Dailydave mailing list archives

Re: Re: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"


From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 21 Sep 2005 10:41:57 +0100

On Tue, 2005-09-20 at 18:31 -0400, Marcus J. Ranum wrote:
First off, I apologize for my delay in responding. I had a crunch project
due and pretty much dug myself into a hole for a week. I'm out, now. :)


Dave Aitel writes:
Hacking, or in common parlance, breaking into other people's computers 
is a tool of the human spirit. We live in a time where new technologies 
engender new freedoms as well as new tyrannies. As the discipline of 
revolution must take hold among a society in order to combat any 
tyranny, such has hacking taken hold among the technical community

This is the most unexpected and fascinating defense of hacking that
I have ever encountered; I thank you for it. 

It can't be that unexpected, it's a core theme of the hackers manifesto,
not citing that document as entirely relevant or worth believing in,
just a very well known source of Dave's above point.


Freedom-loving people understand that, to resist the inevitable
trend toward tyranny, it is important that "the tree of liberty be
refreshed from time to time with the blood of patriots and tyrants."
But Jefferson probably would have drawn the line at watering the tree
of liberty with innocent victims chosen at random based on their
IP address.

He would draw the line at targeting innocents but he didn't draw the
line at researching and understanding the weapons that could be used for
this because he knew the benefits that could come from this.

My "issue" if you will, with hacking, is not that it is practiced by
a small handful of well-disciplined patriots. Such patriots, if they actually
existed, would presumably maintain effective tradecraft, hold their
weapons and techniques closely, and would only field them at the
point where it was necessary to spruce up the tree of liberty. But
that's not what I see - I see hacking practiced by a vast rabble of
undisciplined amateurs and opportunists. The amateurs, or "script
kiddies" are not interested in defending liberty or preparing to
overcome tyranny - if they were, they wouldn't be victimizing helpless
home users, university accounts, and small businesses. The
opportunists often rely on publicizing flaws in software so they can
get their 15 minutes of fame on CNN. They're not interested in
protecting the world against tyranny; they just want to hype
themselves so they can get better consulting contracts or promote
the products they want to sell.

So because of the opportunists the whole security industry is bad? Does
the same go for financial consultancy firms? They commonly come up with
ways to defraud systems, or design poor systems that no one adequately
researches. Then you get opportunists defrauding the 72 year old
grannies you mention. They do this by exploiting financial loopholes
(vulnerabilities). This is a close mirror of what goes on in Security,
pointing out and detailing a flaw does not make you a criminal - using
that flaw can do. It's the role of a responsible researcher to try to
prevent this, by coming up with protection mechanisms. You can't protect
against something if you don't know what it is. This is where coding
exploits and understanding them openly becomes beneficial. If it was
done behind closed doors by the revolutionaries you believe should be
doing this, then the benefit wouldn't be felt by people outside of these
groups. You seem to miss the most important point that many security
researchers have a belief in. The information should be available to
anyone that can make use of it. The attackers will always have it
because they are determined enough, they will always be hidden away in
corners coding up shellcode and exploits. Unless this is openly studied
then the defenders lose out not the attackers.

For the security industry to consider exploits as forbidden fruit would
only serve to increase the underground market for them and drive people
with these skills into that market in order to survive. This would be
less beneficial than the current situation. Have you ever tried to share
information between agencies in different jurisdictions in order to
analyse a security incident? Without open forums to discuss this and
open research there is no basis for communication - add that to the
pre-existing political differences and the defenders are left high and
dry.


So, Dave, you use ringing words of liberty and revolution to defend
a situation in which, from where I stand, I see little but victimization.
Indeed, what is tyranny but the usurpation and revocation of liberties?
As it stands, today, the hacking community has done more to usurp
personal liberties on the Internet than any government has. It is not
fear of governments that cause home users to disconnect their
internet links: it's fear of worms written by hackers/malware writers
based on knowledge published by "security researchers" and "grey
hat" hackers. It is not government censorship that renders Email
unreliable and dangerous as a form of communication: it is the
constant flood of new phishing scams, spyware, and trojans written
by hackers/malcode writers and shared with spammers and scammers.
If hacking is about fighting tyranny, then how has it become a tool
of the worst sort of petty, venal tyrants - tyrants that erode our
people's right to free speech by taking down or defacing web sites,
and destroy our ability to enjoy the web by forcing us to hunker down
behind firewalls?

A very romantic essay on Dave's part here, but nonetheless valid points.
You seem to believe that if security consultancies didn't release
exploits you wouldn't have to "hunker down behind your firewall". That
seems to be a very naive position. Even now WITH this openness we have
underground 0day trading going on, that will not go away if we make
exploits forbidden - more researchers will be underground and there will
be no one above ground keeping the IT industry in the loop. 

