Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Security

"Fear and Flooding in Las Vegas" 93

Thanks to Brett Glass for pointing out his recent piece in Boardwatch. Very well written coverage about DEFCON 7, as well as the ethical side of hacking.
This discussion has been archived. No new comments can be posted.

"Fear and Flooding in Las Vegas"

Comments Filter:
  • "It may have been irritating to some of the cDc folks that I asked some more difficult questions than the rest."

    No. I like difficult technical questions just fine. The problem was that you asked the SAME question TIME and TIME AGAIN, and not only THAT, but it's a question which has no answer... when you asked me 4 or 5 times if there was a backdoor in the source for bo2k, did you expect me to say anything other than "no there isn't. Read the source and see for yourself"? What other answer could I have given to that question "Yes, we backdoored it! You got me, you sneaky, technically aware amateur reporter" There were 40 or so people in that room. If I was irritated, it's because I had to answer the same stupid question over and over again when others clearly had questions that hadn't already been asked

    As for my use of the word "infected"... well, that's cool, you think what you want. But generally real reporters base their coverage on facts, not half-baked pop psychiatry readings of people's answers to questions. You could probably make a pretty ok case that our intent was malicious without reverting to paranoid interpretations of slips of the tongue. It still wouldn't be even remotely true, but it would surely be more convincing that your attempt.

    About CIH: I, PERSONALLY, as well as every other member of cDc, know EXACTLY what happened with those CDs that CIH ended up on them, and EXACTLY who was involved. ALL of the people involved are people I've known for years - in real life and online - and I'm perfectly comfortable with their version of what happened. You are completely welcome to go on believing we have a traitor in our midst, but understand that you are spreading verifiably false, undocumented rumor in the guise of news. If you have any intention of ever being taken seriously in your reporting, that might not be the swiftest idea.

    As far as your theories on ethics: If somebody tells you their (presumably real) name, and gives you a piece of open source software with a nice, non-offensive name, you can be confident that it has NO backdoors in it? What if we changed our name to the University of Michigan and called our software wu-ftpd... OH WAIT, THAT WAS BACKDOORED. The whole argument that you can't trust us because we have a stupid sense of humor is anathema to a logical, real world method of establishing trust relationships.

    As far as taking responsibility for backdoors and security issues that might arise in our software... YOU GOT IT. If you, after downloading the source from www.bo2k.com, can find a verifiable and repeatable security flaw or backdoor in our software, we will fix it inside of a week, even though we all have day jobs and don't make millions of dollars off of bo2k the way - for instance - Microsoft does off of their software.

    I'm curious about your theory that Microsoft takes FULL PERSONAL RESPONSIBILITY for any security flaws in their software. Last I checked they do not, in fact, release the names of the programmers responsible for security holes, which means the "personal" part is pretty much out. As far as "full", I would say that we've been a lot more responsive to issues with our software than Microsoft has. Except, of course, when they're imaginary issues like the ones you discuss.

    -tf
  • Be warned when reading this that Brett Glass is obsessively, fanatically opposed to the GPL. He used to be on the am-info [essential.org] ("Appraising Microsoft") mailing list, but he would turn every thread into a thread about the evils of the GPL and it became impossible to discuss anything else because everyone was talking about the absurd claims he was making.

    Eventually I publically aired the suggestion that we ask the administrator to remove him from the list; he was removed a couple of weeks later, and the list returned to usefulness.

    It's a pity, because he's clearly an intelligent and insightful thinker, but his crusade against the GPL is simply beyond all reason.
    --
  • The man says it better than me. In addition it seems like Microsoft in fact denies all legal responsibility using the EULA which removes ALL responsibility for any software defects, including bugs which may open your machine to all and sundry. To somehow suggest that corporations are genuinely interested in security is revisionist history. Time and again Microsoft and others have been caught with their pants down. Generally the PR spin is to blame the people who found the security leak instead of looking at their own practice of development to find the problem. Tweety Fish helped Brett make an excellent point, this article is purely and simply an attack on cDc. Brett doesn't like them, there's no journalistic integrity or proof, merely Mr. Glass spreading rumors and making up a bunch of bullshit. Next time try using the facts Brett and maybe keep from slandering people who've done more to earn respect than you son. Until then why don't you attempt to understand the term "security through obscurity" and why it is a bad idea. School will be in back session next def con, maybe you can learn something before then. gid-foo
  • Hmmm.. I missed those. Do you have any left?
  • However, by far the most important question I asked was one that you repeatedly brushed off, as if to say, "This does not compute!" It was: "How can you possibly expect me to be credulous enough to trust you?" The answer should be, don't trust anyone. At the end of the day this is the primary reason that open sourced security tools are the only way to go. You can't trust anything that you can't see. You are operating in an entirely hostile environment. There are hundreds if not thousands of companies producing software to be placed on machines in our networks. Much of that software is a potential security risk. Many of it far more malicious in many ways than BO2k (at least cDc is honest, everyone else just produces closed source software with buffer overruns and easy to guess passwords and doesn't tell a soul). Every time you download a security patch for a kernel or OS (whatever that might be) you are trusting someone. I understand that you're trying to speak about ethics. You article came across as a personal attack on the cDc, and lacked an indepth discussion of ethics. It's a far more complex picture than you paint, and probably than you even have time (or words) to cover. It seems to me that you ended up confusing your point and muddying, rather than bringing up an interesting issue. I agree ethics is a valid concern. I am of the opinion that groups like cDc and the l0pht are far more ethical than many of the companies producing commercial security software (with totally bogus claims as to the abilities of said software) or many of the companies producing non-security related but security compromising software.At the end of the day cDc, BugTraq and other full disclosure/security groups are doing a service to the community by bringing security to the forefront. Admins and users alike are made more aware and that can only be a good thing. A few script kiddies hacking into a poorly secured companies intra-net is a small price to pay for more vigorous security in general. gid-foo
  • Ok where to start on this *bad* piece.
    IMHO, the stupidist line wasn't the 3 paragraph rant on smoke, or the admittion of taping a conversation w/out concent, but this:
    " cDc may claim its beef is with Microsoft; however, users -- not Microsoft -- will be hurt as a result of Back Orifice."
    If I was a CIO, and the techies came to me with 2 server choices (linux, NT) and I knew that BO2K was out there, I'd definatly stay away from NT! Or if I *had* any NT boxes ( I don't, but that's not the point), I would have them removed because of this. Thus hurting MS monitarily (no outrageous "upgrade" costs)
    Also, wasn't the "ExplorZip" virus outbrake over 2 months ago?

