German programmer "Mixter" addresses cyberattacks
In an interview with CNET News.com about last week's Web site shutdowns, the anonymous programmer explains his actions and philosophy on technological security.
- Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
A programmer known only as "Mixter," who says he resides in Germany, has not been publicly accused in any of the cases and denies any responsibility for the "distributed denial of service" (DDoS) attacks. Mixter is part of a small group of underground programmers who say they create assault technologies that can be used in testing to improve Internet security.
The recent attacks have renewed controversy over this practice, raising questions about whether these programs increase the potential for misuse when they are posted publicly online. In an interview Wednesday with CNET News.com at the height of last week's shutdowns, Mixter explained his actions and philosophy on technological security.
CNET News.com: Were you in fact the author of the attack tools? (Several
versions of the attack tools exist, including Tribe Flood Network, its
sequel TFN2K, Trinoo and Stacheldraht.)
Mixter: I am in fact the author of the programs called TFN and TFN2K, but not of Trinoo. The original Trinoo was made some months earlier than the first TFN, but unlike TFN, (it's) not distributed publicly...Stacheldraht isn't written by me. There have been many false rumors about this. There is another German hacker who goes by the name "Randomizer" who wrote that one.
Why did you write the software?
I first heard about Trinoo in July '99, and I considered it as interesting from a technical perspective, but also as potentially powerful in a negative way. I knew some facts of how Trinoo worked, and since I didn't manage to get Trinoo sources or binaries at that time, I wrote my own server-client network that was capable of performing denial of service; later that month I published a working version of TFN on a handful of security sites to make the information public and generate awareness of the issue. The original Trinoo and other distributed tools existed since 1998.
Were you involved directly or indirectly in any of the recent high-profile attacks on Yahoo, eBay, CNN, Buy.com or Amazon?
No. The fact that I authored these tools does in no way mean that I condone their active use. I must admit I was quite shocked to hear about the latest attacks. It seems that the attackers are pretty clueless people who misuse powerful resources and tools for generally harmful and senseless activities just "because they can."
What is your real name?
I really prefer not to give you my real name. On the one hand it is a sad fact that many, many people have a bad opinion of anyone involved with "this strange hacking stuff" and that they make no difference between pointing out security weaknesses and exploiting them, and on the other hand, I'm using my handle, Mixter, because I do believe in privacy, and I simply want to keep my privacy on the Net, like many other nonmalicious people who care about security do.
What is your occupation?
I finished school approximately half a year ago, and I have been getting some offers from security companies since then. However, due to personal issues I haven't yet been able to start an employment, but I will probably be going to work in the area of source code security auditing, where I will have a great potential of improving both my knowledge and network software.
How difficult is it to write the distributed denial of service attack tools?
Not very difficult. The main concept is simply the client-server concept present in almost all Internet applications. Packet flooding and similar attacks are publicly known and available and can easily be implemented. When it comes to implementing stealth features, it might get a bit trickier. But factually, DDoS tools just make an old concept easier. Before DDoS, an attacker would just have to log on to every compromised machine, (then start) a flooding tool from each machine against the target.
How difficult is it to take over a sufficient number of computers to mount a distributed denial of service attack large enough to take down Yahoo?
Unfortunately, it is quite easy. It is safe to assume that all of the flood servers are installed on hosts compromised through vulnerabilities that are publicly known, rather old, and can easily be patched. Most attackers use automated...scripts to do long-range scans for known vulnerabilities. This procedure can take some time, but the concept is really easy. They also do this from compromised and specially modified machines to be sure that their origin cannot be traced back.
How many computers would you estimate were used in the Yahoo attack?
The amount they need depends. It isn't only the number, it is the bandwidth of each of these. From what I've heard from security mailing lists, attackers have already compromised Internet2 and other high-speed machines.
Given that TFN2K uses master and slave computers and encrypted communications channels, how difficult is it to find out who originally sent
the order to attack?
Remote detection is practically impossible unless the attack goes on for a timed amount of days. In that case, if all backbone providers would cooperate and monitor their routers, the origin of some of the "slave" servers could be tracked. That was a point I wanted to prove.
Since the other existing DDoS tools weren't totally anonymous and untraceable, I saw the possibility that security people would waste their time trying to find ways to track the attacker, while the DDoS tools would sooner or later become sophisticated enough to make this impossible. There is still the chance of finding attackers if they aren't extremely careful and leave traces on the compromised hosts or manipulate and damage things on the compromised hosts enough so that the administrator detects them locally.
Do you know if TFN or Trinoo were used in the Yahoo, eBay, Amazon, CNN
or Buy.com attacks, or was it other software?
I'm pretty sure a tool derived from TFN and/or Trinoo was used. Currently, many people seem to be modifying those tools, or developing new, similar ones, and keeping them private. This is because when a program is publicly known, people have a chance of identifying it locally when it is installed on their server by searching for binary patterns, as the FBI (National Infrastructure Protection Center) proved. This is basically the Trojan/virus problem, where antivirus vendors continuously bring out updated scanners, and virus authors continuously bring out new or modified viruses.
Anything else you'd like to say?
I'd like to remind people that the real problem is the insecurity of the huge amount of servers, and not the people that are exploiting it. If security companies and governments are starting a "hunt" against the people they call "hackers," they might succeed in tracking and persecuting some of them, but the real problem remains: Everyone who can manage to learn a handful of Unix commands and to set up a tool can commence DDoS attacks, as long as the overall Internet security is as bad as it is now.
I found it really disturbing and scary when I read that President Clinton is intending to dedicate $240 million for the sole purpose of wiretapping and domestic surveillance. In my opinion, no amount of denial of service attacks or computer intrusions could ever cause a comparable amount of money to be lost in the future. Additionally, such methods and laws can easily be circumvented by malicious people using compromised systems to relay through a number of encrypted channels and are therefore affecting everyone except the people they are intended against.