==Phrack Inc.== Volume 0x0e, Issue 0x43, Phile #0x03 of 0x10 |=--------------------------------------------------------------------=| |=-----------------------=[ Phrack World News]=-----------------------=| |=-------------------------=[ by EL ZILCHO ]=-------------------------=| |=----------------------=[ elzilcho@phrack.org ]=---------------------=| |=--------------------------------------------------------------------=| 1. The TJX Case and the Longer Arm of the Law 2. Stuxnet, Cyberwar, Hacktivism and Political Hacking 3. Wikileaks and Whistleblowing 4. Scene Events: the Final Word ------------------------- --[ 1. The TJX Case and the Longer Arm of the Law When the going gets weird: The TJX crew / Probation for the narqs, tough sentences for the hard luck crowd / The longer-reaching arm of the law Computer crime and hacking have always made for uncomfortable bed fellows, splitting hackers into two general camps; The laissez-fair consideration of those who know they commit several technical crimes before even getting out of bed in the morning, and those whose fear of the law drives them, essentially, straight -- condemned to endless nights in front of a debugger with nary an unauthorized rootshell to be seen. So where to draw the fuzzy line under the TJX crew, from the manipulating Gonzales, who narqed out #phrack opers early in 2003, to the erstwhile seven-foot tall computer programmer the_uT who faces two years in the cage and a $172.5 million restitution for the writing of a simple computer program that most of us could have written at age fifteen, under the influence of ketamine or not? PWN corespondents have viewed the original source code to 'blabla' and can attest that it consists of nothing more than a read loop from a raw socket on a high port outputting, unformatted and unfiltered, data to a file. To say that tcpdump is a far more sophisticated piece of software for data thiefing is not an exaggeration. At least we can say with a comforting certainty that the fine old art of narqing like a pro will still get you out off the hook in times of phear and stress. As many old-timers will attest, narqing has been a fine defensive tradition among hackers over the years, with many well-loved figures of hacker mythology, from Chris Goggans to Agent Steal, being firm believers in the practice. The TJX case has been a prominent reminder of the efficacy of the ancient technique of daubing one's mates in, with all sides planting knives between shoulder blades with sickening alacrity and producing some truly Olympic-grade scores in the Freestyle 100m Narq -- to wit, among others: * Patrick 'eckis' Toey who faced a maximum sentence of twenty-two years, reduced to a paltry five years by merit of supplying 'extensive cooperation' to the authorities. * Breakout act Jeremy 'horse addict' Jethro -- evidently the star of the case -- managing to not only narq out everyone he knew, but then managing to find his Saviour in Our Lord Jesus Christ AND being fined less than what he actually earned for his crimes (thus earning a nice little profit); He also managed to get his sentence commuted to probation, on top of everything else! Once again, this is solid proof that God is indeed on the side of the just. * Albert 'soupnazi' Gonzales -- the sole failure here, scoring miserably by still receiving a massive twenty-year sentence despite having implicated everyone he knew up to and including his own grandmother -- and that's just for starters. The most disconcerting element in the entire show so far for anyone in any way involved in any sort of criminal activity (or, indeed, anyone who involves themselves in anything anywhere near anything resembling criminal activity), is the startling comaraderie and friendly interaction between international agencies - particularly Interpol and the FBI. Especially the FBI. Recent international busts involving novel interaction between agencies has lent heavy weight to previously unfounded concerns of privacy advocates. The mere idea of a foreign national's being arrested overseas and renditioned/transferred to the custody of American civilian agencies purely on the basis of American testimony and evidence is enough to turn the stomachs of anyone, and yet it seems to have gone largely under the radar -- especially among American Citizens. The pseudo-criminal actions necessitated by the various agencies involved in order to bring down Gonzales would stagger even the most ardent Republican waterboarder. To wit, the hard drives belonging to Ukrainian carder Maksym 'Maksik' Yastremskiy were cloned during his trip to Dubai and yet again when he was coerced into visiting someone in Turkey (all the while while US agencies tried to tote the party line that they caught him while he was taking "vacation" -- conveniently ignoring the fact that they lured him to visit) and his movements tracked throughout