Archive for myfreeforum.org

       myfreeforum.org Forum Index -> Off Topic
CodyT07

Popular site Image(s)hack was well, hacked!

By script kiddies
http://mashable.com/2009/07/10/imageshack-hacked/

The group that claims to have done the attack were 'white hats', which are hackers who hack for good purpose so the 'black hats' don't hack them cause destruction.

Their thinking is security companies themselves are making the attacks on many sites (and the anti virus companies making viruses as an example of what they are against)

This site here explains them better
http://www.examiner.com/x-12971-H...ck-overnight-Is-it-coming-to-town
Zudane

Wow.  I can understand though, that they are showing companies that publishing their security flaws is a security flaw (duh?).

While seeing what the other flaws are does make us want to be more secure, there's only a small selection of people that can do anything about it - they are the only ones that need to know the information.  Spreading the information so that everybody that knows how can fix it is a great idea - if it weren't for black hat hackers.

It is kinda a catch-22, the information needs to be out so it can be fixed, but it needs to be kept secret so it can't be abused.
array

It isn't white hat, it's people trying to justify their actions by masquerading as white hat, if they were truly white hat (I should stop using that so much) then they would have contacted imageshack privately and had it sorted out, they wouldn't have made their exploits public before contacting imageshack.
myff admin

array wrote:
It isn't white hat, it's people trying to justify their actions by masquerading as white hat, if they were truly white hat (I should stop using that so much) then they would have contacted imageshack privately and had it sorted out, they wouldn't have made their exploits public before contacting imageshack.


Agreed, there are very few instances where hacking can be justified. In a cyber world rife with criminal hacking, admins need this sort of thing like a hole in the head  
Daniel(u1bd2005)

I am all in support of hacking as long as the hackers' intent isn't to cause damage.

If they're trying to make a point of a security flaw then this is the best way to do it as it will force the website to get it fixed quickly rather than putting it on an endless list of future updates.
myff admin

I hope you are not defending the case in question here. They have defaced web sites.

Just recently there was a suicide associated with a server being hacked!
Viper

Daniel(u1bd2005) wrote:
I am all in support of hacking


Zudane

I can't really say that what they did was terrible.  I can't say it was the best way to get the message out, but it probably was the best way to get it noticed.

If you think about it, they messed with the site, then let it go back to normal.  They didn't completely remove it, they didn't damage any of the millions of images, and they didn't damage anything on the site.

While some of these hacks do supremely bother people, I don't think you can blame a suicide on a hack along these lines.  It may have been the straw that broke the camel's back, but alone it was not the reason.
myff admin

Straw maybe, but I can personally testify to masses of stress caused by the literal floods of criminality aimed our way, and I know server admins who have collapsed under the unremitting stress of the job. No one who would deface a site is in any way white hat in my view  
Zudane

Permanently defacing and temporarily defacing are extremely different in my book.  It's like the comparison of someone throwing acrylic paint on your car compared to someone throwing a water-based paint on your car.  The water-based paint comes off easy, it's just an inconvenience, but the acrylic is there until you get it repainted.

I understand how you can't say they are whitehats, but I can't see them as blackhat either, since they are doing no permanent damage.

Can we settle on calling them grayhats?
Daniel(u1bd2005)

Still, it remains the best way to force a website to fix security flaws.

As long as they don't cause any permanent destruction in the process then I think what they are doing is important, if they (whitehat hackers) don't then it's open to someone else hacking it with the intention to cause harm (the blackhat hackers).

This is a fictional example that I'm going to use here, but let's think about Die Hard 4.0 for a moment.

Thomas Gabriel told the government that there were fatal security flaws in the software while he was working for them, they fired him and denied it and basically ruined his reputation.

So he hacked them and started a firesale (taking down the transport network, utilities, economy) to cause major destruction.

If a whitehat hacker had come in before Thomas Gabriel though and displayed a nice "Hey look, I can hack the government, please fix this guys" message, then they would've got it sorted and avoided the damage.


Ok, so all hacking is morally wrong, but hacking with no intent to cause permanent damage (in my view) is ethical, and is why I am in support of it.
It is the best way to get noticed and once you've been noticed they will take action.
myff admin

People who deface a site without warning the site of the flaw first are doing it for their own egos. You can dress it up how you like but it is still criminal. If I see someone has a weak lock do I smash it in and say that it needed changing anyway?
Daniel(u1bd2005)

Hmm didn't quite think of it like that, I guess you're right, it's no different to breaking a weak lock on a door or something.

But I also think that if sites are temporarily defaced this may also convince other websites to look at their own security, which could also be a good thing.

So there are good and bad points, but there are good and bad points to most things, legal or not.
array

admin (no pm's please) wrote:
People who deface a site without warning the site of the flaw first are doing it for their own egos. You can dress it up how you like but it is still criminal. If I see someone has a weak lock do I smash it in and say that it needed changing anyway?


Exactly. I have absolutely no problem with people working to expose flaws in systems; as I'm sure you'll agree admin having someone coming to you and saying "I found a security hole in your forum system; here it is and here is how you can fix it!" is absolutely fine and should be encouraged, but using that security hole maliciously then claiming you did it for awareness is just stupid and clearly after the attention.

If you're going to whitehat, do it properly.
Nick(NR)

If I recall mozilla actually give a reward if people report exploits in their software
Zina2008

If someone new to a site, or even to the Internet as a whole, drops in on a site which is damaged, defaced, call it what you will - they're going to get out quickly and not come back.

For that person the damage was permanent, even though the intruders might put everything back as it was five minutes later.

That can never be "right".
Daniel(u1bd2005)

But the amount of other websites which will have now reviewed their own security structure as a result of this will be quite a lot, and that's a good thing.

If they had contacted ImageShack to get it sorted instead then no-one else would have known and wouldn't have reviewed their own security.

As I am saying, there are good and bad points to this, I see it as a good thing overall, some people disagree with me.
myff admin

Why would a hack on a bespoke site cause other sites to review security?
Nick(NR)

admin (no pm's please) wrote:
Why would a hack on a bespoke site cause other sites to review security?


I've always found imageshack is a dire service anyway, have used photobucket in the however long I've been on myff without issue.
Daniel(u1bd2005)

Even on a custom website it will make people rethink their own security methods in my opinion as it is a very big website.

In my opinion people will think "If a site as big as ImageShack has security flaws then maybe there is something in our security which can be strengthened."
array

Daniel(u1bd2005) wrote:
Even on a custom website it will make people rethink their own security methods in my opinion as it is a very big website.

In my opinion people will think "If a site as big as ImageShack has security flaws then maybe there is something in our security which can be strengthened."


If they're too stupid to overlook security in the first place they're not going to consider it when a big site gets hacked, are they? Surely if that was the case you'd think "wow, they're only going for big websites why should I ever bother with security?".
myff admin

The unfortunate fact is that security is such a big issue that it takes up vast amounts of time anyway, web admins cannot on top of that single-handedly beat the hackers to the post when it comes to finding previously unknown security flaws.
Zudane

Off topic to what Nick had said... I've used imageshack with no problem (I heard about this - never saw it though).

The problem I've seen with photobucket though is a limit for bandwidth per account, which does occasionally get reached.  Never seen that on imageshack.
Nick(NR)

Zudane wrote:
Off topic to what Nick had said... I've used imageshack with no problem (I heard about this - never saw it though).

The problem I've seen with photobucket though is a limit for bandwidth per account, which does occasionally get reached.  Never seen that on imageshack.


you get 25gb of bandwidth per month which is tbh more than my hosting account, $39 a yr, you get unmetered.
CodyT07

admin (no pm's please) wrote:
Why would a hack on a bespoke site cause other sites to review security?

From what I understand, they attacked a popular site like imageshack to indirectly attack security companies for allowing the holes in the first place. Their thinking is the security companies knew about the holes but just didn't tell anyone, if things were perfectly secure we wouldn't need a whole industry dedicated to web security. Long as holes exist, the companies exist.
.:Connor:.

I hosted a lot on ImageShack, luckily I started using my ZetaBoards Admin Control Panel...
reallifeconsulting

TO CodyT07
Guru

Why are you pointing your site to my ip address (reallifeconsulting.net).  Could you take it down?  I don't think that this is legal, are you trying to pull something?  I finally find you now.  You were browsing on my website.  Please take it down immediately.
CodyT07

reallifeconsulting wrote:
TO CodyT07
Guru

Why are you pointing your site to my ip address (reallifeconsulting.net).  Could you take it down?  I don't think that this is legal, are you trying to pull something?  I finally find you now.  You were browsing on my website.  Please take it down immediately.


Not hurting anything (btw my e-mail is codyt07(AT)codyt07.com).

If you want a full explanation

You have my old server I used to rent from Godaddy, so my domain name is still pointing to that IP of the server even though I canceled my account, I never really changed it as I have a few relatives in the law enforcement field and I liked the site so I just left the domain as is.

Right now it should default to a different site now give it around 48 hours if the changes actually work.

Continue this using my e-mail please.
Zudane

CodyT07 wrote:
admin (no pm's please) wrote:
Why would a hack on a bespoke site cause other sites to review security?

From what I understand, they attacked a popular site like imageshack to indirectly attack security companies for allowing the holes in the first place. Their thinking is the security companies knew about the holes but just didn't tell anyone, if things were perfectly secure we wouldn't need a whole industry dedicated to web security. Long as holes exist, the companies exist.


The point wasn't to show the holes that are in the security... the point is that when a company finds a hole in their security, they tend to give people notice of the hole as they are working to fix it.  This lets people know what to avoid or be careful of in the meantime.  The problem is that it lets hackers know how to get in until it's fixed.
