The RBN Exploit blog is following the ongoing Russia/Georgia cyberwar. And — no surprises here — the Russian Business Network are up to their elbows in it, apparently systematically attacking Georgian servers (in an echo of the Estonian inforwar assault of 2007).
At this point, cyberwar is merely a new adjunct to traditional communication blockades and attempts to jam enemy propaganda channels; I haven't seen any reports of attacks on SCADA systems or attempts to crash enemy logistic infrastructure (although if such attacks were ongoing it's likely that we wouldn't hear anything about it until afterwards). It's still at the stage of air war in 1914.
If you're not familiar with the RBN, read the wikipedia article. Then if you want some more technical information, look at the RBNExploit blog. And don't underestimate its importance, just because it's a bunch of hackers kicking over other folks' routers. This stuff is going to shape the coming century, just as the early experiments in using stringbags for aerial reconnaisance led to strategic bombing and shock'n'awe campaigns.
Indeed, the RBN does seem to be handling the cyberwarfare front. They manage to internalize the governmental media message and in a nationalistic fervor they unleash upon the enemies of state. The only thing better than having a cyberwar arm of your military is having people do it for free. Leaves you a nice little 'not our orders' clause too when you need it. Also seems that the response isn't quite the same was it was for the Estonian situation. Maybe it is, and is just being overshadowed by the shelling and bombing where people instead of packets are being killed.
This definitely makes it harder to get accurate information. Every article reads, "Georgia says (X), Russian counters with (Y)". There seems to be no one outside of (likely) higher government and military posts who knows what is actually going on.
Yeeesssh. I find this immensely terrifying and exciting all at once. That the RBN is so out front and in the open though unknown at the same time. And they have a blog. It's like CHAOS being on Rachel Ray or something. Yikes.
Go watch a movie such as "Target for Tonight" or "In Which We Serve". I think "Target for Tonight" has a bit more relevance: it's showing what the RAF thought they were doing to Germany, before they realised the embarrassing reality that they were lucky to drop a bomb within five miles of the intended target.
So you have the possibility that the people who are in those higher posts think they know what's going on, and don't.
@Dave Bell: True, true. But those with active satellite surveillance over a war zone tend to have better information than those limited to press releases. The RBN blocking internet information going in/out of Georgia definitely is an ugly step - making it far harder for independent sources to operate. Almost enough to make one long for more ham radio ops.
I haven't had any real difficulty reaching Georgian websites - no more than, say, reaching an independently hosted blog that's been slashdotted. The last time I checked the .ge root was operational and there was reachability via Turk Telecom.
As you know Bob, there was never any actual evidence the "Estonian cyberwar" affected anything much; the traffic volumes didn't add up to a major DDOS, and nothing was actually downed. My interview with Gadi Evron suggested quite strongly it was crap. I suspect a lot of this is disinformation and propaganda rather than actual action.
Chang: it's not the RBN's blog, it's the blog of a bunch of RBN watchers. Not the sam thing at all.
TechSlave: much current thinking is that the RBN is technically a criminal enterprise, but is being protected by high-ups in the FSB in return for providing deniable infowar services on demand.
There's ITN and WashPost reporters/photographers on site, and probably more on the way. We're getting pretty accurate news and pictures. Front Top Today's WashPost except they've replaced the war picture with a video of Bush.
Update by AP at 3:39PM ET. This one has lots of pictures, but not the one on the front page. Ah, here we go.
So news is getting out, probably by satellite.
If they weren't protégéed by some more or less official institution, they would not be routed any more. Nor would they have an AS anymore, either, nor BGP connectivity.
If they weren't protégéed by some more or less official institution, they would not be routed any more. Nor would they have an AS anymore, either, nor BGP connectivity.
Well, that's what happened to the RBN version 1.0 last year; eventually all their upstreams were persuaded to nullroute them. (Interoute, when they were spamming AFOE, at least.) Vacuum cleaner sucks up budgie. Vroom - bye bye! However, RBN seems to have moved, some say to China.
