* Author: Brian McWilliams. Brian McWilliams Business
     * Date of Publication: 01.16.03. 01.16.03

                       Hackers Humble Security Experts

   A wise-cracking group of hackers confirmed that its claim this week
   that it spread an anti-piracy virus was nothing but a hoax aimed at
   garnering fame.

   But members of the group, known as GOBBLES Security, conceded that a
   program it released to demonstrate the problem was a Trojan horse
   capable of destroying files on the computers of unwary UNIX users.

   Experts said the bizarre incident, which caused a brief frenzy
   among some security firms and fans of music file sharing, follows a
   grand tradition of pranks by the playful hacking group.

   "I think that the latest GOBBLES advisory is genius," said Dave
   Aitel, head of Immunity Security, a security software and services
   provider. "GOBBLES takes the piss out of all of us, and we need
   to respect and appreciate that."

   GOBBLES' advisory said the Recording Association of America had
   contracted the hacking group to develop a hydra-like computer worm
   that has already spread widely by exploiting security vulnerabilities
   in several popular music programs.

   GOBBLES claimed the anti-piracy tool enabled the RIAA to create
   infected MP3 music files and distribute them through file-sharing
   networks, compromising and cataloging the infected systems.

   In an e-mail interview, GOBBLES representatives admitted that they
   fabricated the RIAA claim to get attention.

   "The only excuse we can offer for our immaturity is that we like the
   fame," they said.

   An RIAA spokesperson also said GOBBLES' claim that it's working for
   the trade association was a hoax, but the representative declined to
   comment on RIAA's technology-based anti-piracy efforts.

   However, a security flaw described in the GOBBLES warning was very
   real, according to Michael Hipp, developer of mpg123, a
   UNIX-based MP3 player cited in the advisory.

   Included with the GOBBLES advisory was source code to a hacking
   program that exploits the security bug. The use of mpg123 to play
   special MP3 files created by the hacking program will delete files on
   the user's computer with the UNIX command "rm -rf," GOBBLEs
   acknowledged.

   "If anyone was dumb enough to lose data because of this, they deserved
   it," wrote GOBBLES representatives in an e-mail, which also noted
   that the program warned users before deleting their files.

   Dan Ingevaldson, an R&D manager at Internet Security Systems,
   said GOBBLES is "kind of an enigma" and is known to distribute both
   serious and frivolous advisories. But Ingevaldson said he always
   enjoys reading the group's bulletins, even though they sometimes
   poke fun at ISS.

   But to some in the security business, Gobbles' pranks and long-winded
   advisories - often written in faux broken-English and
   containing diatribes about the industry - have become tiring.

   "It's just a big waste of everyone's time... It's about as
   useful as a bag of flaming dog doo on your doorstep," said Ryan
   Russell, author and former moderator of the Vuln-Dev security mailing
   list.

   Indeed, GOBBLES' haughty attitude has made the group the target of
   recent attacks, especially after a GOBBLES leader, who uses the alias
   nwonknu, ridiculed members of the security industry in a rambling
   keynote address in August at the annual DEFCON hacker convention in
   Las Vegas.

   The following month, a computer allegedly owned by nwonknu was hacked,
   and some of its contents were anonymously posted to
   Full-Disclosure, a security mailing list, from the e-mail account
   bastedturkey@hushmail.com.

   Then in October, someone forged hundreds of nonsensical messages
   to the list with the subject line "Poot ze-a cheekee in de-a oofee!"
   from GOBBLES' e-mail address. The incident caused some list
   participants to call for a blockade of e-mails from the group.

   But some security experts said GOBBLES' technical prowess gives the
   group a platform as the voice of conscience for the security industry.

   Mark Litchfield, co-founder of NGSSoftware, said he put up $275
   in response to a public request last August by GOBBLES for help
   with airfare to DEFCON.

   According to Litchfield, Gobbles "knows (its) stuff" and shares its
   findings with the security community "instead of keeping all (its)
   advisories/exploits and sharing them privately with the black-hat
   community, which I would feel is a greater threat."

   In a jab at SecurityFocus, the Symantec-owned security firm that
   operates the popular Bugtraq mailing list, GOBBLES registered
   the domain Bugtraq.org in 2001. Due to an apparent spate of attacks
   on the site (archived here), GOBBLES' advisories have been
   mirrored at a site hosted by Aitel. According to Aitel, who said
   he has no other involvement with the group, GOBBLES helps to keep the
   security industry's "huge egos" in check.

   "GOBBLES teaches everyone the valuable lesson that no matter how
   elite we are, how rich we are, how many three-letter agencies we have
   contracts with, how much of the Fortune 500 relies on us to keep their
   systems secure, someone out there is giggling at us," said Aitel.