Slashdot Mirror
"Fear and Flooding in Las Vegas"
Thanks to Brett Glass for pointing out his recent piece in Boardwatch. Very well written coverage about DEFCON 7, as well as the ethical side of hacking.
← Back to Stories (view on slashdot.org)
← Back to Stories (view on slashdot.org)
Why not delete and / or rebuild that feature? No more crappy code. I mean, truly obfusticated code never made it into the Linux kernel.
Perhaps he was referring to their maturity level (barely past adolescense) rather than their actual age! Fact is, people _in general_ (there are unusual cases) act more mature as they age.
"It may have been irritating to some of the cDc folks that I asked some more difficult questions than the rest."
No. I like difficult technical questions just fine. The problem was that you asked the SAME question TIME and TIME AGAIN, and not only THAT, but it's a question which has no answer... when you asked me 4 or 5 times if there was a backdoor in the source for bo2k, did you expect me to say anything other than "no there isn't. Read the source and see for yourself"? What other answer could I have given to that question "Yes, we backdoored it! You got me, you sneaky, technically aware amateur reporter" There were 40 or so people in that room. If I was irritated, it's because I had to answer the same stupid question over and over again when others clearly had questions that hadn't already been asked
As for my use of the word "infected"... well, that's cool, you think what you want. But generally real reporters base their coverage on facts, not half-baked pop psychiatry readings of people's answers to questions. You could probably make a pretty ok case that our intent was malicious without reverting to paranoid interpretations of slips of the tongue. It still wouldn't be even remotely true, but it would surely be more convincing that your attempt.
About CIH: I, PERSONALLY, as well as every other member of cDc, know EXACTLY what happened with those CDs that CIH ended up on them, and EXACTLY who was involved. ALL of the people involved are people I've known for years - in real life and online - and I'm perfectly comfortable with their version of what happened. You are completely welcome to go on believing we have a traitor in our midst, but understand that you are spreading verifiably false, undocumented rumor in the guise of news. If you have any intention of ever being taken seriously in your reporting, that might not be the swiftest idea.
As far as your theories on ethics: If somebody tells you their (presumably real) name, and gives you a piece of open source software with a nice, non-offensive name, you can be confident that it has NO backdoors in it? What if we changed our name to the University of Michigan and called our software wu-ftpd... OH WAIT, THAT WAS BACKDOORED. The whole argument that you can't trust us because we have a stupid sense of humor is anathema to a logical, real world method of establishing trust relationships.
As far as taking responsibility for backdoors and security issues that might arise in our software... YOU GOT IT. If you, after downloading the source from www.bo2k.com, can find a verifiable and repeatable security flaw or backdoor in our software, we will fix it inside of a week, even though we all have day jobs and don't make millions of dollars off of bo2k the way - for instance - Microsoft does off of their software.
I'm curious about your theory that Microsoft takes FULL PERSONAL RESPONSIBILITY for any security flaws in their software. Last I checked they do not, in fact, release the names of the programmers responsible for security holes, which means the "personal" part is pretty much out. As far as "full", I would say that we've been a lot more responsive to issues with our software than Microsoft has. Except, of course, when they're imaginary issues like the ones you discuss.
-tf
Seriously..if you are involved in any type of halfway illegal activities you will not parade around a convention calling yourself a 'hacker'. Instead if you want to be appreciated and considered a doberman, hack unix code for a few years, then you will realize that going to a stupid-ass convention won't make you anyone. Hacking has nothing to do with how you look, act, talk, or who you hang out with. In fact it has nothing to do with security. I'd like to walk into that place and randomly start smacking people, or strap some dynamite on myself and light it.
Be warned when reading this that Brett Glass is obsessively, fanatically opposed to the GPL. He used to be on the am-info ("Appraising Microsoft") mailing list, but he would turn every thread into a thread about the evils of the GPL and it became impossible to discuss anything else because everyone was talking about the absurd claims he was making.
Eventually I publically aired the suggestion that we ask the administrator to remove him from the list; he was removed a couple of weeks later, and the list returned to usefulness.
It's a pity, because he's clearly an intelligent and insightful thinker, but his crusade against the GPL is simply beyond all reason.
--
Xenu loves you!
The man says it better than me. In addition it seems like Microsoft in fact denies all legal responsibility using the EULA which removes ALL responsibility for any software defects, including bugs which may open your machine to all and sundry. To somehow suggest that corporations are genuinely interested in security is revisionist history. Time and again Microsoft and others have been caught with their pants down. Generally the PR spin is to blame the people who found the security leak instead of looking at their own practice of development to find the problem. Tweety Fish helped Brett make an excellent point, this article is purely and simply an attack on cDc. Brett doesn't like them, there's no journalistic integrity or proof, merely Mr. Glass spreading rumors and making up a bunch of bullshit. Next time try using the facts Brett and maybe keep from slandering people who've done more to earn respect than you son. Until then why don't you attempt to understand the term "security through obscurity" and why it is a bad idea. School will be in back session next def con, maybe you can learn something before then. gid-foo
He's been laughed off of InfoWorld, his YMMV page hasn't been updated in a year, and nobody with any self respect replies to him seriously anymore. Never mind tweaking the moderation scheme. Your method of selecting topics is slightly broken.
Hmmm.. I missed those. Do you have any left?
"Is this just useless, or is it expensive as well?"
So do I. And, if you're a skilled hacker (which I'll assume you are), you should have no trouble answering them.
Difficult ethical questions are another matter, though. And that was one of the key points of my column: while many people at the conference were quite skilled technically, few were on firm ethical ground.
The problem was that you asked the SAME question TIME and TIME AGAIN,
Actually, I asked several different questions. However, you, and others on the panel, were apparently expecting only technical questions and blanked on ones regarding responsibility, credibility, and trustworthiness. Perhaps that's why they all seemed the same, even though they weren't. They were outside the scope of what you'd expected to be asked -- and perhaps outside the scope of your usual thinking. They didn't "compute!"
and not only THAT, but it's a question which has no answer... when you asked me 4 or 5 times if there was a backdoor in the source for bo2k, did you expect me to say anything other than "no there isn't. Read the source and see for yourself"?
