ImageShack Hacked, Security Groups Threatened

revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."

Their message is certainly ironic,

[Anonymous Coward]

in a "shoot the innocent bystander while sounding all righteous about risk" sort of way.

What is their motivation?

[fictionpuss]

I mean, if they got their way, completely. What would happen? Anyone motivated enough could find an exploit of their own and hack anyone else. But presumably this would eradicate the script-kiddie element as it would require an element of skill.

Is this just another way of the internet evolving itself? If you're an asshole or are part of a company which fucks someones shit up for profit, then in that potential future you'd be vulnerable to backlash. This isn't the chaos ensuing from giving automatic weapons

Re:

[Artifakt]

Eradicating the script kiddies really sounds like a worthwhile goal in itself, but you're right, it doesn't really make the net any more secure or functional to trim off the low hanging fruit. This looks to be a lone black hat who wants it to appear he falls somewhere in the legitimately gray areas, but really is well over any ethical lines. I suspect the whole presentation of there being a group that stands behind the defacement is itself also false.

Re:

[fictionpuss]

Possibly - anonymous itself could just be three guys in a basement. Then again, it could have started off in a single basement but grew because of the insinuation that it was a large distributed, anonymous organisation.

Both/and?

If the internet automatically detects censorship as damage and routes around it, we're going to be seeing larger and more intricate self-defence mechanisms as it moves from a simple chaotic knowledge-base towards sentience.

Doesn't matter if you don't believe it, the internet will jus

Re:

[Nursie]

Why would eradicate the script kids?
They wouldn't have as ready a source of info to make their scripts with, but I don't get the feeling they'd be the ones making the scripts anyway. Their scripts come from black hats that have skills.

Frankly all this would do is mean that companies *cough* MS *cough* could get away with not patching stuff for longer, leaving things even more vulnerable. It's lunacy what they're asking for.

Re:

[fictionpuss]

If these black-hats win, they'll not be giving shit to the script-kiddies. Period.

Lunacy is what we have already[1]. Reality is a bit more relative.

1 - Doing the same thing again and again, expecting different results. Buying the latest firewall or virus software has never, and will never be a guarantee of security.

Re:

[_Sprocket_]

I mean, if they got their way, completely. What would happen? Anyone motivated enough could find an exploit of their own and hack anyone else. But presumably this would eradicate the script-kiddie element as it would require an element of skill.

It goes back to an amplified version of the old BBS philez [textfiles.com] days. Except now they're not historical curiosities but relevant instructions as the exploits they describe remain current. At least, for a short while.

Since we're not falling back to the old analog MODEM days, but remaining here in the current Internet era, these tutorials will be just as distributed as they are now. They'll be fed in to the underground community instead of the general public. But in the Internet era, that underground community

Re:

[fictionpuss]

If you discover another zero-day root exploit in the Linux kernel on your own, and you have the means to sell it to the highest bidder for a nice pile of cash, then neither you nor the winner have a motivation to pass on that secret to the underground.

If there are fewer active vulnerabilities floating in the underground - accounting for accidental or the occasional intentional leak - then how is that more chaotic than what we have now?

I'm curious - I'm not an expert in this stuff by any means.

Oh wait, this

Re:

[Bert64]

What would happen, is that the prevalence of unskilled script kiddies would massively decrease, and the background scans taking place constantly would decrease... Because the perceived threats would have abated, people wouldn't bother installing updates or taking any measures to protect themselves. Also without public disclosure and/or active exploitation, software vendors would downplay the seriousness of their vulnerabilities and delay providing patches for them.

The end result of this, is that the smaller

Re:

[fictionpuss]

That's the stated goal. But all ideologies have at least one secondary goal which is of greater importance to the members - e.g. religions may preach love and peace, but will do anything (including contradicting the primary message) to protect the secondary goal of sustaining the religion.

Example - if they just manage to get all security companies out of business, then what's to stop new security companies popping up in the future once their movement starts to decay and their numbers drop? Nothing. It would

Re:

[fictionpuss]

Or maybe the current situation is just a local maxima, which we are trapped in?

Every company out there has at least one person who re-uses passwords between systems. Even if it's "only" the admin or a temp - there only needs to be one weak link in the chain.

Security problems are an annoyance foremost, and rarely a disaster. 50% of the windows clients reading this thread could be part of some botnet and they'll never know.

