1080 lines
33 KiB
Plaintext
1080 lines
33 KiB
Plaintext
|
BBC Panorama
|
||
|
|
Interview with Deth Veggie and Sir Dystic of the Cult of the Dead Cow
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Deth Veggie, what is the Cult of the Dead
|
||
|
|
Cow?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
The Cult of the Dead Cow started out back in
|
||
|
|
the early 80s as initially the republished
|
||
|
|
text files. Actually the first e-zines as
|
||
|
|
now they're called, and although we were
|
||
|
|
involved with the computer underground we
|
||
|
|
weren't the same as other hackers. It sort
|
||
|
|
of evolved to the point where it is today
|
||
|
|
where it's still today our primary focus
|
||
|
|
isn't necessarily technical. We have a lot
|
||
|
|
of like social aims, social activity, but we
|
||
|
|
also have.. there's the technical aspect.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
What's the philosophy of Cult of the Dead
|
||
|
|
Cow?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Well one of our primary functions is, is we
|
||
|
|
try to bring information to people that they
|
||
|
|
normally wouldn't ever see from other
|
||
|
|
channels. We publish a lot of text files, a
|
||
|
|
lot of them are not at all technical but not
|
||
|
|
anything that you're likely to find from
|
||
|
|
other sources. We basically like to
|
||
|
|
challenge people's thought ideas and make
|
||
|
|
them think in new ways.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
And hacking, what's the appeal?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
well I mean if you consider hacking to be the
|
||
|
|
manipulation of a system to make it do
|
||
|
|
something, you know, basically you can hack
|
||
|
|
anything. It doesn't have to apply
|
||
|
|
specifically to computers. You can hack
|
||
|
|
electronics, media, information, there's
|
||
|
|
social hacking, and basically it's a certain
|
||
|
|
amount of power. I mean you can make
|
||
|
|
something do something that it wasn't
|
||
|
|
intended to do.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
And that's the appeal of it?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
It's certainly part of the appeal. It's the
|
||
|
|
modern exploration you know.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
I think for me I consider a hacker to be
|
||
|
|
anyone who takes something apart and puts it
|
||
|
|
back together better, and currently it seems
|
||
|
|
like the output, the aspect that it takes is
|
||
|
|
computer hacking but historically there's
|
||
|
|
always been people with that sort of mindset
|
||
|
|
or attitude, we can start like people who I
|
||
|
|
consider to be of the hacker mindset like
|
||
|
|
Benjamin Franklin or Aristotle, people like
|
||
|
|
that, you know, they basically did things
|
||
|
|
their own way.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Okay, you've obviously explained that hacking
|
||
|
|
can apply to different fields and not just
|
||
|
|
computers, but obviously computers is what
|
||
|
|
we're talking about here today, and Sir
|
||
|
|
Dystic you know when you go on line, when you
|
||
|
|
hack, for want of a better word, that's the
|
||
|
|
word we're using, what do you feel? I mean
|
||
|
|
what do you get out of it? What's the appeal
|
||
|
|
of it?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Well like I said, it's a form of exploration.
|
||
|
|
You're trying to, you know, you're exploring
|
||
|
|
ideas or computer systems rather than you
|
||
|
|
know, geographical land, but it's still the
|
||
|
|
idea of being able to go into something and
|
||
|
|
find new things that nobody else has
|
||
|
|
discovered yet before in the sense of hacking
|
||
|
|
being breaking into computers certainly a lot
|
||
|
|
of people do it because they're going into
|
||
|
|
places that they wouldn't normally be
|
||
|
|
allowed.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
And the world at large finds it frightening
|
||
|
|
the idea of people hacking into their
|
||
|
|
systems?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
People are frightened by pretty much anybody
|
||
|
|
who can do something that they can't and they
|
||
|
|
don't understand.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I also think that it's important to see that
|
||
|
|
the danger isn't from hackers in terms of
|
||
|
|
kids. The danger in terms of computer
|
||
|
|
security are from aspects like organised
|
||
|
|
crime or espionage, things like that. The
|
||
|
|
danger is not from hackers like Sir Dystic or
|
||
|
|
myself, or even just other kids out there.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
You showed the way?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
The way was already out there. The people
|
||
|
|
already were aware of it. Another thing
|
||
|
|
about hackers is that they don't create the
|
||
|
|
whole, security holes, they basically just
|
||
|
|
find them and exploit them.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Discover them. They discover them.