Further, I doubt the RBN blog's details. Here's a traceroute from my place to the Georgian root DNS. (NB sanet.ge hosts .ge)
yorksranter:/home/yorksranter # traceroute ns.nic.ge traceroute to ns.nic.ge (212.72.130.11), 30 hops max, 40 byte packets 1 192.168.1.1 (192.168.1.1) 1.511 ms 0.973 ms 0.734 ms 2 ar0.rbsov.bogons.net (193.178.223.245) 31.648 ms 33.032 ms 31.765 ms 3 cr0-Vl1455.thdo.bogons.net (194.39.143.161) 36.985 ms 33.802 ms 32.396ms 4 hex67-2.lon.turktelekom.com.tr (195.66.227.59) 33.556 ms 32.648 ms 32.912 ms 5 ulusebgp1-loncol1.turktelekom.com.tr (212.156.103.14) 95.235 ms 93.681 ms 96.867 ms 6 ulust11-ulusebgp1.turktelekom.com.tr (212.156.119.241) 96.535 ms 95.956 ms 97.661 ms 7 erzurumt21-ulust11.turktelekom.com.tr (212.156.109.26) 3801.069 ms 3797.658 ms 3794.271 ms 8 rizet31-erzurumt21.turktelekom.com.tr (212.156.121.158) 109.215 ms 109.599 ms 108.554 ms 9 195.175.5.42 (195.175.5.42) 206.102 ms 202.613 ms 199.154 ms 10 host-80-241-181-14.deltanet.ge (80.241.181.14) 114.022 ms 115.141 ms 115.828 ms 11 host-80-241-178-69.deltanet.ge (80.241.178.69) 115.958 ms 117.014 ms 119.009 ms 12 host-80-241-178-18.deltanet.ge (80.241.178.18) 115.094 ms 113.965 ms 116.509 ms 13 g0-22.ct0.tbs1.sanet.ge (212.72.131.1) 115.705 ms 116.744 ms 115.556 ms
I don't see any of the ASNs they are talking about. Routing to civil.ge was similar (same netblock in fact), but now they've rehosted in the US, a path entirely via Level(3).
Charlie@6: I've heard much the same, though its hard to tell the missiles from the chaff. It may even be so simple as the fact that the RBN is a great cover, even if it has moved on from Russian based servers, for other less recognized infowar groups.
Marilee@7: Traditional journalism has its strengths definitely, one of them being resilience in face of informational denial.
Alex: In general a useful tool, traceroute doesn't verify much. I'm not saying you are wrong - you may be entirely right. I don't see the RBN as the end-all-be-all of cyberwar, or superhackers. But the Estonia incident, well, we may have different ideas or levels of what a 'massive' DDoS actually is. I mean, if RBN really wanted, they would just put a guaranteed meme-bait video on a server on Georgia and upmod it on Digg, Reddit, slashdot, etc, until the entire infrastructure rolled over.
As a whole, one must wonder if we'll soon have botnet-style cloud computing mercenaries, working in the pay of various groups of both national or trans-national actors. Its always better to have your information warriors distributed, so that a physical backbone-cut won't be as effective.
Reportedly, there were also attacks on physical telecomm infrastructure. Apparently, the libertarian analysis holds here; there is no clear line between the Russian government and Russian organized crime.
The fact that it's reachable now may simply show that previous bogus announcements are now being filtered. Screwing with the global routing system in an obvious and dramatic way does rather piss off the powers that be, who in this case would be the various admins at IXes and other peering points. On the other hand, the RBN watchers could simply be talking out of their shorts.
On the face of it it sounds pretty plausible, as I wouldn't be surprised if RBN had some pretty solid expertise in AS hijacking. Various spammers have been using for several years the trick of announcing some little-used subnet of some other sucker's address space, massively spamming from it, and then withdrawing the announcement leaving others to sort out the aftermath.
If you knew what AS numbers to look for, it would be pretty easy to check what had happened to routing in the last 24-48 hours via BGPlay or the like.
