Slashdot Mirror
Hacker Leaks Unreleased CERT Reports
Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."
Its a little too ironic if he's using the leaks in the reports he steals....
wonder if there will be an advisory over this
It shouldn't be that hard to catch him if they know what information is being leaked and when.
With the way ISS handles things I bet they're after this guy.
Otherwise... $5.00 says he works for ISS... any takers?
scott
A hacker is someone who tweaks software or hardware beyond it's original specs.
If you enjoy Bugtraq and can put up with the occasional flame war ... FD is an awesome list.
FD Charter
KARMA TAG! You're it.
Sun is lagging on releasing updates for this RPC vulnerability.
Maybe someone that's upset with the way CERT is doing things...
or maybe someone joined CERT just so he/she could play uberhacker.
my pet machine
I drink too much coffee. I leak several times per day.
How to Download YouTube Videos
What is interesting to note, is that this, or these, as it may be hackers are /releasing/ the truth.
Not defacing web sites, hacking student DB's, etc.
Is truth the new hack of the future?
This is both good and bad. Good, in the sense that more people will know about these vulnerabilities. Bad, in the sense that more people will know about these vulnerabilities. In my opinion, the only time security vulenrabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone. It is unreasonable to expect all code to be completely secure, it is just flat out impossible. However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
I hate sigs.
nowhere in the slashdot article does it say that he hacked; it says that he is a hacker. That's similar to me saying, "The boy ran down the street", and you saying "he's not a boy, he's a runner!"
I think this brings up an interesting point related to hackers ethics. On one hand people should know about problems so they fix their machines right away, but if there is no quick fix then perhpas its a thing for a "need to know" basis. I'm interested to hear if slashdotters think this "hacker" is doing a good thing, or a bad thing.
I've never liked the fact that CERT was more or less an exclusive security club. It's obvious that hackers monitor the mailing list and know the vulnerablities before majority of everyone else in the world.
CERT should instead, stick with helping behind the scenes coordination between security agencies like eEye and software companies; and should stop publishing unfixed problems to a CERT's underground mailing list.
Interesting, but I'm waiting for Chirac to be found dead before I start celebrating. [repost due to unfavorable moderation]
hmmmmmm?
Could this have been an inside job?
What concerns me is that one of the vlunerability reports released by this guy wasnt schedualed to be released until June... JUNE??? What the hell are they going to wait till June for. Cant the vendor get their act together before then? This is why we need bugtraq so bad.. IMHO they should get 3 or 4 weeks max to fix the problem otherwise it gets released. If there is even a hint its being exploited on the net it should be released immediatly, fix or no fix.
Malice95
At Ye Olde Computational Machinery Shoppe they still say hacker as well.
Language fucking changes get over it.
Why don't you just go back to speaking latin you fucking backwards fucker.
I was somewhat torn on the issue until I read "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).
Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.
It's better to burn out than to fade away
It's the sound of every sysadmin on Earth switching to BSD!
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
Move along, nigger.
Store the Windows vulnerabilities on a Windows server, Linux vulnerabilities on a Linux server, etc.
That might take the edge off some companies' complaints about vulnerabilities leaking out before the clock is up.
Allow me to speak for the silent majority here at Slashdot. We don't always get an opportunity to
thank you for your great efforts to amuse us. Thank you. Love those tattoos. Keep up the good work!
Maybe it's just that I started reading at -1 a few weeks ago, but the number of trolls here seems to have increased greatly since the war began. Especially the obligatory ASCII-goatse with tatoos. And it now looks like we're about to get a crapflood that consists of random dirty words pluralized with 'z' and with the third one in each series being capitalized.
(Yes, this is you piss assholez BALLZ cunts, or whatever we should call you).
"Hack4life goes on to say that all future vulnerability reports will be released at 7 p.m. on Friday "to give hackers the maximum amount of time to actively exploit the vulnerability before sys-admins, CERT and vendors can act to patch the issue on Monday morning after their weekend off."
You tell me. Is this a good thing, or a bad thing?
ie leak a good piece of fiction to influence the stock market.
I'd like to liberate the pay scale from several of my former employers. The lies they told me about who got paid what were astounding when I finally found the list.