Europe and Asia over an extended period of time. We can be sure that Interpol had not the gumption nor Ukrainian officials the interest (or resources) to bring about this level of interplay. With the evidence in hand, surely only the FBI can be to blame? The Turkish officials got to crow about a 30 year prison sentence -- in a Turkish prison, no less -- and the US got to cross one more name off their "to do" list, case closed, job done -- success all around. Further confirmation of such a hearty and hale level of cooperation was provided just this past October by the FBI, who affirmed that the break-up of a major Zeus botnet ring was the result of an "unprecedented" partnership between the FBI and police forces around the world including the UK's Metropolitan Police, the Security Service of Ukraine (SBU) and the Netherlands Police Agency. So far the international Operation Trident Breach effort has yielded more than 150 arrests across the US, the UK and Ukraine, the FBI said. One can assume that's only "so far" and that once the narq ball gets rolling, yet more waves of arrests -- and yet more international cooperation -- will commence in earnest. Perhaps you are wondering what this has to do with you, at this point. Perhaps you ARE merely doing your job as a whitehat, researching these transglobal "criminal conspiracies", reversing malware, sticking to only machines you have permission to access, maybe even contributing to some open source projects and communicating giddily about 0day bugs on bugtraq and full-disclosure, or releasing exploit information on your twitter feed; after all, in this wired global age, the opportunities for collaboration are indeed unprecedented. But where does one's level of responsibility for the use of one's research end and begin? Dig Sklyarov and the DMCA brouhaha. Witness certain unnamed Linux distros suddenly being unwilling to allow tools such as SQL Ninja to be included in their source code repositories. At what point might YOUR code be considered a munition? At what point might your totally legitimate work as a whitehat (or greyhat, or what have you) researcher, or pentester, or even systems administrator or website developer be called into question? While it is certainly difficult to argue that putting identity thieves behind bars is a quote-unquote "bad thing", it is also difficult to refute that code itself is being seen as a munition (just as crypto was not so long ago, and probably will be increasingly so again, as time passes and the reins tighten up in only somewhat predictable ways). If you mistakenly introduce an error into your codebase at work and it creates a security hole, can you prove it was not intentional? There really are no guarantees. An overly aggressive legal system will at the very least threaten to steal time, money, resources, and quite probably your reputation. If you're very unlucky you might wind up in jail, or in trouble for something someone you know was involved in, in hopes that you will be the next hacker willing to daub in his (or her) mates to be set free, thus maintaining the cycle of narqing and providing an always-revolving door of the Usual Suspects to lay blame to. That's not even including the Patriot Act and wiretaps (an issue pretty much deserving of its own article some other time). The exposure of Google's Street View Wifi data gathering fiasco is likely only the tip of the iceberg -- what we were told was the accidental coding error of a single engineer (who probably will wear that virtual scarlet letter on his resume for life). And yet again, in that case, other countries were first to protest; only lately has there been a strange and questionable desire TO have those records retained -- for what purpose who only knows. The question to wrap all of this up with, here, probably isn't "Does it affect you now?" (unless you are indeed a blackhat, in which case, no doubt, this will impact you tremendously). The question is "can you be sure it never will?" --[ 2. Stuxnet, Cyberwar, Hacktivism and Political Hacking It's no secret that, with the US economy in a state of planned poverty, conventional sense. But the growing speculation, that Iran's nuclear power plant at Bushehr will turn into a weapons program, is a timely excuse for governments to exercise their newfound cyber warfare tactics. Iran believes Stuxnet was intended to derail its nuclear ambitions; and "analysts" expect us to believe that a string of numbers, the name of some shrubbery, futbol domains, and weird 2012 shit... somehow indicates Israel was behind it all. The reality is probably this: as much as Israel's super star hacking squads would love to take down Bushehr, Russia is standing in the way, defending its plan for a return on investment. Stuxnet represents just one of a few big events in this arena since last issue. We've also had Aurora and that whole Google