Open Source and information security mailing list archives
From: aliver at xexil.com (aliver@...il.com)
Subject: true hacker apostasy

On Fri, 16 Aug 2002, sockz loves you wrote:
> to a degree.  yes, that is part of it.  but it's only a minor part.
> first of all, the people it makes money OFF are not hackers, they're
> whitehats with the delusion that they are hackers.

Good distinction, nice to point out that the "ethical hackers" aka
corporate pen-testers are, for the most part, not hackers. They hate it
when you point this out, and as you mention later on, try to split hairs
about the "true" meaning of hacker. As someone else already said, "you
either hack, or you don't."

> the big part of the argument is that through public discussion of
> security issues you have morons leeching off the ideas of those with
> intelligence.

Very true. This is a non-original recurring point that you don't see
making its way to Bugtraq much (ever?). It can't be stressed enough.

> people cease to work for themselves.

I'd say they have already ceased. This "security industry" is so diseased
already. To illustrate your point there is one very large corporation (the
largest?) that I'm aware of who has an internal "network security
auditing" tool. The checks performed by this tool are 99% leeched off of
the intellectual labors of not-for-profit hackers. The tool itself is
fairly complex, and the guy that wrote it is no dummy. However, the point
is that this three letter acronym corporation gets the real work done for
them, and their systems benefit from checks it performs. IMHO, they don't
deserve it because of the nature of who they are and what they represent.

> a) it restores the "knowledge = power" relationship -- forcing all the stupid
>    people to stay stupid and not rise to fame on the shoulders of others.

"Knowledge given is power lost" -Aleister Crowley

> b) when an exploit is known to only a small covert group, it cannot be used
>    by many other people.  hence, fewer people are affected by that exploit.

Morally it would offend most people. However, the logistics of what you
are saying are true.

> HENCE you have more capitalists trying to exploit the security fears and
> inhibitions of people like e-business executives where it is UNNECESSARY.
> the entire security industry is HOLDING BACK e-business because it
> generates fear and paranoia in order to generate profit.

Well, in some ways. However, I think that one critical element that you
gloss over is that they are so afraid and ignorant that they cannot be
pragmatic. In my opinion, they have no one to blame but themselves. If
they hire pen-testing firms to tell them what's wrong, and those guys make
a killing off of their ignorance, it's kind of poetic justice.

What I don't like is the fact that the pen-testers are using tools
and information they didn't really work to obtain. As you say, they have
mostly stood on the backs of hackers and free software authors to do their
jobs. Shame on us blackhats and programmers for letting them take
advantage of us like this. I hope it was a mistake due to a naivety that
is passing. I for one won't release a damn thing for public consumption.
I'll release it to only whom I wish, in secret, for my own purposes.
Thanks to corporate executives buying all the power away from my vote
with lobby dollars and campaign contributions, I can no longer afford to
risk what freedom I have left by maintaining some illusion that the First
Amendment will protect me and subsequently leaking information or tools to
the public. I've felt that way for a long time, actually, but never more
strongly than now. HP recently showed how prudent of a move this was. So
too did the "life sentence for hackers" bill.

> so the part where one individual may suffer isn't of any great concern.
> you remove the security industry and you remove this 'desire for profit'

As much as I share your wish for this "industry" to crumble to dust, I
fear it's never going to happen. Fear is a powerful marketing tool, and
these companies are just warming up and figuring out how to use it.

> that has managed to latch itself onto the minds of programmers.

Hopefully with a bit of well placed disillusionment, we programmers will
all unlatch ourselves.

> it's not about profit. it's about information.  it's about intelligence.
> to put a price on intelligence is to devalue humanity.

"Nothing has such power to broaden the mind as the ability to investigate
systematically and truly all that comes under thy observation in life."
-Marcus Aurelius

> YES!!!! YES THAT IS EXACTLY RIGHT!  And it has changed the
> psyche/mindset of those who used to call themselves 'hackers'.  they
> have changed into profiteers whose only concern is public glory, money,
> and having their ego stroked.

Some did, but not all. I point at the L0pht crew for a good example.
Although they don't do much to facilitate ego-stroking anymore. They are
probably too busy lighting cigars with $100 bills.

> greed like that isn't human and it isn't smart.  anyone who argues that
> it's the challenge of uncovering an exploit that leads them to post
> information on something like bugtraq, is lying.

They might have done it for the challenge, but I agree that the impetus
for posting it was for "glory".

> it's not the challenge that motivates them.  it's the public recognition
> that they're after... the recognition that they have *some* kind of
> intelligence capable of meeting that challenge.

