Slashdot Mirror
Hacker Leaks Unreleased CERT Reports
Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."
What is interesting to note, is that this, or these, as it may be hackers are /releasing/ the truth.
Not defacing web sites, hacking student DB's, etc.
Is truth the new hack of the future?
This is both good and bad. Good, in the sense that more people will know about these vulnerabilities. Bad, in the sense that more people will know about these vulnerabilities. In my opinion, the only time security vulenrabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone. It is unreasonable to expect all code to be completely secure, it is just flat out impossible. However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
I hate sigs.
I was somewhat torn on the issue until I read "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).
Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.
It's better to burn out than to fade away
It's a bad thing. I mean, you can justify almost any crime that way ("oh, I was just testing your locks" or "oh, I was just testing police response in this area" or "oh, I was just testing human skin resistance to .38 caliber rounds").
Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?
Catch-22 isn't it!
If you really want security through obscurity, you should be able to get it. Quite simply, if there are a number of sysadmins who want a black box solution, then CERT should provide parallel systems, with different sets of programmers.
One should be advertised as open-source, open-problem. The other should be advertised as security-through-obscurity, maybe open-source, but not open-problem.
Then let the users pick. At that point, well-intentioned hackers should leave the STO code obscure, and publicize the problems with the open-problem code.
Meanwhile, CERT *can* use their lessons from the open-problem code to improve the STO code, but it *is* more at risk to real cracking, perhaps less at risk to script kiddies. Perhaps.
I, for one, would probably use the Security-through-obscurity code if I didn't have time to really learn my system, or hadn't yet learned the system. Once I understood my system, though, I would upgrade to the open-source/open-problem code, in order to be able to maintain maximum security. (Just my $0.02.) By the way,
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
Hurrah for linguistic enlightenment! While we knowledge workers are very use to naming things--establishing strong definitions for new words or phrases within a specific discipline or project--it must be remembered that the usage-consensus ultimately determines what words mean. Dictionaries are ultimately descriptive, not prescriptive.
Intresting about "hacker", though: I think slashdotters and other computer geeks have become more accepting of the criminal connotations while the general public has become more accepting of the original, more benign definition(s). Anyone care to do some field work? (While you're at it, see how many members of the general public would recognize the CSish definition of "string".)
-1, Too Many Layers Of Abstraction
If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming? Shouldn't something DoD-level be secure enough from the social engineering perspective to be admired not regretted?
$DEITY bless $NATION
If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming?...
Certain organizations do use CERT for front-line information, but not necessarily for the front-line you envision. Certain assets (capabilities in this case) diminish in value as knowledge of their existance propagates. The value in CERT is knowing who knows something, since we're often well beyond what someone knows by the time it hits the list...
How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?
And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?
IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure to fixing things faster, and designing to avoid the as well.
now we need to go OSS in diesel cars
Actually there may be a way to track him down. Set up a script that introduces a typo or two into the text for each download. Store these changes along with the username and IP for whoever looks at it. When a report pops up somewhere, compare typos to gathered data, and you should be very close to uncovering the leak.
OT: This could also be used to track leaks of beta version of software. Just set up a script that changes a few bytes in some of the files that don't alter functionality (images etc.). Ship to beta testers. If there is a leak, it's fairly easy to track down. Of course this could be circumvented if several testers combine their versions.
This post is free (as in cheese in a mousetrap).
from my majick hairball (the one from the seventh cat's stomach) and spake thus:
"How much would you like to bet that there's going to be a very ugly internal audit at CERT, with much finger-pointing and threats amongst the business partners?"
C|N>K
I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee.
There is already a growing economy for trading vulnerabilities and exploits, both IN THE open and On the underground. Quite a few companies now offer cash for vulnerabilities and exploits, and the price is determined by the severity of the reported problem.
But these companies are part of the problem, and not a final answer. For example, one company notifies their paying customers on the same day as they contact the vendor, and another one has published a self-contradicting policy and it's not clear what they are really doing. I don't think that's responsible (on the other hand, it's not responsible to publish most of the software that it is used on the Internet).
Here's a thought. How about self education about politics and reality. How about doing the research to find out in advance if the people you are working for are really doing the best possible job, not lying to you, not making you go fight in a questionable war based on questionable reasons in advance of being put into a warzone?
Sorry man, got too many friends who as young men got stuck into a warzone based on a total lie and fabrication, the "tonkin gulf attacks". They got rah rah rahed into it, john wayned. Some got drafted, some just "joined up". Back then, real information was extremely hard to come by. Two of them I can name who are still alive got told for over 30 years their (illegal by signed convention) agent orange chemical warfare damage was illusionary, in their heads. This is NOT the case with general information now.
The background of saddam, bush, cheney, rumsfield, osama, are there, virtually anyone can do the research with a cheap dial up connection or for free at almost all public libraries. It takes the same time as watching one single football game on the TV to find out about enough lies to make anyone rational question this enterprise, that's it, that short of time with google and starting with a clean data slate, being honest about it.
My point is if YOU want to accept a check for military service, accept the responsibility that at this point in time you are in fact, a "mercenary", a soldier for hire. We don't have a draft now. In war, there are no rules. You accept "collateral damage" of your "enemy's" families, they not only find out about their little abdul or mohammed on the front lines, they themselves can get "direct feed back" in the form of exploding bombs on their own persons.
You can't have it both ways, you want your family to not have the possibilities of finding out about you being captured or hurt, then don't go over there and fight, unless you accept your adult responsibilities of the FULL ramifications of war, not the you get to pick and choose which things apply to you and your family or not, because in the real world, you don't get to pick and chose.
I support the US troops! These are my neighbors too, people not at their normal jobs today a lot of them, reserves, being exploited to the max. I know one guy personal who got called back over a year ago, and for what? Sign up for one reason, to DEFEND THE UNITED STATES WHEN IT'S ATTACKED,swell, hunt down osama, stick to that, but not this other crap,being used and abused for some other questionable reasons based on fabrications and exaggerations. Our own spooks can't even find any connections between osama and saddam, those guys HATE each other. British spooks, the same thing.
I support tour guys and nation to call it a draw, come home right now, with as few casualties as possible. Yes, I know that old model has some flaws to it,to actually be attacked, or to at least develop overwhelming evidence that an attack is imminent, but it just ain't there this time. To start down this path of pre emptive wars is just such a bad idea. That's what the 'bad guys" do, that's what stalin and hitler and tojo did, americans don't do that stuff! Once we do it a lot, the precedent established, we cannot any longer condemn any other nation for doing it. In the afghan war started by the russians, we went in and helped those moslems to resist, but unfortunately we picked some serious nutjobs like osama to "support", it was an extremely bad tactical decision, one of many made by the "profit over all" warlords back in Defense Inc. They do it all the time. Last week in the press it was all "secret emails and faxes to iraqi leaders indicated mass defections would occur". Now that that lie, one of hundreds, has been exposed, just look at reality, those people are defending their country from a hostile foreign nation, same as you or I would do. As thoroughly heinous and bad and as obnoxious as saddam is, and I assert he definetly is, these iraqis are finding our invasion a WORSE alternative,