scandal in China. Hildawg has been bitching about China from the start, and it came as no surprise that pressure would be put to bear on big companies, like Google, to defame China's government in the midst of a GFC. More recently, Europe's cyberwar simulation has been hailed as a success, with countries across the EU learning to defend against over 300 attacks. This marks another milestone in the EU's attempt at coordinating intraregional cybercrime investigations. Across the Atlantic, USCYBERCOM has finally gone live. While governments prefer to keep their military hax a secret, there exists a necessity for them to demonstrate their power. Welcome to a whole new wave of terror, hackers. The majority of high profile attacks in the last year show a trend towards highly skilled and targeted hacks that take a lot of time and/or money to develop. In these cases there is minimal collateral damage, months may pass before detection, the hackers are anonymous, and the vector is unique. While these are still large-scale attacks, they're not intended to affect the entire internet -- just a select few major players, and sometimes only for a short while. As corporations and governments throw big bucks into cyber warfare we're going to start to see some of the big names in the IT industry get left behind. The continued DDoS of Burma, in the lead-up to its first election in over 20 years, showed a recent and unwelcome return to stupidity and ignorance at a rate of 10-15gbps, easily dwarfing the Estonia DDoS of 2008. Amnesty International had been working hard to get radios into Burma, so that people could keep up with the election news from across the border. Days after the election, their Hong Kong website was compromised and visitors were attacked with an IE exploit that Microsoft knew about, but blatantly refused to patch early. On the same day that the Burma DDoS began, the Iranian Cyber Army announced its "botnet for hire", though it is rather unlikely that there is a substantial link between the two. Their admin system is some kind of honeypot, their stats are fake, and surely the very idea should have screamed of an obvious trap. But as the news started to spread, bloggers began recycling news media, and slower reporters started relying on those bloggers, until we started coming across reports that ICA was renting out "the same botnets that took down Twitter and Baidu". Uh, sorry? Last time I checked, social engineering a dude at Register.com didn't require a botnet. But hey, maybe there is a botnet, or at least one in development. It's hardly as though ICA are the first to do so. But their treatment by news media is ridiculous. I mean, if these guys really are an "army" then just where were they when Honker struck out in retaliation for Baidu's defacement earlier this year? Unfortunately the media still clings to them because of a handful of high profile defacements. And because they tend to pop up every time something big happens, some journalists actually think these kids are an officially sanctioned military force that reports to Ahmadinejad himself! I don't believe, for a second, that they're even Iranian to begin with. On the related note of poor-man's hacking, we're also seeing a rise in grassroots hacktivism. Social networking sites are making it increasingly easy to inspire angry mobs of ordinary computer users to take part in a DDoS by clicking a link. Years ago we laughed at those kinds of methods (remember the cDc's hacktivismo?). But we're not on dialup anymore, and there's not a lot you need to get your own "human-net" started -- just a persuasive cause and a handful of idiot-proof programs. LOIC is popular for this, as are websites that send GET requests in iframes over and over and over. Next thing you know, there's thousands upon thousands of stupid tweeters, staggering forth like something out of Resident Evil. This isn't even including the more normal botnets that use sites rely on Twitter for commands. Throw that into the mix and Twitter becomes some kind of pluralistic middle-class pseudo-political force to be reckoned with. Law enforcement seem to just give up in those cases. Too many people to chase. Not enough resources to prosecute them all. The most we see is the instigators of these human-nets being hunted down. As the RIAA and MPAA attacks showed us, Anonymous ain't so anonymous when they plan their attacks in the open, in front of feds, on 4chan and Darknet. The trend toward military-directed cyber attacks is prompting some academics to call for a change to the laws that regulate the conduct of hostilities in war. They are questioning whether a country can remain neutral in a cyber war if the data carrying the attack travels along that country's pipelines. Some militaries insist that for hackers to qualify for "prisoner of war" status, these geeks must wear a special hacker uniform and