Phillip Hallam-Baker <hallam@ai.mit.edu> writes:
On Saturday, September 27, 1997 7:57 PM, Adam Back [SMTP:aba@dcs.ex.ac.uk] wrote:
Reckon cypherpunks can knock up a few of those.
So lets here some ideas for good photogenic infowar attacks which show that the lack of crypto is dangerous.
I suggest unless people want to hand the FBI an excuse to harass everyone that they don't enter into this discussion.
There are plenty of conspiracy laws on the book. Infrastructure attacks are illegal and exactly the kind of thing that gets long jail sentences.
Uh, I think you are over-reacting. It really depends how the engineered "infowar disaster" is presented in the press, ranging from say: Dr Adam Back, a computer security researcher at Exeter University highlighted a fundamental weakness in DNS security which he demonstrates can be easily exploited. "This is entirely avoidable", said Back, "the only reason that global infrastructure is left vulnerable, is that the wire-tapping extremists and intelligence special groups are being allowed to jeopardise national security to protect their jobs in their now redundant function in a post-cold war era." or An anonymous cypherpunk took down half of the internet yesterday, with an estimated loss to business of $50 million. The cypherpunk hacker terrorist issued a manifesto claiming that his motives were to highlight insecurities in the DNS. Whether his motives were pure or not, the incident does highlight the vulnerabilities in our infrastructure, something infowar researchers have been arguing. either one I can't see getting me or anyone else in trouble. I didn't do it, no one saw me do it, you can't prove a thing, etc. ie actually I don't really know much about DNS mechanics, and am not personally planning to perpetrate the attack, nor develop the software, but why should I disclaim all that each time I write something? The other infowarers aren't in their academic papers... They guy who wrote the SYN flood attack is none the worse for wear, it was released in a phrack article, and I don't think there was any secret as to who authored the software.
More to the point it is completely counterproductive. Even now there is probably some FBI junior waving Back's message in the air as if he has won the pools, probable cause for wiretaps I would say.
Ah, fuck that. The FBI and spooks wiretap any one they want to anyway, probably cause, feh. Mealy mouthed disclaimers at the bottom of each point in a discussion is a prior restraing on academic research. Cypherpunks have just as much right to discuss and develop attacks demonstrating infowar vulnerabilities as Mr Winn "hype hype hype" Schwartau (sp), or anyone else. I'd suggest a good target for DNS jamming would be to take out .mil TLD servers. Not as if they're doing anything useful, and won't adversely affect anyone else, whilst it will be a wake up call to the SIGINT side of the GAK argument that they are jeopardising the national infrastructure security side. Perhaps we could even draw the otherside into the argument.
I suspect I'm not the only person on the list who is responsible for a service that is a regular hacker target. If I catch someone I really don't care what the motive for the attack was. I'm going to look to make that person serve jail time.
Your argument seems to be that if you legislate against OS bugs, that they will go away. Well, go ahead if your idea of computer security is to legislate against security flaws. Reminiscent of the politician who offered to repeal a few laws of physics to help out the physicists. I would point out that the hackers who change your web page, or exploit OS bugs you haven't applied patches, and send you taunting messages telling what's wrong with your setup, are probably doing you a service. If you have something of real value to secure, you'd rather know about it from a few harmless hackers, than an industrial spy who takes the farm, and covers up his tracks so well that you don't even notice. Adam -- Now officially an EAR violation... Have *you* violated EAR today? --> http://www.dcs.ex.ac.uk/~aba/rsa/ print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`