lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 13 Jan 2012 13:14:54 -0800
From: Gage Bystrom <themadichib0d@...il.com>
To: Laurelai <laurelai@...echan.org>, 
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Rate Stratfor's Incident Response

Exactly. People are mostly being ridiculous atm. If they told you about a
vuln and did not take advantage of it they are innocent. By all means you
have the right to investigate and make sure they didn't do anything else,
but if they didn't they are innocent. The moment they take advantage of a
vuln to door you, steal important system files, or steal confidential
information they are guilty. Accidentally finding a document is not a crime
either. I really hate physical analogies but I think this one is relevant:

It would be like if someone found your wallet and saw your credit card, ssn
card(which you shouldn't carry with you), and your drivers license, and
then found you to give it back. If they didn't do anything with it they are
fine.

People need to realize that the internet is the modern wild west. You only
trust strangers enough to do business with them. You can't expect strangers
to immediately understand your way of doing things. Real law enforcement
only gets involved if something big happens. Attackers are the modern
bandits from the lowly script kiddie to the billy the kids running around.
You hire your sheriff because he's the best shot around. Why are people
saying that the sharpshooters of this day shouldn't become sherrifs just
because of prior activities? Of course you're not going to hire the guy
that shot up your joint, but what real reason do you have to not hire the
guy that shot up other places? A good shots a good shot and if he's willing
to come clean then hand him the soap.

Yeah I believe we shouldn't be hiring script kiddies, but we shouldn't
discriminate against where people honed their skills. Especially something
like security where they had to have their skills down on a day to day
basis where it really counts. As for people complaining about them not
knowing how to secure things ethics, etc: well you have a very poor
knowledge of the underground hackers psychology.

I've spent my share of time observing the underground, talking amongst
others out of curiosity. They have more ethics than most day to day people.
The good ones, the ones you'd want to hire KNOW how to secure stuff. Why?
Well the secure one is easy: they don't want to get pwned, and they don't
want their targets to get pwned by other people. They have to know how to
be defensive or they lose their trophies. The ones that don't learn
eventually that need to start learning. The ethics claim may seem strange
but consider this: this is a society of sorts where everyone works together
to expose fradulant vendors so they don't get scammed, no legit person
screws over their clients and clients don't screw over vendors because the
only business license is your reputation. And its a well understood rule
that is pounded into newbs that you don't fuck up your own workplace. They
make it clear that its too risky and that it'd be the same as screwing over
your clients. You may not trust these people, but that's because you don't
understand what they value, how they build a trust amongst themselves and
more importantly you don't know how to build trust with them. No wonder its
surprising if your company gets pwned cause you don't remotely try to
understand the ones really doing the damage. You don't talk to them, ask
them questions, you don't share interesting knowledge with them. You are
being an antithesis to everything they value and not bothering to see if
you should be against some of those values.
On Jan 13, 2012 12:04 PM, "Laurelai" <laurelai@...echan.org> wrote:

> On 1/13/12 1:24 PM, Paul Schmehl wrote:
> > --On January 13, 2012 12:03:22 PM -0500 Benjamin Kreuter
> > <ben.kreuter@...il.com>  wrote:
> >
> >> On Fri, 13 Jan 2012 10:37:31 -0600
> >> Paul Schmehl<pschmehl_lists@...rr.com>  wrote:
> >>
> >>> --On January 12, 2012 3:16:19 PM -0500 Benjamin Kreuter
> >>> <ben.kreuter@...il.com>  wrote:
> >>>
> >>>> The law is not going to stop the really bad people
> >>>> from attacking your system, nor is it going to stop them from
> >>>> profiting from whatever access they gain; sending law enforcement
> >>>> after someone who reports problems to you accomplishes little and
> >>>> only discourages people who might try to help you.
> >>>>
> >>> Assuming everyone's motives are as pure as the driven snow is a bit
> >>> naive, don't you think?
> >> Are there lingering doubts about the motives of someone who is
> >> reporting a vulnerability to you?  They could have just profited from
> >> their discovery and never bothered to tell you.  In any case, what have
> >> you accomplished by sending the cops after *someone who is helping you*?
> >>
> > Unless you're a complete fool, yes.  You say you're helping me, but you
> > broke in to my server.  How do I know you didn't help yourself to a
> > permanent back door?
> >
> > Again, it's naive to think that most people are motivated purely by a
> > desire to help others, especially when they are actively intruding into
> > other people's assets.
> >
> > YOU might say thank you, but I'll be taking the server offline, grabbing
> > forensic images and rebuilding it long before I get around to saying
> thank
> > you.
> >
> Well just remember they could have *not* told you and helped themselves
> to a backdoor. If they wanted to door you they probably wouldn't have
> told you.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