|
||
|
|
CORBIN So would you disclaim all responsibility that
|
||
|
|
you put your tools out there and let people
|
||
|
|
use them?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
People use our tools for all sorts of things
|
||
|
|
and I mean people can use any product in the
|
||
|
|
way it's not prescribed and that in many
|
||
|
|
cases is illegal and certainly using a
|
||
|
|
programme like Back Orifice to break into a
|
||
|
|
computer would be illegal, but in truth it's
|
||
|
|
really not even a programme to break into
|
||
|
|
computers, it's really once a computer has
|
||
|
|
been compromised it allows you to control
|
||
|
|
that computer completely.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Well let's talk about Back Orifice. Sir
|
||
|
|
Dystic why did you write this programme Back
|
||
|
|
Orifice?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
That work it essentially came out of.. it was
|
||
|
|
a small simple tool I was writing and then
|
||
|
|
when I realised the possibilities of how far
|
||
|
|
it could be taken, I basically just added
|
||
|
|
every feature to it I could think of and we
|
||
|
|
tried to point out to the world that this
|
||
|
|
really one of the easiest ways that your
|
||
|
|
computer can be compromised and when that
|
||
|
|
happens there's basically no limit to what a
|
||
|
|
remote attacker can do. All it takes is
|
||
|
|
basically coating it, and what I was trying
|
||
|
|
to show is that it really doesn't even take
|
||
|
|
all that much effort to code that and it's a
|
||
|
|
very small, simple programme and it works
|
||
|
|
very efficiently.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
So you're saying you wrote it to show up the
|
||
|
|
faults in the system.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Sure. I mean my main issue at the time was
|
||
|
|
with Windows 95 which was essentially
|
||
|
|
released without any security built into it.
|
||
|
|
It had very, very, minimal security and that
|
||
|
|
was a marketing decision by Microsoft, they
|
||
|
|
wanted to have as many people be able to use
|
||
|
|
it as possible. But by sacrificing security
|
||
|
|
it's no longer a secure platform. It's
|
||
|
|
certainly not anything that people should be
|
||
|
|
doing things like online commerce and online
|
||
|
|
banking from but they are marketing it for
|
||
|
|
that purpose.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
But they would say that the fact you wrote
|
||
|
|
this software is very malicious to show up
|
||
|
|
the faults in the thing.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
It's malicious to for instance show that
|
||
|
|
there's a faulty seat belt in a car? I don't
|
||
|
|
understand how that's malicious.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I think it's also.. the point is that there
|
||
|
|
are already things like that out there. In
|
||
|
|
fact when we released Back Orifice all these
|
||
|
|
people came out of the woodwork and went like
|
||
|
|
"hey I had something that did this exact same
|
||
|
|
thing months ago." And because nobody had
|
||
|
|
announced it publicly, nobody was protected
|
||
|
|
against it. Nobody knew that hey, you know,
|
||
|
|
when I'm using my credit card to buy shoes on
|
||
|
|
line, somebody could be capturing that credit
|
||
|
|
card information. Nobody knew that their
|
||
|
|
computer was open to basically anybody who
|
||
|
|
wanted to take a look at it.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
But surely when you create something as
|
||
|
|
powerful as Back Orifice that could have such
|
||
|
|
an evil purpose in the wrong hands, that's
|
||
|
|
very irresponsible.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
What I was going to say is that when we
|
||
|
|
released it we consciously made several
|
||
|
|
decisions. We made limitations as far as it
|
||
|
|
would go because we didn't want it to be
|
||
|
|
abused too much, like things like not making
|
||
|
|
it viral in that it wouldn't reproduce
|
||
|
|
itself, and not making it polymorphic, things
|
||
|
|
like that.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
It wouldn't change itself?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
So it wouldn't be impossible to control.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
But basically I mean the anti-virus' response
|
||
|
|
to it was they started scanning for the Back
|
||
|
|
Orifice programme. One of the interesting
|
||
|
|
things was at that time they also started
|
||
|
|
scanning for a bunch of other similar types
|
||
|
|
of applications, many of which had been
|
||
|
|
around for six months to a year, but they had
|
||
|
|
never bothered to scan for those programmes
|
||
|
|
because nobody was talking about it, nobody
|
||
|
|
was making an issue. If we'd wanted to be
|
||
|
|
malicious about it, we wouldn't have made as
|
||
|
|
much noise about it as we could. We tried to
|
||
|
|
get as much media about it as possible
|
||
|
|
because by raising the awareness of the issue
|
||
|
|
is the only way that anything is going to get
|
||
|
|
done about it. If we'd wanted to be
|
||
|
|
malicious we would never have told anybody
|
||
|
|
about it and we'd be out there exploiting
|
||
|
|
people successfully because.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Yes, but aren't people using your programme
|
||
|
|
in a malicious way? Isn't that the end
|
||
|
|
result of what you've done?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I think when we released it we were very -
|
||
|
|
this may have been kind of idealistic of us
|
||
|
|
but I know that I personally, I hoped and I
|
||
|
|
really believed that by releasing something
|
||
|
|
that was this powerful, Microsoft in this
|
||
|
|
case, would be forced to fix the fundamental
|
||
|
|
problems. The fundamental vulnerabilities,
|
||
|
|
whether or not someone is using a programme
|
||
|
|
to exploit them, are still there and that's a
|
||
|
|
problem. I mean I use Windows computers.
