[Full-Disclosure] Shiver me timbers.
aliver at xexil.com
Mon Aug 19 12:38:34 BST 2002
On Mon, 19 Aug 2002, sockz loves you wrote:
> i dont see how a bug in the user's software is anything that a _user_
> should be doing anything about. as i've said time and time again, if
> you think you've found a bug in your software, go to the software vendor
> to report it... not some open discussion list. if the dudes who make
> your software dont want to fix the damned thing THEN CHANGE F*CKING
> BRANDS! (where possible)
You make a good point. I'd like to add a couple of things. I believe
that from a "consumer" point of view software isn't much different
from most consumer products. A person pays money and expects a service.
They expect _only_ that service and not a bunch of ancillary effects like,
for example, the application causing their machine to get owned by a
kidiot. As a consumer, they have some decisions to make. If the software
caused unwanted effects or broke something, then they can call them and
complain about it. This is most certainly going to be the case, when for
example, they can't get the software to run properly on their machine.
What I'm hearing from the "whitehat community" is that other
programmers not employed by that company have some obligation to not only
report bugs, but also to point out how to fix them wherever possible.
Since I'm a programmer am I supposed to find and/or fix bugs for them also
not related to security issues? I mean if some software, when used
improperly, can overwrite your boot sector with "BuyMSorDIE" a hundred
times, should I be responsible for pointing out and patching this? I don't
think so. I also don't feel, in most cases, I have any obligation to
protect these "innocent" consumers from the evil software vendor.
> 1. blackhats dont release their exploits to the rest of the community.
> any blackhat who does is no more a "hacker" than a whitehat is.
Well, I think I agree with the core point you are making. However,
I'd expand this to say that blackhats don't release their work unless it
serves their purposes. We should not be slaves to the vendors or the
consumers who are allowing themselves to be victimized. Personally, I
write code because the projects I choose are interesting to _me_. The work
I do is not something that I have an obligation to release, but I may
choose to do so if it serves some other goal. The bottom line is that I
make my own decisions based on my conscience and beliefs first, then my
goals second. The one thing I'm sure as hell not going to do is
robotically follow some so called "RFC" for vulnerability release written
by whitehats, just because they claim to be more ethical than me.
> just because you have malicious intent doesn't mean you're not a
> and no, there is no such thing as a grey hat.
You know I've always thought of myself as a blackhat, but lately
I'm getting tired of labels. Mainly because it wastes a lot of time while
people like fuk at hushmail.com claim "YOU ARE A GREYHAT AT BEST" or
whatever. It's starting to take too much energy to keep up with
everybody's definitions of these terms.
For clarity, my definition of blackhat is someone who is willing to
use the skills they have to serve their own goals without giving pause to
the "rules" placed upon their practices by the law, or by
one-size-fits-all ethics that others are espousing. Now, this is a binary
state in my opinion (i.e., you are willing to do it, or you aren't). So,
with that said, I agree. There are no such things as "greyhats".
> 2. like you noted, script kiddies lack the intelligence and skillz to
> find their own bugs.
Yes, by definition, we hopefully all agree on this.
> they hear about 0-day exploitz through their friends from school, from
> "hacking" websites and so-called "hacker zines" which act in just the
> same manner as whitehat mailing lists like bugtraq, full disclosure, or
> vuln-dev. THIS IS WHERE THESE MORONS GET THEIR ELITE INFO FROM! NOT
> THE BLACKHAT COMMUNITY (which advocates exactly the opposite)!
Well, they may indirectly get their info from a blackhat. However,
I understand that this is not your point. Also, consider some circumstance
where a blackhat may target a company or product they believe to be
corrupt. They may choose to release a tool or exploit to the kidiots to
allow them to act as a tool for their own reasons.
For example, what if the Citizens Corps
(http://www.citizencorps.gov/tips.html) decides to release an application
that allows Joe Six Pack to send "tips" about terrorists to some law
enforcement entity with complete anonymity and this ends up getting a
lot of innocent people arrested for trumped up charges. Then in turn I
create an exploit+trojan that will instead redirect the tips to USENET in
alt.rats with the tipper's IP address and as much information about them
as possible. Well, I just might think that it's necessary to give the
details of my trojan + exploit combo for this application to the kidiot
community. Just some food for thought.
> wow. cuz its like this dude. smaller software companies are worried
> about their reputation and larger companies are worried about their
Yep. It's all about shareholders, most of whom couldn't give a damn about
some security hole in a piece of software unless it means it'll turn into
some class-action lawsuit. I'll be doing a jig the day I hear about a
consumer suing HP because of some security hole they refused to address.
> ah-hoy, matey!
Yar, har har. Yo ho ho? Heh, sorry to butt in, just couldn't resist.
Full-Disclosure is hosted and sponsored by Secunia.