Message-ID: <20060220132820.L67148@home.ephemeron.org>
Date: Mon, 20 Feb 2006 13:39:11 -0800 (PST)
From: Bigby Findrake <bigby@...emeron.org>
To: Anthony Cicalla <Anthony.Cicalla@...kServ.com>
Cc: bugtraq@...urityfocus.com
Subject: RE: Vulnerabilities in new laws on computer hacking


On Wed, 15 Feb 2006, Anthony Cicalla wrote:

> I would have to say that I agree with you in what you have said.  I am a 
> young security professional with a CISSP, but growing up I did not have 
> the $ to be able to purchase VMware and all the software to set up a test 
> environment. I also bet that most of you between ages 12 - 16 had the 
> minimum 500.00 for a PC and another 300.00 for VMware and the list goes 
> on and on. To learn computer / network security is expensive and the 
> materials are costly in a lot of situations.

Perhaps this is beating a dead horse, but could someone explain to me why 
the addition of a $50 computer found at a garage sale, a $10 NIC, and a 
$20 switch or hub to any would-be-infosec's arsenal wouldn't suffice for 
this purpose?  We're not trying to brute force 4 kilobit PGP keys, we're 
trying to present a host to attack.  FreeBSD, NetBSD, OpenBSD, Linux... 
all free operating systems.  Isn't there an x86 version of Solaris that's 
free?  $500 computers aren't needed for this testing.  I suggest that the 
necessity for more expensive hardware is the exception, and not the rule. 
Bochs may not be speedy, but it works.

I would also suggest that anyone who finds that money is an obstacle is 
looking for excuses.  I have often found ways to make outdated hardware 
useful in a variety of situations.

> If we are going to make stricter laws, why do we not have something set up 
> for more positive learning?  Maybe a sponsored couple of sites to teach 
> this and be legal targets for script kiddies. Just some of my thoughts 
> on the matter. After saying this, I don't support illegal activities, but 
> if we want the kids to learn and not go to jail for being curious, then 
> we as a community need to look at this and provide a positive outlet for 
> this type of activity.
>
> -----Original Message-----
> From: self-destruction@...best.com [mailto:self-destruction@...best.com]
> Sent: Saturday, February 11, 2006 8:35 AM
> To: bugtraq@...urityfocus.com
> Subject: Vulnerabilities in new laws on computer hacking
>
>
> It'd be interesting to see if this post gets approved by the moderators of
> bugtraq.
>
> As all of you know, this forum (bugtraq) is constantly monitored not only by
> crackers and infosec professionals, but also by government and
> law-enforcement agencies.
>
> The reason why I'm posting this message is because I'd like to bring
> attention to the new laws on hacking.
>
> As everyone knows, laws on computer hacking are getting tougher. There are,
> however, some negative consequences.
>
> "Advanced societies" are updating computer crime laws faster than the rest
> of the world. This means that new generations of these more "advanced
> societies" will have no clue about how remote computer attacks are carried
> out. Future generations of security "experts" will be among the most
> ignorant in the history of computer security.
>
> New generations of teenagers will be scared of doing online exploration. I'm
> not talking about damaging other companies' computer systems. I'm talking
> about accessing them illegally *without* revealing private information to
> the public or harming any data that has been accessed. To me, there is a big
> difference between these two types of attacks but I don't think that judges
> feel the same way. Furthermore, I don't even think that judges understand
> the difference.
>
> Now, I'm not saying that I support accessing computer systems illegally. All
> I'm saying is that by implementing very strict laws on "hacking", we will
> create a generation of ignorant security professionals. I think to myself,
> how the hell will these "more advanced societies" protect themselves against
> cyber attacks in the future?
>
> These new tougher computer laws will, in my opinion, have a tremendous
> negative impact in the defense of these "advanced societies". It almost
> feels to me like we're destroying ourselves.
>
> I know what you're thinking. You can learn about security attacks by setting
> up your own controlled environment and attacking it yourself. Well, what I
> say is that this approach *does* certainly make you a better attacker, but
> nothing can be compared to attacking systems in real world scenarios.
>
> Now, I personally know many pentesters and I can say that most of them *do*
> cross the line sometimes when doing online exploration in their own free
> time. However, these guys would *never* harm anything or leak any sensitive
> information to the public. That's because they love what they do, and have
> very strong ethical values when it comes to privacy.
>
> I would say that most pentesters are "grey hats", rather than "white hats".
> In fact, I believe that the terms white and black hat are completely
> artificial because we all have different sides. The human mind is not
> binary, like black or white, it's something fuzzy instead, with many layers.
> The terms white and black hat were, in my opinion, created by business
> people to point out who the "good guys" and "bad guys" are.
>
> If I were the technical director of a computer security testing company I
> would try to find pentesters that are not malicious, but that do cross the
> line sometimes but at the same time, know when it's a good time to stop
> exploring.
>
> If you hire someone that has never broken into a system, this guy will not
> be able to produce valuable reports for customers because he will not be
> able to find vulnerabilities that can't be found running a scanner.
>
> In summary, I'd like governments of the world to rethink their strategy when
> fighting computer crime. Extremism never worked and never will.
>
> Remember, many of today's script kiddies will be the infosec professionals
> of tomorrow.
>


/-------------------------------------------------------------------------/
"I've tried to install this linux crap about nearly five times, but everytime 
it stops with the error message: 'login:'
Fix that immediately or I'll go public with that." -- some random moron

                    finger://bigby@...emeron.org
                   http://www.ephemeron.org/~bigby/
                   irc://irc.ephemeron.org/#the_pub
                 news://news.ephemeron.org/alt.lemurs
/-------------------------------------------------------------------------/

