Slashdot Mirror


L0pht And The FBI

A reader recently submitted a story from The Reg concerning some questioning of l0pht, @stake, and the general business of security. The article itself is harsh, but raises some interesting points.


  1. This article is basically one big troll by evil_roy · · Score: 3, Insightful

    I'm sure if the contents were included in a comment here they'd be modded as flamebait.

    A typical quote from this article :

    "There does indeed appear to be a circle jerk between commercialized blackhat sellouts and the Feds; and the cons do appear, perhaps inadvertently, to provide the venue and privacy needed for such liaisons."

    There is no substance whatsoever for any of the wild claims this bloke is making. Leet-speak junk.

  2. Hacking and Ethics are two different entities by Dr.+JJJ · · Score: 5, Insightful

    It seems that a lot of people have problems with this article because it suggests that hackers and their heroes might possess anything less than perfect integrity. But don't let your personal pride in the accomplishments of people you admire and to which you relate prevent you from also acknowledging their flaws and shortcomings.

    All the author of this article is doing is reposting a very important rant made by someone at H2K2. The substance of that rant is: the rewards a hacker or hacker group can receive for ratting out malicious hackers is strong, and it is more than likely that a high profile hacking group has done so at one time or another. We are all human.

  3. Oh boy, talk about such utter self importance. by Blaede · · Score: 3, Insightful

    Why did I get the feeling I was in Junior High again? Black hat hackers squabbling about the "importance" of their craft, tit and tat arguing about UTTERLY STUPID SHIT! This is exactly why mainstream people laugh publicly at hard core computer guys. Classic case of TOO MUCH TIME ON ONE'S HANDS. We live in the best country in the world, and the best these guys do with it is base their lives and hates on the excruciating useless minutiae and politics of computer hacking and its culture? These guys make rednecks look like models of common sense.

  4. Who cares ? by Krapangor · · Score: 1, Insightful
    Everybody knows that these "h4x0r gr0up5" are just a bunch of attention whores with no clue at the important topics.
    Some people will now say: "ohn, p0rn has found the 3xpl017 for the buffer overflow at IIS 576.37376SGHAF 54678"
    But sorry sonny, this is no skill.
    In fact any kiddie with a debugger can create a buffer overflow exploit. If you analyze the "h4x0r" tools these groups publish, you'll soon notice that they are basically based at extremely low technological levels, usually stuff like brute-force password crackers (around since the '70s) like l0phtcrack and bo-exploits etc.
    Any CS undergrad with decent programming skills could do these things.
    It's no surprise that the most famous "h4x0rs" got their fame from break-ins done by social engineering or at boxen with extremely low security.
    For being a real security expert you need extremely broad scientific knowledge and not just a long list of memorized UNIX commands. And these dudes don't have this knowledge at all, e.g. I would be surprised if one of them knows the Riemannian Zeta function at all.

    There is a good sign for a bad security company: if they start to hire h4x0r5, then they have no clue at all. And of course we don't need to discuss the issue of "security companies" founded by h4x0r5 at all.

    Personally I'm not surprised of these claims that they sold out each other to the FEDs. These guys are a bunch of no clue wannabe experts with a pathological hang for gaining attention. Such people do such things.

    --
    Owner of a Mensa membership card.
    1. Re:Who cares ? by supermoose · · Score: 3, Insightful

      I would be thrilled to know how the Riemann (not Reimann) zeta function relates to being a real security expert. As far as I can see, this post was no different than the "1337er-than-U" pissing-contest that formed the majority of this article.

    2. Re:Who cares ? by Anonymous Coward · · Score: 1, Insightful

      It is worth mentioning that "real security experts" often work on much of the software that these "hacker kiddies" find holes in. That fact alone is enough to pop your argument, but why stop here?

      The problem with "real security experts" is that all they do is talk the talk. They publish page after page of policy and descriptions of various hypothetical problems. The hacker kiddies actually walk the walk. They may not have a fancy education, but they can make or break a machine.

      The ideal mix is a "security expert" designing policy while several "hacker kiddies" implement it. The windbag security experts I've met would never take the time to make sure that all of the suid binaries on their servers don't have buffer overflows. (just one of a zillion examples)

      As for mathematics: I've never heard of a Riemannian Zeta, but there is a Riemann Zeta function. This function is related to the prime number theorem. I guess this may be useful for working with public key cryptography -- I really dunno -- and it really doesn't matter!

      It really boils down to this: when was the last time you discovered some property about network/system security and invented a unique solution?

      I know several "hacker kiddies" , and even several hackers themselves, some being discussed in The Register's lame attempts at "News", who could compile an answer to the above question that would require volumes to fill.

      Of course if a biologist or chemist did this, no one would be accusing them of being a sellout, or furthermore, a "kiddie"!

  5. Re:Viruses by Perdo · · Score: 5, Insightful

    How secure were your Windows 2000 machines for the two months that Microsoft knew universal plug and play was a huge hole but were unwilling to tell the public about? They were launching XP at the same time, with the same vulnerability, and did not want to have to immediately issue a patch for "the most secure OS ever".

    Your security was compromised by Microsoft's marketing for god's sake. Oh, I'm sure you had a firewall on port 1900/UDP and port 5000/UDP right?

    The timing:

    "On December 20, 2001, eEye Digital Security, the security firm that gave the Code Red worm its name, announced the discovery of "major security vulnerabilities"[1] in Microsoft's flagship operating system, Windows XP. Specifically, the vulnerabilities were discovered in Microsoft's Universal Plug and Play feature, which ships by default with XP. On that same day Microsoft released a patch [2] that resolved the issue; however, it was a dismal ending to a year that saw security flaws in Microsoft products announced in the press on a weekly basis [3] and exploited in hundreds of thousands of computers worldwide."

    The vulnerability:

    "When eEye announced the discovery of the UPNP vulnerability [9], they described three attack scenarios; a remotely exploitable buffer overflow, a Denial of Service attack and a Distributed Denial of Service attack. Of these three, the buffer overflow is by far the most serious. It could lead to a remote compromise of a machine, surrendering complete control of the machine (and possibly an entire network) to its attacker."

    Microsoft knew about this hole on the launch date. The XP Cd had gone gold so they could not change it before it reached consumers. They waited until a third party discovered the hole and published before releasing the patch.

    The disgust this decision generated caused such a backlash, Bill announced the "Trustworthy Computing" initiative.

    There have been 7 exploits found since then.

    There will be 7 more found before the end of this year.

    Your Windows network is vulnerable no matter how good your admins (1 per 50 machines) are because only Microsoft can issue patches and they have proven to be criminally irresponsible where security is concerned.

    --

    If voting were effective, it would be illegal by now.
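The post above asks whether the UPnP ports it names (1900/UDP and 5000/UDP) were actually filtered at the time. Below is an added example, not part of the original thread or of any product mentioned in it, that shows the kind of check a defender could run: it evaluates a constructed first-match firewall ruleset against constructed `netstat`-style listener lines and reports which UPnP listeners an outside source would still be allowed to reach. The rule syntax, the probe address and the sample data are all assumptions made for this example; the port numbers are the ones the post gives.

```python
"""Flag UPnP listeners that an outside host could reach through the firewall.

All inputs here are constructed for the example: a tiny rule syntax of the
form '<allow|deny> <proto>/<port>|any from <cidr>', and listener lines in the
shape 'UDP 0.0.0.0:1900 *:*' as 'netstat -an' prints them.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The ports the post names as the exposed UPnP surface (1900/UDP, 5000/UDP).
UPNP_PORTS = {("udp", 1900), ("udp", 5000)}


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str                        # "udp", "tcp" or "any"
    port: Optional[int]               # None matches any port
    source: ipaddress.IPv4Network     # who the rule applies to


_RULE_RE = re.compile(r"^(allow|deny)\s+(\S+)\s+from\s+(\S+)$")


def parse_rules(text: str) -> list:
    """Parse the constructed rule syntax; '#' starts a comment."""
    rules = []
    for raw in text.strip().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"bad rule: {line!r}")
        action, service, cidr = m.groups()
        if service == "any":
            proto, port = "any", None
        else:
            proto, port_s = service.split("/")
            port = int(port_s)
        rules.append(Rule(action, proto.lower(), port, ipaddress.ip_network(cidr)))
    return rules


def first_match(rules: list, proto: str, port: int, src: str) -> str:
    """First matching rule wins; an unmatched packet is denied (default deny)."""
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if src_ip in r.source:
            return r.action
    return "deny"


def parse_listeners(text: str) -> set:
    """Parse 'netstat -an'-style lines into (proto, local_addr, port) tuples."""
    found = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        proto = parts[0].lower()
        addr, _, port = parts[1].rpartition(":")
        if proto in ("udp", "tcp") and port.isdigit():
            found.add((proto, addr, int(port)))
    return found


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:       # wildcard such as '*' is not loopback
        return False


def exposed_upnp(rules: list, listeners: set, probe_src: str = "198.51.100.7") -> list:
    """Return UPnP listeners reachable from probe_src (a documentation-range
    address standing in for 'somewhere on the Internet')."""
    hits = []
    for proto, addr, port in sorted(listeners):
        if (proto, port) not in UPNP_PORTS:
            continue
        if _is_loopback(addr):
            continue                     # bound to loopback only; not reachable
        if first_match(rules, proto, port, probe_src) == "allow":
            hits.append((proto, addr, port))
    return hits


# Constructed sample data: the "no firewall" case and a hardened ruleset that
# keeps UPnP usable on the LAN while denying it from everywhere else.
WEAK_RULES = "allow any from 0.0.0.0/0   # everything open\n"
HARDENED_RULES = """
allow any from 192.168.0.0/16     # LAN may reach everything
deny udp/1900 from 0.0.0.0/0      # SSDP discovery
deny udp/5000 from 0.0.0.0/0      # the other UPnP port the post names
"""
LISTENERS = """
UDP 0.0.0.0:1900 *:*
UDP 0.0.0.0:5000 *:*
UDP 127.0.0.1:5353 *:*
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, exposed_upnp(parse_rules(rules), parse_listeners(LISTENERS)))
```

With the weak ruleset both UPnP listeners are reported; with the hardened one the Internet probe gets nothing while a LAN source (say 192.168.1.9) still reaches them, which is the intended split. The hardened form still only limits reachability: the post's point stands that only a vendor patch removes the flaw itself.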

  6. Article? by GdoL · · Score: 2, Insightful

    This article as far as I can see is an opinion, not a report of facts. So the merits of it are the relevance you give to the writer. And this writer is well-known by the community, recommended by someone, as a relevant cv for the matter? Doesn't seem so. So why is this here without the necessary explanation?

    --

    ------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
  7. good points by Anonymous Coward · · Score: 5, Insightful

    I didn't go to H2K2, although I looked over the itinerary and this speech caught my eye because of its title and because of who was giving it. I know most of the people involved in this.

    As far as the specific finger pointing at specific people, I don't really care and there probably was both truth and falsehoods contained in them. I don't care about that part of it, the specifics. As far as the *general* tone, I tend to agree with it.

    Hackers break into systems and networks despite whatever technical roadblocks and threatened legal roadblocks are in their way. On the other side is law enforcement, who imprisons them, and corporate security people who try to prevent breakins from a technical standpoint and who work with law enforcement. These two sides are in *conflict* and as laws become more draconian (the recent retroactive hacker laws, or the life imprisonment hacker laws in the US) and hysteria about "cyber-attacks" or whatever they're called on the news grows, this only sharpens the definitions between the two conflicting groups.

    This notion that there is a kind of continuity, with "black hats", "grey hats" and "white hats" and law enforcement all blending into one another is ridiculous. For that part, anyone actively engaged in the type of law breaking that the government is interested in enforcing would be crazy to go to these cons, or being a known person in these circles.

    The skilled hackers I have known usually had regular contact with a handful of people and never went to cons. And even many of them got busted. Don't forget TAP's 3rd commandment of phreaking - "every 3rd phreak is an FBI agent".

    There's a circle of people who always have, and always will, keep to themselves, get into systems and stay there unobtrusively, who are usually very good at programming, hacking, or social engineering. They seize the means of production, for a short time, from the bourgeoisie for themselves. Some of them don't even hack, they just look for buffer overflows, race conditions, or whatever the hell people look for nowadays, and pass them on to the people who do hack when they do find them. Security always exists so a small elite can hoard to themselves ownership and control of most of the pie, usually directly for, if not, as a side result of. For those like me who agree with Proudhon that "property is theft", what is obscene is not that some 16 year old wants to get into Monsanto's network, but what is obscene is Monsanto, its profits which it expropriates from the surplus labor time of its workers, its frankenfood, toxic dumping and poisoning of the environment, and the security apparatus it employs, from its software and hardware security, to its onstaff security, to the state security apparatus, that maintains and continues its existence. Most of the computer community is repulsive to look at, but at least there's some hope.

    1. Re:good points by peter · · Score: 3, Insightful

      > People like to be able to make money you know.

      All I really want is to have a good life; To be able to eat, and to live comfortably, and do things I like. (It makes me happy to know that other people are also having good lives, which is why I dislike exploitation/sweatshops/crap like that). The easiest way to get stuff you want in Canada, where I live, is to make money. There's nothing intrinsically good about money itself. Systems very different from capitalism are possible, and people living under such systems probably still want to have a good life, but they may or may not want to make money, depending on the system.

      Note that Western capitalism measures everything in dollar value. The state of the environment and public health have no value to a corporation, except when laws and liability translate actions into dollars taken away from the company. (Corporations are run by people, and some of those people do apply their moral values to things, but the system as a whole measures everything on the same scale: dollar value.)

      --
      #define X(x,y) x##y
      Peter Cordes ; e-mail: X(peter@cordes , .ca)
  8. Here's where sellouts come from. . . by Fantastic+Lad · · Score: 4, Insightful
    Very simply. . .

    When you are a kid, you have skills and powers and the fire in your gut. And Mom & Dad pay for more than half your stuff. You don't worry about how you'll take care of yourself. You don't care about owning property and about how you will take care of your family. --You don't have kids yet, and probably don't plan to. Money is interesting and sexy, but it's not vital. In fact, it's kind of funny. It seems so many people take it far too seriously. It's fun to mock.

    And so you hack. Or paint. Or busk. Or drink and smoke, or whatever young people do with their time and their fire and the money Mom & Dad gave them. --Or the few bucks earned from some lousy retail job.

    And life is pretty good for about five to ten years. Rough and kinky and friendly around the edges. You can live on beer and pizza and Playstation and hope for a good romance/fuck with that girl you like, and maybe get some D&D in on every second Tuesday, cuz, you know, everybody has so little time these days, now that college is over.

    But then. . .

    You get the first of your grey hairs. Your body starts to do funny things. The mad fire of enthusiasm starts to flicker and you realize that your river of power is really NOT going to last forever!

    And worse, you realize that true love has an unexpected price tag; one which is somewhat higher than the cruddy IKEA furnished room-mate situation you lived in when you were 25. Wives and families need proper bedspreads and New Car Smell purring from the AC. --And it always kind of sucked, but now you find yourself thinking more and more that working the Blockbuster counter just isn't as cool in your late twenties as it was when you were sixteen. And fuck! You're going to be thirty next year!

    So you start to get scared, but this time you can't put off finding a solution. It's getting late. So what skills do you have? What can you turn into a lot of cash? The gun-wielding asshole at the border or in the patrol car or wherever, isn't going to let you get away with your stupid young shit just because you flash that caught-in-the-headlights "but I'm just a student," look at them anymore. You need credit cards and a fucking haircut buddy, or you're no place.

    Sure, it's selling out. Sure it is. Hell, you had about 10 whole years to find a proper solution! And hell, if you were smart and diligent, you could have come up with something which would have steered you to financial comfort and self-reliance without darkening your soul; without caving in to the siren call of corporate slavery. But if you are like the other 99% of the spent sperm out there which never even found the road map to the lovely egg, then you're fucked like everybody else. Youth is powerful and wonderful and intoxicating, but then it's gone, and that's the way of things. It's not even sad. It's just how it is.

    And this is one of the places where FBI sell-outs come from.

    The rest is just stupidity and grandstanding. Cuz, you know, kids, eh?

    -Fantastic Lad

    (Sorry. I'm painting a very negative picture of life here. You can change any of the above at any time. Corporate slavery can be left behind and moral high ground reached very easily any time you choose. But tonight, I've got the techno-ambient MP3's playing and I'm in a bad mood, so this is what I wrote. The sun'll come out tomorrow. . .)