I know I cannot be the only person thinking "what a loser." Maybe this guy has some motive behind his actions, but if you're in the world of IT Security you are relatively familiar with Romanian whackers. They can take the most mundane abuse of something and claim it as hacking. This is a perfect example. Is someone cracking, phishing, or scamming their way onto eBay's message boards that much of a "prank" or "hack"? I do not think so. Does it spell out that there is a security weakness somewhere? Absolutely. You will find this in almost any large organization when someone specifically targets them, their employees, and/or users. I cannot begin to account for how many times various ISPs have been publicly hacked/owned/pranked, far worse than this.
Do that many people really get their news from eBay message boards? This guy is getting on an account and posting messages. What is his next hack going to be? Use a stolen or fraudulently created account to post a *FAKE* auction? This guy can hardly penetrate systems at will. I think there's a reason he only seems to pop up at certain times. Classify this guy as another moron that needs to find something better to do.
Hopefully this loser will join the ranks of Victor Faur. Not so much in notoriety, but in the loss of the right to use a computer or travel internationally. :)
It is interesting this vulnerability makes it into Slashdot where other [past Snort/Sourcefire] vulnerabilities of the same magnitude have not. It would definitely be time to upgrade but the number of people running 2.6.1, 2.6.1.1, 2.6.1.2 and 2.7.0 beta 1 are probably not as widespread as 2.4.x, 2.6.0, and probably earlier versions. Luckily this vulnerability has been identified by a bunch of good researchers and the potential exploit probably hasn't been developed by anyone malicious. The real fear here of course is not just that *a box* might get rooted.. it's that a box running Snort/Sourcefire might get rooted. Generally this box will of course sit inline on the network or have some sort of span/mirror port running to it. Whenever an IDS, switch, or router compromise is possible it can truly spell bad news. However, I'd say in this case it's not likely that a whole lot would happen even if an exploit should be developed.
Unfortunately you tried to pass that violin playing as being original. CDDB has identified your music as being from Giovanni Battista Viotti. Nice try.
Would you classify yourself as someone that has way too much free time and/or nothing better to do? I am not necessarily disagreeing with your points above, but I am actually relatively astounded you took the time to write all of that. All that comes to mind is: Get a life you douche bag.
First this is a load of crap and they sound like morons. But second, I will pay them $50,000 if they can rob 3 banks chosen at random! Maybe we can get them in jail by the end of attempt #1? :D
Is SPAM not a form of communication? What about all the snail mail you get? Should people that sell your name and address go to jail? What about "CURRENT RESIDENT"? These people don't even know your name but mail you anyway! People advertise/SPAM in regular mail just to make a dollar. It's a form of communication.
Lord Falconer, Secretary of State for Constitutional Affairs and Lord Chancellor, said: "People have a right to have their privacy protected from those who would deliberately misuse it and I believe the introduction of custodial penalties will be an effective deterrent to those who seek to procure or wilfully abuse personal data." Ok, so I'll avoid making a joke about "the falconer" here, but I do have a question. Do you feel like your privacy has been violated if someone that already had your e-mail address sells/trades/gives it to someone else? Also, what counts as deliberately misusing it? Last I checked it seems like e-mail addresses were made to be spammed. Go after people spamming and not someone giving out an e-mail address.
I heard they also didn't earn the WTF200 or the LOL500. Based on failing to get the three of these certifications and seeing how all three of them are equally popular..this software will surely be going nowhere.
No big deal folks. Who doesn't remember the IPs for all the websites they visit anyway. I don't know about you guys but I surf the web by IP and provide the hostname myself!
I am going to have to expand on what the first poster said: "Stop writing malicious scripts." My response to that is either "exactly!" or "no shit!" I feel like I am in the twilight zone with some of these other responses, especially the submitter's last comment.
Since when is exploiting the vulnerability considered disclosing it? Sure you can argue something more malicious could have been done, but that is bogus. You can't just decide to exploit a vulnerability because it doesn't do any damage. That's like saying I could open everyone's door in my condo complex because I found out the key they gave me was a master key. So who exactly did he disclose this vulnerability to again? He deserves what he got. I think MySpace could have definitely gone another route but they didn't. Sucks for him.
