Comega and I can't figure out why this guy mailed anyone other
than me. Of course, I address this in an oh-so-polite fashion
later on.
Date: Sun, 28 Jan 2001 02:58:59 -0600
From: M Reed Brooks (MReedB@hotmail.com)
To: comega@attrition.org
Subject: Statements Made To ABCNews
Dear Sir,
I chose you to write to mainly because the staff page says you are the
grand old man at attrition. I am writing in reference to the article on
ABCNews, where Brian Martin made some statements:
http://abcnews.go.com/sections/scitech/DailyNews/microsoft010126.html
First, I am one of the global opers on the AT&T Undernet Server
newbunswick.nj.us.undernet.org (irc2.att.net). I wish to emphasize I am
writing on a personal basis though (I just like to brag). As you know, the
undernet was hammered by sysop for over eight days, and I followed the
details of the attack extremely closely. His attacks were very unique,
allowing us to know exactly when it was him and not one of the several
copy-cats that jumped on the bandwagon as time went by. He likes to use
syn floods rather than smurfs for the main part, and he likes to be hands
on on his attacks. Normally, they last around 10 minutes, and each "burst"
is aimed at a single point, usually an upstream router of the hub he is
trying to take out. He hits one point with these bursts for several hours,
with short breaks between bursts (I think he shuts down to brag online,
and assess the damage done). Then he switches to another hub, or sometimes
he would hit the server of an oper directly "harassing" (glining his
current host) him. Overall, though, 90%+ of his attacks were directed at
the Baltimore NAP, which, at the time of his attacks, were hosting most of
our services. I do not know how much you guys got told about the details
of the attacks, but that is a general description. Due to his attacks, we
went from 39 to 27 active servers, and have temporarily shut down our
channel services bots, while our coders and network management specialists
plot (we have them locked in the closet of a whorehouse in the redlight
district of Amsterdam, with orders to create the equivalant of a
packet-seeking H-Bomb tipped missle, heheh).
But here is why I am writing. In every article I have read about these
brute-strength, just overwhelm-em with packets, type attacks, I have read
statements by the supposed "experts" where they are saying two things that
irk me, as they are flat-out wrong. First is the fact that most of these
attackers are geek teenage kids with no brains. Sure, a lot of them are.
But the ones doing the serious hits? No way. They know exactly what they
are doing, the best way to do it to ensure maximum results, and do serious
planning before their attacks. Secondly, nobody seems to realize the sheer
volume of bandwidth these kids now have. The Baltimore NAP was logging, AT
THE ROUTER (ie we're just talking about the packets that actually got
through, which is probably only a percetage of what was actually sent), of
sustained FOURTY MEGABITS PER SECOND! Of course, for that much bandwidth
to get through, the target has to be on a huge pipe or pipes in the first
place. Sysop, for example, is using two main sources of bandwidth: 1) lots
of edus, 2) an unbelievable number of cable and DSL boxes. I was told, as
it was happening, while the Admin was watching the logs scroll madly, that
he had given up trying to go back and manual count the number of hacked
@home boxes sysop was using. So he installed a unique IP counter that
filtered it down to a) packets of the type being used [syn flag set], and
b) only IPs in @home's IP-space. He then showed over 400 unique IPs in a 5
minute period. He also told me that he estimated that was about 1/3 of the
actual cable and DSL boxes sysop was using that night! So we are talking
well over 1000 hacked boxes being used by one person alone.
I do not understand why Brian is not emphasizing this problem, and I do
not understand why Brain is making out people like sysop to be so stupid
that they could not glom onto the fact that MS was running all their DNS
servers at one location, making it a great target to attack. I did -
immediately! Especially after it had just been done; facts kind of spoke
for themselves!
I urge you and your staff to tell these brainless reporters, in words they
can understand, the scope of the problem being faced, and just how far out
of hand it has become. Tell them that the "kiddies" causing most of the
damage are very sharp individuals who have literally thousands of hacked
boxes at their disposal. NOT ONCE have I ever heard a supposed expert
state that these kids have thousands of hacked boxes at their disposal.
