Hacker Leaks Unreleased CERT Reports
Call Me Black Cloud writes "A hacker calling himself "Hack4Life" swiped 3 unpublished vulnerability reports from a company working with CERT and posted them to the Full Disclosure mailing list. A couple of days later, he did it again (while promising weekly leaks). Wired also has a story, including a link to one of the postings."
A little bit ironic (Score:5, Funny)
Re:A little bit ironic (Score:5, Funny)
Re:A little bit ironic (Score:2)
80% Redundant
20% Funny!
Re:A little bit ironic (Score:5, Funny)
But.. (Score:2)
Bet he works for ISS (Score:4, Funny)
Otherwise... $5.00 says he works for ISS... any takers?
Re:Bet he works for ISS (Score:3, Funny)
That's how I read your comment....
Re:Bet he works for ISS (Score:2)
Re:Bet he works for ISS (Score:2)
Why does that remind me of:
So um, Milton has been let go?
Well just a second there, professor. We uh, we fixed the *glitch*. So he won't be receiving a paycheck anymore, so it will just work itself out naturally.
FD and Bugtraq (Score:5, Informative)
Re:FD and Bugtraq (Score:5, Funny)
I don't think any regular readers of slashdot fit that description.
Re:FD and Bugtraq (Score:2, Funny)
Maybe it's an inside job. (Score:5, Insightful)
or maybe someone joined CERT just so he/she could play uberhacker.
Re:Maybe it's an inside job. (Score:5, Insightful)
Re:Maybe it's an inside job. (Score:3, Interesting)
Re:Maybe it's an inside job. (Score:3, Informative)
Re:Maybe it's an inside job. (Score:3, Interesting)
Certain organizations do use CERT for front-line information, but not necessarily for the front-line you envision. Certain assets (capabilities in this case) diminish in value as knowledge of their existance propagates. The value in CERT is knowing who knows something, since we're often well beyond what someone knows by the time
Coffee (Score:5, Funny)
Re:Coffee (Score:3, Funny)
alarming rate?
Fry: Uh
Nosy Robot: Well, let me just patch you up with some hot resin. [he
holds the gun up so Fry can see it]
Fry: I think the leak's stopping itself. [it doesn't]
Wait, wait
Nosy Robot: [accusing] What sort of robot turns down a free blast of
searing hot resin?
[Fry is s
Interesting to note... (Score:5, Interesting)
What is interesting to note is that this, or these, as it may be, hackers are /releasing/ the truth.
Not defacing web sites, hacking student DB's, etc.
Is truth the new hack of the future?
Re:Interesting to note... (Score:2)
Re:Interesting to note... (Score:2)
Fair enough. However, the Pentagon Papers don't have an immediate effect on me. Knowing there is a known exploit in my infrastructure that I need to guard against has a direct effect on my job / livelihood.
Re:Interesting to note... (Score:2, Insightful)
Re:Interesting to note... (Score:2)
"You can't handle the truth"
Oh well.
Re:Interesting to note... (Score:5, Interesting)
The idea is not unique, and is to be applauded, consider hacking into CNN's network and releasing what they are NOT showing on TV!
This could get out of hand though....
"Truth is a noble cause" -> "HACK THE PLANET!"
Re:Interesting to note... (Score:2)
Re:Interesting to note... (Score:3, Insightful)
DOD asked for delay to notify families (Score:4, Insightful)
Re:Interesting to note... (Score:5, Insightful)
Re:Interesting to note... (Score:2, Insightful)
Re:Interesting to note... (Score:4, Insightful)
The folly of relativism... Okay--just got back from freshman philosophy class? You define truth as absolute. Next you state that if truth is not absolute, it is meaningless. Then you offer this as support for the statement that relativism is folly. Go talk to your professor and ask the meanings of the terms "tautology" and "non sequitur".
But truth, in this context is not absolute.
