Slashdot Mirror
Hacker Leaks Unreleased CERT Reports
Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."
Its a little too ironic if he's using the leaks in the reports he steals....
With the way ISS handles things I bet they're after this guy.
Otherwise... $5.00 says he works for ISS... any takers?
scott
If you enjoy Bugtraq and can put up with the occasional flame war ... FD is an awesome list.
FD Charter
KARMA TAG! You're it.
Maybe someone that's upset with the way CERT is doing things...
or maybe someone joined CERT just so he/she could play uberhacker.
my pet machine
I drink too much coffee. I leak several times per day.
How to Download YouTube Videos
What is interesting to note, is that this, or these, as it may be hackers are /releasing/ the truth.
Not defacing web sites, hacking student DB's, etc.
Is truth the new hack of the future?
This is both good and bad. Good, in the sense that more people will know about these vulnerabilities. Bad, in the sense that more people will know about these vulnerabilities. In my opinion, the only time security vulenrabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone. It is unreasonable to expect all code to be completely secure, it is just flat out impossible. However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
I hate sigs.
The connotation of the word has changed, deal with it, move on. You lost this war years ago. If you don't like what it now means to everyone but you and a few others, then don't choose it as your label.
Simply put, if the masses see "hackers" as evil criminals then that's what "hackers" are. Language is determined by the masses, not by a small minority who get to determine what's PC or right.
scott
I think this brings up an interesting point related to hackers ethics. On one hand people should know about problems so they fix their machines right away, but if there is no quick fix then perhpas its a thing for a "need to know" basis. I'm interested to hear if slashdotters think this "hacker" is doing a good thing, or a bad thing.
I've never liked the fact that CERT was more or less an exclusive security club. It's obvious that hackers monitor the mailing list and know the vulnerablities before majority of everyone else in the world.
CERT should instead, stick with helping behind the scenes coordination between security agencies like eEye and software companies; and should stop publishing unfixed problems to a CERT's underground mailing list.
I think it's ironic how the "hacker" community used go out of their way to emphasize the distinction between hacker (positive) and cracker (negative), but as of late seem to not bother anymore. Certain Slashdot "reporters" don't seem to bother even trying to make the distinction anymore.
Looks like the popular media won this one.
What concerns me is that one of the vlunerability reports released by this guy wasnt schedualed to be released until June... JUNE??? What the hell are they going to wait till June for. Cant the vendor get their act together before then? This is why we need bugtraq so bad.. IMHO they should get 3 or 4 weeks max to fix the problem otherwise it gets released. If there is even a hint its being exploited on the net it should be released immediatly, fix or no fix.
Malice95
I was somewhat torn on the issue until I read "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).
Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.
It's better to burn out than to fade away
It's the sound of every sysadmin on Earth switching to BSD!
"In a 32-bit world, you're a 2-bit user. You've got your own newsgroup, alt.total.loser." -Weird Al
Store the Windows vulnerabilities on a Windows server, Linux vulnerabilities on a Linux server, etc.
That might take the edge off some companies' complaints about vulnerabilities leaking out before the clock is up.
"Hack4life goes on to say that all future vulnerability reports will be released at 7 p.m. on Friday "to give hackers the maximum amount of time to actively exploit the vulnerability before sys-admins, CERT and vendors can act to patch the issue on Monday morning after their weekend off."
You tell me. Is this a good thing, or a bad thing?
Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?
Catch-22 isn't it!
he'll be called 'Packed4Life'.
That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.
And, as the army breakin shows, the 'bad' guys often have the information whether or not the 'good' guys even know it. There are many script kiddies out there, but there are a few really intelligent people who can do their own research, and won't bother telling CERT before they go and exploit the vulnerability.
Need a Python, C++, Unix, Linux develop
If you really want security through obscurity, you should be able to get it. Quite simply, if there are a number of sysadmins who want a black box solution, then CERT should provide parallel systems, with different sets of programmers.
One should be advertised as open-source, open-problem. The other should be advertised as security-through-obscurity, maybe open-source, but not open-problem.
Then let the users pick. At that point, well-intentioned hackers should leave the STO code obscure, and publicize the problems with the open-problem code.
Meanwhile, CERT *can* use their lessons from the open-problem code to improve the STO code, but it *is* more at risk to real cracking, perhaps less at risk to script kiddies. Perhaps.
