Hack Attack

February 10, 2000 at 12:00 AM EDT


RAY SUAREZ: The assault in cyberspace began Monday against Yahoo!, the largest independent Web site. Millions of people use Yahoo as a portal, the door they go through to search the World Wide Web. Yahoo! also provides news, weather, and other services such as e-mail.

PATRICK TAYLOR, Internet Security System: We had a large number of computers gang up on the Yahoo infrastructure and asked them to do more things than they could ever do.

RAY SUAREZ: Soon, the attack had spread to leading retailers., which sells everything from video games to golf gear, was shut down for six hours., the bookseller, was out of commission for nearly four hours. And eBay, an auction site, was also struck. An eBay spokesman described the impact.

KEVIN PURSGLOVE, eBay Spokesman: It’s a huge inconvenience for eBay users, because essentially they’re the ones that are listing the items and selling the items. But for the most part, you can still conduct your business. It’s just that the process now is much, much slower than it would have been at, say, 2:00 this afternoon.

RAY SUAREZ: Two news sites were hit, CNN and ZDNet, which covers technology. So were Datek and E*Trade, online brokerage firms. The attacks, which have been anonymous, have halted commerce on some sites and slowed traffic on other parts of the Internet. Yesterday, Attorney General Janet Reno said the FBI had launched a criminal investigation of the cybercrime.

JANET RENO, Attorney General: At this time we are not aware of the motives behind these attacks. But they appear to be intended to interfere with and to disrupt legitimate electronic commerce. That is the reason the FBI has initiated a criminal investigation into these matters.

RAY SUAREZ: But finding the cyber criminals isn’t easy. Here’s how Internet experts think the attacks have been conducted: A computer user taps into many, perhaps even hundreds, of other computers and surreptitiously installs software. The newly attached software acts like a time bomb. It prompts those computers at a preset time to bombard the online sites with requests for information or with junk mail. The result: system overload, shutting out access to other users. The more computers controlled by the hacker, or hackers, the greater the paralysis. And computer experts say committing the crime isn’t very hard.

FRANK CILLUFFO, Center for Strategic & International Studies: The tools and the software that’s publicly available are so sophisticated and so user-friendly that you don’t even have to be very good at hacking. All you have to do is know how to point and click on that mouse.

RAY SUAREZ: And joining me now are United States Deputy Attorney General Eric Holder; David Clark, one of the original designers of the Internet — he is currently a senior research scientist at MIT and chair of the Computer Science and Telecommunications Board at the National Academy of Sciences — and Patrick Houston, executive producer of ZDNet News, the news division of ZDNet, a high-tech information Web site, and one of the sites hit yesterday. Mr. Holder, are you in that uncomfortable spot for any criminal investigator where it actually gets harder to find your person if they don’t do it again?

ERIC HOLDER, Deputy Attorney General: Well, I would say that we’ve made some progress in the investigation. We are still not at a point where we have any hard suspects, and yet I think over the course of this afternoon we have made not something I would call substantial progress, but at least some progress. It’s going to take some time. This is not going to be an easy case to crack. But I’m actually confident based on the briefing that I’ve had as recently as about two, three hours ago that ultimately we will bring the appropriate people to justice.

RAY SUAREZ: Is your investigation made more difficult by the fact that this is kind of a borderless system with no centralized equipment, no centralized gatekeeper? I mean, people doing this could be in Bulgaria.

ERIC HOLDER: There’s no question about that. We’re dealing with things that are really new to us, that’s why we’ve tried to upgrade our system capabilities within the Justice Department, within the FBI, within our U.S. Attorney’s Offices. It’s why the President has asked for $2 billion from Congress, so that we can do those kinds of things, and why we’ve asked for an additional $37 million at the Justice Department. We need new tools, we need new resources, we need actually new knowledge to deal with these kinds of cases.

RAY SUAREZ: Are you always finding out what you’re missing by something going wrong and you having to investigate it with your computer crimes unit?

ERIC HOLDER: We do actually, I think, pretty well. We’ve got some bright, young people there who are, I think, conversant with the state-of-the-art techniques, but in some ways we play catch up, in other ways, I think we’re maybe a little ahead of the curve. These are not easy cases, make no mistake about that.

RAY SUAREZ: David Clark, was this something that was almost predictable by the very open nature of the Internet?

DAVID CLARK, Massachusetts Institute of Technology: Well, you can’t say the exact event was predictable, but certainly we’re headed down the path with the increasing commercial visibility and increasing number of people attached. We’ve seen these sorts of attacks building up over the last decade. So in some respects, this is an expectable direction to be going; it’s something we have to worry about, but I’m not totally surprised this happened.

