ImageShack Hacked, Security Groups Threatened

← Back to Stories (view on slashdot.org)

ImageShack Hacked, Security Groups Threatened

Posted by Soulskill on Saturday July 11, 2009 @03:23AM from the a-picture's-worth-a-couple-hundred-words-or-so dept.

revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."

30 of 288 comments (clear)

Min score:

Reason:

Sort:

Their message is certainly ironic, by Anonymous Coward · 2009-07-11 03:27 · Score: 3, Insightful

in a "shoot the innocent bystander while sounding all righteous about risk" sort of way.
Is this considered full-disclosure ... by neilobremski · 2009-07-11 03:28 · Score: 3, Funny

... of their movement?

--
-- NeilO
Astalavista by Spyware23 · 2009-07-11 03:30 · Score: 5, Informative

For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).
1. Re:Astalavista by Threni · 2009-07-11 03:46 · Score: 3, Interesting
  
  Hardly, given that they're anti-disclosure.
2. Re:Astalavista by tomhudson · 2009-07-11 04:24 · Score: 4, Insightful
  
  Hardly, given that they're anti-disclosure.
  
  ... but they ARE in favour of people p0wning sites - which requires disclosure of vulnerabilities - something they're against. Kind of contradictory ...
  They're just a bunch of assholes, same as the punks who key cars.
3. Re:Astalavista by tomhudson · 2009-07-11 05:34 · Score: 3, Insightful
  
  No, one of the reasons they cite for their anti-full disclosure sentiments is that it allows hordes of script kiddies to "p0wn" sites.
  
  ... in other words, they (Anti-Sec) don't want competition that will ruin the economic value of the 'sploit prematurely.
  Just follow the money ...
Leave door open or we will rob you ? by abies · 2009-07-11 03:33 · Score: 4, Insightful

From what I can understand from their manifest, they don't want full disclosure of exploits so
1) Other script kiddies cannot use them too easily
2) General public is not aware of the risks
3) Security companies cannot prepare protection against them
This is like... let's thing about proper, slashdot analogy... bunch of car thieves telling that they are against installing immobilizers in cars and warning they will steal cars of immobilizer producers and supporters till they stop distributing immobilizers. When they stop, thieves will come back to stealing random cars, with less effort.
1. Re:Leave door open or we will rob you ? by binkzz · 2009-07-11 04:17 · Score: 4, Informative
  
  1) I think that's a good thing
  2) They don't want the world to not know about the exploits, they just don't want the world to know how to use those exploits
  3) These exploits would still be in the hands of the security companies so that they could prepare protection against them
  
  I'm not sure how you came to your conclusions, I don't believe they are correct.
  
  --
  'For we walk by faith, not by sight.' II Corinthians 5:7
2. Re:Leave door open or we will rob you ? by whoever57 · 2009-07-11 04:29 · Score: 4, Insightful
  
  3) These exploits would still be in the hands of the security companies so that they could prepare protection against them
  Except that history has shown that many software companies won't actually fix problems until forced to do so by full disclosure.
  
  --
  The real "Libtards" are the Libertarians!
3. Re:Leave door open or we will rob you ? by Vellmont · 2009-07-11 06:41 · Score: 4, Insightful
  
  2) They don't want the world to not know about the exploits, they just don't want the world to know how to use those exploits
  There's at least a couple large-scale problems with this viewpoint.
  The most direct one is that knowing about the exploit, and knowing how to use the exploit aren't really as different as you try to make them out. How long do you think for "bad guys" to figure out the full picture if you released enough information for people to protect themselves? i.e. "disable function X of server product Y". Well shit, you just gave a HUGE clue to the "bad guys", but probably didn't really give ENOUGH information to enough of the "good guys". What about the guys relying on "function x of server y" who simply can't disable it?
  Exploits are often esoteric sounding enough that companies can just claim (and often have) "that vulnerability is entirely theoretical". It's often the case that the exploit is VERY exploitable, but the developers or companies are just being arrogant, don't understand, or don't care. In a perfect world where companies and developers had perfect knowledge of exactly how exploitable and dangerous a vulnerability was (and addressed the ones that needed to be addressed) your idea would work. The real world has proven otherwise.
  The third problem is simply that the companies/developers responsible for fixing the problem often don't suffer the costs (or a much lower cost) or people actually exploiting the vulnerability. i.e. Microsoft doesn't suffer enormous losses when the latest worm ravages the internet. Since they suffer a lot less pain, they'll devote a lot less resources to fixing it. If the exploit eventually will get out then company X will be a lot more likely to fix it rather than just ignoring it and hoping nobody else ever finds out.
  
