Denial of Service Episode 1
Fritz finally smiled, and waved his hand. “Come on in.”
Fritz’s place was relatively clean and sparsely-furnished, not a lot of bric-a-brac. Against the wall of the living room was an inexpensive LCD TV, a sofa facing it, and a coffee table between them. The dining room had a round table and four simple chairs. In one corner of the living room was a corner devoted to a desk, the laptop sitting on it, and a file cabinet next to it. And that, ladies and gentlemen, was the contents of the house as you walked in. No throw rugs, magazines on the tables, football by the door, car keys on a hook, or even pictures on the walls. This guy could teach Spartans what “Spartan” means.
He waved us at the dining room table, and asked, “Anyone want a Dos Ex?” Pete and I said sure, and he went to the kitchen, returning a few seconds later with three open bottles. He asked Gail again if she wanted anything, but she indicated she had to go back to work, so she wouldn’t drink anything. We all sat down at the table, and Fritz leaned back in the chair, which creaked just a bit underneath him. Frosty bravely curled up behind Fritz’s leaning chair and dozed off.
“So,” I said, “you’re trying to push a sci-fi e-book.” It came out sounding lame, like I was judging him, which I hadn’t meant it to.
But Fritz just shrugged. “Yeah, I know it sounds lame.” (I was gonna have to check my inner monologues for leaks.) “But if you know how to write ‘em, you can get quite a following going.”
“I’ll take your word for it,” I said. “Have you sold e-books before?”
“Yeah,” he said. “My last book was released as an e-book after the paperback came out. It sold some, but the hardback and paperback had already grabbed most of the sales, and my publisher wouldn’t let me discount the e-book enough to get any good numbers of its own.”
“But now you’re going without your publisher,” I said, and he nodded. “So what’s the real problem here?”
Fritz paused. As a web guy, you have to know how to listen to clients, what they say, and what they don’t say. When they say things that sound overly simple, it usually means they don’t know how something works. When they get overly technical, it means they know how it works, but they don’t want to be bothered to do it themselves. And when they get quiet, it means there’s something besides web building going on.
“Are you expecting trouble from someone?” I ventured.
Fritz looked at me, and I knew I struck a nerve. “My mortgage guys,” he finally said.
I could tell by the look on Pete’s face that he made the same notation of his words as I did. “Mortgage guys? As in, not a company?”
“Yeah, pretty much,” Fritz said. “Just some local guys with money… sort of the neighborhood’s ‘unofficial bank.’ But when things go wrong, they don’t cut you as much slack as the bank.”
“Loan sharks,” Pete named them. He glanced at me. “Trying to move up in the world.”
“And they know,” Fritz added, “that if they can get me out of here, they can sell this place for twice what I bought it for in this market. They’ve been buying up and reselling all kinds of properties up here in Californian Hills… that’s the name of the neighborhood. They already know about my e-book plans, and they got tech guys of their own. Based on what I’ve heard of their IT savvy, they’re likely to set up a DOS attack on my site. Anything to make sure I get little to nothing from the sales.”
I nodded, thinking hard. Threatening the guy with a DOS attack. There must have been some kind of revenge-karma at work here, and it was certainly pushing my buttons. “Is the book online anywhere yet? Is there any chance they have the book already?”
“No,” Fritz said, and he reached into his T-shirt and fished out a small device I recognized. It was a USB storage key, but one with a powerful biometric encryption system in it… you needed a fingerprint and a password to open it. “The book’s in here, and I haven’t put it online yet. I haven’t even emailed it to anyone, other than the copyright office for registration.” He stuffed the key back into his shirt. “Can you help me?”
I looked at Pete and Gail. “I think so,” I said. “I need to know a little more about the e-book first. But if your ‘guys’ are that intent on getting you, they might have the place bugged. Let’s do some travelling.”
8: Planning
“Okay, we’re ready,” Pete announced as he rejoined us in the dining room. His dining room, that is… we were now back at his place, where we set up a few very paranoid precautions against being tapped.
