On October 29, 2016 at 14:07 esr@thyrsus.com (Eric S. Raymond) wrote:
bzs@TheWorld.com <bzs@TheWorld.com>:
On October 28, 2016 at 22:27 list@satchell.net (Stephen Satchell) wrote:
On 10/28/2016 10:14 PM, bzs@TheWorld.com wrote:
Thus far the goal just seems to be mayhem.
Thus far, the goal on the part of the botnet operators is to make money. The goal of the CUSTOMERS of the botnet operators? Who knows?
You're speaking in general terms, right? We don't know much of anything about the perpetrators of these recent Krebs and Dyn attacks, such as whether there was any DDoS for hire involved.
We can deduce a lot from what didn't happen.
You don't build or hire a botnet on Mirai's scale with pocket change.
Do we know this, or is this just a guess? The infamous 1988 Morris worm was also thought to be something similarly sinister for a short while, until Bob Morris, Jr. et al. owned up to it just being an experiment by a couple of students gone out of control. Back around 1986 I accidentally brought down at least half the net by submitting a new hosts file (for Boston Univ) with an entry that tickled a bug in the hosts.txt->/etc/hosts code which everyone ran at midnight (whatever), causing a loop which filled /tmp (this would be unix hosts, but by count they were by far most of the connected servers), and back then a full /tmp crashed unix and it often didn't come back up until a human intervened. OK, I doubt this was an accident, though its scale could've been an accident, a prank gone wild. Anyhow, what do we *know*? That the effect was large doesn't necessarily imply that it required a lot of resources. We live in a world rife with asymmetric warfare. A few boxcutters and 3,000+ people dead.
And the M.O. doesn't fit a criminal organization - no ransom demand, no attempt to steal data.
Same question. Would Dyn et al. publicize ransom demands at this point? And even if not, how do we rule out a prank or similar? Is there something specific about this attack which required significant resources? How significant?
That means the motive was prep for terrorism or cyberwar by a state-level actor. Bruce Schneier is right and is only saying what everybody else on the InfoSec side I've spoken with is thinking - the People's Liberation Army is the top suspect, with the Russian FSB operating through proxies in Bulgaria or Romania as a fairly distant second.
Well, barring further details one can go anywhere with a few suppositions.
Me, I think this fits the profile of a PLA probing attack perfectly.
-- 
Eric S. Raymond
http://www.catb.org/~esr/
-- 
-Barry Shein
Software Tool & Die | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD | 800-THE-WRLD
The World: Since 1989 | A Public Information Utility | *oo*