RAY SUAREZ: So every time you have a sizable increase in the number of users, you have an increase that’s proportionate in the number of people who are mischief makers or criminals?

DAVID CLARK: Well, not only do you have an increase in the number of people but the event becomes more visible and the excitement becomes more attractive. We don’t yet know quite why this event is happening, whether it’s something for the fun of it, or there’s going to be some economic motive that comes out. But clearly a lot of this is done for sort of bragging rights, as one of your… as you said earlier. You can pick up the software to do this on the Net, and people get a lot of jollies of putting it out there and saying hey, look at the wonderful thing I’ve got.

RAY SUAREZ: Is there something materially different about it when you’ve got something that’s simple and easily reproducible, as opposed to the kind of hacking that’s done by people with very specialized knowledge? Is it more threatening that way?

DAVID CLARK: Well, it’s easy to replicate, so you don’t have to be a technical whiz to do this kind of thing now. You just — you can download the software and decide how you want to do it and turn it on. I don’t know whether that’s more threatening, but it certainly makes the probability that this is going to happen go up.

RAY SUAREZ: Patrick Houston, I’m sure part of the attraction for sites like your own is that they’re easy to get to. And I’m wondering if ZDNet and other places become more hardened targets, do we sort of lose something, part of the charm?

PATRICK HOUSTON, ZDNet: I don’t think that will happen, Ray. You know, we can filter for attacks like this to some extent. The problem in many cases with sophisticated and high-profile Web sites like ours is that you can… if you filter to any great extent, you can only raise the firewall so high without overtaxing or devoting too many of your resources to the protection of it and less resources to your users. We want to make sure our Web site is accessible and is fast, able to fulfill requests as fast as possible. So we’re limited in how many barriers we can throw up between ourselves and our users.

RAY SUAREZ: If I understand this correctly, one of the aspects of the programs that are able to bombard you in this way, I think it’s called a SYN flood.

PATRICK HOUSTON: We were the subject of a SYN flood attack.

RAY SUAREZ: What it does is it gives your own return address as the bounce-back point. So in fact you’re cycling this information frantically and slowing yourself down.

PATRICK HOUSTON: Right. Here’s what happened in our case, Ray. We got within a five-second period yesterday morning some 100,000 requests for connections. Now, what a Web server does in these cases, it sends back an acknowledgment. Imagine that it’s a telephone directory assistance operator that 100,000 people have called. The operator would say may I help you and wait for a response. Well, in this case, those information or those requests came in, in disguise. They were… they had some other fake address in front of them. So our servers kept asking for a period of three minutes for each one of those requests may I help you? May I help you? May I help you? And received no response. That only exacerbated the flood of requests we got. So we were down for about two hours and 32 minutes, or unavailable I should say.

RAY SUAREZ: So you put in a shield that eventually detects this kind of attack, it can slow you down. It takes up energy to figure out that you’re under this kind of attack.

PATRICK HOUSTON: It’s overhead and it consumes resources. For example, we’ve installed filters for this particular attack. One of the problems with a denial of service attack is that we can filter for certain characteristics that are signatures of this particular attack, but if it mutates or someone changes it even slightly, then that limits our capability to filter.

RAY SUAREZ: David Clark, a lot of people are sitting at home and they saw that graphic where unknown computers attach something to unwitting and waiting computers. If you go on the Web at all, if you surf at home, if you have a desktop computer at your office are you open to this kind of attack?

DAVID CLARK: In principle, especially if you’re attached to the Internet over a high-speed connection and your machine is on all the time. There are certain operating systems that are more popular as targets here. But, yes, in principle any machine that’s on the Net, especially with a high-speed connection, is susceptible to these kinds of attacks. The attackers try addresses at random, essentially, like picking a random phone number and calling it and seeing if somebody answers. And they’ll try the machine, try to figure out what kind it is, and they’ll send you a few test messages, and there are a certain number of well-known faults; they’ll see if they can exploit them, and if it doesn’t work, they go on to another machine. If they succeed in breaking in, they go in your machine, they lodge a program there, they set a timer, the way you described it, it’s a time bomb, then they go away. And any connection between them and your machine is long gone by the time this program starts. So I think part of what’s interesting about this attack is there are a lot of unwitting machines out there on the Net, or machines belonging to unwitting people who have been subverted.

RAY SUAREZ: Well, Mr. Holder, one of the places where there’s a lot of attention in this world is in the trading of information, in the unwitting awarding of information, people are upset when they find out how much people know about them because of the places they visit. But here it’s just the opposite. People mask who they are when they set these things off. They change the aliases, they change the return addresses. It’s covering up their trail for you, isn’t it?