He makes the claim that 'security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine.' Well, he does have a bit of a point. These projects like MOAB, Month of Browser Bugs (did include IE), and, although it was cancelled, the Oracle one go to show there are -tons- of problems in non-M$ products. However, if researchers all teamed up and held off for a few months, there could easily be a month of Microsoft bugs. I don't know that I would have "dared" anyone to do that regardless.
You are asking a question about WHAT IS EBAY GOING TO DO? What do you expect them to do? Do you think eBay bought the memory stick, found it was fraudulent, and was hurt? Or do you think maybe they see a user with hundreds, thousands, or more happy users that gave the person positive feedback?
The real question is.. WHAT DID YOU DO? I've eBayed for a long time and I have only been ripped off once. Someone sold me a burned up JL Audio 15w6 subwoofer. Guess what I did? I filed a complaint against them on both eBay and Paypal in addition to leaving negative feedback. I got all of my money back and the person's account was cancelled on both spaces. I took the extra time to make sure they were taken off eBay instead of just throwing my hands up in the air. eBay investigates this kind of stuff and takes the appropriate action. If you don't do anything, what do you expect? Punching in some negative feedback doesn't mean anything to eBay. You have to formally file the appropriate complaints. eBay is not the FEEDBACK police. That is YOUR job. YOU are supposed to read their feedback before you bid. Did they have 10000 positive and 20 bad reviews? Did those 20 bad reviews say: This is a fake memory card? If so.. don't bid on it. If you didn't see it.. go report them. Negative feedback is just that..feedback. It's not a form of action.
I see all kinds of accusatory posts which I would have to disagree with. I've been a long time eBay user and that's mostly as a seller (a silver powerseller for a chunk of it). Now I never participated in shill bidding and would even ban friends of mine from bidding on my auctions. Occasionally I'd shoot them a link to just show them what I had posted and they'd bid on it (usually to get it started) thinking they'd be doing me a favor. For example, if I was selling a $500 monitor they might have bid $40 or something. However, I want absolutely nothing to do with this and I will add their user IDs to be banned from bidding on my auctions the second I see this.
Why? Because I have seen/spoken with people that took part in shill bidding. This will include people that just did it every few auctions and were Gold Powersellers, with well over 1000 positive feedback. Guess what happened to them? Two different things - automatic account termination and/or warnings. I've seen a huge seller (makes $$ for eBay you know) have their account closed, no questions asked. This (AFAIK) was not as a result of a complaint either. We're not talking these retards that bid up the auction and then cancel once they see what the first place bidder's amount was.
Anyway, I would say eBay does a good deal to try and stop this practice. So I'd ask that some people not post unless they know what they're talking about. It seems like a lot of people are talking out of their asses. It can be difficult to catch everything on a site that busy. Why don't you just go solve the problem for them instead of posting useless bullshit here.
I would be much more inclined to believe that 1 in 4 PC's are infected with one or more of the following:
- Virus
- Trojan
- Worm
- Spyware
- Adware
A few of the above are used almost interchangeably (by some people) and have the capability of effectively making the machine into some form of a bot or zombie (remotely controlled or not). Now, to say that 1 in 4 machines are bots I would have to wholeheartedly disagree with. This just isn't very likely. Especially since the lifetime of a specific botnet has gradually been decreasing. Faster AV responses, increased patching, and more bot competition will inherently decrease these odds. Sorry but the daddy of the internet or not.. I think he's off the mark.
I look forward to www.0daytube.com.
SSL has nothing to do with it though if it's a GET or persisting URL. It can be encrypted all it wants to be to and from the server, but doesn't mean it cannot be picked up as a phishing site..unless the anti-phishing URL checker breaks because it's preceded by https.
Sounds like we have some sites that are passing persistent username and password information in the URL (not just querystrings etc). That's pretty lame. I think Barracuda SPAM Firewall does this as well. Perhaps one of these days we'll just see applications with a higher level of security and won't have to worry about this so much.
