Anti-Sec Crusade Against Full-Disclosure. "Imageshacked"



klange
July 10th, 2009, 10:35 PM
So, I'm sure that by now you've seen this thing:

http://blog.phpwnage.com/%7Eklange/is-full-disclosure.jpg

... instead of some image you were looking for.

What is Full Disclosure?

Full disclosure (http://en.wikipedia.org/wiki/Full_disclosure) is when whitehat hackers (the good guys) release information on critical exploits to demand that they be fixed and patched immediately. When exploits aren't publicly released, many software developers ignore them and allow them to stay in code - creating security risks that can be exploited when blackhats (the bad guys) find them.

What's Anti-Sec doing?

They've hacked ImageShack so that instead of serving the images you've uploaded, they are randomly returning the image pictured above to try and "fight" full-disclosure. They are wasting your bandwidth and breaking our forum rules to do this, and also wasting our time.

Why are they wrong?

Full-disclosure is the opposite of security-through-obscurity. It is at the heart of why open-source projects like Linux are so secure: the freely available source-code has precisely the same effect as releasing exploit information for a proprietary application. Even Apache's security updates are driven by publicly posted exploits. By fighting this long-established security practice, ImageShack is not only wasting our time and money, but they are also defending the most ridiculous methodology in existence.

What can you do to stop them?

I have no idea where this campaign came from; I just saw the image, read it, got extremely pissed off, grabbed a more reputable source, sat down and typed this post. There's no way to block the specific image as it is randomly returned from ImageShack, so you'd just have to block all of their images. What I can say is that we have hundreds of other places to upload our images. I've been using my own server for years, and while it's painfully slow, it offers much better service than ImageShack.

The only solution right now is to stop using ImageShack to host your images.


UPDATE: ImageShack was hacked by Anti-Sec to put these up. Either way, avoid ImageShack to ensure that your images aren't replaced by this annoying message.

ANTI-SEC IS A BLACKHAT HACKING GROUP - They are looking to shut down sites like Bugtraq to capitalize on zero-day exploits.

Xetsuei
July 10th, 2009, 11:01 PM
Bumpin' this to the top.

Imageshack is being retarded.

StankBacon
July 10th, 2009, 11:10 PM
sup (http://www.hivclan.net/hivshack/)

Rook
July 10th, 2009, 11:14 PM
www.tinypic.com for life

bacon your site was ok for my albums though!!

Cojafoji
July 10th, 2009, 11:16 PM
www.tinypic.com (http://www.tinypic.com) for life

bacon your site was ok for my albums though!!
WORST. FUCKING. SITE. EVER.

jcap
July 10th, 2009, 11:18 PM
I've been ranting to Snaf about this on AIM.

I can't believe the dildo stuck up Imageshack's ass right now. I bet they are running Linux for their servers too, which would not be nearly as secure if it wasn't for full-disclosure, as you stated in your post.

If nothing was ever publicly disclosed, nothing would ever be done about any discovered exploits. It's the fear that something WILL happen when they are made public that drives them to be patched. If all of the Internet Explorer and Windows exploits discovered by the public were not fully disclosed, Microsoft would have fully ignored them (as we ALL know they do) and it would be sitting in an archive, waiting for that one day that someone decides to launch their attack.

One of the best examples of this that everyone in the Halo community should be familiar with is the Haloboom exploit. This was kept quiet and privately submitted to Microsoft. When they refused to take action after months of waiting, the exploit was finally fully disclosed. Once the attacks started, the game was patched within a few days.

I would laugh my damn ass off if Imageshack was hacked using some exploit and their campaign image was replaced. Oh my god, I might just die from asphyxiation from laughing so hard....or is this a hack in response to their anti-sec campaign?

FRain
July 10th, 2009, 11:21 PM
Imageshack used to be Imageshack.

Now it's imageshit.

Photobucket FTW.

Rook
July 10th, 2009, 11:24 PM
Hey guys hey guys

http://mashable.com/2009/07/10/imageshack-hacked/

Bodzilla
July 10th, 2009, 11:25 PM
that's some incredible usage of puns you have there, flaming rain.


i think i'll lock my thread in Feedback section and continue the discussion in here.

sdavis117
July 10th, 2009, 11:25 PM
The only solution right now is to stop using ImageShack to host your images.

I've been trying that for a couple years and it still isn't working.

I like photobucket much more then I like Imageshack.

Cagerrin
July 10th, 2009, 11:28 PM
Majhost > every other image host ever.

Also these people are seriously deluded if they think they're doing anything right.

sdavis117
July 10th, 2009, 11:29 PM
http://i276.photobucket.com/albums/kk17/spartan123209/poster24958531.jpg

FRain
July 10th, 2009, 11:33 PM
http://bighugelabs.com/output/motivator3c026a9285e5012fca7490342ab4c99ef08654ae.jpg

Phopojijo
July 10th, 2009, 11:34 PM
The irony is they probably hacked Imageshack using a known example-code exploit o.O

klange
July 10th, 2009, 11:39 PM
Further research seems to lean towards them having been hacked, but it shouldn't be taking this long to fix the issue.

