TUCoPS :: Phrack Inc. Issue #67 :: p67-03.txt

Phrack World News

                            ==Phrack Inc.==

               Volume 0x0e, Issue 0x43, Phile #0x03 of 0x10

|=--------------------------------------------------------------------=|
|=-----------------------=[ Phrack World News]=-----------------------=|
|=-------------------------=[ by EL ZILCHO ]=-------------------------=|
|=----------------------=[ elzilcho@phrack.org ]=---------------------=|
|=--------------------------------------------------------------------=|


1. The TJX Case and the Longer Arm of the Law

2. Stuxnet, Cyberwar, Hacktivism and Political Hacking

3. Wikileaks and Whistleblowing

4. Scene Events: the Final Word

                          -------------------------


--[ 1. The TJX Case and the Longer Arm of the Law

When the going gets weird: The TJX crew / Probation for the narqs, tough 
sentences for the hard luck crowd / The longer-reaching arm of the law

Computer crime and hacking have always made for uncomfortable bed fellows, 
splitting hackers into two general camps; The laissez-fair consideration 
of those who know they commit several technical crimes before even getting 
out of bed in the morning, and those whose fear of the law drives them, 
essentially, straight -- condemned to endless nights in front of a 
debugger with nary an unauthorized rootshell to be seen.

So where to draw the fuzzy line under the TJX crew, from the manipulating 
Gonzales, who narqed out #phrack opers early in 2003, to the erstwhile 
seven-foot tall computer programmer the_uT who faces two years in the cage 
and a $172.5 million restitution for the writing of a simple computer 
program that most of us could have written at age fifteen, under the 
influence of ketamine or not?

PWN corespondents have viewed the original source code to 'blabla' and can 
attest that it consists of nothing more than a read loop from a raw socket 
on a high port outputting, unformatted and unfiltered, data to a file. To 
say that tcpdump is a far more sophisticated piece of software for data 
thiefing is not an exaggeration.

At least we can say with a comforting certainty that the fine old art of 
narqing like a pro will still get you out off the hook in times of phear 
and stress. As many old-timers will attest, narqing has been a fine 
defensive tradition among hackers over the years, with many well-loved 
figures of hacker mythology, from Chris Goggans to Agent Steal, being firm 
believers in the practice.

The TJX case has been a prominent reminder of the efficacy of the ancient 
technique of daubing one's mates in, with all sides planting knives 
between shoulder blades with sickening alacrity and producing some truly 
Olympic-grade scores in the Freestyle 100m Narq -- to wit, among others:

* Patrick 'eckis' Toey who faced a maximum sentence of twenty-two years, 
reduced to a paltry five years by merit of supplying 'extensive 
cooperation' to the authorities.

* Breakout act Jeremy 'horse addict' Jethro -- evidently the star of the 
case -- managing to not only narq out everyone he knew, but then managing 
to find his Saviour in Our Lord Jesus Christ AND being fined less than 
what he actually earned for his crimes (thus earning a nice little 
profit); He also managed to get his sentence commuted to probation, on top 
of everything else! Once again, this is solid proof that God is indeed on 
the side of the just.

* Albert 'soupnazi' Gonzales -- the sole failure here, scoring miserably 
by still receiving a massive twenty-year sentence despite having 
implicated everyone he knew up to and including his own grandmother

-- and that's just for starters.

The most disconcerting element in the entire show so far for anyone in any 
way involved in any sort of criminal activity (or, indeed, anyone who 
involves themselves in anything anywhere near anything resembling criminal 
activity), is the startling comaraderie and friendly interaction between 
international agencies - particularly Interpol and the FBI. Especially the 
FBI.

Recent international busts involving novel interaction between agencies 
has lent heavy weight to previously unfounded concerns of privacy 
advocates. The mere idea of a foreign national's being arrested overseas 
and renditioned/transferred to the custody of American civilian agencies 
purely on the basis of American testimony and evidence is enough to turn 
the stomachs of anyone, and yet it seems to have gone largely under the 
radar -- especially among American Citizens. 