Web guys know about most of the tools spies use to tap into places. After all, IT guys built ‘em for them, and web guys have used most of ‘em. Most of them aren’t very effective, unless they are placed in advance, and no one’s had time to bug Pete’s place yet, so we had a good level of protection going. The second kinds of technology were pretty sophisticated, but could be defeated by relatively simple means. For instance, the basic telescope, used to eavesdrop on conversations… sitting inside and drawing the blinds took care of that.
The more sophisticated lasers are designed to detect the vibrations in windows created by conversations, and turn those into sounds that can be recorded. Tuning Pete’s stereo into a daytime talk show, and tilting the subwoofer against the nearest window to the conversation, would effectively mask any real conversations inside.
And finally, I made sure Pete’s PC was unplugged from the web. Really good programs can activate a PC remotely, and if it has a mike or camera, others can watch the room without the owner even knowing. Once Pete’s machine was disconnected, we were safe.
And finally, we’d brought Frosty along, and he was sitting by the front door. If anyone tried to sneak up and listen the old-fashioned way, Frosty would hear ‘em a mile away, and we’d know about that, too.
Satisfied we were safe, I took out my laptop. It was a Toughbook, hardened and secure, which I did my serious work on. I started it up and, making sure the wireless features were disabled, I set up a new secure folder in a folder in a folder, using a few normal-sounding file names that no one would notice as significant, but that related to keywords I knew well enough that I would always be able to find the files without trouble.
Then I held out my hand. “Fritz, I need your e-book.” Naturally, he gave me a skeptical look, so I explained. “I just need it to create a dummy file that will look legitimate. It’s part of the process. I’ll also use it to concoct our viral marketing campaign.”
“Really?” Fritz said, his eyes lighting up. Everybody reacted that way to “viral” campaigns, which could spread word about a person, product or service seemingly faster than light itself. When they worked. “What are you going to do?”
“I don’t know yet,” I said. “But hopefully the story will suggest something. If not, I’ll just wing it.”
Fritz nodded and handed over the key. I plugged it into the laptop, then turned it towards Fritz and let him put in the password and his fingerprint. Then I turned it back to myself, and copied the e-book into the secured file. It was a Word doc, which I’d expected, and which would make my job easier.
“Okay,” I said once that was done. “Now, here’s the plan. We want to make it look like the mark will be able to stage a DOS attack on your e-book server, and take you out. But we’re going to pull a switch on him, and send him to a dummy site. While he DOS-es that to death, you’ll be selling on the other site. Very simple, very easy. Which formats did you plan to use for your e-books?”
“PDF, Mobipocket, ePub and eReader,” Fritz replied. “Those are already made, though.”
“That’s okay, these are for dummy files, too.” eReader may have been the only one I hadn’t heard of before, so I made a quick note of all of them in a notepad file. I knew where I could go online to find free conversion software for all of them besides the PDF, which I already had. They might not be pretty, but they were for the suckers, so it didn’t matter.
“Is your pay site set up already?”
“Not yet,” Fritz replied. “I was going to do that next.”
“Okay, I’ll take care of it, then,” I told him. “If you’ve already set up any accounts for them, like with Paypal or something, let me have them. I’ll need to use what you’ve already created, because the guys’ll know about them. Then we’ll create a new account for the real transactions.”
“How are people going to know the real site from the dummy site?” Pete asked. “For that matter, how are you going to steer them from one to the other?”
“We can ID their IP address by using cookies in the viral campaign and comparing it to any other correspondence you’ve gotten from them via e-mail, and arrange to redirect that IP to the dummy site,” I explained. “That’ll work for the mark, but not for every IP that a DOS attack will come from. So we use the viral campaign and embed something in it, something we know the mark will ignore, but any interested fan will find and check out. Then we put the link to the real site in there.
