[HN Gopher] The teens behind the Mirai botnet
___________________________________________________________________
The teens behind the Mirai botnet
Author : rbanffy
Score : 137 points
Date : 2023-05-24 11:03 UTC (11 hours ago)
(HTM) web link (spectrum.ieee.org)
(TXT) w3m dump (spectrum.ieee.org)
| cdme wrote:
| Well now I can't wait to read the book this was drawn from.
| lagniappe wrote:
| I didn't know ieee had been putting out articles like this; I'll
| be bookmarking their feed. Thanks OP!
|
| If anybody from ieee is reading this, I'd appreciate more of this
| type of content, maybe even longer format like you'd find on LRB.
| cpascal wrote:
| I was a Rutgers student when this was happening. I recall some
| final assignments and exams getting canceled when they attacked
| the Rutgers network.
|
| When the news broke about the perpetrators behind Mirai and
| specifically the Dyn attack, I was shocked that such a high-
| impact attack originated from one of my classmates in the CS
| department.
| gurchik wrote:
| I was a student at the same time, and if memory serves
| correctly, the school's authentication server was down for
| multiple days at a time. This is a requirement to log into
| pretty much anything on campus. I remember being unable to
| access Canvas to download assignments and notes or read
| professor announcements.
| TradingPlaces wrote:
| From Yale Law professor and frequent shitposter Scott Shapiro's
| new book, Fancy Bear Goes Phishing
| https://www.penguin.co.uk/authors/122489/scott-shapiro
| kpetermeni wrote:
| > and taking down all of Liberia's Internet--to name a few
| examples.
|
| This did not happen [1] as was documented here[2], here and
| here[3]. It spices up the story but in truth, one of the local
| telcos was affected but they accounted for less than a third of
| Liberia's Internet traffic. The weekend-like Internet traffic
| seen on that day was because of a national holiday.
|
| Additional source: I lived in Liberia during that time managing
| the local IXP.
|
| [1] https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-
| rea... [2] https://thehackernews.com/2016/11/ddos-attack-mirai-
| liberia.... [3]
| https://twitter.com/DougMadory/status/794592487159529472
| stepupmakeup wrote:
| The giant stories Brian Krebs wrote about these guys are
| fascinating; there are many more characters tangentially involved
| (like the Datawagon guy) that aren't covered in this.
| SapporoChris wrote:
| "Telnet, an outdated system for logging in remotely." This
| comment from the article bothered me. No evidence was given as to
| why it is outdated. I did a little digging to find that Telnet is
| vulnerable to several different attacks, but all of it can be
| mitigated by Transport Layer Security (TLS) security and Simple
| Authentication and Security Layer (SASL) authentication. Of
| course many devices don't support TLS and SASL. If a device does
| support the newer standards I think it's wrong to consider it
| outdated.
| justsomehnguy wrote:
| > but all of it can be mitigated by Transport Layer Security
| (TLS) security and Simple Authentication and Security Layer
| (SASL) authentication
|
| At this point anyone sane should question why he would add TLS
| and SASL to Telnet (and expect to find _clients_ which would
| support those too) instead of slapping SSH.
|
| It's like asking why anyone would consider a hand-operated
| drill outdated, since you can slap an electric motor on it.
| tgv wrote:
| Possible reason: telnet lets you log in with username/password,
| which is much easier to obtain than an ssh key. Encoded traffic
| doesn't matter. Paras cs. wouldn't have been able to wiretap
| the affected servers.
| junon wrote:
| Telnet is not used really at all anymore. Most distributions
| come without it, or have it disabled by default. Historically
| it was the only way to connect remotely, as it imitated how
| connections used to work over phone lines. It's definitely
| outdated, as SSH is now the de facto standard.
| marcod wrote:
| How could anybody claim that the teletype protocol is outdated?
| Teletype refers to this:
| https://en.wikipedia.org/wiki/Teleprinter
| tgv wrote:
| It's not really related to teletypes (which I've never heard
| being called a teleprinter). They didn't operate over the
| internet, but used protocols such as RS-232 or acoustic
| modems.
| Jtsummers wrote:
| For remote login (context of the statement), telnet has been
| deprecated for a very long time.
| blowski wrote:
| It's outdated in the same way my 90s baggy jeans are outdated.
| Technically, they still work as clothing, but people find it
| unusual if I wear them.
| InCityDreams wrote:
| Where do you live, though?
| vngzs wrote:
| "Outdated" is a reasonable moniker for devices that accept
| cleartext telnet over the open Internet. That you can retrofit
| security onto telnet by running it over a TLS tunnel is not
| especially relevant, nor does it make telnet less outdated;
| secure devices are better off just using SSH.
|
| What makes a protocol outdated? I would argue that outdated
| protocols "bake in" outdated assumptions. The telnet protocol
| has a builtin assumption that the network is secure, while
| newer protocols for remote administration lack this assumption
| and assume an actively malicious network.