Society as a whole needs to treat security with more respect in order to improve it. Ev

Re:

[fictionpuss]

If that's their motivation, then they will fail.

History proves that bad ideas always poison themselves before too long. It's just simple evolution/ or rather emergence.

Is this considered full-disclosure ...

[neilobremski]

... of their movement?

Re:

[ILuvRamen]

well not exactly but wouldn't it be funny is someone did publish the exploit they used to hack imageshack? :-P

related to openssh rumors?

[Anonymous Coward]

These are the same people who say they've found an exploit in some versions of openssh. Any connection?

http://seclists.org/fulldisclosure/2009/Jul/0028.html

http://news.ycombinator.com/item?id=692036

http://lwn.net/Articles/340483/

Astalavista

[Spyware23]

For interested readers; these were the same people who killed astalavista. (Logs of that attack can be found all over the internet if you google).

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Threni]

Hardly, given that they're anti-disclosure.

Re:Astalavista

[tomhudson]

Hardly, given that they're anti-disclosure.

... but they ARE in favour of people p0wning sites - which requires disclosure of vulnerabilities - something they're against. Kind of contradictory ...

They're just a bunch of assholes, same as the punks who key cars.

Re:

[alexhard]

No, one of the reasons they cite for their anti-full disclosure sentiments is that it allows hordes of script kiddies to "p0wn" sites.

Re:Astalavista

[tomhudson]

No, one of the reasons they cite for their anti-full disclosure sentiments is that it allows hordes of script kiddies to "p0wn" sites.

... in other words, they (Anti-Sec) don't want competition that will ruin the economic value of the 'sploit prematurely.

Just follow the money ...

Re:

[Monkey Angst]

... but they ARE in favour of people p0wning sites - which requires disclosure of vulnerabilities - something they're against. Kind of contradictory ...

Well, not if you look at it this way: They're not against finding and exploiting vulnerabilities. They're against sharing those vulnerabilities so that others can exploit them. Think of it like an anti-nuke treaty. The US has nukes and will not give them up, but we're dead against letting anyone else have them.

They're just a bunch of assholes, same as th

Leave door open or we will rob you ?

[abies]

From what I can understand from their manifest, they don't want full disclosure of exploits so
1) Other script kiddies cannot use them too easily
2) General public is not aware of the risks
3) Security companies cannot prepare protection against them

This is like... let's thing about proper, slashdot analogy... bunch of car thieves telling that they are against installing immobilizers in cars and warning they will steal cars of immobilizer producers and supporters till they stop distributing immobilizers. When they stop, thieves will come back to stealing random cars, with less effort.

Re:Leave door open or we will rob you ?

[binkzz]

1) I think that's a good thing
2) They don't want the world to not know about the exploits, they just don't want the world to know how to use those exploits
3) These exploits would still be in the hands of the security companies so that they could prepare protection against them

I'm not sure how you came to your conclusions, I don't believe they are correct.

Re:Leave door open or we will rob you ?

[whoever57]

3) These exploits would still be in the hands of the security companies so that they could prepare protection against them

Except that history has shown that many software companies won't actually fix problems until forced to do so by full disclosure.

Re:

[smoker2]

Prick.
Are you sat in front of a keyboard with full access to the internet ? This isn't a written dissertation, it's a live environment. Look around for yourself. You probably would only argue semantics if he had cited other instances.

Re:

[Ifni]

Because you are the only one (or member of a minority group) that apparently lacks the predominant knowledge of the statement's truth. If I state a fact that is common knowledge, I do not need to cite it. If you dispute that fact, it is your job to find corroborating evidence in defense of your stance, not mine.

Re:Leave door open or we will rob you ?

[Vellmont]

2) They don't want the world to not know about the exploits, they just don't want the world to know how to use those exploits

There's at least a couple large-scale problems with this viewpoint.

The most direct one is that knowing about the exploit, and knowing how to use the exploit aren't really as different as you try to make them out. How long do you think for "bad guys" to figure out the full picture if you released enough information for people to protect themselves? i.e. "disable function X of server product Y". Well shit, you just gave a HUGE clue to the "bad guys", but probably didn't really give ENOUGH information to enough of the "good guys". What about the guys relying on "function x of server y" who simply can't disable it?

