The story begins two weeks ago. Yitzhak Mozgah, a consultant and employee of security company COMSEC Computers, issued a press release in which he reported that COMSEC, in cooperation with PubliCom, had identified a break-in to Israeli computers carried out by Lebanese nationals residing in Texas. According to him, the company had managed to trace a break-in as it occurred before their very eyes. The Israeli security specialists followed the hackers and found that they hid behind fourteen secondary sites in order to conceal their identities. However, tracing all the sites revealed the source to be a Lebanese resident of Texas who operated an Internet site known as leb.net.
In addition, Mozgah reported that for a period of three weeks, dozens of Israeli sites had been attacked from that site and the hackers had erased files and shut down services. He hinted that even defense units had been brought into the picture, as this sort of hacking can also serve as virtual terrorism against Israel.
The information reported by COMSEC was reported in all of Israel's newspapers. "Ha'aretz" published it under the headline "Computerized Terror Attack on Israeli Companies". "Globes" published the item with the headline "Lebanese Resident in US Attacks Scores of Israeli Co Internet Sites". "Ma'ariv" later published an item entitled "Lebanese Hackers Attack Internet Sites in Israel". That report raised the number of attacked sites to 100.
Over the weekend, Globes' Internet site received angry responses from readers all over the world, accusing the newspaper of falsely implicating completely innocent people. And that was the polite electronic correspondence - a few Internet sites called the publications by rather crude names.
The most touching of all was a letter from Hans himself. Hans Zoebelein, from Munich, recounted that he operates software to check operating systems at Internet sites. "I run a survey which measures precisely the number of operating systems used on computers to run the Internet. The survey was launched in July 1998 and has been running monthly since then," Zoebelein tells us. "The entire story began because someone thought this was a hack attack, shouted 'Fire!' and then was too embarrassed to admit their mistake".
"Why would a hacker send seven 'information packets' to a site he is attacking?" Zoebelein asked, and included the seven commands he sent to computers in Israel that had mistakenly been identified as a hostile attack. "If you don't understand what I've written, you can ask Eli Marmor in Israel and he will explain this to you," Zoebelein suggested.
Marmor, the owner of software company El-Mar, which provides Hebrew support for sites and computer systems that use Unix operating systems, confirmed the story. "This is a mistake that causes great damage," he explained emotionally. His account differs a little from the one in the press release.
The system was programmed by hundreds of volunteer programmers and is designed for use on the Internet. Marmor says Alex Halil, an American of Lebanese descent who runs an Internet site that spreads the news of the alternative operating system Linux, voluntarily hosts various bodies such as human rights organizations from Arab countries. Alex and Hans also cooperate in the voluntary management of an Internet site for the blind. The site provides a variety of Linux-based software designed to help the blind use computers and surf the Internet.
Another area in which the two cooperate is the "Operating System Counter", which Zoebelein essentially operates from Germany and Halil hosts, as he has fast communications lines.
The software, like the Linux language, was programmed by a large group of Linux programmers who volunteered their work, and is designed to make a real accounting of the use of operating systems on the Internet. As opposed to surveys by research companies, the system does not offer estimated figures, or a sampling, but scans the entire Internet, site by site, clarifying which operating systems are in use.
But here comes another question: why maintain an operating systems survey on the Internet when there are large, resource-rich consulting firms that publish market data, estimates and projections?
Because, say Internet people begging that their names not be used, those figures are untrue, or at least inaccurate. The community itself is interested in a real accounting, not market estimates.
For instance, a glance at the survey's September figures immediately indicates why the real professional community prefers this data. The most prominent thing is the unshakable controlling position of the Linux operating system. The system was jointly designed beginning ten years ago by volunteers and distributed for free via the Internet ever since.
Of the 643,000 web servers queried in September, Linux operates on 171,000, in other words, on 26.3%. This is followed by Microsoft's Windows operating system at 23.4% of the market (152,000 servers). Third place goes to BSD, the University of Berkeley's version of Unix, with 22.6%.
Other than Linux's status, another surprise in the survey is the weak position of reputable, veteran systems. Sun's Solaris, for instance, is in second place only in Internet news servers, where it has more than 23% of the market. Linux reigns supreme here too, with 24.7% of the market, while Microsoft is at a downtrodden third place with a 15.5% market share.
In contrast to Solaris, however, other reputable, veteran systems, namely Hewlett Packard's HPUX, IBM's AIX, Digital Unix, and Mac, have only small shares in all the categories.
On October 23, Zoebelein says, his friend Alex Halil, whose Internet site sends the scouting packets, told him of a problem. Just then, the software was querying all the servers with domain names ending in "il" (Israel), which led to complaints of attempted hack attacks on Israeli high tech companies and banks. Halil wrote that the press release he received was a declaration that the hackers had succeeded in circumventing Check Point's Firewall-1 defense system and erasing the log files of compromised computers.
Hans was alarmed by the response. Usually, a few complaints about the scouting packets are received, once in every 120,000 queried computers, usually from webmasters operating firewalls. In a report to readers, Hans quotes the text of the letter he says he sent to COMSEC.
In the letter, he detailed the nature of the packets he sends, explained why they cannot erase log files, and why they cannot be hostile packets in any way, and even offered to remove sites managed by the complainants from the survey. "I can put servers on a special list that excludes them from the survey and they will not be queried again," he wrote. "If you wish to remove any host computers from the survey, please send me their domain names and I will add them to the exclusion list."
Hans thought that was the end of the story. He went out for the evening with friends and returned home only at 4:00 am. When he checked his e-mail, he found a letter from Alex including a "hack warning for Israeli sites" to which Alex had added the comment "This must be a joke". But it wasn't a joke. According to him, he corresponded for two days with an expert from COMSEC, trying to convince him that this was not a hack attack. Unsuccessfully.
So what did we have here? It is not entirely clear. Eli Marmor is convinced that COMSEC made a horrible mistake: they misunderstood the Queso software's transmissions, and then it was too late to retract their mistake. "The damage is enormous," he says. Among other things, for those interested, the Internet operating system survey was stopped until further notice. That is concrete, visible damage.
Hank Nussbacher, a member of the Israeli Linux community and considered one of the first in Israel involved in the Internet, wrote about the incident, stating that it is possible that Check Point's firewall interpreted the scouting software's communications as a hack attack, despite the fact that it was not. COMSEC insists that there are clear signs of hacking in the incident.
COMSEC general manager Nissim Barel says, "That approach, penetrating other systems without permission, is unacceptable. That is how hackers work and he does use software that hackers use. It is only reasonable that anyone doing a worldwide survey should not do so without permission, and not use software used by hackers. Anyone who reads the computer law in Israel understands that he committed a hacking offense."
Hans claims that you acted unprofessionally and that you published a hack attack warning without seeking his response.
Barel states, "That is the version of the hacker community. You don't say anything that isn't agreed in advance. We don't approach any hacker to consult with him. If someone appears to us to be a hacker, we warn about him."
Hans says that the commands he used, and transmitted to you, cannot cause damage or erase files in the host computer, so your warning was unreasonable.
"I don't know what is going on in his head and if he had malicious intent or not, but it doesn't look good, and his explanations look even worse. The Firewall software that he went through included a list of concerns authorized to enter the site, but he went to those sites, although unauthorized, in an attempt to bypass the firewall and reach the operating system itself. To penetrate another system without permission. That is hacking, and it doesn't matter what your purpose is."
Published by Israel's Business Arena November 8, 1998