sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
Kevin Mitnick. The first high profile hacker. Went to jail after prawning the ever loving shit out of Sun, Nokia, and many, many others. Got out and now is a "Security Consultant" who makes infinite dough lecturing and doing audits.

Dan Kaminsky. Among other accomplishments, he recently discovered a massive hole in DNS, the way names are translated to IP addresses on the internet, that shook the foundations of the entire web's trust model. Security Guru, makes infinite money lecturing, auditing.

0x000000.com (Ronald van den Heetkamp)
perlmonks.org (Perl Monks)
elitehackers.com/info (EliteHackers)
binrev.com (Binary Revolution)
invisiblethingslab.com (Joanna Rutkowska)

All icons in the information security biz. Top tier talents. All have contributed immensely to the full-disclosure community.

And on Monday morning, all of them got their shit pushed in.

An "anti-sec" group called zf0 (Zero For 0wned) effectively pulled their collective pants down and displayed their collective withered, useless nuts to the world.

Anti-Sec is a group of apex predators in the digital arena who take exception with the overall concept and philosophy of full-disclosure. Full-disclosure basically works like this: you find a bug, you contact the vendor and help them patch it, then you go public with the bug. Anti-sec has some problems with this. Anti-sec feels that ultimately this is disastrous, as it allows "weaponized" versions of the bugs to be distributed to bottom feeders with no upside above and beyond fame and ego for the original publishers. And so, anti-sec has gone to war.

zf0, for example, does not bother to weaponize other people's exploits. They are quite comfortable with finding and writing their own. And that's probably why there appears to be literally nothing on the planet they can't fuck with right now. Evidence of which can be found here: http://www.rec-sec.com/files/zf05.txt

This zine was released Monday morning. I spent yesterday reading it, and I can honestly say that the information security industry will never be the same. Careers are over. Reputations forever vaporized. Relationships have been destroyed. The extent of the damage zf0 have done can only be described in terms previously reserved primarily for the discussion of asymmetrical warfare: "scorched earth", "fire storm", etc.

Basically, there were two major phases in the history of the full disclosure movement: yesterday, and everything before then. And now, we have no choice but to completely revisit the entire notion of how online data is stored. Web 2.0 is completely done, it's over. At least as far as trusted mediums go. People need to revisit the old military data partitioning standards, and even then it needs to be done from a perspective of relentless paranoia and assumption of hostility.

No one wants to be the next security expert who wakes up to this: (Found in Dan Kaminsky's home directory) :headpalm

The zine itself is an object lesson in how not to fuck up; it's got tremendous educational value. Their comments about password strength are very interesting, and the methodologies they display, although they may be doctored, indicate that a motherlode of undisclosed vulnerabilities exist that probably affect at least 75% of the webservers online at any given moment.

Most important however is the lesson they continue to hammer home: being able to weaponize other people's exploit code is not the end game, at least not the one anyone of worth should be concentrating on. Being able to recognize bad code and manipulate it yourself is what constitutes true power in the digital domain. Therein lies the ultimate expression of aptitude. Regardless of what they do with that tool, I think it's hard to argue with its potential.

