|
konadora
Singapore66358 Posts
|
Baltimore, USA22259 Posts
Yeah, just happened to a pic I uploaded... what a bunch of d-bags.
|
konadora
Singapore66358 Posts
Any other image-uploading sites affected? So far I've only used imageshack, so with half my images being hijacked with this, it's going to take me a whole day to reupload onto another site and replace the images on my blog...
|
Belgium6775 Posts
Hopefully the imageshack crew will manage to fix it themselves
|
If they actually wanted to get across to people they should narrow down their huge essay there to like two sentences or less so people actually care to read it. ;o
|
hope too.... why are they doing that....
|
Is this against Imageshack forcing ads onto images?
I'm not sure I understand what they're trying to do here.
|
konadora
Singapore66358 Posts
I think they're talking about how imageshack's security is bad, so they are proving that by hijacking the images...
ffs
I have to replace like 7 months of my blog's images
|
i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
i don't know what that bit about money is all about, but this just seems immature
correct me if i am wrong, my degrees are in english :D
|
i just got this too, googled the anti-sec movement, and got this thread.
|
motbob
United States12546 Posts
|
I wouldn't use a site like Imageshack to host any image intended to last longer than an IRC session.
|
|
|
Jesus I hate self righteous idiots who think they can pull shit like this off because "they are in the right so its ok to fuck with millions of photos". God I hate these people.
|
Hahaha, this is just another thing to put on my list of "REASONS NOT TO USE IMAGESHACK". Seriously there are hundreds.
Use photobucket people.
|
TLDR version: Security companies distribute exploits,etc so that they can get more people to buy their own security software, thus making more $$. These guys are attempting to break the cycle by disrupting anything that supports this cycle
|
everything on photobucket is fine
|
yeah imageshack is terrible anyways.
pretty good advertising for photobucket if nothing else.
|
big companies expoiting to make $$
whats new?
|
Also reminds me of the time when someone told me antivirus companies sued microsoft for making some changes to the windows kernel that would prevent most viruses from executing. Dunno if its true or not.
This approach(hijacking imageshack) is not going to work imo.
|
This is why I use photobucket
|
konadora
Singapore66358 Posts
I regret using imageshack now, should have used flickr -_-
|
|
|
imgur.com or skipall.com
the best hosts, bar none
|
konadora
Singapore66358 Posts
Looks like imageshack found out, I think they're restoring the images
|
I always use tinypic but you can't upload from URL there :/
|
On July 11 2009 12:18 Nightmarjoo wrote:LOL that sucks.
NOOOOOOOOOOOOO
ROOOOOOOGIE
|
When in doubt, hit it with Starlight breaker~~~~
|
konadora
Singapore66358 Posts
On July 11 2009 12:36 SWPIGWANG wrote:
When in doubt, hit it with Starlight breaker~~~~
hehe lol
|
mmm tl. While I don't agree with full disclosure(this is actually the first I heard of it) it seems mighty counter productive to hack a bunch of sites to battle security companies.... Hey guys let's stop the money grabbing security companies by causing more havoc!! that way they consumers have more reason to buy their stuff!! LOL.
|
On July 11 2009 13:14 DeathSpank wrote:
mmm tl. While I don't agree with full disclosure(this is actually the first I heard of it) it seems mighty counter productive to hack a bunch of sites to battle security companies.... Hey guys let's stop the money grabbing security companies by causing more havoc!! that way they consumers have more reason to buy their stuff!! LOL.
