thepcdude

Imageshack butthurt

37 posts in this topic

http://img20.imageshack.us/img20/3120/tesla09w.gif

Very interesting. People have been complaining their forums are now littered with this image. It appears as though thousands if not all ImageShack images were replaced with this. I'm not too sure what ImageShack is trying to achieve with this, or what they're against, but so far I'm getting the gist of "skiddies" and them using scripts.

I hate that, so I guess I'm with ImageShack? :-/

-1

This isn't ImageShack; the group anti-sec hacked ImageShack and defaced all the images ( http://seclists.org/fulldisclosure/2009/Jul/0095.html ). They are a group of BlackHats opposed to WhiteHat hackers who they believe release exploit code and spread FUD in order to make money. They are threatening to deface white hat sites and rm -rf white hats' boxes in order to force the security industry underground.

http://romeo.copyandpaste.info/

Edited by n3xg3n
0

Regardless of what anybody thinks about their views on white hats, isn't it a little extreme to attack *anyone* who posts an exploit of any sort? There's always tards out there, sure, but exploits help people learn how something works, no?

0

It was a hack in order to spread the word about anti-sec, a 'movement' that opposes full disclosure and the security industry.

0

Blackhat? I understood a blackhat to mean a penetration tester that goes in completely blind as opposed to a whitehat that goes in WITH information about a network to test a specific area. Both of which are legitimate paid professions.

0

I was getting ready to post this when I checked everyone's comments for duplicates and see that pcdude posted a link first. I got mine differently. Anyway I still thought it would be cool to display the page in its own post. It's clean, easily readable, and includes their manifesto.

Anti-sec_manifesto_ImageShack_Hack.JPG

0

Blackhat? I understood a blackhat to mean a penetration tester that goes in completely blind as opposed to a whitehat that goes in WITH information about a network to test a specific area. Both of which are legitimate paid professions.

black hats are malicious hackers, whereas white hats are hackers with benign intentions. it's a good vs bad generalization.

as far as their stated mission against full disclosure sites, I think they're ridiculous. they don't stand a chance in taking down every single full-disclosure site, and they won't be able to stop the act of full disclosure. to me, it looks like they want to try and make it easier for them to hoard exploits

0

as far as their stated mission against full disclosure sites, I think they're ridiculous. they don't stand a chance in taking down every single full-disclosure site, and they won't be able to stop the act of full disclosure. to me, it looks like they want to try and make it easier for them to hoard exploits

Not only that but FULL disclosure is the only way to ensure the maximum level of security possible. In certain cases a slight delay is beneficial to particularly pernicious perpetratable penetrations (sorry just got done watching something on Stan Lee) so that a patch can be developed before release and thereby prevent a zero day exploit from occurring which could cause major damage.

This is why in cryptology everybody knows the "rules" or algorithm of a particular implementation. It's the only way to ensure that nobody can break it...or at least ensure that the fewest number of people can break it. :nubie:

-----Phail_Saph-----

0

Blackhat? I understood a blackhat to mean a penetration tester that goes in completely blind as opposed to a whitehat that goes in WITH information about a network to test a specific area. Both of which are legitimate paid professions.

black hats are malicious hackers, whereas white hats are hackers with benign intentions. it's a good vs bad generalization.

as far as their stated mission against full disclosure sites, I think they're ridiculous. they don't stand a chance in taking down every single full-disclosure site, and they won't be able to stop the act of full disclosure. to me, it looks like they want to try and make it easier for them to hoard exploits

It isn't about hoarding exploits or them personally trying to take down all disclosure sites. What they are fighting for is for people to stop public disclosure (e.g. posting to milw0rm). The main purpose is to drive the hacker scene back underground away from the public. From the papers they've written and other information it seems that the main reason for this is to stop people from making money off other people's work (the white hats) which I do agree with. A lot of people basically fuck up, go to jail, and when they come out have enough internet fame that they are able to become "IT Professionals" which is stupid because if you look at the reason they were caught originally, generally it is because they were dumb. You also have all the companies and individuals walking around penetration testing and doing consulting work who are merely using other people's work (exploits from milw0rm, random tools they find, etc.) without any real knowledge of them. They are making money off the work of others. Lastly full disclosure enabled script kiddies to look for a video that shows exactly what to do and provides packaged exploits for them to do it. They can randomly run around owning everything they find running that particular version.

