Eyeballing Rob Levin

[posted to the Full-Disclosure mailing list]

Odds are you’ve at least heard of Rob Levin (aka lilo), the director of Texas 501(3)(c) corporation Peer-Directed Projects Center. He’s been aptly mentioned in the Register as a “professional online beggar” and the incompetence with which he runs the Freenode IRC network has been aired many a time on popular blogs like Slashdot. In the past week, a group of hackers took over the Freenode IRC network by sniffing lilo’s *@*-bound oper block password off the wire, a gaping security issue that could have been resolved via many different means– an SSL port on a single freenode server for lilo to use, lilo sshing to a server and IRCing from localhost, or the binding of his oper block to his home host. This was proof enough for me that lilo is an idiot that wasn’t capable of running an IRC for a small group of friends, much less one hosting hundreds of open-source projects.

But what of lilo himself? Is he really this benevolent, though sometimes incompetent dictator he makes himself out to be? After the Freenode fiasco, I decided to poke around lilo’s personal life and get a glimpse of his character. The results are quite hilarious.

Everyone knows lilo lives in a trailer. He flaunts his existence as white trash with glee and twisted pride, playing the part of a martyr for the cause of open source software. He constantly talks about how poor and beaten down he is, despite having the leisure time to spend eleven hours a day chatting on the Internet. The address listed on the PDPC.us domain is indeed a trailer. Some quick poking around the Texas State Comptroller of Public Accounts shows the truth. That address is an office to which the business is registered, and the registered agent is Robert Levin of 9212 Burdine St, an apartment building in Houston.

For a man who claims to be such a martyr for open source development he has done almost nothing to advance it. He has never made any notable commits to open source projects. He has done almost nothing at all. The man is in his fifties and has nothing notable on his resume — a long history of manual labor and office tasks for monkeys. The truth about Rob is that he cannot code. His support of open source is limited to idly chatting away on IRC.

Rob and his wife both suck at the teat of the federal government by collecting disability. They both claim to have ADHD so intense that it prohibits them from holding a job. During the day, they go to the PDPC trailer to chat on IRC and answer phonecalls. Two disability checks and PDPC donations add up. Enough to pay for not only a reasonable apartment and the PDPC trailer, but for a Hispanic nanny to take care of their son and clean their house during the day (I would cite her name, address, and phone number but I do not feel it fitting that he should be harassed). Not only do they not feel it fitting to work at any task whatsoever, but they can’t even raise their child and clean up for themselves.

Personally I have supported open source with my blood, sweat, and tears. I work at least forty hours a week in a cubicle much smaller than Rob Levin’s trailer and go home to spend several more hours coding for projects that I feel are worthwhile. I do this not for personal gain, but to fight against a system of intellectual property law which I find overzealously rewards the rich and powerful. I’m not going to mention my name, but a good many of you know it. I’ve put commits into major operating systems and household name daemons.

Lilo is a fraud. He is a huckster that steals money that could be going to legitimate open source development. There are countless programmers with real, valuable talent who choose to work hard for the greater good rather than spending all their time selling their talents to the highest bidder. Lilo has no talent and epitomizes the kind of vile, undisciplined leech that I spend my time working against.

To the FOSS world: Do yourselves a favor and move to EFnet, Undernet, OFTC, anything but Freenode. EFnet now has chanfix and has not been a lawless packeteer playground for several years. The days of channel wars on EFnet are over. It also handles three times the traffic of Freenode without major incident.

Don’t believe me about Rob Levin? I pulled all his information from public record in the past twenty-four hours. Poke around his life and see for yourself:

Rob’s federal employer identification number is 74-3033697
The address officially listed for pdpc is 10100 main street #31 houson tx 77025.
Phone number for pdpc officially listed is 713-589-5863.
Rob’s ssn is 462 13 0351.
PDPC’s 11-digit texas state taxpayer number 32004514421
Rob’s apartment is at 9212 BURDINE ST. #1005 HOUSTON, TX 77096.
12-16-1955 is Rob’s birthday

a curageous crusader for coup
crushes this contested crater of crap we call a country
catalyzing a closing chaotic crash
he creams the core complex
and creates contemporary Canaan in confidence

Stop aiding an industry which just hurts humanity.

