We can’t give hackers anything else to work with

Thanks to David Huff for pointing this link out to me (the good Dr. Keyboard also passed it along). Steve Gibson was hacked last month, and he wasn’t very happy about it. So he set out to learn everything he could about l337 h4x0rs (elite hacker wannabes–script kiddies). What he found out bothers me a lot.
Kids these days. Let me tell you…

In my day, 13-year-old truants (those who had computers and modems) used their modems to dial 800 numbers over and over again long into the night, looking for internal-use-only numbers. Armed with a list, they then dialed every possible keycode combination looking for PINs. Then they’d use that information to call long-distance on the telco’s dime. They’d call BBSs, where they’d swap the previous night’s findings for more codez, cardz (credit card numbers), warez (pirated software), or porn.

I never did those things but I knew a lot of people who did. They’d drop off the face of the earth on a moment’s notice, and rumors would go around about FBI busts, computer equipment being confiscated, kids being hauled off to juvenile detention center… And some of them never came back. Some of them cleaned up. Others, who knows? I heard a rumor about one of them running away to Las Vegas after he got out. And some just got hold of their old contacts and went right back to business. One of my friends cleaned up–the huge phone bill he got was enough of a reality check that he stopped. Whether it was a moral reason or just fear of getting caught again, I don’t know. I knew another who got busted repeatedly, and he’d call me up and brag about how his line was tapped, throwing in the occasional snide remark to whoever else might have been listening. I remember our last conversation. He sent me some code (all of the guys I knew were at least semi-competent 6502 assembly language programmers) and we talked music. I’d been fascinated by that subculture, though I never did anything myself–I just talked to these guys (partly out of fear of getting caught, partly because I did want to have some semblence of a life, partly because I didn’t want to kiss up to a bunch of losers until I’d managed to prove I was elite enough), but at that point I was 16, I’d published once, and I realized as the conversation ended that my fascination with it was ending also. It was 1991. The scene was dying. No, it was dead and pathetic. These “elites” had become the butt of jokes–they were risking arrest so they could call Finland for free and pirate Grover’s Magic Numbers, for Pete’s sake! I guess I was growing up. And I never talked to him again. (I don’t even remember this guy’s real first name anymore–only his handle.)

I guess if I’m going to be totally honest, the only thing that’s really changed are the stakes. I want to say my generation wasn’t that bad… But I don’t know.

Essentially, some guy going by “Wicked” had zombies running on 474 Windows PCs. Some of “Wicked’s” buddies took issue with Gibson talking about script kiddies–they thought he was talking about them–so they told “Wicked” to take him down. And he did. And he bragged about it.

"we will just keep comin at you, u cant stop us 'script kiddies' because we are
better than you, plain and simple."

Now, when someone annoys me, I find out what I can about the guy. At 26, I do it to try to get some understanding. At 13 I didn’t necessarily have that motivation, but I did at least have some basic respect. And anyone claiming to be better than Steve Gibson… Gimme a break! That’s like walking up to Michael Jordan and saying you’re better on the basketball court, or walking up to Mark McGwire and saying you can hit a baseball further, or walking up to Colin Powell and telling him you can beat him in a war. And anyone who’s ever written a line of assembly language code and read any of Steve Gibson’s stuff knows it. And it’s not like the guy’s exactly living in obscurity.

Well, Gibson was diplomatic with this punk. And his reasoning and his respect softened him. He called the attacks off. Then they suddenly started again, and Gibson got this message:

is there another way i can reach you that is secure, (i just ddosed you, i aint stupid, im betting first chance ud tracert me and call fbi) you seem like an interesting person to talk to

Say what? You want to talk to someone, so you blow away every other line of communication and ask if you can talk? Now I can just picture this punk once he gets up the nerve to go talk to a girl. He knocks on the door, and the first words out of his mouth are, “I just tesla coiled your phone line so you couldn’t call the cops, but…” Then he’d toss some Kmart pickup line every girl’s heard a million times her way, and hopefully she’d smack him and run to the neighbors’ and call the cops.

For some reason people get hacked off when you do something malicious to them.

Well, Gibson reverse-engineered some Windows zombies and followed them into a l33t IRC channel where he had another interesting conversation. I won’t spoil the rest of it.