    -------------------------------------------------
  • Yeah, I found this article to be lacking. I reached the end with a dry taste in my mouth...because instead of getting a good picture of DEFCON (and wanting to see how it compares to the X-Files version ;-)) I got yet another warning about cDc and, as his big main ending point, "watch out for the scary email virus!!!"
    Let the man do what he wants with his hair, but come on...!
  • Here's Jamie Love, who seems to be the main person from Ralph Nader's organisation driving discussion of Microsoft, announcing [essential.org] that he's created The Unofficial and unauthorized: Brett Glass is unhappy with the GNU General Public License (GPL) page [cptech.org]. The discussion that follows is enlightening. To my knowledge, Brett never *did* create his own page representing his arguments.
    --
  • Only to capture the zeitgeist of this chaotic, but nonetheless important, gathering did I press on.

    I'm morally opposed to unnecessary uses of the word "zeitgeist." I stopped reading after that sentence. :P

    --
  • The comment he made about the anti abortion site that told people the location of doctors willing to practise abortion is way off.

    Just take that comment for what it was, for what the entire article was, a cheap attempt at emotionalism to sway public opinion. Hackers are like anti-abortionists who kill doctors... Hackers are evil because they smoked and it hurt me... Hackers are evil because... blah blah blah...

    Do you think it's a coincidence that he made the comparison of hackers to two groups of people that the media have demonized (terrorists and smokers). I think, perhaps, it was an article written for another website (which shall remain nameless, because I don't want any lawyers to be sent after me, but if you know about Defcon, then you know who I'm referring to), because the readers of /. seem to have rejected it out of hand.

    The theme of the conference, however illusive, was this: There are wizards in our midst -- some masters; some journeymen; some merely would-be apprentices. Many of these wizards, through their knowledge, can endanger or damage the rest of us. But there is no common ethical code among them; each makes up his own, or simply has none. It is unclear that any one of them is well-intentioned or even fully cognizant of the consequences of his actions.

    Okay, I forgot the obvious comparison to wizards. Masters of arcane and dark arts. Makes deals with demons. Heck, I'm surprised that he was so gentle on this point. He could have just as easily said: All computer hackers worship Satan. Anyone who worships Satan will go to Hell. You don't want your children to go to hell, do you? (See also the political ad in the Gnomes episode of South Park).

    But, worse that the attempt to slant public opinion, is the call for the end of individuality. We need a common ethic. One World, One Nation, One People (One Orgasm - the i-brator [geocities.com]). Unfortunately, it's the quest for personal freedom which leads to people joining this sort of sub culture. Do what you want for no reason other than because you can, because in the physical world, some guy with a club and a gun, wearing a uniform, can walk up to you on the street, beat the crap out of you, and then lock you up in a prison, just as soon as look at you.

    Some break in merely for the challenge; some target people or organizations they don't like; others trash systems at random just to prove they can. The public, which doesn't really understand how computer security works, mostly sticks its head in the sand and ignores the issue unless an intruder does serious damage.

    Heh, corporate america sticks it's head in the sand instead of dealing with computer security... True. But, lets face it, they also stick their head in the sand for everything else (the machine's about to crash.... -Oh, is that a bad thing? the software that you have a month to turn out won't work and will destroy your credibility.... - Yes, we know. Mine is better.... - It doesn't matter)

    Other than that, I thought the rest of the article was pretty pedestrain... Actually, the title was kind of witty (would have been wittier if it were: "Phear and L0phting in Las Vegas" or maybe "Ph3ar and (ip)Flooding in Las Vegas")
  • >Brett Glass has a long history of being anti-GPL. His arguments on >the Infoworld Electric fora were thoroughly refuted and he hasn't >been seen there for a while. The gist of his opposition to the GPL is >that it prevents people making money off software. Any attempt to >disprove this (Look at Red Hat etc) met with personal abuse, denial, >a change of subject, or silence.

