The online racing simulator
Software Exploits discussion
(121 posts, closed, started )
Quote :
Releasing the POC code after only 2 days of notification is way too short

That looks like that was my major downfall. I don't think I was thinking straight at the time; I thought it was a lot longer. But I've said I won't make the same mistake again.

Also, has it made any difference to anyone that the PoC code was released? No. You know why? No one is bothered about it. It's a local exploit, and a lot more comes into this than you think: if people are running Vista it won't work; if people have DEP switched on it won't work. If people have some third-party stack protection the exploit won't work. If the right jmp register is not defined for the service pack or language, it won't work. There are too many ifs.

It actually has not made any difference that the PoC got released; no one has actually used it.
Quote from muhaa :Lol Bob.


OMFG, what are you talking about? A buffer overflow is not a serious bug? Wake up!!
The point is people do open replay files on this forum; I have on many occasions. Simply opening a modified replay file can take over your computer, but don't worry, it's not serious.
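The bug class being argued about here is a file parser that trusts a length field it read from disk. The following is an added illustration, not code from this thread or from LFS: the unchecked copy that a crafted replay would overrun, beside the bounds-checked version a defender would want. The record layout (a 4-byte little-endian length followed by a player name), `NAME_MAX`, the sample records and every function name are assumptions made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout used by this example (an assumption, not the
 * real LFS replay format): a 4-byte little-endian length N followed by N
 * bytes of player name. */
#define NAME_MAX 24

enum parse_result {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,     /* record shorter than its 4-byte header */
    PARSE_TOO_LONG = 2,      /* length field claims more bytes than present */
    PARSE_NAME_TOO_LONG = 3  /* length field exceeds the name buffer */
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern behind the bug discussed in the thread: the length from the
 * file is trusted, so a crafted record overruns name[] on the stack. Kept
 * here only for contrast and never called on untrusted input. */
static void parse_name_unchecked(const uint8_t *rec, char name[NAME_MAX + 1]) {
    uint32_t n = read_le32(rec);
    memcpy(name, rec + 4, n);        /* no check against NAME_MAX */
    name[n] = '\0';
}

/* Hardened version: validate the on-disk length against both the bytes that
 * are actually present and the destination capacity before copying. */
enum parse_result parse_name_checked(const uint8_t *rec, size_t reclen,
                                     char name[NAME_MAX + 1]) {
    if (reclen < 4) return PARSE_TRUNCATED;
    uint32_t n = read_le32(rec);
    if (n > reclen - 4) return PARSE_TOO_LONG;      /* lies about the file size */
    if (n > NAME_MAX) return PARSE_NAME_TOO_LONG;   /* would overflow name[] */
    memcpy(name, rec + 4, n);
    name[n] = '\0';
    return PARSE_OK;
}

/* Constructed sample records. */
static const uint8_t GOOD_REC[] = { 5, 0, 0, 0, 'R', 'a', 'c', 'e', 'r' };
static const uint8_t EVIL_REC[] = { 0xFF, 0xFF, 0, 0, 'A', 'A', 'A', 'A' }; /* claims 65535 bytes */

enum parse_result demo_good(char name[NAME_MAX + 1]) {
    return parse_name_checked(GOOD_REC, sizeof GOOD_REC, name);
}

enum parse_result demo_evil(char name[NAME_MAX + 1]) {
    return parse_name_checked(EVIL_REC, sizeof EVIL_REC, name);
}

/* A record whose length is honest about the file but too big for name[]. */
enum parse_result demo_oversized(char name[NAME_MAX + 1]) {
    uint8_t rec[4 + 40];
    rec[0] = 40; rec[1] = 0; rec[2] = 0; rec[3] = 0;
    memset(rec + 4, 'A', 40);
    return parse_name_checked(rec, sizeof rec, name);
}

int main(void) {
    char name[NAME_MAX + 1];
    parse_name_unchecked(GOOD_REC, name);   /* safe only because GOOD_REC is benign */
    printf("unchecked on benign record: %s\n", name);
    printf("checked good: %d\n", demo_good(name));
    printf("checked evil: %d\n", demo_evil(name));
    printf("checked oversized: %d\n", demo_oversized(name));
    return 0;
}
```

The two rejections are different failures: `EVIL_REC` claims more data than the file holds, while the oversized record is internally consistent yet still larger than the destination. Both checks are needed. Compiler stack protection and DEP, the mitigations mentioned a few posts up, only make the unchecked version harder to turn into code execution; the input validation is what removes the bug.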

Read the posts you are answering, boohaa.

I said a buffer overflow alone doesn't do anything to anyone until someone uses his criminal energy and writes code to use, or let others use, this part of the software illegally.

So now we had a problem where no problem was, just because the software was used in an illegal way.

You said it: if the replays weren't ILLEGALLY modified (which is criminal) then there wouldn't be a problem at all.
Quote from mikey_G :well, kudos for you, but I think you'll agree on the fact that you're part of a minority doing that.

No, I do not think so. As no one "heard" of some people doing so, so they don't "hear" about others doing so - but it is happening. Not everything gets a headline. A released vuln with POC code to go with it will get much more attention and will likely get a headline too, especially if it gets used. And that just fuels the ego-trip.

I would be convinced this is a "public service" if said POC and vulns were released anonymously and without "shout-outs" and crap like that.

Look in the LFS credits - I'm sure several of the people mentioned there have supplied bugs that could be classified as vulnerabilities and we probably never heard of them or what they did, let alone exactly how to recreate them.
Quote from BBO@BSR :

I said a buffer overflow alone doesn't do anything to anyone until someone uses his criminal energy and writes code to use, or let others use, this part of the software illegally.

Discovering a buffer overflow and writing shellcode for it isn't criminal nor illegal, otherwise they wouldn't sell books on Amazon on how to do it....
And there wouldn't be sites and stuff that actually sell exploits.

The only thing I can be held to account for is that I released the exploit too early. Big mistake; like I've said, I take full responsibility. And I won't do that again; it's a big learning curve.

Quote :
I would be convinced this is a "public service" if said POC and vulns were released anonymously and without "shout-outs" and crap like that.

The shout-outs are to some friends; they don't mean anything. These are friends I have known for a long time.
Quote from muhaa :The only thing I can be held to account for is that I released the exploit too early. Big mistake; like I've said, I take full responsibility. And I won't do that again; it's a big learning curve.

And as I said - that's good. We'll take your word for it.

Also can you please consider my point and next time also try to weigh your decisions/timing on a per-situation basis and not treating all software developers/issues the same?

Quote from mikey_G :Discovering a buffer overflow and writing shellcode for it isnt criminal nor illegal, otherwise they wouldn't sell books on amazon on how to do it....

Well, Amazon also sells books on how to make explosives. So the amazon argument isn't all that solid...
Not to say that you are wrong.
Quote from mikey_G :Discovering a buffer overflow and writing shellcode for it isnt criminal nor illegal

+1. Proofs of concept are considered a good practice, although spreading them in the wild isn't justifiable.

Anyway, all of this reminds me of the wonderful words of Thomas Hesse, Sony BMG's president: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

By the same logic if you don't know what cancer is, you shouldn't care about it. That's stupid. I prefer to know. I prefer to be warned about risks. As a software user I have a right to know and take action to prevent abuses from those who have the know-how.
Quote :
Also can you please consider my point and next time also try to weigh your decisions/timing on a per-situation basis and not treating all software developers/issues the same?

Yes, I'm sure if I had known it was only a one-man band I wouldn't have released the PoCs at all. But I thought LFS was so big it must have had a huge company, with hundreds of programmers. But I was wrong; it's one guy eating a ham and pickle sandwich and coding with the other hand.
I discovered today that muhaa is a member of Zone-H. I don't know if that is mentioned here or not. Zone-H is a group that spouts all of this 'security industry' line and reports their members as 'researchers', whilst internally they have a league table for who does the most hacking, all hidden away from the public.

Make of that what you will, I know what I make of it.
I'm not a member of zone-h.org; I used to know the admins there, that is all. Please don't put me in the same league as some skiddy defacers. I'm not a script kiddie.

I'm very against defacers; I don't like anything they do. We have nothing in common; I have no friends in the defacement archive of zone-h.org.

zone-h.org is full of little pricks who think it's good to wreck other people's sites. I'm not about that; I think you got your lines mixed up somewhere. I test software, nothing more. I'm not saying that I didn't sign up there; like I said, I know one of the admins there, and I used to chat to him about exploit development via PM. That was over 2 years ago.
Quote from Becky Rose :I discovered today that muhaa is a member of Zone-H.

If this is real, he just lost a lot of respect from me.

Edit: nice to know that muhaa... I can't condone what Ghioni has done.
In the same way that you originally said you did not release the alleged PoC codes and that it was a 'mate'. I say alleged, because from my own experience I know it damned well wasn't a proof of concept. It was used to launch a sustained attack on my group's LFS servers. That's not a proof of concept, that's an assault. A very direct and malicious assault, and one that I will not under any circumstances ever look favourably on.

I have never and will never publicly post the details of a report or why I have banned somebody from my servers, except for this day today.

Quote :
Banned by executive order. Muhaa wrote an alleged proof of concept server crashing system which was not used as a "test" to repeatedly attack the CTRA servers, it was used "persistently"! Muhaa will never be allowed on our servers again. Of course this report is just a 'proof of concept'.

If this proof of concept report works, then you are permanently banned, and that comes from me, and I'm not changing my mind lightly. I'd like to take this opportunity to encourage other server operators to do the same.

Go away you nasty little man.
Anyhow, for the opponents of public disclosure I'll post one more story to let them see it from a different side. This one is written by Bruce Schneier, a well-known person in the security industry.

http://www.schneier.com/crypto ... ublicizingVulnerabilities

Here is an excerpt for people too lazy to click:

Quote :
Those against the full-disclosure movement argue that publishing vulnerability details does more harm than good by arming the criminal hackers with tools they can use to break into systems. Security is much better served, they counter, by not publishing vulnerabilities in all their gory details.

Full-disclosure proponents counter that this assumes that the researcher who publicizes the vulnerability is always the first one to discover it, which simply isn't true. Sometimes, vulnerabilities have been known by attackers (sometimes passed about quietly in the hacker underground) for months or years before the vendor ever found out. The sooner a vulnerability is publicized and fixed, the better it is for everyone.

That's the debate in a nutshell: Is the benefit of publicizing an attack worth the increased threat of the enemy learning about it? (In the language of the intelligence community, this is known as the "equities issue.") If vulnerabilities are not published, then the vendors are slow (or don't bother) to fix them. But if the vulnerabilities are published, then hackers write exploits to take advantage of them.

In general, I am in favor of the full-disclosure movement, and think it has done a lot more to increase security than it has to decrease it. Publicizing a vulnerability doesn't cause it to come into existence; it existed even before it was publicized. Given that most vendors don't bother fixing vulnerabilities that are not published, publicizing is the first step towards closing that vulnerability. Punishing the publicizer feels a lot like shooting the messenger; the real blame belongs to the vendor that released software with the vulnerability in the first place.


Look, there is no need. I came here to explain myself; I didn't want trouble from this, then all of a sudden you want to ban me. I'm not a ****ing hacker; I do exploit development. I have never defaced or hacked a site in my life.

I will make it easy for you all: I will stop playing LFS, which I paid for, and let you all get on with it. I did not come here for trouble.

I actually feel damn bad. I hope you are feeling good about yourselves. I thought the LFS community was and is full of good people who would at least give me a chance to explain myself. How wrong could I have been.

Quote :
Becky Rose

Please let me explain. I never wrote the code or found the bug for the LFS dedicated server; that was not me. I have never attacked or used the code that was provided for the dedicated server. This is unbelievable; I'm also getting the blame for the remote bugs in LFS. That was not me; please do some more research on this.

You could always contact the devs to see who did, as I'm not going to name and shame.
Quote from mikey_G :Discovering a buffer overflow and writing shellcode for it isnt criminal nor illegal,...

I didn't say that.

I meant if one of the goals of this exploit is to show others an easy way to modify replays to take over other people's computers, like muhaa said, then it's an instruction on how to do illegal things, and this is criminal in a lot of countries.

Releasing an instruction manual on how to make a simple suitcase bomb is the same thing. Some would say it's just a PoC, and if someone then uses it to bomb away some others, the author of that, of course, has nothing to do with it.
That's crazy imo.
I FOUND A FLAW IN THE CODE

If I replace cfg.txt with an executable virus, I can control the whole world! Devs, please fix this flaw. If you don't I'll release the code vulnerabilities in 37 minutes. No need to thank me, other than praise me online where everyone can see it please. How does that sound?
Quote from tristancliffe :I FOUND A FLAW IN THE CODE
If I replace cfg.txt with an executable virus

LFS stops working (maybe). That's all.
#93 - SamH
Quote from Albieg :Alright Sam, you know I respect your ideas. But let's get a fact straight: there may be black, grey and white hats out there, but there isn't any sure border.

Respect to you too! I'm merely pointing out that even zone-h acknowledges that the actions of its "contributors" are illegal. The text at the top of the page is a classic side-step, intended to defer their activities and use a free press/journalism trick. (it's illegal to murder, but it's not illegal to report a murder). What it says about the legalities of the activities is correct, however.. it's illegal to do what their contributors do.
Quote from SamH :Respect to you too! I'm merely pointing out that even zone-h acknowledges that the actions of its "contributors" are illegal.

They keep this database as a form of advertising for their worldwide security chapters: a bit of shame for the defaced, a bit of fame for the defacers and tah-dah! You need zone-h. We'll secure your website, but maybe a zone-h founder will wiretap you. Not now, for sure.

Edit: and they fail to mention that Ghioni is in deep trouble with justice... No full disclosure in this case.
Quote from mikey_G :Anyhow, for the opponents of public disclosure i'll post one more story to let them see from a different side. This one is written by Bruce Schneier, a well known person in the security industry.

http://www.schneier.com/crypto ... ublicizingVulnerabilities

Yes, but Bruce there is on a totally different level and he can say "security industry" in a room full of people and they will maintain a straight face. I doubt he is referring to doing this to a software developer you can just about walk over to his house, knock on the door and tell him about it in person*.

* Disclaimer: I am not saying people should start doing this. It's just a proof of concept idea - however it will likely be very educational for you if you do do it. So yes - for educational purposes only.
Quote from tristancliffe :I FOUND A FLAW IN THE CODE

If I replace cfg.txt with an executable virus, I can control the whole world! Devs, please fix this flaw. If you don't I'll release the code vulnerabilities in 37 minutes. No need to thank me, other than praise me online where everyone can see it please. How does that sound?

I always humbly await the moment you come posting in threads to read your intelligent input. And I have to say, this time you surpassed my expectations
Quote from xaotik :Yes, but Bruce there is on a totally different level and he can say "security industry" in a room full of people and they will maintain a straight face. I doubt he is referring to doing this to a software developer you can just about walk over to his house, knock on the door and tell him about it in person*.

* Disclaimer: I am not saying people should start doing this. It's just a proof of concept idea - however it will likely be very educational for you if you do do it. So yes - for educational purposes only.

That would make the whole "bug disclosure cycle" more interesting. Maybe this is an idea for a reality TV show specifically tuned for nerds.
Becky, I think you are wrong to put me on the ban list, but do as you please. I don't go on the server anyway; too much wind. I'm disappointed by your actions, but it's your server and you can do as you wish.
Quote from xaotik :I doubt he is referring about doing this to a software developer you can just about walk over to his house, knock on the door and tell him about it in person*.

Moreover, muhaa failed to keep track of the time that passed between the discovery of the security issues and his disclosure, he spread a PoC in the wild, and he didn't take into account the fact that LFS isn't so widespread. I see no professionalism in this.
I'm going to leave it at that; I think there has been enough public hanging of muhaa for one day. I just wish people would have listened more to what I was saying and it would not have got to this stage.
This thread is closed