A hacking group has broken into one of the biggest image hosting websites on the net before uploading its manifesto. "Anti-Sec" broke into ImageShack to post a protest over sites that publish full disclosure material on security vulnerabilities, though how the attack furthers this agenda is unclear. The group, which also …
Yeat another trolling skript kiddie.
"Ironically, exploit code associated with Anti-Sec's latest attack was posted on a full disclosure mailing list."
I'd image that's kind of their point ;)
my own view is that full disclosure should only happen,
a) sometime after the vendor issues a patch, or
b) after attacks are known to be widespread, or
c) if the vendor isn't updating their stuff
if i post lots of pro disclosure stuff
will they hack the reg ??
What Anti-Sec is, and what they *say* they are...
... are two entirely different things.
What they really are is a bunch of carders and russian spammers who hate full disclosure because they want to keep their 0-days to themselves and keep sites vulnerable so they can carry on breaking into them and stealing CCs. All the rest is just disinformation, spin and propaganda.
They *are* the skiddies, and they hate it when systems get secured; they attack full disclosure because it *works and protects* people, not because it exposes them to some theoretical risk that they were already exposed to anyway but just didn't know it. Like a lot of gangsters they would like to portray themselves as noble Robin-Hood-like vigilantes, but it's all bullshit; they're just another gang of thieving little scrotes.
"It also ignores the point that cybercrooks often profit from undisclosed vulnerabilities."
Who wants to bet this is actually the reason for the hack?
They make it look like a legit group with a legit concern in the hope people will listen, but the real reason they want to halt full disclosure is because it's harming the profits of online criminal gangs due to full disclosure cutting the amount of money they can churn out of an exploit before it's fixed.
We've known for years that some companies can take years to fix an exploit unless their hand is forced to fix it earlier through full disclosure. This group probably want to exploit that for profit and full disclosure just aint helping them do that.
Though how the attack furthers this agenda is unclear
Easy - forums right across the interwebs have people hosting sigs and other images on imageshack. They were all replaced with the notice.
Quick way to get the word around. ;)
A secure Internet...
i) one where all vulnerabilities are kept quiet and only exploited by those that discover them.*
ii) one where there is no privacy and every action is logged by governments.
iii) one where there is no anonymity and every action can be traced to an identity and physical street address.
*Thus only the elite few would be able to create mischief (should that be their goal) as opposed to just about anyone smart enough to run the metasploit frame work... Namely script kiddies. I see a double edged sword here.
A secure Internet is the end of the internet as a useful resource for the oppressed.
Long live the wild West. One can only secure that which one controls, So who's going to step up and control the internet? Will the technology ever be there to do so? And do we really need another Wyatt Earp?
I don't know enough to answer these questions, but thanks to full disclosure I am smart enough to cover my own ass. So keep them coming because without them I wouldn't be.
I like the Internet the way it is, which self respecting anarchist wouldn't?.
>>Ironically, exploit code associated with Anti-Sec's latest attack was posted on a full disclosure >>mailing list.
Where did you see that??
is -not- an exploit code, k?
These asshats get all the attention...
...whilst the real revolution [http://anti-anti-sec.com/] withers unappreciated. Hardly anybody reports when things get fixed and left alone; only hacks and controversial exploit demos are newsworthy.
Knuth was a script kiddie too.
Writing unknown exploits and using them? They must be script kiddies.
Releasing Retina source on Undernet after breaking into eEye, Must be Script kiddies.
Developing private exploits that can stay private for years. Must be script kiddies.
el8 - Script Kiddies , dikline - Script kiddies , MNNSE - Script kiddies.
Noticing a trend here?
Most security 'professionals' couldn't tell you what f* = 0x1234; f+1 = ___ much less write solid exploit code and stand up for something you believe is right.
In short, Antisec will continue to live on. More people will be hacked, I trust you to keep calling them script kiddies, and I trust that your init.d (Because you don't even need an LKM with the level of knowledge most security 'professionals' have) will soon be filled with ./jrkeyd , SSH will be apatched. Such is life.
Also, As a final note, Antisec isn't a group, Its a Movement, Get it strait.
Grow up you script kiddie. did mummy let you on the internets ?
