Title : Phrack World News
Author : EL ZILCHO
==Phrack Inc.==
Volume 0x0e, Issue 0x43, Phile #0x03 of 0x10
|=--------------------------------------------------------------------=|
|=-----------------------=[ Phrack World News]=-----------------------=|
|=-------------------------=[ by EL ZILCHO ]=-------------------------=|
|=----------------------=[ [email protected] ]=---------------------=|
|=--------------------------------------------------------------------=|
1. The TJX Case and the Longer Arm of the Law
2. Stuxnet, Cyberwar, Hacktivism and Political Hacking
3. Wikileaks and Whistleblowing
4. Scene Events: the Final Word
-------------------------
--[ 1. The TJX Case and the Longer Arm of the Law
When the going gets weird: The TJX crew / Probation for the narqs, tough
sentences for the hard luck crowd / The longer-reaching arm of the law
Computer crime and hacking have always made for uncomfortable bed fellows,
splitting hackers into two general camps; The laissez-fair consideration
of those who know they commit several technical crimes before even getting
out of bed in the morning, and those whose fear of the law drives them,
essentially, straight -- condemned to endless nights in front of a
debugger with nary an unauthorized rootshell to be seen.
So where to draw the fuzzy line under the TJX crew, from the manipulating
Gonzales, who narqed out #phrack opers early in 2003, to the erstwhile
seven-foot tall computer programmer the_uT who faces two years in the cage
and a $172.5 million restitution for the writing of a simple computer
program that most of us could have written at age fifteen, under the
influence of ketamine or not?
PWN corespondents have viewed the original source code to 'blabla' and can
attest that it consists of nothing more than a read loop from a raw socket
on a high port outputting, unformatted and unfiltered, data to a file. To
say that tcpdump is a far more sophisticated piece of software for data
thiefing is not an exaggeration.
At least we can say with a comforting certainty that the fine old art of
narqing like a pro will still get you out off the hook in times of phear
and stress. As many old-timers will attest, narqing has been a fine
defensive tradition among hackers over the years, with many well-loved
figures of hacker mythology, from Chris Goggans to Agent Steal, being firm
believers in the practice.
The TJX case has been a prominent reminder of the efficacy of the ancient
technique of daubing one's mates in, with all sides planting knives
between shoulder blades with sickening alacrity and producing some truly
Olympic-grade scores in the Freestyle 100m Narq -- to wit, among others:
* Patrick 'eckis' Toey who faced a maximum sentence of twenty-two years,
reduced to a paltry five years by merit of supplying 'extensive
cooperation' to the authorities.
* Breakout act Jeremy 'horse addict' Jethro -- evidently the star of the
case -- managing to not only narq out everyone he knew, but then managing
to find his Saviour in Our Lord Jesus Christ AND being fined less than
what he actually earned for his crimes (thus earning a nice little
profit); He also managed to get his sentence commuted to probation, on top
of everything else! Once again, this is solid proof that God is indeed on
the side of the just.
* Albert 'soupnazi' Gonzales -- the sole failure here, scoring miserably
by still receiving a massive twenty-year sentence despite having
implicated everyone he knew up to and including his own grandmother
-- and that's just for starters.
The most disconcerting element in the entire show so far for anyone in any
way involved in any sort of criminal activity (or, indeed, anyone who
involves themselves in anything anywhere near anything resembling criminal
activity), is the startling comaraderie and friendly interaction between
international agencies - particularly Interpol and the FBI. Especially the
FBI.
Recent international busts involving novel interaction between agencies
has lent heavy weight to previously unfounded concerns of privacy
advocates. The mere idea of a foreign national's being arrested overseas
and renditioned/transferred to the custody of American civilian agencies
purely on the basis of American testimony and evidence is enough to turn
the stomachs of anyone, and yet it seems to have gone largely under the
radar -- especially among American Citizens.