Things I'd rather see kept in the closet: the personal lives of the rich and famous, people's medical history, my home address and phone number (one stalker is one too many). Advert for penis enlargement, and instant uni degrees.
-- it must be true, it's on the internet.
Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?
Catch-22 isn't it!
Speak modern english you dumb fucker and that means using hacker in a MODERN way NOT some old SEVENTIES definition.
It is official; Netcraft confirms: *BSD is dying
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
he'll be called 'Packed4Life'.
meanwhile our Chief Marketing insists we have a secure product to run on windows. So we promise him a product "as secure as windows is". And he's happy. Dumb but happy.
If we get a client that is serious about security, they get the copy on freebsd customised, apache customised...
-- it must be true, it's on the internet.
That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.
And, as the army breakin shows, the 'bad' guys often have the information whether or not the 'good' guys even know it. There are many script kiddies out there, but there are a few really intelligent people who can do their own research, and won't bother telling CERT before they go and exploit the vulnerability.
Need a Python, C++, Unix, Linux develop
...if he knows the vulnerabilities before compromising the server, what's the point of compromising it?
But there is another kind of evil that we must fear most... and that is the indifference of good men.
If you really want security through obscurity, you should be able to get it. Quite simply, if there are a number of sysadmins who want a black box solution, then CERT should provide parallel systems, with different sets of programmers.
One should be advertised as open-source, open-problem. The other should be advertised as security-through-obscurity, maybe open-source, but not open-problem.
Then let the users pick. At that point, well-intentioned hackers should leave the STO code obscure, and publicize the problems with the open-problem code.
Meanwhile, CERT *can* use their lessons from the open-problem code to improve the STO code, but it *is* more at risk to real cracking, perhaps less at risk to script kiddies. Perhaps.
I, for one, would probably use the Security-through-obscurity code if I didn't have time to really learn my system, or hadn't yet learned the system. Once I understood my system, though, I would upgrade to the open-source/open-problem code, in order to be able to maintain maximum security. (Just my $0.02.) By the way,
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
If everyone switches to BSD then most of the vulnerabilities found will be for BSD. No OS is flawless, not OpenBSD nor any other - OpenBSD gets more attention than the other BSDs as far as security is concerned in all probability because of their security stance, but there's still a hojillion (I use that term strictly in the technical sense) bugs in there.
That's not to deride Theo & crew's accomplishments - they've done amazing work, look at how few bugs are found in OpenSSH relative to how incredibly widespread it is - but it is practically impossible to write perfectly secure code that operates at anything like a reasonable speed for the x86.
Worst. Hacker name. Ever.
</voice>
SIGFEH
This Leak is the very reson why keeping secrets is dangerous. This could be real trouble about time microsoft and others need to wake up that this is not working. Lets take linux even when there is a flaw the system admin stands a chance. Ie hard firewall can be used to block a lot and a fast update time.
The real question is how many are using the infomation they get and not telling.
XP is a good effort against Microsoft's old operating systems, but against to other vendor's - it's a sad joke. Fuck - Apple makes a better Windows-compatable file-serving OS than the people who make Windows. That should tell you somthing.
No super-computer runs Windows.
No root domain server runs Windows.
No satelite runs Windows.
No large-scale database runs Windows.
No cave system runs Windows.
No militaty flight simulator run Windows.
No bank runs it's federal transations on Windows.
Of all the important thing that computers do - hardly anthing important runs Windows. There's a reason for this.
Sure, MS has most the desktop video-game market, most of the simple spread-sheet market and simple document creation market to itself - but nothing really of importance.
I don't digest olives very well.
Fatty beef, like steak or prime rib, smeels good.
Has anyone ever found a vulnerability in the production release (not 4.0.3) of the Wang STOP operating system?
So you stared at that guys gaping anus for like an hour while you made an ascii likeness?
What the hell is wrong with you?
