From: sockz at email.com (sockz loves you)
Subject: Administrivia

Hi Scott.
It was refreshing to read your email.  I agree with you on many points and
couldn't resist the urge to reply.

> For the most part, I agree with you. I've spent a lot of time reading over
> some rants/manifesto-type stuff at http://www.eurocompton.net/~fuk/phrack/
> and elsewhere. My attitude about this whole situation was basically "same old
> tired angst, new set of kids", until I started looking past the l33t speak
> and the profanity. ethics1.txt really started to change my mind a bit.
> 
> That said, there was one point below that I was hoping you'd elaborate on.
> 
> So what you are advocating is no more public discussion of security issues,
> because such discussion is invariably co-opted by large companies as
> basically free research, and they then go on to make money off of the sweat
> of various hackers. Is this more or less correct?

to a degree.  yes, that is part of it.  but it's only a minor part.  first of
all, the people it makes money OFF are not hackers, they're whitehats with the
delusion that they are hackers.  the people it TAKES capital gain from, though,
ARE hackers.  but like i said, this is just a minor point.  the big part of
the argument is that through public discussion of security issues you have
morons leeching off the ideas of those with intelligence.  people cease to
work for themselves.  that and it's just plain stupid to begin with.  hackers
aren't after security.  they're after security that can be compromised.
 
> I agree with your sentiments, however: by not publicly discussing security
> information, we ensure that only the underground (which you must admit has
> more than its share of people eager to misuse such info) has this knowledge.
> If the underground could be trusted not to hurt others with the knowledge, I
> would not have a problem keeping it there. My issue is, when exploits and
> holes stay private, it means that a small group of individuals is able to do
> some very nasty stuff to people that have no means of protecting themselves.
> Being on the receiving end of that kind of attack is frustrating and can be
> rather scary at times.

yes.  but that's life, Scott.  and in many ways, if you think about it, we're
all better off in a scenario like that.
a) it restores the "knowledge = power" relationship -- forcing all the stupid
   people to stay stupid and not rise to fame on the shoulders of others.
b) when an exploit is known to only a small covert group, it cannot be used
   by many other people.  hence, fewer people are affected by that exploit.
c) the fewer internet security companies you have, the better.  why?  because
   they are _companies_ and the fundamental focus of any company is profit.
   while their core function may be security, it is the exploitation and
   careful manipulation of that core function that is used for profit.  HENCE
   you have more capitalists trying to exploit the security fears and
   inhibitions of people like e-business executives where it is UNNECESSARY.
   the entire security industry is HOLDING BACK e-business because it generates
   fear and paranoia in order to generate profit.

so the part where one individual may suffer isn't of any great concern.  you
remove the security industry and you remove this 'desire for profit' that has
managed to latch itself onto the minds of programmers.  it's not about profit.
it's about information.  it's about intelligence.  to put a price on intelligence
is to devalue humanity.
 
> I used to think the solution was full disclosure of all information - after
> all, hackers used to have the motto "Information wants to be free", and this
> was the motivation in days gone by. What I'm sensing now is that attitude has
> been replaced by cynicism as hackers, working for the good of the community,
> have had their work stolen by greedy corps.

YES!!!! YES THAT IS EXACTLY RIGHT!  And it has changed the psyche/mindset of
those who used to call themselves 'hackers'.  they have changed into profiteers
whose only concern is public glory, money, and having their ego stroked.  greed
like that isn't human and it isn't smart.  anyone who argues that it's the
challenge of uncovering an exploit that leads them to post information on
something like bugtraq, is lying.  it's not the challenge that motivates them.  it's
the public recognition that they're after... the recognition that they have
*some* kind of intelligence capable of meeting that challenge.
 