Regardless, bon appétit!
_________________ Wiz' Fruity Pebbles Poetry Contest Runner-Up, probably. <Ripptyde64> anyway I just wanted to give you some props for your posts....you really have a unique way with words and as a fellow writer I am humbled <Ripptyde64> lol I just like your style. there are so many useless and moronic poster on these forums and you are vastly superior in quality, form and content. <BB92> lol i have tits ╭∩╮(︶︿︶)╭∩╮
Tue Aug 04, 2009 4:20 pm
sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
Addendum #1:
Kaminsky gave his lectures today, as scheduled. He was, however, noticeably *fucked* up on liquor and pointedly refused to answer any of the multitude of questions the audience trolled him with regarding his shit being pushed in by zf0.
Addendum #2:
Googling "DAN KAMINSKI" brings this up as the first result:
DoxPara Research: Oh shit, Dan Kaminsky is 0wned and fUcked Up. Check doxpara.com/zf05.txt ..... > This is the personal blog for security researcher Dan Kaminsky, ...
Addendum #3:
Announced within hours of the zf0 hacks going public and the zine being released:
Acting Cybersecurity Czar resigns for 'personal reasons'
by Donald Melanson posted Aug 4th 2009 at 6:03PM She still hasn't ever been formally named to the post she helped create, but acting White House Cybersecurity Czar Melissa Hathaway has now already taken her name out of the running and announced her resignation from the job, citing the usual "personal reasons" and the need to "pass the torch." As The Wall Street Journal reports, however, there may have been a bit more drama going on behind the scenes, with "people familiar with the matter" reportedly saying that she has been "spinning her wheels" in the post, and marginalized politically. For its part, the White House simply says that cybersecurity remains "a major priority for the president," and that "the president is personally committed to finding the right person for this job, and a rigorous selection process is well under way."
Coincidence?
Tue Aug 04, 2009 7:03 pm
BusterCostaRica
DD Elite
Degen Index: 51
Joined: 17 Feb 2006 Posts: 3874
I wish I understood the impact of this, because it must be major as I don't see you as one to engage in hyperbole. I remember reading of Mitnick years ago in this book: http://www.amazon.com/Takedown-Pursuit- ... 388&sr=1-1 From the rating, it seems like it's probably a laugher to those in the know, but I found it interesting 10 years ago when I read it.
Thu Aug 06, 2009 3:20 am
GAMBLE-BOT
DD Legend
Degen Index: 32
Joined: 24 Oct 2007 Posts: 15953
HAy guyz, long time reader, second time poster. My question is for computer donks like myself. I obviously have no clue what you are talking about, but does this mean hackers can get into my library of gay porn that was meant to be exclusively for posting on NWP... not for spank purposes?
In layman's terms, does this affect me directly? What am I supposed to do, or is this just a problem for security analysts and big corporations and stuff? I do understand this could affect me if my info is stored at a bank etc., but I'm trying to find out how far reaching this is. Data breaches at credit card processing companies are fined 6-7 figures whether or not it's their "fault".
Last edited by GAMBLE-BOT on Thu Aug 06, 2009 7:20 am, edited 1 time in total.
Thu Aug 06, 2009 7:20 am
sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
I read that book. Some interesting shit in it, but I found Shimomura's writing to be self serving and overall shitty to boot. Worth noting that for every person who remembers that dude's name, 100k+ know Mitnick's. Oh, and Mitnick parlayed that into a career while Shimomura is probably a failed day trader by now.

The closest I can come to describing how ridiculous this whole thing is would be for a total random to wander into the cage at the next UFC and KO Silva, then sub BJ Penn, then pause to pound down a Fresca before tricking Dana White into signing a contract that ceded all control of the UFC to the new champ while forbidding Dana from wearing clothes in public ever again.

The people who got hacked were considered the creme de la creme of the information security industry, and what's more embarrassing than them getting hacked is how truly, utterly *bad* they were at their own security. These are the people the banks hire to lock down their shit. NASDAQ, *.mil, *.gov: if you have sensitive data, these cats were the ones you wanted to tell you how to keep it safe. It's just a monumental slap in the nuts basically, and the odds of any of the perpetrators going to jail, much less getting caught, are realistically nil.

So you know, yeah, I'm pretty amped up about it.
Last edited by sonatine on Thu Aug 06, 2009 8:59 pm, edited 1 time in total.
Thu Aug 06, 2009 8:57 pm
sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
It doesn't affect you directly more than likely, it's just a seismic shift in the internet security landscape.
Thu Aug 06, 2009 9:45 pm
cupid stunt
DD Whale
Degen Index: 13
Joined: 20 Jun 2008 Posts: 2410
Fri Aug 07, 2009 11:25 am
BusterCostaRica
DD Elite
Degen Index: 51
Joined: 17 Feb 2006 Posts: 3874
I imagine some are very nervous about now from your description of what they are contracted to protect. As far as the book, that's how I remember it: the kid wrote a fairly interesting tech story mixed with a bunch of crap about his personal life and was a bit of an egomaniac.
Last edited by BusterCostaRica on Sun Aug 09, 2009 4:29 am, edited 1 time in total.
Sun Aug 09, 2009 4:28 am
sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
I was fascinated by a lot of what he did, like writing software to hook up a directional antenna to his Sun laptop so he could isolate Mitnick's cell phone frequency and home in on its location. But the other half of the book was insufferable, with the constant whining about how his girlfriend didn't understand him and so on.