  3) These exploits would still be in the hands of the security companies so that they could prepare protection against them
  
  Heh. Where does this view that there's always the mysterious people who are just going to fix everything come from? If you think "Security Companies" are going to save you, blah blah blah Bridge to sell.. blah blah blah swamp land in Florida.
  No, what needs to happen is if security is important it needs to be built into the product to begin with. Security isn't a product you "buy", it's something you are. This is nothing different than what people have been saying for 20 years.
  
  --
  AccountKiller
Re:Wow by Kell+Bengal · 2009-07-11 03:39 · Score: 4, Insightful

Wait, wait. How is messing with other people's stuff on the net from safely behind a computer 'gutsy'? Sounds like cowardice to me. I don't care what their message - if they're fucking with my, or other people's, stuff then whatever their argument is will go unheard. If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

--
Scientists point out problems, engineers fix them
altslashdot.org: The future of slashdot.
HaCk ThE PlanET!!! by carn1fex · 2009-07-11 03:40 · Score: 4, Funny

These punks dont know who theyre messin with!! Me and my posse are put on our roller blades, spike our hair and take them out with our camouflage thirty three point six bee pee ess moh demz.

--
---------
No matter how thin you slice it, its still baloney.
wow what an awesome idea! by trybywrench · 2009-07-11 03:41 · Score: 4, Interesting

What an effective way to distribute a message, hack one of the worlds most popular image hosting sites and replace all the images with your manifesto! Every site with an image linked back to imageshack would be displaying your message. Instant.global.audience. I'm not justifying what they did and I'm all for the feds handing out a beat down, afterall, the law is the law but man, what a good idea.

--
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
1. Re:wow what an awesome idea! by Pyrion · 2009-07-11 03:44 · Score: 4, Informative
  
  Except they haven't replaced all of the images. I just looked in my account and only one of my images (a horribly outdated tf2 screenshot, of all things) was replaced.
  
  --
  "There is much pleasure to be gained from useless knowledge." - Bertrand Russell.
Re:Wow by jombeewoof · 2009-07-11 03:42 · Score: 3, Insightful

...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of it's former elf.

--
Linux Zealots: Smarter than Mac Zealots, but still zealots.
Re:Wow by Anonymous Coward · 2009-07-11 03:48 · Score: 5, Funny

...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?
Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of it's former elf.
And trust me, the dwarves are not happy about that.
Best pro full-disclosure advert ever by AmiMoJo · 2009-07-11 03:48 · Score: 3, Insightful

This hack demonstrates exactly why we need full disclosure. If I used ImageShack to host important images for (e.g. a lot of people use it for blog images or forums) and someone figured out a way to hack in, I'd want to know about it so I can take steps to protect myself. What if someone uploaded child porn and it appeared on my forum?
It's always better to know than to stay ignorant. It might harm the companies behind affected products, but if it was a safety issue (e.g. your car can occasionally explode while filling it with petrol, which actually happened) there would be no question that full disclosure would be a good thing.

--
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Re:Help for the unfamiliar by klui · 2009-07-11 03:57 · Score: 5, Interesting

It doesn't show the details but their website gives a summary. http://romeo.copyandpaste.info/txt/imageshack-pwned.txt How accurate, who knows.
Re:Wow by sqlrob · 2009-07-11 03:59 · Score: 5, Insightful

If it's free speech, mind if I come and write graffiti on the side of your house? If you stop me, you're censoring my speech.
Re:I was a victim... by Niris · 2009-07-11 04:12 · Score: 3, Funny

Thankfully you're a /. user, so the goatse.cx picture was probably better.
I'm not sure I get it by sjames · 2009-07-11 04:15 · Score: 3, Insightful

In order to put an end to security consultants and companies spreading fear of being hacked in order to sell security oriented products and services, they will go on a reign of terror hacking everything that isn't secured to the nines? Uhmmmmmm. I'm not sure how that works.
1. Re:I'm not sure I get it by maxume · 2009-07-11 04:27 · Score: 4, Insightful
  
  It probably makes more sense if you are 15.
  