That's not all that horrible, though. I happen to play guitar and write
poetry. You can win friends, influence people, and occasionally impress
the opposite sex sometimes by such forms of self-expression. I've found
both pursuits very gratifying for myself, but the aforementioned ancillary
effects didn't hurt either. However, writing code rarely, if ever, results
in such appreciation. C programmers and most other people above
sysadmin-who-codes-in-perl do some pretty difficult things for some pretty
unappreciative people. I rarely hear any praise for my professional work
or get any recognition for the labor I've saved someone else. I usually
only hear complaints about how something is "user unfriendly" or rants
about how I should have fixed some minor bug.
What is gratifying about hacking to me is two fold. First of all
it's more fun to participate in tradecraft than trade-craft. Secondly, the
payoff is the occasional fulfillment of some of my own personal
political goals, no matter how trivial of a form it actually takes. In the
end it's still better than being forced to write some accounting package
or device driver.

I can see why hackers (the programming kind) post their exploits
occasionally. It's fun sometimes to start a big bonfire and watch it blaze
around you. However, these days my "old age" has kept me too afraid of
being burned by the conflagration myself. I'd prefer to create a torch and
leave it accidentally laying around for someone with a little more spunk,
and a little less to lose. After all, making torches isn't illegal, if you
catch my drift.

> this is perfectly true.  and real power is not overt in its nature.
> real power is covert.

True power is never brokered in public. Wizard's First Rule.

> you end up with is an immature society that's conditioned to dealing with
> power by giving it away because they have no idea how to handle it
> responsibly. furthermore you have power being given to those who
> wouldn't normally have knowledge of the vulnerability.  and with that
> you have those morons out there who are not able to handle the
> information in a responsible manner.

Yep. If you ask me the corporations who create pen-testing tools are just
as irresponsible as the script kiddies they are "fighting". The only
differences are the script kiddies don't delude themselves into thinking
that they are helping the corporation, and the pen-testers are making some
quick cash off the deal.

> THINK ABOUT IT.  if you were smart enough to discover a way to
> compromise a system in the first place, your first reaction isn't going
> to be as stupid as to tell every script kiddy you see.  nor are you
> going to go and exploit it without caution.  no.  you're going to store
> your knowledge and use it in a manner that renders covert results.  i.e.
> results that don't provoke victims to draw attention to you.

Sometimes that's true, but not always. It heavily depends on what your
goals are. Consider the case of the guy who wrote Code Red. He didn't
release the bugs (they were already known), he didn't exploit it without
caution (i.e. he's still at large), but he DID provoke the victims and
would draw a great deal of attention to himself if folks knew who he was.
In fairness, it could have been a woman, too. It's a shame there aren't
more female hackers, but that's the breaks, I guess.


> it's just a whitehat term that allows whitehats to call themselves
> hackers, and real hackers end up not being hackers at all.

Very astute observation. I very much agree with your point here.

> eric may be right in the origins of the word, but society changes.

Yep, words change with as little as inflection differences. No reason to
stick by definitions that don't work anymore.

> eric also suggests that a person isn't labelled a hacker unless someone
> else labels them a hacker.  and i think that's kinda stupid.

I don't know his exact definition, but if that's the case, it's definitely
stupid. A hacker doesn't need the validation of some other authority. He
is what he is.

> Scott. you could say someone is an accountant who occasionally dabbles
> in the art of magic.  whether you see them as a mage or an accountant is
> beside the point.  the point being that books are still balancing and
> you still find them strangely charming.  you could call them a
> janitor and still see the same effect.

A rose by any other name... blah blah.

> yep.  but only stupid and irresponsible blackhats get caught... those who
> don't know how to handle their power... those who are looking for scene
> status or seek some other un-intellectual goal.

Again, mostly true but not always. Sometimes people get caught just
because they are unlucky, and no matter how careful they are. Sometimes,
people get caught who aren't even guilty. Hard to make categorical
statements about our justice system.

> and if you look at a lot of the policy drawn up in the past few years to
> deal with blackhat hackers, you have to realise that it has come as a
> result of the security industry's grip of paranoia over luddites.

Absolutely.

> and i can tell you that most of the policy makers (be they politicians
> or bureaucrats) aren't all that computer savvy.  when looking for
> information they go to a security company and that company tells them to
> be scared.  so even though they may learn as they go along, what they
> learn is based on this notion of "the internet is scary, it's not secure,
> and hackers are everywhere just waiting to pounce!".

Just like gun control, the only people that get hindered by the laws made
by said politicians are Joe Six Pack. Real malicious hackers and
especially the criminally minded variety of blackhats don't give a damn what
laws are made. It's not terribly difficult to remain anonymous these days
(at least on the Internet) if you can keep your mouth shut.

> a smart hacker will work in collusion with the government, just like
> your media moguls work with politicians.  or like law enforcement
> agencies work with your ISP.

I don't really follow you here.

> like i said, real power is covert.  and if you have that kind of power
> it's very hard for someone to take it away from you.  because they don't
> know you have it.

True. This principle is applied to US citizens daily by our government.
TLA's with power stemming from the DoD can do all kinds of scary and cruel
stuff in our country and others. However, nobody wants to remove their
power to do so. They are too busy watching TV to stay informed enough
about what's going on around them, or perhaps they are too cynical and
agnostic to care unless it impacts them.

"Float like a butterfly, sting like a bee, your hands can't hit what your
eyes can't see" -Muhammad Ali


aliver


