[Full-disclosure] hack this zine #4: zen and the art of non-disclosure
Whooka de HackThisSite.org
whooka at gmail.com
Thu Aug 3 15:35:52 BST 2006
This article is pulled from the newest issue of "hack this zine",
which was printed and distributed at the recent Hackers on Planet
Earth conference. You can download the new zine in full at
http://www.hackbloc.org/ammo_for_the_infowarrior.txt or the full color
PDF at http://www.hackbloc.org/ammo_for_the_infowarrior.pdf
Zen and the Art of Non-Disclosure
As hackers, squatters, scammers and phreaks, we are often asked, "That's
amazing, how do you do it?" Yes, there still is magic out there, but it's not
going to find you, nor will you find it through a google search*.
It's a vulnerability so long as the vendor isn't informed and releases a patch;
it's a squat so long as it's "legal owner" doesn't find out and kicks you out;
and it's an underground party so long as no one slips up and police raid the
place. Same goes for sneaking into theatres, copy hookups, and other scams.
How do we keep these tricks alive? By keeping them a secret only to those who
need to know. A magician never reveals her secrets lest it will cease to be
magical. You will likely never hear the magician's true name either.
Why do people publicly release these tricks in the first place, and what
effects does this have? Those vulnerable to the trick will likely find out and
promptly patch their weaknesses. And law enforcement will have an opportunity to
learn and train themselves as well as find out who to bust. Or the trick will
fall into the wrong hands and be counter-productive (script kiddies, right
wingers, fascists, etc).
All so you can get your name on some security list as the one who "found it
first", and in all probability, you probably weren't the first anyway, as the
real people who made the discovery would want nothing to do with such lists to
begin with. And they probably have a billion more important ways of applying the
trick in the first place.
So before you spill the beans, ask yourself whether there are people who need
these tricks more than you do, or whether there are already such people at work
and would full disclosure jeopardize their secret plans?
That being said, we can move on to more pressing issues: how can we help the
hacker movement to learn and grow without giving away and spoiling all our
tricks? This was the big question as we were putting together this issue of our
zine, thinking about whether we should publish instructions on 'how to hack X
and hack Y'. Certainly we don't want to become some "eliter than thou" clique
because it again becomes about individual ego and not the community, and while
individuals come and go, ideas last forever. So we have to train ourselves and
others willing to learn, but find a way to do it in a carefully calculated
manner. And it's not gonna happen by giving away proof-of-concept code but by
teaching the approach and technique so people can figure it out for themselves.
I don't think that was our conscious goal of Hack This Site but it certainly
was the result. We wanted to introduce people to the wild world of hacking so we
put together several series of hacking challenges modeled after real websites
with real vulnerabilities. Creating this safe and legal training front group*,
people were able to jump in and start with the basics, not by downloading
exploits or "appz", but by hands-on security research. People sometimes give us
shit because we're dominated by newbies or that we are aiming too low. Rest
assured, there are plenty of us with skill waiting in the background waiting for
YOU to start asking the right questions so the real training can begin. Yes, we
want to share our shit with those who want to learn.
Before you can walk, you have to learn to crawl. And when you can walk you can
be shown the path. And this is what every white-hat, security consultant, or
full-disclosure advocate fails to see: we can show you the path, open the door,
and offer you the red pill, but you have to take that first step and become that
black hat hacktivist ninja.
Cause you're not helping anybody when you alert the vendor or post that 0day
proof of concept code.
Or get that full time computer security job for the phone company.
Or turn in your buddies to the FBI when the going gets tough.
This is what is known and loathed as "selling out", and it helps nobody but the
forces which are working to destroy the hacking movement. The people who are
seduced into it either end up regretting it or lose a bit of their humanity in
the process of becoming a zombie worker bee for the Establishment.
So you've gone this far, but where are we going and what do we do next? You've
probably realized this world isn't a very friendly place for not just black hat
hacktivist ninjas but for most people in general, unless you happen to be in
that top 1% where you have your own mansion, private jet and congressman. Every
day we hear about how hackers and activists are criminals and terrorists. If you
watch television you are also probably tired of hearing about how illegally
tapping your phone or reading your mail protects os from terrorism, or how
another thousand dead babies in Iraq is a Strong Victory for Worldwide
Democracy. So instead of boring you and further let me encourage you to Turn Off
That Television and Get Involved with your Community cause Now is the Time to
¥ get involved with your local indymedia center to tell the stories corporate
¥ set up servers for radical websites and email lists and teach them how to
communicate securely on the internet
¥ find ways to get shit for free(free copies, free internet, free public
transportation, etc) and share it with those who need it the most
¥ help develop the next Internet, one that is free from NSA spooks, traffic
shaping, hierarchal domain authorities, or corporate control in general
¥ help inspire those who will grow to be bigger stronger and smarter than you or
I who will deal that final blow against capitalism and the state
There is still magic out there for those who seek it: don't wait for it, it
waits for you!
Full-Disclosure is hosted and sponsored by Secunia.