It is not the fact that people die in war, people are losing jobs, votes were miscounted, etc. that one wishes to hide. The facts will eventually come out. But they will be presented at a time and in a manner that supports the agendas of the presenters.
It is "the truths" that war is justified, we should spend money on new trucks, and GWB is our just and wise leader that are of interest.
Don't get caught up arguing semantics. What is going on is the control of the hearts and minds of the people. This is achieved through emotion, religion, fear, greed, salesmanship, torture... These are methods that have nothing to do with empirically provable facts.
To control "the truth" is not to hide the facts, but to convince people that only the facts you like are relevant. Anyone who campaigns against this view threatens that control of "the truth".
Those who wish to control "the truth" often state their truths as dogma, and legislate against contravening statements or even privately held views.
In many situations, sedition, heresy, treason by word are crimes. Remember the witch hunts--in the 1600s and the 1950s. Same process; different details. There is a very legitimate concern that those in power--in order to maintain power--will criminalize speech (in any form) that threatens their control.
This is why the first amendment to the US Constitution is the first amendment. It's that important.
BTW, the full text of the above referenced document is available at Thomas [loc.gov]. It's an enlightening read if you haven't already. The original text is only 14-15 pages long; check it out!
Re:Interesting to note... (Score:3, Interesting)
That
God, I hope you're wrong, but we seem to be heading thataway.
Re:Interesting to note... (Score:3, Insightful)
Don't sweat it... we're already there.
Re:Interesting to note... (Score:2)
Double-edged sword? (Score:5, Interesting)
Re:Double-edged sword? (Score:3, Insightful)
Keep in mind that pretty much by definition, "script kiddies" won't be doing much with a new vulnerability, as their sole skill lies in being able to run someone else's code. Most new vulnerabilities either aren't exploited for months (vendor patch or no), or if they are, the exploit certainly isn't public know
Re:Double-edged sword? (Score:5, Interesting)
Re:Double-edged sword? (Score:5, Insightful)
I have the sources to the operating system that I prefer to run and all the apps that run on it. I am a unix system engineer of quite a few years experience now. I know how to program C with about 13 years of experience there. I believe very firmly that I am in the category of "those who have the capacity to fix them". I am not, however, in the inner circle of those who get early access to CERT security information.
Re:Double-edged sword? (Score:5, Insightful)
Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take:
For many people charged with security, this is an easy question: they want all possible information on vulnerabilities the second that someone discovers them. They can shut off services, craft firewall rules, compile in patches, write their own damn patches. The worst-case scenario for them is that their systems are afflicted with a vulnerability that anyone else but them knows about.
Besides, here's the elephant in the living room that no one wants to address: if one person can somehow acquire this information and post it to a public list, another person can use the information for ill gain. One of these vulnerabilities wasn't due to be announced 'til June?? That's a long fucking time for (e.g.) your bank's online transaction processor to be vulnerable.
Disclose early; disclose often. Anything else multiplies the risk for the people who can least afford it.
Re:Double-edged sword? (Score:2)
1. The non-digital example. The "fix" for the flaw in the child seat is something ANYONE can address by replacing the seat. Software frequently isn't able to be "fixed" that easily, much less by 100% of the user base. An app is one thing, something buried in the OS...
2. The worst case is NOT that anyone else but you may know about it. The worst case is everyone and their dog can use the hack with the click of a button. Look at your weblogs some time. What hacks
Re:Double-edged sword? (Score:5, Insightful)
Finally, let's use a non-digital example. If (e.g.) Consumer Reports found a flaw in a popular child car seat that could cause severe injury to a child, which path would you prefer they take:
What usually happens in this scenario is that parents remove the child seats in blind panic and as a result 10x more kids are killed by seatbelts and not being in car seats than would have been killed by the car seats.
Lucky we removed those car seats, isn't it?
