From: phc at hushmail.com (phc@...hmail.com)
Subject: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others)

-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 22 Nov 2002 11:46:38 -0800 "Schmehl, Paul L" <pauls@...allas.edu>
wrote:
>I received one response (so far) to my request to explain how "black
>hats" would propose I keep my network secure.  I would appreciate it if
>responses could at least be cc'd to the list so they can be discussed
>openly.

Just a few things before the reply to your post:

1. To 'Jesus': we're interested in hearing your ideas on appropriate action
plans for 'underdog' victory. Feel free to email us.

2. el8@...hmail.com: word tells us this is not ~el8. It smells of Danny Dilber
(stringz) making a comeback. If this is true, diestringz2.txt can be rolled out
at any time.

    ~el8 make all their announcements, etc. in their ezine, and anything else
outside of the ezine is more than likely an attempt to discredit or
misrepresent their views.

3. Stripey, you speak of the "PHC new bloods" when you have no knowledge of how
long any of us have been online for. Based on how recently you started selling
bugs to Snosoft, it's very likely that you're the one who's Only Been Around
For A Few Years. You made an important point about the media sensationalizing
stories of 'hackers' and whatnot, but you defended the security industry. Based
on what we've witnessed over the last decade, the media AND the security
industry waltz side by side to reciprocate the generation of sensationalism
that keeps both in business... in the security arena. They are the Yin and Yang
of hype.
Paul,

Your network will never be secure.

People seem to think Attack Windows -- a term coined by the same class of
people who brought you the Nop Sled (tm) -- exist between public vulnerability
disclosure and public patch release. This is untrue; Attack Windows exist from
public vulnerability disclosure right back into the long forgotten past.
Example: if in 2010 a vulnerability is publicly disclosed in a widely used
program that has been used for 20 years, then every box on the planet using
that program has been at risk for 20 years, and not merely the week or so
between public announcement and public fix. In retrospect, the security
industry accomplished nothing in 20 years, except stuffing their pockets with
cash and generating a false sense of security.

Insecurity will be perpetual. As democow said, blackhats will always be able to
compromise you. Scriptkids will not be able to compromise you if you always
manage to win the scriptkid-admin race that occurs when a new bug is disclosed
on a security mailing list. However, not all admins will be so lucky. The
security industry in this manner has increased not only the number of attackers
exponentially, but the threat to the Internet at large. This is a cycle that
can stop, but it won't happen while the security industry can make money on it.
They need figures and statistics to market their flimsy products. They need
visible threats to justify their existence. They need widespread defacements
and system compromises.

In the SecurityFocus article, _Full disclosure is a necessary evil_, Elias Levy
agrees that full disclosure brings more short-term insecurity than
non-disclosure does. So it's not only the 'blackhats' who see this. However,
Levy qualifies this short-term insecurity as a "necessary evil" to effect
long-term security. Just HOW long-term is a matter of conjecture, but based on
the security industry's own tenet that "no software, system, or network can be
totally secure," we don't ever see the final destination being reached by the
security industry. Instead, we see them as the purveyors of lies and broken
promises who will never be able to deliver what they're paid for. This holds
true even for the 5% of 'programmer-phrack-magazine-esque' security
professionals Who Have A Clue. The crazy thing is that it's their inability to
deliver the goods that keeps them in business. While they rake in large amounts
of cash and fail miserably at their self-appointed task, their failures succeed
in convincing the gullible that they're still needed.

There was a Vuln-Dev thread on Alan Turing's "Halting Problem" (we remember
this thread because it was probably the only educated thread ever to appear on
Vuln-Dev, not to mention a brilliant battle of wits between Lcamtuf-the-Brain
and Mixter-the-Fucking-Narc) that brought the identification of security holes
in software under the light of elementary discrete mathematics. This added to
the tenet mentioned above. We mention this to reiterate what we said in Sermon
#2 about all disciplines of study being applicable in some way, however slight,
to the problem we seek to change. See, even a math nerd can help us.

In summary, the security industry is reaping large sums of money for doing
absolutely nothing for Internet security. Along with the media, and (now) the
Government (capital G this time since we have learned since our previous sermon
that there really is only one government in the world, namely that one run by
Octopus Dubya Bush With His Tentacles Up The Asses Of Every Puppet PM And
Puppet Prez In The World), the security industry is responsible for all the
legislation that has been brought in that not only will affect 'hackers'... but
every LOL'ing, OMG'ing person on the Internet.

We can churn out sermon after sermon, but it will do little good if nobody
gives a damn. We're not fools to believe all this talk will do anything great.
If you see what we are fighting for, then PLEASE contribute Stuff to the cause,
where Stuff can be textfiles, graphics, old AntiSec posts, ideas, constructive
criticism, whatever.

And if you call anything that moves a "scriptkid" or a "lamer," for fuck's
sake, do not bother replying to this.

Dear #phrack:

STOP FUCKING BEING LAZY. THIS IS NOT A MATINEE PUT ON BY #PHRACK OPS. PROJECT
MAYHEM IS DOOMED IF YOU ALL JUST SIT THERE BEING HANDSOME. CONTRIBUTE SHIT.
STOP CHATTING ABOUT IRRELEVANT POLITICS. STOP CHATTING ABOUT SPINLOCKS,
SEMAPHORES, WEB SCANNERS, OPTIMIZATION, AND OTHER CRAP. GET SERIOUS. GET
MOTIVATED. LISTEN TO SOME ANTHONY ROBBINS. AWAKEN THE GIANT WITHIN. GET SOME
NLP HAPPENING. WORK ON YOUR AFFIRMATIONS. PSYCHE YOURSELVES UP. GIVE EACH OTHER
A PEP TALK. LET'S LEAD PROJECT MAYHEM TO VICTORY.

PHC
Sermon #3
http://phrack.efnet.ru | http://phrack.ru
"Join us to teach and learn."
>
>My request still stands.  Any takers?
>
>Paul Schmehl (pauls@...allas.edu)
>TCS Department Coordinator
>The University of Texas at Dallas
>AVIEN Founding Member
>http://www.utdallas.edu/~pauls/
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlgEARECABgFAj3ezdMRHHBoY0BodXNobWFpbC5jb20ACgkQ0rw64nEc6GLflACgmgpB
bVHppeFWbN+ftpzcAdf2BskAoLs52O9PY8l2qWLoJE+GId4BHq1L
=I8NC
-----END PGP SIGNATURE-----
