Grave Security Hole By Default being over looked ?

Lenny

well things like that aren't as worrying about educationing script kiddies ...
but that Counter-strike one was and probberly is the only one, becasue of the hudge cs community

ecksor

There a lot more cisco routers on the Internet, which are a lot more important than CS servers.

Hobbes

Forgive me if I'm wrong, but this is pretty generic security stuff. You should always change the default password. If your not doing this then you really have no right to be working in that area.

Having said that. Tom... I do not like your posts.

Posting exploits is one thing, posting concise instructions for script kiddies is another. If you check other security sites you will see they tend to post the exploit too, but they don't give detailed instructions on how to create your own binary to exploit the systems.

Your post from CS forums was deleted for a reason. You then went and posted it here. It isn't appreciated. If you actually play CS you will know that the community is being destroyed by cheaters+hackers, most of whom are script kiddies and haven't got a clue what they are doing. If you check back through posts in that forum you will find loads of people warning of possible exploits and how to spot/stop them. What you won't find is people explaining in detail of how to do them.

Your comment on IRC too is in the same vein. A hacker would know this stuff because they would study it. What you have just done is give information to script kiddies without background knowledge of how to do it.

Why don't you just post exploits to get free porn? That way you will be as l33t as Nas/Neo.

Hobbes

it's "feel" not "feal". Why ask me a question if you don't want me to reply to it?

But yes I do work with admining servers in work and with networks. Big deal. Here is something for you. The place where I work have thier own private department which is paid to hack into + DoS attacks internally. They do this weekly and if I fail thier attacks I get a nice email telling me to fix it within X amount of time or I'm fired. I've only failed thier test twice in over 2.5 years of testing.

So what is your point? So you know there is an exploit you found by searching a security website. You must be l33t. Your first post in this thread was ok, the second one wasn't. I recommend you go back and read what you wrote to understand what it is that you are doing wrong.

ecksor

Tom posted this to Security and CS boards at the same time, there was no issue of him posting it here after it was edited there.

My opinion on this was posted there, and if you disagree with it, you are perfectly welcome to take it up with me via e-mail.

LegacyUser

./SLICE3 1 hobbes.host.com 0 5000&
but really hobbes I think you are full of ****, I think we should go our own ways and you should keep thinking you are better than every one else when every one knows you would find it hard even to install a module.

Now lets leave it at that.

Regards
Tom

p.S
it dont take must sense hobbes to read the date when a message is posted, and that you for editing my spelling !

Hobbes

>but really hobbes I think you are full of ****,

Like your badly spelled opinion means anything to me.

1. The exploit you posted is old. VERY old. So old that most people who should know about it have so for a long while now.

2. The majority of the regulars on the CS are well aware of what cheats are available and what they do. They don't post how to use them for a reason. Because they are well aware of the problems it causes. Some of the exploits have no fixes, which is why full details aren't posted.

3. Posting exploits is one thing. Posting concise details on how to use that exploit so anyone with half a brain can do it is another.

4. I don't like script kiddies. I personally feel if a person wants to learn to hack fine. But they shouldn't short circuit the process.

5. To give you the idea of the mentality of script kiddies that the CS community have to put up with. One of the most popular CS-hack sites a hacker posted a program which trashed your machine and all the people ran it without checking for viruses or reading the source that came with it. It took out most of the script kiddies along with the sites owner and all his machines.

6. Doing a search on a security website and then posting it to another forum doesn't make you a security expert. If your going to do it you can at least check the dates on the exploits.

7. I have no probs whatsoever how X_OR runs his board. I might disagree with some things he does but it's his forum.



[This message has been edited by Hobbes (edited 11-04-2001).]

LegacyUser

7 whole lines and numbers did you do all that by your self . But honestly you are full of sh-ite and you are trying to have me at your level posting ponitless messages on the boards like this. Would you please refrain from speaking to me, thank you.

Best Regards

Tom

[This message has been edited by TheBoxNetwork.net (edited 11-04-2001).]

ecksor

Tom, don't take my defence of your postings as a blessing or some sort of kudos. Our paths have crossed a few times before, and I've seen nothing to change my original opinion that you're a muppet, and certainly nothing to suggest that you're in a position to be telling people (who've been on these boards a lot longer than you I should add) that they're full of ****e.

fisty

yeah tom
u rock
u admin stank

Catch_22

a few comments for tom,

>Hobbes I feal you do not have any idea on security subjects

Be very careful what you say, you have been on these boards a matter of days, where exactly do you draw these conclusions from, you havent been around long enough to

>But I on the other hand work in security for a living

I have yet to see any post / demonstration of knowledge which makes you a security guru, or gives you the right to criticise others.

