Slashdot Mirror
ImageShack Hacked, Security Groups Threatened
revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."
in a "shoot the innocent bystander while sounding all righteous about risk" sort of way.
... of their movement?
-- NeilO
These are the same people who say they've found an exploit in some versions of openssh. Any connection?
http://seclists.org/fulldisclosure/2009/Jul/0028.html
http://news.ycombinator.com/item?id=692036
http://lwn.net/Articles/340483/
For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).
From what I can understand from their manifest, they don't want full disclosure of exploits so
1) Other script kiddies cannot use them too easily
2) General public is not aware of the risks
3) Security companies cannot prepare protection against them
This is like... let's thing about proper, slashdot analogy... bunch of car thieves telling that they are against installing immobilizers in cars and warning they will steal cars of immobilizer producers and supporters till they stop distributing immobilizers. When they stop, thieves will come back to stealing random cars, with less effort.
Wait, wait. How is messing with other people's stuff on the net from safely behind a computer 'gutsy'? Sounds like cowardice to me. I don't care what their message - if they're fucking with my, or other people's, stuff then whatever their argument is will go unheard. If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
These punks dont know who theyre messin with!! Me and my posse are put on our roller blades, spike our hair and take them out with our camouflage thirty three point six bee pee ess moh demz.
---------
No matter how thin you slice it, its still baloney.
What an effective way to distribute a message, hack one of the worlds most popular image hosting sites and replace all the images with your manifesto! Every site with an image linked back to imageshack would be displaying your message. Instant.global.audience. I'm not justifying what they did and I'm all for the feds handing out a beat down, afterall, the law is the law but man, what a good idea.
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of it's former elf.
Linux Zealots: Smarter than Mac Zealots, but still zealots.
...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of it's former elf.
And trust me, the dwarves are not happy about that.
This hack demonstrates exactly why we need full disclosure. If I used ImageShack to host important images for (e.g. a lot of people use it for blog images or forums) and someone figured out a way to hack in, I'd want to know about it so I can take steps to protect myself. What if someone uploaded child porn and it appeared on my forum?
It's always better to know than to stay ignorant. It might harm the companies behind affected products, but if it was a safety issue (e.g. your car can occasionally explode while filling it with petrol, which actually happened) there would be no question that full disclosure would be a good thing.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Their language and style sounds rather distinct. If other writings of them are available on the web, they should be easy to identify.
There's also quite a lot of text.
Stephan
http://stephan.sugarmotor.org
It doesn't show the details but their website gives a summary. http://romeo.copyandpaste.info/txt/imageshack-pwned.txt How accurate, who knows.
If it's free speech, mind if I come and write graffiti on the side of your house? If you stop me, you're censoring my speech.
They didn't even bother to Ask Slashdot :(
Thankfully you're a /. user, so the goatse.cx picture was probably better.
In order to put an end to security consultants and companies spreading fear of being hacked in order to sell security oriented products and services, they will go on a reign of terror hacking everything that isn't secured to the nines? Uhmmmmmm. I'm not sure how that works.
Why stop at the outside? Break into the place and scrawl all over his wallpaper. That's effectively what anti-sec did here.
Don't let THEM immanentize the Eschaton!
I mean, it's mostly only big corps that are for "non-disclosure".. the rest of the free world wants to know!
-- these are only opinions and they might not be mine.
1) The text was syntactically and grammatically near perfect. You don't often see that in these sorts of things.
2) The cadence and style was sort of familiar. I was always able on usenet to identify forgeries not by the path, but by the way they were written. Any idiot can put words where they're not supposed to be, but very few people can wrote like somebody else.
3) I posit that if they weren't good intentioned they'd have hacked DHS.
It would not surprise me if this turned out to be a bunch of CS/security professors or the like, or their minions doing their work.
From the message, I'm absolutey certain they're in America, and had either a very rigorous or British schooling.
Need Mercedes parts ?
Not only is the exact opposite of the OSS mindset, I'd be willing to be that it is motivated by exactly what you describe. These are not people concerned about security, these are people who want exploits kept secret so they can sell them and use them--the morons posting here in support of this don't get it. These people are not your friends.
There are a number of well-documented cases of vendors being notified well in advance of publication, and those vendors doing nothing until after publication (in some cases the publication was only made because the vendor refused to do anything). Full disclosure forces lazy, cost-cutting corporations to improve their products when they would otherwise have no motivation to do so. The only people who benefit from non-disclosure are black hat criminals.
They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.
Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".
-Billco, Fnarg.com
They did a LOT more than that!
They came inside the house. Sat down at the TV and ordered PPV and drank all the beer!
Bastards!
"I'd rather have a bottle in front of me than have to have a frontal lobotomy."
Are we talking about /. now ?
Oh sorry that's mental age.
They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.
Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".
