Full Disclosure mailing list archives

Re: Security Industry Under Scrutiny #4


From: "sockz loves you" <sockz () email com>
Date: Tue, 21 Jan 2003 20:15:37 -0500

****************************************************************************
but, the issue here is not that professional's liability but rather
corporate responsibility in the kind of information it releases.
****************************************************************************

Look at regular society - there's always going to be run of the mill
killers out there, if only because human beings are inherently fragile
things, just as computer software tends to be.

And society can only do so much to get rid of run of the mill killers - we
understand this, and have a system of law to punish those who happen to
get around our attempts to protect everyone (police, social conditioning,
prohibition of certain weapons, etc).

Staying the course with your hacker/killer comparison, why would you
expect security companies to be able to do any better at preventing misuse
of otherwise benign information than society can do preventing one person
from killing another?

am i following this logic correctly?  you're saying that just because there are
hackers out there the security industry should tell everybody how to hack and
somehow... *somehow* this will reduce the number of attacks?

the threat that wants to see the general public turned into criminals, thus
degrading society and making crime more common.  crime is bad for society,
remember?

Sure, but even when blackhats are the ones behind it?

hacking is illegal, nobody.  i do not dispute this.  if you hack something
you commit a computer crime.  it's that simple.  but the difference here is that
unlike other crimes, it is acceptable for people to glorify this crime.
even those bodies that seek to "decrease" the level of computer crime support
the crime.  what we're discussing here is one of the ways these bodies do this,
specifically through providing information on how to commit the crime in the
first place.

security companies have been lured into the misconception that all of the bad
people won't read bugtraq.  this is silly.  just as Paladin Press assumed that
the readers of "Hit Man" wouldn't be actual real killers (heavens no!)

the security industry needs to wake up and realise that it's being taken
advantage of.  and full-disclosure mechanisms only serve to heighten this
level of exploitation.

there is a difference between self defence and offense.  i have nothing
against self defence, i think it's a basic human reaction.  but to
maliciously attack another human (or their computer) is illegal.  and we
have to stop treating hacking as though it's acceptable in society.  that

Same story again.  Even when blackhats are the ones breaking into people's
systems etc?  Oh, "they deserved it", or "they were asking for it", or
"they're a fucking narc".  This is the sort of stuff that pops up on
phrack.ru.

i dont see the security industry hailing phrack.ru as an authoritative
*technical* source on how to improve internet security.  do you?  do you
see any advisories on that site?  and step-by-step FAQs detailing how you
can compromise a system?  i dont.  phrack.ru doesn't pretend to be what it
isn't.  securityfocus.com on the other hand is highly pretentious and
delusional as to its real purpose on the internet.

take a good look, phrack.ru doesn't tell ppl how to hack... funny that.

Is the victim of a blackhat any different to the victim of a bumbling
whitehat?

i suppose it can be.  but when looking at the global picture, it's clear that
the whitehat generally does more damage more often than the blackhat.

Is the victim of a professional killer any different to the victim of a
bumbling amateur killer?

They're still both hacked, or dead.

point taken.  but we're looking at how we can prevent so many ppl from dying/
being hacked.  in this case i've suggested that we should start making
information providers more accountable for the kind of data they put out,
specifically for those providers who tell people HOW to commit crime.

read through advisories and then use that information to compromise a
system.  it's not right.  and non-disclosure is one of the more effective
ways to stop it.

Yes, so only the blackhats can hack and the professional killers can kill.

Top idea.

i thought so too :)

I <3 U 2

!!!
2 b4d w3 c4n n3v3r b 2g3th3r bcuzz u r a wh1t3h4t & 3y3 h8 u :(

oppositez attrakt!

h4h4h4h4

Don't be too hasty to think that we're on opposite sides here - I just
think your comparison is a poor one.  They read similarly, but if you want
to legitimise being a blackhat and wipe out the whitehats, that's akin to
legitimising professional hitmen and wiping out the run of the mill
killers like James Perry.

Is that really what you're suggesting?

is it legitimising to say that professional hitmen will always exist,
regardless of changes in society?  no, i think it's a fact.  the same can
be said for hackers like Vladimir Levin, the guy who ripped Citibank off
for $10mil.  Though I cannot say for sure, I am pretty certain the
techniques he used weren't those devised on Bugtraq, or anything that any
security company could have foreseen.  And any sec company that says they
could have prevented an attack like that through research are delusional.
but there is a huge difference between Levin and some dorq who wants to
learn how to hack so he can spy on his girlfriend, or some even bigger
dorq who wants to learn how to hack so she can change her school grades,
or get revenge on a former employer.  These kinds of attacks comprise the
MAJORITY of 'hacks' on the internet, and they could be easily prevented
by simply not telling these dorqs how to hack.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