Now, I admit when I was 13, I was a mess. I was insecure, and I had trouble adjusting. My voice was cracking, my skin was oily, and I was clumsy and gawky. And I didn’t like anyone I knew when I was 13, because I was the class punching bag. Part of it was probably because I was an outsider. This was a small town, and I wasn’t born there, which was a strike against me. If you got all your schooling there you were still OK. I came in the third grade, so strike two. And I didn’t want to be a hick, so strike three. I liked computers, and in 1987 that was anything but cool, especially in a small town. And everyone thought I was gay, because I didn’t hit on girls and I didn’t have a huge porn collection–and there aren’t many worse things to be in southern Missouri, because it’s still a really bigoted place (and since girls made me stammer, it’s not like I could have proven I was straight anyway). And I had goals in life besides getting the two or three prettiest girls in the class in bed. (Yes, this was 7th grade.) So I guess I was oh-for-two with two big strikeouts. And since I was five feet tall and about 90 pounds, if that (I’m 5’9″, 140 now, and I was scrawnier then than I am now) I couldn’t exactly defend myself either. So I was an easy target with nothing to like about me.

I guess “Wicked” sees Steve Gibson as a five-foot, 90-pound outsider with a really big mouth, so he’s gonna go pick on him. Then he’s gonna go hit on the 13-year-old girl who looks 18, and he thinks taking down grc.com is going to make her swoon and tell him to take her to bed and lose her forever. But since she has a life, she doesn’t give a rat’s ass about whether grc.com is up or down, so hopefully she’ll smack him but I doubt it.

Yeah, I want to say the solution is to make things like they were in 1987 but bullies are bullies, whether it’s 2001 or 1987 or 1967. AD or BC, for that matter.

I want to say that accountability to a higher being will solve everything and make kids behave, but I know it won’t. That grade-school experience I just described to you, with 13-year-olds making South Park look tame and trying to get in girls’ pants? You know where that happened? A Lutheran grade school. Introducing the kids to God won’t fix it. Establishing a theocracy won’t fix it. In college I wrote a half-serious editorial, after a pair of 6-year-olds in Chicago murdered a four-year-old by dropping him out of a 20th-story window after he refused to steal candy for them, where I advocated the death penalty for all ages–maybe then parents would keep an eye on their kids, I reasoned. But I know that won’t fix anything either.

Steve Gibson doesn’t offer any answers. He’s not a social engineer. He’s a programmer–probably the best and most socially responsible programmer alive right now. And what Gibson wants is for Microsoft to cripple the TCP/IP code in Windows XP, so the zombies these script kiddies use don’t gain the ability to spoof come October.

Frankly, I wish such a castrated TCP/IP stack, with raw sockets capability removed, were available for Linux. My Linux boxes are a minimal threat, being behind a firewall and only having a single port exposed, but I’d cripple them just to limit their usefulness to a script kiddie just in case.

Why? Screw standards compliance. The standard for mail servers used to be to allow them to be wide open so anyone could use one, just in case their mail server was down. It was all about being a good neighbor. Then spammers trampled that good faith, so open relays are now the exception, not the rule.

Maybe there’s some legitimate use for raw sockets. I don’t know. But I know nothing I use needs them. So why can’t I run a stripped-down TCP/IP on all my boxes, so that in the event that I do get compromised, my PCs’ usefulness is limited?

If software companies want to provide a full, standards-compliant, exploitable TCP/IP stack for esotetic purposes that need them, fine. Do it. But don’t install it by default. Make it a conscious decision on the part of the systems administrator.

Let’s just get one myth out of the way. The Internet isn’t going to change the world. So when the world does stupid things, the Internet’s just going to have to change instead.

Craig Mundie’s infamous speech

I haven’t said anything about Microsoft Executive Craig Mundie’s speech yet. Everyone’s heard of it, of course, and the typical response has been something along the lines of “Now we know Microsoft’s stance on Open Source.”