The pseudo-criminal actions necessitated by the various agencies involved
in order to bring down Gonzales would stagger even the most ardent
Republican waterboarder. To wit, the hard drives belonging to Ukrainian
carder Maksym 'Maksik' Yastremskiy were cloned during his trip to Dubai
and yet again when he was coerced into visiting someone in Turkey (all the
while while US agencies tried to tote the party line that they caught him
while he was taking "vacation" -- conveniently ignoring the fact that they
lured him to visit) and his movements tracked throughout Europe and Asia
over an extended period of time. We can be sure that Interpol had not the
gumption nor Ukrainian officials the interest (or resources) to bring
about this level of interplay. With the evidence in hand, surely only the
FBI can be to blame? The Turkish officials got to crow about a 30 year
prison sentence -- in a Turkish prison, no less -- and the US got to cross
one more name off their "to do" list, case closed, job done -- success all
around.
Further confirmation of such a hearty and hale level of cooperation was
provided just this past October by the FBI, who affirmed that the break-up
of a major Zeus botnet ring was the result of an "unprecedented"
partnership between the FBI and police forces around the world including
the UK's Metropolitan Police, the Security Service of Ukraine (SBU) and
the Netherlands Police Agency. So far the international Operation Trident
Breach effort has yielded more than 150 arrests across the US, the UK and
Ukraine, the FBI said. One can assume that's only "so far" and that once
the narq ball gets rolling, yet more waves of arrests -- and yet more
international cooperation -- will commence in earnest.
Perhaps you are wondering what this has to do with you, at this point.
Perhaps you ARE merely doing your job as a whitehat, researching these
transglobal "criminal conspiracies", reversing malware, sticking to only
machines you have permission to access, maybe even contributing to some
open source projects and communicating giddily about 0day bugs on bugtraq
and full-disclosure, or releasing exploit information on your twitter
feed; after all, in this wired global age, the opportunities for
collaboration are indeed unprecedented. But where does one's level of
responsibility for the use of one's research end and begin? Dig Sklyarov
and the DMCA brouhaha. Witness certain unnamed Linux distros suddenly
being unwilling to allow tools such as SQL Ninja to be included in their
source code repositories.
At what point might YOUR code be considered a munition? At what point
might your totally legitimate work as a whitehat (or greyhat, or what have
you) researcher, or pentester, or even systems administrator or website
developer be called into question? While it is certainly difficult to
argue that putting identity thieves behind bars is a quote-unquote "bad
thing", it is also difficult to refute that code itself is being seen as a
munition (just as crypto was not so long ago, and probably will be
increasingly so again, as time passes and the reins tighten up in only
somewhat predictable ways).
If you mistakenly introduce an error into your codebase at work and it
creates a security hole, can you prove it was not intentional? There
really are no guarantees. An overly aggressive legal system will at the
very least threaten to steal time, money, resources, and quite probably
your reputation.
If you're very unlucky you might wind up in jail, or in trouble for
something someone you know was involved in, in hopes that you will be the
next hacker willing to daub in his (or her) mates to be set free, thus
maintaining the cycle of narqing and providing an always-revolving door of
the Usual Suspects to lay blame to. That's not even including the Patriot
Act and wiretaps (an issue pretty much deserving of its own article some
other time).
The exposure of Google's Street View Wifi data gathering fiasco is likely
only the tip of the iceberg -- what we were told was the accidental coding
error of a single engineer (who probably will wear that virtual scarlet
letter on his resume for life). And yet again, in that case, other
countries were first to protest; only lately has there been a strange and
questionable desire TO have those records retained -- for what purpose who
only knows.
The question to wrap all of this up with, here, probably isn't "Does it
affect you now?" (unless you are indeed a blackhat, in which case, no
doubt, this will impact you tremendously). The question is "can you be
sure it never will?"
--[ 2. Stuxnet, Cyberwar, Hacktivism and Political Hacking
It's no secret that, with the US economy in a state of planned poverty,
conventional sense. But the growing speculation, that Iran's nuclear
power plant at Bushehr will turn into a weapons program, is a timely
excuse for governments to exercise their newfound cyber warfare tactics.