    Check out the Sept 1999 and Oct 1999 archives over at the lynx-dev Mailing list archives (http://www.flora.org/lynx-dev/html/) for messages with subject headers of "Re: lynx-dev Re: Licensing Lynx" and "Re: lynx-dev More on lynx copyright". Brett's been a busy little troll. Basically he and a bunch of his pals wants the lynx-dev group to "to allow them to use the code of Lynx in proprietary software packages, saying that this will help your "colleagues" compete with Microsoft." Yeah right. It's basically Brett's ranting about how the GPL won't let him and his cronies steal the work of other people again.
  • Brett Glass, After reading and analysing the a few of your articles and posts, and tfish's replies to your posts, I've had a few questions, that I'd like clarified not only for myself, but for the public. 1) you state numerous times that there could be backdoors in back orifice 2000, yet it is open source. You also state that you are aware of the fact that this project is open source but still you state there could be a backdoor. The whole idea behind open source and the GPL movement (if you want to call it that) is that you can read the source and modify it (if you see the need to). So, you can actually see what the program does (if you are competent enough to read the code). The question is this. Wouldn't it be more probable to have a backdoor if it were a closed source project? since the public can't see the source, the programmer could more than easily hide a backdoor in the software. this can be true for any closed source project. even closed source operating systems, such as Windows 95/98/NT and the 2000 series. so you'd think, that open source, which means you can get the actual source for the program being executed on your machine, would be more adventagous as far a security issue, right? 2) you state on numerous occasions that you believe cdc and/or the production team of backorifice 2000 purposely infected the defcon 7 distrobution cd's with the CIH virus. Isn't there a more probably solution? the CIH virus like a good number of virii is both memory resident and infects .exes, which means that when the infected program is run, it loads itself into memory and waits until another .exe is executed and infects it. Now, the solution that I think is most probable explaination is this (btw, I am in no way associated with the production and distrobution of the bo2k cds) one of the developers and/or testers had downloaded a program infected with the CIH virus, which is one of the most common virii in curculation on the net, thus it is labeled wild. they ran this program, thus infecting their machine. they ran the .exe that was later to be put on the cd, with out knowing that the virus had infected their machine. this file was passed onto the the machine that wrote the bo2k cd's which were distributed. thus the cd's had infected binaries on them. REMEMBER: probability over possiblity its more possible that this happened than what you claimed to have happened. in fact, I recieved a product demo cd from a large michigan mining and production corporation in which I am a stockholder (no I'm not naming names, I don't do that) the cd's autorun was infected with the same CIH virus, and they accidentally sent this cd to all of their investors... do you think they did that on purpose? I don't blame the people who burnt the cds, I blame the people who write the virii. what's your view on this? 3) after reading your articles I get this impression. When I was in sixth grade I used to write papers, and as wrote I used a thesarus and inserted words which I thought made sense how I inserted them. Now that I look back on these papers I laugh because the words were used totally out of context and make no sense. This is true of alot of the terms you paste into your writings. An example of this is when you use the term "security through obscurity". this term and your article go entirely different directions. What point are you trying to make by referencing such terms even though you (from my interpertation) don't have a real grasp on the meaning? if you could post a reply it would be most appreciated. Thanks -Optyx http://www.uberhax0r.net
  • Yes, it is easier to hide a back door in a closed source program than in an open source program.

    But think of the challenge of trying to hide a potential exploit in plain sight! This is exactly the sort of challenge (and glory) that "eleet" hackers -- particularly the type who like to grandstand -- crave.

    Also, what better way to get people to trust your backdoored code? You can say, "See? I'm not hiding anything; it's open source!" And many naive folks, who thought they were sooo clever not to use the closed source version, will believe, and will be suckered into using the program. I hope you can see how utterly delicious such a notion would be to certain hackers.

    As for the CIH incident: While I'd like to think it was an accident, it would be (again!) an incredibly tempting prank for those bent on mischief.

    --Brett

  • First occurance: Movies like "The Matrix". That doesn't sound like a quote or skepticism to me. There are many many of these through your article, perhaps you should go back to school and learn a bit more english before continuing to write misguiding and insulting articles.
    P.S. And MLA format specifically addresses the use of quotes to indicate skepticism as being incorrect. If I carried my book (Reasoning why college is bad for programmers.. they teach them english) I would point out the exact verbage. xerithane.karma--; xerithane.gratification++;
    -= Making the world a better place =-
  • "Occurrence" is not spelled with an "a," if you want to be nit-picky about it.


    As for the movie title: it was in italics in my original text. But copy editors often change things; in this case, it was mapped to quotes. Not strictly correct, but perfectly clear.


    --Brett

  • Seriously..if you are involved in any type of halfway illegal activities you will not parade around a convention calling yourself a 'hacker'.

    Or if you do you don't deserve any respect. Haven't people got over the vain, shallow boasting stage yet? That's so juvenile!

    Instead if you want to be appreciated and considered a doberman, hack unix code for a few years, then you will realize that going to a stupid-ass convention won't make you anyone. Hacking has nothing to do with how you look, act, talk, or who you hang out with.

    Seems reasonable. But consider, some people don't go to these events because they think that it will make them "real" hackers. Some people (gasp!) attend because it's a fun party. So it doesn't make them hackers. Neither does it make them losers.

    Flawed logic follows:

    Some losers attended DEFCON.
    (insert name) attended DEFCON.
    Therefore, (insert name) is a loser.
  • Brett, I have a few comments on this. a) You obviously do not understand the logic behind this GPL/Opensource backdoor thing. I'm not sure if I'm wasting my time here, but I will attempt to put this into other words. If the source is open, then anyone can analyze it, and find any backdoors no matter how obfsucated by code. If a user does not have the appropriate skill to do this, they should be aware that they are opening themselves up to possible attacks by obfuscated code. The responsibility for the effects of using this code, are then completely that users. This is stated under the GPL as: " 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES." bo2k is published under the GPL, and by using software published under the GPL, the user agrees to the above statement. As for binary distributions: If a user does not take the appropriate measures to scan any binary introduced into their system, they are again, opening their systems to danger. As Optyx posted, there are known commercial distributions of binaries that have been unknowingly infected by various virii. This does not by necessarily denote maliciousness on behalf of the publisher, or parties involved in the publication and distribution of the binary. As for the infection of ISO images: You are making an assumption about the process of burning the bo2k distribution CD's that voids your logic. This assumtion is that the virus was inserted directly, and purposely into the binary, that was then packaged into an ISO image. The executable may have resided on a system, in which it may have become infected by CIH, before the building of the burned ISO image, without the knowledge of the parties involved with building the ISO and burning it. There is no emprical proof, or way to determine how/what/when/why CIH got onto any given machine, ISO image, or CD involved with bo2k. I personally consider your usage of such non-emprical evidence in a news report to be incredibly unprofessional and biased. I would appreciate your feedback and response to these comments greatly. Thank you -t12
  • Sorry about the formatting, I am not very used to the slashdot posting interface, this being my first post :) -t12
  • by TheBeginner ( 30987 ) on Sunday October 03, 1999 @09:20PM (#1640987)
    I think that it is slight ironic how this article and the last go together to prove my point, which of course you do not know yet.

    So, to begin, where is the future of cracking (hacking/whatever it is GC (geek chic) to call attempts to trespass into electronic information spaces and either gather or disrupt data) heading in the next century? The fact of the matter is that it is heading away from the majority of us. Computer security systems (real computer security systems) are becoming harder than even to break.

