| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Lun_mountd.c vs mounty.c
Okay, here's the scenario: a hacker/cracker exploits a vulnerability (I'll
leave it to others to debate "who was first") and then that person
gives/shares that code with other hacker/crackers and one of *them* posts
the slightly modified 'sploit code and takes credit for the hack.
What's wrong with this picture?
First, the ethics/morality of hacking/cracking ... I'm going to take a
pass on this one because of where the discussion is ... Full Disclosure.
If people want to argue the merits and morals of hacking, I think that
there are better fora for those discussions than here.
Second, sharing the code. Well, the Hacker Ethic says "Information
should be free" (or "All information should be free" - Levy, Steven,
Hackers). So, for the sake of argument, sharing is a good thing. Now
*who* you share it with may be the problem, since it appears that at
least one of the recipients (or someone that they passed it on to) has
less than stellar scruples.
Then there is the point about disclosure. I'm going to take another pass
here for the same reason as my first point - no preaching to the choir.
Another issue is the somewhat less obvious "are they not able to got[sic]
there own skills" issue. To that I will respond no, most people that I
run into either (a) cannot program, (b) can program and are too busy/lazy
to write their own code, and (c) can program but would just as soon use
someone else's work as take the time to write their own. In fairness, I
also know people (many of whom are subscribers to FD) who (a) can code,
(b) write sploits, and (c) don't give a hoot if someone else uses what
they wrote (because they're already onto the next project by then anyway).
There's a bit of a conflict here - if you share something and you don't
want other people to use/abuse it, you either have to (a) not share it,
or (b) be more discriminating about the people with whom you share it.
Personally I wonder why the author of the 'sploit didn't just post it
immediately (or after they were done with it)? If you find a vulnerability
and you want to use it for your own purposes, maybe sharing it is not a
good idea. If not, post it and let everyone play.
Here's what *I* would like to see:
(1) hacker/cracker finds vulnerability and writes 'sploit code.
(2) developer then tests 'sploit on every possible variant of target
that they have access to, and verifies what's vulnerable and what
is not vulnerable. Alternately, developer does minimal testing and
then releases the code asking for help testing.
(3) developer posts 'sploit code to Full Disclosure with detailed
explanation and appropriate posturing ;-)
(4) Full Disclosure reviews/discusses/patches as necessary
Of course, I would also like to see competent honest people run for
political office <sigh>
G
On or about 2003.09.17 15:41:11 +0000, Tobias Klein (tobias.klein@...tel.de) said:
> frew min ago i was browsing packetstorm and i cant belive my eyes
> anyone has changed a half haeder of my code and disclosures it to
> packetstorm
>
> i cant understand why pplz does that
> are they not able to got there own skills
> i have investigate many hours to write this code and it should never
> released
> but some sucker leaked it and some other gay changes the half haeder and
> disclosures it
>
> attached is the ORGINAL EXPLOIT code i wrote months ago
<SNIP>
--
Gregory A. Gilliss Telephone: 1 650 872 2420
Computer Engineering E-mail: greg@...liss.com
Computer Security ICQ: 123710561
Software Development WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Powered by blists - more mailing lists