Fontong
United States 6454 Posts
That's exactly what the little essay in the OP reminds me of. They are going to try and use eterror to make major companies stop using full disclosure...
In this case, I will support full disclosure to thwart these immature bastards.
Lemonwalrus
United States 5465 Posts
> On July 11 2009 15:06 epicdoom wrote:
> Just wait till they attack 4chan
> It's a war waiting to happen

They probably are 4chan.
konadora
Singapore 66083 Posts
> On July 11 2009 17:57 Lemonwalrus wrote:
> > On July 11 2009 15:06 epicdoom wrote:
> > Just wait till they attack 4chan
> > It's a war waiting to happen
>
> They probably are 4chan.

4chan won't be bothered to do something like this

Oh, images are being restored on imageshack now
Mooga
United States 575 Posts
> On July 11 2009 11:34 benjammin wrote:
> i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
> i don't know what that bit about money is all about, but this just seems immature
> correct me if i am wrong, my degrees are in english :D

See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits.
Physician
United States 4146 Posts

==Phrack Inc.==

Volume One, Issue 7, Phile 3 of 10

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

The following was written shortly after my arrest...

\/\The Conscience of a Hacker/\/

by

+++The Mentor+++

Written on January 8, 1986

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me... Or thinks I'm a smart ass... Or doesn't like teaching and shouldn't be here...

Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.

"This is it... this is where I belong..."

I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

+++The Mentor+++

_______________________________________________________________________________
Badjas
Netherlands 2038 Posts
Sure, this is not about you who use photo bucket. This is about the security industry as you can read. But just as you can lose a photo on photo bucket (big deal, you did have a backup right?), so can you receive spams by the bucketloads due to hacked zombie pc's. So can industrial espionage through hacking happen. So can a company get slandered on their own website by a hack. With everything run by computers, a lot can happen. The security industry doesn't mind, they don't get paid for the problems that have occurred and won't be held responsible, they get paid by the scared people who have been hurt before.

Who's on the moral high ground? Can't really say both are on dry land. Getting exploits fixed requires communication but surely it can be done in a way that is much less prone to black hats using those exploits.

Oh, another nice one. Why don't you people hold photo bucket responsible for not fixing their code (or updating third party software) once the exploit was published. That's the reason exploits get published, right? See the problem?
Badjas
Netherlands 2038 Posts
> On July 12 2009 09:55 Mooga wrote:
> > On July 11 2009 11:34 benjammin wrote:
> > i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
> > i don't know what that bit about money is all about, but this just seems immature
> > correct me if i am wrong, my degrees are in english :D
>
> See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits.

So most hacks come from black hats, not from white hats? Where's your source?
Mooga
United States 575 Posts
> On July 12 2009 15:20 Badjas wrote:
> > On July 12 2009 09:55 Mooga wrote:
> > > On July 11 2009 11:34 benjammin wrote:
> > > i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
> > > i don't know what that bit about money is all about, but this just seems immature
> > > correct me if i am wrong, my degrees are in english :D
> >
> > See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits.
>
> So most hacks come from black hats, not from white hats? Where's your source?

It's a question of how the exploits are packaged and how they deliver the payload. I don't know how much you know about script kiddies, but most of them rely heavily on programs written by black-hatters/grey-hatters to deliver the payloads because they can't understand/write the code themselves.
Badjas
Netherlands 2038 Posts
> On July 12 2009 16:10 Mooga wrote:
> > On July 12 2009 15:20 Badjas wrote:
> > > On July 12 2009 09:55 Mooga wrote:
> > > > On July 11 2009 11:34 benjammin wrote:
> > > > i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
> > > > i don't know what that bit about money is all about, but this just seems immature
> > > > correct me if i am wrong, my degrees are in english :D
> > >
> > > See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits.
> >
> > So most hacks come from black hats, not from white hats? Where's your source?
>
> It's a question of how the exploits are packaged and how they deliver the payload. I don't know how much you know about script kiddies, but most of them rely heavily on programs written by black-hatters/grey-hatters to deliver the payloads because they can't understand/write the code themselves.

That didn't answer the question. Wait perhaps I was a bit unclear.

