|=-------------------------=[ Judgment Day ]=-------------------------=|
 |=------------------------------------------------------------------=|
|=----------------------=[ Free Hackers Manifest ]=-------------------=|
 

 Free Hackers versus "Ethical-Corporate-Hackers"

In keeping with the spirit of the manifest, the authors will remain forever anonymous.
The manifest is offered to the community under the Free Documentation License (FDL)
[http://www.gnu.org/copyleft/fdl.html].

--[ Contents

 0 - Facts

 1 - Accused, to whom the crime profits

   1.1 - Software Vendors
   1.2 - Security Service Firms
   1.3 - Fallacious "hackers"

 2 - Defendants, the rights at stake

   2.1 - User Land, hear my cry
   2.2 - Hacker Space, free as in freedom

 3 - Indictment

 4 - Verdict

 5 - Reference
 

--[0 - Facts

Some will share, others will keep gems to themselves.
We are judge to none.
Today some wish to force the ones that share not to, for it depreciates the value of greed.
We will defend freedom, and fight to preserve the open space, that air we breathe.

-What happened?-

Once upon a time many of those "Chief Technologists/Hacking Officers" of the
flourishing security industry were just a bunch of young pranksters eager for
technology.

And the pranksters gathered into groups, each lurking on one particular corner
of computing: hacking. Many good things arose from those groups, sweets for the
brain.

And the groups earned respect, for their findings came atop a pyramid of
knowledge that everyone helped build. Recognition by peers, ultimately being
called a "hacker", was the highest reward.

And the kids went to school to get an MBA, get a car, get a job, get money, and
tried to make an aggressive buy-up of that pyramid, to trade it for a buck. In
the same period the rise of communications and the growth of the Internet made
corporations begin to fear those strange pizza-and-cola eaters: the corporate
knowledge they called "trade secrets", they did not want to trade with hackers,
at all.

Secret services have a saying: "kiss the hand you couldn't cut", and so
corporations cunningly stuffed the pizzas with money, and some "old school, full
disclosure, non-profit hackers" turned into security firms belly-dancing with
software vendors.

-Then-

Some started regulating their publishing of knowledge with "disclosure
policies" [1][2]. Not yet "Non-Disclosure Agreements", but a step forward into
that semantics. And they called it "ethics" ... toward whom?

-The unthinkable happened-

In a more radical move a bunch tried to, how funny, hack the IETF and push for a
generic disclosure policy [3]. Can you see that, how strange, Microsoft employee
in the "Acknowledgements" section of the document? All bullets for the
underground, all benefits for the corporate. No commitments to the people.
Thankfully the IETF reacted strongly; the draft is no more, for now [4].

-A putsch from above-

Helped in that by what once was the "elite", a pretended general agreement
emerged to restrict hacking publications without "ethical" peer review [5].
They want to moderate your mind, the newsgroups, the mailing lists, all the main
vectors of public information, not according to the strength of the content but
according to compliance with disclosure policies. Legislation is on its way too.
Can you say lobbying? Can you see the ten villains?

This will not go through.

--[1 - Accused, to whom the crime profits
 

   --[1.1 - Software Vendors

Side note: in trying to sell you hype, some use confusion of terms. Very simple
psychology: sell shit and call it a rose, or say the rose is made of shit. It's
amazing how many people call free software programmers "Software Vendors".
Don't get confused: one of them is not asking for money.

Here's a trade secret: out of 100 found software vulnerabilities almost 100
will initially come from end users experiencing a bug and passing the
information around (also count disgruntled ex-employees passing code around).

There was a time when information couldn't flow, and as an end user you would
have to pay to get a patch. Software Vendors are really longing for that time.

How does "software insurance" smell to you?

-So they want hackers to adopt "disclosure policies"-

The most candid argument is that warning the vendor will help get the patch out
before the vulnerability hurts. Everyday experience proves this to be nonsense,
because systems are actively exploited LONG before any kind of announcement
[6], and because vendors can sit for months on an unpublished bug [7].

The reasons why vendors are pushing for "d.p." are ... well, more down to earth:

Without vulnerability announcements, products look more secure: it helps the
sales.

Working hand in hand with "ethical hackers" increases the credibility of the
vendor: it helps the sales.

Forcing vulnerability authors to help vendors [3] allows them to benefit from a
free task force: it helps to cut down the costs.