Why? To me its like saying, in the middle of a theater fire, where the
fire has consumed a quarter of the building, "We cannot tell people there
is a fire. It would cause panic!"
[Thirty seven lines of reply deleted...]
So tell Brian to grow some hair and tell these reporters the scope of the
problem. I know it won't do a damn bit of good, but still, my respect for
attrition would return to normal. For the most part, I think you guys are
great :-) You just need to grow some hair, is all, and not be afraid to
tell them the truth.
[Sixty seven lines of reply deleted...]
Keep up the good work guys! People like me rely on you and we believe
every word you say! Scary eh?
Not MReedB (maybe)
From: security curmudgeon (jericho@attrition.org)
To: mreedb@hotmail.com
Cc: Cancer Omega (comega@attrition.org)
Date: Sun, 28 Jan 2001 18:09:32 -0700 (MST)
Subject: Re: Statements Made To ABCNews (fwd)
: ---------- Forwarded message ----------
: Date: Sun, 28 Jan 2001 02:58:59 -0600
: From: M Reed Brooks
: To: comega@attrition.org
: Subject: Statements Made To ABCNews
:
: Dear Sir,
:
: I chose you to write to mainly because the staff page says you are the
: grand old man at attrition. I am writing in reference to the article on
: ABCNews, where Brian Martin made some statements:
: http://abcnews.go.com/sections/scitech/DailyNews/microsoft010126.html
Hi there. I'm probably going to keep this pretty brief and to the point as
I don't think you have any concept of who I am, or what I have done in the
past. That said, I'd first like to quote one little piece of your mail
before I get started.
"So tell Brian to grow some hair and tell these reporters the scope.."
I find this terribly amusing and ironic, that you won't even mail me with
your comments, and instead choose to mail someone else at attrition with
them. In the future, could YOU grow some hair and address the correct
person if you have a gripe?
: First, I am one of the global opers on the AT&T Undernet Server
: newbunswick.nj.us.undernet.org (irc2.att.net). I wish to emphasize I am
: writing on a personal basis though (I just like to brag). As you know, the
I've heard your name before. You may know xxxxx xxxxx, also an Undernet
op. I work with him.
: But here is why I am writing. In every article I have read about these
: brute-strength, just overwhelm-em with packets, type attacks, I have read
: statements by the supposed "experts" where they are saying two things that
: irk me, as they are flat-out wrong. First is the fact that most of these
: attackers are geek teenage kids with no brains. Sure, a lot of them are.
Uh.. you seem to be missing something here. "Most of these attackers.."
and then you say "a lot of them are". That is saying the same thing,
slightly different words. For the most part, DoS kiddies are geek teens
with no brains. Sure, there are some that are smarter, older, and know
something about networking, but that is the minority.
I've read down a little, so I'll go ahead and clear something up here.
Apparently you are completely unfamiliar with how news articles and
reporters work. You can explain everything in excruciating detail to a
reporter, write a book, call them, beat them with a bat, and in the end,
you will likely get a "sound byte" quote in the article. All of attrition
staff is very familiar with this. One of our battles over the past two
years is helping journalists realize which quote is best to pick for the
article. That while one may sound better, it is out of context or doesn't
paint a good picture of what was really said. If you ever have a problem
with something said in a news article like the one you are quoting, you
should bring up that issue with the journalist first, as I can assure you,
a LOT more was said.
: But the ones doing the serious hits? No way. They know exactly what they
: are doing, the best way to do it to ensure maximum results, and do serious
And they are in the minority.
: planning before their attacks. Secondly, nobody seems to realize the sheer
: volume of bandwidth these kids now have. The Baltimore NAP was logging, AT
Nobody? I sure do. As do most of the people quoted in these articles.
