Saturday, August 26, 2006

Christopher Maxwell, botnet master, sentenced to 3 years +

I was in attendance at the four hour sentencing hearing for Christopher Maxwell, the botnet master. After extensive testimony from the investigating agent Dave Farquhar, as well as representatives from Northwest Hosptital, the DoD, and a California school district, Judge Pechman spoke at length and eloquently about her decision to send Mr. Maxwell to prison.
Where Asst. US Attorney Kathryn Warma sought 6 years imprisonment, the defense sought probation. The judge, after much thoughtful deliberation, gave him three years, followed by three years probation, and more that $250,000 in restitution to Northwest Hospital and DoD. He may well pay more to the school district too.
By any real standard, Mr. Maxwell's life is ruined, thanks to sadly flexible morals and the desire for easy cash.
It's a shame as, on one hand I felt bad for him, as I watched his family weep and pray, and noted his own readily visible emotions. He was indeed remorseful and accepted responsibility for his actions.
But my compassion began to fade as, in his own opportuntiy to speak to the judge, he suggested he might best serve time by speaking to high school students and other youth groups about his wrong doing.
To this I say, three years in the hole will offer a far better deterrent than Mr. Maxwell on a speaking tour, elevated to a status he is not worthy of.
Yes, his sole intention was propogating adware for pay, and even with root access to machines, he did no further damage and stole no information.
But botnets for dollars, or any other nefarious purpose, could have, quite simply in this case, cost someone their lives. Northwest Hospital continued to operate thanks to good disaster planning, but what if they hadn't? What if someone was misdiagnosed or issued the wrong medication as a function of Mr. Maxwell's criminal acts?
Both the Assistant US Attorney and Judge Pechman spoke directly of the need for deterrence. Yes, it may not help with our friends overseas, but maybe, just maybe, some script kiddie in a basement somewhere will now think twice before firing up an IRC server and letting loose with the malware.
To Asst. US Attorney Warma, Agent Dave Farquhar, and Judge Pechman I say, job well done.

Tuesday, August 15, 2006

Snort management scripts

In a recent thread on the Internet Storm Center I offered some scripts that I wrote entirely for convenience at the shell prompt. Save each as the # commented title, add them to your working directory, chmod a+x them, and use at will:

For Bleeding-Edge rules, I prefer the single bleeding-all.rules so I use this to update it rather than Oinkmaster:

cd /etc/snort/rules/
rm -f bleeding-all.rules
To fire Oinkmaster manually rather than cron:
#oink -C /etc/oinkmaster.conf -C /etc/autodisable.conf -o /etc/snort/rules
To kill the daemon:
killall snort
To confirm Snort process state:
ps aux | grep snort
To confirm Snort running cleanly after config or rule changes:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -v
To start the daemon:
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth1 -g snort -D

Thursday, August 03, 2006

RE: Hackers and Employment - What the heck's wrong with us?

Hackers and Employment - What the heck's wrong with us?

This essay describes a scenario that has long bothered me to no end.
What place does a hacker with obvious moral flexibilty have in our
enterprises? Certainly they may be talented and quite brilliant, but can
they truly be trusted?
An associate, whose views I respect greatly, said this regarding
Mitnick's books. "I'll check them out of the library and read them for
the value they hold. But I won't buy them, I simply can't fund the
The essay's author is right. We willingly pay for the breakdown of
simple societal standards that not so long ago were the expected norm.
Is it too much to ask that our information be safe, our systems
unhindered by malware designed to rob us financially and strategically,
and that organizations will choose not to hire the morally flexible?
Sadly, we know it is too much to ask.
But, I for one, will continue in my quest to protect that information,
those systems, and the people who count on them, living by a solid moral
standard built on the premise of "first, do no harm."

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...