Hallo,
Bin ich ein Erstanwender von diesem hier website angerufenen Slashdot. Mein Englisch ist kein, also gut also ich schreibt auf meinen gebürtigen Deutsch. Ich wundere mich, warum es so viele sonderbare Leute gibt, die hier bekanntgeben. In meinem Land nennen wir diese Leute fette Weibchenesel, die kein Leben haben. Was nennen Sie sie in Ihrem Land? Ich möchte wirklich solche Sachen kennen. Auch ist es zutreffend, daß das Publikum Slashdot ganz homosexuell ist? Ich bin nicht homosexuell, aber ich möchte sein. So kann ich heißes Geschlecht mit Benutzern MitLinux den ganzen Tag haben. Linux gibt mir Holz, glauben, daß ich, den es tut. Manchmal mag ich unter die Blätter und das masturbate zum Anblick eines nude männlichen Penguin kriechen. Wie erotisch! Ich denke, daß ich jetzt gehe. Ich freue, Ihre Antworten zu lesen. Haben Sie einen Supertag!
For those who are interested: (used Google translator). What a SCHMUCK (Yiddish for dumbass)
Greetings, fellow computer users. Hello, I am a first time user of this here website called Slashdot. My English is no so good so I will write in my native German. I am wondering why there are so many weird people posting here. In my country we call these people fat bitch asses who have no life. What do you call them in your country? I would really like to know such things. Also, is it true that the Slashdot audience is all gay? I am not gay, but I would like to be. That way I can have hot sex all day long with fellow Linux users. Linux gives me wood, believe me it does. Sometimes I like to crawl under the sheets and masturbate to the vision of a nude male penguin. How erotic! I think I will go now. I look forward to reading your responses. Have a super day!
Well the only question regarding this "shock and awe" campaign is that did you actually stare at the goatse.cx website for hours or more conveniently just have your dad pose infront of you?
I'll be impressed when you make ASCII tubgirl. Until then, you're still a cock-nibbler.
Hum, look at the references section
6. http://www.kb.cert.org/vuls/id/192995
7. file://localhost/XDR.html#vendors
8. http://www.kb.cert.org/vuls/id/516825
localhost!? They're obviously already using the vulnerability to put files on my computer.
.oO Kaa Oo.
How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?
And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?
IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure to fixing things faster, and designing to avoid the as well.
now we need to go OSS in diesel cars
all of this was already disclosed to isa members. wheres the 'hacking'? i could have done this. im an idiot.
wouldn't it be more worthwhile to dig through the changelog on openbsd and determine which software has been fixed by that team and then just exploit what they fixed somewhere else?
I would like to know more.
Please subscribe me to your newsletter.
from my majick hairball (the one from the seventh cat's stomach) and spake thus:
"How much would you like to bet that there's going to be a very ugly internal audit at CERT, with much finger-pointing and threats amongst the business partners?"
C|N>K
In Netrunner you are an upstanding corporation, who aims to improve life for all people. The Evil Hackers are out there trying to constantly break into your systems. The integrity of all business relies on their being stopped!
Alternately, In the USA, those who matter are upstanding corporations whose aims . . .
I think that information that helps you to protect your sensitive information shouldn't be sensitive to the point of being protected with tools wich vulnerabilities are sensitive information.
Why do I think that? I won't tell you.. it's sensitive information.
-- When did Ignorance Become a Point of View?
First of all, it's a Bad Thing. This particular cracker did it to give other crackers a head start of the sysadmins. Even if he did it in the cyberpunk 'information wants to be free' style, it would still be a Bad Thing.
but if there is no quick fix then perhpas its a thing for a "need to know" basisEven if there's no quick fix you can always pull the plug on your servers - if you know there's an exploit, of course.
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
from the linked article:
Before the capture of the POWs, the media had little hesitation in running graphic pictures of surrendering, captured, dead or dying Iraqi soldiers, usually accompanied by US statements that large numbers of Iraqi troops were unwilling to fight for Saddam Hussein.
But the censorship of the POWs highlighted starkly what is and is not acceptable news on the war.
Hackers have been doing this forever, why write your own 0-day when you can steal other peoples? why find your own vulnerabilities when you can read some security experts email and "borrow" their research? Apparently its amazing how many security researchers have insecure computers/data storage.
Why was Mitnick originally poking around Shimomura's computers?
Wasn't there a breakin to the Well (before well.com) for a similar reason about 10/12 years ago?