Exploits are often esoteric sounding enough that companies can just claim (and often have) "that vulnerability is entirely theoretical". It's often the case that the exploit is VERY exploitable, but the developers or companies are just being arrogant, don't understand, or don't care. In a perfect world where companies and developers had perfect knowledge of exactly how exploitable and dangerous a vulnerability was (and addressed the ones that needed to be addressed) your idea would work. The real world has proven otherwise.

The third problem is simply that the companies/developers responsible for fixing the problem often don't suffer the costs (or a much lower cost) or people actually exploiting the vulnerability. i.e. Microsoft doesn't suffer enormous losses when the latest worm ravages the internet. Since they suffer a lot less pain, they'll devote a lot less resources to fixing it. If the exploit eventually will get out then company X will be a lot more likely to fix it rather than just ignoring it and hoping nobody else ever finds out.

3) These exploits would still be in the hands of the security companies so that they could prepare protection against them

Heh. Where does this view that there's always the mysterious people who are just going to fix everything come from? If you think "Security Companies" are going to save you, blah blah blah Bridge to sell.. blah blah blah swamp land in Florida.

No, what needs to happen is if security is important it needs to be built into the product to begin with. Security isn't a product you "buy", it's something you are. This is nothing different than what people have been saying for 20 years.

Re:

[Svartalf]

Good analogy- so it's not in keeping with the "proper, slashdot analogy" thinking.

You have to do a **BAD** car analogy for it to be that.

Re:

[sqldr]

slashdot is like a ford focus. they're both, er, um, you can get green ford focuses.

Re:

[Tycho]

OT: your sig "I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas"

I assume you aren't going to try to deny that you are also a citizen of the United States of America at this point. Other people, now in jail, have tried not to pay income taxes and other federal taxes by claiming that they had renounced their US citizenship and were now just a citizen of the State of X, but not a US citizen any longer. None of these individuals actually successfully argued in court that th

Re:

[DrugCheese]

Just to suck it up and pay your income taxes like everyone else.

Yeah, just continue to be a slave. It's cool everyone's doing it!

There are many stupid people in jail for many stupid things. Taking a stand, ANY stand, against people OWNING YOUR LABOR is not stupid.

Re:

[Hurricane78]

Exactly. It sounds like straight out of the mouth of Zensursula [wikipedia.org], who enforced censorship and filtering of the net in Germany, to "fight against child porn", while is reality, it just results in a protective cover above the real child porn criminals.

Re:

[not_anne]

Respectfully, you're missing the point. Their point is that full disclosure helps the exploiters exploit more. Anti-sec is pointing out that there are two main ways that full disclosure is a bad thing:

1. Full disclosure allows cut and paste script kiddies to wreak continual havoc with detailed and fully documented exploits from the whitehat security industry.

2. The whitehat security industry (antivirus, firewalls, auditing services) profit hugely from full disclosure by scare tactics.

They are pushing for ch

Re:

[Bigjeff5]

The ends don't justify the means. These are people willing to destroy other people's work to make their point, and it is not ethical. These guys have lost all right to take the moral high ground, and their arguments will now and forever be tainted with "Aren't these the guys who hacked Imageshack? Why the hell are we listening to them?"

I'll take script kiddies over assholes like these any day. They may have valid points, but they sure as hell don't have my support, not now anyway. These jackasses are no

Re:

[shish]

Both Gandhi and Martin Luther King, Jr. constantly broke the law with their peaceful protests.

Peaceful protests may break the law, but they don't break many people's morals; destroying servers (if you read their site, you'll see a history of "rm -rf /"'s), even with the best of intentions, is much less morally sound.

Pretty much

[Sycraft-fu]

It'll be quite amusing to watch their dumb asses get drug off to prison if they actually carry out their threat of "destruction and mayhem." Cyber criminal types seem to forget that when it comes to criminal investigations, the bigger a target you make yourself the more likely you are to get caught. When you are just causing trouble, there just isn't enough care to really devote any resources to going after you. However if you do real damage, all of a sudden there's more interest. The more damage, the more

HaCk ThE PlanET!!!

[carn1fex]

These punks dont know who theyre messin with!! Me and my posse are put on our roller blades, spike our hair and take them out with our camouflage thirty three point six bee pee ess moh demz.

wow what an awesome idea!

[trybywrench]

What an effective way to distribute a message, hack one of the worlds most popular image hosting sites and replace all the images with your manifesto! Every site with an image linked back to imageshack would be displaying your message. Instant.global.audience. I'm not justifying what they did and I'm all for the feds handing out a beat down, afterall, the law is the law but man, what a good idea.

