Wednesday, 22 November 2017

Openness

As an ISP we (A&A) try to be very open about what we do.

I worry that sometimes my own staff can be concerned that we are too open. But I appreciate that some times we are just "asking for it" if we are too open, and that is why I have had to be so coy with all of the work we are doing on DoS attacks. It is frustrating that we are doing a shit load behind the scenes but we cannot really say anything about it. It would just open up other ways to attack things. I am really sorry.

I would say to some of the dealers and peers we work with that I am more than happy to discuss more detail off the record, ideally when shit has stopped hitting fan.

But, in the interests of openness I just want to say I am sorry that we cannot say much.

As both an ISP (A&A) and equipment developer (FireBrick) we take these issues very seriously. I wish I understood the motives and psychology of such attacks.

It may be worth saying a few things about my background, as I was using computers long before the Computer Misuse Act and the illegality of these sorts of attacks. I was, what kids may call leet, or 1337, long before that was a term. I fully understand the fun of proper hacks - the thrill of basically solving impossible puzzles. It was a game. The game is the same for any coder. And anyone trying to debug someone else's code, especially "black box" style remains. Working out how and why some system will be vulnerable is a game.

Even now I see behaviour in equipment we are trying to work with and I can imagine or picture in my mind the bad coding that must exist for that particular bug to happen. It is so frustrating.

When I am working on code, I now have to think how someone may exploit it, how they could send a packet that is not quite right just to find a weakness in my code. The very things I may have once done.

I remember the days of unix /etc/passwd files where hashes had no salt, and just comparing them to other passwords allowed one to find matches. I remember simple setuid shell scripts being allowed and making them as root to allow access later when root password changed. I remember then being employed to work on sorting such issues on systems.

In many ways it was fun, but these days it has lost a lot of appeal and not just because of the illegality of it all. Yes, expecting and finding (and reporting) bugs in systems we work with is still an important skill, as it coding systems to expect the "attack" vectors, but just not as "fun".

Anyway, I may not be leet any more. For now I won't be posting any details regarding DoS attacks.

8 comments:

  1. Not only was it fun, but you learned things... not just the security stuff but plenty more too. I ended up confessing some of the stuff I did on my website!

    ReplyDelete
  2. Hmmm something seems strange about all of this, it will be interesting to see the vulnerability that they have found in the system in a write up after a fix if we will be treated to that. What I'm more interested in is the why, as I almost find it hard to believe that a customer of your services annoyed someone enough that they would go out of there way to find a exploit in a piece of hardware that produced the person who also runs there ISP does that not seem odd to anyone else? Seems like whoever has done this knows you and there must be a deeper meaning this isn't child's play someone put time and effort into carrying this out, anyway long waffly post over interested to find out more keep us updated please

    -Customer

    ReplyDelete
    Replies
    1. The vulnerability is not in the systems and code we have, it is in the very nature of the Internet that a port that has 1G or 10G or whatever, when flooded with way more packets than that, cannot work to pass traffic sensibly any more. I hope that makes sense.

      Delete
  3. Damn my whole comment wiped when I got asked to sign in to blogger :(

    Hopefully no double post appears, does anyone else find it a little strange that a customer of A&A annoyed someone to the point where they went out of there way to attack a piece of hardware that is also produced by that ISP, I've just stumbled upon this blog today although I do work for a company that's a customer of yours after we were effected by the issues, it just seems to me that perhaps the reason this was done may be more complex.

    Anyway appreciate that this is hard work and I don't have much technical knowledge interested in a write up after the fact if we will be treated to this

    ReplyDelete
    Replies
    1. In is very unusual for someone to go after the ISP, especially one like us that is very much in favour of free speech and net neutrality and so on. We're sorry it has happened. We can but try to mitigate it if it continues.

      Delete
  4. "I remember the days of unix /etc/passwd files where hashes had no salt"

    Are you _really_ that old? Because that would mean you were working with Unix in the 1970s. System Seven Unix introduces salt and the DES-based crypt() in 1979.

    ReplyDelete
    Replies
    1. Well, I am pretty sure I remember that, it was probably more like 1980 or 1981 so maybe the system was not updated.

      Delete
  5. Plenty of embedded Linux distros that don't salt stuff :/

    ReplyDelete