Full Disclosure mailing list archives
Re: thoughts on hacking, life and the future of the Net
From: full-disclosure () lists netsys com (Anodyne Perspective)
Date: Fri, 16 Aug 2002 17:49:07 -0700 (PDT)
--- aliver () xexil com wrote:
On Fri, 16 Aug 2002, Scott Francis wrote:
[snip]
The only thing that troubles me is that in order to change the industry (or eliminate it entirely) in the way that is being proposed, we have to be willing to sustain a lot of casualties of innocents. Who is ultimately responsible for this? Was it the blackhat who found a bug, or the software vendor who released the software in the first place? In truth maybe a little of both. However, I have to ask myself who is more moral. The megacorp or the hacker. Now in that regard it's a no brainer. When it comes to free software projects like Apache, I'd say that a little bit of politeness goes a long way if you plan to release an exploit. However, if sitting on an exploit you wrote for a bug you found suits your purposes, I'd say you have zero moral obligation to help, if you have a greater goal in mind.
[snip]

I've snipped the rest of the email, because it's the sort of healthy scepticism of "big business" and "globalism" that many people are feeling these days, and some discussion about Theo de Raadt, both of which I have no particular quarrel with.

The only thing that made me stop and want to know more was the "greater goal in mind" that an exploit writer might have. What greater goal do you speak of?

The cynic in me would cite real world examples of exploit writers posting information to Bugtraq with "send job offers" messages attached (e.g. http://marc.theaimsgroup.com/?l=bugtraq&m=102324168812638&w=2), or exploits being used to compromise the systems of personal enemies for what are ultimately little more than personality clashes and pissing contests. The current "no disclosure" movement condemns the former, and seems to variously condemn yet employ the latter (el8 magazines being the highest profile current example), so I'm doubting it's either of these.

The optimist in me would proffer examples of exploit writers using the exploits against multinationals that pollute the environment, giving their dirty little secrets to Government and Industry regulators, or using the exploits against the tobacco industry, publishing the research they try ever so hard to deny the existence of regarding the dangers of smoking. Or pointing out the folly (perhaps even without releasing specific exploitation details) of running certain software to sensitive Government departments if patriotism is your thing. Perhaps "getting back" at Equifax for their privacy abuses over the years. None of these are real life examples - just what I can come up with given the anti-globalism, anti-corporate tinges of this discussion. Is the "Robin Hood" style of exploit information the "greater goal" you speak of?

Or is it more simplistic? Perhaps the "strangle the security industry" thing? I discounted this because the "ethical, skilled" people have as much opportunity to create a company and perform an ethically particular service, with their exclusive information, and probably reap the rewards to boot once their prowess becomes known, but they have (thus far) chosen not to.

If not, what might it be? It's a serious question, and one that has always sort of sat unanswered in any black/grey/white hat discussion. I think we'd all be well served by some serious attempts to answer it on this list.