Im glad to see this guy posting stuff. Simply put, people need to know what the f*ck is happening in the cyber world around them [sys-admins too ;)].
I do not understand why people should be kept from this information... Yes, it may give a "black hat" a chance to take advantage of the vuln BUT if the company or organization using the faulty software is aware of it, they should be able to watch for this attack being used or build a patch or even [GOD FORBID] switch to something more secure. [Anyone heard of a back-up plan?] Would that not solve the problem?
A post earlier on made a good point: if a black hat[hacker/cracker type] has discovered the vuln, likely he/she wont report it. They would likely use the vuln to their own ends [duh!]... If this is the case then the white hats[another hacker type] and the comunity will be none the wiser and the vuln will continue to be exploited until discovered yet again by a white hat... That takes care of the "black hat/cracker discoveres the vuln first" scenario.
Lets try the "white hat discovers the vuln first" scenario, shall we? SEE THE BLACK HAT/CRACKER SCENARIO ABOVE....
IN CASE OF FLAME...
These are just my opinions. They are not proven fact nor are they statements made by an all-seeing all-knowing entity. They are made by a human that wishes to share his opinion. [due to past flames...] Sorry if I offend and please forgive mis-spellings.
S-()-u-|-s-!-|)-E
As several of the broadcast outlets noted, the Dept. of Defense asked U.S. media to delay broadcasting images of the American POWs so that they could notify the immediate relatives. Right or wrong, and I think right, the DoD believes it is wrong for the immediate family to learn such things from television. I also do not believe such a request is unreasonable. Imagine yourself in such a situation. The world knows your brother has been captured, but you don't, because you haven't been watching TV. You're walking down the street and friends start offering condolences. You're surprised. Why are they doing this. One of the things you would be angry about is that DoD hadn't worked harder to tell you, before telling the world.
I always look to see the size. I am always happy when I do a big one.
has been patched in glibc for several days, at least.
Vote for global prefs bug
... one of their many early-warning "front-line" defenses ...
You know it's only a matter of time 'til CERT starts modifying their reports so each company's report is unique. Then they'll find which company's leaking them, and stop giving them information.
That said, a lot of folks with a lot of resources are probably going to try to find out who did this.
If/When this person is identifiec, I'll be very interested to see exactly how that happens.
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
While it is easy to claim this is propaganda, many media experts attribute much of this to different standards in various parts of the world. That is, regardless of the event, American media tends to show much less footage of severly injured people. Whether we're talking about war or a natural disaster, American media does not show lots of bodies on TV news. In general, the worst thing you see is a body draped with a sheet. In contrast, other parts of the world routinely show it, regardless of the cause.
the joke about BSD dying is ... dying. It has been around for so long and has grown increasingly lame over time so that now, it can barely raise its head.
[Notice the lack of apostrophe in "its".]
So let's put it to rest, people.
Tell the publisher of the software about the problem in priviate and give them 10 days or 30 days to fix the problem. If they don't announce a fix in that time go public. This keeps the script kiddies at bay, allows the publisher to save face and even "be the hero", and takes care of the problem. Not a perfect solution but one that can work can it not?
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
to try and distiguish between the two. Back in the day a hacker was generally bad but could be good too and was a general term used to describe someone who 'hacked' into computer systems(hince the term). A cracker was someone who cracked software to spread as warez(like cracking the cd protection).
Get over it.
...should charge money for them. Why should anyone release stuff to CERT for free then? Ta heck with that noise. Inform them you have found an exploit, all you need to do to describe it is say something like "this exploit concerns application xxx, it rates as critical (or whatever standards numerical scale that can be worked out), and CERT has a public posted fee schedule based on that. If it's not enough, some other exploit clearing house can offer the same exact service based on that model. I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee. Initial exchanges between the two contractural parties are done encrypted and signed and dated obviously, so neither party can claim fraud. Bona Fides are built on trust and peer review of releases. The exploit finders build their reputation based on performance, similar to a sellers rating, ie., they are caught exaggerating all the time, their stuf becomes of not much worth, so it doesn't sell. And the converse would be true obviously. Why should "open source" exploit finders be denied data and be denied their finder's fees if some company throws money into the equation? It works both ways. They either share freely,like normal open source code, or if charging goes on, BOTH sides get paid.
