Message-ID: <4A5E72C0.4080806@propergander.org.uk>
Date: Thu, 16 Jul 2009 01:22:24 +0100
From: mrx <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Ant-Sec - We are going to terminate Hackforums.net and Milw0rm.com - New Apache 0-day exploit uncovered
Travis,
Our conversation is now not really related to full disclosure, it is
more philosophy of information dissemination.
And, much as I mentioned in my last post, I agree with your views on this.
I was pointing out that we all need a starting point and an occasional
guide through the abyss, and a rock solid foundation on which to base
our own investigations.
The works of great thinkers provide this, be that great thinkers like
Aristotle, Newton or skilled hackers - el8, dikline? Without the public
exposure of their ideas we would still be struggling in the dark... Not
that the human race is basking in the light, but that is another discussion.
I did mention I had a problem with the propensity of step by step guides
and tutorials that allow our most ignorant and ill-educated (for want of
a better term) fellow beings to fulfill their base desires for control,
dominance and
mischief. And yes I see how those who offer a panacea to such activity
delight in the availability of such information.
But the thing is, even altruistic people can access this information and
expand, build upon and apply it to a more useful and less destructive
purpose. It allows for quick response and rapid mitigation from those
charged with defending systems, though not having the necessary acumen
to do so without such guides. Again as I mentioned previously a double
edged sword. Not all of those charged with defending IT systems from
attack are wise enough to do so without such step by step insight into
how the enemy will attack.
Knowledge and wisdom to me are in themselves admirable goals, but many
IT security specialists have too many corners to cover to have the time
to be expert in all areas. Full disclosure narrows that gap between the
talented hacker and the hard pressed system admin.
I would, however, like to see much more information and step by step
guides to securing systems freely available rather than tutorials on how
to exploit said systems for control and gain.
Acr0nym
T Biehn wrote:
> You raise valid points, I would like to see you further form your
> analogy between the works of great thinkers to a collection of
> ready-to-compile or evaluate exploits or YouTube and text based
> tutorials on how to hack hotmail accounts.
> 'Full Disclosure' is defined by your e-mail, and pretentiously (the
> pretension is mine) by the anti-sec movement, as these 'script kiddie'
> oriented resources. I'm sure no one is advocating the suppression of
> legitimate and novel research.
> Certainly one would not be pompous enough to imply broad competency in
> a field without familiarity with peer works, original research into
> the theory of security has always been welcome.
> The public dissemination of easy to follow tutorials, public botnet
> source-code and public exploits mainly serves to allow a wider lowest
> common denominator of the population to wield tremendous destructive
> force to the delight and profit of a number of 'information security'
> companies. Public availability of this information is never helpful
> when you are actually tasked with system defense, and is tantamount to
> spoon-feeding when using it to 'learn.'
>
> -Travis
>
> On Wed, Jul 15, 2009 at 6:04 PM, mrx<mrx@...pergander.org.uk> wrote:
>
>> T Biehn wrote:
>>
>>> Mr X,
>>> Isn't the gaining of expertise, in any field, a labor of love?
>>> Going through the process without being spoon-fed usually carries with
>>> it a certain amount of wisdom. So much potential talent is wasted
>>> because of the ease of access to 'hacking tools and tutorials,' such
>>> guides feed into our lethargic tendencies and offer no intellectual
>>> challenge. The same is true of University, College, and Certification
>>> programs.
>>> I happen to pride myself on my ability to self-teach, and largely
>>> credit it to my experience as an un-mentored 'hacker'.
>>>
>>> -Travis
>>>
>>>
>>>
>> Hi Travis,
>>
>> Whilst I agree with just about all you have said, I stand by my statement.
>>
>> Many of those responsible for the security of systems do not have the
>> skills and knowledge necessary to protect those said systems against all
>> possible threats.
>> Not all IT security professionals are in a class of their own.
>>
>> Yes, spoon feeding allows the most dumb of individuals to own another's
>> box and I would say such spoon feeding leads to compromises executed by
>> those who need help tying shoe laces. Hence I do have a problem with
>> step by step tutorials on how to hack xy and z.
>>
>> But we all need pointers and help sometimes, we can not all be
>> experts in every field, we are all standing on the shoulders of giants.
>> Imagine a world where Plato, Einstein, Dirac and Feynman, kept their
>> shit to themselves.
>>
>> I like to think I am smart... but I really am a dumbfuck compared to the
>> true elite. Without documented exploits, reference books and scroogle I
>> would likely have my ass handed to me on a regular basis.
>>
>> I too am un-mentored but what I do know is built upon that which I have
>> researched from other sources other than my own imagination, I can't see
>> and visualise every possible exploit. Perhaps there are those that can.
>> However I have yet to meet one.
