Re: Security Industry Under Scrutiny #4

[Anonymous <nobody () cryptofortress com>]

> > They're already skilled at developing their own tools for "killing", and
> > they already "kill" for various reasons, whether it be personal gain,
> > organisational gain (ie a hacking group), or conceivably for the gain of
> > a foreign, enemy power.  To continue your comparison between wannabe
> > hackers and amateur killers, the blackhats, therefore, are the
> > professional hitmen.  The real contract killers.  The Jackal, perhaps.
>
> oh please, and you think that telling everyone about some new xml exploit
> is going to stop people like that?  face it, buster, there is no way to stop
> professional hackers.  but the crucial differences are:
>
> a) they generally spend less time looking for exploits and are fewer in
>    numbers than whitehats.  thus, pose less of a threat to security than
>    the amount of information put out by the security industry to the
>    general public.

You made the point that people hacking with information they barely
understand is akin to someone that's read "Hit Man" and kills someone.

Just because a blackhat doesn't look around as much for exploits, and
because a professional killer kills less people in absolute numbers than
regular run of the mill killers, doesn't make them any less dangerous.

A blackhat still hacks people's systems without permission, and a
professional killer still kills people, however you want to cut it
(slasher pun not intended).

> b) these people dont share their exploit information.  reducing the likelihood
>    of an attack to some random system.  essentially it is safer.

Oh, I feel so much safer now.  Thanks.

A professional hitman is still a professional hitman regardless of whether
they share their killing techniques or not.

Ditto for the blackhat.

> c) if the security were so great at doing its job then why do these people
>    still exist in society?  as it stands, current practices seem as though
>    the result would be more professional hackers because more people are being
>    informed about how to hack shit.  sure there is a big leap between reading
>    something liek nomads faq and being paid to hack shit for some terrorist
>    organisation, but given that the audience is so large, that percentage
>    chance is still a higher number.
>
> ********************************************************************************
> but, the issue here is not that professional's liability but rather corporate
> responisbility in the kind of information it releases.
> ********************************************************************************

Look at regular society - there's always going to be run of the mill
killers out there, if only because human beings are inherently fragile
things, just as computer software tends to be.

And society can only do so much to get rid of run of the mill killers - we
understand this, and have a system of law to punish those who happen to
get around our attempts to protect everyone (police, social conditioning,
prohibition of certain weapons, etc).

Staying the course with your hacker/killer comparison, why would you
expect security companies to be able to do any better at preventing misuse
of otherwise benign information than society can do preventing one person
from killing another?

> > Which do you think an open, democratic society would see as the greater
> > threat?
>
> the threat that wants to see the general public turned into criminals, thus
> degrading society and making crime more common.  crime is bad for society,
> remember?

Sure, but even when blackhats are the ones behind it?

> > The threat of a vast number of people capable of "falling off the
> > cliff" and killing other random citizens that don't have protection
> > details etc.
>
> heh i like it how you extended this analogy to have the hacker falling on ppl
> to kill them.  its cute, i love it :D

Ofir?

> > Or the threat of a select few that understand defensive tactics, walking
> > formations, successive layers of security, what security surveys are
> > likely to find, and are capable of assassinating the head of state?
>
> there is a difference between self defence and offense.  i have nothing against
> self defence, i think its a basic human reaction.  but to maliciously attack
> another human (or their computer) is illegal.  and we have to stop treating
> hacking as though its acceptable in society.  that its okay for people to

Same story again.  Even when blackhats are the ones breaking into people's
systems etc?  Oh, "they deserved it", or "they were asking for it", or
"they're a fucking narc".  This is the sort of stuff that pops up on
phrack.ru.

Don't forget the reason why we're having this discussion - you've compared
hacking without understanding what you are doing to killing people
after reading the book "Hit Man".

Is the victim of a blackhat any different to the victim of a bumbling
whitehat?

Is the victim of a professional killer any different to the victim of a
bumbling amateur killer?

They're still both hacked, or dead.

> read through advisories and then use that information to compromise a system.
> its not right.  and non-disclosure is one of the more effective ways to stop it.

Yes, so only the blackhats can hack and the professional killers can kill.

Top idea.

> > You'll find your answer to this question in the degree to which
> > organisations such as the FBI take threats against the President so
> > seriously.  They know they can protect against most random nutballs with
> > an ounce of information and proper preparedness.  They don't know they can
> > protect against an individuals with skill, determination and the proper
> > equipment.
>
> sorry but you're wrong.  i dont find my answer here.  all i see is that in your
> analogy the FBI can be called the "security industry" but where the FBI releases
> information to the public (maybe through a newspaper or tv) on how to
> assassinate presidents.
>
> > I <3 U 2
>
> !!!
> 2 b4d w3 c4n n3v3r b 2g3th3r bcuzz u r a wh1t3h4t & 3y3 h8 u :(

oppositez attrakt!

Don't be too hasty to think that we're on opposite sides here - I just
think your comparison is a poor one.  They read similarly, but if you want
to legitimise being a blackhat and wipe out the whitehats, that's akin to
legitimising professional hitmen and wiping out the run of the mill
killers like James Perry.

Is that really what you're suggesting?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html