Actually, I asked you several different questions regarding possible back doors.
However, by far the most important question I asked was one that you repeatedly brushed off, as if to say, "This does not compute!" It was: "How can you possibly expect me to be credulous enough to trust you?"
As for my use of the word "infected"... well, that's cool, you think what you want. But generally real reporters base their coverage on facts, not half-baked pop psychiatry readings of people's answers to questions.
I hardly think it's "pop psychiatry" to note the terms that someone uses to describe his or her work. The reactions of your comrades on the panel when you made that remark were also telling. One practically grabbed your arm to stop you! And all of them looked at you as if to say, "Damn it, you're wrecking the spin we're trying to put on this!"
You could probably make a pretty ok case that our intent was malicious without reverting to paranoid interpretations of slips of the tongue.
It's hardly paranoia. But you weren't the only one who betrayed malicious intent; I only cited your remark as one example.
About CIH: I, PERSONALLY, as well as every other member of cDc, know EXACTLY what happened with those CDs that CIH ended up on them, and EXACTLY who was involved. ALL of the people involved are people I've known for years - in real life and online - and I'm perfectly comfortable with their version of what happened.
Perhaps. But would you expect them to tell you the truth if they had intended to throw a monkey wrench into the works?
I can't help recalling the old adage, "There's no honor among thieves." And given the absence of clear, well-grounded, mutually shared ethical standards in your group, it may not be such a wise idea to be that trusting.
As far as your theories on ethics: If somebody tells you their (presumably real) name, and gives you a piece of open source software with a nice, non-offensive name, you can be confident that it has NO backdoors in it?
I would say that the odds would be better. They'd increase if that person had a real address, a real business, and a reputation for quality work that he or she had a desire to maintain. cDc's BO2K doesn't only fail those basic credibility tests, it is the antithesis of them!
What if we changed our name to the University of Michigan and called our software wu-ftpd... OH WAIT, THAT WAS BACKDOORED.
No, it wasn't "backdoored;" the expression "backdoored" implies malicious intent, not accident. wu-ftpd was unintentionally subject to a buffer overflow exploit.
The whole argument that you can't trust us because we have a stupid sense of humor is anathema to a logical, real world method of establishing trust relationships.
That "sense of humor" goes beyond "stupid," I'm afraid. It's malicious and goes far past the point where it is no longer funny.
As far as taking responsibility for backdoors and security issues that might arise in our software... YOU GOT IT. If you, after downloading the source from www.bo2k.com, can find a verifiable and repeatable security flaw or backdoor in our software, we will fix it inside of a week,
Ah, but the damage will have already be done, since there will be plenty of copies out there with the back door still there. And, of course, you would not acknowledge intent. You'd say, "Oops! Geeze, how did that get there?" And hope that I didn't find the other one.
even though we all have day jobs and don't make millions of dollars off of bo2k the way - for instance - Microsoft does off of their software.
As you well know, success in the hacker world has more to do with prestige and control than with money. At least one very prominent hacker, when asked about cDc, replied to me, simply: "They're media whores."
I'm curious about your theory that Microsoft takes FULL PERSONAL RESPONSIBILITY for any security flaws in their software.
I'm curious about that "theory" too. Where, pray tell, did you come up with it? What I said was:
In other words, while cDc -- at its press conference -- insisted that Microsoft was not taking responsebility for security holes, the members of the group themselves weren't even using their own names -- much less taking responsibility for the damage that might be done with the weapon they'd created. Even when they were instructing -- no, urging -- the crowd to go out and use it maliciously.
Forgive me, but I do not see this as being terribly ethical.
--Brett
Incidentally, if you think that Microsoft's EULA is bad, better take a look at UCITA when it comes to your state legislature. It'd absolve software companies of all responsibility for bugs or their consequences -- even more so than Microsoft's "shrink wrap" license.
--Brett Glass
Jon Katz's essay calling for a code of ethics was greeted with flames here, and so I expected that my column would be as well. (Of course, you'd better not go near Slashdot if you can't stand getting flamed.) Some of the flames were simply blunt personal attacks, such as the ones which attempted to brand me as an "anti-GPL zealot." (I do oppose the GPL -- on ethical grounds, in fact -- but that's a topic for another day.) I'm only replying to the few comments which I find to be interesting or thoughtful.
I guess I'm not as quick to condemn commercial software companies or to exonerate cDc and the l0pht as you are. There are plenty of good, ethical businesspeople out there, and some of the activities of the cDc strike me as very UNethical. (YMMV, of course.) And it is not a proven proposition that instantaneous, full disclosure minimizes harm and is therefore the most ethical policy. (See my column in the October BoardWatch for that discussion.)
So, we disagree on some of these points. But that's OK. If we agree on everything, there's nothing to discuss.
--Brett Glass
Ok where to start on this *bad* piece.
IMHO, the stupidist line wasn't the 3 paragraph rant on smoke, or the admittion of taping a conversation w/out concent, but this:
" cDc may claim its beef is with Microsoft; however, users -- not Microsoft -- will be hurt as a result of Back Orifice."
If I was a CIO, and the techies came to me with 2 server choices (linux, NT) and I knew that BO2K was out there, I'd definatly stay away from NT! Or if I *had* any NT boxes ( I don't, but that's not the point), I would have them removed because of this. Thus hurting MS monitarily (no outrageous "upgrade" costs)
Also, wasn't the "ExplorZip" virus outbrake over 2 months ago?
-------------------------------------------------
"Even Prophets don't know everything"
Yeah, I found this article to be lacking. I reached the end with a dry taste in my mouth...because instead of getting a good picture of DEFCON (and wanting to see how it compares to the X-Files version ;-)) I got yet another warning about cDc and, as his big main ending point, "watch out for the scary email virus!!!"
