Message-ID: <20030917184034.GA96644@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Lun_mountd.c vs mounty.c

Okay, here's the scenario: a hacker/cracker exploits a vulnerability (I'll
leave it to others to debate "who was first") and then that person
gives/shares that code with other hacker/crackers and one of *them* posts
the slightly modified 'sploit code and takes credit for the hack.

What's wrong with this picture?

First, the ethics/morality of hacking/cracking ... I'm going to take a
pass on this one because of where the discussion is ... Full Disclosure.
If people want to argue the merits and morals of hacking, I think that
there are better fora for those discussions than here.

Second, sharing the code. Well, the Hacker Ethic says "Information
should be free" (or "All information should be free" - Levy, Steven,
Hackers). So, for the sake of argument, sharing is a good thing. Now
*who* you share it with may be the problem, since it appears that at
least one of the recipients (or someone that they passed it on to) has
less than stellar scruples.

Then there is the point about disclosure. I'm going to take another pass
here for the same reason as my first point - no preaching to the choir.

Another issue is the somewhat less obvious "are they not able to got[sic]
there own skills" issue. To that I will respond no, most people that I
run into either (a) cannot program, (b) can program and are too busy/lazy
to write their own code, and (c) can program but would just as soon use
someone else's work as take the time to write their own. In fairness, I
also know people (many of whom are subscribers to FD) who (a) can code,
(b) write sploits, and (c) don't give a hoot if someone else uses what
they wrote (because they're already onto the next project by then anyway).

There's a bit of a conflict here - if you share something and you don't
want other people to use/abuse it, you either have to (a) not share it,
or (b) be more discriminating about the people with whom you share it.
Personally I wonder why the author of the 'sploit didn't just post it
immediately (or after they were done with it)? If you find a vulnerability
and you want to use it for your own purposes, maybe sharing it is not a
good idea. If not, post it and let everyone play.

Here's what *I* would like to see:

(1) hacker/cracker finds vulnerability and writes 'sploit code.
(2) developer then tests 'sploit on every possible variant of target
    that they have access to, and verifies what's vulnerable and what
    is not vulnerable. Alternately, developer does minimal testing and
    then releases the code asking for help testing.
(3) developer posts 'sploit code to Full Disclosure with detailed
    explanation and appropriate posturing ;-)
(4) Full Disclosure reviews/discusses/patches as necessary

Of course, I would also like to see competent honest people run for
political office <sigh>

G

On or about 2003.09.17 15:41:11 +0000, Tobias Klein (tobias.klein@...tel.de) said:
> few min ago i was browsing packetstorm and i can't believe my eyes
> anyone has changed a half header of my code and disclosures it to
> packetstorm
>
> i can't understand why pplz does that
> are they not able to got there own skills
> i have investigate many hours to write this code and it should never
> released
> but some sucker leaked it and some other gay changes the half header and
> disclosures it
>
> attached is the ORIGINAL EXPLOIT code i wrote months ago
<SNIP>
--
Gregory A. Gilliss Telephone: 1 650 872 2420
Computer Engineering E-mail: greg@...liss.com
Computer Security ICQ: 123710561
Software Development WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3