Dailydave mailing list archives
Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"
From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 21 Sep 2005 10:41:57 +0100
On Tue, 2005-09-20 at 18:31 -0400, Marcus J. Ranum wrote:
First off, I apologize for my delay in responding. I had a crunch project due and pretty much dug myself into a hole for a week. I'm out, now. :) Dave Aitel writes:Hacking, or in common parlance, breaking into other people's computers is a tool of the human spirit. We live in a time where new technologies engender new freedoms as well as new tyrannies. As the discipline of revolution must take hold among a society in order to combat any tyranny, such has hacking taken hold among the technical communityThis is the most unexpected and fascinating defense of hacking that I have ever encountered; I thank you for it.
It can't be that unexpected, it's a core theme of the hackers manifesto, not citing that document as entirely relevant or worth believing in, just a very well known source of Daves above point.
Freedom-loving people understand that, to resist the inevitable trend toward tyranny, it is important that "the tree of liberty be refreshed from time to time with the blood of patriots and tyrants." But Jefferson probably would have drawn the line at watering the tree of liberty with innocent victims chosen at random based on their IP address.
He would draw the line at targeting innocents but he didn't draw the line at researching and understanding the weapons that could be used for this because he knew the benefits that could come from this.
My "issue" if you will, with hacking, is not that it is practiced by a small handful of well-disciplined patriots. Such patriots, if they actually existed, would presumably maintain effective tradecraft, hold their weapons and techniques closely, and would only field them at the point where it was necessary to spruce up the tree of liberty. But that's not what I see - I see hacking practiced by a vast rabble of undisciplined amateurs and opportunists. The amateurs, or "script kiddies" are not interested in defending liberty or preparing to overcome tyranny - if they were, they wouldn't be victimizing helpless home users, university accounts, and small businesses. The opportunists often rely on publicizing flaws in software so they can get their 15 minutes of fame on CNN. They're not interested in protecting the world against tyranny; they just want to hype themselves so they can get better consulting contracts or promote the products they want to sell.
So because of the opportunists the whole security industry is bad? Does the same go for financial consultancy firms ? They commonly come up with ways to defraud systems, or design poor systems that no one adequately researches. Then you get opportunists defrauding the 72 year old grannies you mention. They do this by exploiting financial loopholes (vulnerabilities). This is a close mirror of what goes on in Security, pointing out and detailing a flaw does not make you a criminal - using that flaw can do. It's the role of a responsible researcher to try to prevent this, by coming up with protection mechanisms. You can't protect against something if you don't know what it is. This is where coding exploits and understanding them openly becomes beneficial. If it was done behind closed doors by the revolutionaries you believe should be doing this, then the benefit wouldn't be felt by people outside of these groups. You seem to miss the most important point that many security researchers have a belief in. The information should be available to anyone that can make use of it. The attackers will always have it because they are determined enough, they will always be hidden away in corners coding up shellcode and exploits. Unless this is openly studied then the defenders lose out not the attackers. For the security industry to consider exploits as forbidden fruit would only serve to increase the underground market for them and drive people with these skills into that market in order to survive. This would be less beneficial than the current situation. Have you ever tried to share information between agencies in different jurisdictions in order to analyse a security incident ? Without open forums to discuss this and open research there is no basis for communication - add that to the pre-existing political differences and the defenders are left high and dry.
So, Dave, you use ringing words of liberty and revolution to defend a situation in which, from where I stand, I see little but victimization. Indeed, what is tyranny but the usurpation and revocation of liberties? As it stands, today, the hacking community has done more to usurp personal liberties on the Internet than any government has. It is not fear of governments that cause home users to disconnect their internet links: it's fear of worms written by hackers/malware writers based on knowledge published by "security researchers" and "grey hat" hackers. It is not government censorship that renders Email unreliable and dangerous as a form of communication: it is the constant flood of new phishing scams, spyware, and trojans written by hackers/malcode writers and shared with spammers and scammers. If hacking is about fighting tyranny, then how has it become a tool of the worst sort of petty, venal tyrants - tyrants that erode our people's right to free speech by taking down or defacing web sites, and destroy our ability to enjoy the web by forcing us to hunker down behind firewalls?
