Full Disclosure mailing list archives

Re: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others)


From: "Euan Briggs" <euan_briggs () btinternet com>
Date: Mon, 25 Nov 2002 13:55:18 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

*yawn*
Is no one capable of posting without making it personal? Ignoring all
the venomous junk:

You state that blackhats advocate non-disclosure, yet you omit the
reasons _why_ they advocate it. These are the reasons I supplied in
my earlier posts.
Let me try and explain this frankly for you:

Situation A - If there is a hole in a system which is deployed on a
huge scale etc, and it is kept secret, the entire user base is at
risk from criminal hackers, and these hackers are the only people
aware of it. I have shown you already that blackhats disclose vulns
among themselves and these things inevitably come into the hands of
the blackhat masses. In case you hadn't noticed, script kiddies
themselves are getting into vuln-dev these days and no doubt will
find holes themselves and distribute them. If someone gets hacked,
the responsibility is not of the admin, who cannot possibly know the
system he was sold as secure had a vuln. So the responsibility is
moved onto the vendor. Now this may not be a bad thing, computing
technology seems to be the only product which we _expect_ to be
broken and there is no such thing as liability of the vendor if they
release something which is broken. However, is it a good idea to take
responsibility away from the administrator? Will this not make him
lazy, *shrug* and say "it's not my problem, it's out of my hands,
nothing I can do"? We all know the problems negligent admins cause
for the internet as a whole. Also, if you rely on vendors to discover
and fix holes, then you can count on it that they WON'T want to
announce it in a timely fashion. How many corporations do you know
that are willing to say "hey, we sold you a flawed and insecure
product that puts your entire business at risk, and lied when we told
you it was safe to use, sorry about that!".

Summary - Everyone is vulnerable, only blackhats have the tools,
people feel more uncertain about the supposed security of their
systems. Vendors can keep vulns secret to protect their business
image. 
Bottom line - People get hacked and there is nothing they can do
about it.

Situation B - Dealing with that same hole, the entire installed user
base is still at risk until it is discovered and disclosed. Now if it
is disclosed, not only do the criminal blackhats have the
information, but the admins etc become aware of it too. This gives
them the opportunity to patch it up. Any good admin should be keeping
track of security issues with the systems he uses, and if someone
fails to patch their machine and gets hacked, that is their problem.
Anyone doing responsible full disclosure will always coordinate with
vendors and allow them to create the fixes needed before releasing
the vulnerability information. My only problem with full-disclosure,
is that I feel it should be in the form of an advisory which
describes the vuln adequately to allow people to be informed about
how it affects them and how best to protect against it. Full
disclosure in the form of ./hack tools is completely unnecessary and
irresponsible, and if you cared to notice, most people doing
full-disclosure in the form of ready to run tools happen to be
blackhats. Look at GOBBLES activity this year for example. How many
reputable security companies have you seen, doing full disclosure in
the form of ./tools?

Summary - Everyone is made aware they have a vuln in their system,
they are given the means to fix it as they are informed of it. Sure
the information allows people to write their own attack for the vuln,
but the fix is available at the same time, and it is no doubt easier to
install the patch than it is for a kiddie to write the exploit from
an abstract advisory, so that risk is effectively mitigated.
Bottom line - People still get hacked, but there is a fix available
so they have the means to protect themselves. Responsibility for
security breach after disclosure remains in the hands of the network
administrator which is where it should be. Full-disclosure also
reveals the tricks and techniques of the exploit coder, which in turn
assists the people making vulnerable systems to clean up their act.

I stand by everything I said in the posts where I spoke about the
blackhats' selfish criminal motivations, and if you don't like that,
tough luck. I stand by full-disclosure as long as it isn't in the
form of ready to use "Proof of concept" code.

Responsible full-disclosure is working, before the security industry
matured EVERYONE was insecure. Now MANY are secure. That has to be
considered a positive improvement, no?


Euan



PS, ever heard the story of the bug in the rug who spends his whole
life wandering around in circles, and never gets to see the whole
pattern of the rug he lives in?
Also, various quotes such as "if crypto is outlawed, only criminals
will have crypto" seem appropriate. 



----- Original Message -----
From: "sockz loves you" <sockz () email com>
To: "Euan Briggs" <euan_briggs () btinternet com>
Cc: <full-disclosure () lists netsys com>
Sent: Monday, November 25, 2002 12:48 PM
Subject: Re: [Full-disclosure] [PHC] Sermon #3 (w/ reply to Paul
Schmehl & others)


----- Original Message -----
From: "Euan Briggs" <euan_briggs () btinternet com>
Date: Sat, 23 Nov 2002 00:52:30 -0500 
To: <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] [PHC] Sermon #3 (w/ reply to Paul
Schmehl & others)  

Sorry to tell you this PHC, but I know who the majority of you
are and where you originate from. 

OMG NO!!!
does this mean that my real identity as a transvestite
cross-gendered ex-felon stripper who never originated from boston
but really comes from a shell that was hatched in the ocean deep
has been made public?!  oh the embarrassment!!!  how will the
hacker world ever take me seriously again!?!

mr euan briggs, PHC isn't just the #phrack@EFnet ops.  there are
members of PHC who aren't opped on #phrack, some who don't even
visit the channel.  some who don't even bother with irc like you and
i do.

but seriously, i'd like to know what you know about me, and where i
"originate from".  i'm comfortable with you revealing this to the
list or anywhere else for that matter.  my identity is hardly
something of a secret these days, but i'm fairly certain you remain
without any clue.
 