0

I say let people do what they want. If they want to release an exploit (or discuss a vuln), good for them. If they want to keep it private, good for them. I don't think extremism in either case (non-disclosure or full-disclosure) maintains a healthy viewpoint. Some of the greatest hackers I know discuss vulnerabilities within an open community, but usually keep exploits private. They'll usually submit patches to the vendor instead of releasing an exploit. I think that's a great approach. By analyzing patches, security researchers can find out vulnerabilities and write their own exploits if they want.

2

Blackhat? I understood a blackhat to mean a penetration tester that goes in completely blind as opposed to a whitehat that goes in WITH information about a network to test a specific area. Both of which are legitimate paid professions.

black hats are malicious hackers, whereas white hats are hackers with benign intentions. it's a good vs bad generalization.

as far as their stated mission against full disclosure sites, I think they're ridiculous. they don't stand a chance in taking down every single full-disclosure site, and they won't be able to stop the act of full disclosure. to me, it looks like they want to try and make it easier for them to hoard exploits

It isn't about hoarding exploits or them personally trying to take down all disclosure sites. What they are fighting for is for people to stop public disclosure (e.g. posting to milw0rm). The main purpose is to drive the hacker scene back underground away from the public. From the papers they've written and other information it seems that the main reason for this is to stop people from making money off other people's work (the white hats) which I do agree with. A lot of people basically fuck up, go to jail, and when they come out have enough internet fame that they are able to become "IT Professionals" which is stupid because if you look at the reason they were caught originally, generally it is because they were dumb. You also have all the companies and individuals walking around penetration testing and doing consulting work who are merely using other people's work (exploits from milw0rm, random tools they find, etc.) without any real knowledge of them. They are making money off the work of others. Lastly full disclosure enabled script kiddies to look for a video that shows exactly what to do and provides packaged exploits for them to do it. They can randomly run around owning everything they find running that particular version.

So basically every penetration tester needs to write their own exploits and tools or they don't deserve to get paid? That kind of thinking doesn't make any sense. The only reason I can think of for having a non disclosure attitude is to hoard their precious 0days. I'll admit it would be slightly "cooler" if the hacker scene was more underground (have you seen some of those "hacker" videos on youtube :thumbsd: ) but in the long term more public knowledge of security is beneficial for all.

2

Yeah, don't share info with anyone else, only j00 are teh l33t enough to have it!

"This isn't like before. This time everyone and everything is getting owned"

Ah, comedy...

1

Blackhat? I understood a blackhat to mean a penetration tester that goes in completely blind as opposed to a whitehat that goes in WITH information about a network to test a specific area. Both of which are legitimate paid professions.

black hats are malicious hackers, whereas white hats are hackers with benign intentions. it's a good vs bad generalization.

as far as their stated mission against full disclosure sites, I think they're ridiculous. they don't stand a chance in taking down every single full-disclosure site, and they won't be able to stop the act of full disclosure. to me, it looks like they want to try and make it easier for them to hoard exploits

It isn't about hoarding exploits or them personally trying to take down all disclosure sites. What they are fighting for is for people to stop public disclosure (e.g. posting to milw0rm). The main purpose is to drive the hacker scene back underground away from the public. From the papers they've written and other information it seems that the main reason for this is to stop people from making money off other people's work (the white hats) which I do agree with. A lot of people basically fuck up, go to jail, and when they come out have enough internet fame that they are able to become "IT Professionals" which is stupid because if you look at the reason they were caught originally, generally it is because they were dumb. You also have all the companies and individuals walking around penetration testing and doing consulting work who are merely using other people's work (exploits from milw0rm, random tools they find, etc.) without any real knowledge of them. They are making money off the work of others. Lastly full disclosure enabled script kiddies to look for a video that shows exactly what to do and provides packaged exploits for them to do it. They can randomly run around owning everything they find running that particular version.