Let the man do what he wants with his hair, but come on...!
"I want peace on earth and good will toward men." "We're the U.S. government. We don't do that sort of thing!!"
Here's Jamie Love, who seems to be the main person from Ralph Nader's organisation driving discussion of Microsoft, announcing that he's created The Unofficial and unauthorized: Brett Glass is unhappy with the GNU General Public License (GPL) page. The discussion that follows is enlightening. To my knowledge, Brett never *did* create his own page representing his arguments.
--
Xenu loves you!
Only to capture the zeitgeist of this chaotic, but nonetheless important, gathering did I press on.
:P
I'm morally opposed to unnecessary uses of the word "zeitgeist." I stopped reading after that sentence.
--
Okay, I got Linux installed. So where's the free beer everyone keeps talking about??
I am afraid I've given up M$ 8 years ago and you're left with one sloppy noodle and a weekend with the ./ team.
The comment he made about the anti abortion site that told people the location of doctors willing to practise abortion is way off.
/. seem to have rejected it out of hand.
Just take that comment for what it was, for what the entire article was, a cheap attempt at emotionalism to sway public opinion. Hackers are like anti-abortionists who kill doctors... Hackers are evil because they smoked and it hurt me... Hackers are evil because... blah blah blah...
Do you think it's a coincidence that he made the comparison of hackers to two groups of people that the media have demonized (terrorists and smokers). I think, perhaps, it was an article written for another website (which shall remain nameless, because I don't want any lawyers to be sent after me, but if you know about Defcon, then you know who I'm referring to), because the readers of
The theme of the conference, however illusive, was this: There are wizards in our midst -- some masters; some journeymen; some merely would-be apprentices. Many of these wizards, through their knowledge, can endanger or damage the rest of us. But there is no common ethical code among them; each makes up his own, or simply has none. It is unclear that any one of them is well-intentioned or even fully cognizant of the consequences of his actions.
Okay, I forgot the obvious comparison to wizards. Masters of arcane and dark arts. Makes deals with demons. Heck, I'm surprised that he was so gentle on this point. He could have just as easily said: All computer hackers worship Satan. Anyone who worships Satan will go to Hell. You don't want your children to go to hell, do you? (See also the political ad in the Gnomes episode of South Park).
But, worse that the attempt to slant public opinion, is the call for the end of individuality. We need a common ethic. One World, One Nation, One People (One Orgasm - the i-brator). Unfortunately, it's the quest for personal freedom which leads to people joining this sort of sub culture. Do what you want for no reason other than because you can, because in the physical world, some guy with a club and a gun, wearing a uniform, can walk up to you on the street, beat the crap out of you, and then lock you up in a prison, just as soon as look at you.
Some break in merely for the challenge; some target people or organizations they don't like; others trash systems at random just to prove they can. The public, which doesn't really understand how computer security works, mostly sticks its head in the sand and ignores the issue unless an intruder does serious damage.
Heh, corporate america sticks it's head in the sand instead of dealing with computer security... True. But, lets face it, they also stick their head in the sand for everything else (the machine's about to crash.... -Oh, is that a bad thing? the software that you have a month to turn out won't work and will destroy your credibility.... - Yes, we know. Mine is better.... - It doesn't matter)
Other than that, I thought the rest of the article was pretty pedestrain... Actually, the title was kind of witty (would have been wittier if it were: "Phear and L0phting in Las Vegas" or maybe "Ph3ar and (ip)Flooding in Las Vegas")
HaXXXor.com - Naked Chicks Teach You How To Ha
>Brett Glass has a long history of being anti-GPL. His arguments on >the Infoworld Electric fora were thoroughly refuted and he hasn't >been seen there for a while. The gist of his opposition to the GPL is >that it prevents people making money off software. Any attempt to >disprove this (Look at Red Hat etc) met with personal abuse, denial, >a change of subject, or silence.
Check out the Sept 1999 and Oct 1999 archives over at the lynx-dev Mailing list archives (http://www.flora.org/lynx-dev/html/) for messages with subject headers of "Re: lynx-dev Re: Licensing Lynx" and "Re: lynx-dev More on lynx copyright". Brett's been a busy little troll. Basically he and a bunch of his pals wants the lynx-dev group to "to allow them to use the code of Lynx in proprietary software packages, saying that this will help your "colleagues" compete with Microsoft." Yeah right. It's basically Brett's ranting about how the GPL won't let him and his cronies steal the work of other people again.
You know, with *BSD being promoted everywhere as "the real hacker's OS," how long do you think it will take before all the wanna-be's switch over to it? I mean, Linux will probably be the domain of the completely clueless forever, but I believe that the script kids and other will make the jump soon. :-P
*Then* we'll see who scores more cool points
Another thing, regarding cons in general; In Europe, demo-culture has always been more popular among computer-youth than hacking. Since '94-'95 the demoparties have been infested with kids playing games and pretending to be elite. Are the American hacker-cons going the same way?