Pretty much QFT.
|
Everything in the TL dota thread seems normal? O.o
Edit: Ah wait. I'm a couple hours late. that might be why
|
On July 11 2009 13:24 Medzo wrote:Show nested quote +On July 11 2009 13:14 DeathSpank wrote:
mmm tl. While I don't agree with full disclosure(this is actually the first I heard of it) it seems mighty counter productive to hack a bunch of sites to battle security companies.... Hey guys let's stop the money grabbing security companies by causing more havoc!! that way they consumers have more reason to buy their stuff!! LOL. Pretty much QFT.
well not quite. they want hackers to stop publishing the exploits they find which means any potential security holes that are found are going to be kept among hackers themselves as opposed to publishing them on a website. general consensus is that it's better when hackers publish exploits because it pushes the companies to fix the security holes or enables knowledgeable administrators to avoid making themselves vulnerable to the exploit. for some reason though these anti-sec people think the security industry is unjustly profiting from the full disclosure of exploits.
|
On July 11 2009 12:20 konadora wrote:
Looks like imageshack found out, I think they're restoring the images
Oh man, imageshack's images are messed up for two hours and everyone abandons them 
I still use them. I enjoy that I don't have to sign up for anything to upload files. AFIK you need to make an account to use photobucket... blaah. Then again, I haven't used photobucket in ten million years.
|
uh. Wut's bad in full disclosure ? Could someone explain me in few words ? Cuz I've read the wiki and I can't see wut's bad in : telling everyone which part sucks so someone can fix that asap.
Or maybe I've missed the point.
|
konadora
Singapore66358 Posts
On July 11 2009 14:46 Chef wrote:Show nested quote +On July 11 2009 12:20 konadora wrote:
Looks like imageshack found out, I think they're restoring the images Oh man, imageshack's images are messed up for two hours and everyone abandons them I still use them. I enjoy that I don't have to sign up for anything to upload files. AFIK you need to make an account to use photobucket... blaah. Then again, I haven't used photobucket in ten million years.
I'm going to use flickr from now on -_-
|
Just wait till they attack 4chan It's a war waiting to happen
|
Full disclosure is not "big companies exploiting to make money." Opponents of full-disclosure are essentially advocating security by obscurity. I'm not an expert in computer security but I find it an interesting topic and loosely follow some news and blogs. Full disclosure has its drawbacks but the alternative is almost certainly worse.
It's like proposing that your country's scientists should stop publishing research openly because other people might use your ideas to build something or discover something new. The entire goal of sharing the information is that the leaders in the field have overwhelmingly decided that it's worth the costs in order to advance the field as a whole.
Without full disclosure potential exploits will be far more numerous and someone who knows what they're doing can do a lot more damage once they've found one. I'd gladly trade allowing script kiddies to get their hands on noob exploits for making the entire field of security more robust overall.
|
Oh no wonder.. I thought i had posted a wrong link of the pic..
|
I see where they are coming from. At least in theory....
|
Basically, they are an eTerrorism group??
That's exactly what the little essay in the OP reminds me of. They are going to try and use eterror to make major companies stop using full disclosure...
In this case, I will support full disclosure to thwart these immature bastards.
|
On July 11 2009 15:06 epicdoom wrote:
Just wait till they attack 4chan It's a war waiting to happen
They probably are 4chan.
|
konadora
Singapore66358 Posts
On July 11 2009 17:57 Lemonwalrus wrote:Show nested quote +On July 11 2009 15:06 epicdoom wrote:
Just wait till they attack 4chan It's a war waiting to happen They probably are 4chan.
4chan won't be bothered to do something like this
Oh, images are being restored on imageshack now
|
That's pretty ridiculous. You need to be pretty self-righteous to mess with other peoples images to make your statement.
|
You'd think they would use a less annoying method if they wanted people to support their cause. S:
|
On July 11 2009 11:34 benjammin wrote:
i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
i don't know what that bit about money is all about, but this just seems immature
correct me if i am wrong, my degrees are in english :D
See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits.
|
Physician
United States4146 Posts
File: archives/7/p7_0x03_Hacker's Manifesto_by_The Mentor.txt
==Phrack Inc.==
Volume One, Issue 7, Phile 3 of 10
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The following was written shortly after my arrest...
\/\The Conscience of a Hacker/\/
by
+++The Mentor+++
Written on January 8, 1986
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Another one got caught today, it's all over the papers. "Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain,
ever take a look behind the eyes of the hacker? Did you ever wonder what
made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of
the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain
for the fifteenth time how to reduce a fraction. I understand it. "No, Ms.
Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is
cool. It does what I want it to. If it makes a mistake, it's because I
screwed it up. Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through
the phone line like heroin through an addict's veins, an electronic pulse is
sent out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to
them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at
school when we hungered for steak... the bits of meat that you did let slip
through were pre-chewed and tasteless. We've been dominated by sadists, or
ignored by the apathetic. The few that had something to teach found us will-
ing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the
beauty of the baud. We make use of a service already existing without paying
for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
you call us criminals. We explore... and you call us criminals. We seek
after knowledge... and you call us criminals. We exist without skin color,
without nationality, without religious bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and lie to us
and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is
that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never forgive me
for.
I am a hacker, and this is my manifesto. You may stop this individual,
but you can't stop us all... after all, we're all alike.
+++The Mentor+++
_______________________________________________________________________________
|
Sheesh whiners, the people behind this are vindicated exactly through the proof itself. To those who don't see what they're about, read the damn thing. To those who say they are aggravated by them making you lose an image, how else are they gonna give you a wake up call for their cause, a newspaper ad?
Sure, this is not about you who use photo bucket. This is about the security industry as you can read. But just as you can lose a photo on photo bucket (big deal, you did have a backup right?), so can you receive spams by the bucketloads due to hacked zombie pc's. So can industrial espionage through hacking happen. So can a company get slandered on their own website by a hack. With everything run by computers, a lot can happen. The security industry doesn't mind, they don't get payed for the problems that have occurred and won't be held responsible, they get payed by the scared people who have been hurt before.
Who's on the moral high ground? Can't really say both are on dry land. Getting exploits fixed requires communication but surely it can be done in a way that is much less prone to black hats using those exploits.
Oh, another nice one. Why don't you people hold photo bucket responsible for not fixing their code (or updating third party software) once the exploit was published. That's the reason exploits get published, right? See the problem?
|
On July 12 2009 09:55 Mooga wrote:Show nested quote +On July 11 2009 11:34 benjammin wrote:
i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
i don't know what that bit about money is all about, but this just seems immature
correct me if i am wrong, my degrees are in english :D See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits.
So most hacks come from black hats, not from white hats? Where's your source?
|
On July 12 2009 15:20 Badjas wrote:Show nested quote +On July 12 2009 09:55 Mooga wrote:On July 11 2009 11:34 benjammin wrote:
i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
i don't know what that bit about money is all about, but this just seems immature
correct me if i am wrong, my degrees are in english :D See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits. So most hacks come from black hats, not from white hats? Where's your source?
It's a question of how the exploits are packaged and how they deliver the payload. I don't know how much you know about script kiddies, but most of them rely heavily on programs written by black-hatters/grey-hatters to deliver the payloads because they can't understand/write the code themselves.
|
On July 12 2009 16:10 Mooga wrote:Show nested quote +On July 12 2009 15:20 Badjas wrote:On July 12 2009 09:55 Mooga wrote:On July 11 2009 11:34 benjammin wrote:
i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
i don't know what that bit about money is all about, but this just seems immature
correct me if i am wrong, my degrees are in english :D See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits. So most hacks come from black hats, not from white hats? Where's your source? It's a question of how the exploits are packaged and how they deliver the payload. I don't know how much you know about script kiddies, but most of them rely heavily on programs written by black-hatters/grey-hatters to deliver the payloads because they can't understand/write the code themselves.
That didn't answer the question. Wait perhaps I was a bit unclear.
So most exploit discoveries come from black hats, not from white hats? Where's your source?
|
interesting discussion
One of my classes at MIT we talked about the importance of sec. I can bring up some of the arguments used in the papers we've read. I get the impression that security systems experts in general agree that disclosure is the best policy.
|
|
|
On July 12 2009 15:15 Badjas wrote:
Sheesh whiners, the people behind this are vindicated exactly through the proof itself. To those who don't see what they're about, read the damn thing. To those who say they are aggravated by them making you lose an image, how else are they gonna give you a wake up call for their cause, a newspaper ad?
How is this going to help imageshack or any other site that could be exploited? If there is no full-disclosure and no security firms, where do these sites go to get latest possible vulnerabilities? If you want to destroy something - give a better alternative, instead of wrecking sites to make your point, like some tagger spraying messages on private property.
|
It makes sense that people would be confused as to the reason they do this, because there's a whole story behind this, and it's not a simple story.
It began in the 70's when knowledge of phreaking-- phone hacking-- became widespread. The computerized phone system at the time used tones of specific frequencies to communicate with the phone network, and people found that they could "hack" the phone system by whistling at a certain note or using a device to do the same. Wiki: + Show Spoiler +"In the United States, AT&T began introducing automatic switches for long distance in the mid-to-late 1950s. With the introduction of these switches, the general population began, for the first time, to interact with computing power on a large scale. Phreaking can be viewed as an extension of this, where individuals interested in computers and technology, yet unable to further that interest for a variety of reasons, turned to the only available option: the computer controlled telephone network." See wiki: Phreaking and wiki: 2600 hertz
With the seed introduced by phreaking, computer hacking took off in the 80's. + Show Spoiler +In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. During this time, phreaking lost its label for being the exploration of the telephone network, and began to focus more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could later exploit. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985 an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects.
"Hacking" as defined by the hacker subculture is different from the meaning assigned by the mass media and the mainstream public. To the subculture, a hacker is "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary." It's about being fascinated with computers and wanting to know everything about them. It is being knowledgeable and an expert in a field, and when exploiting, the focus is on skill and expertise. This is often contrasted to "script kiddies", who breaking into computer systems just by downloading a script and running it.
Phrack is an online magazine dedicated to hacking, phreaking, and other related technological subjects. These days, the phrase "death of the hacker subculture" is frequently thrown around. What is the reason for this? The rise of the security industry: former hackers who have turned "white hat" and want to use their hacking knowledge to make a living. A case in point is the well-publicized hacker Kevin Mitnick, who was thrown in jail by the FBI after hacking into multiple companies' networks, and turned and started a security company when he got out of jail. If it is unclear, the security industry caters to corporations who want to protect their systems, and require knowledge of an expert in computer security. Why does the security industry mean the death of the hacker subculture? When every new exploit is publicized, almost all the 'holes' have been 'plugged' and there is nothing to play with. Only the most veteran of experts can now find new exploits, and they even have to work long and hard to find one.
+ Show Spoiler +
In the second paragraph you can see the grievances the hacker subculture have against the security industry. It's not just that the security industry is working against them, although that is the most basic reason, it is also that white hats have turned against their culture, a culture with a distaste for authority and a playful cleverness, who are all about taking the serious humorously and their humor seriously.
In the third paragraph they express their disgust at script kiddies who are viewed as unskilled and not 'in' their crowd.
The fifth paragraph is in reference to the people of the security industry who have chased money and made hacking into their job instead of a hobby.
Even though the hacker culture is not as active now as compared to the 90's, their are still people out there finding new tricks. This image is proof of that.
|
On July 12 2009 17:26 Jusciax wrote:Show nested quote +On July 12 2009 15:15 Badjas wrote:
Sheesh whiners, the people behind this are vindicated exactly through the proof itself. To those who don't see what they're about, read the damn thing. To those who say they are aggravated by them making you lose an image, how else are they gonna give you a wake up call for their cause, a newspaper ad? How is this going to help imageshack or any other site that could be exploited? If there is no full-disclosure and no security firms, where do these sites go to get latest possible vulnerabilities? If you want to destroy something - give a better alternative, instead of wrecking sites to make your point, like some tagger spraying messages on private property.
The report of a known exploit does not have to go along with the details of how to perform it. Furthermore, the owner of the software (or maintainers in the case of open source) is the only one who needs to know the details to fix the problem. When the problem is fixed, they can put out a public notice that clients should get a patch for that software.
The only thing that publication of the details of an exploit does, is to force the owner of the software to get a fix to limit the damage done by the exploit. Well, a second thing, it forces everyone to update said software who's using it because the risk of being hit by the exploit is higher. Exploits should be reported publicly though, so as to warn 'the world' of the danger.
