lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3DDEDF5C.5010700@gmx.at>
From: alexander.bartolich at gmx.at (Alexander Bartolich)
Subject: Please post to the list

Schmehl, Paul L wrote:
 > [...] So why should I, as a guy who is concerned about the
 > security of my network, care what blackhats have to say?
 > Why should I support anything the blackhats are trying
 > to convince me I should support?

"You cannot have a science without measurement."
-- R. W. Hamming

Examiners who carefully avoid all areas where you might have
trouble are a waste of time. Military maneuvers without
someone playing the enemy are not fun. And crash tests with
cars, trucks, trains and planes are fairly standard.

Of course software is not strictly comparable.
It is more like bananas, inedible on delivery, ripes on site.
There is no liability, no class action-suits, not even applied
anti-trust law. But then software development is dirt cheap,
provided you already have the knowledge and do it on spare time.

Since vendors get away with shipping buggy software they are
effectively out-sourcing debugging to their customers.
Or whoever gives their stuff a try.
Is it ethical to actively search bugs? I think so.
Is it ethical to misuse these bugs, i.e. not stop after a
core dump but to take the extra miles to a working exploit?
I'd say that depends on whom you consider your enemy.

The individuals who speak up on Usenet, mailing lists and
weblogs might do it for a lot of reasons; fame, vandalism,
revenge or just from nine to five. But I doubt that members
of organized crime, secret services or anarchist groups
will ever announce their 'achievements' that openly.

A freak sneaking into corporate head quarters and managing
all the way to the penthouse is a nuisance. Double so if he
takes the liberty to shit on the desk of the CEO. Quadruple
if he takes pictures of the result and publishes them.

But this is _nothing_ compared to the damage a dedicated
professional can do. Apart from espionage and electronic fraud.
What about using your account to sent hate mail or other
anti-reputation material? Upload illegal content and tip off
the cops? How much 'mobbing' does it take to ruin a career?
Getting angry at script kiddies and the like is to confuse
symptoms with the cause.

-- 
post tenebras lux. post fenestras tux.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