"In the land of the blind, the one-eyed man is king."
-- I guess you just don't realize how difficult it is to actually secure something until some of the people the industry respects go down in flames. Enter ZF05. (link is now broken)
"Zero for Owned" was released yesterday, detailing the brutal hacks on some of the people (and sites) the security industry, check that, the White-hat segment of the security industry, consider the best and brightest. If I may, for one brief moment, indulge the ZF0 crew(?) with a quote (I fixed some typos)...
"It's July 28th, 2009! Welcome one and all to the real Black Hat Briefings. Live from the underground, coming right at you free of charge. You don't have to pay to come, and you don't get paid to be featured. Presented by real blackhats, this is a must-see event!
This is a big one. We hacked notable whitehats Kevin Mitnick, Dan Kaminsky, and Julien Tinnes, among others. We continued the skiddie holocaust with darkmindz, elitehackers, hak5, binrev, and blackhat-forums. Along the way we created mass mayhem. There are more rm's in this zine than you can count on a hand. Just from targets shown here we collected about 75,000 passwords. Passes, not hashes. If you are reading this, then your browser probably did not crash, so you know we couldn't include all of our passwords, let alone hashes. The first version of this was ten times the size of ZF04."
That's pretty powerful stuff. Let me be clear - I don't think it was right of the ZF0 folks to publish personal emails, communications and nasty details... I don't care how much of a douchebag you think someone is... no one deserves that. It does show a serious lack of moral judgement and personality ugliness.
Moving on past all the interesting details ... a singular theme runs through this entire zine... no one is safe. If you've not heard someone say it before, memorize it -
"There is no such thing as secure."
If you don't believe me (the above quote)... look around. Matasano - the 31337 of the 31337... pwn3d. Dan Kaminsky, Kevin Mitnick and many other people we have grown to respect... pwn3d. Are any alarms going off yet?
Forget the personal attacks, forget all the nasty things that this dug up... it's irrelevant. What we're learning here is that there is no such thing as a totally secure system - even by those who are researching, teaching, and living high-security. This makes sense, I hope.
At the risk of going off on a rant... this can't be news to anyone! If you've ever told someone you can completely secure their assets you're a moron. There is no secure, there is only minimized risk. Every system has some level of risk of being compromised... did you write every line of code on every piece of software you're running and using? Hell no! Do you have a reasonable expectation that the code you're running for your OS (whether you're in Windows, Linux, OSX, or what-not) your mail server, your CMS, your twitter client - any of that... is even remotely secure? Again, hell no!
So is the world coming to an end?
... has every system been compromised?
... ... is there no hope of any kind of reasonable security?
Get over it. Things are going to get hacked but you need to learn a few lessons from this, and for that I think we have to say thanks to the boys (and girls?) at ZF0...
- Don't re-use passwords (even if it's just across different systems you have access to, different customers, high/low security, etc.)
- Segment, separate and compartmentalize so that a single compromised point-of-entry doesn't turn into a complete pwn (didn't we learn this back in... 1997 or so?)
- Minimize your risks! If you don't have a damn good reason to put extremely sensitive stuff on an internet-facing system... uhmm... don't
- Don't assume that because you're smart - that you're intelligent
- Accept that at some point... you will be hacked. Get over it.
So... sucks for the people who got pwn3d, but at the end of the day - know that we (those who actually understand security) don't think any less of you [unless we didn't like you already]. Understand that we'd prefer that everyone worked together to make things better rather than this stupid in-fighting like you see on the playground at 3rd grade recess.
Writing good, secure code is always 10x more difficult than pointing out bugs... so if all you're doing is hacking and breaking without actually contributing to the greater security of things... you're a cockroach. It obviously doesn't require a rocket scientist to find a new way of thinking the engineer didn't envision and break something down... hell, even a blind squirrel finds a nut eventually. Making sure that your code stands the test of time, peer review and inevitable malice is the true genius.
Play nice. Work towards the greater good.