Re: [iwar] Attribution of code red-why no allow for deniability?

From: e.r. (fastflyer28@yahoo.com)
Date: 2001-08-07 22:24:29


Return-Path: <fastflyer28@yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Tue, 07 Aug 2001 22:26:10 -0700 (PDT)
Received: (qmail 30580 invoked by uid 510); 8 Aug 2001 04:26:13 -0000
Received: from web14503.mail.yahoo.com (216.136.224.66) by 204.181.12.215 with SMTP; 8 Aug 2001 04:26:13 -0000
Message-ID: <20010808052429.60305.qmail@web14503.mail.yahoo.com>
Received: from [12.78.116.135] by web14503.mail.yahoo.com; Tue, 07 Aug 2001 22:24:29 PDT
Date: Tue, 7 Aug 2001 22:24:29 -0700 (PDT)
From: "e.r." <fastflyer28@yahoo.com>
Subject: Re: [iwar] Attribution of code red-why no allow for deniability?
To: fc@all.net
In-Reply-To: <200108051521.IAA06186@big.all.net>
Content-Type: text/plain; charset=us-ascii

Golf claps for the Linux comment.  I will give you room to say that
China may be doing this as they recently said in a Party News
broadcast, "Let the 10,000 flowers bloom", or go home, those of you
whom we allow to have net access and start a "take home war".  That was
mentioned in a Chinese language newspaper (and Beijing has a tight
fist controlling all media).  It was also mentioned on C-Span by an
American Sinologist.  Taiwan can never be considered out of this
equation given the intense friction between China and Taiwan.  The only
thing that still says NO to me is the lack of operational security, but
the Chinese are no fools when it comes to perception management.  Why
did they take no action to deny this was their bug?  I have read all
below, but they are so meticulous when doing such things that I wonder
why they did not create a situation of plausible deniability?  Any
ideas?
Thanks, BR
--- Fred Cohen <fc@all.net> wrote:
> Per the message sent by e.r.:
> 
> > It sure is nowhere near dead.  Is this a notice from the Party
> > Congress that, "America, we have your number (IP)"?  I feel like a
> > math teacher.  You have concluded China, but no one has shown me
> > their "work".  Is this a breakaway faction in Taiwan throwing out
> > disinformation?  If I can use a computer with a .cn in its name, so
> > can lots of folks.
> >
> > Russia has a serious interest in disrupting China's good
> > relationship with N. Korea.  All I have heard is it must be China.
> > WHY?  And why would they demonstrate no sense of OPSEC and not hit
> > themselves on part of their infrastructure they can afford to lose
> > for a bit?
> 
> You are, of course, correct.  We cannot definitively pin down its
> origin, largely because access to the necessary information is not
> available.  We cannot, for example, assure that it's not a US plant
> intended to cause the friction between China and the US to get worse.
> 
> It could just be a PR person from a computer security firm who did it
> to garner publicity.  It could be a PR thing against Microsoft.  It
> could be a lot of things.
> 
> You have three questions that I think are worth answering:
> 
> 1) Why does it look like China?
> 
> 	a) The recent variations are not attributed in this way - only the
> 	original.
> 
> 	b) The first published detected Code Red packet came from an IP
> 	address in China.
> 		This is not a real strong indicator on its own; however, this
> 		cannot be as easily forged as simply calling yourself from China.
> 		You need to be in the data stream between the target and China
> 		and sniff all of the back packets and respond to them properly.
> 		While the technology to do this now exists, it would mean access
> 		to an ISP en route.
> 
> 	c) It differentiates Chinese from not Chinese via character usage
> 	and it uses Chinese properly
> 		- something that significantly reduces the population of folks
> 		who could do it - but of course this does not eliminate any high
> 		grade threat or lucky low grade threat.
> 
> 	d) The code is similar in 'hand' to code written and executed during
> 	the week of Chinese attacks against US sites several months ago.
> 		This is far harder to fake, but then the judgement of 'hand' in
> 		this case is not all that precise.
> 
> 	e) The techniques being used are the same ones used in the previous
> 	attacks - including one of the same overrun mechanisms.
> 		This is not a real strong indicator, but having seen the attacks
> 		from a defender's standpoint and then seeing the code that
> 		generates the same behavior, this would seem to be a pretty good
> 		indicator.
> 
> 	f) China has not vehemently denied it.  They don't really have to.
> 		After all, if they did not do it, they could use it to 'send a
> 		message' even if they hadn't created it - but this does not seem
> 		like the historical bent of the Chinese.
> 
> 	g) It says it came from China - obviously not definitive - but who
> 	else would want to do this, and if China was being slandered,
> 	wouldn't you hear them saying so?
> 		Historically, they have been quite vocal about such things.  They
> 		are a proud people in this way and I find it hard to swallow that
> 		they would not deny its creation strongly if they had not created
> 		it.  (At this point it would be too late to start seeing the
> 		denials.)
> 
> 2) Is it just a rebel faction?
> 
> 	a) Not likely - China keeps a fairly tight rein over their part of
> 	the Internet.
> 		They recently raided a significant portion of their ISPs and shut
> 		down lots of Internet cafes - but not the sites with the folks who
> 		launched the attacks against the US in the week of Internet
> 		attacks - as far as I can tell.
> 
> 	b) China would likely seek retribution against such a faction.  It
> 	is their way.
> 		And we have not seen this sort of action on the ground so far.
> 
> 	c) The Chinese unauthorized attack community (if there is one) did
> 	not claim any ownership
> 		and neither did any others - which is very common for folks who
> 		are doing this for fun or pleasure.
> 
> 
> 3) Do they have the technical capability?
> 
> 	No question this is within the capability they have displayed in the
> 	past.
> 		It uses some of the same code and same tricks they have previously
> 		used, they have a history of writing viruses of this sort, and so
> 		forth.  No doubt at all that they could do it.
> 
> 4) Why does China not try to hide it?
> 
> 	a) You cannot hide the fact of its infecting Chinese systems
> 	differently than US systems
> 		because the differentiator must be sent with the worm or it cannot
> 		do the differentiation.  It is a fact that it does this
> 		differentiation.
> 
> 	c) They are trying to send a message.
> 
> 5) What are the realistic possibilities?
> 
> 	a) It's China.  Sending a message -or- practicing in the open -or-
> 	doing what they declared they would do several years ago,
> 		bringing down the west by using our technology against us ...
> 		Sugar in a million gas tanks instead of Pearl Harbor.
> 
> 	b) It's someone trying to lay it off on China.  If so, you would
> 	think that China would come forth with strong denials - unless
> 		(i) they want us to believe it even if they didn't really do it or
> 		(ii) some other policy issue prevents them from denying it.
> 
> 6) If it's a message, what is the message?
> 
> 	It's always hard to read such messages clearly except in hindsight.
> 	I'll try a few:
> 
> 	a) Don't push us too far.  You want to be our friend, don't you?
> 
> 	b) Remember this when we move into Taiwan.
> 
> 	c) You imperialist fools don't know what you have done to
> 	yourselves.
> 
> 	d) Use Linux - not Microsoft?  (I felt compelled to say it
> 	somewhere.)
> 
> FC
> --This communication is confidential to the parties it is intended to
> serve--
> Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
> fc@all.net		The University of New Haven.....http://www.unhca.com/
> http://all.net/		Sandia National Laboratories....tel:925-294-2087
> 


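The quoted point 1(b) above, that a source address carried on a live TCP connection is harder to forge than a claim written into the payload, can be made concrete. What follows is an added example, not code from this thread or from either of its authors: a small simulation of the TCP three-way handshake in which the listener sends its SYN-ACK to the address written in the SYN header, so a host that is neither at that address nor on the path to it must guess the listener's 32-bit initial sequence number to complete the connection. It also carries the caveat a practitioner would attach to the argument: it holds only while the listener's ISNs are unpredictable, since a sequential ISN generator lets an off-path host predict the next value from one legitimate probe. The addresses, ports, step size and the `Listener` class are constructed for the example and do not model any particular TCP stack.

```python
"""Simulation: forging a TCP source address off-path versus on-path.

Added example, not code from the original thread.  The listener's SYN-ACK
goes to the address in the SYN header, whoever actually sent the SYN, so a
spoofer who cannot read that SYN-ACK must guess the server's 32-bit initial
sequence number (ISN).  Names, addresses and ports are constructed.
"""
import secrets

MASK32 = 0xFFFFFFFF

# Constructed addresses from the RFC 5737 documentation ranges.
ATTACKER_IP = "203.0.113.5"   # where the forger really sits
VICTIM_IP = "198.51.100.7"    # the address the forger wants the server's log to show


class Listener:
    """Minimal TCP listener: half-open connections keyed by (src_ip, src_port).

    isn_policy="random" draws a fresh 32-bit ISN per SYN.  "sequential" mimics
    an old predictable generator that bumps the ISN by a fixed step, the
    weakness that made blind spoofing practical against early stacks.
    """

    def __init__(self, isn_policy="random", step=64000):
        self.isn_policy = isn_policy
        self.step = step
        self.last_isn = secrets.randbits(32)
        self.pending = {}        # (src_ip, src_port) -> server ISN
        self.established = set()

    def _next_isn(self):
        if self.isn_policy == "random":
            return secrets.randbits(32)
        self.last_isn = (self.last_isn + self.step) & MASK32
        return self.last_isn

    def on_syn(self, src_ip, src_port, client_isn):
        """Record the half-open connection and build the SYN-ACK.

        The SYN-ACK is addressed to src_ip exactly as the SYN header claims,
        whether or not that is where the SYN really came from.
        """
        isn = self._next_isn()
        self.pending[(src_ip, src_port)] = isn
        return {"dst": src_ip, "seq": isn, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, ack_num):
        """Establish only if the ACK proves the sender saw the SYN-ACK."""
        isn = self.pending.get((src_ip, src_port))
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        del self.pending[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


def attempt_connection(server, real_ip, claimed_ip, port, on_path=False,
                       guessed_isn=None):
    """Open a connection to server while claiming to be claimed_ip.

    The client can read the SYN-ACK only if it sits at claimed_ip or is on
    the path to it (on_path).  Otherwise it must supply the server ISN from a
    prediction (guessed_isn) or guess blindly.
    """
    synack = server.on_syn(claimed_ip, port, client_isn=secrets.randbits(32))
    if synack["dst"] == real_ip or on_path:
        server_isn = synack["seq"]          # read straight off the wire
    elif guessed_isn is not None:
        server_isn = guessed_isn            # predicted from a prior probe
    else:
        server_isn = secrets.randbits(32)   # blind guess: 1 in 2**32
    return server.on_ack(claimed_ip, port, (server_isn + 1) & MASK32)


def honest_connection():
    """A client at the claimed address completes the handshake."""
    return attempt_connection(Listener(), VICTIM_IP, VICTIM_IP, 40000)


def blind_spoof_random_isn(attempts=1000):
    """Off-path forgery against random ISNs: number of handshakes completed."""
    server = Listener("random")
    return sum(attempt_connection(server, ATTACKER_IP, VICTIM_IP, 40000 + i)
               for i in range(attempts))


def on_path_spoof():
    """A forger who can sniff the SYN-ACK en route completes the handshake."""
    return attempt_connection(Listener(), ATTACKER_IP, VICTIM_IP, 40000,
                              on_path=True)


def blind_spoof_sequential_isn():
    """Off-path forgery succeeds when the server's ISNs are predictable."""
    server = Listener("sequential", step=64000)
    # One legitimate probe from the forger's own address reveals the current ISN.
    probe = server.on_syn(ATTACKER_IP, 50000, client_isn=1)
    predicted = (probe["seq"] + server.step) & MASK32
    return attempt_connection(server, ATTACKER_IP, VICTIM_IP, 40000,
                              guessed_isn=predicted)


if __name__ == "__main__":
    print("honest:", honest_connection())
    print("blind vs random ISN (of 1000):", blind_spoof_random_isn())
    print("on-path spoof:", on_path_spoof())
    print("blind vs sequential ISN:", blind_spoof_sequential_isn())
```

The simulation deliberately leaves out everything that does not bear on the point (retransmission, window handling, the real packet format). What it shows is the asymmetry the thread relies on: a string in the payload costs nothing to fake, while a source address on a completed TCP exchange costs either a position on the path to that address or a listener whose sequence numbers can be predicted.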



This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT