Message-ID: <Pine.SGI.4.44.0208190351330.149459-100000@hexeris>
From: aliver at xexil.com (aliver@...il.com)
Subject: Shiver me timbers.

On Mon, 19 Aug 2002, sockz loves you wrote:

> i don't see how a bug in the user's software is anything that a _user_
> should be doing anything about. as i've said time and time again, if
> you think you've found a bug in your software, go to the software vendor
> to report it... not some open discussion list. if the dudes who make
> your software don't want to fix the damned thing THEN CHANGE F*CKING
> BRANDS! (where possible)

You make a good point. I'd like to add a couple of things. I believe that, from a "consumer" point of view, software isn't much different from most consumer products. A person pays money and expects a service. They expect _only_ that service and not a bunch of ancillary effects like, for example, the application causing their machine to get owned by a kidiot. As a consumer, they have some decisions to make. If the software caused unwanted effects or broke something, then they can call them and complain about it. This is most certainly going to be the case when, for example, they can't get the software to run properly on their machine.

What I'm hearing from the "whitehat community" is that other programmers not employed by that company have some obligation not only to report bugs, but also to point out how to fix them wherever possible. Since I'm a programmer, am I also supposed to find and/or fix bugs for them that are not related to security issues? I mean, if some software, when used improperly, can overwrite your boot sector with "BuyMSorDIE" a hundred times, should I be responsible for pointing out and patching this? I don't think so. I also don't feel, in most cases, that I have any obligation to protect these "innocent" consumers from the evil software vendor.

> 1. blackhats don't release their exploits to the rest of the community.
> any blackhat who does is no more a "hacker" than a whitehat is.

Well, I think I agree with the core point you are making. However, I'd expand this to say that blackhats don't release their work unless it serves their purposes. We should not be slaves to the vendors or to the consumers who are allowing themselves to be victimized. Personally, I write code because the projects I choose are interesting to _me_. The work I do is not something that I have an obligation to release, but I may choose to do so if it serves some other goal. The bottom line is that I make my own decisions based on my conscience and beliefs first, and my goals second. The one thing I'm sure as hell not going to do is robotically follow some so-called "RFC" for vulnerability release written by whitehats, just because they claim to be more ethical than me.

> just because you have malicious intent doesn't mean you're not a
> whitehat.

Damn right.

> and no, there is no such thing as a grey hat.

You know, I've always thought of myself as a blackhat, but lately I'm getting tired of labels. Mainly because it wastes a lot of time while people like fuk@...hmail.com claim "YOU ARE A GREYHAT AT BEST" or whatever. It's starting to take too much energy to keep up with everybody's definitions of these terms. For clarity, my definition of blackhat is someone who is willing to use the skills they have to serve their own goals without giving pause to the "rules" placed upon their practices by the law, or by the one-size-fits-all ethics that others are espousing. Now, this is a binary state in my opinion (i.e., you are willing to do it, or you aren't). So, with that said, I agree. There are no such things as "greyhats".

> 2. like you noted, script kiddies lack the intelligence and skillz to
> find their own bugs.

Yes, by definition. We hopefully all agree on this.

> they hear about 0-day exploitz through their friends from school, from
> "hacking" websites and so-called "hacker zines" which act in just the
> same manner as whitehat mailing lists like bugtraq, full disclosure, or
> vuln-dev. THIS IS WHERE THESE MORONS GET THEIR ELITE INFO FROM! NOT
> THE BLACKHAT COMMUNITY (which advocates exactly the opposite)!

Well, they may indirectly get their info from a blackhat. However, I understand that this is not your point. Also, consider some circumstance where a blackhat may target a company or product they believe to be corrupt. They may choose to release a tool or exploit to the kidiots to allow them to act as a tool for their own reasons. For example, what if the Citizens Corps (http://www.citizencorps.gov/tips.html) decides to release an application that allows Joe Six Pack to send "tips" about terrorists to some law enforcement entity with complete anonymity, and this ends up getting a lot of innocent people arrested on trumped-up charges? Then, in turn, I create an exploit+trojan that will instead redirect the tips to USENET in alt.rats with the tipper's IP address and as much information about them as possible. Well, I just might think that it's necessary to give the details of my trojan + exploit combo for this application to the kidiot community. Just some food for thought.

> wow. cuz it's like this dude. smaller software companies are worried
> about their reputation and larger companies are worried about their
> investors.

Yep. It's all about shareholders, most of whom couldn't give a damn about some security hole in a piece of software unless it means it'll turn into some class-action lawsuit. I'll be doing a jig the day I hear about a consumer suing HP because of some security hole they refused to address.

> ah-hoy, matey!

Yar, har har. Yo ho ho? Heh, sorry to butt in, just couldn't resist.