Alex
Re:Double-edged sword? (Score:3, Insightful)
Re:Double-edged sword? (Score:2)
Most would disagree, but here's a solution (Score:3, Interesting)
One should be advertised as open-source, open-problem. The other should be advertised as security-through-obscurity, maybe open-source, but not open-problem.
Then let the users pick. At that point, well-intentioned hackers should leave the STO code obscure, and publicize t
Come one.. (Score:5, Funny)
.. we all know who did it. Dust off those "Free Kevin" bumper stickers everyone.
Full disclosure link (Score:3, Informative)
http://lists.netsys.com/pipermail/full-disclosure
go to March--view by author--hack4life@hushmail.com.
This should be a piece of cake to iron out. (Score:5, Interesting)
This should be 80% solved in under a week. If it takes longer than a week, and CERT keeps sending these things out and getting compromised, then they're a bunch of morons. Somehow, I don't think they're a bunch of morons.
Re:This should be a piece of cake to iron out. (Score:2)
They're looking for A, B, C, D, E, F, or G and he publishes Z.
Re:This should be a piece of cake to iron out. (Score:2)
Not if there's more than one culprit (Score:2)
Of course, this doesn't work unless they see it coming or are extremely paranoid.
F-bacher
Re:Not if there's more than one culprit (Score:2)
And sure. My idea can be defeated. It could also be improved: Certain details could be divulged only to certain members. If any of those detail
This won't last long... (Score:5, Interesting)
Re:This won't last long... (Score:2)
Re:This won't last long... (Score:2)
Re:This won't last long... (Score:2)
Not just from Tom Clancy. Read news 2 wks ago. (Score:5, Interesting)
And how the US immediately attacked the Times for something that was so obviously changed as the spellings,
And how the Times then released the original wording,
And the leaker was IMMEDIATELY caught and charged?
I, for one, would say that that isn't just from Tom Clancy.
It was the Guardian Observer... (Score:5, Informative)
oh, and link to story on subsequent arrest: (Score:3, Informative)
Is CERT doing what they are supposed 2 do? (Score:5, Insightful)
Sometimes he's a little late. . . (Score:5, Interesting)
He released the RSA timing attack vulnerability on the 15th of March:
To: full-disclosure@lists.netsys.com
From: hack4life@hushmail.com
Date: Sat, 15 Mar 2003 18:57:13 -0800
***** NOT FOR PUBLIC DISTRIBUTION *****
VU#997481 - Cryptographic libraries and applications do not adequately defend against timing attacks etc. . .
when it was discussed on Slashdot [slashdot.org] on the 13th of March:
Once again, Slashdot turns out to be the real problem. . .
------
Hacker Ethics (Score:3, Redundant)
Re:Hacker Ethics (Score:5, Interesting)
From the second link: (Score:3, Insightful)
You tell me. Is this a good thing, or a bad thing?
Re:Hacker Ethics (Score:2)
I personally love it, the Robin Hood style rob information from the rich, give it to the poor.
It's really the greatest justification for the hacker/cracker subculture. (Let's face it, NO ONE is going to say cracker; the term is used.)
Ya, I do understand the position of the company, but hell, there has to be a better way of dealing with vuln.
Re:Hacker Ethics (Score:2)
Inherent problems with CERT (Score:5, Insightful)
CERT should instead stick with helping behind-the-scenes coordination between security agencies like eEye and software companies, and should stop publishing unfixed problems to CERT's underground mailing list.
Re:Inherent problems with CERT (Score:2)
CERT/CC is not an exclusive club. You can join via the Internet Security Alliance [isalliance.org] and get early access to vulnerability information (at least that is what the press reported when ISA was announced). As a result, quite a few people refuse to cooperate with CERT/CC these days.
And mitnick was released how long ago? (Score:2, Funny)
I don't trust him (Score:2)
One was supposed to be held back till june??? (Score:5, Insightful)
Malice95
I would agree, but... (Score:5, Interesting)
Any inkling of having me agree with posting these advisories just went out the window with this one. He's not trying to help anyone by divulging these, except for maybe script kiddies and crackers. With such a statement it's obvious he's not trying to help vendors release a quicker fix.