carry a sidearm (I like to think this uniform would look like TRON Guy). And then there's the question of whether something like Stuxnet can be a legal impetus for conventional war. The real beauty of Stuxnet isn't just in the code (as specialised and 0-day as it may have been) -- it's also in the attack vector. If you conveniently lose your malicious USB key in a parking lot, and some "unscrupulous person" picks it up and decides to use it at work... YOU are not committing an attack -- at least not directly (one could argue, after all, that they had no business picking up the usb key in the first place). Moreover, philosophical arguments aside, if you're a civilian, the likelihood of you being charged with anything is extremely remote. Add all of this to the essential argument that hacking cannot be considered an act of war necessitating self-defense unless the hack can be compared to a substantive and conventional military attack, and conventional arguments are essentially thrown out the window. In other words, in the case of Stuxnet, while Iran recognises there was espionage, and possibly an intentional attack, the worm was not an "armed attack" sufficient to qualify self-defense under the UN Charter. In sum, if the events occurring since the last issue has been anything to go by, the next decade will see a growing disparity between the nature of high-profile hacks, but at the end of the day the bulk of it is the same old same old, with some new shit thrown in. Militaries are fast becoming a cyber-force to be reckoned with, but in the absence of laws to regulate their actions, don't expect bombs to fall as a result. While it is most probably that the recent spate of uniquely targeted high-profile attacks will go unpunished, what we can expect is the government to play an increasing role in regulating the Internet and hunting down ordinary hackers in the name of a "war on cyber terrorism". --[ 3. Wikileaks and whistleblowing But what of Wikileaks? While it is undeniable that it has had some impact, one must ask oneself if we are not just raucously accepting as a date to the prom the only girl who asked us out and considering ourselves lucky to have found anyone at all. One could argue that when a society needs a hero, someone will always be willing to show up fighting, but the same could be said of most movements, even including the upstart 'Tea Party' being cawed about on Fox News to cheers by the same people who would have voted for Obama if they'd been Democrats instead of Republicans. Perhaps it's unfair to tilt this article so specifically in the direction of the US -- after all, Wikileaks has shed some light on some tremendously important stories in the three or four years since its inception -- but it's hard to argue that 2010 was the year that Wikileaks came to true nation-wide attention, due in no small part to a certain "redacted" video going by the sobriquet "Collateral Damage", and then fueled by the document dumps ostensibly leaked by US insiders concerning Iraq and Afghanistan that came not long thereafter. Yes, we have a responsibility to make information acceessible, or at least make the knowledge of how such information is stored and used more public, less draconian and redolent of a country poised to curtsy/bow to 'Mein Fuhrer' but we also have a responsibility to treat that information with respect, and more importantly to be able and willing to filter that data through the sieve of common sense and reason: Data should be valuable because it is valuable data (and in some cases the releases by Wikileaks have indeed been valuable data) and not valuable simply by the reasoning that "they don't want us to have it." By the same token, sometimes the very act of sticking the proverbial middle finger up at The Man serves as a call to arms -- or at the very least a rate limiter: A way to urge the current Powers That Be to think a little more before trying to instituting even further privacy eroding measures. Conversely, it is all too easy for any country to consider any "leak" -- righteously whistleblowing or not -- as an act of war, or an excuse to add a few zeros to a department's line budget. And there's something else we all need to be thinking about: Every country, every war, every movement has secrets. We may tell ourselves that information wants to be free, but freedom comes with a price and some secrets are GOOD secrets. More importantly there OUGHT to be some secrets in the world. To completely submit to Wikileaks' vision is almost more akin to Big Brother than anything the US government -- or any other government -- could possible create on its own: A culture where your every move may be exposed, your every thought may be tallied, your every minutiae published for the whole world to see, in a world where Google gambols giddily in the grasses of greed and Facebook and Twitter announce to the world your every move to a perceived audience of enthralled onlookers all willing to say 'you!' when you say 'ah, me!'