Secret Service BBS raids from the other perspective

I’ve written in the past about the Feds busting people using BBSs for nefarious purposes in the early 1990s. But the only stories I’ve ever heard were from the perspective of the people who got busted, often second or third hand.

Here’s a story from the side of someone who helped the Secret Service for three days in the 1980s.

Read more

Myspace and blogging isn’t inherently bad

I see some schools are blocking access to Myspace and other blogging tools. The blogosphere, some people seem to believe, is just a bunch of people looking to exploit teenaged girls.

Sure, blogs can be dangerous. So can cars and jobs. I think the Myspace phenomenon exposes weaknesses in upbringing more than anything else.Blogs have only been around for about 9 years so there haven’t been a lot of sociological studies of them–especially since blogging has only been hot for the last couple of years. But there are precedents.

I was very active in a lot of online communities as a teenager. Teens like me were a minority, but there were enough of us. I’m still friends with a couple of people I met online back in those days.

And I’ll tell you something straight up: I ran into a lot of women who were older than me. A lot of, um, lonely women who were older than me. A lot of them had the wrong idea about my age. One asked me where I went to college. But you see, I hadn’t gone yet, because I was only 14.

And in case you’re wondering, it didn’t go any further than that. I’d been taught right from wrong, and I carried myself that way, both online and in person, so the topic never came up.

There were other dark sides of this online world. Software piracy was usually the gateway. And yeah, I’ll admit I downloaded some software that I didn’t pay for. Mostly I stuck to things that were no longer commercially available. And without and Ebay, it was difficult to buy out-of-print stuff. So I wouldn’t have been able to buy the majority of it even if I’d wanted to. That didn’t make it legal, but to my teenaged mind, it sounded moral enough.

Of course most people were interested in the new stuff. And that could lead down a slippery slope. St. Louis wasn’t exactly a hotbed for the latest new releases, so to get the zero-day warez, you had to call long distance. But remember, most of us weren’t 16 yet, so we didn’t have jobs and we didn’t have a lot of money. So I knew an awful lot of people who got into phone fraud. And it often got worse from there. Phone fraud led to credit card fraud, and I heard stories of people who got caught, slapped with the huge bills they’d run up, and turned to dealing drugs to make the money to pay it back.

All so they could be the first one in St. Louis to have the Commodore 64 version of Grover’s Magic Numbers. Yes, there were people who risked all of that to have something that lame-sounding. And no, it didn’t sound any cooler then, but people did it.

I talked with a number of people who were caught up in that. There was a guy in Chicago who called me on a pretty regular basis for a little while. No, he didn’t dial 1-314, if you know what I mean. One day he quit calling, and not long after that, I heard the Feds caught up with him. There was a rumor that he ran away to Colorado after he got out of juvenile detention. Whatever the case, I never heard from him again.

But I never made any fraudulent long-distance calls. I had a 3.6 grade-point average, was in National Honors Society, and I was in Who’s Who Among American High School Students all four years. And I sold my first magazine article before I got my driver’s license. I wasn’t going to throw all that away just so I could make long-distance phone calls on someone else’s dime.

So why was I having anything to do with those people? Simple. We talked programming. Nothing I learned from those guys is remotely useful to me today, but it was interesting then. Sure, those guys made a lot of mistakes, and yeah, they sure did break a lot of laws, but they weren’t entirely bad.

I’m sure if my parents had known everything that was going on, they’d have gotten rid of the modem or at least severely limited what I could do with it. But they couldn’t stand over my shoulder all the time.

And besides, there wasn’t any need to worry. They’d taught me right from wrong, and what I had to lose if I stepped too far out of bounds. Sure I pushed the limits, but that’s being a teenager for you. Come to think of it, I still push the limits sometimes now, even at 31.

The primitive online communities that existed in the late 1980s and early 1990s were social communities. The only difference between that and the mall was distance. The computer took away the geographical boundaries. In that regard they’re the same as Myspace and other online communities today.

There’s potential for problems today, just like there was 17 years ago. But looking back now, there’s no question why I went online back then. It helped me deal with being a teenager. I could talk with other teenagers who were like me–there were only one or two others like me at my school, and one of them was a major-league jerk. And I could get advice from adults who were further removed from the situation and could give me advice without conflicts of interest. Whether the struggle of the day involved a soldering iron or a girl, I knew at least one person who knew the answer.