    While movies like War Games inspired us all to crack to the launch mechanisms of the U.S. nuclear missile defense, those days are gone. Truly secure systems are only available for acces locally, while important national systems are better protected than ever by the crackers of yesteryear.

    What this all leads up to is that the only people left will truly be able to wreak havoc are the government and big corporations. Only they have the computing power and the money to be able to work past strong defense systems.

    And at the same time, I see this electronic power becoming more and more important. So what kind of future do we have to look forward to? Well, I believe that electronic terrorism (or government/corporate action, when it comes down to it, there is really little difference beyod perspective) will bring the world to a standstill. My question, is will that bring about a world like that seen in Rollerball (great movie) with Corporations splitting up the world between them, or a 1984 scenario with Big Brother becoming all powerful because all of our lives can be catalogued electronically.

    When I think of conferences like DEF CON, I wonder if there purpose should not be to prevent futures like this. So while I am not in support a violently breaking the law, or causing others intentional hurt, I so long live the hackers and even the crackers, for they may be the only hope for a medium between two horrible futures.

  • The so called "journalist" who wrote this should take some english classes. First off, according to MLA format, quotes should be used when you are quoting something, not accentuating a point. (And yes, I am making fun of him with the "journalist" remark)
    Ok, now that I feel better about that I can say what I think about him and the article. Most of his points were fairly /dev/null. I used to crack/hack/phreak and all that good stuff -- I almost got busted, and I quit and used my powers for good instead of evil. In that time I actually found the most dependable and trust worthy friends I've made in my lifetime. Mostly due to an us-against-them attitude. And for all of the drooling idiots that populated DEF CON, they have a good purpose. To make people realize that there are security problems, and that those drooling idiots can get into their systems. If you want security, don't connect your box to the internet. That is the only security. While this article is talking about how malicious these hackers are, and how they are just a bunch of ruffians who had no parents (ok, I'm improvising) to teach them any better he's missing the point of computer security and DEF CON. As long as there is a reason -- there will be someone doing it. And hackers do have a code of ethics -- the real ones, not in it for the chicks.
    -= Making the world a better place =-
  • I was going to add this last one, but I thought it would be too mean.

    So, I posted my original message, and re-listed the comments page. And there it was, plain as day, the followup to a critical comment, made by B.G. posting as an A.C. !

    8) B.G. can't let a good flame go. He'll have to followup to each and every one of them, making this topic a 500+ followup by Monday noon.

  • Screw cyberterrorism, given the effect of the recent fiber cut, a few well-placed wire cutters could cripple the internet. Sad but true, the fault-tolerancy of the internet is no more.
  • If you think this reveals the extent of Brett Glass's cluelessness, try browsing the freebsd-chat mailing list archives sometime. This guy's not a hacker, not even a programmer, but his liberal advice to all (especially on matters of advocacy) regularly gets him into flame wars. Also he detests linux, thinks the GPL is evil, etc etc. Actually this article was quite readable by his standards. It didn't have his typical know-it-all attitude and didn't try to preach to the converted. It didn't even try to attack the GPL. I was impressed.
  • ...Uncalled for. I NEVER act 'elite' or 'eleet' or 'leet' or whatever. Try and think back to when you were 12 before you start insulting 12yr/os. Bah. I've seen people younger than me acting more mature than many adults or teens. ~S~
  • I agree. But this is one problem that there is very little we can do to solve. There have to be hard lines and they have to be stretching distances too long to be defendable.

    This in fact is a question I have grappled with (don't read that as overly dramatic) when recently reading Tad Williams Outland series. Albeit, I'm only half way through the third book, but I don't understand how the Grail Brotherhood hopes to live in VR in perfect safety as Gods. Regardless of whatever they create, they will still be vulnerable to attacks on there bodies in the real world.

    However, to come back to my point, what I was trying to look at in my comment was a plausible future. While there may be groups that destroy various phonelines/datalines for whatever reason (anti-tech, anti-phone, wireodestroyomaniacs) but they will not have the same motive of power and control that I see governments and corp.s having.

    But then again, that might just be another tool they use. In general, however, it all comes down to the stunning conclusionary theme in War Games. In a nuclear war, no one can win. If the war becomes the destruction of the hardware supporting the internet, then in the end, we just destory what we have created without gaining anything in the process.

    But again, these are governments and corporations we are referring to. For them, too often it seems that a mutual loss is an acceptable goal.

  • So, in the meantime, we must find a way to require our hackers to be ethical. For me,this was the real message of DEF CON: dangerous knowledge and tools, in the hands of people without ethics, are dangerous. We need a Hippocratic Oath for hackers, and perhaps some Guardian Angels to sniff out the bad apples. And we really, really need to know whom we can trust. Otherwise, we have little hope of making the mean streets of the Internet safe for all of us.

    Our hackers ??
    As in the people we/I own or control ??
    what a kook!
    Sorry but I had to say it......
    End_Vent=true
  • i went to defcon 7 also and wrote a 3 page txt the day i got back. there might be errors and such but oh well.

    my writeup isnt nearly as uhm... formatted as his is. i didnt use proper anything.

    the write up is at
    http://pluto.spaceports.com/~disc0re/defcon.txt [spaceports.com]

    i also got some pictures up here [spaceports.com]

    it was a great conferance and i highly suggest going next year if you can make it!

    tyler
  • I will definately agree that Mr. Glass is quite a fool. I had a bit of a tangle with him as I manned the DOC booth selling the Defcon 7 - FreeBSD shirts. He came and argued with me about commercialization/GPL/etcetc. He was pretty unclued on the state of events, although he seemed impressed with the utter lack of Linux *anything* at the event. Actually that was pretty much the most amazing thing about the event, even with all the Skr1pt kiddiez at the event, there were *no* linux CD's being sold, and everything there was *BSD oriented. FreeBSD and NetBSD were being represented by the DoC (Myself, Dover, Cyber/etc) and Mike Smith (and a friend of his who's name slipped my mind). OpenBSD was being sold by Theo's cohorts.

