You brought this upon you - this isn't a witch-hunt and you are not a great security analyst or whatever.
From the looks of it you're some kid who found out about bugtraq, read a few security related articles, interpreted them in some weird fantasy sort of way and talks/writes way bigger than he is and commits the same syntactical and grammatical mistakes over and over.
Don't get on a tirade about "guidelines" and "ethics". The way you treated this situation was like holding the devs hostage.
Just let it be, there was a problem, you did your boo-boo in it, and now it'll attract flies until Scawen, like a community nanny, cleans it up.
Okay, Muhaa, let's be clear then, the server crasher committed a criminal offence. It was a DoS, and that's illegal. If you write the code (make the bomb) for someone else to execute (blow up), you're culpable.
I did not write a dos for lfs that was not me i think you are confusing the situation.Im not a defacer i don't like zone-horg i know some people from there the admins and stuff.But i don't associate with people like that.That zone horg is not a legit security site there full of skiddy who wreak other peoples site.I have nothing but hatred for these types of people.And the people i know don't like them at all.
I dont know where the denial of service comes into this,We are talking 3rd party software its totally different from what there actually talking about.There on about bot nets which skiddys love to d0s people.
[merge double post]
I did not write a dos for lfs that was not me i think you are confusing the situation.Im not a defacer i dont like zone-horg i know some people from there the admins and stuff.But i dont associate with people like that.
xaotik
You dont even know me im not some skiddy.Not like your thinking your blowing the whole thing out of context.I agree im not the best person in the security industry but i do know what im talking about.Go on try and recreate the bug i found in lfs,You know why you cant simple you have no debugging experience or coding skills.I have been playing with security related subjects for 7 years if not longer.
Obviously there are bugs in any piece of software. It's an unavoidable part of programming. With big software houses, each programmer is in charge of something and they all code differently. Sometimes one line will conflixt with another, it's a fact. When they discover them, they get fixed.
With indie houses it's harder to find, because they don't have the same hardcore intensive QA and testing, so only glaring bugs which show up during standard small-scale testing will show up. That's what beta testing is for. But obviously even that doesn't get them all.
In theory, your argument is correct. Bug are caused by the programmers. However, since 99% of other LFS users haven't come across them, that means you were obviously using the program to do something you shouldn't, and therefor you found the vulnerability. Had you been using it in the intended method it wouldn't have shown up.
For someone who thinks he knows what he's talking about (and talks a lot about), you don't seem to understand how easy it is for a minor bug or vulnerability to go unnoticed.
Have you ever programmed something as complex as LFS?
Was it tested by thousands of people and found to be flawless?
Until the answer to both of those questions is 'yes', you have no right at all to disparage their work or threaten their program with your POC release.
By all means go with steps 1 & 2, that's actually helpful. But by moving onto stage 3, all you are doing is exposing the program you claim to want to be secure by giving access to anyone who wants to exploit it.
Seems to me the best way of keeping it secure would be not telling everyone how to hack it. Silly me, what do I know?
Do not try and disguise your efforts as security 'help' when you are willing to share them with the hacking community. That's like telling a bank that by robbing them you were trying to show them the flaws in their security system. Bollocks, my friend, bollocks.
You published a POC to hack MPRs and, you claim, attack the victim's computer. You released the code, therefore you are responsible for making the bomb. If that bomb goes off, you'll be responsible. Everything else aside, you will have broken the law.
I really wanna get off this blame-muhaa-for-every-network-glitch thing, guys. He does what he does, regardless of whether we think he's right or wrong to do so.
Moving on to the topic of exploits in general (non-LFS), I remember the days when a criminal prosecution against a hacker would be a job and a half to pull off... none of the jury would be able to tell a floppy disk from a mouse....
...but these days, every jury's probably got 3 or more people in there with either an MCSE or CISCO certification, and I can guarantee the rest of the jury has been infected by at least ONE virus in the last 3 years..