According to a couple of my history books (sorry, can't check titles as I'm away from home right now) the RAF knew quite well what damage they were (or weren't) doing, but to admit their Big Bomber policy had been wrong would have meant the careers of those in charge, so they couldn't change tactics. Between the wars the RAF had emphasized strategic bombing as the way to win wars, so to admit it wasn't working…
pinpoint bombing dint work, but the RAF ound that they could go after really big targets- like cities. and they did, good old bomber harris! the americans set out to hit military targets- generally failing due to trying to bomb acuratly in daylight and the raf went out to kill civilians, and were pretty good at it if the cep of your raid is 5 miles then you go after a target at least that big
My own reachability is currently compromised due to moving house, but I promise I'll look up RIPE BGPlay as soon as I'm stable. meanwhile I recommend the Renesys Blog
The numbers about bombing in WWII are often quoted - what is forgotten is that those numbers came from early in 1942, as a result of OR by us (the Brits).
All this changed dramatically with the introduction of H2S (2-cm radar) mounted in all attack aircraft. It certainly fucked the Kriegsmarine in the Bay of Biscay, and "pathfinder" Mosquitoes equipped with H2S gave a much better target to aim at. After fitting H2S, a U-boat crossing th BoB at night would be pootling along, and then (!) they were illuminated in the "Leigh light" mounted on the wing of the incoming Sunderland or Liberator, whose front gun-turret would already be firing. By this date the depth-charges had been set to explode at a much shallower depth - the usual result was one ex-U-boat, very quickly ....
Target for Tonight was released in 1941, filmed earlier. A nice propaganda film, but like all such works it was intended to convince not inform.
I am fairly ignorant in this type of thing - but it seems clear that there is a large contingent of russian hackers "up to no good", with something similar coming out of china. my question is, who performs a similar role for the UK and the USA?
Don't know about the UK; there isn't an organized crime hacker group working for the US government that's admitted it so far as I know. There is, however, a US Air Force Cyber Command unit, supposedly tasked with cyberwar attack and defense*. Their public statements make them sound relatively clue-impoverished.
I am led to understand that the US Navy has a rather, ahem, low opinion of USAF Cyber Command. Although CyC allegedly has civilian contractors working for them ...
A few years ago, a friend who works in the computer support department of a large oil and natural gas transport company told me that the company was the target of daily unrelenting hacking attempts. He said the two centers of the attacks were Russia and China. The consensus was that the Chinese attacks were government-sponsored, while the source of the Russian attacks was more obscure. Some thought private, some thought official. It seems that perhaps the Russian cyberspy/cyberwar efforts are more pervasive than previously thought.
An irony behind this horror is that Georgia claims to be the first victim of their local son Stalin, just as Austria claims to be the first victim of their local boy Adolf Hitler. Not every blog comment about Nazis is gratuitous. Next, I note that the flag of Georgia is the 2nd iteration of a fractal. Step 1: 1 cross. Step 2: add 4 smaller crosses, one per quadrant. Step 3: add 4 smaller crosses, one per quadrant, with respect to the crosses of the previous step. Lather, rinse, repeat. Step N therefore has 4^0 = 1 cross of full size, 4^1 = 4 crosses of the next size down, 4^2 = 16 crosses of the next size smaller, and 4^0 + 4^1 + 4^2 + ... + 4^N crosses total. Geometric series. What Russia is doing encourages what a noted Scottish author called "fractal balkanization."
I had noted that the current funny-headline-style spam (then the CNN Top 10, now the msnbc.com - BREAKING NEWS) started in late June, just as the botnet operators would have wanted lots of fresh IPs for this kind of geopolitical DDoS warfare.
(I'm tracking some of this at http://www.vivtek.com/projects/despammed/stormspam.html - but beyond individual comments on the techniques they're using, I don't know how much I can contribute to divining their overall purposes (except making money, of course).)
I've actually just been looking at RIPE-NCC BGPlay viz for the .ge root's prefixes during the war, and I'm slightly concerned it was a subacute Langford's attack.
To put it another way, there may have been something in it. Certainly, the routes kept flapping between the TurkTelecom and TransTel/RosTel ones, with a regular 12 hour cycle (waking Russians?).
Murder, intrnational intrigue, and Dungeons & Dragons gaming? Man, there's a Science Fiction novel in there someplace...
Is it really mere coincidence that this story about a muder suspect from Grmany appears when Russia storms into Georgia and the President of Pakistan resigns?
