Open Source and information security mailing list archives
 
Message-ID: <Pine.SGI.4.44.0208170602590.84806-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: Winstrol boy

On Sat, 17 Aug 2002 fuk@...hmail.com wrote:
> I believe that though appearing illogical, these points will expose
> them, divide them, and eventually end their days.

Wow, if you are that cocksure about yourself, I'd like to put you to work
on some other major world problems.

> 1. They are not all script kiddies. Some are grown men with college
> degrees whom work at security companies (qualys and ISS). Others
> (Gweeds, for instance), have been developers and know how to code.

It pleases me to hear that some of the very people working for ISS are
secretly working on the back-end to undermine their aims (and I know at least
one myself, but not any of the ones in this particular circle). However, a
recent post made a good point in that the two groups are
self-perpetuating. The best way to stop the efforts of whitehats is to cease
feeding the luddites proof that we blackhats even exist. As I've said
before, my own goals for my own reasons and in the most covert ways I can
manage. No posting exploits for fame and glory. That's not something I'm
interested in these days.

> It can be safely assumed the rest are their teenaged, male groupies.

It seems that assumption is a popular pastime with self-admitted
whitehats.

> 2. Geeks == Nerds. Talking tough does not fit in with geeks. It just
> doesn't work.

It doesn't really work for you either, tough guy. Stating:  "I can break
your face in and bury you in the desert." goes a long way toward making
this statement self-iterative, where "self" == you.

> You say one thing online, but geesh, we have all been to these
> conventions... and these kids are skinny wusses whom don't bring dates.

Please feel free to pound on your chest now, and grunt loudly.

> Sorry, but you can hack my system, and I can break your face in and bury
> you in the desert. One is scarier than the other. You choose.

Idle threats from a faceless name on a mailing list. Well, I'm sure you've
got us all just quaking in fear at this point. I know I nearly pissed
myself in terror when I read this.

> 3. The whole idea of criminals telling cops they are selling out, is, of
> course, absurd.  They are criminals, what do they know about being cops?

You are so far off base here I'm questioning how you fabricated this in
the first place. Cops? Who are you talking about? Whitehats != police. I
haven't seen anyone making statements about sell-out cops. Where are you
getting this stuff?

> Okay, okay, to be good in this business you probably have done some down
> and dirty work... hacking pedophiles and Neo-Nazis and such. Which makes
> the analogy a bit more like terrorists telling Delta force they are
> selling out because they are still kicking bad guy's butts and not going
> around and hacking innocent systems.

Are you by chance taking Winstrol?

> 4. As far as "black hats" go... the question remains if they really are
> black hats at all!  Their worst stuff is breaking into their buddies
> systems and posting their mail spools online?

Your definition is a bit out of whack. However, I don't think that I can
really set you straight here, but at the very least this has been an
interesting read.

> Has it even occurred to them to hack a bank? Or, to hack a Bloomberg
> terminal? To hack a senator? Because I am sorry, but if what they are
> doing is not even criminal or dangerous... then they are not "black
> hats".

Wrong. Committing felonies does not make you a blackhat. It's a certain
mindset. However, something tells me we are not going to agree here, and
so I won't bother going forward with more detail.

> I understand the fun of vengeance.

Hmm. Have you ever been near Ruby Ridge or worked for the ATF by chance?

> And, I even understand the fun of my opponents, real criminals.

Okay, another guess, I'm visualizing a local PD somewhere in Podunk,
Kansas.

> But, these guys? They are so stupid about what they are doing, everybody
> knows whom they are. If they ever do do something, or ever make a real
> threat... they will all be in jail.

A real threat? You mean if they stopped threatening to cease all
cooperation with whitehat pen-testing firms and sit on their code and
knowledge and then started threatening to smash people's faces and bury
them in the desert?

> That crap is what destroys internet security. Ego freaks.

It's humorous to hear you say the phrase "Ego freaks"...

> 5. Fight Club was a great movie. These guys are bozos. They break the
> first rule every chance they get like Bob with tits.  If I was so
> inclined, which I am not, I would do it right... and destroy the credit
> database, then switch the DMV records for everyone in New York state!

The dripping irony of your conflicting statements has now reached its
zenith. You call yourself a whitehat, and claim to work with or for law
enforcement, but then come off with what could be construed as a criminal
conspiracy or at the very least demonstrate some premeditation on how you
would "do it right", followed by the description of what would be a few
major felonies. Bravo!

> But, what do these guys come up with? Hacking their drinking buddies.

Again, where exactly are you pulling this stuff out of?

> Oh, and they tell homosexual jokes to each other all the time in #phrack
> and never wonder why they don't have girlfriends!

I'm seeing a pattern with self-admitted whitehats trying to confute an
assertion in an argument. It goes 'assumption + straw-man' ad absurdum,
ad infinitum.

> 6. Girlfriends. Getting laid. Let's get to business. Really, really good
> hackers almost never get laid because they are too busy learning.

Once again, despite my telling myself "if this guy only knew", I really
have to wonder what orifice you are pulling this stuff out of, and who
exactly you are talking to or at?

> And, almost always they do this because they really wouldn't get laid
> even if they could try out for the High School football team.  (Which,
> of course, is not something they could ever accomplish).

Football. Ahh, now you've hit a nerve with me at least, and you'll succeed
in getting me off on your tangent. I mentioned my friend Brian was a Freak
(like I am, and I mean this in the best sense of the word). He was murdered
by a football player, and I've had other friends raped by them. I have no
love for them. My description of football is this. A group of men in tight
clothing take showers together, wearing tight clothes and slapping each
other on the ass they take the field, they dash frantically after balls
and madly run around throwing each other passionately to the ground and
leaping on top of one another (sometimes refusing to get up), all the
while grunting and groaning like oxen. At the end of the game they whisk
off to the locker room for a final grand finale in the showers. Beyond
that, only speculation can determine what happens. However, as far as
getting onto the football team in high school, or anywhere else I'd prefer
to abstain. They may be "getting laid" but I don't count soapy escapades
with each other and the "coach".

> Okay, so now that is on the table... it is true, some of us white hats
> actually are good hackers, but not the best.

Heh, I don't find it hard to believe that you aren't the best.

> Yes, we make money and spend too much time with the ladies.  I am sorry.
> Sue me. Oh, yeah, you can't from jail.

At this point I'm too busy laughing to type properly. Please give me a
minute to recover.

> 7. "White Hats are evil", oh, okay, right... so, why, little wussies,
> are you messing with us if you know we are evil?

We aren't. We (or at least I) want nothing to do with you.

> Heck, maybe we are working with your friendly IRC server admin or your
> ISP right now against you?

Great. Have fun, and good luck. May the best man win.

> Who knows what kind of dirty tricks we have up out sleeves?

Oh, I've got a pretty good idea. I work with individuals not unlike
yourself on a regular basis. As far as infiltration goes, I'd say that I'm
way ahead of you in that game.

> 8. I find it amusing how they claim credit for all of these security
> holes, yet the actual number of systems they have hacked is so small.
> Some people go, "Oh, uh, well, they hacked openbsd and k2, they are
> scary, man, scary". Say what? And?

You are looking for the lowest common denominators and judging the
underground based on personalities and their exploits which are most
likely the tip of the iceberg. I'm glad. The whitehat community needs a
lot more people like you. However, I'm not sure if "the ladies" could
stand it. If you knew as much about women as you intimate you'd probably
realize that the kind of testosterone driven blather you've spewed here is
the kind of thing that most women absolutely despise.

> Do people really not get it that once, twice, five times a week a new
> bug comes out from some low key, humble researcher which could have
> hundreds of millions of systems?

Your grammar and diction leave a lot to be desired. I'm having a bit of a
hard time trying to decrypt what you are getting at here. Maybe I'm just
getting tired, though.

> Do people not get it that we whom post these vulnerabilities could hack
> your systems, could hack EVERYONE'S systems -- but DON'T?

