Full Disclosure mailing list archives

Re: thoughts on hacking, life and the future of the Net


From: full-disclosure () lists netsys com (full-disclosure () lists netsys com)
Date: Fri, 16 Aug 2002 16:40:27 -0700

On Fri, 16 Aug 2002, Scott Francis wrote:
> I've been doing a lot of reading and thinking lately, and what I
> initially saw as the same tired old attitudes that every generation of
> kids has (anti-establishment, anti-grownups, anti-authority, angst &
> anarchy, etc.), I am now seeing as something different.

It's unfortunate that those attributes are almost always characterized as
negative. "Kids" can make some amazing stuff happen given a lot less
motivation than old folks. It's a double-edged sword to be sure. However,
a sword, like any weapon, can be swung at any target, for good or evil
purpose.

> The only thing that troubles me is that in order to change the industry
> (or eliminate it entirely) in the way that is being proposed, we have to
> be willing to sustain a lot of casualties of innocents.

Who is ultimately responsible for this? Was it the blackhat who found a
bug, or the software vendor who released the software in the first place?
In truth maybe a little of both. However, I have to ask myself who is more
moral, the megacorp or the hacker. Now in that regard it's a no-brainer.
When it comes to free software projects like Apache, I'd say that a little
bit of politeness goes a long way if you plan to release an exploit.
However, if sitting on an exploit you wrote for a bug you found suits
your purposes, I'd say you have zero moral obligation to help, if you have
a greater goal in mind.

> Admins who are responsible for security but aren't exploit coders and
> can't hang out on IRC to get their news.

No, but enough due diligence on their part will keep their systems secure
enough that culpability should not rest on them (from their PHB's) if
things go horribly wrong. Blame the vendor, they wrote the software after
all.

> Small companies that try to remain secure by following the lists will be
> at the mercy of the unethical blackhats

This is something that will never change. Exploits are like weapons. They
fall into the wrong hands sometimes and sometimes they get used by bad
people for a bad purpose. That doesn't mean I'm going to turn all my info,
tools, or exploits over to some group of "security pros" because they
claim to be more "ethical" than me.

> I fully support the movement to change or even abolish the industry; I
> agree that it profits at the expense of the free labor of hackers, and
> this is not right.

Agreed.

> I just hope there is a way to achieve this goal without hurting a lot of
> people that aren't involved.

I don't want to see good people suffer at the hands of bad people. In this
debate, though, it's not as clear cut. Whitehats claim to be the good
guys, but are they really? Most of them are nothing more than thieves and
leeches.

> One other problem I have seen - there is a lot of animosity towards
> those who are perceived as being 'sell-outs' or working in the
> 'professional' security industry. That is, blackhats that turned their
> skills into a profession or started companies or joined existing ones.

Well, to me I don't fault someone for trying to make a buck off their
skills. However, it's the methods they deploy which anger me. For example,
they use Nessus, but they don't contribute their own 0day exploits to the
project since they can use them to cause a knee-jerk reaction in their
customers when they magically root a machine. It's their hypocrisy that I
hate. They participate in condemning the underground when they engage in
worse practices themselves.

> As a caveat, let me say that in many cases, I agree - the l0pht was
> completely destroyed when they were absorbed by @stake, and many great
> tools and attitudes from the members are gone forever. It was a sad day
> when l0pht.com, as it was, disappeared.

Yep.

> That said, what would you suggest for a hacker whose skillset is
> security - researching software, finding bugs, coding exploits - in the
> way of a career?

Either stay true to the game and don't renege on your own ethics the moment
you turn 25, or do something like systems programming where you can put
your knowledge to good use in a non-security field. I choose the latter
since it's a bit difficult to be a security researcher and a blackhat at
the same time. I'm too jealous with the knowledge that I have worked so
hard to acquire.

> I mean, as distasteful as it seems to be these days, people _do_ have to
> pay the rent and feed themselves and their families.

Yep. However, it's not impossible to make an honest living and stay true
to your morals.

> If it's wrong to use your skills to support yourself

I personally don't think it is. I just think it's wrong to say one thing
then do another, or to hide your true intentions for the purpose of having
other people do free work that you should have already done yourself.

> Theo's infamous personality aside, you must certainly admit that the
> OpenBSD project has one of the best track records of any openly
> available (commercial or free) operating system in common use over the
> last several years, security wise.

It has a good track record comparatively, no doubt. It's Theo I have a
problem with. Also, if you look closely its track record is not much
different from NetBSD, to whom they really owe the bulk of the work.
Don't think that the two projects still don't keep a close eye on each
other's CVS trees, and make use of them.

> Or do you consider their track record to be a smokescreen hiding
> undisclosed bugs and holes?

Theo has been known to do his best to marginalize and obfuscate some bugs
he's found and fixed. This is in an effort to keep others from rushing up
and sticking him when he opens his mouth to antagonize them (which is far
too often). However, as a more general practice I don't fault him for
this. I fault him for being a jerk.

> I follow OBSD. I don't worship Theo. I think his social skills are
> inferior to the average four-year-old, and he definitely goes out of his
> way to antagonize people sometimes, but I do recognize that he has
> skills I am (currently) lacking.