No, we’ve always known Microsoft’s stance on that. They’re scared of it. Remember the stereotype of open-source programmers: college students and college dropouts writing software in their basements that a lot of people are using, with the goal of toppling an industry giant. Seem far-fetched? Friends, that’s the story of Microsoft itself. Microsoft became an underground sensation in the late 1970s with Microsoft Basic, a programming language for the Altair and other kit computers and later for CP/M. And while we’ll probably never know the entire story of how and why this happened, when IBM decided to outsource the operating system for the IBM PC, they went to Microsoft and got both an OS and the must-have Microsoft Basic. Ten years later, IBM was just another hardware maker–really big, but getting squeezed. Today, 20 years later, IBM’s still a huge force in the computing industry, but in the PC industry, aside from selling ThinkPads, IBM’s a nobody. There may be hardware enthusiasts out there who’d be surprised to hear IBM makes and sells more than just hard drives.

Ironically, Microsoft’s response to this new threat is to act more and more like the giant it toppled. Shared Source isn’t a new idea. IBM was doing that in the 1960s. If you were big enough, you could see the source code. DEC did it too. At work, we have the source code to most of the big VMS applications we depend on day-to-day. Most big operations insist on having that kind of access, so their programmers can add features and fix bugs quickly. If Windows 2000 is ever going to get beyond the small server space, they really have no choice. But they do it with strings attached and without going far enough. An operation the size of the one I work for can’t get the source and fix bugs or optimize the code for a particular application. You’re only permitted to use the source code to help you develop drivers or applications. Meet the new Microsoft: same as the old Microsoft.

Some people have read this speech and concluded that Microsoft believes open-source software killed the dot-com boom. That’s ludicrous, and I don’t see that in the text. OSS was very good for the dot-com boom. OSS lowered the cost of entry: Operating systems such as FreeBSD and Linux ran on cheap PCs, rather than proprietary hardware. The OSs themselves were free, and there was lots of great free software available, such as the Apache Web server, and scripting languages like Python and Perl. You could do all this cool stuff, the same cool stuff you could do with a Sun or SGI server, for the price of a PC. And not only was it cheaper than everybody else, it was also really reliable.

The way I read it, Microsoft didn’t blame OSS for the dot-com bust. Microsoft blamed the advertising model, valuing market share over revenue, and giving stuff away now and then trying to get people to pay later.

I agree. The dot-com boom died because companies couldn’t find ways to make money. But I’m not convinced the dot-com boom was a big mistake. It put the Internet on the map. Before 1995, when the first banner ad ran, there wasn’t much to the Internet. I remember those early days. As a college student in 1993, the Internet was a bonanza to me, even though I wasn’t using it to the extent a lot of my peers were. For me, the Internet was FTP and Gopher and e-mail. I mostly ignored Usenet and IRC. That was pretty much the extent of the Internet. You had to be really determined or really bored or really geeky to get much of anything out of it. The World Wide Web existed, but that was a great mystery to most of us. The SGI workstations on campus had Web browsers. We knew that Mosaic had been ported to Windows, but no one in the crowd I ran in knew how to get it working. When we finally got it running on some of our PCs in 1994, what we found was mostly personal homepages. “Hi, my name is Darren and this is my homepage. Here are some pictures of my cat. Here’s a listing of all the CDs I own. Here are links to all my friends who have homepages.” The running joke then was that there were only 12 pages on the Web, and the main attraction of the 12 was links to the other 11.

By 1995, we had the first signs of business. Banner ads appeared, and graduating students (or dropouts) started trying to build companies around their ideas. The big attraction of the Web was that there was all this information out there, and it was mostly free. Online newspapers and magazines sprung up. Then vendors sprung up, offering huge selections and low prices. You could go to Amazon.com and find any book in print, and you’d pay less for it than you would at Barnes & Noble. CDNow.com did the same thing for music. And their ads supported places that were giving information away. So people started buying computers so they could be part of the show. People flocked from closed services like CompuServe and Prodigy to plain-old Internet, which offered so much more and was cheaper.