The pseudo-criminal actions necessitated by the various agencies involved 
in order to bring down Gonzales would stagger even the most ardent 
Republican waterboarder. To wit, the hard drives belonging to Ukrainian 
carder Maksym 'Maksik' Yastremskiy were cloned during his trip to Dubai 
and yet again when he was coerced into visiting someone in Turkey (all the 
while while US agencies tried to tote the party line that they caught him 
while he was taking "vacation" -- conveniently ignoring the fact that they 
lured him to visit) and his movements tracked throughout Europe and Asia 
over an extended period of time. We can be sure that Interpol had not the 
gumption nor Ukrainian officials the interest (or resources) to bring 
about this level of interplay. With the evidence in hand, surely only the 
FBI can be to blame? The Turkish officials got to crow about a 30 year 
prison sentence -- in a Turkish prison, no less -- and the US got to cross 
one more name off their "to do" list, case closed, job done -- success all 
around.                                       

Further confirmation of such a hearty and hale level of cooperation was 
provided just this past October by the FBI, who affirmed that the break-up 
of a major Zeus botnet ring was the result of an "unprecedented" 
partnership between the FBI and police forces around the world including 
the UK's Metropolitan Police, the Security Service of Ukraine (SBU) and 
the Netherlands Police Agency. So far the international Operation Trident 
Breach effort has yielded more than 150 arrests across the US, the UK and 
Ukraine, the FBI said. One can assume that's only "so far" and that once 
the narq ball gets rolling, yet more waves of arrests -- and yet more 
international cooperation -- will commence in earnest.

Perhaps you are wondering what this has to do with you, at this point. 
Perhaps you ARE merely doing your job as a whitehat, researching these 
transglobal "criminal conspiracies", reversing malware, sticking to only 
machines you have permission to access, maybe even contributing to some 
open source projects and communicating giddily about 0day bugs on bugtraq 
and full-disclosure, or releasing exploit information on your twitter 
feed; after all, in this wired global age, the opportunities for 
collaboration are indeed unprecedented. But where does one's level of 
responsibility for the use of one's research end and begin? Dig Sklyarov 
and the DMCA brouhaha. Witness certain unnamed Linux distros suddenly 
being unwilling to allow tools such as SQL Ninja to be included in their 
source code repositories.

At what point might YOUR code be considered a munition? At what point 
might your totally legitimate work as a whitehat (or greyhat, or what have 
you) researcher, or pentester, or even systems administrator or website 
developer be called into question? While it is certainly difficult to 
argue that putting identity thieves behind bars is a quote-unquote "bad 
thing", it is also difficult to refute that code itself is being seen as a 
munition (just as crypto was not so long ago, and probably will be 
increasingly so again, as time passes and the reins tighten up in only 
somewhat predictable ways).

If you mistakenly introduce an error into your codebase at work and it 
creates a security hole, can you prove it was not intentional? There 
really are no guarantees. An overly aggressive legal system will at the 
very least threaten to steal time, money, resources, and quite probably 
your reputation. 

If you're very unlucky you might wind up in jail, or in trouble for 
something someone you know was involved in, in hopes that you will be the 
next hacker willing to daub in his (or her) mates to be set free, thus 
maintaining the cycle of narqing and providing an always-revolving door of 
the Usual Suspects to lay blame to. That's not even including the Patriot 
Act and wiretaps (an issue pretty much deserving of its own article some 
other time). 

The exposure of Google's Street View Wifi data gathering fiasco is likely 
only the tip of the iceberg -- what we were told was the accidental coding 
error of a single engineer (who probably will wear that virtual scarlet 
letter on his resume for life). And yet again, in that case, other 
countries were first to protest; only lately has there been a strange and 
questionable desire TO have those records retained -- for what purpose who 
only knows.

The question to wrap all of this up with, here, probably isn't "Does it 
affect you now?" (unless you are indeed a blackhat, in which case, no 
doubt, this will impact you tremendously). The question is "can you be 
sure it never will?"


--[ 2. Stuxnet, Cyberwar, Hacktivism and Political Hacking

It's no secret that, with the US economy in a state of planned poverty, 
conventional sense.  But the growing speculation, that Iran's nuclear 
power plant at Bushehr will turn into a weapons program, is a timely 
excuse for governments to exercise their newfound cyber warfare tactics.  
Iran believes Stuxnet was intended to derail its nuclear ambitions; and 
"analysts" expect us to believe that a string of numbers, the name of some 
shrubbery, futbol domains, and weird 2012 shit... somehow indicates Israel 
was behind it all.  The reality is probably this: as much as Israel's 
super star hacking squads would love to take down Bushehr, Russia is 
standing in the way, defending its plan for a return on investment.