My work with Snosoft does not mark my entry into the field. To be
frank, the reason I entered the whitehat arena, is because I am
appalled at what has happened to the blackhat scene. I am
appalled by the motives and attitudes of people such as PHC. I am
appalled by the behaviour of people like you. I have a conscience
and a sense of responsibility, towards my fellow human beings and
our society. I want the world to be a better place. I don't see
working for the security industry as some sort of "betrayal" of
my blackhat roots, I see it as making a -positive- contribution
to society. I see it as paying my debt to society, for the years
I spent as a blackhat. Entering the industry was a natural
progression. I don't get a kick out of crime, it only brings guilt
and it is a rejection of the society that nurtured you, human
society which you owe your life to.

if this is the case then what have you actually done about it?  you
constantly whine and gripe about how #phrack is so "bad and evil
and omg stop them!!"  but so far your actions to stop #phrack have
amounted to zilch, nada, nothing.  if you are so eager to talk
about how great you are and how right you are, then why not give us
some evidence as to why we should believe you.  if you're not
prepared to show evidence of malicious activities against #phrack
or anyone else then shut up about your "blackhat roots" and your
"debt to society".  

i doubt you ever were a blackhat, as you have consistently shown a
lack of skill to back up the lies you tell.
 
You claim to "hate" the security industry, because you believe
they are exploiting hackers and their world. Unless you yourselves
are genuinely being exploited, I would say this part of your
rather contradictory manifesto is nothing more than a thin
veneer of justification for your delinquent attitudes. As I said
in my last post, I think you are just pissed off that you have a
motivated and well funded competitor (the industry), and people
like you helped create it.
*snip*

i can't speak for everyone who's against the security industry, just
myself. so far my ideology in this whole mess has evolved.  as i
expanded my investigation into what the problem actually is, i
realised that the term "anti-security industry" didn't really fit
me, as i was more about changing the current system for the
better... not the worse.  like you and just about everyone else on
this list i feel a degree of social responsibility when it comes to
the matter.  but unlike yourself i am not so resistant to change,
and the cost of that change.

we're learning as we go along here, just like anyone else.  plz
don't take words that were uttered in the heat of spirited
patriotism to be the basis of our arguments.

*snap*
You claim to be advocating non-disclosure because you believe it
will increase security, yet at the same time you claim to be
blackhat (implication = criminal) hackers. It doesn't add up.

*sigh*
i've tried to explain this so many times before.  yet again i
attempt to simplify everything without making too broad an
assumption... yet again do i explain this:

blackhat ~= person who advocates non-disclosure.  hacks computers.
doesn't brag.
security ~= the likelihood of a system withstanding an attack.

at the moment many many ppl have ready access to information on how
to compromise security.  but a person can only secure their own
system.  this means that many ppl pose a security risk that few ppl
can actually manage. (strong offence versus weak defence)

non-disclosure solves this problem.

if fewer ppl know about hacks (because blackhats don't talk about
them) then fewer systems are threatened because the ratio of
"attackers:admins" is reduced.

PLEASE, try and think about it for yourself instead of trying to
find all the faults in what i've said.  just take a good look with
an open and rational mind and work it out for yourself, it will
make sense, i promise.


Nobody gives a damn because you have nothing interesting or
useful to say. Nobody gives a damn because you are wrong. You
simply want to stop full-disclosure so you can continue your
disgruntled teenager "soft crime" blackhat antics. You want to
remove script kids from the scene, not to make the internet more
secure, but to restore the prestige and status that true hackers
used to have, for your own selfish interests (your ego). You want
to feel special again, and not just the generic hacker number
4593845 that you are now.

i think you must have overlooked something crucial when you were
writing this, that or maybe you hadn't slept enough, or were having
a bad day, or just too much coffee.  the first two lines about
nobody giving a damn didn't even strike a chord against my
self-esteem as i have none, and dealt with the whole "no-one gives
a damn" concept months ago.  it's like i said, i have a sense of
social responsibility that nags at my conscience (or what's left of
it).  sure i could just throw my hat in on this whole movement and
say "fuck it, i'm out", and i'd be lying if i were to say this
thought hadn't crossed my mind before.  but the reason why i don't
isn't because of any of the reasons you stated.  it's because i WANT
to do this.  i WANT to make an impact and try to change things.
the fact that it's an uphill battle means it is more of a challenge to
conquer.  i don't do this for public recognition.  i do this as a
personal challenge, an area of interest, the ultimate hobby.
 
As misfit teenagers, your flawed ideology is understandable to
some degree. As adults, you are simply petty criminals, and there
is nothing glamorous, sexy, or clever about crime other than the
fabricated ideas which the media has blunted your morality with.

i think it's grand that you think teenagers could be so smart.  but
all you've done here is proven how little you really know about PHC
(see top of this email where you claimed otherwise).  your petty
attempts at trying to demonise our efforts serve only to highlight
your own ignorance in the ways of psychology and social
engineering.  if i did all of this for attention and social
recognition from my peers then you'd see me at bars proclaiming to
cute chicks how much of a hacker i was.  bragging in the hope that
it will get me sex, or social recognition.  i've seen ppl do things
like that and it sickens me.  i think nothing debases human
intelligence and respect more than bragging.  

bragging gets you into trouble.  trouble is detrimental to my
cause.  hence, i don't brag.  i only seek to let ppl know what i'm
_about_ so that i can somehow inspire them to join with me and
achieve a better future.

now if you'll excuse me i need some sleep before a big day/night
ahead tomorrow.  

take care and plz think about what i've said.  not at face value,
but about what it _means_.  what i'm _trying_ to say versus my
inability to communicate.  


<3 sockz

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPeJyE0P0lBKBG8xoEQI5pACbBv2QS2LB7pMAPyR/7ozLPIjFGnMAoI7s
I8F4aGlK9NC+KYbuQroRJVvt
=dxxv
-----END PGP SIGNATURE-----