> So maybe the solution now is more along the lines of what Raschid said -
> hackers banding together, closing ranks, keeping the info and techniques and
> knowledge available, but available to the underground, and most importantly,
> making sure ethics (along the lines of what Raschid said) are passed on.
> 
> The idea that with great power comes great responsibility is one that I think
> is missed sometimes, especially in newer hackers who are merely in a rush for
> power or glory.

this is perfectly true.  and real power is not overt in its nature.  real power
is covert.  it is hidden and unseen.  if knowledge = power then it stands to
reason that those who give out their information give away their power.  what
you end up with is an immature society that's conditioned to dealing with power
by giving it away because they have no idea how to handle it responsibly.
furthermore you have power being given to those who wouldn't normally have
knowledge of the vulnerability.  and with that you have those morons out there
who are not able to handle the information in a responsible manner.  THINK
ABOUT IT.  if you were smart enough to discover a way to compromise a system
in the first place, your first reaction isn't going to be as stupid as to tell
every script kiddy you see.  nor are you going to go and exploit it without
caution.  no.  you're going to store your knowledge and use it in a manner that
renders covert results.  i.e. results that don't provoke victims to draw attention
to you.
 
> Is there no room anymore for the original definition of the word? (referring
> to ESR's jargon file entry) It looks like the definition being embraced is
> the criminal one (i.e. hacker being akin to a cracker, somebody who breaks
> into other machines, rather than a hacker being someone who creates things).

[next bit is actually from the end but i put it here cuz it's relevant]

> The name 'hacker', until recently, did not mean somebody who breaks into
> systems. Some would argue that the meaning you ascribe to it is what has
> sullied its reputation; that the true meaning of hacker is more along the
> lines of the jargon file entry.
> 
> http://www.tuxedo.org/~esr/jargon/html/entry/hacker.html

true.  i don't refer to "crackers" as such.  i did at one stage but really, it's
just a whitehat term that allows whitehats to call themselves hackers, and real
hackers end up not being hackers at all.  eric may be right in the origins of
the word, but society changes.  the word "gay" is a good example of that.  or
"faggot".  i mean if you look up the word "faggot" in the dictionary it gives
you something completely different to the meaning we have for it today.

fag·ot also fag·got   Pronunciation Key  (fgt)
n. 
A bundle of twigs, sticks, or branches bound together. 
A bundle of pieces of iron or steel to be welded or hammered into bars. 

tr.v. fag·ot·ed, also fag·got·ed fag·ot·ing, fag·got·ing fag·ots, fag·gots 
To bind into a fagot; bundle. 
To decorate with fagoting. 
(source: http://www.dictionary.com/search?q=faggot)

eric also suggests that a person isn't labelled a hacker unless someone
else labels them a hacker.  and i think that's kinda stupid.  a person whose
hacking activities are THAT known to a community (of any sort) isn't a
hacker.  they're an "imbecile".  people exist outside of labels, Scott.
you could say someone is an accountant who occasionally dabbles in the art
of magic.  whether you see them as a mage or an accountant is beside the
point.  the point being that books are still balancing and you still
find them strangely charming.  you could call them a janitor and still see
the same effect.

> The law has a tendency to condemn blackhats, to date. :) (Those that are
> caught, anyway.)

yep.  but only stupid and irresponsible blackhats get caught.. those who don't
know how to handle their power... those who are looking for scene status or
seek some other un-intellectual goal.  and if you look at a lot of the policy
drawn up in the past few years to deal with blackhat hackers, you have to
realise that it has come as a result of the security industry's grip of
paranoia over luddites.  and i can tell you that most of the policy makers (be
they politicians or bureaucrats) aren't all that computer savvy.  when looking
for information they go to a security company and that company tells them to be
scared.  so even though they may learn as they go along, what they learn is
based on this notion of "the internet is scary, it's not secure, and hackers are
everywhere just waiting to pounce!".

a smart hacker will work in collusion with the government, just like your media
moguls work with politicians.  or like law enforcement agencies work with your
ISP.  like i said, real power is covert.  and if you have that kind of power
it's very hard for someone to take it away from you.  because they don't know you
have it.

Hope this made my previous posts a bit clearer.