The IIQ
By Deesl
There is a well-known number associated with one's
intelligence, the IQ, or intelligence quotient. It is
derived from an individual's responses to a well-formed
standardized test of thinking skills and other higher-level
skills. There have been other *related* measures, such as
the EQ, the etiquette quotient; the SQ, a reading of one's
social skills or lack thereof, used by US Justice officials
in determining one's sanity when prosecuting certain
cases; and the PQ, a system to measure someone's
personality traits such as gregariousness, generosity, and
the like. I'm going to introduce another concept, the IIQ.
The IIQ is a measure of someone's Internet Intelligence
Quotient. It rates someone's ability to utilize the
internet for their own benefit, the ability to share such
knowledge in a clear way with others, and the ability to
operate in a secure manner at all times. You will find
that many internet users (not just new users, but many
long-time users too) have incredibly low IIQs. Why is
this so? Why would I make such a statement?
Let us use the theme of this month's zine, Denial of
Service attacks, or more specifically, Distributed Denial
of Service attacks. The main characteristic of such an
attack is the use of multiple (usually more than 20) host
machines to attack a single machine, effectively
overpowering either the target machine itself, or the line
connecting it to the world. Obviously the attackers do not
purchase machines and host them at remote sites, then use
them to attack other hosts. They obtain access to remote
machines through three methods. First is through
exploitation of security holes. The second is by utilizing
backdoors, including administrative, user, and maintenance
passwords. The third, and most widespread, is by social
engineering.
Social engineering is the *art* of convincing someone to
do something they otherwise would not do, if they knew the
intentions of such a request. It involves tricking the
victim into handing over passwords, PIN numbers, account
names and numbers, and convincing the user to download
programs which they would not otherwise download. In the
case of DDoS attacks, the majority of hosts compromised and
used in the attacks are either machines that were *broken
into*, because they were left unsecured, or machines whose
owners were socially engineered into handing them over.
The owners of these machines are convinced to download a
file and execute it, or simply to visit a website while
using an unpatched web browser.
This is where the IIQ comes in. Many users are convinced
that everything everywhere on the internet is safe, and is
exactly what it claims to be. They will think nothing of
clicking on every single thing that even remotely looks
like a URL, if they believe they will get something for
free. Most often the advertised item is pornography, or a
program that will provide them with free money. Another
kind of thing that users are convinced to get is warez
files. Users will download these files without regard to
the source of the file, the type of file, or anything but
the way it is advertised. Who would think that a file
named brittney_with_horse.jpg.bat would be anything but a
hot movie containing a well-known musician and a horse?
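
A filename check a mail gateway or download filter could apply to names like the one above. This is an added example, not part of the original article; the function name, the reason labels and the two extension sets are assumptions chosen for illustration, and it goes beyond the double-extension case to cover space padding, trailing dots and invisible format characters.

```python
import unicodedata

# Illustrative, not exhaustive: extensions the Windows shell runs or interprets.
EXECUTABLE_EXTS = {"bat", "cmd", "com", "exe", "pif", "scr", "vbs", "js", "lnk"}
# Illustrative: extensions a user reads as harmless pictures, media or documents.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "mpg", "avi", "mp3", "txt", "doc", "pdf"}


def deceptive_name_reasons(filename):
    """Return a list of reasons the name misrepresents the file's type.

    An empty list means the name is not disguised; a plain 'setup.exe'
    is executable but honest about it, so it is not flagged here.
    """
    reasons = []

    # Unicode format characters (category Cf), e.g. U+202E right-to-left
    # override, are invisible and can reorder how the name is displayed.
    if any(unicodedata.category(ch) == "Cf" for ch in filename):
        reasons.append("format-control")

    # Windows ignores trailing dots and spaces when resolving a name,
    # so the effective extension is whatever precedes them.
    effective = filename.rstrip(". ")
    if effective != filename:
        reasons.append("trailing-dot-space")

    parts = effective.lower().split(".")
    if len(parts) < 2 or parts[-1].strip() not in EXECUTABLE_EXTS:
        return reasons

    # A media or document extension sitting before the real, executable one.
    earlier = [p.strip() for p in parts[1:-1]]
    if any(p in DECOY_EXTS for p in earlier):
        reasons.append("decoy-extension")

    # A run of spaces that pushes the real extension out of view.
    if "   " in effective:
        reasons.append("padding")

    return reasons


if __name__ == "__main__":
    # Constructed sample names; the first is the one used in the article.
    for name in ["brittney_with_horse.jpg.bat", "holiday.jpg", "setup.exe",
                 "invoice.pdf" + " " * 40 + ".exe", "photo\u202egpj.exe"]:
        print(repr(name), deceptive_name_reasons(name))
```
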
The effect of these people's IIQ on the rest of the world
is immense. The system being attacked is taken offline.
But a side effect of this is that the system the user is
on may also be taken offline. Consider an ISP with 5000
clients. If 50 of them are infected, and their machines
are used to attack another system, it is likely that that
ISP would go down along with the intended target. The
result of all this is that one person's ignorance can
result in not only many thousands of dollars of damage, but
also the loss of service for thousands of users who would
never be so ignorant.
The solution to this is of course impossible to pinpoint
or to implement in a satisfactory manner. The main thing
users need to be thinking while they are surfing around is
*Don't take candy from strangers.* I remember when I was a
kid there was this trashman who would give us kids these
caramel candies. About a year later, another trashman was
on the news for giving out candies filled with cyanide.
Just because we survived didn't mean that it's always (or
even often) ok to take candy from a stranger. If you don't
know and trust the source 100%, do not click on, download,
install, or run ANYTHING. If you don't understand what an
item is and does, 100%, do not click on, download, install
or run ANYTHING. When you do, you may not destroy your
system at all, but you may indeed be participating in a
crime, both legally and socially.
©Deesl 2002