I, for one, would probably use the Security-through-obscurity code if I didn't have time to really learn my system, or hadn't yet learned the system. Once I understood my system, though, I would upgrade to the open-source/open-problem code, in order to be able to maintain maximum security. (Just my $0.02.) By the way,
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
If everyone switches to BSD then most of the vulnerabilities found will be for BSD. No OS is flawless, not OpenBSD nor any other - OpenBSD gets more attention than the other BSDs as far as security is concerned in all probability because of their security stance, but there's still a hojillion (I use that term strictly in the technical sense) bugs in there.
That's not to deride Theo & crew's accomplishments - they've done amazing work, look at how few bugs are found in OpenSSH relative to how incredibly widespread it is - but it is practically impossible to write perfectly secure code that operates at anything like a reasonable speed for the x86.
Worst. Hacker name. Ever.
</voice>
SIGFEH
Hurrah for linguistic enlightenment! While we knowledge workers are very use to naming things--establishing strong definitions for new words or phrases within a specific discipline or project--it must be remembered that the usage-consensus ultimately determines what words mean. Dictionaries are ultimately descriptive, not prescriptive.
Intresting about "hacker", though: I think slashdotters and other computer geeks have become more accepting of the criminal connotations while the general public has become more accepting of the original, more benign definition(s). Anyone care to do some field work? (While you're at it, see how many members of the general public would recognize the CSish definition of "string".)
-1, Too Many Layers Of Abstraction
Don't believe everything you see in movies about the
south. I'm a southerner, and I'm as tired of the
'racist hick' stereotype as anyone else broadly
stereotyped. Most of the racists in the south move
down from New York or other northeastern cities,
looking for 'kindred spirits'. To say that they give
us a bad name is an understatement.
--=:: Wings and tail and snout and scales of blackest night
Unfortuneately, the reason the information was leaked is because CERT charges people to get early access to security problems like this... So it could be *anyone* at any of the organizations that have legitimately (*cough*) gained access to this resource. Hell, it could be any one of those people's bored teenaged kid who snagged their dad's laptop when he brought it home for the weekend.
Sorry, but once you sell something there is no way to protect it as secret.
CERT has bought and paid for this. They've earned this security breach and every breach like this.
The next Slashdot story will be ready soon, but subscribers can beat the rush and slashdot the links early!
Hum, look at the references section
6. http://www.kb.cert.org/vuls/id/192995
7. file://localhost/XDR.html#vendors
8. http://www.kb.cert.org/vuls/id/516825
localhost!? They're obviously already using the vulnerability to put files on my computer.
.oO Kaa Oo.
How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?
And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?
IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure to fixing things faster, and designing to avoid the as well.
now we need to go OSS in diesel cars
Note that isn't one of Slashdot's conspiracy theories. If you report something to CERT/CC for free, they sell it to their subscribers.
Unfortunately, this process is not defined in a way that is transparent for those who contact CERT/CC. I've seen conflicting reports regarding the question whether this sharing is mandatory or optional, implicit or explicit. Not surprisingly, the CERT/CC website is not very helpful:
(From the CERT/CC FAQ.)Actually there may be a way to track him down. Set up a script that introduces a typo or two into the text for each download. Store these changes along with the username and IP for whoever looks at it. When a report pops up somewhere, compare typos to gathered data, and you should be very close to uncovering the leak.
OT: This could also be used to track leaks of beta version of software. Just set up a script that changes a few bytes in some of the files that don't alter functionality (images etc.). Ship to beta testers. If there is a leak, it's fairly easy to track down. Of course this could be circumvented if several testers combine their versions.
This post is free (as in cheese in a mousetrap).
I am under the impression that these 'masses' are the same ones who give moderation points :P
"'Yrch!' said Legolas, falling into his own tongue."
As several of the broadcast outlets noted, the Dept. of Defense asked U.S. media to delay broadcasting images of the American POWs so that they could notify the immediate relatives. Right or wrong, and I think right, the DoD believes it is wrong for the immediate family to learn such things from television. I also do not believe such a request is unreasonable. Imagine yourself in such a situation. The world knows your brother has been captured, but you don't, because you haven't been watching TV. You're walking down the street and friends start offering condolences. You're surprised. Why are they doing this. One of the things you would be angry about is that DoD hadn't worked harder to tell you, before telling the world.
