lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200208161440.g7GEew272004@mailserver4.hushmail.com>
From: chaos_magician at hushmail.com (chaos_magician@...hmail.com)
Subject: A PHC PRODUCTION: THE REAL SCRIPTKIDDIES

Several things ring true here.  

1.  The points here are almost verbatim from a presentation gave by Winn Schwartau at an early Defcon.  He asked the same questions of the group there.  He had a list that specified if you were a hacker or a script-kiddie.  And many of the points listed here are verbatim from that list.

2.  The only reason they are upset with security professionals in particular is that like they said "THE SECURITY INDUSTRY DEMOLISHED OUR WORLD."  Meaning we are obviously doing our job if we have pissed them off this much LOL :-).  

3.  If we can listen to their truths, perhaps we can all educate ourselves more to a degree to which we can "ANNIHILATE THEIR WORLD". Of course this means more research into vulnerabilities, and a better way of handling the information dissemination so as to avoid mis-information.

4.  These guys have a direction.. which is good.  It allows us all to focus our efforts on it, and to keep our jobs!.  In fact I wouldnt be surprised if the entire shenanigan was designed to ensure job security for those who fear the economic trends in IT employment.

5.  Many of these folks appear to be bearing the burden of existential frustration.  Most likely due to their intellectual isolation.  I know personally that becoming intimate with technology leaves you feeling disconnected somewhat from humanity.  But this is good too, its natures built in deconstruction tactics. I for one applaud them for taking a stance, regardless of what it is.  (Especially if it helps keep my field interesting. :-)

6.  If we refer to them as the Diogenes of our time, of course with more motivation, (someone please buy these guys some weed), then perhaps we can use them as our own check and balance. 

-Chaos_Magician

"The soul cannot bear to have anything above it.  I believe that it cannot bear to have even God above it.  If he is not in the soul,  and the soul is not as good as he, it can never be at ease." - Meister Eckhart

----- Original Message ----- 
From: <auto461723@...hmail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, August 16, 2002 9:30 AM
Subject: [Full-Disclosure] A PHC PRODUCTION: THE REAL SCRIPTKIDDIES