Now the party’s ending as dot-coms close up shop, often with their content gone forever. To me, that’s a loss only slightly greater than the loss of the Great Library. There’s some comfort for me: Five years from now, most of that information would be obsolete anyway. But its historical value would remain. But setting sentiment aside, that bonanza of freebies was absolutely necessary. When I was selling computers in 1994, people frequently asked me what a computer was good for. In 1995, it was an easier sell. Some still asked that question, but a lot of people came in wanting “whatever I need to get to be able to get on the Internet.” Our best-selling software package, besides Myst, was Internet In A Box, which bundled dialup software, a Web browser, and access to some nationwide provider. I imagine sales were easier still in 1996 and beyond, but I was out of retail by then. Suddenly, you could buy this $2,000 computer and get all this stuff for free. A lot of companies made a lot of money off that business model. Microsoft made a killing. Dell and Gateway became behemoths. Compaq made enough to buy DEC. AOL made enough to buy Time Warner. Companies like Oracle and Cisco, who sold infrastructure, had licenses to print money. Now the party’s mostly over and these companies have massive hangovers, but what’s the answer to the Ronald Reagan question? Hangover or no hangover, yes, they’re a whole heck of a lot better off than they were four years ago.

I’m shocked that Microsoft thinks the dot-com phenomenon was a bad thing.

If, in 1995, the Web came into its own but every site had been subscription-based, this stuff wouldn’t have happened. It was hard enough to swallow $2,000 for a new PC, plus 20 bucks a month for Internet. Now I have to pay $9.95 a month to read a magazine? I could just subscribe to the paper edition and save $2,500!

The new Internet would have been the same as the old Internet, only you’d have to be more than just bored, determined, and geeky to make it happen. You’d also have to have a pretty big pile of cash.

The dot-com boom put the Internet on the map, made it the hot ticket. The dot-com bust hurt. Now that sites are dropping out of the sky or at least scaling operations way back, more than half of the Web sites I read regularly are Weblogs–today’s new and improved personal home page. People just like me. The biggest difference between 1994 and 2001? The personal home pages are better. Yeah, the pictures of the cat are still there sometimes, but at least there’s wit and wisdom and insight added. When I click on those links to the left, I usually learn something.

But there is another difference. Now we know why it would make sense to pay for a magazine on the Internet instead of paper. Information that takes a month to make it into print goes online in minutes. It’s much easier and faster to type a word into a search engine than to leaf through a magazine. We can hear any baseball game we want, whether a local radio station carries our favorite team or not. The world’s a lot smaller and faster now, and we’ve found we like it.

The pump is primed. Now we have to figure out how to make this profitable. The free ride is pretty much over. But now that we’ve seen what’s possible, we’re willing to start thinking about whipping out the credit cards again and signing up, provided the cost isn’t outrageous.

The only thing in Mundie’s speech that I can see that Linus Torvalds and Alan Cox and Dan Gillmor should take offense to is Microsoft’s suspicion of anyone giving something away for free. Sure, Microsoft gives lots of stuff away, but always with ulterior motives. Internet Explorer is free because Microsoft was afraid of Netscape. Outlook 98 was free for a while to hurt Lotus Notes. Microsoft Money was free for a while so Microsoft could get some share from Quicken. It stopped being free when Microsoft signed a deal with Intuit to bundle Internet Explorer with Quicken instead of Netscape. And there are other examples.

Microsoft knows that you can give stuff away with strings attached and make money off the residuals. What Microsoft hasn’t learned is that you can give stuff away without the strings attached and still make money off the residuals. The dot-com bust only proves that you can’t necessarily make as much as you may have thought, and that you’d better spend what you do make very wisely.

The Internet needs to be remade, yes, and it needs to find some sustainable business models (one size doesn’t fit all). But if Mundie thinks the world is chomping at the bit to have Microsoft remake the Internet their way, he’s in for a rude awakening.

More Like This: Microsoft Linux Weblogs Internet Commentary

Napster and the decline of copyright–part 3

All of this talk of Napster brings up some questions: What is legitimate use?

Making MP3s from CDs you already own is legal, just like making tapes from CDs you own is legal. It’s difficult to say that downloading MP3s made from CDs you already own would be illegal, as you can just make the MP3s yourself. For some people, this is preferable, as encoding MP3s takes a good deal of time on slower systems. However, one can never be certain of the quality of the MP3s online–the condition of the CD, the quality of the source drive, and the quality of the encoder come into play. Those who aren’t audiophiles probably prefer to just download the MP3s, but the existence of the files understandably makes record companies and artists nervous.

So Napster isn’t just out-and-out theft. (Just almost.)

