Of mad snipers and cyber-terrorists

We'll trade one for the other


Last Monday the Internet was attacked in what one Washington official described as "the most sophisticated and largest assault" in its history. Eight of thirteen root DNS servers got whacked simultaneously with a distributed denial of service attack. Had the assault not been shut down in an hour, the constant interchange of e-mail spam and viruses might have been slowed; the ability of millions to BS idly with strangers in IRC might have been impeded; e-commerce orders of bulk dog food might have gone unfulfilled; and millions of teenagers might have been denied their daily downloads of porn and warez and MP3s.

None of this happened, of course. Somehow, the Internet survived. It survived against the dire warnings of White House alarm divas Richard Clarke and Howard Schmidt. It survived against the predictions of Gartner which recently conducted cyber war games but neglected to involve a blue team and neglected to emphasize this curious fact. Had there been people working against the attack squads, as there would be in the real world, their results might have been vastly different.

As it turns out, in the real world there are 'blue teams' capable of shifting in difficult situations and putting up obstacles to the 'most sophisticated attack in the history of the Internet' (actually it was a monumentally crude attack, but let's not quibble). Airplanes were not crashed by hackers -- nor will they be so long as pilots continue to fly them rather than Web bots. The flood gates of dams were not opened and no villages were swept away. Chemical additives were not incorporated into foodstuffs in toxic quantities because there are humans working on the production lines. The vast torrents of spam and viruses continued circulating. All was right with the world.

Now, admittedly there are better attacks against DNS than some boneheaded packet flood, like cache poisoning for example. But this has been done and no doubt the 'blue teams' have a pretty good idea how to deal with it. Then of course there are 0-day exploits that no one is quite sure how to defend against or recover from because we haven't seen them yet, but here again so long as the equipment is in the hands of normal, adaptive humans, it should get sorted in a reasonable time.

And so what if DNS goes down for a while. So what if the Internet slows. What's the worst that can happen? A few million Net addicts will have to go out and get some exercise for a change.

You'll put your eye out

What this big, non-incident illustrates is the fact that people are capable of dealing with unexpected difficulties in spite of bureaucratic insistence to the contrary. The bureaucrats who devote their lives to interfering with ours tell us that we're weak and stupid and incapable of managing our affairs without their guidance and protection and improvement schemes.

Of course this has more to do with their own neuroses and Messiah complexes than the incompetence of ordinary folk. A certain number of deranged people believe they're superior to the general run of mankind and feel uniquely qualified to wield authority and regulate the lives of others. Most of these tortured souls end up among the ranks of bureaucrats, politicians, teachers, televangelists, social workers and 'mental-health professionals'. The worst are the bureaucrats and politicians; they wield the greatest power, and exposure to this addictive intoxicant inevitably leads them to underestimate the rest of us to the greatest extent.

So we hear the Messianic cries: the "electronic Pearl Harbor" of Richard Clarke; the deadly electronic attacks on "America's soft underbelly" predicted by former NIPC honcho Michael Vatis; and ex-Microserf Howard Schmidt's new slogan, "weapons of mass disruption" -- all signifying horrors about to boil up from the depths of the Internet and destroy our way of life.

Real disruption

Meanwhile, as Reg readers know, I live well within what, until recent days, has been the Beltway Sniper's line of sight here in our nation's capital. Two unemployed, ignorant losers humiliated and taunted the best minds of our local and federal law-enforcement bureaucracy for three weeks whilst making sport of innocent human beings going about their daily business.

So for me it was particularly ironic to hear about cyber-terror and 'weapons of mass disruption' and kiddie attacks against DNS while at the same time having, almost daily, a fresh opportunity to contemplate the extraordinary fragility of the human body in competition with high-velocity ammunition.

Unlike a kiddie packet flood, a rifle shot does tremendous and often irreparable damage to the bodies and lives of people. Consider the tiny .223 Remington. Weighing anywhere from 50 to 75 grains (or a mere one-eighth of an ounce) and traveling anywhere from 2800 to 3800 feet per second, it strikes with up to 1400 foot-pounds of kinetic energy.[1] Because of its small diameter and diminutive weight, we might expect it to do only local damage along its trajectory; but the .223 unfortunately has a tendency to exhibit yaw during penetration and to break up, especially if it's a semi-jacketed round, which greatly increases its effects.

Obviously as the bullet fishtails and breaks up, its forces and those of its fragments will be transferred to surrounding tissues, spreading the damage. Thus most of the sniper's victims died quickly; the few who survived have sustained devastating, perhaps permanently-crippling, internal injuries.[2]

The second thing our sniper did was change forever the lives of every person close to his victims. In three weeks, with thirteen shots, a pair of pathetic drifters caused, to hundreds of people, pain and loss and suffering that will never go away, while the Internet suffered the worst attack in its history and absolutely nothing came of it.

I'd like to hear Clarke or Schmidt or one of their fellow cyber-alarmist bureaucrats explain publicly what a so-called cyber-terrorist can accomplish that even approaches this sort of damage. I'd like to see one of these superior creatures address the friends and families of the sniper's victims and explain to them the devastating horrors of Internet mischief and cyber-terrorism. ®

[1] Hollywood action-film directors have done much to exaggerate the significance of a bullet's stated kinetic energy. This is calculated merely by multiplying half the mass of the moving object by the velocity squared. Far more important to the person struck is the rate and manner of the bullet's deceleration inside them, and its trajectory and the trajectories of its fragments in relation to vital organs and major blood vessels, all of which depends in each instance upon hundreds of variables. Suffice it to say that people shot do not fly backwards ten feet through the air. Of course this looks way cool on film, especially in slow motion with squibs full of stage blood bursting explosively, and has therefore become an established idiom of fictional ballistics. The chief myth at play here is that 'stopping power' is a function of kinetic energy. In fact it's a function of rapid blood loss and consequent loss of consciousness, which in turn depends on optimal wound-channel volume and bullet fragmentation -- both of which tend to favour nicking a major blood vessel.

[2] There is also a theory of 'hydrostatic shock' claiming that people shot by high-velocity rounds, even when major organs and blood vessels are missed, often die from internal injuries because a deadly wave of fluid pressure bangs up their innards beyond repair. I personally think it's an exaggeration at best, but many believe it to be a real effect.