Re:I would agree, but... (Score:5, Funny)
What I'd like to know is what real sys admin is NOT glued to multiple consoles at 7pm on a Friday?
That's about the start of the week when real work can get done!
Re:I would agree, but... (Score:3, Interesting)
There must be a balance in life... cuz in the end, what was it all for? Your servers and your bosses won't be at your bedside when you're really sick and/or dying. But family, friends and loved ones will.
(Damn, I have been watching way too much SouthPark
Re:I would agree, but... (Score:3, Interesting)
Some sys admins love their work too much I guess. I took care of a stock exchange backup network, worked crazy hours, usually 6 days a week, and actually loved it...
until the politics changed and realistic, learned management who'd worked their way up in the industry, were replaced with some completely clueless non-IT management who managed to cause almost every IT staff member to leave within months (some of the most incredibly gifted IT peop
Re:I would agree, but... (Score:2, Funny)
Listen...can you hear that? (Score:4, Funny)
Obvious Result (Score:5, Insightful)
That's not to deride Theo & crew's accomplishments - they've done amazing work, look at how few bugs are found in OpenSSH relative to how incredibly widespread it is - but it is practically impossible to write perfectly secure code that operates at anything like a reasonable speed for the x86.
Re:Listen...can you hear that? (Score:3, Insightful)
"BSD-derived libraries with XDR/RPC routines (libc)"
Don't think you're safe just because your OS makes you feel that way. Patch now! Patch often!
I don't follow true BSDs so I don't know if there is actually a fix for OpenBSD or FreeBSD. My linux boxes are patched. I assume my OS X boxes are vulnerable as well. Don't assume because your OS is great for you, that it's secure and you don't need to be concerned about patches. Read up on what was released so y
A modest proposal (Score:5, Funny)
That might take the edge off some companies' complaints about vulnerabilities leaking out before the clock is up.
How does CERT secure its servers? (Score:4, Interesting)
Moreover, if their vendor doesn't patch their system quickly, how are they ever going to stop this guy if he always knows what's broken next?
Catch-22 isn't it!
When the jail system is done with him... (Score:3, Funny)
CERT is incredibly stupid (Score:5, Insightful)
That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.
And, as the army breakin shows, the 'bad' guys often have the information whether or not the 'good' guys even know it. There are many script kiddies out there, but there are a few really intelligent people who can do their own research, and won't bother telling CERT before they go and exploit the vulnerability.
Re:CERT is incredibly stupid (Score:3, Insightful)
That vulnerability is a simple buffer overflow. RedHat had a patch out for it in less than a day. This whole 'wait for the vendor to fix it' thing just results in lazy vendors.
That would be because Red Hat and others took advantage of the time CERT takes from vendor notification to general release. This is exactly what CERT is trying to do - release the vulnerability info at the same time vendor patches are ready.
Hack4Life? (Score:4, Funny)
Worst. Hacker name. Ever.
</voice>
localhost? (Score:4, Funny)
Hum, look at the references section
6. http://www.kb.cert.org/vuls/id/192995
7. file://localhost/XDR.html#vendors
8. http://www.kb.cert.org/vuls/id/516825
localhost!? They're obviously already using the vulnerability to put files on my computer.
How do you define when a vulnerability is fixed? (Score:5, Interesting)
How do you define when a vulnerability is fixed, at least for the purpose of determining when to go public with it? Consider a vulnerability in some shared and widely used and distributed library such as OpenSSL or Zlib. Potentially you could say it is fixed as soon as there is a source patch. But that doesn't really make it universally available. Armed with the patch, the vulnerability may well become obvious, yet most systems which are installed and maintained in binary code remain vulnerable. Should things wait until the distributions package the fix? How many have to wait for the others?
