jim@elwood.net
June 26, 2008
Repost of Denven and the BSD-News hack

Reposted in full! Denven is back, and unrepentant. He did not hold up his end of the deal, so why should I do mine? Orginally posted here. Read why it was reposted here.

——————-

Well! You try to do the right thing and look where it gets you!

This is an amusing side effect from the BSDnews site breach from Friday. I had that behind me, notices went out to affected parties, issue closed. No big deal. Well, apparently not for some people!

Turns out that Denven (also known as eagle to his good buddies over at http://www.golden-warez.com) was not too pleased that I was talking about the issue on my website here. But you might ask, why would I think that? Well, it took me a bit to figure out what was going on at first. Let me show you a little peak into our e-mail exchange we shared:

from: denven
to: jameso@elwood.net,
date: Sun, Apr 27, 2008 at 10:36 PM
subject: BSDNEWS INFO REMOVE!

I want you to remove the information about BSDNews. Else i don’t know if your websites stays exists.

Denven


Well, I was not quite sure what was going on here so I asked for clarification:

from:    Jim O’Gorman
to:    denven ,
date:    Mon, Apr 28, 2008 at 12:12 AM
subject:    Re: BSDNEWS INFO REMOVE!

Hi there Denven.

Just wondering, what does my site talking about BSDnews concern you? Obviously you care for some reason, but its not obvious to me why you do. Mind filling me in?

Thanks
Jim


See, sometimes I am not too quick on the uptake. Denven was kind enough to fill me in using plain language that even one such as myself could understand:

from:    Denven
to:    Jim O’Gorman ,
date:    Mon, Apr 28, 2008 at 4:31 AM
subject    Re: BSDNEWS INFO REMOVE!

Just fucking remove it


Alas, I was not fully awake when I replied to this message. So, once again I tried Denven patience with me and asked for further clarification:

from:    Jim O’Gorman
to:    Denven ,
date:    Mon, Apr 28, 2008 at 6:07 AM
subject:    Re: BSDNEWS INFO REMOVE!

What would be accomplished by me removing it?

I am not trying to be rude here or anything, but look at it from my position. Some guy here I don’t know shows up and starts and starts barking orders at me. At least could you tell me who you are? What your goal here is? That sort of thing.

Thanks.
Jim


At this point, I feel that Denven and I began to form a real relationship. So, he told me a little about himself and where he was coming from with his request:

from:    denven
to:    jameso@elwood.net,
date:    Mon, Apr 28, 2008 at 6:31 AM
subject: Re: BSDNEWS INFO REMOVE!

Ok lets become seriouse.
I am eagle/denven.
I didnt know bsdnews was famous.
But 2 things:
1. I didnt hack any user  of the 5498 users.
2. I just publish at hack zones to proof my skill.

But why did you placed that news?


See, something you have to understand about Denven is, he is a Dutch hacker. In fact, well, lets let Denven speak for himself shall we?



And, ladies! You know now Denven has the skillz, and guess what?!? He is looking for a Hax0r Chix!


Now that we know Denven a little better, lets continue on with my conversation with him. Now remember, when we last heard from Denven he made a couple of statements and asked me a direct question. Knowing the extent of Denven’s skillz, I felt as if I owed him a legitimate, up front answer. So, I delivered:

from:    Jim O’Gorman
to:    denven ,
date:    Mon, Apr 28, 2008 at 8:48 AM
subject:    Re: BSDNEWS INFO REMOVE!

Ah! Nice to meet you Eagle/Deven. First off, I am not sure I would exactly call bsdnews famous. It was just a community driven open source news site. And according to slashdot, its official: BSD is dying.

In all seriousness however, you asked a legitimate question and I am prepared to give you a legitimate answer. But first, I want to address a couple things you said here.

First off, you say you did not know bsdnews was famous. Really, what does that matter either way? I mean, lets ignore the fact that rule #1 is to know your target, and you freely admit to blowing that one, what does it matter the level of “fame” the site has? You took unauthorized access to the system and publicly posted sensitive information. The level of notoriety of the victim does not really matter here.

As for the fact you did not hack any of the 5498 accounts, so what? You made that information public. Now, shame on BSDnews.com for keeping those passwords in clear text. That is obviously negligent of them, but it does not absolve you of the harm you did. The fact is, if any one of those 5498 (give or take as there was some dupes) individuals are harmed based on the fact you made their information public, you could be personally held responsible. If just one of those people have a paypal account that is drained of money, or a amazon account that has unauthorized purchases made, that is on you. You enabled criminal fraud to talk place and would be an accessory a crime, and that is on top of the criminal trespass that you already freely confess too.

Now, you might be able to hind behind some other countries laws. But perhaps not. I don’t know where you live. Up to the point you started threatening me, I did not care about you at all.

To the topic of just posting to hack zones as proof of your skills, I call bullshit. If all you wanted to do was display proof of your “skillz”, you would have found the problem and contacted the BSDnews site admins informing them of the problem on their website. They would have corrected the problem and publicly given you credit. You would have the “fame” you desired, and no citizens would be hurt by your actions. In fact, you would have gotten more attention through this method rather then the one you took.