. In a way we're already most of the way there, and that's a very dangerous thing. When your baseline gets reset and you don't REALIZE that your privacy is being invaded, then the great big "They" has already won -- and you have just let yourself do the dirty work for Them. One could argue that if PFC Manning did indeed leak what has been attributed to him, he may have done a heroic thing, but the fact that he may have also broken a trust that he covenanted into in advance with the US government is difficult to completely discount. The Manning case having received the attention it has gotten this year has brought up a lot of grey areas in peoples' political belief systems, but it has also begged the question: What *is* "whistleblowing" and what is "disloyalty"? What is "patriotism" and what is "narqing"? When can one trust one's judgment about another person's true intentions and is it truly as cut-and-dry as we all wish it would be? Adrian Lamo snitched, but it is always possible that he thought he was protecting himself or his country even as he may have also been trying to cobble together some newfound publicity for a receding career that has been inarguably past its prime for years now. At some level this isn't about government or whistleblowing or privacy -- it's about society and about interpersonal trust, and perhaps that is where things get the murkiest. Naive or not, trust is dealt out increasingly to total strangers on the internet. One could argue that Manning, if indeed that was Manning, was naive in trusting a veritable stranger, but most of us do this on a regular basis now; the difference here is, Manning paid. Without an explicit agreement of nondisclosure one cannot truly and totally scorn somebody for "squealing", but by the same token our very society has been built up on such simple and implicit bonds of trust: I will not hurt you, I will not steal from you, I will not betray you. I may not agree with what you do, but I respect your choices as an individual. At what point does that trust need to be broken off? Some secrets are good, if they contribute to the greater good of society -- and that goes *both* ways -- at times in favour of the individual, at other times in favour of government. As a species we always want to root for the Underdog (and nowhere is this more true than the US, perhaps), but given the fast fluxing nature of the Internet, who the Underdog is can flip at a second's notice: At first Wikileaks was the cause celebre of people everywhere, then came the backlash. All movements have backlashes, and Wikileaks was bound to not be the exception. Perhaps one reason so many scorn Wikileaks has to do with the closed-book nature of a site so overtly and devoutly espousing transparency; at some point it becomes difficult not to interpret all sides as playing with similar playbooks. But it's difficult to win at poker at a table where everybody knows your cards, especially when the rest of the players have bankrolls that far eclipse your own. Again, the question arises: When is transparency necessary, and when is secrecy a requirement to make any progress at all? On the one hand, one must worry about too much transparency; on the other hand, one must worry about too much lurking in the shadows. In the past we had journalists to expose corruption; now it is often journalists themselves fighting off corruption charges, hiding facts, skewing evidence. It's incredibly difficult to deny that some transparency, and indeed Wikileaks itself, can have a positive impact -- and it's hard to imagine a world where SOME sunshine shouldn't be shed; The trick here is to remember that such increased levels of exposure demand we be a more responsible, measured animal -- something as homo sapiens we have really never learned how to do or be. There is no way to shove the genie back into the bottle, and old rumours on the Internet never really die -- they just get archived til someone else manages to come along and dig them up from their temporary graves. This holds great promise for the future of integrity, but it also creates issues when the possibility of outright falsehoods are introduced, especially through an anonymous third party, or in cases where a split exists between haves and have-nots; who really has time to monitor their reputation online to that level? And if someone does besmirch your name, what can be done? If your data shows up on a whistleblower site care of a third party, then it also becomes yet another way to show a display of power: The Vice-Presidential hopeful breaks the rules -- nay, the law -- and walks free while the college student who guesses at her password gets sentenced to a year of supervision or prison. If there is to be light shed, then it should be an