XXX Supplied by theyu0 of #phrack XXX
-------------------------------------



----- Forwarded message from Dragos Ruiu <dr@kyx.net> -----

Delivered-To: xxxxxxxxxxxxxxxx
From: Dragos Ruiu <dr@kyx.net>
Organization: kyx.net
To: (recipient list omitted)
Subject: kyxspam: retro is in (new kyx key is sillyrabbit)
Date: Tue, 16 Jul 2002 02:07:13 -0700
X-Mailer: KYX-CP/M [version core00-mail-92]

(Well today was a busy day with a rash of irc warfare
that was very retro90's.  BTW the el8/gobbles folks who had
taken over #phrack rooted lia in France and then started
hacking/takeover on w00w00 from there... but lia had the 
last laugh when he uh liberated their #phrack trophy from 
them late in the North American evening.

For some reason these kids have decided that
K2, and kyx amongst others are a form of ultimate 
"whitehat" evil for them, and the amount of BS hurled at 
servers over here today was exceptionally high.  Aleph 
One as the Security Focus poster child also seems to
rank high in their contempt along with Lance and a few 
others, so at least we're in good company. :-)

for more details see: 

http://www.eurocompton.net/~fuk/phrack/

After a few of these folks started bragging about owning
me and others up, I rebuilt some boxes including my
mail server as a precaution.  I would also advise
the recipients of this message to also take care
in case of spillover from these kids' spree of
silliness. They are silly but these kids are not
unskilled.  Fortunately none of this seems to
have crossed the line from mere bragging, virtual
trophies and irc dick waving into real damage, 
but do me a favor and be extra careful for a while 
in case something or someone gets stupid.

BTW today's prescient award goes to Jordan Ritter
who very accurately predicted all of this kiddie
backlash building up about a month ago.

Oh well. things never seem to be dull anyway,
and those machines _did_ need a reinstall.
BTW the new #kyx@efnet key is "sillyrabbit"
since someone leaked the old key.  If you did
give them the old key or other info, no worries, 
but please save me some time and let me know 
about it so I can stop suspecting security breaches 
at local machines.

But as Nico so aptly put it... let's not give too much 
importance to what is ultimately just a bunch of kids
acting immaturely. Cause all they want is attention. 
cheers, --dr :-)

url: http://theregister.co.uk/content/55/26198.html

Security industry's hacker-pimping slammed
By Thomas C Greene in Washington
Posted: 15/07/2002 at 15:48 GMT

 I spent three days at H2K2 hoping someone would say something worth
mentioning in The Register. Finally, on Sunday, a couple of speakers did just
that (on which more tomorrow). Best of all was Gweeds' savage synopsis of a
thing which world + dog has no doubt long entertained as a vague suspicion,
namely the way hackers pimp themselves in hopes of getting hired at great
expense by security companies, and the way conferences provide fertile soil for
the illusory threat exaggeration on which the security industry feeds. 

 The corporate model whereby hackers gravitate towards corporate greed and
away from the liberation of data and private resources developed with public
funds was pioneered by ISS, Gweeds noted. Hackers now work to expose security
flaws with the specific intention of selling out and obtaining funding to
become a security company, he said. 

 Security lists like BugTraq become the matter for resume stuffing. "Post to
BugTraq, become a well-known gadfly on the list, and, like Sir Dystic, get a
high-paying job at Microsoft. It's an interesting progression: post a fix to a
bug, work on the resume, release some software and then get offered a good
job," Gweeds noted with sarcasm. 

 He also mapped out the cyclical food chain whereby hacker sell-outs propagate
cyber-crime FUD to feed the propaganda needs of government agencies, which
helps to lard agency budgets with public funds, and which in turn helps to
enrich the security industry. 

 "L0pht went in front of Congress and testified at the behest of NIPC and
talked about how they could get into any network in the United States. The
result is that NIPC got increased funds for cyber-defense and FBI got more
funding to fight cyber crime. And now L0pht (@Stake) enjoys federal security
auditing contracts," Gweeds observed. 

 "They're making money, sure; but they're also increasing the reach of the
Federal police state at the expense of fellow hackers who are being caught and
put in jail." 

