computer whiz vs extortionist
March 14, 2006 4:51 PM   Subscribe

This was really interesting! There seems to be a typo in the last quote, where it sounds like Lyon impeaches himself?
posted by kensanway at 5:37 PM on March 14, 2006

That's awesome.
posted by russilwvong at 5:43 PM on March 14, 2006

Hmm. Seems vaguely familiar. Looks at timestamp ... Saturday, Nov. 22, 2003?! Oh, come on!
posted by kaemaril at 5:48 PM on March 14, 2006

Yeah, I remember reading this years ago....but it is still pretty interesting if you haven't seen it before.
posted by solipse at 5:54 PM on March 14, 2006

This was a long time ago.

It was not uncommon to see botnets of 30,000 hosts, and to be attacked with well over 1Gbps of traffic. It was amazing.

What was more amazing was despite the sums of money involved, and the resources the attackers had on hand, they did basically no research whatsoever into the infrastructure of the sites they were attacking, or which sites were owned by the same company, or anything like that. In some respects it was really amazing, in others, it was very uninformed and clumsy. These were not sophisticated hackers or criminals.. they were russian script kiddies with ties to organized crime and a feeling of impunity.

Some interesting followup, DDOS attacks against online sportsbooks have basically been a non-issue since I believe spring of 2004. Many operations beefed up their infrastructure, and there were several high profile arrests in Russia and elsewhere, organized by multi-national police cooperation. The trials are still ongoing to this day.

Nowadays, the books know better than to pay up, the infrastructure is more resilient, and the ISPs are more cooperative in dealing with the issue.
posted by TravellingDen at 6:05 PM on March 14, 2006

They should fill those criminals up with this and cause them to have a fatal Denial of Elimination Attack!
posted by roguescout at 6:09 PM on March 14, 2006

This was really interesting! There seems to be a typo in the last quote, where it sounds like Lyon impeaches himself?

I didn't take it that way; seemed to me he was saying he would had to have cloned himself to be working both sides of this, since he was working so hard just on the one side.
posted by rkent at 6:13 PM on March 14, 2006

That's still a really cool story, and reminded me of Cuckoo's Egg.
posted by tweak at 6:16 PM on March 14, 2006

Great story.
posted by soiled cowboy at 7:04 PM on March 14, 2006

a classic
posted by rxrfrx at 7:23 PM on March 14, 2006

Neat.
posted by arcticwoman at 7:27 PM on March 14, 2006

Interesting story, but a bit old. Definitely worth a read if you haven't seen it.
posted by alfaspider71 at 7:31 PM on March 14, 2006

I like the way the victim ends up $1m + $50k/year out of pocket to a white hat, instead of $40k out of pocket to a black hat.

It seems to me that instead of entering into a never-ending networking arms race, it might be better simply to get an insurer to pay the extortionist off for you. I'm no actuary, but it seems to me that the premiums would cost less for individual businesses than either consultants' fees or extortion payments; also, the underwriter would end up with way more than $1m to play with, and a direct financial interest in employing investigators to follow money trails and track down miscreants.

This is kind of a similar approach to what the banks take in respect of credit card fraud. Everybody understands that credit cards are massively insecure, and that some degree of fraud is inevitable; but rather than change card procedures until they're inconveniently secure, the interest rates are jacked up enough to cover the fraud losses.
posted by flabdablet at 7:44 PM on March 14, 2006

Whiz kid. Wiz kid.
posted by MrMoonPie at 7:54 PM on March 14, 2006

flabdablet: and so what happens if you get extorted more than once a year, by more than one botnet owner.

This isn't like Mafia protection money, that's the wrong way of looking at it. It's not like if you pay the Russian script kiddie to stop fucking with you, other script kiddies won't try the same thing.

It's more like operating a bank with no lock on the vault; sure, the lock is pretty expensive, but if you don't invest in it initially, eventually more and more people are going to rob you until you get put out of business.

What will be really interesting to see is when someone who gets seriously fucked with by a hacker or scammer fights back IRL by hiring another criminal to take out the extortionist in an illegal manner.
posted by tweak at 8:15 PM on March 14, 2006

kaemaril - Looks at timestamp ... Saturday, Nov. 22, 2003?! Oh, come on!

actually, the article is from May 2005.

that "timestamp" is part of the article.
posted by pruner at 8:42 PM on March 14, 2006

It seems that it'd be more efficient in some of these cases to hire private investigators, instead of beefing the hell out of the infrastructure. I'm sure it's hard to track these guys down on the internet, but large amounts of money changing hands usually leaves a nice fat paper trail. Hire some guys to track that down, get your money back, and make an example out of the extortionists in the local courts. Much more effective than paying them off, which will only encourage more and more of this.
posted by Mitrovarr at 8:45 PM on March 14, 2006

tweak: you misunderstood his suggestion. The point is that you pay the insurance company and they pay all extortionists; the rate is set such that they make enough revenue to hire some investigators and hunt down some of them as a means of deterrence.

It's certainly the better option from the business perspective, as long as the rates would actually be affordable. And I'm not sure what authority the insurance company would really have to do anything to the offenders, regardless of how much incentive they had. They're probably judgment-proof and so there would need to be a good deal of state cooperation if this was to work. An interesting idea though.
posted by rkent at 8:56 PM on March 14, 2006

Interesting geek intrigue story. Good link.
posted by Ogre Lawless at 9:22 PM on March 14, 2006

That was very long and I didn't really understand half of it but it was fascinating nonetheless.
posted by zardoz at 9:25 PM on March 14, 2006

Well, regarding the whole problem of the commons thing, another idea that might make more sense is for the companies to pool their funds to pay a consultant, thus reducing their prices, and then share the software and techniques the consultant produces. Eventually other consultants enter, leading to competition, lowering prices, etc. But apparently, this isn't a problem anymore?
posted by kensanway at 9:34 PM on March 14, 2006

I've seen this story in two different places in the last year. The first was the aticle in the FPP when it was originally published last spring. Wired also covered it here.
posted by hwestiii at 5:30 AM on March 15, 2006

Richardson considered paying off the extortionists. Now Richardson has a better option. Pay Lyon $50,000 a year and he's protected. He doesn't have to worry about paying extortionist's protection fees.

Heh heh heh.
posted by Jairus at 5:57 AM on March 15, 2006

The New Yorker also wrote up this story, but this one is told much better. Lyon's other project opte.org has very cool pictures of the interconnectedness of the internet.

Ooh and they have a picture of a DDoS attack.
posted by stratastar at 7:14 AM on March 15, 2006

$50000 per year might seem stiff until you realize this is being billed to companies that sell little bits of _nothing_ at a huge markup.

These are the guys that will pay 10 grand for a toasted cheese sandwich, so $50000 for peace of mind is nothing.

(great link. old, but a fun read)
posted by login at 7:16 AM on March 15, 2006

New to me. Thanks for the read.
posted by Optimus Chyme at 8:38 AM on March 15, 2006

A couple articles on volunteer groups which are hunting down botnets, via slashdot: Washington Post, eWeek.

After reading a few of these articles, I got paranoid enough that I reinstalled Windows on my home PC.
posted by russilwvong at 1:38 PM on March 21, 2006