equally penetrating (and perhaps softer) light -- not a light meant to shine in the victims' faces and hide the face of the perpetrators -- especially when the label of 'victim' and 'perpetrator' is so murky and grey (as in the Palin case; one could argue both sides committed some form of fault). Julian Assange likes to say 'speak truth to power" but this is a tall order; to first be able to speak ANYTHING to power, you must basically gain the ear of the powerful, or you just get thrown into an eddy, left to whirl around with a bunch of kooks and nutjobs (as any federal agent handling walk-ins will likely attest to, and too, so must whistleblowing sites contend with; with fame comes your own raft of nutjobs to weed out). It'd be hard to deny that whatever else Wikileaks has accomplished in the past year, it has gotten someone's attention. Whether that will be a good thing or a bad thing remains to be seen... But one imagines any call to arms must bring about some force for good, even if that force is something as simple as a renewed spirit of vigour and willingness to be involved among an otherwise sluggish populace juggling its own sense of powerlessness in a country demanding what essentially constitutes sexual assault merely in order to board an airplane. To make an omelet you must first break some eggs; To create a change you must first gain the ear of not just power but the people itself -- and then you must charge them with the duty to act. The true collateral damage may wind up being Manning himself, here; basically judged guilty already, his name forever stored, his acquaintances being hassled, his personal life bared open to the world, he serves as both an example of what to strive for and a cautionary tale for a new age. What the future holds for him remains to be seen, but with any luck he will receive a fair trial by a jury of his peers -- if any such people even exist. Wikileaks may not be perfect -- in fact, it may be deeply flawed -- but for now it's probably all we're going to get. And we should probably be grateful for it -- but wary. Always wary. The danger of mixing the message up with the messenger is always great, and there is no real way for any whistleblowing site to always be 100% correct. Even governments have an incredible amount of difficulty verifying the veracity of any information or separating rumours from fact; to put this level of blind trust in a volunteer organization with no oversight is bound to be fraught with a whole host of issues we haven't seen the likes of yet... For instance, what happens when a non-governmental entity views it as a potential source of information? Once any whistleblowing site gets information, it is out there; what is done is done; At this point, false flags and disinformation is also an issue; the possibility of tricking any whistleblower site to publish false information would destroy not only its credibility if found out but possibly be used to forward some governmental or non-governmental party or agenda. Additionally, to believe everything that any organization says is as short-sighted as believing everything your government tells you. Ultimately your conscience will have to be your guide -- and likely no two consciences will ever completely agree, especially about anything as at-times agit prop as Wikileaks can be, or as secretive as governments have always been. --[ 4. Scene Events: the Final Word To be sure, many other events have taken place this past year and a half (the whitehat-vs-blackhat wars forever raging (cue zf05 and the never-ending arguments about disclosure-vs-nondisclosure); the global emergence of a harsher, more organized form of cybercrime (and the many busts that resulted); etc, etc), but several basic themes emerge: There has been fraud -- but there has always been fraud. There have been invasions of privacy -- but there have always been invasions of privacy. There have be governments overstepping their bounds -- but there have always been governments overstepping their bounds. That doesn't make any of it acceptable, but it also doesn't make any of it new -- nor does it give any of us an excuse to pretend it has nothing to do with us (no matter where you reside or what flag you fly (or choose not to fly, whatever the case may be)). If anything, there has been an amplification of all of the above, but none of it is truly 'new'. Read past issues of Phrack: All of the above has existed in some form or another, just on a smaller scale. It's still existed. Judging by the drive for wealth or fame or infamy displayed in so many of this year's stories, it bears mentioning that we cannot let a few key players make us forget how important it is to treat technology responsibly, reasonably -- to love it, to hack it, to, please, take risks, but to do so with heart -- with CONSCIENCE --. In the end it all starts and ends with you. [EOF]