Re:wow what an awesome idea!

[Pyrion]

Except they haven't replaced all of the images. I just looked in my account and only one of my images (a horribly outdated tf2 screenshot, of all things) was replaced.

Best pro full-disclosure advert ever

[AmiMoJo]

This hack demonstrates exactly why we need full disclosure. If I used ImageShack to host important images for (e.g. a lot of people use it for blog images or forums) and someone figured out a way to hack in, I'd want to know about it so I can take steps to protect myself. What if someone uploaded child porn and it appeared on my forum?

It's always better to know than to stay ignorant. It might harm the companies behind affected products, but if it was a safety issue (e.g. your car can occasionally explode while filling it with petrol, which actually happened) there would be no question that full disclosure would be a good thing.

Re:

[EdZ]

If I used ImageShack to host important images

Then you're a bit of a prat?

Re:

[AmiMoJo]

Do you think everyone has their own server which can withstand the traffic generated by images used on popular forums?

I guess maybe you are the kind of prat who laughs at people for not investing vast amounts of time and money in 5-nines services, but I tend to just try and get on with my life and spend the money on more important things like food.

Re:

[EdZ]

Let's put it this way: If you have images that are actually important, then it's almost certain the site you're running has hosting where you should be placing these images. A forum avatar or a 'witty' animated signature image are not important images. Even assuming that image hosting alone is required, regardless of the site that links to them, then a paid service (e.g S3, where the hosting costs would be pennies per month) makes a lot more sense than a free ad-supported service if the images are actually

Easy to identify ?

[sugarmotor]

Their language and style sounds rather distinct. If other writings of them are available on the web, they should be easy to identify.
There's also quite a lot of text.

Stephan

They have a point but it's not that simple

[thetoadwarrior]

Yes, full disclosure can make things worse but some companies take an "out of sight, out of mind" approach to fixing exploits and if no one knows about it they don't fix it.

But I'm not sure it's much better only having a few experts able to steal money and run bot nets over a longer period of time or a lot of clueless script kiddies doing it within a shorter period.

Re:

[Svartalf]

The biggest problem with this thinking is that the experts eventually sell the tech to the script kiddies to gain maximal value from the exploit. So, in this case, you have the worst of both worlds- they use it over a longer period of time AND then you have a lot of clueless script kiddies doing it over a medium period of time before the companies get pressured into fixing the damn thing in the first place.

Security through obscurity is NOT an answer- as you pointed out, they typically don't fix it if they

From their manifesto:

[Hurricane78]

Apparently they are against full disclosure of exploits, because this would lead to the cracks in the first place.

Sounds to me like they are Microsoft PR workers in disguise. ^^

So rash

[UnixUnix]

They didn't even bother to Ask Slashdot :(

I'm not sure I get it

[sjames]

In order to put an end to security consultants and companies spreading fear of being hacked in order to sell security oriented products and services, they will go on a reign of terror hacking everything that isn't secured to the nines? Uhmmmmmm. I'm not sure how that works.

Re:I'm not sure I get it

[maxume]

It probably makes more sense if you are 15.

Re:I'm not sure I get it

[Bigjeff5]

You may need to go younger, ever seen a toddler when mommy or daddy tells them "no"? They tend to pitch a fit, and try to break stuff.

These guys may be smart as hell, but they are little more than toddlers who can hack. They are definitely NOT worth paying attention to beyond what is necessary to track them down and put them in jail.

BTW, do you know what happens to guys like these when they get caught? After jail time, they are generally banned from computers. I.e. more jail time if they are caught using one. That's got to be a virtual death sentance for a hacker.

I'm not sure these guys thought this thing through, they are definitely public enough to be traceable. I hope they don't like where they live very much!

I'm hoping..

[slashkitty]

that this is just some sort of reverse logic... because now, anyone wanting to hide details of sec exploits are thrown into the group of these "nasty hackers"..

I mean, it's mostly only big corps that are for "non-disclosure".. the rest of the free world wants to know!

Ok.

[EddyPearson]

Guess the OpenSSH bug is real...

Confused...

[WPIDalamar]

I'm confused.

So they're a group of black-hat hackers? I assume this since, well, what they did qualifies as black hat hacking.