Brett Glass, After reading and analysing the a few of your articles and posts, and tfish's replies to your posts, I've had a few questions, that I'd like clarified not only for myself, but for the public. 1) you state numerous times that there could be backdoors in back orifice 2000, yet it is open source. You also state that you are aware of the fact that this project is open source but still you state there could be a backdoor. The whole idea behind open source and the GPL movement (if you want to call it that) is that you can read the source and modify it (if you see the need to). So, you can actually see what the program does (if you are competent enough to read the code). The question is this. Wouldn't it be more probable to have a backdoor if it were a closed source project? since the public can't see the source, the programmer could more than easily hide a backdoor in the software. this can be true for any closed source project. even closed source operating systems, such as Windows 95/98/NT and the 2000 series. so you'd think, that open source, which means you can get the actual source for the program being executed on your machine, would be more adventagous as far a security issue, right? 2) you state on numerous occasions that you believe cdc and/or the production team of backorifice 2000 purposely infected the defcon 7 distrobution cd's with the CIH virus. Isn't there a more probably solution? the CIH virus like a good number of virii is both memory resident and infects .exes, which means that when the infected program is run, it loads itself into memory and waits until another .exe is executed and infects it. Now, the solution that I think is most probable explaination is this (btw, I am in no way associated with the production and distrobution of the bo2k cds) one of the developers and/or testers had downloaded a program infected with the CIH virus, which is one of the most common virii in curculation on the net, thus it is labeled wild. they ran this program, thus infecting their machine. they ran the .exe that was later to be put on the cd, with out knowing that the virus had infected their machine. this file was passed onto the the machine that wrote the bo2k cd's which were distributed. thus the cd's had infected binaries on them. REMEMBER: probability over possiblity its more possible that this happened than what you claimed to have happened. in fact, I recieved a product demo cd from a large michigan mining and production corporation in which I am a stockholder (no I'm not naming names, I don't do that) the cd's autorun was infected with the same CIH virus, and they accidentally sent this cd to all of their investors... do you think they did that on purpose? I don't blame the people who burnt the cds, I blame the people who write the virii. what's your view on this? 3) after reading your articles I get this impression. When I was in sixth grade I used to write papers, and as wrote I used a thesarus and inserted words which I thought made sense how I inserted them. Now that I look back on these papers I laugh because the words were used totally out of context and make no sense. This is true of alot of the terms you paste into your writings. An example of this is when you use the term "security through obscurity". this term and your article go entirely different directions. What point are you trying to make by referencing such terms even though you (from my interpertation) don't have a real grasp on the meaning? if you could post a reply it would be most appreciated. Thanks -Optyx http://www.uberhax0r.net
Not to nit pick, but wouldn't that be deltreeing each other's computers, or format c:ing each other's computers? As far as I know there is not Linux version as of yet.
The truth is, there are a lot of people who use BO for legit reasons. It is a free sys admin tool that can be used to transfer files from one windows box to another, and not a bad one either. I stuck it on my parents' machine so that I wouldn't have to drive 20 miles every time they needed something installed. I've known people who use it for everything from an instant messaging tool to a easy to use file transfer program. The uses of it are limited only by limited minds.
On the other hand, PC Anywhere has been known to be used for shady servers that supply anything from pirated software to porn.
The CIH virus was on the cd's? Well, you'd be a damn fool to get a cd from a notorious hacking group and not run a simple virus scan.
But think of the challenge of trying to hide a potential exploit in plain sight! This is exactly the sort of challenge (and glory) that "eleet" hackers -- particularly the type who like to grandstand -- crave.
Also, what better way to get people to trust your backdoored code? You can say, "See? I'm not hiding anything; it's open source!" And many naive folks, who thought they were sooo clever not to use the closed source version, will believe, and will be suckered into using the program. I hope you can see how utterly delicious such a notion would be to certain hackers.
As for the CIH incident: While I'd like to think it was an accident, it would be (again!) an incredibly tempting prank for those bent on mischief.
--Brett
"...so your argument is mute."
s/mute/moot/
Try not to use words you don't understand, OK?
First occurance: Movies like "The Matrix". That doesn't sound like a quote or skepticism to me. There are many many of these through your article, perhaps you should go back to school and learn a bit more english before continuing to write misguiding and insulting articles.
P.S. And MLA format specifically addresses the use of quotes to indicate skepticism as being incorrect. If I carried my book (Reasoning why college is bad for programmers.. they teach them english) I would point out the exact verbage. xerithane.karma--; xerithane.gratification++;
-= Making the world a better place =-
Dacels Jewelers can't be trusted.
I wonder if he drove his Mystery Machine to DC? :)
This is slashdot, NO FREAKING BETTER place to discuss the GPL. Here's an idea, Brett. Why don't you write a piece for Slashdot on why the GPL is evil. Sure you'll get flamed, but I'm sure you are used to it (it seems to happen on every forum you inhabit) and perhaps, just perhaps, there will be some intelligent discussion about it in amongst the flamage.
As for the movie title: it was in italics in my original text. But copy editors often change things; in this case, it was mapped to quotes. Not strictly correct, but perfectly clear.
--Brett
Sorry about the formatting, I am not very used to the slashdot posting interface, this being my first post :) -t12
Here I was, reading through the article, enjoying it for the most part.
Then, the author questions whether releasing BO2K source under the GPL "really makes it safe, since obfuscated code can still be dangerous."
DUH, drool, spittle, wtf? So reformat the stuff with any of a miriad of tools and have someone who can read code look at it.
Give me a break.
So, to begin, where is the future of cracking (hacking/whatever it is GC (geek chic) to call attempts to trespass into electronic information spaces and either gather or disrupt data) heading in the next century? The fact of the matter is that it is heading away from the majority of us. Computer security systems (real computer security systems) are becoming harder than even to break.
While movies like War Games inspired us all to crack to the launch mechanisms of the U.S. nuclear missile defense, those days are gone. Truly secure systems are only available for acces locally, while important national systems are better protected than ever by the crackers of yesteryear.
What this all leads up to is that the only people left will truly be able to wreak havoc are the government and big corporations. Only they have the computing power and the money to be able to work past strong defense systems.
And at the same time, I see this electronic power becoming more and more important. So what kind of future do we have to look forward to? Well, I believe that electronic terrorism (or government/corporate action, when it comes down to it, there is really little difference beyod perspective) will bring the world to a standstill. My question, is will that bring about a world like that seen in Rollerball (great movie) with Corporations splitting up the world between them, or a 1984 scenario with Big Brother becoming all powerful because all of our lives can be catalogued electronically.
When I think of conferences like DEF CON, I wonder if there purpose should not be to prevent futures like this. So while I am not in support a violently breaking the law, or causing others intentional hurt, I so long live the hackers and even the crackers, for they may be the only hope for a medium between two horrible futures.
