Information Security News mailing list archives

'Pecked to Death by a Duck'


From: InfoSec News <isn () C4I ORG>
Date: Fri, 20 Oct 2000 00:16:15 -0500

Forwarded By: Small Grey <spunge () attrition org>

http://www.villagevoice.com/issues/0042/ferguson.shtml

'Pecked to Death by a Duck'
by Sarah Ferguson

The 12,000 activists who flooded the streets of Prague weren't the
only ones targeting the titans of global capital last month. In
addition to the militants hurling molotovs and bricks at police and
financiers during the annual meeting of the International Monetary
Fund and World Bank, thousands of other protesters waged war online by
squatting the two organizations' web sites.

Orchestrated by a group of French cyberactivists called the Federation
of Random Action and an affiliate, toyZtech, the virtual sit-in used a
new "distributed denial of service" tool that even relative newbies
could download in the comfort of their own homes. The plan of attack, to
flood imf.org and worldbank.org with requests for information,
overloading the servers and clogging the pipes, was hardly original. But
unlike the hackers who hijacked computers and automated them to crash
the sites of Yahoo and eBay in February, the FRA announced the action
up-front and created a program that required mass participation to be
effective.

As Oxblood Ruffin of the renowned hacker collective Cult of the Dead
Cow commented, it's like "the difference between blowing something up
and being pecked to death by a duck."

Indeed, FRA's real ammunition was the participants' own free speech.
The collective provided a chat-room toy that enabled users to pound at
the IMF's and World Bank's servers for 12 hours on September 26 as
they ranted to each other about economic inequities worldwide. While
e-protesters typed, the program watched for key words such as poverty,
finance, investment, and financial power. Each time the words
appeared, the program hit the IMF and World Bank sites with requests
for information. It also embedded error messages like "Our life is not
for sale," "Please crush us too!" and "Do you sell sheep shavers?"

"We want to plant seeds of doubt in the actual world order," explains
FRA member Fazter. "The chat here is very symbolic, [in] that it is
the protesters' speech which hurts the castles, a bit of poetry" to
mimic actual street protest.

FRA claims the action was a "half-success" that caused some
intermittent slowdowns on the sites of the World Bank, IMF, and four
investment firms also targeted by protesters. Just 2000 people
downloaded the chat-room toy, FRA says, and perhaps 5000 got
involved, far fewer than the 452,000 who reportedly bombarded the World
Trade Organization's site in December, during a virtual sit-in
orchestrated by the U.K.'s Electrohippies.

"There may have been a slowdown, but nothing that proved crippling,"
says World Bank spokesperson Merrell Tuck, who describes the
organization's firewalls as "pretty good." "In one or two places there
were some messages on a message screen, but they were taken down
pretty quickly."

The IMF similarly claims to have been unharmed. "We were aware that a
number of protest groups were seeking to organize attacks on the IMF
Web site at the time of our annual meeting," says spokesman William
Murray. "Our Web site continued to operate throughout the meeting."

Denial-of-service attacks have been evolving at a rapid clip since
1998, when the pro-Zapatista group Electronic Disturbance Theater
unleashed FloodNet software that targeted sites of the Mexican
government, U.S. Department of Defense, and Frankfurt Stock Exchange,
and succeeded in crashing the site of former Mexican president Ernesto
Zedillo. As hacktivists have refined their tactics, the attacks have
grown harder to stop. Where once law enforcement had to track down
only the dedicated servers hurling outsized packets of data, now they
have to contend with thousands of people working with toys on their
home computers.

Yet the FRA's offensives are far less malevolent than the so-called
zombie attacks that hackers launched against major corporate sites
this year, because the collective relies on individuals, not automated
applications. "They're only as effective as the numbers of people
they're able to bring into their action, and that's part of their
point," explains Jerry Irvine of the security firm iDefense. "It's not
meant to be a two-person hack into the system, but a broad-based
protest."

While Ruffin and others in the hacker community dismiss hacktivists as
"packet monkeys," groups like the FRA say they're seeking to
democratize, and thus decriminalize, Web-based protest. More than
hackers, FRA members are really art phreaks, looking to poke fun at
corporate (and social) firewalls as much as they seek to dent them.

Still, they take credit for a few direct hits. In February, the group
launched a "Mail-o-Matic" attack on Occidental Petroleum and targeted
the servers of one of its largest shareholders, Fidelity Investments,
to protest Oxy's plans to drill for oil on land sacred to Colombia's
U'wa tribe. The FRA claims to have swamped five Fidelity Web sites in
one week. The collective has also bombed the Starbucks Web site in a
joint action with New York's anticorporate prankster Reverend Billy,
and it attacked the IMF and World Bank with a "doodle" tool that
pestered the financiers' sites with requests whenever hacktivists
scribbled on an electronic whiteboard.

Of course, the impact of these virtual sit-ins is largely symbolic, more
likely to annoy company webmasters than shift corporate policy, but the
FRA's Fazter says it's better than doing nothing. "To be creative, or
destructive, makes you active," he says, elliptically. "First you draw
doodles with no specific aim in mind, and after that you try to draw
something else."

ISN is hosted by SecurityFocus.com