A new era - The age of innocence is over

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

It's a new era -- of economic blackmail

By Tom Steinert-Threlkeld, Inter@ctive Week, February 9, 2000 2:29 PM PT

The commercialization of the Internet is entering a dangerous new era -- the era of extortion.

It's a discouraging milestone, but there can be no doubt that the public takedowns of many of the biggest e-commerce and content sites on the Web -- Yahoo! (Nasdaq:YHOO), Buy.com (Nasdaq:BUYX), E*Trade (Nasdaq:EGRP) and ZDNet (NYSE:ZDZ), to name a few -- are setting the stage for continued economic blackmail. The bar has been raised. Now hackers will be salivating over the chance to show who has the best automated, denial-of-service software. To prove it, they'll use it.

Worse, a light is flicking on in the criminal minds among them. The revelation: If we can commandeer the processing power of Solaris, NT and other computers against these bastions of the World Wide Web, we can also take their money.

Hackers clever enough to put tens, hundreds or thousands of machines at their disposal are clever enough to figure out how to tap into a company's digital coffers. After all, Yahoo! rakes in nearly $2 million a day, and Amazon.com (Nasdaq:AMZN) takes in $4 million.

It's not so farfetched to see these hackers demanding money in exchange for availability -- a protection racket in cyberspace.

"What's to keep them from saying next week to eBay, do you want to stay up or stay down," said Alan Paller, research director of the SANS Institute, the network security organization. "That, to me, is a new dimension."

And there's recent precedent. Just last month a computer intruder tried to extort $100,000 from CD Universe by holding as hostage 300,000 credit card numbers taken off the music e-tailer's servers. The company refused to pay. Its reward: The intruder released 25,000 of the stolen numbers.

Then, over the first weekend in February, Autodesk buckled in to threats of an attack from fans of a site called The3Dstudio.com. Artists, in conjunction with an outfit called RTMark, said they would launch a crippling attack on Autodesk after the company sued to close the site named after its proprietary 3-D software application. Autodesk backed off.

"Now if they jump like that before being threatened, we'll have achieved something nice," an RTMark spokesperson, Ernest Lucha, was quoted as saying in an electronic news release about the event.

But even that "nice" comment comes after a veiled threat. RTMark -- and others loath to identify themselves -- are clearly willing not just to make threats, but to act on them.

Or, worse, they'll stage attacks without forewarning, as happened repeatedly this week.

It'd also be "nice" to think that these attacks won't represent the dawning of an age of online coercion. Such intimidation is as old as computer networking. But in the past it's been largely invisible, with banks, telecommunications companies, manufacturers and others clamming up when there's a security breach involving money.

For e-commerce sites there's no room to hide. Now anyone with a browser knows when a site is down. So sites will be faced with the dilemma: How far do you go to retain customer loyalty, credibility and business compared with how far you go in resisting blackmail?

The ante has been raised. Even the largest of the large, the most profitable of the profitable, are at risk. The Internet's age of innocence is over.

-- Martin Thompson (mthom1927@aol.com), February 09, 2000

Answers

URL http://www.zdnet.com/zdnn/stories/comment/0,5859,2435665,00.html

-- Martin Thompson (mthom1927@aol.com), February 09, 2000.

Martin, this is a great post...FOR Y2K REASONS, let alone infrastructure. See, a lot of us took some hits because we advised clients and superiors to shut down the system over the rollover, too much risk of hackers, power surges, viri, etc. Well, none of that happened over the rollover...but *all* of it has happened since. And it was only the then-beneficent whim of the hackers, contingency planning, and a lot of people glazing at their terminals that prevented worse things happening. Imagine what might have happened...even just with the "panic" mode...had all this occurred January 1.

-- Bud Hamilton (budham@hotmail.com), February 09, 2000.

This is a good posting! Thank you. I've been mulling over the possible intent of the e-commerce cracks just as you have. Following the discussions on the other board I've noted a generalized concern about intrusion into the privacy of the individual, but in most cases it's almost an abstract issue. Finances as target made the issue of vulnerability in the IT world more relevant to many of us. I've followed the cracker exploits for some time now and have noted that the true crackers relish the game aspect of hacking/cracking, so I question if government control would do anything more than spice up the board for them, and that not greatly. Terrorism is a valid consideration, but more permanent damage would be desirable in that scenario. However, if the DNS attack was a diversionary tactic to cover the introduction of a more virulent mechanism -- well, that would make sense. The IT mavens will quickly assess if that's a far-fetched or naive idea. At any rate, this situation will bear watching and my gut instinct is that there's something going on other than Y2K and fireworks on e-commerce sites. mike

-- mike in houston (mmorris67@hotmail.com), February 10, 2000.
