Security Specialists: Violation


jparker[]
September 20th, 2001, 05:35 PM
Recently, on a popular security awareness mailing list, Carolyn Meinel, author of "The Happy Hacker blah blah blah", was responsible for a post of supposed full disclosure information on wuftpd version 2.6.1. This post included a bit of seemingly harmless code that was actually a malicious rm -rf ~/* code.

Seeing Carolyn's place in the security field, and her experience, would one have trusted code that was released by her?

Well, I did. I did check over the C source; it looked good: pushing large amounts of data into the USER variable of the FTP daemon, a typical buffer overflow.

So, I compiled it, and ran it as per the "usage" instructions in the header, and lo and behold, I get rm: responses of not being able to delete certain things in my directory. Interesting.

I go open the code, and poof, it's gone, as is everything in that directory that wasn't owned by root.

The malicious bit of code was in the shellcode of the buffer overflow. As I sit now, I regret not taking that assembly language class, but that is neither here nor there.

My question to you all is, is this ethical? Should this be allowed? Would this tarnish the reputation of a once, supposedly, respectable security specialist? Should this be thought of as a "lesson to script kiddies" (which I am not)? Or thought of as a violation of the "full disclosure" and open source idea? The idea of being able to share information without fear for the advancement of knowledge, isn't that why we're all here?

MrLinus
September 20th, 2001, 06:01 PM
Ok. That's just asinine. What kind of security expert has you delete your own home directory?? What if you were doing this on a home system logged in as root? Now, you shouldn't be, but some people do out of habit. Some systems have / as the home directory of root while others have a home directory of /root. If it's the first option, then the whole system gets erased.

Very bad IMHO.


Goofiness if you ask me. I wouldn't trust her judgement and based on reviews I've seen on her books, I'd take a lot of what she says with a huge grain of salt.

No one is perfect mind you but one doesn't have people remove their directories without adding lines (remark lines) as to the purpose of this removal.

tearsofnight
September 21st, 2001, 01:26 AM
Was the asm code specifically designed to take out your home directory, or was it aimed at removing the entire HD? If it was aimed at the HD and you ran it as a non-root user, then only your home directory would have been deleted, but if you ran it as root and it only killed your home directory, then it's slightly less harmless. I'm just curious as to how much damage she wanted to cause....

PhirePhreak
September 21st, 2001, 02:38 AM
I read many of the hh's gtmhh, and I had, for a while, come to respect Meinel. Not any more. I received the same e-mail, but I never got around to compiling the code. I'm glad that I had too many other things to do. I no longer have any respect for Meinel. The whole thing would be somewhat okay if she had put a disclaimer in there or something. I hope the damage to your computer wasn't too bad.

jparker[]
September 21st, 2001, 07:29 AM
After it had happened, I inspected the code closer. It was intentional that it did what it did. There was misleading information, and outright lies. She knew what it was. There was no excuse or reason.

PhirePhreak
September 21st, 2001, 07:54 AM
But why would she give up her reputation as a newbie's friend to do that? It doesn't quite click together in my head...

MrLinus
September 21st, 2001, 06:50 PM
If she is a "newbie" friend, the only possible logical reasoning is that she didn't write the code herself, didn't look at it and just passed it on.

Jparker, however, did make one mistake that we all do: made an assumption and didn't look at the code. No matter who you get code or tools from, examine them first before utilizing them.
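A static pre-screen of the kind MrLinus is recommending, added here as an example (it is not code from the thread or from any of the posters): it decodes the string literals of a C proof-of-concept the way the compiler would and flags printable command fragments sitting among the shellcode bytes. The sample sources, the placeholder byte values and the SUSPICIOUS list are constructed for illustration.

```python
import re

# One C string literal, and a run of adjacent literals: the compiler concatenates
# "abc" "def" across whitespace, so a hidden command may be split over two lines.
_LITERAL = re.compile(r'"((?:[^"\\\n]|\\.)*)"')
_LITERAL_RUN = re.compile(r'(?:"(?:[^"\\\n]|\\.)*"\s*)+')
_ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{1,2}|[0-7]{1,3}|.)', re.DOTALL)  # \xHH, octal, \n ...
_SIMPLE = {'n': b'\n', 't': b'\t', 'r': b'\r', '\\': b'\\', '"': b'"', "'": b"'"}
# Command fragments no overflow PoC needs as plain bytes; a hit means read the asm by hand.
SUSPICIOUS = (b'rm -rf', b'rm -r ', b'/bin/rm', b'mkfs', b'dd if=', b'>/dev/')

def decode_c_literal(body: str) -> bytes:
    """Produce the bytes the compiler would emit for the inside of one literal."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(body):
        out += body[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc[0] == 'x':
            out.append(int(esc[1:], 16))
        elif esc[0] in '01234567':
            out.append(int(esc, 8) & 0xFF)
        else:
            out += _SIMPLE.get(esc, esc.encode('latin-1'))
        pos = m.end()
    return bytes(out + body[pos:].encode('latin-1'))

def literal_runs(source: str) -> list:
    """Decode every run of adjacent string literals found in a C source file."""
    return [b''.join(decode_c_literal(m.group(1)) for m in _LITERAL.finditer(run.group(0)))
            for run in _LITERAL_RUN.finditer(source)]

def screen(source: str) -> list:
    """Return the printable strings inside literals that look like destructive commands."""
    hits = []
    for blob in literal_runs(source):
        for s in re.findall(rb'[\x20-\x7e]{4,}', blob):  # strings(1)-style extraction
            if any(n in s for n in SUSPICIOUS):
                hits.append(s.decode('ascii'))
    return hits

# Constructed samples, not the PoC from the thread: placeholder bytes (NOPs and an
# int3, not a working payload) followed by a command split across two literals.
SAMPLE_SOURCE = r'''
char shellcode[] =
    "\x90\x90\x90\x90\xcc"
    "/bin/sh\x00-c\x00rm -r"
    "f ~/*\x00";
'''
CLEAN_SOURCE = r'''char shellcode[] = "\x90\x90\x90\x90\xcc/bin/sh\x00";'''
```

This only catches a command stored as plain bytes; a payload that builds the command at run time passes the screen, which is why running untrusted PoCs on a sacrificial machine still matters.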

jparker[]
September 22nd, 2001, 03:36 AM
Ya.. I suck. :-/ I just glanced over it and it looked workable. Oh well, we've all learned a lesson.. Not to mention, there was an article written about it!

http://www.newsbytes.com/news/01/170392.html

Carolyn seems to be telling people that SHE was "hacked" and that her webserver AND e-mail server were violated.. Right..

hogfly
September 22nd, 2001, 06:20 AM
Carolyn Meinel...working with a computer forensics expert to find out who the perpetrators were.

That's like when OJ said he was hunting down the "real" killers.

If she is l33t enough to write a damn book.....she should be able to find out who broke into her box. lame ass wench.


alas...she beat me to it...although I wouldn't have rm ~/* 'd you parker :D

AngelofVengence
September 29th, 2001, 06:35 AM
Trust no one
Trust no one
Trust no one
Jesus, you people are trusting. Be paranoid. I don't compile or run anything I get in an e-mail; I don't care if god sent me an email saying run this attachment and you'll go to heaven. It's hard to surprise someone who thinks they're out to get him.

MrLinus
September 29th, 2001, 06:45 PM
Yes, but being beyond-belief paranoid and "conspiracy theory" oriented isn't healthy either. Being extremely paranoid results in assumptions about things that aren't there, so that something that is normal traffic is perceived as an attack (aka false positive).


Perhaps it's better to say be vigilant, and if you are going to test scripts, do it on non-important machines, ones that are ok to sacrifice.

Some vigilance is required, but there has to be an element of trust. I know that our current climate and the effects of Sept 11th have changed that, but in order for society to exist we need some element of trust.

You log on here. You trust them not to give out your personal information. You trust that they won't connect back to your computer and do malicious things. How do we know they don't? Officially, I can say I don't, but I trust the owner, JP, because of the reputation he has earned. I trust JP that if he sends me a file to open it because it comes from a trusted source.

Jparker made the mistake of trusting someone who comes off as an "authority" and as "trustworthy". He also made the mistake of not checking beforehand and of using the code on a machine that had some importance to him. He needs to be more vigilant about the code.

Be vigilant when using code and tools. Be aware but not paranoid.

darqw1nd
September 29th, 2001, 08:12 PM
If you guys would have read the security announcements on AntiOnline's homepage, this discussion would not be taking place, because it was not her fault: she was hacked and this was distributed by the hacker. I am not sticking up for her, but no one is perfect. And why are you testing exploit code somewhere besides a "forensics machine", as I like to call it?
peace

AngelofVengence
September 29th, 2001, 09:01 PM
Trust is a luxury on the internet. Sure, a paranoid person may have tons of false alarms, but at least we are never caught off guard.

Terr
September 29th, 2001, 09:18 PM
Originally posted by darqw1nd
If you guys would have read the security announcements on AntiOnline's homepage this discussion would not be taking place


Darkwind, this thread started three days before the news came out on the page.

This thread started:
09-20-2001 08:35 AM

'Happy Hacker' Drops a Bomb on Security Experts:
09-23-2001 08:59 PM