Asking for a delay between discovery and disclosure lets vendors have a happy
face in front of the press. Good press helps the sales.

Lastly, knowing who authors the advisories helps vendors with more spin
control.
 

   --[1.2 - Security Service Firms

You can get software for intrusion detection, penetration tests, firewalling
(etc.) for free [8].

You can read from the Internet all the necessary documents on security, and
become an expert yourself.

Security Service Firms sell consultancy services and security software. Where
does the competitive advantage lie? Mainly in the difference in expertise
between you and them. Would it help those firms' sales to restrict public access
to "valuable" pieces of information?

It helps their sales to have access to early releases of security issues before
you do.

It helps to cut down their costs to have the free community research those bugs
for them.

So they want the community to submit all findings to a central intelligence
that would sell early releases of information to security firms, who in turn
sell you pattern updates for their tools and try to discredit free projects [9].
Already, there are reports of big gaps between the sending of some advisory to
a well known security mailing list and the time it finally gets published.

To discourage you from publishing information or from trying to access it,
those firms will work with governments to rule it illegal, saying it is
military grade secrets [10]. This also fits a political agenda to protect the
interests of "big business", and to further control any free speech that could
modify the current balance of power.

To force you into buying consultancy, you will soon see those firms working hand
in hand with insurance companies that require an "independent and professional
peer review" of your entire computing infrastructure. As we know, audit firms'
reports are the most qualified and trustworthy items one could find.

Then, what if running a piece of software would require it to be "tested and
approved", as well as the hardware [11]?
 

   --[1.3 - Fallacious "hackers"

Granted, social engineering is part of hacking; still, you would be surprised
how many renowned "Ethical Hackers" have such poor coding skills.

The truth is they take credit for code that anonymous people write, or better
still, they tell how they managed to exploit a bug but won't publish for
"ethical" reasons. The truth is that ruling it illegal to release exploits fits
them perfectly, so they can still have you think they are "hackers" when they
can't tell the difference between shellcode and some ASCII art.

On a larger scale it's the very understanding of what a "hacker" is that gets
compromised. Until recently you would be called a "hacker" by peer review of
your work, rewarded by the recognition of an intellectual elite. If [3]
prevails, a "hacker" would not be a skilled individual but someone respectful
of the "ethical" rules, accredited by security firms.
 

--[2 - Defendants, the rights at stake

   --[2.1 - User Land, hear my cry

Users' rights are mostly unheard of in the security world.

Everyone must have a rightful access to information to protect themselves
against vulnerabilities and patch their systems in time.

Curiously, security firms break their own disclosure policies when the affected
software is free software [12] [13]. What does that two-faced attitude mean?
Early release in the case of free software (even before a patch is available),
moderated information when money is involved.

Without a warning, users are lulled into a false sense of security.

When someone finds a bug, the only certainty is that the bug has existed for as
long as the software has been released. As security firms recognize [14],
underground exploits exist before any user hears publicly about the bug.
Keeping a vulnerability private is just an open door to crackers.

Ironically, crackers can even be taught new tricks by the "Ethical Hackers",
granted they spend a few thousand bucks for the exclusives [15].
 

   --[2.2 - Hacker Space, free as in freedom

Hacking is a kind of science, and as such should be discussed on its logical
basis by anyone that wishes to participate, whether anonymously or not.
Discovering a vulnerability should not imply obligations of any kind for the
discoverer, except publishing it, as a commitment towards the scientific
community.

Hackers need anonymity for their own personal security. We've seen too many
people in trouble with secret services and justice for publishing scientific
facts; see the DeCSS case [16] or the Russian e-book hacker [17].

Also, some disclosure policies make it compulsory for the bug discoverer to
help vendors in reproducing and/or solving the bug. This is just not
acceptable: discovering a vulnerability should follow the military rule: fire
and forget. It's not a hacker's job to solve the issue; he's not responsible
for the existence of the bug in the first place.
 

--[3 - Indictment

Free hacking is in danger, not directly by an opposing force, not in a struggle
for power, but by ex-hackers that have turned their faces from scientific
curiosity to greed. The very ones that took part in building the foundations
of our common knowledge want to steal our dreams and wrap them in shiny paper.

The many ways in which they try to enforce control upon free hackers may be
found throughout their "disclosure policies", which include:

- The infamous "30 days delay" between informing a software vendor of a bug and
the public at large -

This is ridiculous, and it should instead be a mere "30 days delay" after the
initial release of the software before anything gets published simultaneously
to all possible audiences, because any bug could have been discovered and
exploited at any time since then.