Iran believes Stuxnet was intended to derail its nuclear ambitions; and
"analysts" expect us to believe that a string of numbers, the name of some
shrubbery, futbol domains, and weird 2012 shit... somehow indicates Israel
was behind it all. The reality is probably this: as much as Israel's
super star hacking squads would love to take down Bushehr, Russia is
standing in the way, defending its plan for a return on investment.
Stuxnet represents just one of a few big events in this arena since last
issue. We've also had Aurora and that whole Google scandal in China.
Hildawg has been bitching about China from the start, and it came as no
surprise that pressure would be put to bear on big companies, like Google,
to defame China's government in the midst of a GFC. More recently,
Europe's cyberwar simulation has been hailed as a success, with countries
across the EU learning to defend against over 300 attacks. This marks
another milestone in the EU's attempt at coordinating intraregional
cybercrime investigations. Across the Atlantic, USCYBERCOM has finally
gone live. While governments prefer to keep their military hax a secret,
there exists a necessity for them to demonstrate their power. Welcome to
a whole new wave of terror, hackers.
The majority of high profile attacks in the last year show a trend towards
highly skilled and targeted hacks that take a lot of time and/or money to
develop. In these cases there is minimal collateral damage, months may
pass before detection, the hackers are anonymous, and the vector is
unique. While these are still large-scale attacks, they're not intended
to affect the entire internet -- just a select few major players, and
sometimes only for a short while. As corporations and governments throw
big bucks into cyber warfare we're going to start to see some of the big
names in the IT industry get left behind.
The continued DDoS of Burma, in the lead-up to its first election in over
20 years, showed a recent and unwelcome return to stupidity and ignorance
at a rate of 10-15gbps, easily dwarfing the Estonia DDoS of 2008. Amnesty
International had been working hard to get radios into Burma, so that
people could keep up with the election news from across the border. Days
after the election, their Hong Kong website was compromised and visitors
were attacked with an IE exploit that Microsoft knew about, but blatantly
refused to patch early.
On the same day that the Burma DDoS began, the Iranian Cyber Army
announced its "botnet for hire", though it is rather unlikely that there
is a substantial link between the two. Their admin system is some kind of
honeypot, their stats are fake, and surely the very idea should have
screamed of an obvious trap. But as the news started to spread, bloggers
began recycling news media, and slower reporters started relying on those
bloggers, until we started coming across reports that ICA was renting out
"the same botnets that took down Twitter and Baidu". Uh, sorry? Last
time I checked, social engineering a dude at Register.com didn't require a
botnet.
But hey, maybe there is a botnet, or at least one in development. It's
hardly as though ICA are the first to do so. But their treatment by news
media is ridiculous. I mean, if these guys really are an "army" then just
where were they when Honker struck out in retaliation for Baidu's
defacement earlier this year? Unfortunately the media still clings to
them because of a handful of high profile defacements. And because they
tend to pop up every time something big happens, some journalists actually
think these kids are an officially sanctioned military force that reports
to Ahmadinejad himself! I don't believe, for a second, that they're even
Iranian to begin with.
On the related note of poor-man's hacking, we're also seeing a rise in
grassroots hacktivism. Social networking sites are making it increasingly
easy to inspire angry mobs of ordinary computer users to take part in a
DDoS by clicking a link. Years ago we laughed at those kinds of methods
(remember the cDc's hacktivismo?). But we're not on dialup anymore, and
there's not a lot you need to get your own "human-net" started -- just a
persuasive cause and a handful of idiot-proof programs. LOIC is popular
for this, as are websites that send GET requests in iframes over and over
and over. Next thing you know, there's thousands upon thousands of stupid
tweeters, staggering forth like something out of Resident Evil. This
isn't even including the more normal botnets that use sites rely on
Twitter for commands. Throw that into the mix and Twitter becomes some
kind of pluralistic middle-class pseudo-political force to be reckoned
with. Law enforcement seem to just give up in those cases. Too many
people to chase. Not enough resources to prosecute them all. The most we
see is the instigators of these human-nets being hunted down. As the RIAA
and MPAA attacks showed us, Anonymous ain't so anonymous when they plan
their attacks in the open, in front of feds, on 4chan and Darknet.