I can think of lots of things I’d change if I could go back, but that isn’t among them. So I don’t believe isolating kids today from online communities solves anything. Kids will be kids. Hopefully they know right from wrong and what they can lose if they choose wrong.

Blocking those who would choose wrong doesn’t solve a lot. They’ll find another way to choose wrong.

Denying an important resource to those who would choose right is a greater loss. It’s much easier to find another way to choose wrong than it is to find another way to get wise counsel.

We can’t give hackers anything else to work with

Thanks to David Huff for pointing this link out to me (the good Dr. Keyboard also passed it along). Steve Gibson was hacked last month, and he wasn’t very happy about it. So he set out to learn everything he could about l337 h4x0rs (elite hacker wannabes–script kiddies). What he found out bothers me a lot.
Kids these days. Let me tell you…

In my day, 13-year-old truants (those who had computers and modems) used their modems to dial 800 numbers over and over again long into the night, looking for internal-use-only numbers. Armed with a list, they then dialed every possible keycode combination looking for PINs. Then they’d use that information to call long-distance on the telco’s dime. They’d call BBSs, where they’d swap the previous night’s findings for more codez, cardz (credit card numbers), warez (pirated software), or porn.

I never did those things but I knew a lot of people who did. They’d drop off the face of the earth on a moment’s notice, and rumors would go around about FBI busts, computer equipment being confiscated, kids being hauled off to juvenile detention center… And some of them never came back. Some of them cleaned up. Others, who knows? I heard a rumor about one of them running away to Las Vegas after he got out. And some just got hold of their old contacts and went right back to business. One of my friends cleaned up–the huge phone bill he got was enough of a reality check that he stopped. Whether it was a moral reason or just fear of getting caught again, I don’t know. I knew another who got busted repeatedly, and he’d call me up and brag about how his line was tapped, throwing in the occasional snide remark to whoever else might have been listening. I remember our last conversation. He sent me some code (all of the guys I knew were at least semi-competent 6502 assembly language programmers) and we talked music. I’d been fascinated by that subculture, though I never did anything myself–I just talked to these guys (partly out of fear of getting caught, partly because I did want to have some semblence of a life, partly because I didn’t want to kiss up to a bunch of losers until I’d managed to prove I was elite enough), but at that point I was 16, I’d published once, and I realized as the conversation ended that my fascination with it was ending also. It was 1991. The scene was dying. No, it was dead and pathetic. These “elites” had become the butt of jokes–they were risking arrest so they could call Finland for free and pirate Grover’s Magic Numbers, for Pete’s sake! I guess I was growing up. And I never talked to him again. (I don’t even remember this guy’s real first name anymore–only his handle.)

I guess if I’m going to be totally honest, the only thing that’s really changed are the stakes. I want to say my generation wasn’t that bad… But I don’t know.

Essentially, some guy going by “Wicked” had zombies running on 474 Windows PCs. Some of “Wicked’s” buddies took issue with Gibson talking about script kiddies–they thought he was talking about them–so they told “Wicked” to take him down. And he did. And he bragged about it.

"we will just keep comin at you, u cant stop us 'script kiddies' because we are
better than you, plain and simple."

Now, when someone annoys me, I find out what I can about the guy. At 26, I do it to try to get some understanding. At 13 I didn’t necessarily have that motivation, but I did at least have some basic respect. And anyone claiming to be better than Steve Gibson… Gimme a break! That’s like walking up to Michael Jordan and saying you’re better on the basketball court, or walking up to Mark McGwire and saying you can hit a baseball further, or walking up to Colin Powell and telling him you can beat him in a war. And anyone who’s ever written a line of assembly language code and read any of Steve Gibson’s stuff knows it. And it’s not like the guy’s exactly living in obscurity.

Well, Gibson was diplomatic with this punk. And his reasoning and his respect softened him. He called the attacks off. Then they suddenly started again, and Gibson got this message:

is there another way i can reach you that is secure, (i just ddosed you, i aint stupid, im betting first chance ud tracert me and call fbi) you seem like an interesting person to talk to

Say what? You want to talk to someone, so you blow away every other line of communication and ask if you can talk? Now I can just picture this punk once he gets up the nerve to go talk to a girl. He knocks on the door, and the first words out of his mouth are, “I just tesla coiled your phone line so you couldn’t call the cops, but…” Then he’d toss some Kmart pickup line every girl’s heard a million times her way, and hopefully she’d smack him and run to the neighbors’ and call the cops.

