as SSH is now the de facto standard.
> but all of it can be mitigated by Transport Layer Security (TLS) security and Simple Authentication and Security Layer (SASL) authentication
At this point anyone sane should question why he would add TLS and SASL to Telnet (and expect to find clients which would support those too) instead of slapping SSH.
It's like asking why anyone would consider a hand-operated drill outdated, since you can slap an electric motor on it.
Telnet is extremely, insanely outdated. It's like walking around in Elizabethan clothes. Just because you also strap on a fanny pack and can go to a modern pub in it doesn't make it up to date. Wearing six inch long pointy toes and a giant codpiece just makes you look ridiculous.
Possible reason: telnet lets you log in with username/password, which is much easier to obtain than an ssh key. Encoded traffic doesn't matter. Paras cs. wouldn't have been able to wiretap the affected servers.
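The sub-thread above turns on two concrete exposures: a telnet daemon that hands credentials and the whole session to the network in cleartext, and an SSH daemon that still accepts password logins and so gives up most of what SSH buys. As an added example that is not part of the article or of any comment, here is a small Python audit that flags both on a host. The `ss -tlnp`-style listener table and the `sshd_config` fragment are constructed sample input, and the function and class names are my own, not any project's API.

```python
"""Audit a host's remote-administration exposure.

Added example for this discussion, not code from the article or a commenter.
Flags (1) telnet listeners reachable off loopback and (2) sshd settings that
keep password-based login open.  All sample input below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    service: str    # process name the finding is about
    detail: str     # human-readable explanation


# Constructed sample in the style of `ss -tlnp` output (not captured from a real host).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=612,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=590,fd=3))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=702,fd=7))
"""

# Constructed sshd_config fragment: the weak value is set, the hardened value is in the comment.
SSHD_CONFIG = """\
# Port 22
PasswordAuthentication yes     # hardened: no
PermitRootLogin yes            # hardened: prohibit-password
PubkeyAuthentication yes
"""

# sshd keyword -> (weak value, severity, why it matters)
SSHD_WEAK = {
    "passwordauthentication": (
        "yes", "medium",
        "sshd accepts passwords, so online guessing works against it; set 'no' and use keys"),
    "permitrootlogin": (
        "yes", "medium",
        "root may log in directly with a password; set 'prohibit-password' or 'no'"),
}

# One `ss` LISTEN row: local addr:port, peer addr:port, then the process name.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def audit_listeners(ss_text: str) -> list[Finding]:
    """Flag telnet listeners; loopback-only ones are low, anything else high."""
    findings = []
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        loopback = addr in ("127.0.0.1", "[::1]", "::1")
        if port == 23 or proc == "telnetd":
            sev = "low" if loopback else "high"
            findings.append(Finding(
                sev, proc,
                f"telnet listener on {addr}:{port}; credentials and session cross the network in cleartext"))
    return findings


def audit_sshd_config(text: str) -> list[Finding]:
    """Flag sshd_config keywords whose value matches a known-weak setting."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd allows "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        weak = SSHD_WEAK.get(key)
        if weak and value == weak[0]:
            findings.append(Finding(weak[1], "sshd", f"{key} {value}: {weak[2]}"))
    return findings


def audit(ss_text: str = SS_OUTPUT, sshd_text: str = SSHD_CONFIG) -> list[Finding]:
    """Run both checks; listener findings first, then sshd findings."""
    return audit_listeners(ss_text) + audit_sshd_config(sshd_text)


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity:6}] {f.service}: {f.detail}")
```

On the constructed input this reports the off-loopback telnet listener as high and the two sshd settings as medium; a host where telnet is absent and `PasswordAuthentication no` / `PermitRootLogin prohibit-password` are set produces no findings, which is the configuration the thread is arguing for.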
Can you imagine how incompetent the FBI are that they can barely catch some teenagers? Jesus they're embarrassing.
The protocols and networks the internet runs on are ancient and inherently insecure and flaky, but nobody wants to invest in solutions. These attacks have gotten easier, not harder. So I hope these kinds of attacks ramp up in intensity and severity to the point that the nation is crippled by some 15 year old anime nerd. Nothing else will get the government or private industry to take security seriously.
[1] https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-rea...
[2] https://thehackernews.com/2016/11/ddos-attack-mirai-liberia....
[3] https://twitter.com/DougMadory/status/794592487159529472
grandinj | 2 years ago
Other teens convince themselves that some shoplifting, or car stealing, or drug dealing is "acceptable".
Why does the first group get a pass?
[1] https://www.wired.com/story/big-pipes-ddos-for-hire-fbi/ (For the relevant bits, scroll to the "Honeypots, Google Ads, Knock-and-Talks" section)
lagniappe | 2 years ago
If anybody from IEEE is reading this, I'd appreciate more of this type of content, maybe even longer format like you'd find on LRB.
mikeyouse | 2 years ago
https://twitter.com/scottjshapiro/status/1661465332832239618
ai_ia | 2 years ago
Edit: Forgot about American Kingpin. That's a more worthy successor.