Hacker Leaks Unreleased CERT Reports
Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."
It's a little too ironic if he's using the leaks in the reports he steals....
wonder if there will be an advisory over this
It shouldn't be that hard to catch him if they know what information is being leaked and when.
With the way ISS handles things I bet they're after this guy.
Otherwise... $5.00 says he works for ISS... any takers?
scott
If you enjoy Bugtraq and can put up with the occasional flame war ... FD is an awesome list.
FD Charter
KARMA TAG! You're it.
Sun is lagging on releasing updates for this RPC vulnerability.
Maybe someone that's upset with the way CERT is doing things...
or maybe someone joined CERT just so he/she could play uberhacker.
my pet machine
I drink too much coffee. I leak several times per day.
What is interesting to note is that this hacker, or these hackers as it may be, are /releasing/ the truth.
Not defacing web sites, hacking student DB's, etc.
Is truth the new hack of the future?
This is both good and bad. Good, in the sense that more people will know about these vulnerabilities. Bad, in the sense that more people will know about these vulnerabilities. In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone. It is unreasonable to expect all code to be completely secure, it is just flat out impossible. However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
I hate sigs.
The connotation of the word has changed, deal with it, move on. You lost this war years ago. If you don't like what it now means to everyone but you and a few others, then don't choose it as your label.
Simply put, if the masses see "hackers" as evil criminals then that's what "hackers" are. Language is determined by the masses, not by a small minority who get to determine what's PC or right.
scott
I think this brings up an interesting point related to hackers' ethics. On one hand people should know about problems so they fix their machines right away, but if there is no quick fix then perhaps it's a thing for a "need to know" basis. I'm interested to hear if slashdotters think this "hacker" is doing a good thing, or a bad thing.
Since he hasn't "cracked" anything either, I suggest we call him based on what he's doing: he's a leaker.
I've never liked the fact that CERT was more or less an exclusive security club. It's obvious that hackers monitor the mailing list and know the vulnerabilities before the majority of everyone else in the world.
CERT should instead stick with helping behind-the-scenes coordination between security agencies like eEye and software companies, and should stop publishing unfixed problems to CERT's underground mailing list.
Does that mean that black people really are niggers in the south?
I think a hacker is someone who uses software or hardware in a creative way, which includes creative hacks as in source and creative hacks as in breaking in. This hacker has been creative enough to not only get away with it once but he got away with it twice. If this guy is not a hacker then I don't know who is.
hmmmmmm?
Could this have been an inside job?
I think it's ironic how the "hacker" community used to go out of their way to emphasize the distinction between hacker (positive) and cracker (negative), but as of late seem to not bother anymore. Certain Slashdot "reporters" don't seem to bother even trying to make the distinction anymore.
Looks like the popular media won this one.
What concerns me is that one of the vulnerability reports released by this guy wasn't scheduled to be released until June... JUNE??? What the hell are they going to wait till June for? Can't the vendor get their act together before then? This is why we need bugtraq so bad.. IMHO they should get 3 or 4 weeks max to fix the problem, otherwise it gets released. If there is even a hint it's being exploited on the net it should be released immediately, fix or no fix.
Malice95
Yeah, I'm going to be a leaker too, in the bathroom a minute or two after I hit submit. I don't think that Slashdot readers would be too interested in the details though.
"I think that when you become a Republican, you don't get to score any more." -- Butt-head
I was somewhat torn on the issue until I read "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).
Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.
It's better to burn out than to fade away
It's the sound of every sysadmin on Earth switching to BSD!
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
Store the Windows vulnerabilities on a Windows server, Linux vulnerabilities on a Linux server, etc.
That might take the edge off some companies' complaints about vulnerabilities leaking out before the clock is up.
I think, perhaps, that it is because the real hackers simply don't care. That what they are called is associated with malicious intent does not bother the true hacker, because a mere word cannot dictate what a real hacker is. A hacker is instead defined by what he does directly, and that he does it for the sheer joy of doing it.
File under 'M' for 'Manic ranting'
Right. Just because I insist everyone call sandwiches "stuffed breadcapsules" doesn't mean the language is going to change to reflect that, even if I convince a small group of other sandwich-eaters to adapt that name.
"Hack4life goes on to say that all future vulnerability reports will be released at 7 p.m. on Friday "to give hackers the maximum amount of time to actively exploit the vulnerability before sys-admins, CERT and vendors can act to patch the issue on Monday morning after their weekend off."
You tell me. Is this a good thing, or a bad thing?
ie leak a good piece of fiction to influence the stock market.
I'd like to liberate the pay scale from several of my former employers. The lies they told me about who got paid what were astounding when I finally found the list.
Things I'd rather see kept in the closet: the personal lives of the rich and famous, people's medical history, my home address and phone number (one stalker is one too many). Advert for penis enlargement, and instant uni degrees.
-- it must be true, it's on the internet.
Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?
Catch-22 isn't it!
he'll be called 'Packed4Life'.
meanwhile our Chief Marketing insists we have a secure product to run on windows. So we promise him a product "as secure as windows is". And he's happy. Dumb but happy.
If we get a client that is serious about security, they get the copy on freebsd customised, apache customised...
-- it must be true, it's on the internet.
i thought this years great sound-byte was "terrorist" or "computer terrorist"?
That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.
And, as the army breakin shows, the 'bad' guys often have the information whether or not the 'good' guys even know it. There are many script kiddies out there, but there are a few really intelligent people who can do their own research, and won't bother telling CERT before they go and exploit the vulnerability.
...if he knows the vulnerabilities before compromising the server, what's the point of compromising it?
But there is another kind of evil that we must fear most... and that is the indifference of good men.
If you really want security through obscurity, you should be able to get it. Quite simply, if there are a number of sysadmins who want a black box solution, then CERT should provide parallel systems, with different sets of programmers.
One should be advertised as open-source, open-problem. The other should be advertised as security-through-obscurity, maybe open-source, but not open-problem.
Then let the users pick. At that point, well-intentioned hackers should leave the STO code obscure, and publicize the problems with the open-problem code.
Meanwhile, CERT *can* use their lessons from the open-problem code to improve the STO code, but it *is* more at risk to real cracking, perhaps less at risk to script kiddies. Perhaps.
I, for one, would probably use the Security-through-obscurity code if I didn't have time to really learn my system, or hadn't yet learned the system. Once I understood my system, though, I would upgrade to the open-source/open-problem code, in order to be able to maintain maximum security. (Just my $0.02.) By the way,
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
If everyone switches to BSD then most of the vulnerabilities found will be for BSD. No OS is flawless, not OpenBSD nor any other - OpenBSD gets more attention than the other BSDs as far as security is concerned in all probability because of their security stance, but there's still a hojillion (I use that term strictly in the technical sense) bugs in there.
That's not to deride Theo & crew's accomplishments - they've done amazing work, look at how few bugs are found in OpenSSH relative to how incredibly widespread it is - but it is practically impossible to write perfectly secure code that operates at anything like a reasonable speed for the x86.
I always thought a cracker was one who broke copy protection of software. Why not use "black hat" to describe a malicious hacker?
Worst. Hacker name. Ever.
</voice>
SIGFEH
Language is determined by the masses, not by a small minority who get to determine what's PC or right.
That may be true in many countries...but not in France. They have a language standards board that decides what changes are adopted.
Hurrah for linguistic enlightenment! While we knowledge workers are very used to naming things--establishing strong definitions for new words or phrases within a specific discipline or project--it must be remembered that the usage-consensus ultimately determines what words mean. Dictionaries are ultimately descriptive, not prescriptive.
Interesting about "hacker", though: I think slashdotters and other computer geeks have become more accepting of the criminal connotations while the general public has become more accepting of the original, more benign definition(s). Anyone care to do some field work? (While you're at it, see how many members of the general public would recognize the CSish definition of "string".)
-1, Too Many Layers Of Abstraction
The problem with the word nigger is not that it refers to black people, but that it refers to black people in a derogatory manner. At least that's how I see it. You probably meant to ask something more along the lines of, "Does that mean that in the south black people are characterized by the use of nigger?"
XP is a good effort against Microsoft's old operating systems, but against other vendors' - it's a sad joke. Fuck - Apple makes a better Windows-compatible file-serving OS than the people who make Windows. That should tell you something.
No super-computer runs Windows.
No root domain server runs Windows.
No satellite runs Windows.
No large-scale database runs Windows.
No cave system runs Windows.
No military flight simulator runs Windows.
No bank runs its federal transactions on Windows.
Of all the important things that computers do - hardly anything important runs Windows. There's a reason for this.
Sure, MS has most of the desktop video-game market, most of the simple spread-sheet market and simple document creation market to itself - but nothing really of importance.
Don't believe everything you see in movies about the south. I'm a southerner, and I'm as tired of the 'racist hick' stereotype as anyone else broadly stereotyped. Most of the racists in the south move down from New York or other northeastern cities, looking for 'kindred spirits'. To say that they give us a bad name is an understatement.
--=:: Wings and tail and snout and scales of blackest night
One aspect of power is who controls the definition of terms. In this case popular consensus (fueled by poor journalism and representation in the media) has yielded "hacker" as an evil criminal who breaks into computer systems. What's a cracker? Something you put cheese on, or possibly put in your soup.
--------
Free your mind.
I think it would be far more acceptable if it were only used to refer to the less respectable black people. Pretty much as "white trash" isn't an insult to a white person because they're white, but because they're trashy. But sadly, there's a lot of ignorant people who use it as a blanket term to insult people for being black.
scott
Hum, look at the references section
6. http://www.kb.cert.org/vuls/id/192995
7. file://localhost/XDR.html#vendors
8. http://www.kb.cert.org/vuls/id/516825
localhost!? They're obviously already using the vulnerability to put files on my computer.
.oO Kaa Oo.
How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?
And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?
IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure to fixing things faster, and designing to avoid the as well.
now we need to go OSS in diesel cars
Language is determined by the masses, not by a small minority who get to determine what's PC or right.
Not entirely correct. Language is determined by two parties: the one communicating the idea, and the one listening. So long as they have common definitions of symbols, communication occurs.
Communication, though, is never 100%. I say "tree", and you might think of an Alabama deciduous forest, and I'll think of tall, cool, Northern California pines.
So, talking about trees, we may have to negotiate a common ground.
How many people confuse "schizophrenia" and "multiple personality disorder"? They are two things that, while often related, are not synonymous.
"Hacker/Cracker" is similar for computer people, and proper use of the vernacular is one way you can determine the knowledge level of the person you are dealing with.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Publically posting a document that you shouldn't is hardly "hacking". I'd definitely lump it into cracking before hacking.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
from my majick hairball (the one from the seventh cat's stomach) and spake thus:
"How much would you like to bet that there's going to be a very ugly internal audit at CERT, with much finger-pointing and threats amongst the business partners?"
C|N>K
In Netrunner you are an upstanding corporation, who aims to improve life for all people. The Evil Hackers are out there trying to constantly break into your systems. The integrity of all business relies on their being stopped!
Alternately, In the USA, those who matter are upstanding corporations whose aims . . .
I think that information that helps you to protect your sensitive information shouldn't be sensitive to the point of being protected with tools whose vulnerabilities are sensitive information.
Why do I think that? I won't tell you.. it's sensitive information.
-- When did Ignorance Become a Point of View?
First of all, it's a Bad Thing. This particular cracker did it to give other crackers a head start of the sysadmins. Even if he did it in the cyberpunk 'information wants to be free' style, it would still be a Bad Thing.
but if there is no quick fix then perhaps it's a thing for a "need to know" basis
Even if there's no quick fix you can always pull the plug on your servers - if you know there's an exploit, of course.
What would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
I am under the impression that these 'masses' are the same ones who give moderation points :P
"'Yrch!' said Legolas, falling into his own tongue."
Then tell me, what is the "correct" word for hacker nowadays? That is, a hacker as in http://info.astrian.net/jargon/terms/h/hacker.html
That would be a geek nowadays, or what?
And what is the new cracker doing? Eating crack and smoking weed?
Hey! That's my sig you're smoking there!
Yes... if you refer to a "nigger" then obviously you're referring to a black person. It is sometimes what they are called but this doesn't make it right. Just like calling these people "hackers": whether or not it's right doesn't matter because we know what they are talking about.
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
Hackers have been doing this forever. Why write your own 0-day when you can steal other people's? Why find your own vulnerabilities when you can read some security expert's email and "borrow" their research? Apparently it's amazing how many security researchers have insecure computers/data storage.
Why was Mitnick originally poking around Shimomura's computers?
Wasn't there a breakin to the Well (before well.com) for a similar reason about 10/12 years ago?
Then tell me, what is the "correct" word for hacker nowadays?
Computer hobbyist. Sorry if that doesn't sound all "wicked cool" and such, but when Walmart started selling Linux PCs, you should have realized you've come careening into the mainstream. Pop open another Miller Lite and slip some more Bruce into the CD player, my brother -- It's a Good Thing!
And what is the new cracker doing?
Shovelling cheese into my mouth. Truth to tell, "cracker," competing in meaning as it was against the pejorative slang term for a southern American, never stood a chance.
As several of the broadcast outlets noted, the Dept. of Defense asked U.S. media to delay broadcasting images of the American POWs so that they could notify the immediate relatives. Right or wrong, and I think right, the DoD believes it is wrong for the immediate family to learn such things from television. I also do not believe such a request is unreasonable. Imagine yourself in such a situation. The world knows your brother has been captured, but you don't, because you haven't been watching TV. You're walking down the street and friends start offering condolences. You're surprised. Why are they doing this? One of the things you would be angry about is that DoD hadn't worked harder to tell you, before telling the world.
Communication, though, is enver 100%.
:)
Indeed.
It's too fine a line to draw since cracking is one possible extension of hacking. I have never understood why programmers don't want to be called programmers. I am a professional engineer and a programmer and I am happy with either title. I am also a hacker in the classical sense of the word but I never use the term about myself. In a lot of countries an Engineer can be anyone from the guy who changes the oil in your car to the guy who designed the wing of a passenger jet. Engineers have to live with the widespread use of a title that can (for some of us) take years of professional training to achieve.
So I say to all you disgruntled hackers out there, don't be so touchy. Prove yourself by actions not by a label. If you're good at what you do, you don't need a label.
Art is the mathematics of emotion
has been patched in glibc for several days, at least.
Vote for global prefs bug
You know it's only a matter of time 'til CERT starts modifying their reports so each company's report is unique. Then they'll find which company's leaking them, and stop giving them information.
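The per-recipient variant idea in the comment above is a plain canary-watermarking scheme, and it is worth seeing how little it takes and where it breaks. The following is an added example, not code from the thread, from CERT or from any vendor: the advisory text is constructed filler, the eight "slot" phrasings are assumed, and the fingerprint is the recipient's 4-bit index written twice so that one reworded slot cannot make one recipient's copy look like another's. In practice the registry and the slot list stay with the distributor; recipients never learn which phrases are canaries.

```python
# Constructed sample advisory text (illustrative only, not a real CERT report).
# Each {n} is a slot filled with one of two equivalent phrasings; which one a
# recipient's copy contains encodes one bit of that recipient's fingerprint.
BASE_REPORT = (
    "A flaw in the sample RPC decoder {0} {1} {2}. {3} the service {4}. "
    "{5} and patches are in preparation; {6} restrict access to the "
    "service {7}."
)

# Phrasing pairs (assumed for this example). Neither member of a pair may be
# a substring of the other, or of the fixed text, or bit extraction becomes
# ambiguous.
SLOTS = [
    ("may allow", "could allow"),
    ("a remote, unauthenticated attacker", "an unauthenticated remote attacker"),
    ("to execute arbitrary code", "to run arbitrary code"),
    ("Systems that expose", "Hosts that expose"),
    ("are believed to be affected", "are thought to be affected"),
    ("Vendors have been notified", "Vendor notification is complete"),
    ("administrators should", "administrators are advised to"),
    ("until fixes are available", "until a fix is released"),
]


def codeword(index):
    """Fingerprint for the recipient with the given index: a 4-bit index
    repeated twice. The repetition gives any two codewords a Hamming distance
    of at least 2, so one reworded slot cannot turn one recipient's copy into
    another recipient's."""
    if not 0 <= index < 16:
        raise ValueError("8 slots with repetition support at most 16 recipients")
    data = tuple((index >> i) & 1 for i in range(4))
    return data + data


def build_registry(recipients):
    """Map each recipient name to its codeword. The distributor keeps this
    registry private."""
    return {name: codeword(i) for i, name in enumerate(recipients)}


def render(bits):
    """Produce the copy of the report that carries the given fingerprint."""
    return BASE_REPORT.format(*(SLOTS[i][b] for i, b in enumerate(bits)))


def extract_bits(text):
    """Recover the fingerprint from a leaked copy, which may have been edited.
    A slot where neither phrasing (or both) survives is reported as None."""
    bits = []
    for first, second in SLOTS:
        has_first, has_second = first in text, second in text
        if has_first == has_second:
            bits.append(None)
        else:
            bits.append(0 if has_first else 1)
    return bits


def identify(leaked_text, registry):
    """Return (recipient, mismatches, ambiguous): the registry entry whose
    codeword disagrees with the leaked copy on the fewest readable slots.
    'ambiguous' is True when another recipient ties for best match."""
    observed = extract_bits(leaked_text)
    scored = sorted(
        (sum(1 for o, b in zip(observed, bits) if o is not None and o != b), name)
        for name, bits in registry.items()
    )
    best_score, best_name = scored[0]
    ambiguous = len(scored) > 1 and scored[1][0] == best_score
    return best_name, best_score, ambiguous


if __name__ == "__main__":
    registry = build_registry(["vendor-a", "vendor-b", "vendor-c"])
    copies = {name: render(bits) for name, bits in registry.items()}
    # Simulated leak: vendor-b's copy, with one sentence reworded by the leaker.
    leaked = copies["vendor-b"].replace("administrators", "admins")
    print(identify(leaked, registry))  # ('vendor-b', 0, False)
```

The weak point is obvious once written down: a leaker who paraphrases every sentence, or who merges two recipients' copies, leaves nothing to read, and `identify` then reports a tie rather than inventing a culprit. Treat its answer as a lead for an investigation, not as proof.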
If you say "hacking around with some kernels", and they understand you, then you're not talking to the masses.
On earth, where most people are, weight and mass are synonymous.
That said, a lot of folks with a lot of resources are probably going to try to find out who did this.
If/When this person is identified, I'll be very interested to see exactly how that happens.
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
While it is easy to claim this is propaganda, many media experts attribute much of this to different standards in various parts of the world. That is, regardless of the event, American media tends to show much less footage of severely injured people. Whether we're talking about war or a natural disaster, American media does not show lots of bodies on TV news. In general, the worst thing you see is a body draped with a sheet. In contrast, other parts of the world routinely show it, regardless of the cause.
Language is determined by the masses, not by a small minority who get to determine what's PC or right.
Like the phrase "human rights violation"? Which is only something done to Americans and not to captives at Guantanamo Bay.
Cracker ass cracka!
Mod me down and I will become more powerful than you can possibly imagine...
If you're a geek (look up the definition yourself), I want to see you bite the head off of a live chicken. Damn, someone hijacked that definition too!
Just another day in Paradise
Tell the publisher of the software about the problem in private and give them 10 days or 30 days to fix the problem. If they don't announce a fix in that time go public. This keeps the script kiddies at bay, allows the publisher to save face and even "be the hero", and takes care of the problem. Not a perfect solution but one that can work, can it not?
Slashdot, home of supporters of free software, free music, and free speech.Except for Moderators that disagree with you.
I saw the images of the Iraqi prisoners of war on television; and I remarked to my wife that it was unsavory. I don't defend it in any way; but it's a far cry from scanning the dead faces of soldiers who appear to have been executed.
It was a poor decision on the part of the media; and for that matter, the soldiers the media accompanied. I don't know how much training the average soldier or war correspondent gets on the rules of the Geneva Convention; but I'm fairly certain that they all should have known better.
However, having seen both broadcasts (that of the Iraqi prisoners, and of the American - yes, you can see it here in the states, despite what the article implies) it is painfully obvious that there was a mean-spiritedness about the Iraqi broadcast that was absent from the American.
The Iraqi broadcast was meant as a taunt to the coalition forces, and as a motivation to the Iraqi forces/resistance. What you saw on the American broadcast was prisoners being given blankets, food, medical attention, sleep (at least until the damned cameras shined their lights on them), etc.
It was a bad decision by the Americans, my countrymen; but there is also a reality that the breaches of convention were not in any way equitable. Don't tell me that the Iraqi behavior was justified because our reporters got a little anxious for a "scoop."
Hot Damn! It's the Soggy Bottom Boys!
...should charge money for them. Why should anyone release stuff to CERT for free then? Ta heck with that noise. Inform them you have found an exploit; all you need to do to describe it is say something like "this exploit concerns application xxx, it rates as critical (or whatever standard numerical scale can be worked out)", and CERT has a publicly posted fee schedule based on that. If it's not enough, some other exploit clearing house can offer the same exact service based on that model. I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee. Initial exchanges between the two contractual parties are done encrypted and signed and dated obviously, so neither party can claim fraud. Bona fides are built on trust and peer review of releases. The exploit finders build their reputation based on performance, similar to a seller's rating, i.e., if they are caught exaggerating all the time, their stuff becomes of not much worth, so it doesn't sell. And the converse would be true obviously. Why should "open source" exploit finders be denied data and be denied their finder's fees if some company throws money into the equation? It works both ways. They either share freely, like normal open source code, or if charging goes on, BOTH sides get paid.
CERT is just a clearing house, they "take" others' bug finding efforts for free, but then sell the data, the good stuff that needs to be known about in a timely manner. It's the "timely manner" part that is controversial, but frankly I am of the "as soon as it's known about" persuasion, I think the info should be released as soon as known about, as a lesser of two evils option. I see the advantages and disadvantages of both methods, so it really is taste there, not all completely right or wrong.
CERT want their cake and eat it too, seems like a good business plan for them, bad for everyone else. Bad for their subscribers, bad for the freebie find-out-about-it-a-week-later leeches, bad for the exploit finders.
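The "encrypted and signed and dated ... so neither party can claim fraud" exchange proposed in the post above reduces, at its core, to a dated commitment: the finder publishes a hash of the report before negotiating, and reveals the report later; neither side can afterwards claim the report said something else or was sent on a different day. What follows is an added example, not code from the thread or from CERT, showing just that commit/reveal step with the standard library. Signing the commitment with the finder's key and encrypting the reveal are assumed to happen out of band; the report bytes and dates in the demo are constructed.

```python
import hashlib
import hmac
import secrets
from datetime import date

NONCE_LEN = 32  # 256-bit nonce, kept by the finder until the reveal


def new_nonce():
    """Random nonce that makes the commitment hiding: without it, a short or
    predictable report could be guessed from the digest before the reveal."""
    return secrets.token_bytes(NONCE_LEN)


def commit(report, reported_on, nonce):
    """Build the public, dated commitment the finder hands over first.
    reported_on is an ISO-8601 date string (YYYY-MM-DD). Every field is
    length-prefixed so the encoding is unambiguous (no field can borrow
    bytes from its neighbour)."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    stamp = date.fromisoformat(reported_on).isoformat().encode()  # validates
    h = hashlib.sha256()
    for part in (stamp, nonce, report):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return {"date": stamp.decode(), "sha256": h.hexdigest()}


def verify(commitment, report, nonce):
    """Check a revealed (report, nonce) pair against the earlier commitment.
    The date is read from the commitment itself, so disputing the date later
    means disputing the digest that was already on record."""
    try:
        expected = commit(report, commitment["date"], nonce)
    except (KeyError, ValueError, TypeError):
        return False
    return hmac.compare_digest(expected["sha256"], str(commitment.get("sha256", "")))


if __name__ == "__main__":
    # Constructed sample report; the date is arbitrary.
    report = b"sample: length of client-supplied record is not checked before copy"
    nonce = new_nonce()
    c = commit(report, "2003-03-24", nonce)
    print(c)
    print(verify(c, report, nonce))                  # True
    print(verify(c, report + b" (edited)", nonce))   # False: report changed
    print(verify(dict(c, date="2003-03-25"), report, nonce))  # False: date changed
```

A commitment alone only proves *what* was promised; the *who* comes from the signature the post mentions, and the *when* is only as trustworthy as whoever recorded the commitment's arrival (a mailing-list archive, a timestamping service, or the clearing house's own signed receipt).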
I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee.
There is already a growing economy for trading vulnerabilities and exploits, both in the open and on the underground. Quite a few companies now offer cash for vulnerabilities and exploits, and the price is determined by the severity of the reported problem.
But these companies are part of the problem, and not a final answer. For example, one company notifies their paying customers on the same day as they contact the vendor, and another one has published a self-contradicting policy and it's not clear what they are really doing. I don't think that's responsible (on the other hand, it's not responsible to publish most of the software that is used on the Internet).
ESR, do you mean to tell me you haven't gotten a Slashdot account in all these years?
--sdem
It doesn't help when movies like "A Beautiful Mind" come along and make even more inaccurate portrayals of this disease. Now everyone with $7.50 and 2 free hours thinks they are an expert on Schizophrenia... It gets to the point where you tire of correcting everyone. When a room full of people accept a set of ideas, even when completely wrong, you eventually start to just go along to save your own sanity...
Example 2 (less exhausting): I own 2 Italian Greyhounds that are a bit larger than most IGs. People (strangers) will approach me, point at my dogs and say "Whippets!" After several "They're not Whippets, they're Italian Greyhounds. No, Greyhounds. Trust me, they're Greyhounds" conversations, I simply say "Yeah" and walk away. It's easier...
Come and see the violence inherent in the system!
Here's a thought. How about self education about politics and reality. How about doing the research to find out in advance if the people you are working for are really doing the best possible job, not lying to you, not making you go fight in a questionable war based on questionable reasons in advance of being put into a warzone?
Sorry man, got too many friends who as young men got stuck into a warzone based on a total lie and fabrication, the "tonkin gulf attacks". They got rah rah rahed into it, john wayned. Some got drafted, some just "joined up". Back then, real information was extremely hard to come by. Two of them I can name who are still alive got told for over 30 years their (illegal by signed convention) agent orange chemical warfare damage was illusionary, in their heads. This is NOT the case with general information now.
The background of saddam, bush, cheney, rumsfield, osama, are there, virtually anyone can do the research with a cheap dial up connection or for free at almost all public libraries. It takes the same time as watching one single football game on the TV to find out about enough lies to make anyone rational question this enterprise, that's it, that short of time with google and starting with a clean data slate, being honest about it.
My point is if YOU want to accept a check for military service, accept the responsibility that at this point in time you are in fact, a "mercenary", a soldier for hire. We don't have a draft now. In war, there are no rules. You accept "collateral damage" of your "enemy's" families, they not only find out about their little abdul or mohammed on the front lines, they themselves can get "direct feed back" in the form of exploding bombs on their own persons.
You can't have it both ways: you want your family to not have the possibility of finding out about you being captured or hurt, then don't go over there and fight, unless you accept your adult responsibilities of the FULL ramifications of war, not the you-get-to-pick-and-choose which things apply to you and your family or not, because in the real world, you don't get to pick and choose.
I support the US troops! These are my neighbors too, people not at their normal jobs today, a lot of them reserves, being exploited to the max. I know one guy personally who got called back over a year ago, and for what? Sign up for one reason, to DEFEND THE UNITED STATES WHEN IT'S ATTACKED. Swell, hunt down osama, stick to that, but not this other crap, being used and abused for some other questionable reasons based on fabrications and exaggerations. Our own spooks can't even find any connections between osama and saddam; those guys HATE each other. British spooks, the same thing.
I support our guys and nation to call it a draw, come home right now, with as few casualties as possible. Yes, I know that old model has some flaws to it, to actually be attacked, or to at least develop overwhelming evidence that an attack is imminent, but it just ain't there this time. To start down this path of pre-emptive wars is just such a bad idea. That's what the "bad guys" do, that's what stalin and hitler and tojo did, americans don't do that stuff! Once we do it a lot, the precedent established, we cannot any longer condemn any other nation for doing it. In the afghan war started by the russians, we went in and helped those moslems to resist, but unfortunately we picked some serious nutjobs like osama to "support"; it was an extremely bad tactical decision, one of many made by the "profit over all" warlords back in Defense Inc. They do it all the time. Last week in the press it was all "secret emails and faxes to iraqi leaders indicated mass defections would occur". Now that that lie, one of hundreds, has been exposed, just look at reality: those people are defending their country from a hostile foreign nation, same as you or I would do. As thoroughly heinous and bad and as obnoxious as saddam is, and I assert he definitely is, these iraqis are finding our invasion a WORSE alternative,
Who read the header as
Hacker "Leaks" unreleased CERT reports
THAT would be cool!
(Leaks as a nickname).
If a hacker can publish such a report, a hacker can exploit it. So why keep the report secret? If it is published, at least administrators of affected systems can take measures to protect their systems.
Keeping the report "secret" does not block access to crackers.
Black people are quite free to call one another "nigger" without fear of prosecution for racial hatred/discrimination.
An irony that I'll leave you to ponder.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
I'm a southerner as well (Alabama, Hick central).
And while it's true that not everyone here is a hick, lots of them are.
My parents, aunts, and uncles were all born and raised here. And most of them use the n-word quite frequently.
I've noticed that it's mostly the older generations (i.e., Baby Boomers) who are the most racist. Most of my schoolmates (ok, well, most of the schoolmates that I had classes with) were generally more open-minded.
Basically what you're stating is that in some cases the cure is worse than the disease. But that's not the point at all.
Imagine how you would feel if you lost a relative because of an illness you could have cured or prevented if you had known. But instead the guy discovering it only reports it to some firm so that this one can make profits selling the info to any paying pharmaceutical companies.
Now replace: a relative -> private data or server, illness -> hack, firm -> CERT, pharmaceutical -> software.
Now there is a fair chance that the pharmaceutical company brings a solution in a fair timeframe. But really there would be lots of people having a damned good argument for being angry because of the needless loss they have to endure.
You don't make a disease disappear by not talking about it. In that case you're keeping the masses ignorant and buying some time for the pharmaceuticals.
If the pharmaceuticals come up with a solution it is only about polishing their image; it doesn't save your ass in the meantime. If they ignore the problem, it's even worse. It can be lethal to yourself in that timeframe.
Now ask yourself again, do you still feel it's better being kept ignorant?
it can be very frustrating when 99.99% of the population is grossly misinformed, often to the point of perceived enlightenment.
[snip]
It gets to the point where you tire of correcting everyone. When a room full of people accept a set of ideas, even when completely wrong, you eventually start to just go along to save your own sanity...
I feel your pain. As it is in one's personal sphere, so is it with society in general. Challenge the orthodoxy with facts and/or reason -- even right here on slashdot -- and you're suddenly the recipient of a thousand points of flame.
I could say something here about the reputation I've earned here for my position on the "global warming" myth, but... I've given up trying to educate fools.
Yeah, I definitely know what you mean about just saying "Yeah, whatever" and just walking away.
In times of universal deceit, telling the truth gets you modded -1 Troll
No seriously, do people actually EAT crack?
Uh... *ahem!* well, I'd love to answer that, but I'm afraid to do so on a "family-oriented" site such as this one... There ARE impressionable young teens here, after all, and I'd hate to corrupt any...
sorry, gotta go. My GF says it's time for me to get off of the computer and, uh, eat some more crack...
In times of universal deceit, telling the truth gets you modded -1 Troll
If the masses refer to burglars as "locksmiths", and to vandals as "architects", does that mean that criminals are now locksmiths and architects?
Quoth the poster: To begin with, it would look like the truth. Secondly, it would look like you're putting your customers' security needs ahead of your own public image. I realize this is anathema to most large corporations, which is why strenuous arguments need to be made in favor of the correct position. So how do you tell who has that knowledge? Make them sign up on a list beforehand? That's meaningless. Make them take a test? That would be a nightmare to administer. The situation now is nothing like what you describe - ability to fix the problem is not a precondition to have access to this information. As far as I can tell <opinion type="uninformed">the only requirement for getting this information is paying a hefty annual fee to CERT</opinion>. Perhaps you're not aware that this is the way the system operated for a long time. It was recognition of the fatal flaws of that system that started people calling for full disclosure. The vendor must be given no wiggle room, because they will almost always put their own public image ahead of the needs of their customers. Given a choice between fixing a security flaw that no one knows about and adding a new feature, which choice will a vendor make? In fact, most vendors chose to roll security patches into the new version, due in 9 months; if you got cracked in the meantime, you'd have no idea how or why, and the vendor would be no help. The game changes dramatically if there's public pressure due to rapid disclosure. Neither do I, actually. But making the information public gives you the greatest chance of reaching someone who can fix the problem. We've already established that no scalable "knowledge or desire" requirement can be imposed, so the reasonable solution is to give the information to everyone.
What you're missing, though, is that there's another solution aside from fixing faulty software: taking it offline. If a vendor announced a flaw that gave up all their servers to crackers, I'd like to be able to make the risk/benefit calculation of taking my servers offline completely, implementing different software, or trusting to luck. Without disclosure all you can do is hope to get lucky.
To get a little off-topic, remember the discussion a couple months ago about asteroid impact? Many in the astronomy community favor utter silence in the case of inevitable planetary apocalypse by asteroid impact. There are two problems with this, and both these problems map exactly onto our security disclosure argument (although the rest of the problem does not, and granted the stakes are much higher).
First, just because a small group of people can't come up with a solution does not mean that all 6 billion of us working together, or one genius working in isolation, cannot. Chances for such a solution may be small, but in this case I would leap at any small chance. Second, inevitably someone else will discover the asteroid, and then all the secrecy will have been for naught.
The only rational argument against full disclosure is that the disclosure itself can cause more harm than the vulnerability. Clueful admins will read the security bulletins and should be trusted to make their own fully-informed decisions; clueless admins don't install security fixes or read bulletins, so they may be worse off in the case of full disclosure. Fuck 'em. I have a bumper sticker on my truck: "Stupidity should be painful."
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Flamebait? Where is the bait? All I see is an opinion. My nick says all that needs to be said.
The mods are on crack
I simply don't think that's true. When I've found people most vocal about the "proper" use of the term hacker, it's the self-styled hackers that were the loudest.
Yeah... but we stopped caring when we realized that the world wasn't about to drop the term.
File under 'M' for 'Manic ranting'
www.globeandmail.com/servlet/ArticleNews/TPStory
Hypocrisy stalks the land
The view from inside Iraq of this war's effect on people -- and on truth -- moves PAUL WILLIAM ROBERTS to outrage
By PAUL WILLIAM ROBERTS
Tuesday, March 25, 2003
I have been in and out of Iraq more often than the Turkish army these past few days, viewing the war both firsthand and on the surprisingly copious array of television news channels available all over Syria and Jordan. I heard Donald Rumsfeld on the radio discussing "the humanity that goes into" building the kind of weapons of mass destruction that America prefers these days. I saw for myself enough of their effects, the inevitable consequences of their inbuilt humanity, to convince myself that no dialogue is possible with Washington's current leadership.
We no longer speak the same language. To them, terms like "freedom," "humanity," "democracy" and "liberation" signify the opposite of what they mean to me. I resent this theft and abuse of language.
And I am enraged at George W. Bush for forcing me, now the war is under way, to accept implicitly that the coalition must continue with its killing and destroying until the stated goal of "regime change" has been achieved. To stop at anything less now would be crueler to most Iraqis than whatever atrocities this conclusion brings. This is like Sophie's Choice.
And I hate both Bushes for the pleasure I distinctly felt when Iraqi television broke into its Saddam lovefest to reveal the nation's troops gloating over the corpses of U.S. soldiers, manhandling them so the camera could see the fresh bullet holes that punched the envelope of life to death. We have all become less than human in this. We all share in shame. Earlier this week, Ali Abul-Ragheb, the Jordanian Prime Minister, told me, "There will only be losers in this war, no winners."
During the course of one long day last week I was in England, Germany, France and Lebanon. The following day, I traveled through Syria, Jordan and Iraq -- seven different countries in which I had the same conversation with some 50 ordinary people: pilots, waiters, cab drivers, chefs, merchants, managers, barmaids. Not one felt that America had pursued a just course for a just cause. Not one believed the stated goals were the real objectives.
Not one had a good word to say about Saddam Hussein, either. Yet each, on learning I was from Canada -- and this is usually the first question you're asked nowadays -- had nothing but praise for Canada's stand against the war and support for the United Nations. I didn't have the heart to tell anyone that Canadian ships and servicemen were actively involved as American accomplices as we spoke.
Despite our claims of neutrality, we have 31 troops on exchange with British and U.S. forces in the Persian Gulf -- which gives us a greater presence than the majority of members of the so-called coalition. I felt ashamed at the hypocrisy.
Jordan feels ashamed, too. The Prime Minister told me his country would never permit the United States to launch an attack from its soil. Yet I saw U.S. military vehicles towing vast fuel containers through eastern Jordan; and I saw F-15 fighter jets landing somewhere behind the low hills lining the highway to western Iraq. The Jordanian air force does not possess any F-15s -- the Prime Minister himself volunteered that fact.
This morning, I was forced to abandon a new attempt to sneak back into Iraq when my guide and I stumbled across a raging battle between U.S. Special Forces and Iraqi troops somewhere near the town of Akashat. As I write this, three nations are denying all knowledge of such a battle.
As many of the "embedded" media enthuse over the "courage and professionalism" of their new pals, or marvel shamelessly at the wondrous toys they now get to play with, the rest of us, along with increasingly many Iraqis, wonder if we
Muchas Gracias, Señor Edward Snowden!
No. It's something done to innocent people, as opposed to terrorists.
Hacker leaks unreleased CERT reports. When asked about it, he had this to say:
Vintage computer games and RPG books available. Email me if you're interested.
I usually get questioned on "What's a kernel", but that's about it.
Karma: Non-Heinous
So you're conceding the point, then. The self-styled "hackers" are the ones who gave up on the so-called "proper" usage of the term.