[posted to the full-disclosure mailing list]

“In the end, more than freedom, they wanted security. They wanted a comfortable life, and they lost it all – security, comfort, and freedom. When the Athenians finally wanted not to give to society but for society to give to them, when the freedom they wished for most was freedom from responsibility, then Athens ceased to be free and was never free again.” –Edward Gibbon

We stand at the cusp of a renaissance. A freely communicating humanity is closer to unity and harmony than ever before. Never before have ideas and knowledge traveled so rapidly. If not for the Internet, little would be known about the atrocities our government attempts to commit in secret. All the American people would be able to read is the party line off of cable television. With a morally bankrupt media, the Internet is the key to any sort of democratic resistance. Thanks to the Internet, we may view photos of American caskets, wounded Iraqis, and internal government memos. The priveledge of viewing and knowing these things is easily lost.

We approach the final hour of the free Internet. As I write, forces within our society are beginning to impose control and restriction onto it. If these forces are not turned back, I know that within a decade that the free world’s Internet will be a mix of cable television and the supressed Chinese Internet. As a beggar, I present myself with the humility that my lowly position deserves. My plea is simple: stop publishing your vulnerabilities. We will need them.

I want my children and their children to have access to truth. Not just my truth, or my government’s truth, but all the other truths in the world as well.

I want us to be able to communicate easily and safely about the actions of our government.

I want the merits of the Internet to progress in form and finesse until we are ready to cast the criminals, thugs, and mammonites out power all over the world.

A secure Internet is an Internet without freedom, without privacy, and without anonymity. The nature of security is control. Were we to be governed by the just, I would worry little about this situation. Sadly, the political systems of the first world have been perverted by an evil which ensures that none who do not share its nature hold office.

Submitting yourself to a secure system requires that we have a reasonable amount of trust for the system’s keepers. Does your current government have the ideal qualities needed to control the flow of information? We should be keeping everything which may allow us to circumvent the system guarded closely. The subversion of trusted resources will eventually be the only way to keep forbidden information in mass circulation and the primary means of resistance against tyranny.

“If ye love wealth greater than liberty, the tranquility of servitude greater than the animating contest for freedom, go home from us in peace. We seek not your counsel, nor your arms. Crouch down and lick the hand that feeds you. May your chains set lightly upon you; and may posterity forget that ye were our countrymen.” –Samuel Adams

If you place any value on freedom, then stop working for the oligarchy and start working against it. I’ll admit, subversion does not pay well. It isn’t quite as cushy as the six figure job I passed up, but it has a great benefit: I can sleep at night. I’m not aiding a set of corporations and a government which used unethical means to corner vast amounts of wealth and proceeded to flagrantly abuse their power. The reward for doing what is right is better than any earthly reward that I could receive.

“He who passively accepts evil is as much involved in it as he who helps to perpetuate it.” –Martin Luther King, Jr.

To the employees of the biggest security firms of the world, all American, I want you to stop and look at the government of your country. You have an administration which has gone and invaded countries on a whim, which authorizes torture that is conducted in secret, which has less transparency than any government in recent memory, that places extreme emphasis on executive power… the countless historical comparisons that could apply here are obvious so I need not make them. This administration is a perfect example of the type of systemic corruption that is inevitable due to the very nature of power, of control, and yes, of security. People like this will soon be deciding the fate of the Internet.

When engaging in reasonable political discourse is not allowed you are going to be wanting to take your freedom back.

It is time for the last stand. Our mission is to retain the right to freely think, code, and communicate. Stop helping the industry, stop publishing your 0day, start working to make a real difference. Save your arms for the time very soon in which we will need them. Have faith in your self and your God and good works will come. We need not be slaves to a master that despises us!

Non-disclosure is a heroic endeavor. Be a hero.

Government control gives rise to fraud, suppression of Truth, intensification of the black market and artificial scarcity. Above all, it unmans the people and deprives them of initiative, it undoes the teaching of self-help… – Gandhi

–
Bantown is unprecedented as the first catalyst of the revolution to a have a tollfree customer feedback number. Questions? Comments? Call us at 888-LOL-WHAT. Chat us up at irc.rizon.net #bantown.

BANTOWN PRESENTS: Eleatic thought and hacker ethics

[posted to the ‘full-disclosure’ list]

Because of my philosophical leanings, I have made the assumption that freedom of speech and expression is an inalienable right granted by nature’s God. I have made the extension to this statement that the freedom to write code and execute your code is an extension to free speech. Fascists that may disagree with my statements may go ahead and skip this post.

Now, let us say you have a machine connected to the Internet. It is impossible, by this computer’s very nature, for it to do anything that is was not programmed to do. It takes in the data that it is given, processes it according to deterministic rules, and returns output that it could not possibly have deviated from. This process may be so complex that it appears to be stochastic, but it is nonetheless deterministic and we should not pretend it is anything but. This deterministic sequencing extends far beyond just your computer. If every element in a system is deterministic, then the whole system itself is deterministic. The entire Internet is a single, uninterrupted deterministic state machine.

I present to you the Eleatic school of hacker ethics.

The Internet is public property. No establishment has a right to own it, subvert it, subject it, or rule over it. It extends beyond race, nationality, religion, or geopolitical agreement. Now that we understand that the Internet is a single deterministic machine, we may approach this situation with logic and reason as opposed to knee-jerk reactionary idiocy. When connected to the Internet, your computer becomes a part of this deterministic machine. It is impossible for your computer to execute any code which it has not been programmed to execute. If your computer has been programmed to accept my arbitrary code, then there is no moral or ethical violation committed when I introduce my code to yours.

If you download and execute my code, you have done so willingly.

If your daemon executes my code after I introduce it in a manner that is innovative and unique, then your daemon has done exactly what it has been programmed to do.

You don’t want me to execute my code inside your code? Then keep your machine out of OUR deterministic state machine. Keep it on your own private network, so that someone will have to commit a real honest-to-God crime like breaking and entering to have access to it. The minute you connect it to a public network, it becomes connected to all of us through the 0 and 1.

Whitehats will try to play games and act like they’re the good guys. They will tell you that people who commit “computer crimes” are organized crime types who are out to empty your grandma’s bank account. Their arguments are bullshit. No doubt that emptying someone’s bank account is a serious crime, but we have real laws to punish this. The laws that we have made to punish “information crimes” are merely laws against thoughtcrime. It is impossible to commit crimes that extend solely in the wired.

Take a look at what your governments are doing. The majority of whitehats are employed in the US, where they have a leader that willingly and openly defies the fourth amendment of their constitution. They have a corporate oligarchy where a select few families get to control ninety-nine percent of the public funds and purposefully impoverish the working and intellectual classes. Things are only marginally brighter in the rest of the first world. This is your idea of a utopia, the system that you want to perpetuate indefinitely? Do you really want the tyrants in this new Rome to reign a thousand years like the last one did? I sure don’t, so stop preaching to me a bunch of bullshit about rule of law.

Wake up.

Stop working for these oligarchs that despise you. Band together, because at this point all that keeps the oligarchs in power is control over the ones and zeros. We have a power to change them for the better, a chance to make a lasting contribution to humanity.

You can be a hero in the manner of Plato, of Socrates, of Pappus, Pascal, Parmenides and Zeno. You can change the world. All you need is to cast off the shackles that your masters have put on you!

Be fearless.
—
Bantown is unprecedented as the first school of philosophy to a have a tollfree customer feedback number. Questions? Comments? Call us at 888-LOL-WHAT. Chat us up at irc.rizon.net #bantown.

(hack4.txt) A PHC PRODUCTION: The Real Scriptkiddies

[Posted to the ‘full-disclosure’ list.]

Does anyone find it strange that the talentless scriptkiddy Ron DuFresne is banging on about “kids this” and “kids that”? I certainly do. This clueless moron is in no position to speak down on or scold those he obviously knows nothing about.

If you search google for his name, you can easily see the technically inept scriptkiddy Ron DuFresne making a monkey out of himself:

http://www.google.com/search?q=%22Ron+DuFresne%22

This guy knows nothing beyond 1980’s security policy construction and point-and-click firewall operation. He makes many technical blunders in his posts and displays an uncanny knack for sounding like a total dumbass.

