
GhostShell hacker leaks 39M accounts in security “protest” - Harry101
http://www.zdnet.com/article/hacker-posts-39-million-accounts-online-in-security-protest/
======
kjaftaedi
The most interesting thing to me was the evidence posted that other hackers
had already penetrated these systems, which I guess goes without saying when
you have little to no security in place.

Many many years ago when I was younger and playing with buffer overflows and
learning shellcode, I'm not saying that I'm proud of this either, but in my
journeys I had breached a couple of online retailers, had full access to their
databases and internal networks.. of course I alerted them via anonymous
e-mails, but what always struck me was the amount of times that I encountered
files from 'hackers' just saying that they were here or what have you. Many of
them just placing files because they couldn't traverse the NAT, and others
who had uploaded ftp scripts but had typos in them so the scripts didn't get
deleted like they had planned. Evidence of crimes and theft lying all over
the internal network for months or years, and nobody finding it.

At some point it's hard not to side with people like ghostshell, because when
you're supposed to be responsible for important information, but have
seemingly no interest in protecting it, at some point the system is bound to
fall apart.

I'm reminded of something I read posted by l0pht, way back when, and they just
said how much better they were than everyone else because they had jobs at
Burger King and were dedicated to spending all of their time penetrating
networks while their opponents were a bunch of overpaid nobodies who hated
their jobs and overall really didn't care, and that they would always win.

I think that still holds true today.

~~~
jlg23
> The most interesting thing to me was the evidence posted that other hackers
> had already penetrated these systems

Some 20 years ago it was common knowledge among hackers that the reason
critical IT-infrastructure has not been used to do real harm was that "good"
hackers locked destructive hackers out of systems they had pwned.

To me the most interesting thing is that information security is still not on
the curriculum for devs. There is no fscking reason a power plant or cement
plant needs a bidirectional connection to company headquarters except for
saving a few bucks on skilled on-site personnel. And don't get me started on
cloud-based IoT-idiocy.....

~~~
vonklaus
> Some 20 years ago it was common knowledge among hackers that the reason
> critical IT-infrastructure has not been used to do real harm was that "good"
> hackers locked destructive hackers out of systems they had pwned.

Can you elaborate? This is fascinating.

~~~
fapjacks
I was around during this time and can vouch for it. Back in the 90s there was
really nothing like a computer security industry. Firewalls were things you
heard about but almost never saw in practice. Systems were hooked up in ways
which today would be considered gross negligence. University networks and
Telenet were full of easily-accessible machines and networking equipment. One
of the first times I got caught doing bad shit was on a SysV Unix system of
the newspaper in the next town over. I had met another user on that system who
was one of these vigilantes. He actually had caught me trying to root the box
and deactivated my dialup login so that when I logged in, it spat out the motd
and immediately disconnected. The message said to call a number for "support".
I called the long distance number, and got questions and a lecture about my
bad behavior. You know, being thirteen years old, I didn't think things
through. I was just scared for my life that the cops were going to show up to
my dad's house (they did later, for something different, but I digress). He
was totally open about not working for the newspaper, and not being the
regular sysop. He said he was another user trying to keep me from getting in
real trouble.

There is a "telenet simulator" on the internet[0] that you should check out.
This will give you some idea what it was like to use Sprint's Telenet system,
which was a worldwide dialup network serving all kinds of juicy customers like
banks, airlines, all kinds of businesses. This system had been devised and
deployed long before the world wide web. Telenet had local dialups in most
American cities[1]. Lots of those systems were using crap passwords, or
defaults. You could use systems to dial other systems that weren't hooked into
Telenet. It was tremendous fun exploring that network[2]. It was a hell of a
lot of fun. Truly an exceptional time that I really have nostalgia for.

[0] [http://telehack.com/](http://telehack.com/)

[1] [http://textfiles.com/hacking/telnumbe.txt](http://textfiles.com/hacking/telnumbe.txt)

[2] [http://textfiles.com/hacking/telenet2.txt](http://textfiles.com/hacking/telenet2.txt)

~~~
vonklaus
Wow, this is super interesting. I have actually used telnet and the telnet
simulator. I think there used to be an old BBS or game online that was before
my time that was still hooked up and one where you could telnet in and play
the Oregon Trail.

Thanks for the info.

~~~
jlgaddis
Telenet, not telnet. There is a _HUGE_ difference.

------
pmorici
Wouldn't a better "protest" have been to delete all the databases? That would
harm the people responsible for the problem in the first place.

~~~
suprjami
You've obviously never heard of backups.

------
aw3c2
Direct link
[http://pastebin.com/raw/aNmdgGg4](http://pastebin.com/raw/aNmdgGg4)

------
jlg23
What happened to hacker ethics? Screw over 39 million people to protest the
sorry state of the security of a service they have been using?

Back in the good old days one would have secured the systems instead of
harming the victims again.

GhostShell, please stay away from IoT or connected medical devices, I'm afraid
you'll kill people just to make a point every security professional already
understands.

~~~
vonklaus
I agree with joof. I consider this grey tipping towards white rather than
black hat. S/he basically just automated default credentials or autologin
attempts, the door was already wide open and there were already numerous
pieces of evidence s/he wasn't the only person to know that. If you see a door
wide open a curious hacker will look.

------
ryanlol
Here's another classic team GhostShell zine

[http://pastebin.com/raw/tEX6yGX6](http://pastebin.com/raw/tEX6yGX6)

------
update
> The size of the downloadable cache alone puts it at one of the largest
> breaches this year -- but it could have been far larger, given time and
> resources.

> "The worst part is that this is barely a fraction of what I could get my
> hands on," the hacker said.

So why didn't GhostShell release everything he could get his hands on?

~~~
0x4a42
Because he didn't bother. His POC is more than enough.

------
agumonkey
Reading the title I had visions of digital vaccines.

------
williamstein
MongoDB

~~~
amjo324
"NoSQL, or rather NoAuthentication, has been a huge gift to the hacker
community. Just when I was worried that they'd finally patched all of the
authentication bypass bugs in MySQL, new databases came into style that lack
authentication by design"

[https://ghostbin.com/paste/6kho7](https://ghostbin.com/paste/6kho7)