So that would mean they WANT a less secure world, right? They don't want vulnerabilities fixed. They don't want people to know about them. They want less competition from script kiddies.

But they're arguing against full disclosure in a way that makes it sound like they want a more secure world.

Actually, that's Brilliant!

It's almost like saying "I want more republicans in office, s

Some observations

[rs79]

1) The text was syntactically and grammatically near perfect. You don't often see that in these sorts of things.

2) The cadence and style was sort of familiar. I was always able on usenet to identify forgeries not by the path, but by the way they were written. Any idiot can put words where they're not supposed to be, but very few people can wrote like somebody else.

3) I posit that if they weren't good intentioned they'd have hacked DHS.

It would not surprise me if this turned out to be a bunch of CS/security professors or the like, or their minions doing their work.

From the message, I'm absolutey certain they're in America, and had either a very rigorous or British schooling.

Re:

[Psyborgue]

I agree. Something doesn't smell right.

Re:

[tcolberg]

I've got a baaad feeling about this...

Re:

[maxume]

I no get rigorous or Brit schooling and I are good grammer.

What I mean is, that is quite a statement to make, there are plenty of people who learned to write by reading, not in school.

Re:

[TheRaven64]

You have an odd definition of perfect grammar. Their writing style isn't bad, but they had run-on sentences and incorrect hyphenation in a few places early on and then deteriorates completely towards the end into something barely coherent.

Actually they are retired Sergeants of Marines...

[atrocious cowpat]

What? [gutenberg.org]

ac :)

Judging by the thought process behind this

[93 Escort Wagon]

So the average age of this group is apparently what, 15 or thereabouts?

Re:

[smoker2]

Are we talking about /. now ?
Oh sorry that's mental age.

The motive and action contradict each other..

[Seth Kriticos]

The fact that they hacked ImageShack shows that there is a vulnerability, probably one that was exposed before. In terms of natural selection this is a good thing to make the severity of the vulnerability clear. I think it would be a good thing if this kind of attacks would happen more often to get a better relation to security situation overall, because many companies and individuals tend to ignore otherwise.

Their message is complete bullocks tough. Full disclosure in combination with destructive exploitin

My best guess is...

[bXTr]

• This is a legitimate threat, and they're truly against full disclosure.
• Or they're using reverse psychology and are for full disclosure.
• Unless they're using reverse-reverse psychology and are really against full disclosure.
• But maybe they're using reverse-reverse-reverse psychology and are really for full disclosure.
• ...
• Or they're just a bunch of script kiddies trying demonstrating their "l33t 5k1lz".

"Look out, we'll further ruin our own credibility"

[Pahalial]

Is anyone else tremendously amused at the method these guys have chosen to get their message out? I don't necessarily disagree with them - specifically, I usually only believe in full disclosure being necessary when an exploit is already in use in the wild - but it seems to me that they're just going to polarize the debate against their own position. IT security geeks are notably stubborn, defiant, etc., and being attacked over this will only entrench them further in their position. And to add to this, the

Excellent use of irony

[gr8dude]

I think they are pro full-disclosure, and this action is just a pun.

The message they are trying to get across is: "If you close your eyes, the world doesn't disappear. Here's an example of a hack, just to show you that vulnerabilities will continue to exist even if you don't make them public. Not only that, but there will also be people who will find them and use them, regardless of your will to make them public or not".

The message is worded well, others noticed it too; I think the author is too intelligent to be so ignorant of the truth.

Re:Wow

[Kell Bengal]

Wait, wait. How is messing with other people's stuff on the net from safely behind a computer 'gutsy'? Sounds like cowardice to me. I don't care what their message - if they're fucking with my, or other people's, stuff then whatever their argument is will go unheard. If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Re:Wow

[jombeewoof]

...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of it's former elf.

Re:Wow

[Anonymous Coward]

...If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Because logic doesn't always work. Logic in the hands of those who count the beans is usually twisted into some diseased, desecrated version of it's former elf.

And trust me, the dwarves are not happy about that.

Re:

[dna_(c)(tm)(r)]

because the image of the elf was substituted by one of an angry hacker.

Re:

[MadUndergrad]

So that's how Melkor created the orcs!

Re:

[Niris]

Good point, they should stop doing things over the net. Time to start building those bombs!

Re:

[Jurily]

If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

Because they already tried that and nobody listened?