| jamesdwilson wrote:
| The telnet protocol does not have to be used only on the open
| internet, just as HTTP (insecure) does not have to be either.
| It can be used internally for whatever reason you want as
| well. I don't think that makes it outdated.
| nightpool wrote:
| And what sort of network do you think the IoT devices from
| the article were designed to be used on? This kind of
| thought process (well, security isn't important if you use
| it internally) is exactly the sort of attitude that led to
| the botnets in the article becoming as large and as
| devastating as they ended up being.
| koromak wrote:
| "The Rutgers IT department is a joke. This is the third time I
| have launched DDoS attacks against Rutgers, and every single
| time, the Rutgers infrastructure crumpled like a tin can under
| the heel of my boot."
|
| The fact that people think this is impressive is mind boggling to
| me.
| spondylosaurus wrote:
| > It might be surprising that DDoS providers could advertise
| openly on the Web. After all, DDoSing another website is illegal
| everywhere. To get around this, these "booter services" have long
| argued they perform a legitimate function: providing those who
| set up Web pages a means to stress test websites.
|
| This reminded me of a Wired article[1] from a few weeks back that
| argued that many of the kids using these services to DDoS their
| friends/rivals don't realize they're illegal--so federal agencies
| are taking out keyword ads to warn potential users:
|
| > In fact, he and other members of [cybercrime-busting group] Big
| Pipes argue that most booter customers seem to believe--or
| convince themselves--that merely paying to use one of the
| services to knock out an adversary's internet connection isn't
| against the law, or at least isn't an enforceable crime. When the
| UK's National Crime Agency (NCA) ran a six-month Google
| advertising campaign in 2018 to intercept people seeking booter
| services and warn them about their illegality, Clayton's research
| group found that attack traffic in the UK remained flat for those
| six months, while it increased at its usual pace in other
| countries.
|
| > In the years since, law enforcement agencies seem to have
| learned from that experiment: The FBI now also buys similar
| Google advertisements to warn potential booter customers that
| paying for the services is a crime. The UK's NCA, meanwhile, has
| not only launched new advertising campaigns but even run its own
| fake booter services to identify would-be customers and then send
| them warnings--sometimes even with in-person visits--about the
| consequences of paying for criminal DDOS attacks.
|
| [1] https://www.wired.com/story/big-pipes-ddos-for-hire-fbi/ (For
| the relevant bits, scroll to the "Honeypots, Google Ads, Knock-
| and-Talks" section)
| thatguy0900 wrote:
| I find it extremely interesting that the FBI buys ads for
| illegal stuff, rather than Google just putting up a warning
| when you search for DDoS services.
| spondylosaurus wrote:
| I mean, it's not illegal to _search_ for those keywords, so
| Google doesn't have much of an incentive to stop running ads
| on them (at least of their own free will). I'm sure "triple
| homicide" is a hot keyword for advertising the latest true
| crime podcast or whatever.
|
| Granted, I'm also a little surprised that the FBI didn't just
| twist Google's arm about it, but who knows. Maybe Google did
| them a solid and doesn't actually charge for the ad space, or
| maybe the FBI is just trying to play nice since Google has
| plenty of federal contracts.
| 2OEH8eoCRo0 wrote:
| > I'm also a little surprised that the FBI didn't just
| twist Google's arm about it
|
| _Just_ twist their arm? What does it mean for the FBI to
| _twist_ Google's arm?
| HDThoreaun wrote:
| Why would google do that for free when they can get paid?
| jrochkind1 wrote:
| > The UK's NCA, meanwhile, has not only launched new
| advertising campaigns but even run its own fake booter services
| to identify would-be customers and then send them warnings--
| sometimes even with in-person visits--about the consequences of
| paying for criminal DDOS attacks.
|
| The FBI would be indicting them, not just warning them -- go to
| all that trouble of setting up a fake site, and then you just
| give up actually indicting them for their crime? What's even
| the point of that? That they didn't know it was a fake site is
| no defense, the FBI routinely, say, sells people fake bombs and
| then indicts them.
| aendruk wrote:
| > What's even the point
|
| Education
| spondylosaurus wrote:
| The NCA too, not just the FBI. But the Wired article goes on
| to say:
|
| > Big Pipes' Allison Nixon says she hopes that softer tactics
| like those can intercept would-be booter service operators
| early, before they start committing felonies: She's found
| that most booter operators start as customers before
| launching their own service. But for people who aren't
| dissuaded by those interventions, she says, Big Pipes and its
| partners at the FBI will still be watching them.
|
| > "The hope is that this whole show of force will convince
| some of them to quit and get a real job," Nixon says. "We
| want to send a message that there are people tracking you.
| There are people paying attention to you. We have our eyes on
| you, we might get you next. And it might not even be on
| Christmas."
|
| So the honeypots sound like a sort of catch-and-release
| strategy to scare kids before they start their own DDoS
| enterprises.
| jrochkind1 wrote:
| Right, I was amazed that the NCA seemed to be kinder and
| gentler than the FBI, which has no problem entrapping
| people and then putting them in prison.