CERT is just a clearing house, they "take" other's bug finding efforts for free, but then sell the data, the good stuff that needs to be known about in a timely manner. It's the "timely manner" part that is controversial, but frankly I am of the "as soon as it's known about" persuasion, I think the info should be released as soon as known about, as a lesser of two evils option. I see the advantages and disadvantages of both methods, so it really is taste there, not all completely right or wrong.
CERT want their cake and eat it to, seems like a good business plan for them, bad for everyone else. Bad for their subscribers, bad for the freebie find-out-about-it week-later leeches, bad for the exploit finders.
Since the original "The Turd Report" has turned karma whore on us, perhaps you could pick up the slack and provide us a daily report.
I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee.
There is already a growing economy for trading vulnerabilities and exploits, both IN THE open and On the underground. Quite a few companies now offer cash for vulnerabilities and exploits, and the price is determined by the severity of the reported problem.
But these companies are part of the problem, and not a final answer. For example, one company notifies their paying customers on the same day as they contact the vendor, and another one has published a self-contradicting policy and it's not clear what they are really doing. I don't think that's responsible (on the other hand, it's not responsible to publish most of the software that it is used on the Internet).
Here's a thought. How about self education about politics and reality. How about doing the research to find out in advance if the people you are working for are really doing the best possible job, not lying to you, not making you go fight in a questionable war based on questionable reasons in advance of being put into a warzone?
Sorry man, got too many friends who as young men got stuck into a warzone based on a total lie and fabrication, the "tonkin gulf attacks". They got rah rah rahed into it, john wayned. Some got drafted, some just "joined up". Back then, real information was extremely hard to come by. Two of them I can name who are still alive got told for over 30 years their (illegal by signed convention) agent orange chemical warfare damage was illusionary, in their heads. This is NOT the case with general information now.
The background of saddam, bush, cheney, rumsfield, osama, are there, virtually anyone can do the research with a cheap dial up connection or for free at almost all public libraries. It takes the same time as watching one single football game on the TV to find out about enough lies to make anyone rational question this enterprise, that's it, that short of time with google and starting with a clean data slate, being honest about it.
My point is if YOU want to accept a check for military service, accept the responsibility that at this point in time you are in fact, a "mercenary", a soldier for hire. We don't have a draft now. In war, there are no rules. You accept "collateral damage" of your "enemy's" families, they not only find out about their little abdul or mohammed on the front lines, they themselves can get "direct feed back" in the form of exploding bombs on their own persons.
You can't have it both ways, you want your family to not have the possibilities of finding out about you being captured or hurt, then don't go over there and fight, unless you accept your adult responsibilities of the FULL ramifications of war, not the you get to pick and choose which things apply to you and your family or not, because in the real world, you don't get to pick and chose.
I support the US troops! These are my neighbors too, people not at their normal jobs today a lot of them, reserves, being exploited to the max. I know one guy personal who got called back over a year ago, and for what? Sign up for one reason, to DEFEND THE UNITED STATES WHEN IT'S ATTACKED,swell, hunt down osama, stick to that, but not this other crap,being used and abused for some other questionable reasons based on fabrications and exaggerations. Our own spooks can't even find any connections between osama and saddam, those guys HATE each other. British spooks, the same thing.
I support tour guys and nation to call it a draw, come home right now, with as few casualties as possible. Yes, I know that old model has some flaws to it,to actually be attacked, or to at least develop overwhelming evidence that an attack is imminent, but it just ain't there this time. To start down this path of pre emptive wars is just such a bad idea. That's what the 'bad guys" do, that's what stalin and hitler and tojo did, americans don't do that stuff! Once we do it a lot, the precedent established, we cannot any longer condemn any other nation for doing it. In the afghan war started by the russians, we went in and helped those moslems to resist, but unfortunately we picked some serious nutjobs like osama to "support", it was an extremely bad tactical decision, one of many made by the "profit over all" warlords back in Defense Inc. They do it all the time. Last week in the press it was all "secret emails and faxes to iraqi leaders indicated mass defections would occur". Now that that lie, one of hundreds, has been exposed, just look at reality, those people are defending their country from a hostile foreign nation, same as you or I would do. As thoroughly heinous and bad and as obnoxious as saddam is, and I assert he definetly is, these iraqis are finding our invasion a WORSE alternative,
Who read the header as
Hacker "Leaks" unreleased CERT reports
THAT would be cool!