So most exploit discoveries come from black hats, not from white hats? Where's your source?
StRyKeR
United States 1739 Posts
In one of my classes at MIT we talked about the importance of sec. I can bring up some of the arguments used in the papers we've read. I get the impression that security systems experts in general agree that disclosure is the best policy.
fusionsdf
Canada 15390 Posts
> On July 11 2009 11:31 konadora wrote:
> I think they're talking about how imageshack's security is bad, so they are proving that by hijacking the images... ffs I have to replace like 7 months of my blog's images

nope. might want to check out http://it.slashdot.org/story/09/07/11/1430249/ImageShack-Hacked-Security-Groups-Threatened?art_pos=14
Jusciax
Lithuania 588 Posts
> On July 12 2009 15:15 Badjas wrote:
> Sheesh whiners, the people behind this are vindicated exactly through the proof itself. To those who don't see what they're about, read the damn thing. To those who say they are aggravated by them making you lose an image, how else are they gonna give you a wake up call for their cause, a newspaper ad?

How is this going to help imageshack or any other site that could be exploited? If there is no full-disclosure and no security firms, where do these sites go to get latest possible vulnerabilities? If you want to destroy something - give a better alternative, instead of wrecking sites to make your point, like some tagger spraying messages on private property.
datscilly
United States 528 Posts
It began in the 70's when knowledge of phreaking-- phone hacking-- became widespread. The computerized phone system at the time used tones of specific frequencies to communicate with the phone network, and people found that they could "hack" the phone system by whistling at a certain note or using a device to do the same.

Wiki: "In the United States, AT&T began introducing automatic switches for long distance in the mid-to-late 1950s. With the introduction of these switches, the general population began, for the first time, to interact with computing power on a large scale. Phreaking can be viewed as an extension of this, where individuals interested in computers and technology, yet unable to further that interest for a variety of reasons, turned to the only available option: the computer controlled telephone network."

See wiki: Phreaking and wiki: 2600 hertz

With the seed introduced by phreaking, computer hacking took off in the 80's.

In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. During this time, phreaking lost its label for being the exploration of the telephone network, and began to focus more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could later exploit. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985 an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.

"Hacking" as defined by the hacker subculture is different from the meaning assigned by the mass media and the mainstream public. To the subculture, a hacker is "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary." It's about being fascinated with computers and wanting to know everything about them. It is being knowledgeable and an expert in a field, and when exploiting, the focus is on skill and expertise. This is often contrasted to "script kiddies", who break into computer systems just by downloading a script and running it.

Phrack is an online magazine dedicated to hacking, phreaking, and other related technological subjects.

These days, the phrase "death of the hacker subculture" is frequently thrown around. What is the reason for this? The rise of the security industry: former hackers who have turned "white hat" and want to use their hacking knowledge to make a living. A case in point is the well-publicized hacker Kevin Mitnick, who was thrown in jail by the FBI after hacking into multiple companies' networks, and turned and started a security company when he got out of jail. If it is unclear, the security industry caters to corporations who want to protect their systems, and require knowledge of an expert in computer security.

Why does the security industry mean the death of the hacker subculture? When every new exploit is publicized, almost all the 'holes' have been 'plugged' and there is nothing to play with. Only the most veteran of experts can now find new exploits, and they even have to work long and hard to find one.

[image]

In the second paragraph you can see the grievances the hacker subculture have against the security industry. It's not just that the security industry is working against them, although that is the most basic reason, it is also that white hats have turned against their culture, a culture with a distaste for authority and a playful cleverness, who are all about taking the serious humorously and their humor seriously. In the third paragraph they express their disgust at script kiddies who are viewed as unskilled and not 'in' their crowd. The fifth paragraph is in reference to the people of the security industry who have chased money and made hacking into their job instead of a hobby.

Even though the hacker culture is not as active now as compared to the 90's, there are still people out there finding new tricks. This image is proof of that.
Badjas
Netherlands 2038 Posts
> On July 12 2009 17:26 Jusciax wrote:
> > On July 12 2009 15:15 Badjas wrote:
> > Sheesh whiners, the people behind this are vindicated exactly through the proof itself. To those who don't see what they're about, read the damn thing. To those who say they are aggravated by them making you lose an image, how else are they gonna give you a wake up call for their cause, a newspaper ad?
>
> How is this going to help imageshack or any other site that could be exploited? If there is no full-disclosure and no security firms, where do these sites go to get latest possible vulnerabilities? If you want to destroy something - give a better alternative, instead of wrecking sites to make your point, like some tagger spraying messages on private property.