    Point 4 is kinda correct actually, RedHat builds a distribution, and they distribute it.
    I don't believe that they charge for any of the actual contents of the CD. I'm sure I could be wrong, but that seems to be how they would get around licensing issues. I need to re-read all the licenses again, I should know better what I'm talking about.

    He's also sorta right about point 6, I'm sure that you *could* hide stuff in source, but its so pointless if its open source anyways :)

    Regardless of this, I think Mr. Glass is a first class twit-of-the-media and should be debunked as often as possible, and as publicly as possible.
  • OK, I'm going to be mean and this might cost me some karma points, but I've just got to say this:

    1) Brett Glass pointed out *his own* article. That has to be some indicator of cluelessness and/or hubris.

    2) He's a MORON. He obviously didn't use the DeMoronizer to fix up the Microsoft Stupid Quotes.

    3) What's with the^H^H^H^H^H^H^H^H^H^H^H^H^H^I Love the Hair!

    4) If you read what this guy posts on Infoworld.com, you'll see that he's generally clueless compared to everyone else there. He is a critic of open source, but not a very good one. I seem to remember him claiming that Red Hat didn't sell Linux because Linux was free. Red Hat sold bandwidth, because they could mail a CD to you for an effective data rate of 670 Megs per 24 hours for FedEx. Ummmm. Sure.

    5) He described BO2K as a trojan horse program. Would he describe PC Anywhere the same way? How about an admin tool released from Microsoft? These are all the same kind of program, and can be used or misused in a wide variety of ways.

    6) Brett obviously has no idea what obfuscated code is. He claims that BO2K could have trojans hidden in obfuscated code. Heee hee haw haw.

    7) Linux is just as insecure as Windows? Poorly designed and rife with security holes? That's a joke. For goodness sakes, MS Excel has a whole flight simulator hidden away inside of it. Where is the easter egg inside the Linux kernel?

  • True enough, though in the event of some sort of backbone catastrophe, routers configured to silently deny traffic on port 80 in favor of ports 21-25 would raise the survival factor immensely. The fault-tolerance algorithms are still there, but web (and to a lesser extent mail) usage has eliminated hope for redundant carrier channels for the time being.
  • by blue_adept ( 40915 ) on Monday October 04, 1999 @04:29AM (#1641001)

    I was at Defcon as a speaker, and
    although *some* of the details of this
    article were correct (eg great parties to which
    windbags like Glass were not invited), overall this is a *horrible* piece on Defcon.

    The CIH computer virus was found on
    *copies* of the bo2k cd's distributed at
    Defcon, not the originals, correct me if I'm wrong.

    The idea that bo2k contains obfuscated
    trojans is laughable, cosidering it's open
    source. Leave it to Glass to connect the
    dots... open source + GPL = plot to hide
    backdoor. (?!) Brett... if you don't
    trust the binaries, compile the source.
    And if you don't trust the source,
    then show us why... Maybe you
    can contribute to some bugs that have already
    been spotted and patched in bo2k [bo2k.com].

    Of course, this is probably asking
    too much from someone that's proud to
    amid to secretly tape-recording
    comments at a post-conference party and
    consiers his own 10-year-old phreaking
    activities a passport to the underground.

    "one cannot trust the group's output and must regard it as not only untrustworthy but dangerous. "

    fear + ignorance = loathing, that's understandable, but I'm disappointed
    that Hemos referred to it as "Very well
    written coverage".

  • by aqua ( 3874 ) on Sunday October 03, 1999 @11:33PM (#1641002)
    Like much of that article, that bit seemed to be a mixture of journalistic cynicism, journalistic naivite and journalistic arrogance.

    I wasn't able to decide if the author was trying to make jabs at the OSS realm or not -- he dismissed the GPL aspect of BO2k with the "obfuscation" claim, missed every ramification of an open source BO except for the concern of the script kiddies about trojaned exploits.

    (aside: Kiddies don't read source. The claim that BO might be obfuscated in the identifier/whitespace sense is bogus -- it would reduce the point of GPLness to a PR tactic which would be quickly noted and cDc would be reviled for it, more than they already are. Obfuscation in the code-structure sense would merely make it unmaintainable, not unusable or unmodifiable)

    ... and, to resume, he seemed generally to propose (especially with your quoted excerpt) that the darker side of security research is somehow wrong and misguided and should go away (gosh, someone should tell that to street hoodlums), and that open-spec/open-source/open-attack security is somehow a bad thing. He did get right the part about how there's no common code of ethics -- an attribute he might find is shared by many sectors of street criminals, marketing executives and politicians.

    He mentions also that defcon's a party, which is true enough, but then forgets that fact for the rest while applying his lofty judgement to the various frivoloties. Defcon is supposed to be gross, overstated and stupid -- it's a party. It's not a particularly serious meeting of minds, in any sense, and interpreting it as such leads to all sorts of depressingly absurd conclusions, such as those found in this article.

    Poor boardwatch. They've gone downhill.

  • Why should we be warned about the author's view on the GPL? This is offtopic IMHO. What's wrong with being against the GPL? What does that have to do with DefCon anyway?

    I think Slashdotters' crusade against anti-GPL is also beyond reason.
  • Regardless of this, I think Mr. Glass is a first class twit-of-the-media and should be debunked as often as possible, and as publicly as possible.

    One of the leading occupations of media twits is debunking other media twits. It makes for long, self-righteous columns unravelling other long, self-righteous columns. That gets added to a simpering "hard-news" corps whose main function is to give any new product its alottment of drool and "Can it beat X?"-type "analysis" pieces. Then add a lot of pandering to the big-name advertisers, and you have... the US technology press, both print and electronic.

    (and, of course, I'm saying this while reading slashdot. oh well. :))

  • Yes, you're right, I did miss that one. I also noticed that you and others mis-interpreted what I said about Brett being a MORON.