- Removal of exploit codes -

Users need to check whether their systems are vulnerable: software names and
version numbers as included in the announcement are not enough; a check is
mandatory since software programmers often re-use the same code between
various pieces of software [18]. Hence, between the bug announcement and the
proof of concept code release one could allow for a delay of no more than a
week.

- Multi-level moderation -

The usual media used for hacking discussion should never be moderated nor
censored for anything other than accuracy. Should the information flow come to
a stop, be prepared to open wide your wallet, because those would be the times
of the mediocre tyranny.

Should some try to enforce their "disclosure" rules upon all, a new hacker
network has to arise, totally free. For this purpose we prepare, and invite
free hackers to join in the manifest below.
 

--[4 - Verdict
 

                           --- Free Hackers Manifest ---

(1) Licensing

This Manifest is published under the Free Documentation License (FDL)
(http://www.gnu.org/copyleft/fdl.html); any publication made explicitly in
respect of the terms hereby will also follow the FDL.

(2) Freedom

The author of a published document has the right to remain anonymous and to
protect himself from further prosecution or pressure of any kind. His
communication should be regarded as a scientific work and treated as such.

(3) Respect of others

The minimum amount of time before a software bug is published cannot exceed 30
days after the initial software release, in respect of the protection of users
whose systems are already exposed. Past the 30 days delay from the initial
software release, a security bug must be published as soon as possible.

A delay between the bug announcement and the proof of concept code (if
available at the time) must not exceed 1 week, so that users can test the
vulnerability of their systems.

Although announcements will be made by all means possible, Free Hackers'
freedom must be ensured at all times, and as such some mediums of information
might just not be suitable (such as taking contact with vendors directly).

The Free Hackers recognize that their scientific work was made possible thanks
to the contribution of many others and will pursue the construction of that
common knowledge for free. The Free Hackers will not participate in actions
that go against the spirit of this Manifest (such as holding back restricted
details of public announcements for private firms).

(4) Dormant network

A dormant network of Free Hackers is to be built; for this purpose everyone
that agrees with the spirit of the manifest is encouraged to add his e-mail,
ROT-13 encoded (to foil spammers), below with the ones already there, and to
show the document on his/her web site at the URL
"<web-site>/Free-Hackers-Manifest.html".

Anonymous Free Hackers that wish to support the Manifest are encouraged to do so
by having their e-mails added by a fellow Free Hacker on his/her web site.

Whenever it is made clear that traditional means of public information are
compromised to the point that the above rules are systematically broken (like
enforcing any kind of disclosure policies, delaying transmission of information
or retaining technical details), the below list of e-mails will be used to
activate a Free Hacker Network as such:

 (a) Using a web search engine, one will look for every instance of
     "Free-Hackers-Manifest.html" where he could easily extract a list
     of Free Hackers' e-mails. The web search engine could help in
     determining the most pertinent lists as being the most linked to,
     for instance.

 (b) The group will work on releasing a client tool for a peer-to-peer
     network such as the freenet project (http://www.freenet.org); the
     release name for the tool will be
     "Free-Hackers-Manifest-<YYYY/MM/DD>.tgz". The tool will be made
     available by a link on the Manifest web page.

     That network will allow for anonymous posting from web based mail
     clients and user base moderation on source e-mails (per original
     posts and threads).

     It must not be possible for any individual to alter the content
     of any message nor block its diffusion to others.

     Spammers will be blocked on the client side, much like one does
     with anti-spam code on his mail client; as well, restrictions
     could be set on the number of messages one individual is allowed
     to post per day.

 (c) If a group name is required on that network, it will be
     "Free-Hackers-Manifest".

(5) ROT-13 e-mail list

cyb3RtR0n@s0urce.org;
cru54d3r5@yahoo.com;
qwertyqwerty_15@lycos.com;

                           -----------------------------
 
 

--[5 - Reference
 

[1] Full Disclosure Policy (RFPolicy) v2.0
      http://www.wiretrip.net/rfp/policy.html
 

[2] Extract from "RFPolicy for vulnerability disclosure",
      http://archives.neohapsis.com/archives/vuln-dev/2000-q2/0908.html

    > My intent is not to push this policy  onto  the  community.  Everyone can
    > obviously do  whatever  they  feel  like.  But  *I*  will  be  using this
    > disclosure policy in all future  security  disclosures,  and  I  encourage
    > anyone  wishing to use or modify it, to do so.
 