But some tracks on Napster are legal as well. The right to make and distribute live bootleg recordings has been upheld by courts. And some artists, notably The Grateful Dead and, more recently, Phish and The Dave Matthews Band, have given bootleggers their blessing. Other artists aren’t so keen on being bootlegged, but aside from trying to keep recording devices out of their concerts, there isn’t much they can do about it. Such recordings on Napster are legal, but determining whether such a track is what it claims to be can be difficult. I once downloaded a supposed live version of ‘Til Tuesday’s “Believed You Were Lucky,” only to find it was the studio recording with reverb added–clearly a violation of copyright unless you happen to own the original. Many of the live recordings I’ve downloaded from likes of Joe Jackson, Peter Gabriel, and Social Distortion turned out to be from commercially available live albums, some of which I owned, and some of which I didn’t.

And occasionally an artist will release a recording on Napster for promotional purposes–or to hack off their record label. Veteran alternative supergroup Smashing Pumpkins released an album’s worth of unreleased material on Napster last year and said it was their last album.

But policing content on Napster and other peer-to-peer sharing plans is difficult. It’s not a total impossibility, but file renaming can make it much easier for illegal content to get through. Digital fingerprinting would be harder to circumvent, but that, too, could be done, and implementation is extremely difficult. The difficulty of such measures makes me wonder why Napster came into being–it’s not a good business model. Part of me wonders if Napster’s creators just didn’t care whether they were breaking the law or aiding others in breaking the law. While there are legal uses for Napster, I suspect few people are confining themselves to the legal uses.

There are plenty of people calling for copyright reform, and that’s not unreasonable. Under current law, copyrights can be extended beyond the material’s original audience’s lifetime. Under the original law, copyrights lasted for 26 years, renewable for another 26, for a total of 52 years. So that time frame won’t prevent Michael Jackson and Paul McCartney from making a living. But under that law, the pop songs from 1949 would now be freely distributable, and could be performed without royalties. The beloved early rock’n’roll tunes from the 1950s would come available this decade. For those songs, Napster wouldn’t be an issue.

Content publishers seem to be more worried about current copyright provisions than content creators are. Sci-Fi author Jerry Pournelle has stated numerous times he had no problem with the original law, when he was writing his early works under it.

Reverting back to the old law is probably the best compromise. People wanting to freeload will be able to do so, but they’ll have to wait 52 (or if they’re lucky, 26) years. Those who produce and distribute content will still be able to make a living doing so–the majority of people won’t be willing to wait all those years. Abandoned property won’t be an issue either–once it reaches 26 years of age, if it’s not renewed, it’s fair game.

Unfortunately, the copyright law debate is lost in all the Napster rhetoric. And that, I fear, is possibly the greatest casualty of the battle. But it’s no silver bullet either. It increases the pool of material that’s fair game for free distribution, but it doesn’t solve the problem of outright piracy of recent material.

MP3 has plenty of legitimate uses, for the consumer as a matter of convenience and for copyright holders as a matter of promotion, and the courts have upheld those legitimate uses. MP3 usage tends to be a fall guy for all the record industry’s problems, but the record industry had problems before the MP3 phenomenon became rampant. As Andy Breslau said, there are so many avenues of entertainment available today, it’s perfectly natural that the recording industry’s share of the entertainment pie would shrink, just like TV networks’ share is in decline. If and when Napster is forced to close its doors, the industry’s problems won’t just disappear, and the illegal copying of MP3s will almost certainly continue, though possibly not on such a large scale. There’s very little, if anything, the industry can do to stop MP3 swapping through Usenet newsgroups and IRC chatrooms, which was where the MP3 phenomenon began in the first place.

I expect the use of MP3 for promotional purposes to continue, and services such as MP3.com will take advantage of it legally for years to come. But services like Napster, which provide virtually anything you want with no proof of ownership, are probably running on borrowed time, even though the industry is lying to itself about the true impact these services have.

Napster will be forced to shut down, the record industry will continue to make billions and artists won’t get their fair share, and the record industry will continue to┬ácomplain their billions aren’t enough and blame MP3s or something else.

Part 1 in a series. Part 1 Part 2 Part 3

WordPress Appliance - Powered by TurnKey Linux