|
||
|
|
Most of the world.. you know, single most
|
||
|
|
popular operating system, and it's pretty
|
||
|
|
scary that there is no security inherent and
|
||
|
|
we hoped that we'd be able to force them to
|
||
|
|
fix that. Unfortunately the response turned
|
||
|
|
out to be basically spin control from the
|
||
|
|
marketing department.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
What about Microsoft's response to your
|
||
|
|
product?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
They basically buried their head in the sand
|
||
|
|
and said that it wasn't at all a problem and
|
||
|
|
they put out a couple of press releases going
|
||
|
|
point by point talking about issues and our
|
||
|
|
response at the time was to go through and do
|
||
|
|
a point by point response, showing how each
|
||
|
|
of their responses was either misleading or
|
||
|
|
simply untrue, or many of them at least,
|
||
|
|
certainly not all of them. And you know we
|
||
|
|
really didn't even like make that much of a
|
||
|
|
big deal of it after that, but within a
|
||
|
|
matter of months Back Orifice had become so
|
||
|
|
widespread that you could pretty much check
|
||
|
|
any sub net in the world and find it on one
|
||
|
|
or two machines.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
But surely that's the point. You created it
|
||
|
|
and you say you wanted to show up the flaws
|
||
|
|
in the system. But other people out there
|
||
|
|
went and used it for nefarious, malicious
|
||
|
|
purposes.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
The fact that it was on those machines
|
||
|
|
doesn't actually mean that it's being used
|
||
|
|
for malicious purposes. In fact huge numbers
|
||
|
|
of people actually mistakenly infected
|
||
|
|
themselves because they heard on the media,
|
||
|
|
and this was something I totally didn't
|
||
|
|
expect to happen, they heard about Back
|
||
|
|
Orifice in the media, they went to our
|
||
|
|
website and downloaded it, not looking at the
|
||
|
|
documentation at all they went and ran every
|
||
|
|
single programme, and one of those programmes
|
||
|
|
of course is the programme which runs the
|
||
|
|
server on your computer.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
But surely it shows the dangers of creating
|
||
|
|
such a powerful tool which, in the wrong
|
||
|
|
hands, can really be out of control?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Certainly but it's not really any different
|
||
|
|
than any other remote administration system.
|
||
|
|
Somebody has Microsoft, someone wrote
|
||
|
|
administration system installed on their
|
||
|
|
computer and their computer's been
|
||
|
|
compromised. You can control the system
|
||
|
|
remotely through that. Ours is just
|
||
|
|
incredibly small, efficient and has a lot of
|
||
|
|
functionality.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I think that we took some of that into
|
||
|
|
consideration when we were designing B02K the
|
||
|
|
second version, for instance since we made it
|
||
|
|
so that it didn't have a default port and
|
||
|
|
password so people couldn't accidentally
|
||
|
|
install it and they actually had to set it up
|
||
|
|
to things. But in my view I think that the
|
||
|
|
ultimate responsibility for these problems
|
||
|
|
lies not with us for pointing them out but
|
||
|
|
with the people who created a fundamentally
|
||
|
|
flawed product in the first place. It's no
|
||
|
|
more the responsibility for people dying in
|
||
|
|
Ford Pintos was not Ralph Nader saying hey
|
||
|
|
look you've run into a Ford Pinto from behind
|
||
|
|
it explodes, it was Ford's responsibility for
|
||
|
|
building something that exploded when you ran
|
||
|
|
into it.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
But more importantly than even really forcing
|
||
|
|
Microsoft to fix the problem, which obviously
|
||
|
|
they're not going to do because that would
|
||
|
|
require essentially abandoning one of their
|
||
|
|
entire platforms, it's more important that
|
||
|
|
people are aware that these are issues.
