DDOS Cyber-Extortion

In a recent survey by Carnegie Mellon University researchers, 17 out of 100 small and mid-size businesses reported being targeted by cyber-extortionists.

I recently stumbled upon a news article about one such extortionist who threatened an online gaming website in 2003: “Your site is under attack… You can send us $40K by Western Union [and] your site will be protected not just this weekend but for the next 12 months,” or, “if you choose not to pay… you will be under attack each weekend for the next 20 weeks, or until you close your doors.”

The website owner, Mickey Richardson, asked his network admin if they should be concerned. The reply he received was “We should be safe. I think our network is nice and tight.” When the attack finally came, the website crashed hard. Standard DoS (Denial of Service) attack prevention software failed after 10 minutes. The website crashed. His ISP crashed. His ISP’s ISP then crashed. Another e-mail arrived. “I guess you have decided to fight instead of making a deal. We thought you were smart… You have 1 hour to make a deal today or it will cost you $50K to make a deal on Sunday.”

The site stayed down during most of the respite that followed, and could only be brought up for short periods of time. At some point, the downtime was the result of his ISP deciding to null-route the site’s traffic. Null-routing means the ISP collects all of the traffic going to a site and drives it into the ground. This frees up the ISP’s pipes when a site it hosts is receiving massive amounts of DoS attack traffic; even if the extortionists stopped attacking, the site would stay down.

A consultant they hired had an interesting plan: build a system that would absorb huge DoS attacks. An ISP in Phoenix with a 10Gbps (ten gigabits per second) pipe eventually reluctantly agreed to host it. The system intercepted traffic intended for the website, diverted it to the ISP in Phoenix, null-routed the bad traffic, and sent legitimate traffic to the website. The system did a lot of other stuff too: monitoring, capacity planning, logging and analysis. But when it was first turned on, the extortionists stuffed too much traffic down its throat. The servers were overloaded. The website owner’s decision not to pay the extortionists was affecting other websites that shared the same ISP and were also experiencing network problems. He started getting calls from friendly competitors saying, “We paid. Just pay. We’re going down because of you.”

Another email arrived. “I would like to thank you for not keeping your end of the deal and making this upcoming weekend an enjoyable one for me.” The extortionist demanded $75,000, but then seemed to disregard the money: “I do not care how long I have to destroy your business and I will. You will learn the hard way that you do not make a deal and then fûçk around with us… Let the games begin.”

A DoS attack is most effective using zombies: exposed and unprotected computers hacked without their owners’ knowledge. With a zombie network in place, the only issue left is scale. The more zombies there are in a network, and the more aggregate upstream bandwidth they have, the swifter and more severe the havoc they can wreak. A zombie network with several hundred computers can generate hundreds of megabytes of traffic per second, enough to knock a small network offline. It turns out the extortionists had more than 20,000 zombies.
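To make the difference between the ISP’s null-route and the consultant’s scrubbing system concrete, here is a small added simulation (not code from the story or from any real product) over a constructed one-second traffic sample: a few real users plus a zombie flood. The site address, per-source limit and traffic volumes are all made-up assumptions.

```python
"""Compare an ISP null-route with a per-source scrubbing filter over one second of flows."""
from collections import defaultdict

SITE = "203.0.113.10"        # the extorted site (documentation address, constructed)
PER_SOURCE_LIMIT = 50_000    # bytes/second a single client may send before it is treated as flood (assumed)


def build_flows(zombies=200, zombie_bytes=120_000, legit=3, legit_bytes=2_000):
    """Constructed traffic sample as (src, dst, bytes) records: real users plus a zombie flood."""
    flows = [(f"198.51.100.{i + 1}", SITE, legit_bytes) for i in range(legit)]
    flows += [(f"10.{i >> 8}.{i & 255}.7", SITE, zombie_bytes) for i in range(zombies)]
    return flows


def null_route(flows, site=SITE):
    """ISP null-route: every byte addressed to the site is discarded, legitimate or not."""
    dropped = sum(b for _, dst, b in flows if dst == site)
    return {"forwarded": 0, "dropped": dropped, "blocked_sources": set()}


def scrub(flows, site=SITE, limit=PER_SOURCE_LIMIT):
    """Scrubbing centre: drop only sources that exceed the per-source rate, forward the rest."""
    per_src = defaultdict(int)
    for src, dst, b in flows:
        if dst == site:
            per_src[src] += b
    blocked = {src for src, total in per_src.items() if total > limit}
    forwarded = sum(b for src, dst, b in flows if dst == site and src not in blocked)
    dropped = sum(b for src, dst, b in flows if dst == site and src in blocked)
    return {"forwarded": forwarded, "dropped": dropped, "blocked_sources": blocked}


def zombie_aggregate_mbps(zombies, upstream_kbps):
    """Aggregate flood capacity (Mbit/s) of a zombie network given each machine's upstream rate."""
    return zombies * upstream_kbps / 1000


if __name__ == "__main__":
    sample = build_flows()
    print("null-route:", null_route(sample))
    print("scrub     :", {k: (len(v) if isinstance(v, set) else v) for k, v in scrub(sample).items()})
    print("20,000 zombies at 256 kbit/s upstream:", zombie_aggregate_mbps(20_000, 256), "Mbit/s")
```

The null-route keeps the ISP’s pipes clear but leaves the site exactly as unreachable as the attack would, which is why it counted as downtime in the story. A per-source threshold alone is also defeated by spreading the flood thinly across tens of thousands of zombies, so real scrubbing systems add signature and behavioural checks on top of rate limits.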

After days of severe battling, suddenly the attacks stopped. Another email: “I tried getting to your site today and I could not. I thought with all the money you spent you would not have these problems anymore. I guess you wasted your money instead of keeping your word. Good luck. P.S. I bet you feel real stupid that you did not keep your word. I figure by now you have lost 5 times what we asked and by the end of the year your decision will cost you more than 20 times what we asked.” It was a bluff. The website was up. The extortionists couldn’t get to it because they were blocked. The website owner hadn’t paid them a dime. They made no more threats. They couldn’t because they couldn’t back them up with action. The extortionists had lost. And yet, the e-mail was not far off. Mickey figures it cost him a million dollars in lost revenue and IT investments to win the war.

Update

Three guys in Russia were caught and charged in connection with the DDoS assault on Mickey’s betting site, including Ivan Maksakov, a 22-year-old student at the Balakov Institute of Engineering, Technology, and Management. According to the Russian newspaper Kommersant, Ivan was sentenced to eight years behind bars and ordered to pay a fine of 100,000 rubles (just under USD$4,000).

H is for Holden Caulfield

OK, so this is the first of the alphabetic series where the letter of the alphabet does not represent a key word in the title of the work. I knew I’d have a hard time finding great classics with Q, J, X, and other high-value Scrabble tiles, so I began the naming exception with the Catcher in the Rye. I read this at least a month ago, but completely forgot to post my mini review until now. Oops!

I have no idea how long it’s been since I first picked up J.D. Salinger’s Catcher in the Rye as a teen. I know that then I read it multiple times, but at this age several decades later I couldn’t tell you a thing about the thin plot until I re-read it, realizing only afterward that the story has very little plot to begin with. It’s not the traditional good-versus-evil or boy-gets-girl-loses-girl-and-gets-girl-again story; rather it tells the tale of a complete loser, Holden Caulfield, who finally gets an inkling of a clue and a small sense of responsibility. The controversy that revolved around the banning of the book from libraries and reading lists did nothing more than spotlight the book and eventually make it required reading. Without that, I believe that despite the well-written passages the book would have faded into obscurity. It’s just not that special.

That said, the subtle message of finally stepping up to the bat and doing what’s right and not necessarily what’s easy could be good for older teens, those capable of responsibly dealing with the sexually mature passages and concepts. With høøkërs, alcohol, violence, and frank talk about sex, the Catcher in the Rye isn’t the next step from Nancy Drew. I don’t think my 15-year-old daughter is ready for it yet, unfortunately her age being the age at which schools today begin to read the book. Or, yet better said, maybe I’m not ready for her to pick it up, a throwback to the paranoid morals of yesteryear…


Geocaching Scourge

Someone in the South Bay with the geocaching name Scourge is removing some of those pesky lame micros that never should have been approved in the first place. His (or her) log entry is always only the mystic message “pum-SPAK!” Having been put on the right research path by fellow cacher Equinox who swears no knowledge of the identity of the real-life Scourge, I did a little homework on the details of the Marvel comic origin of villain-killer Scourge.

Scourge was an organization of super-villain killers (posing as a single person) who embarked on a killing spree in 1986 Marvel comics, culminating in a massacre in a bar. Scourge typically wore a disguise, targeted a super-villain, and shot them to death with a sawed-off shotgun containing explosive ammo — with only the sounds “pum” (the shot fired) followed by “SPAK!” (the lethal explosion of the bullet).

A new Scourge has surfaced in some comics, with the added slogan “Justice is served!” The Scourge organization was originally founded by a major 1940s Marvel hero, The Angel, who retired after a bystander was killed by a criminal he was battling. Consumed by rage and guilt, the aged Angel later used his personal fortune to found and fund the Scourge of the Underworld organization, which is dedicated to the assassination of so-called super-criminals.

Scourge’s victims include Enforcer, Miracle Man, Hate-Monger III, Megatak, Melter, Titania, Basilisk, Hammer and Anvil, Fly, Death Adder, Blue Streak, Cheetah, Commander Kraken, Cyclone, Firebrand, Grappler, Hellrazor, Hijacker, Jaguar, Letha, Mirage, Rapier, Ringer, Shellshock, Vamp, Wraith, and even several Scourge agents. What a list!

Whoever chose Scourge as the alter-ego character with which to assassinate criminally micro-sized geocaches did so brilliantly. I wish I’d thought of it. Justice is served!

Author’s Note

Removal of approved geocaches by anyone other than the owner or an agent of the owner is just not nice, and I do not promote, condone, or support any such activities — and I am also in no way responsible for said activities.