
Security experts FAIL

August 7th, 2009

Update: I decided this post’s original title, “More journalism FAIL,” was unwarranted.  The fail in the story is more due to the “security experts” interviewed.

Yesterday’s fail just wasn’t stupid enough.  Today, Computerworld brings us a delicious banquet of stupid, each morsel more stupid than the last: “Security experts scramble to decipher Twitter attack.”  I don’t know whether to attribute the stupid to each individual interviewed in the story – maybe it’s not their fault; maybe they were asked really stupid leading questions.  All I can do is ruthlessly mock it.

Security experts scramble to decipher Twitter attack

We can’t even get past the headline without a facepalm.  Who’s scrambling to find the meaning behind the Twitter attack, besides Twitter?  Who gives a shit?  Are they working round-the-clock with federal agencies?  But scrambling they were, says the lead paragraph.  The second paragraph tells us the result:

With little information to go on, researchers ended up speculating on who launched the attacks and why, although several agreed that Twitter’s infrastructure needed immediate strengthening.

This is the point at which the author should have dropped the story and found something else to write about.  But hey, wild speculation makes a good story too, right?  And the third paragraph just jumps right in:

“If you monitor the hacking forums, it’s clear they’re pissed at Twitter,” said Richard Stiennon, founder of IT-Harvest, a security research firm. “Twitter came out of nowhere. Hackers hated that. They’d been using forums and IRC to communicate, and all of a sudden, the rest of the world has their own thing in Twitter.”

What.  The.  Fuck?

It’s possible that Stiennon, pressed for information when really none is to be had, just started making stupid shit up and is now laughing and exchanging high fives with all his buddies.  Kudos to him if that’s so.  Looking over his website, it’s hard to tell; he could be a Case IV Media Whore.  In any case, he goes on:

To Stiennon’s thinking, the rise of Twitter — and the backlash against it — resembles the situation in the 1990s, when AOL rose to prominence, but tech-savvy users denigrated it as little more than a glorified BBS (bulletin board system).

“It’s the same thing now,” Stiennon said. “They look at Twitter and think, ‘there goes the neighborhood.’ So they wanted to demonstrate that they could take it down and generate news at the same time.”

Wow.  So Stiennon monitors the hacking forums, where the hackers all go, and those hackers made it damn clear that they hate Twitter.  “Only we can use the internet to communicate,” said the hackers, “now let’s go take these noobs down!  That’ll teach them to not use forums and IRC to communicate!  They came out of nowhere, and we hate that!”

A friend and I tried to come up with equally stupid, non-sequitur statements.  Here are some:

  • The World Trade Center came out of nowhere.  Hackers hated that.
  • All of a sudden, people are crossing the ocean on the Titanic, which is pretty much a glorified raft.  Icebergs hated that.
  • Blogs are just glorified words.  Calligraphers hated that.
  • The Sudetenland, just a glorified Czechoslovakia.  Hitler hated that.
  • Dinosaurs, basically glorified lizards.  Meteors hated that.
  • People, just glorified pork.  Dr. Lecter hated that.

The article goes on to quote Roger Thompson, chief research officer at AVG Technologies.  The title gives him credibility, in my eyes, but he says:

“I think it was a vigilante,” he said, “who wants to call attention to the danger of botnets.”

Nnnnnnnnnnno.  Again, perhaps we can cut him some slack here.  Perhaps the interviewer kept pressing him to say something, anything, and so he too started making shit up but was a little nicer about it and didn’t make up really outright stupid shit.

Or maybe he meant it, in which case we are compelled to point out: vigilantes attack bad guys.  Furthermore, how many botnet attacks, ever, have been conducted to call attention to the danger of botnets?

He based his idea on several similarities to the distributed denial-of-service (DDoS) attacks that hammered U.S. government and South Korean commercial sites in early July.

That idea works except for the part where those attacks pretty much already showed the danger of botnets.  And so do all the other DoS attacks that happen pretty much every day.  The July attacks, Thompson pointed out, ended with a command to bots to wipe their own hard drives.

“Who builds a botnet, then destroys it?” Thompson asked. “That’s just crazy.”

I agree with the second part, but I don’t see it particularly helping the idea that this is a vigilante at work.  “Hey, I’m a misguided good guy!  I’ll help by showing how dangerous botnets are!  Also I’ll destroy a lot of innocent computers at the end.”  And he goes on:

In fact, Thompson said he believed the Twitter hacker was the same person who ran the U.S./South Korea DDoS almost exactly a month ago. “No one profits from DDoS-ing Twitter,” he said. “The only possible explanation is that someone wanted to make people think about something, and I think that something is botnets.

Look, maybe I don’t monitor the right hacker forums and maybe I’m not a chief research guy anywhere.  But somehow I don’t think that’s the only possible explanation.  In fact, I have my own long-shot theory, assembled from years of research while living in the wild frontiers of The Internet: the person responsible was exhibiting a behavior referred to by social psychologists as “Swinging His E-Penis.”  This behavior can have many different causes: boredom, insult, perceived insult, etc.  But it all comes down to the same result: Twitter gets DoS’d, and someone feels better about himself.

Of course, it could have been a business demonstration from a potential botnet seller for a potential buyer, but that idea is as much a long-shot as the e-penis-swinging theory.

But hey, a vigilante.  That’s a good theory too.

“Botnets are a very big problem, but no one does anything about them,” he added.

My gosh, he’s right!  And you know what else grinds my gears?  Nobody is doing anything about cancer, either.  Why don’t more people cure their cancer?  It’s shameful!  Maybe a cancer vigilante should go around giving people cancer to raise awareness.

When you find the magical cure for DoS attacks, Mr. Thompson, you just let us know.

Back to Stiennon:

“Twitter has to [re-examine] their infrastructure,” Stiennon recommended. “It wouldn’t take much more than $10 million to double the transaction capacity from what they have had. I’d double that or even quadruple that right away.”

Chalk this one up to ignorance, rather than stupidity: Twitter is not exactly rolling in money, and has been hovering around various advertising models the way a broke dope fiend hovers around a dealer.  It seems like every week I see a story about Twitter fretting about staying afloat, and trying to figure out a way to make money off their service.

Barrett Lyon, the former chief technology officer and co-founder of BitGravity, and a noted expert on DDoS attacks, concurred. He and Stiennon collaborated yesterday in an attempt to dig up information about the Twitter attack; Lyon pegged the attack as a DDoS before Twitter acknowledged it later Thursday morning.

“Ooh, your powers of deduction are exceptional. I can’t allow you to waste them here when there are so many crimes going unsolved at this very moment. Go, go, for the good of the city.”  (Comic Book Guy, The Simpsons)

“It’s pretty clear [Twitter is] ready for a redesign,” Lyon said in an entry to his personal blog [WARNING: LINK CONTAINS GRATUITOUS, BARELY EDITED NSFW SCREENSHOT -Brad]. “They need their own autonomous network, bring in bandwidth from many different providers, and have several layers of security. Building a strong ACL border and a nice mitigation layer would make a lot of sense for a company that is enabling communication.”

What’s the ACL?  “Evil packets: DENY.  All others: ACCEPT.”?  Stiennon recommended increasing traffic capacity, which is one of only a few ways you can actually deal with a DoS.
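Since the two prescriptions above (an ACL border versus more capacity) are the only technical content in the whole article, here is a constructed toy model of both.  This is an added example written for this page, not code from the original post and nothing Lyon, Stiennon or Twitter proposed; the user counts, bot counts, rates, thresholds and capacities are all made-up numbers chosen to make the arithmetic visible.  The one thing a border ACL can actually see is addresses and rates, so the closest it gets to “evil packets: DENY” is “drop any source above N requests per second”; the model shows what that buys you against a botnet that either exceeds the threshold or politely stays under it.

```python
"""Constructed toy model (added example, not from the original post) of the
two mitigation ideas quoted above: a border ACL that rate-limits per source,
versus simply buying more capacity.  Every number in here is made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Outcome:
    offered_rps: int           # requests/sec arriving at the border
    passed_acl_rps: int        # requests/sec the ACL let through
    served_rps: int            # requests/sec the backend could actually handle
    legit_served_ratio: float  # share of legitimate requests that got served


def build_traffic(n_legit: int, legit_rps: int, n_bots: int, bot_rps: int) -> dict:
    """Per-second request counts keyed by (source_label, is_legit).  Constructed."""
    traffic = {}
    for i in range(n_legit):
        traffic[(f"user-{i}", True)] = legit_rps
    for i in range(n_bots):
        traffic[(f"bot-{i}", False)] = bot_rps
    return traffic


def per_source_acl(traffic: dict, max_rps_per_source: Optional[int]) -> dict:
    """The only thing a border ACL can see is addresses and rates, so the best
    'evil packets: DENY' it can express is 'drop sources above a rate'.
    None means no ACL at all."""
    if max_rps_per_source is None:
        return dict(traffic)
    return {src: rps for src, rps in traffic.items() if rps <= max_rps_per_source}


def evaluate(traffic: dict, max_rps_per_source: Optional[int], capacity_rps: int) -> Outcome:
    """Apply the ACL, then let a backend with capacity_rps serve what arrives.
    Overload is modelled as random drops: every surviving flow gets the same
    fraction capacity/offered of its requests through."""
    offered = sum(traffic.values())
    passed = per_source_acl(traffic, max_rps_per_source)
    passed_total = sum(passed.values())
    legit_offered = sum(r for (_, legit), r in traffic.items() if legit)
    legit_passed = sum(r for (_, legit), r in passed.items() if legit)
    share = 1.0 if passed_total <= capacity_rps else capacity_rps / passed_total
    ratio = (legit_passed * share) / legit_offered if legit_offered else 0.0
    return Outcome(offered, passed_total, min(passed_total, capacity_rps), ratio)


def run_scenarios() -> dict:
    """1,000 real users at 1 req/s against a 10,000-bot botnet (made-up sizes)."""
    legit = dict(n_legit=1000, legit_rps=1)
    loud_bots = build_traffic(**legit, n_bots=10_000, bot_rps=5)
    quiet_bots = build_traffic(**legit, n_bots=10_000, bot_rps=2)  # attacker spreads the load
    return {
        # No ACL, baseline capacity of 10k req/s: the site is mostly dead.
        "no_acl": evaluate(loud_bots, None, 10_000),
        # ACL threshold above the bots' rate: drops nothing, changes nothing.
        "acl_too_loose": evaluate(loud_bots, 10, 10_000),
        # ACL threshold below the bots' rate: every bot dropped, every user served.
        "acl_catches_bots": evaluate(loud_bots, 3, 10_000),
        # Same ACL, but the attacker lowers each bot's rate: back to overload.
        "acl_bots_adapt": evaluate(quiet_bots, 3, 10_000),
        # The capacity answer, quadrupled and with no ACL: helps, in proportion.
        "capacity_x4": evaluate(loud_bots, None, 40_000),
    }


if __name__ == "__main__":
    for name, out in run_scenarios().items():
        print(f"{name:18s} offered={out.offered_rps:6d} passed={out.passed_acl_rps:6d} "
              f"served={out.served_rps:6d} legit_served={out.legit_served_ratio:.0%}")
```

Run it and the point writes itself: the ACL is a silver bullet exactly as long as each bot sends more than the threshold, and the attacker picks the bots’ rate, not you.  Capacity, on the other hand, helps regardless of what the attacker does, just never for free.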

The story concludes with Thompson, hot on the trail of The Dangerous Botnet Demonstration Vigilante.  Thompson has identified a crucial part of the Vigilante’s MO:

Noting the monthlong gap between the July DDoS attacks against U.S. and South Korean sites and Thursday’s assault on Twitter and others, he said the vigilante might strike again using the same timeline. “If I was a betting man, I’d be betting on another one in early September,” Thompson said.

Uh oh!  Thompson didn’t mention a predicted target – after all, it was the US and South Korean governments a month ago, now Twitter and maybe Facebook.  Who’s next?  Of course, if you actually look at, say, facts and data, you can predict a relatively small DoS at any time and be right.  For example, Arbor Networks shows that a ton of similar attacks happened… at the exact same time as the Twitter attack.  In fact, they were all dwarfed by a massive attack against an Asian 3G provider.  Gosh, could that be another vigilante trying to raise awareness?

To give credit where credit is due, someone has already beaten me to the punditry on the related subject of a currently popular theory about the attacks’ motive.  Stefan Tanase at ThreatPost thinks the “silencing a Georgian dissident named Cyxymu” theory is bullshit.  Charles Babbage has returned from the dead to leave a comment there pointing out the very same Arbor Networks report I just mentioned.

So what have we learned from this mess?  Probably that I shouldn’t consider it my duty to make fun of stupid things in the news.  It takes a lot of time, and I’m scrambling to prepare for my Botnet Awareness bake sale.

Categories: FAIL