ImageShack Hacked, Security Groups Threatened
revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."
in a "shoot the innocent bystander while sounding all righteous about risk" sort of way.
... of their movement?
-- NeilO
I think they are North Korean.... :) (JK)
Actually, I find it interesting that the group wants to make the world a better place by discouraging full disclosure.... the funny thing is that they want to do this by destroying things.
I'd like to see where this goes. This is gutsy, and apparently they know what they're doing and they mean business. Their message is clear, concise, and I don't completely disagree with them. Interesting.
These are the same people who say they've found an exploit in some versions of openssh. Any connection?
http://seclists.org/fulldisclosure/2009/Jul/0028.html
http://news.ycombinator.com/item?id=692036
http://lwn.net/Articles/340483/
...of a bowel movement.
For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).
So, it sounds like they'd rather be able to sell their exploits to the highest bidder instead of publishing them for anyone to see. It will be interesting to see how much support this movement gets around here (there are already a few posts supporting them), because from the sounds of things it's almost the exact opposite of the OSS mindset.
From what I can understand from their manifesto, they don't want full disclosure of exploits so
1) Other script kiddies cannot use them too easily
2) General public is not aware of the risks
3) Security companies cannot prepare protection against them
This is like... let's think about a proper Slashdot analogy... a bunch of car thieves saying that they are against installing immobilizers in cars and warning they will steal the cars of immobilizer producers and supporters till they stop distributing immobilizers. When they stop, the thieves will come back to stealing random cars, with less effort.
My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead.
That's the problem with limiting free speech. Who is enlightened enough, trustworthy enough, and wise enough to be the gatekeepers of knowledge?
Anti-Sec?
The same idiot who would do this and threaten what they have done? Maybe Anti-Sec should talk to Theodore Kaczynski about how well threatening others because of one's lofty ideas works out.
SERIOUSLY offensive BS. And I'm diametrically opposed to its position. FIX THE SOFTWARE THEN!!! And don't tell me I don't have the right to know about the security flaws in YOUR software YOU want ME to use.
it's the new fad.. or is it the same old bottled in new trust it to die out soon...
These punks don't know who they're messin with!! Me and my posse are put on our roller blades, spike our hair and take them out with our camouflage thirty three point six bee pee ess moh demz.
---------
No matter how thin you slice it, it's still baloney.
What an effective way to distribute a message, hack one of the world's most popular image hosting sites and replace all the images with your manifesto! Every site with an image linked back to imageshack would be displaying your message. Instant.global.audience. I'm not justifying what they did and I'm all for the feds handing out a beat down, after all, the law is the law but man, what a good idea.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
These morons prove that when you have a small penis and no brains, you'll do anything to get your 15 minutes of fame. I hope they get caught and become an obedient bitch for some big convict one day soon.
This hack demonstrates exactly why we need full disclosure. If I used ImageShack to host important images for (e.g. a lot of people use it for blog images or forums) and someone figured out a way to hack in, I'd want to know about it so I can take steps to protect myself. What if someone uploaded child porn and it appeared on my forum?
It's always better to know than to stay ignorant. It might harm the companies behind affected products, but if it was a safety issue (e.g. your car can occasionally explode while filling it with petrol, which actually happened) there would be no question that full disclosure would be a good thing.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Yes, by using full disclosure some exploits become much worse because then it becomes something anyone can do. But some companies won't fix their exploits if they're not known about and I'm not sure I'd feel much better with a handful of experts able to pinch my money over a long period of time or having a load of script kiddies able to do it in a shorter period of time.
Their language and style sounds rather distinct. If other writings of them are available on the web, they should be easy to identify.
There's also quite a lot of text.
Stephan
http://stephan.sugarmotor.org
It doesn't show the details but their website gives a summary. http://romeo.copyandpaste.info/txt/imageshack-pwned.txt How accurate, who knows.
Yes, full disclosure can make things worse but some companies take an "out of sight, out of mind" approach to fixing exploits and if no one knows about it they don't fix it.
But I'm not sure it's much better only having a few experts able to steal money and run bot nets over a longer period of time or a lot of clueless script kiddies doing it within a shorter period.
Apparently they are against full disclosure of exploits, because this would lead to the cracks in the first place.
Sounds to me like they are Microsoft PR workers in disguise. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
They didn't even bother to Ask Slashdot :(
Obviously fake: that shows a Linux box getting hacked into.
People have been defacing websites for more than a decade. Twitter gets screwed nearly every day by kids. Some flashy kiddies who act so immaturely should just be ignored - all this slashdot article has done is further their attention grabbing. Anyhow, someone is always looking to break in. Give the chance for people to fix it, give time for the patch to propagate, let the people know what caused it - someone else might trigger something in their mind for some other software. And of course, this is fully usable in a malicious way. But my kitchen knife is also fully usable as a murder weapon.
They are running lighttpd and PHP (at least, that is what the headers say), so I doubt they are running on Windows.
Nerd rage is the funniest rage.
Anyone seeing abnormally slow load times for wikipedia at this time? (Or at least a very odd title image)
In order to put an end to security consultants and companies spreading fear of being hacked in order to sell security oriented products and services, they will go on a reign of terror hacking everything that isn't secured to the nines? Uhmmmmmm. I'm not sure how that works.
I mean, it's mostly only big corps that are for "non-disclosure".. the rest of the free world wants to know!
-- these are only opinions and they might not be mine.
supporters of full-disclosure and the security industry in its present form
(whatever that is)
How does imageshack fit into that definition? I guess it's just another script kiddy who chose imageshack because he happened to know an exploit, and the alleged cause is pure trolling BS.
Guess the OpenSSH bug is real...
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
I'm confused.
So they're a group of black-hat hackers? I assume this since, well, what they did qualifies as black hat hacking.
So that would mean they WANT a less secure world, right? They don't want vulnerabilities fixed. They don't want people to know about them. They want less competition from script kiddies.
But they're arguing against full disclosure in a way that makes it sound like they want a more secure world.
Actually, that's Brilliant!
It's almost like saying "I want more republicans in office, so go vote democrat!", but their subject matter is such that most people won't understand and actually agree with them.
1) The text was syntactically and grammatically near perfect. You don't often see that in these sorts of things.
2) The cadence and style was sort of familiar. I was always able on usenet to identify forgeries not by the path, but by the way they were written. Any idiot can put words where they're not supposed to be, but very few people can write like somebody else.
3) I posit that if they weren't good intentioned they'd have hacked DHS.
It would not surprise me if this turned out to be a bunch of CS/security professors or the like, or their minions doing their work.
From the message, I'm absolutely certain they're in America, and had either a very rigorous or British schooling.
Need Mercedes parts ?
Not necessarily. To me it comes off a lot like Anonymous' writing style (and before I get attacked by rabid fanboys, yes I know they are _not_ Anonymous, completely different group, blah blah gtfo NEWB, and other assorted retarded memes)
So the average age of this group is apparently what, 15 or thereabouts?
#DeleteChrome
meh. ... only that thing has 7 pages of bugs on securityfocus.com....
if that's the system imageshack uses... linux 2.6.15-1
but... if you are against full-disclosure, why the heck do you hack imageshack ?
securityfocus, milw0rm, and countless other websites should be their target, instead they hacked imageshack...
to me, they're just a bunch of lamers who wanted to shout "hei! we're here too!"...
"everyone and everything is getting owned"... o come on... are you really *that* dumb?
"The security industry uses full-disclosure to profit and develop..."
"our battle is that of the removal of full-disclosure for the purpose of making it harder for the security industry to exploit its consequences"...
it's like saying "i got t3h guns! no one else must have it! i'll protect everyone!"
come on... this is childish...
Shush, you're not helping the OP's superiority complex.
Interesting. That does lend credence to the theory that they have an exploit for an old version of sshd, since it's explicitly mentioned in their script output that the servers were running openssh-4.5.
Then again, it's not unthinkable that the script output is faked, and they're just trying to ride the publicity from the supposed break. Without more details it's impossible to be sure.
I mean, if they got their way, completely. What would happen? Anyone motivated enough could find an exploit of their own and hack anyone else. But presumably this would eradicate the script-kiddie element as it would require an element of skill.
Is this just another way of the internet evolving itself? If you're an asshole or are part of a company which fucks someone's shit up for profit, then in that potential future you'd be vulnerable to backlash. This isn't the chaos ensuing from giving automatic weapons to the mob, as the weapons would only be in the hands of those parts of the mob who give enough of a shit to actively study things which are beneficial to the internet as an organism; thereby sustaining a symbiotic relationship.
Or are they just a bunch of bored script-kiddies? Either way it's interesting.
The fact that they hacked ImageShack shows that there is a vulnerability, probably one that was exposed before. In terms of natural selection this is a good thing to make the severity of the vulnerability clear. I think it would be a good thing if this kind of attacks would happen more often to get a better relation to security situation overall, because many companies and individuals tend to ignore otherwise.
Their message is complete bollocks though. Full disclosure in combination with destructive exploiting would harden the technology, but their agenda is to just 'not talk' about holes in the security, which is completely stupid, as it would only produce a temporary or no relief at all and then someone would wreak much more havoc.
So their statement "Security through obscurity" is complete crap, but we already know that.
Now away from wishful thinking, what will probably happen?
1. As these guys/girls (probably script kiddies, as they don't seem to have much cognitive power) did cause some financial damage, they will probably be tracked down and sentenced to something not nice for them (as they stepped on both sides' toes).
2. People with financial interest exploiting vulnerabilities will continue to do so while they'll be staying below the radar (full disclosure or not, it stays like this), as companies don't give a damn in cases where the damage is not obvious or not on their side.
3. Security industry will stay as it is - because the white hat approach works better than the alternative.
@ http://www.cgisecurity.com/2009/07/antisec-hackers-replace-all-imageshack-images.html
Believe me, if I started murdering people, there would be none of you left.
Full disclosure is not the solution for security vulnerabilities like this one, oh wait...
img1...us is running on 4.5; there is no img998...us though. Yes, the logs definitely don't show all details nor do we have any way of knowing if they're all true. Their hacks into two other sites appear to indicate they used an OpenSSH 4.3 vulnerability. http://romeo.copyandpaste.info/txt/nowayout.txt http://romeo.copyandpaste.info/txt/ssanz-pwned.txt
Others have linked to other sites on this thread that speculate a 0-day vuln for the most up-to-date version of OpenSSH exists and this is a way for them to target more people. That would be interesting. It will show if the open method is good for exposing bugs in a timely manner. It will also show how a lot of sysadmins do not have the time or maybe skill to go over all changes in a distribution to see if it's secure. I know many times I would download a dist. and compile and if make test passes, I install.
Damn, I meant to say 998 doesn't show what version of SSH it runs.
Bring it on.
Let them attack as many sites as they like. If there really are that many top-secret vulnerabilities that they know about, why not let them reveal their existence?
Sounds pretty silly to me.
My Pr0n Has Been Replaced by a Manifesto!
What's next, Rapidshare?
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
http://www.zone-h.org/mirror/id/8961233
It'll be quite amusing to watch their dumb asses get drug off to prison if they actually carry out their threat of "destruction and mayhem." Cyber criminal types seem to forget that when it comes to criminal investigations, the bigger a target you make yourself the more likely you are to get caught. When you are just causing trouble, there just isn't enough care to really devote any resources to going after you. However if you do real damage, all of a sudden there's more interest. The more damage, the more resources spent in finding you.
This is why when your car is broken into, you get to fill out a police report and maybe have a cop come dust for prints. However if someone is murdered, there are cops all over, detectives assigned to the case and so on. The more harm you cause, the more dedicated they are to finding and stopping you.
However, my guess is like most of these Internet Tough-guy hacker types, they've got no way to actually carry out any sort of threat. So they'll just do stupid shit like deface images on imageshack, and nobody will care enough to try and track them down.
Images hack us
Reading the text of their "manifesto" is quite interesting (assuming the link above actually points at what they said).
I don't believe it's incredibly accurate (what they claim). Full-disclosure (if you've been around for a while) sort-of came about due to the security industry's inability to actually respond to real threats (and they are still incapable of it). Often exploits would become available over the 'net from script-kiddie producers (i.e. the people with the real brains to figure out holes in software and produce something even a script-kiddie could use) and so when something like SSH was "exploited" it was typically a case of the script kiddies being armed before the targets of the exploit.
Now-a-days, full disclosure mostly benefits the industry 'cause when the "ssh" attack came out, every person who wrote an ssh server could check to see if they were vulnerable and patch appropriately rather than say (only) f-secure finding out about the hack, fixing their own server software then running around telling everyone that "only we're secure!".
However, I don't get why imageshack were attacked, they seem to have very little to do with the people they claim they "are a target" of their rampage. Or was it just 'cause it's such a widely used website that a lot of people would see it whereas most security-related sites are pretty low on the radar for a lot of people? What are imageshack doing running fedora core 5 (at least, the way I read that post they appear to be running an fc5 kernel)?
Of course being a linux advocate, why couldn't they have attacked a windows based server farm? Or made every ATM in the world print their message (now THAT would have gotten some serious publicity).
If they really wanted to get their message across, they could have made it a bit more to the point. 90% of people aren't going to read some random wall of text.
I love that the parent was scored (Score:-1, Redundant)
Look where all this talking got us, baby.
(this is intended mostly as humor more than reality)
On the plus side, if any security group you buy software/hardware from gets hacked by these guys, you know that perhaps you chose the wrong security software/hardware provider... But, no doubt, the security consultant of their closest competitors will be knocking on your door shortly to sell their own product and show how anti-sec haven't hacked them yet! ;)
A friend of mine had her machine infected with one of the imageshack exploits. It was basically a double extension EXE, labelled like Aphoto.jpg__________________.exe
She wasn't paying much attention and had hit OK when prompted to run the program. So her computer had started sending me MSN links to similar images hosted on ImageShack.
Here's the EXE that I got sent.
Someone I was chatting with in a technology IRC chatroom had run the virus in a VM, and it apparently has code to detect the presence of a VM, rapes your registry, spreads itself to multiple EXEs across your system, and a bunch of other weird things. The code is apparently run through one of those code masher programs to prevent decompilers.
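A defender-side check for the disguise described in the comment above, as an added example that is not part of the thread: it flags filenames whose last (real) extension is executable while a decoy extension, optionally followed by padding, comes before it. The extension lists, function names and every sample name except the one quoted in the comment are constructed assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed lists for illustration; tune them to your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "txt"}
# Characters used to push the real extension out of the visible part
# of a truncated filename column.
PADDING_CHARS = "_ \t-"


class Finding(NamedTuple):
    decoy_ext: str   # extension the user is meant to notice
    real_ext: str    # extension the operating system acts on
    padding: int     # number of padding characters between the two


def check_filename(path: str) -> Optional[Finding]:
    """Return a Finding if the name looks like '<name>.<decoy><pad>.<exec>'."""
    # Work on the last path component, accepting both separators.
    name = re.split(r"[\\/]", path)[-1]
    # Windows path normalization drops trailing spaces and dots,
    # so compare against the name that would actually be used.
    name = name.rstrip(" .")

    base, dot, real = name.rpartition(".")
    if not dot or real.lower() not in EXECUTABLE_EXTS:
        return None

    trimmed = base.rstrip(PADDING_CHARS)
    padding = len(base) - len(trimmed)

    _stem, dot2, decoy = trimmed.rpartition(".")
    if not dot2 or decoy.lower() not in DECOY_EXTS:
        return None
    return Finding(decoy.lower(), real.lower(), padding)


def scan(names: List[str]) -> List[Tuple[str, Finding]]:
    """Return (name, Finding) for every suspicious entry in names."""
    hits = []
    for n in names:
        finding = check_filename(n)
        if finding is not None:
            hits.append((n, finding))
    return hits


# Constructed sample input; only the first name comes from the comment.
SAMPLES = [
    "Aphoto.jpg__________________.exe",
    "holiday.png.scr",
    "C:\\Users\\x\\invoice.pdf   .exe ",
    "setup.exe",
    "archive.tar.gz",
    "notes.txt",
]

if __name__ == "__main__":
    for sample, hit in scan(SAMPLES):
        print(f"{sample!r}: looks like .{hit.decoy_ext}, runs as "
              f".{hit.real_ext}, padding={hit.padding}")
```
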
What?
:)
ac
sig? Oh, that sig...
I believe the US Gov't and other industries that have been harmed by full-disclosure are involved with this, and that the effort involves more than one "group".
That "manifesto" is an obvious attempt at reverse psychology. Large corporations and governments would LOVE to eliminate full disclosure. Exploits and fixes will then become trade secrets and sold off at a premium to the richest customers that can afford the "Elite Protection Package".
The best disinfectant will always be sunshine, not shadows.
It's a very dark ride.
Is anyone else tremendously amused at the method these guys have chosen to get their message out? I don't necessarily disagree with them - specifically, I usually only believe in full disclosure being necessary when an exploit is already in use in the wild - but it seems to me that they're just going to polarize the debate against their own position. IT security geeks are notably stubborn, defiant, etc., and being attacked over this will only entrench them further in their position. And to add to this, the 'attack' is frankly negligible - your blog will be defaced! Of course, you will certainly have backups now that we've warned you, but it'll still be defaced for up to a few hours!
Stuff.
Reading this "manifesto" very charitably for the sake of an argument, the point appears to be that these people think (or purport to think) that the security industry creates the problems it'll then fix for money.
This, of course, is patently absurd; the problem that needs fixing is not the existence of an exploit but the vulnerability that is exploited. If a security researcher found it, a blackhat might find (or have already found) it as well, and then there'd be real trouble. A boat does not spring a leak only after someone found and told people about it, even if that someone is a carpenter who offers to fix it for a nominal fee.
And what's bad about that, anyway? Of course the security industry is about money; it's an industry! The people who hire them also do so for money, specifically to not lose a lot of money when the aforementioned blackhat comes along and tries to crack their network.
Also, I have seen some people here argue that the internet would be a better place if vulnerabilities and exploits were only available to people in the know. Them I must ask: Are you insane?
From the ability to find these things good intentions do not necessarily follow. If you think they do, you might want to educate yourself about the blackhat industry; for starters, FireEye's blog does a relatively good job of explaining their methods (among other things). Unsurprisingly, it also works for money, but unlike the security industry, it is in the business of exploiting vulnerabilities instead of fixing them. Make no mistake, there are criminal syndicates (such as the RBN) that employ blackhats who are in the know.
Sure, you might have a few less script kiddies around (might, not would. Remember the internet 15 years ago? No disclosure, but also no shortage of script kiddies), but script kiddies are mostly just an annoyance. The really dangerous guys would absolutely love it if the vulnerabilities they exploit were kept secret.
Finally, it should go without saying but doesn't that this kind of vigilante approach is highly despicable, especially because whitehats are well within their rights to disclose whatever they want and would be so even if disclosure was morally questionable. Approve or disapprove of full disclosure, you do not get to tell them what to do.
All of this only applies if these people actually believe what they wrote there. I am not convinced of that, but until I see evidence to the contrary, I will assume they're just stupid, not evil.
Given slashdot's stance on full-disclosure and security, anybody think this site may be targeted? Just curious...
So wait, the whole exploit was 900+ servers of unpatched OpenSSH?
Why the hell was OpenSSH open to ALL those servers? Don't they have a VLAN for that sort of internal config? Hell, Yahoo uses a bunch of terminal servers hooked to the serial port to prevent this kind of thing. I bet this is older unpatched OpenSSH too.
Don't know if I agree with their messages, but since the OpenSSH exploits were public for a while now, one would think everyone would be patched.
Yeah.
It's not so much "Redundant, because somebody just said that two posts higher," as it is "Redundant, because we've seen that for the past 28,751 /. stories...."
"City hall" in German is "Rathaus" Kinda explains a few things......
What if someone uploaded child porn and it appeared on my forum?
Then you could start charging $20 at the door, Pedobear.
FYI, conviction requires intent. If you never intended it, you didn't commit a crime, except for manslaughter.
Let me describe a useful analogy: When a house alarm code is "guessed" by a thief, and the thief is caught, the media report, if any, usually does not include disclosing the code on your TV-screen in big letters along with instructions how you too can do it, as they cover the incident. Does it? This is however much like what reality is for IT players. As soon as one person breaks into another party's authorization domain, he/she feels it is their democratic duty to let any and all others know how they can do the same. Disregarding any opinion the target party of the break-in may have about it. Why? Some twisted moral codex, mutated from reality into virtuality, I guess.
http://romeo.copyandpaste.info/
-----[ Check list / Goals: Take down every public forum, group, or website that helps in promoting exploits and tools or have show-off sections. Publish exploits rigged with /bin/rm to whitehats, let them rm their own boxes for you.
Spread the anti-security movement.
Revive pr0j3ct m4yh3m.
I understand that imageshack might get people's attention and spread your message, but if your stated goal is to attack sites that host tools and disclose exploits, wouldn't something like Sectools.org be more appropriate? Or maybe they couldn't handle something legitimate... Also, it seems likely that they would use tools distributed from just such a site to exploit an OpenSSH vulnerability.
Science will save us. The question is, will it destroy us first?
Who knows anti-sec is a group? I wouldn't be surprised if this sort of action comes just from one man, pretending to be a group, a sick showoff. He needs some attention, in that he is successful.
How would you know? How would we even know it's a group, rather than a lone bottom feeder in his parent's cellar? Or just some loose bunch of people without much organisation, coherence or anything else that makes it an actual group? Even if it is, how would we know it's the same group as then?
I think they are pro full-disclosure, and this action is just a pun.
The message they are trying to get across is: "If you close your eyes, the world doesn't disappear. Here's an example of a hack, just to show you that vulnerabilities will continue to exist even if you don't make them public. Not only that, but there will also be people who will find them and use them, regardless of your will to make them public or not".
The message is worded well, others noticed it too; I think the author is too intelligent to be so ignorant of the truth.
The saddest poem
I'm surprised this hasn't been mentioned yet: This same group claims that there is a 0day vulnerability in OpenSSH, and used it to attack the site of a security consultant: More here.
And, what do you know? These kids (yes, script kiddies, most likely teenagers) FORGOT TO REMOVE THEIR IP ADDRESS FROM THAT POST. 125.238.144.224.
I, for one, find it quite ironic that they want "full-disclosure" abandoned, yet they know about a potentially devastating vulnerability in OpenSSH and won't tell anyone. Kind of reiterates why we need full-disclosure.
They're demonstrating that full disclosure is bad, by making use of a secret exploit? And they aren't going to release the exploit so that it can be fixed, they're going to keep it for themselves so that they can hack more people? Do they not realise that they just shot their own point in the foot? :-/
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
You should hack them back.
Well done, saved me some typing. I was reading down through this whole thread wondering when someone was going to apply flatfoot 101 to this and come up with the (most probable) real explanation.
with this shit.
They better pray I never learn who they are in the real world. They've got a .45 hollow point coming fast toward their kneecaps.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
This reminds me of a "Not the Nine O'Clock News"* skit interviewing a spokesman for a centrist terrorist group.
"All we want is peace and tolerance, and we're prepared to maim and kill to achieve our ends."
Straying off-topic, another favourite quote from the show: "Political scientists think they have finally understood current [Reagan era] American foreign and defence policy. Having been late for the last two world wars, they want to make sure they are extra early for the next one."
(Both quotes from ~25 year old memories and are therefore unreliable in detail.)
* A British 1980's politics/satire/skit comedy TV show.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
more like anti-suck!
man, what a bunch of dicks..
Remember how Germany outlawed "hacker tools"? I guess these anti-sec-terrorists can relate to that. Thinking that banning something easily available will help anyone but criminals is very similar to thinking that bullying people into shutting up will stop hackers from finding security holes.
Well-meaning but technologically ignorant politicians are one thing (personally I think they are the biggest threat to science and progress), jerks like this are another. I'm sure they are a bunch (if there is more than one) of angry young men who feel like they know exactly what's best for the world and who are almost religiously passionate about imposing their will on others.
I'm sure many of us have felt something similar at some point of our lives, but the origin of that emotion is a need to feel powerful - not solving some problem or anything altruistic at all. If you resort to terrorizing people so they act the way you want them to, then you are nothing but a power-hungry terrorist. No matter how pure you think your reasons are.
Sure they were demoing Imgshack's insecurity, but this is really not the way to get heard. They should have made a racket at a DEFCON, where all their "security experts" are. Otherwise, this just pisses a whole fu**ton of people who haven't realized this and not switched to Photobucket.
Can't believe they're using the glider as their favicon... the idiots probably don't even know what it means.
Many a contributor asks here:
... something smells fishy here ... if we just could prove this ...
what's the motivation and why the specific target?
If we follow the money we get:
1) Non-open-source software shops
2) EOM software shops
3) Proprietary software shops
Oh, did I mention that posting sploits hurts those who are not open source, but helps the open source community to debug and fix software in a fraction of the time this gets (if ever) done in closed shops?
It also allows sysadmins to take action in a meaningful way. Yeah, the security dudes get a cut from this too if you let them.
As in other incidents where the terrorist and rebel has way less to gain than many other interest groups
Remove full disclosure of exploits so script kiddies stop capturing the vulnerable systems that the "Anti-sec movement" guy wants for themselves. Nice.