Re:Wow

[sqlrob]

If it's free speech, mind if I come and write graffiti on the side of your house? If you stop me, you're censoring my speech.

Re:Wow

[NickFortune]

Why stop at the outside? Break into the place and scrawl all over his wallpaper. That's effectively what anti-sec did here.

Re:

[GeorgeS]

They did a LOT more than that!
They came inside the house. Sat down at the TV and ordered PPV and drank all the beer!

Bastards!

Re:

[dimeglio]

sure, as long as you use washable ink. After an attack, what has changed except delay access for a few and more cash in the pockets of IT security contractors?

Re:

[Zak3056]

I would argue that these are not attacks but free speech (as in freedom of expression). Sure, some security sites will be down, that's just the way it is.

I'll be by your house later with some spray paint--I, too, have a message to share with the world, and your attitude toward defacement of private property is refreshing.

Re:

[houstonbofh]

I would argue that these are not attacks but free speech (as in freedom of expression). Sure, some security sites will be down, that's just the way it is. A mDDOS attack, assuming this is going to be their method, is just like free speech but through the mouth of your NIC card. Ok it's more like yelling but all they need are good earplugs.

Right up until you decide to have a press conference in my living room. Break into my house and you may get shot.

Re:

[Nautical Insanity]

True, they're exercising free speech in the text of their manifesto. They have their right to that. However, while you're entitled to say what you want, how you say it is quite naturally under some limitations. For example, you are free to say that you like flowers. But if you said that by lighting houses on fire so that from the air, the flames could be read, then you'd get arrested for massive arson. Hacking into the site is clearly illegal and this group should get busted for that.

Re:

[Kell Bengal]

It takes brains and introspection to produce a convincing and well-reasoned statement of ones position. Putting your ideas out there - ideas you may be passionate about - is always a risk. You risk rejection, you risk being proven wrong, but most of all you risk the consequences.

.

There's a reason people fear public speaking more than death. Anybody can write graffiti on a toilet door without risk, but it takes character to say the same thing in front of an assembly of your peers. Don't think these peo

Re:

[Kell Bengal]

It's still cowardice to anonymously conduct vandalism, even if that anonymity is an illusion. So, it would appear to be anti-sec's assumption, not mine.

Re:

[Sebilrazen]

I'd like to see where this goes. This is gutsy, and apparently they know what they're doing and they mean business. Their message is clear, concise, and I don't completely disagree with them. Interesting.

Oddly, this comment, verbatim - save the "Wow" is the subject and not "Wow...", is on another story [mashable.com] about this.

Personally I fear people that would go to lengths to post the exact same thing on multiple sites than people with causes.

I'd like to give a shout out to Zorg, from the Fifth Element on this one "I don't like warriors. Too narrow-minded, no subtlety. And worse, they fight for hopeless causes. Honor? Huh! Honor's killed millions of people, it hasn't saved a single one."

Re:Help for the unfamiliar

[klui]

It doesn't show the details but their website gives a summary. http://romeo.copyandpaste.info/txt/imageshack-pwned.txt [copyandpaste.info] How accurate, who knows.

Re:

[klui]

Interesting. That does lend credence to the theory that they have an exploit for an old version of sshd, since it's explicitly mentioned in their script output that the servers were running openssh-4.5.

Then again, it's not unthinkable that the script output is faked, and they're just trying to ride the publicity from the supposed break. Without more details it's impossible to be sure.

img1...us is running on 4.5; there is no img998...us though. Yes, the logs definitely don't show all details nor do we hav

Re:

[klui]

Damn, I meant to say 998 doesn't show what version of SSH it runs.

Re:

[Kell Bengal]

Why should knowledge need a gatekeeper in the first place? People say "We can't let this fall into the wrong hands!" but security through obscurity is a losing strategy, if that's all you're doing. I'm not advocating we have no secrets, but I think we have more to gain by disclosing and improving than we do through hiding what we know under a white sheet in the hopes that nobody else knows about it. Remember, if we figured it out, they can figure it out - and then we'll still have the problem but nobody

Re:I was a victim...

[Niris]

Thankfully you're a /. user, so the goatse.cx picture was probably better.

Re:

[tomhudson]

"My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead."

Since you're posting anonymously, it was probably an improvement.