So basically every penetration tester needs to write their own exploits and tools or they don't deserve to get paid? That kind of thinking doesn't make any sense. The only reason I can think of for having a non disclosure attitude is to hoard their precious 0days. I'll admit it would be slightly "cooler" if the hacker scene was more underground (have you seen some of those "hacker" videos on youtube :thumbsd: ) but in the long term more public knowledge of security is beneficial for all.

I'm not saying that penetration testers need to write everything they use and neither are these guys. They are basically saying that they want to stop script kiddies from having access to exploits and they want to stop people from leeching off the hacker community and monetizing off of it. A lot of these penetration testers simply go to sites like milw0rm and just download all the exploits and try them out, or they run autopwn from metasploit and they call themselves a penetration tester. There are people out there selling packages that are basically just exploits and tools written by other people that they just compiled together and are making money off.

0

The only reason I can think of for having a non disclosure attitude is to hoard their precious 0days.

You don't need to guess, this is their stated goal.

From their site:

~ Keep 0days private

~ Hack everyone you can and then hack some more

-snip-

Own everyone.

Disclose nothing.

Destroy everything.

0

Are these guys well known?

I mean, I'm not going to discount the fact that they managed some pretty serious ownage, but they sound like weirdos.

1

Blackhat? I understood a blackhat to mean a penetration tester that goes in completely blind as opposed to a whitehat that goes in WITH information about a network to test a specific area. Both of which are legitimate paid professions.

black hats are malicious hackers, whereas white hats are hackers with benign intentions. it's a good vs bad generalization.

as far as their stated mission against full disclosure sites, I think they're ridiculous. they don't stand a chance in taking down every single full-disclosure site, and they won't be able to stop the act of full disclosure. to me, it looks like they want to try and make it easier for them to hoard exploits

It isn't about hoarding exploits or them personally trying to take down all disclosure sites. What they are fighting for is for people to stop public disclosure (e.g. posting to milw0rm). The main purpose is to drive the hacker scene back underground away from the public. From the papers they've written and other information it seems that the main reason for this is to stop people from making money off other people's work (the white hats) which I do agree with. A lot of people basically fuck up, go to jail, and when they come out have enough internet fame that they are able to become "IT Professionals" which is stupid because if you look at the reason they were caught originally, generally it is because they were dumb. You also have all the companies and individuals walking around penetration testing and doing consulting work who are merely using other people's work (exploits from milw0rm, random tools they find, etc.) without any real knowledge of them. They are making money off the work of others. Lastly full disclosure enabled script kiddies to look for a video that shows exactly what to do and provides packaged exploits for them to do it. They can randomly run around owning everything they find running that particular version.

So basically every penetration tester needs to write their own exploits and tools or they don't deserve to get paid? That kind of thinking doesn't make any sense. The only reason I can think of for having a non disclosure attitude is to hoard their precious 0days. I'll admit it would be slightly "cooler" if the hacker scene was more underground (have you seen some of those "hacker" videos on youtube :thumbsd: ) but in the long term more public knowledge of security is beneficial for all.

I'm not saying that penetration testers need to write everything they use and neither are these guys. They are basically saying that they want to stop script kiddies from having access to exploits and they want to stop people from leeching off the hacker community and monetizing off of it. A lot of these penetration testers simply go to sites like milw0rm and just download all the exploits and try them out, or they run autopwn from metasploit and they call themselves a penetration tester. There are people out there selling packages that are basically just exploits and tools written by other people that they just compiled together and are making money off.

There is value in both those things. Sometimes a company can't afford expensive and uber knowledgeable penetration testers. Knowing a machine is not easily exploitable may be enough (but then I guess if exploits weren't realised nothing would be easily exploitable). Compiling public knowledge into easy to read/use packages is a service. If someone wants to get paid for it then more power to them.