 Gweeds also believes that the window between when an exploit is developed by
the underground and publicly released is shrinking as hackers turned
security-knights hasten to pad their resumes with proppies on BugTraq. This may
be good for the computing public at large, but when the purpose of hacking is
to liberate information which may well be of concern to the public, then it's
just another sell-out. 

 One of the nastier things a blackhat can do is exploit a company, say, for
quick cash, which can be done many ways. Money can be leached from a bank;
proprietary information can be sold to a competitor, or sold back to the owner
in a simple blackmail scam. These familiar and dark scenarios, along with
numerous others, are the ones eagerly propagated by the Feds through the
mainstream press. 

 Yet one of the best things a blackhat can do is obtain and disseminate
information which the public needs to know, e.g., internal memos indicating
unsafe products, discrepancies between a company's SEC filing and its own
accounts, dirty dealings with local property owners, and a hundred other routine
crimes of corporations protected by walls of silence and spin and totalitarian
internal rules. 

 The rush to publish and take credit for discovering and patching a new
exploit hobbles the positive efforts of blackhats with a social conscience
(though admittedly no one knows how big a category that is). 

 Finally, Gweeds elaborated the scam of corporate-sponsored security
conferences and their role in nourishing the hacking/security/Fed food-chain,
the most famous of which is BlackHat, and its handy companion side-show,
Defcon. 

 "BlackHat brings together CEOs and corporate security people and government
and military people, to tell them why they need to spend money on security
services and products." They then learn about intrusion techniques from hackers
who are there essentially to frighten them. 

 And then, when it's over, "BlackHat attendees get a free pass to Defcon, a
hacker culture freak show, so they can see the people they're supposed to be
afraid of up close and personal," Gweeds said. 

 It was a refreshing piece of cynicism well expressed, and for me the
highlight of the entire conference. I do hope USA Today caught it.  

--kyx----kyx----kyx----kyx----kyx----kyx----kyx----kyx--
url: http://theregister.co.uk/content/55/26202.html

Gweeds gets killed
By Thomas C Greene in Washington
Posted: 16/07/2002 at 07:30 GMT

 
 My recent item entitled "Security industry's hacker-pimping slammed" has
generated damn few page hits but a vast flood of e-mail. What I reported,
essentially, is that my boy Gweeds stood up at H2K2 this past weekend and
excoriated the security establishment for selling out 'old-fashioned' (possibly
fictional) hacker ethics for a quick buck. But before we get to the dirt, which
readers have supplied with glee, I should at least say this much: 

 Gweeds' cynical angle on hacker sell-outs doesn't get enough play in the
press, imho. It doesn't seem right that the public discussion should be so
asymmetrical. I think it's healthy to play Devil's Advocate once in a while.
That said, I believe I expressed a hint of a doubt that the blackhat community
actually gives a rat's ass about social issues: 

 "The rush to publish and take credit for discovering and patching a new
exploit hobbles the positive efforts of blackhats with a social conscience
(though admittedly no one knows how big a category that is)." 

 It would be cool if that category would grow -- assuming it contains at least
one, that is.... 

 I never said that I believe what Gweeds claimed about @Stake or SD. I
reported what he said, and said that I liked it. That's not to say that I
believed it. 

 Regardless of Gweeds' foibles, I maintain that his argument is worth
presenting in The Register. Where else will you find stuff like that, after
all? 

 And finally, I have no loyalties other than my own, which are well-known to
our beloved readers. I loathe Microsoft, adore Linux, loathe Feds, adore
soldiers, loathe cops, adore firefighters, and would be delighted beyond
expression to beat John Ashcroft, Billy Rehnquist and Little Dubya to death
with a tightly-rolled-up copy of the Bill of Rights. 

 And as for Gweeds, who suddenly seems quite easy to ignore in context of
Presidents and Attorneys General and Supreme Court Chief Justices, I'll still
gladly tear him a new one if the dirt sticks. Which it very well might....  



 Gweeds and Sir Dystic have a past - and there are many stories floating
around about a feud between Gweeds and Sir Dystic over NewHackCity, a site
Gweeds screwed up and is no longer. Are you sure that Sir Dystic works for MS?
Or are you taking Gweeds word for it? Something tells me that MS wouldn't go
and hire the programmer of BO knowingly. Nor would "programmer of BO, member of
cDc" look all that good on a resume. 