| florbo wrote:
| There's an extreme difference in severity between trying to
| buy a bomb and trying to pay for DDoSaaS. I'd rather people
| come out of this sort of thing unscathed but wiser,
| especially if they're simply ignorant of the law, which seems
| to be the objective of that tactic.
|
| Besides, if something is illegal and there's a significant
| portion of offenders who _are_ truly ignorant of its
| illegality, perhaps a new approach to education is needed,
| which this tactic also covers.
|
| Maybe other organizations will take notes...
| amelius wrote:
| > To get around this, these "booter services" have long argued
| they perform a legitimate function: providing those who set up
| Web pages a means to stress test websites.
|
| Don't these botnet services run on compromised computer
| systems?
| 3np wrote:
| This is abstracted away from the customer and there is a
| wider and richer grayscale than at least I imagined before
| working at a data company and looking at IP providers for
| outbound. You have your TV sticks and VPN providers where a
| careful squinting at the ToS will tell you that users on the
| other end are signing off on the right to have their
| bandwidth leased. I don't see how else the supposedly
| legitimate providers of residential IPs could possibly offer
| the supply, geo-diversity, and pricing they do.
| itronitron wrote:
| During that time frame, I recall some top players being directly
| impacted by targeted DDOS attacks from other players. It wasn't
| too common only because people learned to protect their IP
| addresses, or change them periodically.
|
| The Mirai botnet had a very negative impact on game play for
| several servers, and I would argue it was the key factor in the
| demise of at least one of the servers simply because it
| rendered certain games unplayable.
| charcircuit wrote:
| [flagged]
| SkyPuncher wrote:
| Computer Fraud and Abuse Act:
| https://sgp.fas.org/crs/misc/R46536.pdf
|
| > Broadly speaking, § 1030(a)(5) prohibits a variety of
| acts that result in damage to a computer. Subsection
| 1030(a)(5) may be used to prosecute many of the activities
| that are commonly associated with hacking, such as the
| transmission of viruses or worms and unauthorized access by
| intruders who delete files or shut off computers. The
| provision may also be used to prosecute the perpetrators of
| Distributed Denial of Service (DDoS) attacks, which occur,
| for example, when an attacker overwhelms a server's ability
| to process legitimate requests by overloading the server with
| a flood of illegitimate traffic.
|
| Kicking your friend offline (via DDOS or other) would prevent
| it from processing legitimate requests and count as a breach
| of CFAA.
| charcircuit wrote:
| > would prevent it from processing legitimate requests
|
| Your friend is not hosting a server and they are not
| incurring damages due to having trouble connecting to the
| internet.
|
| The damages from not being able to process legitimate requests
| are like if you DDoS an ecommerce site, which means that they
| are unable to receive orders from legitimate customers,
| which causes them damage.
| anoonmoose wrote:
| I don't agree with that. If your DDoS prevents me from
| using services I paid for, I could rightfully sue you in
| small claims for the damages. They'd be small: a
| percentage of a monthly Internet bill. It's still
| damages.
| charcircuit wrote:
| It would depend on if being unable to access services you
| paid for would be considered damage to a "protected
| computer" which is specifically the kind of damage
| 1030(a)(5) protects against.
| Manuel_D wrote:
| > Your friend is not hosting a server and they are not
| incurring damages due to having trouble connecting to the
| internet.
|
| But they are, right? Whoever is hosting the multiplayer
| match is running a server. And damages come in the form
| of being rendered unable to enjoy the video game they
| paid money for. "Damages" do not have to come in the form
| of lost customers.
| anoonmoose wrote:
| According to the FBI, 18 U.S.C. § 1030 proves you wrong, and
| I'm going to believe fbi.gov over anonymous HN commenters 99
| times outta 100. Even if you think you're right because you
| think some part of the law is unconstitutional, or the way
| you worded the question was specifically chosen such that you
| think it doesn't fall under this law, or something I am not
| aware of idk, I don't believe that the FBI agrees with you,
| and they're the ones who would be charging me/my kids.
|
| https://www.fbi.gov/contact-us/field-
| offices/anchorage/fbi-i...
| dj_mc_merlin wrote:
| It's interesting that a potentially very large amount of people
| have the necessary technical skills to set up large botnets. It's
| mostly teenagers that do it in the Western world since they're
| both stupidly brave and at the right level of technical knowledge
| to be able to do the hacking without understanding how much
| evidence they're leaving behind. Or perhaps they think themselves
| invincible anyway.
| ftxbro wrote:
| > "Unfortunately for the owner, he was a big fan of Japanese
| anime and thus fit the profile of the hacker."
| itronitron wrote:
| _"That's some first class detective work, Agent Johnson"_
| compilator1 wrote:
| So, in the end the trio landed a job at the FBI. Like in a movie.
| anthk wrote:
| A botnet called "future". Meh.
___________________________________________________________________
(page generated 2023-05-24 23:00 UTC)