L0pht And The FBI
A reader recently submitted a story from The Reg concerning some questioning of l0pht, @stake, and the general business of security. The article itself is harsh, but raises some interesting points.
It seems that a lot of people have problems with this article because it suggests that hackers and their heroes might possess anything less than perfect integrity. But don't let your personal pride in the accomplishments of people you admire and to which you relate prevent you from also acknowledging their flaws and shortcomings.
All the author of this article is doing is reposting a very important rant made by someone at H2K2. The substance of that rant is: the rewards a hacker or hacker group can receive for ratting out malicious hackers is strong, and it is more than likely that a high profile hacking group has done so at one time or another. We are all human.
Everyone here knows how the Riemann Zeta function relates to hacking.... Except me.. Care to explain -- or were you just flaunting your "knowledge" of math to make others feel stupid?
How secure were your Windows 2000 machines for the two months that Microsoft knew universal plug and play was a huge hole but were unwilling to tell the public about? They were launching XP at the same time, with the same vulnerability, and did not want to have to immediately issue a patch for "the most secure OS ever".
Your security was compromised by Microsoft's marketing, for god's sake. Oh, I'm sure you had a firewall on port 1900/UDP and port 5000/UDP, right?
The timing:
"On December 20, 2001, eEye Digital Security, the security firm that gave the Code Red worm its name, announced the discovery of "major security vulnerabilities"[1] in Microsoft's flagship operating system, Windows XP. Specifically, the vulnerabilities were discovered in Microsoft's Universal Plug and Play feature, which ships by default with XP. On that same day Microsoft released a patch [2] that resolved the issue; however, it was a dismal ending to a year that saw security flaws in Microsoft products announced in the press on a weekly basis [3] and exploited in hundreds of thousands of computers worldwide."
The vulnerability:
"When eEye announced the discovery of the UPNP vulnerability [9], they described three attack scenarios; a remotely exploitable buffer overflow, a Denial of Service attack and a Distributed Denial of Service attack. Of these three, the buffer overflow is by far the most serious. It could lead to a remote compromise of a machine, surrendering complete control of the machine (and possibly an entire network) to its attacker."
Microsoft knew about this hole on the launch date. The XP Cd had gone gold so they could not change it before it reached consumers. They waited until a third party discovered the hole and published before releasing the patch.
The disgust this decision generated caused such a backlash, Bill announced the "Trustworthy Computing" initiative.
There have been 7 exploits found since then.
There will be 7 more found before the end of this year.
Your Windows network is vulnerable no matter how good your admins (1 per 50 machines) are because only Microsoft can issue patches and they have proven to be criminally irresponsible where security is concerned.
If voting were effective, it would be illegal by now.
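The comment above asks whether anyone actually had 1900/UDP filtered. The one thing a practitioner can verify from outside is whether a host still answers SSDP discovery, the UPnP protocol behind the vulnerability eEye described. The following is an added example, not code from the article or from any of the people discussed: it builds the standard SSDP M-SEARCH request, parses a reply, and extracts the host and port where the device serves its description (the TCP side of the UPnP service). The reply embedded in `SAMPLE_REPLY` is constructed for the example, with an RFC 5737 documentation address, and is not a capture from a real Windows host; `probe()` sends a live request and is only useful when run against a machine you are allowed to test.

```python
import socket
import sys
from urllib.parse import urlparse

SSDP_ADDR = "239.255.255.250"   # SSDP multicast group
SSDP_PORT = 1900                # SSDP discovery port (UDP)


def build_msearch(search_target="ssdp:all", mx=2):
    """Return the bytes of an SSDP M-SEARCH discovery request."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data):
    """Parse a unicast SSDP reply. Returns a header dict for an
    'HTTP/1.1 200 OK' reply, or None for anything else (NOTIFY, garbage)."""
    text = data.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":            # blank line ends the header block
            break
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def description_endpoint(headers):
    """From the LOCATION header, return (host, port) of the device
    description server, i.e. the TCP listener a firewall should also cover."""
    location = headers.get("LOCATION")
    if not location:
        return None
    url = urlparse(location)
    if not url.hostname:
        return None
    port = url.port if url.port is not None else (443 if url.scheme == "https" else 80)
    return (url.hostname, port)


def probe(target, timeout=2.0):
    """Live check: send M-SEARCH to one host and collect any SSDP replies.
    Returns a list of (source_ip, headers). Not exercised by the offline test."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), (target, SSDP_PORT))
        while True:
            try:
                data, addr = sock.recvfrom(4096)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append((addr[0], headers))
    finally:
        sock.close()
    return found


# Constructed sample reply (assumption: not captured from a real device).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:5000/rootdesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 example-upnp/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for ip, hdrs in probe(sys.argv[1]):
            print(ip, "answers SSDP; description at", description_endpoint(hdrs))
    else:
        hdrs = parse_ssdp_response(SAMPLE_REPLY)
        print("sample reply parsed:", hdrs["ST"], description_endpoint(hdrs))
```

A host that answers the probe has 1900/UDP reachable from wherever you ran it, and the LOCATION header tells you which TCP port the description service is on; both are what the "firewall on port 1900/UDP" jab is about.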
I didn't go to H2K2, although I looked over the itinerary and this speech caught my eye because of its title and because of who was giving it. I know most of the people involved in this.
As far as the specific finger pointing at specific people, I don't really care and there probably was both truth and falsehoods contained in them. I don't care about that part of it, the specifics. As far as the *general* tone, I tend to agree with it.
Hackers break into systems and networks despite whatever technical roadblocks and threatened legal roadblocks are in their way. On the other side is law enforcement, who imprisons them, and corporate security people who try to prevent breakins from a technical standpoint and who work with law enforcement. These two sides are in *conflict* and as laws become more draconian (the recent retroactive hacker laws, or the life imprisonment hacker laws in the US) and hysteria about "cyber-attacks" or whatever they're called on the news grows, this only sharpens the definitions between the two conflicting groups.
This notion that there is a kind of continuity, with "black hats", "grey hats" and "white hats" and law enforcement all blending into one another is ridiculous. For that part, anyone actively engaged in the type of law breaking that the government is interested in enforcing would be crazy to go to these cons, or being a known person in these circles.
The skilled hackers I have known usually had regular contact with a handful of people and never went to cons. And even many of them got busted. Don't forget TAP's 3rd commandment of phreaking - "every 3rd phreak is an FBI agent".
There's a circle of people who always have, and always will, keep to themselves, get into systems and stay there unobtrusively, who are usually very good at programming, hacking, or social engineering. They seize the means of production, for a short time, from the bourgeoisie for themselves. Some of them don't even hack, they just look for buffer overflows, race conditions, or whatever the hell people look for nowadays, and pass them on to the people who do hack when they do find them. Security always exists so a small elite can hoard to themselves ownership and control of most of the pie, usually directly for, if not, as a side result of. For those like me who agree with Proudhon that "property is theft", what is obscene is not that some 16 year old wants to get into Monsanto's network, but what is obscene is Monsanto, its profits which it expropriates from the surplus labor time of its workers, its frankenfood, toxic dumping and poisoning of the environment, and the security apparatus it employs, from its software and hardware security, to its on-staff security, to the state security apparatus, that maintains and continues its existence. Most of the computer community is repulsive to look at, but at least there's some hope.
The hypocrisy. You get these people that say "ya, screw the government, information was meant to be free" and so on BUT then are willing to be governmental lapdogs when it acts to line their pocketbooks. That's the aspect I mind of some of these "hacker" companies. They like to play pretend that they are in it for idealistic reasons, but are perfectly willing to throw ideals out the window if it will serve to make them more money.
"Hey! You forgot the 'Riemannian Zeta function'", he noted.
Talk about a professional faux pas - that changed my entire ruleset. I knew then was the time to lock my screen and go get a coke from the break room. If I forgot such a mainstay to information security, I obviously needed a break.
The odd thing is that I was using the "Riemannian Zeta function" to harden a server that was going on the DMZ just that morning. And it's also prominently featured in many of our infosec policies and best practices documentation - some of which I helped write. Hell - many arguments over infrastructure issues with the rest of the IT department have been solved by getting everyone in a conference room and hashing out a zeta function on the whiteboard. I mean... sure, you still have a few dissenters. But it's hard to maintain a rational stance in the face of pure mathematics.