It's too fine a line to draw since cracking is one possible extension hacking. I have never understood why programmers don't want to be called programmers? I am a professional engineer and a programmer and I am happy with either title. I am also a hacker in the classical sense of the word but I never use the term about myself. In a lot of countries an Engineer can be anyone from the guy changes the oil in your car to the guy who designed the wing of a passenger jet. Engineers have to live with the widespread use of a title that can (for some of us) take years of professional training to achieve.
So I say to all you disgruntled hackers out there, don't be so touchy. Prove yourself by actions not by a label. If you're good at what you do, you don't need a label.
Art is the mathematics of emotion
You know it's only a matter of time 'til CERT starts modifying their reports so each company's report is unique. Then they'll find which company's leaking them, and stop giving them information.
I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee.
There is already a growing economy for trading vulnerabilities and exploits, both IN THE open and On the underground. Quite a few companies now offer cash for vulnerabilities and exploits, and the price is determined by the severity of the reported problem.
But these companies are part of the problem, and not a final answer. For example, one company notifies their paying customers on the same day as they contact the vendor, and another one has published a self-contradicting policy and it's not clear what they are really doing. I don't think that's responsible (on the other hand, it's not responsible to publish most of the software that it is used on the Internet).
Here's a thought. How about self education about politics and reality. How about doing the research to find out in advance if the people you are working for are really doing the best possible job, not lying to you, not making you go fight in a questionable war based on questionable reasons in advance of being put into a warzone?
Sorry man, got too many friends who as young men got stuck into a warzone based on a total lie and fabrication, the "tonkin gulf attacks". They got rah rah rahed into it, john wayned. Some got drafted, some just "joined up". Back then, real information was extremely hard to come by. Two of them I can name who are still alive got told for over 30 years their (illegal by signed convention) agent orange chemical warfare damage was illusionary, in their heads. This is NOT the case with general information now.
The background of saddam, bush, cheney, rumsfield, osama, are there, virtually anyone can do the research with a cheap dial up connection or for free at almost all public libraries. It takes the same time as watching one single football game on the TV to find out about enough lies to make anyone rational question this enterprise, that's it, that short of time with google and starting with a clean data slate, being honest about it.
My point is if YOU want to accept a check for military service, accept the responsibility that at this point in time you are in fact, a "mercenary", a soldier for hire. We don't have a draft now. In war, there are no rules. You accept "collateral damage" of your "enemy's" families, they not only find out about their little abdul or mohammed on the front lines, they themselves can get "direct feed back" in the form of exploding bombs on their own persons.
You can't have it both ways, you want your family to not have the possibilities of finding out about you being captured or hurt, then don't go over there and fight, unless you accept your adult responsibilities of the FULL ramifications of war, not the you get to pick and choose which things apply to you and your family or not, because in the real world, you don't get to pick and chose.
I support the US troops! These are my neighbors too, people not at their normal jobs today a lot of them, reserves, being exploited to the max. I know one guy personal who got called back over a year ago, and for what? Sign up for one reason, to DEFEND THE UNITED STATES WHEN IT'S ATTACKED,swell, hunt down osama, stick to that, but not this other crap,being used and abused for some other questionable reasons based on fabrications and exaggerations. Our own spooks can't even find any connections between osama and saddam, those guys HATE each other. British spooks, the same thing.
I support tour guys and nation to call it a draw, come home right now, with as few casualties as possible. Yes, I know that old model has some flaws to it,to actually be attacked, or to at least develop overwhelming evidence that an attack is imminent, but it just ain't there this time. To start down this path of pre emptive wars is just such a bad idea. That's what the 'bad guys" do, that's what stalin and hitler and tojo did, americans don't do that stuff! Once we do it a lot, the precedent established, we cannot any longer condemn any other nation for doing it. In the afghan war started by the russians, we went in and helped those moslems to resist, but unfortunately we picked some serious nutjobs like osama to "support", it was an extremely bad tactical decision, one of many made by the "profit over all" warlords back in Defense Inc. They do it all the time. Last week in the press it was all "secret emails and faxes to iraqi leaders indicated mass defections would occur". Now that that lie, one of hundreds, has been exposed, just look at reality, those people are defending their country from a hostile foreign nation, same as you or I would do. As thoroughly heinous and bad and as obnoxious as saddam is, and I assert he definetly is, these iraqis are finding our invasion a WORSE alternative,
If a hacker can publish such a report, a hacker can exploit it. So why keep the report secret? If it is published, at least administrators of affected systems can take measures to protech their systems.
Keeping the report "secret" does not block access to crackers.