“The dummy site will look just like the real site,” I continued. “We don’t want the mark to get wise. He will go to the fake site, along with the rest of the DOS traffic, while the real site is sitting pretty on another server with another ISP.”
I shut off the Toughbook. “So, we need a viral campaign. Why don’t you tell us about the novel, and we’ll see what we can brainstorm up?”
Fritz agreed, and was eager to tell us his story. I don’t read much sci-fi, but I had to admit, it sounded interesting as he went on. Once he finished, we started throwing ideas back and forth, and trying to figure out inventive ways of approaching them. A few hours passed, and we prevailed upon Gail to order pizzas and wings to go with Pete’s beer.
By that evening, we had a plan.
Finally, it had gotten late. Fritz was yawning a lot, and Frosty hadn’t had dinner, so we decided to get them home. While I stood out on the balcony, ordering my strategy in my head, the others were saying goodnight in the living room. I finally heard the door shut behind me, and the place was quiet for awhile.
A minute later, I was aware of someone else on the balcony. Expecting Pete to be bringing me a beer nightcap, I held my hand out. I was surprised when a hand, not a beer, slipped into it, and turned my head around.
“Gail! Aren’t you taking Fritz home?”
“I talked Pete into doing that,” she said. “There’s more room in his car for a tall guy and a dog, anyway.” I reflected on how badly they had fit into her Eclipse, at that, and nodded. “Besides, I wanted some alone time with you.”
“Alone time, with my brother’s ex?” I said. “Hello, awkward.”
“Not really,” she told me, and joined me on the balcony. “Pete and I were always swingers, even when we were together. And now we’re not together. Trust me, he wouldn’t mind if you and I spent some quality time together.”
“Oh, really? And what if I minded?”
“Oh, excuse me,” Gail said with a smile. “Nobody told me you were dead.” And she turned my head towards her, and kissed me. I immediately thought of Pete’s comments about sex videos, the thoughts punctuated by her talents with the liplock, and I started revising my immediate plans. IT guys do a lot of their work at night. But most of us are smart enough to know when to blow work off, if it means getting some. Namely, every time it comes up.
When Gail finally pulled back from me, I asked, “Are you sure Pete won’t have a problem with this?”
“Are you kidding?” Gail said. “We’ll have to lock the door to keep him from joining us. And oh, yeah: We’d better check the room for cameras first.”
9: Preparation
By the time Pete came out of his room, I was already busy at the dining room table working over my Toughbook. “Morning, super-stud,” he said, which confirmed that he knew what I’d been doing last night. Not that it would have been hard to figure out: The way Gail had carried on last night, the walls would’ve had to be four feet thick to guarantee no one else heard us. “Coffee?” he offered.
“Please,” I said. All I’d found was cans of Donald Duck orange juice, and I needed more than that. “Don’t suppose there’s a Starbucks on your block?”
“Not quite, but it’s not far. What’cha want?”
“Ohh…” It took me a good few seconds to switch gears enough to rattle off my drink of choice, as usual. “A grande double-shot skim milk espresso with room, in my… oh, I don’t have my cup…”
Only then did I look up, to notice that Pete was standing there and holding out his cellphone in my direction. I realized I had just dictated my drink order to someone. Once he was sure I was through, he brought the phone up to his own ear, and said, “You got that? Good. Be there in five.” He hung up, and smiled. “A little sweetie I got on the hook down there. Maybe I’ll bring her by later. How’s it going?”
“It’s going,” I said non-committally. Pete nodded, shrugged, and headed for the door. Only then did I notice he was still wearing his sleeping shorts. “Dude—”
“S’okay,” Pete called over his shoulder, “I’ve got Gail’s account card. Be back soon!” The door closed, leaving me alone again. After a moment, I quickly glanced around, just to make sure I really was alone in the apartment this time. As nice as last night had been, I didn’t have time for the distraction right now.
