Security Flaw Hits VAserv; Head of LxLabs Found Hanged
Keldrin_1 writes "The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents."
I guess there's not much to say...
Why? Why!?
whoops
-SaNo
Just closed an account with VAserv last week for no particular reason.
I hardly ever do things for "no particular reason" so it must have been my spider sense.
Will this be a case of good bye reputation, or no publicity is bad publicity?
That's one way to dodge all those bug reports...
Skiffy is Spiffy, but Ort is tort.
You can't truly blame Milw0rm for a person being depressed and committing suicide.
However, reading their security notes on it, they did hear back from the developer...they simply declared that it didn't happen fast enough and decided unilaterally that the "Vendor appears uninterested".
I have very mixed feelings on security firms releasing exploits to the public just to try and get results. In my (admittedly limited) experience, more bad has come from releasing exploits publicly than good.
-JJS
According to the article, there have been other suicides in the family a few years ago. Let's just discuss tech, and let the personal stay personal.
Had been posited for about 2-3 years now. It is actually amazing that this was such a brutal attack.
The dangers of these attacks had always been stealth related, because it is nearly impossible for the machine to SEE the vm manager. Which makes these things even more dangerous than rootkits.
While suicide should never be celebrated, there's a certain honor in doing it as a result of professional failure.
As opposed to you know, screwing the company over, taking a huge bonus, and running to the Bahamas (*cough* AIG, Bank of America, Chase, GM, WaMu *cough*)
-- Political fascism requires a Fuhrer.
My condolences to Mr. Ligesh's family.
http://timesofindia.indiatimes.com/Bangalore/Techie-hangs-himself-in-HSR-Layout-/articleshow/4633101.cms
Sounds like the guy needed some more help than he got to get to grips with his personal situation. Anyway ...
The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain file access to files hosted on a vulnerable system.
There is no excuse for SQL Injection vulnerabilities these days. The problem is well known and publicised, the solutions are well documented. This is a problem that is solved by altering how you code, which results in neater code with fewer errors. If you can't use prepared/parameterised statements and insist on building SQL command strings out of user supplied data, then ... well, err, I can't say "you deserve to hang" in this case can I?
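The pattern that comment describes, as an added example (not code from the page, from LxLabs, or from the milw0rm advisory): a "Forgot Password" lookup written by string concatenation next to the same lookup written with a bound parameter, run against a constructed in-memory SQLite table standing in for a control panel's user table. The table, the rows and the payloads are assumptions for illustration, not the actual Kloxo/HyperVM code or exploit.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for a control panel's user table (the rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-of-alice-password"),
         ("bob@example.com", "hash-of-bob-password")],
    )
    conn.commit()
    return conn


def forgot_password_vulnerable(conn, email):
    """Builds the WHERE clause by gluing the form field into the SQL string.
    A quote in the input closes the literal and the rest is executed as SQL."""
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def forgot_password_safe(conn, email):
    """Same lookup as a parameterised query: the value is bound after the statement
    is compiled, so no input can change the statement's structure."""
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # constructed payloads: a filter bypass and a schema read via UNION
    for payload in ("alice@example.com",
                    "' OR '1'='1",
                    "x' UNION SELECT name, sql FROM sqlite_master--"):
        print(repr(payload))
        print("  concatenated: ", forgot_password_vulnerable(db, payload))
        print("  parameterised:", forgot_password_safe(db, payload))
```

The second payload turns the lookup into `WHERE email = '' OR '1'='1'` and returns every account's hash; the third appends a `UNION SELECT` against `sqlite_master` and comments out the trailing quote, which is how an attacker enumerates the schema before pulling other tables. The parameterised version returns nothing for either, because the driver treats the whole string as a value to compare against, never as SQL.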
His sister and mother both committed suicide by hanging 5 years ago. He may have had a genetic propensity towards suicide.
Culturally, Indians have a very heavy emphasis on honor and responsibility. The failure of the software is only the outermost layer of true damage. Each of those compromised VMs is a failure to satisfy a customer at best, and a grave violation of the trust between vendor and customer.
When it comes to suicide, why hanging? It seems like a really hard way to go. Maybe the person wants to suffer to pay back his debts before death.
Techie hangs himself in HSR Layout
Neighbours confirmed that Ligesh didn't have many friends and didn't interact with anyone. Often, he'd sleep with the house door open. On his social networking site page, he wrote that his ambition was to kill God and he was an anti-Christ.
Slashdot isn't what it used to be!
You screw a hook into the head, then hang it where you'd like. Try to think these things through in the future.
Not only that, but TFA states that his mother and sister had committed suicide too 5 years before.
I can imagine that makes a man wonder...
Still, how can anyone subscribe for a hosting solution without backup?
That's like putting your mission critical servers in a garden shed with holes in the roof.
F*ing stupid.
Any sufficiently advanced incompetence is indistinguishable from malice - Grey's Law
He killed himself just because of massive failures in his company?
Why can't more CEOs follow his example?
If the masses can keep you down, you're not the Ubermensch.
Hopefully the sites lost were those abandoned blogs, even better if they were active blogs.
I'm really sad that he hanged himself. Even if he was a total douche-bag (and I have no idea either way), this wasn't a reason for someone to die.
But by killing himself, he likely devastated a family who loved him.
At the very least, he should have resigned. If he felt the need to make amends, he could have dedicated his remaining life to teaching, serving the poor and oppressed, or generally living a quiet life where he helped the people around him.
For him to judge that his life was such a failure that he had to rob himself and the world of his remaining years seems like a tragic mistake.
I guess he took the Six Sigma "black belt" literally.
Yeah, I feel guilty for that one.
The guys pic
http://i41.tinypic.com/zjdqgy.jpg
RIP
The Antichrist has been made manifest!
The Illuminati is now eliminating the few members that participated in the summoning of the Zhug Jung Kai entity. Notice that both Carradine and now this poor man have been hung to prevent the Ruthi spirit escaping their lungs, damning the Ruthi to eternity until the Zhug Jung Kai consumes them.
With the spawn of evil growing in power it will force the Illuminati to desperate measures. It falls to you, adventurer, to put a stop to this!
Seek out the Oracle of Shando who currently is posing as Steve Jobs. He will not reveal his true self unless you possess the Diamond Apple of Agamerrinon. You can find the Apple in possession of the Dark Obtennebator. He serves his dark master Bill Gate and resides in the Valley of Sorrow on the Mountain of Pain in the Cave of Agony beyond the Doors of Eternal Discomfort. He has occasionally also tried to Ebay the Apple but no one seems interested in it for $221,134,110 USD.
Go now and save us all from Terrorists, Bad Remakes, and watered down soft core from Cinemax!
-=[ Who Is John Galt? ]=-
I think it is quite disturbing with all of the disrespectful comments on this article. I could Mod some of this, but not all of it. The guy obviously hit hard times with death of two family members by suicide and the tanking of his company. It is clear he had depression in his family and was not able to bear all of this hitting him. It is sickening that so many of you think it is a joke.
Just because you are wrong and I called you out on it doesn't mean I am a Troll.
I'm sure this guy was already unstable but I can't help but believe that the attacks were what finally pushed him over the edge. Legally this would be difficult to prosecute as murder but morally those little script kiddies who are so impressed with themselves should consider the unintended consequences of their actions. We are all responsible for our own actions (suicide) but should be equally concerned with how our actions affect others (hackers).
Any idea what other cheap web serving companies are using this tech?
"You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
but I gotta respect this guy's dedication to the job. If we could get American CEOs to take this level of responsibility when their companies completely faceplant, the world would be a better place.
Support the EFF and Creative Commons. The war is coming, and they're supporting you...
Why don't you round them up, put identifying badges on them, and then try killing them yourse-
Oh wait.
Godwin's law, dammit.
Thank God there's people like you to uphold our high standards of taste here on Slashdot by inviting abusive moderation.
You may have noticed there isn't a "tasteless" mod. Well, I'm here to enlighten you this is primarily because they couldn't agree whether it should be -1 or +1.
Was he in a closet? Was it wrapped around his neck and genitals which was later covered up with the phrase "his body"?
I think I see a serial killer starting to emerge.
Can you imagine if a Microsoft executive hung himself every time a vulnerability was discovered in Windows that led to data loss?
Request: Please no one post links to the VAserv status page. The last thing we need is to /. them right now. Customers have been emailed the URL and we are the only ones who really need to see it (plus it isn't very interesting).
VAserv have emailed customers to say they will be taken over by BlueSquare (where they do most of their hosting anyway). Probably the best option given the scale of the attack.
I've got one apparently deleted VPS and one still running. The whole situation is terribly frustrating. However I don't think the lack of information coming from VAserv is due to a lack of effort on their part.
The purpose of the site is to talk about science and technology, not to see how creatively you can offend people. These wretched posts we're talking about contribute nothing productive and should be hidden.
is not appreciated by those who think they are immortal
ie, teenaged idiots
that the world is full of teenaged idiots (most of whom are not chronologically actual teenagers) should not surprise you or disappoint you
just a simple ugliness of life you need to learn to accept, like people who throw their garbage on the ground or talk loudly at movies, its another example of the tragedy of the commons
sure you could declare a high holy moral crusade against boorish insensitivity, but its like trying to stop the sun from rising and setting: a lot of people are ignorant assholes, status permanent, and even those you might actually be able to educate are quickly replaced by more morons
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
As if cramming 50 VMs into one rack has not been sinful enough.
The glory part? You charge 1 VM server for about $40 a month.
n/t
Well, not exactly. There is a raging debate over whether this is an appropriate tactic, and this incident will go down in the security text books as an example of why the debate exists. Opposite your opinion is something like, "That's what publicity seeking sociopathic nerds, masquerading as [security folk] do."
There is a fundamental tension between wanting to know if a system you own is vulnerable to some defect, and wanting to keep the exploit code out of the hands of The Bad Guys(TM). In this case, however, it seems pretty clear that simply knowing the name of the product (not even the version) was enough, exploit code wasn't required (as it sometimes is when scanning large numbers of systems that might be at indeterminate patch levels, for example).
There are quite a few actions one could take between "notify the vendor" and "release exploit code" which appear to have been skipped. That's irresponsible, not, "what security folks do".
Frankly, I don't understand how organizations or consultants who do this kind of thing manage to stay in business. If you were a big company with a bunch of interlocking IT systems and limited resources, would you hire someone who had a track record of publishing exploit code before patches were available? Suppose this consultant found some issues, which your organization couldn't respond to as quickly as you would like? Does that consultant become a risk to you now, simply because you didn't fix something in a manner timely enough to suit them? How do you know they wouldn't publish details of your vulnerabilities, because some snot nose punk with an inflated sense of self-righteousness thought you were ignoring him?
I don't operate that way, and neither do any of the fine security consultants who work for me or with me. I work discreetly with my clients until they get their problems fixed. That sometimes means doing a lot more work than *should* be required to get the attention of a vendor. However, it has never yet meant publishing exploit code prior to patch availability.
If you mod me down, I shall become more powerful than you could possibly imagine.
Some rather unpleasant comments coming off of you lot.
The poor chap sounds like he'd had a bad decade, and this just topped it off.
When your business collapses overnight (which is what happened here), you're facing god knows how many lawsuits (which is what would have happened here) and the people you'd turn to for support are dead... Well, I'd imagine what follows are some rather sobering thoughts.
My heart goes out to his remaining family, and those of you modded "Funny" should go gargle some engine coolant.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
five years ago, not a few months.
http://www.vaserv.com/
Because we can't really be sure if it is this one or some other link like these:
http://www.vaserv.com/index1.html
http://www.vaserv.com/index2.html
http://support.vaserv.com/
Can't really be sure... keep hitting the refresh but nothing changes.
He WAS David Carradine!
Against stupidity the gods themselves contend in vain.
I generally agree, but then you'd have to hide almost every funny-moderated post on here; they're mostly off-topic, too. It would seem off-topic humor is alright. The OP's attempt was arguably very much on topic, if not very funny.
The thing that makes it bad in this special case seems to be its offensiveness, which just isn't a criterion. Neither in attempts at insight nor information nor, like here, humor.
Summary from http://www.milw0rm.com/exploits/8880 seems pretty serious, but it would be quite difficult to fix all of them in 2 weeks.
Timeline:
05/21/2009 - sent initial email to vendor with a link to a private resource for viewing various kloxo hiab575 vulnerability info
05/23/2009 - received the following: "Thanks for the info. I will review this and let you know." (no signature)
05/30/2009 - sent an email asking if there were any updates
06/01/2009 - received the following: "Sorry for the delay. I am currently looking into this, and will reply in a couple of hours time." (no signature)
06/04/2009 - nothing heard from vendor, and the private resource containing the vulnerability info still does not appear to have been accessed
2 weeks have passed since the initial notification. Vendor appears uninterested.
ISSUE 1 - uid/gid reuse
ISSUE 2 - unprivileged port use
ISSUE 3 - default passwords
ISSUE 4 - useradd string in the process list
ISSUE 5 - XSS
ISSUE 6 - remotely create partially user controlled file names
and directories. Locally append uncontrolled data to
any file
ISSUE 7 - local users can take control of any file or directory
ISSUE 8 - local users can take control of any file or directory
ISSUE 9 - local users can overwrite any file on the box
ISSUE 10 - yet another symlink attack for local users
ISSUE 11 - metachar injection, local command execution as root
ISSUE 12 - web stats world readable password hashes
ISSUE 13 - local users can overwrite any file on the box
ISSUE 14 - metachar injection, local command execution as root
ISSUE 15 - remotely block any - or every - IP addr in hosts.deny
ISSUE 16 - remote CPU and mem usage DoS
ISSUE 17 - local users can truncate and control any file
ISSUE 18 - just 2 more symlinks to own any file on the box
ISSUE 19 - file manager, view and edit any file
ISSUE 20 - file manager PT II
ISSUE 21 - file manager PT III
ISSUE 22 - local user symlink attack
ISSUE 23 - local user symlink attack (last one)
ISSUE 24 - sql injection in the "Forgot Password" form
Ian
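Most of the local issues in that list (7 through 10, 13, 17, 18, 22, 23) are one bug class: a root-owned helper opens a path that an unprivileged user controls and follows whatever symlink or hardlink the user planted there. The following added example is not the advisory's exploit and not LxLabs code; the "quota.conf" helper, the victim file and the payload are constructed for illustration. It stages the attack in a temp directory, shows the naive open clobbering the victim, and shows the defensive open that refuses symlinks and checks what it actually opened (Linux/macOS, since it relies on `os.O_NOFOLLOW`).

```python
import errno
import os
import stat
import tempfile

PAYLOAD = "attacker:x:0:0::/root:/bin/sh\n"   # constructed: what the attack would inject


def naive_write(path, data):
    """The pattern behind the advisory's symlink issues: a privileged process opens a
    user-controlled path with plain open(), which silently follows a symlink."""
    with open(path, "w") as fh:
        fh.write(data)


def safe_write(path, data, expected_uid=None):
    """Open the final path component without following symlinks, then inspect the
    descriptor we actually got (not the path, which can change under us) before writing."""
    if expected_uid is None:
        expected_uid = os.getuid()
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno == errno.ELOOP:          # symlink found with O_NOFOLLOW set
            raise PermissionError(f"refusing to follow symlink at {path}") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path} is not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError(f"{path} owned by uid {st.st_uid}, expected {expected_uid}")
        if st.st_nlink != 1:
            raise PermissionError(f"{path} has {st.st_nlink} links; hardlink to another file?")
        os.ftruncate(fd, 0)
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def simulate(writer, attack=True):
    """Stage the attack in a temp dir: 'victim_shadow' stands in for a root-owned file
    and the user's quota.conf is replaced by a symlink to it. Returns the victim's
    contents after the helper runs, or None if the helper refused. With attack=False
    quota.conf is an honest regular file and its contents are returned instead."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim_shadow")
        with open(victim, "w") as fh:
            fh.write("root:*:0:0::/root:/bin/sh\n")
        user_dir = os.path.join(tmp, "home_user")
        os.mkdir(user_dir)
        quota = os.path.join(user_dir, "quota.conf")
        if attack:
            os.symlink(victim, quota)            # what the local user plants
        try:
            writer(quota, PAYLOAD)
        except PermissionError:
            return None
        with open(victim if attack else quota) as fh:
            return fh.read()


if __name__ == "__main__":
    print("naive helper, victim after attack:", repr(simulate(naive_write)))
    print("safe helper, victim after attack: ", repr(simulate(safe_write)))
    print("safe helper, honest file:         ", repr(simulate(safe_write, attack=False)))
```

`O_NOFOLLOW` only guards the last path component; if the user can swap a parent directory for a symlink the open still lands elsewhere, so a real helper should open the user's directory first and resolve relative to that descriptor (`os.open(..., dir_fd=...)`), or only ever write into root-owned directories. The owner and link-count checks on the opened descriptor are what stop the hardlink variant, which `O_NOFOLLOW` alone does not catch.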
very sad story, very sorry to hear about your brother.
Yes, I meant hanged. Sorry, English is not my first language.
Read TFA!
Have gnu, will travel.
I've known relations who have opted for suicide, or who have been hospitalized to prevent them. None as close as immediate family, so I can't begin to understand the pain, but in my own way I can dimly see.
One thing that makes this sort of thing doubly painful is that the sorts of minds that can consider suicide a real possibility are often very very close (and sometimes the same) as the minds that are brilliant.
We talk of genius and madness being a razor's edge away from each other, not because it is poetic but because it's true. But you don't have to be a genius to be that razor's edge away from self-destruction. You only have to have a similar biochemistry and/or neurology. There are dozens of conditions linked both to creative talent and self-harm.
Of course, not all suicides are for that reason. Utter despair (which I guess is still biochemical, but it's not a permanent condition) is another reason. There are doubtless many others.
I guess this sort of intellectualizing of suicide is my own way of dealing with the pain I have, for all that it's nothing compared to that of those close to such victims. So long as I intellectualize it, I can imagine that there will someday be solutions which help such people and prevent such tragedies happening.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I'd have thought the primary purpose of *any* individual article is to stay on topic, lest it become a free-for-all or nonsense.
As the topic in question here included "Head of LxLabs found hanged", I don't see any problem in discussing it, and apparently neither did the author.
But, hey, you obviously know better than everyone ... let me guess, you're Rob's mother ?
Let me rephrase what you just said:
Death is not funny.
Anyone who thinks it is should go die.
That about sum it up?
The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs.
The chief? What? He no see-um vulnerabilities? His tribe name-um new chief yet?
My condolences to his family, and the company....this is a sad tragic event.
i knew a chick in high school who tried to commit suicide a couple of times. each time there was an outpouring of attention and concern, that would fade, then she would try to kill herself again. eventually, she succeeded
there is a such a thing as munchausen syndrome, where people seek sympathy by faking a medical condition
http://en.wikipedia.org/wiki/Munchausen_syndrome
i think the constellation of reasons people commit suicide is a lot broader than munchausen syndrome, but i think there are a lot of similarities in a large range of reasons that involve this sort of sick seeking of attention, this idea that putting yourself in jeopardy is the way you obtain love from the people around you. suicide is essentially an ultimate form of narcissism, however faulty the circuits that lead to that consuming narcissism, that's what suicide essentially is. some are organic failings, some are personality failings
the instinct of the poster you are responding to, however insensitively arrived at, could actually be more helpful than your approach. a lot of personality and psychological problems that we all have, right up to and including outright mental illness, are made worse by sympathy
"tough love", outright hostility and anger, might be a more appropriate external stimulus for a lot of mental conditions, including a lot of suicidal behavior. not all of it of course. and this "tough love" should be motivated by higher nobility than just pure outright disdain, but it is often said that those who mean the best often do the worst damage, and in the case of suicidal people and sympathy, you may actually be looking at the ultimate culmination of that little bit of pop wisdom. that sympathy for them at the wrong set of psychological conditions created their suicidal tendencies in the first place
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I'm having a hard time understanding why this wasn't recoverable. Some would say the only good feature of running a VM is stateful snapshots.
Of all the servers I run, the only ones that are running in VMs are because the client wanted to be able to snapshot the whole deal while running, as often as hourly, so recovery was as simple as resuming an earlier backup snapshot. To me this is one of the only good things about VMs and in their instance it was worth the performance issues.
Were there no backups? Someone was running over 100,000 VMs and not even a weekly backup? I find this odd.
Maybe zombies can procreate!
Wouldn't that bring a whole new twist?
He who has no
But is a hypervisor or virtualization really involved?
Seems to me that the software involved was some sort of web hosting software.
Which to me is rather different from the vmware, virtualbox, xen sort of stuff.
An exploit in those would be a bit more interesting (though not unexpected).
Whereas an exploit in some random PHP web hosting software is about as surprising as an exploit in Yet Another PHP Bulletin Board.
The guy hanging himself is noteworthy though.
No one gives a shit what you think, mall cop.
Maybe you're only interested in the technical, but many /.ers are interested in the personal and social aspects of this story. You can tell, because they are discussing it. If you don't want to comment on that, don't. If you don't want to read about it, don't. People mod you insightful, but what insight have you brought to the table? You've basically walked into a conversation that you aren't interested in, and told everyone to shut up, without adding anything relevant . You must be great at parties.
To borrow a hackneyed cliche: "Sex is like air, it's only a big deal if you're not getting any"
regular sex does little to cure depression.
More likely, the depressed individual will reach for any sort of escape (sex, drugs, alcohol, other) to alleviate said depression.
Mostly it doesn't work.
You better watch out, there may be dogs about . .
uhm you might not be able to buy food or housing on 7 dollars an hour
You chose the obligations. You're still choosing to live up to them. Acknowledge that choice and what it means. Always be aware of that choice, and you'll realise you're never trapped.
We try very hard to live well within our means. We've got a very affordable mortgage on our house. We bought a used car a few years back and paid for it in full, with cash. We don't have a lot of expensive hobbies. We don't have a pile of debt. But if I lost my job we'd be pretty much screwed.
I'm much the same (though still clearing off a mess I got myself into at university). I don't even have a TV. I bought a studio flat that cost a very reasonable 1.5x salary. I'm in negative equity, one paycheck away from bankruptcy, repossession, and all that fun stuff, and if I lose my job I'm screwed.
My friend has the house mortgaged up to something like twice its value, has a very shiny new car, every toy in the house you could wish for, etc. He's in negative equity, one paycheck away from bankruptcy, repossession, and all that fun stuff, and if he loses his job he's screwed.
Who's the smart one? I really don't know. Since we're both just as buggered when the money stops coming in, and I worry just as much as he does, maybe the clever thing to do is to get in debt up to your eyeballs, have all the fun you can, and wash your hands of it when the music stops. *shrug*
read the story on his blog about his junky date: http://ligesh.com/2008/05/drug-binge-at-300-am/
He was most probably not easy to handle and posed as a Nietzschean asshole, but after reading that post I couldn't but like him. And showing off an anti-God tattoo in a country like India deserves a lot of respect.
Ligesh has (had) a blog with an about page. Sounds a bit f**** up.
A number of hosts have been hit by this, see e.g. this post at WHT. The software itself is apparently closed source (i.e. obfuscated source). Based on what I read, it was also quite cheap (speculations were ~50 cents for a single VPS), so most budget VPS providers used it.
This includes 2host, where I got an account a few days back. A few hours later I got an e-mail saying they disabled the HyperVM panel. Nice.
It appears as though our grammar nazis, in addition to being tactless and unsympathetic, are also unaware that this "rule" in English is merely a suggestion, and not an actual rule.
Too true.
The "Standard English" movement was a creation of east-coast education bureaucrats, trying to impose their ideas on the rest of the country (and perhaps define people from other regions as being less literate).
Note that the "never use a preposition to end a sentence with" pseudo-rule was never a part of colloquial American English grammar. It was part of Latin grammar which they chose to impose on the children of America. They also tried eliminating "ain't", the use of a double-negative for emphasis (which conflicts with symbolic logic but was exactly as valid as sucking a period inside a trailing parenthesis), and the second-person plural "you all".
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
(*cough* AIG, Bank of America, Chase, GM, WaMu *cough*)
Please don't dump on WaMu. The rest might have overextended on bad loans. But as I hear it WaMu was solvent.
I hear they got into a cash crunch after an unfounded flame by Barney Frank started a run on them. Then the regulators, instead of doing their job and loaning them the money to tide them over while they pay off the depositors and gracefully liquidate some assets to cover it, forced them into the deal with Chase - essentially looting WaMu and letting their cronies buy the swag at fence prices.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Publishing exploit code :
Care to play again?
If you mod me down, I shall become more powerful than you could possibly imagine.
If you really think it wouldn't be in the hands of the script kiddies in short order anyway, you're woefully naive.
"You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
When I lost my job back in 2000, I was depressed and feeling unworthy. A feeling of ability to work and meet basic bills turned into a feeling of helplessness. After a while when the credit cards were way out there, my wife decided I was no longer capable of supporting us in the style she had become accustomed to. She committed suicide. Now what I am talking about is where that left me. I felt bad enough to begin with, but after my wife's departure I was beyond suicidal. Not only did I seem to be useless, but I had let down my family. I haven't worked since, and but for the grace of God I would be dead now. Sometimes I feel I should be. This story is all true, I swear.
I am a customer of FsckVPS (sister company of Vaserv) and I am one of the unlucky guys who has 100% data loss on his VPS. Unlucky, because not every FsckVPS (and Vaserv) server and VPS has data loss. And unlucky, or an idiot, because I have an outdated backup only on my local hard disk. My fresh backup was stored on the server. But if I were not such an idiot and had a fresh backup on my local hard disk or on a remote backup server, what could I do now? Nothing, because all destroyed servers are still offline, offline 3 days after the hacker attack.

Vaserv's customers typically are not large enterprises, but micro companies, small teams, one-man projects without sufficient financial and human resources. That is just why they choose Vaserv's cheap VPS solutions, or at least I chose FsckVPS for that reason. And just because of the small budget I am not able to maintain another VPS as a backup server, and just because of the small budget I maintain an unmanaged server. I usually work alone on my projects; sometimes I get some help from other people, but usually I don't. So I am the businessman, the marketing guru, the SEO expert, the copywriter, the designer, the webmaster and the system admin in one body. I have not enough time and energy to execute everything perfectly, so I had not got a fresh backup on my local hard disk before this hacker attack happened. I suck this now.

I wanted to tell this story from my own perspective, because more people ask here and on other forums who are such stupid guys who have not got a fresh backup on their own hard drive. I am! Sorry if my English is not perfect, but I am from Hungary.

P.S. Since my VPS and websites are still offline I started a blog about this hacker story: http://laja404.blogspot.com/
Hmm guys, have you looked at their website, more specifically their fora? This is your run-of-the-mill half-assed Indian company. The website is low-quality, full of stock photos and phony Hindu English. When I read the summary I thought 'poor guy' but seriously, have a look at the messages there, the language is *very* tense, feature requests go unanswered for months, bugs go unfixed... I would go as far as suggesting that the breach was orchestrated by one of their very angry customers. This is a company that boasts about world-class stability software, latest version has over 200 new features! Give me a break, it screams CHEAP and BOGUS all over. They are playing way out of their league hosting 1e5 websites.
If you are hosting that many sites (probably about shitty industries too) then go for some real world-class software made in first world countries (where no matter what you do, you can't get away with too much crap) and pay three or four world-class hackers to pull it together, even if you cannot or do not want to pay for the software and everything is pirated, it's okay, you are in India after all. These guys deserved the breach. These companies should never form and operate in the first place.
How does a genetic predisposition for suicide propagate...?