14 digits of Pi are all we need.
The so called "journalist" who wrote this should take some english classes. First off, according to MLA format, quotes should be used when you are quoting something, not accentuating a point. (And yes, I am making fun of him with the "journalist" remark) /dev/null. I used to crack/hack/phreak and all that good stuff -- I almost got busted, and I quit and used my powers for good instead of evil. In that time I actually found the most dependable and trust worthy friends I've made in my lifetime. Mostly due to an us-against-them attitude. And for all of the drooling idiots that populated DEF CON, they have a good purpose. To make people realize that there are security problems, and that those drooling idiots can get into their systems. If you want security, don't connect your box to the internet. That is the only security. While this article is talking about how malicious these hackers are, and how they are just a bunch of ruffians who had no parents (ok, I'm improvising) to teach them any better he's missing the point of computer security and DEF CON. As long as there is a reason -- there will be someone doing it. And hackers do have a code of ethics -- the real ones, not in it for the chicks.
Ok, now that I feel better about that I can say what I think about him and the article. Most of his points were fairly
-= Making the world a better place =-
Dacels Jewelers can't be trusted.
I was going to add this last one, but I thought it would be too mean.
So, I posted my original message, and re-listed the comments page. And there it was, plain as day, the followup to a critical comment, made by B.G. posting as an A.C. !
8) B.G. can't let a good flame go. He'll have to followup to each and every one of them, making this topic a 500+ followup by Monday noon.
If tits were wings it'd be flying around.
If you think this reveals the extent of Brett Glass's cluelessness, try browsing the freebsd-chat mailing list archives sometime. This guy's not a hacker, not even a programmer, but his liberal advice to all (especially on matters of advocacy) regularly gets him into flame wars. Also he detests linux, thinks the GPL is evil, etc etc. Actually this article was quite readable by his standards. It didn't have his typical know-it-all attitude and didn't try to preach to the converted. It didn't even try to attack the GPL. I was impressed.
--Brett Glass
...Uncalled for. I NEVER act 'elite' or 'eleet' or 'leet' or whatever. Try and think back to when you were 12 before you start insulting 12yr/os. Bah. I've seen people younger than me acting more mature than many adults or teens. ~S~
Intel Inside: The worlds most commonly used warning label.
This in fact is a question I have grappled with (don't read that as overly dramatic) when recently reading Tad Williams Outland series. Albeit, I'm only half way through the third book, but I don't understand how the Grail Brotherhood hopes to live in VR in perfect safety as Gods. Regardless of whatever they create, they will still be vulnerable to attacks on there bodies in the real world.
However, to come back to my point, what I was trying to look at in my comment was a plausible future. While there may be groups that destroy various phonelines/datalines for whatever reason (anti-tech, anti-phone, wireodestroyomaniacs) but they will not have the same motive of power and control that I see governments and corp.s having.
But then again, that might just be another tool they use. In general, however, it all comes down to the stunning conclusionary theme in War Games. In a nuclear war, no one can win. If the war becomes the destruction of the hardware supporting the internet, then in the end, we just destory what we have created without gaining anything in the process.
But again, these are governments and corporations we are referring to. For them, too often it seems that a mutual loss is an acceptable goal.
14 digits of Pi are all we need.
So, in the meantime, we must find a way to require our hackers to be ethical. For me,this was the real message of DEF CON: dangerous knowledge and tools, in the hands of people without ethics, are dangerous. We need a Hippocratic Oath for hackers, and perhaps some Guardian Angels to sniff out the bad apples. And we really, really need to know whom we can trust. Otherwise, we have little hope of making the mean streets of the Internet safe for all of us.
Our hackers ??
As in the people we/I own or control ??
what a kook!
Sorry but I had to say it......
End_Vent=true
i went to defcon 7 also and wrote a 3 page txt the day i got back. there might be errors and such but oh well.
my writeup isnt nearly as uhm... formatted as his is. i didnt use proper anything.
the write up is at
http://pluto.spaceports.com/~disc0re/defcon.txt
i also got some pictures up here
it was a great conferance and i highly suggest going next year if you can make it!
tyler
I will definately agree that Mr. Glass is quite a fool. I had a bit of a tangle with him as I manned the DOC booth selling the Defcon 7 - FreeBSD shirts. He came and argued with me about commercialization/GPL/etcetc. He was pretty unclued on the state of events, although he seemed impressed with the utter lack of Linux *anything* at the event. Actually that was pretty much the most amazing thing about the event, even with all the Skr1pt kiddiez at the event, there were *no* linux CD's being sold, and everything there was *BSD oriented. FreeBSD and NetBSD were being represented by the DoC (Myself, Dover, Cyber/etc) and Mike Smith (and a friend of his who's name slipped my mind). OpenBSD was being sold by Theo's cohorts.
:)
Point 4 is kinda correct actually, RedHat builds a distribution, and they distribute it.
I don't believe that they charge for any of the actual contents of the CD. I'm sure I could be wrong, but that seems to be how they would get around licensing issues. I need to re-read all the licenses again, I should know better what I'm talking about.
He's also sorta right about point 6, I'm sure that you *could* hide stuff in source, but its so pointless if its open source anyways
Regardless of this, I think Mr. Glass is a first class twit-of-the-media and should be debunked as often as possible, and as publicly as possible.
OK, I'm going to be mean and this might cost me some karma points, but I've just got to say this:
1) Brett Glass pointed out *his own* article. That has to be some indicator of cluelessness and/or hubris.
2) He's a MORON. He obviously didn't use the DeMoronizer to fix up the Microsoft Stupid Quotes.
3) What's with the^H^H^H^H^H^H^H^H^H^H^H^H^H^I Love the Hair!
