Re: Who Are These Jerks, Anyway?

["Reverend Jain T. Resin" <doomstar () WSP1 WSPICE COM>]

> I disagree. What is the difference between posting ready-to-use Denial Of
> Service programs and posting ready-to-use security vulnerability exploits?
> Both of them can and often will be (ab)used, but people need them as a proof
> that an attack is feasible. Tons of exploits are being posted on full
> disclosure sites and lists such as Bugtraq - would you disagree to their
> philosophy of combating security through obscurity by providing them?

Hmm.. the only difference I see between ready-to-use progs and a
security vulnerability exploit post is that the exploit posts give
*knowledgeable* people info on how to exploit, where as the ready-to-use
progs give both knowledgeable *and* un-knowledgeable people access to
exploit the security vulnerabilities.  If only the 'in the know' people
wrote their own exploit programs and didn't distribute them, we would have
less lame hacks being committed but then again the FBI would also have a
harder time tracking down the culprit, seeing as how the person is 'in the
know' and knows something about covering their tracks.  Of course,
people who are smart enough to write programs for script kids are less
likely to commit lame hacks because.. well.. lame attacks are lame
attacks and 'in the know' people have more advanced 'hacks' in mind.

But alas, the real world...we have prepubescent morons running scripts and
binaries to allow them to commit the ancient DoS attacks.  The good news
is that they are morons so they will be easier to catch.

I personally think that individuals and groups should continue to post
security vulnerabilities.  I also think that people who are smart enough
to write tools which enable anyone to commence an 'attack' should be
greedy to a point and not spread the binaries to any and every script kid
on the net.  I remember in '84 there wasn't much in the way of tools so
you commenced a hack by hand or you wrote your own 'tool'.  These newbie
hackers that want 'elite status' should realize they are not true 3l33t
haXors unless they gain one thing; knowledge.  Installing a binary, typing
in an IP, then clicking 'hack this box' is not knowledge.

As for why I think places like BugTraq *should* exist.  Well, its really a
simple matter.  I'll use Microsoft as an example.  Microsoft writes
crapware - They add lines of code to lower the number of 'bugs per line of
code' instead of writing better software.  Microsoft also has a somewhat
uncontrolled environment and lots of miscommunication between various
development departments.  So.. the bottom line.  Microsoft releases their
latest pile of dung, DungPile 2000 elite, which is full of bugs.  A
'hacker' finds a bug and reports it to Microsoft.  Microsoft ignores this
bug report for whatever reason.  Now the 'hacker' posts his/her findings
to BugTraq.  This is sometimes a kick in the ass and Microsoft then jumps
to resolve the issue, write a patch or whatever.  This doesn't always
work..which is why I say 'sometimes'.

Anyways, the bottom line is that we need places like BugTraq to indirectly
enforce consumers the right to quality code.  Without places like BugTraq,
Microsoft will release the most insecure applications and never look back
or fix any bugs related to security in the future.  After working at an
ISP for many years, I realized how all the end users who are new to
computing think Windows is this steel suited warrior of an operating
system. They totally freak out when you tell them Win32 (95/98) has bugs.
They either refuse to beleive you or they realize you are being truthful
and that they were ripped off by Bill Gates' claims to offer support when
everyone knows that microsoft does just about ZERO in terms of letting
purchasers of products know about new bugs found in their software.

Any feedback regarding my opinion is always welcome...

formerly morpheus of digital murder magazine (defunct zine)

ISN is sponsored by Security-Focus.COM