Information Security News mailing list archives
Re: Who Are These Jerks, Anyway?
From: "Reverend Jain T. Resin" <doomstar () WSP1 WSPICE COM>
Date: Mon, 14 Feb 2000 14:05:49 -0600
I disagree. What is the difference between posting ready-to-use Denial Of Service programs and posting ready-to-use security vulnerability exploits? Both of them can and often will be (ab)used, but people need them as a proof that an attack is feasible. Tons of exploits are being posted on full disclosure sites and lists such as Bugtraq - would you disagree with their philosophy of combating security through obscurity by providing them?
Hmm.. the only difference I see between ready-to-use progs and a security vulnerability exploit post is that the exploit posts give *knowledgeable* people info on how to exploit, whereas the ready-to-use progs give both knowledgeable *and* un-knowledgeable people access to exploit the security vulnerabilities. If only the 'in the know' people wrote their own exploit programs and didn't distribute them, we would have fewer lame hacks being committed, but then again the FBI would also have a harder time tracking down the culprit, seeing as how the person is 'in the know' and knows something about covering their tracks. Of course, people who are smart enough to write programs for script kids are less likely to commit lame hacks because.. well.. lame attacks are lame attacks and 'in the know' people have more advanced 'hacks' in mind. But alas, the real world... we have prepubescent morons running scripts and binaries to allow them to commit the ancient DoS attacks. The good news is that they are morons so they will be easier to catch.
I personally think that individuals and groups should continue to post security vulnerabilities. I also think that people who are smart enough to write tools which enable anyone to commence an 'attack' should be greedy to a point and not spread the binaries to any and every script kid on the net. I remember in '84 there wasn't much in the way of tools so you commenced a hack by hand or you wrote your own 'tool'. These newbie hackers that want 'elite status' should realize they are not true 3l33t haXors unless they gain one thing: knowledge. Installing a binary, typing in an IP, then clicking 'hack this box' is not knowledge.
As for why I think places like BugTraq *should* exist. Well, it's really a simple matter. I'll use Microsoft as an example. Microsoft writes crapware - They add lines of code to lower the number of 'bugs per line of code' instead of writing better software. Microsoft also has a somewhat uncontrolled environment and lots of miscommunication between various development departments. So.. the bottom line. Microsoft releases their latest pile of dung, DungPile 2000 elite, which is full of bugs. A 'hacker' finds a bug and reports it to Microsoft. Microsoft ignores this bug report for whatever reason. Now the 'hacker' posts his/her findings to BugTraq. This is sometimes a kick in the ass and Microsoft then jumps to resolve the issue, write a patch or whatever. This doesn't always work.. which is why I say 'sometimes'. Anyways, the bottom line is that we need places like BugTraq to indirectly enforce consumers' right to quality code. Without places like BugTraq, Microsoft will release the most insecure applications and never look back or fix any bugs related to security in the future.
After working at an ISP for many years, I realized how all the end users who are new to computing think Windows is this steel suited warrior of an operating system. They totally freak out when you tell them Win32 (95/98) has bugs. They either refuse to believe you or they realize you are being truthful and that they were ripped off by Bill Gates' claims to offer support when everyone knows that Microsoft does just about ZERO in terms of letting purchasers of products know about new bugs found in their software.
Any feedback regarding my opinion is always welcome...
formerly morpheus of digital murder magazine (defunct zine)
ISN is sponsored by Security-Focus.COM