Dailydave mailing list archives

Life, the Universe, and Everything (was: Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site")


From: "I)ruid" <druid () caughq org>
Date: Fri, 23 Sep 2005 01:31:14 -0500

Responding to two separate messages:

On Wed, 2005-09-21 at 14:21 -0400, Marcus J. Ranum wrote:
Like I said, without hacking more people would completely trust these
systems 

Fool. Without hacking THERE WOULD BE NO PROBLEM
WITH THE SYSTEMS AT ALL.

...

I believe that users become vulnerable through a combination
of events:
       - choice of what code the user will be running
       - pre-existence of a flaw in the code
       - discovery of the flaw
       - exploitation of the flaw
All four of these things must happen (in approximately that order)
for a user to become vulnerable. If any single one of those four
does not happen, the user is not vulnerable to a particular flaw.

I get the impression that you believe that if you are unaware of
something, it doesn't exist.  In the first message above, you suppose
that if there are no hackers exploiting vulnerabilities on a system that
the vulnerabilities do not exist (paraphrasing, please correct if I
didn't get the gist of it).  I suggest that they do exist, they are just
not utilized.  That is still a problem, because if they exist they will
eventually be utilized, even if they aren't right now.  When was the
last time a race with inherent exploratory spirit like humans not
utilized something that they had discovered existed?  As Dave suggested
in his essay, hacking is truly an extension of the human spirit.

In your second message, you follow the same theme and state that a user
is not vulnerable until the flaw is actually exploited (i.e. the
vulnerability is utilized).  I disagree, they were vulnerable at step
two, the instant the flaw came into existence, the vulnerability just
did not impact the user until step four.  Step two in your list provides
a place for the list to fork with multiple discoverers and even more
exploiters (assuming there's a step 3.5 of disclosure to one or more 3rd
parties).  Steps >=3 cannot exist unless the user is vulnerable at step
two.  This of course assumes we are only discussing exploitable flaws.

In conclusion, I ask you this;  If a tree falls in the woods, and no one
is around to hear, does it make a sound?  I'd guess that you'd say no,
it doesn't because there are no ears on which the sound could fall.  Or
maybe you were around and closed your eyes and covered your ears.  But
of course it does.  It always makes a sound.  Even if you try not to see
or hear it and it lands square on your head.  Unless it falls in the
vacuum of space, but then, is it really falling at all?  Or floating?
Or does floating imply that there are air molecules within which to
float?

But I digress, it's late here.  But if I don't look at the clock, is it
really late?  I guess it's always late somewhere...

-- 
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org