There's the method that white hatters have of warning a software producer about an exploit with details, and threatening to publicize the exploit publicly within x days. This I see as a working method. If this method was applied for the exploit that got imageshack hit, then imageshack or a third party software producer made the error of not plugging the hole. If the exploit used in imageshack is an unpublished one, then the imageshack hacker is wrong. It would be very helpful for their cause if they mentioned the used exploit in the image.
|
On July 12 2009 19:54 datscilly wrote:It makes sense that people would be confused as to the reason they do this, because there's a whole story behind this, and it's not a simple story. It began in the 70's when knowledge of phreaking-- phone hacking-- became widespread. The computerized phone system at the time used tones of specific frequencies to communicate with the phone network, and people found that they could "hack" the phone system by whistling at a certain note or using a device to do the same. Wiki: + Show Spoiler +"In the United States, AT&T began introducing automatic switches for long distance in the mid-to-late 1950s. With the introduction of these switches, the general population began, for the first time, to interact with computing power on a large scale. Phreaking can be viewed as an extension of this, where individuals interested in computers and technology, yet unable to further that interest for a variety of reasons, turned to the only available option: the computer controlled telephone network." See wiki: Phreaking and wiki: 2600 hertz With the seed introduced by phreaking, computer hacking took off in the 80's. + Show Spoiler +In the 1980s, the revolution of the personal computer and the popularity of computer bulletin board systems (accessed via modem) created an influx of tech-savvy users. These BBSes became popular for computer hackers and others interested in the technology, and served as a medium for previously scattered independent phone phreaks to share their discoveries and experiments. This not only led to unprecedented collaboration between phone phreaks, but also spread the notion of phreaking to others who took it upon themselves to study, experiment with, or exploit the telephone system. During this time, phreaking lost its label for being the exploration of the telephone network, and began to focus more on toll fraud. Computer hackers began to use phreaking methods to find the telephone numbers for modems belonging to businesses, which they could later exploit. Groups then formed around the BBS hacker/phreaking (H/P) community such as the famous Masters of Deception (Phiber Optik) and Legion of Doom (Erik Bloodaxe) groups. In 1985 an underground e-zine called Phrack (a combination of the words Phreak and Hack) began circulation among BBSes, and focused on hacking, phreaking, and other related technological subjects. "Hacking" as defined by the hacker subculture is different from the meaning assigned by the mass media and the mainstream public. To the subculture, a hacker is "A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary." It's about being fascinated with computers and wanting to know everything about them. It is being knowledgeable and an expert in a field, and when exploiting, the focus is on skill and expertise. This is often contrasted to "script kiddies", who breaking into computer systems just by downloading a script and running it. Phrack is an online magazine dedicated to hacking, phreaking, and other related technological subjects. These days, the phrase "death of the hacker subculture" is frequently thrown around. What is the reason for this? The rise of the security industry: former hackers who have turned "white hat" and want to use their hacking knowledge to make a living. A case in point is the well-publicized hacker Kevin Mitnick, who was thrown in jail by the FBI after hacking into multiple companies' networks, and turned and started a security company when he got out of jail. If it is unclear, the security industry caters to corporations who want to protect their systems, and require knowledge of an expert in computer security. Why does the security industry mean the death of the hacker subculture? When every new exploit is publicized, almost all the 'holes' have been 'plugged' and there is nothing to play with. Only the most veteran of experts can now find new exploits, and they even have to work long and hard to find one. + Show Spoiler +In the second paragraph you can see the grievances the hacker subculture have against the security industry. It's not just that the security industry is working against them, although that is the most basic reason, it is also that white hats have turned against their culture, a culture with a distaste for authority and a playful cleverness, who are all about taking the serious humorously and their humor seriously. In the third paragraph they express their disgust at script kiddies who are viewed as unskilled and not 'in' their crowd. The fifth paragraph is in reference to the people of the security industry who have chased money and made hacking into their job instead of a hobby. Even though the hacker culture is not as active now as compared to the 90's, their are still people out there finding new tricks. This image is proof of that.
Sounds quite simple. People with great skills who didn't manage grow up and adapt are being pissed at ones that could. Tho i don't see how this history justifies anything that they are doing, including hacking imageshack.
|
On July 12 2009 20:50 Badjas wrote:
The report of a known exploit does not have to go along with the details of how to perform it. Furthermore, the owner of the software (or maintainers in the case of open source) is the only one who needs to know the details to fix the problem. When the problem is fixed, they can put out a public notice that clients should get a patch for that software.
Could you give example of this, because i don't see how you could publicly report an exploit without giving away enough information for hacker figure it out. And if you publish it to small amount of maintainers, wouldn't leaked information be more dangerous, since most hackers would share it among themselves and only a handful of developers/maintainers would be able to fix it.
The only thing that publication of the details of an exploit does, is to force the owner of the software to get a fix to limit the damage done by the exploit. Well, a second thing, it forces everyone to update said software who's using it because the risk of being hit by the exploit is higher. Exploits should be reported publicly though, so as to warn 'the world' of the danger.
Why only "limit the damage done" if you can fix it? And I see only a positive thing out of 2nd statement. Again, i'm not expert, but just curious how can you report exploit publicly and give out enough details to help user and keep hacker in the dark?
There's the method that white hatters have of warning a software producer about an exploit with details, and threatening to publicize the exploit publicly within x days. This I see as a working method. If this method was applied for the exploit that got imageshack hit, then imageshack or a third party software producer made the error of not plugging the hole. If the exploit used in imageshack is an unpublished one, then the imageshack hacker is wrong. It would be very helpful for their cause if they mentioned the used exploit in the image.
This approach is far more logical than hacking the site to send a message.
|
On July 12 2009 22:23 Jusciax wrote:Show nested quote +On July 12 2009 20:50 Badjas wrote:
The report of a known exploit does not have to go along with the details of how to perform it. Furthermore, the owner of the software (or maintainers in the case of open source) is the only one who needs to know the details to fix the problem. When the problem is fixed, they can put out a public notice that clients should get a patch for that software. Could you give example of this, because i don't see how you could publicly report an exploit without giving away enough information for hacker figure it out. And if you publish it to small amount of maintainers, wouldn't leaked information be more dangerous, since most hackers would share it among themselves and only a handful of developers/maintainers would be able to fix it.
How do hackers share? Can't security researchers get the news on exploits if hackers can share?
Secondly, if I find an exploit in a mail server, I could simply say that 'mail server x has an exploit regarding message parsing as of 12-7-2009 leading to program crashes'. the amount of detail that is safe to give really varies.
Show nested quote +The only thing that publication of the details of an exploit does, is to force the owner of the software to get a fix to limit the damage done by the exploit. Well, a second thing, it forces everyone to update said software who's using it because the risk of being hit by the exploit is higher. Exploits should be reported publicly though, so as to warn 'the world' of the danger. Why only "limit the damage done" if you can fix it? And I see only a positive thing out of 2nd statement. Again, i'm not expert, but just curious how can you report exploit publicly and give out enough details to help user and keep hacker in the dark?
yeah I kinda left the message too implicit. limit damage done should be read 'as opposed to preventing any damage from occurring'.
Show nested quote +There's the method that white hatters have of warning a software producer about an exploit with details, and threatening to publicize the exploit publicly within x days. This I see as a working method. If this method was applied for the exploit that got imageshack hit, then imageshack or a third party software producer made the error of not plugging the hole. If the exploit used in imageshack is an unpublished one, then the imageshack hacker is wrong. It would be very helpful for their cause if they mentioned the used exploit in the image. This approach is far more logical than hacking the site to send a message.
Euh, false dichotomy?
|
On July 12 2009 22:06 Jusciax wrote:
Sounds quite simple. People with great skills who didn't manage grow up and adapt are being pissed at ones that could. Tho i don't see how this history justifies anything that they are doing, including hacking imageshack.
not really, its just that they view hacking as something that should be done for fun/as a hobby rather than as a job, saying that they didnt manage to grow up and adapt is like saying the people who play starcraft but are not progamers didnt grow up and adapt (my point being that doing something for a job doesnt have to be the end result of having a hobby, sometimes you just do it for fun) although you are right, it doesnt justify what they are doing.
|
What's full disclosure and wth is this sec about?
|
In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.