And what if the same vulnerability exists in more than one implementation because of things like code re-use, or a flaw in a protocol that can be dealt with in the code anyway? Suppose OpenBSD fixes theirs in 2 hours and NetBSD fixes theirs in 5 hours and FreeBSD fixes theirs in 9 hours and Slackware fixes theirs in 15 hours and Debian fixes theirs in 24 hours and SuSE fixes theirs in 36 hours and Redhat fixes theirs in 60 hours and Microsoft Windows fixes theirs in 10 days (hypothetical times chosen arbitrarily)? Would it be OK for OpenBSD to go ahead and blast their security mailing list with the fix when it's done? Or should everyone have to wait until the stragglers get their act together?
IMHO, vulnerabilities should be released as soon as the first vendor has a fix, or after some fixed determinate time to ensure they don't all get together to hide the problem (not that all of them would, but certain vulnerabilities may only affect a small subset of them, or even just one). Yes, that leaves the systems "supported" by the stragglers unprotected. But that should also help leverage market pressure to fix things faster, and designing to avoid the as well.
Won't last long (Score:3, Insightful)
Re:You've spelled Cracker wrong. (Score:5, Insightful)
Simply put, if the masses see "hackers" as evil criminals then that's what "hackers" are. Language is determined by the masses, not by a small minority who get to determine what's PC or right.
Re:You've spelled Cracker wrong. (Score:2, Interesting)
Hurrah for linguistic enlightenment! While we knowledge workers are very used to naming things--establishing strong definitions for new words or phrases within a specific discipline or project--it must be remembered that the usage-consensus ultimately determines what words mean. Dictionaries are ultimately descripti
Re:You've spelled Cracker wrong. (Score:2)
Re:You've spelled Cracker wrong. (Score:2)
Not entirely correct. Language is determined by two parties: the one communicating the idea, and the one listening. So long as they have common definitions of symbols, communication occurs.
Communication, though, is never 100%. I say "tree", and you might think of an Alabama deciduous forest, and I'll think of tall, cool, Northern California pines.
So, talking about trees, we may have to negotiate a common
Re:You've spelled Cracker wrong. (Score:3, Insightful)
south. I'm a southerner, and I'm as tired of the 'racist hick' stereotype as anyone else broadly stereotyped. Most of the racists in the south move down from New York or other northeastern cities, looking for 'kindred spirits'. To say that they give us a bad name is an understatement.
Re:You've spelled Cracker wrong. (Score:2)
Re:You've spelled Cracker wrong. (Score:2)
Re:You've spelled Cracker wrong. (Score:2)
Re:You've spelled Cracker wrong. (Score:2, Insightful)
I think it's ironic how the "hacker" community used to go out of their way to emphasize the distinction between hacker (positive) and cracker (negative), but as of late seem to not bother anymore. Certain Slashdot "reporters" don't seem to bother even trying to make the distinction anymore.
Looks like the popular media won this one.
Re:You've spelled Cracker wrong. (Score:2)
Re:Well.... (Score:5, Insightful)
Sorry, but once you sell something there is no way to protect it as secret.
CERT has bought and paid for this. They've earned this security breach and every breach like this.
Re:Well.... (Score:5, Informative)
Note that this isn't one of Slashdot's conspiracy theories. If you report something to CERT/CC for free, they sell it to their subscribers.
Unfortunately, this process is not defined in a way that is transparent for those who contact CERT/CC. I've seen conflicting reports regarding the question whether this sharing is mandatory or optional, implicit or explicit. Not surprisingly, the CERT/CC website is not very helpful:
(From the CERT/CC FAQ [cert.org].)
Re:Well....then the ones who find the exploits.. (Score:3, Interesting)
There is already a growing economy for trading vulnerabilities and exploits, both in the open and in the underground. Quite a few companies now offer cash for vulnerabilities and exploits, and the price is determined by the severity of the reported problem.
But these companies are part of the problem, and not a final answer. For example, one company