ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long-term solutions), alongside us security researchers and operators (who respond to, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, effecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3′s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.:
the internet society:
shinkuro, inc.:

it’s going to be an interesting next week here at the swamp. attendees better show up with their two forms of id. :)

gadi evron,


Month of PHP Bugs exploits are gone – or are they?

Mr. Stefan Esser of Hardened-PHP Project has informed that exploit codes of Month of PHP Bugs are not part of his Web site any more.

The reason for this is a new law in Germany that is in force as of today. This new law makes it illegal to create or distribute software that could be used by someone to break into a computer system or to prepare a break-in.

This includes PoC exploits too, says Mr. Esser.
But we know that The Internet remembers many things.


More Soloway documents online (Search warrant application) (Schmutz affidavit) (Reyes affidavit)

Original post:


Soloway: Another spammer bites the dust

A big victory against spam. From the article:

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

Links from a friend:

Indictment & USDOJ press announcement here:

Early press accounts:

Update post and more documents:


I’m a Federal Air Marshal and I found my identity on TSA’s HD

From USA Today article:

“If that information is out there, it’s very easy to find out who they are,” said John Adler, executive vice president of the Federal Law Enforcement Officers Association, whose members include air marshals. Adler said terrorists could use personnel information to find where air marshals live, photograph them and disseminate the photos.

This is really serious now.

The subject could just as well be “I’m a Federal Air Marshal and I bought my identity from TSA’s HD”.


Follow up to my post about my ex-ISP’s backdoor

It’s been roughly two months since Accidental backdoor by ISP. Dan Goodin has written this whole thing nicely for everyone to read.
ISP ejects whistle-blowing student
Don’t forget to digg it :p


The sad consequences of full disclosure

I checked with Sid why he hasn’t been answering my emails and learned that his ISP beThere disconnected him after he warned them about a trivial-to-exploit backdoor on all their customers’ routers.
The disturbing thing about this incident is that beThere were very quick to contact us asking that we take down (or modify) the article, and apparently they were fairly quick in disconnecting Sid, but when it comes to their customers’ security they are not as diligent – the problem is obviously still there.

I thought Sid was too nice when he removed the exploit details from his post (the ‘bad’ guys can get those themselves anyway), and I think I was very correct there. On the other hand, I gave beThere a compliment about how fast they reacted to this incident, and I was very wrong there – it seems their concern was solely about the bad PR.

Let me change my previous comment to this: If I were a beThere customer I’d be concerned about the fact there’s a gaping backdoor on my router and all my ISP is doing is to threaten and disconnect a CS student for making this fact public.


Pervasive Cluelessness

If you don’t know about the Julie Amero case, you probably should. The case says all kinds of disturbing things about authorities who don’t take responsibility for the technology under their control, prosecution on the basis of public outrage, total failures of forensic procedures, and media witch hunts. The case has been written about all over the place. Here’s a recent sample:

> All she appears to be guilty of is being utterly clueless about computers.

This seems to be an all-too-common theme. While I think we can all appreciate the support, in terms of outrage over the conviction itself, I wish people wouldn’t keep sounding the “clueless” drum.

(If you don’t have any background on the case, then you’re ignorant of it, correct? You might want to do a search on “Julie Amero.” I’ll wait.)
I recall, way back when I was first getting involved with info tech, an editorial in “The Computing Teacher” (as it happened). It stated that, even if you didn’t have a computer, the simple fact that you subscribed to the magazine meant you were more tech savvy than 95% of your colleagues. (It was undoubtedly correct.)

Most people only *think* they know about computers. OK, so these smart-alecs know that turning off a monitor means you don’t turn off the computer. Good for them. (I can recall working on machines where, if you did turn off the monitor, you lost the session. Guess who’d be laughing at the smart-alecs in that case …)

I work in some fairly esoteric areas of technology. Any of the bloggers, and even tech rag columnists, that have made comments about cluelessness (on the part of Julie, the school, or even our good friend Mark) would be similarly woefully ignorant of things I take for granted. Everybody is ignorant, only on different topics (to quote another Mark).

I’d say that one of the important points to be made about this whole situation is that society at large is clueless about the technology that is increasingly important in all of our lives. And that includes those of us who supposedly know about it …


e360 Sues Yet Again

if you remember, e360 filed against spamhaus. now they filed against the nanas usenet newsgroup maintainer.

this is what happens when you open the door. (thanks to john l).

gadi evron,


Operation spamalot

The SEC is doing the right thing by fighting stock spam. The best way to fight the ‘pump and dump’ schemes is through the body that is responsible for controlling stock trading.