Your words sound good, but if they were true we would be hearing
about how hackers had broken down the information firewalls in
the oppressive theocracies of the middle east, or had established
covert ISPs and Email access in North Korea. But instead, we hear
an endless litany of
"600,000 credit cards stolen"
"Personal information compromised"
"Crucial system taken offline"

Quite correct, because there is money in it. This has nothing to do with
whether or not someone releases some cool new shellcode. It will
continue to happen. Do you remember where this thriving security
community out in the open came from? Do you know who runs and fills up
the staff of all these security companies? It's many of these
underground guys that grew up a bit and "sold out" to join society and
try to better it. Whether or not you agree with what they do now, you
have to admit that the illegal and darker side has been going on much
longer than this legal and open side of the industry. However back then
the firewall wouldn't even be suggested to your granny - now it is.

These are not acts of revolution, no matter how you try to paint
them: these are acts of non-ideological selfishness, committed by
borderline sociopaths who enjoy anonymity as they electronically rape,
pillage, pry, and plunder.

You are discussing crimes and using that to argue against research. Not
many here would agree with harming innocents. Researching attack and
defence, patterns and mechanisms give obvious tactical advantage to
people defending their systems. Using these for illegality is a
different matter.


I grew up in the late 60's and went on some of the peace marches
in NYC in the 70's - so you can imagine my surprise when I hear
the sounds of old-school Marxist populism on an internet security
mailing list!!

Why is this surprising to you? You do realise that most of the initial
researchers of the technologies we use just now developed them during
that period and the initial discussions stemmed from views of that
period. The icons and heroes worshipped for creating the basis of this
community are all of that generation and their romantic views continue
to be passed on.

Here, you are appealing to anti-classist sentiment. As if, somehow,
Paris Hilton has no right to privacy because she's beautiful and
vapid, or Michael Bloomberg's right to privacy should be derided
because he's a billionaire. But even so, your argument is flawed,
because it IS my sister's email that gets hacked AND it's Michael
Bloomberg's. It is not the billionaires and famous who have their
identities stolen and traded on IRC like poker chips. The people
who are hurt the worst by hacking are, as usual, the poor and
ignorant. It is one thing to shout "SCREW THE RICH!" but quite
another when it's the poor who are actually getting screwed.

What is your argument then? If Dave didn't send us a link to creating
shellcode on Windows earlier this week, then the guys committing these
sort of crimes would cease to do so? If so then I have this cool idea
you might like, I call it "prohibition".

Yes, hacking flourishes under oppressive regimes - but profit-motivated
hacking flourishes particularly in economically deprived areas. It is
not love of revolution that makes Nigeria the global champions of
bank fraud - it is poverty and a corrupt banking system. It was not
Communist oppression that fueled the great wave of Russian hackers
of the late 20th century: it was lack of local resources and opportunity.
They weren't fighting communism; they were trying to cash in on
the table-scraps of the dot-com bubble.

Good argument, it reinforces my point. Hacking isn't the cause - it's
the tool.


I believe hacking has done a lot to erode false senses of security.
Certainly, fewer people trust their credit cards online. Fewer people
are willing to rely on their email. Yes, I'm sure that fewer people
will trust E-voting systems, as well.

Like I said, without hacking more people would completely trust these
systems and more people would be open to attack when their trust was
misplaced. Stopping open research of hacking will not make computer
crime go away. In fact it would increase and less people would be
protected from it.

If I may sidetrack into politics, E-voting should not be what we
fear. A quick look at political history shows us that dictatorships
have NEVER bothered to conceal what they are; they have never
needed to. Nobody who has the power to topple a republic by
force would bother using E-voting to do so. Nobody who lacked the
power to hold a republic once it was stolen would be able to
retain their grip even if an E-voting election were rigged. E-voting
is an interesting problem and a fun technological toy, but it's
just a pretty GUI atop a more profound process. Mao was right,
political power grows out of the barrel of a gun - not a rigged E-voting
machine. If you truly believe what you're espousing, I suggest
you become a right-wing gun nut and supporter of The 2nd
Amendment and give up this computer security nonsense entirely.

The most powerful guns are controlled by computer systems.


There are right ways to foster honesty, and there are wrong
ways. When Ollie North's e-mails with the NSC were pulled from
backup tapes pursuant to a legitimate court order, the justice
system was seen to be functioning correctly. When someone
defaced SCO's website, justice was wronged. Why? Because
whether you think it was fast enough, the justice system was
grinding along and doing the right thing in that case. Hackers
defacing websites of the side they don't like is an attempt to
threaten, annoy, or intimidate - it is a miscarriage of justice.
Justice respects property rights. Justice encourages free
speech. Eroding trust does neither.

Indeed. So we don't try to understand how web defacement works then, we
just jail the exploit writers teaching us how to do so and the problem
goes away? Do you honestly believe that it is the security consultants
defacing these websites? Or are the security consultants jumping up and
down saying, "PATCH! FIREWALL! DEFEND! or your websites will end up
controlled by a pissed off school kid"


Does that sound like a fair trade? Not to me. Next time some
big worm brings down a mission-critical network, will you stand
up in front of the network administrator and tell him it was for
the greater good? I'd like to be there; I'll drive you to the hospital
after he's done with you.