> 
> A PHC PRODUCTION: THE REAL SCRIPTKIDDIES
> 
> [Posted to the netsys.com 'full-disclosure' list.]
> 
> Does anyone find it strange that the talentless scriptkiddy Ron DuFresne is
> banging on about "kids this" and "kids that"? I certainly do. This clueless
> moron is in no position to speak down on or scold those he obviously knows
> nothing about.
> 
> If you search google for his name, you can easily see the technically inept
> scriptkiddy Ron DuFresne making a monkey out of himself:
> 
> http://www.google.com/search?q=%22Ron+DuFresne%22
> 
> This guy knows nothing beyond 1980's security policy construction and
> point-and-click firewall operation. He makes many technical blunders in his
> posts and displays an uncanny knack for sounding like a total dumbass.
> 
> For those out of the loop, the scriptkiddy Ron DuFresne was a former member
> of the defacement group known as GForce Pakistan, albeit only for a month or
> so at most. What's sad is that he has admitted this in the past, but
> justifies it as some kind of adventure "for research purposes." He also
> denies having defaced any websites. Still, makes you wonder, doesn't it?
> 
> I also see many other technically incompetent people/leeches on this list
> who are making unqualified assertions that so-and-so are scriptkids, that
> so-and-so don't know their stuff, that so-and-so are attention deprived...
> 
> If you can answer 'yes' to all of the questions below, then by all means
> feel free to think of yourself as equal to or better than these ~el8 guys.
> Otherwise, please stop speaking down to people who are obviously much more
> technically skilled than your ignorance will ever allow you to be.
> 
> * Do you know how to program in C? Are you intimately familiar with ISO C89?
> C99? While other people in your neighbourhood were out partying, were you
> sitting at home in bed making an almost biblical study of the POSIX
> standards? What about those from The Open Group?
> 
> * Do you know how to write hash tables? Balanced trees? Do you know the art
> of algorithms? Do you know Knuth's work like the back of your hand? Did you
> teach yourself everything about computers that one would otherwise only
> learn by paying thousands of dollars for in Computer Science tuition?
> 
> * Do you know how to juggle assembly code in your head for multiple
> architectures, such as MIPS, SPARC, x86? Do you understand the peculiarities
> of each architecture down to the nittiest, grittiest details? Can you
> optimize your own assembly routines? Can you take advantage of things such
> as Pentium instruction pairing or the delay slots in various RISC
> architectures? Do you understand the deal with the I-Cache on MIPS? Are you
> fluent in assembly language? Hell, do you even know what SPARC stands for?
> Quadrants in PA-RISC, make sense?
> 
> * Do you know how to write your own exploits? Do you know how to audit
> software with surgical precision for the most intricate bugs imaginable? Do
> you know how to take advantage of buffer overflows? Do you know how to
> exploit off-by-one errors on a little-endian machine? Do you know about
> integer overflows and signedness issues? Can you exploit format string
> vulnerabilities? Can you gain control of a process vulnerable to a heap
> overflow via a deep knowledge of the malloc implementation on the target
> host? Do you know how to bypass the "security" afforded by crap like
> Openwall, StackGuard, PaX? Or is your knowledge of these things limited to
> the papers that non-hackers publish? You probably think the people trying to
> help the security community with bullshit patches/fixes like this are
> hackers, when in fact no hacker would ever publish any such thing that aims
> to improve security.
> 
> * Have you studied the UNIX kernel with as much fervour as some would have
> for physical pursuits such as basketball or baseball? Do you know the data
> structures and organization in the kernels of various operating systems?
> Have you read books on UNIX internals cover to cover? Do you know how Linux
> works under the hood? Can you write your own kernel modules for both defense
> and offense? Ever written a kld on FreeBSD? Can you write a device driver
> for a peripheral that your OS doesn't support? Can you find flaws in kernel
> src trees that allow you to compromise a machine given local access?
> 
> * What do you know about evading (N)IDS? Your knowledge isn't limited to
> what Thomas Ptacek & Tim Newsham have said years ago, right? Surely you
> don't rely on tools written by people like Dug Song who like to think of
> themselves as hackers, when in fact they are traitors to the underground,
> assuming they were ever a part of it to begin with.
> 
> * What do you know about defeating firewalls? What techniques have you
> innovated and pioneered on your own? What tools have you written that allow
> you to toy with firewalls? Hell, the fucktard security community is probably
> limited to lameass crap like Firewalk.
> 
> * What do you know about web security? Do you sit back and laugh at the
> "cross-site scripting" revolution governed by an idea that has been around
> well before the CSS/XSS sensation that literally blew the dumbass security
> community apart? Must've wasted a lot of brain cells with that gigantic
> stretch of the imagination. Do you laugh at all these "SQL injection" papers
> and how most of them overlook the blatantly obvious: they have you believe
> you have to fumble around with all kinds of convoluted queries to achieve
> something that can be done with minimal typing if only they'd read the
> fucking documentation for various DBMS. Their CGI experts like RFP and
> Zenomorph call certain script conditions non-exploitable, e.g. when you
> can't get arguments supplied to a binary that you've managed to trick a Perl
> script into running -- RFP mentions this in his Phrack article -- yet any
> moron can easily figure out that you can use the POST method, make the
> script run /usr/bin/perl for instance, and have it run a script of your
> choice that is fed as stdin from the HTTP request's POST data. Oh God, sorry
> for pushing the realm of web security forward with this INCREDIBLY COMPLEX
> revelation.
> 
> * Have you written your own tools that exploit protocol weaknesses? Have you
> written your own tools for routing protocol weaknesses, e.g. RIP, BGP? Have
> you written your own tools that play games with DNS? Have you written your
> own ARP cache poisoning / mitm tools? Your own tools for shit like icmp
> redirects and router advertisements? Can you write a tool that will exploit
> the TCP sequence number prediction + IP spoofing vulnerability of older
> days? Or can you only mock Mitnick for his 1994 attack, calling him a
> scriptkiddy? Or utter useless banter about ISNs and cookies that you
> digested from some textfile? Who are you kidding? Fuck, have you read all 3
> volumes of the glorious TCP/IP Illustrated, or can you just mumble some
> useless crap about a 3-way handshake? Do you know Net/3 code? TCP
> algorithms? TCP extensions? Perhaps you're some fucking security expert
> because you've memorized /etc/services -- a walking fucking getservbyport, a
> la 70% of the Vuln-Dev subscription base.
> 
> .....................................
> 
> I have seen the ~el8 guys cover the full spectrum of everything discussed
> above. 95% of the people calling them scriptkids probably can't even code
> helloworld.c.  
> 
> Further ranting for those who are so quick to judge...
> 
> Are you just a fucking whitehat leech who knows nothing more than how to use
> tools written by others? Using techniques and exploits that most likely
> originated in the playground of blackhats known as the computer underground.
> More likely than not you're a fucking scriptkid who only knows how to do
> mundane and trivial crap like configuring ACLs on a Cisco router or some
> half-assed product such as Firewall-1.
> 
> You likely are so ignorant that you believe anyone who compromises machines
> is a clueless scriptkiddy like yourself. You likely are so idiotic that you
> believe that Bugtraq and CERT will protect you from the latest 0day
> exploits. 
> 
> You think Apache 1.3.26 can't be compromised remotely with one of four two
> year old Apache remotes that haven't even been hinted at on the security
> lists. You think sendmail is (now) remotely secure because what you don't
> see on Bugtraq doesn't exist. Qmail. ProFTPd. My God, you people are so
> fucking out of it. People report intrusions on their machines and you
> dumbfucks immediately conclude it's done by some public vulnerability, e.g.
> OpenSSL. That's right, because in your ignorant bliss there are no skilled
> people out there who would actually use their exploits to hack.
> Narrow-minded fools. Scriptkiddies.
> 
> You know nothing of what lurks beneath the surface glamour of the corrupt
> security industry/community. Your only resort is to call these people kids.
> 
> Trust me, they laugh at you clueless imbeciles. They laugh at your feeble
> attempts to manipulate hacking so that it becomes some fucking ethical or
> philanthropic pursuit. They laugh at your "hacker vs. cracker" debates. They
> laugh at anyone who thinks hacking isn't about compromising computer
> systems.
> 
> Who are the scriptkids now? You're outgunned and outclassed. Take a nap and
> retire, you pathetic leeches. 
> 
> The scriptkids like Ron DuFresne and Anodyne Perspective are likely going to
> snap after reading this, so I'm sitting back looking forward to the imminent
> outbursts from these scriptkids whose only rebuttals will be in the... 
> 
> "I have my fingers in my ears, can't hear you kids NANANANANAN JAJAJAJAJAJA
> itiththdsfhg grow up immature children, get a girlfriend HHSHee KkakakKAkka
> pffffttt damn kiddies."
> 
> ... range.
> 
> All "dox" dropped on the lists have been fake. They have been engineered by
> people either making false assumptions or trying to get their "foes" in
> trouble. Most of the phony ~el8 members lists mention people that have been
> attacked by ~el8, ironically enough. Put one and one together. There is only
> valid "info" for one of those poor souls, anywayz.
> 
> It's time for an underground revolution. You all quote The Mentor's
> Manifesto in your misguided ethics rants; alas, The Mentor was an active
> hacker, in the true, modern sense of the word. Stop being brainwashed ye
> hackers. Keep your souls untarnished.
> 
> It's time to bring the corrupt security industry to its knees. 
> 
> THE SECURITY INDUSTRY DEMOLISHED OUR WORLD.
> 
> THERE WILL NOW BE HELL TO PAY.
> 
> 
>                 Offer up your best defense
>                 But this is the end
>                 This is the end of the innocence
> 
> 
> 
> 
> 
> 
> Get your free encrypted email at https://www.hushmail.com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



Get your free encrypted email at https://www.hushmail.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