|
||
|
|
People who get their computer and go on line
|
||
|
|
first day, it probably never occurred to them
|
||
|
|
that it's even possible for their computer to
|
||
|
|
be taken over remotely. But the fact that BO
|
||
|
|
was so widespread and got so much media
|
||
|
|
attention has made so many people aware that
|
||
|
|
that's a possibility and maybe their decision
|
||
|
|
was okay I'm not going to do on line
|
||
|
|
commerce, or I'm not going to do my home
|
||
|
|
banking. Or maybe their decision was I'm not
|
||
|
|
going to use Windows 95 because it obviously
|
||
|
|
has these problems. But it's really just
|
||
|
|
important that people are aware of the actual
|
||
|
|
issues -
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
So that they can make and educated decision.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Exactly, as opposed to a decision based on
|
||
|
|
Microsoft's marketing.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
I mean you've outlined your reasons for doing
|
||
|
|
it very clearly, but I have to say to you
|
||
|
|
that most people out there just think that
|
||
|
|
these guys shouldn't be doing this kind of
|
||
|
|
thing.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
We don't think the same way as most people.
|
||
|
|
We know that.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Deth Veggie?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I actually believe that anyone who thinks
|
||
|
|
that way just really doesn't understand the
|
||
|
|
situation.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
I'll give you an example. After I released
|
||
|
|
it I received hundreds and hundreds of emails
|
||
|
|
from various different people and I received
|
||
|
|
emails from people who had had their
|
||
|
|
computers taken over, and not a single one of
|
||
|
|
them blamed me for it. Not a single one of
|
||
|
|
them was mad at me, and every single one of
|
||
|
|
them said the same thing to finish which was
|
||
|
|
"I'll never let this happen again".
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Aren't you afraid that law enforcement is
|
||
|
|
going to be on your back at some point over
|
||
|
|
all of this?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
We've done nothing illegal. We've talked to
|
||
|
|
law enforcement. They're not happy about it
|
||
|
|
but I don't think they are holding a grudge
|
||
|
|
against me for it certainly.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
What about Microsoft, how do they feel about
|
||
|
|
it?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Which part of Microsoft, their marketing
|
||
|
|
department, their programmers, Bill Gates
|
||
|
|
himself? I mean everybody is going to have
|
||
|
|
their own opinion and certainly anybody in
|
||
|
|
marketing is not going to like any negative
|
||
|
|
publicity, certainly people who are the
|
||
|
|
technical nature I would hope at least
|
||
|
|
appreciate the work that went into the
|
||
|
|
product. I mean everybody is going to have
|
||
|
|
their own opinion. I don't expect Microsoft
|
||
|
|
to like it but I do expect them to at least
|
||
|
|
admit that these are real issues and answer
|
||
|
|
to them.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Talking about law enforcement, moving on from
|
||
|
|
Back Orifice specifically but to the whole
|
||
|
|
sort of hacker area, it seems, particularly
|
||
|
|
in America, that people are getting more
|
||
|
|
serious about pursuing people that they
|
||
|
|
believe have compromised computers or broken
|
||
|
|
in in an unauthorised way. I mean how do you
|
||
|
|
feel about the way that the law if beginning
|
||
|
|
to treat this?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I don't have a problem with pursuing people
|
||
|
|
who have actually broken into computers. I
|
||
|
|
think that my opinion is that when someone
|
||
|
|
goes into a computer and damages a system,
|
||
|
|
destroys data, things like that, they stop
|
||
|
|
being a hacker and they become a criminal,
|
||
|
|
and at that point more power to law
|
||
|
|
enforcement. If they're going in and
|
||
|
|
destroying things then they should be
|
||
|
|
punished.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
One distinction I'd like to make though is
|
||
|
|
that I don't think most people who I would
|
||
|
|
consider hackers do any type of hacking for
|
||
|
|
personal gain. They do it for exploration
|
||
|
|
purposes, information purposes, but they're
|
||
|
|
not out there stealing money from people.