ERIC HOLDER: Yes, that’s what makes it so difficult for us to uncover who’s actually behind these kinds of cases. And so we’ll have to work as hard as we can. We’re going to need partnerships quite frankly, with industry, and the reports that I have been getting indicate that people in industry have really been cooperating with us. We’ve really been heartened by the response we have gotten. But it also means we have to use traditional techniques as well. It’s not just a question of trying to get back to the computers; you have to do the other things that we do — figure out who’s talking to who, get into chat rooms, things like that — always respecting people’s privacy. I want to make sure that everybody understands that, but do the investigative things that we would do in other investigations to see who, for instance, is bragging about something that they did and then follow that lead.

RAY SUAREZ: And can you do this without becoming the interlocutor, the go-between for a lot of the traffic, or is the Justice Department already a place where much of the traffic that’s zipping through these wires passes through for a look-see?

ERIC HOLDER: No, I don’t want people to get that impression at all. When I was talking about people talking, it was really focusing more on statements that people might be making off-line, where you have people having normal conversations and saying one thing to somebody else. We’re actually getting a fair number of people who are writing in to us or who are using their computers to send messages to us about things they have heard, and with time to accumulate these things, then we will run them down in due course.

RAY SUAREZ: Is this something that lives very comfortably inside existing law, or have there had to be new laws to take account of this new way of communication?

ERIC HOLDER: Well, there have been attempts at trying to deal with these new situations, and some of the laws that are on the books are of relatively recent vintage. But I have to tell you, as I look at the statute that’s most applicable here, we’re looking at a statute that has a penalty of five years, a fine of about $250,000 or so. And given the nature of what we have seen over the last three days, it seems entirely possible to me that those kinds of penalties aren’t adequate. And so we might be looking at thinking about doing something with those penalty provisions in these statutes that, as I said, are relatively new.

RAY SUAREZ: Go ahead.

PATRICK HOUSTON: This is the third significant wake-up call that we’ve received in the space of one year. It began last year with — in March with the widespread Melissa virus that caused such damage out there. Then, as you know, we had the Y2K bug, which garnered so much attention in the public mind. Now we have these denial of service attacks. I think it’s really going to escalate efforts on the part of the federal government, particularly, to try to develop a national plan for the protection of information systems. There was a version, a very early version in framework released in January, and I think that’s going to become the subject of much scrutiny here as a result of many of these incidents.

RAY SUAREZ: Does this set off something like an arms race, where once you make it tougher to do it to your site there are already people trying to figure out how to jump higher over the barrier you’ve put in place?

PATRICK HOUSTON: Yeah, I think that’s true. But you know what, the significance in these incidents is they’ve underscored two things for us, Ray. One is our utter dependence on computer systems these days, especially in this new era of E-commerce, and two, our increasing vulnerability to disruptions of the kind we’ve seen, either from virus producers, from unintended bugs, like the Y2K bug, and from malicious mischief makers, perhaps, as was the case in these denial of service attacks.

RAY SUAREZ: So David Clark, are there certain kinds of businesses that are more exposed than others — that use the Web now for business to business contact, just in time inventory, and have sort of easily evolved their business to take advantage of this world that are suddenly now very vulnerable to being shut down?

DAVID CLARK: Well, there are all sorts of businesses that have moved into this space. He used the phrase wake-up call. I think that’s right. We have to decide to devote enough resources to this problem to try to deal with it, and I think we have technical means, they’re not perfect, but the question is how much of your resources are you going to put here and how much do you put into being first to market? And I think it’s part of a balanced approach as we put more emphasis on this stuff, we’re just going to have to pay attention. And I think the companies that care about it are the ones that are going to deal with it first. There are a lot of companies that have really staked their plans on Internet access.

PATRICK HOUSTON: You know, Ray, security breaches, computer security breaches are not anything new. What’s different here is this: In the past when a bank’s computer system was compromised, it was pretty much kept quiet for reasons of credibility, no one wanted to frighten customers. But now these incidents are very public. When a Web site, like a very high-profile Web site, like Yahoo!, like ZDNet goes down, there’s no hiding it. So we are very much more aware of these kinds of security breaches and these incidents than we’ve ever been before.

RAY SUAREZ: So Mr. Holder, what do you do next?

ERIC HOLDER: Well, we will continue the investigation. We will try to work our way back through the whole computer process, but in addition to those other traditional things, as I’ve indicated. We’ve established really good partnerships with people in industry and we’ll try to take advantage of those as well. I’m not at all certain this is something that will be resolved in a short period of time, but I do think ultimately we will get back to who was behind this.

RAY SUAREZ: Eric Holder, Patrick Houston, David Clark, thanks a lot.