Hacker Leaks Unreleased CERT Reports
Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."
Maybe someone that's upset with the way CERT is doing things...
or maybe someone joined CERT just so he/she could play uberhacker.
The connotation of the word has changed, deal with it, move on. You lost this war years ago. If you don't like what it now means to everyone but you and a few others, then don't choose it as your label.
Simply put, if the masses see "hackers" as evil criminals then that's what "hackers" are. Language is determined by the masses, not by a small minority who get to determine what's PC or right.
scott
There's a reply to this that is so obvious, that I'm going to leave it to your imagination.
I've never liked the fact that CERT was more or less an exclusive security club. It's obvious that hackers monitor the mailing list and know the vulnerabilities before the majority of everyone else in the world.
CERT should instead stick with helping behind-the-scenes coordination between security agencies like eEye and software companies, and should stop publishing unfixed problems to CERT's underground mailing list.
Does that mean that black people really are niggers in the south?
In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone.
;)
Keep in mind that pretty much by definition, "script kiddies" won't be doing much with a new vulnerability, as their sole skill lies in being able to run someone else's code. Most new vulnerabilities either aren't exploited for months (vendor patch or no), or if they are, the exploit certainly isn't public knowledge. Therefore, there's little chance of a script kiddie rampage from some leaked vulnerability.
Ok, so I'm nitpicking
I guess the only real threat with this sort of thing is that someone who actually *might* be able to do something with this, now has a known target to go after.
I think it's ironic how the "hacker" community used to go out of their way to emphasize the distinction between hacker (positive) and cracker (negative), but as of late they don't seem to bother anymore. Certain Slashdot "reporters" don't seem to bother even trying to make the distinction anymore.
Looks like the popular media won this one.
What concerns me is that one of the vulnerability reports released by this guy wasn't scheduled to be released until June... JUNE??? What the hell are they going to wait till June for? Can't the vendor get their act together before then? This is why we need Bugtraq so badly. IMHO they should get 3 or 4 weeks max to fix the problem, otherwise it gets released. If there is even a hint it's being exploited on the net it should be released immediately, fix or no fix.
Malice95
When truth is outlawed; only outlaws will tell the truth.
"Hack4life goes on to say that all future vulnerability reports will be released at 7 p.m. on Friday "to give hackers the maximum amount of time to actively exploit the vulnerability before sys-admins, CERT and vendors can act to patch the issue on Monday morning after their weekend off."
You tell me. Is this a good thing, or a bad thing?
define "the public" and "those who have the capacity to fix them".
I have the sources to the operating system that I prefer to run and all the apps that run on it. I am a unix system engineer of quite a few years experience now. I know how to program C with about 13 years of experience there. I believe very firmly that I am in the category of "those who have the capacity to fix them". I am not, however, in the inner circle of those who get early access to CERT security information.
I know this is being pedantic, but 'truth' can't be outlawed any more than 'cold' can be outlawed.
Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take:
- Notify the manufacturer, then wait for said manufacturer to discover a fix and write a press release.
- Loudly notify the entire world so that parents can reduce the risk themselves.
In the above case, the only reason to delay is to protect the manufacturer, so the analogy isn't perfect. Home burglar alarms would be a better analogy, but less vivid. For many people charged with security, this is an easy question: they want all possible information on vulnerabilities the second that someone discovers them. They can shut off services, craft firewall rules, compile in patches, write their own damn patches. The worst-case scenario for them is that their systems are afflicted with a vulnerability that anyone else but them knows about.
Besides, here's the elephant in the living room that no one wants to address: if one person can somehow acquire this information and post it to a public list, another person can use the information for ill gain. One of these vulnerabilities wasn't due to be announced 'til June?? That's a long fucking time for (e.g.) your bank's online transaction processor to be vulnerable.
Disclose early; disclose often. Anything else multiplies the risk for the people who can least afford it.
That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.
And, as the Army break-in shows, the 'bad' guys often have the information whether or not the 'good' guys even know it. There are many script kiddies out there, but there are a few really intelligent people who can do their own research, and won't bother telling CERT before they go and exploit the vulnerability.
If everyone switches to BSD then most of the vulnerabilities found will be for BSD. No OS is flawless, not OpenBSD nor any other - OpenBSD gets more attention than the other BSDs as far as security is concerned in all probability because of their security stance, but there's still a hojillion (I use that term strictly in the technical sense) bugs in there.
That's not to deride Theo & crew's accomplishments - they've done amazing work, look at how few bugs are found in OpenSSH relative to how incredibly widespread it is - but it is practically impossible to write perfectly secure code that operates at anything like a reasonable speed for the x86.
I always thought a cracker was one who broke copy protection of software. Why not use "black hat" to describe a malicious hacker?
RTFA -- from the Sun RPC XDR libraries notice:
"BSD-derived libraries with XDR/RPC routines (libc)"
Don't think you're safe just because your OS makes you feel that way. Patch now! Patch often!
I don't follow true BSDs so I don't know if there is actually a fix for OpenBSD or FreeBSD. My linux boxes are patched. I assume my OS X boxes are vulnerable as well. Don't assume because your OS is great for you, that it's secure and you don't need to be concerned about patches. Read up on what was released so you know what the average cracker and script kiddie knows. Beat them to the punch and be happy knowing you're smart enough to know better. Only then will you be secure, Grasshopper.
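The two comments above call the XDR library issue "a simple buffer overflow" and point out that the same XDR/RPC decoding routines live in many BSD-derived libcs. The example below is an added illustration, not the Sun or BSD libc source and not a reconstruction of the actual advisory: it shows the classic way a memory-backed decoder of this kind goes wrong when it tracks "bytes remaining" in a signed int and validates an attacker-supplied unsigned length by subtracting first and checking the sign afterwards, beside a check that compares before consuming. The struct and function names, and the 16-byte input buffer, are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative memory-backed decoder state (constructed for this example;
 * not the libc xdrmem structure). Old XDR-style code kept the remaining
 * byte count in a signed int, which is the root of the problem below. */
struct membuf {
    const unsigned char *cur;  /* next byte to consume */
    int handy;                 /* bytes remaining, signed */
};

/* Flawed length check: subtract the requested length, then test the sign.
 * For a length above INT_MAX the cast yields a negative value on two's
 * complement machines, so "handy - len" grows instead of shrinking and the
 * check passes, letting a later memcpy read far past the buffer.
 * Returns 1 when the check would allow the copy. It performs no copy, so it
 * is safe to call with hostile lengths and observe the decision. */
int vuln_length_check(int handy, unsigned int len)
{
    handy -= (int)len;         /* wraps for len > INT_MAX */
    return handy >= 0;
}

/* Hardened decoder: compare the unsigned request against what is left
 * before touching anything, and refuse if the state is already bad.
 * Returns 1 on success and advances the cursor; 0 rejects the request. */
int safe_getbytes(struct membuf *mb, unsigned char *out, unsigned int len)
{
    if (mb->handy < 0 || len > (unsigned int)mb->handy)
        return 0;              /* request exceeds remaining bytes */
    memcpy(out, mb->cur, len);
    mb->cur += len;
    mb->handy -= (int)len;     /* cannot go negative: len <= handy */
    return 1;
}

/* Runs both checks against a constructed 16-byte message and a hostile
 * length; returns 1 when the flawed check accepts the hostile length and
 * the hardened decoder rejects it, i.e. when the example behaves as described. */
int demo(void)
{
    static const unsigned char msg[16] = "constructed-xdr";  /* sample input */
    unsigned char out[16];
    struct membuf mb = { msg, sizeof msg };
    unsigned int hostile = 0xFFFFFFF0u;   /* would be -16 as a signed int */

    int flawed_accepts = vuln_length_check(mb.handy, hostile);
    int hardened_rejects = (safe_getbytes(&mb, out, hostile) == 0);
    int normal_ok = safe_getbytes(&mb, out, 8) && mb.handy == 8;

    printf("flawed check accepts hostile length: %d\n", flawed_accepts);
    printf("hardened decoder rejects it:         %d\n", hardened_rejects);
    printf("hardened decoder handles 8 bytes:    %d\n", normal_ok);
    return flawed_accepts && hardened_rejects && normal_ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The point for anyone auditing a decoder like this: a length check that only fails when the count goes negative is not a bounds check, and the fix is a single unsigned comparison made before the state is updated.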
Don't believe everything you see in movies about the South. I'm a Southerner, and I'm as tired of the 'racist hick' stereotype as anyone else broadly stereotyped. Most of the racists in the South move down from New York or other northeastern cities, looking for 'kindred spirits'. To say that they give us a bad name is an understatement.
Unfortunately, the reason the information was leaked is because CERT charges people to get early access to security problems like this... So it could be *anyone* at any of the organizations that have legitimately (*cough*) gained access to this resource. Hell, it could be any one of those people's bored teenaged kids who snagged their dad's laptop when he brought it home for the weekend.
Sorry, but once you sell something there is no way to protect it as secret.
CERT has bought and paid for this. They've earned this security breach and every breach like this.
That's not "truth" - it's propaganda.
Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take:
What usually happens in this scenario is that parents remove the child seats in blind panic, and as a result 10x more kids are killed by seatbelts and not being in car seats than would have been killed by the car seats.
Lucky we removed those car seats isn't it?
Alex
Don't sweat it... we're already there.
Congratulations! Now we are the Evil Empire
As several of the broadcast outlets noted, the Dept. of Defense asked U.S. media to delay broadcasting images of the American POWs so that they could notify the immediate relatives. Right or wrong, and I think right, the DoD believes it is wrong for the immediate family to learn such things from television. I also do not believe such a request is unreasonable. Imagine yourself in such a situation. The world knows your brother has been captured, but you don't, because you haven't been watching TV. You're walking down the street and friends start offering condolences. You're surprised. Why are they doing this? One of the things you would be angry about is that DoD hadn't worked harder to tell you, before telling the world.
It's too fine a line to draw since cracking is one possible extension of hacking. I have never understood why programmers don't want to be called programmers. I am a professional engineer and a programmer and I am happy with either title. I am also a hacker in the classical sense of the word but I never use the term about myself. In a lot of countries an Engineer can be anyone from the guy who changes the oil in your car to the guy who designed the wing of a passenger jet. Engineers have to live with the widespread use of a title that can (for some of us) take years of professional training to achieve.
So I say to all you disgruntled hackers out there, don't be so touchy. Prove yourself by actions not by a label. If you're good at what you do, you don't need a label.
You know it's only a matter of time 'til CERT starts modifying their reports so each company's report is unique. Then they'll find which company's leaking them, and stop giving them information.
Language is determined by the masses, not by a small minority who get to determine what's PC or right.
Like the phrase "human rights violation"? Which is only something done to Americans and not to captives at Guantanamo Bay.
The folly of relativism... Okay -- just got back from freshman philosophy class? You define truth as absolute. Next you state that if truth is not absolute, it is meaningless. Then you offer this as support for the statement that relativism is folly. Go talk to your professor and ask the meanings of the terms "tautology" and "non sequitur".
But truth, in this context is not absolute.
It is not the fact that people die in war, people are losing jobs, votes were miscounted, etc. that one wishes to hide. The facts will eventually come out. But they will be presented at a time and in a manner that supports the agendas of the presenters.
It is "the truths" that war is justified, we should spend money on new trucks, and GWB is our just and wise leader that are of interest.
Don't get caught up arguing semantics. What is going on is the control of the hearts and minds of the people. This is achieved through emotion, religion, fear, greed, salesmanship, torture... These are methods that have nothing to do with empirically provable facts.
To control "the truth" is not to hide the facts, but to convince people that only the facts you like are relevant. Anyone who campaigns against this view threatens that control of "the truth"
Those who wish to control "the truth" often state their truths as dogma, and legislate against contravening statements or even privately held views.
In many situations, sedition, heresy, treason by word are crimes. Remember the witch hunts--in the 1600s and the 1950s. Same process; different details. There is a very legitimate concern that those in power--in order to maintain power--will criminalize speech (in any form) that threatens their control.
This is why the first amendment to the US Constitution is the first amendment. It's that important.
BTW, the full text of the above referenced document is available at Thomas. It's an enlightening read if you haven't already. The original text is only 14-15 pages long; check it out!
If a hacker can publish such a report, a hacker can exploit it. So why keep the report secret? If it is published, at least administrators of affected systems can take measures to protect their systems.
Keeping the report "secret" does not block access to crackers.