DEElekgolo
July 10th, 2009, 11:43 PM
Photobucket sucks. And it's blocked by many schools and businesses.

InnerGoat
July 10th, 2009, 11:45 PM
Oh I see now. Yeah well imagesuck has been crap the last 3 years so stop using it tia~

Timo
July 10th, 2009, 11:49 PM
http://xs.to is good if it's still around, light weight.

Phopojijo
July 11th, 2009, 12:07 AM
http://antisec.wordpress.com/

Yeah according to their website "Blackhat for Life" -- they appear to be wanting security-by-obscurity because they want to capitalize on zero-day exploits.

Also they don't seem like people you want to fuck with.

klange
July 11th, 2009, 12:19 AM
Someone with the right powers, change the thread title to Anti-Sec's blah blah blah... I'm editing the OP.

legionaire45
July 11th, 2009, 12:29 AM
Cute.

The fatal flaw with their brilliant plan is that they have now pissed the internet off, since they cannot access their pictures.

GG guys. Crap like this is why I have an FTP.

StankBacon
July 11th, 2009, 12:47 AM
Also they don't seem like people you want to fuck with.


prolly just a bunch of 4chan rejects.

Phopojijo
July 11th, 2009, 12:50 AM
True -- but ones who can find out your personal info really easily.

Siliconmaster
July 11th, 2009, 01:05 AM
prolly just a bunch of 4chan rejects.

Isn't that sort of difficult? o_0

p0lar_bear
July 11th, 2009, 03:45 AM
Yeah, sounds like a few script kiddies are mad that people are finding the exploits before they do and doing full-disclosure so they can't use them first for their own ends.

The whole reason full disclosure works is because of why they claim it's bad: since everyone and their grandmother can just compile a source or repeat the steps to break it, it gives incentive to fix the problem, and fast. And the problem usually does get fixed fast.

English Mobster
July 11th, 2009, 04:01 AM
Meh, Imageshack sucks anyway. They've sucked for years, way too many ads.

I prefer Photobucket over all of 'em. Nice way to organize my pictures, even if you can have your account banned for things they deem "inappropriate".

Mass
July 11th, 2009, 04:51 PM
I use photobucket and have for a while but I would enjoy not being broadsided with MORE ADS THAN MY EYES HAVE ROOM FOR...

This is a sad attempt to mislead people made serious by the causing of grievous inconvenience.

Bacon, didn't you get the banhammer at halomaps for whitehatting?

klange
July 11th, 2009, 04:55 PM
Bacon, didn't you get the banhammer at halomaps for whitehatting?
Yessir. I went full-disclosure on the insecurity in Dennis' forum's avatar upload functions, which he had failed to properly disable (or the forum itself failed to properly disable).

Sel
July 11th, 2009, 05:41 PM
imageshack has always been shit

anyone who's using them to host their shit should be banned right now.

sdavis117
July 11th, 2009, 05:46 PM
I find myself half agreeing with Selentic. I think it should be at least looked down on to use imageshack thumbnails. I never click them, because I have a feeling that I'll get a virus if I do. I have no problem with directly embedding the images themselves from imageshack, I just hate thumbnails.

Siliconmaster
July 11th, 2009, 05:51 PM
I don't like the thumbnails, but I do use it for hosting images because I find it pretty easy to use.

Please don't ban we who use the shack. :(

Sel
July 11th, 2009, 07:00 PM
The thumbnails are a fucking joke. I tend to ignore them, and when I don't, I usually have to click 4 different things to get the full sized picture.

n00b1n8R
July 11th, 2009, 07:02 PM
I only ever used it for shit that photobucket wouldn't take (too hi-res or potentially considered pornographic)

rossmum
July 12th, 2009, 12:34 AM
I have to admit that I'm more than a little pissed off at the open availability of exploits; I get that it's to force devs to improve their software's security, but it also means any Tom, Dick or Harry who's watched one too many hacker films and thinks they're hot shit can cause a disproportionate amount of chaos with no consequences at all. These aren't the kinds of kids who threaten to hack you in Halo because you beat them, but never go through with it; these are the fucking dolts who try and say 'smart' or 'intimidating' things, and then exploit whatever they can to get at you if you don't play along with them. The only real way to beat them is either to completely wreck their shit yourself, or to outsmart them (usually not that hard, but they're persistent little cunts).

How do I know this? Personal experience. I was part of a community which had something one of these kids wanted. He terrorised the place, jacking steam accounts, emails, what have you left and right; he brought the servers and forums down; hell, I got an email notification from there just the other week telling me that HE WAS MASTER OF YOUR INBOX - the little cunt had done something to give himself full access to everyone's inboxes. I was on the verge of leaving when things started to really kick off, but I had to accelerate things a little to avoid the shit that was going down there. I was one of few people with credible influence there (I was a basic admin, but my word held a lot of sway) who didn't lose their Steam account - possibly because he realised he was fucking with someone out of his league mentally, or because he just lost interest. Either way, he's tried to 'remind' me of his presence since I completely disassociated myself with that community, and nothing has happened (the rootkit saga was apparently totally unrelated - someone else jacked FPSB and used it as an attack site).