    It wasn't strictly name calling, though I'm sure that there are others who would agree that he fits the dictionary definition. I was referring to his use of Microsoft tools that make their users look like Morons. The feature in question is the Microsoft Smart Quote, which turns a regular quote into a smart quote. MS Word and other programs write that smart quote into an undefined character, and on non-Windows systems the quote appears as a question mark. There is a program called the DeMoronizer that will fix these documents up.

    I realize that my original article could be taken as a troll, but it's not entirely a troll. My point is that Brett Glass is well known for arguing against open source and free software on other forums, and for using goofy logic to justify himself. Falling victim to the MS Smart Quotes is just another indication that he's no techie.
  • >He did get right the part about how there's no
    >common code of ethics -- an attribute he might
    >find is shared by many sectors of street criminals,
    >marketing executives and politicians.

    Good Point.
    But that's sorta mean to politicians to group them with marketing. *grin*

    After reading many more Posts I start to get the idea about whats up with this guy.I allways get a little touchy when Media takes the attitude of My this and we need to, in such a possessive tone.


    On the bight side;
    * one can't control what he/she doesn't understand
    * DefCon is meant to be Fun + Informative, so if he left concerned and confused, then he missed the point!

    _Chunk
    --Results may vary
  • How anyone could tell whether or not I interpreted or misinterpreted anything from my post is clearly beyond my mental radar. Hee hee.. I didn't exactly say a whole lot. =P

  • The CIH issue is important too. I'm still convinced that cDc was hacked -- by an insider -- in the same spirit of uncontrolled and possibly harmful mischief that pervades the entire group.

    Not sure why you would be convinced of this when you have no evidence.

    As I'm sure you're aware, you can't just "infect" the ISO image of a CD with a virus.

    As you *should* be aware, CIH is an .exe infector.

    You must do so at an earlier stage, while the .EXE file is still present in its original form. So, the idea that a machine used only to burn the disks contained the virus doesn't wash. The virus must have been present on the machine where the CD-R image was prepared.

    Doesn't sound like you've done much CD burning. I haven't either, but even I know what's wrong with this statement. If, at any point, the files were copied to a writeable media (i.e. the harddrive) they could become infected. On a machine with one CD drive (the CDR) there are two choices: Make an image of the CD, or just copy the files to a temp directory on the harddrive.

    For such a small image, I probably would have just copied them to a temp directory,too.

  • by CC ( 1075 )

    He's had his 15 minutes ... please

    Nevermore

    He's been through the whole thread, he's fucking insatiable.

    CC

  • I'd rather read almost anything than solipsistic scribbles like this -- even how Jon Katz has conquered Linux. I agree with the rest of the peanut gallery: bad call, Hemos. Better to get the notes, humble as they might be, of any other random conference attendee than to plow through this drivel; at least that way interesting issues could be discussed without having to sidestep the ego.

    This piece was weak on social insights and nil on technical insights. In addition, Glass has an "illusive" grasp of spelling.

    Finally, to cap it all he proposes bringing in the Guardian Angels or something to police the net. Erm, Brett, they already tried. Even as a ha-ha joke this is a bad thing to bring back up.

    --------
  • Again, the errors (e.g. the use of "illusive" instead of "elusive") aren't mine; they were introduced by the magazine during copy editing.

    As for the Guardian Angels: What would you propose instead? Certainly there must be some accountability for irresponsible actions taken on the Net. Would you rather that we, as Netizens, self-police -- or have the government do it for us?

    --Brett

  • -Re: the phreaking comment

    this industry moves much too quickly for people like Glass to even *be* clued. not saying it's impossible, just that he thought he was already in.

    -Re: ethics

    just a quick comment (i'm not going for status on this post) -- hackers and crackers DO have ethics. that's why the two are distinguished. crackers are lame "kiddie" renditions of hackers, who are the more mature. that's relative, of course. most hackers i know are under 21...

    nevertheless, as The Red Book taught us all, no UNIX system can be truly secure *ever*. We may as well stop trying.

    At some point, I am going to use this new slashdot username i've recently perloined and go into a big rant on free information and ultimate communication. maybe i'll just write rob and jeff instead...

    --kaspar
  • There's a smear against the GPL in his article. As he says here, he needn't have named that license: he could have made it clear that his reservations applied to any system of code inspection. But, like I say...
    --
  • I have been constantly confounded by so called 'media' that attempts to find a central theme of DC. The only reason it existed in the first place, was for a bunch of people to get together and hang out. That is still its main focus. Granted there are:

    "wild, wild parties -- some open, some whose locations were known only the "right people."

    However, the purpose is still the same; now not only the original inner circle meets, but literally hundreds of other groups are doing likewise.

    The most accurate theme to apply to DefCon is, "Geek New Year". OK, so we don't have fireworks and dragons, but rather Electonica and the CDC, DOC, DD, et all.

    Furthermore, for the author to blast the CDC for its antics is ill informed. He didn't even bother to ask Dildog why he spent the time to code it. Obviously they love publicity. And for them to get into the national media and TV was the Ultimate Hack @ DC7.

    If you don't like the smoking...DON'T COME. It's Vegas, smoking is legal, it's 110 outside... go to the damn concession stand... No, better yet, go cover something that your might actually have the ability to grasp.

    RANT:
    Finally, insofar as the social engineering contest goes. We wanted to entertain the real attendees, not to prove that people are uber-31337. Those that violated the spirit of the show by recording the contest, I have no respect for you.
    /RANT

    And for those that wonder about me: Yes, I work for a TLA. And, YES I'm a Goon... and damn proud of it.

    A personal favorite from Con. [713.org]

    -Section9

  • Yep, you're right... there were over 3000 "script-kiddies" @ Con. Gawd I feel like such a lamer.

    I'm looking forward to H2000, as well, but I don't have to put DC down just to elevate myself...nor do I have to resort to anonymously posting flame bait.