Like it or not you are the newbie on these boards and as such insulting people who are some of the longest running members here is really not the way to go about it.

That being said, I think in general this has at least livened up the security board a little, which was dying a death, but i respect the opinions being poseted here that posting exact instructions on how to crack a cs server is not going to do anyone any favours but just result in kids making use of the fact, if your going to post security issues post the line by line fix rather than the line by line exploit if you must go through it in detail.


c22

Bard

<font face="Verdana, Arial" size="2">Originally posted by ToM-theboxnetwork.net:
I always wondered why I dont use web based www boards now I know why, see you in the real world guys. As I wont becoming here again .
</font>

Seems to be because there's a chance people's views might conflict with your own views or your own actions...

If you're not prepared to have a discussion about a topic (in which differing opinions are a natural occurance) then you shouldn't post a message about that topic on a discussion forum...

Seems like common sense really...

---

Bard

---

"and there was much rejoicing..."

ecksor

Catch_22, I can assure you that Tom is not a security guru. Some people will have spotted that when he recommended UBB 6 (which has had a few serious issues in it's short life to date) over UBB 5.47e.

Tom, I may be moderator of a small branch of a www board (although I do have admin access to the entire board if you pay attention), and you may be a big ass security whizz out in the real world, but that doesn't change the fact that you're out of order telling Hobbes that he's full of ****.

FYI, I do work in security, as do quite a few of the people who read these boards, and I don't have a problem with you posting generic issues or discussing them here. Working in security doesn't automatically make you a security expert, and dismissing people's opinions because you work in security and they don't instead of a decent argument doesn't quite cut the mustard with me at least, and obviously a few others around here.

What Catch_22 said about posting the fix details rather than the script downloading details is something you should consider.

spod

One last thing, posting specific vulnerable hosts is a bad thing etiquette wise.

It's one thing to post problems, and discussions of them, *hopefully* including how to fix it, but to post details of vulnerable hosts is just not on.

Otherwise, as X_OR says, responsible full disclosure is welcome here

http://www.wiretrip.net/rfp/policy.html if in doubt rfppolicy is always worth a look.

Koopa

**** etiquette, tom youre doing the right thing, there is no other way these things will get fixed, and that counterstrike one was good too.. i wouldnt have expected they would still have that many exploits after all the **** that was going around about game servers since the original quake

as for educating the "script kiddies", well any "script kiddie" that wants to find it can just go into a search engine and type "HALFLIFE SERVER EXPLOIT" and find out exactly how to work it anyway, what tom here is doing is telling people what they should (but obviously dont) know already if they are running a cisco router, or whatever

who gives a crap if he is telling people exactly how to compile something, or whether he is just posting a link to the source files.. its like telling someone "go to the start menu, click shutdown, click yes" etc. instead of just telling them to shutdown windows.. if you dont like it, you dont have to read it.

Koopa

replace "HALFLIFE SERVER EXPLOIT" with "CISCO ROUTER EXPLOIT"

Koopa

oh by the way, about posting details instead of scripts.. fair enough, but he is probably just posting what he knows (or else he doesnt want to write an article 2 pages long that noone will read)

you cant really fault him for that..

ecksor

With regard to etiquette, spod was referring the naming of specific sites rather than generic vulnerabilities (tom pointed to problems with one site in particular).

spod

Yup.

Disclosing details of vulnerabilities == Good. [1]

Disclosing details of victim sites ripe for hacking with lame ass exploit == bad.

Simple.

[1] Although following rfp policy for releasing vulnerabilities is good. Give vendors advance notice and a reasonable amount of time to prepare a fix. Don't release it on a Friday afternoon when everyones gone home for the weekend. Try to provide a detailed description of the problem and a solution etc.

spod

Put another way, I'm all for full disclosure, just responsible full disclosure.

Gerry

Even I knew about the cisco router password. And if I knew, anyone who still doesn't know should be shot. Posting details of how to expoit security holes on a popular site like this which is read by a fairly broad cross section of people, (well compared to most security sites), will give budding script kiddies a helping hand, so I dont think its a good idea. Just my opinion.

[This message has been edited by Gerry (edited 16-04-2001).]

koriordan

Tom: "a large % of people still have the default password on their cisco routers set to cisco"

Hobbes: "... you have just done is give information to script kiddies without background knowledge of how to do it."

Spod: "Disclosing details of victim sites ripe for hacking with lame ass exploit == bad. Simple."


Well, I'm glad a load of opinion cleared that one up. Yeah, shame about that whole publicising targets malarky, there might be something wrong there - so you have two options:

1.) Try and stop people from saying stuff

or

2.) accepting that they will, and acting accordingly. In this case, either changing yr default passwd, or hiring a competent admin who will.