"we whom post"? Are you intimating that you can write an exploit? Oh
please say yes, and we can have a nice long talk about x86 ASM, or would
you care to demonstrate how to, for example, overwrite an atexit()
function ptr or pointers in the GOT table? I'm sure, based on your
demonstrated brilliance that you could add something insightful to such a
discussion.

>  - the FBI, the lazy, gutless goofs that they are for not locking them up

Yes, being all "terrorists" I'm sure you and many others would like to see
that.

>  - Qualys and ISS (whom, by not firing these criminals show themselves
> up to be utterly unethical, which is absolutely unacceptable in
> companies you are supposed to trust with your important data and
> secrets)

Once again I applaud these kinds of folks. To be a cancer that eats the
corporatist system from the inside out is powerful good ju-ju.

> Hey, we the bug finders, aren't asking for much. Most of us have worked
> shit jobs. We don't get much credit for our work. We rarely get much
> pay. Script kiddies base their entire reputations on our work... and
> always have.

What, just a few lines back you were claiming to be making bank and
spending too much time with the ladies. Now you are noble philanthropic
researchers who are being victimized by script kiddies? Make up your mind.

> But, to claim we buy these kid's exploits, or any crap like that? To
> claim that we steal from them, when they steal from us?

You (whitehats) steal from us (blackhats). Simple as that. The proof is in
the pudding. Every major pen-testing firm has the greater part of their
arsenal due to the efforts of researchers, many of whom are blackhats. If
you deny this, then your credibility even as a whitehat pen-tester is
diminished, since it's pretty much common knowledge of those who work in
this industry and can be easily validated by cross referencing checks in,
say, Realsecure with posts to Bugtraq and vuln-dev.

> The only system we think was actually hacked with "zero day" from them
> was monkey.org! And, it wasn't their bug! They wrote exploit code for
> it, and have been living on the reputation ever since! Get real, people!

I wish I could live in such a sheltered microcosm like you seem to have
accomplished. The fact that you seem to really believe the stuff you are
saying strengthens my already steadfast faith in the unlimited potential
of ignorance.

> 9. What really pisses these guys off is the full disclosure community
> has become less full disclosure. We are waiting more and more for
> vendors to fix their holes.

What? Waiting for vendors to fix their own software? Say it isn't so! Some
of these "researchers" have become dissented and no longer wish to work
for greedy corporates for free? The horror!

> We are not releasing exploit code for our bugs.

I find it quite difficult to believe you are finding bugs to release
exploits for in the first place, and I find it fantastical bordering on
fictional that you could code an exploit.

> We are putting the "black hats" out of business by doing so.  And, this
> means their "hacking" days are numbered.

Well, I'm certainly convinced that my "hacking days are numbered" after
reading your oh-so-intimidating rant.

> Rightly, they go out kicking and screaming. And, taking credit for other
> people's work. And, not showing respect where respect is due.

You've got that about as backwards as it can get.

> That is the price for ego pumping all day on IRC.

I wouldn't know. I don't do IRC, but I'll take your word for it.

>  - Bug finders should continue to wait for vendors... except in those
> extreme instances.  (Come on, vendors, what we did in the past had to be
> done to get things going, don't slam us on it, just move on).

Don't presume to put yourself in the place of someone who can actually
code. You don't speak for me, that's for sure.

>  - We should not hack these morons back, which most have considered, but
> dropped it...  knowing that ultimately that leads nowhere. (Whereas a
> fist, perhaps, does not).

It's so easy for me to believe that an ape such as yourself would turn to
violence, but then harp about how law-enforcement isn't doing enough to
protect your interests.

> Don't try and hack the hackers. Because in the end you will just end up
> friendless, in jail, whimpering, fat, old and you still won't ever get
> laid.

You are quite the sage. I'll be sure and pen this down in my book of
quotations right next to my section devoted to Al Capone.

> And, if *we*, the *real* elite, ever decide to do a project mayhem, you
> won't know whom did it. You will just suddenly realize your life has
> turned into a bad Mad Max movie and don't know why.

I shiver at the very thought. Please don't hurt us mister bad-ass. Please?