    -Section9
  • When I read through a article like this I can only think back to why it would not have made it past Jack Rickard [internet.com].

    All I got out of this article is that hackers like to smoke?

    There is no hacker ethic?

    cDc can't trust themselves?

    The self submission (if that was the case) doesn't help either.
    http://www.mp3.com/fudge/ [mp3.com]

  • The thing that struck me in the article was the comment that most hackers don't have any ethics. Nearly every scientific field doesn't teach ethics to a great degree. When I carried out a survey of physics undergraduates in the mid-1990s, the majority of respondants said it was the first time anyone had mentioned ethics to them, despite physicists being involved in the H-bomb and in the defence industry.

    There are a number of groups trying to change this (such as UNESCO) but I suggest people take a look at the pledge campaign at the Student Pugwash USA web site (http://www.spusa.org/pugwash/ [spusa.org]) as the site has a stock of documents related to ethics and technology.

  • Brett Glass has a long history of being anti-GPL.

    His arguments on the Infoworld Electric fora were thoroughly refuted and he hasn't been seen there for a while.

    The gist of his opposition to the GPL is that it prevents people making money off software. Any attempt to disprove this (Look at Red Hat etc) met with personal abuse, denial, a change of subject, or silence.

    I think the real reason is that his beloved FreeBSD is released under a licence he considers to be better, yet it's the GPL'd Linux which is running away with the press and the userbase.
    --
  • You are Gerald Holmes [freeyellow.com] and I claim my five pounds.

    jsm
  • Come on, Brett, you can do better than that.

    Linux is a moving target. For how long has the source to 2.2.12 been open? Of course it's not possible to guarantee zero security holes, even where the source is available. The question is whether or not opening the source is a benefit to bug-spotting; the answer is a priori yes.

    Hamish
  • The so called "journalist" who wrote this should take some english classes. First off, according to MLA format, quotes should be used when you are quoting something, not accentuating a point.

    You saw quotation marks? I simply saw question marks all over the place. I guess it is asking too much for a site called "internet.com" to be able to use a proper character set. There didn't seem to be any problems with the well over a dozen occurrences of parentheses, though.

    Furrfu!

    Those are bad habits for a writer, Brett - lose them, but quickly.
    --
  • OK, I'm going to be mean and this might cost me some karma points, but I've just got to say this:


    I hope you don't take these posts to the heart in generating "karma" cause if you do I'd personally rate you a basher...

    1) Brett Glass pointed out *his own* article. That has to be some indicator of cluelessness and/or
    hubris.

    He made some strong points in the article about the influx of those who have no ethics and it's painfully obvious, but for a "clueless" reported to notice this would be what?... a guess? Don't be so quick to judge.

    2) He's a MORON. He obviously didn't use the DeMoronizer to fix up the Microsoft Stupid Quotes.

    There go those karma points you worry about

    3) What's with the^H^H^H^H^H^H^H^H^H^H^H^H^H^I Love the Hair!
    4) If you read what this guy posts on Infoworld.com, you'll see that he's generally clueless compared to everyone else there. He is a critic of open source, but not a very good one. I seem to remember him claiming that Red Hat didn't sell Linux because Linux was free. Red Hat sold bandwidth, because they could mail a CD to you for an effective data rate of 670 Megs per 24
    hours for FedEx. Ummmm. Sure.
    5) He described BO2K as a trojan horse program. Would he describe PC Anywhere the same way? How about an admin tool released from Microsoft? These are all the same kind of program, and can be used or misused in a wide variety of ways.

    I'm sure Microsoft wouldn't embded backdoors other than those used by the NSA on them ;) ... Seriously though, Back Orifice is nothing more than a kiddie tool. You don't see millions of hacker wanna be's downloading PC anywhere to rm -rf each others workstations. Being that this is a free "remote administration" tool which translates into "donwload me and rm -rf your friend" hundreds of morons everywhere went on rampages with that gadget. It's a shame cDc waisted time on such moronic programming.

    6) Brett obviously has no idea what obfuscated code is. He claims that BO2K could have trojans hidden in obfuscated code. Heee hee haw haw.

    How do you explain those cDc backdoors?

    7) Linux is just as insecure as Windows? Poorly designed and rife with security holes? That's a joke. For goodness sakes, MS Excel has a whole flight simulator hidden away inside of it. Where is the easter egg inside the Linux kernel?

    What he should've said is Linux could be as insecure as Windows in the story. Truth of the matter is if you haven't kept up on security issues, Linux does have some problems as much as Windows does. Haven't you read any BugTraQ postings? Just about every other week they're finding some sort of overflow on Linux. Personally I think it's just crappy admining but for the most part linux can be just as insecure as Linux can be... but I wouldn't know I use OpenBSD ;)
  • Good point -- but I think you should pick up a MLA book on correct english writing styles.
    Over using quotes is not a good way to write. Quotes are for quoting, not for emphasizing a point.
    -= Making the world a better place =-
  • by ryanr ( 30917 ) <ryan@thievco.com> on Monday October 04, 1999 @08:35AM (#1641034) Homepage Journal
    Computer security systems (real computer security systems) are becoming harder than even to break.

    Not true. Real computer systems are becoming horribly more complex, and therefore have more holes. True, some of the low hanging fruit is gone, but I still see the same stupic mistakes being made all over the place, just usually not in the same place twice.

    While movies like War Games inspired us all to crack to the launch mechanisms of the U.S. nuclear missile defense, those days are gone.

    I disagree. We're seeing far more goverment sites broken into now than we have in the past.

    Truly secure systems are only available for acces locally, while important national systems are better protected than ever by the crackers of yesteryear.

    No, they're connecting them to the Internet as fast as they can. The level of clue relative to the number/ability of attackers is decreasing, not increasing.

    What this all leads up to is that the only people left will truly be able to wreak havoc are the government and big corporations. Only they have the computing power and the money to be able to work past strong defense systems.

