Full Disclosure mailing list archives

Re: Security Industry Under Scrutiny #4


From: Anonymous <nobody () cryptofortress com>
Date: Tue, 21 Jan 2003 20:54:27 -0600 (CST)


****************************************************************************
but, the issue here is not that professional's liability but rather
corporate responsibility in the kind of information it releases.
****************************************************************************

Look at regular society - there's always going to be run of the mill
killers out there, if only because human beings are inherently fragile
things, just as computer software tends to be.

And society can only do so much to get rid of run of the mill killers - we
understand this, and have a system of law to punish those who happen to
get around our attempts to protect everyone (police, social conditioning,
prohibition of certain weapons, etc).

Staying the course with your hacker/killer comparison, why would you
expect security companies to be able to do any better at preventing misuse
of otherwise benign information than society can do preventing one person
from killing another?

am i following this logic correctly?  you're saying that just because there are
hackers out there the security industry should tell everybody how to hack and
somehow... *somehow* this will reduce the number of attacks?

Let's stop beating around the bush here.  You want to get rid of the
whitehats and the amateurs that don't understand the information they're
using to hack, and the security industry that allegedly fuels them.  The
(unstated) end result of this being that there's a whole habitat of
computers and networks that aren't being patched, left wide open to
blackhats, whose existence and power we are collectively supposed to
ignore.

Correct?

the threat that wants to see the general public turned into criminals, thus
degrading society and making crime more common.  crime is bad for society,
remember?

Sure, but even when blackhats are the ones behind it?

hacking is illegal, nobody.  i do not dispute this.  if you hack something
you commit a computer crime.  it's that simple.  but the difference here is that
unlike other crimes, it is acceptable for people to glorify this crime.
even those bodies that seek to "decrease" the level of computer crime support
the crime.  what we're discussing here is one of the ways these bodies do this,
specifically through providing information on how to commit the crime in the
first place.

security companies have been lured into the misconception that all of the bad
people won't read bugtraq.  this is silly.  just as Paladin Press assumed that
the readers of "Hit Man" wouldn't be actual real killers (heavens no!)

Some call this "Free Speech", and accept the consequences.

the security industry needs to wake up and realise that its being taken
advantage of.  and full-disclosure mechanisms only serve to heighten this
level of exploitation.

Stop me where this starts to sound silly:

"The American people need to wake up and realise that it's being taken
advantage of.  And free speech only serves to heighten this level of
exploitation"

You're not advocating a ban on free speech, are you?

there is a difference between self defence and offense.  i have nothing
against self defence, i think it's a basic human reaction.  but to
maliciously attack another human (or their computer) is illegal.  and we
have to stop treating hacking as though it's acceptable in society.  that

Same story again.  Even when blackhats are the ones breaking into people's
systems etc?  Oh, "they deserved it", or "they were asking for it", or
"they're a fucking narc".  This is the sort of stuff that pops up on
phrack.ru.

i dont see the security industry hailing phrack.ru as an authoritative
*technical* source on how to improve internet security.  do you?  do you
see any advisories on that site?  and step-by-step FAQs detailing how you
can compromise a system?  i dont.  phrack.ru doesn't pretend to be what it
isn't.  securityfocus.com on the other hand is highly pretentious and
delusional as to its real purpose on the internet.

take a good look, phrack.ru doesn't tell ppl how to hack... funny that.

telnet anti.inet-sec.org 6787

If that's not some kind of instruction on how to hack, what is it?

Sorry - I forgot.  It's "art", or "entertainment".

Is the victim of a blackhat any different to the victim of a bumbling
whitehat?

i suppose it can be.  but when looking at the global picture, it's clear that
the whitehat generally does more damage more often than the blackhat.

Can you elaborate on this, please?

Strategic damage, or tactical?

Doesn't the knowledge of a blackhat and the potential systems they have
access to act as a significant force multiplier?  I don't think you've
taken this into account.

Is the victim of a professional killer any different to the victim of a
bumbling amateur killer?

They're still both hacked, or dead.

point taken.  but we're looking at how we can prevent so many ppl from dying/
being hacked.  in this case i've suggested that we should start making
information providers more accountable for the kind of data they put out,
specifically for those providers who tell people HOW to commit crime.

If this isn't all a grand ploy to create blackhat hacking opportunities by
wiping out the whitehats and amateurs, and a legit attempt to prevent
people from being hacked, why not contribute to the development of various
pieces of software to make them more secure?  Give Vixie a swift kick in
the pants for all those years of insecure BIND releases.  Fix MySQL once
and for all.  And write something to replace all those php-nuke
installations that are oh-so-broken.

read through advisories and then use that information to compromise a
system.  it's not right.  and non-disclosure is one of the more effective
ways to stop it.

Yes, so only the blackhats can hack and the professional killers can kill.

Top idea.

i thought so too :)

KEKEKE

Don't be too hasty to think that we're on opposite sides here - I just
think your comparison is a poor one.  They read similarly, but if you want
to legitimise being a blackhat and wipe out the whitehats, that's akin to
legitimising professional hitmen and wiping out the run of the mill
killers like James Perry.

Is that really what you're suggesting?

is it legitimising to say that professional hitmen will always exist,
regardless of changes in society?  no, i think it's a fact.  the same can
be said for hackers like Vladimir Levin, the guy who ripped Citibank off
for $10mil.  Though I cannot say for sure, I am pretty certain the
techniques he used weren't those devised on Bugtraq, or anything that any
security company could have foreseen.  And any sec company that says they
could have prevented an attack like that through research are delusional.
but there is a huge difference between Levin and some dorq who wants to
learn how to hack so he can spy on his girlfriend, or some even bigger
dorq who wants to learn how to hack so she can change her school grades,
or get revenge on a former employer.  These kinds of attacks comprise the
MAJORITY of 'hacks' on the internet, and they could be easily prevented
by simply not telling these dorqs how to hack.

In a recent book by a couple of senior Chinese Colonels entitled
'Unrestricted Warfare', one of their eight principles is that your
objectives must always be smaller than measures. (It reads a lot like Sun
Tzu) For example, in Vietnam, the US objective of winning was larger than
the measures that the US leaders were prepared to commit to the task, and
hence defeat was inevitable.  The objective here is the wiping out of a
whole bunch of amateur hackers and "dorqs" by cutting off their air
supply.  The measures you have at your disposal are a small, secretive
community of blackhats amongst whom you discourage disclosure, and free
speech (to express your point of view in forums like this).  But it's the
availability of free speech that the security industry uses to
inform people about software flaws and help them secure their computers
and networks.  Or as you put it, they tell the amateur hackers and
"dorqs" how to hack.

Arguably, your objectives are greater than the measures you have to
commit to the task.

Isn't victory therefore unattainable for you and your kin?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html