1

Are these guys well known?

I mean, I'm not going to discount the fact that they managed some pretty serious ownage, but they sound like weirdos.

This weekend I attended a hacking presentation by a guy who describes himself as an "anarchist" and a "pirate." He displayed that Imageshack pic as an example of his philosophy and read a blackhat manifesto as a justification for breaking into websites. The manifesto basically stated that the "true hackers" were the ones who exploited security problems to break shit in an effort to fight "the Man," and that nowadays hacking has degenerated into a bunch of hobbyists pretending to be cool because they dare to disassemble and modify consumer products which they wasted their own money on.

The speaker's stated reasoning for opposing full-disclosure was that it only feeds the script-kiddies and the people who build vulnerable websites do so out of laziness, apathy and ignorance so it's OK to cause as much trouble as you can for them. He advocated that when you discover any kind of vulnerability you should just keep it to yourself because that empowers the individual instead of the corrupt corporate system.

Edited by Colonel Panic
1

Wow...that reasoning is kinda nuts...so if I leave my car unlocked with the keys in the ignition with a full tank of gas it's now OK for you to steal my car. I may be stupid but that doesn't justify theft. Only a criminal minded individual thinks that way, justifying their need to exploit people.

I do agree with the sentiment that individuals should provide as much resistance as possible to corporations and government institutions. Working from the inside works more to convert the individual into a tool than reforming the institution. I always suspect individuals who are trying to change things from the "inside." Those people are already the beneficiaries of the status quo and so if they have the power to "reform" they could just as easily have worked it the other way to strengthen the status quo. It makes them better people than their status peers but they are still part of the system.

On this script kiddie thing...I just don't get their hatred. If a kiddie can only follow simple youtube instructions then they aren't really a threat but in fact help to gauge the level of malicious people out there. They help IT security professionals create a "ranking" system so that they know where the current state of maliciousness is actually at. Think of it like Chess rankings...there are different bands for different skill levels. If there weren't a ranking system in place you couldn't tell how tough or easy the field really is making your assessment of the situation less precise. Assessment is at the core of IT security...there will always be bugs and there will always be black hats out there...but how advanced they are is a major security question. Script kiddies help to determine a base state, the base of the black hat pyramid.

BTW...most Black Hat hacking is a probability thing...very rarely does a hacker say I want to take this and only this site down and succeed. What is done is fishing for sites that have known weaknesses. The attack on ImageShack was done because it was the most popular site of the set of successful sites they could exploit. How do you think they get these weaknesses? Do you think they actually independently discovered them? No...they got them from the professionals that they are fighting against...and no they are not somehow proving that they are right because they didn't discover the hacks themselves...they are clearly elitist and if they weren't would be hypocrites...all hypocrites have suspect intentions.

--Edit--

The use of "you" is in a general sense...sometimes posts make it seem like a person is referencing a previous poster.

Edited by Phail_Saph
0

Wow...that reasoning is kinda nuts...so if I leave my car unlocked with the keys in the ignition with a full tank of gas it's now OK for you to steal my car. I may be stupid but that doesn't justify theft.

I see that attitude as being more like: if you're dumb enough to drive a car that's easily hot-wired, then you deserve to have it stolen.

Only a criminal minded individual thinks that way, justifying their need to exploit people.

I agree. That's an antisocial, predatory mentality.

I do agree with the sentiment that individuals should provide as much resistance as possible to corporations and government institutions. Working from the inside works more to convert the individual into a tool than reforming the institution. I always suspect individuals who are trying to change things from the "inside." Those people are already the beneficiaries of the status quo and so if they have the power to "reform" they could just as easily have worked it the other way to strengthen the status quo. It makes them better people than their status peers but they are still part of the system.

We're all part of the system, whether we like it or not. If you drive down a road or use public transit to get around, if you live in a country, pay taxes, eat store-bought food, live in a building, make and spend money in any way, then you're part of it. The "system" is made up of regular people like you and me, so the way to change "the system" is to change people's minds. Making a nuisance of yourself by breaking the law isn't going to change shit. It's only going to get you into trouble and cause people to write you off as a sleazy, untrustworthy criminal.