|
||
|
|
Those are the organised crime people. Those
|
||
|
|
are people who are thieves anyway and happen
|
||
|
|
to have picked up the technical knowledge to
|
||
|
|
steal stuff in any way.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
But people don't like the fact that people
|
||
|
|
are breaking in to their computers. They see
|
||
|
|
it as their own personal domain, even if
|
||
|
|
those people aren't stealing anything it's
|
||
|
|
felt to be an invasion of privacy.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Invasion of privacy, absolutely, but still,
|
||
|
|
one of the other issues is that people who
|
||
|
|
are getting caught for what I consider to be
|
||
|
|
essentially victimless crimes, breaking into
|
||
|
|
a computer, looking around, not stealing
|
||
|
|
anything, not deleting anything, are getting
|
||
|
|
sentenced to completely unreasonable
|
||
|
|
sentences because they're being made examples
|
||
|
|
of because the chances of actually catching
|
||
|
|
and prosecuting somebody completely for these
|
||
|
|
types of crimes happens so rarely that when
|
||
|
|
it does happen they want to make and example
|
||
|
|
of them.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
It's not just that, it's that a lot of times
|
||
|
|
in the case it'll be like sort of an
|
||
|
|
arbitrary monetary damage - okay he caused X
|
||
|
|
millions of dollars worth of damage, and then
|
||
|
|
it turns out that the person actually didn't
|
||
|
|
do any damage. What they're doing is okay,
|
||
|
|
that was the cost to go in and patch the
|
||
|
|
holes. The problem with that is that this
|
||
|
|
person did not create those holes. They're
|
||
|
|
not responsible for those holes. All they
|
||
|
|
did was enter through holes that are already
|
||
|
|
there, and whether or not that person came in
|
||
|
|
and exploited them, somebody else could have
|
||
|
|
been doing it, it could have been someone
|
||
|
|
coming in to do actual damage.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Do you think that law enforcement is getting
|
||
|
|
the right people when it arrests those that
|
||
|
|
it believes are responsible?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
It's just like any other activity. Sometimes
|
||
|
|
they get the right person and sometimes they
|
||
|
|
don't.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
I think that with the cases that they tend to
|
||
|
|
go after tend to be the cases that got the
|
||
|
|
most media attention, and the cases that got
|
||
|
|
the most media attention are usually not
|
||
|
|
malicious or particularly ingenious hacks.
|
||
|
|
They're -
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Web page hacks.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Web page hacks, a lot of this service stuff.
|
||
|
|
Those aren't dangerous things. That's not
|
||
|
|
somebody stealing millions of dollars from a
|
||
|
|
bank which is what you really need to worry
|
||
|
|
about.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Well I kind of disagree. Denial of Service
|
||
|
|
attacks can be like very malicious and very
|
||
|
|
dangerous.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Well of course we've seen some this year,
|
||
|
|
haven't we, in February, a great rash of
|
||
|
|
them. Now again there were tools out there
|
||
|
|
that people took advantage of. I mean did
|
||
|
|
you see that coming up? Was that on the
|
||
|
|
horizon?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Absolutely.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
I'd been saying that exactly that was going
|
||
|
|
to happen for years and years. In fact two
|
||
|
|
days before the denial of service attacks I
|
||
|
|
did an interview with a TV station and talked
|
||
|
|
about specifically that, about how in the
|
||
|
|
underground there are people who are
|
||
|
|
collecting lists of ownable and exploitable
|
||
|
|
machines which to be used for some unknown
|
||
|
|
purpose in the future, and that's very
|
||
|
|
exactly what happened. But the attacks we've
|
||
|
|
seen so far have been very, very low tech and
|
||
|
|
very reserved and not particularly successful
|
||
|
|
in my opinion.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
What could happen though?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
What could happen? I think a worst case
|
||
|
|
scenario would be like a programme for
|
||
|
|
Windows which was by virusidic and wormed
|
||
|
|
itself, that means it copies itself to other
|
||
|
|
automatically hacked into other computers and
|
||
|
|
if that programme were designed to attack a
|
||
|
|
specific website or something it would be so
|
||
|
|
widespread that there would be really little
|
||
|
|
that they could do without actually cutting
|
||
|
|
off access to their legitimate customers
|
||
|
|
because they wouldn't be able to distinguish
|
||
|
|
between the attacking machines and legitimate
|
||
|
|
customers. All they would see was huge
|
||
|
|
amounts of traffic that are overloading their
|
||
|
|
servers.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
A competent security person could basically
|
||
|
|
shut down the internet. I mean it is
|
||
|
|
completely technically possible, and the fact
|
||
|
|
that it had..
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Break down completely?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Yes, there are fundamental flaws in the
|
||
|
|
internet.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
- in the protocol that the internet uses, the
|
||
|
|
internet protocol, IP, there's fundamental
|
||
|
|
problems with it that if somebody who knew
|
||
|
|
what they were doing could make the internet
|
||
|
|
unusable for a large amount of time.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
There's another of the CDC members, Mudge,
|
||
|
|
actually was testifying before the US Senate,
|
||
|
|
was it last year - two years ago and said the
|
||
|
|
same thing in front of the US Senate that if
|
||
|
|
he or any of the other people that knew this
|
||
|
|
sort of thing were inclined, they could take
|
||
|
|
down the entire internet and that needs to
|
||
|
|
be, you know, those are serious
|
||
|
|
vulnerabilities that need to be taken care
|
||
|
|
of.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
But keep in mind that the people who have
|
||
|
|
that level of ability is the very, very tip
|
||
|
|
of the pyramid. It's an incredibly small
|
||
|
|
number of people and those people have that
|
||
|
|
ability because they have worked with
|
||
|
|
computers and security for years and years
|
||
|
|
and years, and in that time they get over the
|
||
|
|
whole.. you know, oh boy I'm breaking into
|
||
|
|
somebody's computer and I'm going to go
|
||
|
|
change their wallpaper. You get over that
|
||
|
|
really quickly in the first several months.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
That's really big when you're a 13 year old,
|
||
|
|
but..