4) If you read what this guy posts on Infoworld.com, you'll see that he's generally clueless compared to everyone else there. He is a critic of open source, but not a very good one. I seem to remember him claiming that Red Hat didn't sell Linux because Linux was free. Red Hat sold bandwidth, because they could mail a CD to you for an effective data rate of 670 Megs per 24 hours for FedEx. Ummmm. Sure.
5) He described BO2K as a trojan horse program. Would he describe PC Anywhere the same way? How about an admin tool released from Microsoft? These are all the same kind of program, and can be used or misused in a wide variety of ways.
6) Brett obviously has no idea what obfuscated code is. He claims that BO2K could have trojans hidden in obfuscated code. Heee hee haw haw.
7) Linux is just as insecure as Windows? Poorly designed and rife with security holes? That's a joke. For goodness sakes, MS Excel has a whole flight simulator hidden away inside of it. Where is the easter egg inside the Linux kernel?
If tits were wings it'd be flying around.
"The theme of the conference, however illusive, was this..."
Sigh. Another case where an obvious error is not caught by the spell checker... just how the theme of the conference was supposed to be " deceiving by false show", or " based on or having the nature of an illusion", I can't say. Yet another example of how the Internet has *not* helped with overall literacy in the population at large.
I was at Defcon as a speaker, and
although *some* of the details of this
article were correct (eg great parties to which
windbags like Glass were not invited), overall this is a *horrible* piece on Defcon.
The CIH computer virus was found on
*copies* of the bo2k cd's distributed at
Defcon, not the originals, correct me if I'm wrong.
The idea that bo2k contains obfuscated
trojans is laughable, cosidering it's open
source. Leave it to Glass to connect the
dots... open source + GPL = plot to hide
backdoor. (?!) Brett... if you don't
trust the binaries, compile the source.
And if you don't trust the source,
then show us why... Maybe you
can contribute to some bugs that have already
been spotted and patched in bo2k.
Of course, this is probably asking
too much from someone that's proud to
amid to secretly tape-recording
comments at a post-conference party and
consiers his own 10-year-old phreaking
activities a passport to the underground.
"one cannot trust the group's output and must regard it as not only untrustworthy but dangerous. "
fear + ignorance = loathing, that's understandable, but I'm disappointed
that Hemos referred to it as "Very well
written coverage".
"Is this just useless, or is it expensive as well?"
Yes, you're right, I did miss that one. I also noticed that you and others mis-interpreted what I said about Brett being a MORON.
It wasn't strictly name calling, though I'm sure that there are others who would agree that he fits the dictionary definition. I was referring to his use of Microsoft tools that make their users look like Morons. The feature in question is the Microsoft Smart Quote, which turns a regular quote into a smart quote. MS Word and other programs write that smart quote into an undefined character, and on non-Windows systems the quote appears as a question mark. There is a program called the DeMoronizer that will fix these documents up.
I realize that my original article could be taken as a troll, but it's not entirely a troll. My point is that Brett Glass is well known for arguing against open source and free software on other forums, and for using goofy logic to justify himself. Falling victim to the MS Smart Quotes is just another indication that he's no techie.
If tits were wings it'd be flying around.
As for the content of the article: some of the ideas I've put forth were intended to be controversial. And, of course, this is Slashdot, so I knew that if it appeared (I mentioned it to Hemos over the weekend) it would bring out some flames, trolls, and personal attacks as well as some intelligent comments. But that's just Sturgeon's Law at work. I appreciate the intelligent input.
--Brett Glass
End of story. If I'd seen him at DC, I would have giggled myself silly.
You are correct that the ExploreZip virus first began to spread two months ago. That's when I wrote the column, which was for the September issue. BoardWatch delays posting columns to the Web until a few weeks after the magazine is no longer on the stands.
As for cDc's activities preventing CIOs from choosing Linux: I'm out there in the trenches, doing administration and security work, and believe me it makes very little difference. In many cases, the company is committed to Microsoft and does not have a practical choice other than NT. And the choice of NT is often dictated from above. Finally, most NT sites are in denial about any security problems in the OS. Sad but true.
--Brett Glass
How anyone could tell whether or not I interpreted or misinterpreted anything from my post is clearly beyond my mental radar. Hee hee.. I didn't exactly say a whole lot. =P
~ Kish
Not sure why you would be convinced of this when you have no evidence.
As I'm sure you're aware, you can't just "infect" the ISO image of a CD with a virus.
As you *should* be aware, CIH is an .exe infector.
You must do so at an earlier stage, while the .EXE file is still present in its original form. So, the idea that a machine used only to burn the disks contained the virus doesn't wash. The virus must have been present on the machine where the CD-R image was prepared.
Doesn't sound like you've done much CD burning. I haven't either, but even I know what's wrong with this statement. If, at any point, the files were copied to a writeable media (i.e. the harddrive) they could become infected. On a machine with one CD drive (the CDR) there are two choices: Make an image of the CD, or just copy the files to a temp directory on the harddrive.
For such a small image, I probably would have just copied them to a temp directory,too.
The events on the "Appraising Microsoft" list were unfortunate. Some participants in the list, determined not to hear these questions raised, intentionally caused the discussion to devolve into a flame war so that serious discussion could not continue.
This isn't the place to discuss the GPL, though, as it's not relevant to the main topic here. Suffice it to say that, even if BO2K were released under a BSD license or even into the public domain, back doors or security holes could still have been "planted," cleverly, in the code. It doesn't take a very inventive hacker to figure out how this might be done. (Just remember the last really tough-to-find bug you encountered -- one whose causes spanned modules, depended on subtle side effects, etc.)
--Brett Glass
He's had his 15 minutes ... please
"Pray arm me further by your reply" Winston Churchill
I'd rather read almost anything than solipsistic scribbles like this -- even how Jon Katz has conquered Linux. I agree with the rest of the peanut gallery: bad call, Hemos. Better to get the notes, humble as they might be, of any other random conference attendee than to plow through this drivel; at least that way interesting issues could be discussed without having to sidestep the ego.