 If you do a search of the Bugtraq archives (I used both SecurityFocus'
archive and Neohapsis) you will find only one post by Sir Dystic to the mailing
list and it's not even a security advisory. 

 L0pht was invited to speak to congress by Senator Thompson not NIPC. I've
read some of the L0pht testimony and have yet to see any FUD in it. Does Gweeds
have any examples? 

 Gweeds does not have the ability to know anything about @Stake government
contracts. From what I can tell from conversations I have had with @Stake people
Gweeds statement is false. Again, does he have any examples? I have interviewed
with @Stake in the past and am pretty sure that they are not living off of
lucrative government contracts - a simple phone call could also confirm this. 

 It would also seem that Gweeds is somehow connected to the "el8" crowd as the
following was taken from IRC recently
(http://www.eurocompton.net/~fuk/el8.3.txt) 

 *snip* Oh it just keeps getting better: Six degrees of separation..This is
the whois info for gweeds on IRC this morning gweeds
(gweeds@ghettobox.eurocompton.net). Oh my goodness..the hostnames match..looks
like Gweeds has a posse. 

 As you might know, the el8 crowd has made it their mission to attempt to
destroy the so called whitehats. To them, the legitimate hackers are a threat
to their zero days and their fun. 

 Is it just me or has the true hacker ethic always been about the quest to
explore systems and gain knowledge? 



 "L0pht went in front of Congress and testified at the behest of NIPC and
talked about how they could get into any network in the United States. The
result is that NIPC got increased funds for cyber-defense and FBI got more
funding to fight cyber crime. And now L0pht (@Stake) enjoys federal security
auditing contracts," Gweeds observed. 

 L0pht testified at the request of Senator Thompson's office. No one from NIPC
ever spoke to them. They testified because they thought the citizens of the
country needed to hear the truth about the security of governmental systems and
the critical infrastructure. I would like to see some evidence to back up the
statement that @Stake now enjoys federal security auditing contracts. Any tiny
bit of evidence. 

 "They're making money, sure; but they're also increasing the reach of the
Federal police state at the expense of fellow hackers who are being caught and
put in jail." 

 So if there is no evidence then this second statement is clearly untrue. 

 So taken together these statements paint a picture that L0pht used its fame
and knowledge to get in front of Congress so that they could get government
contracts to help the government catch hackers. This is clearly bizarre. You
would think if you were going to rewrite history so boldly that you would have
sought out a comment from someone who was actually there. 

 [I was there, and Gweeds' characterization, while not strictly correct, is
revealing and worthwhile -- tcg] 



 After reading your article it became important to me to express my
perspective. I've sent it out to various channels, including the Security Focus
forum related to the article, and only time will tell if SF deems it acceptable
for publishing in the forum, and Gweeds. It seemed appropriate to send it to
you directly also. You should be aware that I am close friends with Gweeds, Sir
Dystic, and almost all the members of the L0pht, and an actual member of The
Cult Of The Dead Cow, so that my bias and motivations are understood. I think
it's great that you focused on Gweeds' speech, as it was probably the most
significant session that happened at h2k2. There are ripples in the net as a
consequence of the talk, your article being part of those ripples. Anyways,
here's what I have to say about it. 

 Over the past year I've spoken to many hackers who share a lot of the same
sentiments that were expressed in "Black Hat Bloc or How I Stopped Worrying
About Corporations and Learned to Love the Hacker Class War". However, it took
Gweeds' courage to step up and lay it out to a live audience of hackers. I have
to admit that I have been guilty of some of the same "exposure equals success"
thoughts, and I have made attempts to join the big money computer security
industry, unsuccessfully. Although, I would also have to say that my underlying
intention was to make a career doing something I enjoy, hacking. 

 Gweeds didn't hold back in his talk. There was no innuendo. Names were named.
I think some of those mentioned, like Chris Klaus, deserved to be exposed. The
evidence exists in the original ISS code. However, I think others were unjustly
accused. To the best of my knowledge, Sir Dystic does not work for Microsoft,
but if he did, doesn't that make sense? Aren't we always saying that Microsoft
lacks the skill or talent to do things right, especially when it comes to
security. Couldn't we use someone like Sir Dystic, on the inside, just like we
have Andy Mueller-Maguhn on the inside at ICANN? 

