Administrivia

[full-disclosure () lists netsys com (sockz loves you)]

Hi Scott,

Nice to hear from you again.

> (I finally feel like some productive discussion is going on, even if it's not
> directly related to security concerns per se. I should probably move this to
> a philosophical forum. Long discourse follows; please hit 'd' if you're not
> interested.)

no i disagree.  these people need to hear it more than some philosophical
list.
 
> I mostly agree with your statement, especially about people leeching off the
> work of others (Jeff Goldblum's line from 'Jurassic Park' comes to mind -

hehe, he was my favourite character in the movie.

> "You stood on the shoulders of geniuses ..." unfortunately, I couldn't find
> it in the script archive online, and I can't remember from the movie well
> enough to quote verbatim.) However ... 'hackers aren't after security.
> they're after security that can be compromised' I disagree with. I know that
> is the motivation for some hackers. I consider myself to be a hacker,
> however, and I have motivations in addition to the lure of exploring systems
> and networks that aren't mine - it's the lure of learning, of creating and of

oh for certain, there are other motivations for a hacker.  but at the end
of the day, a hacker doesn't want a closed system.  how is something they
can't get into supposed to be a tool to use for satisfying their curiosity?
remember we are talking about hacking in relation to the security industry,
and the difference between a whitehat and a hacker.

> discovering new things. None of which are necessarily tied to what might more
> accurately be termed 'cracking'.

i believe i've already mentioned my dislike of this term.  nuff said.
 
> A secret involving more than one person doesn't remain a secret very long. No

assuming the person you tell violates your trust.  i agree.  personally, i
prefer to trust no-one unless i have to.

> matter how small and covert the group, people (especially hackers) cannot
> resist the temptation to brag about secret knowledge. This is how exploits

no i disagree.  for some it may be a temptation.  but i think once you get
over this idea of "if i tell everyone about my exploit they'll all think
i'm cool", that temptation becomes null.  any rational hacker can see that.

> that start out as private knowledge to a small group make their way into the
> hands of those with malicious intent, and eventually appear as tools for use
> by the script kiddies.

quite true.
 
[snip]
> knowledge. As an admin, I don't like this scenario. I have the utmost respect
> for the skills of those that find bugs and exploits; however, I also know
> that there simply are not enough hours in the day for every admin out there
> to personally audit every software package and OS under his/her control to
> find the same bugs that the underground is finding.

no.  this is what your software developers are for.  if you cant trust the
people who make the software for your system, then why are you using it?

> I think Raschid hit it on the head when he proposed the teaching of ethics
> alongside information and skills. Higher ethical standards among the
> underground is, I believe, the key to making the model you proposed work,
> without raping the general public and those of us responsible for protecting
> various of them (admins).

i'm skeptical about 'ethics'.  perhaps its cuz i've heard the debate faaar
more than any sane human being should.  but i can see where you are coming
from.  and i think i agree.  well, i do to some extent.  i would elaborate
but i'd only be repeating points i've made earlier.
 
> While that's true, those programmers _do_ have to pay the rent, feed
> themselves and support their families. If they shouldn't do it by using their
> security skills to make money, what do you suggest instead? Writing new
> software for profit can be a good model, but it can also be terribly abused
> (MSFT, etc.).

i can see where this is a problem for those who dont know how to do 
anything else.  personally, i see being a blackhat as more of a hobby than
a profession.  others may view things differently though.  i'm not saying
that programmers shouldn't be paid.  there are tonnes of jobs out there
that involve programming that dont support whitehats.  if you want to
continue to use your security skills to make money then go apply for a job
with a software development company relative to your area of skill.  you're
off much more use to the company there than you will ever be as a third
party.
 
> In the old phreaking days, information was generated by curious hackers and
> traded around in the underground. Some folks abused the info, but most of
> them were merely curious explorers, and those with a desire to keep on
> learning. When it was discovered that there was money to be made in the flow
> of this information, the modern security industry was born.

maybe i'm just not as old as those old phreaking days, but in *my* old
phreaking days, once something became well known it became obsolete.  the
telco had *spies* in the underground trolling for information it could use
to better secure its system.  perhaps this is why i am so against the
security industry.  because it makes the phreaks/hackers/whatever job
unecessarily harder.  once something is well known to the underground its
as good as useless anyway.
 
> True. The tinfoil hat brigade would tell you that the real power in this
> world has been hidden and silent for centuries now, and that everything the
> common person associates with power is merely a sham.

yeah pretty much.  i recommend reading that book "The Power Elite" by
C. Wright Mills.  although its far from anything new, i think Mills' ideas
relate to this debate almost directly.
 
> The only solution I have been able to come up with is Raschid's call to
> ethics.

"we are the knights who say... ethics!"  heh, sorry, couldn't resist.
 
> > ABOUT IT.  if you were smart enough to discover a way to compromise a system
> > in the first place, your first reaction isn't going to be as stupid as to tell
> > every script kiddy you see.  nor are you going to go and exploit it without
>
> There are exceptions, of course. The lure of fame and ego can be very strong.

like i've stated before, pride isn't rational.
 
> > > The law has a tendency to condemn blackhats, to date. :) (Those that are
> > > caught, anyway.)
> >
> > yep.  but only stupid and irresponsible blackhats get caught.. those who dont
>
> get caught, or abuse knowledge in such a way as to create a situation where
> they can _be_ caught (i.e. if you're acting ethically, you have no fear of
> being caught, because you're not doing anything to be caught for. Obviously,
> this assumes a benevolent and uncorrupt legal/moral system, and such is not
> currently the case in most countries and governments.)

ethical != legal
nuff said.
 
> I would not at all be surprised to learn that various AV vendors are,
> directly or indirectly, keeping the threat alive in order to keep sales alive.

neither would i.
 
> > a smart hacker will work in collusion with the government, just like your
> > media moguls work with politicians. or like law enforcement agencies work
> > with your ISP. like i said, real power is covert. and if you have that kind
> > of power its very hard for someone to take it away from you. because they
> > dont know you have it.
>
> Exactly. man, I feel myself growing more paranoid by the second.

hahaha

> Very much so. Thanks for writing. I haven't had a good thought-provoking
> discussion, especially touching on ethics, since I left college. To the
> naysayers: while this thread may not technically fit the topic, I think in
> the˜òÿ¿àÏ long run it will be more valuable than discussion of the 37th javascript
> hole in MSIE this year, etc.

oh for sure.  i really think people need to stop coding once in a while and
take a good look, with an open, rational mind, at where exactly they are
heading.
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup