Yahoo Hacked (googleusercontent.com)
722 points by doctorshady on Oct 6, 2014 | 236 comments

Howdy, Hacker News. I’m the CISO of Yahoo and I wanted to clear up some misconceptions.

Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.

Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.

Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.

As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!

I also want to address another issue: Yahoo takes external security reports seriously and we strive to respond immediately to credible tips. We monitor our Bug Bounty (bugbounty.yahoo.com) and security aliases (security@yahoo.com) 24x7, and our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation. We run one of the most successful Bug Bounty programs in the world and I hope everybody here will participate and help us keep our users safe.

We’re always looking for people who want to keep nearly a billion users safe at scale. paranoids-hiring@yahoo-inc.com

>> Yahoo takes external security reports seriously

A few weeks ago, I reported to your team that some of the Yahoo servers' SSL certs were expired; it was acknowledged but no one wanted to fix it (until I posted it here and finally got them updated... your site was showing security warnings to your users for 2 weeks)

One of your awesome engineers replied to the issue with the expired SSL cert: "there do not appear to be any security implications as a direct result of this behavior"

I appreciate you reporting expired certs, which unfortunately happen from time to time. That canned reply is not appropriate and not a reflection of how we approach TLS and I will get it changed.

> which unfortunately happen from time to time

How on earth do you manage that? Surely you have a process for monitoring and maintaining them?

Any real third party certification authority will let you generate emails to an address of your choice 90, 30, 14, and 3 days before your cert expires (or some similar schedule)

Why wouldn't Yahoo set this up to email the group responsible or a ticketing email?

Or you know, create a reminder in Yahoo! Calendar...

People use that??

Does your "successful" bug bounty program still only pay $12.50 in store credit per bug? That could explain the lack of interest in contacting you about any bug at all.

I was curious. So I went to the link secalex posted. Bounties start at $50; max is $15k.

Admob.com also had an expired ssl cert for a few days recently.

People make mistakes, we all understand. (Actually quite surprising that Yahoo does not have a mechanism to scan/monitor for expired SSL certs.)

This is not the real issue here; the thing is their engineers think an expired SSL cert is okay and no action is being taken. I told them you are now training your users to `feel` comfortable with browser warnings when they edit their Yahoo profile, and putting your users at risk in future phishing attacks. I asked them why you are not using a self-signed cert if you think an expired SSL cert is okay (of course they didn't reply).

Until I raised this in another Hacker News thread on their product's announcement; maybe this time it really made them feel embarrassed, and finally they fixed it within a day.

The real problem here is actually not the expired SSL cert, it is their mindset - you should treat every little report seriously and it is your responsibility, because you are running one of the world's largest web sites.

if that's true then... wow and hopefully there's a new engineering position opening up at Yahoo right now

Patched twice? There are 7 known shellshock exploits (and 30 patches) so far.. https://shellshocker.net/

Not knocking on you or anything, just more interested to know if all exploits have been patched against, more than the # of patches applied.

Before Yahoo poached him to be their CISO, Alex was one of the principals behind iSEC Partners, our former arch-competitor and now sister company. He knows what he's talking about. If he says they're on top of shellshock, my money would be on him being right.

His team also recently poached Chris Rohlf, from his own company no less!, and Chris is probably one of the best vulnerability researchers working.

(I have no affiliation whatsoever with Yahoo and while I like Alex fine, we're not close friends. I'm pretty biased about Chris, though.)

This is more "vote of confidence" than your comment asked for; I'm just heading off a potentially unproductive thread at the pass. :)

This all sounds good - especially given your reputation for infosec.

However, genuine question - how does a layman (like myself) rate infosec specialists? Imagine for a second I'm a senior exec at Target and IBN (IBM's fake arch-competitor) comes to me and says "no worries about security, we use 256-bit encryption, bank grade security, etc etc". Do I believe him?

I feel like infosec is a "I don't know what I don't know" industry and the consequences could be potentially dire.

You essentially can't evaluate that in isolation (looking at their past interactions with the infosec community may help).

It gets better: you can't even depend on the large players generally getting it right. If a large organization makes a bad decision with their first infosec hire, it's not a self-correcting problem - the next hires will be cut from the same cloth, and unless something blows up, almost nobody will know.

If I knew, I'd be a lot wealthier. :|

How much are e.g. SANS certifications worth? I subscribe to their vulnerability emails but they push the certification programs so hard it smells a little like University of Phoenix.

I can't comment on SANS in particular, but certifications in general tend to be worthless. Receiving a certification tends to be more a matter of persistence than competence. Worse, because the higher quality applicants generally recognize the futility in it, many of them don't participate, which means you can't even assume that someone without the certificate is unqualified.

As far as I can tell the best information provided by a certificate is that you should avoid applicants who brag about them (and for applicants, avoid employers who list them as job qualifications).

I'm not a fan of any security certification.

You make hiring decisions off of a home-grown security "course", right? You've found that valuable -- would others?

That's not an accurate summary of how we hire. We don't make decisions based on the crypto challenges or Microcorruption; we use them to find people to talk to. We have a whole process that actively evaluates candidates.

In some organizations, infosec is just for show. They do it because compliance forces them to do so. In those organizations, the senior execs don't care. They only want to keep the cost down and to comply with audits. They hire managers who do that and mostly rely on legal contracts and agreements to enforce security. When they get hacked, they will pull out the report (or whatever) that states that they are XYZ compliant.

While I don't doubt that infosec is just for show in some places, you can't just say that when they get hacked, they'll just say "We're XYZ compliant" and do nothing else.

The whole point of those audits is to show that, while every company of any importance will eventually have some sort of breach/break-in/hack, the company takes all reasonable steps to prevent it and mitigate the possible effects of such an event.

Infosec isn't a fool-proof thing. There's no way to prevent everything, and all you can do is keep on top of things and take steps to ensure you're doing everything you can to protect your systems.

You WILL get hacked eventually.

Twice means once for the initial bug on Wednesday, the second time with one of the "nuke the attack surface from orbit, it's the only way to be sure" patches that became available that Thursday.

This is no guarantee, of course, which is why the pen-test team that Chris Rohlf runs has to stay abreast of and continuously test the latest available exploits as well as the attempts that we see in our logs.

If you followed some common-sense advice [1], you only needed two patches: the original one as a stop-gap measure for the original RCE on September 24, and Florian's prefix-adding patch that came out shortly thereafter (but has taken some time to appear upstream).

Now, I'm a bit stumped how any obvious variant of the CVE-2014-6271 or CVE-2014-6278 RCE payloads could lead to accidental code execution somewhere else, since they generally produce a parser-breaking syntax error when executed outside an env-encoded function definition. Also, because of an unusual fixed-string prefix required to carry out the attack, there is not a lot you can really do to avoid any half-baked IDS/IPS. Anyway, for the sake of my idle curiosity, I secretly hope that Alex shares the buggy line of code, even though that's unlikely =)

[1] http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficia...
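As an added example, not code from Yahoo, lcamtuf or anyone in the thread: a hypothetical log-debugging helper of the kind Alex's post describes, beside a hardened version, run over constructed log lines. It shows lcamtuf's point that the bare `() { :; };` form is a shell syntax error when it lands in a command line, while string interpolation into a shell stays injectable by any field that fits the shell's grammar; the helper names, log lines and injection strings are all assumptions, and none of them is the incident's payload.

```python
"""Added example (not Yahoo's script and not lcamtuf's code).

A hypothetical log-debugging helper that builds a shell command from a
request field, beside a version that never touches a shell. Running both
over constructed log lines shows two things from the thread: the bare
Shellshock function-definition form is a shell syntax error when it lands
in a command line (so it cannot by itself fire a command injection), while
the interpolating helper is still injectable by any field that happens to
fit its syntax. No line here is the incident's payload."""
import os
import re
import subprocess
import tempfile

# Constructed Apache combined-format lines. The last quoted field is the
# User-Agent. Line 2 carries the function-definition form quoted in the
# thread; line 3 carries a constructed metacharacter injection that is NOT
# the incident's mutation, just one that parses as a shell command list.
SAMPLE_LOG = (
    '10.0.0.5 - - [04/Oct/2014:12:00:01 +0000] "GET /api/game/1 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"\n'
    '10.0.0.9 - - [04/Oct/2014:12:00:02 +0000] "GET /api/game/1 HTTP/1.1" '
    '200 512 "-" "() { :; }; echo INJECTED"\n'
    '10.0.0.7 - - [04/Oct/2014:12:00:03 +0000] "GET /api/game/1 HTTP/1.1" '
    '200 512 "-" "x; echo INJECTED; echo x"\n'
)

UA_RE = re.compile(r'"([^"]*)"\s*$')  # last double-quoted field of a line


def user_agents(log_text):
    """Return the User-Agent field of every line (hypothetical helper)."""
    found = []
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        found.append(m.group(1) if m else "")
    return found


def count_hits_vulnerable(logfile, user_agent):
    """The bug pattern: a hurried one-liner that interpolates the field into
    a shell command. Returns (exit_status, stdout). Whatever the shell parses
    as syntax inside `user_agent` is executed rather than searched for."""
    cmd = "grep -c -F -- %s %s" % (user_agent, logfile)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.returncode, proc.stdout


def count_hits_safe(logfile, user_agent):
    """Hardened: no shell at all. The field is one argv element and is
    matched as a fixed string; `--` keeps a leading '-' from becoming an
    option. Returns the match count."""
    proc = subprocess.run(["grep", "-c", "-F", "--", user_agent, logfile],
                          capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return int(proc.stdout.strip() or 0)


def count_hits_pure(log_text, user_agent):
    """Better still for a debug script: count in the language you are
    already in, so there is nothing to inject into."""
    return sum(1 for line in log_text.splitlines() if user_agent in line)


def demo():
    """Run every User-Agent through the helpers and report, per field, the
    shell's exit status, whether the injected marker appeared, and the safe
    counts. Returns a dict keyed by User-Agent string."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as f:
        f.write(SAMPLE_LOG)
        path = f.name
    try:
        report = {}
        for ua in user_agents(SAMPLE_LOG):
            status, out = count_hits_vulnerable(path, ua)
            report[ua] = {
                "shell_status": status,          # non-zero: shell choked
                "injected": "INJECTED" in out,   # True: attacker text ran
                "safe_count": count_hits_safe(path, ua),
                "pure_count": count_hits_pure(SAMPLE_LOG, ua),
            }
        return report
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for ua, r in demo().items():
        print("%-28r status=%d injected=%s safe=%d" % (
            ua, r["shell_status"], r["injected"], r["safe_count"]))
```

The function-definition field makes the shell fail to parse the whole command (nothing runs), the plain metacharacter field makes it run the marker, and both hardened helpers simply count one matching line each.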

There aren't '30 patches' for each system. For CentOS there have been only 2 patches as far as I can tell. Whether all of the issues have been fixed in these patches, I'm not certain. I've also made sure we're using modperl instead of cgi perl.

The 30 patches are the number of total patches on that version of bash (bash's version release cycle is major.minor.patch), not the number of patches related to shellshock.

I've long had experience with: exploits working for the wrong reason, and also the reverse, failing for the wrong reason.

For example, way back in the day before ISS bought my company, somebody claimed their IDS was vulnerable to an IMAP evasion. They actually weren't, but that specific test triggered a wholly separate (and much worse) bug that made it look like it was evadable. I laughed and laughed.

It looks like the guy who originally posted this has pretty much accused you of flat out lying about this[1]. What do you have to say to his comments, particularly about the sports servers being internal?

[1] - http://www.futuresouth.us/wordpress/?p=25

Yes, the systems with the log parsing bug are part of an internal subnet. As with most web scale companies HTTPS requests are terminated on a unified edge and load-balanced to web service hosts in internal clusters. In this case the malicious header was maintained in the backend requests and ended up in the application log, which triggered the command injection. Everything I wrote above is correct and is in no way incompatible with the fact that the affected machines have RFC1918 addresses.

Thanks for that. Understandably, the presence of an RFC1918 address doesn't necessarily mean a site isn't inaccessible, but for everyone else there's no way to tell without poking around Yahoo! which, let's face it, isn't something many of us would condone.

The fact that the API hosts are internal seems to be the bulk of the argument against the validity of the claims here. However, internally accessible application servers behind public proxy/proxies is a fairly common pattern...

If you want hackers to report vulnerabilities to you via the Yahoo Bug Bounty Program, at least pay more than $50 for a minimum bounty; $50 is a joke https://hackerone.com/yahoo ...

That's the minimum bounty. It's what they'll pay for an off-brand CSRF. They'll pay up to $15,000. Wild guess: RCE doesn't get the minimum bounty.

RCE is $3000 for *.yahoo.com https://hackerone.com/reports/6674. I forgot, they want RCE on https://login.yahoo.com, and then maybe, but maybe, they will pay $15000

Thank you

That one single instance, in those circumstances, was $3k. Which (a) is much, much more than $50, and (b) is not bad for a bug that dies the instant the vendor learns about it.

I view bug bounties as more of a conscious nod towards responsible disclosure than anything else. I sincerely doubt anyone could make a competitive living off of bug bounty programs (even accounting for the legal grey area of selling vulnerabilities) so the economic incentive argument seems really silly to me.

In contrast, if you've ever tried to responsibly disclose a vulnerability and gotten a threat from the legal department in response (still common practice in a lot of companies), a bug bounty program can be a very encouraging show of good faith.

We have several participants in our program who are making a pretty decent living, especially the ones for whom a US$5000 reward is comparable to their nation's per-capita GDP. We are hoping to highlight some of these people in a future talk.

I personally think that the opening created for those without the educational or economic opportunities available to developed world researchers is the best side effects of bug bounties.

I think there are quite a few people who do make a living by participating in vulnerability reward programs (well, not at $50 level, obviously).

Now, I have not seen too many people who would be doing it consistently for many years - simply because it gets tiresome. But it's the same thing for security consulting - at most consultancies, pentesters come and go.

$50.00 is a joke, I'm sure they can do better.

Me too. I am sure, too. You know how I'm sure? Because I clicked the link the parent commenter helpfully provided alongside their gripe about Yahoo's bug bounty and read that they do, in fact, do better.

Interesting, I saw the Y debug tool on sports.yahoo.com. It said Y Confidential and had a web bug on it and something else in red. Also, it was on the yahoo.com root domain. I saw this over a few days. Did anyone else see it? I couldn't click on anything and it was in the lower right hand corner of the screen.

My opinionated answer to the statement released by Yahoo!:

I won’t sit here and say that I think they are lying. To make such an accusation would only prove me to be a fool not having ammunition in the weapon before I fire it. I will, however, say that I believe – in my opinion – that this is a wordplay and a game of semantics. First off, there are several “shellshock” exploits. The term “shellshock” as the media has portrayed it is to execute the vulnerability or vulnerabilities recently discovered in bash by means of delivering the following payload: () { :; }; <commands>

When we look at this payload, what we are actually seeing is a function definition, not the execution of or calling of that function, with regard to the following: () { :; };

The actual "arbitrary code" to be executed lies past that point, where we're no longer defining a function, but instead giving instructions to be executed on the operating system via Bash. One could inevitably argue that taking the payload, and modifying it to look like: () { whatever; }; /bin/bash -c 'id;uname -a' could, or even could not, be identified as "shellshock" in the manner in which it was portrayed by the media. However, the fact still remains that this "payload" would cause the execution of the commands proceeding the {};

When we look at the other SIX (6) payloads that essentially accomplish the same exact thing: https://shellshocker.net – we see that modification of the “payload” does not stop the blatant fact that the same underlying results are achieved via the same exact vulnerable code in the Bash shell. 

My response to Yahoo! : Please issue out the UNTAMPERED and UNMODIFIED apache logs, showing the payload delivered to your “sports API’s” - and other researchers, and potentially shareholders, determine what the underlying cause was. Furthermore, to state that this resulted in bypassing your “IDS/IDP” and “WAF filters” makes me wonder exactly what kind of IDS/IDP and WAF filtering you’re imploring. I’m willing to bet there were exact phrase match filters looking for what most sites have identified as the “Shellshock” vulnerability, I.e. “() { :; };” and preventing the scripts and/or bash from being executed once that string was identified. That could have been with something as simple as a wrapper for bash… And considering the IPS/IDS didn’t pick up on outbound IRC connections on port(s) 6660 and/or 6667, which NO internal server would have a reason to be connecting to, I can only say that your concept of IDS/IDP is seemingly inadequate in my professional opinion. So, once again, since the vulnerability has seemingly been “patched,” I urge you to release the details of the vulnerability in the script, and also explain why it is that the initial compromise appears to have been on a web-facing box with public access to it, and found amongst a botnet running a perl script that had self-spreading and searching capabilities based around the “shellshock” vulnerability? You are comparing apples and oranges, when in all actuality, you should be comparing “to-may-to” to “to-mah-toh."

> Please issue out the UNTAMPERED and UNMODIFIED apache logs

Who do you think you are? lol.

I'm a shareholder, making me an "owner" of a publicly traded company. And, who are you?

That's not how it works. You're not privy to the internal operations of Yahoo simply because you own stock. And as regards your role as a security researcher, they're not obligated to disclose logs or, indeed, provide you any detail whatsoever about their security response. They say they've contained the problem, you (presumably) can't still perform the exploit, end of story, unless you have evidence that more servers were compromised than Stamos admits.

Then raise the issue at a shareholder meeting. Owning 2 shares (or 200) won't get you access to logs.

With proper controls, even having 40% of shares won't get you log files having user information. Those roles should be separated.

While we are at it, let me go on a little tangent: I have Yahoo mail for android which I use as a dump of my emails, and I get perhaps 100 emails per day. After about 4-6 weeks, the Yahoo mail app becomes so slow that it is no longer possible to even scroll through emails (on a Nexus 5). I have to clear the Yahoo app's data cache and reconfigure it to make it fast again. Perhaps it's time to take a look at this: when you have things decaying and breaking like that, it encourages hackers to look extra hard for vulnerabilities, since it's a reasonable assumption that other things are neglected, too. I should note that Yahoo's android mail app is probably the most viable part of the whole Yahoo business now.

This writeup doesn't really get to the point so, the tl;dr

He was looking for places to exploit shellshock by googling for cgi scripts. Most of the ones he did find had already been hit by someone using a perl script that made them join an irc channel that was being used as CnC. He also joined it and monitored it. A bunch of different yahoo boxes were in the channel and he saw some of them get rooted.

I think it's important to mention the fact that he wasn't just looking for places to exploit shellshock.

He was actively exploiting it by sending himself reverse shells from the computers. He wrote code to collect and exploit the reverse shells. He wrote code to spider sites to try to find more exploitable hosts. Then he was logging and exploring the infrastructure and servers he penetrated.

His actions enabled him to cause damage if he chose, but it would be disingenuous for us to avoid examining his intent. The only evidence we have of his intent is that he warned the hosts who were vulnerable, and also warned the customers whose personal information and private emails may no longer be safe.

If he had malicious intent as you imply, then I believe he would not have disclosed anything, let alone under his real name.

He seems honest to a fault, loquacious to the point of legally endangering himself just to spread awareness of some horrible things he witnessed.

In my opinion, spinning his actions as anything other than heroic is itself an order of magnitude more malicious than what you're claiming, because it contributes to a false narrative in which the end goal is to completely destroy another human being's life when he was just trying to help.

I have mixed feelings about this. I think you're probably right that he did this with altruistic intent (or, at worst, just to satisfy his curiosity), and I hope he hasn't gotten himself into serious trouble. (Though I fear he may have.)

But I hasten to add that intent is clearly not dispositive of whether it was OK for him to infiltrate someone else's system. Certainly ordinary physical property law makes it an offense to trespass regardless of whether you are trespassing with malicious intent. Certainly it is worse to break into a house intending to steal something than to walk into someone else's house out of curiosity, but neither is legal or, in my view, morally acceptable.

So I say: good for him for making these breaches known, but he definitely should not have been in there poking around in the first place.

> Certainly ordinary physical property law makes it an offense to trespass regardless of whether you are trespassing with malicious intent.

In the case of physical property the most common remedies for trespassing are either an injunction prohibiting future trespassing on the same property or a modest fine (e.g. $100). Applying the same penalties to the equivalent behavior in the computer context would be completely reasonable, but that empirically isn't what happens, because the CFAA is defective.

I basically agree - though I hasten to add that I never said anything about what penalty a person would actually receive or whether it is appropriate. I do think that it makes sense for "computer trespass" to be punished more harshly than trespass to physical property. It takes a lot more effort to break into a server than it does to walk through someone's door (or into their yard), so I think the baseline level of culpability is higher (though bear in mind that these are generalizations). There is also a lot more risk involved in a "casual" computer trespass. But I agree with you that this doesn't get us to the maximum CFAA sentence.

This gets us into complicated territory, though. There are very few people who have ever actually been sentenced to the maximum CFAA penalty. (I'm actually aware of none.) The punishments actually imposed are often, I think, fairly reasonable.

Of course, there are plenty who have been threatened with the huge maximum by federal prosecutors, but this is no different from any other crime. Of course federal prosecutors will menace defendants with the maximum possible penalty. They want to extract a guilty plea, and it would also be dangerous for them to claim that any shorter penalty than the maximum applied, since they do not actually control sentencing. (Imagine the controversy if the U.S. Attorney told a defendant that he was only realistically looking at 6 months but the judge gave him 2 years.) It's the defense attorney's role to make sure that her client has a realistic understanding of the likely punishment, not the government's.

What's really needed is a replacement for CFAA (and, for that matter, most other criminal statutes) with more carefully graded maximum sentences, but I've never heard a realistic proposal about how such a law would work.

This isn't quite trespassing, though: this is breaking and entering (without malicious intent). This is someone noting that your door lock is easily pickable and then going on a quest to see just how far they can get, maybe finding a key to the car in the garage and then going into their glove compartment. The equivalent situation with physical property is clearly "criminal".

The Law should have a case for the need to ignore some rights in order to protect other rights, given that any damage will be compensated. E.g. break a window to get someone out of a car crash. Seeing that he didn't do any damage, it should be fine. I know that's the case in German civic law. Intent is regularly a deciding factor in measure of punishment. This may as well go without a warning.

If you walk by a house seeing someone crack a window and crawl in, do you think it's morally acceptable to trespass on the property to ascertain whether this is a burglary in progress or someone who forgot their key? (This case seems somewhere between my and your example.)

Stop the allegories already. This is unlawful computer access, not burglary. There is nothing to be gained from comparing with unrelated crimes, neither moral understanding nor any understanding of judicial consequences.

Perhaps, but this case is more like walking by a house, seeing a cracked window, and crawling in yourself to take a look around and see if anyone else might have done the same.

It's been stated here several times before. The reward for pointing out lapses in security like the aforementioned are generally awarded in the form of hostility. He'll probably get a big reward for this one.

That said, it was a well-written article by an obviously talented hacker, though I did find the simile about the infant with a genital wart to be unsettling.

Notwithstanding HN's very reasonable ideas about right and wrong in this case, getting an unauthorized shell on someone's server and cd'ing/ls'ing around is probably illegal in most jurisdictions.

This guy writes a lot of text but it takes him forever to get to the point.

The point was already in the article title and opening line.

The servers compromised were more like content servers though, not user data servers? Yahoo says no user data was accessed. But could the affected servers be used to more easily get at user databases from 'inside'?

Yahoo! keeps their user information mainly in a DB called 'UDB'... User Database. It is a key-value store and clients are only allowed to access permitted keys. So the encrypted user password, plain-text answers to 'secret questions' (for password resets), etc. were not accessed unless a login server was compromised.

For the user's data for each property (games, mail, etc) they have their own data stores, and those would have been compromised for sure.

> But could the affected servers be used to more easily get at user databases from 'inside'?

short answer: yes, definitely.

You can also use this resource http://www.globalshellshock.com to check if your IP address is vulnerable to ShellShock.

IP addresses are not vulnerable to ShellShock

The services running on the machine assigned your IP address?

I knew what he meant...

More importantly, while a casual scan of a website that shows a "Yes" is bad, a "No" doesn't prove much. Update bash.

Not mentioned in the title, but important:

Winzip.com has been hacked as well. Do not trust their binaries.

Either this will be headline news tomorrow, or it will be suppressed in its entirety. The OP will probably go to prison, unfortunately, as they will not differentiate between this and black hat intrusion - the case will be judged by someone who saw his nephew using a computer, once, and they will go after him, because they know who he is, and will not have any joy identifying the actual intruders, and this will just go further to demonstrate that the spy agency dragnets are as useful as a chocolate teapot in preventing and acting against actual crime.

I hope he contacted a great defence attorney and the ACLU at the same time as Yahoo and the FBI.

Contrary to his claim, OP is clearly not a white hat "ethical hacker", since he does not have consent from the owners of any of these systems.

> they will not differentiate between this and black hat intrusion

Should they? This reads like textbook unauthorized access to a computer system.

> A quick `ps aux` on the box yielded...

This isn't just poking at web servers to see what secrets they freely reveal, this is trespass.

Trespassing is a good analogy. Neither all laws nor all violations of laws are equal.

On one hand, there are the vandals, or outright criminals, who are using and abusing my property for their gain to my detriment.

On the other hand, there's a passerby who knows about the criminals in the area, knows no one else is looking for them, and trespasses my property because the trail led him onto it.

Now that guy willingly alerts me to the criminals, offers an explanation of what he did on my property and how he found the criminals -- what should my response be?

I know that technically he broke the law, and there are those who want to see anyone and everyone pay for their deeds, but in this situation, wouldn't a reasonable person possibly consider tracking down the criminals first before crying "trespassing!"

It doesn't sound like this person trespassed at all, but merely traversed your land during his investigation. He didn't do any damage or remove anything, so what was the trespass?

Trespass to land doesn't require damage; all it requires is the willful, unauthorized entry onto land in another's exclusive possession. Vandalism requires that there be some property damage.

This isn't true. You're overestimating the strength of property rights to land. You should follow the link provided elsewhere in this branch of the discussion - http://www.shouselaw.com/trespass.html

It's amazing how many people think that traversing and trespassing are the same thing. Sadly, in many states, they are the same under the law.

I wish there were stronger free-to-roam laws. I don't think anybody has the right to tell another person they can't traverse land so long as they don't enter any structures, do any damage, take anything, disturb any wildlife, etc.

I wouldn't be happy at all if someone went into my cellar without my permission and told me that my gas line was weakening. Despite good intentions, trespass is trespass.

What if his house was next to yours and he smelled a gas leak but wasn't sure, so his investigation led him to your cellar?

If he can smell it from outside my cellar, then why isn't he able to knock on my door? Or call the cops if I'm not home. Even for actual extremis (such as a fire) I'd generally expect people to call the fire department instead of breaking into my house to put a blanket over a kitchen fire.

With that said I'm sympathetic to this guy's intent. If I were Yahoo or the FBI and he can prove that innocuous access is all he was doing, let's just say I wouldn't go out of my way to throw the book at him.

Because (going back to IRL analogies again), the authorities writ large have the authority to do an exigent search of my home if there's probable cause of a disaster of some sort going on, but local and Federal LE don't exactly have the same right to go around pwning the entire Internet to look for sites that have already been rooted, so in a sense leaving this issue to the authorities is simply leaving it to no one except the criminals, which is also unsatisfactory.

If the right answer to widespread problems like these is supposed to be law enforcement "patrolling the Internet" in some fashion, then we'd need to have way different legal authorities to allow for that. Until then I'm not sure that "only the criminals can search for burning buildings on the Internet" is really the most pragmatic answer.

In any event we obviously can't rely on each and every single important web site's system administration teams. If even Yahoo can be caught, who can you trust?

call the cops if I'm not home

yeah right, they'll fix your KDE 2 install on freebsd in a jiffy as well

Until then I'm not sure that "only the criminals can search for burning buildings on the Internet" is really the most pragmatic answer.

It's not a pragmatic answer, it's a matter of fact. NSCIA are busy collecting phone calls and developing backdoors. I'd be careful calling anyone criminal.

Would you allow a police officer to do the same?

Exactly, intent is very important in these types of things.

This thread has a lot of shaky analogies with physical trespassing. Here's an article on trespass laws (in California) - the article is more interesting than you would expect and the trespass laws are more complicated than you'd expect. http://www.shouselaw.com/trespass.html

California law is not typical in this regard (or in very many others).

It looks quite similar to Washington State trespass law in practice. If anything it might actually be broader, our criminal trespass statute up here tends to be interpreted rather narrowly because it's somewhat lacking in detail.

...this is trespass.

If you're not intending this metaphorically, I must disagree. Trespass is a fairly limited act involving a physical presence. Sending and receiving packets with another host that is configured to do that is really not anything like physically inhabiting a place.

trespassing is not illegal

If person A walked up to your window and fired shots through it, killing a family member of yours, and then person B walked up to your window out of curiosity (trespassing), saw a dead person, and called 911 (or whatever your country's emergency number is), should person B be prosecuted for murder?

Edit: I thought this was an accurate analogy, but I'm assuming the downvoter either disagreed or felt I phrased this as a sarcastic attack rather than an analogy. If it incorrectly came across as the former, that would be my fault, but I don't know if that's what caused the downvote, so an explanatory comment would be appreciated.

Since you asked for a downvote explanation: I couldn't make any sense of the comment, even after thinking about it. It's not that I disagree, I can't even figure out the analogy. Are you saying B shouldn't be charged with anything because they didn't murder, or B should be charged with trespassing but not murder, or B should be charged with felony murder because of the trespass, or something else?

The parent asked whether the OP should be treated differently from people actually doing the malicious act. My analogy was meant to illustrate that we should.

I didn't express a stance either way on whether he should be prosecuted for a more minor offense or not, in the analogy's case trespassing. (There are obviously both pros and cons in the precedent set by prosecuting people for revealing their own minor crime on account of reporting a terrible one.)

That is NOT an accurate analogy... to make it analogous, you need at least two fixes: a) the person needs not simply to see from the window, but to get into your basement by breaking a double-paned window, and go up into your bedroom. b) Also the charge needs to be for 'intrusion'.

Plus, using 'murder' and 'family' and 'dead' etc. are too dramatic and personal and unnecessary to convey your point about internet security.

Fortunately I've not trusted WinZip binaries since the mid-90s.

The OP will go to prison? Seems a bit hyperbolic to me, without any sort of citation or basis for belief.

It probably would have been best to just notify Winzip.

Telling the FBI you broke into a server to see if you could, and that you found that someone else had also broken in before you is just plain stupid.

Bank robber calling the cops to report the safe has already been cleaned out...

It's a safe cracker calling the cops in this scenario. "I wanted to see what banks I could break into" is a much more reasonable defense in this situation seeing as he's alerting others to the intrusions when he clearly could have just kept quiet and stayed out of trouble.

Not that it says anything about whether he'll be in legal trouble. Laws are crazy.

You poke into someone's house when you see their front door wide open, see it has been cleaned up and then notify the cops...

That would imply OP had malicious intentions, which he apparently did not.

Malice is in the eye of the beholder. He logged into a server he didn't own and ran commands without authorization. That is malicious from the perspective of the law.

Out of curiosity, wouldn't this also apply to the security researcher at erratasec.com that did an earlier survey? That scan logged into people's boxes and executed a ping going out. Now obviously there isn't any damage, but what legal theory is protecting these legit security researchers?

Really this is a question that can only be answered by a judge.

The CFAA in the US might apply; the section a.2.c bit is pretty broad ("information from any protected computer"). The Wikipedia article is full of interesting bits and bobs: http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Though whether or not a DA would be bothered with investigating and building a case is a different story (probably not, unless there were lots of complaints and/or "serious" complaints).

I strongly doubt anyone, even at the FBI, is tasked with finding hackers independent of any complaints.

Nothing is protecting them legally, and many people mentioned similar things on those threads. However the fact that this guy sent himself reverse shells and actively exploited the servers makes it much more likely that someone will try to prosecute him.

The lack of anybody attempting to prosecute them.

If you walk into my house through the backdoor you're trespassing. Your intentions are irrelevant.

Intention is relevant. What if I was mentally ill and mistook your backdoor for my own? Or it was the only feasible escape route from a murderer who was in pursuit of me? Of course this doesn't apply directly to the OP, because this house analogy doesn't hold water. BUT, intent is very relevant when it comes to law.

Well, no, intention is not relevant in the sense that these people are still trespassing. Ok though, you have a point; in some extremely rare circumstances it may make a difference. Of course, as you said, none of these apply here, so what's your point?

Only good to a certain extent, and since hackers are often easy targets and successful computer prosecutions are a good feather in the cap of prosecutors ever more concerned about having something on their resumes related to the "cybersecurity" buzzword, they'll frequently get harsh sentences.

Weev got 3.5 years and also did nothing malicious with the data he found: http://www.wired.com/2013/03/att-hacker-gets-3-years/

I think intention is important in these cases, more than what you actually did.

He did not break there to make himself rich or to cause any trouble for the server owner; quite the contrary.

The prosecution and charges brought against Aaron Swartz would lead me to believe that you are quite wrong.

Just to let you know, you can have a chocolate teapot: http://www.bbc.com/news/uk-england-york-north-yorkshire-2912...

TIL - people still use WinZip

It is surprising how many 90s tools remain popular today: WinZip, WinRAR, WinAmp, CCleaner, ICQ, Real Player, etc.

People just get into using something and simply never stop. Then there's the comfort barrier to switching (e.g. I know how to use WinZip but 7Zip is new and unfamiliar).

CCleaner is still popular with low level tech support types, which is quite ironic as it damages the Windows Registry on later versions of the OS. There are also built-in tools (Disk Cleaner, Recycling Bin maximum size, auto-Defrag/Trim, etc) which accomplish most of the same things.

Teachers use Real Player. Several nationalities (Russia?) use ICQ.

> CCleaner is still popular... which is quite ironic as it damages the Windows Registry

CCleaner has two main use-cases: a performance tool (allegedly) and a privacy tool.

You assume that CCleaner is popular because people think that it boosts performance. This was never my use-case and anyone that I've seen actually uses it as a privacy tool, i.e., to clean up browser history, delete caches, wipe free space, etc., to not expose what they've been looking at, searching for, and downloading.

With respect to privacy, if I see someone using CCleaner, I recommend that they switch over to BleachBit[1] which is open source and which even Bruce Schneier swears by. I used both simultaneously for awhile on my Windows systems and found that BleachBit found many more privacy-sensitive files to erase than CCleaner.

[1] http://bleachbit.sourceforge.net/

If you're interested in privacy and have Windows 8 Pro, you can use Client Hyper-V and Differencing Disks to make what is effectively a "read only" system. You boot into the VM, do whatever it is you have to do, then shred the differential [0].

Alternatively just encrypt the VM[1].

Alternatively again just run a Linux "Live OS" from a DVD and pull the power to "wipe."

Alternatively ad-infinitum make a Windows To Go Thumb Drive and smash it with a brick when you're done.

[0] http://technet.microsoft.com/en-us/library/cc720381(v=WS.10)...

[1] http://www.virtualizationadmin.com/kbase/VirtualizationTips/...

I see CCleaner on probably at least 50% of the desktops shown by people streaming on Twitch. Seems so odd to me.

Then again, I used WinRAR up until probably 2010 or so, whenever ninite made it easier to install 7zip.

A sort of related oddity is how often I see OpenOffice on the desktops in doctors' offices - usually alongside Microsoft Office icons. I have no idea what they would use it for.

It's a little ironic, but I still find WinAmp to be the best audio player.

I mean - all I want to do is to quickly setup a playlist out of a bunch of directories and eventually do searches in it, which is incredibly common at a party when you quickly assemble playlists from multiple sources. Other media players are completely retarded.

I am from the Czech Republic.

ICQ was popular here way more than in the rest of the world, but it got displaced by Facebook Messenger (and to some smaller extent Google Talk/Hangout/what's the name now).

I have no idea about Russia or Israel, where it was also popular.

To this day I can't figure out how ICQ ever became popular, but yes I can vouch that there are still people who use it and probably always will.

It originally became popular simply due to lack of competition.

AOL Instant Messenger (AIM) was popular but full of ads and didn't offer many features. MSN Messenger (later "Live Messenger" ".Net Messenger Service") didn't exist yet (1999) and while Windows had something called Netmeeting it was simply terrible.

ICQ technically came around before AIM, being released in 1996 vs. 1997, but AIM hit the ground running as AOL hooked up their massive (then) subscriber base. So while AIM was a more popular service, ICQ became popular with a certain more savvy class of user (e.g. tech nerds, who wanted more functionality, and something NOT tied to their email address).

ICQ offered that. Fewer ads, more features, and slightly anonymous (ICQ numbers). ICQ sucks by today's standards, but in 1996-1999 it was really competing with AIM. There's also Yahoo! Messenger that came out in 1998 which was fairly popular (particularly as an "AIM replacement").

ICQ just somehow remained popular in certain parts of the world for the same reason Facebook isn't going away: It reached a critical mass, now "everyone" is using it which means "everyone" has to continue using it...

Don't forget that the A in AOL stands for 1/193 countries. In AU (yes - anecdote != data) -- friends I would chat with were all on ICQ - before switching over to msn. Never heard of AIM

Second datapoint. In FI everyone who did not use IRC used ICQ and then switched to MSN.

Also AU and used ICQ; then MSN.

Note there was a strong anti-AOL sentiment throughout the 90's.

I used MSN. Now I use XMPP 'cause they wanted me to use skype instead... pffff...

For some reason it was considered anonymous and safe from surveillance.

Can you point me to a description of CCleaner's problems? It's still my go-to tool for cleaning computers, and I've never had a problem or heard of anything major (besides the normal bugs that get fixed). It also isn't a 90s tool, being first released in 2003.

What's your idea of a better alternative?

I listed the alternatives already. They're all built in.

CCleaner's registry cleaner is the main issue (aside from the fact it makes computers literally slower by clearing every single cache it can find). Some of the issues it has caused:

- Registry damage: Windows 8 store was damaged/corrupted by a previous version (you had to run DISM to repair it), Windows uninstaller corruption (this impacted McAfee anti-virus around 2009, the uninstaller would become unusable), deletes preferences for unconnected devices (USB sticks, external drives, network drives, etc) so if you have any software installed externally the drive letter may shift and the software will break, deletes unmounted but valid COM objects, and so on...

- Damage: http://features.en.softonic.com/the-dangers-of-using-ccleane....

- Article: https://bitsum.com/regcleanerfacts.php

- Wikipedia: https://en.wikipedia.org/wiki/Registry_cleaner

- Microsoft support article ("serious issues can occur when you modify the registry incorrectly using these types of utilities"): https://support2.microsoft.com/kb/2563254

- Microsoft Article: http://windows.microsoft.com/en-us/windows/are-registry-clea...

Everyone is saying the same thing. Registry Cleaning is unnecessary, won't improve performance, and really only offers you a chance of doing damage. Registry cleaning hasn't been important since XP, and XP shipped over ten years ago.

Everything else CCleaner does is either stupid (clearing caches) or duplicates internal functionality (IE cache clearing, Recycling Bin emptying, etc). Plus Disk Cleanup isn't a new addition to Windows.

>Everyone is saying the same thing. Registry Cleaning is unnecessary, won't improve performance, and really only offers you a chance of doing damage.

Well, shit. I've been using the registry cleaner for years now on Windows 7. I've always liked that it seems to clear certain cruft from my system (unused file extensions, crap left behind by uninstalled programs, etc.), as I have a certain need for digital tidiness. I'm now considering abandoning the feature after these posts.

Thanks for the explanations!

Before anything else, I should mention that I haven't worked help desk in over 5 years.

Back when I worked help desk, the most common reason for a machine being completely FUBAR and needing a re-install was that the user ran CCleaner on it.

Your organization likely did something unconventional with the registry that made systems break when touched by CCleaner (perhaps a groupware tool, or perhaps the broken systems had already been FUBAR'd by intrusive software and CCleaner's attempt to fix that FUBAR triple-FUBAR'd it).

That doesn't mean CCleaner's behavior is correct, but it's probably a situation the developers haven't been able to test against. For what it's worth, I've run CCleaner's registry cleaner on dozens of machines and never had a problem of any type, and I still use CCleaner sometimes because it's a simple way to clean the temp/junk files left by many common applications with one button click.

I always feel a little nervous when I run the registry cleaner, and while I haven't noticed any problems, I also haven't noticed a meaningful improvement after running it either. I should probably stop doing it just for that reason.

> That doesn't mean CCleaner's behavior is correct, but it's probably a situation the developers haven't been able to test against.

So reading between the lines, you're saying that CCleaner is a bad idea simply because they cannot possibly understand the registry well enough to make the changes that they're making.

We agree completely.

Honestly if people want to use CCleaner to do jump lists, file history, and caches (although that last one is misguided) then I'm all for it. There's very little chance anything will break with those (it is hard to screw up!).

I just warn against the registry cleaner primarily, and just feel like with Disk Cleaner and Windows' automatic cleaning that has been integrated for a while you could live without using CCleaner (unless you still have a Windows 9x box).

you're saying that CCleaner is a bad idea simply because they cannot possibly understand the registry well enough to make the changes that they're making.

It sounds more like, "the software vendor is doing incorrect or incomplete things with the registry and CCleaner cannot possibly know that."

As a long-time Windows software developer, I've been stunned at how sloppy desktop programs and installers are, even today. People ignore Microsoft guidelines, somehow get the software to the "works for me" stage, and deploy it.

This ...

Frick. A .pl CGI script on a production box?

All the yapache & yphp security fixes, and it's all undone by a .pl with +ExecCGI.

They used to run "crack days" where all of us used to get kicks out of breaking & entering prod, whatever means available.

Was a fun way to weed through such low-hanging issues, by a highly motivated (i.e. otherwise bored) crowd.

I wonder if they still have them.

What's the issue with Perl scripts on production web servers? Probably 90% of my (homegrown) scripts are written in Perl. What does Perl vs. PHP vs. Ruby vs. $languageoftheweek have to do with anything?

It's really just that Shellshock becomes viable only when HTTP headers are passed to your code as environment variables. For CGI, this is the way things are done, and most Perl scripts interact with the web server through CGI. On the other hand, Ruby and $languageoftheweek are usually called through a server framework like WSGI or Rack, which have their own ways of getting HTTP headers to the user code besides passing them as environment variables. Perl has PSGI ( plackperl.org ) but it's more commonly used in CGI.
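To make the CGI mechanism described above concrete, here is an added example (not code from the thread, from Yahoo, or from Apache): it reproduces the RFC 3875 header-to-environment mapping a CGI gateway performs, then applies the check a defender would put in front of a CGI handler or run over access logs, flagging header values that a vulnerable bash would parse as an exported function definition. The header values, log lines and client addresses are constructed samples.

```python
import re

# RFC 3875 (CGI): a request header such as "User-Agent: x" reaches the
# script as the environment variable HTTP_USER_AGENT=x.  Content-Type and
# Content-Length are the two headers that get meta-variables without the
# HTTP_ prefix.  Added illustration, not Yahoo's or Apache's code.
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}

def cgi_env(headers):
    """Return the CGI meta-variables a script would see for these request headers."""
    env = {}
    for name, value in headers.items():
        key = name.lower()
        if key in UNPREFIXED:
            env[UNPREFIXED[key]] = value
        else:
            env["HTTP_" + key.upper().replace("-", "_")] = value
    return env

# Shellshock trigger shape: a vulnerable bash treats an environment value that
# starts with "() {" as an exported function definition and evaluates what
# follows the closing brace.  The function-definition prefix is what the
# parser keys on, so matching it is enough to flag a request for review.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

def find_shellshock_headers(headers):
    """Names of headers whose values a vulnerable bash would parse as a function."""
    return [name for name, value in headers.items() if SHELLSHOCK_RE.match(value)]

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

def scan_access_log(lines):
    """Return (line_number, field, client) for each quoted field carrying the trigger.

    Referer and User-Agent are the usual carriers because both are copied
    verbatim into the CGI environment; the request line is checked as well.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; a real scanner would report the parse failure
        for field in ("request", "referer", "user_agent"):
            if SHELLSHOCK_RE.match(m.group(field)):
                hits.append((lineno, field, m.group("host")))
    return hits

# Constructed sample log lines (documentation address range, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Oct/2014:03:14:15 +0000] "GET /sports/api/live.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed sample)"',
    '203.0.113.9 - - [06/Oct/2014:03:14:16 +0000] "GET /sports/api/live.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.9 - - [06/Oct/2014:03:14:17 +0000] "GET /cgi-bin/status.pl HTTP/1.1" 200 77 "() { :; }; echo constructed-sample" "curl/7.38.0"',
]

if __name__ == "__main__":
    headers = {"User-Agent": "() { :; }; echo constructed-sample", "Content-Type": "text/plain"}
    print(cgi_env(headers))                  # HTTP_USER_AGENT / CONTENT_TYPE mapping
    print(find_shellshock_headers(headers))  # ['User-Agent']
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d: %s from %s" % hit)
```

The point the mapping makes is the one the comment makes: with CGI, every request header becomes an environment variable before the script runs, so any shell the script (or its interpreter) spawns inherits attacker-chosen values. A framework that hands headers to user code as a dict (PSGI, WSGI, Rack) never puts them in the environment, which is why the same bash bug is not reachable through it.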

Perl has PSGI ( plackperl.org ) but it's more commonly used in CGI.

Citation needed.

I've been a serious Perl programmer since the 90s who has written public facing code at at least a half-dozen companies in the last decade. I've seen all kinds of combinations of things like mod_perl, fastcgi and Plack, but not once CGI.

I don't doubt that there are still some toy websites that run old CGI programs written in Perl. But I haven't seen them in the wild. And that niche has been replaced by PHP.

I spent four years mostly on perl 2009-2012, and again briefly last year. The performance of any non-trivial perl web app is laughably bad when you run as CGI. I've never run prod systems without psgi or mod_fcgid.

I think therein lies the problem: yapache. It's their own version of (modified) Apache. So when these bugs like shellshock come out, it's harder to patch your own home-grown version.

Not sure that's the problem though. yapache and yphp solve a very important need and probably saved Yahoo!'s ass on multiple occasions with engineers making lazy or common mistakes.

There might have been a better way to implement it but with a company the size of Yahoo! I think they'd have the resources to maintain/patch such critical flaws. So the idea of a home-grown (really it's more of a patched version of apache / php than anything else) isn't entirely crazy.

Just looks like this one slipped through the cracks.

Nobody was really working on yapache when I worked there around 2 years ago.

The idea of still using Apache / PHP nowadays is pretty crazy if you ask me.

I could say the same about most of the supposed superior replacements.

Everything is dangerous in the hands of idiots. The technology is almost entirely irrelevant to the discussion.

Half the world must be crazy. What is better and why?

Nginx, Node.js … and Twitter Bootstrap, obviously. (scnr)

What's wrong with a Perl CGI script?

Golly. Who was this "they" and "all of us"?

People who use the word "frick" or "frickin'".

I'm guessing GP once worked for Yahoo.

Am I the only one that thinks this kind of thing would be cool to see? I've seen logs of attacks, but I've never watched a botnet IRC live. That would be crazy for me. Not really moving the conversation forward, but is this so commonplace that I'm the odd man out for marveling?

:) You're not the only one.

First, read this. Note the date. http://www.crime-research.org/library/grcdos.pdf

I read that shortly after it was originally published. And I thought to myself: COOL!

I was seventeen. I had a spare Windows 95c (or was it 98se?) box laying around, and some experience with inctrl5, a Linux box which could operate as a router, and some basic knowledge of tcpdump(1). Importantly, I could also script the behavior of an IRC client.

At the time I was a channel operator in a relatively popular IRC channel on EFnet... "Don't ask to ask!" :) Users would come in and request assistance with malware all the time, so I was already roughly familiar with the mechanisms of infection and CnC.

This is a long story that I must cut short: I ended up in the same CnC room as Gibson did. Not the same type--the same one. I met some of the people in the story. :D

That PDF is fascinating. Thank you for posting.

Do you still idle in that help channel?

Not for a while. I'm Sebboh. :)

I used to do that for fun. It was a lot easier back when SDBot and AgoBot were the shit.

The trick I used was to go on some xdcc network, change nickname to one similar to the bots and just wait. Sooner or later one of the botnet owners tried to authenticate and soon after I would exit with a ping-timeout.

Then you could just log into one of them, get a list of processes and download the one with a random name. It was pretty easy and you could get your hands on a few thousand bots in a weekend.

Oh the joy of running "!uninstall" while the owners were in the chatroom...

You might find this paper about stealing a botnet interesting [0]. Even though it's five years old, the crazy stuff these researchers found is still amazing.

[0] http://www.net.t-labs.tu-berlin.de/teaching/ws0910/IS_semina...

To be honest, it's not that interesting. If it's a well configured IRC host then you will not be seeing any of the other bots, and all you will occasionally see is a command coming by from a generically named operator. Some botnet IRCs are lazily configured, and will let you see all of the other bots as part of the channel, but generally will not let you speak. The bots usually have nicknames built from the host's computer name, username, country, etc.

It's interesting, but in itself is not that exciting in my opinion.

It was interesting the first few times watching them. Sometimes the commands are not even authenticated so you could do fun things like write a text file saying their computer was infected and then open it with notepad... or other things.[0] You aren't going to find many large scale botnets that still use IRC though. It is really amateur hour CnC.

[0] It probably is not really advisable to do even 'helpful' actions such as that, but when you are young you do careless things.

Expose a vulnerable Linux VM to the raw internet. Wait for it to get infected. Find the process that's connected to the CnC server using lsof. Use gcore to dump its memory to a file. cat that into strings and look for the IRC channel and server. Or just watch it all in Wireshark but that's kinda boring. Have fun and stay safe.
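The last two steps of that recipe (dump the process memory, then search its strings for the IRC server and channel) as an added example, not the commenter's code: a minimal strings(1) equivalent over a raw memory image, followed by indicator extraction keyed on the clear-text IRC protocol verbs a bot keeps in its send/receive buffers. The memory image here is a constructed byte string standing in for a gcore dump; the hostname, channel and file path in it are invented.

```python
import re

def extract_strings(blob, min_len=4):
    """strings(1) default behaviour: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

# IRC is line oriented and its verbs travel in clear text, so the first word of
# a buffered line is a strong hint even without a packet capture.
IRC_VERB = re.compile(r"^(NICK|USER|PASS|JOIN|PRIVMSG|MODE|PING|PONG)\b")
HOST_PORT = re.compile(r"\b([A-Za-z0-9.-]+\.[A-Za-z]{2,}):(\d{2,5})\b")
CHANNEL = re.compile(r"#[A-Za-z0-9_-]{2,}")

def irc_indicators(blob):
    """Pull server:port candidates, channel names and IRC protocol lines out of a dump."""
    servers, channels, lines = set(), set(), []
    for s in extract_strings(blob):
        for host, port in HOST_PORT.findall(s):
            servers.add("%s:%s" % (host, port))
        for ch in CHANNEL.findall(s):
            channels.add(ch)
        if IRC_VERB.match(s):
            lines.append(s)
    return {"servers": sorted(servers), "channels": sorted(channels), "lines": lines}

def read_dump(path):
    """Load a gcore core file (or any raw memory image) from disk."""
    with open(path, "rb") as f:
        return f.read()

# Constructed stand-in for a memory dump: binary noise around the buffers an
# IRC bot would hold.  Every name below is invented for the example.
SAMPLE_DUMP = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"NICK [XX|constructed]a8f3\r\n\x00\x00"
    b"irc.cnc.example.net:6667\x00\x00\x01\x02"
    b"JOIN #constructed-cnc\r\n\x00"
    b"PRIVMSG #constructed-cnc :!version\r\n"
    b"\x00\x00\xff\xfe/tmp/.x/bot\x00"
)

if __name__ == "__main__":
    result = irc_indicators(SAMPLE_DUMP)   # swap in read_dump("core.1234") for a real dump
    print("servers:", result["servers"])
    print("channels:", result["channels"])
    for line in result["lines"]:
        print("irc line:", line)
```

The host:port and channel patterns are deliberately loose; on a real dump they will also pick up library strings and unrelated URLs, so treat the output as candidates to confirm against the lsof socket list or the capture, not as a verdict.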

Mirror of the response, since the site is loading really slow:


Classic. "Thanks for pointing out this insanely serious issue, which is unfortunately not eligible for our bug bounty program." Maybe they'll send him a free hat.

Embarrassing. People should just sell their zero-days on the black market for BTC until these companies wise up on paying out on "non-qualifying" bugs. Facebook has done this too.

lol, dude's going to prison. He ain't getting no hat...

"Yeah, this major bug you told us about, not eligible."

Fk Yahoo, they deserve what's happening to them.

Sorry but if this is not I wonder what is? A remote OpenSSH root exploitation technique or a CSS3 misconfiguration (smiley doesn't display on all browsers), can't believe this.

"Though the FBI seemed intrigued by this, in my opinion, they aren’t moving with any form of haste."

I am doubtful that FBI would share their plans and/or actions with OP.

Exactly. It's not like they're going to call up the OP to give him status updates.

Maybe it's implied due to the lack of correspondence (follow up questions)

This guy works in the security industry and yet he couldn't google "yahoo security" to find their security contact email address (second result for me)? He was also unaware that Yahoo runs a Bug Bounty Program?

Well.. you didn't read the first couple lines? Notably:

> I’ve notified both Yahoo! and the FBI New Orleans field office of the infiltration, but in my eyes, they really aren’t seeing the severity and danger of this situation, and really are not reacting quick enough.

> This document is being released due to several high profile companies being infiltrated using the recent Shellshock vulnerability, and what I have deemed as an improper response, or lack thereof ...

Seems pretty straightforward: hackers have already downloaded all the personal data out of these organizations and are probably using it in ways harmful to the general public already. This guy is forgoing his probable bug bounty payouts as this is, as he says, a really serious issue.

Thank you to him!

> I’ve notified both Yahoo! and the FBI New Orleans field office of the infiltration

And the feds are standing at his front door in 3 .. 2 .. 1.

Looks like you only read the first couple lines. What I'm referring to:

> I’ve also emailed Marissa Mayer and contacted her via twitter, both of which yielded zero results and no response. There are no publicly available contact methods for Yahoo! that have yielded any luck with trying to contact them regarding this.

I think the "that have yielded any luck" part of that quote is pretty important.

The point I'm making is that he didn't do the obvious thing and search for their actual security report address which they have, respond to, and pay people money who report bugs to. He found the hacked servers by doing a search but couldn't do this?

I don't see how you're reaching this conclusion. He said, there are no publicly available contact methods that have "yielded any luck". He didn't say there are no publicly available contact methods or that he didn't e-mail yahoo's "security" e-mail address.

I'm reaching this conclusion because the only person he mentions emailing is Yahoo's CEO.

Pretty sure that if he's actually talking with Yahoo and the FBI then someone would have pointed him to that address if he really hadn't found it himself! More likely, they just told him "hang on, we'll look into this.. eventually" and he felt this was important enough that a delay like that is unacceptable. Which it is. If you know you've just lost all your customers data, you don't wait a few days to tell them - you schedule a press release for same day release.

> that have yielded any luck with trying to contact them regarding this

Might be the important part of the quote you missed.

He didn't email the right address and didn't bother to look for it. Yahoo, like Google and Facebook, has a large security department, but if you send your report to support@yahoo.com and not security@yahoo.com and don't get a response, you don't get to say Yahoo is lax in security because you didn't take a second to google for the right address.

Dude your screen name is really telling.

He reached out, and didn't have any luck. Companies truly need to learn how to deal with these breaches in a way that re-invites the public trust

You seem to be missing my point. I've repeated it in a bunch of other comments but I'll do it again here: You don't get points for "reaching out" when you don't spend a second to search for the right address to reach out to. Yahoo has a page dedicated to reporting bugs. If he had used that page he would have gotten a response. Yahoo has paid dozens of people for doing this https://hackerone.com/yahoo?show_all=true.

I'm not quite sure why you seem so sure he didn't also send an email to that address (or use that form)? I didn't read the article thoroughly, did he enumerate somewhere which ways of contacting Y! he tried?

If he had sent it to the other address, why would the person who responded have pointed it out as the email to contact? If he had already sent an email to the Yahoo Security contact, why would he then be told to do the same thing twice?

According to this[1] article about the current issue:

"Before releasing this information, Hall emailed Yahoo and tweeted at its engineering team and CEO Marissa Mayer.

It was confirmed to him that its servers had been infiltrated but Yahoo refused to pay him for alerting them as it was not part of the company’s bug bounty programme."

[1]: http://www.independent.co.uk/life-style/gadgets-and-tech/new...

EDIT: The quote previously included "Yahoo is notorious for its disregard of bug bounty hunters, having last year rewarded one such hacker who identified three bugs in Yahoo's servers with a $25 voucher for company merchandise." but I moved it here as it caused confusion regarding which issue the article was referencing.

That article is poorly reported. Yahoo didn't have a bug bounty program at all at that time. And their response was blown totally out of proportion.

They keep insulting bounty hunters like that, they'll end up on the wrong side of black market bug trades every time some new exploit comes up. And I won't be defending Yahoo when that happens.

Are these people concerned with security or are they running a protection racket? The way you put it is starting to sound like the latter.

This has nothing to do with "protection racket" and downvoters are going to be in for one hell of a reality check if you don't believe that this will happen.

Bounty hunters do this stuff for a living. If the company pays with $25 vouchers and the black market pays on the order of tens/hundreds of thousands, who do you think "these people" will go to?

I frankly don't believe you. I think you vastly overestimate how much you can sell a vulnerability for and vastly underestimate the morals of white hat hackers reporting bugs for a bounty.

There are close to zero companies that pay tens/hundreds of thousands for a bug, and yet clearly bounties are being paid and not 100% of bugs end up on the black market.

Microsoft will pay up to $100,000 plus $50,000 bonus for defense submissions (http://technet.microsoft.com/en-us/security/dn425049)

Facebook has paid $12,500 for one (http://techcrunch.com/2013/09/02/security-researcher-discove...)

Google will pay up to $20,000 for one (http://www.google.com/about/appsecurity/reward-program/#rewa...)

Forbes even posted an article a couple years ago on the market of zero day exploits and listed prices someone could get for zero day exploits with prices in the tens/hundreds of thousands. (http://www.forbes.com/sites/andygreenberg/2012/03/23/shoppin...) It should be noted that they state in this article that the groups that will buy these exploits for these prices are generally western governments.

Mitnick's security company recently started a vulnerability marketplace. For vulnerabilities that meet the criteria (they have to be of a certain severity, not already known, etc.), they are sold for a minimum of $100,000.

I'd say: "Are these people concerned with receiving income for difficult, highly specialized, valuable work, or are they running a charity?" I guess it's a matter of perspective.

Not really. We have a system for ensuring that people get paid for valuable work: they're called contracts.

Yes, the market for security vulnerabilities is essentially a protection racket, and everyone knows it.

Found this email from him archived on Seclists:

    I identified that a few major sites were actually compromised using the vulnerability - Yahoo! being one in 
    particular. Tripod/Lycos and WinZip.com were also compromised. Yahoo! reached out and gave me a response, albeit a very 
    weak one, only after the FBI, media and CEO Marissa Mayers was contacted... WinZip patched their boxes and didn't 
    bother responding or notifying me that they got it done.

And, amusingly, an apology for his rambling:

Please do excuse the scattered nature of the email sent to Marissa Mayers @ Yahoo! - there were other correspondences that are currently being kept private, and at the time that I wrote that one, I had been awake for roughly 48 hours and was fueled on caffeine and nicotine.

From http://seclists.org/nanog/2014/Oct/158

Then he wouldn't bring attention to his consultancy firm. "Gee, these guys sure did show the Yahoo CEO! We need to hire them!" Says the MBA.

And this is different from what everyone else on HN does...how?

This is a courageous disclosure since the OP risks being in some trouble for his "ethical probing".

In the winzip email, he rambles about his mother.

Which makes his signature line pretty interesting. :)

> A fool learns only from himself. A wise man will learn from the fool.

So he's got this 'honest fool' thing going for him. If he can marry that with meticulous record keeping, maybe he'll be OK.

Of course, IANAL.

But ffs, I'm sick of this world where the defense "Wait, you misunderstand--I'm the GOOD guy!" isn't good enough. Why isn't it?

Well, mostly because if it was good enough, it would be the first thing out of the mouth of every blackhat that was caught...

Or to put it in a slightly more nuanced fashion, as a blackhat I could compromise your system, and then turn around and inform you that your system was being compromised whilst at the same time profiting from any data I had already stolen. If the company being contacted does not personally know the person contacting them, it is not altogether unreasonable to treat the person with great suspicion.

That said, people that do have a public reputation for white-hat work probably deserve to get a pass. This of course raises the question of how you go about getting a whitehat reputation, because most whitehats get their rep by doing the same things the blackhats do, without the profit motive.

Well, every time I've gone vigilante, I've logged the ever lovin' shit out of myself, just in case. Nothing interesting ever happened, though.

There was one time when I used a CnC channel to issue uninstall commands against a couple hundred bots. That was only after trying to contact a user or two to suggest that they uninstall the malware themselves... Those conversations went SO poorly! :)

Anyway, the only way to find a user's contact information via a piece of malware like that is arguably an invasion of privacy... Which brings us full circle.

Could we establish a metric for Good Samaritanism? Could we design a metric that is restrictive enough to prevent misuse but inclusive enough to allow unrequested, benevolent cleaning and patching?

> Or to put it in a slightly more nuanced fashion, as a blackhat I could compromise your system, and then turn around and inform you that your system was being compromised whilst at the same time profiting from any data I had already stolen.

Which provides a perfectly reasonable way to distinguish the white hat from the black hat. The black hat is the one making fraudulent charges to stolen credit cards, or selling social security numbers, etc.

" a perfectly reasonable way to distinguish "

Well no, not really. After all, the blackhat isn't telling you that they're also busy selling your data to someone. And even if you are aware that the data is being sold, the blackhat can claim that it must be another intruder using the same flaw, and geez, you really should fix that!

If the data "is being sold" then go arrest whoever is selling it. This is basic police work. Someone is making fraudulent credit card charges? Go nab the guy when he goes to pick up the merchandise, then turn him against whoever provided the credit card numbers (if it wasn't the same person).

Doesn't that make a lot more sense than charging anyone who cuts across your lawn with grand theft just because someone engaged in grand theft might cut across your lawn?

Everyone thinks they are the good guy.

I am pretty surprised he didn't disclose it anonymously to be honest.

courageous? ethical probing? lol. Obviously he just wants free publicity. Pretty stupid move overall, notifying the fbi and all... unbelievable. And his crappy web server where he brags about it all is down by now too, so much for the free publicity.

Mass scanning using ping back for Shellshock was controversial. Starting a remote shell would seem to cross the line.

Is this a new phenomenon? I always felt that Yahoo's systems weren't secure. Until I shut down my Yahoo accounts, it would be a semi-regular occurrence for both my Yahoo email and IM to send out spam to everyone in my Yahoo contacts list. Am I wrong? I've since shut down my account since I got sick of dealing with it.

That's not a Yahoo hack though. When that happens it is almost always your local machine that has been breached by a virus which simply reads the locally stored contact list. And to answer your question, no, it is not a regular occurrence for Yahoo, or any of the major players, to have their servers hacked.

A number of times in recent memory Yahoo has been subject to attacks using XSS and similar. One example of one that was exploited (there was a disclosure back in May, but that didn't have reports of active exploits): http://thenextweb.com/insider/2013/01/31/yahoo-mail-users-st...

It may explain it for other users, but at the time I hadn't logged into any yahoo service for months.

To my knowledge, my machine is secure. It wasn't Windows and I had both anti-virus and a firewall active. For one thing, what made this strange was that I haven't even logged into Yahoo for months (probably close to a year) when this happened, repeatedly.

Another possible explanation is password reuse on a site that was breached.

I don't reuse my passwords.

Could also be password guessing; lots of people use the "common word + number" pattern for their Yahoo! passwords.

If I remember correctly it was a random alpha-numeric password with both different cases and a special character or two, and I've never used the same password on a different service.

All I know is that I've never had this problem on competing services.

I've found XSS bugs that allow full account takeover being actively exploited on Yahoo! a couple of times. They have a lot of legacy crap that was written 15-20 years ago.


futuresouth.us got Hacker News'd this morning.

Here's a much shorter version that explains things in a less technical way... http://milankragujevic.com/post/65

A pretty interesting read, despite the occasionally challenging style. If the email to Mayer had been a little more focused then perhaps it might have punched through. But in any case, kudos to the author for doing the work and writing it up. I learned a few things. But at the same time, no kudos for using what might be the most unfortunate metaphor ever. I suggest avoiding any future attempts at picturesque description.

Server seems to be having trouble keeping up with all the requests, so in the meantime please use Google's cache[1] of the page.

[1]: http://webcache.googleusercontent.com/search?q=cache:http://...

I wonder what best practice is for consumer websites which have domains like yahoo.com which has mostly customers, and yahoo-inc.com for corporate, for things like security@ addresses. It's reasonable someone wouldn't know about yahoo-inc.com.

BCP is for domains to have abuse@, which for Yahoo.com should be tied into their corporate security and intelligence group.


Why didn't he use Shellshock to update bash on the vulnerable servers?

That would be illegal, unfortunately. If we could do that the internet would be a much cleaner place for sure.

What he's been doing is illegal too anyway...


No. He CC'd them.

Why is this a link to a cached version of the website?

Ah nevermind, found the answer below. The site had problems handling HN traffic earlier.

Wow, Lycos is still around?

So when is Marissa Mayer getting fired?

They got owned by Shellshock? Come on, Yahoo, really?