[3] Responsible Vulnerability Disclosure Process,
      http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt
 

[4] Bug-reporting standard proposal pulled from IETF
      http://www.computerworld.com/securitytopics/security/story/0,10801,69391,00.html
 

[5] Re: Remote Compromise Vulnerability in Apache HTTP Server
     David Litchfield <david@ngssoftware.com>
     http://online.securityfocus.com/archive/1/277259/2002-06-14/2002-06-20/0
 

[6] Remember when RootShell claimed to be the victim of a hack via ssh back in
     1998; how long before the first advisories on SSH weaknesses?
     http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&th=9a1078fad663e9e&rnum=1
 

[7] Compare CVE assignment dates of
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0071 and
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0079 with
      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-018.asp
     Also notice the synchronicity of assignment dates for different research
     groups, all released under Microsoft the same day.
 

[8] http://www.nessus.org, http://www.nmap.org, http://www.openwall.com,
      http://www.snort.org, http://netfilter.samba.org, ...
 

[9] No pointer, but http://www.nessus.org was not accessible to "unfair
     companies", which used nessus to generate a lot of cash without helping
     the community in any way.
 

[10] Uniform Computer Information Transactions Act (UCITA)
        http://www.arl.org/info/frn/copy/ucitapg.html
 

[11] Digital rights management operating system
       http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=/netahtml/srchnum.htm&r=1&f=G&l=50&s1='6,330,670'.WKU.&OS=PN/6,330,670&RS=PN/6,330,670

     > A fundamental building block for client-side content security is a secure
     > operating system. If a computer can be  booted  only  into  an  operating
     > system that itself honors  content  rights,  and  allows  only  compliant
     > applications to access rights-restricted data, then data integrity within
     > the machine can be assured. This stepping-stone  to  a  secure  operating
     > system is sometimes  called  "Secure Boot."  If  secure  boot  cannot be
     > assured, then whatever rights management system the secure  OS  provides,
     > the computer can always be booted into an insecure operating system as  a
     > step to compromise it.
 

[12] ISS Advisory clarification
       Klaus,  Chris (ISSAtlanta) <CKlaus@iss.net>
       http://online.securityfocus.com/archive/1/278189/2002-06-15/2002-06-21/0
 

[13] ON THE CUTTING EDGE 2001: A Security Odyssey
        http://www.infosecuritymag.com/articles/december01/departments_news.shtml

     > Under the proposal, coalition members would have a 30-day grace period to
     > disclose  vulnerabilities  with  law  enforcement   agencies,  government
     > agencies and their trusted client. In theory,  this  will  give  software
     > vendors a head start in correcting the problem  before  anyone  knows it
     > exists.
     >
     > So far, Microsoft has drafted the support of BindView (www.bindview.com),
     > Foundstone   (www.foundstone.com),  Guardent  (www.guardent.com), @stake
     > (www.atstake.com) and Internet Security Systems (www.iss.net).
 

[14] Apache HTTP Server Exploit in Circulation
       http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20524

     > ISS X-Force has learned that  a  functional  remote  Apache  HTTP Server
     > exploit has been released. This exploit may  have  been  in  use in  the
     > underground for some time.
 

[15] http://www.blackhat.com/html/bh-usa-01/bh-usa-01-speakers.html
       https://www.worldwideregistration.com/registration/vegas-blackhat-usa.html
 

[16] DVD hacker Johansen indicted in Norway
        http://wneclaw.wnec.edu/faculty/kalodner/courses/softwarelaw/JohansenArrest.html
 

[17] Russian Author of Adobe eBook Password-Removing Software Held Without Bail,
        Faces Possible 5-Year Prison Term
        http://www.ebookweb.org/news/tech.20010716.elcomsoft.roush.htm
 

[18] See the numerous vulnerabilities announced after the initial snmp bug, apache, or bind.
 

This document is PGP-signed below. Don't trust any claim of authorship unless
that individual can produce the necessary PGP keys.

iD8DBQE9LX2siFdkMnNRCv0RAnAKAKCmAo2B/dnUdpahsaPudQsLIiQJKACfQeXV
joLXFpUVRZZQGHCl0VrTyEE=
=OPrO

sOurce.org Security Team