Full Disclosure mailing list archives
OT: An odd question that has arrisen within my household
From: mitch_hurrison () ziplip com
Date: Mon, 13 Oct 2003 08:37:37 -0700 (PDT)
Hi Henry, I have to agree with Josh on this one. Basically you admit to not having any first-hand experience with the real "underground". This shows from your comments. There are alot of lowkey collaborations of people who research and exploit vulnerabilities for the pure joy of solving the puzzle. And that feel no further obligation to the "community" at large. Then there are those who research and exploit vulnerabilities to, oh no, hack systems. It amuses me that alot of people refuse to accept that intelligent people don't always seek the limelight. That for alot of us hacking is still about having fun with your friends and mental stimulation. People that aren't out to make the world a better place or make a bundle in the info-sec industry. It's the inherit arrogance of full disclosure that assumes that the one to bring it to the public's eye is the one to have first found the issue. This is a limited view. To assume people can only learn via publicly available information is to take the availability of this information as a given. You are assuming that the information posted is the only way someone else can learn. How do you think these techniques were developed in the first place? When you force people to be creative by not providing them with set answers, that's when real innovation is born. Small example: the get_sp function exploits even today are using. Just because aleph1 used it in the mother of all leaks. And even though using such a guessing methodology is complete nonsense on local stack overflow exploits, people are still using it because full disclosure claimed it was the way it should be done. There are close-knit collaborations of private research teams. And that is where the true knowledge lies. A place that is one step up the foodchain. For someone to "fully disclose" something they first have to aquire that very something. Saddly most of the full disclosure we see today is the result of someone being sloppy with private research. So people like HD Moore can wrap their ethereal dump in some perl and present the world with yet another worm-threat. With regards, Mitch
henry j. mason hmason () dbsinet com Mon, 13 Oct 2003 09:37:09 -0400 i agree with your assessment, basically, but: you say these 'uber-hackers' don't believe in full- disclosure, but you say they use it to learn? or, without full-disclosure (or any disclosure at all) they would learn anyway? care to posit some theories as to how? these people have tons of free time, yet a lot going on socially? i find those two mutually exclusive, unless you don't have a job, and job-less twenty- somethings are hardly the most motivated of people. i do grant you that there is a very small quiet minority of very skilled hackers. but they aren't t13r anything because they just do it because they have to, not for l33t recognition. henry
Joshua Levitsky wrote: I would add a tier before Tier I that would be hackers that do not believe in full disclosure, do not share exploits outside their close knit circle of friends, do not support "the man". A lot of these guys are better than "The best of the best", but nobody knows because they don't make themselves public. Maybe you could call it "T13r Z3r0" :) Seriously... there are people out there that have tons of free time to learn, and possibly monitor lists like this, and laugh at the silly people that disclose vulnerabilities and share information. They aren't necessarily out doing damage. They just don't play with strangers because they choose not to. Some of these people are damn cool. Some are just anti-social, but that really isn't the norm so far as I can tell. Of the people I've ever met they seem to have personalities, and usually have more going on than I do socially. If you met them you wouldn't think "hacker" or even know they are in to computers. I dunno... just my observations here in New York City. Perhaps it's different elsewhere. -Josh On Oct 13, 2003, at 1:02 AM, Joel R. Helgeson wrote:Tier I - The best of the best - Ability to find new vulnerabilities - Ability to write exploit code and tools Tier II - IT savvy - Ability to program or script - Understand wht the vulnerability is and how it works - Intelligent enough to use the exploit code and tools with precision Tier III - "Script Kiddies" - Inexpert - Ability to download exploit code and tools - Very little understanding of the actual vulnerability (launching Linux attacks against MS boxes) - Randomly fire off scripts until something works-- Joshua Levitsky, CISSP, MCSE System Engineer AOL Time Warner [5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: OT: An odd question that has arrisen withinmy household, (continued)
- Re: OT: An odd question that has arrisen withinmy household Jonathan A. Zdziarski (Oct 15)
- Re: OT: An odd question that has arrisen withinmy household Valdis . Kletnieks (Oct 15)
- Re: OT: An odd question that has arrisen withinmy household Jonathan A. Zdziarski (Oct 15)
- Re: OT: An odd question that has arrisen withinmy household Jeremiah Cornelius (Oct 15)
- Re: OT: An odd question that has arrisen withinmy household Joshua Levitsky (Oct 15)
- Re: OT: An odd question that has arrisen within my household Joshua Levitsky (Oct 14)
- Re: OT: An odd question that has arrisen within my household Valdis . Kletnieks (Oct 13)
- Re: OT: An odd question that has arrisen within my household Nate Hill (Oct 13)
- Re: OT: An odd question that has arrisen within my household Peter Busser (Oct 16)