Now, back on-topic ... rule #1 - "follow the money and see who benefits". Who else is against full disclosure? Malware vendors, anti-virus companies, Microsoft, the Russian Business Network, click-fraudsters, bot-netters - they're ALL against full di

Re:

[houstonbofh]

My mom sent an email to the whole family with my high school graduation pictures using ImageShack to host them, but something went wrong and all my relatives saw goatse.cx pictures instead.

Ohh... Sorry... I thought that was your graduation. You know... Senior prank to the principal. Shake his hand and, OH MY GOD!

Re:

[Architect_sasyr]

How does lack of full disclosure make the world a better place? The way I see it, if I know how an attack is operational I can figure out how to defend against it, if I don't then I won't know how (or more importantly why I am having) to write secure code. My other issue with a lack of full disclosure is the indication that only, say, the richest people (or companies) can afford them - effectively monopolizing things like the anti-virus or firewall industries.

Re:Making the world a better place.

[billcopc]

They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.

Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".

Re:

[aristotle-dude]

They want to discourage full disclosure, because it means they won't get to abuse undisclosed vulnerabilities as freely as they currently do.

Let me put it to you in more immediate terms: If the BH presentation on ATM exploits goes through, it will trigger a much more rapid response to patch the problem, which means the true exploiters have less time to plunder. Now this is just one example... There are hundreds of high-risk exploits discovered every day, some of which were obviously used to hack into ImageShack. These kiddies are scared that full disclosure will take away their "toys".

Wow. I don't think you understand what full disclosure is and what they are allegedly advocating. It seems like they are not advocating to not disclose the vulnerability to the vendor but rather to not disclose not only the existence of vulnerability but also an example exploit to the world. This full disclosure is precisely what results in "script kiddies" getting their toys because they don't have to be part of any particular hacking group or hack significant "skillz". It creates a mad rush for the vendor

Re:Making the world a better place.

[Thiez]

I think full disclosure is a good motivation for companies to fix their stuff. Notify them you found a problem, what the problem is, and that you will make the exploit public after a certain (reasonable) period of time, whether they fix it or not.

Re:Making the world a better place.

[UncleTogie]

I think l0pht's home page back in the day had it right when they quoted Microsoft as saying:

"That vulnerability is theoretical." -Microsoft

...which is one of my arguments for releasing POC code. Some folks need to be hit with a bigger clue-stick than others.

Re:Making the world a better place.

[Jah-Wren Ryel]

Wow. I don't think you understand what full disclosure is and what they are allegedly advocating.

Nope. He has it right, you have it 100% wrong. The ATM issue is a perfect example. That vulnerability was disclosed to the vendor eight months ago and they haven't done jack shit. Now the threat of full disclosure - to the entire world - has caused the vendor to get an injunction to prevent disclosure. Where is the fix? I still don't see a fix. Under your theory of "full disclosure is just another word for limited disclosure" the vendor would have fixed the problem long ago.

It rarely ever works like that and we have 30+ years of history to prove it - the security industry used to work the way you wish and the results were the same, vendors didn't do shit. The only time a fix comes is when the vendor knows that the only way to stop the script kiddies and all the serious blackhats is to actually fix the problem instead of sitting on it. Without at least the threat of true full disclosure vendors won't fix their problems, they don't have enough of an economic incentive to do so.

Providing the public with a warning that a vulnerability exists is not unethical and neither is providing information to the vendor but providing full exploit information is not only unethical but completely useless to the end user and places them at additional risk.

Without the threat of true full disclosure, nothing ever comes of limited disclosure. [schneier.com]

Example of a virus from Image Shack.

[afxgrin]

A friend of mine had her machine infected with one of the imageshack exploits. It was basically a double extension EXE, labelled like Aphoto.jpg__________________.exe

She wasn't paying much attention and had hit OK when prompted to run the program. So her computer had started sending me MSN links to similar images hosted on ImageShack.

Here's the EXE that I got sent. [rapidshare.de]

Someone I was chatting with in a technology IRC chatroom had run the virus in a VM, and it apparently has code to detect the presence of a VM,

Re:

[MaskedSlacker]

Not only is the exact opposite of the OSS mindset, I'd be willing to be that it is motivated by exactly what you describe. These are not people concerned about security, these are people who want exploits kept secret so they can sell them and use them--the morons posting here in support of this don't get it. These people are not your friends.

There are a number of well-documented cases of vendors being notified well in advance of publication, and those vendors doing nothing until after publication (in some

Re:

[REBloomfield]

yes. thought it was me.