(Leaks as a nickname).
FIRST POST!!!!!
If a hacker can publish such a report, a hacker can exploit it. So why keep the report secret? If it is published, at least administrators of affected systems can take measures to protech their systems.
Keeping the report "secret" does not block access to crackers.
basicly what you're stating is that in some cases the cure is worse than the dissease. But that's not the point at all.
Image how you would feel if you lost a relative because of an illness you could have cured or prevented if you had known. But in stead the guy
discovering it only reports it to some firm so that this one can make profits selling the info to any paying pharmaceutic compagnies.
now replace : a relative-> private data or server, illness->hack, firm->CERN, pharmaceutic->software
Now there is a fair chance that the pharmaceutic compagny brings a solution in a fair timeframe. But really their would be lot's of people having a damned good argument being angree because of the needless loss they have to endure.
You don't make a disseas disappear by not talking about it, In that case you're keeping the masses ignorant and buy some time for the pharmceutics.
If the pharaceutics come up with a solution it is only about pollisching their image, it doesn't save your ass in the meantime. If they ignore the problem, it's even worse. It can be lethal to yourself in that timeframe.
Now ask yourself again, do you still feel it's better being kept ignorant ?
Quothe the poster: To begin with, it would look like the truth. Secondly, it would look like you're putting your customers' security needs ahead of your own public image. I realize this is anathema to most large corporations, which is why strenuous arguments need to be made in favor of the correct position. So how do you tell who has that knowledge? Make them sign up on a list beforehand? That's meaningless. Make them take a test? That would be a nightmare to adminster. The situation now is nothing like what you describe - ability to fix the problem is not a precondition to have access to this information. As far as I can tell <opinion type="uninformed">the only requirement for getting this information is paying a hefty annual fee to CERT</opinion>. Perhaps you're not aware that this is the way the system operated for a long time. It was recognition of the fatal flaws of that system that started people calling for full disclosure. The vendor must be given no wiggle room, because they will almost always put their own public image ahead of the needs of their customers. Given a choice between fixing a security flaw that no one knows about and adding a new feature, which choice will a vendor make? In fact, most vendors chose to roll security patches into the new version, due in 9 months; if you got cracked in the meantime, you'd have no idea how or why, and the vendor would be no help. The game changes dramatically if there's public pressure due to rapid disclosure. Neither do I, actually. But making the information public gives you the greatest chance of reaching someone who can fix the problem. We've already established that no scalable "knowledge or desire" requirement can be imposed, so the reasonable solution is to give the information to everyone.
What you're missing, though, is that there's another solution aside from fixing faulty software: taking it offline. If a vendor announced a flaw that gave up all their servers to crackers, I'd like to be able to make the risk/benefit calculation of taking my servers offline completely, implementing different software, or trusting to luck. Without disclosure all you can do is hope to get lucky.
To get a little off-topic, remember the discussion a couple months ago about asteroid impact? Many in the atronomy community favor utter silence in the case of inevitable planetary apocalypse by asteroid impact. There are two problems with this, and both these problems map exactly onto our security disclosure argument (although the rest of the problem does not, and granted the stakes are much higher).
First, just because a small group of people can't come up with a solution does not mean that all 6 billion of us working together, or one genius working in isolation, cannot. Chances for such a solution may be small, but in this case I would leap at any small chance. Second, inevitably someone else will discover the asteroid, and then all the secrecy will have been for naught.
The only rational argument against full disclosure is that the disclosure itself can cause more harm than the vulnerability. Clueful admins will read the security bulletins and should be trusted to make their own fully-informed decisions; clueless admins don't install security fixes or read bulletins, so they may be worse off in the case of full disclosure. Fuck 'em. I have a bumper sticker on my truck: "Stupidity should be painful."