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
You're saying that when you get older ethics
|
||
|
|
creep in and you do actually do the right
|
||
|
|
thing?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Yes, when you're a 13 year old kid it's the
|
||
|
|
Beavers and Butthead syndrome, you know, you
|
||
|
|
mess stuff up, whereas as you get older and
|
||
|
|
you mature, you develop a sense of ethics, of
|
||
|
|
right and wrong etc.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
But surely the danger is that if the internet
|
||
|
|
is that vulnerable, and there are some people
|
||
|
|
who can wreak havoc that someone could pay
|
||
|
|
them a great deal of money or..
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Absolutely.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Absolutely which is why we spend so much
|
||
|
|
effort trying to point out these problems to
|
||
|
|
people and hoping that.. I mean we can't
|
||
|
|
solve the problems. We can offer solutions
|
||
|
|
but nobody has to listen to us. All we can
|
||
|
|
do is raise the awareness of the issues and
|
||
|
|
hope that people care enough to make them be
|
||
|
|
fixed.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
It's like with the denial of service things,
|
||
|
|
as Sir Dystic said. That's something that
|
||
|
|
we've been talking about for years, not just
|
||
|
|
us but people from the hacker community,
|
||
|
|
people from the computer security industry
|
||
|
|
had been saying for years like hey, look,
|
||
|
|
this is a real danger. And then, but then
|
||
|
|
all of a sudden it happens and people act
|
||
|
|
like really surprised like on my God, how did
|
||
|
|
this happen, it's like well, we've been
|
||
|
|
telling you.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
And like I said..
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I was surprised it hadn't happened earlier.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Exactly, and I'm also surprised that it was
|
||
|
|
that badly executed.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Yes, that it was that easy to set up. I
|
||
|
|
think that the first couple of them were well
|
||
|
|
executed. I think that the vast majority of
|
||
|
|
the ones that we saw were copy cat attacks.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
True.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
And those were the ones that were just kind
|
||
|
|
of sloppy.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
So what's the answer then, to stop these kind
|
||
|
|
of attacks, to bring some kind of security?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
To stop which kind of attacks?
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Well some of the scenarios that you've
|
||
|
|
outlined, whether it be denial of service or
|
||
|
|
of organised crime gangs, getting hold of
|
||
|
|
people. I mean what is your message to
|
||
|
|
people?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
There's a technical solution and there's a
|
||
|
|
social solution. The technical solution is
|
||
|
|
obviously find every hole and fix it and
|
||
|
|
that's never going to happen because there's
|
||
|
|
always going to be other problems. The
|
||
|
|
social solution is to make people aware of
|
||
|
|
the dangers that go with being on the
|
||
|
|
internet and hope that they can use their own
|
||
|
|
intelligence to protect themselves some way,
|
||
|
|
and granted if all that requires is running
|
||
|
|
some product that some company has provided
|
||
|
|
that actually protects you, that'd be great,
|
||
|
|
but there's no one product that actually
|
||
|
|
provides you any great amount of protection
|
||
|
|
so far.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Well there's varying amounts of protection.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
What exactly?
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
What about laws because Congress is looking
|
||
|
|
at various bills to strengthen the law. Is
|
||
|
|
that the answer?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
It's not the answer. I think the problem
|
||
|
|
with that is that it's all after the fact.
|
||
|
|
I mean you can legislate the heck out of
|
||
|
|
something but it's not going to stop people
|
||
|
|
from doing things beforehand. It's not going
|
||
|
|
to make it harder for them to do it. It just
|
||
|
|
means that okay if they do it they'll be
|
||
|
|
punished.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
And we know that punishment is definitely a
|
||
|
|
deterrent, right?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Yes, I mean with the development of money
|
||
|
|
instead of the idea of putting money into
|
||
|
|
bank vaults they just left the money in paper
|
||
|
|
bags on the street and just said well if you
|
||
|
|
take that money you'll be in really big
|
||
|
|
trouble. You know, it's important to do
|
||
|
|
both. But some of the laws that are being
|
||
|
|
looked at right now are actually
|
||
|
|
counterproductive. Like.. what's the name of
|
||
|
|
the law.. the thing that's being..?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
The reverse engineering thing?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Yes, the reverse engineering thing. If you
|
||
|
|
hold on for a second I can find out what's..