For those out of the loop, the scriptkiddy Ron DuFresne was a former member of the defacement group known as GForce Pakistan, albeit only for a month or so at most. What’s sad is that he has admitted this in the past, but justifies it as some kind of adventure “for research purposes.” He also denies having defaced any websites. Still, makes you wonder, doesn’t it?

I also see many other technically incompetent people/leeches on this list who are making unqualified assertions that so-and-so are scriptkids, that so-and-so don’t know their stuff, that so-and-so are attention deprived…

If you can answer ‘yes’ to all of the questions below, then by all means feel free to think of yourself as equal to or better than these ~el8 guys. Otherwise, please stop speaking down to people who are obviously much more technically skilled than your ignorance will ever allow you to be.
* Do you know how to program in C? Are you intimately familiar with ISO C89? C99? While other people in your neighbourhood were out partying, were you sitting at home in bed making an almost biblical study of the POSIX standards? What about those from The Open Group?

* Do you know how to write hash tables? Balanced trees? Do you know the art of algorithms? Do you know Knuth’s work like the back of your hand? Did you teach yourself everything about computers that one would otherwise only learn by paying thousands of dollars for in Computer Science tuition?

* Do you know how to juggle assembly code in your head for multiple architectures, such as MIPS, SPARC, x86? Do you understand the peculiarities of each architecture down to the nittiest, grittiest details? Can you optimize your own assembly routines? Can you take advantage of things such as Pentium instruction pairing or the delay slots in various RISC architectures? Do you understand the deal with the I-Cache on MIPS? Are you fluent in assembly language? Hell, do you even know what SPARC stands for? Quadrants in PA-RISC, make sense?

* Do you know how to write your own exploits? Do you know how to audit software with surgical precision for the most intricate bugs imaginable? Do you know how to take advantage of buffer overflows? Do you know how to exploit off-by-one errors on a little-endian machine? Do you know about integer overflows and signedness issues? Can you exploit format string vulnerabilities? Can you gain control of a process vulnerable to a heap overflow via a deep knowledge of the malloc implementation on the target host? Do you know how to bypass the “security” afforded by crap like Openwall, StackGuard, PaX? Or is your knowledge of these things limited to the papers that non-hackers publish? You probably think the people trying to help the security community with bullshit patches/fixes like this are hackers, when in fact no hacker would ever publish any such thing that aims to improve security.

* Have you studied the UNIX kernel with as much fervour as some would have for physical pursuits such as basketball or baseball? Do you know the data structures and organization in the kernels of various operating systems? Have you read books on UNIX internals cover to cover? Do you know how Linux works under the hood? Can you write your own kernel modules for both defense and offense? Ever written a kld on FreeBSD? Can you write a device driver for a peripheral that your OS doesn’t support? Can you find flaws in kernel src trees that allow you to compromise a machine given local access?

* What do you know about evading (N)IDS? Your knowledge isn’t limited to what Thomas Ptacek & Tim Newsham have said years ago, right? Surely you don’t rely on tools written by people like Dug Song who like to think of themselves as hackers, when in fact they are traitors to the underground, assuming they were ever a part of it to begin with.

* What do you know about defeating firewalls? What techniques have you innovated and pioneered on your own? What tools have you written that allow you to toy with firewalls? Hell, the fucktard security community is probably limited to lameass crap like Firewalk.

* What do you know about web security? Do you sit back and laugh at the “cross-site scripting” revolution governed by an idea that has been around well before the CSS/XSS sensation that literally blew the dumbass security community apart? Must’ve wasted a lot of brain cells with that gigantic stretch of the imagination. Do you laugh at all these “SQL injection” papers and how most of them overlook the blatantly obvious: they have you believe you have to fumble around with all kinds of convoluted queries to achieve something that can be done with minimal typing if only they’d read the fucking documentation for various DBMS. Their CGI experts like RFP and Zenomorph call certain script conditions non-exploitable, e.g. when you can’t get arguments supplied to a binary that you’ve managed to trick a Perl script into running — RFP mentions this in his Phrack article — yet any moron can easily figure out that you can use the POST method, make the script run /usr/bin/perl for instance, and have it run a script of your choice that is fed as stdin from the HTTP request’s POST data. Oh God, sorry for pushing the realm of web security forward with this INCREDIBLY COMPLEX revelation.

* Have you written your own tools that exploit protocol weaknesses? Have you written your own tools for routing protocol weaknesses, e.g. RIP, BGP? Have you written your own tools that play games with DNS? Have you written your own ARP cache poisoning / mitm tools? Your own tools for shit like icmp redirects and router advertisements? Can you write a tool that will exploit the TCP sequence number prediction + IP spoofing vulnerability of older days? Or can you only mock Mitnick for his 1994 attack, calling him a scriptkiddy? Or utter useless banter about ISNs and cookies that you digested from some textfile? Who are you kidding? Fuck, have you read all 3 volumes of the glorious TCP/IP Illustrated, or can you just mumble some useless crap about a 3-way handshake? Do you know Net/3 code? TCP algorithms? TCP extensions? Perhaps you’re some fucking security expert because you’ve memorized /etc/services — a walking fucking getservbyport, a la 70% of the Vuln-Dev subscription base.

……………………………….

I have seen the ~el8 guys cover the full spectrum of everything discussed above. 95% of the people calling them scriptkids probably can’t even code helloworld.c.

Further ranting for those who are so quick to judge…

Are you just a fucking whitehat leech who knows nothing more than how to use tools written by others? Using techniques and exploits that most likely originated in the playground of blackhats known as the computer underground. More likely than not you’re a fucking scriptkid who only knows how to do mundane and trivial crap like configuring ACLs on a Cisco router or some half-assed product such as Firewall-1.

You likely are so ignorant that you believe anyone who compromises machines is a clueless scriptkiddy like yourself. You likely are so idiotic that you believe that Bugtraq and CERT will protect you from the latest 0day exploits.

You think Apache 1.3.26 can’t be compromised remotely with one of four two year old Apache remotes that haven’t even been hinted at on the security lists. You think sendmail is (now) remotely secure because what you don’t see on Bugtraq doesn’t exist. Qmail. ProFTPd. My God, you people are so fucking out of it. People report intrusions on their machines and you dumbfucks immediately conclude it’s done by some public vulnerability, e.g. OpenSSL. That’s right, because in your ignorant bliss there are no skilled people out there who would actually use their exploits to hack. Narrow-minded fools. Scriptkiddies.

You know nothing of what lurks beneath the surface glamour of the corrupt security industry/community. Your only resort is to call these people kids.

Trust me, they laugh at you clueless imbeciles. They laugh at your feeble attempts to manipulate hacking so that it becomes some fucking ethical or philanthropic pursuit. They laugh at your “hacker vs. cracker” debates. They laugh at anyone who thinks hacking isn’t about compromising computer systems.

Who are the scriptkids now? You’re outgunned and outclassed. Take a nap and retire, you pathetic leeches.

The scriptkids like Ron DuFresne and Anodyne Perspective are likely going to snap after reading this, so I’m sitting back looking forward to the imminent outbursts from these scriptkids whose only rebuttals will be in the…

“I have my fingers in my ears, can’t hear you kids NANANANANAN JAJAJAJAJAJA itiththdsfhg grow up immature children, get a girlfriend HHSHee KkakakKAkka pffffttt damn kiddies.”

… range.

All “dox” dropped on the lists have been fake. They have been engineered by people either making false assumptions or trying to get their “foes” in trouble. Most of the phony ~el8 members lists mention people that have been attacked by ~el8, ironically enough. Put one and one together. There is only valid “info” for one of those poor souls, anywayz.

It’s time for an underground revolution. You all quote The Mentor’s Manifesto in your misguided ethics rants; alas, The Mentor was an active hacker, in the true, modern sense of the word. Stop being brainwashed ye hackers. Keep your souls untarnished.

