
Re: [Full-disclosure] The real motivations of vulnerability disclosure



Hello FD readers,

I don't usually answer non-technical posts, but I feel like explaining why I
believe the ideas expressed by Mr Frog and similar underground orthodoxies
are clueless.

"Mr Frog": To summarize your thesis: people disclose vulnerabilities for fame
& profit. "That's not how real hackers used to be".

Ok, let's analyze those statements a bit more deeply:

First, let's establish the truth about fame:
Fame? What fame? Does your mother know who Michal Zalewski is? Of course
not. When you first decided to be a "computer enthusiast", you also decided
you would spend your life behind a computer and no one would ever give a damn.

You're also mentioning people having Wikipedia entries or belonging to
"crews" (the so-called research communities): you're surely missing people
writing bullshit on blogs and posting links to their miserable thoughts on
public mailing lists...

Additionally, I especially enjoy the intellectually challenging relation
between your first sentence "when a vulnerability in a major site is
discovered people freak out"... and your conclusion: "These types of people
tend to hang around 'xss' hacking sites where they can learn the masterful
art of finding an issue any 5 year old could find with less than 15 minutes
of training."

In a nutshell, that's the good old Manichean (did I say Protestant?) schema:
the good (being the "non disclosure" folks from your blog post) against the
bad (being the "fame seekers") guys. In the same vein, let me quote
http://www.phrack.org/issues.html?issue=64&id=4#article :

"But it is the reason not to write a technical article. The purpose of
this article is to launch an SOS. An SOS to the scene, to everyone, to all
the hackers in the world. To make all the next releases of Phrack better
than ever before. And for this I don't need a technical article. I need
what I would call Spirit."

(followed by an apologia for pre-internet hacking mythology)

Those kinds of thoughts are almost as inept as they are widespread.

To you all, anachronistic purists of the so-called underground: go to hell. If
there ever was a "spirit of the underground", it was the belief that
individuals can, on their very own, do better than what engineers do in the
industry (which is in fact absolutely understandable if you consider that
companies have budget constraints, deadlines and limited knowledge). I don't
see any opposition between this and vulnerability disclosure. What you do
with a vulnerability you have found is irrelevant. Now, if the whole dilemma
is about people being at the same time security enthusiasts on their own,
and social beings needing to work in one way or another to feed their
families, let me tell you a big secret: everyone in the underground,
starting with Adm, teso, phenoelite, phrack, (pasting from phrack's
article) 2600, Phrack, PacketStorm, Phreak.org, Uniformed,
PTP, Netric, Felinemenace, Hackcanada, Toxyn, phc, w00w00, devhell, cDc, l0pht,
el8, gobbles, synergy, blacksecurity, u-name-it people and members of every
other reasonably skilled security group I have ever heard of are working
for security related companies. Maybe it wasn't the case in the 80's. But
today, if you want to be able to understand a bit of what's going on, hacking
is a full time job. There is no dichotomy between hacking on your own and
selling your skills to a company. So please, stop pointing the finger at
each person trying to share a bit of what they have discovered.

my $0.02

Regards,

--
endrazine-    //    Garage made hacker & Security Engineer at the same time.


PS: The members of the above cited groups are asked not to flame me with
"I am no industry guy" posts: I know you are ;) And thanks for sharing your
work: I couldn't have got half of the skills I have today without your
"disclosures".



On 10/3/07, Mr Frog <hacking4froggies@xxxxxxxxx> wrote:
>
> For the past 10 years when a vulnerability in a major site is discovered
> people freak out. I'm not debating the importance of certain site
> vulnerabilities such as those exposing personal or account information. I'm
> going to talk about one of those things people think, but don't speak
> publicly about which involves the intentions of those vulnerability
> disclosure folks. I'm going to break down these types of people and some
> people in the 'industry' are going to laugh and others possibly be offended.
> If you have a problem with this then we can meet in an alley for warfare,
> but please don't bring salt as it burns.
>
> http://hackingfrog.blogspot.com/2007/10/o-o-omg-frog.html
>
> - Froggie
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/