A very romantic essay on Daves part here, but nonetheless valid points. You seem to believe that if security consultancies didn't release exploits you wouldn't have to "hunker down behind your firewall". That seems to be a very naive position. Even now WITH this openness we have underground 0day trading going on, that will not go away if we make exploits forbidden - more researchers will be underground and there will be no one above ground keeping the IT industry in the loop.
Your words sound good, but if they were true we would be hearing about how hackers had broken down the information firewalls in the oppressive theocracies of the middle east, or had established covert ISPs and Email access in North Korea. But instead, we hear an endless litany of "600,000 credit cards stolen" "Personal information compromised" "Crucial system taken offline"
Quite correct, because there is money in it. This has nothing to do with whether or not someone releases some cool new shellcode. It will continue to happen. Do you remember where this thriving security community out in the open came from ? Do you know who runs and fills up the staff of all these security companies? It's many of these underground guys that grew up a bit and "sold out" to join society and try to better it. Whether or not you agree with what they do now, you have to admit that the illegal and darker side has been going on much longer than this legal and open side of the industry. However back then the firewall wouldn't even be suggested to your granny - now it is.
These are not acts of revolution, no matter how you try to paint them: these are acts of non-ideological selfishness, committed by borderline sociopaths who enjoy anonymity as they electronically rape, pillage, pry, and plunder.
You are discussing crimes and using that to argue against research. Not many here would agree with harming innocents. Researching attack and defence, patterns and mechanisms give obvious tactical advantage to people defending their systems. Using these for illegality is a different matter.
I grew up in the late 60's and went on some of the peace marches in NYC in the 70's - so you can imagine my surprise when I hear the sounds of old-school Marxist populism on an internet security mailing list!!
Why is this surprising to you? You do realise that most of the initial researchers of the technologies we use just now developed them during that period and the initial discussions stemmed from views of that period. The icons and heroes worshipped for creating the basis of this community are all of that generation and their romantic views continue to be passed on.
Here, you are appealing to anti-classist sentiment. As if, somehow, Paris Hilton has no right to privacy because she's beautiful and vapid, or Michael Bloomberg's right to privacy should be derided because he's a billionaire. But even so, your argument is flawed, because it IS my sister's email that gets hacked AND it's Michael Bloomberg's. It is not the billionaires and famous who have their identities stolen and traded on IRC like poker chips. The people who are hurt the worst by hacking are, as usual, the poor and ignorant. It is one thing to shout "SCREW THE RICH!" but quite another when it's the poor who are actually getting screwed.
What is your argument then? If Dave didn't send us a link to creating shellcode on Windows earlier this week, then the guys committing these sort of crimes would cease to do so? If so then I have this cool idea you might like, I call it "prohibition".
Yes, hacking flourishes under oppressive regimes - but profit-motivated hacking flourishes particularly in economically deprived areas. It is not love of revolution that makes Nigeria the global champions of bank fraud - it is poverty and a corrupt banking system. It was not Communist oppression that fueled the great wave of Russian hackers of the late 20th century: it was lack of local resources and opportunity. They weren't fighting communism; they were trying to cash in on the table-scraps of the dot-com bubble.
Good argument, it reinforces my point. Hacking isn't the cause - it's the tool.
I believe hacking has done a lot to erode false senses of security. Certainly, fewer people trust their credit cards online. Fewer people are willing to rely on their email. Yes, I'm sure that fewer people will trust E-voting systems, as well.
Like I said, without hacking more people would completely trust these systems and more people would be open to attack when their trust was misplaced. Stopping open research of hacking will not make computer crime go away. In fact it would increase and less people would be protected from it.
