
ImageShack Hacked, Security Groups Threatened

Soulskill posted more than 5 years ago | from the a-picture's-worth-a-couple-hundred-words-or-so dept.

Security 288

revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."


first post (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#28660309)

first

Their message is certainly ironic, (3, Insightful)

Anonymous Coward | more than 5 years ago | (#28660325)

in a "shoot the innocent bystander while sounding all righteous about risk" sort of way.


What is their motivation? (1)

fictionpuss (1136565) | more than 5 years ago | (#28661015)

I mean, if they got their way, completely. What would happen? Anyone motivated enough could find an exploit of their own and hack anyone else. But presumably this would eradicate the script-kiddie element as it would require an element of skill.

Is this just another way of the internet evolving itself? If you're an asshole or are part of a company which fucks someones shit up for profit, then in that potential future you'd be vulnerable to backlash. This isn't the chaos ensuing from giving automatic weapons to the mob, as the weapons would only be in the hands of those parts of the mob who give enough of a shit to actively study things which are beneficial to the internet as an organism; thereby sustaining a symbiotic relationship.

Or are they just a bunch of bored script-kiddies? Either way it's interesting.

Re:What is their motivation? (1)

Artifakt (700173) | more than 5 years ago | (#28661145)

Eradicating the script kiddies really sounds like a worthwhile goal in itself, but you're right, it doesn't really make the net any more secure or functional to trim off the low hanging fruit. This looks to be a lone black hat who wants it to appear he falls somewhere in the legitimately gray areas, but really is well over any ethical lines. I suspect the whole presentation of there being a group that stands behind the defacement is itself also false.

Re:What is their motivation? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#28661171)

I doubt that they are script kiddies.

They just want companies to stop showing people exploits, so companies that rip people off by offering protection can't continue.

Is this considered full-disclosure ... (3, Funny)

neilobremski (1344051) | more than 5 years ago | (#28660331)

... of their movement?

I'd call it full-disclosure... (0)

Anonymous Coward | more than 5 years ago | (#28660355)

...of a bowel movement.

Re:Is this considered full-disclosure ... (2, Funny)

ILuvRamen (1026668) | more than 5 years ago | (#28661039)

well not exactly but wouldn't it be funny if someone did publish the exploit they used to hack ImageShack? :-P

Making the world a better place. (1)

moj0e (812361) | more than 5 years ago | (#28660337)

I think they are North Korean.... :) (JK)

Actually, I find it interesting that the group wants to make the world a better place by discouraging full disclosure.... the funny thing is that they want to do this by destroying things.

Re:Making the world a better place. (1)

Architect_sasyr (938685) | more than 5 years ago | (#28660811)

How does lack of full disclosure make the world a better place? The way I see it, if I know how an attack is operational I can figure out how to defend against it, if I don't then I won't know how (or more importantly why I am having) to write secure code. My other issue with a lack of full disclosure is the indication that only, say, the richest people (or companies) can afford them - effectively monopolizing things like the anti-virus or firewall industries.

Re:Making the world a better place. (5, Insightful)

billcopc (196330) | more than 5 years ago | (#28660943)

They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.

Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".

Re:Making the world a better place. (2, Informative)

aristotle-dude (626586) | more than 5 years ago | (#28661195)

They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.

Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".

Wow. I don't think you understand what full disclosure is and what they are allegedly advocating. It seems like they are not advocating to not disclose the vulnerability to the vendor but rather to not disclose not only the existence of a vulnerability but also an example exploit to the world. This full disclosure is precisely what results in "script kiddies" getting their toys because they don't have to be part of any particular hacking group or have significant "skillz". It creates a mad rush for the vendor to get the patch out there before it can be exploited by lamerz using a script they either downloaded off a website or copied from the disclosure with some minor changes.

Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.

Wow (0)

Anonymous Coward | more than 5 years ago | (#28660341)

I'd like to see where this goes. This is gutsy, and apparently they know what they're doing and they mean business. Their message is clear, concise, and I don't completely disagree with them. Interesting.

Re:Wow (4, Insightful)

Kell Bengal (711123) | more than 5 years ago | (#28660437)

Wait, wait. How is messing with other people's stuff on the net from safely behind a computer 'gutsy'? Sounds like cowardice to me. I don't care what their message is - if they're fucking with my, or other people's, stuff then whatever their argument is will go unheard. If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Re:Wow (3, Insightful)

jombeewoof (1107009) | more than 5 years ago | (#28660477)

...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of its former elf.

Re:Wow (5, Funny)

Anonymous Coward | more than 5 years ago | (#28660539)

...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of its former elf.

And trust me, the dwarves are not happy about that.

Re:Wow (0)

Anonymous Coward | more than 5 years ago | (#28660721)

...and we won't get into what the halflings think about it...

Re:Wow (0)

Anonymous Coward | more than 5 years ago | (#28660861)

...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of its former elf.

And trust me, the dwarves are not happy about that.

And why wouldn't dwarves be happy about a diseased, desecrated elf?

Re:Wow (0)

Anonymous Coward | more than 5 years ago | (#28660597)

...why can't they convince us with a logical argument?

Because...

o/` Love is a battlefield. [youtube.com] o/`

Re:Wow (-1)

dimeglio (456244) | more than 5 years ago | (#28660607)

I would argue that these are not attacks but free speech (as in freedom of expression). Sure, some security sites will be down, that's just the way it is. A mDDOS attack, assuming this is going to be their method, is just like free speech but through the mouth of your NIC card. Ok it's more like yelling but all they need are good earplugs.

We often have Indian tribes who block major roads in order to make a claim. Ok, they sometimes get arrested but more often than not they are listened to. To me this is no worse than PETA's or Greenpeace's actions to raise awareness. Unfortunately, in this case, I'm afraid that big profit will prevail.

Re:Wow (5, Insightful)

sqlrob (173498) | more than 5 years ago | (#28660647)

If it's free speech, mind if I come and write graffiti on the side of your house? If you stop me, you're censoring my speech.

Re:Wow (4, Insightful)

NickFortune (613926) | more than 5 years ago | (#28660789)

Why stop at the outside? Break into the place and scrawl all over his wallpaper. That's effectively what anti-sec did here.

Re:Wow (3, Funny)

GeorgeS (11440) | more than 5 years ago | (#28661061)

They did a LOT more than that!
They came inside the house. Sat down at the TV and ordered PPV and drank all the beer!

Bastards!

Re:Wow (1)

maxume (22995) | more than 5 years ago | (#28660819)

Better to protest living in cold climates by smashing his windows during the middle of winter.

Re:Wow (1)

sysgeek01 (866290) | more than 5 years ago | (#28661049)

It's not censorship. It's enforcing the castle doctrine by protecting my property and family.

Re:Wow (1)

Zak3056 (69287) | more than 5 years ago | (#28660669)

I would argue that these are not attacks but free speech (as in freedom of expression). Sure, some security sites will be down, that's just the way it is.

I'll be by your house later with some spray paint--I, too, have a message to share with the world, and your attitude toward defacement of private property is refreshing.

Re:Wow (1, Flamebait)

bistromath007 (1253428) | more than 5 years ago | (#28660689)

PETA and Greenpeace are terrorist organizations. They do a lot worse than nuisance hacking. :|

Re:Wow (0, Troll)

Kell Bengal (711123) | more than 5 years ago | (#28660737)

I'm not sure if that's supposed to be a legitimate argument or a fantastic piece of trolling, but if it's trolling then I'm impressed. You've combined free speech, activism, minorities, anti-corporatism and anti-social behaviour into one slick package without differentiating any of their goals or means. There is no concordance between peaceful protest and hacking a webpage to spread a message. One just makes noise, the other interferes with the lives and property of other people. The ends do not justify the means.

Re:Wow (1)

houstonbofh (602064) | more than 5 years ago | (#28660775)

I would argue that these are not attacks but free speech (as in freedom of expression). Sure, some security sites will be down, that's just the way it is. A mDDOS attack, assuming this is going to be their method, is just like free speech but through the mouth of your NIC card. Ok it's more like yelling but all they need are good earplugs.

Right up until you decide to have a press conference in my living room. Break into my house and you may get shot.

Re:Wow (1)

Niris (1443675) | more than 5 years ago | (#28660699)

Good point, they should stop doing things over the net. Time to start building those bombs!

Re:Wow (0)

Anonymous Coward | more than 5 years ago | (#28660839)

What's brave about making a logical argument? This moron is risking jail time. I've never understood the need to call terrorists we don't agree with cowards. Bush called Osama a coward for having other people fight for him, then it took Bush years to even visit Iraq. Foolish people may be brave, but I'm not impressed.

Re:Wow (1)

taoye (1456551) | more than 5 years ago | (#28660529)

No it isn't. These guys don't even understand what they're talking about... and we'll see if they mean business when the FBI comes a knockin'...

Re:Wow (1)

Sebilrazen (870600) | more than 5 years ago | (#28660837)

I'd like to see where this goes. This is gutsy, and apparently they know what they're doing and they mean business. Their message is clear, concise, and I don't completely disagree with them. Interesting.

Oddly, this comment, verbatim - save the "Wow" is the subject and not "Wow...", is on another story [mashable.com] about this.

Personally, I fear people who would go to lengths to post the exact same thing on multiple sites more than people with causes.

I'd like to give a shout out to Zorg, from the Fifth Element on this one "I don't like warriors. Too narrow-minded, no subtlety. And worse, they fight for hopeless causes. Honor? Huh! Honor's killed millions of people, it hasn't saved a single one."

related to openssh rumors? (2, Interesting)

Anonymous Coward | more than 5 years ago | (#28660353)

These are the same people who say they've found an exploit in some versions of openssh. Any connection?

http://seclists.org/fulldisclosure/2009/Jul/0028.html

http://news.ycombinator.com/item?id=692036

http://lwn.net/Articles/340483/

Astalavista (5, Informative)

Spyware23 (1260322) | more than 5 years ago | (#28660357)

For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).

Re:Astalavista (1, Troll)

liquidpele (663430) | more than 5 years ago | (#28660425)

Then they should put their money where their mouth is, and disclose the privilege escalation method they used in that case.

Re:Astalavista (-1)

Anonymous Coward | more than 5 years ago | (#28660483)

wow, that was the dumbest comment I have read all morning -- and I came to Slashdot AFTER reading Fark today. Congrats.

Re:Astalavista (3, Interesting)

Threni (635302) | more than 5 years ago | (#28660517)

Hardly, given that they're anti-disclosure.

Re:Astalavista (4, Insightful)

tomhudson (43916) | more than 5 years ago | (#28660887)

Hardly, given that they're anti-disclosure.

... but they ARE in favour of people p0wning sites - which requires disclosure of vulnerabilities - something they're against. Kind of contradictory ...

They're just a bunch of assholes, same as the punks who key cars.

Re:Astalavista (1)

alexhard (778254) | more than 5 years ago | (#28661147)

No, one of the reasons they cite for their anti-full disclosure sentiments is that it allows hordes of script kiddies to "p0wn" sites.

so, they'd rather? (0)

Anonymous Coward | more than 5 years ago | (#28660375)

So, it sounds like they'd rather be able to sell their exploits to the highest bidder instead of publishing them for anyone to see. It will be interesting to see how much support this movement gets around here (there are already a few posts supporting them), because from the sounds of things it's almost the exact opposite of the OSS mindset.

Re:so, they'd rather? (2, Insightful)

MaskedSlacker (911878) | more than 5 years ago | (#28660845)

Not only is it the exact opposite of the OSS mindset, I'd be willing to bet that it is motivated by exactly what you describe. These are not people concerned about security; these are people who want exploits kept secret so they can sell them and use them. The morons posting here in support of this don't get it. These people are not your friends.

There are a number of well-documented cases of vendors being notified well in advance of publication, and those vendors doing nothing until after publication (in some cases the publication was only made because the vendor refused to do anything). Full disclosure forces lazy, cost-cutting corporations to improve their products when they would otherwise have no motivation to do so. The only people who benefit from non-disclosure are black hat criminals.

Leave door open or we will rob you ? (4, Insightful)

abies (607076) | more than 5 years ago | (#28660377)

From what I can understand from their manifesto, they don't want full disclosure of exploits so
1) Other script kiddies cannot use them too easily
2) General public is not aware of the risks
3) Security companies cannot prepare protection against them

This is like... let's think about a proper slashdot analogy... a bunch of car thieves saying that they are against installing immobilizers in cars and warning they will steal the cars of immobilizer producers and supporters till they stop distributing immobilizers. When they stop, the thieves will go back to stealing random cars, with less effort.

Re:Leave door open or we will rob you ? (4, Informative)

binkzz (779594) | more than 5 years ago | (#28660827)

1) I think that's a good thing
2) They don't want the world to not know about the exploits, they just don't want the world to know how to use those exploits
3) These exploits would still be in the hands of the security companies so that they could prepare protection against them

I'm not sure how you came to your conclusions, I don't believe they are correct.

Re:Leave door open or we will rob you ? (4, Insightful)

whoever57 (658626) | more than 5 years ago | (#28660931)

3) These exploits would still be in the hands of the security companies so that they could prepare protection against them

Except that history has shown that many software companies won't actually fix problems until forced to do so by full disclosure.

Re:Leave door open or we will rob you ? (-1, Troll)

binkzz (779594) | more than 5 years ago | (#28660997)

Except that history has shown that many software companies won't actually fix problems until forced to do so by full disclosure.

[citation needed]

Re:Leave door open or we will rob you ? (1, Insightful)

smoker2 (750216) | more than 5 years ago | (#28661045)

Prick.
Are you sat in front of a keyboard with full access to the internet? This isn't a written dissertation, it's a live environment. Look around for yourself. You probably would only argue semantics if he had cited other instances.

Re:Leave door open or we will rob you ? (0)

Anonymous Coward | more than 5 years ago | (#28661117)

not really, idiot

Re:Leave door open or we will rob you ? (2, Funny)

Svartalf (2997) | more than 5 years ago | (#28660891)

Good analogy- so it's not in keeping with the "proper, slashdot analogy" thinking.

You have to do a **BAD** car analogy for it to be that.

Re:Leave door open or we will rob you ? (1)

Hurricane78 (562437) | more than 5 years ago | (#28660905)

Exactly. It sounds like straight out of the mouth of Zensursula [wikipedia.org] , who enforced censorship and filtering of the net in Germany, to "fight against child porn", while in reality it just results in a protective cover above the real child porn criminals.

Re:Leave door open or we will rob you ? (1)

not_anne (203907) | more than 5 years ago | (#28661059)

Respectfully, you're missing the point. Their point is that full disclosure helps the exploiters exploit more. Anti-sec is pointing out that there are two main ways that full disclosure is a bad thing:

1. Full disclosure allows cut and paste script kiddies to wreak continual havoc with detailed and fully documented exploits from the whitehat security industry.

2. The whitehat security industry (antivirus, firewalls, auditing services) profit hugely from full disclosure by scare tactics.

They are pushing for change in the whitehat security industry itself, so that script kiddies and security companies stop exploiting the consequences of full disclosure.

I was a victim... (0)

Anonymous Coward | more than 5 years ago | (#28660387)

My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead.

Re:I was a victim... (3, Funny)

Niris (1443675) | more than 5 years ago | (#28660771)

Thankfully you're a /. user, so the goatse.cx picture was probably better.

Re:I was a victim... (1)

tomhudson (43916) | more than 5 years ago | (#28660797)

"My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead."

Since you're posting anonymously, it was probably an improvement.

Now, back on-topic ... rule #1 - "follow the money and see who benefits". Who else is against full disclosure? Malware vendors, anti-virus companies, Microsoft, the Russian Business Network, click-fraudsters, bot-netters - they're ALL against full disclosure. They ALL would rather that vulnerability information be closely held, so that they can either ignore it or exploit it to their economic advantage.

I'm not saying Anti-Sec is working with them - they may also fit the definition of "useful fool." But either way, they ARE acting like a bunch of tools, in the Urban Dictionary sense of the word [urbandictionary.com] .

Re:I was a victim... (1)

houstonbofh (602064) | more than 5 years ago | (#28660815)

My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead.

Ohh... Sorry... I thought that was your graduation. You know... Senior prank to the principal. Shake his hand and, OH MY GOD!

Fing Funny (0)

Anonymous Coward | more than 5 years ago | (#28660407)

That's the problem with limiting free speech. Who is enlightened enough, trustworthy enough, and wise enough to be the gatekeepers of knowledge?

Anti-Sec?

The same idiot who would do this and threaten what they have done? Maybe Anti-Sec should talk to Theodore Kaczynski about how well threatening others because of one's lofty ideas works out.

SERIOUSLY offensive BS. And I'm diametrically opposed to its position. FIX THE SOFTWARE THEN!!! And don't tell me I don't have the right to know about the security flaws in YOUR software YOU want ME to use.

Re:Fing Funny (1)

Kell Bengal (711123) | more than 5 years ago | (#28660659)

Why should knowledge need a gatekeeper in the first place? People say "We can't let this fall into the wrong hands!" but security through obscurity is a losing strategy, if that's all you're doing. I'm not advocating we have no secrets, but I think we have more to gain by disclosing and improving than we do through hiding what we know under a white sheet in the hopes that nobody else knows about it. Remember, if we figured it out, they can figure it out - and then we'll still have the problem but nobody else will be informed or prepared when the hammer falls.

not again (1)

delete2kill (1449861) | more than 5 years ago | (#28660431)

It's the new fad... or is it the same old bottled in new? Trust it to die out soon...

HaCk ThE PlanET!!! (4, Funny)

carn1fex (613593) | more than 5 years ago | (#28660447)

These punks don't know who they're messin' with!! Me and my posse are putting on our roller blades, spiking our hair and taking them out with our camouflage thirty three point six bee pee ess moh demz.

Re:HaCk ThE PlanET!!! (1)

Xenoproctologist (698865) | more than 5 years ago | (#28660739)

You know, I had happily repressed that little slice of cultural wasteland. Now it's all flooding back -- and it's brought most of the '80s along for the ride.

Re:HaCk ThE PlanET!!! (0)

Anonymous Coward | more than 5 years ago | (#28660749)

ObLiGaToRY!!1 [youtube.com]

wow what an awesome idea! (4, Interesting)

trybywrench (584843) | more than 5 years ago | (#28660469)

What an effective way to distribute a message: hack one of the world's most popular image hosting sites and replace all the images with your manifesto! Every site with an image linked back to ImageShack would be displaying your message. Instant.global.audience. I'm not justifying what they did and I'm all for the feds handing out a beat down, after all, the law is the law, but man, what a good idea.

Re:wow what an awesome idea! (4, Informative)

Pyrion (525584) | more than 5 years ago | (#28660507)

Except they haven't replaced all of the images. I just looked in my account and only one of my images (a horribly outdated tf2 screenshot, of all things) was replaced.
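Pyrion's observation that only some of the images in an account were swapped is exactly what an integrity audit of hotlinked images should surface, and trybywrench's point that every page embedding those images displayed the replacement is why a site operator would want one. The block below is an added example, not code from this thread, from ImageShack or from Anti-Sec: it hashes every third-party-hosted image against a known-good manifest, reports which ones changed or failed to load, and flags the stronger signal of many distinct URLs suddenly serving identical bytes, which is what a mass replacement with one picture looks like. The hostnames, image bytes and manifest are constructed for the example so it runs offline.

```python
"""Integrity audit for images hosted on a third-party service.

Added example; not code from the Slashdot thread, ImageShack or Anti-Sec.
All hostnames, image bytes and the baseline manifest are constructed here
so the script runs offline. A real run would fetch each URL and keep the
manifest from a crawl taken when the images were known to be correct.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image's raw bytes."""
    return hashlib.sha256(data).hexdigest()


def audit(manifest: Dict[str, str], fetched: Dict[str, bytes],
          collapse_threshold: int = 3) -> dict:
    """Compare currently served images against a known-good manifest.

    manifest: url -> expected sha256 hex digest
    fetched:  url -> bytes served now (absent key = fetch failed)
    Returns:
      changed:   urls whose bytes no longer match the baseline
      missing:   manifest urls that did not come back at all
      collapsed: digest -> urls, for digests served by at least
                 collapse_threshold distinct urls. Many different images
                 suddenly hashing to one value is the signature of a
                 mass replacement, even if the baseline is incomplete.
    """
    changed: List[str] = []
    missing: List[str] = []
    by_digest: Dict[str, List[str]] = defaultdict(list)
    for url, expected in manifest.items():
        data = fetched.get(url)
        if data is None:
            missing.append(url)
            continue
        actual = sha256_hex(data)
        by_digest[actual].append(url)
        if actual != expected:
            changed.append(url)
    collapsed = {d: sorted(urls) for d, urls in by_digest.items()
                 if len(urls) >= collapse_threshold}
    return {"changed": sorted(changed),
            "missing": sorted(missing),
            "collapsed": collapsed}


# Constructed sample data (hypothetical hostname, fake image bytes).
HOST = "https://img.example.test/"
ORIGINALS: Dict[str, bytes] = {
    HOST + "a.png": b"\x89PNG\r\n\x1a\n image a",
    HOST + "b.png": b"\x89PNG\r\n\x1a\n image b",
    HOST + "c.png": b"\x89PNG\r\n\x1a\n image c",
    HOST + "d.png": b"\x89PNG\r\n\x1a\n image d",
    HOST + "e.png": b"\x89PNG\r\n\x1a\n image e",
}
MANIFEST: Dict[str, str] = {u: sha256_hex(b) for u, b in ORIGINALS.items()}
# One image that has replaced several originals, standing in for the
# manifesto picture described in the story.
REPLACEMENT = b"\x89PNG\r\n\x1a\n manifesto"


def simulated_fetch() -> Dict[str, bytes]:
    """Pretend fetch: a, b and c replaced, d unreachable, e intact."""
    served = dict(ORIGINALS)
    for name in ("a.png", "b.png", "c.png"):
        served[HOST + name] = REPLACEMENT
    del served[HOST + "d.png"]
    return served


def run_sample() -> dict:
    """Audit the constructed fetch against the constructed manifest."""
    return audit(MANIFEST, simulated_fetch())


if __name__ == "__main__":
    report = run_sample()
    for key in ("changed", "missing"):
        print(key, report[key])
    for digest, urls in report["collapsed"].items():
        print("collapsed", digest[:12], len(urls), "urls")
```

The per-image comparison only catches what the manifest covers; the collapse check is the one that still fires when the baseline is stale, because a legitimate image host never serves the same bytes for dozens of unrelated URLs.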

bitchslap kids (0)

Anonymous Coward | more than 5 years ago | (#28660487)

These morons prove that when you have a small penis and no brains, you'll do anything to get your 15 minutes of fame. I hope they get caught and become an obedient bitch for some big convict one day soon.

Best pro full-disclosure advert ever (3, Insightful)

AmiMoJo (196126) | more than 5 years ago | (#28660541)

This hack demonstrates exactly why we need full disclosure. If I used ImageShack to host important images (e.g. a lot of people use it for blog images or forums) and someone figured out a way to hack in, I'd want to know about it so I can take steps to protect myself. What if someone uploaded child porn and it appeared on my forum?

It's always better to know than to stay ignorant. It might harm the companies behind affected products, but if it was a safety issue (e.g. your car can occasionally explode while filling it with petrol, which actually happened) there would be no question that full disclosure would be a good thing.

Re:Best pro full-disclosure advert ever (1)

MonsterTrimble (1205334) | more than 5 years ago | (#28660679)

I agree fully. Personally, I want to know why these guys decided to hit ImageShack - easy target? They say that they are going after exploitative & detrimental communities which do the full disclosure thing. Maybe I missed the memo, but when the hell did ImageShack become astalavista? BTW - you killed Astalavista? YOU BASTARDS!!!

Re:Best pro full-disclosure advert ever (1)

EdZ (755139) | more than 5 years ago | (#28660809)

If I used ImageShack to host important images

Then you're a bit of a prat?

Help for the unfamiliar (-1, Troll)

bradbury (33372) | more than 5 years ago | (#28660569)

For those unfamiliar with the site and only loosely following security issues, is there any speculation on how the hack was done? Was ImageShack stupid enough to be hosting a web site on Windows or was it a Linux hack? Was the site designed (perhaps mis-designed) to allow remote users the ability to upload data? Or was it something as simple as allowing ssh or ftp from anywhere?

If it's a Windows hack, the story lead-ins should perhaps reveal that so Linux users know whether or not they should just shake their heads or whether they should actually be concerned.

Re:Help for the unfamiliar (5, Interesting)

klui (457783) | more than 5 years ago | (#28660627)

It doesn't show the details but their website gives a summary. http://romeo.copyandpaste.info/txt/imageshack-pwned.txt [copyandpaste.info] How accurate, who knows.

Re:Help for the unfamiliar (0)

Anonymous Coward | more than 5 years ago | (#28660753)

Obviously fake: that shows a Linux box getting hacked into.

Re:Help for the unfamiliar (0)

Anonymous Coward | more than 5 years ago | (#28660953)

meh.
if that's the system ImageShack uses... linux 2.6.15-1 ... only that thing has 7 pages of bugs on securityfocus.com....

but... if you are against full-disclosure, why the heck do you hack ImageShack?
securityfocus, milw0rm, and countless other websites should be their target, instead they hacked ImageShack...

to me, they're just a bunch of lamers who wanted to shout "hey! we're here too!"...
"everyone and everything is getting owned"... oh come on... are you really *that* dumb?

"The security industry uses full-disclosure to profit and develop..."
"our battle is that of the removal of full-disclosure for the purpose of making it harder for the security industry to exploit its consequences"...

it's like saying "i got t3h guns! no one else must have it! i'll protect everyone!"
come on... this is childish...

Re:Help for the unfamiliar (0)

Anonymous Coward | more than 5 years ago | (#28661003)

Interesting. That does lend credence to the theory that they have an exploit for an old version of sshd, since it's explicitly mentioned in their script output that the servers were running openssh-4.5.

Then again, it's not unthinkable that the script output is faked, and they're just trying to ride the publicity from the supposed break. Without more details it's impossible to be sure.

Re:Help for the unfamiliar (1)

klui (457783) | more than 5 years ago | (#28661185)

Interesting. That does lend credence to the theory that they have an exploit for an old version of sshd, since it's explicitly mentioned in their script output that the servers were running openssh-4.5.

Then again, it's not unthinkable that the script output is faked, and they're just trying to ride the publicity from the supposed break. Without more details it's impossible to be sure.

img1...us is running on 4.5; there is no img998...us though. Yes, the logs definitely don't show all details nor do we have any way of knowing if they're all true. Their hack into two other sites appears to indicate they used an OpenSSH 4.3 vulnerability. http://romeo.copyandpaste.info/txt/nowayout.txt [copyandpaste.info] http://romeo.copyandpaste.info/txt/ssanz-pwned.txt [copyandpaste.info]

Others have linked to other sites on this thread that speculate a 0-day vuln for the most up-to-date version of OpenSSH exists and this is a way for them to target more people. That would be interesting. It will show if the open method is good for exposing bugs in a timely manner. It will also show how a lot of sysadmins do not have the time or maybe skill to go over all changes in a distribution to see if it's secure. I know many times I would download a dist. and compile and if make test passes, I install.
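The comments above treat the OpenSSH version strings in the posted logs (4.3 and 4.5) as the main clue. A practitioner's first move on hearing that is to inventory their own fleet's banners. The script below is an added example written for this page, not code from the thread or from the Anti-Sec logs: it parses the SSH identification banner a server sends on connect ("SSH-2.0-OpenSSH_4.5" and similar), extracts the OpenSSH version, and flags anything at or below 4.5. The host names and banners are constructed sample data, and the 4.5 cut-off is taken from this thread's speculation, not from any advisory. Note the caveat the code encodes in its comments: distributions backport fixes without bumping the banner, so a flagged banner is an inventory signal to follow up on, not proof of exposure.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed sample data (assumed, not captured from ImageShack or any real host):
# host -> the identification string the server sends on TCP/22.
SAMPLE_BANNERS: Dict[str, str] = {
    "img1.example": "SSH-2.0-OpenSSH_4.5\r\n",
    "img2.example": "SSH-2.0-OpenSSH_4.3p2 Debian-9\r\n",
    "img3.example": "SSH-2.0-OpenSSH_5.2p1\r\n",
    "img4.example": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "img5.example": "SSH-2.0-dropbear_0.52\r\n",
}

# Versions at or below this are flagged; the value comes from the thread's
# speculation about 4.3/4.5, not from a published advisory.
MAX_SUSPECT_VERSION: Tuple[int, int] = (4, 5)

# RFC 4253 identification string: "SSH-<protoversion>-<softwareversion> [comments]".
# OpenSSH's softwareversion looks like "OpenSSH_4.3p2"; the "pN" portable
# patch level is optional and a distro comment may follow after a space.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:p(?P<patch>\d+))?(?:\s+(?P<comment>.*))?$"
)


class SshBanner(NamedTuple):
    proto: str                   # "2.0", or "1.99" when SSH-1 compatibility is also offered
    version: Tuple[int, int]     # (major, minor) of the OpenSSH release
    patch: Optional[int]         # portable patch level, if present
    comment: str                 # vendor/distro comment, often empty


def parse_banner(line: str) -> Optional[SshBanner]:
    """Parse one OpenSSH identification line; return None for non-OpenSSH banners."""
    m = BANNER_RE.match(line.strip())
    if m is None:
        return None
    patch = m.group("patch")
    return SshBanner(
        proto=m.group("proto"),
        version=(int(m.group("major")), int(m.group("minor"))),
        patch=int(patch) if patch is not None else None,
        comment=m.group("comment") or "",
    )


def classify(banner: Optional[SshBanner], max_suspect=MAX_SUSPECT_VERSION) -> str:
    """'flag' for OpenSSH at or below the cut-off, 'ok' above it, 'unknown' otherwise.

    A 'flag' only means the advertised release is old. Distributions backport
    security fixes without changing the banner, so confirm against the package
    changelog before treating a flagged host as vulnerable.
    """
    if banner is None:
        return "unknown"
    return "flag" if banner.version <= max_suspect else "ok"


def audit(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its verdict; tuple comparison keeps 4.10 > 4.5 correct."""
    return {host: classify(parse_banner(raw)) for host, raw in banners.items()}


if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{host:15} {verdict}")
```

To use it against real hosts, replace SAMPLE_BANNERS with the first line read from each server after connecting to port 22 (the banner is sent before any key exchange, so no authentication is needed to collect it); the parsing and classification do not change.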

Re:Help for the unfamiliar (1)

maxume (22995) | more than 5 years ago | (#28660779)

They are running lighttpd and PHP (at least, that is what the headers say), so I doubt they are running on Windows.

Re:Help for the unfamiliar (0)

Anonymous Coward | more than 5 years ago | (#28660957)

Shush, you're not helping the OP's superiority complex.

They have a point but it's not that simple (0)

Anonymous Coward | more than 5 years ago | (#28660605)

Yes, by using full disclosure some exploits become much worse because then it becomes something anyone can do. But some companies won't fix their exploits if they're not known about and I'm not sure I'd feel much better with a handful of experts able to pinch my money over a long period of time or having a load of script kiddies able to do it in a shorter period of time.

Easy to identify ? (2, Insightful)

sugarmotor (621907) | more than 5 years ago | (#28660615)

Their language and style sound rather distinct. If other writings by them are available on the web, they should be easy to identify.
There's also quite a lot of text.

Stephan

Re:Easy to identify ? (0)

Anonymous Coward | more than 5 years ago | (#28660849)

Not necessarily. To me it comes off a lot like Anonymous' writing style (and before I get attacked by rabid fanboys, yes I know they are _not_ Anonymous, completely different group, blah blah gtfo NEWB, and other assorted retarded memes)

They have a point but it's not that simple (1)

thetoadwarrior (1268702) | more than 5 years ago | (#28660629)

Yes, full disclosure can make things worse but some companies take an "out of sight, out of mind" approach to fixing exploits and if no one knows about it they don't fix it.

But I'm not sure it's much better only having a few experts able to steal money and run bot nets over a longer period of time or a lot of clueless script kiddies doing it within a shorter period.

Re:They have a point but it's not that simple (1)

Svartalf (2997) | more than 5 years ago | (#28660821)

The biggest problem with this thinking is that the experts eventually sell the tech to the script kiddies to gain maximal value from the exploit. So, in this case, you have the worst of both worlds- they use it over a longer period of time AND then you have a lot of clueless script kiddies doing it over a medium period of time before the companies get pressured into fixing the damn thing in the first place.

Security through obscurity is NOT an answer- as you pointed out, they typically don't fix it if they can help it. :-D

From their manifesto: (1)

Hurricane78 (562437) | more than 5 years ago | (#28660693)

Apparently they are against full disclosure of exploits, because this would lead to the cracks in the first place.

Sounds to me like they are Microsoft PR workers in disguise. ^^

So rash (2, Funny)

UnixUnix (1149659) | more than 5 years ago | (#28660715)

They didn't even bother to Ask Slashdot :(

What's New? (0)

Anonymous Coward | more than 5 years ago | (#28660765)

People have been defacing websites for more than a decade. Twitter gets screwed nearly every day by kids. Some flashy kiddies who act so immaturely should just be ignored - all this slashdot article has done is further their attention grabbing. Anyhow, someone is always looking to break in. Give the chance for people to fix it, give time for the patch to propagate, let the people know what caused it - someone else might trigger something in their mind for some other software. And of course, this is fully usable in a malicious way. But my kitchen knife is also fully usable as a murder weapon.

Wikipedia?! (1)

jkxx (739331) | more than 5 years ago | (#28660785)

Anyone seeing abnormally slow load times for wikipedia at this time? (Or at least a very odd title image)

I'm not sure I get it (3, Insightful)

sjames (1099) | more than 5 years ago | (#28660787)

In order to put an end to security consultants and companies spreading fear of being hacked in order to sell security oriented products and services, they will go on a reign of terror hacking everything that isn't secured to the nines? Uhmmmmmm. I'm not sure how that works.

Re:I'm not sure I get it (4, Insightful)

maxume (22995) | more than 5 years ago | (#28660917)

It probably makes more sense if you are 15.

I'm hoping.. (2, Insightful)

slashkitty (21637) | more than 5 years ago | (#28660801)

that this is just some sort of reverse logic... because now, anyone wanting to hide details of sec exploits are thrown into the group of these "nasty hackers"..

I mean, it's mostly only big corps that are for "non-disclosure".. the rest of the free world wants to know!

How is imageshack a supporter of full disclosure? (0)

Anonymous Coward | more than 5 years ago | (#28660807)

supporters of full-disclosure and the security industry in its present form

(whatever that is)

How does imageshack fit into that definition? I guess it's just another script kiddy who chose imageshack because he happened to know an exploit, and the alleged cause is pure trolling BS.

Ok. (1)

EddyPearson (901263) | more than 5 years ago | (#28660817)

Guess the OpenSSH bug is real...

Confused... (1)

WPIDalamar (122110) | more than 5 years ago | (#28660825)

I'm confused.

So they're a group of black-hat hackers? I assume this since, well, what they did qualifies as black hat hacking.

So that would mean they WANT a less secure world, right? They don't want vulnerabilities fixed. They don't want people to know about them. They want less competition from script kiddies.

But they're arguing against full disclosure in a way that makes it sound like they want a more secure world.

Actually, that's Brilliant!

It's almost like saying "I want more republicans in office, so go vote democrat!", but their subject matter is such that most people won't understand and actually agree with them.

Some observations (2, Informative)

rs79 (71822) | more than 5 years ago | (#28660843)

1) The text was syntactically and grammatically near perfect. You don't often see that in these sorts of things.

2) The cadence and style was sort of familiar. I was always able on usenet to identify forgeries not by the path, but by the way they were written. Any idiot can put words where they're not supposed to be, but very few people can write like somebody else.

3) I posit that if they weren't good intentioned they'd have hacked DHS.

It would not surprise me if this turned out to be a bunch of CS/security professors or the like, or their minions doing their work.

From the message, I'm absolutely certain they're in America, and had either a very rigorous or British schooling.

Re:Some observations (1)

Psyborgue (699890) | more than 5 years ago | (#28660901)

I agree. Something doesn't smell right.

Re:Some observations (2, Funny)

maxume (22995) | more than 5 years ago | (#28661023)

I no get rigorous or Brit schooling and I are good grammer.

What I mean is, that is quite a statement to make, there are plenty of people who learned to write by reading, not in school.

Judging by the thought process behind this (1)

93 Escort Wagon (326346) | more than 5 years ago | (#28660865)

So the average age of this group is apparently what, 15 or thereabouts?

Re:Judging by the thought process behind this (2, Funny)

smoker2 (750216) | more than 5 years ago | (#28661085)

Are we talking about /. now ?
Oh sorry that's mental age.

The motive and action contradict each other.. (1)

Seth Kriticos (1227934) | more than 5 years ago | (#28661031)

The fact that they hacked ImageShack shows that there is a vulnerability, probably one that was exposed before. In terms of natural selection this is a good thing to make the severity of the vulnerability clear. I think it would be a good thing if these kinds of attacks happened more often to get a better relation to the security situation overall, because many companies and individuals tend to ignore it otherwise.

Their message is complete bollocks though. Full disclosure in combination with destructive exploiting would harden the technology, but their agenda is to just 'not talk' about holes in the security, which is completely stupid, as it would only produce temporary or no relief at all and then someone would wreak much more havoc.

So their statement "Security through obscurity" is complete crap, but we already know that.

Now away from wishful thinking, what will probably happen?

1. As these guys/girls (probably script kiddies, as they don't seem to have much cognitive power) did cause some financial damage, they will probably be tracked down and sentenced to something not nice for them (as they stepped on both sides' toes).

2. People with financial interest exploiting vulnerabilities will continue to do so while they'll be staying below the radar (full disclosure or not, it stays like this), as companies don't give a damn in cases where the damage is not obvious or not on their side.

3. The security industry will stay as it is - because the white hat approach works better than the alternative.

I agree (0)

Anonymous Coward | more than 5 years ago | (#28661115)

Full disclosure is not the solution for security vulnerabilities like this one [imageshack.us] , oh wait...