http://en.wikipedia.org/wiki/Tsutomu_Shimomura

Lawls. Interesting, apparently Mitnick released his side of the whole ordeal and claimed that much of what Tsutomu wrote about was pure literary invention. I wouldn't be shocked. I'm also slightly skeptical of Shimomura's current status as "computer security expert" considering he hasn't published anything since 1996 afaik.

Anyway. As for the contracted stuff's integrity, I mean, it's been my experience that when people are hired to lock down a system or network, they take it a lot more seriously than they do their own stuff, which is really part of the problem here. Like, sooo many of these hacked boxes were running cPanel and WordPress, which would surely never be running on any forward facing high-profile targets.

Huh.. no sooner had I finished typing the above than I realized how stupidly unrealistic that statement is. Yeah, this is a mess, haha.
Last edited by sonatine on Thu Apr 01, 2010 7:39 pm, edited 2 times in total.
Mon Aug 10, 2009 3:12 am
ShizzMoney
DD Whale
Degen Index: 7
Joined: 17 Aug 2006 Posts: 3179
I need to learn how to write and read code.
Any suggestions besides the google on where to start?
_________________ Mike Tyson: I sacrifice so much in my life, can I at least get laid, nah'mean? I've been robbed of most of my money, can I at least get a blowjob?
Twitter name: Seanismoney
Tue Aug 11, 2009 10:41 pm
sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
There are a lot of different types of code and a lot of different reasons it's written. It's best to have a goal in mind; decide at the very least what you want to learn to read and write code for. Once you decide what type of code you want to read and write, you can download all sorts of code from the internet, tear it apart, set it on fire, and drip it in molten smoldering chunks on the ants of your choosing. Start a new thread on this, imo.
Wed Aug 12, 2009 2:44 am
DanDruff
DD Punching Bag
Degen Index: 83
Joined: 18 Jun 2004 Posts: 20934 Location: One of many secret locations
Computer security is like heads-up poker.
One day there's a superstar who nobody can beat, the next he's a has-been who has been broken by someone else.
So I haven't been following the whole thing here, and it's been 2 months. What ended up happening as a result of all of this?
Sun Oct 11, 2009 3:41 am
sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
Funny and true on many levels. As far as the zf0 shenans, to my knowledge no one was ever caught, but a whole lot of people changed their root passwords I suspect.
Mon Oct 12, 2009 1:22 am
fuhoser
DD Old School
Degen Index: -40
Joined: 18 Dec 2004 Posts: 9839
Why are the columns of this forum all fucked up once you scroll down a page? It starts at a post of sonatine's.. anyway.. makes it horrendous to read.
I don't pay attention to security stuff anymore.. never really did. (Although I did go to HoHoCon, which was a predecessor to DefCon. Mad cred.) Anyway.. so what's the deal with this zine? Is there anything interesting in it beyond the fact that they hacked a bunch of relatively low priority systems that high profile people kept sitting around? Those logs.. are those just from sessions to show that these people were in fact hacked? Or is there something to be learned from them?
Thu Mar 25, 2010 1:33 am
sonatine
DD InfoSec Oyabun
Degen Index: 55
Joined: 04 Feb 2007 Posts: 8621
It was a seismic event on the infosec landscape, and demonstrates how illusory security can be. Given what most people on this forum spend their time doing (playing poker online for real money), it's germane.
I don't know what the fuck is up with the forum format, will ping LF.
Thu Apr 01, 2010 7:38 pm