I imagine most of you would go for option 2, but seem to frown on people publicising targets ... when you think about it, it should only affect the folk who "really have no right to be working in that area" anyways ? Ah, what would I know ...

Incidentally, our college routers still have the default passwds, and several folk have known this for a loooonnnng time ... oh, and our compsoc was nearly h4x0r3d by Tom a while back, a copy of leechFTP in a netcafe held a cached passwd.

ecksor

<font face="Verdana, Arial" size="2">Originally posted by koriordan:
I imagine most of you would go for option 2, but seem to frown on people publicising targets ... when you think about it, it should only affect the folk who "really have no right to be working in that area" anyways ? Ah, what would I know ...
</font>

However a vulnerability appears on a site, it does not give anyone the right to go messing around with their machines as you seem to always suggest. A vulnerability doesn't necessarily just affect the admin or company that are responsible for it for one thing.

I seem to remember an incident a couple months ago when you were caught messing around with a perl cgi script that a user had on their website, attempting to use it to get system information. Would you have informed the owner of any problems if you hadn't been discovered?

<font face="Verdana, Arial" size="2">Incidentally, our college routers still have the default passwds, and several folk have known this for a loooonnnng time ... oh, and our compsoc was nearly h4x0r3d by Tom a while back, a copy of leechFTP in a netcafe held a cached passwd.</font>

Right, and have you told the network admins in your college about this, or do you just ponce about thinking you're an elite hacker d00d acting cool because you know about it and they don't?

You may not be as clueless as Tom, but your superior attitude is unwarranted.

[This message has been edited by X_OR (edited 17-04-2001).]

ego

Just to be really anal here but I would like to point out that any release of CatOS/IOS/PIX(Finesse/even CBOS etc of the cisco product range are _not_ configured out of the box with a "default" password.

You cannot blame cisco for the idiocy of some of the people configuring these devices.

The use of "cisco" and "sanfran" etc as passwords on these devices stems from budding router monkeys taking their CCNA course or "cut and pasting" configs from CCO.
I liken these people to the same who set myname/myname as their u/p on their favourite linux distribution.

This comes down to companies not having defined policies for enforcing strong paswords or indeed using some other form of strong authentication (kerberos/tacacs+ etc).

Anyway this is probably off the point at this stage of the post im just sticking up for a multi billion dollar corporation, right.

Koopa

<font face="Verdana, Arial" size="2">
from Hobbes:

If you actually play CS you will know that the community is being destroyed by cheaters+hackers, most of whom are script kiddies and haven't got a clue what they are doing
</font>

this is the fault of the game companies really, the most secure game i know of right now (as online cheating goes) is quake1 using qizmo proxy (http://qizmo.sci.fi/)..

still uncracked, and its been over 2 years since the last version update

Hobbes

Actually CS has Punkbuster which is supposed to stop cheating. People are forced to use it because others feel it's thier god given right to totally fuk others over because they know of an xploit.

Evil Phil

I'm not a security expert, not in security at all. But doesn't Boards.ie have certain responsibilities as a member of the internet community if not legal obligations?

I don't think posting an exploit is right. I think the boards lads we're right to take it off. Most of what Tom said, although probably correct (I wouldn't know) was just boasting about being a cool hacker type, d*ckhead! If you that good make a contribution. Himself and Postman P(r)at should get together and go bowling.


thats my 2 cents. I really should do some work today.

[This message has been edited by Evil Phil (edited 17-04-2001).]

ecksor

The only reference taken from the security board was to the site that Tom alleged had an open proxy.

I don't see how there could be a legal problem with posting an exploit that was publically known of to begin with. You could argue that it is an irresponsible thing to do hide this information, when it could be used to educate people by informing them of such vulnerabilities.

Evil Phil

<font face="Verdana, Arial" size="2">Originally posted by X_OR:
The only reference taken from the security board was to the site that Tom alleged had an open proxy.

I don't see how there could be a legal problem with posting an exploit that was publically known of to begin with. You could argue that it is an irresponsible thing to do hide this information, when it could be used to educate people by informing them of such vulnerabilities.</font>

I stand corrected.

sam

i just realised x_or was in fact jerry

that picture gives you away

haha

[This message has been edited by sam (edited 17-04-2001).]

ecksor

Eep! my cover is blown.

koriordan

"...have you told the network admins ... about this ..."

What ? I have no reason to talk to them, and that surely isn't one.


"... do you just ponce about thinking you're an elite hacker d00d ..."

What ? Hahahahaha ! Look, all my h4X0ring I learnt from JeffK[0], and I'll freely admit that.

"... your superior attitude is unwarranted."

okay, I'll change.


[0]http://www.somethingawful.com/jeffk