Stuxnet represents just one of a few big events in this arena since last 
issue. We've also had Aurora and that whole Google scandal in China.  
Hildawg has been bitching about China from the start, and it came as no 
surprise that pressure would be put to bear on big companies, like Google, 
to defame China's government in the midst of a GFC.  More recently, 
Europe's cyberwar simulation has been hailed as a success, with countries 
across the EU learning to defend against over 300 attacks.  This marks 
another milestone in the EU's attempt at coordinating intraregional 
cybercrime investigations.  Across the Atlantic, USCYBERCOM has finally 
gone live.  While governments prefer to keep their military hax a secret, 
there exists a necessity for them to demonstrate their power.  Welcome to 
a whole new wave of terror, hackers.

The majority of high profile attacks in the last year show a trend towards 
highly skilled and targeted hacks that take a lot of time and/or money to 
develop.  In these cases there is minimal collateral damage, months may 
pass before detection, the hackers are anonymous, and the vector is 
unique.  While these are still large-scale attacks, they're not intended 
to affect the entire internet -- just a select few major players, and 
sometimes only for a short while.  As corporations and governments throw 
big bucks into cyber warfare we're going to start to see some of the big 
names in the IT industry get left behind.

The continued DDoS of Burma, in the lead-up to its first election in over 
20 years, showed a recent and unwelcome return to stupidity and ignorance 
at a rate of 10-15gbps, easily dwarfing the Estonia DDoS of 2008.  Amnesty 
International had been working hard to get radios into Burma, so that 
people could keep up with the election news from across the border.  Days 
after the election, their Hong Kong website was compromised and visitors 
were attacked with an IE exploit that Microsoft knew about, but blatantly 
refused to patch early.

On the same day that the Burma DDoS began, the Iranian Cyber Army 
announced its "botnet for hire", though it is rather unlikely that there 
is a substantial link between the two.  Their admin system is some kind of 
honeypot, their stats are fake, and surely the very idea should have 
screamed of an obvious trap.  But as the news started to spread, bloggers 
began recycling news media, and slower reporters started relying on those 
bloggers, until we started coming across reports that ICA was renting out 
"the same botnets that took down Twitter and Baidu".  Uh, sorry?  Last 
time I checked, social engineering a dude at Register.com didn't require a 
botnet.  

But hey, maybe there is a botnet, or at least one in development.  It's 
hardly as though ICA are the first to do so.  But their treatment by news 
media is ridiculous.  I mean, if these guys really are an "army" then just 
where were they when Honker struck out in retaliation for Baidu's 
defacement earlier this year?  Unfortunately the media still clings to 
them because of a handful of high profile defacements.  And because they 
tend to pop up every time something big happens, some journalists actually 
think these kids are an officially sanctioned military force that reports 
to Ahmadinejad himself!  I don't believe, for a second, that they're even 
Iranian to begin with.

On the related note of poor-man's hacking, we're also seeing a rise in 
grassroots hacktivism.  Social networking sites are making it increasingly 
easy to inspire angry mobs of ordinary computer users to take part in a 
DDoS by clicking a link.  Years ago we laughed at those kinds of methods 
(remember the cDc's hacktivismo?).  But we're not on dialup anymore, and 
there's not a lot you need to get your own "human-net" started -- just a 
persuasive cause and a handful of idiot-proof programs.  LOIC is popular 
for this, as are websites that send GET requests in iframes over and over 
and over.  Next thing you know, there's thousands upon thousands of stupid 
tweeters, staggering forth like something out of Resident Evil.  This 
isn't even including the more normal botnets that use sites rely on 
Twitter for commands.  Throw that into the mix and Twitter becomes some 
kind of pluralistic middle-class pseudo-political force to be reckoned 
with.  Law enforcement seem to just give up in those cases.  Too many 
people to chase.  Not enough resources to prosecute them all.  The most we 
see is the instigators of these human-nets being hunted down.  As the RIAA 
and MPAA attacks showed us, Anonymous ain't so anonymous when they plan 
their attacks in the open, in front of feds, on 4chan and Darknet.