 I think I need to shed some light on Sir Dystic's history, to set the record
straight, even though I also feel it is an invasion of his privacy. Sir Dystic
never cared for money. There was never any spark of greed in him. He doesn't
own a BMW, a Mercedes,.. he drove around in an old minivan he borrowed from his
parents. He doesn't own a house. He never made any millions from company stock.
He never joined any company that appeared to have great prospects. He was
expressing that the industry made him sick while Gweeds was still at
Macromedia, earning one hell of a salary for a 20 year old, plus stock options.
Sir Dystic was mostly unemployed through most of the "dot com years", only
doing enough to get by, and only trying to find something that interested him.
There were long periods of time that Sir Dystic didn't see his friends, but
instead was sitting in front of his 2 year old computer doing research and
coding. And what would he do with what he found? Did he use vulnerability
extortion to line his pockets? or parlay it into working for some big security
firm? No. He shared it, openly. Even though most often I think in doing so it
only caused him grief. Accusations of being unethical, and tons of email
requesting for tech support and warez that can be used to hack shit up! I think
we should all implore Sir Dystic, and other hackers to work at Microsoft. Maybe
by being on the inside, change can be made. History has shown that Microsoft
isn't going to go away, let's see if we can make it better. For me, if I saw
that Microsoft was hiring our brethren, it would lend credence to their recent
so called "Security Initiative". 

 I think it was also unfair to call to the forefront the jealous laden cry of
"L0pht has sold-out"! L0pht had no intentions of making a huge financial
windfall through government contracts when they testified at congress. It was
an amazing feat to finally have a chance for hackers to be heard and respected
for their way of thinking. L0pht made attempts to point out the straight truth
about security flaws in the internet, the way government and commerce handles
information (including yours) insecurely, and that software companies should be
held accountable for the flaws in their expensive software. History shows that
the L0pht continuously freely released information and software. I'll also take
this opportunity to point out that many years ago, when each new vulnerability
didn't make the news, L0pht tried to speak to vendors and companies about their
security holes, and got harassment and threats in return. L0pht, at great risk
to themselves, released the information to all, long before the term Full
Disclosure became a hacking political tool. In so many ways, L0pht is a shining
example of what it means to be hackers. For that, they deserve our respect, not
our usual need to tear down our own heroes when we're done with them. 

 Although, I think Gweeds was off target with his slings and arrows, those
arrows were true. I feel that I don't deserve to name names, lest perhaps my
own envy show through. However, I can speak of things in general terms. 

 The bugtraq Full Disclosure phenomenon comes to mind. Full Disclosure which
was originally a means to share knowledge openly, alert everyone to a possible
flaw, and force the vendor to provide a patch. This has instead become, as
Gweeds said, about bragging rights and resume fodder. Also, while some focus on
the problem of unethical hackers misuse of Full Disclosure, it is the security
industry using this free information resource, to fuel their own expensive
proprietary software, while spreading the word that hackers are evil, that
turns my stomach. The ultimate example of this has to be the recent
over-zealous release of the Apache chunked encoding vulnerability. 

 I think that we do have to be concerned that our government is going down the
wrong path again. Software companies are still not under pressure to promote
quality and be liable for the lack of it. Instead of using technology to
improve our lives and as a means to disseminate public information, it will be
used to restrict our freedoms, and peer into our private lives. If software is
made with less obvious well-known coding flaws, intelligent authentication
schemes, and encryption there should be no need for the government to spy on
its own citizens. 

 The good and bad things that have come out of hacking, involve people's
motivation. We all have to explore our own motives and the motives of others,
when it comes to hacking. There is nothing wrong with making a living, doing
something in the technology field, even in the security industry. It should be
based on a love of technology, the desire to improve things, and fact-based
honesty, rather than fear and materialism. 



I have a couple comments about your article. 

 "Hackers now work to expose security flaws with the specific intention of
selling out and obtaining funding to become a security company, he said." 

 Perhaps today that is true when you see s'kiddiots like PimpShiz going out
and defacing sites then starting up his own security company but in the past
this has never been the case. Today, you see a lot of high flash but low skill
guys getting the money and yes, they are manipulating things but to compare
these idiots with the true hackers and the true security professionals is
offensive. 