The trend toward military-directed cyber attacks is prompting some
academics to call for a change to the laws that regulate the conduct of
hostilities in war. They are questioning whether a country can remain
neutral in a cyber war if the data carrying the attack travels along that
country's pipelines. Some militaries insist that for hackers to qualify
for "prisoner of war" status, these geeks must wear a special hacker
uniform and carry a sidearm (I like to think this uniform would look like
TRON Guy).
And then there's the question of whether something like Stuxnet can be a
legal impetus for conventional war. The real beauty of Stuxnet isn't just
in the code (as specialised and 0-day as it may have been) -- it's also in
the attack vector. If you conveniently lose your malicious USB key in a
parking lot, and some "unscrupulous person" picks it up and decides to use
it at work... YOU are not committing an attack -- at least not directly
(one could argue, after all, that they had no business picking up the usb
key in the first place). Moreover, philosophical arguments aside, if
you're a civilian, the likelihood of you being charged with anything is
extremely remote. Add all of this to the essential argument that hacking
cannot be considered an act of war necessitating self-defense unless the
hack can be compared to a substantive and conventional military attack,
and conventional arguments are essentially thrown out the window. In other
words, in the case of Stuxnet, while Iran recognises there was espionage,
and possibly an intentional attack, the worm was not an "armed attack"
sufficient to qualify self-defense under the UN Charter.
In sum, if the events occurring since the last issue has been anything to
go by, the next decade will see a growing disparity between the nature of
high-profile hacks, but at the end of the day the bulk of it is the same
old same old, with some new shit thrown in. Militaries are fast becoming
a cyber-force to be reckoned with, but in the absence of laws to regulate
their actions, don't expect bombs to fall as a result. While it is most
probably that the recent spate of uniquely targeted high-profile attacks
will go unpunished, what we can expect is the government to play an
increasing role in regulating the Internet and hunting down ordinary
hackers in the name of a "war on cyber terrorism".
--[ 3. Wikileaks and whistleblowing
But what of Wikileaks? While it is undeniable that it has had some impact,
one must ask oneself if we are not just raucously accepting as a date to
the prom the only girl who asked us out and considering ourselves lucky to
have found anyone at all. One could argue that when a society needs a
hero, someone will always be willing to show up fighting, but the same
could be said of most movements, even including the upstart 'Tea Party'
being cawed about on Fox News to cheers by the same people who would have
voted for Obama if they'd been Democrats instead of Republicans. Perhaps
it's unfair to tilt this article so specifically in the direction of the
US -- after all, Wikileaks has shed some light on some tremendously
important stories in the three or four years since its inception -- but
it's hard to argue that 2010 was the year that Wikileaks came to true
nation-wide attention, due in no small part to a certain "redacted" video
going by the sobriquet "Collateral Damage", and then fueled by the
document dumps ostensibly leaked by US insiders concerning Iraq and
Afghanistan that came not long thereafter.
Yes, we have a responsibility to make information acceessible, or at least
make the knowledge of how such information is stored and used more public,
less draconian and redolent of a country poised to curtsy/bow to 'Mein
Fuhrer' but we also have a responsibility to treat that information with
respect, and more importantly to be able and willing to filter that data
through the sieve of common sense and reason: Data should be valuable
because it is valuable data (and in some cases the releases by Wikileaks
have indeed been valuable data) and not valuable simply by the reasoning
that "they don't want us to have it."
By the same token, sometimes the very act of sticking the proverbial
middle finger up at The Man serves as a call to arms -- or at the very
least a rate limiter: A way to urge the current Powers That Be to think a
little more before trying to instituting even further privacy eroding
measures. Conversely, it is all too easy for any country to consider any
"leak" -- righteously whistleblowing or not -- as an act of war, or an
excuse to add a few zeros to a department's line budget.
And there's something else we all need to be thinking about:
Every country, every war, every movement has secrets. We may tell
ourselves that information wants to be free, but freedom comes with a
price and some secrets are GOOD secrets. More importantly there OUGHT to
be some secrets in the world.