If I may sidetrack into politics, E-voting should not be what we fear. A quick look at political history shows us that dictatorships have NEVER bothered to conceal what they are; they have never needed to. Nobody who has the power to topple a republic by force would bother using E-voting to do so. Nobody who lacked the power to hold a republic once it was stolen would be able to retain their grip even if an E-voting election were rigged. E-voting is an interesting problem and a fun technological toy, but it's just a pretty GUI atop a more profound process. Mao was right, political power grows out of the barrel of a gun - not a rigged E-voting machine. If you truly believe what you're espousing, I suggest you become a right-wing gun nut and supporter of The 2nd Amendment and give up this computer security nonsense entirely.
The most powerful guns are controlled by computer systems.
There are right ways to foster honesty, and there are wrong ways. When Ollie North's e-mails with the NSC were pulled from backup tapes pursuant to a legitimate court order, the justice system was seen to be functioning correctly. When someone defaced SCO's website, justice was wronged. Why? Because whether you think it was fast enough, the justice system was grinding along and doing the right thing in that case. Hackers defacing websites of the side they don't like is an attempt to threaten, annoy, or intimidate - it is a miscarriage of justice. Justice respects property rights. Justice encourages free speech. Eroding trust does neither.
Indeed. So we don't try to understand how web defacement works then, we just jail the exploit writers teaching us how to do so and the problem goes away? Do you honestly believe that it is the security consultants defacing these websites? Or are the security consultants jumping up and down saying, "PATCH! FIREWALL! DEFEND! or your websites will end up controlled by a pissed of school kid"
Does that sound like a fair trade? Not to me. Next time some big worm brings down a mission-critical network, will you stand up in front of the network administrator and tell him it was for the greater good? I'd like to be there; I'll drive you to the hospital after he's done with you.
Nope we'd tell him that the exploit has been available for weeks, the vulnerability has been discussed all over the place, was on the front page of the register and slashdot, was in the email from his vendor, on his vendors website and the patch was available for download two weeks ago, not to mention the IDS signatures and the fact that it wouldn't affect him if he'd shut off the service he wasn't using anyway. He'd have no excuse for not protecting himself.
An exploit itself is a study in cool understated elegance.So is a haiku, or a well-coded B+tree, or a well-made sword, or a nicely-fitted dovetail joint, or a photograph, or a techno track - or any of literally hundreds of thousands of socially-sanctioned forms of creativity. Humans create and appreciate art. Yet, society has the right to implicitly approve of some forms of art and to disapprove of others.
They approve of photography and generally of tasteful nudity, but not anything that harms the innocent such as child porn. They could equally approve of exploit research and development in order to create defence systems, but not the use of those to harm the innocent.
By arrogating upon themselves the power to penetrate, destroy, and compromise both the evil and the innocent, the hacker is stepping outside of the body politic.
No. Having the power to do something evil AND protect from it isn't bad, there are many professions that have this sort of power. It is the misuse of this power that is the problem.
Indeed, in a sense, the hacker collective might be a "rogue state" or the individual hacker a "terrorist." You appeal to us with the words of revolution but you're no revolutionary - you're just another computer security entrepreneur teaching shellcoding technique at conferences to market your company's products. Real anarchists do not hide in broad daylight - G.K.Chesterton was writing parody, not truth. If you were truly a cultural revolutionary trying to help defend us all against tyranny you'd be an IT specialist for one of the 2 political parties, working quietly from the inside. No shellcode necessary.
Ahh, what about the rest of us that believe there can be more than two views and would like everyone to benefit from the technology regardless of their political motivation. The researcher should have freedom to say that there is a big hole over there and someone should fill it. Saying that withing a political party can be suicide (literally).
No matter how much you want to romanticize a thing, if there are innocent people being placed at greater risk through your actions or inactions, you bear some moral responsibility for your actions.
Indeed I agree! Stopping security research of the type we are discussing would have grave consequences for the general security of companies and individuals. Action is required - research those exploits.