Rockefeller saga: Linda Sohus' fate baffling By Frank C. Girardot and Nathan McIntire, Staff Writers Article Launched: 08/16/2008 11:15:04 PM PDT http://www.pasadenastarnews.com/ci_10227304
Linda Sohus. (Courtesy) Special Section: San Marino Murder Mystery
SAN MARINO - Hours before she and her husband vanished 23 years ago, Linda Sohus seemed anxious, excited and frustrated.
Sohus, an artist known for paintings of fanciful centaurs, unicorns and bunnies, had recently booked a commission from a Northern California art collector whom she had met in Anaheim.
The man, who asked not to be identified because he has been interviewed by Los Angeles County sheriff's homicide detectives in connection with the Sohuses' disappearance... [truncated]
The first person to notice her disappearance was Lydia Marano, her boss and the owner of the now-defunct Dangerous Visions bookstore in Sherman Oaks. Linda was supposed to open the store over the weekend in early February 1985....
[truncated]
Both the art collector and Marano described Linda as quiet but pleasant. She was an artist and a member of the Los Angeles Science Fantasy Society (LASFS) and had a passion for science-fiction that she shared with her husband. Under the pseudonym "Cody," Linda drew and painted animals and fantastic creatures for the society's amateur publication.
"I think she was naïve," Marano said.
"She tended to draw Hallmark-like critters. Really nice unicorns and horses," Marano said. "Very funny Easter bunnies and turkeys."
The art collector described Linda's work as "interesting."
"She had two styles. One was a very high contrast. The other was standard fantasy art."
[truncated]
Charles Lee Jackson, the current president of LASFS, also remembered Linda as shy.
"I don't remember her as being very forceful or sociable," he said.
"There weren't a lot of people that knew her really well who are still alive."
Galen Tripp is one of the few. He knew Linda as a fellow member of LASFS, and recalled her as "a very pretty woman."
"My understanding was she did some modeling in her youth," Tripp said. "She had a very beautiful face."
Tripp said Linda lived with a couple in LASFS before she met John. They had a falling out, however, when Linda accused the girlfriend of throwing nails into her horse's stable to injure it.
Unlike others who knew her, Tripp remembered Linda as being strong-willed.
"I never thought of her as the victim type or the type that would be suckered by a con man," he said.
"She did seem to me a very strong personality."
John, who worked at the Jet Propulsion Laboratory in Pasadena, left less of an impression. Outside of his family, very few people who knew him remember him at all.
Ellen Sohus, John's half-sister, remembers her brother as intelligent - even nerdy - and kind.
"He was what I call the original computer geek," Ellen said.
"He was fascinated with computers and electronics; he was a Trekkie. He loved 'Star Trek' - he knew everything about 'Star Trek.'"
John worked also loved listening to FM-radio personality Dr. Demento, Ellen recalled, and was an aficionado of the fantasy role-playing game Dungeons and Dragons, which he played with students at Caltech.
Tripp, who said he met John "a few times," also didn't recall much about the man.
In recent weeks the couple's disappearance has been a topic of much discussion among area sci-fi fans who gather every Thursday in North Hollywood, Tripp said. This week the club displayed some of Linda's art work.
As for the art collector, he's thought about the couple often since that final phone call.
He tried to reach Linda weeks later, and instead spoke to John Sohus' mother.
"I asked 'have you heard anything from them?' She just started crying. Basically it was incoherent," he recalled. "She said, 'I haven't heard - I don't know what's going on.'
"She said something about France. I thought they were moving to New York," he said.
The art collector said that he was in touch with several computer users in the mid-1980 s and had a friend who had access to raw wire feeds archived by The Associated Press and United Press International. Nothing surfaced, he said.
Over the years, the art collector held out some hope for the couple, but in recent weeks that faith has waned.
"It's really sad. You see all these things on the news about tweakers and people getting themselves into trouble and dying," he said. "It's not the kind of thing you'd usually associate with geeky science fiction fandom people who were really nice and didn't deserve what they got. Somehow they got sucked into this guy's con game and it doesn't seem right."