To completely submit to Wikileaks' vision is almost more akin to Big
Brother than anything the US government -- or any other government --
could possible create on its own: A culture where your every move may be
exposed, your every thought may be tallied, your every minutiae published
for the whole world to see, in a world where Google gambols giddily in the
grasses of greed and Facebook and Twitter announce to the world your every
move to a perceived audience of enthralled onlookers all willing to say
'you!' when you say 'ah, me!'. In a way we're already most of the way
there, and that's a very dangerous thing. When your baseline gets reset
and you don't REALIZE that your privacy is being invaded, then the great
big "They" has already won -- and you have just let yourself do the dirty
work for Them.
One could argue that if PFC Manning did indeed leak what has been
attributed to him, he may have done a heroic thing, but the fact that he
may have also broken a trust that he covenanted into in advance with the
US government is difficult to completely discount. The Manning case having
received the attention it has gotten this year has brought up a lot of
grey areas in peoples' political belief systems, but it has also begged
the question: What *is* "whistleblowing" and what is "disloyalty"? What is
"patriotism" and what is "narqing"? When can one trust one's judgment
about another person's true intentions and is it truly as cut-and-dry as
we all wish it would be? Adrian Lamo snitched, but it is always possible
that he thought he was protecting himself or his country even as he may
have also been trying to cobble together some newfound publicity for a
receding career that has been inarguably past its prime for years now. At
some level this isn't about government or whistleblowing or privacy --
it's about society and about interpersonal trust, and perhaps that is
where things get the murkiest. Naive or not, trust is dealt out
increasingly to total strangers on the internet. One could argue that
Manning, if indeed that was Manning, was naive in trusting a veritable
stranger, but most of us do this on a regular basis now; the difference
here is, Manning paid.
Without an explicit agreement of nondisclosure one cannot truly and
totally scorn somebody for "squealing", but by the same token our very
society has been built up on such simple and implicit bonds of trust: I
will not hurt you, I will not steal from you, I will not betray you. I may
not agree with what you do, but I respect your choices as an individual.
At what point does that trust need to be broken off? Some secrets are
good, if they contribute to the greater good of society -- and that goes
*both* ways -- at times in favour of the individual, at other times in
favour of government. As a species we always want to root for the Underdog
(and nowhere is this more true than the US, perhaps), but given the fast
fluxing nature of the Internet, who the Underdog is can flip at a second's
notice: At first Wikileaks was the cause celebre of people everywhere,
then came the backlash. All movements have backlashes, and Wikileaks was
bound to not be the exception.
Perhaps one reason so many scorn Wikileaks has to do with the closed-book
nature of a site so overtly and devoutly espousing transparency; at some
point it becomes difficult not to interpret all sides as playing with
similar playbooks. But it's difficult to win at poker at a table where
everybody knows your cards, especially when the rest of the players have
bankrolls that far eclipse your own. Again, the question arises: When is
transparency necessary, and when is secrecy a requirement to make any
progress at all? On the one hand, one must worry about too much
transparency; on the other hand, one must worry about too much lurking in
the shadows. In the past we had journalists to expose corruption; now it
is often journalists themselves fighting off corruption charges, hiding
facts, skewing evidence.
It's incredibly difficult to deny that some transparency, and indeed
Wikileaks itself, can have a positive impact -- and it's hard to imagine a
world where SOME sunshine shouldn't be shed; The trick here is to remember
that such increased levels of exposure demand we be a more responsible,
measured animal -- something as homo sapiens we have really never learned
how to do or be.
There is no way to shove the genie back into the bottle, and old rumours
on the Internet never really die -- they just get archived til someone
else manages to come along and dig them up from their temporary graves.
This holds great promise for the future of integrity, but it also creates
issues when the possibility of outright falsehoods are introduced,
especially through an anonymous third party, or in cases where a split
exists between haves and have-nots; who really has time to monitor their
reputation online to that level? And if someone does besmirch your name,
what can be done?