There's where I have a problem with all this. By romanticizing hacking, you make it more attractive. You make it easier for someone to think "well, it's OK." Whenever some hacker gets busted and defends their actions based on "I didn't mean to harm anyone" and THAT is what the media reports,
Criminals get busted, not hackers. It just so happens that hacking can be used to commit crimes and it makes great copy. Stock brokers get arrested constantly for fraud which also makes great copy. It doesn't make understanding and teaching ways to defraud and protect from this a crime.
it desensitizes the potential hacker against the consequences his actions might have on a victim. Desensitization goes further, when you hear security practitioners blaming the victim: "well, he got 0wned because he was too lame to update his firewall." Never mind that the victim was a 72-year-old lady in a retirement home, and it was some kind of miracle to her that Email works at all - now you expect her to install a firewall?
The home user and the corporate administrator are very different things. If the corporation gets hacked, then generally they failed to listen to the security practitioners or made a mistake - that is their problem that security research helps overcome. If the home user gets hacked that is a different matter and is something the technology should solve transparently, which is what many vendors are trying to do. This is a difficult problem to solve and the solution is still being worked on - without research into security, use and misuse, it will never be solved.
The computer security industry has a number of reprehensible practices which I believe will eventually be abandoned.
I don't know when you see this happening, but it won't be anytime soon - we can't even sort out the physical security and safety of the worlds citizens and that problem has been around a lot longer than this one. (We are having an ID card debate in the UK just now.)
If they are not, we security practitioners will eventually be regarded with the level of professional respect accorded to tort lawyers and used car salesmen.
Indeed, because bad apples make the news. CNN don't care when new security techniques and concepts appear, they just care that Paris Hilton got hacked. Mainstream news is generally bad news, because thats what the public like to see. Hacking is an easy target, or rather the victims of it are, just like the victims of the dodgy car salesmen. When you go to buy a car most people know to get a "trusted" expert to look it over. They should, and often do, do the same with computer systems. "BREAKING NEWS: Bank doesn't get hacked" - I doubt it.
History will judge us all by our deeds, not what we choose to call ourselves.
Good quote to end on, which again reinforces my point - it's not hacking that is bad, it's not guns that are bad, it's not photography that is bad. It's the people that use these for something morally disagreeable. -- With Regards.. Barrie Dempster (zeedo) - Fortiter et Strenue "He who hingeth aboot, geteth hee-haw" Victor - Still Game blog: http://reboot-robot.net sites: http://www.bsrf.org.uk - http://www.security-forums.com ca: https://www.cacert.org/index.php?id=3
Attachment:
smime.p7s
Description:
Current thread:
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site", (continued)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Theo Winter (Sep 19)
- RE: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Dave Korn (Sep 19)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Bas Alberts (Sep 19)
- RE: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Dave "I do not speak for AT&T!" Korn (Sep 19)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Marcus J. Ranum (Sep 20)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" sinan . eren (Sep 20)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Jonathan Karon (Sep 20)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Drsolly (Sep 21)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Marcus J. Ranum (Sep 21)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" haroon meer (Sep 21)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Barrie Dempster (Sep 21)
- RE: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Paul Melson (Sep 21)
- RE: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Drsolly (Sep 21)
- RE: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Barrie Dempster (Sep 21)
- Message not available
- Re: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Marcus J. Ranum (Sep 21)
- Message not available
- Re: Re: Exactly 500 word essay on "Why hacking iscool, so that Marcus changes his web site" Barrie Dempster (Sep 21)
- Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Theo Winter (Sep 19)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Marcus J. Ranum (Sep 21)
- Life, the Universe, and Everything (was: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site") I)ruid (Sep 23)
- RE: Life, the Universe, and Everything (was: Exactly 500 word essay on"Why hacking is cool, so that Marcus changes his web site") Jos Pols (Sep 23)
- RE: Life, the Universe, and Everything (was: Exactly 500 word essay on"Why hacking is cool, so that Marcus changes his web site") Bryan McAninch (Sep 24)
- Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site" Robert Nickel (Sep 26)