The FBI sleeps when libraries burn

  • 0x4E4F · 3 upvotes · 1 month ago (edited)

    There are other ways to point out a problem. What this person did could have been done as a POC, discussed privately with IA and published publicly later on, when the problem was patched.

    This was deliberate and probably paid for.

    • Ajen · 1 upvote · 1 month ago

      Deliberate? If someone was paying for it, wouldn’t they have done something more harmful?

      • 0x4E4F · 1 upvote · 1 month ago

        Maybe that was the only thing that was easily exploitable… or maybe it’s a warning… or maybe not enough pay for something more sinister… or maybe all of the above.

        • Ajen · 1 upvote · 1 month ago

          None of those theories sound very plausible. It’s far more likely that an amateur who didn’t understand responsible disclosure decided to check if the keys that were leaked 2 weeks ago are still valid, got excited when they were, and chose a slightly-irresponsible way to share their findings.

          They didn’t exploit or hack anything. They just tried to log in with credentials that were leaked 2 weeks ago.

          • 0x4E4F · 1 upvote · 1 month ago (edited)

            It’s still an exploit if he/she didn’t rightfully have access to those parts of IA.

            And what was written in that screenshot doesn’t say “script kiddie” to me, it says that this person knew full well what he/she was doing. Script kiddies lack confidence. That is not what I’m getting from the screenshot.

            It may also be a plan that was in the making for a long time, but the party was just waiting for an easy opportunity to make a good hit on IA.

            Most people into security knew they were leaked a few weeks ago and everyone (including myself) thought that, yes, they are probably still working, but they’re understaffed, so they’ll probably get to it, but it’ll take a few more weeks. It never occurred to me that anyone in their right mind would deliberately do harm to IA. There’s honor, even amongst thieves. I know for certain at least one group looked at those keys and didn’t do anything. Why bite the very thing that you rely on… there is no point. All of us use IA for various things, including long gone packages and source code. It would be dumb to actually do this. Unless there is a financial incentive, of course… I’m sorry, but that’s the only thing that makes sense in my mind.

            • Ajen · 1 upvote · 1 month ago

              Being “into” security doesn’t make you an expert. Why wouldn’t you expect rotating the leaked keys to be one of the first steps of their incident response plan?

              And script kiddies lack confidence? I don’t know why you’d think that - from what I’ve seen they tend to be over-confident and act like they know more than they actually do.

              • 0x4E4F · 1 upvote · 1 month ago

                Rotating the keys was my first thought as well; I just thought they were busy with something else and couldn’t get this done at the time. Though, yes, I would make it my no.1 priority as well and drop everything else. But I guess they learned their lesson now. When you’re that well known, you’re a huge target and you’ve also managed to piss off some of the world’s largest corps… you better make security your no.1 priority.

                Script kiddies act like that only when bragging online. Put them in a real world scenario and most of them don’t know what to do and just bail. They might get into the system, but then realize what they’ve done and start unplugging things from outlets. And script kiddies just brag around and leave notes like “you’ve been hacked loozer”, or something similar. This is a well thought out response; this has nothing to do with bragging or a challenge, this was intentional.