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
No, I know what you mean, yes. What's the
|
||
|
|
dangers of that?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Well because that basically prevents people
|
||
|
|
from looking at something and seeing if
|
||
|
|
there's problems, but the criminals, the
|
||
|
|
people who you should worry about, they don't
|
||
|
|
care if it's illegal to break into systems,
|
||
|
|
so if they're planning on doing that, then
|
||
|
|
why would they care if it's illegal to
|
||
|
|
backwards engineer it.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
It's basically trying to make it security
|
||
|
|
through obscurity.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
If we make it illegal for people to analyse
|
||
|
|
this stuff, to find bugs in it, then people
|
||
|
|
won't find bugs in it which is just not true.
|
||
|
|
CORBIN You're painting a pretty dark picture of all
|
||
|
|
of this. Is that the way you think we're
|
||
|
|
going?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Of which?
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Of the general vulnerabilities, the dangers.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
You know the internet is a very dangerous
|
||
|
|
place to be and it's being marketed right now
|
||
|
|
as being this neat toy that everybody should
|
||
|
|
come play with, and you know, get online
|
||
|
|
today, and you don't get any warning when you
|
||
|
|
log online. You don't get a warning that
|
||
|
|
says look, you are opening yourself up to
|
||
|
|
these possible ways of being exploited. So
|
||
|
|
it is, in my opinion, a dark situation and
|
||
|
|
like I said, I think that the only way to
|
||
|
|
deal with it is use your education, you know.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I think you're a little more pessimistic than
|
||
|
|
I am. I think that the internet, although I
|
||
|
|
think it's tremendously powerful, like
|
||
|
|
tremendous..
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Potential?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Well, I mean it's a very powerful took and
|
||
|
|
the potential there is for it to either go to
|
||
|
|
very dark future or to a very positive one,
|
||
|
|
it just totally depends on how and what
|
||
|
|
happens now as to what.. you know, what it
|
||
|
|
will develop into.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Why did you create Back Orifice and release
|
||
|
|
it?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
I released Back Orifice to point out the
|
||
|
|
risks that people are putting themselves at
|
||
|
|
by using various operating systems which were
|
||
|
|
essentially created with no security built
|
||
|
|
into them.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Which one?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Well specifically Windows 95 is what the
|
||
|
|
original Back Orifice ran on. Windows 95,
|
||
|
|
from what I understand, Microsoft actually
|
||
|
|
took in marketing survey when they were
|
||
|
|
preparing to create it where they itemised or
|
||
|
|
asked people how much they valued each of the
|
||
|
|
different features that they wanted to be
|
||
|
|
into the product and security was somewhere
|
||
|
|
around 24, and of course any time you put
|
||
|
|
security into something you sacrifice
|
||
|
|
usability. Every time you have to log into
|
||
|
|
something or whatever, you have to.. it makes
|
||
|
|
it that much.. or in Microsoft's opinion more
|
||
|
|
difficult to use, or more annoying or
|
||
|
|
whatever, so they do things like save your
|
||
|
|
passwords for you which completely defeats
|
||
|
|
the point of having a password, things like
|
||
|
|
that, and again it was just a marketing
|
||
|
|
decision. They want to market it to six year
|
||
|
|
olds and grandmothers and they don't want to
|
||
|
|
have to deal with.. you know, access control
|
||
|
|
lists and other, you know, big security words
|
||
|
|
that they don't understand.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I think fundamentally there's security, be it
|
||
|
|
computer security or physical security is
|
||
|
|
always at odds with convenience.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Oh absolutely.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
The analogy that I always use is that it
|
||
|
|
would be really nice if you didn't need a key
|
||
|
|
to start up your car, but that's not the way
|
||
|
|
the world works. That's not reality.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
That's what you need.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Kind of an interesting analogy to that with
|
||
|
|
like for instance saving passwords, catching
|
||
|
|
passwords is like well we need a key to start
|
||
|
|
the car but we'll leave the key in the car.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
That's what you think Microsoft does.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
The problem is there's so much encasing
|
||
|
|
passwords, the problem is encasing passwords
|
||
|
|
that anybody can read.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
So you say you released Back Orifice to show
|
||
|
|
up the shortcomings and the security of
|
||
|
|
Microsoft systems, but most people say it's
|
||
|
|
just a really malicious thing to do, and
|
||
|
|
dangerous.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
Well if they heard about it then I
|
||
|
|
accomplished my goal which was to make people
|
||
|
|
aware of these problems.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Yes but it's still out there and people can
|
||
|
|
use it against other people in a pretty
|
||
|
|
unpleasant way.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
WellBack Orifice is scanned for in all the
|
||
|
|
major anti-virus software, so the only people
|
||
|
|
who I guess would technically be at risk to
|
||
|
|
it at this point would be people who didn't
|
||
|
|
even bother to run a virus scanner, and
|
||
|
|
they're going to be vulnerable to gazillion
|
||
|
|
different things that are equally if not more
|
||
|
|
dangerous.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
What about ordinary people though, who might
|
||
|
|
not know about that?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
That's whose awareness I'm trying to
|
||
|
|
increase. I'm trying to make ordinary people
|
||
|
|
aware of these issues.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
The problem is, is if we'd just started, you
|
||
|
|
know, there wouldn't really be any way for us
|
||
|
|
to publicise the fact of these
|
||
|
|
vulnerabilities, I mean we could have gone on
|
||
|
|
the street corner and started yelling but
|
||
|
|
then they'd just throw us in jail because
|
||
|
|
we're crazy. I think there's pretty limited
|
||
|
|
amount of things you can do to actually be
|
||
|
|
heard.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
But how do you feel when you know that there
|
||
|
|
are people out there whose machines have been
|
||
|
|
infected as it were, with the software?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
If they're actually being exploited I feel
|
||
|
|
terrible. I mean I think that's really bad.