Sometimes it's useful to use people like this in a way that suits your
needs (as long as it doesn't hurt anyone).

> Sure, there are better coders out there. But none of them is currently
> building a publicly-available OS.

Point taken, and I personally would never build a secure OS for public
consumption. It's too much work and the public doesn't deserve it as far
as I'm concerned.

> I think the message is about the same now as it has been in the past -
> if you don't like it, or think you can do better, well, please do!

I don't like Theo, and I think OBSD is overblown. IMO NetBSD folks have
done better in some respects, and since I'm mostly criticizing Theo and
not OpenBSD, I think a hamster can do better personality-wise.

> I'd love to find a more secure project to follow, but a lot of what I
> hear when people gripe about Theo is personal, and I'm merely interested
> in using the best tool for the job (which in my case, is often
> synonymous with 'most secure out of the box').

Perhaps sometimes that's OBSD. More power to you.

> That was certainly the case when the project started. I think that
> percentage has dropped significantly in the last year or two, at least
> based on the little bit of casual CVS browsing I've done.

If you did a line-wise comparison, I'll bet it's definitely upwards of 90%
NetBSD code.

> It's because he sets himself up for abuse by making claims that just
> _beg_ for attacks.

Damn straight.

> Hackers find it nearly impossible to resist the kind of claims that have
> been made by Theo and others wrt the OBSD project. If he had kept a
> lower profile socially in the last several years, I honestly think he
> would have attracted less hatred from the cracking community.

I agree.

> that's mostly true for myself at the moment. When I got into the Net and
> UNIX my point of entry was in systems and networking, and I didn't start
> trying to learn C (I mean really learn it, as opposed to just reading
> it) until lately. For me at least, it was impossible to learn everything
> at the same time - there was just too much.

No harm in that, at least you don't perpetrate like you are something that
you're not.

> Maybe I just got a late start. I feel like I've made some good progress
> in certain areas, but there are definitely places (like C coding and
> network operations) where I know I'm just a beginner.

Just keep trucking. This stuff takes a lot of work. Sockz I think was
saying "did you stay home reading C89 while others were out partying?"
It's apt, because I certainly have done stuff like this, and so I can
appreciate the animosity of a programmer toward non-programmers who think
that we somehow owe it to them to create secure and functional software
for them, for free.

> Nothing is perfect, and Theo has definitely given that impression at
> times,

Usually at times when someone releases an exploit.

> He's definitely high on rhetoric, no question there. I'm not convinced
> that his rhetoric is _completely_ unfounded though.

His rhetoric is often quite attractive. I mean "secure by default" sounds
good doesn't it? I'm saying he is a prima donna and a jerk, and that Ron's
citation of him was weak but predictable.

> Trend started by the US government's tendency to label anybody that
> disagrees with current policy a terrorist, either directly or
> indirectly.

Yep, and it seems whitehats have caught on to this rather quickly.

> This is the current trend that scares me the most, because resisting
> corporations, while difficult and costly in terms of time, money and
> entertainment, is far less likely to land one in federal
> pound-me-in-the-ass prison than resisting the federal gov't.

Yeah, I do my best to stay out of their way. That doesn't mean I like
them.

> Very good history lesson - the winners write the history books. Lesson
> two (which prompted the entire debate/war about whitehats and the sec
> industry): the golden rule. Namely, he who has the gold, makes the
> rules.

No doubt.

> I think we need new definitions (or divisions, maybe) of hackers. I
> consider myself to be in league with the underground, and
> anti-corporatism, but I absolutely do not condone attacks on innocents,

Consider carefully who is innocent, though.

> which is the primary motivation for many blackhats and kiddies.

Many, but not all.

> Raschid hit the nail on the head with his call for a new kind of
> character - the hacker paladin, and in general for information to be
> taught hand in hand with ethics.

Taught by whom? Whose ethics? Those are the hardest questions. Whitehats
are quick to jump in and suggest their own standards documents, but
unfortunately they do nothing but proceduralize their corrupt morals and
maintain the status quo.

> I think I understand the reason why you feel the way you do, but I think
> change rather than eradication is the solution.

Looking at things pragmatically, I think it's going to get a lot worse
before it gets any better.

> The Net has accomplished so many good things, and has such potential to
> unite humanity and eliminate barriers, that I think we are morally
> obligated to help it reach its potential, rather than attempting to
> destroy it.

We built it. Those with a mindset the same or similar to the hacker
mindset _built_ the damn thing. Now the megacorps are trying to ruin it.
They are partially responsible for its success, but I'd give a lot more
credit to people and events pre-1993 instead, and in fact I had no problem
with the status of the Internet user population in 1994 for sure. The Net
won't die, but I'd sure love to see The Suits go down in flames.

> I think the latter is actually just giving in to the corporate takeover
> of the Net - they took over what started as a cooperative effort, and
> could become one again, if we don't give up on it.

There are other possibilities, for similar revolutionary activities.
Wireless networks have some incredible potential which hasn't been
realized. However, I have pretty much given up on the Net as the last
great hope of the hacker.