My point is that disclosure is fine, but full disclosure is more trouble than it's worth. If you find an exploit, tell the devs, not the kids who are just waiting for some way of getting what they want.

Phopojijo
July 12th, 2009, 10:16 PM
Well Security Through Obscurity isn't designed to hold off patches you assume people don't know about... it's *designed* to slow the attacker's ability to find the exploits.

Doesn't work though.

rossmum
July 14th, 2009, 11:03 AM
Both methods are kind of shit, you'd think if they found an exploit they could surely keep it to themselves to use it, or at least amongst people who don't get giddy on delusions of power?

Jelly
July 14th, 2009, 02:31 PM
Both methods are kind of shit, you'd think if they found an exploit they could surely keep it to themselves to use it, or at least amongst people who don't get giddy on delusions of power?
Exploits are only normally published by ethical and white-hat hackers. The ones who hack programs to protect users, rather than to exploit them. The risk of script kiddies is the reason that the devs want to patch the exploit.

rossmum
July 14th, 2009, 02:41 PM
Yeah, but it'd be nice if they could sort all this out without risking losses of money or risk to personal information for the general userbase.

klange
July 14th, 2009, 02:47 PM
Yeah, but it'd be nice if they could sort all this out without risking losses of money or risk to personal information for the general userbase.
It doesn't work. That's why full disclosure is used in the first place. Companies refuse to patch out exploits when they don't pose enough of a risk.

rossmum
July 15th, 2009, 12:05 AM
Oh, that's alright then. As long as some upstart gets hold of my Steam account which is worth a few hundred by now (hypothetically speaking, nobody's been successful to date but most of my mates have fallen victim at least once) for a good cause!

The devs might be risking this by not patching, but I fail to see how telling all and sundry how to exploit the hole is not worse than the problem it's meant to alleviate. Now instead of a few determined malicious sorts trying to lift people's accounts, I see kids jacking accounts just because they don't get their own way in an online community. It's like amputating someone's arm because they have a mild skin rash, total overkill and far more of a menace.

Sel
July 15th, 2009, 12:13 AM
oh no

hackers on the itnenret

Con
July 15th, 2009, 12:19 AM
They said it themselves; they can't change the world. Any difference they make won't last forever and things will return to normal.

jcap
July 15th, 2009, 12:51 AM
Oh, that's alright then. As long as some upstart gets hold of my Steam account which is worth a few hundred by now (hypothetically speaking, nobody's been successful to date but most of my mates have fallen victim at least once) for a good cause!

The devs might be risking this by not patching, but I fail to see how telling all and sundry how to exploit the hole is not worse than the problem it's meant to alleviate. Now instead of a few determined malicious sorts trying to lift people's accounts, I see kids jacking accounts just because they don't get their own way in an online community. It's like amputating someone's arm because they have a mild skin rash, total overkill and far more of a menace.
If that were to happen, then Valve would have to immediately admit there was a massive security flaw and they would reverse all the changes instantly and patch their system.

If anything, it's better if you have hundreds of people hacking accounts with an exploit than only a handful. If you have a few, it would be difficult to say that you can't login one day and you think the account was stolen. If you have hundreds or thousands doing this to people's accounts, Valve has to say that hundreds of accounts are falling victim due to a security flaw that they knew of but ignored.

With haloboom, if a few servers just randomly started crashing, no one would think anything of it. But when the exploit was released and people were crashing servers left and right, Microsoft patched it!

rossmum
July 15th, 2009, 01:20 AM
Call me odd but I just don't like the idea of playing with other peoples' personal shit just to force somebody else into doing something at all...

p0lar_bear
July 15th, 2009, 01:33 AM
Sorry duder, but that's how the world works. Everyone is too lazy and/or focused on something else to care unless the security exploit is brought to the front.

Besides, in some cases of full disclosure, end users have the information they need to take steps in preventing the attacks from working. Remember when haloloop 1.07 was found? A community member patched up a quick workaround.

Hypothetically, what if there was a forum exploit where someone could somehow see your login credentials when you login on a certain type of page? Wouldn't you rather have that info out in the open so you know which page to not log in on?

Security through education (and yes, a little bit of blackmail). If there was no such thing as full disclosure, then the blackhat hackers who are really nothing more than script kiddies who got the exploit info from their best buds would be much more prominent.

rossmum
July 15th, 2009, 01:55 AM
Oh, I'm all for telling people ABOUT problems, just not how to exploit them.

Bodzilla
July 15th, 2009, 02:01 AM
but what you're not getting ross is that THEY DON'T GET FIXED UNTIL LOTS OF PEOPLE KNOW.

blame lazy devs.
A lot of these things they find out before they're completely disclosed.

paladin
July 15th, 2009, 02:03 AM
YAYAYAYA I get a new credit card

~snip~ :ohdear:

<3 SnaF

Corndogman
July 15th, 2009, 11:22 PM
Making a patch for an exploit takes time, and remember kids: Time is money!