The report of a known exploit does not have to go along with the details of how to perform it. Furthermore, the owner of the software (or maintainers in the case of open source) is the only one who needs to know the details to fix the problem. When the problem is fixed, they can put out a public notice that clients should get a patch for that software.

The only thing that publication of the details of an exploit does, is to force the owner of the software to get a fix to limit the damage done by the exploit. Well, a second thing, it forces everyone to update said software who's using it because the risk of being hit by the exploit is higher. Exploits should be reported publicly though, so as to warn 'the world' of the danger.

There's the method that white hatters have of warning a software producer about an exploit with details, and threatening to publicize the exploit publicly within x days. This I see as a working method. If this method was applied for the exploit that got imageshack hit, then imageshack or a third party software producer made the error of not plugging the hole. If the exploit used in imageshack is an unpublished one, then the imageshack hacker is wrong. It would be very helpful for their cause if they mentioned the used exploit in the image.
Jusciax
Lithuania 588 Posts
> On July 12 2009 19:54 datscilly wrote:
> It makes sense that people would be confused as to the reason they do this, because there's a whole story behind this, and it's not a simple story.
>
> It began in the 70's when knowledge of phreaking-- phone hacking-- became widespread. The computerized phone system at the time used tones of specific frequencies to communicate with the phone network, and people found that they could "hack" the phone system by whistling at a certain note or using a device to do the same.
>
> Wiki: "In the United States, AT&T began introducing automatic switches for long distance in the mid-to-late 1950s. With the introduction of these switches, the general population began, for the first time, to interact with computing power on a large scale. Phreaking can be viewed as an extension of this, where individuals interested in computers and technology, yet unable to further that interest for a variety of reasons, turned to the only available option: the computer controlled telephone network."
>
> See wiki: Phreaking and wiki: 2600 hertz
>
> With the seed introduced by phreaking, computer hacking took off in the 80's.
>
> In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. During this time, phreaking lost its label for being the exploration of the telephone network, and began to focus more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could later exploit. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985 an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.
>
> "Hacking" as defined by the hacker subculture is different from the meaning assigned by the mass media and the mainstream public. To the subculture, a hacker is "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary." It's about being fascinated with computers and wanting to know everything about them. It is being knowledgeable and an expert in a field, and when exploiting, the focus is on skill and expertise. This is often contrasted to "script kiddies", who break into computer systems just by downloading a script and running it.
>
> Phrack is an online magazine dedicated to hacking, phreaking, and other related technological subjects.
>
> These days, the phrase "death of the hacker subculture" is frequently thrown around. What is the reason for this? The rise of the security industry: former hackers who have turned "white hat" and want to use their hacking knowledge to make a living. A case in point is the well-publicized hacker Kevin Mitnick, who was thrown in jail by the FBI after hacking into multiple companies' networks, and turned and started a security company when he got out of jail. If it is unclear, the security industry caters to corporations who want to protect their systems, and require knowledge of an expert in computer security.
>
> Why does the security industry mean the death of the hacker subculture? When every new exploit is publicized, almost all the 'holes' have been 'plugged' and there is nothing to play with. Only the most veteran of experts can now find new exploits, and they even have to work long and hard to find one.
>
> [image]
>
> In the second paragraph you can see the grievances the hacker subculture have against the security industry. It's not just that the security industry is working against them, although that is the most basic reason, it is also that white hats have turned against their culture, a culture with a distaste for authority and a playful cleverness, who are all about taking the serious humorously and their humor seriously. In the third paragraph they express their disgust at script kiddies who are viewed as unskilled and not 'in' their crowd. The fifth paragraph is in reference to the people of the security industry who have chased money and made hacking into their job instead of a hobby.
>
> Even though the hacker culture is not as active now as compared to the 90's, there are still people out there finding new tricks. This image is proof of that.

