ImageShack Hacked, Security Groups Threatened
revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."
in a "shoot the innocent bystander while sounding all righteous about risk" sort of way.
... of their movement?
-- NeilO
These are the same people who say they've found an exploit in some versions of openssh. Any connection?
http://seclists.org/fulldisclosure/2009/Jul/0028.html
http://news.ycombinator.com/item?id=692036
http://lwn.net/Articles/340483/
For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).
From what I can understand from their manifesto, they don't want full disclosure of exploits so
1) Other script kiddies cannot use them too easily
2) The general public is not aware of the risks
3) Security companies cannot prepare protection against them
This is like... let's think about a proper Slashdot analogy... a bunch of car thieves saying that they are against installing immobilizers in cars and warning they will steal the cars of immobilizer producers and supporters till they stop distributing immobilizers. When they stop, the thieves will come back to stealing random cars, with less effort.
It's the new fad... or is it the same old thing bottled as new? Trust it to die out soon...
Wait, wait. How is messing with other people's stuff on the net from safely behind a computer 'gutsy'? Sounds like cowardice to me. I don't care what their message is - if they're fucking with my, or other people's, stuff then whatever their argument is will go unheard. If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
These punks dont know who theyre messin with!! Me and my posse are put on our roller blades, spike our hair and take them out with our camouflage thirty three point six bee pee ess moh demz.
---------
No matter how thin you slice it, its still baloney.
What an effective way to distribute a message: hack one of the world's most popular image hosting sites and replace all the images with your manifesto! Every site with an image linked back to ImageShack would be displaying your message. Instant.global.audience. I'm not justifying what they did and I'm all for the feds handing out a beat down; after all, the law is the law. But man, what a good idea.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of its former elf.
Linux Zealots: Smarter than Mac Zealots, but still zealots.
...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of its former elf.
And trust me, the dwarves are not happy about that.
This hack demonstrates exactly why we need full disclosure. If I used ImageShack to host important images for (e.g. a lot of people use it for blog images or forums) and someone figured out a way to hack in, I'd want to know about it so I can take steps to protect myself. What if someone uploaded child porn and it appeared on my forum?
It's always better to know than to stay ignorant. It might harm the companies behind affected products, but if it was a safety issue (e.g. your car can occasionally explode while filling it with petrol, which actually happened) there would be no question that full disclosure would be a good thing.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Their language and style sounds rather distinct. If other writings of them are available on the web, they should be easy to identify.
There's also quite a lot of text.
Stephan
http://stephan.sugarmotor.org
It doesn't show the details but their website gives a summary. http://romeo.copyandpaste.info/txt/imageshack-pwned.txt How accurate, who knows.
Yes, full disclosure can make things worse but some companies take an "out of sight, out of mind" approach to fixing exploits and if no one knows about it they don't fix it.
But I'm not sure it's much better only having a few experts able to steal money and run bot nets over a longer period of time or a lot of clueless script kiddies doing it within a shorter period.
If it's free speech, mind if I come and write graffiti on the side of your house? If you stop me, you're censoring my speech.
Why should knowledge need a gatekeeper in the first place? People say "We can't let this fall into the wrong hands!" but security through obscurity is a losing strategy, if that's all you're doing. I'm not advocating we have no secrets, but I think we have more to gain by disclosing and improving than we do through hiding what we know under a white sheet in the hopes that nobody else knows about it. Remember, if we figured it out, they can figure it out - and then we'll still have the problem but nobody else will be informed or prepared when the hammer falls.
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
I'll be by your house later with some spray paint--I, too, have a message to share with the world, and your attitude toward defacement of private property is refreshing.
What part of "shall not be infringed" is so hard to understand?
PETA and Greenpeace are terrorist organizations. They do a lot worse than nuisance hacking. :|
Apparently they are against full disclosure of exploits, because this would lead to the cracks in the first place.
Sounds to me like they are Microsoft PR workers in disguise. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Good point, they should stop doing things over the net. Time to start building those bombs!
They didn't even bother to Ask Slashdot :(
Thankfully you're a /. user, so the goatse.cx picture was probably better.
I would argue that these are not attacks but free speech (as in freedom of expression). Sure, some security sites will be down, that's just the way it is. A mDDOS attack, assuming this is going to be their method, is just like free speech but through the mouth of your NIC card. Ok it's more like yelling but all they need are good earplugs.
Right up until you decide to have a press conference in my living room. Break into my house and you may get shot.
They are running lighttpd and PHP (at least, that is what the headers say), so I doubt they are running on Windows.
Nerd rage is the funniest rage.
Anyone seeing abnormally slow load times for Wikipedia at this time? (Or at least a very odd title image)
In order to put an end to security consultants and companies spreading fear of being hacked in order to sell security oriented products and services, they will go on a reign of terror hacking everything that isn't secured to the nines? Uhmmmmmm. I'm not sure how that works.
Why stop at the outside? Break into the place and scrawl all over his wallpaper. That's effectively what anti-sec did here.
Don't let THEM immanentize the Eschaton!
"My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead."
Since you're posting anonymously, it was probably an improvement.
Now, back on-topic ... rule #1 - "follow the money and see who benefits". Who else is against full disclosure? Malware vendors, anti-virus companies, Microsoft, the Russian Business Network, click-fraudsters, bot-netters - they're ALL against full disclosure. They ALL would rather that vulnerability information be closely held, so that they can either ignore it or exploit it to their economic advantage.
I'm not saying Anti-Sec is working with them - they may also fit the definition of "useful fool." But either way, they ARE acting like a bunch of tools, in the Urban Dictionary sense of the word.
I mean, it's mostly only big corps that are for "non-disclosure".. the rest of the free world wants to know!
-- these are only opinions and they might not be mine.
How does lack of full disclosure make the world a better place? The way I see it, if I know how an attack is operational I can figure out how to defend against it, if I don't then I won't know how (or more importantly why I am having) to write secure code. My other issue with a lack of full disclosure is the indication that only, say, the richest people (or companies) can afford them - effectively monopolizing things like the anti-virus or firewall industries.
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead.
Ohh... Sorry... I thought that was your graduation. You know... Senior prank to the principal. Shake his hand and, OH MY GOD!
Guess the OpenSSH bug is real...
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Better to protest living in cold climates by smashing his windows during the middle of winter.
Nerd rage is the funniest rage.
The biggest problem with this thinking is that the experts eventually sell the tech to the script kiddies to gain maximal value from the exploit. So, in this case, you have the worst of both worlds- they use it over a longer period of time AND then you have a lot of clueless script kiddies doing it over a medium period of time before the companies get pressured into fixing the damn thing in the first place.
Security through obscurity is NOT an answer- as you pointed out, they typically don't fix it if they can help it. :-D
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I'm confused.
So they're a group of black-hat hackers? I assume this since, well, what they did qualifies as black hat hacking.
So that would mean they WANT a less secure world, right? They don't want vulnerabilities fixed. They don't want people to know about them. They want less competition from script kiddies.
But they're arguing against full disclosure in a way that makes it sound like they want a more secure world.
Actually, that's Brilliant!
It's almost like saying "I want more republicans in office, so go vote democrat!", but their subject matter is such that most people won't understand and actually agree with them.
I'd like to see where this goes. This is gutsy, and apparently they know what they're doing and they mean business. Their message is clear, concise, and I don't completely disagree with them. Interesting.
Oddly, this comment, verbatim - save the "Wow" is the subject and not "Wow...", is on another story about this.
Personally I fear people that would go to lengths to post the exact same thing on multiple sites than people with causes.
I'd like to give a shout out to Zorg, from the Fifth Element on this one "I don't like warriors. Too narrow-minded, no subtlety. And worse, they fight for hopeless causes. Honor? Huh! Honor's killed millions of people, it hasn't saved a single one."
"There are no facts, only interpretations." --Friedrich Nietzsche.
1) The text was syntactically and grammatically near perfect. You don't often see that in these sorts of things.
2) The cadence and style was sort of familiar. I was always able on Usenet to identify forgeries not by the path, but by the way they were written. Any idiot can put words where they're not supposed to be, but very few people can write like somebody else.
3) I posit that if they weren't good intentioned they'd have hacked DHS.
It would not surprise me if this turned out to be a bunch of CS/security professors or the like, or their minions doing their work.
From the message, I'm absolutely certain they're in America, and had either a very rigorous or British schooling.
Need Mercedes parts ?
Not only is this the exact opposite of the OSS mindset, I'd be willing to bet that it is motivated by exactly what you describe. These are not people concerned about security; these are people who want exploits kept secret so they can sell them and use them. The morons posting here in support of this don't get it. These people are not your friends.
There are a number of well-documented cases of vendors being notified well in advance of publication, and those vendors doing nothing until after publication (in some cases the publication was only made because the vendor refused to do anything). Full disclosure forces lazy, cost-cutting corporations to improve their products when they would otherwise have no motivation to do so. The only people who benefit from non-disclosure are black hat criminals.
So the average age of this group is apparently what, 15 or thereabouts?
#DeleteChrome
They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.
Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".
-Billco, Fnarg.com
I mean, if they got their way, completely. What would happen? Anyone motivated enough could find an exploit of their own and hack anyone else. But presumably this would eradicate the script-kiddie element as it would require an element of skill.
Is this just another way of the internet evolving itself? If you're an asshole or are part of a company which fucks someones shit up for profit, then in that potential future you'd be vulnerable to backlash. This isn't the chaos ensuing from giving automatic weapons to the mob, as the weapons would only be in the hands of those parts of the mob who give enough of a shit to actively study things which are beneficial to the internet as an organism; thereby sustaining a symbiotic relationship.
Or are they just a bunch of bored script-kiddies? Either way it's interesting.
The fact that they hacked ImageShack shows that there is a vulnerability, probably one that was exposed before. In terms of natural selection this is a good thing, to make the severity of the vulnerability clear. I think it would be a good thing if these kinds of attacks happened more often, to get a better relation to the security situation overall, because many companies and individuals tend to ignore it otherwise.
Their message is complete bollocks though. Full disclosure in combination with destructive exploiting would harden the technology, but their agenda is to just 'not talk' about holes in the security, which is completely stupid, as it would only produce temporary relief or none at all, and then someone would wreak much more havoc.
So their statement "Security through obscurity" is complete crap, but we already know that.
Now away from wishful thinking, what will probably happen?
1. As these guys/girls (probably script kiddies, as they don't seem to have much cognitive power) did cause some financial damage, they will probably be tracked down and sentenced to something not nice for them (as they stepped on both sides' toes).
2. People with financial interest exploiting vulnerabilities will continue to do so while they'll be staying below the radar (full disclosure or not, it stays like this), as companies don't give a damn in cases where the damage is not obvious or not on their side.
3. Security industry will stay as it is - because the white hat approach works better than the alternative.
It's not censorship. It's enforcing the castle doctrine by protecting my property and family.
They did a LOT more than that!
They came inside the house. Sat down at the TV and ordered PPV and drank all the beer!
Bastards!
"I'd rather have a bottle in front of me than have to have a frontal lobotomy."
img1...us is running on 4.5; there is no img998...us though. Yes, the logs definitely don't show all details, nor do we have any way of knowing if they're all true. Their hack into two other sites appears to indicate they used an OpenSSH 4.3 vulnerability. http://romeo.copyandpaste.info/txt/nowayout.txt http://romeo.copyandpaste.info/txt/ssanz-pwned.txt
Others have linked to other sites on this thread that speculate a 0-day vuln for the most up-to-date version of OpenSSH exists and this is a way for them to target more people. That would be interesting. It will show if the open method is good for exposing bugs in a timely manner. It will also show how a lot of sysadmins do not have the time or maybe the skill to go over all changes in a distribution to see if it's secure. I know many times I would download a dist. and compile, and if make test passes, I install.
They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.
Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".
Wow. I don't think you understand what full disclosure is and what they are allegedly advocating. It seems like they are not advocating not disclosing the vulnerability to the vendor, but rather not disclosing to the world not only the existence of the vulnerability but also an example exploit. This full disclosure is precisely what results in "script kiddies" getting their toys, because they don't have to be part of any particular hacking group or have significant "skillz". It creates a mad rush for the vendor to get the patch out there before it can be exploited by lamerz using a script they either downloaded off a website or copied from the disclosure with some minor changes.
Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.
Jesus was a compassionate social conservative who called individuals to sin no more.
There's a reason people fear public speaking more than death. Anybody can write graffiti on a toilet door without risk, but it takes character to say the same thing in front of an assembly of your peers. Don't think these people are cowards? Ask them to put their names and contact details in the message next time.
Yes, there is a role for anonymous whistleblowers to get important truths aired, but most people would get their point across with letters to journalists, not defacement. And besides, I hardly think security companies pose a threat to the safety of their members, just for holding the views that they do. These people only 'need' their anonymity to protect themselves against the repercussions of hacking other peoples' webpages.
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
Damn, I meant to say 998 doesn't show what version of SSH it runs.
True, they're exercising free speech in the text of their manifesto. They have their right to that. However, while you're entitled to say what you want, how you say it is quite naturally under some limitations. For example, you are free to say that you like flowers. But if you said that by lighting houses on fire so that from the air, the flames could be read, then you'd get arrested for massive arson. Hacking into the site is clearly illegal and this group should get busted for that.
It'll be quite amusing to watch their dumb asses get drug off to prison if they actually carry out their threat of "destruction and mayhem." Cyber criminal types seem to forget that when it comes to criminal investigations, the bigger a target you make yourself the more likely you are to get caught. When you are just causing trouble, there just isn't enough care to really devote any resources to going after you. However if you do real damage, all of a sudden there's more interest. The more damage, the more resources spent in finding you.
This is why when your car is broken into, you get to fill out a police report and maybe have a cop come dust for prints. However, if someone is murdered, there are cops all over, detectives assigned to the case and so on. The more harm you cause, the more dedicated they are to finding and stopping you.
However, my guess is like most of these Internet Tough-guy hacker types, they've got no way to actually carry out any sort of threat. So they'll just do stupid shit like deface images on imageshack, and nobody will care enough to try and track them down.
If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Because they already tried that and nobody listened?
I would argue that these are not attacks but free speech (as in freedom of expression).
This is also the stance of most Real Terrorists. They justify taking hostages, destroying planes or killing innocent people, so the world will hear their message. Their message might even be a good one. In the end no one might be seriously hurt, as in the case of taking hostages but releasing them afterwards. But don't try fooling yourself or others into thinking that this is NOT an attack. That's just BS double speak.
If the people had done the same actions but without a political message, would you still try claiming it wasn't an attack? Just because you add a political message doesn't make it any less of an attack.
You can even justify the action, as in the case of civil rights protestors vandalizing property, or US soldiers attacking German soldiers to free Jewish Holocaust victims. However, it is still an attack.
Let's stop with the PC BS.
RandomU
Reading the text of their "manifesto" is quite interesting (assuming the link above actually points at what they said).
I don't believe it's incredibly accurate (what they claim). Full disclosure (if you've been around for a while) sort of came about due to the security industry's inability to actually respond to real threats (and they are still incapable of it). Often exploits would become available over the 'net from script-kiddie producers (i.e. the people with the real brains to figure out holes in software and produce something even a script kiddie could use), and so when something like SSH was "exploited" it was typically a case of the script kiddies being armed before the targets of the exploit.
Nowadays, full disclosure mostly benefits the industry, because when the "ssh" attack came out, every person who wrote an ssh server could check to see if they were vulnerable and patch appropriately, rather than say (only) F-Secure finding out about the hack, fixing their own server software, then running around telling everyone that "only we're secure!".
However, I don't get why ImageShack was attacked; they seem to have very little to do with the people they claim "are a target" of their rampage. Or was it just because it's such a widely used website that a lot of people would see it, whereas most security-related sites are pretty low on the radar for a lot of people? What are ImageShack doing running Fedora Core 5 (at least, the way I read that post they appear to be running an FC5 kernel)?
Of course, being a Linux advocate, why couldn't they have attacked a Windows-based server farm? Or made every ATM in the world print their message (now THAT would have gotten some serious publicity).
We can ask "Where do our rights end?" and the best answer I've ever heard was "When they infringe on other people's rights". You say a group hacking sites and bringing them down to display their message is free speech!? That's as far as free speech as you can get, imagine if you wanted to speak out against government, and they jailed you and said "Our freedom of expression says that we can express it by shutting you up" that's exactly what this group is doing, they're not communicating, they're trying to silence and overwrite messages, they want to restrict speech and curtail basic freedoms.
Indians that block major roadways make no attempt to eliminate the awareness of the opposition, only make theirs known. This group is not simply yelling, they're yelling and silencing, you don't just need good earplugs, cause when they take down a security blog, earplugs would be useless in undoing the "damage" they have done.
If proof-of-concept code is never released, what's to motivate the vendors to release a patch? If nobody actually exploits a vulnerability, Joe Q. Public isn't going to care that someone could (even if they did, most people don't care...).
Plus, if a white hat gets their hands on the exploit code, they may be able to release a patch well before the vendor can, or at least try to mitigate the possible damage caused (saying 'program x is vulnerable to a buffer overflow!' isn't useful to ANYBODY). Full disclosure has worked so far, why do we need to change it?
Worst. Analogy. Ever.
(this is intended mostly as humor more than reality)
On the plus side, if any security group you buy software/hardware from gets hacked by these guys, you know that perhaps you choose the wrong security software/hardware provider... But, no doubt, the security consultant of their closest competitors will be knocking on your door shortly to sell their own product and show how anti-sec haven't hacked them yet! ;)
I WONDER WHY. It CERTAINLY has NOTHING to do with the fact that their argument amounts to 'full disclosure is bad durr!!'. Nope, nothing at all.
A friend of mine had her machine infected with one of the imageshack exploits. It was basically a double extension EXE, labelled like Aphoto.jpg__________________.exe
She wasn't paying much attention and had hit OK when prompted to run the program. So her computer had started sending me MSN links to similar images hosted on ImageShack.
Here's the EXE that I got sent.
Someone I was chatting with in a technology IRC chatroom had run the virus in a VM, and it apparently has code to detect the presence of a VM, rapes your registry, spreads itself to multiple EXEs across your system, and a bunch of other weird things. The code is apparently run through one of those code masher programs to prevent decompilers.
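The lure described in this comment relies on a decoy image extension followed by a long run of padding so that the real `.exe` extension scrolls out of view. The following filename classifier is an added example (not code from the commenter or from ImageShack); it flags that shape, and also the unpadded `photo.jpg.exe` form that hides behind Explorer's "hide known extensions" setting. The extension lists and sample filenames are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows will execute when double-clicked (illustrative list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta", "msi"}
# Extensions that attackers use as the visible "decoy" part of the name.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf", "doc", "docx", "xls", "mp3", "avi"}

# A decoy extension, then optional padding (underscores, spaces, dots, dashes) running to the end.
DECOY_PATTERN = re.compile(r"\.([a-z0-9]{2,5})([ _.\-]*)$")


@dataclass
class Verdict:
    deceptive: bool
    decoy_ext: Optional[str]
    real_ext: Optional[str]
    padding_len: int
    reason: str


def classify_filename(name: str) -> Verdict:
    """Decide whether a filename is a double-extension lure such as 'Aphoto.jpg_____.exe'."""
    # Only the basename matters; directory components are never what the victim sees.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if "." not in base:
        return Verdict(False, None, None, 0, "no extension")
    stem, real_ext = base.rsplit(".", 1)
    # The operating system honours the LAST extension, whatever the name looks like.
    if real_ext not in EXECUTABLE_EXTS:
        return Verdict(False, None, real_ext, 0, "not an executable type")
    match = DECOY_PATTERN.search(stem)
    if match and match.group(1) in DECOY_EXTS:
        # Padding length of zero is still deceptive ("photo.jpg.exe") when known
        # extensions are hidden by the file manager; long padding is the scrolled-off variant.
        return Verdict(True, match.group(1), real_ext, len(match.group(2)),
                       "decoy extension precedes executable extension")
    return Verdict(False, None, real_ext, 0, "plain executable name")


def scan_filenames(names: List[str]) -> List[str]:
    """Return the subset of names that look like double-extension lures, in input order."""
    return [n for n in names if classify_filename(n).deceptive]


# Constructed sample: the padded lure from the comment, the unpadded variant,
# a genuine image, and a plainly named installer.
SAMPLE_NAMES = [
    "Aphoto.jpg" + "_" * 18 + ".exe",
    "holiday.jpg.exe",
    "vacation.jpg",
    "setup.exe",
    "C:\\Users\\me\\Downloads\\Report.pdf .scr",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = classify_filename(n)
        print(f"{n!r:55} deceptive={v.deceptive} decoy={v.decoy_ext} real={v.real_ext} pad={v.padding_len}")
```

A mail gateway or IM file-transfer hook would apply `classify_filename` before the attachment ever reaches the user, rather than relying on the user to notice the trailing `.exe`.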
Ah, yet another person who mistakenly assumes what they do on the Internet is anonymous and therefore risk-free. If you're just being an annoying troll, you're relatively safe, but if you get the law and security experts involved, the supposed anonymity drops away pretty quickly most of the time.
because the image of the elf was substituted by one of an angry hacker.
I think full disclosure is a good motivation for companies to fix their stuff. Notify them you found a problem, what the problem is, and that you will make the exploit public after a certain (reasonable) period of time, whether they fix it or not.
What?
:)
ac
sig? Oh, that sig...
That "manifesto" is an obvious attempt at reverse psychology. Large corporations and governments would LOVE to eliminate full disclosure. Exploits and fixes will then become trade secrets and sold off at a premium to the richest customers that can afford the "Elite Protection Package".
The best disinfectant will always be sunshine, not shadows.
So that's how Melkor created the orcs!
It's a very dark ride.
Ah, yet another person who mistakenly assumes what they do on the Internet is anonymous and therefore risk-free. If you're just being an annoying troll, you're relatively safe, but if you get the law and security experts involved, the supposed anonymity drops away pretty quickly most of the time.
They clearly don't believe this. If they did, they wouldn't have bothered to do this anonymously. They'd sign their names to their work and show how 'gutsy' they really are. The fact that they didn't reveal this information indicates that they believe it can be effectively hidden. And, in fact, it can, if you know what you're doing. The "supposed anonymity" drops away pretty quickly most of the time because most of the time, the people making the supposition don't know what they're doing.
"Convictions are more dangerous enemies of truth than lies."
It's still cowardice to anonymously conduct vandalism, even if that anonymity is an illusion. So, it would appear to be anti-sec's assumption, not mine.
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.
Partial disclosure of a new class of vulnerability can also result in new ways of thinking about problems. For example, to exploit webmail interfaces, I don't have to disclose how to write a CSS file that positions malicious links over a particular webmail app's legitimate interface links, just that such a thing is possible. (FWIW, this was first fully disclosed to the major vendors/operators in 2000. Most of them spent weeks trying to convince themselves that it wasn't a problem that "Reply" led to an off-site re-login screen... It was fixed only after the attack was described, as above, on a public list in 2001.)
With respect to ATMs, where could an attacker provide input into the app? Via 2-3 mechanisms on the ATM card, the UI, via displayed details of individual accounts, or other means. Perhaps "I can has <BOM>" is all someone needs to find out what to attack, after which an implementation would be relatively trivial.
There are 1.1... kinds of people.
Eh? I thought PETA got taken over by the only marginally good satire writers from the Onion and MAD.
This group needs to hire a good copy/PR writer to explain what "exploit", "disclosure", "script kiddie", "whitehats", and "rm'd" mean, and also how their proposed technical solution of targeting individuals for removal purports to solve the problem of socially motivated script kiddies, and what this technical demonstration has to do with their business objectives.
In short, this group has successfully met all the criteria to be a typical late '90s dot-com company.
There are 1.1... kinds of people.
But I'm not sure it's much better only having a few experts able to steal money and run bot nets over a longer period of time or a lot of clueless script kiddies doing it within a shorter period.
I'm sure. I'd rather have some idiot punk walk into my house and steal the TV than some knowledgeable professional come in, empty the contents of my safe, and steal the far more valuable painting on the wall while leaving the relatively worthless TV alone.
If the argument is it reduces the number of idiot punks running around, so I don't find out about the defect in my security system until the professional comes along, it's fairly easy to see why it's a bad thing, even if it does in fact reduce the number of idiot punks running around stealing TVs.
"Convictions are more dangerous enemies of truth than lies."
I think l0pht's home page back in the day had it right when they quoted Microsoft as saying:
"That vulnerability is theoretical." -Microsoft
...which is one of my arguments for releasing POC code. Some folks need to be hit with a bigger clue-stick than others.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
Sure, as long as you use washable ink. After an attack, what has changed except delayed access for a few and more cash in the pockets of IT security contractors?
Views expressed do not necessarily reflect those of the author.
Is anyone else tremendously amused at the method these guys have chosen to get their message out? I don't necessarily disagree with them - specifically, I usually only believe in full disclosure being necessary when an exploit is already in use in the wild - but it seems to me that they're just going to polarize the debate against their own position. IT security geeks are notably stubborn, defiant, etc., and being attacked over this will only entrench them further in their position. And to add to this, the 'attack' is frankly negligible - your blog will be defaced! Of course, you will certainly have backups now that we've warned you, but it'll still be defaced for up to a few hours!
Stuff.
Plus it would also make it more difficult for anyone to figure out who was using the exploit.
If only a few people have the exploit, then it is a lot easier to catch the people who are using the exploit to extract money from banks. If everyone has it then it's difficult to figure out who was using it in past crimes.
But what will probably happen is the exploit will get out to the script kiddies and some stupid hacker wannabe is going to be nailed for a lot of crimes.
So if I had the exploit and was using it, I think now would be a good time to release it to the 2600 crowd.
Jesus, what planet did you come from?
Wow. I don't think you understand what full disclosure is and what they are allegedly advocating.
Nope. He has it right, you have it 100% wrong. The ATM issue is a perfect example. That vulnerability was disclosed to the vendor eight months ago and they haven't done jack shit. Now the threat of full disclosure - to the entire world - has caused the vendor to get an injunction to prevent disclosure. Where is the fix? I still don't see a fix. Under your theory of "full disclosure is just another word for limited disclosure" the vendor would have fixed the problem long ago.
It rarely ever works like that and we have 30+ years of history to prove it - the security industry used to work the way you wish and the results were the same, vendors didn't do shit. The only time a fix comes is when the vendor knows that the only way to stop the script kiddies and all the serious blackhats is to actually fix the problem instead of sitting on it. Without at least the threat of true full disclosure vendors won't fix their problems, they don't have enough of an economic incentive to do so.
Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.
Without the threat of true full disclosure, nothing ever comes of limited disclosure.
When information is power, privacy is freedom.
I wrote "follow the money and see who benefits" because in this case it's one and the same.
Also, "useful tool", as per the Urban Dictionary definition of "tool"
So wait, the whole exploit was 900+ servers of unpatched OpenSSH?
Why the hell was OpenSSH open to ALL those servers? Don't they have a VLAN for that sort of internal config? Hell, Yahoo uses a bunch of terminal servers hooked to the serial port to prevent this kind of thing. I bet this is older unpatched OpenSSH too.
Don't know if I agree with their messages, but since the OpenSSH exploits were public for a while now, one would think everyone would be patched.
If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Silly rabbit, their trix aren't for you. Their plan is to help grease the path for the fuckers in Congress trying to get this POS Cybersecurity Act of 2009 bill passed. Once a good portion of the Internet structure becomes nationalized, any full disclosure of vulnerabilities could be considered as posing a national security threat and thus would have to be kept secret. What this means, of course, is that any software vendor providing a product that constitutes a major portion of the federal government information infrastructure as well as the internet commerce and banking, will be protected from full disclosure of vulnerabilities in their product by the federal government based on national security policy.
As this relates to "anti-sec", they want to build the impression that will be amplified by a scaremongering media that the Internet is being besieged by warring factions of evil hackers. There will even be some useful idiots pointing to the ramblings of these assholes as proof that even the sec community is divided on the issue of FD. Which it is, but mostly the debate revolves around the timing of disclosure and not whether to disclose at all. This is a sham war designed to put pressure on Congress members to pass a really, really, bad bill.
I think the timing of this incident, along with recent botnet attacks and other media grabbing "cyber" events within the few months just before this bill was introduced, couldn't be more perfect to create a campaign to justify the takeover of the Internet infrastructure by the federal government. http://www.eff.org/deeplinks/2009/04/cybersecurity-act
No one really fully understands a topic as controversial as full disclosure, and your perspective isn't complete either. Neither is mine.
Full Disclosure doesn't necessarily mean exploit code. It does mean full details for someone skilled in the art to be able to produce exploit code. There is a world of difference. Of course, these days for any worthwhile flaw the time from full disclosure to in the wild worm type exploit code is now usually only 48 hours or so, but that isn't usually released by the researcher.
Full disclosure is the A bomb, scorched earth, last resort of most legit security researchers, and legit researchers will follow some sort of "responsible disclosure" timeline, but if the vendor does not fix the problem in a reasonable amount of time (where reasonable varies widely by software, # of deployments, complexity of the fix, etc), Full Disclosure is the big stick threat that usually will get results if nothing else does.
Blessed are the pessimists, for they have made backups.
Let me describe a useful analogy: When a house alarm code is "guessed" by a thief, and the thief is caught, the media report, if any, usually does not include disclosing the code on your TV screen in big letters along with instructions on how you too can do it, as they cover the incident. Does it? This is however much like what reality is for IT players. As soon as one person breaks into another party's authorization domain, he/she feels it is their democratic duty to let any and all others know how they can do the same. Disregarding any opinion the target party of the break-in may have about it. Why? Some twisted moral codex, mutated from reality into virtuality, I guess.
http://romeo.copyandpaste.info/
-----[ Check list / Goals: Take down every public forum, group, or website that helps in promoting exploits and tools or have show-off sections. Publish exploits rigged with /bin/rm to whitehats, let them rm their own boxes for you.
Spread the anti-security movement.
Revive pr0j3ct m4yh3m.
I understand that imageshack might get people's attention and spread your message, but if your stated goal is to attack sites that host tools and disclose exploits, wouldn't something like Sectools.org be more appropriate? Or maybe they couldn't handle something legitimate... Also, it seems likely that they would use tools distributed from just such a site to exploit an OpenSSH vulnerability.
Science will save us. The question is, will it destroy us first?
AC's confusion is understandable, you wrote 'useful fool' in your initial message.
Nerd rage is the funniest rage.
I think they are pro full-disclosure, and this action is just a pun.
The message they are trying to get across is: "If you close your eyes, the world doesn't disappear. Here's an example of a hack, just to show you that vulnerabilities will continue to exist even if you don't make them public. Not only that, but there will also be people who will find them and use them, regardless of your will to make them public or not".
The message is worded well, others noticed it too; I think the author is too intelligent to be so ignorant of the truth.
The saddest poem
I used both :-) I called them useful fools, and tools, because they ARE both. Then a poster tried to say I was incorrect, and should have used the expression "useful idiots". Intelligent people can still be fools and tools, but idiots are just idiots.
If you meant to communicate 'useful tool' in your first message, you did a crappy job of it. I mean, there is even a period between 'useful' and 'tools', and you use 'bunch of' to modify 'tools'.
I shall endeavor now to stop splitting hairs.
I'm surprised this hasn't been mentioned yet: This same group claims that there is a 0day vulnerability in OpenSSH, and used it to attack the site of a security consultant: More here.
And, what do you know? These kids (yes, script kiddies, most likely teenagers) FORGOT TO REMOVE THEIR IP ADDRESS FROM THAT POST. 125.238.144.224.
I, for one, find it quite ironic that they want "full-disclosure" abandoned, yet they know about a potentially devastating vulnerability in OpenSSH and won't tell anyone. Kind of reiterates why we need full-disclosure.
Hey, I had some deja vu when I read his post. Then I googled for "I'd like to see where this goes. This is gutsy, and apparently they know what they're doing and they mean business. Their message is clear, concise, and I don't completely disagree with them. Interesting." and it shows me that this strange post about how concise the message is appears everywhere this is reported, uh.
And well, I guess I would be more impressed if they hacked an actual central part of the security industry like they threaten to do rather than just a photo hosting site (are they needy for attention or something?)
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
They're demonstrating that full disclosure is bad, by making use of a secret exploit? And they aren't going to release the exploit so that it can be fixed, they're going to keep it for themselves so that they can hack more people? Do they not realise that they just shot their own point in the foot? :-/
I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
Sure, blackmail is perfectly fine when you have good intentions.
with this shit.
They better pray I never learn who they are in the real world. They've got a .45 hollow point coming fast toward their kneecaps.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
So just to be clear, you're alright with people vandalizing your house as long as it costs you nothing more than time and money to fix it.
Or just not interested in the same stuff as you.
I wish I could say I too long for the days when I was part of a special elite by virtue of the fact that I could use the Internet, but in truth regular people are a lot more fun to talk to than nerds so I don't.
This reminds me of a "Not the Nine O'Clock News"* skit interviewing a spokesman for a centrist terrorist group.
"All we want is peace and tolerance, and we're prepared to maim and kill to achieve our ends."
Straying off-topic, another favourite quote from the show: "Political scientists think they have finally understood current [Reagan era] American foreign and defence policy. Having been late for the last two world wars, they want to make sure they are extra early for the next one."
(Both quotes from ~25 year old memories and are therefore unreliable in detail.)
* A British 1980's politics/satire/skit comedy TV show.
Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
Remember how Germany outlawed "hacker tools"? I guess these anti-sec terrorists can relate to that. Thinking that banning something easily available will help anyone but criminals is very similar to thinking that bullying people into shutting up will stop hackers from finding security holes.
Well-meaning but technologically ignorant politicians are one thing (personally I think they are the biggest threat to science and progress), jerks like this are another. I'm sure they are a bunch (if there is more than one) of angry young men who feel like they know exactly what's best for the world and who are almost religiously passionate about imposing their will on others.
I'm sure many of us have felt something similar at some point of our lives, but the origin of that emotion is a need to feel powerful - not solving some problem or anything altruistic at all. If you resort to terrorizing people so they act the way you want them to, then you are nothing but a power-hungry terrorist. No matter how pure you think your reasons are.
It's not blackmail, just potentially embarrassing.
If some guy threatens to out your extramarital affair, or the fact you've been defrauding your employer, or any other thing you'd rather keep secret, and they want money to keep quiet... that's blackmail.
If someone outs your ill affairs for free because you're an irresponsible prick, that's justly deserved. Disclosure of found exploits falls under this umbrella, not blackmail.
-Billco, Fnarg.com
You can't force clients to do anything, but much like the upstream vendor, if there is a serious threat to their bottom line, clients will do backflips on command if you can make the gaping hole go away.
There is also a rather broad culture of vendor-managed or reseller-managed equipment. For example, if a vulnerability is discovered in any of the software I've built and sold to my clients, it is a simple matter for me to log into each box and patch every single one of them, and email the fix to the remaining few whose installations I don't manage. For those who don't enjoy such a strong vendor-client relationship, there is often an auto-update mechanism built into off-the-shelf apps; all you have to do is click it and reboot.
That made me laugh. You got beat up in school because you tried to 'logically argue' with the bullies over your differences, didn't you?
The world is run by bullies. You either stand up to them, or do what you do: blow hot air. Speak to a brick wall. Request that the pigs take flight.
There is a place for words, a very prominent place. It is the first port-of-call when dealing with issues. But if you honestly had any idea how long this issue has been going on despite decades of the most carefully crafted arguments, then you would realise that the time for words alone is clearly over. I'm not advocating aggressive behaviour by default, but I'm certainly not going to sit on my bum and 'talk to the hand' while these idiots continue to put us all at risk. It's been going on for a while now, dude.
But this is different. They have a political agenda they are powerless to affect unless we pay attention to them. The fact that they are acting illegally to push their message disinclines me to give their position the consideration it might otherwise have received. And yes, bullies generally do go away when you ignore them, and if they attack you then I say respond decisively and with all requisite violence. But that's not the point of my original post.
My point is, if they can't resolve their differences in a civilised way then they don't deserve to be heard. It's one thing to be disenfranchised because of injustice; it's another thing to break the law just to make a point.
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
Many a contributor asks here: "... something smells fishy here ... if we just could prove this ... what's the motivation and why the specific target?"
If we follow the money we get:
1) Non-open-source software shops
2) EOM software shops
3) Proprietary software shops
Oh, did I mention that posting sploits hurts those who are not open source, but helps the open source community to debug and fix software in a fraction of the time this gets (if ever) done in closed shops? It also allows sysadmins to take action in a meaningful way. Yeah, the security dudes get a cut from this too if you let them.
As in other incidents where the terrorist and rebel has way less to gain than many other interest groups.
"if their clients get owned, it looks bad on the vendor, but you cant force your clients to do anything."
That's because it IS bad on the vendor. End of story.
The vendor should have taken all due precautions to prevent security flaws in their code BEFORE they released it. They didn't. Any ownage is now entirely their fault, regardless of patching. It should never be the client's responsibility to apply a patch.
We don't tolerate 'apply a patch after the fact' as an answer in other disciplines. We shouldn't tolerate it in computing. Do it once, do it right, zero tolerance for security bugs.
If your language (*cough* C, C++) does not help you do this then stop using that language and use/create appropriate tools.
You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC