Imageshack Hacked by Anti-Sec

CmdPrompt Registered User regular
edited July 2009 in Debate and/or Discourse
So, chances are you've seen this floating around:
35ixg2h.jpg
Let's talk about it.

oh god what do these words even mean
Here's a quick rundown of part of the security business:
All software has bugs. All of it. There are generally two types of people that take advantage of this fact. First are the white hats. These guys follow a process of full-disclosure, which involves reporting the bug to the company, giving them a lead time in order to fix the bug, and then publishing the exploit across the internet. The idea of publishing is to give companies an impetus to fix the bugs, while giving a nice boost to e-penis and occasionally getting paid for it.
On the other end of the scale are black hats. Once they find a bug, they use it for some personal gain, be it money, e-penis again, or the spreading of their own agenda - as in this case.
Additionally, it may help to know that rm is short for the Linux command remove.

This should give you enough information to understand the context.

oh god are they going to HACK THE PLANET and steal all of my monies?
In this case (unless you happen to belong to the security community), this particular attack doesn't concern you. What is important about this is the visibility. Most black hats are going to quietly steal your information and profit from it. Exploits are very common and increasingly sophisticated. Make sure you protect yourself by having strong passwords and keeping your computer updated.

THE INTERNET IS SERIOUS BUSINESS
Indeed.

More information can be found about this group here, if you're interested in reading walls of text.


Posts

  • DiannaoChong Registered User regular
    edited July 2009
    So when will this exploit get released so I can run it to change everything on imageshack to chibi anime girls?


    This is kind of interesting, is there any info on the group itself? Do we have an idea of the size or scope of the organization? Have they done anything else in the past?

    Edit: this sounds a lot like a declaration of war. Either this will get fixed and turned to nothing, or we're gonna see fireworks over the next few days, could be cool/shitty. Cue Fox News talking about deadly hackers and exploding vans?

  • SniperGuy SniperGuyGaming Registered User regular
    edited July 2009
    I'm amused that they think the security industry uses full disclosure to profit and make with the scare tactics.

    White hats are pretty often normal guys who just find this stuff, or hack for fun and then report back, or even are hired to find this stuff. The only reason NOT to have a full disclosure on these bugs is for black hats to turn your computer into a bot net without you having a chance to stop it. In closing, ugh, hackers.

  • Handkor Registered User regular
    edited July 2009
    The image had a cyan pixel above the "a" on imageshack. At first I thought I had a dead pixel on my screen.

    I'm surprised to see them use a site with so much visibility on the internet, they are really getting serious or is this just simple saber rattling to get some recognition. Speaking of which when is the next Defcon?

  • OtakuD00D Can I hit the exploding rocks? San Diego Registered User regular
    edited July 2009
    From what I've seen so far, I don't mind them too much. Their agenda's pretty straightforward- if they're right about it, that is. As with anything, this has the potential to spiral out of control well past their original intentions.

  • DoctorArch Curmudgeon Registered User regular
    edited July 2009
    Eh, I give them a couple of weeks until the FBI tracks them down and pounds them in the ass.

    Switch Friend Code: SW-6732-9515-9697
  • DiannaoChong Registered User regular
    edited July 2009
    I do see what you mean sniperguy, but it seems to me that the declaration is against companies that put out software to fix these issues, by putting them in the open to exploit against people who don't buy their fixes. I am sure there's underground shillin' going on with blogs, and leaks on the info to cause stirs in exploiting. I really have mixed feelings about it, but it's certainly true that the blackhats are behind it, and they aren't saints by a long shot.

  • CmdPrompt Registered User regular
    edited July 2009
    So when will this exploit get released so I can run it to change everything on imageshack to chibi anime girls?


    This is kind of interesting, is there any info on the group itself? Do we have an idea of the size or scope of the organization? Have they done anything else in the past?

    You might want to check the link I just edited in. It contains a lot of info on the group itself.
    In closing, ugh, hackers.
    You're liable to annoy some people with that sort of comment, as a lot of people that self style themselves as hackers aren't the ones screwing over your computer. See this for a good definition of hacker.
    Speaking of which when is the next Defcon?
    Right after Black Hat, July 30th to August 2nd. I'll be attending if anyone else happens to be going. :o

  • cyphr Registered User regular
    edited July 2009
    Full disclosure is, provided a reasonable window for the vulnerable party to fix the security hole, a good thing. As someone posted on reddit, what an astonishingly misguided mission.

    Although, hacking imageshack is pretty impressive. Hope we get to see the exploit details at some point.

  • MidnightSG Registered User regular
    edited July 2009
    NERRRRRRRRRRRRRRRRRRRRRRDS gone crazy, sadly they are not the batman of the internet. I give them a week till someone gives up info on the higher ups to the FBI. Oh well, 15 mins of fame for them!

    Edit:

    "pr0j3ct m4yh3m" Oh my god ahahahahaha. :lol:
    Now I think this has to be made up, marketing... something.

  • _J_ Pedant Registered User, __BANNED USERS regular
    edited July 2009
    cyphr wrote: »
    Full disclosure is, provided a reasonable window for the vulnerable party to fix the security hole, a good thing. As someone posted on reddit, what an astonishingly misguided mission.

    Although, hacking imageshack is pretty impressive. Hope we get to see the exploit details at some point.

    Agreed.

    Do we understand why they hate full disclosure? I read the image but...the fuck does that mean?

  • -SPI- Osaka, Japan Registered User regular
    edited July 2009
    _J_ wrote: »
    cyphr wrote: »
    Full disclosure is, provided a reasonable window for the vulnerable party to fix the security hole, a good thing. As someone posted on reddit, what an astonishingly misguided mission.

    Although, hacking imageshack is pretty impressive. Hope we get to see the exploit details at some point.

    Agreed.

    Do we understand why they hate full disclosure? I read the image but...the fuck does that mean?

    Because it allows companies to fix the software... and... I dunno. Sounds like they're a bunch of pricks to me.

  • _J_ Pedant Registered User, __BANNED USERS regular
    edited July 2009
    -SPI- wrote: »
    Because it allows companies to fix the software... and... I dunno. Sounds like they're a bunch of pricks to me.

    Oh, ok. They don't want companies to fix their software so that...something.

    Got it.

  • AngelHedgie Registered User regular
    edited July 2009
    _J_ wrote: »
    cyphr wrote: »
    Full disclosure is, provided a reasonable window for the vulnerable party to fix the security hole, a good thing. As someone posted on reddit, what an astonishingly misguided mission.

    Although, hacking imageshack is pretty impressive. Hope we get to see the exploit details at some point.

    Agreed.

    Do we understand why they hate full disclosure? I read the image but...the fuck does that mean?

    They're trying to say that full disclosure creates a "climate of fear" that allows security companies to hawk their wares, and allows the script kiddies to grab new hacks and attack vulnerable servers.

    The thing is that full disclosure policies already incorporate a period of time to allow the flaws to be fixed, and that sunlight IS the best disinfectant.

    As I said in [chat], if I was going to declare war on someone, Bruce Schneier wouldn't be someone I would pick as my first choice.

    XBL: Nox Aeternum / PSN: NoxAeternum / NN:NoxAeternum / Steam: noxaeternum
  • End Registered User regular
    edited July 2009
    _J_ wrote: »
    cyphr wrote: »
    Full disclosure is, provided a reasonable window for the vulnerable party to fix the security hole, a good thing. As someone posted on reddit, what an astonishingly misguided mission.

    Although, hacking imageshack is pretty impressive. Hope we get to see the exploit details at some point.

    Agreed.

    Do we understand why they hate full disclosure? I read the image but...the fuck does that mean?

    They're trying to say that full disclosure creates a "climate of fear" that allows security companies to hawk their wares, and allows the script kiddies to grab new hacks and attack vulnerable servers.

    I don't get how it lets companies hawk their wares.

    If anything, high profile attacks, exactly like this one do a far better job of giving security companies more leverage, because it's that much more obvious that things are insecure because it's staring right at you in the face, instead of being a combination security bulletin + patch.

    Additionally, it's true that public knowledge makes it easier to attack vulnerable servers. However, I suspect many attacks are simply reverse engineered against patches for unspecified issues. Hiding the details doesn't hide much for long.

    What these guys are doing is fearmongering, nothing more, and if they're trying to hurt security companies, they're doing nothing more than making them seem more valuable.

    I wish that someway, somehow, that I could save every one of us
  • seasleepy Registered User regular
    edited July 2009
    _J_ wrote: »
    cyphr wrote: »
    Full disclosure is, provided a reasonable window for the vulnerable party to fix the security hole, a good thing. As someone posted on reddit, what an astonishingly misguided mission.

