life, code, and idiocy

the journal of dan fuhry

 

Re: ImageShack

July 11th, 2009

That was a cool takeover job there – owning ImageShack, and earning yourself what has been regarded as one of the best advertising campaigns ever. Well done. Here’s my breakdown of your threat.

Anti-sec. We’re a movement dedicated to the eradication of full-disclosure. We wanted to give everyone an image of what we’re all about.

OK then, let’s hear it. For the record, I respect all opinions. I read your messag– errm, image in full the first time I saw it.

Full-disclosure is the disclosure of exploits publicly – anywhere. The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software, and auditing services.

In some cases, that can be completely true. Firewalls, anti-virus software, and auditing services can only do so much. For instance, a lot of exploits on web applications are based on different types of malformed HTTP requests. I’ve studied these a lot. That’s why I have automatic systems in projects like Enano to filter out common types of attacks. I completely acknowledge that it’s not perfect, and I wouldn’t be surprised if there’s a huge hole sitting under my nose. All I can do is design my project with security in mind and carefully consider security when I’m coding each component.

That said, I don’t consider “IE6 is outdated and insecure – you should upgrade!” to be a scare tactic. Maybe “Protect your web infrastructure with Acme, Inc. Heuristic HTTP Firewalls” could fall within that scope if it’s marketed as the only way to keep your website from getting hacked. But that’s advertising. I don’t necessarily agree with that kind of marketing either, but they are trying to sell their product. I share the view that ads like that market to idiots who think they can put a black box in between their router and web server and be unhackable, but I guess I’m just too white-hat to say that they deserve to be destroyed. I feel like I have the same discriminatory and sometimes hateful attitude towards n00bs sometimes, but that is not an excuse to do anything illegal.

Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable.

Script kiddies are a part of life. They’re also part of the security ecosystem, whether you like it or not. I hate them too. Fact is, there’s a concept called BORE – Break Once, Run Everywhere – that says that if one person publishes an exploit, it will propagate everywhere in time. I haven’t written any live exploits for this Enano security vulnerability whose patching was the reason for 1.0.6, but someone could easily look at the regular expression and figure out what was being filtered out and write an exploit. Boom, goes on milw0rm, exploit in the wild and I can’t do a damn thing about it. If there’s a hole, there will be an exploit somewhere. And open source software has no way to really avoid full disclosure because of version control and diffs.

If we didn’t have script kiddies, people would have no inclination to apply updates, and when someone did decide to pull off an elaborate hackfest, it would be mayhem. Instead, full disclosure means ImageShack contained your attack enough that they were able to restore everything from backups with no particularly heavy repercussions.

Full disclosure is inevitable. The whole reason full disclosure policies are put into place is because every vulnerability will get leaked at one point or another, so best to just publish it and get it over with, so that others can understand the vulnerability and avoid similar problems within their own code. Full disclosure is a driving force behind the growth of the security and software industry because people learning from each other is the most productive way for a group as a whole to become better. And because full disclosure is an inherent part of open source software as mentioned above, if you are against full disclosure, you are also against open source software. Open source software that you’re probably using to pull off your hackfest. I dare you to hack my blog with only closed source tools. In fact, I’ll make a bet. If you do that and e-mail me with a detailed explanation of how you did it, I’ll replace this blog with whatever non-pornographic “pwn3d” page you want.

As an added bonus, if publication wasn’t enough, these exploits are mirrored and distributed widely across the Internet with a nice little advertisement embedded in them for the crew or website which first exposed the vulnerability to the public.

It’s about money. While the world is difficult to change, and money will certainly continue to be a very important in the eyes of many, our battle is that of the removal of full-disclosure for the purpose of making it harder for the security industry to exploit its consequences.

What’s wrong with giving credit where credit is due? What’s the problem with a little self-promotion? What’s the problem with being competitive?

For what it’s worth, I don’t make a dime when someone visits my blog or any of my other sites. I pay $10 a year for the domain, and I host it all myself. But I’ll still credit myself if I ever post an exploit, because it helps me to build a reputation. I’m a kid that just graduated high school and am looking to make a name for myself in the security industry so that I can get a good job and make a living. How am I supposed to do that if I don’t get any credit for my work? It pays to put “Discovered X vulnerability in Acme, Inc. Foo Application (CVE-2009-1234)” on a résumé.