This piece was weak on social insights and nil on technical insights. In addition, Glass has an "illusive" grasp of spelling.
Finally, to cap it all he proposes bringing in the Guardian Angels or something to police the net. Erm, Brett, they already tried. Even as a ha-ha joke this is a bad thing to bring back up.
--------
Bill Gates Is My Evil Twin.
As for the Guardian Angels: What would you propose instead? Certainly there must be some accountability for irresponsible actions taken on the Net. Would you rather that we, as Netizens, self-police -- or have the government do it for us?
--Brett
-Re: the phreaking comment
this industry moves much too quickly for people like Glass to even *be* clued. not saying it's impossible, just that he thought he was already in.
-Re: ethics
just a quick comment (i'm not going for status on this post) -- hackers and crackers DO have ethics. that's why the two are distinguished. crackers are lame "kiddie" renditions of hackers, who are the more mature. that's relative, of course. most hackers i know are under 21...
nevertheless, as The Red Book taught us all, no UNIX system can be truly secure *ever*. We may as well stop trying.
At some point, I am going to use this new slashdot username i've recently perloined and go into a big rant on free information and ultimate communication. maybe i'll just write rob and jeff instead...
--kaspar
================ No McDonalds. There is no longer such a thing as a McDonalds Hamburger.
There's a smear against the GPL in his article. As he says here, he needn't have named that license: he could have made it clear that his reservations applied to any system of code inspection. But, like I say...
--
Xenu loves you!
I have been constantly confounded by so called 'media' that attempts to find a central theme of DC. The only reason it existed in the first place, was for a bunch of people to get together and hang out. That is still its main focus. Granted there are:
"wild, wild parties -- some open, some whose locations were known only the "right people."
However, the purpose is still the same; now not only the original inner circle meets, but literally hundreds of other groups are doing likewise.
The most accurate theme to apply to DefCon is, "Geek New Year". OK, so we don't have fireworks and dragons, but rather Electonica and the CDC, DOC, DD, et all.
Furthermore, for the author to blast the CDC for its antics is ill informed. He didn't even bother to ask Dildog why he spent the time to code it. Obviously they love publicity. And for them to get into the national media and TV was the Ultimate Hack @ DC7.
If you don't like the smoking...DON'T COME. It's Vegas, smoking is legal, it's 110 outside... go to the damn concession stand... No, better yet, go cover something that your might actually have the ability to grasp.
RANT:
/RANT
Finally, insofar as the social engineering contest goes. We wanted to entertain the real attendees, not to prove that people are uber-31337. Those that violated the spirit of the show by recording the contest, I have no respect for you.
And for those that wonder about me: Yes, I work for a TLA. And, YES I'm a Goon... and damn proud of it.
A personal favorite from Con.
-Section9
Yep, you're right... there were over 3000 "script-kiddies" @ Con. Gawd I feel like such a lamer.
I'm looking forward to H2000, as well, but I don't have to put DC down just to elevate myself...nor do I have to resort to anonymously posting flame bait.
-Section9
All I got out of this article is that hackers like to smoke?
There is no hacker ethic?
cDc can't trust themselves?
The self submission (if that was the case) doesn't help either.
http://www.mp3.com/fudge/
http://fudge.org
There are a number of groups trying to change this (such as UNESCO) but I suggest people take a look at the pledge campaign at the Student Pugwash USA web site (http://www.spusa.org/pugwash/) as the site has a stock of documents related to ethics and technology.
I don't believe that *WE* ever *ASKED* you what you thought. *WE* Discovered and built this world. *WE* advance computer security, not you. *WE* have an understanding of today's technology FAR GREATER than you can imagine right now. (But by all means, please take it upon yourself to start learning) If we can do this much in tiny little groups, what can we all do together? Just think about that. We aren't a bunch of kids who just happened to learn how to use some nasty program (okay, some are...). We are people who have been using computers since we were very young. Before they were popular. Your world laughed at us, picked on us, and then trusted in technology that you didn't understand. You gave too much power to government, instead of working things out with your neighbors. You are hypocrites. Our generation will not go this way. We will fix it, make it right. It's already happening. Ethics? Where are our government's ethics? Where are police ethics? Don't talk to us about ethics. The hacker is generally a straightforward, fair person, who calls it as he sees it, and doesn't bow to the brainwashed beliefs of the masses just because it's the path of lease resistance. It's our world now (to coin a phrase) and you can't take it back.
For one thing, writing is a sideline for me. I'm primarily a programmer, engineer, and (these days, because so many people are asking me to do it and I know how) system administrator and security consultant.
Second, while I do believe that the GPL has serious ethical problems and does a great deal of harm, it was far from my mind during most of the conference. (The cDc's contention that releasing code under the GPL meant that it could be trusted would have been amusing were it not so intentionally deceptive.) Nor was I much concerned about the presence or absence of Linux, though it actually did have a significant presence on users' machines.
What was -- and always is -- on my mind was the "big picture" -- the overall state of the hacking/cracking/computer security community. Like Jon Katz (who was flamed on Slashdot a few weeks ago for mentioning the same topic), I believe that the problem is ethics -- or, rather, a lack thereof. And many of the more level-headed folks out there agree -- including many of your compadres at DOC.
--Brett Glass
I remember being interviewed by this guy at the post BO2K launch press conference. He was the one who was TOTALLY convinced that we MUST have hidden a backdoor in BO2K. "You can hide trojans in the source!" he said, over and over again. I tried to get him to tell me what HE would have us do to convince people that BO2K was not backdoored, but he didn't have any answers. He refused to acknowledge that making bo2k open source was anything but a massive conspiracy to make people THINK we hadn't put a backdoor into the code. Finally I said "well, if you're that worried about it, you don't have to use it. anybody who does can read the code"
He also JUMPED on the fact that I slipped and said "infected"... yeah, that MUST be a sign that I REALLY think bo2k is a virus, 'cuz otherwise - after correcting literally dozens of media who used that (incorrect) terminology - I wouldn't have made that slip EVEN ONCE. Never mind that even if BO2K were a purely malicious trojan horse (it's not any of those things) a machine still wouldn't be INFECTED with it, because it STILL wouldn't be a VIRUS.