What are the chances of a hacker getting an easy time in court today? Next to no chance, I reckon. You guys?
Hello? Trying to save you getting your ass fried, here, yeah? You made the bomb. You're culpable for anything that happens as a result. Read the page I linked. It's not lying, especially the "a CRIME under all means, even if you don't think so" bit. http://www.zone-h.org/component/option,com_notify/Itemid,89/
I don't think you can walk away from it so easily, actually. I don't think it's only illegal in Germany.. plus, god forbid your actions result in someone in Germany getting screwed over.. extradition in Europe is a lot simpler now, since the EU
[edit] PS: I don't know if this is true or not.. I'm not a lawyer. I just think people who release code that enables retards to screw people over are just pants. Complete and utter pants. Anyone who does that sucks the big wiener, IMO.
Strangely, I've never thought about it in proper jail terms. Bans, reports, swift beatings round the head with a mallet, but never actual jail time.
Laws are amended as we move with the times, so I guess in future less reporting to admins or developers and more reporting to prosecuting websites. Maybe the problem is that those websites don't get enough attention so people don't know who to contact.
SamH what i do and what zone horg do are two completely different things.if i was to dos a network and take down the back bone of the Internet then yes fair enough.If i was to write a local exploit im hardly going to take down a net work.Skiddy who d0s can be held accountable im not saying they can not.But that is the skiddys not people who write poc code.You will see when i release an exploit it usually comes with a disclaimer.
<?php ---------- Disclaimer ---------- The information in this advisory and any of its demonstrations is provided "as is" without any warranty of any kind.
I am not liable for any direct or indirect damages caused as a result of using the information or demonstrations provided in any part of this advisory. Educational use only..!! ?>
What them chose to do with the information provided is nothing to do with me as it was released for educational use only.
SamH
Ive looked into this trust me there is nothing illigal of what i done nothing what so ever if it was there would be loads of people even at "Stanford university" that release a windows exploit some years ago be held for there actions.
If i was to deface a server then yes or get acsess to some ones computer then yes.But i think your missing the point i dont actually hack since the laws change.I have kidds and responsibilities to take care of.If i thought for one minute i was going to get jail time for any of my actions for pentesting i would not do it simple.But some one has to and as the laws stand at this moment in time i have not committed no offence.
My sentiments exactly, Sam. Glad I refreshed before posting
I'd like to add that I believe intentionally crashing a private server being used to provide a service to the public sounds an awful lot like DoS to me.
And I seriously almost wet myself when I read "if i was to dos a network and take down the back bone of the Internet". I think someone has ideas well above their station. There's a phrase about writing cheques your body can't cash that springs to mind.
The SecurityFocus maitains a database of vulnerabilities (and exploits, ... etc.). Almost all exploits can be found there. E.g. http://www.securityfocus.com/archive/1/476516 (I hope, that it is ok now to put the link here). So they don't release the exploits, but the exploits can be always found here. Maybe I don't understand your question right.
Who is responsible for the bug in the software? The original author of the software, no doubt about that. Releasing exploits is important at least for two reasons:
1) The angry customers push the software vendor to release the patch. Notice, that in most cases the software comes with "no warranty", read Microsoft EULA, for example. So the customer has usually no rights to require a new version.
2) The customers are pushed to apply the patch.
At the end, it makes the world more secure (less unsecure computers available for spam robots).
The important question is when release the full disclosure to the public. In my opinion, the best practise is, that the author of the exploit and software vendor arrange the date of releasing the patch. And the exploit is released with the patch, or one day later. If the software vendor refuses to tell the exact date of releasing the patch, the exploit should be released after reasonable amount of time anyway. It's a hard way, but it's the way, that works even with huge software companies like Microsoft. What is "reasonable amount of time" depends on the situation, in LFS's case two weeks is enough, in my opinion. (...and the customers push the software vendor to publish the patch, the are pushed to apply it, the world is more secure then...).
