Full Disclosure mailing list archives
Re: The real motivations of vulnerability disclosure
From: endrazine <endrazine () gmail com>
Date: Wed, 3 Oct 2007 13:54:15 +0200
Hello FD readers,

I don't usually answer non-technical posts, but I feel like explaining why I believe the ideas expressed by Mr Frog and similar underground orthodoxes are clueless.

"Mr Frog": To summarize your thesis: people disclose vulnerabilities for fame & profit. "That's not how real hackers used to be."

Ok, let's analyze those statements a bit deeper.

First, let's establish the truth about fame: Fame? What fame? Does your mother know who Michal Zalewski is? Of course not. When you first decided to be a "computer enthusiast", you also decided you would spend your life behind a computer and none would ever give a damn. You're also mentioning people having Wikipedia entries or belonging to "crews" (the so-called research communities): you're surely missing people writing bullshit on blogs and posting links to their miserable thoughts on public mailing lists...

Additionally, I especially enjoy the intellectually challenging relation between your first sentence, "when a vulnerability in a major site is discovered people freak out"... and your conclusion: "These types of people tend to hang around 'xss' hacking sites where they can learn the masterful art of finding an issue any 5 year old could find with less than 15 minutes of training."

In a nutshell, that's the good old Manichean (did I say Protestant?) schema: the good (being the "non disclosure" folks from your blog post) against the bad (being the "fame seekers") guys.

In the same vein, let me quote http://www.phrack.org/issues.html?issue=64&id=4#article : "But it is the reason not to write a technical article. The purpose of this article is to launch an SOS. An SOS to the scene, to everyone, to all the hackers in the world. To make all the next releases of Phrack better than ever before. And for this I don't need a technical article. I need what I would call Spirit." (follows an apology of pre-internet hacking mythology)

Those kinds of thoughts are almost as inept as they are widespread.

To you all, anachronistic purists of the so-called underground: go to hell. If there ever was a "spirit of the underground", it was the belief that individuals can, on their very own, do better than what engineers do in the industry (which is in fact absolutely understandable if you consider that companies have budget constraints, deadlines and limited knowledge). I don't see any opposition between this and vulnerability disclosure. What you do with a vulnerability you have found is irrelevant.

Now, if the whole dilemma is about people being at the same time security enthusiasts on their own, and social beings needing to work in one way or another to feed their families, let me tell you a big secret: everyone on the underground, starting with Adm, teso, phenoelite, phrack, (pasting from phrack's article) 2600, Phrack, PacketStorm, Phreak.org, Uniformed, PTP, Netric, Felinemenace, Hackcanada, Toxyn, phc, w00w00, devhell, cDc, l0pht, el8, gobbles, synergy, blacksecurity, u-name-it people and members of every other reasonably skilled security group I have never heard of are working for security-related companies. Maybe it wasn't the case in the 80's. But today, if you want to be able to understand a bit what's going on, hacking is a full-time job. There is no dichotomy between hacking on your own and selling your skills to a company.

So please, stop pointing the finger at each person trying to share a bit of what they have discovered.

my 0.02$

Regards,

--
endrazine- // Garage made hacker & Security Engineer at the same time.

PS: The members of the above cited groups are asked not to flame me with "I'm no industry guy" posts: I know you are ;) And thanks for sharing your work: I couldn't get half of the skills I have today without your "disclosures".

On 10/3/07, Mr Frog <hacking4froggies () gmail com> wrote:
For the past 10 years, when a vulnerability in a major site is discovered, people freak out. I'm not debating the importance of certain site vulnerabilities such as those exposing personal or account information. I'm going to talk about one of those things people think, but don't speak publicly about, which involves the intentions of those vulnerability disclosure folks. I'm going to break down these types of people, and some people in the 'industry' are going to laugh and others possibly be offended. If you have a problem with this then we can meet in an alley for warfare, but please don't bring salt as it burns. http://hackingfrog.blogspot.com/2007/10/o-o-omg-frog.html - Froggie
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/