Wow. I don't think you understand what full disclosure is and what they are allegedly advocating. It seems like they are not advocating to not disclose the vulnerability to the vendor but rather to not disclose not only the existence of vulnerability but also an example exploit to the world. This full disclosure is precisely what results in "script kiddies" getting their toys because they don't have to be part of any particular hacking group or hack significant "skillz". It creates a mad rush for the vendor to get the patch out there before it can be exploited by lamerz using a script they either downloaded off a website or a script that they copied from the the disclosure with some minor changes.
Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.
Jesus was a compassionate social conservative who called individuals to sin no more.
True, they're exercising free speech in the text of their manifesto. They have their right to that. However, while you're entitled to say what you want, how you say it is quite naturally under some limitations. For example, you are free to say that you like flowers. But if you said that by lighting houses on fire so that from the air, the flames could be read, then you'd get arrested for massive arson. Hacking into the site is clearly illegal and this group should get busted for that.
A friend of mine had her machine infected with one of the imageshack exploits. It was basically a double extension EXE, labelled like Aphoto.jpg__________________.exe
She wasn't paying much attention and had hit OK when prompted to run the program. So her computer had started sending me MSN links to similar images hosted on ImageShack.
Here's the EXE that I got sent.
Someone I was chatting with in a technology IRC chatroom had run the virus in a VM, and it apparently has code to detect the presence of a VM, rapes your registry, spreads itself to multiple EXEs across your system, and a bunch of other weird things. The code is apparently run through one of those code masher programs to prevent decompilers.
I think full disclosure is a good motivation for companies to fix their stuff. Notify them you found a problem, what the problem is, and that you will make the exploit public after a certain (reasonable) period of time, whether they fix it or not.
It's a very dark ride.
I think l0pht's home page back in the day had it right when they quoted Microsoft as saying:
"That vulnerability is theoretical." -Microsoft
...which is one of my arguments for releasing POC code. Some folks need to be hit with a bigger clue-stick than others.
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
If you discover another zero-day root exploit in the Linux kernel on your own, and you have the means to sell it to the highest bidder for a nice pile of cash, then neither you nor the winner have a motivation to pass on that secret to the underground.
If there are fewer active vulnerabilities floating in the underground - accounting for accidental or the occasional intentional leak - then how is that more chaotic than what we have now?
I'm curious - I'm not an expert in this stuff by any means.
Oh wait, this reminds me a little of the Linux-development policy change with regards no longer enumerating the fixes and vulnerabilities which comprise each release version -- do you similarly believe that policy will lead to more chaos?
Wow. I don't think you understand what full disclosure is and what they are allegedly advocating.
Nope. He has it right, you have it 100% wrong. The ATM issue is a perfect example. That vulnerability was disclosed to the vendor eight months ago and they haven't done jack shit. Now the threat of full disclosure - to the entire world - has caused the vendor to get an injunction to prevent disclosure. Where is the fix? I still don't see a fix. Under your theory of "full disclosure is just another word for limited disclosure" the vendor would have fixed the problem long ago.
It rarely ever works like that and we have 30+ years of history to prove it - the security industry used to work the way you wish and the results were the same, vendors didn't do shit. The only time a fix comes is when the vendor knows that the only way to stop the script kiddies and all the serious blackhats is to actually fix the problem instead of sitting on it. Without at least the threat of true full disclosure vendors won't fix their problems, they don't have enough of an economic incentive to do so.
Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.
Without the threat of true full disclosure, nothing ever comes of limited disclosure.
When information is power, privacy is freedom.
What would happen, is that the prevalence of unskilled script kiddies would massively decrease, and the background scans taking place constantly would decrease... Because the perceived threats would have abated, people wouldn't bother installing updates or taking any measures to protect themselves. Also without public disclosure and/or active exploitation, software vendors would downplay the seriousness of their vulnerabilities and delay providing patches for them.
The end result of this, is that the smaller number of people who can acquire exploits, and this includes paid criminal gangs, would have a lot more power because they would no longer have to compete against the script kiddies for control of drone systems.
Incidentally, i am also against the *free* disclosure of vulnerabilities in non free software... Commercial vendors charge you a lot of money for their software, and can often be hostile or uncommunicative towards people who find bugs in their software... These people finding bugs are effectively doing their jobs for them and get nothing but grief in return, so it's no wonder that so many bug hunters are now working for criminal gangs.
A lot of these vendors want you to do their beta testing for them for free, and then report the bugs privately to them so they can silently fix them not even giving you credit for the find and often not disclosing any details to the public other than perhaps providing a black box patch.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I think they are pro full-disclosure, and this action is just a pun.
The message they are trying to get across is: "If you close your eyes, the world doesn't disappear. Here's an example of a hack, just to show you that vulnerabilities will continue to exist even if you don't make them public. Not only that, but there will also be people who will find them and use them, regardless of your will to make them public or not".
The message is worded well, others noticed it too; I think the author is too intelligent to be so ignorant of the truth.
The saddest poem