It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies, and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.

How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits… “you are a target and you will be rm’d. Only a matter of time.” This isn’t like before. This time everyone and everything is getting owned.

Signed: The Anti-sec Movement

Try me.

I just wrote my argument on why full disclosure is good for the industry. Counter it, and you’ll get your message pushed across further. Or, you can just hack my blog to death using your tools that were authored around the very principle you are rejecting, and I’ll just shell into my server and take down your “pwn3d” page and restore a backup, and you won’t get anywhere.

Bring it on, I dare you.

 
20 Comments | Posted in Uncategorized

20 Responses to “Re: ImageShack” (post new)

  1. popurls.com // popular today
    July 12th, 2009 at 5:01 pm
     

    popurls.com // popular today…

    story has entered the popular today section on popurls.com…

  2. b
    July 12th, 2009 at 5:07 pm
     

    They didn’t own hundreds, they simply took control of the main and used a redirect so that all images accessed through imageshack.com, which included the sub-domains, redirected to their own image.

  3. John Lewis
    July 12th, 2009 at 6:18 pm
     

    Who gives a shit?

  4. royal
    July 12th, 2009 at 7:09 pm
     

    I applaud your challenge. Any group the promotes any form of security through obscurity just doesn’t understand how computer security works.

  5. chkno
    July 12th, 2009 at 7:23 pm
     

    Regarding “open source software has no way to really avoid full disclosure because of version control and diffs.”:

    Closed source software has no way to avoid it either. It’s only slightly harder to compare two binaries, pre and post fix, and determine what the vulnerability was. See this paper on *automatically* generating exploits from Windows Update patches: http://www.ece.cmu.edu/~dbrumley/pubs/apeg.pdf

  6. Desu
    July 12th, 2009 at 9:38 pm
     

    Time to upgrade the shared hosting account, eh?

  7. worldStupid++;
    July 12th, 2009 at 10:44 pm
     

    this is simple, and it has nothing to do with software. you either support a society where information flows freely amongst its members or you support an oligarchy where self appointed dick-douches get to enforce their will. Now i don’t want to suggest that anti-sec actually compares to a genuine oligarchical entity, far from it. In fact, the similarities are few and far between once you take a step beyond dick-douche. Actually, I think that last statement was a bit vague. here, let me clarify my point:

       ________________________________________
  /               /         \              \
 /      A        /   A U B   \       B      \
|               |             |              |
|   anti-sec    | dick-douche | oligarchy    |
|               |             |              |
 \______________\____________/______________/

    there. that should cover it.

    seriously, who attacks a free service that plays no tangible role in propagating the supposed “evils” that you seek to rectify?

    anti-sec can lick my nuts.

    Mod node: Formatting fixed

  8. Eric
    July 13th, 2009 at 1:08 am
     

    I think you might have the Anti-Sec argument backward – you seem to agree that hacking with closed source tools is more difficult. This sounds like the argument Anti-Sec is making. I believe the goal of Anti-Sec is not to hack your box…in fact it’s quite the opposite. So even if “having it Anti-Sec’s way” means closed source (which I don’t know if I agree that it is), and this makes it harder to hack your box, then it seems their argument is pretty valid.

    I don’t have my foot in either camp, but it’s an interesting debate to watch. Also, not sure if I’d advise you to invite people to hack you when you run your blog off Wordpress…(!)

  9. Dan Fuhry
    July 13th, 2009 at 1:28 am
     

    Eric:
    I don’t quite understand where you’re coming from – my argument is just that full disclosure is made inevitable by open source software, so if they are against one, they must be against the other, and they must therefore use closed source tools, which I think are harder to hack with personally.

    Yes it’s Wordpress, but it’s the latest version available, and I run (*checks*) 2 plugins, both are up to date, one is officially bundled (Akismet) and the other is entirely security related (Yubikey). Hopefully I’ll be safe, I have a fair amount of trust for this code, but if not, then it is what it is.