|
||
|
|
I don't feel responsible. I think that the
|
||
|
|
responsibility ultimately lies with the
|
||
|
|
people who actually are responsible for these
|
||
|
|
problems which, in this case, would be
|
||
|
|
Microsoft.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Yes, but you created it and put it out there.
|
||
|
|
Surely you must bear responsibility or some
|
||
|
|
responsibility.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
I don't feel responsible. I've actually
|
||
|
|
thought about this a lot. Like I said, I
|
||
|
|
feel really bad about it, but I think that
|
||
|
|
what Microsoft is doing, the analogy that I
|
||
|
|
use is that basically handing out loaded guns
|
||
|
|
to school children and what we're doing is
|
||
|
|
saying hey, that's really, really dangerous,
|
||
|
|
and...
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
We're pointing out to the kids that if you
|
||
|
|
pull that trigger you can get hurt. Probably
|
||
|
|
a lot of those kids are going to pull the
|
||
|
|
trigger immediately but.. you know, that
|
||
|
|
happens. (laughter)
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Sir Dystic why is the internet so vulnerable?
|
||
|
|
In a nutshell.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Because it all is essentially using
|
||
|
|
technology which was designed 20 plus years
|
||
|
|
ago that was not designed for this type of
|
||
|
|
use at all. It was for small, private,
|
||
|
|
academic and research originally and it's
|
||
|
|
using the exact same protocol since day one.
|
||
|
|
There were these fundamental problems in that
|
||
|
|
protocol when it was designed and because
|
||
|
|
everybody is using that protocol now, it's
|
||
|
|
going to take a huge amount of effort to get
|
||
|
|
everybody to switch to a new protocol that
|
||
|
|
doesn't...
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
They're working on it.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Oh yes, sure.
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
But I think another problem isn't just the
|
||
|
|
age, it's the fact that because it wasn't
|
||
|
|
designed for this, sort of hobble along doing
|
||
|
|
this, it was hacked and patched together by a
|
||
|
|
million people over the past 25-30 years,
|
||
|
|
able to make it possible to function in the
|
||
|
|
way that it does.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
So it was sort of added to in little
|
||
|
|
exponentially bits and pieces.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Exactly, by lots of different people.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Rather than a whole system being designed.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
Exactly, and I mean that's a very sort of
|
||
|
|
like over simplification but you don't want
|
||
|
|
me to get very technical about it.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Sir Dystic, why don't you go and work for
|
||
|
|
Corporate America, you could make a fortune
|
||
|
|
with your skills.
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
What makes you think I don't?
|
||
|
|
|
||
|
|
CORBIN Deth Veggie, why don't you go and work for
|
||
|
|
Corporate America?
|
||
|
|
|
||
|
|
DETH VEGGIE
|
||
|
|
We all have day jobs, but that's separate,
|
||
|
|
you know, and a lot of us actually work in
|
||
|
|
the computer security industry doing what we
|
||
|
|
can to make computers and systems more
|
||
|
|
secure.
|
||
|
|
|
||
|
|
CORBIN
|
||
|
|
Okay. So do you?
|
||
|
|
|
||
|
|
SIR DYSTIC
|
||
|
|
I work in the computer industry but I don't
|
||
|
|
actually do security. I write software for a
|
||
|
|
living and I do it in my spare time.
|
||
|
|
CORBIN Okay. Thank you.
|
||
|
|
|
||
|
|
(End of Interview)
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|