Full Disclosure mailing list archives
hack this zine #4: zen and the art of non-disclosure
From: "Whooka de HackThisSite.org" <whooka () gmail com>
Date: Thu, 3 Aug 2006 09:35:52 -0500
This article is pulled from the newest issue of "hack this zine", which was printed and distributed at the recent Hackers on Planet Earth conference. You can download the new zine in full at http://www.hackbloc.org/ammo_for_the_infowarrior.txt or the full color PDF at http://www.hackbloc.org/ammo_for_the_infowarrior.pdf

Zen and the Art of Non-Disclosure

As hackers, squatters, scammers and phreaks, we are often asked, "That's amazing, how do you do it?" Yes, there still is magic out there, but it's not going to find you, nor will you find it through a google search*.

It's a vulnerability so long as the vendor isn't informed and releases a patch; it's a squat so long as its "legal owner" doesn't find out and kicks you out; and it's an underground party so long as no one slips up and police raid the place. Same goes for sneaking into theatres, copy hookups, and other scams. How do we keep these tricks alive? By keeping them a secret only to those who need to know. A magician never reveals her secrets lest it will cease to be magical. You will likely never hear the magician's true name either.

Why do people publicly release these tricks in the first place, and what effects does this have? Those vulnerable to the trick will likely find out and promptly patch their weaknesses. And law enforcement will have an opportunity to learn and train themselves as well as find out who to bust. Or the trick will fall into the wrong hands and be counter-productive (script kiddies, right wingers, fascists, etc). All so you can get your name on some security list as the one who "found it first", and in all probability, you probably weren't the first anyway, as the real people who made the discovery would want nothing to do with such lists to begin with. And they probably have a billion more important ways of applying the trick in the first place.

So before you spill the beans, ask yourself whether there are people who need these tricks more than you do, or whether there are already such people at work and would full disclosure jeopardize their secret plans?

That being said, we can move on to more pressing issues: how can we help the hacker movement to learn and grow without giving away and spoiling all our tricks? This was the big question as we were putting together this issue of our zine, thinking about whether we should publish instructions on 'how to hack X and hack Y'. Certainly we don't want to become some "eliter than thou" clique because it again becomes about individual ego and not the community, and while individuals come and go, ideas last forever. So we have to train ourselves and others willing to learn, but find a way to do it in a carefully calculated manner. And it's not gonna happen by giving away proof-of-concept code but by teaching the approach and technique so people can figure it out for themselves.

I don't think that was our conscious goal of Hack This Site but it certainly was the result. We wanted to introduce people to the wild world of hacking so we put together several series of hacking challenges modeled after real websites with real vulnerabilities. Creating this safe and legal training front group*, people were able to jump in and start with the basics, not by downloading exploits or "appz", but by hands-on security research.

People sometimes give us shit because we're dominated by newbies or that we are aiming too low. Rest assured, there are plenty of us with skill waiting in the background waiting for YOU to start asking the right questions so the real training can begin. Yes, we want to share our shit with those who want to learn. Before you can walk, you have to learn to crawl. And when you can walk you can be shown the path.

And this is what every white-hat, security consultant, or full-disclosure advocate fails to see: we can show you the path, open the door, and offer you the red pill, but you have to take that first step and become that black hat hacktivist ninja. Cause you're not helping anybody when you alert the vendor or post that 0day proof of concept code. Or get that full time computer security job for the phone company. Or turn in your buddies to the FBI when the going gets tough. This is what is known and loathed as "selling out", and it helps nobody but the forces which are working to destroy the hacking movement. The people who are seduced into it either end up regretting it or lose a bit of their humanity in the process of becoming a zombie worker bee for the Establishment.

So you've gone this far, but where are we going and what do we do next? You've probably realized this world isn't a very friendly place for not just black hat hacktivist ninjas but for most people in general, unless you happen to be in that top 1% where you have your own mansion, private jet and congressman. Every day we hear about how hackers and activists are criminals and terrorists. If you watch television you are also probably tired of hearing about how illegally tapping your phone or reading your mail protects us from terrorism, or how another thousand dead babies in Iraq is a Strong Victory for Worldwide Democracy.

So instead of boring you any further let me encourage you to Turn Off That Television and Get Involved with your Community cause Now is the Time to Act:

- get involved with your local indymedia center to tell the stories corporate media ignores
- set up servers for radical websites and email lists and teach them how to communicate securely on the internet
- find ways to get shit for free (free copies, free internet, free public transportation, etc) and share it with those who need it the most
- help develop the next Internet, one that is free from NSA spooks, traffic shaping, hierarchal domain authorities, or corporate control in general
- help inspire those who will grow to be bigger stronger and smarter than you or I who will deal that final blow against capitalism and the state

There is still magic out there for those who seek it: don't wait for it, it waits for you!

http://www.hackthissite.org
http://www.hackbloc.org
http://www.hacktivist.net