As for why I posted this news? Well, first off lets just be honest here, elwood.net is a bit site. Its more of a personal linkblog for myself for things I might want to go back too and a place where people can google me and find out what I am up too. On the other hand, I felt as if this issue was one that was worth making as public as possible. This has nothing to do with you, and more with trying to make sure victims of your actions can minimize their exposure as much as possible. If me having it on elwood.net helps this in any small way, it is a good thing.

As for you, I can understand why you might be upset. I am sure this is more exposure then you really wanted. But really, this is the world you stepped into brother, and this is the world that you now stand. Even if I did take the post off my site, that won’t change anything. Once it is out there, it is out there.

My advice to you is, publicly apologize for what you did and work with the BSDnews people to get it cleaned up. Take down your warez site. Still practice your trade, but do legit disclosure to sites or companies you find issues with. And really, in the long run you could make some decent money off of it. Look at the CanSecWest, Charlie got over 10k for selling his Safari exploit. Why spend your time with these little warez-d00d sites posting hacks to two-bit sites when you can make some real money?

Honestly, I don’t have anything against you. I hope you do the right thing, just don’t be scared like you sound. I am willing to help you out on cleaning up the mess you are in if there is something I can do, assuming you are trying to do the right thing. If you want to continue on the road you are going, all I can do is wish you luck and hope you don’t hurt too many people too bad.

On the other hand, you have your site back up with the passwords still downloadable from your forums. So, I don’t have high hopes.

Thanks
Jim


Now, here is Denven’s moment of truth. I am extending the hand of friendship to him, offering to help clean up the issue if he shows remorse and a willingness to do the right there. So what did Denven do? What action did he take next? Well, as I am posting this all publicly here, what do you think he did?

from:    Denven
to:    Jim O’Gorman ,
date:    Mon, Apr 28, 2008 at 8:57 AM
subject:    Re: BSDNEWS INFO REMOVE!

Ha great story,
But you are right, I will do my excuse when bsdnews is up.
I dont know, i just downloaded their database, and then the site was down??
I dont know what happened, but i didnt make die the server.
But nice story , and i appreciate your time for this.

PS; i removed the download already, who this is hosted further, its not my responsbelitty(something like that: :P)
And my warez should continue, because i get some good money for it. (for ads)

and you dont have to publish this contact at your website.
Else I had given this message as comment at ur website.

Greetz


Oh! Denven! Really? I offer to help you out, and all you can do is brag about how you have a GREAT excuse ready if you ever do get in trouble? Oh, and you will keep the warez site up, as you get great m0ney from it! Denven, really my boy. I expected such good things from you. I thought you turned the corner. Sad to see a bad kid stay bad.

Well, had just about enough of this! I was ready to throw down! So I challenged Denven to a dual!

from    Jim O’Gorman
to    Denven ,
date    Mon, Apr 28, 2008 at 10:59 AM
subject    Re: BSDNEWS INFO REMOVE!   

Tell you what. Lets face this down like men.

I challenge you to a dual. You and me, one on one, on Call of Duty 4. You pick the map. First to 20 kills wins. I win, I post this e-mail thread. You win, and I will take down the posts from my site. (Has to be on the PS3 though, I don’t have an Xbox 360.)

How about it? Are you man enough?

Thanks
Jim


Was Denven man enough to take up the challenge?

from:    Denven
to:    Jim O’Gorman ,
date:    Mon, Mar 10, 2008 at 12:05 PM
subject:    Re: BSDNEWS INFO REMOVE!

Haha, funny you start talk about that,
First i need to finish my exams, then i got a xbox from my parents.
But on the pc we can


Oh, little Denven needs to wait until after his exams, then his parents will buy him an Xbox! Denven, I though you made good money off your warez site ads? What up with that?

Now, it may seem like I am picking on poor Denven here. And, well, I am. Denven, consider yourself picked.

However, I did not care at all about the person responsible for the BSDnews hack at all until Denven decided to sling threats my way. Plus, I am refraining from posting Denven’s telephone number and address (I have them). But really, what got me upset about this the most is the fact that Denven finds this funny. Observe:
See, there is no remorse here. The boy finds this funny.

And this my friends, is the world we live in. This is a world where a pimple face youth from the Netherlands can find time between exams (that he needs to pass to get his xbox) to reach out and touch the lived of 5400 some odd people and put them at risk. The kid has no idea the implications of what he really did, and its doubtful he ever will. The fact is, it is doubtful that any law enforcement local to Denven will take any action against him. Kid will not even get a phone call chewing him out (I thought about calling his parents up, but I don’t speak Dutch (Any takers?)).

These script kiddies are free to take these actions free from accountability. Until that changes, the state of security on the Internet will not change.

Now Denven, go away or I will taunt you once again. Tomorrow is the big day, what with the release of Grand Theft Auto 4 and my SANS Local Mentor Computer Forensics and Incident Response class. I don’t have the time to engage you any further. But, I will make a deal with you here: You take down your warez site (but, you can keep on doing your dance music site!) and leave the script kiddie world and I will take down this post.

Comments (View)
blog comments powered by Disqus
1 of 1
This theme was created by Peter Vidani. It's called Secret Lab.
Standing on Tumblr