However, this is a slippery slope – is it the company’s fault that someone is running a scam on their stock? Quite the contrary – the company’s stock usually takes a dive, and unless the company’s owners are in on the scheme they have the most to lose from this fraud. Some would say the SEC is doing those companies a favor by suspending trade, but remember how anonymous email is and how easy it is to spam millions of people – if I run a fake pump-and-dump on MSFT or GOOG (for it to work I would need a less high-profile stock, but you get the point), should that result in a trading suspension?


Canada, UK etc. seeking tax cheats with special Web crawler

This Wired news article reports that

A five-nation tax enforcement cartel has been quietly cracking down on suspected internet tax cheats, using a sophisticated web crawling program to monitor transactions on auction sites, and track operators of online shops, poker and porn sites.

The countries participating in this Xenon project are Austria, Canada, Denmark, The Netherlands and the United Kingdom. They are cooperating with the Amsterdam-based data mining company Sentient Machine Research.

A very interesting detail is that the crawling is deliberately “slow”, so that it does not stand out in the targets’ server logs!


Google, Service Providers and the Future of P2P

in a non-operational nanog discussion about google bandwidth uses, several statements were made. it all started from the following post by mark boolootian:

> cringley has a theory and it involves google, video, and oversubscribed backbones:

in the discussion, the following statement was made by rodrick brown:

> the following comment has to be one of the most important comments in
> the entire article and its a bit disturbing.
> “right now somewhat more than half of all internet bandwidth is being
> used for bittorrent traffic, which is mainly video. yet if you
> surveyed your neighbors you’d find that few of them are bittorrent
> users. less than 5 percent of all internet users are presently
> consuming more than 50 percent of all bandwidth.”

from there it went down-hill with discussion of the future, with the venice project (streaming p2p for tv), etc. being mentioned. some points were raised about how isps currently fight p2p technologies and may fight these new worlds of functionality, denying what the users want rather than working with them, citing (as we have seen above) that today a very small percentage of internet users account for about 50% of all internet traffic. that, of course, will increase dramatically in the future — it is where the users want to go.

the isps inhibit this progress, just like in my opinion a bad security “guy” or “gal” would try to prevent functionality from their users as part of their security strategy, rather than work with their users and enable functionality first.

in this discussion, randy bush (who i have had my share of strong disagreements with in the past) said the following, which is admirable:

> the heavy hitters are long known. get over it.
> i won’t bother to cite cho et al. and similar actual measurement
> studies, as doing so seems not to cause people to read them, only to say
> they already did or say how unlike japan north america is. the
> phenomenon is part protocol and part social.
> the question to me is whether isps and end user borders (universities,
> large enterprises, …) will learn to embrace this as opposed to
> fighting it; i.e. find a business model that embraces delivering what
> the customer wants as opposed to winging and warring against it.
> if we do, then the authors of the p2p protocols will feel safe in
> improving their customers’ experience by taking advantage of
> localization and proximity, as opposed to focusing on subverting
> perceived fierce opposition by isps and end user border fascists. and
> then, guess what; the traffic will distribute more reasonably and not
> all sum up on the longer glass.

it has been a long time since i bowed before mr. bush’s wisdom, but indeed, i bow now in a very humble fashion.

thing is though, it is equivalent to one or all of the following:
-. eff-like thinking (sticking to the moral high-ground or (at times!) impractical concepts). stuff to live by.
-. (very) forward thinking (not yet possible for people to get behind – by people i mean those who do this daily), likely to encounter much resistance until it becomes mainstream a few years down the road.
-. not connected with what can currently happen to effect change, but rather with how things really are, which people can not yet accept.

as randy is obviously not much affected when people disagree with him (much the same as me), nor should he be, i am sure he will preach this until it becomes real. with that in mind, if many of us believe this is a philosophical as well as a technological truth — what can be done today to effect this change?

the service providers are not evil — they do this out of operational necessity and business needs. how can this be changed, or shown to be wrong?

some examples may be:
-. working with network gear vendors to create better equipment built to handle this and lighten the load.
-. working on establishing new standards and topologies to enable both vendors and providers to adopt them.
-. presenting case studies after putting our money where our mouth is, and showing how we made it work in a live network.

staying in the philosophical realm is more than respectable, but waiting for fussp-like wide-adoption or for sheep to fly is not going to change the world, much.

for now, the p2p folks, who in most cases are not eveel “internet pirates”, are mostly allied, whether in name or in practice, with illegal activities. the technology isn’t illegal and can be quite good for all of us, saving quite a bit of bandwidth rather than wasting it (quite a bit of redundancy there!).