Full disclosure requires that full details of a security vulnerability are disclosed to the public, including details of the vulnerability and how to detect and exploit it. The theory behind full disclosure is that releasing vulnerability information immediately results in quicker fixes and better security. Fixes are produced faster because vendors and authors are forced to respond in order to save face. Security is improved because the window of exposure, the amount of time the vulnerability is open to attack, is reduced.
by Wikipedia
|
On July 12 2009 23:34 ThaddeusK wrote:Show nested quote +On July 12 2009 22:06 Jusciax wrote:
Sounds quite simple. People with great skills who didn't manage grow up and adapt are being pissed at ones that could. Tho i don't see how this history justifies anything that they are doing, including hacking imageshack. not really, its just that they view hacking as something that should be done for fun/as a hobby rather than as a job, saying that they didnt manage to grow up and adapt is like saying the people who play starcraft but are not progamers didnt grow up and adapt (my point being that doing something for a job doesnt have to be the end result of having a hobby, sometimes you just do it for fun) although you are right, it doesnt justify what they are doing.
But you aren't pissed at others who took starcraft gaming to pro level and make a living out of it, are you? That was my whole point (or at least that's what i got from that post) that hackers think others who took it to next level (used their knowledge to get a job in security firms) are somehow sellouts and not respected anymore. Which is why i found that view childish and laughable.
|
|
|
So sad how many ppl in this thread got all angry and bashed this movement without even reading the statement because it's more than 2 lines.
If you'd have read it, you might have
a) learned something interesting/important, even if you decided they were wrong and
b) discovered that "no images were harmed", so you wouldn't have had to reupload your images or anything.
|
On July 12 2009 16:43 Badjas wrote:Show nested quote +On July 12 2009 16:10 Mooga wrote:On July 12 2009 15:20 Badjas wrote:On July 12 2009 09:55 Mooga wrote:On July 11 2009 11:34 benjammin wrote:
i'm not a computer science person in any way, but isn't this just laughably misguided? doesn't disclosure encourage the actual creation of fixes and distribution of them on a larger scale than otherwise? sure, it allows for malicious usage, but that would exist either way, and would be more effective if there was no disclosure
i don't know what that bit about money is all about, but this just seems immature
correct me if i am wrong, my degrees are in english :D See, the thing is that hackers don't want full-disclosure because it threatens to fix exploits that hackers are using faster than no-disclosure. This forces hackers to come up with novel hacks, instead of using the same method indefinitely without being detected. Of course they say that what they are doing is to stop the script kiddies, but most script kiddies use grey-hat or black-hat exploits anyway, they don't go through code and write their own, so black-hat or grey-hat hackers are still relied on anyway to develop exploits. So most hacks come from black hats, not from white hats? Where's your source? It's a question of how the exploits are packaged and how they deliver the payload. I don't know how much you know about script kiddies, but most of them rely heavily on programs written by black-hatters/grey-hatters to deliver the payloads because they can't understand/write the code themselves. That didn't answer the question. Wait perhaps I was a bit unclear. So most exploit discoveries come from black hats, not from white hats? Where's your source?
I was probably unclear - all I was trying to say is that whomever discovered the exploit is irrelevant to the question of which scripts script kiddies use. If you want to let script kiddies hack security systems, then you have to basically write every line of code for them in order to make that possible because that's all script kiddies do... they download programs from hackers and run those scripts on everything. White-hat hackers do not explicitly make programs to help script kiddies execute exploits. So that's what I meant by needing black-hats or grey-hats to exploit.
|
|
|
|
|
|
EPT![[image loading]](http://farm3.static.flickr.com/2583/3708287543_5b85941f25.jpg?v=0)
![[image loading]](http://ec.mashable.com/wp-content/uploads/2009/07/imageshackhack.gif)