For some reason people get hacked off when you do something malicious to them.

Well, Gibson reverse-engineered some Windows zombies and followed them into a l33t IRC channel where he had another interesting conversation. I won’t spoil the rest of it.

Now, I admit when I was 13, I was a mess. I was insecure, and I had trouble adjusting. My voice was cracking, my skin was oily, and I was clumsy and gawky. And I didn’t like anyone I knew when I was 13, because I was the class punching bag. Part of it was probably because I was an outsider. This was a small town, and I wasn’t born there, which was a strike against me. If you got all your schooling there you were still OK. I came in the third grade, so strike two. And I didn’t want to be a hick, so strike three. I liked computers, and in 1987 that was anything but cool, especially in a small town. And everyone thought I was gay, because I didn’t hit on girls and I didn’t have a huge porn collection–and there aren’t many worse things to be in southern Missouri, because it’s still a really bigoted place (and since girls made me stammer, it’s not like I could have proven I was straight anyway). And I had goals in life besides getting the two or three prettiest girls in the class in bed. (Yes, this was 7th grade.) So I guess I was oh-for-two with two big strikeouts. And since I was five feet tall and about 90 pounds, if that (I’m 5’9″, 140 now, and I was scrawnier then than I am now) I couldn’t exactly defend myself either. So I was an easy target with nothing to like about me.

I guess “Wicked” sees Steve Gibson as a five-foot, 90-pound outsider with a really big mouth, so he’s gonna go pick on him. Then he’s gonna go hit on the 13-year-old girl who looks 18, and he thinks taking down is going to make her swoon and tell him to take her to bed and lose her forever. But since she has a life, she doesn’t give a rat’s ass about whether is up or down, so hopefully she’ll smack him but I doubt it.

Yeah, I want to say the solution is to make things like they were in 1987 but bullies are bullies, whether it’s 2001 or 1987 or 1967. AD or BC, for that matter.

I want to say that accountability to a higher being will solve everything and make kids behave, but I know it won’t. That grade-school experience I just described to you, with 13-year-olds making South Park look tame and trying to get in girls’ pants? You know where that happened? A Lutheran grade school. Introducing the kids to God won’t fix it. Establishing a theocracy won’t fix it. In college I wrote a half-serious editorial, after a pair of 6-year-olds in Chicago murdered a four-year-old by dropping him out of a 20th-story window after he refused to steal candy for them, where I advocated the death penalty for all ages–maybe then parents would keep an eye on their kids, I reasoned. But I know that won’t fix anything either.

Steve Gibson doesn’t offer any answers. He’s not a social engineer. He’s a programmer–probably the best and most socially responsible programmer alive right now. And what Gibson wants is for Microsoft to cripple the TCP/IP code in Windows XP, so the zombies these script kiddies use don’t gain the ability to spoof come October.

Frankly, I wish such a castrated TCP/IP stack, with raw sockets capability removed, were available for Linux. My Linux boxes are a minimal threat, being behind a firewall and only having a single port exposed, but I’d cripple them just to limit their usefulness to a script kiddie just in case.

Why? Screw standards compliance. The standard for mail servers used to be to allow them to be wide open so anyone could use one, just in case their mail server was down. It was all about being a good neighbor. Then spammers trampled that good faith, so open relays are now the exception, not the rule.

Maybe there’s some legitimate use for raw sockets. I don’t know. But I know nothing I use needs them. So why can’t I run a stripped-down TCP/IP on all my boxes, so that in the event that I do get compromised, my PCs’ usefulness is limited?

If software companies want to provide a full, standards-compliant, exploitable TCP/IP stack for esotetic purposes that need them, fine. Do it. But don’t install it by default. Make it a conscious decision on the part of the systems administrator.

Let’s just get one myth out of the way. The Internet isn’t going to change the world. So when the world does stupid things, the Internet’s just going to have to change instead.

WordPress Appliance - Powered by TurnKey Linux