>>
>> Regards
>> Acr0nym
>>
>>
>>> On Wed, Jul 15, 2009 at 7:41 AM, mrx<mrx@...pergander.org.uk> wrote:
>>>
>>>
>>>> Well if I was able to take down hackforums and milw0rm and intended to
>>>> do so, I certainly wouldn't brag about it on a full disclosure list and
>>>> warn my targets.
>>>>
>>>> Just in case:
>>>> i) They believed the threat was real and took mitigating action.
>>>> ii) Backed up and mirrored the content so that they could be back up in
>>>> 24 hours.
>>>>
>>>>
>>>> I can see anti-sec's point regarding script kiddies, however, full
>>>> disclosure levels the playing field somewhat.
>>>> Full disclosure serves and aids hats of all colours.
>>>> Without full disclosure we would have a handful of real experts able to
>>>> compromise, control and abuse regardless of motive.
>>>> Knowledge is power and when that knowledge is in the hands of the few,
>>>> abuse is the usual result.
>>>>
>>>> Full disclosure not only feeds skiddies, it serves to warn us all.
>>>> Indeed a double edged sword.
>>>>
>>>> But hey what does this noob know?
>>>>
>>>>
>>>>
>>>> Ant-Sec Movement wrote:
>>>>
>>>>
>>>>> Dear members of Hackforums.net, Jesse Labrocca (AKA Omniscient),
>>>>> Milw0rm.com, str0ke, and Reader,
>>>>> We are the Ant-Sec movement, and we are dedicated
>>>>> to eradicating full-disclosure of vulnerabilities and exploits and free
>>>>> discussion on hacking related topics. We are dedicated to stalling the ocean
>>>>> of script-kiddies currently trawling the Internet, and those so called
>>>>> "White Hat Hackers" who benefit financially from full-disclosure; employing
>>>>> scare-tactics in order to con people into buying their firewalls and
>>>>> anti-virus software.
>>>>>
>>>>> Thus, our new targets are Hackforums.net and Milw0rm.com. Both are notable
>>>>> within the hacking underground and the computer security world, and both
>>>>> violate what the Anti-Sec movement is fighting for. Such as it is, both must
>>>>> be terminated...utterly.
>>>>>
>>>>> Let us first discuss Hackforums.net. It is run by a man named Jesse
>>>>> Labrocca, also known as "Omniscient" within the hacker underground. Although
>>>>> he, himself, claims to not know a thing about penetrating computer systems.
>>>>> Hackforums.net is perhaps one of the largest communities of hackers and
>>>>> script-kiddies alike currently at large in cyber space. The beginner
>>>>> section, alone, is flooded every single day with messages by script-kiddies.
>>>>> The "Hacking Tutorials" section is a diamond mine of full-disclosure
>>>>> information. And that is not the entirety of it. As a result, this community
>>>>> MUST be terminated.
>>>>>
>>>>> Recently, the Anti-Sec movement became aware that some unknown entity has
>>>>> been launching successfully crippling denial of service attacks against
>>>>> Hackforums.net. Whoever you are, we of the Anti-Sec movement extend our
>>>>> warmest gratitude to you and we ask that, if you're reading this email,
>>>>> please do not cease your attack against Hackforums.net. By bringing it down,
>>>>> you are helping to recover the health of the Internet. Hackforums.net is a
>>>>> hive of knowledge that should only be known by a select few. It MUST be
>>>>> terminated. In addition, we also encourage any and all who can to launch
>>>>> denial of service attacks against Hackforums.net in order to support us in
>>>>> furthering our goals.
>>>>>
>>>>> We would like to stress that we will not be participating in DDOSing
>>>>> Hackforums.net. The reasons for this bring us to our next topic of
>>>>> discussion.
>>>>>
>>>>> In addition to our OpenSSH 0-day exploit, the Anti-Sec movement have also
>>>>> unearthed an Apache 0-day vulnerability and we have subsequently developed
>>>>> exploit code in order to take advantage of this vulnerability. It affects
>>>>> ALL versions. We will be using this as well as our OpenSSH exploit to hack
>>>>> into Hackforums.net and rm its contents, thus terminating it.
>>>>>
>>>>> As soon as, if ever, the recent crippling DDOS attacks against
>>>>> Hackforums.net cease, we will strike. And in that moment, Hackforums.net
>>>>> will be history. Your only hope, Hackforums, is for the heavy DDOS attacks
>>>>> to never stop.
>>>>>
>>>>> Once we have dealt with Hackforums.net, we will terminate Milw0rm. Better
>>>>> you had quit and left it at that, Str0ke, for now milw0rm.com will be
>>>>> completely and utterly wiped. It is the second highest target after
>>>>> Hackforums.net.
>>>>>
>>>>> This is our message to all. You have seen what the Anti-Sec movement can do.
>>>>> We will do it again, and again, and again, until our goals are achieved.
>>>>>
>>>>> This we promise.
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> Anti-Sec
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
>