Spoken like a true script kiddie!
I kind of find the message humorous. The real question is what their resources actually are. Are they just a bunch of SQL-Injectors, or do they have some good social engineering skills? Are they smart enough to take over a site on the same server and attack the main target which may have unsecured files? All sorts of questions I can come up with...
Too bad there isn't more news about secure systems. It's much more impressive to build something secure than it is to break anything.
@Antisec isn't a group, Its a Movement, Get it strait.
Oh well, I was dumb like that back in the early 90's.
Appears that the perpetrators picked their prey purely for the pun possibilities. I'll chuckle at the message, but their political policy is poop.
declaration of war?
One would have to assume that this group is openly making threats against major sites owned by companies that can afford to make people disappear. If I were them, I would watch who I threaten because they might find themselves hanging outside of a helicopter.
I know the first thing I do when a site of ours is threatened is plan my own reaction, well that and secure the sites(s) so that nothing can happen:)
Can't these people get real jobs and lives? Haven't they learned that the it's more often then not the quiet ones that can really do the damage vs the ones that want to come out and bring their organization into the spotlight.
Theres always a faster car, always a better security guy, if i were ImageShack i'd do whatever is necessary to eliminate any future threats, if you know what i mean.
What do you mean 'they'? Of course, The people behind say, SSANZ or Imageshack, Its reasonable to believe, are different than the idiots behind say PHC or the Retina source leak. Obviously, in good faith, You can't speak to the abilities of other people with any great confidence (Especially in a medium like the internet). But I think its self-evident that they're not a bunch of SQL Injectors or Con men.
As far as your second question goes, Well, It depends, FreeBSD's jail command is pretty hard to break out of if a target was on the same box and you compromised a separate process or user on the same box. Of course, Breaking out of Vanilla chroot jail can be done by elementary school students, Likewise for Grsec'd Chroot jail provided you know how to use setpgid() to set an analogous process as the PID == PGID (And GRsec says they don't allow Process Grouping functions outside of the Chroot jail, lolz), but thats a topic that's out of the scope of this conversation.
This was the response received by the older generation of antisec like ~el8. I'd hope to expect that in 10 years, people could come up with something new to debase a person's argument if you're all out of ideas (I personally suggest Scurvy seadogs over Script Kiddies, but that's a matter of anachronistic taste). I think by definition you aren't a script kiddie if you're developing your own tools, but that as well is a matter of taste.
As far as your last point, Not to be the generic purveyor of managed code here, but in a parallel universe where CPUs can natively interpret Java bytecode, you've cleared yourself of most core security risks (Outside of design compromises) itself for very little work. Though I appreciate the thoughts that somehow breaking into systems requires no skill and building secure systems in the paragon of human insight.
By definition, a script kiddie uses someone else's code. These dudes are using their own 0-days which should explain their motives pretty plainly.
They don't want anyone else to have their tools. They don't want script kiddies sh**ting up the pool with a million derived iterations of something they discovered and would prefer to horde.
Also, money. Because it always boils down to money. Perhaps they want to sell their 0-days to the vendors or on the black market. Full disclosure makes that impossible or at least less profitable.
Even if the anti-sec front dudes performing the actual attacks against sites are script kiddies, you can bet the message was written by someone with an actual brain. Just read it. There is a serious lack of high-fivin' leet speak. The grammar and formatting look correct. It reads like a manifesto, not a "lolz u got pwned" defacement.
I have no idea who is behind the Anti-Sec "movement", but it isn't just some neckbeard sitting in his mom's basement stuffing Cheetos in his gullet, washing it down with a Code Red Mountain Dew while symbolically raging against the jocks who used to give him wedgies. It reminds me, in a way, of Anonymous and the attacks against Scientology.
This could be the start of something.
Maybe not. Maybe it is just a flash in the pan, but there is lots of money to be made in exploits and giving them away via full disclosure is pissing off the wrong people. Whether the truly criminal elements in the security market would be bold enough to strike in such an almost sanctimonious manner remains to be seen.
Look at the birth of the Pirate Party after what happened to The Pirate Bay. TPB may have sold out to pay their fines, but the mindset, the feelings of F* the Man and the Corporations are still boiling.
There will be an outlet.