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Flamebait? Where is the bait? All I see is an opinion. My nick says all that needs to be said.
The mods are on crack
www.globeandmail.com/servlet/ArticleNews/TPStory
Hypocrisy stalks the land
The view from inside Iraq of this war's effect on people -- and on truth -- moves PAUL WILLIAM ROBERTS to outrage
By PAUL WILLIAM ROBERTS
Tuesday, March 25, 2003
I have been in and out of Iraq more often than the Turkish army these past few days, viewing the war both firsthand and on the surprisingly
copious array of television news channels available all over Syria and Jordan. I heard Donald Rumsfeld on the radio discussing "the humanity that goes into" building the kind of weapons of mass destruction that America prefers these days. I saw for myself enough of their effects, the inevitable consequences of their inbuilt humanity, to convince myself that no dialogue is possible with Washington's current
leadership.
We no longer speak the same language. To them, terms like "freedom," "humanity," "democracy" and "liberation" signify the opposite of what
they mean to me. I resent this theft and abuse of language.
And I am enraged at George W. Bush for forcing me, now the war is under way, to accept implicitly that the coalition must continue with its killing and destroying until the stated goal of "regime change" has been achieved. To stop at anything less now would be crueler to most Iraqis
than whatever atrocities this conclusion brings. This is like Sophie's Choice.
And I hate both Bushes for the pleasure I distinctly felt when Iraqi television broke into its Saddam lovefest to reveal the nation's troops
gloating over the corpses of U.S. soldiers, manhandling them so the camera could see the fresh bullet holes that punched the envelope of
life to death. We have all become less than human in this. We all share in shame. Earlier this week, Ali Abul-Ragheb, the Jordanian Prime Minister, told me, "There will only be losers in this war, no winners."
During the course of one long day last week I was in England, Germany, France and Lebanon. The following day, I traveled through Syria, Jordan
and Iraq -- seven different countries in which I had the same conversation with some 50 ordinary people: pilots, waiters, cab drivers, chefs, merchants, managers, barmaids. Not one felt that America had pursued a just course for a just cause. Not one believed the stated goals were the real objectives.
Not one had a good word to say about Saddam Hussein, either. Yet each, on learning I was from Canada -- and this is usually the first question
you're asked nowadays -- had nothing but praise for Canada's stand against the war and support for the United Nations. I didn't have the
heart to tell anyone that Canadian ships and servicemen were actively involved as American accomplices as we spoke.
Despite our claims of neutrality, we have 31 troops on exchange with British and U.S. forces in the Persian Gulf -- which gives us a greater
presence than the majority of members of the so-called coalition. I felt ashamed at the hypocrisy.
Jordan feels ashamed, too. The Prime Minister told me his country would never permit the United States to launch an attack from its soil. Yet I
saw U.S. military vehicles towing vast fuel containers through eastern Jordan; and I saw F-15 fighter jets landing somewhere behind the low
hills lining the highway to western Iraq. The Jordanian air force does not possess any F-15s -- the Prime Minister himself volunteered that
fact.
This morning, I was forced to abandon a new attempt to sneak back into Iraq when my guide and I stumbled across a raging battle between U.S.
Special Forces and Iraqi troops somewhere near the town of Akashat. As I write this, three nations are denying all knowledge of such a battle.
As many of the "embedded" media enthuse over the "courage and professionalism" of their new pals, or marvel shamelessly at the wondrous toys they now get to play with, the rest of us, along with increasingly many Iraqis, wonder if we
Muchas Gracias, Señor Edward Snowden !
Hacker leaks unreleased CERT reports. When asked about it, he had this to say:
Vintage computer games and RPG books available. Email me if you're interested.
A would-be disciple came to Nasrudin's hut on the mountain-side. Knowing
that every action of such an enlightened one is significant, the seeker
watched the teacher closely. "Why do you blow on your hands?" "To warm
myself in the cold." Later, Nasrudin poured bowls of hot soup for himself
and the newcomer, and blew on his own. "Why are you doing that, Master?"
"To cool the soup." Unable to trust a man who uses the same process
to arrive at two different results -- hot and cold -- the disciple departed.
- this post brought to you by the Automated Last Post Generator...