Would you step back from techno geek heaven and look at reality please? In
a 1000 word article that talks about DoS attacks, do you think they have
enough time or space to really explain anything? Or that Joe Consumer
knows what a T3 or 100 megabits really means? No. So they don't print it.
Even if the expert and the journalist know what it means.
: I do not understand why Brian is not emphasizing this problem, and I do
: not understand why Brain is making out people like sysop to be so stupid
: that they could not glom onto the fact that MS was running all their DNS
I do not understand why you are so blind and unable to read the article.
At what point am I talking about Sysop.. ONE PERSON. Where do you see the
JOURNALIST addressing the resources of the attacker? Please quote to me
exactly where the journalist asked ME about *sysop* or *his resources* or
the resources of MOST DOS kiddies or SOME DOS kiddies.
When you realize that he didn't, kindly get a grip and spend your clearly
abundant time whining to someone else. Guh. You mind if I mail you
everytime I have a problem with EFNet?
: I urge you and your staff to tell these brainless reporters, in words they
: can understand, the scope of the problem being faced, and just how far out
: of hand it has become. Tell them that the "kiddies" causing most of the
I urge you to read the Attrition pages, especially the 'errata' section.
I further encourage you to read any of the other thirty articles I am
quoted in and realize that I make a very concerted effort to do exactly
what you are saying. Last, I encourage you to interact with jouranlists
and learn how it works. That in many cases it is even beyond their control
as editors can change things last minute.
: boxes at their disposal. NOT ONCE have I ever heard a supposed expert
: state that these kids have thousands of hacked boxes at their disposal.
: Why? To me its like saying, in the middle of a theater fire, where the
Why? Because it hasn't been asked of us? Or if it has, it wasn't printed
in the article? Or maybe read back to the feb DDOS articles and realize
that it was said, or at least brought up that it COULD be such.
: So tell Brian to grow some hair and tell these reporters the scope of the
: problem. I know it won't do a damn bit of good, but still, my respect for
: attrition would return to normal. For the most part, I think you guys are
: great :-) You just need to grow some hair, is all, and not be afraid to
: tell them the truth.
Hrm. I really did ponder how to respond to this. This is what I ended up
with.
Fuck you.
You are such a complete moron it hurts me to type this. "i know it won't
do a damn bit of good". Uh, then suggest something that WILL. Don't
presume yourself important enough to tell me how to deal with journalists
only to tell me it will be a waste of time. Or waste your eighteen page
rants on the journalists since the problem lies there. I can NOT believe
you sent all this shit to Comega, all over one fucking quote in one
article by me.
You say you don't respect attrition, yet you are an Undernet IRC op. Oh
please, pot kettle black anyone? Because of one soundbyte in one article
made by one staff member, your respect for attrition is somehow lowered?
No wonder I hate the undernet and the asshole fascist administators of it.
You undernet irc admins breed the script kiddies you whine about. You
administrate one of the most fascist IRC networks out there, and whine
about others having control? How does that work.
[part of my reply snipped..]
: DO what you will with this information. I figured that since you track
: these dudes, who better to send the info to. Maybe it will help you in
Since when do we track these dudes? We track web defacement, nothing more.
If you would actually READ our pages and quit making all these ass
backwards assumptions, you would save yourself a lot of time.
: fact, and I am flatout stating I have zero proof of anything I say (or I
: am not going to provide any proof, at any rate). In fact, I did not even
: write this letter. 14+ people have access to this box, so it was probably
: one of them. In fact, I know it was one of them, since I did not write
What was that about ME growing some hair? Hypocrite. Can't even take
responsibility for one piece of email, yet you passingly jump down my
throat for one quote? Guh.
[part of my reply snipped..]
: Keep up the good work guys! People like me rely on you and we believe
: every word you say! Scary eh?
What? You just said you had a low opinion of us, remember?
Please, don't reply to this. If you mail any of us in the future, make
sure you educate yourself a bit more on who we are, what we do, and what
we have done in the past. Mail like this is extremely offensive and
counter productive to everything you seek to do. Spend your time more
wisely.
