Open Source and information security mailing list archives
Message-ID: <200208161340.g7GDeIv89574@mailserver2.hushmail.com>
From: shameinfame at hushmail.com (shameinfame@...hmail.com)
Subject: Covering that baldspot...or...hat ethics

Covering that baldspot..or..hat ethics

These are strange days. The security industry, an industry that grew out
of what used to be some sort of underground, was spawned on soil drenched
with the sweat and tears of what would nowadays be considered
"blackhats".

It was at its core built on knowledge painstakingly gathered
by these very same blackhats. Knowledge that was, at its root,
mostly gained by "unlawful" experimentation. Think about it: exploitation techniques were developed and researched to...UH OH...EXPLOIT things.
It was only when these techniques leaked and surfaced in the hands of
"legitimate" researchers that they got enlisted to take part in a perverted form of "security" that we now know as "Full Disclosure".

These early "researchers" were mostly former blackhats seeking some form
of monetary gain. Had they foreseen the state of information
security today, I'm sure many of them would have chosen to take that
"normal" programming job to gain funds and keep their blackhat ethics and philosophy intact. In fact, a large chunk of the newfound infosec workers did hold on to some of the blackhat mentality, by strongly opposing public dissemination of security information and exploitation methods. They would operate within a closed circle of trusted security experts and only share information amongst themselves, ultimately giving them a lot of power and the ability to "demonstrate" insecurity anywhere.
Thus they were able to make a decent living, and by keeping security
information in private hands ensured a steady cashflow. That might not
be as "ethical" as some people would like, but hey...it's a big boy world.
At this point in time both camps could live side by side, knowing that
neither side would demolish the livelihood of the other.

Then the leech appeared. The leech is a person who does not want to invest time and effort into gaining information and knowledge. They expect it to be handed to them on a silver platter and will even complain if the information is not presented in an easily digestible format. They expect people to take the time and sit down with them to "teach" them things, and overall show very little initiative. The leech is the infosec equivalent of a spoiled brat. They have this irrational mindset that it is an obligation for those in the know to share their information with them, because they have a "right to know".

We fast forward to today. The leeches have developed and integrated into the infosec world. They are the snosofts and ngsecs of the industry. People that have acquired a moderate skillset by leeching off of the knowledge of others and never show any creativity or original thought, neither in their advisories nor in the accompanying "exploit". I'm sure they don't consider their recursive grepping for strcpy's and faulty printf's to be leeching. They call it "auditing". Auditing as it is today is nothing more than spotting pre-chewed situations
that have been proven to be exploitable by someone else. And that, my friends, is leeching, and also the reason for the genericness of much of the work that spawns from these leech-based security companies. In that sense they are not the most dangerous creature in today's infosec world. They regurgitate stolen knowledge and would never find, develop and publicly spread an original method of exploitation. The biggest danger that we/us/them face is the "friend".

90% of all publicized exploitation methods have not been published by the people that first implemented them, but by friends of friends. They gain this knowledge via the grapevine and write papers in their need to educate. Or even worse...to gain recognition. So however harsh it may be to deny people close to you access to information, think about the greater good and how that information will be abused in the future. There must exist a true circle of trust and a basis of equality
to properly exchange information. Do not let leeches suck you dry. They expect all and return nothing.

In conclusion I suppose I, as many before me, should provide some sort of pseudo solution to the problems we, blackhats and non-disclosure supporters alike, face. Sadly enough I fear the damage has been done and it is irreversible. So let armageddon come. Clean up the ruins. And start over again. *DING* *DING* *DING*

shameinfame

"fame? shame."