It is beyond me how this posting is rated "Insightful". Maybe someone else has already said this, but if you've ever read an article about someone prior to sentencing (or had any legal experience) you would know things like this are pretty common for most crimes. Generally they report the maximum punishable offense which has to have several circumstances involved for it to ever be elevated as such. If someone was convicted on 5 counts with maximum penalties of 25 each, this would mean he faces 125 years. However, that's very unlikely to occur and I'd bet you savings it won't.
Rapists and murderers get less. And sometimes they get much much more.
Well depending on what you have done it might not be that simple either. There are various extradition agreements with various countries. So depending on what you have done you may get the boot over to the U.S. anyway. In the event you are not in a country or locality with an extradition agreement, they may also make a note with INTERPOL and if you ever travel to anywhere that the U.S. does have an agreement with.. chances are you'll be detained. However, I would agree that they probably won't go to such steps for things like this. I find this ridiculous.
LOL is this a serious post? Most rootkits out there are designed to work on *nix based operating systems. True rootkits are far more common for these flavors of OS over that of Windows. I am not sure if this is a reference to Ubuntu being secure. Maybe you could have recommended visiting a site that houses a BSD flavor..won't bother pointing out one for that useless debate. Choosing Ubuntu is not going to protect you from rootkits in any way.
Oh.. well I guess rkhunter http://www.rootkit.nl/ does not run on Windows. Nevermind. :-(
This will be my second post in here, something I normally don't do, but I just recalled something from not so long ago that was actually posted on Slashdot. Do we all forget so quickly? Please read this:
http://it.slashdot.org/article.pl?sid=05/10/07/1532241&tid=172/
"Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question."
This is exactly what this article is discussing. Not only should you be held liable in some instances for "looking for vulnerabilities", you should be prosecuted. Now the above case is surely an extreme. Just reading the article I would be completely against prosecution in such an instance. Then again I wasn't part of the team that prosecuted or reported him. He might have tried to do a little more than just check a single ../../. However, he shouldn't have been doing that either. Tough one there.. but you've been warned!
Well it was "careless" for me to post it without reviewing what I wrote, but I could care less about what it says. :P I meant to say "care less" instead of "careless". However, I did NOT mean to precede it with "couldn't" or "could not" or "not". Why? Because I care at a level of .0004 and I "could care less". See.. I "could" care at a level of .0005 which would be even less.
As someone who researches vulnerabilities and does IT Security for a living I do not find this too hard of an issue to deal with. If you are poking around someone else's website to look for a vulnerability, flaw, or bug, then you should be prepared to deal with the consequences. It is your choice whether or not to start testing for various things that could lead to a SQL injection, XSS issue, directory traversal, authentication bypass, file inclusion, or whatever the vulnerability or issue might be. If the site happens to be running some free or commercially available software, guess what you can do? Get a copy of it yourself and test it. Alternatively, guess what else you can do? GET PERMISSION. If you aren't authorized to start snooping then you deserve to be punished, embarrassed, prosecuted, and smacked down.
I did vulnerability research on servers at my university when I was starting out. I went out and got authorization to do so. In most instances they have a test/dev server they permitted me to test on. I published these vulnerabilities in the form of an advisory publicly after contacting the vendors. You do not have the right to decide to do whatever else you want on someone else's website.
Should you be allowed to try and steal stuff from a store just to see if they're vulnerable to being robbed? Can you break into that same store to see if your sledge hammer breaks their glass? What if you were doing all this just to show them it could be done and not to rob/harm them? So what.. your ass is getting arrested. I think this is the same point posts above had made and it is 100% valid.
Now I do not run a website that gets millions of hits a day, so maybe I am not one to speak -- but MySpace IMO is pretty poor. If you have ever used it, you must be familiar with its inability to accurately track sessions and frequently mistakenly log you out. Not to mention if you use it for a period of time you will generally fail to reach your intended page multiple times with a plethora of possible errors or blank screens. If this was a service people paid for, it would have no users. However, since it's become one of the number one de facto social stops (and it's FREE) it manages to keep the subscriber base.
I am not complaining as I could honestly careless.. but it runs very very poorly.