The trend toward military-directed cyber attacks is prompting some 
academics to call for a change to the laws that regulate the conduct of 
hostilities in war.  They are questioning whether a country can remain 
neutral in a cyber war if the data carrying the attack travels along that 
country's pipelines.  Some militaries insist that for hackers to qualify 
for "prisoner of war" status, these geeks must wear a special hacker 
uniform and carry a sidearm (I like to think this uniform would look like 
TRON Guy).  

And then there's the question of whether something like Stuxnet can be a 
legal impetus for conventional war.  The real beauty of Stuxnet isn't just 
in the code (as specialised and 0-day as it may have been) -- it's also in 
the attack vector.  If you conveniently lose your malicious USB key in a 
parking lot, and some "unscrupulous person" picks it up and decides to use 
it at work... YOU are not committing an attack -- at least not directly 
(one could argue, after all, that they had no business picking up the usb 
key in the first place).  Moreover, philosophical arguments aside, if 
you're a civilian, the likelihood of you being charged with anything is 
extremely remote. Add all of this to the essential argument that hacking 
cannot be considered an act of war necessitating self-defense unless the 
hack can be compared to a substantive and conventional military attack, 
and conventional arguments are essentially thrown out the window. In other 
words, in the case of Stuxnet, while Iran recognises there was espionage, 
and possibly an intentional attack, the worm was not an "armed attack" 
sufficient to qualify self-defense under the UN Charter.

In sum, if the events occurring since the last issue has been anything to 
go by, the next decade will see a growing disparity between the nature of 
high-profile hacks, but at the end of the day the bulk of it is the same 
old same old, with some new shit thrown in.  Militaries are fast becoming 
a cyber-force to be reckoned with, but in the absence of laws to regulate 
their actions, don't expect bombs to fall as a result.  While it is most 
probably that the recent spate of uniquely targeted high-profile attacks 
will go unpunished, what we can expect is the government to play an 
increasing role in regulating the Internet and hunting down ordinary 
hackers in the name of a "war on cyber terrorism".


--[ 3. Wikileaks and whistleblowing 

But what of Wikileaks? While it is undeniable that it has had some impact, 
one must ask oneself if we are not just raucously accepting as a date to 
the prom the only girl who asked us out and considering ourselves lucky to 
have found anyone at all. One could argue that when a society needs a 
hero, someone will always be willing to show up fighting, but the same 
could be said of most movements, even including the upstart 'Tea Party' 
being cawed about on Fox News to cheers by the same people who would have 
voted for Obama if they'd been Democrats instead of Republicans. Perhaps 
it's unfair to tilt this article so specifically in the direction of the 
US -- after all, Wikileaks has shed some light on some tremendously 
important stories in the three or four years since its inception -- but 
it's hard to argue that 2010 was the year that Wikileaks came to true 
nation-wide attention, due in no small part to a certain "redacted" video 
going by the sobriquet "Collateral Damage", and then fueled by the 
document dumps ostensibly leaked by US insiders concerning Iraq and 
Afghanistan that came not long thereafter.

Yes, we have a responsibility to make information acceessible, or at least 
make the knowledge of how such information is stored and used more public, 
less draconian and redolent of a country poised to curtsy/bow to 'Mein 
Fuhrer' but we also have a responsibility to treat that information with 
respect, and more importantly to be able and willing to filter that data 
through the sieve of common sense and reason: Data should be valuable 
because it is valuable data (and in some cases the releases by Wikileaks 
have indeed been valuable data) and not valuable simply by the reasoning 
that "they don't want us to have it." 

By the same token, sometimes the very act of sticking the proverbial 
middle finger up at The Man serves as a call to arms -- or at the very 
least a rate limiter: A way to urge the current Powers That Be to think a 
little more before trying to instituting even further privacy eroding 
measures. Conversely, it is all too easy for any country to consider any 
"leak" -- righteously whistleblowing or not -- as an act of war, or an 
excuse to add a few zeros to a department's line budget.

And there's something else we all need to be thinking about:

Every country, every war, every movement has secrets. We may tell 
ourselves that information wants to be free, but freedom comes with a 
price and some secrets are GOOD secrets. More importantly there OUGHT to 
be some secrets in the world.

