Open Source and information security mailing list archives
Message-ID: <20020817004907.68668.qmail@web12908.mail.yahoo.com>
From: anodyne68040 at yahoo.com (Anodyne Perspective)
Subject: Re: thoughts on hacking, life and the future of the Net

--- aliver@...il.com wrote:
> On Fri, 16 Aug 2002, Scott Francis wrote:
> [snip]
> > The only thing that troubles me is that in order to change the industry
> > (or eliminate it entirely) in the way that is being proposed, we have to
> > be willing to sustain a lot of casualties of innocents.
>
> Who is ultimately responsible for this? Was it the blackhat who found a
> bug, or the software vendor who released the software in the first place?
> In truth maybe a little of both. However, I have to ask myself who is more
> moral. The megacorp or the hacker. Now in that regard it's a no brainer.
> When it comes to free software projects like Apache, I'd say that a little
> bit of politeness goes a long way if you plan to release an exploit.
> However, if sitting on an exploit you wrote for a bug you found suits
> your purposes, I'd say you have zero moral obligation to help, if you have
> a greater goal in mind.
[snip]

I've snipped the rest of the email, because it's the sort of healthy scepticism of "big business" and "globalism" that many people are feeling these days, and some discussion about Theo de Raadt, both of which I have no particular quarrel with.

The only thing that made me stop and want to know more was the "greater goal in mind" that an exploit writer might have. What greater goal do you speak of?

The cynic in me would cite real world examples of exploit writers posting information to Bugtraq with "send job offers" messages attached (e.g. http://marc.theaimsgroup.com/?l=bugtraq&m=102324168812638&w=2), or exploits being used to compromise the systems of personal enemies for what are ultimately little more than personality clashes and pissing contests.
The current "no disclosure" movement condemns the former, and seems to variously condemn yet employ the latter (el8 magazines being the highest profile current example), so I'm doubting it's either of these.

The optimist in me would proffer examples of exploit writers using the exploits against multinationals that pollute the environment, giving their dirty little secrets to Government and Industry regulators, or using the exploits against the tobacco industry, publishing the research they try ever so hard to deny the existence of regarding the dangers of smoking. Or pointing out the folly (perhaps even without releasing specific exploitation details) of running certain software to sensitive Government departments, if patriotism is your thing. Perhaps "getting back" at Equifax for their privacy abuses over the years. None of these are real life examples - just what I can come up with given the anti-globalism, anti-corporate tinges of this discussion.

Is the "Robin Hood" style of exploit information the "greater goal" you speak of? Or is it more simplistic? Perhaps the "strangle the security industry" thing? I discounted this because the "ethical, skilled" people have as much opportunity to create a company and perform an ethically particular service, with their exclusive information, and probably reap the rewards to boot once their prowess becomes known, but they have (thus far) chosen not to.

If not, what might it be? It's a serious question, and one that has always sort of sat unanswered in any black/grey/white hat discussion. I think we'd all be well served by some serious attempts to answer it on this list.