It’s time to bring the corrupt security industry to its knees.

hack3.txt

Don’t be confused by the evil words of whitehats. They dont really care about security, all they care about is money. They are hypocritical mercenaries that will do whatever suits _their_ interests. The common whitehat belief, is that we should pity corporations and private entities for not having the knowledge to secure themselves, and as such should feel some sort of moral duty to use our knowledge and abilities to aid them in the protection of their assets. Make no mistake however, these companies care for nothing more than their bottom line. None of them really want to secure anything all they want is a scapegoat, someone they can point the finger at when shit hits the fan and say, “It’s his fault Mr. CEO, that’s why our client databases got posted on a public hacker website.”. Let’s examine the converse side of the situation, do you think for a second that senior level executives in companies who’ve managed to figure out the system to the extent where they can embezzle, swindle, and screw good people out of millions and millions of dollars totally unjustly (and yet entirely legally), would feel any sort of obligation whatsoever to use the knowledge that they had gained to facilitate those who did not have that knowledge in obtaining what it is they were after ($$$$).

Why should I feel at all inclined to protect the assets of people who have more than likely obtained those assets by ‘morally’ unscrupulous actions. In all actuality, we have established that contrary to what prominent people in the business community will have you believe there is very little (if any) ethics involved in the business model of your average supercompany, (Worldcom, Enron, Tyco, etc.) which more often than not employs the “Let’s fuck them, before they fuck us” mentality. I challenge whitehats, any and all, to give me a single viable reason as to why I should feel compelled to help a bunch of self-interested, self-absorbed, financial barbarians protect assets they probably shouldnt have in the first place. Why should I care if sl4ppyj4ck the script kiddie makes life miserable for a bunch of assholes trying to cash in on the inherent gullability of the average schlep, who cant find people skilled enough to secure their machines without subscribing to bugtraq? See the whitehat community will also have you believe that we need to make the information superhighway safe for “Joe Q. Websurfer”, when in all practicality “Joe Q. Websurfer” is only going to be targeted by script kiddies, who would never have the means of causing him any grief if powerful exploit code wasn’t given to anyone with a compiler. If the information I’m providing to a person, for whatever reason, is being wasted or undervalued, why should I continue to give this person (or group of people e.g. SECURITY COMMUNITY) this information?

So we must ask ourselves the following question: Who is really benefitting from full disclosure practices, the companies that will most likely not even patch holes after they’re released, and even if they do remain vulnerable to countless number of “0day” bugs that will remain undisclosed. Or is it really the under- talented, overrated, glory seeking, self-proclaimed “Security Guru” provocaturs of anything that will increase their profit margins, and notariaty, at a rate directly proportional to the amount of security FUD that exists on public full disclosure mailing lists.

The message is simple:
STOP READING BUGTRAQ, STOP POSTING EXPLOITS, CLOSE YOUR FUCKING WEB BROWSER, START READING A BOOK, START LEARNING SOMETHING THAT WILL BE MORE SELF-FULFILLING THAN BEING A FUCKING LEECH THAT MAKES MONEY OFF OF THE TIME AND EFFORT OF PEOPLE SMARTER THAN YOU COULD EVER HOPE TO BE.

-Someone who’s sick of supporting an unrighteous cause.

hack1.txt

The dictionary.com definition:

hack·er1 Pronunciation Key (h k r)
n. Informal
1. One who is proficient at using or programming a computer; a computer buff.
2. One who uses programming skills to gain illegal access to a computer network or file.
3. One who enthusiastically pursues a game or sport: a weekend tennis hacker.

Historically, the definitions of words in a language changes over time. I’m sure there is someone out there who is educated and can provide me with the term for this phenomenon; and whoever you are, you can go fuck yourself. I’m not bragging to be a scholar, because that is something that I’m not. However, I am a hacker, and because of this I can make the following statements.

1) A hacker is someone who hacks.
2) Hacking is comprimising computers/computer networks.

A hacker is not someone who writes socalled “useful code” (operating systems, applications, etc). Hackers write tools to aide with the comprimise of computer networks. And hackers _use_ those tools; they do not sell them to the highest bidder, and they do not use them to make a name for theirself so that they can then become a “security consultant”.

Silly rhetoric aside — the important point is this: Hackers hack.

If you do not hack, you are not a hacker. That simple.

On a semi-related note. . .

Anyone who claims to be an “ethical hacker” is a moron. Hacking has nothing to do with ethics. There is no “ethical hacking” or “unethical hacking”; there is only hacking. If you have to dance around the definition of what a hacker is, or you have to dance around the definition of what hacking is, then what you do is not hacking, and you are not a hacker.

-a PHC member