    Desu:
    You won’t believe this but it’s running off of my home server (with a couple of newly added iptables rules, might I add) through my somewhat less-than-adequate broadband connection. Yes, it’s slow. I’ve done my best to contain the sudden surge of traffic without getting completely DDoSed. Bear with me OK? :)

  10. Eric
    July 13th, 2009 at 1:51 am
     

    Dan:
    So if Anti-Sec is against full disclosure, (and thus against open source), and the alternative (closed source) is harder to hack with, shouldn’t you be in support of Anti-Sec’s position?

    I guess this assumes you WANT things to be harder to hack…Aha! I have caught on, Dan!

  11. Dan Fuhry
    July 13th, 2009 at 2:03 am
     

    I’m not in support of their position, I’m just looking at it from their angle. They hate full disclosure and by extension open source, so they are being hypocritical by using the tools they hate, so if they really believed their own philosophy they should be using closed source tools.

    Notice that “I think” open source tools are harder to hack with. Opinion. It has nothing to do with my factual presentation above.

    I agree with most of the reddit commenters: they just want everything to be easier for them to hack. They want to own the world, and don’t seem to understand that we’re telling them the same thing we told the last group with similar ambitions: Dream on.

  12. Eric
    July 13th, 2009 at 2:16 am
     

    I believe we may be discussing two different things. In any case, how do we know they didn’t use closed source tools? I agree it’s likely they put on their s’kiddy hat to do it, but I haven’t seen any reports of how the hack was done. Does anyone know? Or has Anti-Sec won in this case (in terms of no full-disclosure of their hack)?

  13. Dan Fuhry
    July 13th, 2009 at 2:21 am
     

    It’s an OpenSSH hole of some sort, and I think they are script-kiddies, in the sense that they wrote their own code but use the same thing everywhere. So seeing as I have SSH firewalled pretty carefully, I don’t really even perceive them as a threat.

  14. secy
    July 13th, 2009 at 12:14 pm
     

    like worldStupid++; said, “anti-sec can lick my nuts.”

  15. Phil
    July 13th, 2009 at 12:15 pm
     

    fwknop ftw.

    Great post Dan. I agree with everything, glad I came across this post.

  16. Douche LaRue
    July 13th, 2009 at 2:03 pm
     

    This “anti-sec” stuff sounds exactly like the kind of boneheaded teenage manifestos I used to see in high school. I’m sure the hundreds of thousands of people involved in computer security worldwide are trembling in their boots at being “destroyed” by these jokers.

    Oh noes! People are exploiting public ignorance for profit! They must be destroyed! Hey, how about you turn your rage on more deserving targets, like the oil companies or multinational food conglomerates? I mean, computer security? Really?

  17. Snife
    July 13th, 2009 at 4:35 pm
     

    @Dan Fuhry

    Bravo! I’m glad to see someone call out the so-called “anti-sec movement” on its ridiculous and hypocritical statements. I would like to see them get stealthrm’ed and shamed, but that’s just the mean guy in me.

  18. James
    July 14th, 2009 at 12:37 pm
     

    You do not seem to understand, or maybe I don’t.. but let me try to show you what I understood..

    @b:

    You should contact ImageShack it self, just like I did… the 998 servers were compromised.
    this is not like a shared hosting env. where if you gain access to main domain you can edit all the subdomains, no. every subdomain on imageshack had its own different server.

    @Dan:

    No one knows for sure it was an OpenSSH vuln, so don’t be so sure that this is the only thing they have, because even that has not been confirmed.. Astalavista did not run OpenSSH 4.3, they even had there SSH iptabled..

    One more thing, I found this:

    http://pastebin.com/f6e27894b

    It really explains the movement way better than that image, you should give it a read.

  19. Anti-Sec: Not a True Hacker Group - *NIXEDBLOG 3.0
    July 14th, 2009 at 10:19 pm
     

    [...] software to allow the source code and the software itself to be shared.  Thanks to a comment on Dan Fuhry’s blog, I ran across a more eloquent argument.  There is an inevitable problem [...]

  20. Thomas Holbrook II
    July 14th, 2009 at 10:40 pm
     

    I read the argument from the pastebin link, but I still disagree with the argument. Doesn’t this violate the Hands On Imperative?

Leave a Reply