Sounds quite simple. People with great skills who didn't manage to grow up and adapt are being pissed at ones that could. Tho i don't see how this history justifies anything that they are doing, including hacking imageshack.
Jusciax
Lithuania 588 Posts
> On July 12 2009 20:50 Badjas wrote:
> The report of a known exploit does not have to go along with the details of how to perform it. Furthermore, the owner of the software (or maintainers in the case of open source) is the only one who needs to know the details to fix the problem. When the problem is fixed, they can put out a public notice that clients should get a patch for that software.

Could you give an example of this, because i don't see how you could publicly report an exploit without giving away enough information for a hacker to figure it out. And if you publish it to a small amount of maintainers, wouldn't leaked information be more dangerous, since most hackers would share it among themselves and only a handful of developers/maintainers would be able to fix it.

> The only thing that publication of the details of an exploit does, is to force the owner of the software to get a fix to limit the damage done by the exploit. Well, a second thing, it forces everyone to update said software who's using it because the risk of being hit by the exploit is higher. Exploits should be reported publicly though, so as to warn 'the world' of the danger.

Why only "limit the damage done" if you can fix it? And I see only a positive thing out of 2nd statement. Again, i'm not an expert, but just curious how can you report an exploit publicly and give out enough details to help the user and keep the hacker in the dark?

> There's the method that white hatters have of warning a software producer about an exploit with details, and threatening to publicize the exploit publicly within x days. This I see as a working method. If this method was applied for the exploit that got imageshack hit, then imageshack or a third party software producer made the error of not plugging the hole. If the exploit used in imageshack is an unpublished one, then the imageshack hacker is wrong. It would be very helpful for their cause if they mentioned the used exploit in the image.

This approach is far more logical than hacking the site to send a message.
Badjas
Netherlands 2038 Posts
> On July 12 2009 22:23 Jusciax wrote:
> > On July 12 2009 20:50 Badjas wrote:
> > The report of a known exploit does not have to go along with the details of how to perform it. Furthermore, the owner of the software (or maintainers in the case of open source) is the only one who needs to know the details to fix the problem. When the problem is fixed, they can put out a public notice that clients should get a patch for that software.
>
> Could you give an example of this, because i don't see how you could publicly report an exploit without giving away enough information for a hacker to figure it out. And if you publish it to a small amount of maintainers, wouldn't leaked information be more dangerous, since most hackers would share it among themselves and only a handful of developers/maintainers would be able to fix it.

How do hackers share? Can't security researchers get the news on exploits if hackers can share? Secondly, if I find an exploit in a mail server, I could simply say that 'mail server x has an exploit regarding message parsing as of 12-7-2009 leading to program crashes'. the amount of detail that is safe to give really varies.

> > The only thing that publication of the details of an exploit does, is to force the owner of the software to get a fix to limit the damage done by the exploit. Well, a second thing, it forces everyone to update said software who's using it because the risk of being hit by the exploit is higher. Exploits should be reported publicly though, so as to warn 'the world' of the danger.
>
> Why only "limit the damage done" if you can fix it? And I see only a positive thing out of 2nd statement. Again, i'm not an expert, but just curious how can you report an exploit publicly and give out enough details to help the user and keep the hacker in the dark?

yeah I kinda left the message too implicit. limit damage done should be read 'as opposed to preventing any damage from occurring'.

> > There's the method that white hatters have of warning a software producer about an exploit with details, and threatening to publicize the exploit publicly within x days. This I see as a working method. If this method was applied for the exploit that got imageshack hit, then imageshack or a third party software producer made the error of not plugging the hole. If the exploit used in imageshack is an unpublished one, then the imageshack hacker is wrong. It would be very helpful for their cause if they mentioned the used exploit in the image.
>
> This approach is far more logical than hacking the site to send a message.

Euh, false dichotomy?
ThaddeusK
United States 231 Posts
> On July 12 2009 22:06 Jusciax wrote:
> Sounds quite simple. People with great skills who didn't manage to grow up and adapt are being pissed at ones that could. Tho i don't see how this history justifies anything that they are doing, including hacking imageshack.

not really, it's just that they view hacking as something that should be done for fun/as a hobby rather than as a job, saying that they didn't manage to grow up and adapt is like saying the people who play starcraft but are not progamers didn't grow up and adapt (my point being that doing something for a job doesn't have to be the end result of having a hobby, sometimes you just do it for fun)

although you are right, it doesn't justify what they are doing.