

At least it wasn’t a cucumber

I pack a lunch most days in order to slow my delirious tail-spin into bankruptcy. I like bananas, so I usually throw one in there. The problem is that by the time I actually eat the banana, it’s been rolling around the inside of my backpack for seven hours or so. Bananas are not the most resilient fruit. Usually I can just avoid the mushy spots (the damage is not just cosmetic! it ruins the taste!) as I eat the thing, but today it was so badly bruised along one side that I just peeled it entirely, then ate the good half like it was corn on the cob. What’s really grim about this scenario is that I was in the Silverberg Landing, a little lounge on the 5th floor of Sieg II, and so at any moment a CSE professor could have walked by and witnessed my simian behavior. Of course I scanned up and down the hallway all the while, but I still felt like a vandal or a thief, especially as I carried the lengthwise half of a gnawed banana into the bathroom to throw it away.

Your “what is it” riddle for the day: you throw away the outside, cook the inside, eat the outside, then throw away the inside. All together now… what is it?!

Today’s article grew out of a discussion Bryan and I were having about how one might bring down the Internet. He didn’t think it could be done, but I was much more optimistic. After I’d convinced him of the feasibility, I then had to convince him why we shouldn’t – for one thing, I have a vested interest in its continued well-being, monetarily and otherwise. Since I only have 16″ to play with for my column, the juicy stuff (which most people wouldn’t have understood) got left out. Bryan emailed me some protests, and this is what I said to him. Feel free to stop reading here unless you’re a nerd.

The nice thing about this scheme is that it doesn’t involve breaking RSA, or doing anything else all that difficult. The primary weakness it exploits is what has always been the weakest link in the chain: the user. This plan would likely involve 1) a take-down of a DNS server and redirection of major banking sites, whose user names and passwords are stored for the duration of the attack (one could likely get around 1 million before the alarm bells went off sufficiently), 2) a series of DDoS attacks, using a network of millions of zombie PCs (this is where stupid users come into play) to get the white hats off one’s tail during the attack, and 3) a simultaneous zombie PC attack to filch every last cent out of every user who falls for the attack in 1), which will likely be a very high number, using ordinary bank transactions with RSA encryption and everything. Interesting, suddenly my Cayman Islands bank account is much larger.

The profits earned by such an attack would not just be credit card numbers, bank account numbers, and passwords. You also get social security numbers, opening the doors to perpetrate ID theft on any of these individuals. You also get access to their email, since most people use the same password for everything and (this is key), using WHOIS lookups, you’re likely to trap several hundred server admins as well — guess who just got root access, very easily, to several hundred websites. The process continues and spreads.

A vital part of this plan would be 1) making the attack last as long as possible, in order to collect as much data as possible, and 2) making people *think* the attack didn’t last nearly as long as it really did to give them a false sense of security. This can be done very convincingly by 1) using your zombiePCs to keep traffic at banking websites at normal levels, and 2) playing with the logs of the DNS server, not to hide the intrusion but to give it an artificially short timestamp.

Would this be easy? No. Is it possible? Most definitely. As are many other scenarios.

The end of the internet will not be the end of world economies. It will happen when, through a variety of well-publicized attacks like the above, normal people no longer feel safe using the internet. We’ve already discussed just how much peril they are in, normally, and as technology gets more complicated and the number of vulnerabilities increases, this will only get worse. When normal people turn away from the web in fear, there will be no incentive for corporations to use it as a sales tool. Goodbye, www.

Of course, I should emphasize that you couldn’t pull a scheme like this off without the help of me and a few dozen other hackers working in tandem. It would have to be a well-planned, concerted effort around the globe. *And* I have no interest in such a scheme, my livelihood and so on dependent upon the continued well-being of the internet. A white hat was I born and a white hat shall I die.

There you have it. For the group of crackers who will inevitably pull something like this off: keep my name out of the source code, please. I have a reputation to uphold over here.

Posted in Musings.