    Although, hacking imageshack is pretty impressive. Hope we get to see the exploit details at some point.

    Agreed.
    Ditto.
    Do we understand why they hate full disclosure? I read the image but...the fuck does that mean?
    Basically it looks like it benefits 3 groups in ways that they don't like:
    1) White hats who discover the vulnerabilities and publish them get to basically advertise their services (since usually you disclose that you were the one to discover said vulnerability)
    2) Security companies get to fearmonger
    3) Script kiddies (and whoever else) get to have a field day until patches come out (and even afterwards, a lot of people aren't great about keeping servers properly patched)

    I'm not even sure how exactly they think 1) is supposed to work. I guess they're supposed to do it for the love of the software, man or something.

    Steam | Nintendo: seasleepy | PSN: seasleepy1
  • Elldren Is a woman dammit ceterum censeo Registered User regular
    edited July 2009
    I'll repost this from [chat]

    whoever posted that either doesn't have the first clue about how security actually works (security through obfuscation has a horrific track record) or is being deliberately misleading, probably because they have something to gain from software being full of exploits, i.e. black hats. Anyone who knows anything about security can tell you that simply hiding bugs does nothing to secure anything. Security through obscurity simply does not work, this is IT Sec 101 stuff.

    The whole thing reeks of script kiddy arrogance, tbh.

    I also find the timing to be convenient, as this may likely be conflated with the DDoS attacks earlier this week.

    fuck gendered marketing
  • SniperGuy SniperGuyGaming Registered User regular
    edited July 2009
    I do see what you mean sniperguy, but it seems to me that the declaration is against companies that put out software to fix these issues, by putting them in the open to exploit against people who don't buy their fixes. I am sure there's underground shillin' going on with blogs, and leaks on the info to cause stirs in exploiting. I really have mixed feelings about it, but it's certainly true that the blackhats are behind it, and they aren't saints by a long shot.

    However, you never ever ever have to pay for a security fix. EVER. If they charged for them and such, then this would make some sense. However, if they charged for patches, A: No one would ever ever buy it, B: someone would always make a free patch anyway, C: It's probably horribly illegal to do that.

    But this is just whining that white hats keep finding holes and letting people know so that they can close them before THESE pricks get a hold of them and steal your bank info.

  • Henroid Mexican kicked from Immigration Thread Centrism is Racism :3 Registered User regular
    edited July 2009
    As soon as I read the words "script kiddies" I realized this isn't like some "HEY WE'RE A SERIOUS MOVEMENT" thing. It's just guys who want to fuck around.

  • Slicer Registered User regular
    edited July 2009
    Henroid wrote: »
    As soon as I read the words "script kiddies" I realized this isn't like some "HEY WE'RE A SERIOUS MOVEMENT" thing. It's just guys who want to fuck around.

    Yeah, that's basically what I concluded with that "everyone and everything is getting owned" line.

  • Elldren Is a woman dammit ceterum censeo Registered User regular
    edited July 2009
    Slicer wrote: »
    Henroid wrote: »
    As soon as I read the words "script kiddies" I realized this isn't like some "HEY WE'RE A SERIOUS MOVEMENT" thing. It's just guys who want to fuck around.

    Yeah, that's basically what I concluded with that "everyone and everything is getting owned" line.

    Or that it was posted at all.

    Serious black hats don't post manifestos, invisibility is a virtue for them.

    fuck gendered marketing
  • Abimelech Registered User regular
    edited July 2009
    Maybe I'm just totally jaded from reading 4chan, but all I could think when I read this was 'This is all an elaborate troll attempt'.

    I mean, their goal is nonsensical. 'We do not like that white hats give companies time to fix their code before it fucks everyone over'? Or 'we do not like that white hats publish code after failing to receive a response from companies'? What? What the fuck?

    As a coder I recognize that even my own (relatively) simplistic code at my job, which is running in an entirely closed environment inside of a corporate network, is most likely riddled with security holes. As others have said, shit happens. It's illogical to expect code to be bug-free. It doesn't make sense to say 'We should rely on obfuscation', which apparently is what they want. The only logical choice is to push for full disclosure. Will there be fuckheads that screw people over by releasing exploits without first notifying the appropriate companies? Sure, but the overall system will be better than a closed system.

    And see? I still feel dumb for having typed all of this. It has to be a big troll attempt. It has to be.

  • devoir Registered User regular
    edited July 2009
    *facepalm*

    These guys want to keep the exploits open so that they can continue to profit off their knowledge and information. They're annoyed because when people talk about exploits, it leads to a) people they don't like profiting, b) their own avenues for profiting from the knowledge getting narrower.

    This isn't some kind of "protect the people" or "improve security" manifesto. It's simply about trying to shut up the people who are frustrating their attempts at accessing information and making cash where they're not meant to.

    Edit: Appears I was incorrect, my bad. http://romeo.copyandpaste.info/txt/ats-policy.txt It's basically security through a nuanced obscurity. They're guys who really like being the smartest dudes in the room with all the exploits that no one else knows about.

  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    edited July 2009
    So wait

    These assholes are pissed off because companies are fixing their software and stopping them from doing their illegal activities

    And so the plan is to POST about their illegal activities and how this is wrong that the companies are stopping them?

    Brilliant plan if I ever saw one.

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • DasUberEdward Registered User regular
    edited July 2009
    Yeah the gist of this whole thing is that their parade is being rained on and they're so narcissistic that they actually believe their mission has some sort of virtue other than personal security.

    But hey I'm curious to see what they end up doing.

  • moocow Registered User regular
    edited July 2009
    I don't get it.

    They think that security exploits in code shouldn't be fixed? Or that they should be fixed in a way that the mean old security industry doesn't get money for it?

    I think I need a Cliff's Notes version or something.

    PS4:MrZoompants
  • SyphonBlue The studying beaver That beaver sure loves studying! Registered User regular
    edited July 2009
    Both, I think.

    PSN/Steam/NNID: SyphonBlue | BNet: SyphonBlue#1126
  • John the Skrull Registered User regular
    edited July 2009
    It seems to me that what they're saying is not "don't report exploits so we can keep using them". But "After reporting an exploit to a company don't publish it for all to see". They seem to feel that Security companies are saying "look at all these terrible people who want to hack your system, use our software." when the only way most of these people are getting exploits is because people are making them public.

    That line of thinking seems obvious to me (and to be honest I don't know how people can think they're saying "let us keep hacking the exploits, don't tell anyone"), how correct it is is another matter entirely though.

  • THEPAIN73 Shiny. Real shiny. Registered User regular
    edited July 2009
    Are... are they serious?

    "Everything is getting owned"

    Nothing works as well as sounding like a 13 year old Halo player to make you feel like a badass.

    Facebook | Amazon | Twitter | Youtube | PSN: ThePain73 | Steam: ThePain73
    3DS FC: 5343-7720-0490
  • moocow Registered User regular
    edited July 2009
    Not gonna lie, I snorted at the Halo thing.

    PS4:MrZoompants
  • MKR Registered User regular
    edited July 2009
    THEPAIN73 wrote: »
    Are... are they serious?

    "Everything is getting owned"

    Nothing works as well as sounding like a 13 year old Halo player to make you feel like a badass.

    This sort of language predates Halo by quite a few years and was used seriously by serious people until it became popular with this sort of person.

  • Docken Registered User regular
    edited July 2009
    wow... that was the most retarded manifesto I have ever read.

    That's almost cartoon stupid in reasoning.

  • Shazkar Shadowstorm Registered User regular
    edited July 2009
    this is dumb, i hate people

    poo
  • SAW776 Registered User regular
    edited July 2009
    It seems what they want is for the exploits to be fixed, but not for the details of the exploits to be released to the public to be used. Which makes sense.

    If you fix the problem, why then hand out the keys to the computers that aren't updated? In that case, I agree it's a fucked up practice to keep people subscribed to their services, because they make sure that if you don't, everyone knows how to fuck their old versions.

    PSN: SAW776
  • MuddBudd Registered User regular
    edited July 2009
    Anyone else got deja-vu from this? It's like the security industry version of that stupid pundit that claimed the only way now to save america was for another Osama Bin Laden attack.

    There's no plan, there's no race to be run
    The harder the rain, honey, the sweeter the sun.
  • Duffel jacobkosh Registered User regular
    edited July 2009
    So... is there someone who can explain this to someone who knows fuck-all about computers?

    As in, should I be leery about using sensitive information on the tubes for a few days, or anything like that?

  • Ferrous Registered User regular
    edited July 2009
    Nothing says evil genius like a lengthy manifesto released on the internet.