Nope we'd tell him that the exploit has been available for weeks, the
vulnerability has been discussed all over the place, was on the front
page of the register and slashdot, was in the email from his vendor, on
his vendor's website and the patch was available for download two weeks
ago, not to mention the IDS signatures and the fact that it wouldn't
affect him if he'd shut off the service he wasn't using anyway. He'd
have no excuse for not protecting himself.


An exploit itself is a study in cool understated elegance.

So is a haiku, or a well-coded B+tree, or a well-made sword,
or a nicely-fitted dovetail joint, or a photograph, or a techno
track - or any of literally hundreds of thousands of socially-sanctioned
forms of creativity.

Humans create and appreciate art. Yet, society has the right
to implicitly approve of some forms of art and to disapprove
of others. 

They approve of photography and generally of tasteful nudity, but not
anything that harms the innocent such as child porn.

They could equally approve of exploit research and development in order
to create defence systems, but not the use of those to harm the
innocent.

By arrogating upon themselves the power to penetrate, destroy,
and compromise both the evil and the innocent, the hacker is
stepping outside of the body politic.

No. Having the power to do something evil AND protect from it isn't bad,
there are many professions that have this sort of power. It is the
misuse of this power that is the problem.

 Indeed, in a sense, the
hacker collective might be a "rogue state" or the individual
hacker a "terrorist." You appeal to us with the words of 
revolution but you're no revolutionary - you're just another
computer security entrepreneur teaching shellcoding technique
at conferences to market your company's products. Real
anarchists do not hide in broad daylight - G.K.Chesterton
was writing parody, not truth. If you were truly a cultural
revolutionary trying to help defend us all against tyranny you'd
be an IT specialist for one of the 2 political parties, working
quietly from the inside. No shellcode necessary. 

Ahh, what about the rest of us that believe there can be more than two
views and would like everyone to benefit from the technology regardless
of their political motivation. The researcher should have freedom to say
that there is a big hole over there and someone should fill it. Saying
that within a political party can be suicide (literally).

No matter how much you want to romanticize a thing, if
there are innocent people being placed at greater risk through
your actions or inactions, you bear some moral responsibility
for your actions.

Indeed I agree! Stopping security research of the type we are discussing
would have grave consequences for the general security of companies and
individuals. Action is required - research those exploits.

There's where I have a problem with all this. By romanticizing
hacking, you make it more attractive. You make it easier for
someone to think "well, it's OK."  Whenever some hacker gets
busted and defends their actions based on "I didn't mean to
harm anyone" and THAT is what the media reports, 

Criminals get busted, not hackers. It just so happens that hacking can
be used to commit crimes and it makes great copy. Stock brokers get
arrested constantly for fraud which also makes great copy. It doesn't
make understanding and teaching ways to defraud and protect from this a
crime.

it
desensitizes the potential hacker against the consequences
his actions might have on a victim. Desensitization goes
further, when you hear security practitioners blaming the
victim: "well, he got 0wned because he was too lame to
update his firewall."  Never mind that the victim was a
72-year-old lady in a retirement home, and it was some
kind of miracle to her that Email works at all - now you
expect her to install a firewall?

The home user and the corporate administrator are very different things.
If the corporation gets hacked, then generally they failed to listen to
the security practitioners or made a mistake - that is their problem
that security research helps overcome. If the home user gets hacked that
is a different matter and is something the technology should solve
transparently, which is what many vendors are trying to do. This is a
difficult problem to solve and the solution is still being worked on -
without research into security, use and misuse, it will never be solved.


The computer security industry has a number of reprehensible
practices which I believe will eventually be abandoned.

I don't know when you see this happening, but it won't be anytime soon -
we can't even sort out the physical security and safety of the world's
citizens and that problem has been around a lot longer than this one.
(We are having an ID card debate in the UK just now.)

 If they are
not, we security practitioners will eventually be regarded with
the level of professional respect accorded to tort lawyers and
used car salesmen.

Indeed, because bad apples make the news. CNN don't care when new
security techniques and concepts appear, they just care that Paris
Hilton got hacked. Mainstream news is generally bad news, because that's
what the public like to see. Hacking is an easy target, or rather the
victims of it are, just like the victims of the dodgy car salesmen. When
you go to buy a car most people know to get a "trusted" expert to look
it over. They should, and often do, do the same with computer systems.

"BREAKING NEWS: Bank doesn't get hacked" - I doubt it.
 
 History will judge us all by
our deeds, not what we choose to call ourselves.

Good quote to end on, which again reinforces my point - it's not hacking
that is bad, it's not guns that are bad, it's not photography that is
bad. It's the people that use these for something morally disagreeable.


-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

"He who hingeth aboot, geteth hee-haw" Victor - Still Game

blog:  http://reboot-robot.net
sites: http://www.bsrf.org.uk - http://www.security-forums.com
ca:    https://www.cacert.org/index.php?id=3
