lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20020817004907.68668.qmail@web12908.mail.yahoo.com>
From: anodyne68040 at yahoo.com (Anodyne Perspective)
Subject: Re: thoughts on hacking, life and the future of the Net

--- aliver@...il.com wrote:
> On Fri, 16 Aug 2002, Scott Francis wrote:
[snip]
> > The only thing that troubles me is that in order
> to change the industry
> > (or eliminate it entirely) in the way that is
> being proposed, we have to
> > be willing to sustain a lot of casualties of
> innocents.
> 
> Who is ultimately responsible for this? Was it the
> blackhat who found a
> bug, or the software vendor who released the
> software in the first place?
> In truth maybe a little of both. However, I have to
> ask myself who is more
> moral. The megacorp or the hacker. Now in that
> regard it's a no brainer.
> When it comes to free software projects like Apache,
> I'd say that a little
> bit of politeness goes a long way if you plan to
> release an exploit.
> However, if sitting on an exploit you wrote for a
> bug you found suites
> your purposes, I'd say you have zero moral
> obligation to help, if you have
> a greater goal in mind.

[snip]

I've snipped the rest of the email, because it's the
sort of healthy scepticism of "big business" and
"globalism" that many people are feeling these days,
and some discussion about Theo DeRaadt, both of which
I have no particular quarrel with.

The only thing that made me stop and want to know more
was the "greater goal in mind" that an exploit writer
might have.

What greater goal do you speak of?

The cynic in me would cite real world examples of
exploit writers posting information to Bugtraq with
"send job offers" messages attached (eg
http://marc.theaimsgroup.com/?l=bugtraq&m=102324168812638&w=2),
or exploits being used to compromise the systems of
personal enemies for what are ultimately little more
than personality clashes and pissing contests.  The
current "no disclosure" movement condemns the former,
and seems to variously condemn yet employs the latter
(el8 magazines being the highest profile current
example), so I'm doubting it's either of these.

The optimist in me would proffer examples of exploit
writers using the exploits against multinationals that
pollute the environment, giving their dirty little
secrets to Government and Industry regulators, or
using the exploits against the tobacco industry,
publishing the research they try ever so hard to deny
the existence of regarding the dangers of smoking.  Or
pointing out the folly (perhaps even without releasing
specific exploitation details) of running certain
software to sensitive Government departments if
patriotism is your thing.  Perhaps "getting back" at
Equifax for their privacy abuses over the years.  None
of these are real life examples - just what I can come
up with given the anti-globalism, anti-corporate
tinges of this discussion.

Is the "Robin Hood" style of exploit information the
"greater goal" you speak of?

Or is it more simplistic? Perhaps the "strangle the
security industry" thing?  I discounted this because
the "ethical, skilled" people have as much opportunity
to create a company and perform an ethically
particular service, with their exclusive information,
and probably reap the rewards to boot once their
prowess becomes known, but they have (thus far) chosen
not to.

If not, what might it be?

It's a serious question, and one that has always sort
of sat unanswered in any black/grey/white hat
discussion.  I think we'd be all well served by some
serious attempts to answer it on this list.

__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