  --
  Nerd rage is the funniest rage.
2. Re:I'm not sure I get it by Bigjeff5 · 2009-07-11 06:31 · Score: 3, Insightful
  
  You may need to go younger, ever seen a toddler when mommy or daddy tells them "no"? They tend to pitch a fit, and try to break stuff.
  These guys may be smart as hell, but they are little more than toddlers who can hack. They are definitely NOT worth paying attention to beyond what is necessary to track them down and put them in jail.
  BTW, do you know what happens to guys like these when they get caught? After jail time, they are generally banned from computers. I.e. more jail time if they are caught using one. That's got to be a virtual death sentance for a hacker.
  I'm not sure these guys thought this thing through, they are definitely public enough to be traceable. I hope they don't like where they live very much!
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Re:Wow by NickFortune · 2009-07-11 04:15 · Score: 4, Insightful

Why stop at the outside? Break into the place and scrawl all over his wallpaper. That's effectively what anti-sec did here.

--
Don't let THEM immanentize the Eschaton!
Re:Making the world a better place. by billcopc · 2009-07-11 04:32 · Score: 5, Insightful

They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.
Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".

--
-Billco, Fnarg.com
Re:Wow by GeorgeS · 2009-07-11 04:44 · Score: 3, Funny

They did a LOT more than that!
They came inside the house. Sat down at the TV and ordered PPV and drank all the beer!
Bastards!

--
"I'd rather have a bottle in front of me than have to have a frontal lobotomy."
Re:Making the world a better place. by Thiez · 2009-07-11 06:11 · Score: 4, Insightful

I think full disclosure is a good motivation for companies to fix their stuff. Notify them you found a problem, what the problem is, and that you will make the exploit public after a certain (reasonable) period of time, whether they fix it or not.
My best guess is... by bXTr · 2009-07-11 06:31 · Score: 3, Funny
- This is a legitimate threat, and they're truly against full disclosure.
- Or they're using reverse psychology and are for full disclosure.
- Unless they're using reverse-reverse psychology and are really against full disclosure.
- But maybe they're using reverse-reverse-reverse psychology and are really for full disclosure.
- ...
- Or they're just a bunch of script kiddies trying demonstrating their "l33t 5k1lz".
--
It's a very dark ride.
Re:Making the world a better place. by UncleTogie · 2009-07-11 07:05 · Score: 3, Insightful

I think l0pht's home page back in the day had it right when they quoted Microsoft as saying:

"That vulnerability is theoretical." -Microsoft
...which is one of my arguments for releasing POC code. Some folks need to be hit with a bigger clue-stick than others.

--
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
Re:Making the world a better place. by Jah-Wren+Ryel · 2009-07-11 07:38 · Score: 5, Insightful

Wow. I don't think you understand what full disclosure is and what they are allegedly advocating.
Nope. He has it right, you have it 100% wrong. The ATM issue is a perfect example. That vulnerability was disclosed to the vendor eight months ago and they haven't done jack shit. Now the threat of full disclosure - to the entire world - has caused the vendor to get an injunction to prevent disclosure. Where is the fix? I still don't see a fix. Under your theory of "full disclosure is just another word for limited disclosure" the vendor would have fixed the problem long ago.
It rarely ever works like that and we have 30+ years of history to prove it - the security industry used to work the way you wish and the results were the same, vendors didn't do shit. The only time a fix comes is when the vendor knows that the only way to stop the script kiddies and all the serious blackhats is to actually fix the problem instead of sitting on it. Without at least the threat of true full disclosure vendors won't fix their problems, they don't have enough of an economic incentive to do so.

Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.
Without the threat of true full disclosure, nothing ever comes of limited disclosure.

--
When information is power, privacy is freedom.