To completely submit to Wikileaks' vision is almost more akin to Big 
Brother than anything the US government -- or any other government -- 
could possible create on its own: A culture where your every move may be 
exposed, your every thought may be tallied, your every minutiae published 
for the whole world to see, in a world where Google gambols giddily in the 
grasses of greed and Facebook and Twitter announce to the world your every 
move to a perceived audience of enthralled onlookers all willing to say 
'you!' when you say 'ah, me!'. In a way we're already most of the way 
there, and that's a very dangerous thing. When your baseline gets reset 
and you don't REALIZE that your privacy is being invaded, then the great 
big "They" has already won -- and you have just let yourself do the dirty 
work for Them.

One could argue that if PFC Manning did indeed leak what has been 
attributed to him, he may have done a heroic thing, but the fact that he 
may have also broken a trust that he covenanted into in advance with the 
US government is difficult to completely discount. The Manning case having 
received the attention it has gotten this year has brought up a lot of 
grey areas in peoples' political belief systems, but it has also begged 
the question: What *is* "whistleblowing" and what is "disloyalty"? What is 
"patriotism" and what is "narqing"? When can one trust one's judgment 
about another person's true intentions and is it truly as cut-and-dry as 
we all wish it would be? Adrian Lamo snitched, but it is always possible 
that he thought he was protecting himself or his country even as he may 
have also been trying to cobble together some newfound publicity for a 
receding career that has been inarguably past its prime for years now. At 
some level this isn't about government or whistleblowing or privacy -- 
it's about society and about interpersonal trust, and perhaps that is 
where things get the murkiest. Naive or not, trust is dealt out 
increasingly to total strangers on the internet. One could argue that 
Manning, if indeed that was Manning, was naive in trusting a veritable 
stranger, but most of us do this on a regular basis now; the difference 
here is, Manning paid.

Without an explicit agreement of nondisclosure one cannot truly and 
totally scorn somebody for "squealing", but by the same token our very 
society has been built up on such simple and implicit bonds of trust: I 
will not hurt you, I will not steal from you, I will not betray you. I may 
not agree with what you do, but I respect your choices as an individual. 
At what point does that trust need to be broken off? Some secrets are 
good, if they contribute to the greater good of society -- and that goes 
*both* ways -- at times in favour of the individual, at other times in 
favour of government. As a species we always want to root for the Underdog 
(and nowhere is this more true than the US, perhaps), but given the fast 
fluxing nature of the Internet, who the Underdog is can flip at a second's 
notice: At first Wikileaks was the cause celebre of people everywhere, 
then came the backlash. All movements have backlashes, and Wikileaks was 
bound to not be the exception.

Perhaps one reason so many scorn Wikileaks has to do with the closed-book 
nature of a site so overtly and devoutly espousing transparency; at some 
point it becomes difficult not to interpret all sides as playing with 
similar playbooks. But it's difficult to win at poker at a table where 
everybody knows your cards, especially when the rest of the players have 
bankrolls that far eclipse your own. Again, the question arises: When is 
transparency necessary, and when is secrecy a requirement to make any 
progress at all? On the one hand, one must worry about too much 
transparency; on the other hand, one must worry about too much lurking in 
the shadows. In the past we had journalists to expose corruption; now it 
is often journalists themselves fighting off corruption charges, hiding 
facts, skewing evidence.

It's incredibly difficult to deny that some transparency, and indeed 
Wikileaks itself, can have a positive impact -- and it's hard to imagine a 
world where SOME sunshine shouldn't be shed; The trick here is to remember 
that such increased levels of exposure demand we be a more responsible, 
measured animal -- something as homo sapiens we have really never learned 
how to do or be. 

There is no way to shove the genie back into the bottle, and old rumours 
on the Internet never really die -- they just get archived til someone 
else manages to come along and dig them up from their temporary graves. 
This holds great promise for the future of integrity, but it also creates 
issues when the possibility of outright falsehoods are introduced, 
especially through an anonymous third party, or in cases where a split 
exists between haves and have-nots; who really has time to monitor their 
reputation online to that level? And if someone does besmirch your name, 
what can be done?