The other question is, where to publish the exploit. I think, that the SecurityFocus's mailing lists and database is enough. E.g. I would _not_ support to give the link to the exploit (before releasing patch X11) here at lfsforum, did that happen? The point is, that system admistrators will find the exploit there (in Security Focus database) and they could defend against the kiddie scripter, even if the patch is not released (e.g to set a password on LFS server, in our case).
EDIT: Tons of posts were added until I finished this post, so maybe some of things mentioned here were already posted.
EDIT2: The big mistake is, that many people believe that a vulnerability doesn't exist until it is disclosed to the public (from Jason Miller's article).
SamH
There is nothing illegal in what i done i can say that with known i would get no come backs.The disclaimer is there for a reason to stay with in the recommendations of releasing the poc code.So if any of the skiddys do use it that it is down to them not me.
I think Kada_CZ knows alot about the security industry and how it works.
If the developers had actually took the time to contact me and talk about the bug and let me know when roughly the patch would come out or contact me at a later date,About the date of the patch no poc code would have been released at all till the patch or just before tha patch was released.The developers didnt give me a time scale on when a patch would be applied that is one of the main reasons for the public disclosure.You also forget the av company take the file offsets and stuff and add them to there data base so anti virus picks them straight up.That is anther reason for releasing a poc code.
You guys are not looking into the whole subject with an open mind all your thinking of is the malicious things that can be done.I could have even sold the exploit to some one who was wanting a few extra vic legaly.But i wouldn't do that i wont sell myself out.
illegal in most countries. Whether you believe it's right or wrong.
@Muhaa, you're wrong. But don't take my word for it, go and see your local met's Cybercrimeforce and tell them exactly what you did, and see what THEY say. I DARE ya.
Lol sam i know where i stand it is not illegal to release poc codes.It depends where you are from they are clamping down in some country and yes you would probly get some sort of court aperiance depending on the situation where im for it is not illegal to publicly release exploit or poc code.If i was to use it then yes it would be.
I will try and find some stuff to back my claims up.
Well in this specific case there is no "the developers" or "the big-ass software house". It's Scawen. One person. We all know this - and since you are part of the community for 2 years now, you do too.
Full disclosure is a way of pressuring big companies or large teams of closed-source projects and usually just the former.
Just to be clear, I have no issue with this. However, at NO point in this entire moronic tirade by the stupid pillocks who released the LFS exploit code did they arrange any such thing. Muhaa held the devs over the POC for two days and then he released it. TWO DAYS. Man, that sucks. BIG wieners.
Nobody is suggesting that Scawen is not responsible for the code that he writes. It would be silly to suggest differently. But LFS is an Alpha program, given away for free (we buy the licence, not the software. The demo racers have the exact same software). It's mid-development, by one brilliant programmer.
Anyone who fails to recognise the real-world constraints for this independent software developer is absolutely incapable of even the lightest of thinking, and anyone who would choose to jeopardise the entire LFS software project for their own glory of being recognised ("or I release the POC") is... well, I'm not saying. Let's say the only way I'd hold a tosser like, for example, Phlos in my arms is strictly by the THROAT.
I'm not a lawyer, but I'm 100% sure, that it is not illegal in the Czech Republic, and 99% sure, that it is not illegal in the United States (SecurityFocus servers are in the US. And according to the whois database the aluigi.org is in Washington).
= cry for attention and recognition because you are a brat.
Helping someone with a bug fix is noble right up to the point where you publicly beat your chest about it with complete disregard for anybody but your own insecure self. If all you wanted to do was help you could have just helped discreetly. It is obvious to all that you just want some sort of recognition for your meaningless pastime.
35 Making, supplying or obtaining articles for use in computer misuse offences
(2)
A person is guilty of an offence if he obtains any article with a view to its being supplied for use to commit, or to assist in the commission of, an offence under section 1 or 3.
(3)
In this section “article” includes any program or data held in electronic form.