lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1075494108.563.60.camel@banshee.mythic.magic>
From: hh at ktabic.co.uk (ktabic)
Subject: Script Kiddies [OT]

Well, I know you should feed the trolls, but anyway...

On Fri, 2004-01-30 at 16:23, Uncle Scrotora Balzac wrote:
> I love hearing security people talk about script kiddies. It's the funniest
> thing to see them walking around with their chests pushed out like peacocks,
>  as they scoff the silly little kiddy.

Script Kiddie, usually used on this list to refer to a certain set of
what could be termed as Blackhats. I sure that most Blackhats however,
would be insulted by being included in the same group as Script Kiddies.
> 
> Funny because 99.9 percent of the people using the term so loosely have
> no idea how to *really* find vulnerabilities in systems, compromise,
> gain control, hide their presence, then use it for whatever they want.
> Hell, a significant percent of those "security [engineers/professionals/consultants/researchers]"
> (circle one) have trouble compiling exploits (if they even know where
> to find them in the first place), much less figure out offsets, return
> addresses, etc.. The same exploits those "kiddies" use!! What these people
> don't realize is that the "kiddies" they so affectionately refer to have
> learned this practice by reading comments, headers, and cryptic help
> messages in code and scripts. Not by completely out-of-touch and wickedly
> outdated texts like their CISSP study guides, vendor whitepapers, and
> books by aging whitehat hackers. Irony.

Well, from my experience, and time lurking on several IRC channels and a
couple of Yahoo chatrooms, 'cause I'm bored and need entertaining, most
Script Kiddies wouldn't know a compiler if it jumped up, bit them on the
arse and shouted 'I'm a compiler! Compile a program with me!!' let alone
know the theory behind a buffer overflow, or even do basic hexidecimal
arthmetic. Sadly, all I have even seen is the trade of canned exploits,
you know, the ready made executables.
There probably are some advanced Script Kiddies out there, that might e
able to take an exploit in source code form and make a working exploit,
and I've even seen some modified exploits, that might have been the work
of Script Kiddies, but I doubt it.
You see, the reason a Script Kiddie is called a Script Kiddie, isn't
because they can or can't write exploits, but rather they don't
understand the basics of target selection, so run their exploits
againist every single machine they can. Usually using a script. Hence
SCRIPT Kiddie. The only reason the Script Kiddes are even considored a
hazard on the 'Net is because of the number of machines they hit, not
their technical ability, which, as I pointed out, is pretty much
non-exsistant. And it always seems to be to build a botnet. Or a warez
server. Maybe the ability to run a program and use and IRC client so you
can control the botnet is technically skilled for you, but for most of
the readers of this list, thats something they could do while rebooting
the mail server, clearing three people computers of viruses, advising
the non-IT geek on hardware, and showing the new member of staff how to
log on and where Word is and persuading the boss to part with money for
the next round of upgrades, while simutaneously reading Full-Disclosure
and wondering why the hell they didn't decide on a careers as a sheep
farmer in the Australian Outback.
Those Blackhats I have talked to that I don't lump in with Script
Kiddies, have always thought that being indescriminate in the target
selection stage was a waste, and that a DDOS wasn't the aim.


ktabic
-- 
www.ktabic.co.uk
Many sysadmins won't give you the time of day.
Thats what NTP is for.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