If your data shows up on a whistleblower site care of a third party, then
it also becomes yet another way to show a display of power: The
Vice-Presidential hopeful breaks the rules -- nay, the law -- and walks
free while the college student who guesses at her password gets sentenced
to a year of supervision or prison. If there is to be light shed, then it
should be an equally penetrating (and perhaps softer) light -- not a light
meant to shine in the victims' faces and hide the face of the perpetrators
-- especially when the label of 'victim' and 'perpetrator' is so murky and
grey (as in the Palin case; one could argue both sides committed some form
of fault).
Julian Assange likes to say 'speak truth to power" but this is a tall
order; to first be able to speak ANYTHING to power, you must basically
gain the ear of the powerful, or you just get thrown
into an eddy, left to whirl around with a bunch of kooks and nutjobs (as
any federal agent handling walk-ins will likely attest to, and too, so
must whistleblowing sites contend with; with fame
comes your own raft of nutjobs to weed out).
It'd be hard to deny that whatever else Wikileaks has accomplished in the
past year, it has gotten someone's attention. Whether that will be a good
thing or a bad thing remains to be seen... But one imagines any call to
arms must bring about some force for good, even if that force is something
as simple as a renewed spirit of vigour and willingness to be involved
among an otherwise sluggish populace juggling its own sense of
powerlessness in a country demanding what essentially constitutes sexual
assault merely in order to board an airplane. To make an omelet you must
first break some eggs; To create a change you must first gain the ear of
not just power but the people itself -- and then you must charge them with
the duty to act.
The true collateral damage may wind up being Manning himself, here;
basically judged guilty already, his name forever stored, his
acquaintances being hassled, his personal life bared open to the
world, he serves as both an example of what to strive for and a
cautionary tale for a new age. What the future holds for him remains to be
seen, but with any luck he will receive a fair trial by a jury of his
peers -- if any such people even exist.
Wikileaks may not be perfect -- in fact, it may be deeply flawed -- but
for now it's probably all we're going to get. And we should probably be
grateful for it -- but wary. Always wary. The danger of mixing the message
up with the messenger is always great, and there is no real way for any
whistleblowing site to always be 100% correct. Even governments have an
incredible amount of difficulty verifying the veracity of any information
or separating rumours from fact; to put this level of blind trust in a
volunteer organization with no oversight is bound to be fraught with a
whole host of issues we haven't seen the likes of yet... For instance,
what happens when a non-governmental entity views it as a potential source
of information? Once any whistleblowing site gets information, it is out
there; what is done is done; At this point, false flags and disinformation
is also an issue; the possibility of tricking any whistleblower site to
publish false information would destroy not only its credibility if found
out but possibly be used to forward some governmental or non-governmental
party or agenda. Additionally, to believe everything that any organization
says is as short-sighted as believing everything your government tells you.
Ultimately your conscience will have to be your guide -- and likely no two
consciences will ever completely agree, especially about anything as
at-times agit prop as Wikileaks can be, or as secretive as governments
have always been.
--[ 4. Scene Events: the Final Word
To be sure, many other events have taken place this past year and a half
(the whitehat-vs-blackhat wars forever raging (cue zf05 and the
never-ending arguments about disclosure-vs-nondisclosure); the global
emergence of a harsher, more organized form of cybercrime (and the many
busts that resulted); etc, etc), but several basic themes emerge: There
has been fraud -- but there has always been fraud. There have been
invasions of privacy -- but there have always been invasions of privacy.
There have be governments overstepping their bounds -- but there have
always been governments overstepping their bounds. That doesn't make any
of it acceptable, but it also doesn't make any of it new -- nor does it
give any of us an excuse to pretend it has nothing to do with us (no
matter where you reside or what flag you fly (or choose not to fly,
whatever the case may be)). If anything, there has been an amplification
of all of the above, but none of it is truly 'new'. Read past issues of
Phrack: All of the above has existed in some form or another, just on a
smaller scale. It's still existed.
Judging by the drive for wealth or fame or infamy displayed in so many of
this year's stories, it bears mentioning that we cannot let a few key
players make us forget how important it is to treat technology
responsibly, reasonably -- to love it, to hack it, to, please, take risks,
but to do so with heart
-- with CONSCIENCE --.
In the end it all starts and ends with you.
[EOF]