    This would seem to demonstrate a lack of understaning about how hacking works. I only need lots of computing power to crack crypto. I can do any of the other hacking I need from a $299 PC. It's not about resources, it's about using your head. Resources never hurt, but they are certainly not required.

    And at the same time, I see this electronic power becoming more and more important. So what kind of future do we have to look forward to? Well, I believe that electronic terrorism (or at/corporate action, when it comes down to it, there is really little difference beyod perspective) will bring the world to a standstill. My question, is will that bring about a world like that seen in rollerball (great movie) with Corporations splitting up the world between them, or a 1984 scenario with Big Brother becoming all powerful because all of our lives can be catalogued electronically.

    If the corporations hold "the power" then they will be the victims of "terrorist attacks" rather than perpetrators, no?

    When I think of conferences like DEF CON, I wonder if there purpose should not be to prevent futures like this. So while I am not in support a violently breaking the law, or causing others intentional hurt, I so long live the hackers and even the crackers, for they may be the only hope for a medium between two horrible futures.

    The purpose is exchange of information, without regard to the intentions of those who receive it. The current game is very much "pay attention, or lose." The good guys can't find out without the bad guys knowing. So, be one of the good guys paying attention to what's being said.

  • Not picking NT soley because BO2K exists is being as ignorant as Brett.

    The BO equivalent for Unix has been there for years. We call it "telnetd" and "X".

  • I remember being interviewed by this guy at the post BO2K launch press conference. He was the one who was TOTALLY convinced that we MUST have hidden a backdoor in BO2K. "You can hide trojans in the source!" he said, over and over again. I tried to get him to tell me what HE would have us do to convince people that BO2K was not backdoored, but he didn't have any answers. He refused to acknowledge that making bo2k open source was anything but a massive conspiracy to make people THINK we hadn't put a backdoor into the code. Finally I said "well, if you're that worried about it, you don't have to use it. anybody who does can read the code"

    He also JUMPED on the fact that I slipped and said "infected"... yeah, that MUST be a sign that I REALLY think bo2k is a virus, 'cuz otherwise - after correcting literally dozens of media who used that (incorrect) terminology - I wouldn't have made that slip EVEN ONCE. Never mind that even if BO2K were a purely malicious trojan horse (it's not any of those things) a machine still wouldn't be INFECTED with it, because it STILL wouldn't be a VIRUS.

    Finally, I'm not sure where his whole theory about one of us secretly putting CIH on those CDs... why would ANY of us want to make cDc look that stupid? Has anything else we've ever done indicate that we operate that way? Clearly not, but just as clearly, this loser didn't pay much attention to how we do things, choosing instead to feature the conspiracies he chose to see before even talking to any of us.

    This isn't reporting. It's paranoid ranting based on a weak, unsubstantiated, and indeed, already disproven version of the facts.

    I mean, really. We fucked up and let somebody burn CDs from a machine infected with virii, and then we fucked up doubly by refusing to believe that could have happened. We admitted as much on cultdeadcow.com a couple weeks after defcon... If we could have possibly laid the blame anyplace besides our own slipups, don't you think we would have?

    I wish everybody who read this column, Hemos, and everybody on slashdot, could have seen how consummately unprofessional this "reporter" was at the press conference he attended.

    And no, we didn't invite him to our party.

    - tf
  • by CC ( 1075 )

    Brett Glass is an idiot.

    Hemos is a bigger one fer posting this drek (very well written) .... geeeeze


    CC
  • The comment he made about the anti abortion site that told people the location of doctors willing to practise abortion is way off. AFAIK, Cult of the Dead Cow, does not update its pages with ips of hapless victims for people to pick on.. If they did, I would believe that would be wrong. However, they are not doing this. End of story.
  • by Anonymous Coward
    He's a BSD person, which probably explains his anal-retentiveness (the smoking thing was wierd, he was in Las Vegas, right?) and his groovin' 70's hairstyle [internet.com]. Check that guy out! Man, it's incredible what you can do with those banana feather combs!
  • I believe you missed a point..

    9) He makes a point of saying hackers and crackers, but then goes on to use the two words interchangeably. If that is not an indication of cluelessness, I don't know what is.

  • Practically everything you said is an indication to me that you are either attempting to troll, or.. no, I won't bother flaming too much today. I'll just examine the point you made which almost made sense as opposed to the others which were apparently the work of an underdeveloped brain..

    What he should've said is Linux could be as insecure as Windows in the story. Truth of the matter is if you haven't kept up on security issues, Linux does have some problems as much as Windows does. Haven't you read any BugTraQ postings? Just about every other week they're finding some sort of overflow on Linux. Personally I think it's just crappy admining but for the most part linux can be just as insecure as Linux can be... but I wouldn't know I use OpenBSD ;)

    Any OS could be insecure.. If you want total security, don't install any new applications, and don't connect yourself to a network. OpenBSD would be just as subject to security holes as GNU/Linux if you installed the same easily exploitable application onto both systems. OpenBSD may be the most secure "out of the box", but do you expect me to believe, for even one second, that you have never ever installed any other application onto your OpenBSD system since you've got it? Even if that were true, I think you're missing the entire point of having a computer. So.. next time I suggest using the preview button ("Linux can be just as insecure as Linux"??), and I highly recommend you actually try thinking for once in your life. You obviously haven't been lately.

    I'm sick of clueless fanatics trying to press their opinions onto us as if they were documented facts. I don't make up shit about *BSD, so why should others make up shit about GNU/Linux? Because they're bitter? Because they're fscking idiots? They want more "mind share" and will do anything to get it, including lie their asses off? It seems the more *BSD folks I meet, I find that almost all of them are assholes and liars. Damn, I want to join that community right away.. However, I know that the grand majority of *BSD users are probably good people, despite what I think of those I have met so far. As such.. Would the actual "clued in" *BSD advocates please be more vocal than those who do a disservice to *BSD users everywhere, and make it so that the signal/noise ratio appears to be a little higher from that community than it looks like right now? =P

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...