Date: Wed, 3 Oct 2007 13:54:15 +0200
From: endrazine <endrazine@...il.com>
To: "Mr Frog" <hacking4froggies@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: The real motivations of vulnerability disclosure

Hello FD readers,

I don't usually answer non-technical posts, but I feel like explaining why I
believe the ideas expressed by Mr Frog and similar underground orthodoxies
are clueless.

"Mr Frog" : To summarize your thesis : ppl disclose vulnerabilities for fame
& profit. "That's not how real hackers used to be".

Ok, let's analyze those statements a bit deeper :

First, let's establish the truth about fame :
Fame ? What fame ? Does your mother know who Michal Zalewski is ? Of course
not. When you first decided to be a "computer enthusiast", you also decided
you would spend your life behind a computer and none would ever give a damn.

You're also mentioning people having Wikipedia entries or belonging to
"crews" (the so-called research communities) : you're surely missing people
writing bullshit on blogs and posting links to their miserable thoughts on
public mailing lists...

Additionally, I especially enjoy the intellectually challenging relation
between your first sentence "when a vulnerability in a major site is
discovered people freak out"... and your conclusion : "These types of people
tend to hang around 'xss' hacking sites where they can learn the masterful
art of finding an issue any 5 year old could find with less than 15 minutes
of training.".

In a nutshell, that's the good old Manichean (did I say Protestant ?) schema
: the good (being the "non-disclosure" folks from your blog post) against the
bad (being the "fame seekers") guys. In the same vein, let me quote
http://www.phrack.org/issues.html?issue=64&id=4#article :

"    But it is the reason not to write a technical article. The purpose of
this article is to launch an SOS. An SOS to the scene, to everyone, to all
the hackers in the world. To make all the next releases of Phrack better
than ever before. And for this I don't need a technical article. I need
what I would call Spirit."

(there follows an apology for pre-internet hacking mythology)

Those kinds of thoughts are almost as inept as they are widespread.

To you all, anachronic purists of the so-called underground : go to hell. If
there ever was a "spirit of the underground", it was the belief that
individuals can, on their very own, do better than what engineers do in the
industry (which is in fact absolutely understandable if you consider that
companies have budget constraints, deadlines and limited knowledge). I don't
see any opposition between this and vulnerability disclosure. What you do
with a vulnerability you have found is irrelevant. Now, if the whole dilemma
is about people being at the same time security enthusiasts on their own,
and social beings needing to work in one way or another to feed their
families, let me tell you a big secret : everyone in the underground,
starting with Adm, teso, phenoelite, phrack, (pasting from phrack's
article) 2600, Phrack, PacketStorm, Phreak.org, Uniformed,
PTP, Netric, Felinemenace, Hackcanada, Toxyn, phc, w00w00, devhell, cDc, l0pht,
el8, gobbles, synergy, blacksecurity, u-name-it people and members of every
other reasonably skilled security group I have never heard of are working
for security-related companies. Maybe it wasn't the case in the 80's. But
today, if you want to be able to understand a bit of what's going on, hacking
is a full-time job. There is no dichotomy between hacking on your own and
selling your skills to a company. So please, stop pointing the finger at
each person trying to share a bit of what they have discovered.

my 0.02$

Regards,

--
endrazine - // Garage-made hacker & Security Engineer at the same time.


PS: The members of the above-cited groups are asked not to flame me with
"I'm no industry guy" posts : I know you are ;) And thanks for sharing your
work : I couldn't have gotten half of the skills I have today without your
"disclosures".



On 10/3/07, Mr Frog <hacking4froggies@...il.com> wrote:
>
> For the past 10 years when a vulnerability in a major site is discovered
> people freak out. I'm not debating the importance of certain site
> vulnerabilities such as those exposing personal or account information. I'm
> going to talk about one of those things people think, but don't speak
> publicly about which involves the intentions of those vulnerability
> disclosure folks. I'm going to break down these types of people and some
> people in the 'industry' are going to laugh and others possibly be offended.
> If you have a problem with this then we can meet in an alley for warfare,
> but please don't bring salt as it burns.
>
> http://hackingfrog.blogspot.com/2007/10/o-o-omg-frog.html
>
> - Froggie
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