When you’re duplicating a website, you have to be careful that the two sites look identical. Since different sites might be on different servers at different ISPs, that meant checking your site’s appearance and links to make sure everything works the same on both sites. If you don’t do this, you might tip off your mark that he’s been played for a sucker. And with loan sharks, that was never a good idea. So I was neck-deep in Fritz’s site, which would become the bogus site, and the new, real site I was setting up, making sure you couldn’t tell one from the other. I’d also have to “spoof” the domain name window, to make it look to the sharks that the bogus site was in fact the real site… so far, there was no way to create two sites with the same domain name on the web, thanks to the careful work of ICANN. But being creative with your site naming could accomplish the same thing.
For instance, Fritz’s site was named after his book, “Blue Shift Bandits.” One of the great things about standard browsers is, they display site names and other things using sans-serif fonts. In standard sans-serif fonts, and in many serif fonts, the number one and the lowercase “L” all look alike. (So does the uppercase “I,” but you can’t specify caps in domain names, so that particular similarity isn’t something you can take advantage of, except in internal pages.) So you can swap them interchangeably in your domain name and create identical-looking sites at brand new domains. I had already registered a new domain substituting a “one” for the “L” in Blue, giving me my new site with the identical-looking domain name, under an alias with a Paypal account that I’ve used before… so the sharks wouldn’t know who to look for.
Of course, some creative googling could still reveal my new site to them. So I had to prepare a surprise for the sharks, to keep them busy while the new site did its work. Most site attackers expect that they won’t get caught orchestrating a DOS attack. This is usually because they can use a temporary site long enough to create the attack viruses, then ditch it before they can be traced. But we knew in advance that they were coming, and when you knew in advance, there were things you could do about it. Things that would keep them too preoccupied to google spoof addresses.
By the time Pete got back with my coffee, I had the dupe site up. Now it was time for the fun work.
Viral campaigns are interesting things: They work because they play on people’s emotions or curiosity, hook them either with assumed veracity or just plain entertainment value, and are subsequently passed around to others. Sometimes, they don’t have to be real, truthful, or even that well-done, as long as they are clever. So the trick is, figuring out what’s real enough, truthful enough or clever enough to become viral.
Unfortunately, people know about viral campaigns now… so they won’t fall for just anything. You have to be very careful, or someone will expose your viral campaign for what it is, and everyone will ignore it. However… sometimes, that’s exactly what you want. If you can get enough people to check out the guy who had the incredibly big cojones to do some crazy online stunt, you’ll achieve the same thing as a viral campaign that has everybody fooled.
So what was I gonna do?
What else? I was gonna use porn.
10: Distracting with Porn
Any web guy knows porn is the easy way around anything. You want it found? Use porn. You want it hidden? Use porn as a distraction. You want everyone to check it out? Give it a porn connection. In this case, it would be the cover to Fritz’s book, which he fortunately hadn’t created yet. Using trusty Photoshop, I whipped up a book cover that included a certain star of stage, screen, silken sheets, yacht decks, private plane lounges, limo back seats, doctor’s offices, and the occasional honeymoon suite closet (hey, I don’t judge ‘em, I just pick ‘em), and roughed up a set of futuristic clothing over her otherwise naked body… in such a way that everyone who saw it would know who it was, and how to find the unencumbered photo my art was based on. It was like dangling a carrot the size of… well, a really big carrot… in front of those sci-fi fanboys. Then I added a male, same notations as above, for the fangirls.
Then I sent that cover art shot to numerous e-book-related forums I dug up after a quick search, making sure the art was also a link to the bogus site. The bogus site included an easy-to-find page I’d thrown together on how to Photoshop cover art, which included source links. This material would suck the fanboys in like flies, because if there’s one thing fanboys like to do, it’s to know easy ways to make salacious content of their own. For the wimming, I added a few comments and links to sites that discussed the affairs of said male porn star with the wife of a certain Latin heartthrob. (Later, I’d remove the art and material, and leave a message from the author about an over-zealous web guru with questionable taste.)