On this script kiddie thing...I just don't get their hatred. If a kiddie can only follow simple youtube instructions then they aren't really a threat but in fact help to gauge the level of malicious people out there. They help IT security professionals create a "ranking" system so that they know where the current state of maliciousness is actually at. Think of it like Chess rankings...there are different bands for different skill levels. If there weren't a ranking system in place you couldn't tell how tough or easy the field really is making your assessment of the situation less precise. Assessment is at the core of IT security...there will always be bugs and there will always be black hats out there...but how advanced they are is a major security question. Script kiddies help to determine a base state, the base of the black hat pyramid.

I think these groups don't really care about security in the first place. They're only using that "script kiddie" argument as a red herring to distract from their real motives of stealing and breaking stuff.

BTW...most Black Hat hacking is a probability thing...very rarely does a hacker say I want to take this and only this site down and succeed. What is done is fishing for sites that have known weaknesses. The attack on ImageShack was done because it was the most popular site of the set of successful sites they could exploit.

It looks to me like that quasi-political, anti-corporate stance is just a flimsy justification for stealing stuff, or hacking for the challenge of it. When it comes down to it, most of these guys probably don't really give a shit who they're fucking with. If their attacks don't work against Raytheon or General Electric or Bank of America, they'll turn their attention to softer targets. They just get off on the petty power trip of stealing or causing some working sucker a lot of grief.

How do you think they get these weaknesses? Do you think they actually independently discovered them? No...they got them from the professionals that they are fighting against...and no they are not somehow proving that they are right because they didn't discover the hacks themselves...they are clearly elitist and if they weren't would be hypocrites...all hypocrites have suspect intentions.

The presentation I mentioned above basically consisted of this guy announcing a number of recently-disclosed vulnerabilities, Googling full-disclosure sites for descriptions of them, and then demonstrating how to exploit them.

The use of "you" is in a general sense...sometimes posts make it seem like a person is referencing a previous poster.

No worries.

Edited by Colonel Panic
1

Oh, so they claim there is only one true form of hacking and they happen to embody it. What a stroke of luck for them.

1

I say let people do what they want. If they want to release an exploit (or discuss a vuln), good for them. If they want to keep it private, good for them. I don't think extremism in either case (non-disclosure or full-disclosure) maintains a healthy viewpoint. Some of the greatest hackers I know discuss vulnerabilities within an open community, but usually keep exploits private. They'll usually submit patches to the vendor instead of releasing an exploit. I think that's a great approach. By analyzing patches, security researchers can find out vulnerabilities and write their own exploits if they want.

I agree 100%. Make a personal decision on what YOU believe in personally and let everyone else have their personal decisions and opinions and move on with life.

1

personally i find that again they are just hypocrites, i mean every single black hat just downloaded a compiler and just started typing in every single combination of words to find out the commands/protocols. yeah right there wouldn't be any blackhats if it weren't for disclosure of information.

you can go ahead and lie and say you taught yourself without any information from anyone, that's your decision. but you are just trying to stop people from learning the way you did.

i mean i could see how anyone would be pissed if someone posts vulns before they are patched and gets everyone using them. but isn't that the best way to "stick it to the man"? having tons of people raping every machine they see instead of 1 person?

Edited by dinscurge
-1

personally i find that again they are just hypocrites, i mean every single black hat just downloaded a compiler and just started typing in every single combination of words to find out the commands/protocols. yeah right there wouldn't be any blackhats if it weren't for disclosure of information.

you can go ahead and lie and say you taught yourself without any information from anyone, that's your decision. but you are just trying to stop people from learning the way you did.

i mean i could see how anyone would be pissed if someone posts vulns before they are patched and gets everyone using them. but isn't that the best way to "stick it to the man"? having tons of people raping every machine they see instead of 1 person?

The intelligent people aren't saying to stop disclosure, they are saying stop public disclosure. There is a big difference.

0
