Full Disclosure mailing list archives

Re: Please post to the list


From: Alexander Bartolich <alexander.bartolich () gmx at>
Date: Sat, 23 Nov 2002 02:52:28 +0100

Schmehl, Paul L wrote:
> [...] So why should I, as a guy who is concerned about the
> security of my network, care what blackhats have to say?
> Why should I support anything the blackhats are trying
> to convince me I should support?

"You cannot have a science without measurement."
-- R. W. Hamming

Examiners who carefully avoid all areas where you might have
trouble are a waste of time. Military maneuvers without
someone playing the enemy are not fun. And crash tests with
cars, trucks, trains and planes are fairly standard.

Of course software is not strictly comparable.
It is more like bananas, inedible on delivery, ripens on site.
There is no liability, no class-action suits, not even applied
anti-trust law. But then software development is dirt cheap,
provided you already have the knowledge and do it in your spare time.

Since vendors get away with shipping buggy software they are
effectively out-sourcing debugging to their customers.
Or whoever gives their stuff a try.
Is it ethical to actively search for bugs? I think so.
Is it ethical to misuse these bugs, i.e. not stop after a
core dump but go the extra mile to a working exploit?
I'd say that depends on whom you consider your enemy.

The individuals who speak up on Usenet, mailing lists and
weblogs might do it for a lot of reasons; fame, vandalism,
revenge or just from nine to five. But I doubt that members
of organized crime, secret services or anarchist groups
will ever announce their 'achievements' that openly.

A freak sneaking into corporate headquarters and managing
all the way to the penthouse is a nuisance. Doubly so if he
takes the liberty to shit on the desk of the CEO. Quadruple
if he takes pictures of the result and publishes them.

But this is _nothing_ compared to the damage a dedicated
professional can do. Apart from espionage and electronic fraud.
What about using your account to send hate mail or other
anti-reputation material? Upload illegal content and tip off
the cops? How much 'mobbing' does it take to ruin a career?
Getting angry at script kiddies and the like is to confuse
symptoms with the cause.

--
post tenebras lux. post fenestras tux.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
