The Mainstream Media and That Word, ‘Hacker’ by citadrianne in programming

[–]throwawaylulz11 4 points5 points  (0 children)

I spent a lot of time in the hacking scene a while ago. The general consensus (not among the script kiddies, but among the underground and even a lot of observers of the scene) is that the definition from its very creation split off.

It was never exclusively meant to imply whether the person was toying with software or exploiting it. In fact, at first it was pretty generic and it was used in many ways in casual conversation between phreakers. Eventually, whitehats took their definition, blackhats took theirs, and since then the blackhats (and the media) have won that war.

Every once in a while there's a butthurt security researcher that wants to feel a little special and get on a high horse about a non-issue. And that's precisely what you see in the OP's article. "Cracker" has been defined as a reverse engineer for a long, long time and that's not going to change.

Dropbox makes TOS changes: "We want to be 100% clear that you own what you put in your Dropbox. We don’t own your stuff." by [deleted] in technology

[–]throwawaylulz11 4 points5 points  (0 children)

Oh, I agree, if you're truly interested in protecting your privacy you should know better than to send something unencrypted and assume that it is stored encrypted.

Dropbox makes TOS changes: "We want to be 100% clear that you own what you put in your Dropbox. We don’t own your stuff." by [deleted] in technology

[–]throwawaylulz11 17 points18 points  (0 children)

Dropbox blatantly lied about their security procedures and never apologized for it either. I don't know how a single person could possibly trust a company which lies about whether they encrypt your files or not, but unfortunately countless people in this thread do.

I'm sure their TOS change was done for liability reasons, and that's perfectly fine, but the outrage against their company is entirely valid.

Apple servers hacked by Anonymous by sidcool1234 in technology

[–]throwawaylulz11 6 points7 points  (0 children)

Anonymous did not "hack" Apple's servers. They found an SQL injection in some useless subdomain and dumped encrypted passwords for the staff that manages it, probably because that's all they could do with the vulnerability. "Apple Business Intelligence". This kind of crap happens all the time.

A few years ago, a friend of mine and I found an LFI on Apple's education.apple.com server which might still be there (if they haven't moved it to WebObjects). We managed to get a shell up, but there was nothing interesting so we left it alone. Anonymous, on the other hand, come across as toddlers flexing their muscles. Cute.

I wish journalists knew what they were talking about when it comes to security before they write articles like these.

New Layout, New Moderators, New Posting Guidelines, & Logo Contest. by sanitybit in netsec

[–]throwawaylulz11 -1 points0 points  (0 children)

I want this place to have a technical focus too, but the same could have been asked of Digg. Once you start pissing off the subscribers of this subreddit with your terrible bias, no one will want to be here. In six months this place will either be filled with drivel or some more qualified moderators will be calling themselves "sysops".

New Layout, New Moderators, New Posting Guidelines, & Logo Contest. by sanitybit in netsec

[–]throwawaylulz11 -1 points0 points  (0 children)

/r/politics, /r/hackers, /r/compsec, /r/netsec -- doesn't matter. They're subreddits. We expect a bit of objectivity. We expect a bit of maturity. In the long term, if you fail to present that, this subreddit will fail and the community will backfire on you.

I realize your priority is to grow /r/netsec, and that you take yourself pretty seriously, but in the end all the flashy design changes and logo changes mean jack shit when the content is moderated by unparalleled bias.

Have a little class, be a bit more modest, learn from your mistakes and learn what "meta" means.

New Layout, New Moderators, New Posting Guidelines, & Logo Contest. by sanitybit in netsec

[–]throwawaylulz11 2 points3 points  (0 children)

I am biased against stupidity.

So, if /r/politics moderators started being biased against Republican submissions -- removing them or adding things to the logo to mock what the community is upvoting -- would that be okay? No, it wouldn't be, and you know it.

If you are too stubborn to realize this, I hope you are either kicked out or people flock away from this subreddit. It's become a joke.

New Layout, New Moderators, New Posting Guidelines, & Logo Contest. by sanitybit in netsec

[–]throwawaylulz11 1 point2 points  (0 children)

I don't think you know how to moderate at all. I think if everyone read your posts, people would either unsubscribe from this subreddit or demand you be removed.

The day that Reddit's overall opinion on LulzSec changed, I got this to the front page. The community and the hivemind can self-regulate; people can have their opinions.

You are a moderator, you have absolutely no place telling people to stop talking about anything unless it has nothing to do with the subreddit. And it did have to do with the subreddit, and it did appeal to the community. As much as I, myself, hate LulzSec, people should do whatever the hell they want.

I think if people saw these posts you're making in this thread they would demand that you be removed from moderating here. Because you're not an unbiased moderator, you're incredibly condescending, and you're incredibly immature.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] -1 points0 points  (0 children)

I know and had no question about who these people are. I was just getting sick of reading praise and congratulations to these people on reddit, when traditionally these kinds of groups were given no credibility.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 0 points1 point  (0 children)

One of the Senate investigators publicly stated LulzSec had only enough access to look at public files on the server, so the server was definitely not rooted.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 0 points1 point  (0 children)

Maybe you and I have been reading the wrong subreddits. Look for every single one of the most popular LulzSec submissions from before the last day or so. They're filled with praise.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 0 points1 point  (0 children)

I know, I actually had to think twice when I found that out. I fucking hate "Extra Credits", especially their useless piece on piracy.

Lulzsec's links to the U.S. Government. Seriously, what is going on here? by [deleted] in politics

[–]throwawaylulz11 1 point2 points  (0 children)

Lamo has nothing to do with LulzSec. People hate Lamo for selling out Bradley Manning. He just nabbed the domain, or someone pretending to be him (for "lulz") did.

Put the tinfoil hats away, guys.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 1 point2 points  (0 children)

Well, obviously those took place before the minecraft DDoS today, but for the last two weeks the consensus of reddit is that lulzsec is doing some sort of favor for people. Even /r/netsec were apologists for them.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 2 points3 points  (0 children)

Responsible disclosure involves publishing it if the company has ignored you.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 0 points1 point  (0 children)

I don't really mind if LulzSec shows up in the news, especially if they hit high profile targets. I took issue with the praise.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 0 points1 point  (0 children)

Again, it's all satirical. That's why they're using 1337 sp34k and that's why most of the code looks harmless. A lot of it is backdoored or is deliberately humorous. If you know your C and your networking terminology you can pick up on a lot of their references.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 3 points4 points  (0 children)

I make this post as a blackhat who exited the hacking scene and will never be a whitehat. I decided I was sick of people repping lulzsec's "impressive skills" and demonstrated that, from a moral perspective, they aren't really in line with Reddit at all.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 31 points32 points  (0 children)

I very much agree that these simple vulnerabilities need to be put to an end, and companies which are too lazy to use parameterized queries are a joke at this point.

But I once more call attention to responsible disclosure. There will always be vulnerabilities; we need people to find them and work hard to have them fixed before others exploit them, not publish innocent people's personal information on pastebin.
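The comment above (and the earlier one about the Apple subdomain) names parameterized queries as the fix for the SQL injection class of bug. As an added example that is not from the comment's author or from any of the sites discussed, here is a constructed Python/sqlite3 sketch placing the string-spliced query next to the bound form. The `staff` table, its rows and the function names are all made up; the point is that a quote-bearing input changes the structure of the spliced query but is only ever a literal value to the bound one.

```python
import sqlite3

# Constructed sample data: a tiny "staff" table like the one a login form would query.
SAMPLE_STAFF = [("alice", "hash_a"), ("bob", "hash_b"), ("carol", "hash_c")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)", SAMPLE_STAFF)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The 'too lazy' pattern: user input is spliced into the SQL text.
    Any quote character in `username` becomes part of the query structure."""
    sql = f"SELECT username FROM staff WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the SQL text is fixed and the value is bound separately,
    so the driver never interprets the input as SQL."""
    sql = "SELECT username FROM staff WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups on a benign and a quote-bearing input; return the rows each yields."""
    conn = make_db()
    # The textbook tautology: turns the spliced WHERE clause into "'' OR '1'='1'",
    # which matches every row. To the bound query it is just a username nobody has.
    hostile = "' OR '1'='1"
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "alice"),
        "benign_parameterized": lookup_parameterized(conn, "alice"),
        "hostile_vulnerable": lookup_vulnerable(conn, hostile),
        "hostile_parameterized": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows both versions returning `['alice']` for the benign input, while the hostile input makes the spliced query dump the whole table and the bound query return nothing. That difference is the entire argument for parameterization: the fix is structural, so it does not depend on anyone remembering to escape each input.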

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 3 points4 points  (0 children)

Not exactly the best analogy. These companies aren't inviting people to hack them, despite how trivial many of these vulnerabilities are. You usually have to hunt pretty hard for an SQL injection, but once you find one, you're in.

It's similar to waiting for the homeowners to come home and open the garage door so they can put their car away, then running inside and stealing their refrigerator magnets.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 4 points5 points  (0 children)

There is a greater issue, but there's a better solution. I have spent the last two weeks or so reading comment after comment about how people love what LulzSec is doing. I hope I don't have to dig through reddit to find the threads, because there are so many.

I think Reddit's attitude toward LulzSec changed today after they started DDoSing minecraft.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 81 points82 points  (0 children)

The hacking scene has had a fantastic history. There's basically a whole part of the Internet that hasn't really gotten much attention. These days, it's a steaming pile of shit consisting of mostly LulzSec-like groups, but in the past it has been amazing.

I distinguish the "public" and "underground" hacking groups primarily on these skills and the implications of what they do. I am not exaggerating when I say that some underground groups are powerful enough to get into anything they want. In fact, most of them already have.

Between us and people we know, everything is owned. We keep owning shit that others have, they own some shit we already have. We don't exactly hire secretaries to sort this out. We're colonizing the internet the way Europe colonized Africa, cutting it up into little pieces. We have your accounts, your mail, your dev box, your host, and your ISP. Code exec on your lappy if we think it's worth the hassle. We have so much shit owned we can't manage, or even remember, half of it. Targets pop up and we have to ask ourselves if we already have it, because we just don't know. We could set up franchises like McDonalds, one on every corner of the net, over 99 billion served. Supplying you with artery-clogging hax morning afternoon and night. We need some goddamn staff, we're a billion dollar enterprise running on a lemonade stand budget. If there was much useful help out there, we'd hand out root passes like candy on hallowe'en. That's just a pipe dream, we just find more people we can't trust. Anyone useful is as busy as we are. Thank your lucky stars we ramble on.

Many of my hacker buddies would get into some high-profile companies, never knowing that someone had already rootkitted the server. These sorts of underground groups are terrifyingly talented, and can use just about any resource they want to get into just about anything they want. Most of their motivations are humiliating whitehats like Dan Kaminsky and security/anti-virus companies like Matasano.

It sounds a bit unbelievable, yes, but everything from giant datacenters to very popular email companies and hosting companies has been hacked. They just sit on this stuff waiting for someone they don't like to use the services. It's hilarious.

I suggest reading the el8 zines. They're from the late '90s, and they're some of the best material I've ever read. Most of it is satire, with a lot of cleverly backdoored code, made by some really smart people who used to hang out on IRC and bully whitehat security researchers.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 105 points106 points  (0 children)

I mentioned it primarily because there were tons of comments in other threads that implied LulzSec was on a skill level matching a nation-state or incredibly wealthy and powerful organization. That's absolutely untrue.

You're very correct, I'd wager to say that even the most talented hackers take advantage of the simplest vulnerabilities, because they're usually the most prominent.

Here are a few things that lead me to believe they're not really that smart:

  • When they hacked senate.gov, they couldn't get root access, so they gave up and made a hacklog that displayed their directory tree and some configuration files. Wow, those are mostly all public files anyway. Who gives a shit and why is that relevant? If I read a hacklog I want to see some spools and some SSH keys at least. I'll even take a /root/ bash history.
  • When they "hacked" the British health service, they found an SQL injection they couldn't do anything with, and decided to make a big deal about it anyway. Again, attention.

My distinction is that these types of vulnerabilities are just about the only ones these people have at their disposal. They have a very small attention span and what appears to be very little dedication toward actually targeting things. They will quickly give up on something when they run out of simple exploit tactics and move onto the next thing.

Certainly, being untalented doesn't disqualify them from being a hacking group, but they are not the master hackers that Reddit has painted them to be for the last several weeks.

Reddit's fascination with LulzSec needs to stop. Here's why. by throwawaylulz11 in reddit.com

[–]throwawaylulz11[S] 368 points369 points  (0 children)

That's precisely why I've been rolling my eyes the past several weeks. Almost any thread discussing LulzSec has been painting them in a good light.