Finally, I'm not sure where his whole theory about one of us secretly putting CIH on those CDs... why would ANY of us want to make cDc look that stupid? Has anything else we've ever done indicate that we operate that way? Clearly not, but just as clearly, this loser didn't pay much attention to how we do things, choosing instead to feature the conspiracies he chose to see before even talking to any of us.
This isn't reporting. It's paranoid ranting based on a weak, unsubstantiated, and indeed, already disproven version of the facts.
I mean, really. We fucked up and let somebody burn CDs from a machine infected with virii, and then we fucked up doubly by refusing to believe that could have happened. We admitted as much on cultdeadcow.com a couple weeks after defcon... If we could have possibly laid the blame anyplace besides our own slipups, don't you think we would have?
I wish everybody who read this column, Hemos, and everybody on slashdot, could have seen how consummately unprofessional this "reporter" was at the press conference he attended.
And no, we didn't invite him to our party.
- tf
All of these are legitimate uses of quotes.
--Brett
Brett Glass is an idiot.
CC
"Pray arm me further by your reply" Winston Churchill
As for your statement that a system was "infected" with Back Orifice: the most telling thing about this slip of the tongue was not that you abused the term. (As you yourself point out, the term is really only germane to viruses, and BO2K is a Trojan horse.) Rather, it's that it strongly suggests malicious intent. At the very least, intent to make mischief; at worst, intent to harm and destroy. That's a good way to blow your credibility. But your remark was far from the only remark of this ilk -- there were many more during the presentation.
The CIH issue is important too. I'm still convinced that cDc was hacked -- by an insider -- in the same spirit of uncontrolled and possibly harmful mischief that pervades the entire group. As I'm sure you're aware, you can't just "infect" the ISO image of a CD with a virus. You must do so at an earlier stage, while the .EXE file is still present in its original form. So, the idea that a machine used only to burn the disks contained the virus doesn't wash. The virus must have been present on the machine where the CD-R image was prepared.
Regarding the issue of back doors and trust: The only way cDc could possibly convince the world that it was ethical enough not to put back doors in its code would be if it were to change many of its practices. For example, it would have to stop advocating the use of its code for illicit purposes. This means that the many offhand remarks about how to use it to hack into networks, which were scattered throughout cDc's presentation, would have to go. The name, which is scatological, suggests violation of a victim, and might as well be a synonym for "back door," would likewise have to go.
At this point, those who have seen the cDc's past antics might require you to go even further before trusting you: they'd ask for accountability. They'd expect you to quit hiding behind pseudonyms and take full, personal responsibility for any security problems and back doors that might show up -- just as you would insist that Microsoft do. That'd take a lot of guts, though. Would your group would be willing to take on that challenge?
After that, you'd just have to hope that your reputation was not damaged beyond recovery (it still might be).
The issue of back doors in open source wasn't first raised by me, by the way. It was raised, long ago, by Ken Thompson -- and, more recently, by Louis Mettler.
As for your party: No, I was at a different party that night (at which great debauchery occurred as well, but in a non-smoking environment). So, I would not have been able to attend.
--Brett
His article is awful. Did he go to the same con I went to? First thing in the article, he complains about cigarette smoke. Wuss. He's shocked con attendees don't trust/like anyone with a Press Pass (hint: some untrustworthy attendees had stolen/forged passes [Carolyn Meinel] and were removed from the conference grounds). He doesn't trust cDc. Hell, I trust those guys much more than any dorky columnist for a BBS magazine. Yup, that's right, Boardwatch is a BBS magazine. I'm saying Ouch-a-roonie!
Bwahaha, that was the best part. Too bad I missed it...I think I was gambling at the time or holed up in rhost's suite at the Hard Rock.
The comment he made about the anti abortion site that told people the location of doctors willing to practise abortion is way off. AFAIK, Cult of the Dead Cow, does not update its pages with ips of hapless victims for people to pick on.. If they did, I would believe that would be wrong. However, they are not doing this. End of story.
I believe you missed a point..
9) He makes a point of saying hackers and crackers, but then goes on to use the two words interchangeably. If that is not an indication of cluelessness, I don't know what is.
~ Kish
Practically everything you said is an indication to me that you are either attempting to troll, or.. no, I won't bother flaming too much today. I'll just examine the point you made which almost made sense as opposed to the others which were apparently the work of an underdeveloped brain..
Any OS could be insecure.. If you want total security, don't install any new applications, and don't connect yourself to a network. OpenBSD would be just as subject to security holes as GNU/Linux if you installed the same easily exploitable application onto both systems. OpenBSD may be the most secure "out of the box", but do you expect me to believe, for even one second, that you have never ever installed any other application onto your OpenBSD system since you've got it? Even if that were true, I think you're missing the entire point of having a computer. So.. next time I suggest using the preview button ("Linux can be just as insecure as Linux"??), and I highly recommend you actually try thinking for once in your life. You obviously haven't been lately.
I'm sick of clueless fanatics trying to press their opinions onto us as if they were documented facts. I don't make up shit about *BSD, so why should others make up shit about GNU/Linux? Because they're bitter? Because they're fscking idiots? They want more "mind share" and will do anything to get it, including lie their asses off? It seems the more *BSD folks I meet, I find that almost all of them are assholes and liars. Damn, I want to join that community right away.. However, I know that the grand majority of *BSD users are probably good people, despite what I think of those I have met so far. As such.. Would the actual "clued in" *BSD advocates please be more vocal than those who do a disservice to *BSD users everywhere, and make it so that the signal/noise ratio appears to be a little higher from that community than it looks like right now? =P
~ Kish