 "Security lists like BugTraq become the matter for resume stuffing. Post to
BugTraq, become a well-known gadfly on the list, and, like Sir Dystic, get a
high-paying job at Microsoft. It's an interesting progression: post a fix to a
bug, work on the resume, release some software and then get offered a good
job," Gweeds noted with sarcasm." 

 Or like Gweeds, become an early Macromedia employee so that you can cash in
on options and never have to work again. Who is he to point a finger at those
of us who still have to work for a living? As someone who has been in senior
hiring positions at a few security firms, there is no way in hell I would hire
someone just based on Bugtraq posts. Of course if someone was to post a well
thought out and well written advisory plus showed a high level of maturity when
working with vendors his name is going to be remembered but it's the skill set
that gets the job, not the "pimping". 

 "L0pht went in front of Congress and testified at the behest of NIPC and
talked about how they could get into any network in the United States. The
result is that NIPC got increased funds for cyber-defense and FBI got more
funding to fight cyber crime. And now L0pht (@Stake) enjoys federal security
auditing contracts," Gweeds observed." 

 Was any of this even confirmed by you? When did L0pht go in front of congress
and when did L0pht become @Stake. What specific government contracts is Gweeds
talking about and how would he even know what contracts @Stake has? I don't
work for @Stake but I am in pretty constant contact with a lot of their people
and I am willing to bet you would hear a different story if you checked with
them for a comment. 

 "They're making money, sure; but they're also increasing the reach of the
Federal police state at the expense of fellow hackers who are being caught and
put in jail." 

 Now this is outright FUD. The morons that are being caught and put in jail
are not even considered hackers. Script kiddies at best. What is wrong with the
idiots who deface web sites being caught anyways? What makes Gweeds think that
L0pht should have some sort of allegiance with idiots? It's the job of a
security professional to protect their employers networks and respond
accordingly to attacks. 

 "Gweeds also believes that the window between when an exploit is developed by
the underground and publicly released is shrinking as hackers turned
security-knights hasten to pad their resumes with proppies on BugTraq. This may
be good for the computing public at large, but when the purpose of hacking is
to liberate information which may well be of concern to the public, then it's
just another sell-out." 

 I agree that the exploit window is shrinking and I even agree that there are
a few unethical organizations out there that hack then chase the ambulance in
order to get the work. But without proper proof is this just not more FUD?
Gweeds couldn't find his ass with both hands let alone be able to talk about
the security industry or what security professionals are doing. We have all
heard the rumors of certain research groups going out and defacing sites then
having their consulting arm make a cold call the next day -- but these are just
rumors with no proof. I personally would love to see this proved especially
with who is rumored to be doing it. 

 "BlackHat brings together CEOs and corporate security people and government
and military people, to tell them why they need to spend money on security
services and products." They then learn about intrusion techniques from hackers
who are there essentially to frighten them." 

 It's not like the presentations at Blackhat are just high level doom and gloom
scenarios that are designed to scare people. They are presentations on real
risks that are really exploitable. How is this designed to scare money out of
people? It is a forum to increase the awareness of the true risks. You know as
well as I do from attending most of the BH/Defcons that if someone got up there
and did a FUD presentation they would get chased out of the venue. Although
this year I see iDefense is presenting so we will see. :-) 

 The bottom line is, Gweeds sold you a bridge, he talks about nothing that he
would even have the opportunity to offer evidence of and he is definitely in no
position to point fingers when he himself sold out and cashed in on Macromedia. 

 Some consider me to be a hacker, I consider myself to be a pretty good IT guy
that likes security and therefore works in the security area, can you fault
people like me for making a living? That would be like saying that Thomas C.
Greene is a good writer but he has really sold out by writing for The Reg -- he
should do it for free. 



 Of course, when was the last time you've heard of a hacker releasing internal
memos indicating unsafe products, discrepancies between a company's SEC filing
and its own accounts, dirty dealings with local property owners, or any other
routine crimes of corporations? Not recently, eh? 

 Cynicism of the security industry is good and healthy, but please let's not
give precious ink to such bullshit hacker mantras as "information wants to be
free", which are nothing more than a lame excuse by pimpled kids and folks with
no social skills to read your private email to a drug use mailing list and raid
your porn image collection. 

--kyx--

----- End forwarded message -----
