Re: coding (was: Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

["Robert A. Seace" <ras () slartibartfast magrathea com>]

In the profound words of David Schwartz:
> >     Bullshit!  There are PLENTY of "moral applications" for exploit
> > code...
>
>       Okay, what are they?

        Well, a handful were listed out below for you...

> > Just to name a few: testing your own servers to see if they
> > are vulnerable;
>
>       That requires nothing malicious nor anything to exploit anything. That
> simply requires detecting the presence of a vulnerability.

        Simply detection which doesn't rely on actually exploiting
the vulnerability, is highly susceptible to failure...  That's
why good security scanners (eg: Nessus) don't rely on simple
detection-based tactics (eg: banner/version checking), but rather
actually attempt to exploit the vulnerability to determine if
you are vulnerable or not...  That's the only reliable method
of doing so...

        Maliciousness is a totally different topic...  Obviously
it's not "malicious", if you're using it in a beneficial way;
that's sort of self-evident, just from the definition of the
word...  And, as I said before, CODE can not be "malicious",
any more than a hammer, knife, or gun is "malicious"...  It
can be USED for "malicious" purposes, however; or, the very
same code can be used for benign, even helpful purposes...

> > testing your servers after patching to verify the
> > patch actually worked as advertized;
>
>       That requires nothing malicious nor does anything need to be exploited.
> Please state specifically what malicious or exploitative act is required.

        See above...  Exploiting the vulnerability is necessary
to ensure any level of accuracy...

> > using the exploit in an authorized
> > penetration test type of scenario;
>
>       That's malicious? 

        No, obviously not, nor are any of the other acts...  I don't
know why you have "malicious" on the brain, but I never mentioned
the word ONCE!  Maliciousness is an attribute of human beings, not
of computer programs...

> Arguably that does require the vulnerability to be
> exploited.

        Yes, it definitely does...  I don't know how you think
it's "arguable"...  Tell me how exactly you would penetrate
a machine WITHOUT exploiting a vulnerability of some sort??

> > demonstrating to clueless higher
> > management at your place of employment the need for applying that
> > patch that they are so reluctant to do;
>
>       That's no malicious, 

        No kidding...

> nor does that require the vulnerability to be
> exploited. 

        Yes, it does...  The particularly clueless ones won't believe
you if you just tell them; if you can't show them proof of how
easy it is to break in, they don't see a danger...  Don't think
people this stupid don't exist, either...  I've seen them...  And,
I know I can't be the only one...

> In any event, the moral value of responding to irrational
> requests or demands as if they were rational is questionable.

        Heh.  Ok...  If you don't consider increasing a company's
security, despite the incompetence of upper management, of any
"moral value", that's your call, I guess...  But, I think many
people would disagree... *shrug*

> > studying the code for educational
> > purposes, to learn how it works, possibly for the purpose of developing
> > something to guard against it; etc...
>
>       I said they have no moral _application_. Studying a gun is not an
> application of a gun. In any event, the studied code need not be malicious
> nor need it exploit anything.

        *shrug*  THIS one is perhaps a "questionable" one...  Whether or
not you consider studying code an "application" of it, is just
semantics...  I can see both sides...

> > There are many, many legitimate,
> > "moral" uses for exploit code...  Code is just like any other tool:
> > it can be used for either good or bad purposes...  It's not inherent
> > in its design which you use it for...  There is no "good" or "bad"
> > code; only code...  Plenty of so-called "good" programs have been
> > used for very bad purposes...  And, plenty of so-called "bad" programs
> > have been used for very good purposes...
>
>       I could not disagree more with this assertion. It's a great cop out -- 'I
> only built it, I have no control over what people do with it'. But it's not
> true at all.
>
>       To cite a recent real-world example of this, there's a discussion on
> alt.irc about operator invisibility, which is a piece of code. The only
> purpose for operator invisibility is to intercept the communications of
> third parties without their knowledge. It has no other application.

        I tend to think you overstate...  I honestly have no knowledge
about what you're speaking of, so I can't speak with authority...
But, being a programmer, I find it next to impossible to believe
that any program has ONLY ONE specific use, and CAN'T POSSIBLY be
used for anything else...  I'd need to see some proof to accept
that one...  Christ, you can even use "Hello, world!" in ways that
it wasn't intended!

>       If you agree that it is immoral or unethical to intercept the communication
> of third parties without their knowledge, then how can you escape the
> conclusion that it is imorral or unethical to provide for use code that
> provides only this functionality?

        Because, I don't believe that it does ONLY provide that
functionality, for one...

        For another, the mere existence of the code does NOT
intercept anyone's communication...  It's not until someone
uses it for that purpose that it becomes immoral/unethical...

        Even assuming this app truly ONLY could be used to
intercept a third party's communication, I can think of
an ethical use for it: intercepting a friend's communication
(with their permission, of course), to point out to them
that they aren't secure in whatever they're doing (IRC,
presumably, you're talking about?); thereby, convincing
them to either stop doing it, or to do something to make
themselve secure...

>       Would you argue that it's okay to produce the perfect poison (quick,
> undetectable, etcetera), an item clearly and inarguably optimized as an
> effective silent killed, because you just make the perfect poison, you have
> no idea or control over what it's going to be used for?

        Code does not equate to physical products...  However...  Yes,
I would say it's fine to produce poison...  In fact, companies do
it every day!  I'm not sure I see where whether or not it's "perfect"
comes into play; show me a piece of code that's "perfect"...

>       No, humans make tools. They make them for a purpose and the purpose is
> reflected in the design of the tool.

        In general, yes...  But, the thing with tools is, they can
be used for a wide variety of other purposes from that which they
were designed for...  (I just used a beer bottle to pound a tack
into the wall...  Are you telling me Belhaven breweries designed
this bottle for that purpose??)

-- 
||========================================================================||
||    Rob Seace    ||               URL              || ras () magrathea com ||
||  AKA: Agrajag   || http://www.magrathea.com/~ras/ || rob () wordstock com ||
||========================================================================||
"A dead telephone sanitizer?" "Best kind." "But what's he doing here?"
"Not a lot." - The Restaurant at the End of the Universe