Journal sllort's Journal: What Can Illegal Hacking Do For MY Business? 19
Slashdot has an interview with security legend Fyodor, admin of the famed insecure.org and author of the world's most affordable port scanner, nmap.
The best part of this interview is that Slashdot does not often interview criminals. Many Slashdot readers know that Fyodor used his tool to illegally attack a college student in 2002, for his personal amusement but also to the benefit of Slashdot's admins. For those that don't know the story, I will present a brief summary.
*Those individuals interested in independently verifying the facts presented in this article should skip to the "Verification" section near the end.
Sdem had created a hoax account entitled electricmonk, and used it to post this comment pronouncing that he was actually a cute Linux booth babe. "electricmonk" left an email at Yahoo and encouraged Slashdot readers to get in touch.
Fyodor proceeded to do so, boasting of his previous exploits with women he'd met online. He was even helpful enough to attach a picture.
This is where the story turns ugly. Sdem responded with a truthful email, in which he advised Fyodor that the whole thing was a hoax. After that, sdem posted a log of his exploits to sid=20721 (trolltalk), mentioning that he had tricked Fyodor and referring to many of the biters as "wankers". This apparently really set Fyodor off, and he began to plot criminal revenge.
First, Fyodor dug through insecure.org's referrer logs to find what IP address had requested the picture of Fyodor & his paramour. Using this information (and the logged User-Agent), Fyodor knew from the get-go Sdem's IP address and O/S. From this point, he launched nmap against Sdem's box and was greeted with the holy grail of sorts for BlackHats: an open X windows server on port 6000.
Sdem had been running an X-windows server for Windows on his Win2k box. Fyodor was able to bypass the authentication on the X-windows server and used the X-windows server to take complete screen captures of Sdem's machine whilst sniffing and recording keystrokes.
Fyodor proceeded to take hours worth of screen captures, including information on a "secret troll irc server" that sdem was using. Fyodor wrote a detailed writeup of what he observed, including an irc robot used on the server to detect new Slashdot stories for the purpose of early posting. Fyodor also mined and posted as much information about Sdem as he could find, including his real name and contact information. Jamie McCarthy used this illegally obtained information shortly after it was posted to log on to the irc server, monitor the bot, and modify Slashdot in order to break the story monitor.
Fyodor even submitted his "troll hunting" story to Slashdot, though it was rejected.
After he was done hacking Sdem's computer, Fyodor posted his screen captures and a log of his breakin to www.insecure.org/tmp/trolls. The content was removed 24 hours later. He went on to boast in sid=20721 about his "troll hunting finale". While sid 20721 is regularly cleaned, a cache of Fyodor's boasting about his illegal break-in is available here. Very interesting reading.
So, while Fyodor's interview is no doubt very interesting, I think that, as an accomplished (and due to the lack of prosecution very successful) criminal, the nature of questions given to Fyodor in the interview don't do justice to the type of expertise this man has in illegally penetrating computers across state lines and getting away with it. I'm sure that many companies would like to have a man of this caliber at their disposal in order to infiltrate and destroy their competitor's IT infrastructure.
Of course, no sane person would use this man's software without compiling it from inspected source, given his history. Fortunately the folks at Redhat pore over his code with a fine toothed comb before including it in their distribution, so if you've ever wanted to peer into the mind of a madman, I encourage you to take a look at Redhat's copy of nmap.
Also if anyone has a cached copy of fyodor's insecure.org/tmp/trolls page, please let me know in the comments so we can get it hosted. This particular piece of sordid Slashdot history just became more relevant.
Additional reading:
Sdem's account of the incident
Trolltalk cache, circa break-in
Cache of Fyodor's "Troll Hunting 101" from www.insecure.org/tmp/trolls
Verification:
Above are caches of both Fyodor's bragging about the break-in on his web site, and his bragging in a Slashdot comment about having hacked Sdem. Numerous people witnessed this and have posted comments in my following journal entries certifying to the veracity of these mirrors. To date, no one at Slash Team and no one at insecure.org has denied it. Nor will they; they have almost certainly been advised by legal counsel not to speak about it in public.
That said, any journalist or researcher wishing to pursue this story may wish to take additional steps. The Slashdot editorial staff was well aware of this story when it happened. Jamie McCarthy used Fyodor's information to penetrate the irc server Fyodor discovered and attack the irc bot he found there. Jamie McCarthy and Michael Sims are both aware of the details surrounding this incident and can confirm their recollection and involvement in the incident by email. Their email addresses are easily available to a curious researcher so I won't bother repeating them for spam robots, but suffice it to say that asking Jamie the question "did you see Fyodor's page on his web site in which he took screen captures from a hacked trolls computer" will probably yield you positive confirmation. There is the possibility that they won't want to involve themselves for legal reasons, but I doubt it. Jamie is historically honest to a fault and forthcoming when approached with a legitimate question.
So, if you're a doubter, email the Slashdot editorial staff. Fyodor is a Black Hat, and the eds know it.
Super secret IRC server? (Score:2)
Re:No (Score:1)
Hey Sllort... (Score:1)
You will find something hopefully to your advantage therein.