If your data shows up on a whistleblower site care of a third party, then 
it also becomes yet another way to show a display of power: The 
Vice-Presidential hopeful breaks the rules -- nay, the law -- and walks 
free while the college student who guesses at her password gets sentenced 
to a year of supervision or prison. If there is to be light shed, then it 
should be an equally penetrating (and perhaps softer) light -- not a light 
meant to shine in the victims' faces and hide the face of the perpetrators 
-- especially when the label of 'victim' and 'perpetrator' is so murky and 
grey (as in the Palin case; one could argue both sides committed some form 
of fault).

Julian Assange likes to say 'speak truth to power" but this is a tall 
order; to first be able to speak ANYTHING to power, you must basically 
gain the ear of the powerful, or you just get thrown
into an eddy, left to whirl around with a bunch of kooks and nutjobs (as 
any federal agent handling walk-ins will likely attest to, and too, so 
must whistleblowing sites contend with; with fame
comes your own raft of nutjobs to weed out).

It'd be hard to deny that whatever else Wikileaks has accomplished in the 
past year, it has gotten someone's attention. Whether that will be a good 
thing or a bad thing remains to be seen... But one imagines any call to 
arms must bring about some force for good, even if that force is something 
as simple as a renewed spirit of vigour and willingness to be involved 
among an otherwise sluggish populace juggling its own sense of 
powerlessness in a country demanding what essentially constitutes sexual 
assault merely in order to board an airplane. To make an omelet you must 
first break some eggs; To create a change you must first gain the ear of 
not just power but the people itself -- and then you must charge them with 
the duty to act.

The true collateral damage may wind up being Manning himself, here; 
basically judged guilty already, his name forever stored, his 
acquaintances being hassled, his personal life bared open to the
 world, he serves as both an example of what to strive for and a 
cautionary tale for a new age. What the future holds for him remains to be 
seen, but with any luck he will receive a fair trial by a jury of his 
peers -- if any such people even exist.

Wikileaks may not be perfect -- in fact, it may be deeply flawed -- but 
for now it's probably all we're going to get. And we should probably be 
grateful for it -- but wary. Always wary. The danger of mixing the message 
up with the messenger is always great, and there is no real way for any 
whistleblowing site to always be 100% correct. Even governments have an 
incredible amount of difficulty verifying the veracity of any information 
or separating rumours from fact; to put this level of blind trust in a 
volunteer organization with no oversight is bound to be fraught with a 
whole host of issues we haven't seen the likes of yet... For instance, 
what happens when a non-governmental entity views it as a potential source 
of information? Once any whistleblowing site gets information, it is out 
there; what is done is done; At this point, false flags and disinformation 
is also an issue; the possibility of tricking any whistleblower site to 
publish false information would destroy not only its credibility if found 
out but possibly be used to forward some governmental or non-governmental 
party or agenda. Additionally, to believe everything that any organization 
says is as short-sighted as believing everything your government tells you.

Ultimately your conscience will have to be your guide -- and likely no two 
consciences will ever completely agree, especially about anything as 
at-times agit prop as Wikileaks can be, or as secretive as governments 
have always been.


--[ 4. Scene Events: the Final Word

To be sure, many other events have taken place this past year and a half 
(the whitehat-vs-blackhat wars forever raging (cue zf05 and the 
never-ending arguments about disclosure-vs-nondisclosure); the global 
emergence of a harsher, more organized form of cybercrime (and the many 
busts that resulted);  etc, etc), but several basic themes emerge: There 
has been fraud -- but there has always been fraud. There have been 
invasions of privacy -- but there have always been invasions of privacy. 
There have be governments overstepping their bounds -- but there have 
always been governments overstepping their bounds. That doesn't make any 
of it acceptable, but it also doesn't make any of it new -- nor does it 
give any of us an excuse to pretend it has nothing to do with us (no 
matter where you reside or what flag you fly (or choose not to fly, 
whatever the case may be)). If anything, there has been an amplification 
of all of the above, but none of it is truly 'new'. Read past issues of 
Phrack: All of the above has existed in some form or another, just on a 
smaller scale. It's still existed.

Judging by the drive for wealth or fame or infamy displayed in so many of 
this year's stories, it bears mentioning that we cannot let a few key 
players make us forget how important it is to treat technology 
responsibly, reasonably -- to love it, to hack it, to, please, take risks, 
but to do so with heart

-- with CONSCIENCE --.

In the end it all starts and ends with you.

[EOF]




TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH