Hacker Leaks Unreleased CERT Reports

Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."
  • by gnu-sucks ( 561404 ) on Tuesday March 25, 2003 @12:14AM (#5588781) Journal

    What is interesting to note is that this hacker, or these hackers, as it may be, are /releasing/ the truth.

    Not defacing web sites, hacking student DB's, etc.

    Is truth the new hack of the future?

  • Double-edged sword? (Score:5, Interesting)

    by Raven42rac ( 448205 ) on Tuesday March 25, 2003 @12:17AM (#5588790)
    This is both good and bad. Good, in the sense that more people will know about these vulnerabilities. Bad, in the sense that more people will know about these vulnerabilities. In my opinion, the only time security vulnerabilities should be released publicly is when they are fixed. Otherwise, teenage script kiddies worldwide will launch attacks on everything and everyone. It is unreasonable to expect all code to be completely secure; it is just flat out impossible. However, when new vulnerabilities are found, they should only be disclosed to those who have the capacity to fix them, and not to the public, whose only reaction will be panic. Comments?
  • CERT could just spend a week sending out vulnerabilities to the "ISC" group, and craft each description to be almost exactly identical, except slight differences in the ASCII. Hack4Life posts one of the different versions, and now you know who's been compromised.

    This should be 80% solved in under a week. If it takes longer than a week, and CERT keeps sending these things out and getting compromised, then they're a bunch of morons. Somehow, I don't think they're a bunch of morons.
  • by AEton ( 654737 ) on Tuesday March 25, 2003 @12:22AM (#5588822)
    If CERT is smart, they'll be sending slightly different reports to each vendor (and perhaps storing slightly different copies on each machine which needs them); each copy would contain different typographical errors. Since this l33t h4x0r d00d is just posting direct cut-n-pastes of the reports, they can trace the haxored machine or compromised company within days of posting. (ps: that 'brilliant' idea came to me from a Tom Clancy spy novel)
  • by Fritz Benwalla ( 539483 ) <randomregs@@@gmail...com> on Tuesday March 25, 2003 @12:24AM (#5588830)

    He released the RSA timing attack vulnerability on the 15th of March:

    To: full-disclosure@lists.netsys.com
    From: hack4life@hushmail.com
    Date: Sat, 15 Mar 2003 18:57:13 -0800

    ***** NOT FOR PUBLIC DISTRIBUTION *****

    VU#997481 - Cryptographic libraries and applications do not adequately defend against timing attacks etc. . .

    when it was discussed on Slashdot [slashdot.org] on the 13th of March:

    Once again, Slashdot turns out to be the real problem. . .

    ------

  • by madmarcel ( 610409 ) on Tuesday March 25, 2003 @12:27AM (#5588850)
    Hmmm...I vaguely remember a hacker releasing blueprints/plans/files for a rocket or somesuch a while back...

    The idea is not unique, and is to be applauded; consider hacking into CNN's network and releasing what they are NOT showing on TV!

    This could get out of hand though....
    "Truth is a noble cause" -> "HACK THE PLANET!" ;P

  • by Sandman1971 ( 516283 ) on Tuesday March 25, 2003 @12:54AM (#5588971) Homepage Journal
    I was somewhat torn on the issue until I read "I'm going to release these at 7pm on Friday, so that sysadmins don't know about this and can't do anything about this til Monday morning" (paraphrased).

    Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.
  • by AlexCV ( 261412 ) on Tuesday March 25, 2003 @01:02AM (#5589006)
    Maybe so, but a good kick in the ass of the CERT and the vendors can help speed things up. When an advisory has been in the pipe for a while and is only scheduled to be released in 3-4 months, clearly vendors are a bit lenient in fixing their bugs. Next thing you know the CERT cycle will be 12 to 18 months...
  • Re:Hacker Ethics (Score:5, Interesting)

    by nomadic ( 141991 ) <nomadicworld@@@gmail...com> on Tuesday March 25, 2003 @01:10AM (#5589048) Homepage
    It's a bad thing. I mean, you can justify almost any crime that way ("oh, I was just testing your locks" or "oh, I was just testing police response in this area" or "oh, I was just testing human skin resistance to .38 caliber rounds").
  • by mabhatter654 ( 561290 ) on Tuesday March 25, 2003 @01:15AM (#5589070)
    If they store unreleased information on non-complete patches, how do they secure their system?

    Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?

    Catch-22, isn't it!

  • by Tony-A ( 29931 ) on Tuesday March 25, 2003 @01:21AM (#5589102)
    When truth is outlawed, only outlaws will tell the truth.

    That .... is .... sickening.

    God, I hope you're wrong, but we seem to be heading thataway.
  • by MickLinux ( 579158 ) on Tuesday March 25, 2003 @01:32AM (#5589144) Journal
    You mean, like the way The Independent Times released information with spelling changes, which showed that the US was spying on its NATO allies France and Germany, and on other UN members?

    And how the US immediately attacked the Times for something that was so obviously changed as the spellings,

    And how the Times then released the original wording,

    And the leaker was IMMEDIATELY caught and charged?

    I, for one, would say that that isn't just from Tom Clancy.

  • by MickLinux ( 579158 ) on Tuesday March 25, 2003 @01:39AM (#5589170) Journal
    If you really want security through obscurity, you should be able to get it. Quite simply, if there are a number of sysadmins who want a black box solution, then CERT should provide parallel systems, with different sets of programmers.

    One should be advertised as open-source, open-problem. The other should be advertised as security-through-obscurity, maybe open-source, but not open-problem.

    Then let the users pick. At that point, well-intentioned hackers should leave the STO code obscure, and publicize the problems with the open-problem code.

    Meanwhile, CERT *can* use their lessons from the open-problem code to improve the STO code, but it *is* more at risk to real cracking, perhaps less at risk to script kiddies. Perhaps.

    I, for one, would probably use the Security-through-obscurity code if I didn't have time to really learn my system, or hadn't yet learned the system. Once I understood my system, though, I would upgrade to the open-source/open-problem code, in order to be able to maintain maximum security. (Just my $0.02.) By the way,
  • by firewrought ( 36952 ) on Tuesday March 25, 2003 @01:53AM (#5589212)
    Simply put, if the masses see "hackers" as evil criminals then that's what "hackers" are. Language is determined by the masses, not by a small minority who get to determine what's PC or right.

    Hurrah for linguistic enlightenment! While we knowledge workers are very used to naming things--establishing strong definitions for new words or phrases within a specific discipline or project--it must be remembered that the usage consensus ultimately determines what words mean. Dictionaries are ultimately descriptive, not prescriptive.

    Interesting about "hacker", though: I think slashdotters and other computer geeks have become more accepting of the criminal connotations while the general public has become more accepting of the original, more benign definition(s). Anyone care to do some field work? (While you're at it, see how many members of the general public would recognize the CS-ish definition of "string".)

  • by DarwinDan ( 596565 ) on Tuesday March 25, 2003 @02:47AM (#5589371) Homepage
    If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming? Shouldn't something DoD-level be secure enough from the social engineering perspective to be admired not regretted?
  • by Anonymous Coward on Tuesday March 25, 2003 @03:38AM (#5589526)
    If CERT is a joke, why does DoD use them as one of their many early-warning "front-line" defenses against viruses and worms? Is something happening here or am I just dreaming?...

    Certain organizations do use CERT for front-line information, but not necessarily for the front line you envision. Certain assets (capabilities in this case) diminish in value as knowledge of their existence propagates. The value in CERT is knowing who knows something, since we're often well beyond what someone knows by the time it hits the list...
  • by Skapare ( 16644 ) on Tuesday March 25, 2003 @03:45AM (#5589544) Homepage

    How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?

    And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?

    IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed, determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure to fix things faster, and designing to avoid the as well.

  • Re:Well.... (Score:2, Interesting)

    by trikberg ( 621893 ) <trikberg@hotmail. c o m> on Tuesday March 25, 2003 @04:42AM (#5589676)
    Actually there may be a way to track him down. Set up a script that introduces a typo or two into the text for each download. Store these changes along with the username and IP for whoever looks at it. When a report pops up somewhere, compare typos to gathered data, and you should be very close to uncovering the leak.

    OT: This could also be used to track leaks of beta versions of software. Just set up a script that changes a few bytes in some of the files that don't alter functionality (images etc.). Ship to beta testers. If there is a leak, it's fairly easy to track down. Of course this could be circumvented if several testers combine their versions.
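The per-recipient "typo" watermark that several posters above describe (different harmless variations in each copy, compared against the leaked text afterwards) as an added, self-contained example; it is not code from CERT or from any poster, and the report text, the spelling slots and the vendor names are all constructed for illustration.

```python
"""Canary-trap watermarking for pre-release advisories (constructed example).

Each recipient's copy renders a few word slots in one of two interchangeable
spellings; the pattern of choices spells out the recipient's index. A leaked
copy is traced by reading those slots back and matching them against what
each recipient was sent. Cut-down or merged leaks yield several candidates.
"""
import re

# Constructed: each slot is (spelling_for_bit_0, spelling_for_bit_1).
SLOTS = [("cannot", "can not"), ("e-mail", "email"),
         ("toward", "towards"), ("advisor", "adviser")]

# Constructed stand-in for an unpublished report; {n} marks slot n.
TEMPLATE = ("The library {0} be patched before the vendor {1} goes out. "
            "Fixes are moving {2} release; contact your {3} for timing.")


def encode_bits(n, width):
    """Index -> one bit per slot, least significant bit first."""
    return [(n >> i) & 1 for i in range(width)]


def make_copy(recipient_index):
    """Render the template with the spellings that encode this index."""
    bits = encode_bits(recipient_index, len(SLOTS))
    return TEMPLATE.format(*[SLOTS[i][b] for i, b in enumerate(bits)])


def issue(recipients):
    """Map each recipient to a distinct copy; keep this mapping for tracing."""
    if len(recipients) > 2 ** len(SLOTS):
        raise ValueError("not enough slots to give every recipient a distinct copy")
    return {name: make_copy(i) for i, name in enumerate(recipients)}


def _present(word, text):
    # Whole-word match so "toward" is not found inside "towards".
    return re.search(r"\b" + re.escape(word) + r"\b", text) is not None


def read_bits(leaked):
    """One bit per slot; None where the slot was cut, edited or appears both ways."""
    bits = []
    for v0, v1 in SLOTS:
        has0, has1 = _present(v0, leaked), _present(v1, leaked)
        bits.append((1 if has1 else 0) if has0 != has1 else None)
    return bits


def trace(leaked, recipients):
    """Recipients consistent with every readable slot; more than one is ambiguous."""
    observed = read_bits(leaked)
    return [name for i, name in enumerate(recipients)
            if all(o is None or o == b
                   for o, b in zip(observed, encode_bits(i, len(SLOTS))))]


if __name__ == "__main__":
    vendors = [f"vendor-{c}" for c in "abcdefgh"]
    copies = issue(vendors)
    print("full leak traced to:", trace(copies["vendor-d"], vendors))
    # A leak cut down to the first sentence leaves two slots unreadable.
    print("partial leak narrows to:", trace(copies["vendor-d"].split(". ")[0], vendors))
```

With four slots there are only sixteen distinct copies, so a real deployment needs many more slots than recipients, spread through the text so that a quoted excerpt still carries enough of them.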
  • by inode_buddha ( 576844 ) on Tuesday March 25, 2003 @04:47AM (#5589694) Journal
    from my majick hairball (the one from the seventh cat's stomach) and spake thus:

    "How much would you like to bet that there's going to be a very ugly internal audit at CERT, with much finger-pointing and threats amongst the business partners?"
  • by Sandman1971 ( 516283 ) on Tuesday March 25, 2003 @06:07AM (#5589888) Homepage Journal
    Bah, I'm a sysadmin and you won't find me glued to consoles at 7pm on a Friday, unless I'm on pager and something breaks. I much prefer spending my weekends with my gf and/or friends.

    There must be a balance in life... cuz in the end, what was it all for? Your servers and your bosses won't be at your bedside when you're really sick and/or dying. But family, friends and loved ones will.

    (Damn, I have been watching way too much SouthPark :P )
  • by Shanep ( 68243 ) on Tuesday March 25, 2003 @07:00AM (#5590002) Homepage
    I much prefer spending my weekends with my gf and/or friends.

    Some sys admins love their work too much I guess. I took care of a stock exchange backup network, worked crazy hours, usually 6 days a week, and actually loved it...

    until the politics changed and realistic, learned management who'd worked their way up in the industry were replaced with some completely clueless non-IT management who managed to cause almost every IT staff member to leave within months (some of the most incredibly gifted IT people I've ever met, allowed to go for a few bucks an hour).

    Systems let me down far less often than people do, which is why I prefer to spend my time hacking than drinking on Friday nights.

    I have a gf now, but I *really* miss the times when I could go for hours in front of a machine (and achieve plenty) without being whined at.

    If I gave up my gf for the old life, you'd probably say "get a life", but some people enjoy "having no life".

    PS, my original post was merely poking fun at what constitutes pretty much every sys admin I know (they always come back after drinks to "do stuff" with their babies, almost secretly, as if embarrassed about actually loving their work).

  • I am SURE that if the exploit finders had a choice of getting a fee, getting paid to work, over doing it for free, 99 out of 100 people would accept the fee.

    There is already a growing economy for trading vulnerabilities and exploits, both in the open and on the underground. Quite a few companies now offer cash for vulnerabilities and exploits, and the price is determined by the severity of the reported problem.

    But these companies are part of the problem, and not a final answer. For example, one company notifies their paying customers on the same day as they contact the vendor, and another one has published a self-contradicting policy and it's not clear what they are really doing. I don't think that's responsible (on the other hand, it's not responsible to publish most of the software that is used on the Internet).
  • Here's a thought (Score:2, Interesting)

    by zogger ( 617870 ) on Tuesday March 25, 2003 @12:21PM (#5591546) Homepage Journal
    Here's a thought. How about self education about politics and reality. How about doing the research to find out in advance if the people you are working for are really doing the best possible job, not lying to you, not making you go fight in a questionable war based on questionable reasons in advance of being put into a warzone?

    Sorry man, got too many friends who as young men got stuck into a warzone based on a total lie and fabrication, the "Tonkin Gulf attacks". They got rah rah rahed into it, John Wayned. Some got drafted, some just "joined up". Back then, real information was extremely hard to come by. Two of them I can name who are still alive got told for over 30 years their (illegal by signed convention) Agent Orange chemical warfare damage was illusionary, in their heads. This is NOT the case with general information now.

    The background of Saddam, Bush, Cheney, Rumsfeld, Osama, are there; virtually anyone can do the research with a cheap dial up connection or for free at almost all public libraries. It takes the same time as watching one single football game on the TV to find out about enough lies to make anyone rational question this enterprise, that's it, that short of time with Google and starting with a clean data slate, being honest about it.

    My point is if YOU want to accept a check for military service, accept the responsibility that at this point in time you are in fact, a "mercenary", a soldier for hire. We don't have a draft now. In war, there are no rules. You accept "collateral damage" of your "enemy's" families, they not only find out about their little abdul or mohammed on the front lines, they themselves can get "direct feed back" in the form of exploding bombs on their own persons.

    You can't have it both ways, you want your family to not have the possibilities of finding out about you being captured or hurt, then don't go over there and fight, unless you accept your adult responsibilities of the FULL ramifications of war, not that you get to pick and choose which things apply to you and your family or not, because in the real world, you don't get to pick and choose.

    I support the US troops! These are my neighbors too, people not at their normal jobs today a lot of them, reserves, being exploited to the max. I know one guy personally who got called back over a year ago, and for what? Sign up for one reason, to DEFEND THE UNITED STATES WHEN IT'S ATTACKED, swell, hunt down Osama, stick to that, but not this other crap, being used and abused for some other questionable reasons based on fabrications and exaggerations. Our own spooks can't even find any connections between Osama and Saddam, those guys HATE each other. British spooks, the same thing.

    I support our guys and nation to call it a draw, come home right now, with as few casualties as possible. Yes, I know that old model has some flaws to it, to actually be attacked, or to at least develop overwhelming evidence that an attack is imminent, but it just ain't there this time. To start down this path of pre-emptive wars is just such a bad idea. That's what the "bad guys" do, that's what Stalin and Hitler and Tojo did, Americans don't do that stuff! Once we do it a lot, the precedent established, we cannot any longer condemn any other nation for doing it. In the Afghan war started by the Russians, we went in and helped those Muslims to resist, but unfortunately we picked some serious nutjobs like Osama to "support", it was an extremely bad tactical decision, one of many made by the "profit over all" warlords back in Defense Inc. They do it all the time. Last week in the press it was all "secret emails and faxes to Iraqi leaders indicated mass defections would occur". Now that that lie, one of hundreds, has been exposed, just look at reality, those people are defending their country from a hostile foreign nation, same as you or I would do. As thoroughly heinous and bad and as obnoxious as Saddam is, and I assert he definitely is, these Iraqis are finding our invasion a WORSE alternative,