so, instead of fighting progress and seeing it [p2p technology] left in the hands of the “pirates” and the privacy folks trying to bypass the firewall of [insert evil regime here], why not utilize it?

how can service providers make use of all this redundancy among their top talkers and remove the privacy advocates and warez freaks from the picture, leaving that front with less technology and legitimacy while helping themselves?

this is a pure example of a problem from the operational front [realm] which can be floated to research and the industry, with smarter solutions than port blocking and qos.

it’s about progress and how change is effected and feared, not about who is evil. it is about who will step up and make a difference, and whether business today is smart enough to lead the road rather than adapt after the avalanche has already fallen.

gadi evron,


Botnets: a retrospective to 2006, and where we are headed in 2007

a few months back i released a post on where i think anti-botnets technology is heading. now it’s time for what happened in 2006, and what we can expect from here on.

i am not a believer in such retrospective looks, as often, they are completely biased and based on what we have seen and what we want to see. this is why i will try and limit myself to what we know happens and is likely to get attention, as well as what we have seen tried by bad guys, which is working for them enough to take to the next level.

what changed with botnets in 2006:

1. botnets reached a level where it is unclear today what parts of the internet are not compromised to some extent. count by clean rather than infected.
2. botnets have become the most significant platform from which virtually any type of online attack and crime is launched. botnets equal an online infrastructure for abusive or criminal activity.
3. in the past year, botnets have become mainstream. from a non-existent field even in the professional realm up to a few years ago (while attacks were happening constantly regardless), it has turned into the main buzzword and occupation of the security industry today, directly and indirectly.
4. websites have returned to being one of the most significant forms of infection for building botnets, which hadn’t been the case since the late 90s.
5. botnets have become the moving force behind organized crime online, with a low-risk high-profit calculation.
6. new technologies are finally being introduced, moving the botnet controllers from using just (or mainly) irc to more advanced c&c (command and control) channels such as p2p, or multi-layered, such as dns and irc on the osi model.
7. botnets used to be a game of quantity. today, when quantity is assured, quality is becoming a high concern for botnet controllers, both in type of bot as well as in abilities.

what’s going to happen with botnets in 2007:

botnets won’t change. all will remain the same as it has been for years. awareness, however, will increase, making the problem appear larger and larger, perhaps approaching its real scale. the bad guys will utilize their infrastructure to get more out of the bots (quality once quantity is here) and be able to do more than just steal cash, maximizing their revenue.

further, more and more attackers unrelated to the botnet controllers will make use of already compromised systems and existing botnets to gain access to networks, to facilitate anything from corporate espionage and intelligence gathering to shameless and open shows of strength against those who oppose them (think blue security), in the real world as well as the cyber one (which to the mob are one and the same; it’s the income that speaks).

meaning, the existing botnet infrastructure will be utilized both in an open fashion, due to the fact that online miscreants (the real-world mob) face virtually no risk, and in quiet and secretive ways for third-party intelligence operations.

gadi evron,


e360 vs. Spamhaus via Tucows (round #3)

e360 is going after spamhaus again, this time trying to use the us marshals service to seize from tucows, inc.

“game on.”

gadi evron,


Spamhaus Update: Judge Denies e360’s Requested Relief

For those of you following the e360 v. Spamhaus case, today the judge in the case issued an order denying e360’s motion to, among other things, order ICANN to suspend Spamhaus’s domain. In relevant part, Judge Kocoras wrote:

In its moving papers, e360 requested three forms of relief for the claimed noncompliance: first, suspension of Spamhaus’s domain name until it complies with the terms of the injunction; second, steps to prevent third parties from accessing Spamhaus’s technology or permission to add them as defendants to this suit if they continue to do so; and third, a monetary sanction against Spamhaus for each day that it fails to comply with the injunction. When e360 appeared in court to present the motion, we noted the breadth of the requested relief and directed e360 to submit a draft order that was more tailored.


ICANN Issues a Statement on the Spamhaus Case

icann issued a statement on the spamhaus case:

9 october 2006 — icann has been advised that a proposed order referencing icann has been submitted to the court in the matter entitled e360insight, llc et al. v. the spamhaus project, case no. 06 cv 3958. this lawsuit is currently pending in the united states district court, northern district of illinois.

please note that icann is not a party to this action and no order has been issued in this matter requiring any action by icann. additionally, icann cannot comply with any order requiring it to suspend or any specific domain name because icann does not have either the ability or the authority to do so.